The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress (PowerPoint PPT Presentation)


  1. The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress May 18, 2017 ApacheCon NA, Miami

  2. Objective • Think about how a web app would behave, if we spared no expense for security.

  3. Introductions • Shawn McKinney • @work: Software Architect, PMC Apache Directory Project, Engineering Team • @play

  4. Agenda • Look at two examples… 1. Apache Fortress Demo + Java EE + Spring Security – https://github.com/shawnmckinney/apache-fortress-demo 2. Fortress SAML Demo + Spring Security SP – https://github.com/shawnmckinney/fortress-saml-demo

  5. Themes Covered 1. Simplicity 2. Common Sense 3. Household Analogies to explain ‘Why’

  6. With a few caveats… • Not cloud native • Not microservices • Not big data • Not a problem, same rules apply

  7. And a couple of recommendations • Listen, don’t take notes. These slides are published and have all the details you need. • Save questions for the end (we’ve got a lot of ground to cover).

  8. Example #1: Apache Fortress Demo https://github.com/shawnmckinney/apache-fortress-demo

  9. The Five Security Layers of Java Web Apps 1. Java Secure Socket Extension (JSSE) 2. Java EE Security 3. Spring Security 4. Web App Framework 5. Database Functions

  10. Rationale for Each 1. JSSE: private conversations 2. Java EE Security: deadbolt on front door 3. Spring Security: locks on room doors 4. Web App Framework: locks on equipment in rooms 5. Database Functions: content filtering

  11. Two Areas of Access Control 1. Java EE and Spring Role: declarative checks 2. RBAC Permission: programmatic checks

  12. Start with Tomcat Servlet Container

  13. ssshhh!!! 1 & 2. Enable HTTPS 1. Update the server.xml 2. Add private key

  14. Enable Tomcat TLS
  1. Generate keystore with private key (Steps 1 - 5): http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/keys.html
  2. Add the following to server.xml:
  <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/path/mykeystore" keystorePass="******" clientAuth="false" sslProtocol="TLS"/>
  http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/apache-tomcat-ssl.html

  15. Change Tomcat TLS Enabled Cipher Suites (disable weak Diffie-Hellman ciphers)
  <Connector port="8443" … ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA"
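
The slide's `ciphers` attribute is a hand-maintained allow-list, so it is worth running a check over it before deploying: the list above still names NULL, RC4 and 3DES suites and several static-RSA/ECDH suites without forward secrecy. The following audit script is an added example (not part of the slides or the apache-fortress-demo project); it parses the Connector out of a constructed server.xml that carries the slide's list and reports, per suite, why a reviewer would object. The marker table and wording are the author's assumptions, not a Tomcat feature.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the HTTPS Connector from the slides, carrying the
# cipher list shown on slide 15 (the other attribute values are placeholders).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="/path/mykeystore" keystorePass="******" clientAuth="false" sslProtocol="TLS"
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,
TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA"/>
</Service></Server>"""

# Substrings of an IANA suite name that make it unfit, with the reason a reviewer would cite.
WEAK_MARKERS = (
    ("_NULL_", "NULL cipher: no confidentiality at all"),
    ("_RC4_", "RC4: broken stream cipher, prohibited by RFC 7465"),
    ("_3DES_", "3DES: 64-bit block cipher (Sweet32)"),
    ("_EXPORT_", "export-grade key sizes"),
    ("_anon_", "anonymous key exchange: no server authentication"),
    ("_MD5", "MD5-based MAC"),
)


def connector_ciphers(server_xml: str) -> list:
    """Return the suites configured on the first TLS-enabled Connector (empty if none)."""
    root = ET.fromstring(server_xml)
    conn = root.find(".//Connector[@SSLEnabled='true']")
    if conn is None:
        return []
    return [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]


def audit_suite(name: str) -> list:
    """Findings for one suite name; an empty list means no objection."""
    findings = [why for marker, why in WEAK_MARKERS if marker in name]
    key_exchange = name.split("_WITH_")[0]          # e.g. TLS_ECDHE_RSA
    if "ECDHE" not in key_exchange and "_DHE_" not in key_exchange:
        findings.append("no forward secrecy: static RSA/ECDH key exchange")
    return findings


def audit_connector(server_xml: str) -> dict:
    """Map every configured suite to its list of findings."""
    return {suite: audit_suite(suite) for suite in connector_ciphers(server_xml)}


def acceptable_suites(server_xml: str) -> list:
    """The suites that survive the audit, sorted for stable output."""
    return sorted(s for s, f in audit_connector(server_xml).items() if not f)


if __name__ == "__main__":
    for suite, findings in audit_connector(SERVER_XML).items():
        status = "OK  " if not findings else "WEAK"
        print(f"{status} {suite}  {'; '.join(findings)}")
```

Run against the slide's list, only the four ECDHE AES-CBC suites pass; everything else is reported with the reason, which is the information a change reviewer needs before approving the Connector.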

  16. the deadbolt 3. Enable Java EE Security a. Update web.xml b. Drop the proxy jar c. Add context.xml d. Add fortress to pom.xml

  17. Enable Java EE Security Realm. Add to the app’s web.xml:
  <security-constraint>
    <display-name>My Project Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/wicket/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>DEMO2_USER</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MySecurityRealm</realm-name>
    <form-login-config>
      <form-login-page>/login/login.html</form-login-page>
    </form-login-config>
  </login-config>
  Callouts: 1. Java EE container protects this URL automatically (url-pattern). 2. All users must have this role to gain entry (auth-constraint). 3. Route un-authN requests to my form (form-login-page).
  https://github.com/shawnmckinney/apache-fortress-demo/blob/master/src/main/webapp/WEB-INF/web.xml
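
To make the three callouts concrete, here is an added example (not from the slides or the demo project) that models what the container decides for a request once this web.xml is in place: which url-pattern applies, whether an unauthenticated caller is sent to the form login page, and whether an authenticated caller holds a role named in the auth-constraint. The sample web.xml is constructed from the slide's snippet, and `decide` is a simplified model of the Servlet declarative rules (it treats `*` and `**` alike as "any authenticated user" and does not merge overlapping constraints), not Tomcat's own code.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml: the security-constraint and login-config from slide 17,
# with the closing tags the slide cuts off.
WEB_XML = """<web-app>
  <security-constraint>
    <display-name>My Project Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/wicket/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>DEMO2_USER</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MySecurityRealm</realm-name>
    <form-login-config>
      <form-login-page>/login/login.html</form-login-page>
    </form-login-config>
  </login-config>
</web-app>"""


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: default ('/'), path prefix ('/wicket/*'), extension ('*.html'), exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def load_constraints(web_xml: str) -> list:
    """Each constraint as (url patterns, roles). roles is None when there is no auth-constraint
    (no role check) and an empty list for an empty <auth-constraint/> (nobody may access)."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        constraints.append((patterns, roles))
    return constraints


def form_login_page(web_xml: str) -> str:
    """The page un-authenticated requests are routed to under FORM authentication."""
    return ET.fromstring(web_xml).findtext(
        "login-config/form-login-config/form-login-page", "").strip()


def decide(web_xml: str, path: str, principal_roles) -> str:
    """Container decision for a request to `path`.
    principal_roles=None models an unauthenticated request; otherwise it is the caller's roles."""
    applicable = [roles for patterns, roles in load_constraints(web_xml)
                  if any(url_pattern_matches(p, path) for p in patterns)]
    for roles in applicable:
        if roles is None:
            continue                              # constraint without auth-constraint: no role check
        if principal_roles is None:
            return "REDIRECT " + form_login_page(web_xml)   # callout 3: route to the login form
        if not roles:
            return "FORBIDDEN"                    # empty auth-constraint denies everyone
        if "*" not in roles and "**" not in roles and not set(roles) & set(principal_roles):
            return "FORBIDDEN"                    # callout 2: caller lacks every required role
    return "PERMIT"                               # no applicable constraint, or all satisfied


if __name__ == "__main__":
    for path, roles in [("/wicket/page1", None), ("/wicket/page1", ["DEMO2_USER"]),
                        ("/wicket/page1", ["OTHER"]), ("/login/login.html", None)]:
        print(f"{path!r:22} roles={roles!s:16} -> {decide(WEB_XML, path, roles)}")
```

The last case shows a detail that bites in practice: the login page itself must sit outside every protected url-pattern, otherwise the redirect loops.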

  18. Enable Java EE Security Realm. Drop the Fortress Realm Proxy Jar in Tomcat’s lib folder. Fortress Realm Proxy uses dependencies within the web app via URLClassloader.

  19. Enable Java EE Security Realm. Add context.xml to META-INF folder:
  <Context reloadable="true">
    <Realm className="org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy"
           defaultRoles="ROLE_DEMO2_SUPER_USER,DEMO2_ALL_PAGES, ROLE_PAGE1, ROLE_PAGE2, ROLE_PAGE3"/>
  </Context>
  Callouts: className is the Apache Fortress Tomcat Realm; defaultRoles is the set of role candidates eligible to be activated into a session.
  https://github.com/shawnmckinney/apache-fortress-demo/blob/master/src/main/resources/META-INF/context.xml

  20. Enable RBAC Policy Decision Point. Add Fortress Dependency to web app’s pom.xml:
  <dependency>
    <groupId>org.apache.directory.fortress</groupId>
    <artifactId>fortress-realm-impl</artifactId>
    <version>2.0.0-RC2</version>
  </dependency>

  21. the security system 4. Setup RBAC PDP (Policy Decision Point) a. Install b. Configure c. Use

  22. https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-APACHEDS.md

  23. Or: https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md

  24. Use ANSI RBAC INCITS 359 Specification • RBAC0: Users, Roles, Perms, Sessions • RBAC1: Hierarchical Roles • RBAC2: Static Separation of Duties • RBAC3: Dynamic Separation of Duties. Callout: Today we demo this.

  25. Use RBAC Object Model • Six basic elements: 1. User – human or machine entity 2. Role – a job function within an organization 3. Object – maps to system resources 4. Operation – executable image of program 5. Permission – approval to perform an Operation on one or more Objects 6. Session – contains set of activated roles for User

  26. Use RBAC Functional Model • APIs form three standard interfaces: 1. Admin – Add, Update, Delete 2. Review – Read, Search 3. System – Access Control. Callouts: Admin and Review are management and config processes; System is the demo’s runtime processes.

  27. Use RBAC Functional Model • System Manager APIs: http://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/impl/AccessMgrImpl.html 1. createSession – authenticate, activate roles 2. checkAccess – permission check 3. sessionPermissions – all perms active for user 4. sessionRoles – return all roles active 5. addActiveRole – add new role to session 6. dropActiveRole – remove role from session
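
Slides 19, 25 and 27 together describe the programmatic side of access control: the six RBAC0 elements, the realm's defaultRoles candidate set, and the six System Manager calls. The block below is an added example (written for this page, not Fortress's AccessMgrImpl or any project code) that implements those six calls over an in-memory RBAC0 model so the interplay can be exercised offline. The role names come from the demo's context.xml; the user, password, permissions and the rule that createSession activates exactly the assigned roles that are also candidates are the author's assumptions for this toy model. Credentials are checked against a local digest only because the example must run stand-alone; a real PDP authenticates against the directory.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    obj_name: str        # Object: a protected resource, e.g. a page
    op_name: str         # Operation: what may be done to it


@dataclass
class Role:
    name: str
    perms: frozenset     # Permissions granted to this role


@dataclass
class User:
    user_id: str
    pw_digest: str       # toy credential store (assumption); real PDPs use the directory
    assigned: frozenset  # roles assigned to the user, not yet active


@dataclass
class Session:
    user_id: str
    active_roles: set = field(default_factory=set)


def pw_digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


class AccessMgr:
    """Toy RBAC0 policy decision point; method names follow slide 27, logic is constructed here."""

    def __init__(self, users, roles, default_roles):
        self.users = {u.user_id: u for u in users}
        self.roles = {r.name: r for r in roles}
        self.candidates = frozenset(default_roles)   # realm defaultRoles: eligible for activation

    def create_session(self, user_id: str, password: str) -> Session:
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user.pw_digest, pw_digest(password)):
            raise PermissionError("authentication failed")
        # Activate every assigned role that is also a candidate (assumed behaviour of this model).
        return Session(user_id, set(user.assigned & self.candidates))

    def check_access(self, session: Session, perm: Permission) -> bool:
        return perm in self.session_permissions(session)

    def session_permissions(self, session: Session) -> set:
        perms = set()
        for name in session.active_roles:
            role = self.roles.get(name)          # a candidate with no definition grants nothing
            if role is not None:
                perms |= role.perms
        return perms

    def session_roles(self, session: Session) -> set:
        return set(session.active_roles)

    def add_active_role(self, session: Session, role_name: str) -> bool:
        user = self.users[session.user_id]
        if role_name not in user.assigned or role_name not in self.candidates:
            return False                         # not assigned to the user, or not a candidate
        session.active_roles.add(role_name)
        return True

    def drop_active_role(self, session: Session, role_name: str) -> None:
        session.active_roles.discard(role_name)


def build_demo() -> AccessMgr:
    """Constructed policy: role names from the demo's context.xml, everything else made up."""
    view = lambda page: Permission(page, "view")
    roles = [
        Role("ROLE_PAGE1", frozenset({view("page1")})),
        Role("ROLE_PAGE2", frozenset({view("page2")})),
        Role("ROLE_PAGE3", frozenset({view("page3")})),
        Role("ROLE_DEMO2_SUPER_USER", frozenset({view("page1"), view("page2"), view("page3")})),
        Role("ROLE_AUDITOR", frozenset({Permission("auditlog", "read")})),  # assigned, not a candidate
    ]
    users = [User("demouser", pw_digest("s3cret"),
                  frozenset({"ROLE_PAGE1", "ROLE_PAGE2", "ROLE_AUDITOR"}))]
    default_roles = ["ROLE_DEMO2_SUPER_USER", "DEMO2_ALL_PAGES",
                     "ROLE_PAGE1", "ROLE_PAGE2", "ROLE_PAGE3"]
    return AccessMgr(users, roles, default_roles)


if __name__ == "__main__":
    mgr = build_demo()
    s = mgr.create_session("demouser", "s3cret")
    print("active roles:", sorted(mgr.session_roles(s)))
    print("page1/view:", mgr.check_access(s, Permission("page1", "view")))
    mgr.drop_active_role(s, "ROLE_PAGE1")
    print("page1/view after drop:", mgr.check_access(s, Permission("page1", "view")))
```

The point of the candidate set shows up in ROLE_AUDITOR: the user holds it, but because the realm does not list it in defaultRoles it is neither activated at login nor accepted by addActiveRole, so the web app can never exercise its permissions even though the directory assigns them.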

  28. confidentiality 5 – 8. Enable LDAP SSL

  29. Enable LDAP SSL Client
  1. Import public key to java truststore: http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/keys.html
  2. Add to fortress.properties:
  host=ldap-server-domain-name.com   (the common name in the server cert)
  port=636
  enable.ldap.ssl=true
  trust.store=mytruststore
  trust.store.password=changeit
  trust.store.onclasspath=true   (can be found on classpath)

  30. Enable ApacheDS LDAP SSL Server 1. Import keystore with Apache Directory Studio 2. Restart ApacheDS Server http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/apache-directory-ssl.html

  31. Or: Enable OpenLDAP SSL Server. Add locations of crypto artifacts to slapd server config:
  TLSCACertificateFile /path/to/my/ca-certificate
  TLSCertificateFile /path/to/my/server-certificate
  TLSCertificateKeyFile /path/to/my/private-key
  http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/openldap-ssl.html

  32. locks on the rooms 9. Enable Spring Security a. Authorization b. Role mapping
