Chapter 1. Introducing the Security System

Table of Contents

1.1. Overview
1.2. Key Features
1.3. System Architecture
1.4. Core Concepts
1.4.1. Login
1.4.2. Authentication
1.4.3. Authorization
1.4.4. Auditing
1.4.5. Services and SPI
1.4.6. Domain
1.5. Improving Performance and Security Level
1.5.1. Tuning the Security System
1.5.2. Improving Security Level

This chapter describes the concepts, structure, and key features of the security system.

Basic security definition is used to prevent and detect various types of attacks including an internal attack. A similar concept can be applied to an enterprise or computer environment that handles and provides user information.

The security targets are name, password, and address of users, and resources that provide a service or operate the system. Each system uses a security related software or implements a hardware related security system to protect its critical data and system resources.

The JEUS security service is based on SPI (Service Provider Interface), it provides various security service types to protect user information and resources registered with JEUS.

This guide covers the JEUS security structure and security related information.

The JEUS security system aimed for high design goals. In summary, the new security system should:

  • Have a flexible and pluggable framework.

    Necessary for integrating the security system with any existing 3rd-party security mechanism and/or persistent storage mechanism.

  • Ensure security.

    Prevent any unauthorized access to the system, even in the case when a very clever hacker with an ill intent de-compiles the security system sources.

  • Provide high performance.

    The involvement of security system in the system and application code should have a minimal impact on the overall performance. Note that there is a trade off here: the degree of system security will adversely affect system performance. JEUS security system is designed for high performance and maximum security.

  • Provide a simple, unambiguous API and SPI for facilitating maintenance and the creation of 3rd party security services.

  • Maintain data integrity.

  • Conform with the standards.

JEUS security system satisfies all of the aforementioned high-level goals.

The key features of the new JEUS security system are summarized in the following list. The security system:

  • Has an open architecture and framework with a complete set of security integration SPI for customers and 3rd parties to use as needed.

  • Fully supports dynamic principal-to-role and role-to-resource authorization mappings.

    This means that the authorization mappings (principal-to-role, Role-to-Resource mapping) are applied at runtime.

    This enables the following security policies:

    • User U is granted the R role only during the 9 to 5 business hours, Monday to Friday

    • Everyone is granted the R role

    • No-one is granted the R role

  • Supports the concept of a security domain (hereafter domain). This allows different J2EE applications access different security services.

    Note that domain and security domain refer to different concepts in the JEUS system. In the system, a domain refers to a server management unit and a security domain refers to a security management unit.

  • Provides default implementations of all critical security operations such as authentication, authorization, repositories, auditing, and clustering.

  • Supports security auditing mechanisms through a flexible event handling model.

  • Enables one to programmatically add simple security functions, limited to functions like adding subjects and policies, to the Servlet, EJB, and application source codes.

  • Fully supports JDK 1.6 and JACC 1.4 specifications.

  • Provides full support through this document and additional Javadoc.

  • Runs independently from other JEUS modules, which makes it easy to use in a different context.

The basic architecture of the security system is summarized in the following figure.


The main components (package) of the previous figure are :

This chapter covers the core concepts necessary to understand the overall security system.

  • Login

  • Authentication

  • Authorization

  • Auditing

  • Service and SPI

  • Domain

Authentication is determining the identity of a caller for the purpose of using it for authorization decisions at a later time.

In the JEUS security system, identities are always represented as principals that are defined by the java.security.Principal interface.

These Principals are always stored as attribute values of the Subject. Subject is implemented by the jeus.security.base.Subject class and gets associated with an execution thread, as previously described. Subject also contains Principals and Credentials as its security attributes.

Note

The Subject implementation used in the JEUS security system is NOT equivalent to the JAAS Subject defined by the class javax.security.auth.Subject. However, many similarities exist between these two implementations, and in general, it is possible to convert from one to the other. Even if some information is lost, an alias can be used to refer to it.

The following is a UML diagram for a JEUS Subject.


As shown, the Subject has a main Principal, which is the only ID of the Subject. The Subject may also carry any number of additional optional Principals. These are generally non-unique Principals that may be shared by several Subjects (e.g., group Principals).

Subject can also have public or private credentials. Credentials are usually used as a proof to authenticate the Subject or to deliver specific information. An example of a private credential is a password. An example of a public credential is a digital certificate.

The credentials for a given Subject may be created by using its sub-class, credentialFactory class. The actual credentials are obtained from the credential factories using the refresh() method, and they are added to the public or private credential sets.

Caution

Each Subject always belongs to exactly one domain. A Subject with main principal user1 in domain A is thus different from another Subject with main principal user1 in domain B.

In the JEUS security system, authorization is determining whether a previously authenticated entity (Subject) should be allowed to perform a particular operation.

Authorization happens at the system level by, for example, allowing only certain Subjects (usually administrators) to boot or shut down the JEUS server. Authorization also happens at the application level when a JEUS engine checks whether a remote caller should be allowed to access a particular application component, such as a specific EJB method or a certain Servlet.

In the JEUS security system, like in J2EE, authorization is a role-based mechanism. The developer or assembler of a J2EE application sets up the security restrictions according to Roles. During the deployment of the application, the deployer or administrator maps actual Principals in the system to these logical Roles. .

Caution

ote that the role-based approach is also used for JEUS system authorization as well as for J2EE applications.

Furthermore, in the JEUS security system, all authorization mappings are expressed as Permissions (actual sub-classes of java.security.Permission). For example, the Principal, user1, may own a Permission that grants him access to a role called R (meaning that user1 is in role R).

The role R may have permission to access the resource JNDI and execute the lookup action.

These concepts are illustrated in the following figure.


As can be seen from the previous figure, only Principals and Roles are actually represented as physical entities. The resource circle in the figure has a dashed outline to denote that resources are implied and not actually modeled in the authorization system.

In the previous figure, the two boxes marked RolePermission and ResourcePermission represent instances of the two classes jeus.security.resource.RolePermission and jeus.security.resource.ResourcePermission, respectively. Both of these classes extend the basic java.security.Permission abstract class, and there are various other sub-classes of the Permission class.

To summarize, a principal owns a set of Permissions and those Permissions grant the principal a set of logical Roles. These Roles in turn own another set of Permissions that grant those Roles access to a set of Actions on the Resources. By following these indirect mappings, one can deduce whether a principal should be allowed to perform a specific Action on a Resource.

The figure above shows that the principal user1 owns a RolePermission. The arrows marked "Owns" in the figure intuitively denotes a direct, static binding. However, the term implies is different. The figure shows that the RolePermission implies role R. It is important to note that this implication binding is not static. It is determines the implication status dynamically at runtime by invoking the method implies(Permission p) on then RolePermission instance.

If the implies() method returns true, the RolePermission is said to imply role R, otherwise it is not. Thus, in the former case, principal user1 is in role R, while in the latter case it is not. The same logic applies for the implication between the role R and the Resource JNDI. For a better understanding of the terminology Permission, refer to the java.security.Permission of J2SE Javadoc.

Note

For more information about Permission refer to the java.security.Permission section in J2SE Javadoc.

Given the previous information, it is not difficult to implement dynamic mappings. If we just change the implementation of the implies() method, we can make a Permission imply a role (or Resource) only under certain special conditions. For example, we might want to create a dynamic mapping from principal user1 to role R, which allows user1 to be in role R only during the business hours (9am to 5pm). To do this, we could simply create a new RolePermission sub-class, called TimeConstrainedRolePermisson, and override the implementation of the implies() method. In this method, you can add a check for the additional time-constraint.

For examples, refer to [Figure 1.5] and [Figure 1.6].


As shown in [Figure 1.5], principal user1 is not part of role R.


As shown in the previous figures, the TimeConstrainedRolePermission class contains two variables, Name and Actions. Name is set to the name of the implied Role, R in this case, and the Actions are set to the times when the implication is valid (between 9am and 5pm). Both Name and Actions are standard variables that are declared in most java.security.Permission class implementations.

Moreover, apart from the basic Permission-based mappings, every Permission in the authorization system belongs to one of the following three categories.

ClassificationDescription
Excluded Permission

No one can have authority for this Permission.

For example, an excluded Permission, that grants access to the resource RSC, will not allow anyone to access RSC.

Excluded Permissions have higher priority than unchecked Permissions, in case there is an overlap.

Unchecked Permission

Permission that is owned by everybody.

For example, an unchecked Permission that grants access to a resource “RSC will allow anyone to access RSC, regardless of his or her role(s).

Unchecked Permissions have lower priority than excluded Permissions but higher priority than checked Permissions, in case there is an overlap.

Checked PermissionA Permission owned by a principal or a Role. Examples of these Permissions are illustrated in the previous 2 figures.

A few examples to illustrate these ideas will be shown later.

In the JEUS security system, all Permission mappings are the classes that implement the jeus.security.base.PermissionMap class. These PermissionMap classes are included in the jeus.security.base.Policy class.

Policy class has two kinds of PermissionMaps.

  • Principal-to-Role Map(Role Policy0)

  • Role-to-Resource Map(Resource Policy)

Each PermissionMap contains the 3 aforementioned Permission types, excluded, unchecked and checked permissions. In the case of checked permissions, Permission and role PermissionMap are combined through a principal or Role. Policy and Resource PermissionMap are combined through a context id, which indicates the authorization scope.

The following is a UML diagram of Policy and PermissionMap classes.


All the information is summarized in the following figure.


In the previous figure, we have a Policy instance that contains one principal-to-role mapping (required) and also two role-to-resource mappings with context ids A and B, respectively. All three PermissionMaps contain three sets of permissions as follows.

The elliptical bubbles inside the boxes represent the actual Permission instances (Name: Action) with Name and Action variables.

Assuming that a Subject, with context ID A and the principal user1, wants to access JNDI to perform the action "modify", will user1 be able to perform this action?

The authorization system (actually the Policy implementation) would process this authorization query as follows:

In this process, although user1 is mapped to the role Administrator, since Administrator is also in the excluded set, no one (not even user1) will be in the role Administrator. This is because excluded Permissions have higher precedence over both unchecked and checked Permissions.

Using the previous figure and following the step-by-step instructions above, you should be able to work out the following authorization queries.


As we have mentioned before, each class in the security system that implements security functionalities constitutes as a Service. A Service is simply an implementation of an SPI (Service Provider Interface) that provides some security functionality, whether it is authentication, authorization, networking, or other things.

SPI is short for Service Provider Interface and is an abstract class of the Java package jeus.security.spi. These SPI classes should be extended and implemented in order to implement customized security functionality. The extended sub-classes of an SPI class are called Services.

All instances of Services in the security system are treated individually as independent entities whose services are called as needed. However, it is also quite common for a Service implementation to make calls to another SPI, and some dependency may exist among different Services. In order to initialize Services. All Services receives a key–value pair property value used to initialize the Service. The configuration data of a Service can also be saved in a configuration file.

All Services may also optionally define a JMX bean that will be exported to the JEUS management system. The JMX MBean is normally created based on a MBeanInfo instance returned by the Service.getMBeanInfo() method.

All Services have two states, created state and destroyed state. The create() and destroy() methods are called to transition between the two states. Calling these methods will invoke doCreate() and doDestroy() abstract methods. These abstract methods should be implemented by Service sub-classes for service initialization and management.


Following is the Service class diagram and various SPI classes in the jeus.security.spi package.


At runtime, Service instances are created by the singleton class called SecurityInstaller. A simple SecurityInstaller class can be implemented just by writing the necessary code. A more sophisticated implementation would save the service name and property values to a specific configuration file and use the information to instantiate and initialize the Service. The default SecurityInstaller implementation operates according to the latter approach, providing a very simple and flexible way to add new Service implementations to the security system.

Caution

Users do not need to understand the Service and SPI architecture when only using the JEUS security system.

Security domain is a collection of security Service instances. Several domains may exist concurrently within the security system. The purpose of a domain is to allow different deployed applications and JEUS sub-systems to use different security Services. A domain separates the security Services for each application.

For example, the JEUS server could be set up to use a special domain. In this case, it's call the SYSTEM_DOMAIN. This domain contains Subjects and Policies that are used to manage the JEUS server. For example, the SYSTEM_DOMAIN contains the user information for a main Subject called administrator, which can be used to boot or shut down the server.

Another domain, let's call it APP_DOMAIN, could be used by a deployed J2EE application. That domain might also contain a user information for a Subject called administrator, which is different from the JEUS server administrator. You could also configure a different repository mechanism for each domain. While the SYSTEM_DOMAIN can be configured to use a simple XML file to store Subject information, the APP_DOMAIN can be configured to use a remote database to read and write Subject information.

The domain concept is illustrated in the following figure.


Use of the domain feature is optional. If no domain is specified, a special SYSTEM_DOMAIN will be used.

Caution

It is our convention to name domains using capital letters and to append "_DOMAIN" to the name. This is not a requirement, just a convention. Also note that whenever the term domain is used within this document, it refers to the Security domain. These Security domains have nothing in common with J2EE server domains.

By default, JEUS uses two domains, SYSTEM_DOMAIN and SHARED_DOMAIN, as follows:

To apply different security services to applications, create a separate domain and configure the domain.xml file. For more information about creating and configuring security domains, refer to "Chapter 2. Configuring the Security System".

To a certain degree, the information given in this chapter conflicts with the attributes a security system must have. Basically, there is always a trade-off between performance and security. Thus, users need to control the level of performance and security to an appropriate level according to the task requirements.

This section explains how to improve the security system level despite a performance hit.

The following are the ways to improve overall security level of JEUS:

  • Set the global system password.

  • Use secured connection in JEUS security domain

    Configure the network security service to use secured connection, which is usually protected with SSL/TLS. Refer to Reference to learn how to set a secured connection when the default network service is used. This prevents anyone from network eavesdropping and picking up sensitive information.

  • Protect Subject and Policy from Unauthorized Access

    It is essential to protect user information of a Subject and the policy repository location from unauthorized access. The method for this depends on the repository type. The following are some example cases.

    • If a database is in use, the table that stores user information of a Subject and the table where policy is stored must be protected through authentication and authorization configured on the database side. You must also protect connections between the JEUS security repository and the database by using SSL, etc. Refer to the database documents to learn how to configure this setting.

    • If security information is stored in an XML file such as accounts.xml and policies.xml, you must create proper file access permissions to ensure that only the JEUS security system and administrators have access to this file. Use encryption, if encryption is supported regardless of the repository. Refer to the repository document to learn how to apply security to files. Refer to the operating system manual to learn how to set read/write access to the files.

  • Use Security Auditing

    Create a security event log for events that occur in the system and periodically audit the log. JEUS security auditing mechanism is usually implemented by using the service SPI class, jeus.security.spi.EventHandling. Note that a log file must be protected from unauthorized access. Refer to Reference for information about various security auditing mechanisms.

  • Use JavaSE SecurityManager

    Set JavaSE SecurityManager as explained in "2.7.1. Configuring Java SE SecurityManager" to improve the robustness of the JEUS system and to protect JEUS from potentially malicious EJB and Servlet code injections.

  • Use Third-Party Security Mechanism

    In an environment that deals with sensitive information (such as in a banking application), it is strongly recommended to use additional security mechanisms such as firewalls or VPNs (Virtual Private Networks) along with the JEUS security system.

  • Configure Security for Operating System

    Regardless of the operating system in which JEUS operates, do as follows to protect the operating system.

    • Restrict physical access to the servers where JEUS is installed. For example, keep the servers in a locked place.

    • Set process and file privileges so that only trusted administrator can access the JEUS files and processes. Refer to the operating system manual.

    • Update the operating system with the latest security related patches.

    • Periodically execute an antivirus software.

    • Keep all written security related documents safe. For example, keep written passwords in a locked cabinet.