Security in Enterprise Java
Arne Limburg // open knowledge GmbH
Secure, of course! Security in Enterprise Java

About me
Arne Limburg
Enterprise Architect
open knowledge GmbH
@ArneLimburg
@_openknowledge
www.openknowledge.de
Open source
• JPA Security
• Apache DeltaSpike
• Apache OpenWebBeans
Focus areas
• JPA
• CDI

Enterprise Application Security
• Authentication
• Authorization
• Network security
– OS
– Firewall
– TCP/IP
• Web server
– Configuration
• Communication security
– HTTP / HTTPS
– Application firewall

Example application
E-learning platform

Security requirements
• Only lecturers may create courses
• Lecturers may create lessons for their courses
• Lecturers may only see students who take part in their courses
• Students may only see fellow students with whom they share courses

Authentication vs. Authorization

Authentication
Who is the current user?
• Username / password
• Public key
• OAuth
• Biometric

Authentication in a web app
web.xml
```xml
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>JAAS</realm-name>
  <form-login-config>
    <form-login-page>/login.xhtml</form-login-page>
    <form-error-page>/error.xhtml</form-error-page>
  </form-login-config>
</login-config>
```

Servlet 3.0 Authentication
```java
// HttpServletRequest.login() and logout() (Servlet 3.0) throw ServletException on failure
public void login(HttpServletRequest request, String username, String password)
        throws ServletException {
    request.login(username, password);
}

public void logout(HttpServletRequest req) throws ServletException {
    req.logout();
}
```

Authorization
What is the current user allowed to do?
• Role-based
• User permissions
• Access control lists
• Domain object security

JAAS
• Pluggable authentication
• Authorization
– Pluggable policy provider
– Permission checks via AccessController

Java Permissions
Policy file
```
grant principal de…User "arne" {
    permission de…ExecPermission "de…CourseDao.find*";
};

grant principal de…User "admin" {
    permission de…ExecPermission "de…CourseDao.*";
};
```

Java Permissions
```java
public class ExecPermission extends BasicPermission {

    public ExecPermission(String methodName) {
        super(methodName);
    }
}
```

```java
public void create(Course course) {
    String methodName = "de…CourseDao.create";
    // throws AccessControlException if the caller lacks the permission
    AccessController.checkPermission(new ExecPermission(methodName));
    entityManager.persist(course);
}
```

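How the two policy grants above behave under `BasicPermission` matching, as an added example that is not from the slides: `BasicPermission` treats `*` as a wildcard only when it stands alone or directly follows a `.`, so a `find*` grant is compared literally. The package `demo`, the class `PrefixExecPermission` and the method names `findAll` and `findById` are assumptions made for this sketch.

```java
import java.security.BasicPermission;
import java.security.Permission;

// Added example (not from the slides). "demo" stands in for the elided package name.
public class ExecPermissionDemo {

    // Same shape as the ExecPermission shown on the slide.
    static final class ExecPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;

        ExecPermission(String methodName) {
            super(methodName);
        }
    }

    // Hypothetical variant: a trailing '*' always means "any name with this prefix".
    static final class PrefixExecPermission extends Permission {
        private static final long serialVersionUID = 1L;

        PrefixExecPermission(String methodName) {
            super(methodName);
        }

        @Override
        public boolean implies(Permission requested) {
            if (!(requested instanceof PrefixExecPermission)) {
                return false;
            }
            String granted = getName();
            if (granted.endsWith("*")) {
                String prefix = granted.substring(0, granted.length() - 1);
                return requested.getName().startsWith(prefix);
            }
            return granted.equals(requested.getName());
        }

        @Override
        public boolean equals(Object other) {
            return other instanceof PrefixExecPermission
                    && getName().equals(((PrefixExecPermission) other).getName());
        }

        @Override
        public int hashCode() {
            return getName().hashCode();
        }

        @Override
        public String getActions() {
            return ""; // no action list, like BasicPermission
        }
    }

    // Prints whether the granted permission implies the requested one.
    static void report(String label, Permission grant, Permission requested) {
        System.out.printf("%-22s grant %-24s request %-24s -> %s%n",
                label, grant.getName(), requested.getName(), grant.implies(requested));
    }

    public static void main(String[] args) {
        // Constructed method names for the calls being checked.
        String[] calls = {"demo.CourseDao.findAll", "demo.CourseDao.findById", "demo.CourseDao.create"};

        for (String call : calls) {
            // Grant of user "arne": the '*' follows "find", not ".", so the name is matched literally.
            report("BasicPermission", new ExecPermission("demo.CourseDao.find*"), new ExecPermission(call));
            // Grant of user "admin": ".*" is a real BasicPermission wildcard.
            report("BasicPermission", new ExecPermission("demo.CourseDao.*"), new ExecPermission(call));
            // Prefix matching makes the "find*" grant cover the find methods only.
            report("PrefixExecPermission", new PrefixExecPermission("demo.CourseDao.find*"),
                    new PrefixExecPermission(call));
        }
    }
}
```

With `BasicPermission`, the `find*` grant implies none of the three calls, while the `.*` grant implies all of them. Only the prefix-matching variant lets `find*` cover `findAll` and `findById` but not `create`.
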
Conclusion: permissions
• Every security requirement can be expressed
• But
– Far too laborious
– Hard to maintain
Extensions needed

Role based Access Control
[Diagram with three columns: Users (Teacher 1, Student 1, Student 2, …), Roles (Teacher, Student), Permissions (Create Course, Read Course, Read Student, …)]

Role based Access Control
Servlet spec: permissions for web resources
web.xml
```xml
<security-constraint>
  <!-- web-resource-name and url-pattern belong inside web-resource-collection -->
  <web-resource-collection>
    <web-resource-name>New Course</web-resource-name>
    <url-pattern>/courses/create.xhtml</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>teacher</role-name>
  </auth-constraint>
</security-constraint>
```
Java EE Security: permissions for classes and methods

Role based Access Control in Java EE
• @DeclareRoles
• @RolesAllowed
• @PermitAll
• @DenyAll

JACC
Java Authorization Contract for Containers
• The implementation is responsible for:
– Roles as collections of permissions
– Granting permissions
– Checking permissions

Role Based Access Control
```java
@RolesAllowed("teacher")
public Course create(Teacher lecturer, …) {
    Course course = new Course(lecturer, …);
    entityManager.persist(course);
    return course;
}
```
Requirement: lecturers may only create their own courses.

```java
@Resource
private EJBContext ejbContext;

public Course create(Teacher lecturer, …) {
    // only the lecturer named in the call may create the course
    Principal caller = ejbContext.getCallerPrincipal();
    if (!lecturer.equals(caller)) {
        throw new SecurityException(…);
    }
    …
}
```
The role concept is very limited!
More complex access control requirements end up "scattered" throughout the code!
Maintainability and extensibility problems!

Alternatives to role based access control?
Rights should not be granted according to what the user is (which role they have), but according to what they are allowed to do!

Example I
Check by role:
```xml
<h:outputLink value="editCourse.xhtml"
              rendered="#{sec:isUserInRole('teacher')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```
Check by permission:
```xml
<h:outputLink value="editCourse.xhtml"
              rendered="#{sec:hasPermission('editCourse')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```
Check on the domain object:
```xml
<h:outputLink value="editCourse.xhtml"
              rendered="#{sec:canUpdate(course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```

Example II
Check by role:
```xml
<h:outputLink value="createLesson.xhtml"
              rendered="#{sec:isUserInRole('teacher')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```
Check by permission:
```xml
<h:outputLink value="createLesson.xhtml"
              rendered="#{sec:hasPermission('createLesson')}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```
Check on the domain object:
```xml
<h:outputLink value="createLesson.xhtml"
              rendered="#{sec:canCreate('Lesson', course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```

Access Control Lists
[Diagram: Object → Access Control List → three Access Control Entries → User 1, User 2, User 3]

Spring Security
Security for Spring-based web apps
• Extensive authentication modules
• Authorization
– Request-based
– Method-based
– Access control lists

ACLs in Spring Security
```java
public List<Student> findAll() {
    TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```
Requirements:
Lecturers may only see students who attend their courses.
Students may only see fellow students with whom they share courses.

Spring context
```xml
<global-method-security pre-post-annotations="enabled" />
```

```java
// each element of the returned list is checked against its ACL after the query has run
@PostFilter("hasPermission(filterObject, 'read')")
public List<Student> findAll() {
    TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```
Problem:
Filtering happens in memory!
Poor performance with large data sets!

Requirement: lecturers may only create their own courses.

ACLs in Spring Security
```java
@PreAuthorize("hasPermission(#course, 'create')")
public void create(Course course) {
    entityManager.persist(course);
}
```
AccessDeniedException
Further problem:
How do the ACLs get into the database?

```java
// returnObject is Spring Security's built-in name for the method's return value
@PostAuthorize("hasPermission(returnObject, 'create')")
public Course create(Course course) {
    entityManager.persist(course);
    // identify the new course, then grant CREATE to its teacher
    ObjectIdentity identity = new ObjectIdentityImpl(Course.class, course.getId());
    String name = course.getTeacher().getName();
    PrincipalSid principal = new PrincipalSid(name);
    MutableAcl acl = aclService.createAcl(identity);
    acl.insertAce(0, CREATE, principal, true);
    aclService.updateAcl(acl);
    return course;
}
```

ACLs in Spring Security
```java
public void add(Course course, Student student) {
    course.subscribe(student);
    createACE(student, course.getLecturer());
    for (Student participant : course.getParticipants()) {
        createACE(student, participant);
        createACE(participant, student);
    }
}
```
Creating and deleting ACLs ends up "scattered" throughout the code!
Maintainability and extensibility problems!
What happens if a developer forgets to create or delete an ACL?

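What a forgotten ACL deletion looks like in practice, as an added example that is not from the slides: stored ACL entries are compared with a rule derived from the current course state after a student unsubscribes. It is plain Java and does not use the Spring Security API; `AclStore`, `subscribe`, `unsubscribe`, `canReadDerived` and the user names are hypothetical, and the data is constructed.

```java
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example (not from the slides): stored ACL entries drift away from the domain state.
public class AclDriftDemo {

    static final class Course {
        final String lecturer;
        final Set<String> participants = new LinkedHashSet<>();

        Course(String lecturer) {
            this.lecturer = lecturer;
        }
    }

    // Materialized ACL: one READ entry per (viewer, student) pair.
    static final class AclStore {
        private final Set<List<String>> readEntries = new HashSet<>();

        void createAce(String student, String viewer) {
            readEntries.add(List.of(viewer, student));
        }

        boolean canRead(String viewer, String student) {
            return readEntries.contains(List.of(viewer, student));
        }
    }

    // Mirrors add(course, student) from the slide: the lecturer and all
    // participants may see the new student, and the student may see them.
    static void subscribe(Course course, String student, AclStore acls) {
        course.participants.add(student);
        acls.createAce(student, course.lecturer);
        for (String participant : course.participants) {
            acls.createAce(student, participant);
            acls.createAce(participant, student);
        }
    }

    // Written without ACL cleanup: the omission the slide asks about.
    static void unsubscribe(Course course, String student) {
        course.participants.remove(student);
    }

    // Domain-object rule: computed from the current course state, nothing is stored.
    static boolean canReadDerived(String viewer, String student, List<Course> courses) {
        for (Course course : courses) {
            boolean studentAttends = course.participants.contains(student);
            boolean viewerInvolved = course.lecturer.equals(viewer)
                    || course.participants.contains(viewer);
            if (studentAttends && viewerInvolved) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Course course = new Course("teacher1");
        List<Course> courses = List.of(course);
        AclStore acls = new AclStore();

        subscribe(course, "student1", acls);
        subscribe(course, "student2", acls);
        unsubscribe(course, "student2");

        System.out.println("stored ACL: student1 may read student2 = "
                + acls.canRead("student1", "student2"));
        System.out.println("stored ACL: teacher1 may read student2 = "
                + acls.canRead("teacher1", "student2"));
        System.out.println("derived:    student1 may read student2 = "
                + canReadDerived("student1", "student2", courses));
        System.out.println("derived:    teacher1 may read student2 = "
                + canReadDerived("teacher1", "student2", courses));
    }
}
```

After `student2` unsubscribes, the stored entries still answer `true` for both `student1` and `teacher1`, while the derived rule answers `false`.
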
DeltaSpike Security
• Authentication
– Yet to come…
• Authorization
– Business methods via annotations

```java
@Create
public Course create(@Owner Teacher lecturer, …) {
    Course course = new Course(lecturer, …);
    entityManager.persist(course);
    return course;
}
```

Custom security annotations
```java
@Retention(RetentionPolicy.RUNTIME) // must be visible to the interceptor at runtime
@SecurityBindingType
public @interface Create {}

@Retention(RetentionPolicy.RUNTIME)
@SecurityParameterBinding
public @interface Owner {}
```

Separate implementation of the logic
```java
public class SecurityRules {

    @Secures
    @Create
    public boolean checkOwner(@Owner User owner, Identity user) {
        return owner.equals(user);
    }
}
```
Checking the return value is not yet possible as elegantly!

Checking the return value
• Implement an @Alternative SecurityStrategy
• Interface modelled on the interceptor API

```java
@Alternative
public class MySecurityStrategy implements SecurityStrategy {

    public Object execute(InvocationContext ctx) throws Exception {
        Object result = ctx.proceed();
        // check result here
        return result;
    }
}
```

```java
@Alternative
public class MySecurityStrategy extends DefaultSecurityStrategy {

    public Object execute(InvocationContext ctx) throws Exception {
        // delegate to the default strategy, then inspect what the method returned
        Object result = super.execute(ctx);
        // check result here
        return result;
    }
}
```

Spring Security
Domain object based
```java
// returnObject is Spring Security's built-in name for the method's return value
@PreAuthorize("#lecturer == principal")
@PostAuthorize("returnObject.lecturer == principal")
public Course create(Teacher lecturer, …) {
    Course course = new Course(lecturer, …);
    entityManager.persist(course);
    return course;
}
```
What if the course is not created via the create method?

Seam Security
• Authentication
– JAAS (Seam 2)
– PicketLink (Seam 3)
• Authorization
– JSF
– Business methods
– Entities (Seam 2 only)

Seam 2 Security
Rule-based authorization with Drools
Also at entity level

Entity-Security in Seam 2
```java
@Restrict
@Entity
public class Course {
    …
}
```
Drools configuration
```
rule CreateCourse
  no-loop
  activation-group "permission"
when
  principal: Principal()
  course: Course(lecturer: lecturer -> (lecturer.equals(principal)))
  check: PermissionCheck(target == course, action == "insert", granted == false)
then
  check.grant();
end;
```
orm.xml
```xml
<persistence-unit-metadata>
  <persistence-unit-defaults>
    <entity-listeners>
      <entity-listener class="org.jboss.seam.security.EntitySecurityListener"/>
    </entity-listeners>
  </persistence-unit-defaults>
</persistence-unit-metadata>
```

Entity-Security with Seam 2
```java
public List<Student> findAll() {
    TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```
AuthorizationException
Two methods needed
```java
public List<Student> find(Teacher lecturer) {
    …
}

public List<Student> find(Student fellow) {
    …
}
```
The call is made based on the currently logged-in user!
```java
public List<Student> findAll() {
    // pick the query that matches the type of the logged-in user
    Principal caller = ejbContext.getCallerPrincipal();
    if (caller instanceof Teacher) {
        return find((Teacher) caller);
    } else {
        return find((Student) caller);
    }
}
```
Security "scattered" through the code again!

JPA Security
Security framework for JPA
• Pluggable authentication
• Authorization
– JSP and JSF support
– Access checks on CRUD operations
– In-memory filtering of collections
– In-database filtering of queries (JPQL and Criteria)

Entity-Security with JPA Security
```java
@Permit(access = AccessType.CREATE,
        rule = "lecturer = CURRENT_PRINCIPAL")
@Entity
public class Course {
    …
}
```
Automatic check on entityManager.persist(…) or entityManager.merge(…) or on cascading!

```java
public List<Student> findAll() {
    TypedQuery<Student> query = entityManager.createNamedQuery(…, …);
    return query.getResultList();
}
```
Automatic filtering of JPA queries and Criteria queries!

```java
@PermitAny({
    @Permit(access = AccessType.READ,
            rule = "this IN (SELECT p"
                 + " FROM Course course"
                 + " JOIN course.participants p"
                 + " WHERE course.lecturer"
                 + " = CURRENT_PRINCIPAL)"),
    @Permit(…)
})
@Entity
public class Student {
    …
}
```

Entity-Security with JPA Security
persistence.xml
Plain Hibernate:
```xml
<persistence …>
  <persistence-unit name="…">
    <provider>org.hibernate.ejb.HibernatePersistence</provider>
    <properties>
      …
    </properties>
  </persistence-unit>
</persistence>
```
With JPA Security as the provider in front of Hibernate:
```xml
<persistence …>
  <persistence-unit name="…">
    <provider>net.sf.jpase…SecurePersistenceProvider</provider>
    <properties>
      <property name="net.sf.jpasecurity.persistence.provider"
                value="org.hibernate.ejb.HibernatePersistence"/>
    </properties>
  </persistence-unit>
</persistence>
```

Create course
```xml
<h:outputLink value="createLesson.xhtml"
              rendered="#{sec:canCreate('Lesson', course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Create Lesson"/>
</h:outputLink>
```

Edit course
```xml
<h:outputLink value="editCourse.xhtml"
              rendered="#{sec:canUpdate(course)}">
  <f:param name="courseId" value="#{course.id}"/>
  <h:outputText value="Edit Course"/>
</h:outputLink>
```

Conclusion: authorization
• Method-based
– Spring Security: permissions, ACLs or EL
– DeltaSpike Security: typesafe via annotations in the code
• Entity-based
– JPA Security: automatic filtering in the database

Thank you for your time.
Contact:
open knowledge GmbH
Bismarckstr. 13
26122 Oldenburg
jpasecurity.sf.net
@ArneLimburg
@_openknowledge
Q&A