Markus Eisele, profile picture
Uploaded byMarkus Eisele
PDF, PPTX6,489 views

THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS

The document discusses the essential principles for securing Java EE applications, emphasizing a holistic approach to security across various layers such as network, operating system, and application services. Key topics include managing threats and vulnerabilities, effective authentication and authorization strategies, and ensuring data confidentiality, integrity, and availability. Best practices are highlighted, alongside the limitations of Java EE in supporting these security measures, with suggestions for custom implementations and external tools.

Embed presentation

Download as PDF, PPTX
THEFT PROOF-JAVA EE Markus Eisele markus@jboss.org @myfear blog.eisele.net Securing your Java EE applications
YOU KNOW JAVA EE
BUT WHAT DO YOU KNOW ABOUT SECURITY?
Markus Eisele aka @myfear5 HOLISTIC SECURITY To build a secure Java EE application, a holistic approach to application security is required and security must be applied at all layers and services. Network Host Application Platform Services (JVM, Application Server) Operating System Infrastructure Software Application Landscape Enterprise- Services Business IT-Security-Architecture
Secure applications rely on secure networks Markus Eisele aka @myfear6 SECURE NETWORKS Things to look out for: • Router • Firewall • Switch • Protocols • Ports • Firmware • Standard passwords
Repeat for all of them: including database, message broker, httpd-server and all the others. Markus Eisele aka @myfear7 SECURE HOSTS / OPERATING SYSTEMS Things to look out for: • Shared Volumes • Running Services • Accounts (user and service) • Auditing and Logging • Files and directories • Patches and updates
All pre-installed runtimes, like the JVM/JDK, Application server, etc. Markus Eisele aka @myfear8 PLATFORM SERVICES Things to look out for: • Policy Files • File Access Rights • Default Passwords • Admin Console
Security relies on the following components WHAT IS APPLICATION SECURITY? Availability Integrity Confidentiality Auditing Authorization Authentication Markus Eisele aka @myfear9
A thread is a potential event that may affect your system. An attack exploits a vulnerability in your system. Markus Eisele aka @myfear10 THREATS, VULNERABILITIES, AND ATTACKS How do you decide if an application is secure? Application + Infrastructure exposes Vulnerability exploits Attack
Markus Eisele aka @myfear11 NO SECURITY WITHOUT THREATS It is not possible to design and build a secure Web application until you know your threats. Thread modelling in the design phase: • To be protected • CC, Address, etc. Data Goal of an attackThreat • Potential damage • $ or image Rate
Markus Eisele aka @myfear12 STRATEGY – APPROACH - GOAL
Some basic categories mapped down from the security components Markus Eisele aka @myfear13 APPLICATION VULNERABILITY CATEGORIES • Input Validation • Authentication • Authorization • Configuration Management • Sensitive Data • Session Management • Data Encryption • Parameter Manipulation • Exception Handling • Auditing and Logging • Timestamping • Role Based Access Control • Execution Sandboxing • Process Separation
Best Practices for designing secure applications. Markus Eisele aka @myfear14 CORE SECURITY PRINCIPLES • Compartmentalize • Use least privilege • Apply defense in depth • Do not trust user input • Check at the gate • Fail securely • Secure the weakest link • Create secure defaults • Reduce your attack surface THINGS TO KEEP IN MIND FOR YOUR SYSTEM DESIGN
AND HOW MUCH OF THAT CAN YOU DO WITH JAVA EE? 15
Basic, Form, Digest, Client, Mutual Markus Eisele aka @myfear16 AUTHENTICATION The means by which communicating entities, such as client and server, prove to each other that they are acting on behalf of specific identities that are authorized for access. This ensures that users are who they say they are. • Configuration via deployment descriptor • Application roles mapping into server groups • Most servers provide standard login modules (DB, LDAP, Client-Cert, Filesystem) • Additional resources (Keystores, LDAP, DB) • Custom Authentication Logic via: • JASPIC • JAAS • Server Specific Features (Realms)
The missing pieces Markus Eisele aka @myfear17 AUTHENTICATION Well known and broadly used and still missing in Java EE • Two Factor Auth Support (Custom Token, Hardware Token, Soft-Token) • Social Login (Facebook, Twitter, GitHub) • User Registration / Self Service • Easy Customizing for custom login pages • OAuth support • Policies (Password / Revocation)
Option: Custom implementation (e.g. OAuth w/ programmatic security) Markus Eisele aka @myfear18 AUTHENTICATION https://oneminutedistraction.wordpress.com/2014/04/29/using-oauth-for-your-javaee-login/ Browser Java EE Server OAuth Login Button Redirect Login Page Submit Credentials Redirect Callback URL Redirect Callback Get access_token Get User Data
DISADVANTAGESADVANTAGES Custom Implementation Markus Eisele aka @myfear19 AUTHENTICATION • Minimal – Meet Needs • Fast Implementation • Tied to one provider • Hard to extend • Hard to test • Potential implementation mistakes expose vulnerabilities • JAAS/JASPIC hard to understand • Easy to be accidentally tied to a specific server • Not “microservices-ready”
Option: Identity Broker – e.g. Keycloak Markus Eisele aka @myfear20 AUTHENTICATION http://keycloak.jboss.org/docs
DISADVANTAGESADVANTAGES Identity Broker Markus Eisele aka @myfear21 AUTHENTICATION • Flexible • Configurable and extendable • Runtime Changes • Many Identity Providers • Additional Features (Government/Policies) • Ready for microservices (downstream propagation) • Separate System - Complexity • Takes User/Roles management out of the Java EE Server
Or Access Control Markus Eisele aka @myfear22 AUTHORIZATION The means by which interactions with resources are limited to collections of users or programs for the purpose of enforcing integrity, confidentiality, or availability constraints. This ensures that users have permission to perform operations or access data. • Configuration via deployment descriptor or Annotations (@RolesAllowed) • Custom Authorization Logic via: • Programmatic Security + • CDI / Aspects + • Caching • JACC
The missing pieces Markus Eisele aka @myfear23 AUTHORIZATION Well known and broadly used and still missing in Java EE • Fine Grained Access Control (technical or business) • Data Protection Model through different specifications (e.g. data access per user/tenant) • Coherent AccessException Model
Option: Custom Implementation Markus Eisele aka @myfear24 AUTHORIZATION Use a mixture of standard authorization mechanisms (Principal) and add a custom user object which get‘s enriched with Permissions. • Authentication via form-based or other method • Creating an application User per Principal • Resolving custom rights per user (Datastore, In-Memory DB) • Implementing Around Invoke Aspects (@AllowedTo(Permission.WRITE) http://kenai.com/projects/javaee-patterns/sources/hg/show/javaee-security
DISADVANTAGESADVANTAGES Custom Implementation Markus Eisele aka @myfear25 AUTHORIZATION • Native to the Java EE programmer • Simple, Customizable at development time • Assignable per application • Potential implementation mistakes expose vulnerabilities • Common Code tied into all modules • Complex permission matrices need to be extensively cached • Cache invalidation • No runtime changes to permissions
Option: JACC (Java Authorization Contract for Containers) Markus Eisele aka @myfear26 AUTHORIZATION It “defines a contract between a Java EE application server and an authorization policy provider" and which "defines java.security.Permission classes that satisfy the Java EE authorization model” Implement: • A factory that provides an object that collects permissions • A state machine that controls the life-cyle of this permission collector • Linking permissions of multiple modules and utilities • Collecting and managing permissions • Processing permissions after collecting • An "authorization module" using permissions for authorization decisions http://arjan-tijms.omnifaces.org/2015/03/java-ee-authorization-jacc-revisited.html
DISADVANTAGESADVANTAGES JACC (Java Authorization Contract for Containers) Markus Eisele aka @myfear27 AUTHORIZATION • Integrated with the Java EE container • Part of the standard • As secure as it can get • C.O.M.P.L.E.X.I.T.Y • Amount of classes • APIs • Verbose • Not truly portable • Application Server Wide
Logging which security relevant changes happen. Markus Eisele aka @myfear28 AUDITING An audit trail (also called audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event. • There‘s nothing here in Java EE Options: • Custom Implementations • Logger Implementations • Data centered approaches (JPA / Database) • Server specific implementations
Option: Custom Implementation Markus Eisele aka @myfear29 AUDITING A transactional application often requires to audit the persistent entities. Sometimes you have to be able to track down changes and build up a history of changes. Or you’re requirement to have a long term rollback or need to archive in accordance with legal audit requirements. • Aspects in the widest sense (EJB, CDI) • @AroundInvoke captures relevant events on the service layer • Events should be persisted asynchronously • Ideally includes user information, date time and event type http://blog.eisele.net/2011/01/five-ways-to-know-how-your-data-looked.html
DISADVANTAGESADVANTAGES Custom Implementation Markus Eisele aka @myfear30 AUDITING • Suitable for business activity auditing • Simple to implement with a small set of activities. • Maybe used to also track performance of service calls • No rollback or data centered auditing • Doesn’t include security relevant audits (aspects don’t work in login- modules or realms • May be “forgotten” • Performance critical • No UI to generate an audit trail
Option: Logger Implementation (e.g. Log4j) Markus Eisele aka @myfear31 AUDITING Some logging frameworks were specifically designed to support audit features. One among them is Log4j. Others with more respect to legal audit requirements also do exist. • Use Log4j‘s audit logging features • Populate ThreadContext Map with basic data like: user-id, remote-IP address, application-name, application-version, etc. • Create a StructuredDataMessage for every event • EventLogger.logEvent(msg) • Select an appropriate provider (Syslog, JMS, JDBC, Flume, etc.) • Combine with aspects and automatically constructed DataMessages for broad coverage on services.
DISADVANTAGESADVANTAGES Logger Implementation Markus Eisele aka @myfear32 AUDITING • Native for Java EE developers • Easy to use as “logging” • Will work in security relevant classes • Guaranteed delivery ? • Performance overhead with growing events
Option: JPA Centered Approaches (Hibernate ORM Envers) Markus Eisele aka @myfear33 AUDITING The Envers module aims to enable easy auditing/versioning of persistent classes. All that you have to do is annotate your persistent class or some of its properties, that you want to audit, with @Audited. Just add @Audited to your entities • auditing of all mappings defined by the JPA specification • auditing of some Hibernate mappings, which extend JPA, like custom types and collections/maps of "simple" types (Strings, Integers, etc.) (see here for one exception) • logging data for each revision using a "revision entity" • querying historical data http://hibernate.org/orm/envers/
DISADVANTAGESADVANTAGES Option: JPA Centered Approaches (Hibernate ORM Envers) Markus Eisele aka @myfear34 AUDITING • Historical Data • Revisions • Fully integrated into JPA • Only Data Centered Auditing
or data privacy Markus Eisele aka @myfear35 CONFIDENTIALITY Confidentiality is the process of maintaining data privacy wherein we secure the communications channel, to make sure the data is not accessed in its original form by a third party by eavesdropping. Java EE doesn‘t bring a hell lot to the table here. Options: • SSL Termination on the Application Server • SSL Termination on a box before (httpd, router, appliance)
Terminating SSL on the App-Server Markus Eisele aka @myfear36 CONFIDENTIALITY <transport-guarantee>CONFIDENTIAL | INTEGRAL</transport-guarantee> A value of INTEGRAL means that the application requires the data sent between the client and server to be sent in such a way that it can't be changed in transit. A value of CONFIDENTIAL means that the application requires the data to be transmitted in a fashion that prevents other entities from observing the contents of the transmission.
DISADVANTAGESADVANTAGES Terminating SSL on the App-Server Markus Eisele aka @myfear37 CONFIDENTIALITY • Access to the SSL connection information (ssl-session-id) • Performance • Configuration complexity • Testing locally
Terminating SSL on a box Markus Eisele aka @myfear38 CONFIDENTIALITY Httpd server (Apache) • Mostly in place anyway for load-balancing (therefore needs to inspect the data anway) • OpenSSL as a way to terminate SSL/TLS connections Firewall / Router (including or not LB features) • See above. • Mostly hardware accelerated SSL termination. • High performance.
DISADVANTAGESADVANTAGES Terminating SSL on a box Markus Eisele aka @myfear39 CONFIDENTIALITY • If SSL session information are required, they have to be passed downstream • Considered “best practice” for failover, clustering and load- balancing • Additional infrastructure
Mostly Data Integrity Markus Eisele aka @myfear40 INTEGRITY Data integrity is the process of verifying if data is transmitted without corruption or modification, thus making sure that the data received at the receiver end is in fact the same message sent by the sender. In Java EE mostly two big areas: Implemented for data access/exchange with JPA and JTA.
Mostly Data Integrity Markus Eisele aka @myfear41 INTEGRITY Data integrity is the process of verifying if data is transmitted without corruption or modification, thus making sure that the data received at the receiver end is in fact the same message sent by the sender. In Java EE mostly data integrity • Implemented for data access/exchange with JPA and JTA. Options: • Enforce integrity on the database • Store and compare hashes of entities
Clustering, Scaling et al Markus Eisele aka @myfear42 AVAILABILITY Availability is commonly referred to as the most underspecified non- functional requirement for applications. Fact is: Applications only earn money, while they are running. There‘s nothing in Java EE. • Clustering, Scaling and other features aren‘t specified. • Completely vendor specific and server dependent.
WHAT ELSE DOES IT TAKES? 43
It needs a lot more. JUST SECURE CODE ISN‘T ENOUGH People Process Technology Markus Eisele aka @myfear44
45 “IT AIN’T WHAT YOU DON’T KNOW THAT GETS YOU INTO TROUBLE. IT’S WHAT YOU KNOW FOR SURE THAT JUST AIN’T SO.” — MARK TWAIN
Q&A
FURTHER READING • http://de.slideshare.net/mraible/java-web-application-security-with-java-ee- spring-security-and-apache-shiro-uberconf-2015 • http://de.slideshare.net/MasoudKalali/top-security-risks-for-java • https://abhirockzz.wordpress.com/2014/12/04/whats-up-with-java-ee-8/ • https://blogs.oracle.com/theaquarium/entry/jsr_375_java_ee_security • http://www.infoq.com/news/2014/11/javaee8-security-jsr • https://docs.oracle.com/javaee/7/tutorial/security-intro001.htm • http://www.oracle.com/technetwork/java/seccodeguide-139067.html • http://www.informit.com/store/java-coding-guidelines-75-recommendations- for-reliable-9780133439519 • https://www.owasp.org/index.php/Category:OWASP_Guide_Project • https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series

More Related Content

PDF
Community and Java EE @ DevConf.CZ
byMarkus Eisele
 
PDF
Modernizing Applications with Microservices
byMarkus Eisele
 
PDF
Taking the friction out of microservice frameworks with Lagom
byMarkus Eisele
 
PDF
How would ESBs look like, if they were done today.
byMarkus Eisele
 
ODP
micro services architecture (FrosCon2014)
bysmancke
 
PPTX
Tokyo azure meetup #12 service fabric internals
byTokyo Azure Meetup
 
PDF
Monitor Micro-service with MicroProfile metrics
byRudy De Busscher
 
PPTX
Tokyo Azure Meetup #5 - Microservices and Azure Service Fabric
byTokyo Azure Meetup
 
Community and Java EE @ DevConf.CZ
byMarkus Eisele
 
Modernizing Applications with Microservices
byMarkus Eisele
 
Taking the friction out of microservice frameworks with Lagom
byMarkus Eisele
 
How would ESBs look like, if they were done today.
byMarkus Eisele
 
micro services architecture (FrosCon2014)
bysmancke
 
Tokyo azure meetup #12 service fabric internals
byTokyo Azure Meetup
 
Monitor Micro-service with MicroProfile metrics
byRudy De Busscher
 
Tokyo Azure Meetup #5 - Microservices and Azure Service Fabric
byTokyo Azure Meetup
 

What's hot

PDF
Gradual migration to MicroProfile
byRudy De Busscher
 
PDF
SOA to Microservices
byChristian Posta
 
PPTX
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native Companion
byJakarta_EE
 
PDF
Application Security - 28 Nov 2018
byCheah Eng Soon
 
PPTX
Microservices in Azure
byDoug Vanderweide
 
PDF
The 6 Rules for Modernizing Your Legacy Java Monolith with Microservices
byLightbend
 
PPTX
Microservices architecture
byFaren faren
 
PPTX
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
byManageIQ
 
PDF
Microservices with Spring
bySoftware Infrastructure
 
PPTX
A Deeper Look Into Reactive Streams with Akka Streams 1.0 and Slick 3.0
byLegacy Typesafe (now Lightbend)
 
PDF
Secure JAX-RS
byPayara
 
PPTX
Tokyo Azure Meetup #4 - Build 2016 Overview
byTokyo Azure Meetup
 
PPTX
Extending Windows Admin Center to manage your applications and infrastructure...
byMicrosoft Tech Community
 
PPTX
MVC 6 - the new unified Web programming model
byAlex Thissen
 
PPTX
Event Bus as Backbone for Decoupled Microservice Choreography (Oracle Code, A...
byLucas Jellema
 
PDF
Microservices with Apache Camel, DDD, and Kubernetes
byChristian Posta
 
PDF
Java one kubernetes, jenkins and microservices
byChristian Posta
 
PPTX
An evolution of application networking: service mesh
byChristian Posta
 
PDF
Lagom in Practice
byJWORKS powered by Ordina
 
PPTX
Tokyo Azure Meetup #6 - Azure Monthly Update - June
byTokyo Azure Meetup
 
Gradual migration to MicroProfile
byRudy De Busscher
 
SOA to Microservices
byChristian Posta
 
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native Companion
byJakarta_EE
 
Application Security - 28 Nov 2018
byCheah Eng Soon
 
Microservices in Azure
byDoug Vanderweide
 
The 6 Rules for Modernizing Your Legacy Java Monolith with Microservices
byLightbend
 
Microservices architecture
byFaren faren
 
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
byManageIQ
 
Microservices with Spring
bySoftware Infrastructure
 
A Deeper Look Into Reactive Streams with Akka Streams 1.0 and Slick 3.0
byLegacy Typesafe (now Lightbend)
 
Secure JAX-RS
byPayara
 
Tokyo Azure Meetup #4 - Build 2016 Overview
byTokyo Azure Meetup
 
Extending Windows Admin Center to manage your applications and infrastructure...
byMicrosoft Tech Community
 
MVC 6 - the new unified Web programming model
byAlex Thissen
 
Event Bus as Backbone for Decoupled Microservice Choreography (Oracle Code, A...
byLucas Jellema
 
Microservices with Apache Camel, DDD, and Kubernetes
byChristian Posta
 
Java one kubernetes, jenkins and microservices
byChristian Posta
 
An evolution of application networking: service mesh
byChristian Posta
 
Lagom in Practice
byJWORKS powered by Ordina
 
Tokyo Azure Meetup #6 - Azure Monthly Update - June
byTokyo Azure Meetup
 

Viewers also liked

PDF
ARCHITECTING LARGE ENTERPRISE JAVA PROJECTS - vJUG
byMarkus Eisele
 
PDF
Java EE microservices architecture - evolving the monolith
byMarkus Eisele
 
PDF
Nine Neins - where Java EE will never take you
byMarkus Eisele
 
PDF
Wild Flies and a Camel Java EE Integration Stories
byMarkus Eisele
 
PDF
Microservice Come in Systems
byMarkus Eisele
 
PDF
Wild Flies and a Camel - Chicago JUG - 03/15
byMarkus Eisele
 
PDF
OpenShift for Java EE Developers
byMarkus Eisele
 
PDF
Architecting Large Enterprise Projects @DevConf.CZ
byMarkus Eisele
 
PDF
Architecting for failure - Why are distributed systems hard?
byMarkus Eisele
 
PDF
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 
PPTX
Real-Time Integration Between MongoDB and SQL Databases
byEugene Dvorkin
 
PDF
Owasp lapse
byn|u - The Open Security Community
 
PDF
JavaOne 2015 - Simplificando a segurança de sua aplicação com Java EE
byLeonardo Zanivan
 
PDF
Real-World RESTful Service Development Problems and Solutions
byMasoud Kalali
 
PPT
Confess 2013: OWASP Top 10 and Java EE security in practice
byMasoud Kalali
 
PPTX
Real world RESTful service development problems and solutions
byMasoud Kalali
 
PDF
Architecting Large Enterprise Java Projects
byMarkus Eisele
 
PDF
Java EE 7 - Into the Cloud
byMarkus Eisele
 
PDF
Architecting Large Enterprise Java Projects
byMarkus Eisele
 
PDF
Java cloud service - And introduction for Java EE Developers
byMarkus Eisele
 
ARCHITECTING LARGE ENTERPRISE JAVA PROJECTS - vJUG
byMarkus Eisele
 
Java EE microservices architecture - evolving the monolith
byMarkus Eisele
 
Nine Neins - where Java EE will never take you
byMarkus Eisele
 
Wild Flies and a Camel Java EE Integration Stories
byMarkus Eisele
 
Microservice Come in Systems
byMarkus Eisele
 
Wild Flies and a Camel - Chicago JUG - 03/15
byMarkus Eisele
 
OpenShift for Java EE Developers
byMarkus Eisele
 
Architecting Large Enterprise Projects @DevConf.CZ
byMarkus Eisele
 
Architecting for failure - Why are distributed systems hard?
byMarkus Eisele
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 
Real-Time Integration Between MongoDB and SQL Databases
byEugene Dvorkin
 
Owasp lapse
byn|u - The Open Security Community
 
JavaOne 2015 - Simplificando a segurança de sua aplicação com Java EE
byLeonardo Zanivan
 
Real-World RESTful Service Development Problems and Solutions
byMasoud Kalali
 
Confess 2013: OWASP Top 10 and Java EE security in practice
byMasoud Kalali
 
Real world RESTful service development problems and solutions
byMasoud Kalali
 
Architecting Large Enterprise Java Projects
byMarkus Eisele
 
Java EE 7 - Into the Cloud
byMarkus Eisele
 
Architecting Large Enterprise Java Projects
byMarkus Eisele
 
Java cloud service - And introduction for Java EE Developers
byMarkus Eisele
 

Similar to THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS

PDF
Finally, EE Security API JSR 375
byAlex Kosowski
 
PPS
Ajs 4 a
byNiit Care
 
PPTX
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
byWerner Keil
 
PPTX
Java ee 8 + security overview
byRudy De Busscher
 
PDF
Introduction to PicketLink
byJBUG London
 
PDF
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
byWebStackAcademy
 
PPTX
SCWCD : Secure web
byBen Abdallah Helmi
 
PPTX
SCWCD : Secure web : CHAP : 7
byBen Abdallah Helmi
 
PPT
Websphere on z/OS and RACF security
byMichael Erichsen
 
PDF
Java EE Services
byAbdalla Mahmoud
 
PPTX
Introduction To Building Enterprise Web Application With Spring Mvc
byAbdelmonaim Remani
 
PDF
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
PPTX
Intro to Apache Shiro
byClaire Hunsaker
 
PDF
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
byelliando dias
 
PPT
Security in java ee platform: what is included, what is missing
byMasoud Kalali
 
PPT
Session 8 Tp8
byphanleson
 
PDF
What is tackled in the Java EE Security API (Java EE 8)
byRudy De Busscher
 
PDF
Oracle ADF Architecture TV - Design - Designing for Security
byChris Muir
 
PDF
Real World Application Threat Modelling By Example
byNCC Group
 
ODP
CISSP Week 13
byjemtallon
 
Finally, EE Security API JSR 375
byAlex Kosowski
 
Ajs 4 a
byNiit Care
 
JSR 375 - Have you seen Java EE Security API lately? - codemotion Tel Aviv 2015
byWerner Keil
 
Java ee 8 + security overview
byRudy De Busscher
 
Introduction to PicketLink
byJBUG London
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
byWebStackAcademy
 
SCWCD : Secure web
byBen Abdallah Helmi
 
SCWCD : Secure web : CHAP : 7
byBen Abdallah Helmi
 
Websphere on z/OS and RACF security
byMichael Erichsen
 
Java EE Services
byAbdalla Mahmoud
 
Introduction To Building Enterprise Web Application With Spring Mvc
byAbdelmonaim Remani
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
Intro to Apache Shiro
byClaire Hunsaker
 
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
byelliando dias
 
Security in java ee platform: what is included, what is missing
byMasoud Kalali
 
Session 8 Tp8
byphanleson
 
What is tackled in the Java EE Security API (Java EE 8)
byRudy De Busscher
 
Oracle ADF Architecture TV - Design - Designing for Security
byChris Muir
 
Real World Application Threat Modelling By Example
byNCC Group
 
CISSP Week 13
byjemtallon
 

More from Markus Eisele

PDF
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
PDF
What Writing 250+ Blog Posts Taught Me About Artificial Intelligence.pdf
byMarkus Eisele
 
PDF
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
byMarkus Eisele
 
PDF
Backstage Software Templates for Java Developers
byMarkus Eisele
 
PDF
SparksCon 2024 - Die Ringe der Macht
byMarkus Eisele
 
PDF
Sustainable Software Architecture - Open Tour DACH '22
byMarkus Eisele
 
PDF
Going from java message service (jms) to eda
byMarkus Eisele
 
PDF
Let's be real. Quarkus in the wild.
byMarkus Eisele
 
PDF
What happens when unicorns drink coffee
byMarkus Eisele
 
PDF
Stateful on Stateless - The Future of Applications in the Cloud
byMarkus Eisele
 
PDF
Java in the age of containers - JUG Frankfurt/M
byMarkus Eisele
 
PDF
Java in the Age of Containers and Serverless
byMarkus Eisele
 
PDF
Migrating from Java EE to cloud-native Reactive systems
byMarkus Eisele
 
PDF
Streaming to a new Jakarta EE / JOTB19
byMarkus Eisele
 
PDF
Cloud wars - A LavaOne discussion in seven slides
byMarkus Eisele
 
PDF
Streaming to a new Jakarta EE
byMarkus Eisele
 
PDF
Reactive Integrations - Caveats and bumps in the road explained
byMarkus Eisele
 
PDF
Stay productive while slicing up the monolith
byMarkus Eisele
 
PDF
Stay productive while slicing up the monolith
byMarkus Eisele
 
PDF
Stay productive_while_slicing_up_the_monolith
byMarkus Eisele
 
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
What Writing 250+ Blog Posts Taught Me About Artificial Intelligence.pdf
byMarkus Eisele
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
byMarkus Eisele
 
Backstage Software Templates for Java Developers
byMarkus Eisele
 
SparksCon 2024 - Die Ringe der Macht
byMarkus Eisele
 
Sustainable Software Architecture - Open Tour DACH '22
byMarkus Eisele
 
Going from java message service (jms) to eda
byMarkus Eisele
 
Let's be real. Quarkus in the wild.
byMarkus Eisele
 
What happens when unicorns drink coffee
byMarkus Eisele
 
Stateful on Stateless - The Future of Applications in the Cloud
byMarkus Eisele
 
Java in the age of containers - JUG Frankfurt/M
byMarkus Eisele
 
Java in the Age of Containers and Serverless
byMarkus Eisele
 
Migrating from Java EE to cloud-native Reactive systems
byMarkus Eisele
 
Streaming to a new Jakarta EE / JOTB19
byMarkus Eisele
 
Cloud wars - A LavaOne discussion in seven slides
byMarkus Eisele
 
Streaming to a new Jakarta EE
byMarkus Eisele
 
Reactive Integrations - Caveats and bumps in the road explained
byMarkus Eisele
 
Stay productive while slicing up the monolith
byMarkus Eisele
 
Stay productive while slicing up the monolith
byMarkus Eisele
 
Stay productive_while_slicing_up_the_monolith
byMarkus Eisele
 

Recently uploaded

PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
PPTX
Leon Brands - Methodical GPU Profiling (Graphics Programming Conference 2025)
byleonbrands1998
 
PDF
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
PDF
Cybersecurity Prevention and Detection: Unit 3
byVICTOR MAESTRE RAMIREZ
 
PDF
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PPTX
System Software_CIE_AS_LEVEL_CS_9618 .pptx
byJawaad BM
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
Accessibility & Inclusion: What Comes Next. Presentation of the Digital Acces...
byAssociazione Digital Days
 
PDF
Welcome by Uni Systems: Shaping Experiences
byUni Systems S.M.S.A.
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
Leon Brands - Methodical GPU Profiling (Graphics Programming Conference 2025)
byleonbrands1998
 
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
Cybersecurity Prevention and Detection: Unit 3
byVICTOR MAESTRE RAMIREZ
 
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
System Software_CIE_AS_LEVEL_CS_9618 .pptx
byJawaad BM
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
Accessibility & Inclusion: What Comes Next. Presentation of the Digital Acces...
byAssociazione Digital Days
 
Welcome by Uni Systems: Shaping Experiences
byUni Systems S.M.S.A.
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 

THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS

  • 1.
    THEFT PROOF-JAVA EE MarkusEisele markus@jboss.org @myfear blog.eisele.net Securing your Java EE applications
  • 2.
  • 3.
    BUT WHAT DOYOU KNOW ABOUT SECURITY?
  • 5.
    Markus Eisele aka@myfear5 HOLISTIC SECURITY To build a secure Java EE application, a holistic approach to application security is required and security must be applied at all layers and services. Network Host Application Platform Services (JVM, Application Server) Operating System Infrastructure Software Application Landscape Enterprise- Services Business IT-Security-Architecture
  • 6.
    Secure applications relyon secure networks Markus Eisele aka @myfear6 SECURE NETWORKS Things to look out for: • Router • Firewall • Switch • Protocols • Ports • Firmware • Standard passwords
  • 7.
    Repeat for allof them: including database, message broker, httpd-server and all the others. Markus Eisele aka @myfear7 SECURE HOSTS / OPERATING SYSTEMS Things to look out for: • Shared Volumes • Running Services • Accounts (user and service) • Auditing and Logging • Files and directories • Patches and updates
  • 8.
    All pre-installed runtimes,like the JVM/JDK, Application server, etc. Markus Eisele aka @myfear8 PLATFORM SERVICES Things to look out for: • Policy Files • File Access Rights • Default Passwords • Admin Console
  • 9.
    Security relies onthe following components WHAT IS APPLICATION SECURITY? Availability Integrity Confidentiality Auditing Authorization Authentication Markus Eisele aka @myfear9
  • 10.
    A thread isa potential event that may affect your system. An attack exploits a vulnerability in your system. Markus Eisele aka @myfear10 THREATS, VULNERABILITIES, AND ATTACKS How do you decide if an application is secure? Application + Infrastructure exposes Vulnerability exploits Attack
  • 11.
    Markus Eisele aka@myfear11 NO SECURITY WITHOUT THREATS It is not possible to design and build a secure Web application until you know your threats. Thread modelling in the design phase: • To be protected • CC, Address, etc. Data Goal of an attackThreat • Potential damage • $ or image Rate
  • 12.
    Markus Eisele aka@myfear12 STRATEGY – APPROACH - GOAL
  • 13.
    Some basic categoriesmapped down from the security components Markus Eisele aka @myfear13 APPLICATION VULNERABILITY CATEGORIES • Input Validation • Authentication • Authorization • Configuration Management • Sensitive Data • Session Management • Data Encryption • Parameter Manipulation • Exception Handling • Auditing and Logging • Timestamping • Role Based Access Control • Execution Sandboxing • Process Separation
  • 14.
    Best Practices fordesigning secure applications. Markus Eisele aka @myfear14 CORE SECURITY PRINCIPLES • Compartmentalize • Use least privilege • Apply defense in depth • Do not trust user input • Check at the gate • Fail securely • Secure the weakest link • Create secure defaults • Reduce your attack surface THINGS TO KEEP IN MIND FOR YOUR SYSTEM DESIGN
  • 15.
    AND HOW MUCHOF THAT CAN YOU DO WITH JAVA EE? 15
  • 16.
    Basic, Form, Digest,Client, Mutual Markus Eisele aka @myfear16 AUTHENTICATION The means by which communicating entities, such as client and server, prove to each other that they are acting on behalf of specific identities that are authorized for access. This ensures that users are who they say they are. • Configuration via deployment descriptor • Application roles mapping into server groups • Most servers provide standard login modules (DB, LDAP, Client-Cert, Filesystem) • Additional resources (Keystores, LDAP, DB) • Custom Authentication Logic via: • JASPIC • JAAS • Server Specific Features (Realms)
  • 17.
    The missing pieces MarkusEisele aka @myfear17 AUTHENTICATION Well known and broadly used and still missing in Java EE • Two Factor Auth Support (Custom Token, Hardware Token, Soft-Token) • Social Login (Facebook, Twitter, GitHub) • User Registration / Self Service • Easy Customizing for custom login pages • OAuth support • Policies (Password / Revocation)
  • 18.
    Option: Custom implementation(e.g. OAuth w/ programmatic security) Markus Eisele aka @myfear18 AUTHENTICATION https://oneminutedistraction.wordpress.com/2014/04/29/using-oauth-for-your-javaee-login/ Browser Java EE Server OAuth Login Button Redirect Login Page Submit Credentials Redirect Callback URL Redirect Callback Get access_token Get User Data
  • 19.
    DISADVANTAGESADVANTAGES Custom Implementation Markus Eiseleaka @myfear19 AUTHENTICATION • Minimal – Meet Needs • Fast Implementation • Tied to one provider • Hard to extend • Hard to test • Potential implementation mistakes expose vulnerabilities • JAAS/JASPIC hard to understand • Easy to be accidentally tied to a specific server • Not “microservices-ready”
  • 20.
    Option: Identity Broker– e.g. Keycloak Markus Eisele aka @myfear20 AUTHENTICATION http://keycloak.jboss.org/docs
  • 21.
    DISADVANTAGESADVANTAGES Identity Broker Markus Eiseleaka @myfear21 AUTHENTICATION • Flexible • Configurable and extendable • Runtime Changes • Many Identity Providers • Additional Features (Government/Policies) • Ready for microservices (downstream propagation) • Separate System - Complexity • Takes User/Roles management out of the Java EE Server
  • 22.
    Or Access Control MarkusEisele aka @myfear22 AUTHORIZATION The means by which interactions with resources are limited to collections of users or programs for the purpose of enforcing integrity, confidentiality, or availability constraints. This ensures that users have permission to perform operations or access data. • Configuration via deployment descriptor or Annotations (@RolesAllowed) • Custom Authorization Logic via: • Programmatic Security + • CDI / Aspects + • Caching • JACC
  • 23.
    The missing pieces MarkusEisele aka @myfear23 AUTHORIZATION Well known and broadly used and still missing in Java EE • Fine Grained Access Control (technical or business) • Data Protection Model through different specifications (e.g. data access per user/tenant) • Coherent AccessException Model
  • 24.
    Option: Custom Implementation MarkusEisele aka @myfear24 AUTHORIZATION Use a mixture of standard authorization mechanisms (Principal) and add a custom user object which get‘s enriched with Permissions. • Authentication via form-based or other method • Creating an application User per Principal • Resolving custom rights per user (Datastore, In-Memory DB) • Implementing Around Invoke Aspects (@AllowedTo(Permission.WRITE) http://kenai.com/projects/javaee-patterns/sources/hg/show/javaee-security
  • 25.
    DISADVANTAGESADVANTAGES Custom Implementation Markus Eiseleaka @myfear25 AUTHORIZATION • Native to the Java EE programmer • Simple, Customizable at development time • Assignable per application • Potential implementation mistakes expose vulnerabilities • Common Code tied into all modules • Complex permission matrices need to be extensively cached • Cache invalidation • No runtime changes to permissions
  • 26.
    Option: JACC (JavaAuthorization Contract for Containers) Markus Eisele aka @myfear26 AUTHORIZATION It “defines a contract between a Java EE application server and an authorization policy provider" and which "defines java.security.Permission classes that satisfy the Java EE authorization model” Implement: • A factory that provides an object that collects permissions • A state machine that controls the life-cyle of this permission collector • Linking permissions of multiple modules and utilities • Collecting and managing permissions • Processing permissions after collecting • An "authorization module" using permissions for authorization decisions http://arjan-tijms.omnifaces.org/2015/03/java-ee-authorization-jacc-revisited.html
  • 27.
    DISADVANTAGESADVANTAGES JACC (Java AuthorizationContract for Containers) Markus Eisele aka @myfear27 AUTHORIZATION • Integrated with the Java EE container • Part of the standard • As secure as it can get • C.O.M.P.L.E.X.I.T.Y • Amount of classes • APIs • Verbose • Not truly portable • Application Server Wide
  • 28.
    Logging which securityrelevant changes happen. Markus Eisele aka @myfear28 AUDITING An audit trail (also called audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event. • There‘s nothing here in Java EE Options: • Custom Implementations • Logger Implementations • Data centered approaches (JPA / Database) • Server specific implementations
  • 29.
    Option: Custom Implementation MarkusEisele aka @myfear29 AUDITING A transactional application often requires to audit the persistent entities. Sometimes you have to be able to track down changes and build up a history of changes. Or you’re requirement to have a long term rollback or need to archive in accordance with legal audit requirements. • Aspects in the widest sense (EJB, CDI) • @AroundInvoke captures relevant events on the service layer • Events should be persisted asynchronously • Ideally includes user information, date time and event type http://blog.eisele.net/2011/01/five-ways-to-know-how-your-data-looked.html
  • 30.
    DISADVANTAGESADVANTAGES Custom Implementation Markus Eiseleaka @myfear30 AUDITING • Suitable for business activity auditing • Simple to implement with a small set of activities. • Maybe used to also track performance of service calls • No rollback or data centered auditing • Doesn’t include security relevant audits (aspects don’t work in login- modules or realms • May be “forgotten” • Performance critical • No UI to generate an audit trail
  • 31.
    Option: Logger Implementation(e.g. Log4j) Markus Eisele aka @myfear31 AUDITING Some logging frameworks were specifically designed to support audit features. One among them is Log4j. Others with more respect to legal audit requirements also do exist. • Use Log4j‘s audit logging features • Populate ThreadContext Map with basic data like: user-id, remote-IP address, application-name, application-version, etc. • Create a StructuredDataMessage for every event • EventLogger.logEvent(msg) • Select an appropriate provider (Syslog, JMS, JDBC, Flume, etc.) • Combine with aspects and automatically constructed DataMessages for broad coverage on services.
  • 32.
    DISADVANTAGESADVANTAGES Logger Implementation Markus Eiseleaka @myfear32 AUDITING • Native for Java EE developers • Easy to use as “logging” • Will work in security relevant classes • Guaranteed delivery ? • Performance overhead with growing events
  • 33.
    Option: JPA CenteredApproaches (Hibernate ORM Envers) Markus Eisele aka @myfear33 AUDITING The Envers module aims to enable easy auditing/versioning of persistent classes. All that you have to do is annotate your persistent class or some of its properties, that you want to audit, with @Audited. Just add @Audited to your entities • auditing of all mappings defined by the JPA specification • auditing of some Hibernate mappings, which extend JPA, like custom types and collections/maps of "simple" types (Strings, Integers, etc.) (see here for one exception) • logging data for each revision using a "revision entity" • querying historical data http://hibernate.org/orm/envers/
  • 34.
    DISADVANTAGESADVANTAGES Option: JPA CenteredApproaches (Hibernate ORM Envers) Markus Eisele aka @myfear34 AUDITING • Historical Data • Revisions • Fully integrated into JPA • Only Data Centered Auditing
  • 35.
    or data privacy MarkusEisele aka @myfear35 CONFIDENTIALITY Confidentiality is the process of maintaining data privacy wherein we secure the communications channel, to make sure the data is not accessed in its original form by a third party by eavesdropping. Java EE doesn‘t bring a hell lot to the table here. Options: • SSL Termination on the Application Server • SSL Termination on a box before (httpd, router, appliance)
  • 36.
    Terminating SSL onthe App-Server Markus Eisele aka @myfear36 CONFIDENTIALITY <transport-guarantee>CONFIDENTIAL | INTEGRAL</transport-guarantee> A value of INTEGRAL means that the application requires the data sent between the client and server to be sent in such a way that it can't be changed in transit. A value of CONFIDENTIAL means that the application requires the data to be transmitted in a fashion that prevents other entities from observing the contents of the transmission.
  • 37.
    DISADVANTAGESADVANTAGES Terminating SSL onthe App-Server Markus Eisele aka @myfear37 CONFIDENTIALITY • Access to the SSL connection information (ssl-session-id) • Performance • Configuration complexity • Testing locally
  • 38.
    Terminating SSL ona box Markus Eisele aka @myfear38 CONFIDENTIALITY Httpd server (Apache) • Mostly in place anyway for load-balancing (therefore needs to inspect the data anway) • OpenSSL as a way to terminate SSL/TLS connections Firewall / Router (including or not LB features) • See above. • Mostly hardware accelerated SSL termination. • High performance.
  • 39.
    DISADVANTAGESADVANTAGES Terminating SSL ona box Markus Eisele aka @myfear39 CONFIDENTIALITY • If SSL session information are required, they have to be passed downstream • Considered “best practice” for failover, clustering and load- balancing • Additional infrastructure
  • 40.
    Mostly Data Integrity MarkusEisele aka @myfear40 INTEGRITY Data integrity is the process of verifying if data is transmitted without corruption or modification, thus making sure that the data received at the receiver end is in fact the same message sent by the sender. In Java EE mostly two big areas: Implemented for data access/exchange with JPA and JTA.
  • 41.
    Mostly Data Integrity MarkusEisele aka @myfear41 INTEGRITY Data integrity is the process of verifying if data is transmitted without corruption or modification, thus making sure that the data received at the receiver end is in fact the same message sent by the sender. In Java EE mostly data integrity • Implemented for data access/exchange with JPA and JTA. Options: • Enforce integrity on the database • Store and compare hashes of entities
  • 42.
    Clustering, Scaling etal Markus Eisele aka @myfear42 AVAILABILITY Availability is commonly referred to as the most underspecified non- functional requirement for applications. Fact is: Applications only earn money, while they are running. There‘s nothing in Java EE. • Clustering, Scaling and other features aren‘t specified. • Completely vendor specific and server dependent.
  • 43.
    WHAT ELSE DOESIT TAKES? 43
  • 44.
    It needs alot more. JUST SECURE CODE ISN‘T ENOUGH People Process Technology Markus Eisele aka @myfear44
  • 45.
    45 “IT AIN’T WHAT YOUDON’T KNOW THAT GETS YOU INTO TROUBLE. IT’S WHAT YOU KNOW FOR SURE THAT JUST AIN’T SO.” — MARK TWAIN
  • 46.
  • 47.
    FURTHER READING • http://de.slideshare.net/mraible/java-web-application-security-with-java-ee- spring-security-and-apache-shiro-uberconf-2015 •http://de.slideshare.net/MasoudKalali/top-security-risks-for-java • https://abhirockzz.wordpress.com/2014/12/04/whats-up-with-java-ee-8/ • https://blogs.oracle.com/theaquarium/entry/jsr_375_java_ee_security • http://www.infoq.com/news/2014/11/javaee8-security-jsr • https://docs.oracle.com/javaee/7/tutorial/security-intro001.htm • http://www.oracle.com/technetwork/java/seccodeguide-139067.html • http://www.informit.com/store/java-coding-guidelines-75-recommendations- for-reliable-9780133439519 • https://www.owasp.org/index.php/Category:OWASP_Guide_Project • https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series