Maturing your application's security with Seam Security
Dan Allen
Senior Software Engineer, JBoss, by Red Hat
Seam Security | Dan Allen
Who am I?
● Author of Seam in Action, Manning 2008
● Seam and Weld project member
● JSR-314 (JSF 2.0) EG member
● JSF user from the trenches
Objective
To discover the wide array of options for securing your application with Seam Security
Agenda
● Security principles
● Authentication (in 3 steps)
● Identity management
● Open ID
● Authorization
● Permission management
Security needs
● It should be easy to setup
● It should be easy to manage
● The application should not outgrow it
JAAS
● A surviving remnant of J2EE
● Obscure and complex configuration
● Too container dependent
● Poorly documented
● Pluggable? At what cost?
Let’s get back to basics
Security principles
● Identity
  ● Principal: who you are
  ● Grants: roles and groups
● Authentication
  ● Proving you are who you claim to be
  ● Relies on your secret
● Authorization
  ● Who shall pass
  ● Resource control
Authentication
Authentication with Seam in 3 steps
1) Declare an authentication method
2) Create a JSF login form
3) Write the authentication method
Step 0: No prerequisites
● Security is a core concern in Seam
● Authentication
  ● Preemptive: Login API
  ● Lazy: built-in redirection to and from the login page
● Authorization
● Identity and permission management
● Out of the box security setup in seam-gen projects
Authentication
Demo: Security setup in seam-gen
Step 1: Declare an authentication method
● Method requirements
  ● No arguments
  ● Returns a boolean: true if the credentials are valid, false otherwise
  ● Must be accessible via the EL
● No special interfaces!
● Declared in the Seam component descriptor (components.xml)

    <security:identity authentication-method="#{authenticator.authenticate}"/>
Step 2: Create a JSF login form
● Native JSF login form
  ● Bind credentials to inputs
  ● Wire the form action to the identity component's login method
● Built-in "remember me" support

    <h:form id="login">
        <h:panelGrid columns="2">
            <h:outputLabel for="username">Username</h:outputLabel>
            <h:inputText id="username" value="#{credentials.username}"/>
            <h:outputLabel for="password">Password</h:outputLabel>
            <h:inputSecret id="password" value="#{credentials.password}"/>
            <h:selectBooleanCheckbox id="rememberMe" value="#{rememberMe.enabled}"/>
        </h:panelGrid>
        <div><h:commandButton value="Login" action="#{identity.login}"/></div>
    </h:form>
Step 3: Write the authentication method
● Basic procedure:
  ● Credentials captured from the login form are injected
  ● Application validates the credentials
  ● Grant roles using the identity component

    import javax.persistence.EntityManager;
    import javax.persistence.NoResultException;
    import org.jboss.seam.annotations.In;
    import org.jboss.seam.annotations.Name;
    import org.jboss.seam.security.Credentials;
    import org.jboss.seam.security.Identity;

    @Name("authenticator")
    public class Authenticator {
        @In Identity identity;
        @In Credentials credentials;
        @In EntityManager entityManager;

        public boolean authenticate() {
            User u;
            try {
                // query elided on the slide; it looks the user up by credentials.getUsername()
                u = (User) entityManager.createQuery("...").getSingleResult();
            } catch (NoResultException e) {
                return false; // unknown user: fail closed instead of propagating the exception
            }
            // plaintext comparison as on the slide; the identity store (next slide) compares hashes
            if (u.getPassword().equals(credentials.getPassword())) {
                identity.addRole("member");
                return true;
            }
            return false;
        }
    }
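The three steps above wire a login form to a single method, so that method is where password handling quality is decided. The following is an added example, not code from the slides or from Seam itself: the same Authenticator component, rewritten the way a reviewer would want it before it reaches production. It assumes a hypothetical UserAccount entity with getUsername(), getPasswordHash() and getSalt() (hex strings) and getRoles() returning UserRole objects with getName(); the Seam types (Identity, Credentials, @Name, @In) and the JPA calls are real, everything else is illustrative.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

/**
 * Hardened variant of the slide's Authenticator (added example).
 * Assumes a hypothetical UserAccount entity: getUsername(), getPasswordHash(),
 * getSalt() (both hex strings) and getRoles() -> UserRole objects with getName().
 */
@Name("authenticator")
public class Authenticator {
    private static final int ITERATIONS = 20000;      // PBKDF2 work factor; raise as hardware allows
    private static final int KEY_BITS = 256;
    private static final byte[] DUMMY_SALT = new byte[16];
    private static final SecureRandom RNG = new SecureRandom();

    @In Identity identity;
    @In Credentials credentials;
    @In EntityManager entityManager;

    public boolean authenticate() {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        if (username == null || password == null) {
            return false;
        }
        UserAccount account;
        try {
            account = (UserAccount) entityManager
                .createQuery("select u from UserAccount u where u.username = :name")
                .setParameter("name", username)          // bound parameter, never concatenated
                .getSingleResult();
        } catch (NoResultException e) {
            // Unknown user: do the same amount of work so response time does not
            // reveal which usernames exist, then fail closed.
            hash(password, DUMMY_SALT);
            return false;
        }
        byte[] expected = fromHex(account.getPasswordHash());
        byte[] actual = hash(password, fromHex(account.getSalt()));
        // MessageDigest.isEqual compares in constant time; String.equals leaks via timing
        if (!MessageDigest.isEqual(expected, actual)) {
            return false;
        }
        // Roles come from the store, not from a hard-coded string
        for (UserRole role : account.getRoles()) {
            identity.addRole(role.getName());
        }
        return true;
    }

    /** Salt and hash a new password; returns {saltHex, hashHex} for storage at registration. */
    public static String[] newCredential(String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new String[] { toHex(salt), toHex(hash(password, salt)) };
    }

    static byte[] hash(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Three things differ from the slide's version: the lookup is a bound-parameter query instead of a string, the comparison is a constant-time check of a salted PBKDF2 hash rather than String.equals on a stored plaintext, and the unknown-user path still performs a hash so a caller cannot enumerate usernames by timing. newCredential() is what a registration action would call to produce the salt and hash the entity stores.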
Authentication
Identity management
Turning authentication over to Seam
● Pluggable identity store (JPA and LDAP)
● Annotation-based identity mapping
● Classes designated on the identity component
● The hash attribute below is MD5 as shown on the slide; treat it as a placeholder and use the strongest salted hash your Seam version's identity store supports, since unsalted MD5 gives little protection if the user table leaks

    public @Entity class UserAccount {
        public @UserPrincipal String getUsername() { ... }
        public @UserPassword(hash = "MD5") String getPasswordHash() { ... }
        public @UserRoles @ManyToMany Set<UserRole> getRoles() { ... }
    }

    public @Entity class UserRole {
        public @RoleName String getName() { ... }
    }

    <security:jpa-identity-store user-class="com.company.app.model.UserAccount"
                                 role-class="com.company.app.model.UserRole"/>
API for managing identities
● UserSearch
  ● Populates the data model of users and handles user selection
● UserAction
  ● Manages the conversation for adding or modifying the selected user
● RoleSearch
  ● Populates the data model of roles and handles role selection
● RoleAction
  ● Manages the conversation for adding or modifying the selected role
Authentication
Demo: Identity management
Authentication
Open ID
Delegating authentication to a third party
● Open ID
  ● Eliminates the need for multiple usernames across sites
  ● Users get to choose who to trust with their credentials
  ● You don't have to maintain authentication secrets
● Seam has a built-in openid component
  ● Negotiates with the third party to assign the user an identity principal
  ● Used in place of the identity component on the login page
● You may still want to create a local profile for the user
  ● Redirect new users to a registration page after their first login
Authentication
Demo: Open ID
Open ID setup
● Add a phase listener (in faces-config.xml) for handling the callback from the provider
● Add the Open ID libraries and their dependencies to the classpath
● Create the login page and configure navigation rules

    <phase-listener>org.jboss.seam.security.openid.OpenIdPhaseListener</phase-listener>
Open ID login page
● User chooses a provider (AOL, Blogger, Yahoo, etc.)
● Seam negotiates the hand-off (using openid4java)
● User is returned to the /openid.xhtml pseudo-view after login
● Navigation rules direct the user
  ● Transfer the Open ID account to the principal
  ● Direct the user to the registration page
● Access the verified Open ID using #{openid.validatedId}; use it, not the raw #{openid.id} the user typed into the form, when looking up or creating the local account

    <h:form id="login">
        <h:outputLabel for="openid">Open ID</h:outputLabel>
        <h:inputText id="openid" value="#{openid.id}"/>
        <h:commandButton value="Login" action="#{openid.login}"/>
    </h:form>
Open ID identity transfer
Authorization
Authorization styles
● Binary
  ● Separates members from guests
● Role-based
  ● Stereotypes users
  ● Enforces privilege levels
● Rule-based
  ● Declarative and contextual
● Access control lists (ACLs)
  ● Protect object instances
  ● Stored in a data source
Binary authorization
● First line of defense
● Requires the user to have an identity
● The identity component tracks the "logged in" state

    Java:
    if (identity.isLoggedIn()) {
        ...
    }

    EL:
    <h:panelGroup rendered="#{identity.loggedIn}">
        Rate this post...
    </h:panelGroup>

    Seam page descriptor:
    <page view-id="/membersOnly.xhtml" login-required="true">
        ...
    </page>
Role-based authorization
● Coarse-grained security
  ● Primarily for partitioning the application
● Roles assigned during authentication
  ● identity.addRole()
  ● @Roles
● Seam doesn't dictate a naming convention

    Java:
    if (identity.hasRole("admin")) {
        ...
    }

    JBoss EL (method calls with arguments need the JBoss EL extension; the string argument uses single quotes so it nests inside the attribute's double quotes):
    <s:link view="/admin/home.xhtml" rendered="#{identity.hasRole('admin')}" value="Admin Area"/>
Declarative restrictions
● JSF views
● Classes and methods
● Permission implied if no criteria are given
  ● Target: object instance or view ID
  ● Action: method name or JSF life cycle phase

    Seam page descriptor:
    <restrict>#{identity.hasRole('admin')}</restrict>
    <page login-required="true"/>

    EL:
    <h:panelGroup rendered="#{identity.loggedIn}">
        Rate this post...
    </h:panelGroup>

    Java (no expression, so the component name is the target and the method name is the action):
    public @Restrict void uploadDesign() { ... }
Resolving a permission
(Diagram) A permission request, made up of a target and an action, together with the requesting user's identity (the recipient), is handed to the permission resolver chain. Each resolver in the chain, the persistence permission resolver and the rule-based permission resolver, is asked in turn whether to grant; the request is allowed if one of them grants it.
Rule-based security
● Based on Drools
● Major differentiator of Seam Security
● Rules are the raison d'être of security
  ● You cannot enter the room without a key
  ● You cannot buy alcohol unless you are 21
  ● You cannot fly if you have illegal weapons or 4 oz of shampoo
  ● You cannot cash a check unless it's endorsed
● Eliminates a lot of spaghetti business logic
  ● Declarative and expressive
  ● Hot swappable
Check your facts
● The working memory contains facts
  ● Facts are objects stored in a rules session
● You use facts to:
  ● make assertions
  ● perform operations when the rule is true
● Seam seeds the working memory for security rules with:
  ● PermissionCheck: the permission being requested
  ● Principal: the security principal holding the username
  ● Role: one or more roles assigned to the user
  ● The authenticated user account (identity management)
  ● An optional set of user-defined objects
Authorization
Permission management
Access Control Lists (ACLs)
● Permission with a specific target
● Granted to a user, role or group
● Managed by the application
  ● Typically persisted in a database
● Can be combined with rules
  ● Conditional roles
Managing permissions
● Permission
  ● target
  ● action
  ● recipient (security principal)
● Select a provider
● Manage
  ● Use the built-in permissionManager component
  ● Provides list, grant and revoke operations

    <security:jpa-permission-store user-permission-class="com.company.app.model.UserPermission"/>
Demo: Permissions
King for a thread
● Elevated privileges for a distinct operation
  ● Self-registration on a web site
● Alternatively, a rule could be written for this operation

    new RunAsOperation() {
        public void execute() {
            identityManager.createUser(username, password);
        }
    }.addRole("admin").run();
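The RunAsOperation fragment above and the permissionManager operations from the "Managing permissions" slide fit together in the self-registration case: the anonymous caller has no role, the identity store's user-creation call wants an admin, and the new user should end up owning an ACL entry on their own data. The following is an added example, not code from the slides or from the Seam project, showing that combination with the escalation kept as narrow as possible. It assumes a hypothetical UserProfile entity as the ACL target (the persistent permission store must be able to identify it, which Seam does for JPA entities), a "member" role, a "/registered.xhtml" outcome, and that the JPA identity and permission stores are configured as on the earlier slides; the Seam types (RunAsOperation, IdentityManager, PermissionManager, Permission, SimplePrincipal, Identity) are real.

```java
import java.security.Principal;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.RunAsOperation;
import org.jboss.seam.security.SimplePrincipal;
import org.jboss.seam.security.management.IdentityManager;
import org.jboss.seam.security.permission.Permission;
import org.jboss.seam.security.permission.PermissionManager;

/**
 * Self-registration with a scoped privilege escalation (added example).
 * Assumes a hypothetical UserProfile entity used as the ACL target and a
 * "member" role defined in the identity store.
 */
@Name("registration")
public class Registration {
    private static final String USERNAME_PATTERN = "[a-z0-9_]{3,32}";
    private static final int MIN_PASSWORD_LENGTH = 10;

    @In Identity identity;
    @In IdentityManager identityManager;
    @In PermissionManager permissionManager;

    // bound from the registration form
    private String username;
    private String password;

    public String register() {
        // RunAsOperation bypasses the store's admin check, so this validation is the
        // real gate: do it before escalating, outside the elevated block.
        if (!isAcceptable(username, password)) {
            return null;   // stay on the form
        }
        final String name = username;
        final String secret = password;
        final UserProfile profile = new UserProfile(name);   // hypothetical entity, persisted elsewhere
        final boolean[] created = new boolean[1];

        new RunAsOperation() {
            public void execute() {
                // Only these calls run with the admin role; the surrounding request does not.
                created[0] = identityManager.createUser(name, secret);   // stored per @UserPassword
                if (created[0]) {
                    identityManager.grantRole(name, "member");
                    // ACL entry: the new user may edit their own profile and nobody else's
                    Principal owner = new SimplePrincipal(name);
                    permissionManager.grantPermission(new Permission(profile, "edit", owner));
                }
            }
        }.addRole("admin").run();

        password = null;   // do not keep the secret in the conversation longer than needed
        return created[0] ? "/registered.xhtml" : null;
    }

    /** Later, on the profile page: the persisted ACL entry answers this check. */
    public boolean canEdit(UserProfile profile) {
        return identity.hasPermission(profile, "edit");
    }

    static boolean isAcceptable(String username, String password) {
        return username != null && username.matches(USERNAME_PATTERN)
            && password != null && password.length() >= MIN_PASSWORD_LENGTH
            && !password.equalsIgnoreCase(username);
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The point to check in review is the boundary of the escalation: everything that decides whether the registration is allowed happens before run(), and inside execute() only the calls that genuinely need the admin role are made. Granting a permission whose target is the profile instance, rather than a role, is what makes this an ACL in the slide's sense; a rule in the rule-based resolver could express the same "owner may edit" policy without a stored row, which is the trade-off the "Alternatively" bullet refers to.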
Seam security take away
● Easy to adopt
● <configuration> is kept to a minimum
● Provides built-in security components
  ● Declarative authentication
  ● Identity and permission management
● Has a myriad of authorization options
  ● Binary, role-based, rule-based and ACLs
  ● The combination of rules and ACLs is powerful
● A security model that matures with your application
Permission granted
Ask questions
Make comments
Try out Seam Security
Resources
● Seam in Action, Manning 2008
  ● Securing Seam Applications (Ch 11)
  ● http://manning.com/dallen
● Seam project and news
  ● http://seamframework.org
  ● http://in.relation.to
● ACL Security in Seam, DZone article
  ● http://java.dzone.com/articles/acl-security-in-seam
● Demo code
  ● http://tinyurl.com/seamsecuritydemos