server security
Post on 07-Apr-2018
TRANSCRIPT
-
8/3/2019 Server Security
1/15
Security in Java Enterprise Edition (EE)
Anil Saldhana
Red Hat Inc.
Anil.Saldhana@redhat.com
http://anil-identity.blogspot.com
-
2/15
Java Enterprise
[Architecture diagram: Browser; Web Server or Java EE Application Server; Java EE Application Server (several instances); Database/Messaging/LDAP; Legacy Infrastructure]
-
3/15
Java EE Security
Underspecified.
Containers perform 2 sequential steps:
1. Establish Principal (Authentication)
2. Determine Roles and undertake enforcement
RBAC-based coarse-grained access control.
Roles shield Web Resources, EJB Methods, Message Destinations.
Security is an aspect external to the app.
-
4/15
Java EE Containers Authentication
[Diagram: Java EE Container. "WHO ARE YOU?" / "I KNOW YOU!"]
Credentials presented: Username, SAML2 Assertions, WS-Trust Claims, Kerberos Principal
Result: Java Principal in Java Subject
-
5/15
Java EE Containers Authorization
[Diagram: Java EE Container. "WHAT ROLES DO YOU HAVE?" / "GO AHEAD!"]
Labels: Java Principal, Access, Java EE Policies
-
6/15
AUTHENTICATION TYPES
BASIC AUTHENTICATION - security credentials are required to authenticate
FORM BASED AUTHENTICATION - an HTML form providing security credentials
SSL AUTHENTICATION - authentication by certificates
-
7/15
Important Terms in Java EE Security
Realm
Groups
Users
Principal
Role
The application server will provide the facility to create realms, users and groups.
-
8/15
In BASIC AUTHENTICATION and
FORM-BASED AUTHENTICATION
Roles are created in the application context, like sun-web.xml, with predefined tags.
The resources required to be protected are listed in web.xml with role and group.
-
9/15
BASIC AUTHENTICATION
-
10/15
FORM BASED AUTHENTICATION
-
11/15
SSL AUTHENTICATION
-
12/15
SSL AUTHENTICATION
THE SERVER IS AUTHENTICATED BY THE CLIENT USING A DIGITAL CERTIFICATE CERTIFIED BY A CERTIFICATION AUTHORITY
FIRST STEP IS TO GENERATE A DIGITAL CERTIFICATE USING A PUBLIC KEY / PRIVATE KEY PAIR
-
13/15
STEPS TO GENERATE CERTIFICATE (with reference to glassfish-v2)
1. Visit the config folder and copy the existing keystore under another name:
   cp keystore.jks keystore-backup.jks
2. Remove the default key (s1as) from the keystore:
   keytool -delete -alias s1as -keystore keystore.jks
   This will prompt us for a password. The default password is the password of the keystore (changeit).
3. Generating a key pair in the keystore:
   a) keytool -genkey -keyalg RSA -keysize 1024 -alias s1as -keystore keystore.jks -validity 365
   b) Enter the password
-
14/15
Continued
4. Enter all the credentials required, like name, city, company etc.
5. Generate a certificate file:
   keytool -export -alias s1as -file serverb-cert.cer -keystore keystore.jks
6. Copy the file into the trusted keystore cacerts.jks:
   keytool -import -alias serverb.mycompany.com -file serverb-cert.cer -keystore cacerts.jks
-
15/15
Browse your resource using https
eg. https://localhost:8181/ConverterApp
This will show a certificate from the server which a client can reject or accept.