InfoQ

News

SpringSource's Ben Alex Details Emerging Standards in Application Security

Posted by Srini Penchikala on Jun 05, 2008 11:00 AM

Community
Java
Topics
Security
Tags
JavaOne 2008

At JavaOne 2008 conference, Ben Alex from SpringSource talked about the emerging security requirements and standards in enterprise applications and open source frameworks that implement the standards. In the technical session, he discussed the standards like Servlet Security, Java Authentication and Authorization Service (JAAS), CAPTCHA, Single Sign-On (SSO) and Federated Identity using OpenID technology.

Ben started off the presentation with an overview of Servlet and JAAS API and the new security features in Servlet 3.0 Specification (JSR-315) such as the ability to login/logout and Self Registration. He listed the following security concerns that should be taken into consideration when designing a web application:

  • Authentication
  • Authorization
  • Accounting
  • Auditing

Component, State and Transition Security are becoming more important as the web development moves towards component-based web frameworks such as JSF, Spring Web Flow, and JBoss Seam. Spring Web Flow provides a JSF platform model and authorization of States, Flows, and Transitions. It uses Spring Security for authentication and authorization purposes. Spring Security 2 integrates with Java technology-based servlet security and JAAS software. It has a new Security Namespace as well as "Remember Me" support in the latest version.

Completely Automated Public Test to tell Computers and Humans Apart (CAPTCHA) technique is used for mitigating denial of service (DoS) and IP infringement security vulnerabilities. CAPTCHA implementation frameworks include JCaptcha and reCAPTCHA. Java platform support (MIT licensed) for reCAPTCHA is available from the Google project.

In SSO area, Spring Security supports SSO for Microsoft Windows LANs (via Samba JCIFS) and JA-SIG Central Authentication Service (CAS). Another popular technology for Federated Identity is OpenID which is currently supported by many major companies like Sun, IBM, Microsoft, Google, Yahoo, Flickr, LiveDoor, LiveJournal, Orange, and Blogger. Spring Security supports OpenID with OpenID4Java framework.

Ben also talked about advanced web security requirements like method level authorization, JSR-250 for defining method security metadata, Spring Security method metadata, and domain access control. JSR-250 (Common Annotations for the Java platform) defines the annotations like @RunAs(someRole), @RolesAllowed(someRole), @PermitAll(), @DenyAll(), @DeclareRoles(someRole) for method level authorization. These annotations can also be applied on method arguments.

The presentation also included securing web services (WS-Security), RFC-defined Basic (RFC 1945) and Digest (RFC 2617) authentication for remote client and Web 2.0 applications. Securing web services is based on WSS standard (formerly WS-Security) which provides security for SOAP messages. XWSS (part of Metro project) is a Java platform implementation of WSS. XWSS version 3.0 implements OASIS WSS Specification 1.1.

Ben talked about destination authorization when using JMS messaging in web applications. JMS 1.1 API does not provide message integrity or privacy so the JMS providers are expected to provide such features. ActiveMQ messaging framework provides three methods (read, write, and admin) for the authorization requirements. He discussed the message end-point and channel authorization and security mediation service requirements when using an Enterprise Service Bus (ESB) in Java EE applications. ESB security patterns article lists various design patterns to be considered when implementing an ESB container.

The presentation included demonstrations ranging from a simple security requirements of a web login form to implementing application security in a Google Web Toolkit (GWT) application using Spring Security framework.

Related Sponsor

The Adobe Flash Platform provides everything you need to develop applications, content and video across operating systems and devices.

No comments

Watch Thread Reply

Educational Content

Bindings, Platforms, and Innovation

This presentation focuses on the Internet and separating myth from fact, history from the future, and the mundane from the imaginative. Bob Frankston presents a vision of what could and should be.

  •  Jul 02, 2009,
  •  

Orchestrating Long Running Activities with JBoss / JBPM

This article explores the use of JBoss and jBPM to implement design solutions that effectively address the issue of orchestrating long running activities.

  •  Jul 01, 2009,
  •  

Neo4j - The Benefits of Graph Databases

This presentation covers the use of graph databases as an optimal solution for data that is difficult to fit in static tables, rapidly evolving data or data that has a lot of optional attributes.

Realistic about Risk: Software development with Real Options

This session introduces Real Options and shows how it can help in running your project. Real Options is a decision-making process that can be used to manage risk.

  •  Jun 30, 2009,
  •  

Communication Flexibility Using Bindings

This article discusses the use of bindings on services and references (including the instance of non-configured bindings) as the means to implement SCA communications in a Web and SOA environment.

  •  Jun 30, 2009,
  •  

Writing DSLs in Groovy

After a short introduction to DSLs, Scott Davis plays with the keyboard showing how to approach the creation of a DSL by typing working snippets of Groovy code that get executed.

Scaling Agile with C/ALM (Collaborative Application Lifecycle Management)

IBM Rational and InfoQ present, Scaling Agile with C/ALM, an eBook showing organizations how to become “finely tuned software delivery machines” by enabling team integration and scaling.

Concurrent Programming with Microsoft F#

Amanda Laucher presents a real life enterprise application written in F#. She shows actual code snippets, explaining design decisions and suggesting how to use some of the F# constructs.