Maturing your security with Seam. Dan Allen Senior Software Engineer JBoss, a division of Red Hat

Transcription

1 Maturing your security with Seam Dan Allen Senior Software Engineer JBoss, a division of Red Hat

2 Who am I? Author of Seam in Action Member of Seam project JSF user from the trenches Linux, Java and Open Source advocate

3 Outline Why JAAS left us hanging Security principles Authentication in 3 steps Declarative authentication Open ID: delegation of trust Four styles of authorization Permissions: targets and actions

4 Seam security assumptions You are looking for a better security solution You are using Seam, JSF or both You'll want to use Seam after this talk ;) Contrary to popular belief... Seam is not invasive or heavyweight Seam works on any major application server or servlet container

5 JAAS, a surviving remnant of J2EE Entirely too complicated to setup Too container dependent Obscure configuration formats Poorly documented (in terms of examples) Pluggable? At what cost? Let's get back to basics Borrow the APIs generic enough to reuse

6 The security needs of a developer It should be simple to setup It should be easy to manage The application should not outgrow it

7 Security principles Identity Who you are (security principal) Isolates you from the guests Accompanied by a set of grants (roles and groups) Authentication Proving that you are you Based on a secret you know Authorization Resource control based on credentials

8 Authentication in 3 steps Switch on authentication in Seam Specify an authentication method declaratively Create a JSF login form Captures the user's credentials Submit button kicks off authentication routine Write the authentication method Cross reference user's credentials against database Assign user a security principal and mark user as logged in

9 Step 0: No prerequisites Security is a core concern in Seam Includes built-in support for routing user to login page Ties into event system Customized using navigation rules Authentication already setup in seam-gen projects

10 Step 1: Switching on authentication Declare an authentication method in components.xml <security:identity authentication-method="#{authenticator.authenticate}"/> Authentication method requirements: No arguments Return boolean indicating if credentials are valid Must be accessible via the EL Otherwise, the method can: Have any name Reside on any class (doesn't have to implement any special interfaces) Called behind the scenes by JAAS

11 Step 2: Create a JSF login form Native JSF support! No more j_username, j_password, and /j_security_check Can be used for eager or lazy authentication Bind credentials to built-in identity component <h:form id="login"> <h:panelgrid columns="2"> <h:outputlabel for="username">username</h:outputlabel> <h:inputtext id="username" value="#{identity.username}"/> <h:outputlabel for="password">password</h:outputlabel> <h:inputsecret id="password" value="#{identity.password}"/> </h:panelgrid> <div> <h:commandbutton value="login" action="#{identity.login}"/> </div> </h:form>

12 Step 3: Write an authentication method Adapts to any authentication backend The only catch is that you have to do the delegation Start with a simple strategy on Day 1 Basic procedure Identity component delivers credentials to be validated You validate credentials (username and password) and grant public class Authenticator protected Identity identity; public boolean authenticate() { out.println("login attempt by " + identity.getusername()); identity.addrole("admin"); return true; } }

13 Data-driven authentication method Query database using JPA public class Authenticator protected Identity protected EntityManager em; public boolean authenticate() { try { User user = (User) em.createquery("select u from User u " + "where u.username = #{identity.username}").getsingleresult(); if (user.getpassword().equals(identity.getpassword())) { identity.addrole("member"); return true; } } catch (NoResultException) {} return false; } }

14 Authentication Demo

15 Turning authentication over to Seam Identity management framework Annotation-based Pluggable identity store (JPA and LDAP supported out of the box) Built-in CRUD operations for users and roles/groups Eliminates authentication method <security:identity/> The catch: some addition configuration is required

16 Identity configuration Select identity store implementation (JPA or LDAP) Identify User and Role classes <security:jpa-identity-store user-class="com.company.app.model.user" role-class="com.company.app.model.userrole"/> Annotate User and Role public class User public String getusername() {... = "MD5") public String getpasswordhash() {... public Set<UserRole> getroles() {... public class UserRole public String getname() {... } }

17 Delegating authentication to a third party Open ID Eliminates the need for multiple usernames across different websites Users gets to choose who to trust with their credentials You don t have the burden of maintaining authentication secrets Seam has a built-in openid component Negotiates with third party to assign user an identity principal Used in place of identity component on login page; no password! You may still want to create a local profile for the user Can redirect new user to registration page after login

18 Open ID login page User chooses provider Seam negotiates hand-off (using openid4java) <h:form id="login"> <h:outputlabel for="openid">open ID</h:outputLabel> <h:inputtext id="openid" value="#{openid.id}"/> <h:commandbutton value="login" action="#{openid.login}"/> </h:form> Returns to /openid.xhtml pseudo-view after login Using navigation rules, you can... Transfer Open ID account to user principal Route user to registration page

19 Authorization styles Binary Separates members from the guests Role-based Stereotypes users Rule-based Declarative and contextual rules Access Control Lists (ACLs) Typically stored in database

20 Binary authorization Often first requirement Requires user to have an identity Identity component reports logged in state Java if (identity.isloggedin()) {... } Seam page descriptor <page view-id="/membersonly.xhtml" login-required="true">... </page> EL <h:panelgroup rendered="#{identity.loggedin}"> Rate this post... </h:panelgroup>

21 Role-based authorization Coarse-grained security Good for sectioning off areas of application Roles are assigned during authentication identity.addrole("role name") for custom mapping when using identity store Seam doesn't dictate a naming convention for roles Java if (identity.hasrole("admin")) {... } JBoss EL <s:link view="/admin/home.xhtml" rendered="#{identity.hasrole("admin")}" value="admin Area"/>

22 Declarative restrictions Mark resource as secured Classes and annotation JSF views (i.e., pages) <restrict> element If no criteria specified, permission implied Permission has 2 parts Target object or view ID Action method or life cycle phase Can override with a specific <restrict>#{identity.hasrole("admin")}</restrict>

23 Resolving a permission Permission(target, action) User identity Permission resolver chain Persistence permission resolver Rule-based permission resolver Grant?

24 Rule-based security Rules are the raison d'être of security You cannot enter the room with key You cannot buy alcohol unless you are 21 You cannot fly if you have illegal weapons or 4 oz of shampoo You cannot cash check unless it s endorsed Unique aspect of Seam security Based on Drools Expressive Hot swappable (if configured correctly) Can eliminate a lot of spaghetti business logic

25 Drools crash course Implementation of Rete algorithm Efficient pattern matching Anatomy of a rule Left-hand side (LHS) Facts which must prove true Right-hand side (RHS) Action to take if they do Expressed using a Drools rule language DRL Drools Rule Language DSL Human readable rule XML Legacy format; primarily for exchange Rules executed against objects in working memory Rules fire continuously until no new facts are matched

26 Example Drools rule Only admins can modify private or resort facilities rule ModifyPrivateFacility no-loop when $perm: PermissionCheck(name == "facilityhome", action in ("update", "remove"), granted == false) Role(name == "admin") Facility(type == "PRIVATE" == "RESORT") then $perm.grant(); end LHS public class Facility implements public void public void preremove() {} }

27 Rule-based Security Demo

28 Access control lists (ACLs) Permission with a specific target Granted to a user or a role/group Can be managed by the application Typically stored in a database

29 Managing permissions in Seam Includes a framework to manage Permission objects A Permission object represents A target An action A recipient (java.security.principal) Built-in permissionmanager component List Grant Revoke Very easy to integrate into application

30 Permission Management Demo

31 Summary Seam security is easy to adopt Configuration is kept to a minimum Built-in security components Often eliminates need to write any code at all Makes management of users and permissions easy Lots of options for authorization The security model matures with your application

32 Questions?

33 Resources Seam in Action, Manning Chapter 11: Securing Seam Applications In Relation To... Blog Seam, Hibernate, Web Beans, JBoss Tools, RichFaces Seam community forums & wiki Seam issue tracker