Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting...
Transcript of Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting...
![Page 1: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/1.jpg)
Practical Dynamic Modules (OSGi) SecurityProtecting More Than Just Data
David SmithJames GouldVeriSign201
![Page 2: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/2.jpg)
AGENDA
> Background on OSGi> Security per OSGI spec> Security beyond OSGI spec
![Page 3: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/3.jpg)
Background on OSGi
> Why use OSGi?– Modularity– Service-oriented architecture– Hot-deployable updates– Multiple versions of code in residence– Hot-swappable versions
> Ideal for highly available, highly adaptable applications> OSGi containers include:
– Eclipse Equinox– Apache Felix– Knopflerfish
![Page 4: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/4.jpg)
Bundle Lifecycle
Starting,
Started
Stopping,Stopped
Installed,Resolved
![Page 5: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/5.jpg)
OSGi Layers
Module
Lifecycle
Service
Security
![Page 6: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/6.jpg)
What Interactions Have To Be Secured?
ApplicationBundle
Management Bundle
SystemBundles
useradmin
![Page 7: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/7.jpg)
Your Application Is A Castle
![Page 8: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/8.jpg)
Keep Services Separated
![Page 9: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/9.jpg)
Limiting Who Talks To Whom
![Page 10: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/10.jpg)
What Security is Defined in the OSGi Spec?
> Java 2 Security!– Use of Security Manager, Security Policies with Permissions
> Permission Admin Service> Conditional Permission Admin Service> User Admin Service
![Page 11: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/11.jpg)
What Security is Not Defined in the OSGi Spec?
> Truly cross-cutting security apart from Java 2 Security> Java Authentication and Authorization Service (JAAS) integration> Securing the container from bad people> An easy way to apply user-based, declarative access protections
– No @annotations– Only programmatic security– Not declarative
![Page 12: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/12.jpg)
Java 2 Security
> Let’s walk through memory lane?
> Protect what bundles can do– Bundles granted permissions based on code base and jar signing– Programmatic checking permissions in bundles
![Page 13: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/13.jpg)
Java 2 Security Steps
> Enable Security Manager -Djava.security.manager
> Define security policy in policy file-Djava.security.policy=<file>
> Create custom permissions or use java.security.BasicPermission new BasicPermission(“displayReports”);
> Check permissions in protected code segmentsSecurityManager sm = System.getSecurityManager();if (sm != null)
sm.checkPermission(new BasicPermission(“displayReports”));
![Page 14: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/14.jpg)
Sample Policy Filekeystore “jazoon.jks”;
grant codeBase "file:Untrusted*" { permission java.io.FilePermission "<<ALL FILES>>", "read";};
grant signedBy ”jazoontest" { permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete, execute";};
grant { permission java.security.AllPermission;};
![Page 15: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/15.jpg)
Keystore and jarsigner
$ keytool -list -keystore jazoon.jks –storepass <pass>Keystore type: jksKeystore provider: SUN
Your keystore contains 1 entry
jazoontest, May 25, 2010, keyEntry,Certificate fingerprint (MD5): 93:48:DC:4B:E5:E3:B2:05:F2:9B:A4:74:73:22:A1:C9};$ jarsigner –keystore jazoon.jks jazoontest.jar jazoontestEnter Passphrase for keystore: <pass>
![Page 16: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/16.jpg)
Java 2 Security Protection Domains
Class Loader A
Class Loader B
System Class Loader
Protection Domain A
Protection Domain B
Class A
Class B
File System PDSecurity.checkPermission( new FilePermission(file, “write”));
B.doAction()
File.createTempFile(“pre”, null);
AccessControlContext context = AccessController.getContext();
ProtectionDomain.implies(perm);
If all Protection Domains don’t imply the permission, then a SecurityException occurs
Class A, Class B, and File must imply FilePermission(file, “write”)
![Page 17: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/17.jpg)
Use of AccessController.doPrivileged()
Class Loader A
Class Loader B
System Class Loader
Protection Domain A
Protection Domain B
Class A
Class B
File System PD
What if B.doAction() needs to create a temp file independent of Class A’s permissions?
Use AccessController.doPrivileged!
B.doAction()
AccessController.doPrivileged( new PrivilegedAction() { public Object run() { File.createTempFile( “pre”, null); return null; }});
AccessControlContext context = AccessController.getContext();
context.checkPermission(perm);
ProtectionDomain.implies(perm);
![Page 18: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/18.jpg)
Java 2 Security and JAAS
> The Authorization of JAAS is handled by Java 2 Security> Policy grant supports Principals to define Permissions for users
grant Principal com.acme.MyPrincipal “jim” {
permission java.io.FilePermission “/home/jim/-”, “read, write, delete, execute”;
}
> To include user Principals with Protection Domain use Subject.doAsSubject.doAs(subject, new PrivilegedAction() {
public Object run() {
File newFile = new File(“/home/jim/test.txt”);
newFile.createNewFile();
return null;
});
![Page 19: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/19.jpg)
OSGi Permission Admin Service
> What is missing from Java 2 Security for OSGi?– Define permissions based on bundles (location)– Allow management agent to lookup bundle permissions– Allow management agent to manage bundle permissions
> Superseded by Conditional Permission Admin Service> Features
– Permissions persisted– Support for default permissions– OSGi service management interface– Integration into Bundle Protection Domains
![Page 20: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/20.jpg)
Setup Management Agent
> Default permission of AllPermission> First bundle to assign permissions wins!
– Management Agent must load first– Management Agent must give itself AllPermission
> ExamplepermAdmin.setPermissions( context.getBundle().getLocation(), new PermissionInfo[]{ new PermissionInfo( AllPermission.class.getName(),"”,"")});
![Page 21: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/21.jpg)
OSGi Permission Admin Service Interface
PermissionInfo[] getDefaultPermissions();
String[] getLocations();
PermissionInfo[] getPermissions(java.lang.String location);
void setDefaultPermissions(PermissionInfo[] permissions);
void setPermissions(String location, PermissionInfo[] permissions);
![Page 22: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/22.jpg)
OSGi Permission Admin Service Flow
Application Bundle
Service Bundle
Framework
Application PD
Service PD
Application
Service
Framework PD PermissionAdmin Service
Agent
Permissions
doServicehasPermission
hasPermission
setPermissions
FrameworkService
execute
hasPermission
![Page 23: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/23.jpg)
OSGi Conditional Permission Admin Service
> What is missing from Permission Admin Service?– Permission Admin Service dependency on Bundle location as identifier– Not flexible for complex security models
> Features– Introduction of ordered security conditions– Allow and deny policies– Support for local bundle permissions– Mutable and immutable conditions– Immediate and postponed conditions
![Page 24: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/24.jpg)
Conditions
> A Condition determines if a set of Permissions apply for a Bundle> A Condition is instantiated by the Bundle Protection Domain
– Reference from Condition to Bundle> Features
– Can be custom – Mutable– Postponed
> Implying a Permission with Conditions– Is the Condition satisfied?– Are one of the permissions applied?– Policy access type (ALLOW or DENY) determines success or failure
![Page 25: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/25.jpg)
Local Permissions
> Allow Developer to specify what Permissions are needed by Bundle– Maximum Permissions for Bundle
> Defined using Bundle Permission Resource in the Bundle– OSGI-INF/permissions.perm
> Example
# Require all FilePermissions(java.io.FilePermission "<<ALL FILES>>” "read, write,
delete, execute”)
![Page 26: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/26.jpg)
ConditionalPermissionAdmin Interface
AccessControlContext getAccessControlContext( String[] signers); ConditionalPermissionUpdate newConditionalPermissionUpdate();
ConditionalPermissionInfo newConditionalPermissionInfo( String name, ConditionInfo conditions[], PermissionInfo permissions[], String access);
ConditionalPermissionInfo newConditionalPermissionInfo( String encodedConditionalPermissionInfo);
![Page 27: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/27.jpg)
OSGi Conditional Permission Admin Service Flow
Application Bundle
Service Bundle
Framework
ApplicationPD
Service PD
Application
Service
Framework Service
Framework PD
PermissionAdmin ServiceAgent Permissions
Conditional Permission
Admin Service
ConditionalPermissions
Security Manager
doService
execute
hasPermission
hasPermissionhasPermission
setPermissions
commithasPermission
![Page 28: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/28.jpg)
OSGi Effective Permissions
> With Java 2 Security, Permission Admin Service, Conditional Permission Admin Server, and Local Permissions how is the effective permissions determined?– Java 2 Security always applies that can be extended with Implied
Permissions– Local Permissions intersected with the Permission Services– Permission Admin Service takes precedence over Conditional Permission
Admin Service
![Page 29: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/29.jpg)
OSGi Effective Permissions
Local Permissions
Java 2 Permissions &
Implied Permissions
![Page 30: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/30.jpg)
Limiting What Outsiders (Users) Can Do
![Page 31: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/31.jpg)
OSGi User Admin Service
> What is missing from Permission Admin Services?– User level authentication and authorization!
> Features– Contains Users, Roles, and Groups– Used to authenticate users– Used to create Authorization objects for authorizing user actions– Support for Basic (any) and Required (all) roles
> Does not integrate with JAAS or Java 2 Security for user level security– Access to User Admin Service done via Java 2 Security
![Page 32: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/32.jpg)
Role, User, Group, and Authorization
Role
User
Group
1..n
roles
Authorization
user
roles
![Page 33: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/33.jpg)
UserAdmin Interface
Role createRole(String name, int type);
boolean removeRole(String name);
Role getRole(String name);
Role[] getRoles(String filter) throws InvalidSyntaxException;
Role[] getRoles(String filter) throws InvalidSyntaxException;
User getUser(String key, String value);
public Authorization getAuthorization(User user);
![Page 34: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/34.jpg)
OSGi User Admin Service Flow
Application Bundle
Service Bundle
Framework
Application
Service
UserAdmin Service
Authenticate (“suzy”, “passwd”)
authenticate
User user = userAdmin.getUser( “auth.userid”, “suzy”);
If (user == null || !user.hasCredential( “auth.passwd”, hash(“passwd”))) throw SecurityException(“Invalid login”);
Authorization auth = userAdmin.getAuthorization(user);
doServiceService.doService(auth);
authorize
Service.doService(Authorization auth) { if (!auth.hasRole(“ServiceRole”)) throw new SecurityException( “authorization error”); }
doAction
![Page 35: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/35.jpg)
Outside Attackers
![Page 36: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/36.jpg)
Pull Up the Castle’s Drawbridge
> Disable the command-line console– Containers support this– For instance, in Equinox use –noConsole
> Disable any insecure access to remote command-line (e.g., telnet)– You wouldn’t allow telnet into a production box, would you?– Just in case, see whether your container starts this by default
> Disable any insecure access to any remote management– Container may have web interface, or you may use Felix’s– Container may expose JMX commands
![Page 37: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/37.jpg)
Install Secure Entrances: Console
> Protect the command line– Custom authentication before granting access– Standard OS user security– LDAP, one-time password, custom challenge
![Page 38: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/38.jpg)
Writing Your Own Console
public void acceptCommands () {BufferedReader consoleInput =
new BufferedReader( new InputStreamReader( System.in ) );while ( true ) { System.out.print( ">>> [install|start|stop]=[file|bundle]" ); String inputLine = null; try { inputLine = null; inputLine = consoleInput.readLine(); this.handle( inputLine ); } catch ( Exception e ) { e.printStackTrace(); }}
}
![Page 39: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/39.jpg)
Writing Your Own Console, Continued
private void handle ( String inputLine ) throws BundleException {String[] cmdAndArg = inputLine.split( "=" );String cmd = cmdAndArg[ 0 ];String arg = cmdAndArg[ 1 ];
if ( "install".equals( cmd ) ) { this.bundleContext.installBundle( arg );} else if ( . . . ){ . . .}
}
![Page 40: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/40.jpg)
No Remote Threats
![Page 41: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/41.jpg)
Install Secure Entrances: Remote Connections
> Always use a secure network interface– Back-office communications should always be on secure interfaces – Accidental changes to ACLs can expose means of compromise
> Apply additional security standards native to the means of access– For web access: https/certificates– JMX:
JAAS (w/LDAP or some other auth mechanism) User Admin Service
– Web services: https and/or standard WSS
![Page 42: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/42.jpg)
JMX AuthenticationSimple Authentication Server
> $JAVA_HOME/lib/management/jmxremote.password
> $JAVA_HOME/lib/management/jmxremote.access
> Start Java with command-line arg– com.sun.management.jmxremote.authenticate=true
bob b@B
bob readwrite
![Page 43: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/43.jpg)
JMX AuthenticationSimple Authentication Client
JMXServiceURL url = new JMXServiceURL(“service:jmx:rmi:///jndi/rmi://1.1.1.1:9379/<…>”);
Map<String, Object> env = new HashMap<String, Object>();String[] creds = {“bob”, “b@B”};env.put(JMXConnector.CREDENTIALS, creds);
JMXConnector conn = JMXConnectorFactory.newJMXConnector(url, env);conn.connect();
MBeanServerConnection mBeanServer = conn.getMBeanServerConnection();
![Page 44: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/44.jpg)
JMX™ AuthenticationUsing LDAP via JAAS> Authenticate with LDAP directory> Use Java 6 JAAS LDAP LoginModule
MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
LocateRegistry.createRegistry(9379);JMXServiceURL jmxServiceURL = new JMXServiceURL(...);
Map<String, Object> env = new HashMap<String, Object>();env.put("jmx.remote.x.login.config", ”MyLdapConfig");
JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
cs.start();
![Page 45: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/45.jpg)
JMX AuthenticationUsing LDAP via JAAS (cont.)
> jaas.config
> Start with command-line arg– java.security.auth.login.config=jaas.config
MyLdapConfig { com.sun.security.auth.module.LdapLoginModule REQUIRED userProvider=
"ldap://sun-ds/ou=people,dc=sun,dc=com" userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))" authzIdentity=adminRole useSSL=false; };
![Page 46: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/46.jpg)
JMX Custom Authenticator
> A Custom JMXAuthenticator can– Authenticate to custom identity data store– Accept additional login credentials– Be an alternative to writing custom LoginModule
![Page 47: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/47.jpg)
Custom AuthenticatorServer Code Examplepublic class MyOsgiJmxAuthenticator implements JMXAuthenticator { public Subject authenticate(Object aCredentials) { final String[]credentials = (String[]) aCredentials; String username = (String) credentials[0]; String password = (String) credentials[1]; // Validate credentials... if ([ok]) { Set<JMXPrincipal> principals = new Set<JMXPrincipal>();
principals.add(new JMXPrincipal(username));principals.add(new JMXPrincipal(“admin”));
return new Subject(true, principals, Collections.EMPTY_SET, Collections.EMPTY_SET); } else { throw new SecurityException(“Authentication failure”); } } }
![Page 48: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/48.jpg)
Custom AuthenticatorServer Code Example
JMXServiceURL url = new JMXServiceURL(. . .);
Map<String, Object> env = new HashMap<String, Object>();env.put(JMXConnectorServer.AUTHENTICATOR, new MyOsgiJmxAuthenticator());
JMXConnector conn = JMXConnectorFactory.newJMXConnector(url, env);conn.connect();
MBeanServerConnection mBeanServer = conn.getMBeanServerConnection();
![Page 49: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/49.jpg)
Remote Deployment
I have a msg for
you!
OK. I’ll open a window for
you.
Send it over here.
![Page 50: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/50.jpg)
Cluster
Remote JMX Installer
> With clustering, remote distribution becomes a problem> Remote, secure distribution even more difficult
Central JMX-Based
Installer
Instance:JMX
:1379request install
send jar
Instance
Instance:JMX
:9731request install
:JMX
![Page 51: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/51.jpg)
Install Guards
> Deployment watchdog– Watches for deployments– Has criteria for allowed deployments– Alerts on unexpected deployments
> Could ask bundle for shared secret/digital signature– bundle.getEntry( "/sharedSecret.txt" );– bundle.findEntries(“secret", "*.txt", noRecurse);
![Page 52: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/52.jpg)
Custom Watchdog (BundleListener)
public void bundleChanged ( BundleEvent aEvent ) { int type = aEvent.getType(); String symbolicName = bundle.getSymbolicName(); boolean bundleIsAllowed = allowedBundles.contains ( symbolicName ); BundleEventEnum eventType = BundleEventEnum.getByCode( type ); if ( !bundleIsAllowed
&& (eventType.isInProcessOfStarting()) ) { try { bundle.uninstall(); } catch ( Exception e ) { e.printStackTrace(); } }}Activator: context.addBundleListener( listener );
![Page 53: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/53.jpg)
Bundle-Event Enumeration
public enum BundleEventEnum {INSTALLED(BundleEvent.INSTALLED, "INSTALLED"), LAZY_ACTIVATION(BundleEvent.LAZY_ACTIVATION, "LAZY_ACTIVATION"), RESOLVED(BundleEvent.RESOLVED, "RESOLVED"), . . . ;private final String name;private final int code;
BundleEventEnum ( final int aCode, final String aName ) { this.code = aCode; this.name = aName;}
public boolean isInProcessOfStarting () { return (this == INSTALLED) || (this == RESOLVED) || (this == STARTED) || (this == STARTING) || (this == UPDATED);}
}
![Page 54: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/54.jpg)
BundleTracker (OSGi 4.2)
> Not necessary to write your own listener> Works like ServiceTracker> Add BundleTrackerCustomizer
– addingBundle(Bundle bundle, BundleEvent event) – modifiedBundle(Bundle bundle, BundleEvent event, Object object) – removedBundle(Bundle bundle, BundleEvent event, Object object)
![Page 55: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/55.jpg)
Summary
> We covered a lot of territory including– Java 2 Security– Permission Admin Service and Conditional Permission Admin Service– User Admin Service– Removing insecure admin access– Adding secure admin access
> Let’s protect the OSGi Castle!
![Page 56: Practical Dynamic Modules (OSGi) Security · Practical Dynamic Modules (OSGi) Security Protecting More Than Just Data David Smith James Gould VeriSign 201. AGENDA > Background on](https://reader036.fdocuments.us/reader036/viewer/2022070711/5ec829fc1d431114bb6d1e5d/html5/thumbnails/56.jpg)
David Smith verisign.com VeriSign [email protected]
Jim Gould verisign.comVeriSign [email protected]