Security in Java Enterprise Edition (EE) : Anil Saldhana Red Hat Inc

This document discusses security in Java Enterprise Edition applications. It covers the following key points:
- Java EE uses role-based access control (RBAC) to determine what resources a user has access to based on their assigned roles. Authentication establishes a user's identity, and authorization determines their roles and enforces access.
- Common authentication methods in Java EE include basic authentication using usernames/passwords, form-based authentication, and SSL certificate-based authentication.
- After authentication, the container puts the user into a Java Principal and assigns roles. Policies then enforce authorization by checking the principal's roles against resources.
- The document provides steps for configuring basic, form-based, and SSL certificate-
Security in Java Enterprise Edition (EE)

Anil Saldhana Red Hat Inc.


[email protected] http://anil-identity.blogspot.com

Java Enterprise (architecture diagram; only the box labels survived extraction)

Browser; Web Server or Java EE Application Server; Java EE Application Server (several instances); Legacy Infrastructure; Database / Messaging / LDAP

Java EE Security

Underspecified. Containers perform two sequential steps:
1. Establish the Principal (authentication).
2. Determine the Principal's roles and enforce them (authorization).

RBAC-based, coarse-grained access control: roles shield web resources (URL patterns), EJB methods and message destinations.

Security is an aspect external to the application: it is declared in deployment descriptors or annotations and enforced by the container rather than coded into the business logic.

Java EE Containers: Authentication

"WHO ARE YOU?" -> "I KNOW YOU!"

The container accepts proof of identity in several forms (username/password, SAML2 assertions, WS-Trust claims, a Kerberos principal) and, on success, places a Java Principal inside a Java Subject.

Java EE Containers: Authorization

"WHAT ROLES DO YOU HAVE?" -> "GO AHEAD!"

The container takes the Java Principal, determines its roles, and the Java EE policies decide whether access to the requested resource is granted.

AUTHENTICATION TYPES

BASIC AUTHENTICATION - the browser prompts for a username and password and sends them in the HTTP Authorization header. They are only base64-encoded, not encrypted, so BASIC must be used over HTTPS.

FORM BASED AUTHENTICATION - the application supplies its own HTML login form, which posts j_username and j_password to j_security_check; the container validates them against the realm. The credentials travel in clear text unless the form and its target are served over HTTPS.

SSL AUTHENTICATION (CLIENT-CERT in web.xml) - the client presents an X.509 certificate during the TLS handshake; the container maps the certificate's subject to a principal, so no password crosses the wire.

Important Terms in Java EE Security
- Realm: a security policy domain that holds users and groups and defines how they authenticate; it is configured in the application server.
- Users: the authenticated identities in a realm.
- Groups: sets of users, also defined in the realm.
- Principal: the identity the container attaches to a caller once authentication succeeds.
- Role: an abstract, application-level name for a set of permissions; the deployer maps roles to realm users or groups.
The application server provides the facility to create realms, users and groups.

In BASIC AUTHENTICATION and FORM-BASED AUTHENTICATION

Roles are declared in web.xml (<security-role>) and mapped to realm users or groups in the vendor descriptor, sun-web.xml on GlassFish (<security-role-mapping>, with its predefined tags).
The resources to be protected are listed in web.xml in <security-constraint> elements, each naming the URL patterns and the roles allowed to reach them; <login-config> selects BASIC or FORM.
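The two-step container model above (establish the Principal, then enforce roles) and the web.xml role/constraint configuration, shown in one servlet as an added example. This is not code from the slides; it assumes a Servlet 3.0 or later container (GlassFish 3 or newer, not the GlassFish v2 referenced elsewhere in the deck), and the role names "employee" and "manager", the /payroll/* URL and the response text are hypothetical. The @ServletSecurity annotation is the in-code equivalent of a web.xml <security-constraint>; the BASIC/FORM/CLIENT-CERT choice still has to be made in web.xml's <login-config>, which has no annotation form.

```java
// Added example, not from the slides. Assumes a Servlet 3.0+ container;
// the URL, role names and response text are hypothetical.
package example.security;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Roles the application refers to. They are abstract names; the vendor
// descriptor (sun-web.xml on GlassFish) maps them to realm users or groups.
@DeclareRoles({"employee", "manager"})
@WebServlet("/payroll/*")
// Annotation equivalent of a web.xml <security-constraint>: every request to
// /payroll/* needs a principal in "employee"; POST additionally needs "manager".
// CONFIDENTIAL forces HTTPS, which BASIC and FORM need since they send clear-text
// credentials. It is set on both constraints because a method-specific constraint
// replaces the default one for that method rather than inheriting from it.
@ServletSecurity(
    value = @HttpConstraint(
        rolesAllowed = "employee",
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        @HttpMethodConstraint(
            value = "POST",
            rolesAllowed = "manager",
            transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL)
    })
public class PayrollServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1 (authentication) is done by the container before this runs,
        // so getUserPrincipal() is non-null here. The defensive check covers a
        // deployment where the constraint was accidentally dropped.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("principal: " + user.getName());
        // getAuthType() reports which <login-config> method authenticated the
        // caller: BASIC, FORM, CLIENT_CERT or DIGEST.
        out.println("auth-type: " + req.getAuthType());

        // Step 2 (authorization), programmatic flavour: finer-grained than the
        // URL-level constraint. Roles, never user names, drive the decision.
        if (req.isUserInRole("manager")) {
            out.println("showing all employees' pay slips");
        } else {
            out.println("showing only your own pay slip");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Reached only by "manager" callers because of the POST constraint above.
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("payroll run started by "
                + req.getUserPrincipal().getName());
    }
}
```

Deploy it with a web.xml that contains only a <login-config> (BASIC or FORM) and a sun-web.xml that maps "employee" and "manager" to groups of the chosen realm. EJB methods are shielded the same way with @RolesAllowed on the bean class or method, and SessionContext.isCallerInRole gives the programmatic check on that side.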

BASIC AUTHENTICATION

FORM BASED AUTHENTICATION

SSL AUTHENTICATION

SSL AUTHENTICATION
The client authenticates the server using a digital certificate, ideally one certified by a certification authority (CA). The steps below instead produce a self-signed certificate, which browsers will not trust automatically. The first step is to generate a public/private key pair and a certificate for it.

STEPS TO GENERATE A CERTIFICATE (with reference to glassfish-v2)

1. Go to the domain's config folder and back up the existing keystore under another name:
   cp keystore.jks keystore-backup.jks
2. Remove the default key (alias s1as) from the keystore:
   keytool -delete -alias s1as -keystore keystore.jks
   This prompts for the keystore password; the default is changeit.
3. Generate a key pair in the keystore:
   keytool -genkey -keyalg RSA -keysize 1024 -alias s1as -keystore keystore.jks -validity 365
   Enter the keystore password when prompted. The slide uses 1024-bit RSA; current practice is 2048 bits or more. Newer keytool versions name this command -genkeypair.
4. Enter the requested identifying details (name, city, company, etc.). keytool wraps the new key in a self-signed certificate, so the name you give should match the host name clients will use.
5. Export the certificate to a file:
   keytool -export -alias s1as -file serverb-cert.cer -keystore keystore.jks
6. Import the file into the trust store cacerts.jks:
   keytool -import -alias serverb.mycompany.com -file serverb-cert.cer -keystore cacerts.jks
   Newer keytool versions name this command -importcert.

Browse your resource using https

eg. https://localhost:8181/ConverterApp
The browser shows the certificate sent by the server, which the client can accept or reject. Because the certificate is self-signed rather than CA-issued, the browser warns until the user accepts it or imports it into the browser's own trust store.
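A check on the outcome of the keytool steps, as an added example that is not part of the slides: it loads keystore.jks and cacerts.jks, confirms that the certificate trusted under alias serverb.mycompany.com is the same one backing the private key under alias s1as, prints what the browser will display, and flags the slide's 1024-bit key size. The file names, aliases and the changeit password come from the steps above; the config directory passed on the command line is an assumption.

```java
// Added example, not from the slides. Verifies the keystore.jks / cacerts.jks
// produced by the keytool steps. The config directory is a command-line argument
// (assumption); aliases, file names and the default password are from the slides.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

public class CheckServerCert {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);  // a wrong password fails here with an IOException
        }
        return ks;
    }

    // SHA-256 fingerprint in the colon-separated form browsers display.
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String configDir = args.length > 0 ? args[0] : ".";
        char[] password = "changeit".toCharArray();  // GlassFish default; change it in production

        KeyStore keystore = load(configDir + "/keystore.jks", password);
        KeyStore truststore = load(configDir + "/cacerts.jks", password);

        // Step 3 created a private key plus a self-signed certificate under alias s1as.
        if (!keystore.isKeyEntry("s1as")) {
            throw new IllegalStateException("keystore.jks has no private-key entry 's1as'");
        }
        X509Certificate server = (X509Certificate) keystore.getCertificate("s1as");

        // Step 6 imported the exported certificate into cacerts.jks under the host alias.
        Certificate trusted = truststore.getCertificate("serverb.mycompany.com");
        if (trusted == null) {
            throw new IllegalStateException("cacerts.jks has no entry 'serverb.mycompany.com'");
        }
        if (!server.equals(trusted)) {
            throw new IllegalStateException("trusted certificate differs from the server key's certificate");
        }

        // What the browser shows when asking the user to accept or reject.
        boolean selfSigned = server.getSubjectX500Principal().equals(server.getIssuerX500Principal());
        System.out.println("subject:  " + server.getSubjectX500Principal());
        System.out.println("issuer:   " + server.getIssuerX500Principal()
                + (selfSigned ? "  (self-signed: browsers will warn)" : ""));
        System.out.println("valid:    " + server.getNotBefore() + " .. " + server.getNotAfter());
        System.out.println("SHA-256:  " + sha256Fingerprint(server));

        server.checkValidity(new Date());  // throws if expired or not yet valid

        // The slide's -keysize 1024 is below current practice.
        if (server.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) server.getPublicKey()).getModulus().bitLength();
            System.out.println("RSA bits: " + bits
                    + (bits < 2048 ? "  (weak; regenerate with -keysize 2048 or more)" : ""));
        }
    }
}
```

Compile with javac and run as `java CheckServerCert /path/to/domain1/config`; compare the printed SHA-256 fingerprint with the one the browser shows at https://localhost:8181 before accepting the certificate.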
