Page 1
The Anatomy of a Secure Java Web App Using Apache Fortress
October 11, 2018
AppSec USA, San Jose
Page 2
Objective
Think about how we should be securing web apps (if we removed all stops).
Page 3
Intro
• John Tumminaro
– VP Technology, GlobalLogic
• Shawn McKinney
– Software Architect, Symas
AppSec USA, San Jose 2018
Page 4
Agenda
1. Have a look at Equifax
2. End-to-End Security w/ Apache Fortress Samples
3. Talk about RBAC and ABAC
Page 5
Recommendation
Listen and absorb conceptually. Slides are published and have the details.
https://iamfortress.files.wordpress.com/2018/09/anatomy-secure-web-app-appsec-2018-v41.pdf
Page 6
What’s The Problem
• Equifax Breach
– 143 million Americans’ personal info, including names, addresses, dates of birth and SSNs compromised.
– Only a veneer of security in place.
Page 7
https://cwiki.apache.org/confluence/display/WW/S2-045
Page 8
The Exploit
"The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017."
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
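What a detection engineer can do with that one sentence, as an added example that is not from the slides: scan request logs for Content-Type header values that carry the "#cmd=" marker the CVE text names, or that do not even look like a media type. The log line format, the sample lines and the extra check for OGNL expression delimiters ("%{", "${") are assumptions made for this example; only the "#cmd=" marker comes from the CVE description.

```python
"""Added example, not from the slides: scan request logs for the
CVE-2017-5638 (S2-045) indicator described above, a crafted Content-Type
header carrying a "#cmd=" string. The log line format and the sample
lines below are constructed for this example.
"""
import re
from typing import Iterable, List, Tuple

# Constructed log format: <client-ip> <method> <path> "<Content-Type header value>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ctype>.*)"$')

# "#cmd=" is the indicator quoted from the CVE text. The OGNL expression
# delimiters are an added assumption: they never occur in a legitimate
# media type or its parameters, so their presence is worth flagging too.
INDICATORS = ("#cmd=", "%{", "${")

# Loose shape of a legitimate value: type/subtype plus optional ;name=value
# parameters. Anything that does not fit is reported for a human to look at.
MEDIA_TYPE_RE = re.compile(
    r'[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=("[^"]*"|[^;\s]*))*\s*'
)


def is_suspicious_content_type(ctype: str) -> bool:
    """True when the header value contains a known payload marker."""
    lowered = ctype.lower()
    return any(marker in lowered for marker in INDICATORS)


def is_well_formed_media_type(ctype: str) -> bool:
    """True when the value looks like 'type/subtype[; param=value ...]'."""
    return MEDIA_TYPE_RE.fullmatch(ctype) is not None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client-ip, path, content-type) for every line worth an alert."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line: not this detector's job
        ctype = m.group("ctype")
        if is_suspicious_content_type(ctype) or not is_well_formed_media_type(ctype):
            hits.append((m.group("ip"), m.group("path"), ctype))
    return hits


# Constructed sample traffic: ordinary requests plus one probe whose
# Content-Type carries the "#cmd=" marker (an indicator, not a working payload).
SAMPLE_LOG = [
    '203.0.113.5 POST /upload.action "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '198.51.100.7 POST /login.action "application/x-www-form-urlencoded"',
    '192.0.2.9 POST /upload.action "%{#cmd=\'id\'}"',
    '192.0.2.10 GET /index.action "text/html;charset=UTF-8"',
]

if __name__ == "__main__":
    for ip, path, ctype in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {path} content-type={ctype!r}")
```

The positive check (does the value look like a media type at all?) is the more durable of the two: marker strings change from one payload generator to the next, but a multipart upload whose Content-Type is not of the form type/subtype has no legitimate reason to exist.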
Page 9
The Exploit
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
Page 10
https://blog.cloudflare.com/apache-struts-s2-057/
Page 11
Behind The Equifax Breach
https://www.brighttalk.com/webcast/13983/280311/behind-the-equifax-breach-a-deep-dive-into-apache-struts-cve-2017-5638
Page 12
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
Page 13
The Solution
Ensure all appropriate patches have been applied.
https://www.owasp.org/index.php/OWASP_Dependency_Check
Page 14
OWASP Dependency-Check
https://www.owasp.org/index.php/OWASP_Dependency_Check
Page 15
OWASP Vulnerability Scanning (Java)
Add to your Maven pom.xml file:

```xml
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>3.3.1</version>
  <configuration>
    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
    <suppressionFile>${project.basedir}…/suppression.xml</suppressionFile>
  </configuration>
</plugin>
```
Page 16
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
Page 17
How do we make our software free of unknown vulnerabilities?
Page 18
The Solution (Take 2)
Practice the principle of least privilege.
(Employ mandatory access controls)
Page 19
Employ a Runtime Java Security Policy

```text
grant codeBase "file:${catalina.home}/webapps/my-web-app-1/-" {
    permission java.net.SocketPermission "localhost", "resolve";
    permission java.net.SocketPermission "127.0.0.1:32768", "connect,resolve";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.FilePermission "…/resources/", "execute";
    …
};
```

Use with caution (the line the slide highlights): `permission java.io.FilePermission "…/resources/", "execute";`
Page 20
Example #1
https://github.com/shawnmckinney/remote-code-execution-sample
Page 21
Not a Perfect Solution

```text
grant codeBase "file:${catalina.home}/webapps/my-web-app-1/-" {
    permission java.net.SocketPermission "localhost", "resolve";
    permission java.io.FilePermission "…/resources/good-scripts*", "execute";
    permission java.net.SocketPermission "127.0.0.1:32768", "connect,resolve";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    …
};
```

The file permission is now narrowed, but the line the slide highlights is still granted: `permission java.lang.reflect.ReflectPermission "suppressAccessChecks";`
Page 22
https://www.monkeyuser.com/2018/architecture/
What now?
Page 23
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
Page 24
"The building up, layering on and overlapping of security measures is called defense in depth. In contrast to a metal chain, which is famously only as strong as its weakest link, the defense-in-depth aims at a structure where, should one defensive measure fail, other measures will continue to provide protection."
https://en.wikipedia.org/wiki/Information_security
Page 25
Java Web Security Layers
1. Java SE Security
2. Java Secure Socket Extension (JSSE)
3. Java EE Security
4. Spring Security
5. Web App Framework
6. Database Framework
Page 26
Each with a specific purpose
1. Java SE Security: principle of least privilege
2. JSSE: private conversations
3. Java EE Security: deadbolt on front door
4. Spring Security: locks on room doors
5. Web App Framework: locks on equipment in rooms
6. Database Functions: content filtering
Page 27
Example #2: Apache Fortress Demo
https://github.com/shawnmckinney/apache-fortress-demo
Page 28
Enable Java EE Security (the deadbolt)
a. Update web.xml
b. Drop the proxy jar
c. Add context.xml
d. Add fortress to pom.xml
Page 29
Setup Policy Decision Point (the security system)
Page 30
Use ANSI RBAC INCITS 359 Specification
RBAC0: Users, Roles, Perms, Sessions
RBAC1: Hierarchical Roles
RBAC2: Static Separation of Duties
RBAC3: Dynamic Separation of Duties
Page 31
The Standards Journey
• An RBAC authority reference:
  – http://csrc.nist.gov/groups/SNS/rbac/
• An original paper on RBAC:
  – http://csrc.nist.gov/groups/SNS/rbac/documents/ferraiolo-kuhn-92.pdf
• An updated paper on RBAC:
  – http://csrc.nist.gov/groups/SNS/rbac/documents/sandhu-ferraiolo-kuhn-00.pdf
• The current standard:
  – http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf
Page 32
Use ANSI RBAC INCITS 359 Specification
[Diagram of the INCITS 359 reference model: USERS, ROLES, SESSIONS, and OPS and OBS forming PRMS, connected by User Assignment, Role Hierarchy, SSD, DSD, User Session and Session Roles]
Page 33
Use RBAC Object Model
Six basic elements:
1. User – human or machine entity
2. Role – a job function within an organization
3. Object – maps to system resources
4. Operation – executable image of program
5. Permission – approval to perform an Operation on one or more Objects
6. Session – contains set of activated roles for User
![Page 34: WordPress.com - The Anatomy of a Secure Java Web App ......Apache Fortress Demo •Three Pages and Three Customers •One role for every page to customer combo •Users may be assigned](https://reader033.fdocuments.us/reader033/viewer/2022060603/6057708f799b4344437bc20b/html5/thumbnails/34.jpg)
34
![Page 35: WordPress.com - The Anatomy of a Secure Java Web App ......Apache Fortress Demo •Three Pages and Three Customers •One role for every page to customer combo •Users may be assigned](https://reader033.fdocuments.us/reader033/viewer/2022060603/6057708f799b4344437bc20b/html5/thumbnails/35.jpg)
Use RBAC Functional Model
APIs form three standard interfaces:
1. Admin – Add, Update, Delete
2. Review – Read, Search
3. System – Access Control
Page 36
Use RBAC Functional Model
System Manager APIs:
1. createSession – authenticate, activate roles
2. checkAccess – permission check
3. sessionPermissions – all perms active for user
4. sessionRoles – return all roles active
5. addActiveRole – add new role to session
6. dropActiveRole – remove role from session
http://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/impl/AccessMgrImpl.html
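A runnable sketch of these six operations over the RBAC0 to RBAC3 levels from the slides, as an added example that is not Apache Fortress code (Fortress's own implementation is behind the AccessMgrImpl link above). It shows what a policy decision point has to do at each call: static separation of duty is enforced when a role is assigned, dynamic separation of duty when a role is activated into a session, and the role hierarchy feeds both the permission lookup and the separation checks. The bank-style roles, users and permissions in demo_policy() are constructed for the example.

```python
"""Added example, not Apache Fortress code: an in-memory policy decision
point implementing the six System Manager operations over the INCITS 359
model. RBAC0: users, roles, permissions, sessions. RBAC1: role hierarchy.
RBAC2: static separation of duty, checked at assignment. RBAC3: dynamic
separation of duty, checked at activation. Sample policy is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Permission = Tuple[str, str]          # (object, operation)
SodSet = Tuple[FrozenSet[str], int]   # (roles, n): holding n or more of them is forbidden


class PolicyError(Exception):
    """An assignment or activation that the policy forbids."""


@dataclass
class Session:
    user: str
    active_roles: Set[str] = field(default_factory=set)


@dataclass
class Rbac:
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    juniors: Dict[str, Set[str]] = field(default_factory=dict)  # RBAC1: senior -> juniors
    ssd: List[SodSet] = field(default_factory=list)             # RBAC2
    dsd: List[SodSet] = field(default_factory=list)             # RBAC3

    # Admin interface
    def add_role(self, role: str, perms: Iterable[Permission] = ()) -> None:
        self.role_perms.setdefault(role, set()).update(perms)

    def add_inheritance(self, senior: str, junior: str) -> None:
        self.juniors.setdefault(senior, set()).add(junior)

    def assign_user(self, user: str, role: str) -> None:
        proposed = self.user_roles.get(user, set()) | {role}
        self._enforce(self.ssd, self.authorized(proposed), "static")
        self.user_roles[user] = proposed  # only stored once SSD passes

    # Review interface
    def authorized(self, roles: Iterable[str]) -> Set[str]:
        """The roles plus every junior role they inherit, transitively."""
        seen: Set[str] = set()
        stack = list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def assigned_roles(self, user: str) -> Set[str]:
        return set(self.user_roles.get(user, set()))

    # System interface
    def create_session(self, user: str, roles: Optional[Iterable[str]] = None) -> Session:
        """Activate the named roles (default: all assigned); DSD is checked per role."""
        session = Session(user)
        for r in sorted(roles if roles is not None else self.assigned_roles(user)):
            self.add_active_role(session, r)
        return session

    def add_active_role(self, session: Session, role: str) -> None:
        if role not in self.assigned_roles(session.user):
            raise PolicyError(f"{role} is not assigned to {session.user}")
        self._enforce(self.dsd, self.authorized(session.active_roles | {role}), "dynamic")
        session.active_roles.add(role)

    def drop_active_role(self, session: Session, role: str) -> None:
        session.active_roles.discard(role)

    def session_roles(self, session: Session) -> Set[str]:
        return set(session.active_roles)

    def session_permissions(self, session: Session) -> Set[Permission]:
        perms: Set[Permission] = set()
        for r in self.authorized(session.active_roles):
            perms |= self.role_perms.get(r, set())
        return perms

    def check_access(self, session: Session, obj: str, op: str) -> bool:
        return (obj, op) in self.session_permissions(session)

    @staticmethod
    def _enforce(sod: List[SodSet], roles: Set[str], kind: str) -> None:
        for members, cardinality in sod:
            if len(roles & members) >= cardinality:
                raise PolicyError(f"{kind} separation of duty: {sorted(roles & members)}")


def violates(action, *args) -> bool:
    """True when the call is refused by the policy (used by callers and tests)."""
    try:
        action(*args)
        return False
    except PolicyError:
        return True


def demo_policy() -> Rbac:
    """Constructed sample: Supervisor inherits Teller; Teller and Auditor may never be
    assigned together; Supervisor and Loan_Officer may never be active together."""
    p = Rbac()
    p.add_role("Teller", [("Account", "read"), ("Account", "deposit")])
    p.add_role("Auditor", [("Account", "read"), ("Ledger", "audit")])
    p.add_role("Supervisor", [("Account", "approve")])
    p.add_role("Loan_Officer", [("Loan", "approve")])
    p.add_inheritance("Supervisor", "Teller")
    p.ssd.append((frozenset({"Teller", "Auditor"}), 2))
    p.dsd.append((frozenset({"Supervisor", "Loan_Officer"}), 2))
    return p
```

Note that the separation checks run over the authorized set (the role plus what it inherits), not only over the roles named directly: a Supervisor who inherits Teller cannot sidestep a Teller/Auditor constraint by being assigned Auditor, which is the hierarchical reading of SSD in the standard.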
Page 37
Example #3: Role Engineering Sample
https://github.com/shawnmckinney/role-engineering-sample
Page 38
Enable Spring Security (locks on the rooms)
a. Authorization
b. Role mapping
Page 39
Web App Authorization (locks on equipment)
Add fine-grained checks to:
a. Page links
b. Buttons
c. Other controls
Page 40
DAO Authorization (filtering)
Add fine-grained checks to:
a. Create
b. Read
c. Update
d. Delete
Page 41
Enable SSL Everywhere (confidentiality)
Client: a. public key, b. config
Server: a. private key, b. config
Page 42
Apache Fortress Demo
• Three Pages and Three Customers
• One role for every page to customer combo
• Users may be assigned to one or more roles
• One and only one role may be activated

Pages        Customer 123   Customer 456   Customer 789
Page One     PAGE1_123      PAGE1_456      PAGE1_789
Page Two     PAGE2_123      PAGE2_456      PAGE2_789
Page Three   PAGE3_123      PAGE3_456      PAGE3_789
Page 43
Resulting access per user (True = the page is reachable for that customer):

User123      Customer 123   Customer 456   Customer 789
Page1        True           False          False
Page2        True           False          False
Page3        True           False          False

User1        Customer 123   Customer 456   Customer 789
Page1        True           True           True
Page2        False          False          False
Page3        False          False          False

User1_123    Customer 123   Customer 456   Customer 789
Page1        True           False          False
Page2        False          False          False
Page3        False          False          False
Page 44
RBAC Demo
http://www.wright-brothers.org/Information_Desk/Help_with_Homework/Wright_Photos/Wright_Photos_images/1902_Glider_Flying.jpg
Page 45
Testing
• Verify security functionality via automation.
• Beware of regressions. They can go unnoticed for weeks, months, years.
https://github.com/shawnmckinney/apache-fortress-demo/.../ApacheFortressDemoSeleniumITCase.java
Page 46
We still have a problem…
Page 47
Roles Have Exploded
Page 48
Number of Roles = sizeof(A) * sizeof(B)

Roles (A): Page1, Page2, Page3
Relationships (B): Customer 123, Customer 456, Customer 789

A * B => Roles:
1. Page1-123
2. Page1-456
3. Page1-789
4. Page2-123
5. Page2-456
6. Page2-789
7. Page3-123
8. Page3-456
9. Page3-789
Page 49
RBAC only
Roles:
Page1_123
Page1_456
Page1_789
Page2_123
Page2_456
Page2_789
Page3_123
Page3_456
Page3_789
Poweruser
Page 50
The Solution
Use attributes to constrain under what conditions roles may be activated.
Page 51
RBAC Policy Enhanced
Role Based Access Control – Policy-Enhanced, ANSI INCITS 494 prescribes the usage of dynamic constraints (runtime) which may be applied to users, roles, operations, objects, and permissions.
Page 52
Use ANSI RBAC INCITS 359 Specification
[Diagram of the INCITS 359 reference model again, for comparison with the next slide: USERS, ROLES, SESSIONS, OPS and OBS forming PRMS, with User Assignment, Role Hierarchy, SSD, DSD, User Session and Session Roles]
Page 53
Use ANSI RBAC & ABAC
[Diagram: the same INCITS 359 reference model (USERS, ROLES, SESSIONS, OPS, OBS, PRMS; User Assignment, Role Hierarchy, SSD, DSD, User Session, Session Roles) with a Role Constraint relation added]
Page 54
RBAC w/ ABAC
Roles: Cashiers, Washers, Managers
Users: Curly, Moe, Larry
Each user holds roles constrained to particular restaurants (one constraint set per user, as shown on the slide):
– Cashiers: McDonald's, InOut, BurgerKing
– Cashiers: InOut; Washers: BurgerKing; Managers: McDonald's
– Cashiers: BurgerKing; Washers: InOut, McDonald's
Page 55
RBAC w/ ABAC
Roles: Page1, Page2, Page3, Poweruser
Constraint values per role:
Page1: 123, 456, 789, …
Page2: 123, 456, 789, …
Page3: 123, 345, 789, …
Page 56
Under the Hood
https://appdevcloudworkshop.github.io/images/introduction/image16.png
Page 57
After ABAC
[Diagram comparing the two role lists side by side: RBAC only versus RBAC w/ ABAC]
Page 58
Role Constraints

```xml
<roleconstraint role="PAGE1" key="customer" … />
<roleconstraint role="PAGE2" key="customer" … />
<roleconstraint role="PAGE3" key="customer" … />
```
https://github.com/shawnmckinney/fortress-abac-demo/blob/master/src/main/resources/fortress-abac-demo-load-policy.xml
Page 59
User-Role Constraints

```xml
<roleconstraint userId="User123" role="PAGE1" key="customer" value="123" … />
<roleconstraint userId="User123" role="PAGE2" key="customer" value="123" … />
<roleconstraint userId="User123" role="PAGE3" key="customer" value="123" … />
```
https://github.com/shawnmckinney/fortress-abac-demo/blob/master/src/main/resources/fortress-abac-demo-load-policy.xml
Page 60
Code Sample

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.RoleConstraint;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;

// Nothing new here:
User user = new User( "curly" );
// This is new:
RoleConstraint constraint = new RoleConstraint( );
// In practice we're not gonna pass hard-coded key-values in here:
constraint.setKey( "customer" );
constraint.setValue( "123" );
// This is just boilerplate goop:
List<RoleConstraint> constraints = new ArrayList<>();
constraints.add( constraint );
try
{
    // Create the RBAC session with ABAC constraint -- customer=123, asserted:
    Session session = accessMgr.createSession( user, constraints );
    ...
}
catch ( SecurityException se )
{
    // Fortress signals authentication and policy failures with its checked SecurityException
}
```
https://github.com/shawnmckinney/fortress-abac-demo/blob/master/src/main/java/com/mycompany/MyBasePage.java
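The same mechanism in a self-contained form, as an added example that is not Apache Fortress code and does not reproduce its API: it models the two policy fragments (a role declared as constrained on the key "customer", and a user-role assignment that records which customer values the user may exercise the role for) together with a createSession that takes the caller's asserted constraint, exactly the shape of the Java call above. Three constrained roles plus Poweruser replace the nine PAGEn_customer roles, and the access matrices from the RBAC-only demo come out unchanged. Role, user and customer names follow the slides; the users' assignments and the pages_visible() helper are constructed here.

```python
"""Added example, not Apache Fortress code: attribute-constrained role
activation. A role may be gated on an attribute key; each user-role
assignment records the permitted values; createSession activates only the
roles whose recorded values include the value the caller asserts.
Users and assignments below are constructed to match the demo's matrices.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (object, operation)


@dataclass(frozen=True)
class RoleConstraint:
    key: str
    value: str


@dataclass
class Session:
    user: str
    active_roles: Set[str]
    asserted: Dict[str, str]


@dataclass
class ConstrainedRbac:
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # <roleconstraint role=... key=...>: the attribute that gates the role
    role_key: Dict[str, str] = field(default_factory=dict)
    # <roleconstraint userId=... role=... key=... value=...>: permitted values
    user_role_values: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def add_role(self, role: str, perms: Iterable[Permission], key: Optional[str] = None) -> None:
        self.role_perms[role] = set(perms)
        if key is not None:
            self.role_key[role] = key

    def assign_user(self, user: str, role: str, values: Iterable[str] = ()) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)
        if role in self.role_key:
            self.user_role_values.setdefault((user, role), set()).update(values)

    def create_session(self, user: str, constraints: List[RoleConstraint]) -> Session:
        """Activate each assigned role whose constraint the caller's assertion satisfies."""
        asserted = {c.key: c.value for c in constraints}
        active: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            key = self.role_key.get(role)
            if key is None:
                active.add(role)  # unconstrained role: plain RBAC behaviour
            elif key in asserted and asserted[key] in self.user_role_values.get((user, role), set()):
                active.add(role)  # value asserted and permitted for this user
            # otherwise the role stays inactive for this session
        return Session(user, active, asserted)

    def check_access(self, session: Session, obj: str, op: str) -> bool:
        return any((obj, op) in self.role_perms[r] for r in session.active_roles)


def demo_policy() -> ConstrainedRbac:
    """Three page roles gated on 'customer' plus an unconstrained Poweruser."""
    p = ConstrainedRbac()
    for n in ("1", "2", "3"):
        p.add_role(f"PAGE{n}", [(f"Page{n}", "view")], key="customer")
    p.add_role("Poweruser", [(f"Page{n}", "view") for n in ("1", "2", "3")])
    # Same access as the RBAC-only matrices, expressed with three roles instead of nine
    for n in ("1", "2", "3"):
        p.assign_user("User123", f"PAGE{n}", ["123"])        # every page, customer 123
    p.assign_user("User1", "PAGE1", ["123", "456", "789"])   # page 1, every customer
    p.assign_user("User1_123", "PAGE1", ["123"])             # page 1, customer 123
    p.assign_user("admin", "Poweruser")                      # constructed, not on the slides
    return p


def pages_visible(p: ConstrainedRbac, user: str, customer: str) -> List[str]:
    """Which pages a user can view after asserting customer=<value> at login."""
    s = p.create_session(user, [RoleConstraint("customer", customer)])
    return [f"Page{n}" for n in ("1", "2", "3") if p.check_access(s, f"Page{n}", "view")]
```

The value asserted at session creation has to come from something the caller cannot forge, such as the customer the authenticated user selected from a server-side list; if it is read straight from a request parameter, the constraint only limits which of the user's own customers is active, which is still the intended behaviour here, but not a substitute for the user-role values being stored in the policy rather than supplied by the client.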
Page 61
Example #4: Apache Fortress ABAC Demo
https://github.com/shawnmckinney/fortress-abac-demo
Page 62
ABAC Demo
Page 63
Closing Thoughts
1. Never allow users more than they need to do their jobs – Principle of Least Privilege
2. Apply security controls across many layers – Defense in Depth
3. RBAC may be combined with ABAC – Fine-grained Authorization
Page 64
Examples
1. https://github.com/shawnmckinney/remote-code-execution-sample
2. https://github.com/shawnmckinney/apache-fortress-demo
3. https://github.com/shawnmckinney/role-engineering-sample
4. https://github.com/shawnmckinney/fortress-abac-demo
Bonus:
5. https://github.com/shawnmckinney/rbac-abac-sample
6. https://github.com/shawnmckinney/fortress-saml-demo
Page 65
Questions
Page 66
Contacts
• John Tumminaro
  – http://www.globallogic.com/ – [email protected]
• Shawn McKinney
  – https://symas.com/ – [email protected] – @shawnmckinney