JBOSS SECURITY

1
JBOSS SECURITY

• COSC617
• Wenxue Zhang
• Lianjiang Zong
• Yedong Tang

2
Concepts of J2EE security

• Authentication
• Determine who can access
• Authorization
• Determine what an authenticated user can access

3
What need protection?

• Front-end web pages
• Backend business logic
• Data

4
J2EE Web-based Security

• The J2EE define a simple role-based security
  model for EJBs and web components. but does not
  specify how roles are obtained from the operation
  environment. This is an implementation detail
  left to the application server.
• Jboss provides this implementation layer.the
  default implementation is based on JAAS (Java
  Authentication and Authorization Service) login
  modules and subjects.
• The JBoss component framework that handles
  security is the JBossSX extension framework which
  provides support for both the role-based
  declarative J2EE security model and integration
  of custom security via a security proxy layer.

5
Secure the web sites

• Protect the administrative pages
• Restrict access based on the URL pattern
• Associate security roles with the URL
• Create security roles for the JAW Motors
  application
• Choose an Authentication mechanism and implement
  it
• Automate extra web.xml settings with XDoclet

6
Secure the web sites cont.

• Create a security realm that associates a user
  with the roles he plays in the system
• configure a JAAS loginModule thats tied to the
  security realm
• Deploy the JAAS-based security realm with the
  JBOSS container
• protect MVC administrative actions
• Restrict access based on the URL pattern

7
Secure the web sites cont.

• propagate the correct user credentials from the
  web tier
• Establish a default user identity for non-secure
  web access
• Use the right user identity for secure web access

8

• Protect the administrative pages
• Declarative security is provided by J2EE
• Can be accomplished through URL patterns and
  deployment descriptors, for example
• Carlist.jsp and Carform.jsp should be protected
• Add and edit action should be protected
• 1. Move the .jsp file you want to protect to a
  sub-directory under WEB-INF
• for example, move the carlist.jsp and
  carform.jsp to admin under WEB-INF in WAR file.

9

• WEB-INF
• All public non-protected pages
• WEB-INF/admin/
• All administrative protected pages carlist.jsp,
  carform.jsp
• 2.restrict the access to the administrative pages
  by creating security roles and associating them
  with these URL patterns in web.xml

10
Restrict access with web.xml

• ltsecurity-constraintgt
• ltweb-resource-collectiongt
• ltweb-resource-namegtCarlist.jsp carform.jsplt/web-re
  sourcenamegt
• ltdescriptiongtrequire users to authenticate.
  lt/descriptiongt
• lturl-patterngt/admin/ lt/url-patterngt
• lt/web-resource-collectiongt
• ltauth-constraintgt
• ltdescriptiongtallow manager role to access Admin
  pages lt/descriptiongt
• ltrole-namegtManagerlt/role-namegt
• lt/auth-constraintgt
• lt/security-constraintgt
• ltsecurity-rolegt
• ltdescriptiongtJAW managers lt/descriptiongt
• ltrole-namegtManagerlt/role-namegt
• lt/security-rolegt

11

• 3.Prefix all the administrative pages with the
  admin/URL of ControllerServlet.java
• Public class ControllerServelet extends
  HttpServerlet
• Protected void processRequest(HttpServletRequest
  request,HttpServletResponse response) throws
  ServletException, IOException
• //perform action
• else if(MODIFY_CAR_LIST_ACTION.equals(m-Carlist))
• DestinationPage/admin/carlist.jsp

12

• choose an Authentication mechanism and implement
  it
• Four methods of authentication
• HTTP Basic Authentication
• Container asks for users name and password from
  a pop dialog box, back information is not
  encrypted
• HTTP Digest Authentication
• As the same as Basic but the back information
  encrypted
• HTTPs Client (or Client-cert) Authentication
• Using SSL(Secure Sockets Layer certificates)
• Form-based Authentication
• Redirected to an application specific login page.
  If valid, allowed access, Otherwise, redirect to
  login error page

13

• Form-based Authentication
• Most commonly used authentication technique
• Can use your own login page

14

• Configure form-based authentication in web.xml
• ltlogin-configgt
• ltauth-mathodgtFORM lt/auth-mathodgt
• ltrealm-namegt JawJaasDbRealmlt/realm-namegt
• ltform-login-configgt
• ltForm-login-pagegt/login.jsp lt/Form-login-pagegt
• ltform-error-pagegt loginerror.jsplt/form-error-pagegt
  
• lt/form-login-configgt
• lt/login-configgt
• The ltrealm-namegt element specifies the name of
  our security realm, JawJaasDbRealm and it must
  matches the realm specified in the Jboss JAAS
  login configuration file we will see in later
  pages

15
Note for form-based login

• The user ID and password fields must be named
  j_username and j_password respectively
• The form must post the user login information to
  j_security_check
• Everything else must under our control(such as
  the appearance and location of the login and
  error page)

16
Automate extra web.xml settings with XDoclet

• We have ltsecurity-constraintgt,ltsecurity-rolegt and
  ltlogin-configgt
• We need create a merge file that Xdoclet merges
  in as it generated web.xml

17
Create a security realm

• Create a security realm using database tables
  that associates a user with the roles he plays in
  the system.
• User table JOINT Role table ?User_Role table
• User_ID Role_ID
• 1 1
• 2 1
• ROLE_ID ROLE_NAME
• 1 Manager
• User_ID User_name Password
• 1 Fsmith fred
• 2 Jjones john

18
configure a JAAS loginModule thats tied to the
security realm

• About JAAS
• Enables an application to protect its resource by
  restricting access to only those users with
  proper credentials and permissions.
• Provides a layer of abstraction between an
  application and its underlying security
  mechanisms and easy to change security
  technologies and realms without impacting the
  rest of the system.
• Supports single sign-on for an application.(only
  need signing one time for all system)

19
LonginModule

• Logs user/subject into a security realm based on
  their name and password
• Interact with an operating system, a database,
  JNDI or a biometric device like retinal scanner
• Dont need known much about it, you never
  interact with LonginModule
• Only need to modify the LonginModule
  Configuration file and your codes unchanged
• indirection enables an independent of the
  underlying security mechanisms used

20
LoginModule cont.

• There are many freely available LoginModule
• Tagish
• Sun Microsystem
• Jboss
• We chose the Jboss LoginModule
• They are already bundled with Jboss
• Dont need to configure any third party JARs.

21
Deploy the JAAS-based security realm with the
JBOSS container

• Each server has their own way to set up
  LoginModule configuration and domain names.
• Configure the LoginModule
• Add the LOginModules security domain name to
  jBoss-web.xml
• Need re-add your ltapplication-policygt elements to
  the default login-config.xml file to make things
  work again when you update to a new version JBoss
  each time.
• Jboss LoginModule Configuration
• Add the LoginModule configuration data to the
  JBoss default JBOSS_DIST?server/default/conf/logi
  n-cinfig.xml
• Create your own custom LoginModule configuration
  file in JBOSS_DIST/server/default/conf that has
  the same structure as Login-config.xml

22
Chose the custom LoginModule configuration

• The application-specific elements

23

• ltpolicygt
• ltapplication-policy nameJawJaasDbRealmgt
• ltauthenticationgt
• ltLogin-module codeorg.jboss.security.auth.spi.Da
  tabaseServerLoginModule flagrequiredgt
• ltmodule-option nameunauthenticatedIdetitygtguest
  lt/ module-option gt
• ltmodule-option namepassword-stackinggtuseFirstpa
  sslt /module-option gt
• ltmodule-option namedsJndiNamegtjava/JBossAtWork
  DS lt/ module-option gt
• ltmodule-option nameprincipalsQuerygtSELLECT
  PASSWORD FROM USER WHERE NAME?lt /module-option gt
• ltmodule-option namerolesQuerygtSELLECT
  ROLE.NAME,ROLES FROM ROLE, USER_ROLE, USER
  WHERE USER.NAME? AND USER.IDUSER_ROLE.USER_ID
  AND ROLE.IDUSER_ROLE.USER_IDlt /module-option gt
• lt/Login-modulegt
• lt/authenticationgt
• lt/application-policygt
• ltpolicygt

24

• JBoss uses a MBean to read the JBOSS_HOME/server/
  default/conf/jaw-login-config.xml file at startup
  time to configure its security domains
• Each ltapplication-policygt element configures a
  LOginModule for a security realm
• The application-policy name sets to
  JawJaasDbRealm
• The ltLogin-modulegt element configures the
  JBoss-specific DatabaseServerLoginModule to query
  the USER abd ROLE tables in the JAW Motors
  database to authenticate the user.
• The ltLogin-modulegt elements flag attribute is
  set to required because to impede users to access
  sensitive pages unless the user successfully logs
  on all security realms.

25

• ltmodule-optiongt elements specify the LoginModule
  options for DataBaseServerLoginModule
• unauthenticatedIdetity when no authenticated
  information supplied, use default username
• When useFirstPass, means the user had entered
  successfully, so, the LoginModule does nothing.
• dsJndiName the jboss-specific JNDI name for a
  databases DtaSource
• principalsQuery SQL query to select a users
  password from the JAW Motors database of User
  table
• Rolesquery SQL query to select a users role
  from the JAW Motors Database of User, Role and
  User_Role table

26

• JAW Motorss application-specific LoginModule
  configuration file is not a part of the default
  JBoss setup anymore. So, we need to create a JMX
  MBean defined in a service file-jaw-login-config-s
  ervice.xml to tell the JBoss to load this file at
  startup time, like this
• ltservergt
• ltmbean codeorg.jboss.security.auth.login.Dynamic
  LoginConfig namejbossserviceDynamicLoginConfi
  ggt
• ltattribute nameauthconfiggtjaw-login-config.xml
  lt/attributegt
• ltdepends optional-attribute-nameLoginConfigServi
  cegt jboss.securityserviceXMLLoginConfig
  lt/dependsgt
• ltdepends optional-attribute-namesecurityManagerS
  ervicgt jboss.securityserviceJaasSecurityManager
  ltdependsgt
• lt/mbeangt
• lt/servergt

27

• Then, to deploy the loginModule configuration
  file to Jboss, the Ant build script copies the
  jaw-login-config.xml file from the
  ch09-a/src/META-INF directory to the JBoss
  configuration directory JBOSS_HOME/server/defaul
  t/conf

28
Setting JAAS Domain in jboss-web.xml

• To secure domain in jboss-web.xml, defines a
  security domain used by all web components in the
  application
• It must match the JawJaasDbRealm JAAS
  application name from the login-config.xml
• It comes before the elements that define the
  JNDI-based resources

29
Automating JAAS Domain Setting in jboss-web.xml

• Add a securitydomain attribute to the
  ltjbosswebxmlgt subtask in the webapp sub-projects
  build.xml to generate the ltsecurity-domaingt
  element in jboss-web.xml
• ltwebdocletgt
• ltjbosswebxml version4.0 destdirgen.source.d
  ir securitydomainjava/jaas/JawJaasDbRealmgt
• lt/webdocletgt

30
Testing secure JSPs

• The processing is just done to secure the
  administrative page and it is ready to be tested
• ant in the root directory of ch09-a to build
  the project
• Shut down the JBoss so theh Ant script can clean
  up the JBoss deployment area
• ant colddeploy to deploy the EAR file(jaw.ear)
  to the BOSS_HOME/server/default/deploy directory
  and Ant build script also deploy
• The MBean service file(jaw-login-config-service.xm
  l)to the BOSS_HOME/server/default/deploy
• The LoginModule Configuration file(jaw-login-confi
  g.xml) to the BOSS_HOME/server/default/onf

31

• Start JBoss back up
• Go to the ch09-a/sql sub-directory and ant to
  modify the database
• Visit http//localhost8080/jaw/admin/carList.jsp
  in a web browser
• Input your name and password you want to take and
  the browser sands it to the servlet Container, if
  the input is valid, the servlet lead you to the
  CarInventory page. Otherwise, to a login error
  page.

32
Protecting the Administrative Actions

• Associate the administrative actions with an URL
  pattern
• - To do that we prefix them with admin/in the
  JSPs and in the Conrtoller Servlet.
• Example index.jsp
• lthtmlgt
• ltheadgt
• ltbodygt
• lta href controller/admin/modifyCarListgt
  Modify inventory lt/agtlt/brgt
• lta href controller/admin/viewCarListgt View
  inventory lt/agtlt/brgt

33

• Protect the new administrative action URL pattern
• - To fully protect the administrative action
  URLs, we add a new lturl-patterngt to web.xml
• ltsecurity-constraintgt
• ltweb-resource-collectiongt
• ltweb-resource-namegt
• JAW Application protected Admin pages and
  actions.
• lt/web-resource-namegt
• ltdescriptiongtRequire users to
  authenticate.lt/descriptiongt
• lturl-patterngt/admin/lt/url-patterngt
• lturl-patterngt/controller/admin/lt/url-patterngt
• lt/web-resource-collectiongt
• The new /controller/admin/ lturl-patterngt forces
  the user to log in before accessing secure
  actions.

34
Propagating Security Credentials from the Web
Tire

• Any secure page or action (under the
  /controller/admin/ URL pattern) runs as an
  authorized user role Manager.
• Any non-secure page or action (under the
  /controller/ URL pattern) runs as the
  unauthenticated guest user identity

35
Automating Security Credential Propagation in
web.xml

• Modify the ltservletgt and ltservlet-mappinggt
  element to propagate the correct credentials from
  the Controller Servelet.
• _at_web.servlet
• name SecureController
• Modified the XDoclet tags in the Controller
  Servlet to generate the mapping foe the
  secureCotroller and /conteoller/admin/
  ltrul-patterngt

36

• _at_web.servlet-mapping
• url-pattern controller/admin/
• We also added a new ltservlet-mappinggt element to
  web.xml for non-sercure URL action patterns.
• - However, XDoclet doesnt provide a way to
  generate more than one set of there elements for
  a servlet. So we could have hardcoded those
  elements in web.xml, but this wouldnt fit with
  our ant-based build process.
• -So we created xdoclet merge files called
  servlets.xml and servlet-mappings.xml files that
  contain the extra settings, and xdoclet merges
  them in as it generates web.xml.

37
Testing Web Security

• Type ant in the root directory of ch09-b to build
  the project
• Shut doen JBoss so the Ant script can clean up
  the JBoss deployment area
• - type ant colddeploy to deploy the EAR file
  to the JBoss_HOME/server/default/deploy
  directory
• Start JBoss back up
• Visit http//localhost8080/jaw in a web browser.

38
Web Security Checklist

• Protected the administrative pages by
• - Restricting access based on the /admin/ URL
  pattern in web.xml
• - Associating security roles with the /admin/
  URL pattern in web.xml
• - Moving the administrative pages beneath the
  /admin sub-directory in WEB INF
• - Creating security roles for the JAW Motors
  application in web.xml

39

• Implemented FORM-based Authentication by
• - Adding a ltlogin-configgt element to web.xml
  and tying it to security realm
• - Creating a login page, login.jsp with a form
  that follws FORM-based Authentication naming
  conventions
• - Developing a login error page
  logineror.jsp

40

• Automated extra web.xml settings with the
  servlets.xml, servlet-mapping.xml, the roles they
  play in the system
• Created a security realm in the JAW Motors
  database that associates a user with the riles
  they play in the system
• Deployed the JAAS-based security realm with the
  JBoss container by
• - Configuring a JAAS loginModule thats tied
  to the database security tealm using
  JBOSS_HOME/server/default/conf/JBOSS_HOME
  server/default/conf and JBOSS_HOME/server/default
  /deploy/jaw-login-config-service.xml

41

• - Adding the JAS domain settings to
  jboss-web.xml
• Added a read-only page and MVC action to ensure
  that we can still access non-secure resources
  without logging in.
• Protected MV administrative actions by
• - Modifying JSPs and the Controller Servlet to
  prefix all administrative action URLs with
  /admin/.
• - Modifying web.xml with new
  /controller/admin/ lturl-patterngt element to lock
  down the administrative action URLs

42

• Propagated the correct user credentials form the
  web tier
• - Established a default guest user identify
  for non-secure actions and pages in web.xml
• - Used the Manager identiry for secure actions
  and pages in web.xml.

43
EJB Tier Security

• Deploy the JAAS-based security realm with the
  JBoss container.
• Protect the EJB
• - Allow access to non-secure methods
• - Configure access to administrative methods.
• - ass security roles.
• Automate extra ejb-jar.xml setting with XDoclet.

44
JAAS Domain in jboss.xml

• Security domain defines a security domain used by
  all EJBs in the application.
• Match the JawJassDbRealm JAAS application name
  form login-config.xm and the ltsecurity-domaingt
  element in jboss-web.xml.
• ltSecurity domaingt defines a single security
  domain used by all EJBs in the application

45
Protecting EJBs with ejb-jar.xml

• ltmethod-permissiongt
• ltrole-namegtguestlt/role-namegt
• ltrole-namegtmanagerlt/role-namegt
• ltmethodgt
• ltejb-namegt InventoryFacsdelt/ejb-namegt
• ltmethod-intfgtRemotelt/method-intfgt
• ltmethod-namegt findCar ltmethod-namegt
• ltmethod-paramsgt
• ltmethod-paramgt int ltmethod-paramgt
• lt/method-paramsgt
• lt/methosgt
• lt/method-permissiongt
• Only user with the guest or manager roles can
  invoke the non-secure findCar() method when using
  the remote component interface

46
Automating EJB Security Setting with XDoclet

• InventoryFacadeBean.java
• /
• _at_ejb.security-role-ref
• role-nameManager
• role-link Manager
• _at_ejb.security-role-ref
• role-nameguest
• role-link guest
• /
• Public class InventoryFacadeBean implement
  SessionBean
• /
• _at_ejb.create-method
• _at_ejb.permission
• role-name guset, Manager
• /

47

• Public void ejbCreate() throws CreateException
• /
• _at_ejb.permission
• role-nameguest, Manager
• /
• .
• The class level _at_ejb.security-role-ref XDoclet
  tags associate the InventoryFacede Bean with the
  Manager security role
• The _at_ejb.permission tag on the ejbCreate() mehods
  makes them accssible only to users in the suest
  and Manager roles.

48
Testing Secure EJB Methods

• Type ant in the root directory of ch09-c to build
  the project.
• Shut down JBoss so the Ant script can clean up
  the JBoss deployment area.
• Type art colddeploy to deploy the EAR file to the
  JBOSS_HOME/sever/default/deploy directory
• Start JBoss back up.
• Visit http//localhost8080/jaw in a web browser

49
EJB Security Checklist

• Deploy the JAAS-based security realm with the
  JBoss container
• Protected the EJB in ejb-jar.xml
• - Added security roles
• - Allowed callers with the unauthenticated
  guest or authorized manager role to access non
  secure methods
• - Restricted access to administrative methods
  to users in the Manager roles
• Automated extra ejb-jar.xml setting with XDoclet

50
Question?