Corporate PPT Template - Oracle Software Downloads

Session id:40119
Building Secure J2EE Applications With Oracle
Cary Bakker
Principal Consultant
John Gammon
Principal Consultant
Adam Leftik
Sr. Principal Consultant
Oracle Corporation
Agenda
• Introduction
  – Motivation for POC
  – Requirements for solution
  – Architectural decisions
• Security Fundamentals
  – Security Concepts review
  – SSL
• A “How To” on locking down the system
  – Web Client to HTTP Server
  – HTTP Server to App Server
  – App Server to Database
Client Motivation
• Aerospace Operation Center (AOC) issues:
  – Separate Coalition Network
    • n * as many servers
    • n * setup time
  – Difficult to share data
    • Data “cleansing” process
    • Untimely data
    • Erroneous data
    • Unavailable data
Solution Requirements
• Multi Level Security (MLS)
  – US and Coalition all on single network
• Timely release of data
• Security given highest priority
• Flexible architecture
Solution Architecture Overview
• SSL Mutual Authentication for all network communication, lock down all layers
• Oracle’s MVC Framework – flexibility for migration to service oriented architecture implementation
• Oracle Label Security – key for MLS and timely release of information
Security Concepts Review
• Authentication
• Authorization
• Confidentiality
• Integrity
Secure Socket Layer Protocol (SSL)
• Client sends list of cipher suites
• Server responds with the cipher suite specification and the web server’s digital certificate, and requests the client certificate
• Client verifies certificate
• Client generates pre-master secret, encrypts it with the server’s public key, and sends its client certificate and the pre-master secret
• Server decrypts pre-master secret with its private key and verifies client certificate
• Session key is calculated from the pre-master secret by both parties independently
• Session key is used for symmetric key encryption for the rest of the session
Certificate Verification
• Is this certificate in the CRL?
• Is the certificate within validity period?
• Is the Certificate Authority trusted (chain)?
• Does the issuing certificate’s public key validate issuer’s signature?
• (Optional) Does the web server DNS name match the subject’s (server cert) DN? 9i also supports instance verification via instance name + hostname
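The first four checks above can be delegated to the JDK's PKIX path validator. The following is an added example, not code from the presentation; the class name, the file arguments and the single trusted root are assumptions, and the optional DNS-name match is left out.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Added example (not from the presentation): the slide's checks via PKIX validation.
public class ClientCertCheck {

    // chain: leaf first, trusted root excluded. Throws CertPathValidatorException
    // if any certificate is revoked, expired, untrusted, or badly signed.
    static void verify(List<X509Certificate> chain, X509Certificate trustedRoot,
                       Collection<X509CRL> crls) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);

        // Trusted CA (chain): only this root may anchor the path.
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(trustedRoot, null)));

        // CRL check: each certificate is looked up in the supplied CRLs. If revocation
        // status cannot be determined, validation fails (fail closed).
        params.setRevocationEnabled(true);
        params.addCertStore(
            CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        // Validity period and issuer signature are checked for every link here.
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    // Usage (file names are placeholders): java ClientCertCheck client.pem ca.pem ca.crl
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf, root;
        X509CRL crl;
        try (InputStream a = new FileInputStream(args[0]);
             InputStream b = new FileInputStream(args[1]);
             InputStream c = new FileInputStream(args[2])) {
            leaf = (X509Certificate) cf.generateCertificate(a);
            root = (X509Certificate) cf.generateCertificate(b);
            crl = (X509CRL) cf.generateCRL(c);
        }
        try {
            verify(Collections.singletonList(leaf), root, Collections.singleton(crl));
            System.out.println("accepted: " + leaf.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```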
Secure Software Architecture
High-Level Flow
Oracle Http Server and Mod OSSL
• Provides authentication, confidentiality, and integrity for communication between web client and OHS using SSL
• Support for majority of cryptographically strong cipher algorithms
• SSL mutual authentication support (two-phase authentication)
Key OHS Directives
LoadModule ossl_module modules/ApacheModuleOSSL.DLL
SSLWallet file:<ohs_home>\conf\Apache\Apache\conf
SSLWalletPassword mypassword
SSLVerifyClient require
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
Securing OC4J
• Mod OC4J for proxying requests to OC4J
• AJP over SSL support in 9.04
• IP Checks
• Security Filters
• JAZN provides authentication and authorization for middle-tier business logic
Mod OC4J Example
<IfModule mod_oc4j.c>
  # propagate credentials to OC4J
  Oc4jExtractSSL on
  # the mod_oc4j status handler is reachable from the local host only
  <Location /oc4j-service>
    SetHandler oc4j-service-handler
    Order deny,allow
    Deny from all
    Allow from localhost
  </Location>
  Oc4jMount /myapp home
  Oc4jMount /myapp/* home
</IfModule>
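Accessing Certificates
// Servlet service method….
ServletRequest request = null;
….
// client certificate chain, stored under the Servlet API's standard attribute name
java.security.cert.X509Certificate[] certs =
    (java.security.cert.X509Certificate[])
        request.getAttribute("javax.servlet.request.X509Certificate");
// certs[0] is the client's own certificate
Principal issuerPrincipal = certs[0].getIssuerDN();
Principal subjPrincipal = certs[0].getSubjectDN();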
Security Filter
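A servlet filter of the kind this slide names, written here as an added example rather than code from the presentation. The class name, the init-param `requiredIssuer` and the request attribute `app.clientSubject` are hypothetical, and the filter assumes the container exposes the certificate forwarded by mod_oc4j under the standard Servlet API attribute.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example: defense-in-depth check in the middle tier. Chain and CRL validation
// are still the job of the SSL layer (SSLVerifyClient require); this filter only
// refuses requests that reach the container without an acceptable certificate.
public class ClientCertFilter implements Filter {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private X500Principal requiredIssuer;   // from hypothetical init-param "requiredIssuer"

    public void init(FilterConfig cfg) throws ServletException {
        String dn = cfg.getInitParameter("requiredIssuer");
        if (dn == null) throw new ServletException("init-param requiredIssuer is missing");
        requiredIssuer = new X500Principal(dn);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (!acceptable(certs)) {
            // Fail closed: no certificate, an expired one, or an unexpected issuer.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Hand the authenticated subject to downstream servlets.
        req.setAttribute("app.clientSubject", certs[0].getSubjectX500Principal());
        chain.doFilter(req, res);
    }

    boolean acceptable(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) return false;
        try {
            certs[0].checkValidity();           // within validity period right now
        } catch (CertificateException e) {
            return false;
        }
        // X500Principal.equals compares canonical DNs, not raw strings.
        return requiredIssuer.equals(certs[0].getIssuerX500Principal());
    }

    public void destroy() { }
}
```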
JAZN
• Provides authorization for middle-tier resources
• Makes the J2EE container ‘aware’ of the authentication and authorization
• Map J2EE Principals and Roles to enterprise data stores e.g. LDAP
• Support for declarative security model in J2EE e.g. method level permissions in EJB deployment descriptors
Database Users and Application Users
• Avoid the “One Big Database User”
  – Leverage auditing
  – Allows you to use other security features
    • Oracle Label Security
    • Secure application roles
Securing Database Access
Proxy Authentication
• JDBC OCI connection pool support (Subclass of OracleDataSource)
• A pool of lightweight database sessions created via app server database user which are authenticated via SSL mutual authentication
• Digital certificates propagated to database server to authenticate application users creating a ‘heavyweight session’
• SSL ensures Middle-Tier and Database trust each other
• Preserves application identities
Proxy Authentication Example
-- middle-tier account and application user, both identified by certificate DN
CREATE USER APP_SERVER IDENTIFIED GLOBALLY AS 'CN=APP_SERVER, C=US';
CREATE USER JOHN_ROHLER IDENTIFIED GLOBALLY AS 'CN=Jon Rohler, C=US';
GRANT "CONNECT" TO APP_SERVER;
-- allow APP_SERVER to open sessions on behalf of JOHN_ROHLER
ALTER USER JOHN_ROHLER GRANT CONNECT THROUGH APP_SERVER;
GRANT "CONNECT" TO JOHN_ROHLER;
GRANT "APPLICATION_ROLE" TO JOHN_ROHLER;
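Proxy Authentication Example (cont)
import java.sql.Connection;
import java.util.Properties;
import javax.naming.InitialContext;
import oracle.jdbc.pool.OracleOCIConnectionPool;
…..
InitialContext ctx = new InitialContext();
OracleOCIConnectionPool ds =
    (OracleOCIConnectionPool) ctx.lookup("jdbc/OracleProxyDS");
Properties props = new Properties();
// UsersDERCertRef: the application user's DER-encoded certificate
props.put(OracleOCIConnectionPool.PROXY_CERTIFICATE, UsersDERCertRef);
// open a session for that user through the app server's pooled connection
Connection connection =
    ds.getProxyConnection(OracleOCIConnectionPool.PROXYTYPE_CERTIFICATE, props);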
Secure Application Roles
• Only allows privileges to schema objects from specific applications in specific contexts
• Reduce the possibility of inside intrusion by circumventing middle-tier
• Network based authorization
Secure Application Role Example
-- The package specification (not shown) must be declared AUTHID CURRENT_USER,
-- because DBMS_SESSION.SET_ROLE only works from invoker's-rights code.
CREATE OR REPLACE PACKAGE BODY MY_ROLE IS
  PROCEDURE check_access
  IS
    proxy_usr  VARCHAR2 (4000);
    ip_address VARCHAR2 (16);
  BEGIN
    proxy_usr  := SYS_CONTEXT('userenv','proxy_user');
    ip_address := SYS_CONTEXT('userenv','ip_address');
    -- enable the role only for sessions proxied by the app server from its address
    IF proxy_usr = 'APP_SERVER' AND ip_address = '192.168.1.125' THEN
      DBMS_SESSION.SET_ROLE('MY_APPLICATION_ROLE');
    END IF;
  END;
END;
/
-- the role must exist before privileges are granted to it
CREATE ROLE MY_APPLICATION_ROLE IDENTIFIED USING schema_owner_for_pl_sql_package.MY_ROLE;
GRANT SELECT ON ACCOUNTS TO MY_APPLICATION_ROLE;
GRANT EXECUTE ON MY_ROLE TO JOHN_ROHLER;
GRANT "MY_APPLICATION_ROLE" TO JOHN_ROHLER;
ALTER USER JOHN_ROHLER DEFAULT ROLE ALL EXCEPT MY_APPLICATION_ROLE;
Integration With JDBC Example
Connection conn = null;
CallableStatement cs = null;
try {
    // get a proxy connection from jdbc oci connection pool
    conn = getConnection();
    cs = conn.prepareCall("begin schema_owner.my_role.check_access(); end;");
    cs.execute();
    // now use conn to issue a query against account table, query will fail if not connecting from middle tier
} catch (SQLException sqle) {
    // handle the exception
} finally {
    // close the statement before the connection that owns it
    if (cs != null) {
        try { cs.close(); } catch (SQLException sqle) {}
    }
    if (conn != null) {
        try { conn.close(); } catch (SQLException sqle) {}
    }
}
Oracle Label Security – Row Level Security
• Built on top of VPD
• General purpose row-level authorization
• Based on military classification metaphor
• Flexible: Levels, Compartments, Groups
Oracle Label Example – Create Policy and Levels
EXEC SA_SYSDBA.CREATE_POLICY('MYPOLICY', 'MYCOLUMN', 'READ_CONTROL, WRITE_CONTROL, CHECK_CONTROL, LABEL_DEFAULT');
EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY',9000,'C', 'CLASSIFIED');
EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY',2000,'HS', 'HIGHLY_SENSITIVE');
EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY',1000,'S', 'SENSITIVE');
Oracle Label Example – Apply Policy to Table
EXEC sa_policy_admin.apply_table_policy('MYPOLICY', 'SCHEMAOWNER', 'MYTABLE');
Oracle Label Example – Authorize User Labels
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS(
    POLICY_NAME     => 'MYPOLICY',
    USER_NAME       => 'JOHN_ROHLER',
    MAX_READ_LABEL  => 'C,HS,S',
    MAX_WRITE_LABEL => 'C',
    MIN_WRITE_LABEL => 'C');
END;
/
Oracle Label Example – Apply Labels to Rows
UPDATE SCHEMAOWNER.TABLE_NAME
SET MYCOLUMNAME = char_to_label('MYPOLICY','C')
WHERE MYUNIQUEKEY = 'SOMEUNIQUEVALUE';

INSERT INTO ACCOUNTS (ACCOUNT_NUM) VALUES (1);
INSERT INTO ACCOUNTS (ACCOUNT_NUM, LABEL_COLUMN)
VALUES (2, char_to_label('MYPOLICY','C'));
SELECT * FROM ACCOUNTS;
Next Steps….
• To request a complimentary 1-on-1 consultation to begin a personalized assessment of the potential benefits of an Oracle solution based on your organization’s environment, stop by the Oracle Consultations area in the Oracle DEMOgrounds section of the Exhibit Hall.
• For information on our services, visit the Oracle Consulting booth in the Oracle Services area in the Oracle DEMOgrounds section of the Exhibit Hall.
For more information
• TheServerSide.com J2EE Community
  – Largest J2EE site in the world
  – 305,000 registered members
  – Enterprise Java News
  – Design Patterns
  – Free Books
  – Product Reviews
  – Articles and Video Interviews
Reminder – please complete the OracleWorld online session survey
Thank you.