eXtreme Security
Transcript of eXtreme Security
![Page 1: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/1.jpg)
eXtreme Enterprise Security
Arne Limburg // open knowledge GmbH
![Page 2: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/2.jpg)
About Me
Arne Limburg @ArneLimburg
Enterprise Architect @_openknowledge
open knowledge GmbH www.openknowledge.de
Focus areas
• JPA
• CDI
Open Source
• JPA Security
• Apache DeltaSpike
• Apache OpenWebBeans
![Page 3: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/3.jpg)
Enterprise Application Security
Authentication
Authorization
Network Security
- OS
- Firewall
- TCP/IP
Web server
- Configuration
Communication security
- HTTP / HTTPS
- Application firewall
![Page 4: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/4.jpg)
Example application
E-learning platform
![Page 5: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/5.jpg)
Security requirements
• Only teachers may create courses
• Teachers may create lessons for their courses
• Teachers may only see students who attend their courses
• Students may only see fellow students with whom they share courses
![Page 6: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/6.jpg)
Authentication vs. Authorization
![Page 7: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/7.jpg)
Who is the current user?
Authentication
Username / password
Public key
OAuth
Biometric
![Page 8: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/8.jpg)
Authentication in a web app
web.xml
```xml
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>JAAS</realm-name>
  <form-login-config>
    <form-login-page>/login.xhtml</form-login-page>
    <form-error-page>/error.xhtml</form-error-page>
  </form-login-config>
</login-config>
```
![Page 9: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/9.jpg)
Servlet 3.0 Authentication
```java
public void login(HttpServletRequest request,
                  String username, String password)
        throws ServletException {
    request.login(username, password);
}

public void logout(HttpServletRequest req) throws ServletException {
    req.logout();
}
```
![Page 10: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/10.jpg)
What may the current user do?
Authorization
Role-based
User permissions
Access Control Lists
Domain object security
![Page 11: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/11.jpg)
JAAS
• Pluggable authentication
• Authorization
– Pluggable policy provider
– Permission checks via AccessController
![Page 12: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/12.jpg)
Java Permissions
Policy file
```
grant principal de…User "arne" {
    permission de…ExecPermission "de…CourseDao.find*";
};

grant principal de…User "admin" {
    permission de…ExecPermission "de…CourseDao.*";
};
```
![Page 13: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/13.jpg)
Java Permissions
```java
public class ExecPermission extends BasicPermission {

    public ExecPermission(String methodName) {
        super(methodName);
    }
}
```
![Page 14: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/14.jpg)
Java Permissions
```java
public void create(Course course) {
    String methodName = "de…CourseDao.create";
    // throws AccessControlException if the current policy does not grant it
    AccessController.checkPermission(new ExecPermission(methodName));
    entityManager.persist(course);
}
```
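An added example, not part of the original slides: `BasicPermission` treats `*` as a wildcard only when it stands alone or directly follows a `.` at the end of the name, so a grant written like `….CourseDao.find*` is compared as a literal name. The sketch checks both policy-style grants through `java.security.Permissions` and adds a hypothetical `PrefixExecPermission` that honours prefix grants; `app.CourseDao` is a constructed stand-in for the elided package.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

public class ExecPermissionWildcardDemo {

    /** Same shape as the ExecPermission shown on the slide. */
    static final class ExecPermission extends BasicPermission {
        ExecPermission(String methodName) {
            super(methodName);
        }
    }

    /** Hypothetical variant: any trailing '*' acts as a prefix wildcard. */
    static final class PrefixExecPermission extends BasicPermission {
        PrefixExecPermission(String methodName) {
            super(methodName);
        }

        @Override
        public boolean implies(Permission requested) {
            if (!(requested instanceof PrefixExecPermission)) {
                return false;
            }
            String granted = getName();
            if (granted.endsWith("*")) {
                String prefix = granted.substring(0, granted.length() - 1);
                return requested.getName().startsWith(prefix);
            }
            return granted.equals(requested.getName());
        }

        // BasicPermission's own collection matches by name and never calls
        // implies() above, so fall back to the generic collection, which
        // asks every stored permission.
        @Override
        public PermissionCollection newPermissionCollection() {
            return null;
        }
    }

    /** Collects grants the way a policy does for one principal. */
    static boolean granted(Permission requested, Permission... grants) {
        Permissions collected = new Permissions();
        for (Permission grant : grants) {
            collected.add(grant);
        }
        return collected.implies(requested);
    }

    public static void main(String[] args) {
        // Constructed names; "app.CourseDao" stands in for the elided package.
        Permission findAll = new ExecPermission("app.CourseDao.findAll");
        Permission create = new ExecPermission("app.CourseDao.create");

        // Grant written like the "arne" entry of the policy file.
        System.out.println("find* grant covers findAll:  "
                + granted(findAll, new ExecPermission("app.CourseDao.find*")));
        // Grant written like the "admin" entry of the policy file.
        System.out.println(".* grant covers create:      "
                + granted(create, new ExecPermission("app.CourseDao.*")));

        Permission prefixGrant = new PrefixExecPermission("app.CourseDao.find*");
        System.out.println("prefix grant covers findAll: "
                + granted(new PrefixExecPermission("app.CourseDao.findAll"), prefixGrant));
        System.out.println("prefix grant covers create:  "
                + granted(new PrefixExecPermission("app.CourseDao.create"), prefixGrant));
    }
}
```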
![Page 15: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/15.jpg)
Conclusion: Permissions
• Any security requirement can be modeled
• But
– Far too laborious
– Hard to maintain
Extensions needed
![Page 16: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/16.jpg)
What may the current user do?
Authorization
Role-based
User permissions
Access Control Lists
Domain object security
![Page 17: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/17.jpg)
Role based Access Control
Users: Teacher 1, Student 1, Student 2, …
Roles: Teacher, Student
Permissions: Create Course, Read Course, Read Student, …
![Page 18: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/18.jpg)
Role based Access Control
Servlet Spec
Permissions for web resources
![Page 19: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/19.jpg)
Role based Access Control
web.xml
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>New Course</web-resource-name>
    <url-pattern>/courses/create.xhtml</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>teacher</role-name>
  </auth-constraint>
</security-constraint>
```
![Page 20: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/20.jpg)
Role based Access Control
Servlet Spec
Permissions for web resources
Java EE Security
Permissions for classes and methods
![Page 21: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/21.jpg)
Role based Access Control in Java EE
@DeclareRoles
@RolesAllowed
@PermitAll
@DenyAll
![Page 22: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/22.jpg)
JACC
Java Authorization Contract for Containers
• The implementation is responsible for:
– Roles as a collection of permissions
– Granting of permissions
– Checking of permissions
![Page 23: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/23.jpg)
Role Based Access Control
```java
@RolesAllowed("teacher")
public Course create(Teacher lecturer, …) {
    Course course = new Course(lecturer, …);
    entityManager.persist(course);
    return course;
}
```
![Page 24: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/24.jpg)
Role Based Access Control
Requirement: Teachers may only create their own courses.
![Page 25: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/25.jpg)
Role Based Access Control
```java
@Resource
private EJBContext ejbContext;

public Course create(Teacher lecturer, …) {
    Principal caller = ejbContext.getCallerPrincipal();
    if (!lecturer.equals(caller)) {
        throw new SecurityException(…);
    }
    …
}
```
![Page 26: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/26.jpg)
Role Based Access Control
The role concept is very limited!
More complex access control requirements end up "scattered" throughout the code!
Maintainability and extensibility problems!
![Page 27: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/27.jpg)
Alternatives to Role based Access Control?
![Page 28: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/28.jpg)
Alternatives to Role based Access Control?
Rights should not be granted according to what the user is (which role they have), but according to what they are allowed to do!
![Page 29: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/29.jpg)
Example I
```xml
<h:outputLink value="editCourse.xhtml"
              rendered="#{sec:isUserInRole('teacher')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```
![Page 30: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/30.jpg)
![Page 31: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/31.jpg)
Example I
```xml
<h:outputLink value="editCourse.xhtml"
              rendered="#{sec:hasPermission('editCourse')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```
![Page 32: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/32.jpg)
Example I
```xml
<h:outputLink value="editCourse.xhtml"
              rendered="#{sec:canUpdate(course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```
![Page 33: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/33.jpg)
Example II
```xml
<h:outputLink value="createLesson.xhtml"
              rendered="#{sec:isUserInRole('teacher')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```
![Page 34: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/34.jpg)
![Page 35: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/35.jpg)
Example II
```xml
<h:outputLink value="createLesson.xhtml"
              rendered="#{sec:hasPermission('createLesson')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```
![Page 36: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/36.jpg)
Example II
```xml
<h:outputLink value="createLesson.xhtml"
              rendered="#{sec:canCreate('Lesson', course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```
![Page 37: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/37.jpg)
What may the current user do?
Authorization
Role-based
User permissions
Access Control Lists
Domain object security
![Page 38: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/38.jpg)
Access Control Lists
Diagram: Object, Access Control List, three Access Control Entries, User 1, User 2, User 3
![Page 39: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/39.jpg)
Spring Security
Security for Spring-based web apps
• Extensive authentication modules
• Authorization
– Request-based
– Method-based
– Access Control Lists
![Page 40: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/40.jpg)
ACLs in Spring Security
```java
public List<Student> findAll() {
    TypedQuery<Student> query
        = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```
![Page 41: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/41.jpg)
ACLs in Spring Security
Requirements:
Teachers may only see students who attend their courses.
Students may only see fellow students with whom they share courses.
![Page 42: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/42.jpg)
ACLs in Spring Security
Spring Context
```xml
<global-method-security pre-post-annotations="enabled" />
```
![Page 43: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/43.jpg)
ACLs in Spring Security
```java
@PostFilter("hasPermission(filterObject, 'read')")
public List<Student> findAll() {
    TypedQuery<Student> query
        = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```
![Page 44: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/44.jpg)
ACLs in Spring Security
Problem:
Filtering happens in memory!
Poor performance with large amounts of data!
![Page 45: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/45.jpg)
ACLs in Spring Security
Requirement: Teachers may only create their own courses.
![Page 46: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/46.jpg)
ACLs in Spring Security
```java
@PreAuthorize("hasPermission(#course, 'create')")
public void create(Course course) {
    entityManager.persist(course);
}
```
AccessDeniedException
![Page 47: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/47.jpg)
ACLs in Spring Security
Another problem:
How do the ACLs get into the database?
![Page 48: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/48.jpg)
![Page 49: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/49.jpg)
ACLs in Spring Security
```java
@PostAuthorize("hasPermission(returnObject, 'create')")
public Course create(Course course) {
    entityManager.persist(course);
    return course;
}
```
![Page 50: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/50.jpg)
ACLs in Spring Security
```java
@PostAuthorize("hasPermission(returnObject, 'create')")
public Course create(Course course) {
    entityManager.persist(course);
    ObjectIdentity identity
        = new ObjectIdentityImpl(Course.class, course.getId());
    …
}
```
![Page 51: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/51.jpg)
ACLs in Spring Security
```java
@PostAuthorize("hasPermission(returnObject, 'create')")
public Course create(Course course) {
    entityManager.persist(course);
    ObjectIdentity identity = …;
    String name = course.getTeacher().getName();
    PrincipalSid principal = new PrincipalSid(name);
    …
}
```
![Page 52: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/52.jpg)
ACLs in Spring Security
```java
@PostAuthorize("hasPermission(returnObject, 'create')")
public Course create(Course course) {
    entityManager.persist(course);
    ObjectIdentity identity = …;
    PrincipalSid principal = …;
    // grant the teacher the CREATE permission on the new course
    MutableAcl acl = aclService.createAcl(identity);
    acl.insertAce(0, CREATE, principal, true);
    aclService.updateAcl(acl);
    return course;
}
```
![Page 53: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/53.jpg)
ACLs in Spring Security
```java
public void add(Course course, Student student) {
    course.subscribe(student);
    createACE(student, course.getLecturer());
    for (Student participant : course.getParticipants()) {
        createACE(student, participant);
        createACE(participant, student);
    }
}
```
![Page 54: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/54.jpg)
ACLs in Spring Security
Creating and deleting ACLs ends up "scattered" throughout the code!
Maintainability and extensibility problems!
What happens if a developer forgets to create or delete an ACL?
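An added example, not from the original slides, of the failure mode this last question points at: a hand-maintained ACL keeps granting access after a forgotten delete, while a rule derived from the course data does not. All names (`AclEnrollment`, `sharesCourse`, `Ace`) are hypothetical and the data is constructed.

```java
import java.util.HashSet;
import java.util.Set;

public class StaleAclDemo {

    record Student(String name) {}

    /** One access control entry: viewer may read target. */
    record Ace(Student viewer, Student target) {}

    static final class Course {
        final Set<Student> participants = new HashSet<>();
    }

    /** ACL variant: entries are written by hand next to the business logic. */
    static final class AclEnrollment {
        final Set<Ace> acl = new HashSet<>();

        void add(Course course, Student student) {
            for (Student participant : course.participants) {
                acl.add(new Ace(student, participant));
                acl.add(new Ace(participant, student));
            }
            course.participants.add(student);
        }

        // Deliberately incomplete: the ACEs written in add() are not removed.
        // A correct version would also have to keep entries for pairs that
        // still share another course.
        void remove(Course course, Student student) {
            course.participants.remove(student);
        }

        boolean canRead(Student viewer, Student target) {
            return acl.contains(new Ace(viewer, target));
        }
    }

    /** Rule variant: the decision is derived from the domain data itself. */
    static boolean sharesCourse(Set<Course> courses, Student viewer, Student target) {
        return courses.stream().anyMatch(course ->
                course.participants.contains(viewer)
                        && course.participants.contains(target));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Student alice = new Student("alice");
        Student bob = new Student("bob");
        Course jpa = new Course();
        Set<Course> courses = Set.of(jpa);

        AclEnrollment enrollment = new AclEnrollment();
        enrollment.add(jpa, alice);
        enrollment.add(jpa, bob);
        System.out.println("both enrolled:  acl=" + enrollment.canRead(alice, bob)
                + " rule=" + sharesCourse(courses, alice, bob));

        // bob leaves the course; the ACL still holds the old entries.
        enrollment.remove(jpa, bob);
        System.out.println("after bob left: acl=" + enrollment.canRead(alice, bob)
                + " rule=" + sharesCourse(courses, alice, bob));
    }
}
```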
![Page 55: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/55.jpg)
What may the current user do?
Authorization
Role-based
User permissions
Access Control Lists
Domain object security
![Page 56: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/56.jpg)
Seam Security
• Authentication
– JAAS (Seam 2)
– PicketLink (Seam 3)
• Authorization
– JSF
– Business method
– Entity (Seam 2 only)
![Page 57: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/57.jpg)
Seam 3 Security
```java
@Create
public Course create(@Owner Teacher lecturer, …) {
    Course course = new Course(lecturer, …);
    entityManager.persist(course);
    return course;
}
```
![Page 58: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/58.jpg)
Custom security annotation
```java
@SecurityBindingType
public @interface Create {}

@SecurityParameterBinding
public @interface Owner {}
```
![Page 59: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/59.jpg)
Separate implementation of the logic
```java
public class SecurityRules {

    @Secures
    @Create
    public boolean checkOwner(@Owner User owner, Identity user) {
        return owner.equals(user);
    }
}
```
![Page 60: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/60.jpg)
![Page 61: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/61.jpg)
Seam 3 Security
Checking the return value is currently not yet possible!
![Page 62: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/62.jpg)
Spring Security
```java
@PreAuthorize("#lecturer == principal")
@PostAuthorize("returnObject.lecturer == principal")
public Course create(Teacher lecturer, …) {
    Course course = new Course(lecturer, …);
    entityManager.persist(course);
    return course;
}
```
![Page 63: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/63.jpg)
Domain object based
What if the course is not created via the create method?
![Page 64: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/64.jpg)
Seam 2 Security
Rule-based authorization with Drools
Also at the entity level
![Page 65: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/65.jpg)
Entity-Security in Seam 2
```java
@Restrict
@Entity
public class Course {
    …
}
```
![Page 66: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/66.jpg)
Entity-Security in Seam 2
Drools configuration
```
rule CreateCourse
  no-loop
  activation-group "permission"
when
  principal: Principal()
  course: Course(lecturer: lecturer -> (lecturer.equals(principal)))
  check: PermissionCheck(target == course, action == "insert", granted == false)
then
  check.grant();
end;
```
![Page 67: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/67.jpg)
Entity security with Seam 2
orm.xml
```xml
<persistence-unit-metadata>
  <persistence-unit-defaults>
    <entity-listeners>
      <entity-listener
          class="org.jboss.seam.security.EntitySecurityListener" />
    </entity-listeners>
  </persistence-unit-defaults>
</persistence-unit-metadata>
```
![Page 68: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/68.jpg)
Entity security with Seam 2
```java
public List<Student> findAll() {
    TypedQuery<Student> query
        = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```
AuthorizationException
![Page 69: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/69.jpg)
Entity security with Seam 2
Two methods required
![Page 70: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/70.jpg)
Entity security with Seam 2
```java
public List<Student> find(Teacher lecturer) {
    …
}

public List<Student> find(Student fellow) {
    …
}
```
![Page 71: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/71.jpg)
Entity security with Seam 2
The call is made based on the currently logged-in user!
![Page 72: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/72.jpg)
Entity security with Seam 2
```java
public List<Student> findAll() {
    Principal caller = ejbContext.getCallerPrincipal();
    if (caller instanceof Teacher) {
        return find((Teacher) caller);
    } else {
        return find((Student) caller);
    }
}
```
![Page 73: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/73.jpg)
Entity security with Seam 2
Security "scattered" throughout the code once again!
![Page 74: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/74.jpg)
JPA Security
Security framework for JPA
• Pluggable authentication
• Authorization
– JSP and JSF support
– Access check on CRUD operations
– In-memory filtering of collections
– In-database filtering of queries (JPQL and Criteria)
![Page 75: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/75.jpg)
Entity security with JPA Security
```java
@Permit(access = AccessType.CREATE,
        rule = "lecturer = CURRENT_PRINCIPAL")
@Entity
public class Course {
    …
}
```
![Page 76: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/76.jpg)
Entity security with JPA Security
Automatic check on entityManager.persist(…) or entityManager.merge(…) or on cascading!
![Page 77: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/77.jpg)
Entity security with JPA Security
```java
public List<Student> findAll() {
    TypedQuery<Student> query
        = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```
![Page 78: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/78.jpg)
Entity security with JPA Security
Automatic filtering of JPA queries and criteria!
![Page 79: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/79.jpg)
Entity security with JPA Security
```java
@PermitAny({
    @Permit(access = AccessType.READ,
            rule = "this IN (SELECT p"
                 + " FROM Course course"
                 + " JOIN course.participants p"
                 + " WHERE course.lecturer"
                 + " = CURRENT_PRINCIPAL)"),
    @Permit(…)
})
@Entity
public class Student {
    …
}
```
![Page 80: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/80.jpg)
Entity security with JPA Security
persistence.xml
```xml
<persistence …>
  <persistence-unit name="…">
    <provider>org.hibernate.ejb.HibernatePersistence</provider>
    <properties>
      …
    </properties>
  </persistence-unit>
</persistence>
```
![Page 81: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/81.jpg)
Entity security with JPA Security
persistence.xml
```xml
<persistence …>
  <persistence-unit name="…">
    <provider>net.sf.jpase…SecurePersistenceProvider</provider>
    <properties>
      <property name="net.sf.jpasecurity.persistence.provider"
                value="org.hibernate.ejb.HibernatePersistence"/>
    </properties>
  </persistence-unit>
</persistence>
```
![Page 82: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/82.jpg)
Create course
```xml
<h:outputLink value="createLesson.xhtml"
              rendered="#{sec:canCreate('Lesson', course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```
![Page 83: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/83.jpg)
Edit course
```xml
<h:outputLink value="editCourse.xhtml"
              rendered="#{sec:canUpdate(course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```
![Page 84: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/84.jpg)
Conclusion: Authorization
• Method-based
– Spring Security: permissions, ACL or EL
– Seam 3 Security: typesafe via annotations in the code
• Entity-based
– JPA Security: automatic filtering in the database
![Page 85: eXtreme Security](https://reader035.fdocuments.us/reader035/viewer/2022081400/554f809cb4c905435d8b4993/html5/thumbnails/85.jpg)
Thank you for your time.
Contact:
open knowledge GmbH
Bismarckstr. 13
26122 Oldenburg
ArneLimburg _openknowledge
Q&A