eXtreme Enterprise Security, Arne Limburg // open knowledge GmbH

Upload: open-knowledge-gmbh

Post on 10-May-2015


TRANSCRIPT

1. eXtreme Enterprise Security
   Arne Limburg // open knowledge GmbH

2. About me
   Arne Limburg, @ArneLimburg
   Enterprise Architect, open knowledge GmbH, @_openknowledge, www.openknowledge.de
   Focus areas: Open Source, JPA, JPA Security, Apache DeltaSpike, CDI, Apache OpenWebBeans

3. Enterprise Application Security
   Communication security: HTTP / HTTPS, application firewall
   Web server: configuration
   Authentication
   Network security: OS, firewall, TCP/IP
   Authorization

4. Example application: e-learning platform

5. Security requirements
   - Only lecturers may create courses
   - Lecturers may create events for their courses
   - Lecturers may only see students who attend their courses
   - Students may only see fellow students with whom they share courses

6. Authentication vs. Authorization

7. Authentication: Who is the current user?
   Username / password, Twitter, Facebook, OAuth, public key, biometrics

8. Authentication in a web app: web.xml

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>JAAS</realm-name>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/error.xhtml</form-error-page>
        </form-login-config>
    </login-config>

9. Servlet 3.0 Authentication

    public void login(HttpServletRequest request, String username, String password)
            throws ServletException {
        request.login(username, password);
    }

    public void logout(HttpServletRequest request) throws ServletException {
        request.logout();
    }

10. Authorization: What may the current user do?
    Role-based, Access Control Lists, user permissions, domain-object security

11. JAAS
    Pluggable authentication
    Authorization: pluggable policy provider, permission checks via AccessController

12. Java Permissions: policy file

    grant principal de...User "arne" {
        permission de...ExecPermission "de...CourseDao.find*";
    };
    grant principal de...User "admin" {
        permission de...ExecPermission "de...CourseDao.*";
    };

13. Java Permissions

    public class ExecPermission extends BasicPermission {
        public ExecPermission(String methodName) {
            super(methodName);
        }
    }

14. Java Permissions

    public void create(Course course) {
        String methodName = "de...CourseDao.create";
        AccessController.checkPermission(new ExecPermission(methodName));
        entityManager.persist(course);
    }

15. Conclusion: Permissions
    Every security requirement can be expressed, but it is far too laborious, poorly maintainable, and extensions are needed.

16. Authorization: What may the current user do?
    Role-based, Access Control Lists, user permissions, domain-object security

17. Role based Access Control
    Users: Teacher 1, Student 1, Student 2
    Roles: Teacher, Student
    Permissions: Create Course, Read Course, Read Student

18. Role based Access Control
    Servlet spec: permissions for web resources

19. Role based Access Control: web.xml

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>New Course</web-resource-name>
            <url-pattern>/courses/create.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>teacher</role-name>
        </auth-constraint>
    </security-constraint>

20. Role based Access Control
    Servlet spec: permissions for web resources
    Java EE Security: permissions for classes and methods

21. Role based Access Control in Java EE
    @DeclareRoles, @RolesAllowed, @PermitAll, @DenyAll

22. JACC: Java Authorization Contract for Containers
    The implementation is responsible for: roles as a collection of permissions, granting of permissions, checking of permissions.

23.-24. Role Based Access Control

    @RolesAllowed("teacher")
    public Course create(Teacher lecturer, ...) {
        Course course = new Course(lecturer, ...);
        entityManager.persist(course);
        return course;
    }

    Requirement: Lecturers may only create their own courses.

25.-26. Role Based Access Control

    @Resource
    private EJBContext ejbContext;

    public Course create(Teacher lecturer, ...) {
        Principal caller = ejbContext.getCallerPrincipal();
        if (!lecturer.equals(caller)) {
            throw new SecurityException();
        }
        ...
    }

    The role concept is very limited! More complex access-control requirements end up scattered through the code! Maintainability and extensibility problems!

27. Alternatives to role-based access control?

28. Alternatives to role-based access control?
    Rights should not be granted according to what the user is (which role they have), but according to what they are allowed to do!

29.-32. Example I

33.-36. Example II

37. Authorization: What may the current user do?
    Role-based, Access Control Lists, user permissions, domain-object security

38. Access Control Lists
    Object -> Access Control List -> Access Control Entry (User 1), Access Control Entry (User 2), Access Control Entry (User 3)

39. Spring Security
    Security for Spring-based web apps
    Extensive authentication modules
    Authorization: request-based, method-based, Access Control Lists

40.-41. ACLs in Spring Security

    public List<Student> findAll() {
        TypedQuery<Student> query = entityManager.createNamedQuery(..., ...);
        return query.getResultList();
    }

    Requirements: Lecturers may only see students who attend their courses. Students may only see fellow students with whom they share courses.

42. ACLs in Spring Security: Spring context

43.-45. ACLs in Spring Security

    @PostFilter("hasPermission(filterObject, 'read')")
    public List<Student> findAll() {
        TypedQuery<Student> query = entityManager.createNamedQuery(..., ...);
        return query.getResultList();
    }

    Problem: filtering happens in memory! Poor performance with large data sets!
    Requirement: Lecturers may only create their own courses.

46.-48. ACLs in Spring Security

    @PreAuthorize("hasPermission(#course, 'create')")
    public void create(Course course) {
        entityManager.persist(course);
    }

    Throws AccessDeniedException.
    Further problem: how do the ACLs get into the database?

49.-52. ACLs in Spring Security

    @PostAuthorize("hasPermission(returnedObject, 'create')")
    public Course create(Course course) {
        entityManager.persist(course);
        ObjectIdentity identity = new ObjectIdentityImpl(Course.class, course.getId());
        String name = course.getTeacher().getName();
        PrincipalSid principal = new PrincipalSid(name);
        MutableAcl acl = aclService.createAcl(identity);
        acl.insertAce(0, CREATE, principal, true);
        aclService.updateAcl(acl);
        return course;
    }

53.-54. ACLs in Spring Security

    public void add(Course course, Student student) {
        course.subscribe(student);
        createACE(student, course.getLecturer());
        for (Student participant : course.getParticipants()) {
            createACE(student, participant);
            createACE(participant, student);
        }
    }

    Creating and deleting ACLs ends up scattered through the code! Maintainability and extensibility problems! What happens if a developer forgets to create or delete an ACL?

55. Authorization: What may the current user do?
    Role-based, Access Control Lists, user permissions, domain-object security

56. Seam Security
    Authentication: JAAS (Seam 2), PicketLink (Seam 3)
    Authorization: JSF, business method, entity (Seam 2 only)

57. Seam 3 Security

    @Create
    public Course create(@Owner Teacher lecturer, ...) {
        Course course = new Course(lecturer, ...);
        entityManager.persist(course);
        return course;
    }

58. Custom security annotations

    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @SecurityBindingType
    public @interface Create {}

    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.PARAMETER)
    @SecurityParameterBinding
    public @interface Owner {}

59. Separate implementation of the logic

    public class SecurityRules {
        @Secures @Create
        public boolean checkOwner(@Owner User owner, Identity user) {
            return owner.equals(user);
        }
    }

60.-61. Seam 3 Security

    @Create
    public Course create(@Owner Teacher lecturer, ...) {
        Course course = new Course(lecturer, ...);
        entityManager.persist(course);
        return course;
    }

    A check on the return value is currently not yet possible!

62.-63. Spring Security, domain-object based

    @PreAuthorize("#lecturer == principal")
    @PostAuthorize("returnedObject.lecturer == principal")
    public Course create(Teacher lecturer, ...) {
        Course course = new Course(lecturer, ...);
        entityManager.persist(course);
        return course;
    }

    What if the course is not created via the create method?

64. Seam 2 Security
    Rule-based authorization with Drools, also at the entity level

65. Entity security in Seam 2

    @Restrict
    @Entity
    public class Course { ... }

66. Entity security in Seam 2: Drools configuration

    rule CreateCourse
        no-loop
        activation-group "permission"
    when
        principal: Principal()
        course: Course(lecturer: lecturer -> (lecturer.equals(principal)))
        check: PermissionCheck(target == course, action == "insert", granted == false)
    then
        check.grant();
    end;

67. Entity security with Seam 2: orm.xml

68.-69. Entity security with Seam 2

    public List<Student> findAll() {
        TypedQuery<Student> query = entityManager.createNamedQuery(..., ...);
        return query.getResultList();
    }

    Throws AuthorizationException. Two methods are necessary.

70.-71. Entity security with Seam 2

    public List<Student> find(Teacher lecturer) { ... }

    public List<Student> find(Student fellow) { ... }

    The call is made on the basis of the currently logged-in user!

72.-73. Entity security with Seam 2

    public List<Student> findAll() {
        Principal caller = ejbContext.getCallerPrincipal();
        if (caller instanceof Teacher) {
            return find((Teacher) caller);
        } else {
            return find((Student) caller);
        }
    }

    Security scattered through the code again!

74. JPA Security
    Security framework for JPA
    Pluggable authentication
    Authorization: JSP and JSF support, access check on CRUD operations, in-memory filtering of collections, in-database filtering of queries (JPQL and Criteria)

75.-76. Entity security with JPA Security

    @Permit(access = AccessType.CREATE, rule = "lecturer = CURRENT_PRINCIPAL")
    @Entity
    public class Course { ... }

    Automatic check on entityManager.persist() or entityManager.merge() or on cascading!

77.-78. Entity security with JPA Security

    public List<Student> findAll() {
        TypedQuery<Student> query = entityManager.createNamedQuery(..., ...);
        return query.getResultList();
    }

    Automatic filtering of JPA queries and Criteria!

79. Entity security with JPA Security

    @PermitAny({
        @Permit(access = AccessType.READ,
                rule = "this IN (SELECT p"
                     + " FROM Course course"
                     + " JOIN course.participants p"
                     + " WHERE course.lecturer"
                     + " = CURRENT_PRINCIPAL"),
        @Permit(...)
    })
    @Entity
    public class Student { ... }

80. Entity security with JPA Security: persistence.xml

    <provider>org.hibernate.ejb.HibernatePersistence</provider>

81. Entity security with JPA Security: persistence.xml

    <provider>net.sf.jpase...SecurePersistenceProvider</provider>

82. Demo: create course

83. Demo: edit course

84. Conclusion: Authorization
    Method-based: Spring Security (permissions, ACL or EL); Seam 3 Security (type-safe via annotations in the code)
    Entity-based: JPA Security (automatic filtering in the database)

85. Q&A
    Thank you for your time.
    Contact: open knowledge GmbH, Bismarckstr. 13, 26122, [email protected], @ArneLimburg, @_openknowledge
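The createACE helper that slides 53 and 54 call but never show, written here as an added example with the Spring Security ACL API (not code from the talk). It assumes a domain model in which Student and Teacher extend a User type with getId() and getName(), and it adds the removeACE counterpart that the "forgot to delete an ACL" question implies, so that the bookkeeping burden the slides criticise becomes visible in code.

```java
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;

// Assumed domain model: Student and Teacher extend User, which offers getId() and getName().
public class StudentAclManager {
    private final MutableAclService aclService;
    public StudentAclManager(MutableAclService aclService) { this.aclService = aclService; }

    // createACE from the slide: 'viewer' (lecturer or fellow student) may READ 'student'.
    public void createACE(Student student, User viewer) {
        MutableAcl acl = aclFor(student);
        Sid sid = new PrincipalSid(viewer.getName());
        if (indexOfAce(acl, sid) < 0) {            // idempotent: a second shared course adds nothing
            acl.insertAce(acl.getEntries().size(), BasePermission.READ, sid, true);
            aclService.updateAcl(acl);
        }
    }

    // Unsubscribe counterpart; the caller must first check that no other shared course remains.
    public void removeACE(Student student, User viewer) {
        MutableAcl acl = aclFor(student);
        int index = indexOfAce(acl, new PrincipalSid(viewer.getName()));
        if (index >= 0) {
            acl.deleteAce(index);
            aclService.updateAcl(acl);
        }
    }
    // Loads the student's ACL, creating an empty one on first use.
    private MutableAcl aclFor(Student student) {
        ObjectIdentity identity = new ObjectIdentityImpl(Student.class, student.getId());
        try {
            return (MutableAcl) aclService.readAclById(identity);
        } catch (NotFoundException e) {
            return aclService.createAcl(identity);
        }
    }
    // Position of the entry for 'sid' (only READ is ever granted here), or -1 if none exists.
    private static int indexOfAce(MutableAcl acl, Sid sid) {
        for (int i = 0; i < acl.getEntries().size(); i++) {
            if (acl.getEntries().get(i).getSid().equals(sid)) return i;
        }
        return -1;
    }
}
```

Both public methods must run inside a transaction, as JdbcMutableAclService requires; note that removeACE still depends on the caller knowing whether another shared course exists, which is exactly the knowledge that is easy to lose once these calls are spread across the code base.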