Java Security Framework - security

Security always tends to take the last place in a new project. Or you use a framework like Spring where security is already built in and can be switched on easily.
I am trying to find an open security framework that can be plugged in to both Swing and Web applications (and JavaFX?), maybe easy to digest. I looked at plain JAAS, JGuard and JSecurity but it's just too complicated to get started.
Any recommendations or experience to share?
I am working with NB, Glassfish and MySQL.
Thanks
Sven

I have just taken a view of this http://shiro.apache.org/
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

I would strongly recommend learning JAAS. It really isn't that difficult to pick up, and there are some useful tutorials and a reference guide on the Sun web site.
In my experience, JAAS is pretty widely used, so it's definitely something you'll be able to reuse once you've learnt it. It also happens to be one of the building blocks for the Glassfish authentication mechanism!

I have done similar research into JAAS for web applications and ran into a "mind roadblock" until I finally realized JAAS is a framework addressing security at a different "layer" than traditional web applications in the Java world. It is built to tackle security issues in J2SE, not J2EE.
JAAS is a security framework built for securing things at a much lower level than web applications. Some examples of these things are code and resources available at the JVM level, hence the ability to set policy files at the JVM level.
However, since J2EE is built on top of J2SE, a few modules from JAAS were reused in J2EE security, such as the LoginModules and Callbacks.
On the other hand, Acegi, aka Spring Security, tackles a much higher "layer" in the securing-web-applications problem. It is built on top of J2EE security, hence J2SE, hence JAAS. Unless you are looking to secure resources at the J2SE level (classes, system resources), I don't see any real use of JAAS other than using the common classes and interfaces. Just focus on using Acegi or plain old J2EE security, which solves a lot of common web application security problems.
At the end of the day, it is important to learn which "layer" of the J2EE-J2SE security issue you are tackling and choose the right tool(s) for the problem.

I would recommend you take a look at OACC (http://oaccframework.org). OACC was designed for solving the problem of application security. Unlike most frameworks, OACC is able to store/manage the authorization relationships in your application. OACC's authorization model is more powerful than Shiro or Spring Security.

There is an alternative from JBoss, a new version of PicketBox. More information here:
https://docs.jboss.org/author/display/SECURITY/Java+Application+Security

Apache Shiro miserably fails when you stress a web application under JBoss (say 2 million requests of a simple GET with a concurrency of 50 threads).
It was very disappointing to find this out.
It happens when you use filters.

You can read http://code4reference.com/2013/08/guest-posttop-java-security-frameworks-for-developing-defensive-java-applications/
It gives a 1000-mile view of various Java security frameworks, such as JAAS, Shiro or Spring Security. All depend on your requirements and the technology stack that you choose.

Related

How much Out of Box Broadleaf is secured?

I am evaluating Broadleaf Commerce.
Currently I am having one concern. If I install Out-Of-Box Broadleaf Commerce how secure is it? What are existing vulnerabilities that I need to see while using out of box?
I went through the documentation. It was mentioned that SQL Injection and XSS have been taken care of, but I am not sure to what extent that has been taken care of.
I am new to eCommerce and security so am unable to evaluate this parameter.
From the official Broadleaf forum:
Broadleaf Commerce uses an extendible ORM strategy based on JPA (and specifically Hibernate behind the scenes). If you drill down even further, we are entirely using prepared statements and we do not dynamically build queries at all using user input. This deals with the SQL injection issue.
As for XSS, we utilize Spring MVC as our de-facto engine for the presentation layer and even provide some out-of-the-box controllers to speed development in this area. Spring MVC has great support for protection against XSS through html escape sequences via simple configuration. This blog talks about it a bit more: http://sanjaysinghloha.blogspot.com/200 ... ng_05.html. Having said that, as an e-commerce framework, Broadleaf Commerce does not force you to use Spring MVC to create a site. Any modern Java-based MVC framework should work fine with Broadleaf Commerce, but care should be taken with any MVC framework choice to account for XSS protection.
One of our partners has built their entire e-commerce site on Broadleaf Commerce using Spring MVC and Spring Security and has utilized S3 Security (http://www.s3security.com) to perform their extensive penetration testing as part of their successful PCI certification. S3 uses several tools, one of which is Retina Scanner.
No vulnerabilities have been discovered so far.
IMHO, from a penetration tester's view, it seems pretty safe and developed with security in mind, but still this doesn't mean it's invulnerable. By implementing a WAF such as mod_security and being aware of the updates you will be good to go.

"Spring Security" and "Java Authentication and Authorization Service(jaas)"

I'm so new to Spring and Spring Security. We have an extended Java application (not a web application) and are trying to use Spring as a framework.
I've read a little about jaas and have made a simple jaas security framework for my application (not a perfect one).
Now, as we want to migrate to the Spring framework, I have some questions:
Is "Spring Security" based on "jaas", or can it use jaas as an optional provider which can be replaced by something entirely different?
Does "Spring Security" have the ability to manage multiple parallel users in a single application? (particularly for authorization)
I've found that you have to do lots of work to convert the basic jaas API into a useful API (using a DB, user/group management classes, ...). What about "Spring Security"? (It seems that in the jaas provider we have a lot of useful implementations.)
Do you know any sample code using "Spring Security" for a Swing application?
thanks a lot for your time
Spring Security is not based on JAAS. Indeed, it can use JAAS as an optional provider.
Yes, it does. I'm not sure I fully understand your question, as if it couldn't, it would be pointless.
Building a JAAS provider is indeed a lot of work. Developing a Spring Security authentication provider is much, much simpler.
You'll find a good sample here
Spring Security integrates quite nicely with JAAS .
Parallel users are all individually managed, both in terms of authentication as well as authorization, and includes a variety of constructs to configure authorization, from taglibs to pointcuts and annotations.
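The answers above say that writing a Spring Security AuthenticationProvider is far simpler than writing a JAAS LoginModule, and that parallel users are managed individually. The following is an added example, not code from this thread or from the Spring project: a complete provider backed by an in-memory map (a stand-in for a DB lookup), wired into a ProviderManager and exercised for one good and one bad login. It assumes Spring Security 5.x on Java 11+; the class name, the account data and the passwords are constructed.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Custom provider: username -> {bcrypt hash, role}. Replace the map with a DAO in real code. */
public class MapBackedAuthenticationProvider implements AuthenticationProvider {

    private final Map<String, String[]> accounts;   // constructed sample data
    private final PasswordEncoder encoder;
    private final String dummyHash;                 // used so unknown users cost the same time

    public MapBackedAuthenticationProvider(Map<String, String[]> accounts, PasswordEncoder encoder) {
        this.accounts = accounts;
        this.encoder = encoder;
        this.dummyHash = encoder.encode("dummy-never-matches");
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        String username = request.getName();
        String presented = String.valueOf(request.getCredentials());
        String[] account = accounts.get(username);

        // Always run the (slow) hash comparison and always throw the same exception,
        // so neither the timing nor the message reveals whether the username exists.
        String stored = account == null ? dummyHash : account[0];
        boolean matches = encoder.matches(presented, stored);
        if (account == null || !matches) {
            throw new BadCredentialsException("Bad credentials");
        }

        List<GrantedAuthority> authorities = List.of(new SimpleGrantedAuthority(account[1]));
        // Three-argument constructor marks the token authenticated; credentials are
        // dropped so the clear-text password does not live on in the token.
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        Map<String, String[]> accounts = Map.of(
                "alice", new String[] {encoder.encode("correct horse"), "ROLE_ADMIN"},
                "bob",   new String[] {encoder.encode("battery staple"), "ROLE_USER"});

        AuthenticationManager manager =
                new ProviderManager(List.of(new MapBackedAuthenticationProvider(accounts, encoder)));

        // Each call returns its own Authentication object, which is why two users on two
        // threads of the same desktop application do not interfere with each other.
        Authentication alice = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct horse"));
        System.out.println(alice.getName() + " authenticated with " + alice.getAuthorities());

        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("bob", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("bob rejected: " + e.getMessage());
        }
    }
}
```

In a Swing application the returned Authentication would be placed in the SecurityContextHolder of the thread doing the work (the default strategy is thread-local), which is the per-user isolation the second answer refers to.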

Scala web application security

What are good framework choices for web security in a Scala web application? We would like to try out Scala web development, but couldn't yet find good Scala web app security frameworks.
From the Java side I know at least Spring Security and Apache Shiro.
Do you have experience with Scala web app security frameworks or with Spring Security / Apache Shiro in a Scala context?
Lift has security baked in as described here by David Pollak, the author of Lift.
I used Spring Security in a small Scala web application. I created it as I started to learn Scala and I tried to use the complete Java stack: Spring MVC + Spring + Spring Security + Hibernate + BlazeDS (I also used Flex in this project for the frontend). Now I can tell that it was a really nice and positive experience. Generally the question is how well Scala integrates with Spring and Hibernate. I had to use #BeanProperty or #BeanInfo and Java collections in entities.
But I have not faced any real issues from the Spring Security side. It was working as expected. I can remember only one minor issue with Spring AOP: service classes were publishing their methods through BlazeDS to the Flex application. I also secured them with Spring Security's object ACLs (with <security:intercept-methods /> and <security:protect />). All this stuff, of course, is possible because of AOP magic. So I noticed this weird Spring AOP behavior: if your class implements some interfaces, then it will use JDK proxies to implement them and delegate all calls to the target, but if the class does not implement any interfaces, then it will use cglib to extend your class and delegate each method call. The problem is that my public service classes did not implement any interfaces, but AOP was not working properly. The reason is the ScalaObject interface that is implemented by all Scala classes. So I created new traits for all public services in order to solve this problem (I have not found any way to configure Spring AOP; it seems that this behavior is hardcoded).
So as you can see it's not a problem to use Spring Security with Scala. I believe that it should be even easier to use Apache Shiro because it claims to be completely container or environment independent (I heard that it's possible to use Spring Security outside Spring, but I also heard that it's pretty painful). Generally in Scala you can achieve everything you can in Java. The question is how pretty/idiomatic/pure/side-effect-free the resulting code would be.
By the way, there is a new project that integrates Lift with Apache Shiro: lift-shiro. Here you can also find a small blog post about it.
Hope this helps.
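The proxy distinction the answer above ran into (a JDK proxy can only implement interfaces, so a class with no interface falls back to cglib subclassing) is also the interface-wrapping idea that AOP-based authentication checks rely on. The following is an added example, not code from this thread or from Spring: a bare-JDK version of a "must be authenticated" interceptor built with java.lang.reflect.Proxy, so the mechanism can be seen without a container. OrderService, OrderServiceImpl and the CURRENT_USER holder are constructed stand-ins for a real service and a real security context.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

public class AuthenticatedProxyDemo {

    /** Service contract. A JDK proxy can only wrap interfaces, never a bare class. */
    public interface OrderService {
        String placeOrder(String sku);
    }

    /** Plain implementation with no security code of its own (constructed). */
    public static class OrderServiceImpl implements OrderService {
        @Override
        public String placeOrder(String sku) {
            return "order placed for " + sku;
        }
    }

    /** Hypothetical per-thread principal holder standing in for a real security context. */
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    /**
     * Wrap target so every interface method first checks that a principal is bound to the
     * calling thread. Methods declared on Object (toString, hashCode, ...) pass straight through.
     */
    static <T> T requireAuthenticated(T target, Class<T> iface) {
        InvocationHandler handler = (p, method, args) -> {
            if (method.getDeclaringClass() != Object.class && CURRENT_USER.get() == null) {
                throw new SecurityException("no authenticated user for " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // unwrap so callers see the service's own exception
            }
        };
        Object wrapped = Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, handler);
        return iface.cast(wrapped);
    }

    public static void main(String[] args) {
        OrderService service = requireAuthenticated(new OrderServiceImpl(), OrderService.class);

        try {
            service.placeOrder("SKU-1"); // no principal bound to this thread: rejected
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        CURRENT_USER.set("alice");
        try {
            System.out.println(service.placeOrder("SKU-1")); // allowed
        } finally {
            CURRENT_USER.remove(); // never leave a principal behind on a pooled thread
        }

        // The caller only ever sees the generated proxy class, not OrderServiceImpl.
        System.out.println("is JDK proxy: " + Proxy.isProxyClass(service.getClass()));
    }
}
```

Proxy.newProxyInstance has no way to wrap a class that implements no interface at all, which is exactly the case where Spring switches to cglib; a marker interface such as ScalaObject is enough to make it pick the JDK-proxy path instead, and then only methods declared on that interface are intercepted.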

How should I secure my webapp written using Wicket, Spring, and JPA?

So, I have a web-based application that is using the Wicket 1.4 framework, and it uses Spring beans, the Java Persistence API (JPA), and the OpenSessionInView pattern. I'm hoping to find a security model that is declarative, but doesn't require gobs of XML configuration -- I'd prefer annotations.
Here are the options so far:
Spring Security (guide) - looks complete, but every guide I find that combines it with Wicket still calls it Acegi Security, which makes me think it must be old.
Wicket-Auth-Roles (guide 1 and guide 2) - Most guides recommend mixing this with Spring Security, and I love the declarative style of #Authorize("ROLE1","ROLE2",etc). I'm concerned about having to extend AuthenticatedWebApplication, since I'm already extending org.apache.wicket.protocol.http.WebApplication, and Spring is already proxying that behind org.apache.wicket.spring.SpringWebApplicationFactory.
SWARM / WASP (guide) - This looks the newest (though the main contributor passed away years ago), but I hate all of the JAAS-styled text files that declare permissions for principals. I also don't like the idea of making an Action class for every single thing a user might want to do. Secure models also aren't immediately obvious to me. Plus, there isn't an Authn example.
Additionally, it looks like lots of folks recommend mixing the first and second options. I can't tell what the best practice is at all, though.
I don't know if you saw this blog post so I'm adding it here as reference and I'll just quote the end:
Update 2009/03/12: those interested in securing Wicket applications should also be aware that there is an alternative to Wicket-Security, called wicket-auth-roles. This thread will give you a good overview of the status of the two frameworks. Integrating wicket-auth-roles with Spring Security is covered here. One compelling feature of wicket-auth-roles is the ability to configure authorizations with Java annotations. I find it somehow more elegant than a centralized configuration file. There is an example here.
Based on the information above and the information you provided, and because I prefer annotations too, I'd go for Wicket-Auth-Roles with Spring Security (i.e. guide 2). Extending AuthenticatedWebApplication shouldn't be a problem as this class extends WebApplication. And pulling your application object out of the Spring context using SpringWebApplicationFactory should also just work.
And if your concerns are really big, this would be pretty easy and fast to confirm with a test IMO :)
We've been using Wicket-Security for years now and we have used it together with jaas files and with annotations. Defining jaas files is quite a hassle and maintaining them is near impossible...
With annotations one has to define actions and principals for every page. This is time-consuming; however, it does allow you to let the user define roles and authorizations dynamically. It is also possible to test all the principals using the WicketTester.
Each of the 3 packages has its (dis)advantages; it's a matter of taste and it also depends on the size of the application.
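The annotation-driven style the question and the accepted answer prefer (wicket-auth-roles) comes down to three pieces: an AuthenticatedWebApplication, an AuthenticatedWebSession that decides who the user is and which roles they hold, and @AuthorizeInstantiation on the protected pages. The following is an added example, not code from this thread or from the Wicket project. It assumes Wicket 1.4 with the wicket-auth-roles module (package names org.apache.wicket.authentication and org.apache.wicket.authorization.strategies.role as shipped in 1.4; later versions moved them under org.apache.wicket.authroles). ShopApplication, ShopSession, HomePage, AdminPage and the hard-coded credentials are constructed; the credential check is where a Spring Security AuthenticationManager would be called.

```java
// --- File: ShopApplication.java ---
import org.apache.wicket.Page;
import org.apache.wicket.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authentication.pages.SignInPage;
import org.apache.wicket.markup.html.WebPage;

/** Wires wicket-auth-roles: which session class holds the roles and where to send anonymous users. */
public class ShopApplication extends AuthenticatedWebApplication {
    @Override
    protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
        return ShopSession.class;
    }

    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        return SignInPage.class; // stock sign-in page shipped with wicket-auth-roles
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }
}

// --- File: ShopSession.java ---
import org.apache.wicket.Request;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authorization.strategies.role.Roles;

/** The one place that authenticates and that reports the current user's roles. */
public class ShopSession extends AuthenticatedWebSession {
    private Roles roles = new Roles();

    public ShopSession(Request request) {
        super(request);
    }

    @Override
    public boolean authenticate(String username, String password) {
        // Constructed stand-in: delegate to your Spring Security AuthenticationManager here
        // and map its granted authorities onto Wicket roles.
        boolean ok = "admin".equals(username) && "admin-pass".equals(password);
        roles = ok ? new Roles(new String[] {Roles.ADMIN, Roles.USER}) : new Roles();
        return ok;
    }

    @Override
    public Roles getRoles() {
        // Roles are only meaningful once signed in; an anonymous session has none.
        return isSignedIn() ? roles : null;
    }
}

// --- File: HomePage.java ---
import org.apache.wicket.markup.html.WebPage;

/** Public page, no annotation, reachable by anyone. */
public class HomePage extends WebPage {
}

// --- File: AdminPage.java ---
import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.markup.html.WebPage;

/**
 * Declarative check: Wicket refuses to even instantiate this page unless the session
 * carries ADMIN, and AuthenticatedWebApplication redirects the user to the sign-in page.
 * Unlike a URL-pattern filter, the rule travels with the page class itself.
 */
@AuthorizeInstantiation(Roles.ADMIN)
public class AdminPage extends WebPage {
}
```

Each page still needs its HomePage.html / AdminPage.html markup beside the class, and the check is on page instantiation, so a link to AdminPage rendered on another page is automatically hidden from users who lack the role; role checks on individual components use @AuthorizeAction from the same package.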

Security and Policy Injection Application Block

I have a mixed UI (Win App, WPF App, and soon an ASP.NET MVC App) setup, so far I'm using Client Application Services for security. I know how to programmatically get a user authenticated and doing so is working beautifully. However...
I want to implement some cross-cutting that basically checks to see if the user is authenticated all the time. Since everything will be accessing web services I want to enable this as a standard execution for pretty much everything the UI does. So far I'm thinking the PIAB - Policy Injection Application Block - will serve that function. What I'm wondering is two things:
1. Will the PIAB cover that needed functionality? Verifying authentication at every practical step if used against the UI?
...and...
2. Are there alternatives out there besides the PIAB? I'm curious to do a comparison of aspect-oriented policy injection frameworks.
I'm not really familiar with Client Application Services, but from my experience most AOP frameworks wrap interfaces in order to implement the cross-cutting functionality. If CAS uses interfaces, you could probably just wrap them with whatever functionality you require.
Alternative AOP frameworks:
Spring.NET
Castle Dynamic Proxy
Spring.NET and Dynamic Proxy seem to work in much the same way and have much the same performance in my Hello World type tests (about half-way between direct calls and invoking through reflection). PIAB is significantly slower than both these frameworks and I found it a bit more verbose. It does have the ability to be configurable via XML and I'm not sure if that's a good thing or not. Not sure if the other frameworks provide that. It does of course have the MS stamp of approval though :P.
