How to set Java EE security roles - security

I'm working on a filter to be put in front of a Java application. This filter already is responsible for setting the user name in the remote user variable (in order for the application to do a request.getRemoteUser() call).
I'd like to also set the roles of the currently logged user from a custom call to an LDAP (not requesting user groups but other specific attributes).
How can I achieve that?

If you write a custom LoginModule, you can authenticate the user yourself, as well as populate the user's roles based on what is in LDAP. If you specify your application server, I could provide more specific information.

OK, LoginModule. It looks like it's what I was looking for... (Filter does not provide the needed functionalities regarding EJB, only servlets)
What specificities are they between different App Servers? Isn't there a core Java EE LoginModule specification that is suported by all servers? (at least WAS and jBoss I would say)
Thanks for your help anyway!

Related

JAAS, JSF 2 and Authentication

I want to build a web application with JSF where I use JAAS for authentication.
I will run the application on Glassfish v4 and I want to use a custom realm/login module to have my user credentials stored in a database and moreover having the passwords salted and hashed. As far as I know the JDBCRealm of Glassfish does not give me possibility to have the passwords salted.
I already found resources on how build such login modules and security realms for it.
Now I reached a point where I still have too many questions open and no answers found on the web.
My first question now is more like a conceptual question.
So for me it actually seems like a disadvantage if I use JAAS since that would require me to write custom realms and login modules for each application server I want my application to be deployed to.
I mean I see the advantage to have the authentication seperated but still it seems quite a bit of extra work compared to a solution where I would do the login procedure on my own.
Since I could also do the access control using custom filter in JSF this seems to be a more universal way because there is no extra effort when I change the application server.
Do I miss something here?
This also leads me to another point. Is there a way to perform the login procedure by myself but assign the current user specific roles in the context of JAAS during my custom login?
Another question: I have seen that it is also possible to create/update/delete users with a custom realm which sounds awesome for my needs... Sorry if this is a kind of a noob question but I still could not figure out how to retrieve the JAAS realm from within my JSF application...

How do I secure mixed content resources in Java EE 6?

I'm trying to decide how to secure a modern web application. I am relatively new to the Java EE 6 technology stack, but I've done some pet projects that didn't utilize security, so I'm looking for some general guidance on what's even possible using out of the box Java EE 6 security.
I understand that declarative security allows you to protect resources based on what role(s) have been assigned to a user attempting to access that resource. So, for example, a user requests a page at a particular URL, the Java EE server checks the user's credentials to see if they're authorized to access that page. This makes perfect sense for resources that only to be accessed by authenticated users. Good examples include administration pages, user account setting pages, restricted content areas.
So as long as I divide a website into secure and unsecured areas, that works fine and I have no questions. But how do I deal with the situation where I have a resource that I want to behave differently based on the authentication level of the user for declarative security.
For example, I may have a home page on a website that displays one view with a login prompt if the user is an unauthenticated user, but if an authenticated user visits that same resource should display some sort of control panel with account management links, etc instead of the login prompt.
How is this achieved in modern Java EE 6 applications? Declarative security doesn't seem expressive enough to allow this to happen as it's very "all or nothing". I've read a little about programmatic security, but all the guides talk about servlets and in a modern web application I would assume that JSFs would be the way to go, not raw servlets. I want to ensure that when I secure a web application with this mixed content that depends on the authentication status of the user that I don't end up spamming security code all throughout the web app because that's extremely error prone, and very messy.
Given the above requirements what solutions would you recommend? I'm not looking for a step by step, just some helpful pointers to get me started in the right direction. Both "Here's what you can use" and "here's how it's going to fulfill your goals" would be helpful!
One last thing, I'd like to avoid loading the Spring suite onto this webapp. I like using the Java EE 6 container technologies as much as possible, and I've heard there are issues making Spring managed beans and Java EE container managed beans available to each others' contexts.
Well, you should read: the Security chapter of the Java ee tutorial.
In a nutshell, either in servlets or EJBs you should:
Declare the security roles involved: #DeclareRoles("javaee6user")
In your servlets either
use #ServletSecurity(#HttpConstraint(rolesAllowed = {"javaee6user"})) for the whole servlet (declarative security)
in the servlet's methods check with request.isUserInRole("javaee6user") just as you did in 'old' servlets (programmatic security)
In your EJBs either
declare the role(s) allowed for a whole method with #RolesAllowed("javaee6user") (declarative security)
inject with #Resource SessionContext ctx; the bean context, and invoke ctx.isCallerInRole("javaee6user") inside your method, just as you did in 'old' EJBs (programmatic security)

Glassfish security realm for each application

I have deployed two applications onto the glassfish server, each of which uses its own security realm (file, jdbc). The problem is that the glassfish allows only one default realm to be set which results in only one application to be functional at a time. I'm a newbie with the glassfish so I might be missing something fundamental or should approach this problem differently (do I need a separate domain for each of mine applications to be able to set the security with specific realm?).
Any suggestions would be appreciated.
Thank you.
It's possible to create more file Realms in the same GlassFish domain, you simply have to specify a new file name for the keyfile storing the users / passwords information. You can follow this tutorial if you wish.
Concerning the other part of the question, you can also consider to use a LDAP server, which is a scalable and more general solution, because it can be used also by other applications inside the same firm. You can use OpenLDAP or OpenDJ for example, and use JNDI API for letting your applications access the LDAP realm.
Here you can find a JNDI and OpenLDAP Tutorial, but you can easily find other tutorials around on the subject.

ASP.NET MVC 3 - Security architecture considerations

I am researching security frameworks for an ASP.NET MVC3 application that would have some pretty complex authorization rules in terms who can see data, who can create and edit it. Rules such as
- I can only see clients that are part of my company or branch.
- If I am out 15 or less days from the day the record was created and my role is of super user then only I can edit all but two fields on that record. After 16 days or more I can only edit two fields.
My initial thought was to use the Enterprise Security Block and just add customized authorizers, but after reading more about the native support for membership based security in ASP.NET, I am not so sure if Enterprise Security Block is necessary. I have not use neither of the frameworks in a real-world application so looking for some collective wisdom on the topic.
This is the problem with complex field level security. There is no real framework to help you with it, because everything is so custom. The best you can do is extract this into some kind of lookup table, and assign each field a custom identifier in the table, then have a set of columns that indicate each security level. Then, you build your business logic so that you pass in a field and conditions, and it simply responds back whether or not to allow it.
THen you have to figure out what "allow" means in your interface. Disable it? Hide it? ignore it?
I don't envy you.
You might find this semi-interesting.
http://bartreyserhove.blogspot.com/2008/12/field-level-security-using-aspnet-mvc.html
You can use Azman - Microsoft Authorization Manager and its related APIs.
It provides you with roles, actions, permissions and many more configurable options.
Azman uses AD to store most of this. It also provides options to store using local XML and/or configuration files.
You are crossing into more than just direct security concerns here but actually authorization rules AND edit rules. Your auth rules sound quite custom and I feel that you may need to process these rules in your own custom code and then include these Attributes in your own view models.
Im not aware of any frameworks that will give you this by default as these are very custom editing rules. You could call these claims and when you login go against a claims based framework such as windows identity foundations (WIF) but you will still need custom IF stmts to allow editing in your view based on properties you set in your ViewModel such as CustomerViewModel.AllowAddressEdit. Your view needs to then check this property to display DisplayFor or EditorFor. However you should also check these values on postback to ensure a user hasn't just injected values to hack your app.
You can use asp.net security for basic authentication to the site, and you can use it for basic role membership. But since these are site-wide permissions, you will need your own logic to segment users into organizational permissions.
What I've done in the past is use the asp.net membership logic to handle the basic auth stuff, but then keep another structure in your database that maps the user id's to other parameters - like the mentioned organizational level membership, or especially access rights for data-driven structures.
I'm actually surprised there aren't better solutions already built out there for handling more complext membership/permissions situations that many apps need.

How can a JACC provider use the Principal-to-role mapping facilities of the server it's deployed on?

I am writing a JACC provider.
Along the way, this means implementing a PolicyConfiguration.
The PolicyConfiguration is responsible for accepting configuration information from the application server, such as which permissions accrue to which roles. This is so that a Policy later on can make authorization decisions when handed information about the current user and what he's trying to do.
However, it is not part of the PolicyConfiguration's (atrocious) contract to maintain a mapping between roles and their permissions, and Principals that are assigned to those roles.
Typically--always, really--an application server houses this mapping. For example, on Glassfish, you affect this mapping by supplying things like sun-web.xml and sun-ejb-jar.xml and so on with your Java EE modules. (These vendor-specific files are responsible for saying, e.g., superusers is a group that is to be assigned the application role of admins.)
I would like to reuse the functionality these files supply, and I would like to do so for as wide an array of application servers as possible.
Here is--totally arbitrarily--IBM's take on the matter, which appears to confirm my suspicion that what I want to do is essentially impossible. (More ammunition for my case that this particular Java EE contract is not worth the paper it's printed on.)
My question: how do I get at this principal-to-role-mapping information in--for starters--Glassfish and JBoss from within a PolicyConfiguration? If there's a standard way to do it that I'm unaware of, I'm all ears.
The short answer is: there's no standard way to do it.
Although Glassfish and JBoss support principal-to-role mappings, JACC does no assume all containers do, and so it delegates the responsibility of keeping those mappings to the JACC provider implementation. From the docs (see: PolicyConfiguration.addToRole method):
It is the job of the Policy provider to ensure that all the
permissions added to a role are granted to principals "mapped to the
role".
In other words, you need to implement that yourself inside your JACC provider for each container. For JBoss, for example, you could use one of the subclasses of AbstractRolesMappingProvider.

Resources