The Anatomy of a Secure Java Web App Using Apache Fortress
September 24, 2018
ApacheCon NA, Montréal
Objective
Think about how we should be securing web apps.
(If we spared no expense)
Intro
Shawn McKinney
• Software Architect
• PMC Apache Directory Project
• Engineering Team
Agenda
1. Have a quick look at OWASP Vulnerability Scanning and Java Remote Code Execution Vulnerability
2. End-to-End Security w/ Apache Fortress Samples
3. Talk about RBAC, ABAC and how they can work together.
Recommendation
Listen and absorb conceptually. Slides are published and have the details.
https://updateme.pdf
What’s The Problem
• Equifax Breach
– 143 million Americans’ personal info, including names, addresses, dates of birth and SSNs compromised.
– Only a veneer of security in place.
https://cwiki.apache.org/confluence/display/WW/S2-045
The Exploit
“The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd=string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.”
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
The Solution
Ensure all appropriate patches have been applied.
How do we ensure that our software is free of vulnerabilities?
The Solution (Take 1)
Perform software vulnerability scans.
https://www.owasp.org/index.php/OWASP_Dependency_Check
OWASP Vulnerability Scanning
Add to your Maven pom.xml file:

```xml
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>3.3.1</version>
  <configuration>
    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
    <suppressionFile>${project.basedir}…/suppression.xml</suppressionFile>
  </configuration>
</plugin>
```
False Positives

```text
smckinn@ubuntu:~/GIT/fortressDev/directory-fortress-core$ mvn install -Powasp
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.3.1:check (default) on project fortress-core:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] accelerator-api-1.0-RC41.jar: CVE-2006-5779, CVE-2002-1508, CVE-2009-3767, CVE-2013-4449, CVE-2011-4079, CVE-2017-14159, CVE-2002-1378, CVE-2002-0045, CVE-2002-1379, CVE-2006-6493, CVE-2007-6698, CVE-2012-1164, CVE-2017-9287, CVE-2005-4442, CVE-2015-3276, CVE-2017-17740, CVE-2005-2069, CVE-2012-2668, CVE-2015-6908
[ERROR]
[ERROR] See the dependency-check report for more details.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
```
Suppress False Positives

```xml
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <!-- Suppress OWASP warnings about openldap serverside vulnerabilities. -->
  <suppress>
    <notes><![CDATA[ file name: accelerator-api-1.0-RC41.jar ]]></notes>
    <gav regex="true">^org\.openldap:accelerator-api:.*$</gav>
    <cpe>cpe:/a:openldap:openldap</cpe>
  </suppress>
  …
</suppressions>
```
How do we ensure that our software is free of vulnerabilities yet to be detected?
It practically can’t be done.
So Now What?
“Security best practices dictate that this user have as little privilege as possible on the server itself, since security vulnerabilities in web applications and web servers are so commonly exploited.”
https://www.wired.com/story/equifax-breach-no-excuse/
The Solution (Take 2)
Practice the principle of least privilege.
https://en.wikipedia.org/wiki/Principle_of_least_privilege
Java Object Serialization Exploit

```java
public class BadCode implements java.io.Serializable…
{…
    // Called by the JVM while deserializing; runs before the caller ever sees the object.
    private void readObject(java.io.ObjectInputStream in)
        throws java.io.IOException, ClassNotFoundException
    {
        in.defaultReadObject();
        Runtime.getRuntime().exec( cmd );
    }
}
```
Java’s remote code execution exploit occurs when a rogue object is read from an input resource and deserialized.
Employ a Runtime Java Security Policy
```text
grant codeBase "file:${catalina.home}/webapps/my-web-app-1/-" {
  permission java.net.SocketPermission "localhost", "resolve";
  permission java.net.SocketPermission "127.0.0.1:32768", "connect,resolve";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.io.SerializablePermission "enableSubclassImplementation";
  permission java.io.FilePermission "…/resources/", "execute";
  …
};
```

Use the `java.io.FilePermission "…/resources/", "execute"` grant with caution.
Example #1

```text
Begin serial exploit test....
Input: duke moscone center
Serialized data is saved in myObject.ser
BadCode will now run hacker script
user.home=/home/myuser
execute hacker command…
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "…/hacker-script.sh" "execute")
```
https://github.com/shawnmckinney/serial-exploit-sample
Demo #1
Not a Perfect Solution

```text
grant codeBase "file:${catalina.home}/webapps/my-web-app-1/-" {
  permission java.net.SocketPermission "localhost", "resolve";
  permission java.io.FilePermission "…/resources/good-scripts*", "execute";
  permission java.net.SocketPermission "127.0.0.1:32768", "connect,resolve";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.io.SerializablePermission "enableSubclassImplementation";
  …
};
```

The highlighted line is `permission java.lang.reflect.ReflectPermission "suppressAccessChecks";`.
One day maybe… Beyond Java 8
• Modularization
• Improved encapsulation
• Finer control over package access.
Meanwhile
What should we do?
https://en.wikipedia.org/wiki/Information_security
“The building up, layering on and overlapping of security measures is called defense in depth. In contrast to a metal chain, which is famously only as strong as its weakest link, the defense-in-depth aims at a structure where, should one defensive measure fail, other measures will continue to provide protection.”
Java Web Security Layers
1. Java SE Security
2. Java Secure Socket Extension (JSSE)
3. Java EE Security
4. Spring Security
5. Web App Framework
6. Database Framework
Each with a specific purpose
1. Java SE Security – principle of least privilege
2. JSSE – private conversations
3. Java EE Security – deadbolt on front door
4. Spring Security – locks on room doors
5. Web App Framework – locks on equipment in rooms
6. Database Functions – content filtering
Example #2: Apache Fortress Demo
https://github.com/shawnmckinney/apache-fortress-demo
Two Areas of Control
1. Java SE, JSSE, Java EE and Spring declarative controls
2. Programmatic AuthZ controls in the Web and DB layers
Start with Tomcat Servlet Container
1 & 2. Enable HTTPS
1. Update the Server.xml
2. Add private key (ssssh!!!)
3. Enable Java EE Security (the deadbolt)
a. Update web.xml
b. Drop the proxy jar
c. Add context.xml
d. Add fortress to pom.xml
Current Specs for Java EE Security
1. JSR-196 – JASPIC – AuthN
2. JSR-115 – JACC – AuthZ
3. JSR-375 – Java EE Security API
What is a Realm?
A Realm is a "database" of usernames and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the list of roles associated with each valid user.
https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html
Apache Fortress Context Realm
Add Fortress Realm Dependency
Add Fortress Dependency to web app’s pom.xml:

```xml
<dependency>
  <groupId>org.apache.directory.fortress</groupId>
  <artifactId>fortress-realm-impl</artifactId>
  <version>2.0.0</version>
</dependency>
```
Enable Fortress Context Realm
Add context.xml to META-INF folder:

```xml
<Context reloadable="true">
  <Realm className="org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy"
         defaultRoles="ROLE_PAGE1,ROLE_PAGE2,ROLE_PAGE3,…"
         contextId="tenant314"
  />
</Context>
```

https://github.com/shawnmckinney/apache-fortress-demo/blob/master/src/main/resources/META-INF/context.xml
Or use the Host Realm, which doesn’t expose the App to Fortress. But then the App can’t use the programmatic APIs.
Enable Fortress Tomcat Realm
Drop the Fortress Realm Proxy Jar in Tomcat’s lib folder:
Enable Fortress Tomcat Realm
Add to App’s web.xml:

```xml
<security-constraint>
  <display-name>My Project Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/wicket/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>DEMO2_USER</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MySecurityRealm</realm-name>
  <form-login-config>
    <form-login-page>/login/login.html</form-login-page>
  </form-login-config>
</login-config>
```

https://github.com/shawnmckinney/apache-fortress-demo/blob/master/src/main/webapp/WEB-INF/web.xml
1. Java EE container protects this URL (`/wicket/*`) automatically.
2. All users must have this role (`DEMO2_USER`) to gain entry.
3. Route un-authenticated requests to my form (`/login/login.html`).
4. Setup Policy Decision Point (the security system)
Intro to the RBAC Standard
Use ANSI RBAC INCITS 359 Specification
RBAC0 – Users, Roles, Perms, Sessions
RBAC1 – Hierarchical Roles
RBAC2 – Static Separation of Duties
RBAC3 – Dynamic Separation of Duties
Today we demo this.
Early Years
• The Role-Based Access Control model was formally introduced in 1992 by David Ferraiolo and Richard Kuhn of the National Institute of Standards and Technology.
• Their model, already in use for some time, was meant to address critical shortcomings of Discretionary Access Control. DAC was not meeting the needs of non-DoD organizations.
• In particular, integrity was lacking, which they defined as the requirement for data and processes to be modified only in authorized ways by authorized users.
Middle Years
• Eight years later, in 2000, they teamed with Ravi Sandhu and produced another influential paper entitled ‘The NIST Model for a Role-Based Access Control: Towards a Unified Standard’.
• Later the team released the RBAC formal model, which laid out in discrete terms how these types of systems were to work. The specification, written in Z-notation, left no ambiguity whatsoever.
• This model formed the basis for the standard that followed:
– ANSI INCITS 359
Current Years
• INCITS 359-2012 RBAC also known as Core.
• INCITS 494-2012 RBAC Policy Enhanced allows attribute modifiers on permissions specifically to provide support for fine-grained authorization.
ANSI INCITS 359
In 2004 ANSI Formalized RBAC into a Standard (Revised in 2012)
Use RBAC Object Model
Six basic elements:
1. User – human or machine entity
2. Role – a job function within an organization
3. Object – maps to system resources
4. Operation – executable image of program
5. Permission – approval to perform an Operation on one or more Objects
6. Session – contains set of activated roles for User
Use RBAC Functional Model
APIs form three standard interfaces:
1. Admin – Add, Update, Delete (management and config processes)
2. Review – Read, Search (management and config processes)
3. System – Access Control (demo runtime processes)
Use RBAC Functional Model
System Manager APIs:
1. createSession – authenticate, activate roles
2. checkAccess – permission check
3. sessionPermissions – all perms active for user
4. sessionRoles – return all roles active
5. addActiveRole – add new role to session
6. dropActiveRole – remove role from session
http://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/impl/AccessMgrImpl.html
Example #3 : Role Engineering Sample
https://github.com/shawnmckinney/role-engineering-sample
4. Back to Installing a policy decision point
Use https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-APACHEDS.md
Or https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md
5 – 8. Enable LDAP SSL (confidentiality)
9. Enable Spring Security (locks on the rooms)
a. Authorization
b. Role mapping
10. Web App Authorization (locks on equipment)
Add fine-grained checks to:
a. Page links
b. Buttons
c. Other controls
11. DAO Authorization (filtering)
Add fine-grained checks to:
a. Create
b. Read
c. Update
d. Delete
12, 13. Enable DB SSL
61
12. Client a. public key b. config 13. Server a. private key b. config
Confidentiality
ApacheCon NA, Montréal 2018
Page 62
Apache Fortress Demo
• Three Pages and Three Customers
• One role for every page to customer combo
• Users may be assigned to one or more roles
• One and only one role may be activated

| Pages | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page One | PAGE1_123 | PAGE1_456 | PAGE1_789 |
| Page Two | PAGE2_123 | PAGE2_456 | PAGE2_789 |
| Page Three | PAGE3_123 | PAGE3_456 | PAGE3_789 |
Page 63

| User123 | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | True | False | False |
| Page2 | True | False | False |
| Page3 | True | False | False |

| User1 | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | True | True | True |
| Page2 | False | False | False |
| Page3 | False | False | False |

| User1_123 | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | True | False | False |
| Page2 | False | False | False |
| Page3 | False | False | False |
Page 64
Demo #2
Page 65
Testing
• Verify security functionality via automation.
• Beware of regressions. They can go unnoticed for weeks, months, years.
https://github.com/shawnmckinney/apache-fortress-demo/.../ApacheFortressDemoSeleniumITCase.java
Page 66
Apache Fortress Demo
• https://github.com/shawnmckinney/apache-fortress-demo

| User Foo | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | False | True | True |
| Page2 | True | False | False |
| Page3 | True | False | False |
Page 67
We still have a problem…
Page 68
Our Roles Have Exploded
Page 69
Cartesian Product
A x B = {(a,b) | a ∈ A and b ∈ B}
– A : role
– B : relationships
Page 70
Number of Roles = sizeof(A) * sizeof(B)
Roles (A): Page1, Page2, Page3
Relationships (B): Customer 123, Customer 456, Customer 789
Roles (A x B):
1. Page1-123
2. Page1-456
3. Page1-789
4. Page2-123
5. Page2-456
6. Page2-789
7. Page3-123
8. Page3-456
9. Page3-789
Page 71
The Solution
Use attributes to constrain under what conditions roles may be activated.
Page 72
RBAC w/ ABAC
Roles: Page1, Page2, Page3
Constraints: Page1 : 123, Page1 : 456, Page1 : 789, Page2 : 123, Page2 : 456, Page2 : 789, Page3 : 123, Page3 : 456, Page3 : 789
Users: User1-123, User1-456, User1-789, User2-123, User2-456, User2-789, User3-123, User3-456, User3-789
Page 73
RBAC w/ ABAC
Roles: Page1, Page2, Page3

| User | Role constraints |
|---|---|
| User1 | Page1 : 123, 456, 789, … |
| User123 | Page1 : 123, Page2 : 123, Page3 : 123 |
| User2 | Page2 : 123, 456, 789, … |
| User456 | Page1 : 456, Page2 : 456, Page3 : 456 |
| User3 | Page3 : 123, 345, 789, … |
| User789 | Page1 : 789, Page2 : 789, Page3 : 789 |
Page 74
After ABAC
RBAC only vs. RBAC w/ ABAC
Page 75
RBAC only
Roles:
Page1_123
Page1_456
Page1_789
Page2_123
Page2_456
Page2_789
Page3_123
Page3_456
Page3_789
Poweruser
Page 76
RBAC w/ ABAC
Roles: Page1, Page2, Page3, Poweruser
Constraints: Page1 : 123, 456, 789, …; Page2 : 123, 456, 789, …; Page3 : 123, 345, 789, …
Page 77
Code Sample

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.RoleConstraint;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;

// Nothing new here:
User user = new User( "curly" );
// This is new:
RoleConstraint constraint = new RoleConstraint( );
// In practice we're not gonna pass hard-coded key-values in here:
constraint.setKey( "customer" );
constraint.setValue( "123" );
// This is just boilerplate goop:
List<RoleConstraint> constraints = new ArrayList<>();
constraints.add( constraint );
try
{
    // Now, create the RBAC session with an ABAC constraint, customer=123, asserted:
    Session session = accessMgr.createSession( user, constraints );
    ...
}
catch ( SecurityException ex )
{
    // Authentication or role activation failed: no session, so deny and log.
}
```
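The role explosion on pages 69–70 and the constrained-activation fix on pages 71–77 can be seen side by side in a small model. The following is an added example written for this page; it is not Apache Fortress code and does not call the Fortress API. It invents its own `Assignment`, `Session`, `create_session` and `check_access` names, and the user table is constructed to mirror the slides' tables (User123, User1, User1_123, plus an unconstrained Poweruser). The ABAC attribute plays the same part as the `customer=123` constraint passed to `createSession` in the code sample: it decides which roles activate in a session, and the session's asserted customer then scopes every access check.

```python
"""Toy model (constructed here, not Apache Fortress code) of RBAC roles whose
activation is constrained by an ABAC attribute, following the slides' example."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional

PAGES = ["Page1", "Page2", "Page3"]
CUSTOMERS = ["123", "456", "789"]


def rbac_only_roles(pages: List[str], customers: List[str]) -> List[str]:
    """RBAC-only design: the Cartesian product A x B, one role per (page, customer)."""
    return [f"{page}_{customer}" for page, customer in product(pages, customers)]


@dataclass(frozen=True)
class Assignment:
    """A role granted to a user, optionally constrained to attribute values.

    allowed is None for an unconstrained role (the slides' Poweruser) and a set
    of customer ids otherwise, like 'Page1 : 123, 456, 789' on the slides.
    """
    role: str
    allowed: Optional[FrozenSet[str]] = None


@dataclass(frozen=True)
class Session:
    user: str
    customer: str            # value asserted for the constraint key "customer"
    active: FrozenSet[str]   # roles activated for this session


# Constructed sample assignments mirroring the slide tables (hypothetical data).
USERS: Dict[str, List[Assignment]] = {
    "User123": [Assignment(page, frozenset({"123"})) for page in PAGES],
    "User1": [Assignment("Page1", frozenset(CUSTOMERS))],
    "User1_123": [Assignment("Page1", frozenset({"123"}))],
    "Poweruser": [Assignment(page) for page in PAGES],
}


def abac_roles() -> FrozenSet[str]:
    """Distinct roles the constrained design needs: just one per page."""
    return frozenset(a.role for assignments in USERS.values() for a in assignments)


def create_session(user: str, customer: str) -> Session:
    """Activate only the roles whose constraint admits the asserted customer.

    Unknown users get an empty session rather than an error, so a caller that
    forgets to check the result still has no active roles to use.
    """
    active = frozenset(
        a.role for a in USERS.get(user, [])
        if a.allowed is None or customer in a.allowed
    )
    return Session(user, customer, active)


def check_access(session: Session, page: str, customer: str) -> bool:
    """Deny unless the page role is active AND the data belongs to the
    customer the session was created for (no cross-customer reads)."""
    return page in session.active and customer == session.customer


def access_matrix(user: str) -> Dict[str, Dict[str, bool]]:
    """Rebuild the slide tables: page -> customer -> allowed, one session per customer."""
    return {
        page: {c: check_access(create_session(user, c), page, c) for c in CUSTOMERS}
        for page in PAGES
    }


if __name__ == "__main__":
    print(len(rbac_only_roles(PAGES, CUSTOMERS)), "roles with RBAC only")
    print(len(abac_roles()), "roles with RBAC + ABAC constraints")
    for name in USERS:
        print(name, access_matrix(name))
```

With three pages and three customers the RBAC-only design needs nine roles and the constrained design three, and the gap widens linearly with every customer added. The demo's rule that "one and only one role may be activated" is replaced here by asserting exactly one customer per session: a User123 session created for customer 456 activates nothing, and a Page1 check for customer 456 inside a customer-123 session is refused even though the Page1 role is active.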
Page 78
Example #4: Apache Fortress ABAC Demo
https://github.com/shawnmckinney/fortress-abac-demo
Page 79
Demo #3
Page 80
Example #5: RBAC ABAC Demo
https://github.com/shawnmckinney/rbac-abac-sample
Page 81
Closing Thoughts
1. Never allow users more than they need to do their jobs – Principle of Least Privilege
2. Apply security controls across many layers – Defense in Depth
3. RBAC may be combined with ABAC – Fine-grained Authorization
Page 82
Bonus
Example #6: Apache Fortress SAML Demo
https://github.com/shawnmckinney/fortress-saml-demo
Page 83
Contact Info
Twitter: @shawnmckinney
Project: https://directory.apache.org/fortress
https://iamfortress.net
http://symas.com
Website:
Email:
Blog: