the anatomy of a secure web applica6on using java
play

The Anatomy of a Secure Web Applica6on Using Java - PowerPoint PPT Presentation

Apr 07, 2023 •141 likes •907 views

The Anatomy of a Secure Web Applica6on Using Java ApacheCon NA 2015 John Field, Pivotal Services @EMC 1 Image:

  1. The ¡Anatomy ¡of ¡a ¡ ¡ Secure ¡Web ¡Applica6on ¡ ¡ Using ¡Java ¡ ¡ ¡ ¡ ¡ ¡ ApacheCon ¡NA ¡2015 ¡ ¡ John ¡Field, ¡Pivotal ¡Services ¡@EMC ¡ 1 Image: http://amhistory.si.edu/img/collections_xlarge/99-2741_428px.jpg

  2. Introduc6ons ¡ l John ¡Field ¡ @ l Security ¡Architect ¡at ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡@architectedsec ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡hJps://johnpfield.wordpress.com ¡ ¡ ¡ *Joint ¡work ¡with ¡Shawn ¡McKinney, ¡Principal ¡at ¡Symas. ¡ ¡ ¡ ApacheCon NA 2015 2 ¡

  3. Agenda ¡ • Introduc6on ¡ ¡ • Quick ¡Demonstra6on ¡ • Step-­‑by-­‑Step ¡“How ¡To” ¡Security ¡Guidance ¡ • Based ¡upon ¡the ¡“ FortressDemo2” ¡sample ¡applica6on ¡ • Survey ¡of ¡Security ¡Architecture ¡PaJerns ¡ • Requirements, ¡Capabili6es ¡ • Conclusion ¡ Picture of • Project ¡coordinates ¡ Oreo ApacheCon NA 2015 3

  4. Tutorial ¡Approach ¡ • Examine ¡a ¡typical ¡enterprise ¡Java ¡Web ¡applica6on, ¡ one ¡architectural ¡layer ¡at ¡a ¡6me. ¡ • Goals: ¡ • Be ¡able ¡to ¡recognize ¡and ¡iden6fy ¡some ¡well-­‑ known ¡security ¡architecture ¡paJerns. ¡ • Understand ¡how ¡each ¡paJern ¡contributes ¡to ¡ sa6sfying ¡the ¡overall ¡security ¡requirements. ¡ • Learn ¡how ¡to ¡implement ¡these ¡paJerns ¡via ¡ pragma6c, ¡hands-­‑on ¡configura6on ¡guidance. ¡ ApacheCon NA 2015 4

  5. Be a “Full Stack” Developer “No one can know everything about everything, but you should be able to visualize what happens up and down the stack as an application does its thing.” -- C. Bueno of Facebook, c. 2010 ApacheCon NA 2015 5

  6. Our ¡Business ¡Use ¡Case ¡ l Deployment ¡of ¡an ¡Enterprise ¡Java ¡Web ¡Applica6on. ¡ Assumes ¡a ¡standard ¡User ¡Agent ¡/ ¡Browser-­‑based ¡HTTPS ¡ • access ¡path. ¡ l We ¡have ¡requirements ¡for: ¡ ¡ ¡ ¡ User ¡Authen6ca6on ¡ • User ¡Authoriza6on ¡ HTTPS • Audit ¡Logging ¡ ¡ • Confiden6ality ¡and ¡Integrity ¡ ¡ ¡ ¡ • ApacheCon NA 2015 6

  7. Core Security Architecture Patterns 1. Use HTTPS / TLS on a shared network. 2. Use Container-based Enforcement 3. Delegate to a Trusted Third Party (TTP). 4. Use RBAC to express access control policy. 5. Create an audit log. The patterns remain the same, whether deploying on standalone servers, or to the cloud. ApacheCon NA 2015 7

  8. High-Level Deployment Tomcat LDAPS X509 Server Certificate HTTPS Java Web Application JDBC PAAS ApacheCon NA 2015 8

  9. Demonstration l Communications secured via SSL/TLS. l Users authenticate via enterprise LDAP. l Resource authorization via RBAC. - Static (type-based) and dynamic (instance-based) l Including Static and Dynamic Separation of Duties l Audit logging for all application events - i.e. any change of state ApacheCon NA 2015 9

  10. High-Level Deployment PAP: Identities Policies PEP: Confidentiality, Integrity Tomcat LDAPS X509 Server Certificate HTTPS Java Web Application JDBC PEP: AuthN & PEP: coarse- PEP: Pages, PDP: PDP: grained Audit controls, Policy Decision AuthZ datum, Logging AuthZ ApacheCon NA 2015 10

  11. The Anatomy of a Secure Java Web Application ApacheCon NA 2015 11

  12. The Anatomy of a Secure Java Web Application ApacheCon NA 2015 12

  13. Here we go! ApacheCon NA 2015 13

  14. Need to: - Create certificates. - Put them in the right place. ApacheCon NA 2015 14

  15. Step 1: Issue Certificates # ¡openssl ¡version ¡-­‑b ¡ If date < Mon Apr 7 2014, and version = 1.0.1, then installation is vulnerable to Heart Bleed and must be upgraded. # ¡sudo ¡apt-­‑get ¡upgrade ¡openssl ¡ ApacheCon NA 2015 15

  16. Step 1: Issue Certificates # ¡mkdir ¡certs ¡ Generate Generate CA self-signed keys # ¡cd ¡certs ¡ CA certificate ¡ Generate server certificate # ¡openssl ¡genrsa ¡2048 ¡> ¡pse-­‑ca-­‑key.pem ¡ signing request # ¡openssl ¡req ¡-­‑new ¡-­‑x509 ¡-­‑nodes ¡-­‑days ¡3600 ¡-­‑key ¡pse-­‑ca-­‑ key.pem ¡-­‑out ¡pse-­‑ca-­‑cert.pem ¡ # ¡openssl ¡req ¡-­‑newkey ¡rsa:2048 ¡-­‑days ¡1825 ¡-­‑nodes ¡-­‑keyout ¡ oreo-­‑server-­‑key.pem ¡-­‑out ¡oreo-­‑server-­‑req.pem ¡ ApacheCon NA 2015 16

  17. Step 1: Issue Certificates # ¡openssl ¡rsa ¡-­‑in ¡oreo-­‑server-­‑key.pem ¡-­‑out ¡oreo-­‑server-­‑ key.pem ¡ Sign server Remove passphrase ¡ certificate request from private key ¡ # ¡openssl ¡x509 ¡-­‑req ¡-­‑in ¡oreo-­‑server-­‑req.pem ¡-­‑days ¡1825 ¡-­‑CA ¡ pse-­‑ca-­‑cert.pem ¡-­‑CAkey ¡pse-­‑ca-­‑key.pem ¡-­‑set_serial ¡01 ¡-­‑out ¡ oreo-­‑server-­‑cert.pem ¡ Generate a temporary ¡ PKCS12 keystore. # ¡openssl ¡pkcs12 ¡-­‑export ¡-­‑name ¡fortressDemo2ServerCACert ¡-­‑ in ¡oreo-­‑server-­‑cert.pem ¡-­‑inkey ¡oreo-­‑server-­‑key.pem ¡-­‑out ¡ mykeystore.p12 ¡ ApacheCon NA 2015 17

  18. Step 1: Issue Certificates Use Java keytool to import PKCS12 into JKS key store for Web server # ¡keytool ¡-­‑importkeystore ¡-­‑destkeystore ¡mykeystore ¡-­‑ srckeystore ¡mykeystore.p12 ¡-­‑srcstoretype ¡pkcs12 ¡-­‑alias ¡ fortressDemo2ServerCACert ¡ Use Java keytool to import CA cert into JKS truststore for client application # ¡keytool ¡-­‑import ¡-­‑alias ¡fortressDemo2ServerCACert ¡-­‑file ¡pse-­‑ ca-­‑cert.pem ¡-­‑keystore ¡mytruststore ¡ ApacheCon NA 2015 18

  19. Certificate Summary • Server-side: 4 Files. • Used by OpenLDAP and MySQL to offer TLS. 1. pse-ca-cert.pem 2. oreo-server-cert.pem 3. oreo-server-key.pem • Used by Tomcat JSSE to offer HTTPS. 4. mykeystore • Client-side: 1 File. • Used by the Web application JSSE to negotiate HTTPS / TLS with OpenLDAP and MySQL servers. • mytruststore ApacheCon NA 2015 19

  20. Step 2: Tomcat HTTPS ApacheCon NA 2015 20

  21. Step 2: Tomcat HTTPS # ¡sudo ¡apt-­‑get ¡install ¡tomcat7 ¡tomcat7-­‑admin ¡tomcat7-­‑docs ¡ ¡ # ¡vi ¡/usr/share/tomcat7/conf/server.xml ¡ ApacheCon NA 2015 21

  22. Step 2: Tomcat HTTPS l Add the following to server.xml : <Connector ¡port="8443" ¡maxThreads="200" ¡ ¡ ¡ ¡ ¡ ¡ ¡scheme="hJps" ¡secure="true" ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡SSLEnabled="true“ ¡ ¡ ¡ ¡ ¡ ¡ ¡keystoreFile= ¡“conf/mykeystore” ¡ ¡ ¡ ¡ ¡ ¡ ¡keystorePass=”changeit” ¡ ¡ ¡ ¡ ¡ ¡ ¡clientAuth="false" ¡sslProtocol="TLS"/> ¡ ApacheCon NA 2015 22

  23. Step 2: Tomcat HTTPS Put mykeystore in the indicated place # ¡sudo ¡cp ¡certs/mykeystore ¡ ¡/usr/share/tomcat7/conf ¡ # ¡sudo ¡cp ¡sentry-­‑1.0-­‑RC39-­‑proxy.jar ¡/usr/share/tomcat7/lib ¡ ¡ # ¡sudo ¡service ¡tomcat7 ¡restart ¡ While you are at it, add the JEE Security Realm Provider Proxy jar. ApacheCon NA 2015 23

  24. Step 3: Enable Java EE Security ApacheCon NA 2015 24

  25. Add JEE Security To Web.xml <security-constraint> Declarative <display-name>My Security Constraint</display-name> coarse-grained <web-resource-collection> authorization. <web-resource-name>Protected Area</web-resource-name> Enforced <url-pattern>/secured/*</url-pattern> high in the </web-resource-collection> stack. <auth-constraint> <role-name>ROLE_DEMO_USER</role-name> HTML </auth-constraint> Form-based Authentication </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>MySecurityRealm</realm-name> <form-login-config> <form-login-page>/login/login.html</form-login-page> <form-error-page>/login/error.html</form-error-page> </form-login-config> ApacheCon NA 2015 25 </login-config>

  26. Step 4: Enable Policy Decision Point ApacheCon NA 2015 26

  27. Step 4: Enable Policy Decision Point Assume an LDAP server Focus on is already the PDP deployed. integration via Fortress Sentry ApacheCon NA 2015 27

  28. Fortress Sentry RBAC PDP • Sentry is a standards-compliant RBAC PDP • Conforms to NIST / ANSI / INCITS 359 • Integrates into Tomcat • JEE Custom Realm Provider • Integrates into application • As a standard Java component. • Add the dependency to Maven pom.xml • Add the Bean definition to Spring applicationContext.xml ApacheCon NA 2015 28

  29. ANSI RBAC – the TL;DR ApacheCon NA 2015 29

  30. ANSI RBAC – INCITS 359 RBAC0 : Users, Roles, Perms, Sessions RBAC1 : Hierarchical Roles RBAC2 : Static Separation of Duties RBAC3 : Dynamic Separation of Duties ApacheCon NA 2015 30

Recommend

Agenda 1. Introduction 1. Introduction 2. Anatomy 2. Anatomy 3. A real word example 3. A real

Agenda 1. Introduction 1. Introduction 2. Anatomy 2. Anatomy 3. A real word example 3. A real

The Android GUI Fram ew ork Java User Group Sw itzerland May 2008 Markus Pilz Peter Wlodarczak mp@greenliff.com pw@greenliff.com Agenda 1. Introduction 1. Introduction 2. Anatomy 2. Anatomy 3. A real word example 3. A real word example

526 views • 19 slides
Anatomy of a Java User Group A Community of Developers

Anatomy of a Java User Group A Community of Developers

Anatomy of a Java User Group A Community of Developers for Developers About the London Java Community Leading Java User Group in the UK

975 views • 8 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Section 0006 Instructor: Alvin Chao Professor: Alvin Chao Anatomy of a Java Program: Comments l

Section 0006 Instructor: Alvin Chao Professor: Alvin Chao Anatomy of a Java Program: Comments l

Welcome to CS 149 Section 0006 Instructor: Alvin Chao Professor: Alvin Chao Anatomy of a Java Program: Comments l Javadoc comments: /** l * Application that converts inches to centimeters. * l * @author Chris Mayfield l * @version

221 views • 21 slides
The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress May 18, 2017

The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress May 18, 2017

The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress May 18, 2017 ApacheCon NA, Miami Objective Think about how a web app would behave, if we spared no expense for security. ApacheCon NA, Miami 2017 2 @play

1.03k views • 85 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits

CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits

CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits Some Survey Responses 2 Sunsetting Google+ 3 https://www.blog.google/technology/safety-security/project-strobe/ Details 4 Notifications 5

1.12k views • 64 slides
Basic Anatomy Anatomy: General Planes of the body

Basic Anatomy Anatomy: General Planes of the body

Musculoskeletal Biomechanics BIOEN 520 | ME 527 Mini-Lab 1 Basic Anatomy Anatomy: General Planes of the body DirecGonal terms Joint

1.24k views • 65 slides
2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a

2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a

2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a cloud d computing platform Lih Shyang Chen Department of Electrical En ngineering National Cheng Kung Unive N ti l Ch K U i ersity

319 views • 27 slides
Secure SMS messaging using Quasigroup encryption and Java SMS API Marko Hassinen, Smile Markovski

Secure SMS messaging using Quasigroup encryption and Java SMS API Marko Hassinen, Smile Markovski

Secure SMS messaging using Quasigroup encryption and Java SMS API Marko Hassinen, Smile Markovski Marko.Hassinen@cs.uku.fi, smile@ii.edu.mk University of Kuopio, Finland SS Cyril and Methodius University, Republic of Macedonia SPLST 2003

595 views • 38 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
1 Reason Anatomy and Physiology are the foundation on which all medicine is based. Learn well

1 Reason Anatomy and Physiology are the foundation on which all medicine is based. Learn well

EAPIntroduction to Anatomy and Physiology PFN: SOMAPL11 Hours: 1.5 JSOMTC, SWMG(A) Slide 1 Terminal Learning Objective Action: Communicate knowledge of Introduction to Anatomy and Physiology Condition: Given a lecture in a

630 views • 30 slides
BIOMETRY COURSE Module 1 Anatomy &amp; Vision Welcome to Anatomy Emma Deighan Trainer in

BIOMETRY COURSE Module 1 Anatomy &amp; Vision Welcome to Anatomy Emma Deighan Trainer in

BIOMETRY COURSE Module 1 Anatomy &amp; Vision Welcome to Anatomy Emma Deighan Trainer in Ophthalmology for 20 Years Please ask questions! Email emma@medsalesacademy.co.uk www.medsalesacademy.co.uk Today we will learn Anatomy

1.24k views • 29 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i &lt; 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i &lt; 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java Authoring Team: Bill Foote, Chihiro Saito, A. Sundararajan, Jaya Hangal TS-5449 Talk Outline HD Cookbook Community Overview Target: Blu-ray

592 views • 44 slides
Classes 1 / 36 Classes Classes 2 / 36 Anatomy of a Class By the end of next lecture, youll

Classes 1 / 36 Classes Classes 2 / 36 Anatomy of a Class By the end of next lecture, youll

Classes 1 / 36 Classes Classes 2 / 36 Anatomy of a Class By the end of next lecture, youll understand everything in this class definition. package edu.gatech.cs1331.card; import java.util.Arrays; public class Card { public static

705 views • 36 slides
DTrace Topics: -&gt; java/lang/System.arraycopy &lt;- java/lang/System.arraycopy Java &lt;-

DTrace Topics: -&gt; java/lang/System.arraycopy &lt;- java/lang/System.arraycopy Java &lt;-

# ./jflow.d &lt;- java/lang/Thread.sleep -&gt; Greeting.greet -&gt; java/io/PrintStream.println -&gt; java/io/PrintStream.print -&gt; java/io/PrintStream.write -&gt; java/io/PrintStream.ensureOpen &lt;- java/io/PrintStream.ensureOpen -&gt;

632 views • 34 slides
Overview TCP/IP Securing TCP/IP Open Systems Interconnection Model Anatomy of a Packet

Overview TCP/IP Securing TCP/IP Open Systems Interconnection Model Anatomy of a Packet

Overview TCP/IP Securing TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Chapter 6 Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2 Introduction to TCP/IP

445 views • 8 slides
Core Surgical Anatomy Programme Induction to the Programme &amp; the Human Anatomy Unit Revised

Core Surgical Anatomy Programme Induction to the Programme &amp; the Human Anatomy Unit Revised

Core Surgical Anatomy Programme Induction to the Programme &amp; the Human Anatomy Unit Revised Version 7, Aug 2019 RJW The aim of the Programme is to review the anatomy of the whole human body with a clinical slant, using cadaveric

696 views • 38 slides
Section 38: Muscle - Anatomy Section 38: Muscle - Anatomy 38-1 Muscle types: cardiac

Section 38: Muscle - Anatomy Section 38: Muscle - Anatomy 38-1 Muscle types: cardiac

Section 38: Muscle - Anatomy Section 38: Muscle - Anatomy 38-1 Muscle types: cardiac muscle: composes the heart smooth muscle: lines hollow internal organs skeletal (striated or voluntary) muscle: attached to skeleton via

252 views • 9 slides
Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp .. -jar myapp.jar Java 9 java -cp .. -jar myapp.jar Today's journey Running on Java 9 Java 9 modules Migrating to modules Modularising code

851 views • 45 slides
Eye Anatomy Hook Your Attention The Parts of the Eye 1 10/3/2017 Eye Physiology How the Eye

Eye Anatomy Hook Your Attention The Parts of the Eye 1 10/3/2017 Eye Physiology How the Eye

10/3/2017 Itinerary Today Anatomy Physiology Exam Everything you need to WKC 16 Cases know about the eye in 58 Questions minutes Michael B. Shapiro MD, MS Madison, Wisconsin October 2017 Eye Anatomy Hook Your

549 views • 13 slides
C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

CSCI 2132: Software Development Norbert Zeh Faculty of Computer Science C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well. Focus on differences between C and Java. Arithmetic Operators Most

152 views • 14 slides

More recommend