Welcome!

Cloud Security Authors: Pat Romanski, Elizabeth White, Liz McMillan, Yeshim Deniz, Ed Featherston

Related Topics: Java IoT, Cloud Security

Java IoT: Article

SOA Focus - Web Services Security in Java EE

The present and future

In my earlier article "Moving to SOA in J2EE 1.4" published in the February issue of JDJ I introduced you to the new object distribution model based on Web Services that became available to Enterprise Java applications with the advent of Java EE 1.4. In this article I want to look at the security features available in Java EE SOA.

Here you'll get thehands-on knowledge of Web Services security in Java EE that we acquired when adding security support to OptimalJ-generated SOA applications. It's based on the J2EE 1.4 specification itself as well as on what is actually supported and it works in three major J2EE 1.4 application servers - JBoss 4.0.4, WebSphere 6.0.2.x, and WebLogic 9.1. You'll also learn about the new mandatory security features available to Web Service endpoints in Java EE 5.0.

Overview of Security in Java EE
Java EE comes with a mature security model that provides for the guaranteed features that have to be supported by all compliant application servers: authentication, authorization, confidentiality, and integrity. Though not yet required by the specification, most high-end application servers also support some sort of auditing of security-related events and non-repudiation - in other words a way of preventing an invocation sender from denying responsibility for the action - for communicating with Web Service components.

Authorization is based on logical security roles that are simple names defined by the component provider or application assembler in XML deployment descriptors. The code underneath all Java EE components - JSPs, servlets, and Enterprise JavaBeans - can be restricted declaratively based on logical security roles. In the case of EJBs, access can be limited on an Enterprise Bean's method level, whereas access to JSPs and servlets is enforced based on their URL and the HTTP method utilized (e.g. POST, GET, etc.). Besides declarative authorization, programmatic authorization is also supported so that a component's code can dynamically inquire whether the security context of the current user is associated with a particular logical security role and make a decision based on this analysis. How a given principal is actually mapped to a set of security roles depends on the Java EE notion of a security domain and the principal authentication mechanisms associated with the domain.

The confidentiality and integrity requirements are met at the transport layer with the help of the Secure Sockets Layer (SSL 3.0) protocol and the related IETF standard Transport Layer Security (TLS 1.0) protocol. For SSL and TLS only X.509 certificates are supported for authenticating principals. Kerberos-based authentication mechanisms in TLS are presently regarded as optional and aren't implemented by the application servers this article concentrates on.

The authentication security requirement is by far the most difficult to explain since it requires understanding the Java EE notion of a security domain, which is essentially a security mechanism used to authenticate the user. Here are the three arbitrary examples of security domains:

  1. A security domain where users are authenticated based on their X509 certificates presented during an SSL handshake. In this case the protocol used by the client for communicating with the application server can be HTTPS, IIOP/SSL, or JRMP/SSL.
  2. A security domain that uses the SRP protocol in communicating a user's name and password to the server in a secure fashion. Here the communications protocol that the client uses can be JRMP.
  3. A security domain that uses the HTTP Basic Authentication in communicating a user name and password to the server. Such a security domain will use either HTTP or HTTPS as the supported communications protocol.
Different security domains entail different types of principals for representing users. In the first security domain presented above, a principal will be derived from an X509 certificate or a certificate chain that the user presented during an SSL handshake. In the second example, a principal will be taken from the user name specified by the client. Here's a code sample taken from JBoss that shows how a certificate chain can be mapped to a principal:

public Principal toPrinicipal(
       X509Certificate[] certs) {
    Principal subject = certs[0].getSubjectDN();
    return subject;
}

Thus a security domain deals with a set of principals of a particular kind (e.g., based on X509 certificates, Kerberos tickets, plain user names, etc.). This set is termed a principal realm. For each principal realm, there's mapping between its principals and the one or more logical security roles that are used in Java EE applications. Application servers offer a plethora of ways to represent a principal realm, the most common of which are a local OS user registry, an LDAP server, an RDBMS schema, a Kerberos KDC, or a simple .properties files.

Modern Java EE application servers support different security domains or let users define their own based on the JAAS login modules available. See the sidebar "What is JAAS?" for more information on using JAAS in Java EE.

When a Java EE application is deployed, the deployer assigns the application modules to the security domains that have been configured in the targeted application server installation. Typically, the components of a Java EE module (an EJB .jar module or a Web .war module) are all assigned to the same security domain; some application servers let the components of a given module be assigned to different security domains, but this practice is generally avoided since it can easily lead to confusion. Java EE doesn't standardize the scope of a security domain and leaves it up to vendors. At the moment all high-end application servers let a security domain span multiple application server installations (which typically form a cluster).

Security Context Propagation and Single Sign-on
A Java EE application server features three different containers (there's also an applet container that is typically embodied by a Web browser program): a Web Container that hosts JSPs and servlet components, an EJB Container where EJB components are deployed, and an Application client container (see the sidebar "Application client containers" for more details on this concept). EJB and Web Containers are typically collocated, and components running in the Web Container can access EJBs of the corresponding EJB container. Figure 1 depicts the relationships between the three containers and various ways in which a client can access a Java EE application. For simplicity's sake I depicted all the enterprise components as running in the same application server on a single node, but it doesn't have to be this way; modern application servers let them be distributed among multiple nodes.

The following are the two typical usage scenarios shown in Figure 1 involving access to an enterprise Java application:

1.  A user accesses a JSP or a servlet component deployed in a Web Container with a Web browser. He authenticates himself to the Web Container using either 1) a username and password that his Web browser prompts him to enter (Basic HTTP Authentication) or 2) an X509 certificate that the browser lets the user choose from a pre-installed set of user certificates. The servlet component carries out the presentation-related activities and invokes an EJB Session component (using a local invocation in the same JVM or RMI-based protocol) to carry out the business logic-related tasks. To fulfill the business logic task the session bean can invoke an Entity EJB, call on an EIS with a help of a JCA resource adapter, or carry out some JDBC-based data access. After completing its work, the session component returns the processing results to the servlet component, which in turn renders them to the user in HTML.

The user can then invoke the servlet or some Web component or JSP again.The application server maintains a session with the user's browser and doesn't require re-authentication.

2.  A Java client application uses either RMI-IIOP or RMI-JRPM to access the server. The application prompts the user for a name and credentials and authenticates itself to the server with the help of JAAS and one or more JAAS the login modules provided by the vendor. For RMI-IIOP, the CSIv2 SAS protocol will most likely be used to communicate authentication data to the server. The client application accesses an EJB deployed in an EJB Container. Like the first scenario, the invoked EJB can call other EJBs or enterprise services.

The client application then goes on to invoke another EJB without having to re-authenticate the user. Listing 1 is an example of such a client application for WebSphere.

A lot can be gathered from these scenarios and from Figure 1.

First, they show that external clients can access components running in the WEB container by using either HTTP or HTTPS and components hosted in the EJB container with RMI-IIOP or RMI-JRMP. They also show that components can use 1) local invocations in the same JVM, 2) RMI-IIOP, or 3) RMI-JRMP for inter-component communication. Which of the three is used depends on the vendor and the configuration of the application server.

Second, in both examples the clients authenticated themselves to the container before being able to use a component, and the application server propagated the established client security context when the component invoked the other EJBs.

Third, the samples demonstrate Java EE support for single sign-on (frequently abbreviated as SSO), thanks to which needless re-authentications are avoided for subsequent application are avoided server access. The propagation of the client security context and single sign-on are two important security characteristics of Java EE.

Application servers let the client security context be propagated if local JVM invocations, RMI-IIOP, or RMI-JRMP are used as inter-component communication transports and the component targeted belongs to the same security domain. A client security context typically consists of a principal object (whose type depends on the security domain of the Java EE application) and zero or more associated credentials presented during authentication. Java EE specifies RMI-IIOP and the accompanying CSIv2 OMG spec as the only interoperable way of propagating a client security context that must be understood and supported by all compliant application servers (a security context propagated with RMI-JRMP is only meaningful if the targeted component runs in an application server from the same vendor). Using CORBA-related standards for interoperability among disparate application servers reflects the CORBA-oriented nature of the early Java EE specifications that holds to this day.


More Stories By Andrei Iltchenko

Andrei Iltchenko is a development lead at Compuware Corporation where he works on the MDA product OptimalJ and is responsible for the business logic area of OptimalJ-generated J2EE applications. He is also a Sun certified Java developer for Java Web Services, a Sun Certified Business Component Developer, a Sun Certified Developer, and a Sun Certified Programmer.

Comments (4) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Andrei Iltchenko 08/17/06 01:36:29 PM EDT

Gerald, thank you very much for your words and for the correction you found! I am glad you found the article of use.

Gerald Loeffler 07/26/06 06:57:59 AM EDT

Brilliant article - precise, accurate and comprehensive, including valuable real-world information that goes beyond "spec knowledge". A pleaseure to read!

cheers,
gerald

P.S.: there is a bug in listing 2: the variable to downcast should be "bean1Stub" and not "port".

http://www.gerald-loeffler.net

SYS-CON Australia News Desk 07/25/06 01:53:42 PM EDT

In my earlier article 'Moving to SOA in J2EE 1.4' published in the February issue of JDJ I introduced you to the new object distribution model based on Web Services that became available to Enterprise Java applications with the advent of Java EE 1.4. In this article I want to look at the security features available in Java EE SOA.

JDJ News Desk 07/25/06 01:33:45 PM EDT

In my earlier article 'Moving to SOA in J2EE 1.4' published in the February issue of JDJ I introduced you to the new object distribution model based on Web Services that became available to Enterprise Java applications with the advent of Java EE 1.4. In this article I want to look at the security features available in Java EE SOA.

@ThingsExpo Stories
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
DXWorldEXPO LLC, the producer of the world's most influential technology conferences and trade shows has announced the 22nd International CloudEXPO | DXWorldEXPO "Early Bird Registration" is now open. Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)
Join IBM November 1 at 21st Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA, and learn how IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Cognitive analysis impacts today’s systems with unparalleled ability that were previously available only to manned, back-end operations. Thanks to cloud processing, IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Imagine a robot vacuum that becomes your personal assistant tha...
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
I think DevOps is now a rambunctious teenager - it's starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settl...
In his session at @ThingsExpo, Dr. Robert Cohen, an economist and senior fellow at the Economic Strategy Institute, presented the findings of a series of six detailed case studies of how large corporations are implementing IoT. The session explored how IoT has improved their economic performance, had major impacts on business models and resulted in impressive ROIs. The companies covered span manufacturing and services firms. He also explored servicification, how manufacturing firms shift from se...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
IoT solutions exploit operational data generated by Internet-connected smart “things” for the purpose of gaining operational insight and producing “better outcomes” (for example, create new business models, eliminate unscheduled maintenance, etc.). The explosive proliferation of IoT solutions will result in an exponential growth in the volume of IoT data, precipitating significant Information Governance issues: who owns the IoT data, what are the rights/duties of IoT solutions adopters towards t...
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assista...