server security

Upload: kamal-pandey

Post on 07-Apr-2018


  • 8/3/2019 Server Security

    1/15

    Security in Java Enterprise Edition (EE)

    Anil Saldhana, Red Hat

    [email protected]

    http://anil-identity.blogspot.com

  • 2/15

    Java Enterprise

    [Architecture diagram: Browser -> Web Server or Java EE Application Server -> Java EE Application Servers -> Database/Messaging/LDAP and Legacy Infrastructure]

  • 3/15

    Java EE Security

    Underspecified.

    Containers perform 2 sequential steps:

    1. Establish Principal (Authentication)

    2. Determine Roles and undertake enforcement (Authorization)

    RBAC-based coarse-grained access control.

    Roles shield Web Resources, EJB Methods, Message Destinations.

    Security is an aspect external to the app.

  • 4/15

    Java EE Containers: Authentication

    [Diagram: Java EE Container asks "WHO ARE YOU?" and replies "I KNOW YOU!"]

    Credentials presented: Username, SAML2 Assertions, WS-Trust Claims, Kerberos Principal

    Result: Java Principal in Java Subject

  • 5/15

    Java EE Containers: Authorization

    [Diagram: Java EE Container asks "WHAT ROLES DO YOU HAVE?" and replies "GO AHEAD!"]

    Java Principal requests Access, checked against Java EE Policies

  • 6/15

    AUTHENTICATION TYPES

    BASIC AUTHENTICATION: security credentials are required to authenticate

    FORM BASED AUTHENTICATION: an HTML form providing the security credentials

    SSL AUTHENTICATION: authentication by certificates

  • 7/15

    Important Terms in Java EE Security

    Realm

    Groups

    Users

    Principal

    Role

    The application server will provide the facility to create realms, users and groups.

  • 8/15

    In BASIC AUTHENTICATION and FORM-BASED AUTHENTICATION

    Roles are created in the application context, like sun-web.xml, with predefined tags.

    The resources required to be protected are listed in web.xml with role and group.
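As an added illustration of this slide (not taken from the original deck), here is a minimal web.xml that protects a URL pattern with a role and selects BASIC login, alongside the GlassFish v2 sun-web.xml that maps that role to a realm group; the URL pattern, role name, group name and the use of the "file" realm are assumptions for the ConverterApp example.

```xml
<!-- web.xml: declares WHAT is protected and HOW the caller logs in -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Converter</web-resource-name>
      <!-- assumed URL pattern inside ConverterApp -->
      <url-pattern>/convert/*</url-pattern>
      <!-- no <http-method> list on purpose: that covers every method.
           Listing only GET and POST would leave HEAD, PUT, etc. unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- only callers holding this role get through; "converter-user" is an assumed name -->
      <role-name>converter-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC auth only base64-encodes the password on every request,
           so require HTTPS (the port 8181 URL from the last slide) -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- "file" is the default file-based realm in GlassFish v2 (assumed here).
         FORM login would use <auth-method>FORM</auth-method> plus
         <form-login-config> with form-login-page and form-error-page. -->
    <realm-name>file</realm-name>
  </login-config>

  <security-role>
    <role-name>converter-user</role-name>
  </security-role>
</web-app>

<!-- sun-web.xml: GlassFish-specific mapping of the role to a group in the realm -->
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN"
  "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app>
  <context-root>/ConverterApp</context-root>
  <security-role-mapping>
    <role-name>converter-user</role-name>
    <!-- "converters" is an assumed group created in the file realm via the admin console -->
    <group-name>converters</group-name>
  </security-role-mapping>
</sun-web-app>
```

Users placed in the "converters" group of the realm obtain the converter-user role; anyone else gets an HTTP 403 after authenticating, and plain-HTTP requests are redirected to HTTPS before credentials are sent.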

  • 9/15

    BASIC AUTHENTICATION

  • 10/15

    FORM BASED AUTHENTICATION

  • 11/15

    SSL AUTHENTICATION

    THE SERVER IS AUTHENTICATED BY THE CLIENT USING A DIGITAL CERTIFICATE CERTIFIED BY A CERTIFICATION AUTHORITY

    FIRST STEP IS TO GENERATE A DIGITAL CERTIFICATE USING A PUBLIC KEY / PRIVATE KEY PAIR

  • 13/15

    STEPS TO GENERATE CERTIFICATE (with reference to glassfish-v2)

    1. Visit the config folder and copy the existing keystore under another name:

       cp keystore.jks keystore-backup.jks

    2. Remove the default key (s1as) from the keystore:

       keytool -delete -alias s1as -keystore keystore.jks

       This will prompt for a password. The default password is the password of the keystore (changeit).

    3. Generate a key pair in the keystore:

       A) keytool -genkey -keyalg RSA -keysize 1024 -alias s1as -keystore keystore.jks -validity 365

       B) Enter the password

  • 14/15

    Continued

    4. Enter all the credentials required, like name, city, company etc.

    5. Generate a certificate file:

       keytool -export -alias s1as -file serverb-cert.cer -keystore keystore.jks

    6. Copy the file into the trusted keystore cacerts.jks:

       keytool -import -alias serverb.mycompany.com -file serverb-cert.cer -keystore cacerts.jks

  • 15/15

    Browse your resource using https

    eg. https://localhost:8181/ConverterApp

    This will show a certificate from the server which a client can reject or accept.