
Security in Java Enterprise Edition (EE)

Anil Saldhana, Red Hat Inc.


Anil.Saldhana@redhat.com http://anil-identity.blogspot.com

Java Enterprise (architecture diagram): Browser -> Web Server or Java EE Application Server -> Java EE Application Server -> Database / Messaging / LDAP, with a Legacy Infrastructure tier alongside the application servers.

Java EE Security

Underspecified. Containers perform two sequential steps:

1. Establish the Principal (authentication)
2. Determine the Principal's roles and enforce the declared constraints (authorization)

RBAC-based, coarse-grained access control.

Roles shield web resources, EJB methods and message destinations.

Security is an aspect external to the application: it is declared in deployment descriptors and enforced by the container, not coded into the application.

Java EE Containers Authentication (diagram): the container asks WHO ARE YOU?; the caller presents a username, a SAML2 assertion, WS-Trust claims or a Kerberos principal; once the credential is verified (I KNOW YOU!) the container holds a Java Principal inside a Java Subject.

Java EE Containers Authorization (diagram): given the Java Principal, the container asks WHAT ROLES DO YOU HAVE?, evaluates the Java EE policies, and on a matching role grants access to the resource (GO AHEAD!).

AUTHENTICATION TYPES

BASIC AUTHENTICATION - the browser sends the username and password in the Authorization header (Base64-encoded, not encrypted, so confidentiality depends on TLS)

FORM BASED AUTHENTICATION - an HTML form posts the credentials to j_security_check (fields j_username and j_password); again only as safe as the transport carrying the form

SSL AUTHENTICATION - the client is authenticated by its X.509 certificate during the TLS handshake (auth-method CLIENT-CERT)

Important terms in Java EE security: Realm, Groups, Users, Principal, Role. The application server provides the facility to create realms, users and groups.

In BASIC AUTHENTICATION and FORM-BASED AUTHENTICATION

Roles are declared in web.xml (security-role) and mapped to realm groups or users in the container-specific descriptor, e.g. sun-web.xml (security-role-mapping with role-name, group-name or principal-name).
The resources to be protected are listed in web.xml as security-constraint entries naming url-patterns, optionally http-methods, and the roles allowed (auth-constraint).
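To make the two sequential steps and the web.xml / sun-web.xml split concrete, the following Python model of what the container does per request is an added example, not code from the slides or from GlassFish. It parses a constructed web.xml and sun-web.xml fragment, establishes the Principal from a BASIC Authorization header against a constructed file realm, maps groups to roles, and enforces the best-matching security-constraint using the Servlet url-pattern rules. The user names, passwords, groups and XML fragments are assumptions made up for the demo.

```python
"""Model of the two sequential steps a Java EE web container performs on each
request: (1) establish the Principal from the credential, (2) map the
Principal's groups to application roles and enforce the web.xml
security-constraints. Added example, not code from the slides. The web.xml and
sun-web.xml fragments, the file realm and the users are constructed for the
demo; url-pattern matching follows the Servlet specification rules."""
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed web.xml: only GET on /admin/* is covered (a deliberate pitfall).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <security-constraint>
  <web-resource-collection><web-resource-name>admin</web-resource-name>
   <url-pattern>/admin/*</url-pattern><http-method>GET</http-method></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>reports</web-resource-name>
   <url-pattern>*.jsp</url-pattern></web-resource-collection>
  <auth-constraint><role-name>employee</role-name></auth-constraint>
 </security-constraint>
 <security-role><role-name>manager</role-name></security-role>
 <security-role><role-name>employee</role-name></security-role>
</web-app>"""
# Constructed sun-web.xml: application roles -> realm groups.
SUN_WEB_XML = """<sun-web-app>
 <security-role-mapping><role-name>manager</role-name><group-name>managers</group-name></security-role-mapping>
 <security-role-mapping><role-name>employee</role-name><group-name>staff</group-name>
  <group-name>managers</group-name></security-role-mapping>
</sun-web-app>"""
# Constructed file realm: user -> (password, groups). A real realm stores hashes.
REALM = {"alice": ("alice-pw", {"managers", "staff"}), "bob": ("bob-pw", {"staff"})}


def _find(el, name):
    """Descendants of el whose local tag name is `name` (ignores the xmlns)."""
    return [c for c in el.iter() if c.tag.rsplit("}", 1)[-1] == name]


def parse_constraints(web_xml):
    """-> [(url_patterns, http_methods, roles)]. roles is None when there is no
    <auth-constraint> (unrestricted) and an empty set when it is present but
    empty (nobody is allowed)."""
    out = []
    for sc in _find(ET.fromstring(web_xml), "security-constraint"):
        patterns = [p.text.strip() for p in _find(sc, "url-pattern")]
        methods = {m.text.strip().upper() for m in _find(sc, "http-method")}
        auth = _find(sc, "auth-constraint")
        roles = {r.text.strip() for r in _find(auth[0], "role-name")} if auth else None
        out.append((patterns, methods, roles))
    return out


def parse_role_mapping(sun_web_xml):
    """-> {role: set of group names} from <security-role-mapping> entries."""
    mapping = {}
    for m in _find(ET.fromstring(sun_web_xml), "security-role-mapping"):
        role = _find(m, "role-name")[0].text.strip()
        mapping.setdefault(role, set()).update(g.text.strip() for g in _find(m, "group-name"))
    return mapping


def _rank(pattern, path):
    """Servlet url-pattern match rank (higher wins) or None:
    exact > longest path prefix (/x/*) > extension (*.jsp) > default (/)."""
    if pattern == path:
        return (4, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (3, len(prefix))
    elif pattern.startswith("*."):
        last = path.rsplit("/", 1)[-1]
        if "." in last and last.rsplit(".", 1)[-1] == pattern[2:]:
            return (2, 0)
    elif pattern == "/":
        return (1, 0)
    return None


def authenticate(realm, authorization):
    """Step 1: 'Authorization: Basic <b64>' -> (principal, groups), or None when
    the header is absent, malformed, or the password does not match."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(authorization[6:], validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    entry = realm.get(user)
    if entry is None or entry[0] != pw:  # a real realm compares password hashes
        return None
    return user, entry[1]


def decide(constraints, mapping, realm, method, path, authorization=None):
    """Step 2: select the best-matching constraints and enforce them.
    Returns an HTTP status: 200 permit, 401 authentication needed, 403 forbidden."""
    best, applicable = None, []
    for patterns, methods, roles in constraints:
        for p in patterns:
            rank = _rank(p, path)
            if rank is None:
                continue
            if best is None or rank > best:
                best, applicable = rank, []
            if rank == best:
                applicable.append((methods, roles))
    # A constraint listing <http-method>s covers only those; other methods are
    # "uncovered" and fall through to permit. Servlet 3.1 added
    # <deny-uncovered-http-methods/> to close exactly this hole.
    applicable = [(m, r) for m, r in applicable if not m or method.upper() in m]
    if not applicable or any(r is None for _, r in applicable):
        return 200  # nothing matched, or a constraint without <auth-constraint>
    required = set().union(*(r for _, r in applicable))
    if not required:
        return 403  # empty <auth-constraint/>: nobody gets in
    principal = authenticate(realm, authorization)
    if principal is None:
        return 401  # container challenges with WWW-Authenticate: Basic
    roles = {role for role, groups in mapping.items() if groups & principal[1]}
    return 200 if roles & required else 403


def basic(user, pw):
    """Header a browser sends for BASIC authentication (demo helper)."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


if __name__ == "__main__":
    C, M = parse_constraints(WEB_XML), parse_role_mapping(SUN_WEB_XML)
    for req in [("GET", "/admin/users", None), ("GET", "/admin/users", basic("bob", "bob-pw")),
                ("GET", "/admin/users", basic("alice", "alice-pw")), ("POST", "/admin/users", None)]:
        print(req[0], req[1], "->", decide(C, M, REALM, *req))
```

Running the demo shows the point of the last request: because the admin constraint names only GET, a POST to /admin/users is uncovered and permitted without any credential, while GET is challenged (401) and bob, who is staff but not a manager, is refused (403). Constraints without an http-method list, like the *.jsp one, cover every method.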

SSL AUTHENTICATION
The server is authenticated by the client using a digital certificate certified by a certification authority. The first step is to generate a digital certificate backed by a public/private key pair. (The steps below produce a self-signed certificate, which is why the client must be told explicitly to trust it.)

STEPS TO GENERATE A CERTIFICATE (with reference to glassfish-v2)

1. Go to the config folder and copy the existing keystore under another name:
   cp keystore.jks keystore-backup.jks
2. Remove the default key (alias s1as) from the keystore:
   keytool -delete -alias s1as -keystore keystore.jks
   This prompts for a password; the default keystore password is changeit.
3. Generate a key pair in the keystore:
   a) keytool -genkey -keyalg RSA -keysize 1024 -alias s1as -keystore keystore.jks -validity 365
      (1024-bit RSA reflects the GlassFish v2 era; use 2048 bits or more today)
   b) Enter the password
4. Enter the requested details: name, city, company etc.
5. Export the (self-signed) certificate to a file:
   keytool -export -alias s1as -file serverb-cert.cer -keystore keystore.jks
6. Import the certificate into the trusted keystore cacerts.jks:
   keytool -import -alias serverb.mycompany.com -file serverb-cert.cer -keystore cacerts.jks

Browse your resource using https

e.g. https://localhost:8181/ConverterApp
The browser shows the certificate presented by the server, which the client can accept or reject. Because the certificate is self-signed, the browser warns until the certificate (or its issuer) is added to the client's trust store; the host name in the certificate must also match the one in the URL.
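The same procedure as a non-interactive Python script, plus the client side of the https check, follows as an added example (not code from the slides). It assumes a current JDK keytool on PATH (for -genkeypair, -ext and -rfc), that the keystore password is passed in as a parameter rather than typed at a prompt, and that the config path, host name and distinguished name are illustrative. It departs from the slide deliberately in two places: 2048-bit RSA instead of 1024, and a subject alternative name for the host so a client can validate the certificate instead of merely accepting it.

```python
"""Non-interactive version of the GlassFish keystore procedure above, plus the
client side of the https check. Added example, not code from the slides.
Assumes a current JDK keytool on PATH; paths, host name, DN and passwords are
illustrative (pass real ones in from the environment)."""
import shutil
import socket
import ssl
import subprocess
from pathlib import Path


def keytool_plan(config_dir, host, alias="s1as", storepass="changeit",
                 keystore="keystore.jks", truststore="cacerts.jks", days=365):
    """Return the keytool argv lists for steps 2-6 of the slide, in order.
    Deliberate departures from the slide: 2048-bit RSA instead of 1024, a SAN
    for the host name so clients can validate the certificate, -dname and
    -storepass so no prompts appear, -rfc so the export is PEM (loadable by
    Python's ssl module), -noprompt on import, and a final -list as a check."""
    cfg = Path(config_dir)
    ks, ts, cert = str(cfg / keystore), str(cfg / truststore), str(cfg / f"{host}-cert.pem")
    return [
        ["keytool", "-delete", "-alias", alias, "-keystore", ks, "-storepass", storepass],
        ["keytool", "-genkeypair", "-keyalg", "RSA", "-keysize", "2048", "-alias", alias,
         "-keystore", ks, "-storepass", storepass, "-keypass", storepass,
         "-validity", str(days), "-dname", f"CN={host},O=MyCompany,L=City,C=US",
         "-ext", f"SAN=dns:{host}"],
        ["keytool", "-exportcert", "-rfc", "-alias", alias, "-file", cert,
         "-keystore", ks, "-storepass", storepass],
        ["keytool", "-importcert", "-noprompt", "-alias", host, "-file", cert,
         "-keystore", ts, "-storepass", storepass],
        ["keytool", "-list", "-alias", alias, "-keystore", ks, "-storepass", storepass],
    ]


def provision(config_dir, host, **kw):
    """Step 1 (back up the keystore), then run the plan. subprocess raises on
    the first non-zero exit, e.g. when the alias to delete is not present,
    so a half-applied keystore is noticed rather than silently left behind."""
    ks = Path(config_dir) / kw.get("keystore", "keystore.jks")
    shutil.copy2(ks, ks.with_name(ks.stem + "-backup" + ks.suffix))
    for argv in keytool_plan(config_dir, host, **kw):
        subprocess.run(argv, check=True)
    return str(Path(config_dir) / f"{host}-cert.pem")


def check_https(host, port, cafile):
    """The 'browse with https' step done properly: instead of accepting whatever
    certificate the server shows, trust exactly the exported PEM and verify the
    host name against it; raises ssl.SSLCertVerificationError otherwise."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Illustrative paths; the GlassFish domain config directory is an assumption.
    pem = provision("/opt/glassfish/domains/domain1/config", "serverb.mycompany.com")
    print(check_https("serverb.mycompany.com", 8181, pem)["subject"])
```

keytool_plan only builds the commands, so the sequence can be reviewed (or diffed against what was actually run) before provision executes it. The exported PEM doubles as the client's trust anchor in check_https; if the server presents any other certificate, or one whose SAN does not cover the host name, the connection fails instead of prompting the user to click through.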
