CHAPTER 6
Security

- Explain the client-side security model for the Java SE environment, including the Web Start and applet deployment modes.
- Given an architectural system specification, select appropriate locations for implementation of specified security features, and select suitable technologies for implementation of those features.
- Identify and classify potential threats to a system and describe how a given architecture will address the threats.
- Describe the commonly used declarative and programmatic methods used to secure applications built on the Java EE platform, for example, use of deployment descriptors and JAAS.
Introduction
Security is quite possibly the most overlooked aspect of many JEE-based systems, yet failure to ensure that a system is properly secured has the most potential to inflict serious damage on the underlying business. As a JEE architect, you must understand the Java security model not just on the server, but on the client as well, hence the inclusion of the first item in the previous objectives list for this section. The primary security-related objectives of any JEE system are as follows:
- Confidentiality: Ensure that the system data and functions are protected from unauthorized access.
- Integrity: Ensure (provably) that system data has not been modified or interfered with by a third party (malicious or not).
- Authentication: Ensure that the identity of a user or a remote system accessing the system is valid and correct and has not been impersonated or compromised in any way.
- Authorization: Ensure that a valid, authenticated user or remote system has the appropriate rights to access system data or execute system functions.
- Non-Repudiation: Ensure that all actions, once performed, cannot be denied by the user or the system itself.
Depending on the industry setting, the use cases you have to solve, and the nature of the business itself, the importance attached to each of these characteristics varies. (For example, anyone can visit www.google.com and execute a search; far fewer people can access a search engine for classified military matters run by a defense company.) In this chapter, we address security as it is addressed by the JEE platform, homing in where appropriate on topics that we believe are especially relevant to the exam situation.
Prerequisite Review
You must be familiar with the security-related topics and resources listed here. You are not required to know all of this material by rote, but equally, you cannot claim to be a proficient architect unless you understand clearly the underpinnings of the Java security model and how it is then extended and leveraged in higher architecture tiers in the JEE environment. The relevant topics and specifications (with relevant Java Specification Request, or JSR, numbers) are as follows:
- The Java Language Specification (JLS), version 3.0.
- The JAAS API: http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html (Note: The official link is http://java.sun.com/products/jaas, but this link simply redirects to the Java SE Security home page.)
- The WS-Security home page (purely for background reading): http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss#technical.
- Chapter 3 of the Java EE 5 specification.
We examine the seminal aspects and use cases of security in more detail. First, we run through some of the most important security-related concepts in the JEE.
JRE
The sandbox of the Java Runtime Environment (JRE) is a fundamental property of the Java runtime environment and is the basis for all other security layers in the Java programming model. Simply put, the designers of the Java programming language and runtime gave careful consideration to security at design time as well as implementation time, and this has provided higher-level security APIs and abstractions a firm foundation to build on. Basics provided by the JRE and the Java programming language include automatic memory management, strong typing, bytecode verification, and secure class loading. For exam purposes, take all of this as a given, and focus your revision and study efforts on the security APIs and capabilities built on top of these basic capabilities in the JEE platform, including the difference between sandboxed applets and regular Java applications.
JAAS
JAAS, or the Java Authentication and Authorization Service, is the general mechanism supplied by the Java Virtual Machine (JVM), allowing Java code to identify users and roles before allowing or denying access to resources or functionality controlled by the JVM. JAAS was originally a modular install for the JVM but is now built into the JVM and is required by the JEE 5 specification. JAAS supports pluggable authentication and authorization modules, making it possible for architects to integrate existing security services into JAAS. Moreover, the standard JAAS implementation ships with connectors that implement authentication protocols, for example, the Kerberos module.
Credential
A credential is a container of information used to authenticate a principal (discussed next) to the System under Development (SuD). Credentials vary significantly depending on the authentication protocol or system used (that is, they are mechanism specific). However, the core purpose is the same: a credential is a structured set of information that an authentication module uses to either allow or deny access to the SuD.
Principal
A principal is an entity (a person or system that can be uniquely identied) that can be authenticated by a JEE security module before SuD system access is allowed or denied.
Authentication
Authentication is the process by which the SuD examines the credentials of a named principal in order to recognize that principal as a named user of the SuD. An end user can authenticate to a JEE application using either a web client (that is, a JSP/JSF presentation tier) or an application client (a client-side Java application or applet). The JEE 5 platform requires that all application servers support three specific authentication methods: HTTP basic authentication, SSL mutual authentication, and form-based login.
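The JAAS flow described in the JAAS, Credential, Principal and Authentication entries above, as an added example that is not from the book: a hypothetical pluggable LoginModule verifies a credential (user name and password) against a constructed in-memory table, the LoginContext drives the two-phase login, and the resulting Subject carries the Principals that a later authorization check consults. DemoLoginModule, UserPrincipal, hasRole, the "demo" configuration name and the user alice are all assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical LoginModule: checks a credential against a constructed in-memory table and,
// on success, attaches user and role Principals to the Subject being authenticated.
public class DemoLoginModule implements LoginModule {
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret"); // constructed sample
    static final Map<String, String> ROLES = Map.of("alice", "manager");     // constructed sample
    private Subject subject; private CallbackHandler handler; private String user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { subject = s; handler = h; }
    public boolean login() throws LoginException {            // phase 1: verify the credential
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
        String expected = PASSWORDS.get(nc.getName());
        boolean ok = expected != null && expected.equals(new String(pc.getPassword()));
        pc.clearPassword();                                   // drop the secret as soon as it is checked
        if (!ok) throw new FailedLoginException("bad credential");
        user = nc.getName(); return true;
    }
    public boolean commit() {                                 // phase 2: populate the Subject
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new UserPrincipal("role:" + ROLES.get(user)));
        return true;
    }
    public boolean abort()  { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }

    // The question an authorization check later asks of the authenticated Subject.
    static boolean hasRole(Subject s, String role) { return s.getPrincipals().contains(new UserPrincipal("role:" + role)); }

    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {             // programmatic config; no jaas.conf file needed
            public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) }; } };
        CallbackHandler cb = cbs -> { for (Callback c : cbs) {           // hands over alice's credential
            if (c instanceof NameCallback n) n.setName("alice");
            else if (c instanceof PasswordCallback p) p.setPassword("s3cret".toCharArray()); } };
        LoginContext lc = new LoginContext("demo", null, cb, cfg);
        lc.login();                                           // runs login() and then commit()
        System.out.println("manager? " + hasRole(lc.getSubject(), "manager") + ", admin? " + hasRole(lc.getSubject(), "admin"));
    }
}
```

In a container the same LoginModule would be wired in through the server's JAAS configuration rather than the inline Configuration shown here.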
Authorization
Authorization is the process by which a named principal (who is already authenticated to the SuD) is allowed or disallowed access to a protected, named SuD resource based on the permissions granted either directly to them or indirectly through group or role membership. The JEE security model employs a role-based access control mechanism that abstracts principals from permissions by the introduction of roles. A principal may belong to one or more roles, and those roles may have zero or more permissions assigned to them.
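The two ways the JEE platform applies this role-based model, as an added example that is not from the book: a hypothetical EJB 3 session bean uses the Java EE 5 security annotations (the deployment descriptor can express the same rules) so that the container enforces a role check before a method runs, and uses SessionContext for a programmatic rule that depends on the data being touched. PayrollBean, the clerk and manager roles and the salary data are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;

// Hypothetical stateful session bean. The container maps the caller's authenticated
// principal to roles (through the descriptor / vendor role mapping) and enforces the
// @RolesAllowed gate before any method body runs; SessionContext lets the method itself
// apply finer-grained rules that the descriptor cannot express.
@Stateful
@DeclareRoles({ "clerk", "manager" })
public class PayrollBean {
    @Resource private SessionContext ctx;                          // caller identity and roles
    private final Map<String, Integer> salaries = new HashMap<>(); // constructed sample data

    // Declarative only: a caller without the "manager" role is rejected by the
    // container with javax.ejb.EJBAccessException, and this body never executes.
    @RolesAllowed("manager")
    public void setSalary(String employeeId, int amount) {
        salaries.put(employeeId, amount);
    }

    // Declarative gate plus a programmatic, data-dependent rule: clerks and managers
    // may call this, but an adjustment above 5% additionally requires the "manager" role.
    @RolesAllowed({ "clerk", "manager" })
    public int adjustSalary(String employeeId, int percent) {
        if (percent > 5 && !ctx.isCallerInRole("manager")) {
            throw new SecurityException(ctx.getCallerPrincipal().getName()
                    + " may not apply a " + percent + "% adjustment");
        }
        int updated = salaries.getOrDefault(employeeId, 0) * (100 + percent) / 100;
        salaries.put(employeeId, updated);
        return updated;
    }
}
```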
Discussion
Security is the perennial hot topic in the enterprise application space. Often overlooked in development and under-tested in QA, the security aspects of all applications, including JEE applications, undergo greater scrutiny as corporations of all shapes and sizes realize their potential exposure if data is compromised. Despite its unwieldiness in some scenarios, the JEE platform has robust support for ensuring that a JEE application can do the following:
- Control access to application data as necessary with fine granularity
- Control access to application business logic as necessary with fine granularity
- Encrypt and decrypt data as necessary to provide secure messaging
- Co-operate with existing enterprise resource systems (ERSs) to control access to data and business logic contained within those ERSs as necessary
These capabilities are not accidental. From its inception, the JEE platform has been designed and enhanced to meet the needs of applications that need a strong and comprehensive security model end to end. We now consider the most important features of the JEE platform.
Client-Side Security
In this section, we need to consider applets run by the browser via the Java plug-in and applications deployed via Java Web Start or installed directly on the machine. Both Web Start applications and applets run inside a sandbox environment, which allows the end user to control what client-side resources the code can and cannot access or modify. Compiled Java bytecode must be signed before it can request access to these resources: all code attempting to access client-side resources, such as the local file system, or to open a socket to another server will prompt the end user with a modal dialog to permit or deny the operation. Java applications installed directly onto a client machine do not run inside a sandbox, and no permissions are checked before an operation is executed. Regardless of how an application has been deployed to a remote machine, once there the architect's job is to ensure that sensitive data passed between the server and the client is encrypted and impenetrable to malicious entities. The easiest way to achieve this is to encrypt all data using Secure Sockets Layer (SSL). Java supports this both to encrypt RMI traffic (RMI over SSL) and to encrypt HTTP traffic (HTTP over SSL, or HTTPS).