Click here to close now.



Welcome!

Cloud Security Authors: Shelly Palmer, Tom Kelly, Cloud Best Practices Network, Gregor Petri, Elizabeth White

Related Topics: Java IoT, Cloud Security

Java IoT: Article

SOA Focus - Web Services Security in Java EE

The present and future

In my earlier article "Moving to SOA in J2EE 1.4" published in the February issue of JDJ I introduced you to the new object distribution model based on Web Services that became available to Enterprise Java applications with the advent of Java EE 1.4. In this article I want to look at the security features available in Java EE SOA.

Here you'll get thehands-on knowledge of Web Services security in Java EE that we acquired when adding security support to OptimalJ-generated SOA applications. It's based on the J2EE 1.4 specification itself as well as on what is actually supported and it works in three major J2EE 1.4 application servers - JBoss 4.0.4, WebSphere 6.0.2.x, and WebLogic 9.1. You'll also learn about the new mandatory security features available to Web Service endpoints in Java EE 5.0.

Overview of Security in Java EE
Java EE comes with a mature security model that provides for the guaranteed features that have to be supported by all compliant application servers: authentication, authorization, confidentiality, and integrity. Though not yet required by the specification, most high-end application servers also support some sort of auditing of security-related events and non-repudiation - in other words a way of preventing an invocation sender from denying responsibility for the action - for communicating with Web Service components.

Authorization is based on logical security roles that are simple names defined by the component provider or application assembler in XML deployment descriptors. The code underneath all Java EE components - JSPs, servlets, and Enterprise JavaBeans - can be restricted declaratively based on logical security roles. In the case of EJBs, access can be limited on an Enterprise Bean's method level, whereas access to JSPs and servlets is enforced based on their URL and the HTTP method utilized (e.g. POST, GET, etc.). Besides declarative authorization, programmatic authorization is also supported so that a component's code can dynamically inquire whether the security context of the current user is associated with a particular logical security role and make a decision based on this analysis. How a given principal is actually mapped to a set of security roles depends on the Java EE notion of a security domain and the principal authentication mechanisms associated with the domain.

The confidentiality and integrity requirements are met at the transport layer with the help of the Secure Sockets Layer (SSL 3.0) protocol and the related IETF standard Transport Layer Security (TLS 1.0) protocol. For SSL and TLS only X.509 certificates are supported for authenticating principals. Kerberos-based authentication mechanisms in TLS are presently regarded as optional and aren't implemented by the application servers this article concentrates on.

The authentication security requirement is by far the most difficult to explain since it requires understanding the Java EE notion of a security domain, which is essentially a security mechanism used to authenticate the user. Here are the three arbitrary examples of security domains:

  1. A security domain where users are authenticated based on their X509 certificates presented during an SSL handshake. In this case the protocol used by the client for communicating with the application server can be HTTPS, IIOP/SSL, or JRMP/SSL.
  2. A security domain that uses the SRP protocol in communicating a user's name and password to the server in a secure fashion. Here the communications protocol that the client uses can be JRMP.
  3. A security domain that uses the HTTP Basic Authentication in communicating a user name and password to the server. Such a security domain will use either HTTP or HTTPS as the supported communications protocol.
Different security domains entail different types of principals for representing users. In the first security domain presented above, a principal will be derived from an X509 certificate or a certificate chain that the user presented during an SSL handshake. In the second example, a principal will be taken from the user name specified by the client. Here's a code sample taken from JBoss that shows how a certificate chain can be mapped to a principal:

public Principal toPrinicipal(
       X509Certificate[] certs) {
    Principal subject = certs[0].getSubjectDN();
    return subject;
}

Thus a security domain deals with a set of principals of a particular kind (e.g., based on X509 certificates, Kerberos tickets, plain user names, etc.). This set is termed a principal realm. For each principal realm, there's mapping between its principals and the one or more logical security roles that are used in Java EE applications. Application servers offer a plethora of ways to represent a principal realm, the most common of which are a local OS user registry, an LDAP server, an RDBMS schema, a Kerberos KDC, or a simple .properties files.

Modern Java EE application servers support different security domains or let users define their own based on the JAAS login modules available. See the sidebar "What is JAAS?" for more information on using JAAS in Java EE.

When a Java EE application is deployed, the deployer assigns the application modules to the security domains that have been configured in the targeted application server installation. Typically, the components of a Java EE module (an EJB .jar module or a Web .war module) are all assigned to the same security domain; some application servers let the components of a given module be assigned to different security domains, but this practice is generally avoided since it can easily lead to confusion. Java EE doesn't standardize the scope of a security domain and leaves it up to vendors. At the moment all high-end application servers let a security domain span multiple application server installations (which typically form a cluster).

Security Context Propagation and Single Sign-on
A Java EE application server features three different containers (there's also an applet container that is typically embodied by a Web browser program): a Web Container that hosts JSPs and servlet components, an EJB Container where EJB components are deployed, and an Application client container (see the sidebar "Application client containers" for more details on this concept). EJB and Web Containers are typically collocated, and components running in the Web Container can access EJBs of the corresponding EJB container. Figure 1 depicts the relationships between the three containers and various ways in which a client can access a Java EE application. For simplicity's sake I depicted all the enterprise components as running in the same application server on a single node, but it doesn't have to be this way; modern application servers let them be distributed among multiple nodes.

The following are the two typical usage scenarios shown in Figure 1 involving access to an enterprise Java application:

1.  A user accesses a JSP or a servlet component deployed in a Web Container with a Web browser. He authenticates himself to the Web Container using either 1) a username and password that his Web browser prompts him to enter (Basic HTTP Authentication) or 2) an X509 certificate that the browser lets the user choose from a pre-installed set of user certificates. The servlet component carries out the presentation-related activities and invokes an EJB Session component (using a local invocation in the same JVM or RMI-based protocol) to carry out the business logic-related tasks. To fulfill the business logic task the session bean can invoke an Entity EJB, call on an EIS with a help of a JCA resource adapter, or carry out some JDBC-based data access. After completing its work, the session component returns the processing results to the servlet component, which in turn renders them to the user in HTML.

The user can then invoke the servlet or some Web component or JSP again.The application server maintains a session with the user's browser and doesn't require re-authentication.

2.  A Java client application uses either RMI-IIOP or RMI-JRPM to access the server. The application prompts the user for a name and credentials and authenticates itself to the server with the help of JAAS and one or more JAAS the login modules provided by the vendor. For RMI-IIOP, the CSIv2 SAS protocol will most likely be used to communicate authentication data to the server. The client application accesses an EJB deployed in an EJB Container. Like the first scenario, the invoked EJB can call other EJBs or enterprise services.

The client application then goes on to invoke another EJB without having to re-authenticate the user. Listing 1 is an example of such a client application for WebSphere.

A lot can be gathered from these scenarios and from Figure 1.

First, they show that external clients can access components running in the WEB container by using either HTTP or HTTPS and components hosted in the EJB container with RMI-IIOP or RMI-JRMP. They also show that components can use 1) local invocations in the same JVM, 2) RMI-IIOP, or 3) RMI-JRMP for inter-component communication. Which of the three is used depends on the vendor and the configuration of the application server.

Second, in both examples the clients authenticated themselves to the container before being able to use a component, and the application server propagated the established client security context when the component invoked the other EJBs.

Third, the samples demonstrate Java EE support for single sign-on (frequently abbreviated as SSO), thanks to which needless re-authentications are avoided for subsequent application are avoided server access. The propagation of the client security context and single sign-on are two important security characteristics of Java EE.

Application servers let the client security context be propagated if local JVM invocations, RMI-IIOP, or RMI-JRMP are used as inter-component communication transports and the component targeted belongs to the same security domain. A client security context typically consists of a principal object (whose type depends on the security domain of the Java EE application) and zero or more associated credentials presented during authentication. Java EE specifies RMI-IIOP and the accompanying CSIv2 OMG spec as the only interoperable way of propagating a client security context that must be understood and supported by all compliant application servers (a security context propagated with RMI-JRMP is only meaningful if the targeted component runs in an application server from the same vendor). Using CORBA-related standards for interoperability among disparate application servers reflects the CORBA-oriented nature of the early Java EE specifications that holds to this day.


More Stories By Andrei Iltchenko

Andrei Iltchenko is a development lead at Compuware Corporation where he works on the MDA product OptimalJ and is responsible for the business logic area of OptimalJ-generated J2EE applications. He is also a Sun certified Java developer for Java Web Services, a Sun Certified Business Component Developer, a Sun Certified Developer, and a Sun Certified Programmer.

Comments (4) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Andrei Iltchenko 08/17/06 01:36:29 PM EDT

Gerald, thank you very much for your words and for the correction you found! I am glad you found the article of use.

Gerald Loeffler 07/26/06 06:57:59 AM EDT

Brilliant article - precise, accurate and comprehensive, including valuable real-world information that goes beyond "spec knowledge". A pleaseure to read!

cheers,
gerald

P.S.: there is a bug in listing 2: the variable to downcast should be "bean1Stub" and not "port".

http://www.gerald-loeffler.net

SYS-CON Australia News Desk 07/25/06 01:53:42 PM EDT

In my earlier article 'Moving to SOA in J2EE 1.4' published in the February issue of JDJ I introduced you to the new object distribution model based on Web Services that became available to Enterprise Java applications with the advent of Java EE 1.4. In this article I want to look at the security features available in Java EE SOA.

JDJ News Desk 07/25/06 01:33:45 PM EDT

In my earlier article 'Moving to SOA in J2EE 1.4' published in the February issue of JDJ I introduced you to the new object distribution model based on Web Services that became available to Enterprise Java applications with the advent of Java EE 1.4. In this article I want to look at the security features available in Java EE SOA.

@ThingsExpo Stories
Most people haven’t heard the word, “gamification,” even though they probably, and perhaps unwittingly, participate in it every day. Gamification is “the process of adding games or game-like elements to something (as a task) so as to encourage participation.” Further, gamification is about bringing game mechanics – rules, constructs, processes, and methods – into the real world in an effort to engage people. In his session at @ThingsExpo, Robert Endo, owner and engagement manager of Intrepid D...
With an estimated 50 billion devices connected to the Internet by 2020, several industries will begin to expand their capabilities for retaining end point data at the edge to better utilize the range of data types and sheer volume of M2M data generated by the Internet of Things. In his session at @ThingsExpo, Don DeLoach, CEO and President of Infobright, will discuss the infrastructures businesses will need to implement to handle this explosion of data by providing specific use cases for filte...
SYS-CON Events announced today that Fusion, a leading provider of cloud services, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Fusion, a leading provider of integrated cloud solutions to small, medium and large businesses, is the industry's single source for the cloud. Fusion's advanced, proprietary cloud service platform enables the integration of leading edge solutions in the cloud, including clou...
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management...
SYS-CON Events announced today that Alert Logic, Inc., the leading provider of Security-as-a-Service solutions for the cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Alert Logic, Inc., provides Security-as-a-Service for on-premises, cloud, and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Ful...
SYS-CON Events announced today that VAI, a leading ERP software provider, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. VAI (Vormittag Associates, Inc.) is a leading independent mid-market ERP software developer renowned for its flexible solutions and ability to automate critical business functions for the distribution, manufacturing, specialty retail and service sectors. An IBM Premier Business Part...
The cloud promises new levels of agility and cost-savings for Big Data, data warehousing and analytics. But it’s challenging to understand all the options – from IaaS and PaaS to newer services like HaaS (Hadoop as a Service) and BDaaS (Big Data as a Service). In her session at @BigDataExpo at @ThingsExpo, Hannah Smalltree, a director at Cazena, will provide an educational overview of emerging “as-a-service” options for Big Data in the cloud. This is critical background for IT and data profes...
Fortunately, meaningful and tangible business cases for IoT are plentiful in a broad array of industries and vertical markets. These range from simple warranty cost reduction for capital intensive assets, to minimizing downtime for vital business tools, to creating feedback loops improving product design, to improving and enhancing enterprise customer experiences. All of these business cases, which will be briefly explored in this session, hinge on cost effectively extracting relevant data from ...
As enterprises work to take advantage of Big Data technologies, they frequently become distracted by product-level decisions. In most new Big Data builds this approach is completely counter-productive: it presupposes tools that may not be a fit for development teams, forces IT to take on the burden of evaluating and maintaining unfamiliar technology, and represents a major up-front expense. In his session at @BigDataExpo at @ThingsExpo, Andrew Warfield, CTO and Co-Founder of Coho Data, will dis...
With the Apple Watch making its way onto wrists all over the world, it’s only a matter of time before it becomes a staple in the workplace. In fact, Forrester reported that 68 percent of technology and business decision-makers characterize wearables as a top priority for 2015. Recognizing their business value early on, FinancialForce.com was the first to bring ERP to wearables, helping streamline communication across front and back office functions. In his session at @ThingsExpo, Kevin Roberts...
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2015 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 ad...
Eighty percent of a data scientist’s time is spent gathering and cleaning up data, and 80% of all data is unstructured and almost never analyzed. Cognitive computing, in combination with Big Data, is changing the equation by creating data reservoirs and using natural language processing to enable analysis of unstructured data sources. This is impacting every aspect of the analytics profession from how data is mined (and by whom) to how it is delivered. This is not some futuristic vision: it's ha...
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Learn how IoT, cloud, social networks and last but not least, humans, can be integrated into a seamless integration of cooperative organisms both cybernetic and biological. This has been enabled by recent advances in IoT device capabilities, messaging frameworks, presence and collaboration services, where devices can share information and make independent and human assisted decisions based upon social status from other entities. In his session at @ThingsExpo, Michael Heydt, founder of Seamless...
The IoT's basic concept of collecting data from as many sources possible to drive better decision making, create process innovation and realize additional revenue has been in use at large enterprises with deep pockets for decades. So what has changed? In his session at @ThingsExpo, Prasanna Sivaramakrishnan, Solutions Architect at Red Hat, discussed the impact commodity hardware, ubiquitous connectivity, and innovations in open source software are having on the connected universe of people, thi...
WebRTC: together these advances have created a perfect storm of technologies that are disrupting and transforming classic communications models and ecosystems. In his session at WebRTC Summit, Cary Bran, VP of Innovation and New Ventures at Plantronics and PLT Labs, provided an overview of this technological shift, including associated business and consumer communications impacts, and opportunities it may enable, complement or entirely transform.
There are so many tools and techniques for data analytics that even for a data scientist the choices, possible systems, and even the types of data can be daunting. In his session at @ThingsExpo, Chris Harrold, Global CTO for Big Data Solutions for EMC Corporation, showed how to perform a simple, but meaningful analysis of social sentiment data using freely available tools that take only minutes to download and install. Participants received the download information, scripts, and complete end-t...
For manufacturers, the Internet of Things (IoT) represents a jumping-off point for innovation, jobs, and revenue creation. But to adequately seize the opportunity, manufacturers must design devices that are interconnected, can continually sense their environment and process huge amounts of data. As a first step, manufacturers must embrace a new product development ecosystem in order to support these products.
Manufacturing connected IoT versions of traditional products requires more than multiple deep technology skills. It also requires a shift in mindset, to realize that connected, sensor-enabled “things” act more like services than what we usually think of as products. In his session at @ThingsExpo, David Friedman, CEO and co-founder of Ayla Networks, discussed how when sensors start generating detailed real-world data about products and how they’re being used, smart manufacturers can use the dat...
When it comes to IoT in the enterprise, namely the commercial building and hospitality markets, a benefit not getting the attention it deserves is energy efficiency, and IoT’s direct impact on a cleaner, greener environment when installed in smart buildings. Until now clean technology was offered piecemeal and led with point solutions that require significant systems integration to orchestrate and deploy. There didn't exist a 'top down' approach that can manage and monitor the way a Smart Buildi...