
Addison-Wesley: Enterprise Java Security: Building Secure and Robust J2EE Applications, Feb 2004, ISBN 0321118898


developers, managers, and researchers have about such a critical topic. I am sure that this book will contribute greatly to the success of the J2EE platform and e-business."

-From the Foreword by Steven A. Mills, Senior Vice President and Group Executive, Software Group, IBM Corporation

Enterprise Java(TM) Security: Building Secure J2EE(TM) Applications provides application

how they need to utilize the latest Java

(EJB(TM)) technologies that are at the core of the J2EE architecture. In addition, the book covers Web Services security.

Examples and sample code are provided throughout the book to give readers a solid

The relationship between Java and cryptographic technologies is covered in great detail, including:

1. Java (Computer program language) 2. Computer security I. Pistoia, Marco. QA76.73.J3E58 2004

understanding and support to pursue my dreams. To my daughter, Divya, for giving me a new perspective on life. To my mother and my family, for making me who I am.

Nataraj

To Karen, Sam, and Max, for the love, support, and joy they bring to my life. To my mother, who taught me, "Life is short. Eat dessert first." To my father, who is always there when I need him. To my brother, who taught me how to count

E-business, one of the fastest-growing segments of the information technology industry, is changing the face of commerce as we know it. Conducting business on the Web is rapidly becoming a fundamental element of how organizations conduct business with each other, as well as with their customers. Web-based systems do not stand alone. Rather, they are the integration of many existing enterprise systems, processes, and protocols, oftentimes reengineered to leverage the capabilities inherent in the Web-based systems and to afford new capabilities. The value is not in the technology piece parts but in the rapid creation of new business solutions.

All technologies introduce risks into businesses. The challenge is in managing these risks. Some of the risks originate from the complexity of the solutions designed to address a company's business needs; other risks are inherent in the technologies chosen to address these needs. To meet these risks, we have seen the rise of various security technologies, such as antivirus scanners, firewalls, intrusion-detection systems, virtual private networks (VPNs), public-key cryptography, and the Secure Sockets Layer (SSL) protocol.

The Web is no exception. Although it offers new opportunities for creating markets and marketplaces, the risks it introduces have driven the creation of new and innovative solutions. These include authenticating and authorizing users of the system, protecting transactions from malevolent hackers, enforcing access control, guaranteeing privacy, and offering federated identity management.

An enterprise system usually comprises heterogeneous systems. Enabling these systems to communicate and integrate to form useful end-to-end solutions is essential, as much of the growth is not in the creation of entirely new systems but in

of development. Enabling open standards in the industry can happen only when there is an open exchange of ideas and cooperation between vendors.

This book takes an in-depth look at the development of enterprise applications based on the Java 2 Platform, Enterprise Edition (J2EE), which enables integration of existing subsystems into more powerful Web-based enterprise systems. This book focuses on the set of security standards that support and

is making a shift from programmatic security to declarative security. The goal is to manage security through policies rather than via security code being written into every application, which is much more expensive to maintain and upgrade as new threats and risks are identified.

This book is the result of IBM's technical leadership and strength in security, middleware, and on-demand computing, as well as a long-standing collaboration between IBM's Software Group and Research Division. This collaboration has brought together people from around the world, creating a partnership dedicated to providing value to the marketplace in a dynamic business and technical environment.

For a long time, there has been a need for a J2EE security book. I am very happy to see that there is now such a book to answer many of the technical questions that developers, managers, and researchers have about such a critical topic. I am sure that this book will contribute greatly to the success of the J2EE platform

Steven A. Mills

Senior Vice President and Group Executive, Software Group, IBM Corporation

technology in building secure enterprise applications.

The book introduces the J2EE and J2SE security architectures, showing how these architectures relate to each other and how they are augmented by Java Authentication and Authorization Service (JAAS) to provide authentication and authorization. Then, the book delves into the J2EE security technologies: The security aspects of servlets, JavaServer Pages (JSP), and Enterprise JavaBeans (EJB) are treated in detail because these technologies constitute the core of the J2EE architecture. To satisfy the needs of developers who need to build J2EE applications and want to do so securely and reliably, the book covers in great detail the relationship between J2EE and cryptographic technologies; Java Cryptography Architecture, Java Cryptography Extension, Public-Key Cryptography Standards, Secure/Multipurpose Internet Mail Extensions, and Java Secure Socket Extension are also described in detail. The book explains how to work with J2EE in practice and shows how the technologies presented work together and are integrated. The scenarios described are targeted to J2EE developers and deployers needing to build an integrated, secure, component-based system. Finally, Web Services security and other emerging technologies are discussed, along with a description of how the underlying middleware works. The book ends by summarizing the impact of J2EE security in today's e-business environments.

solutions and use patterns to address the challenges that lie ahead as these architectures evolve to address enterprise e-business needs. The goal is to give practical guidance to groups involved in making Java-based applications or Web sites into industrial-strength commercial propositions. Examples are provided to give the reader a clearer understanding of the underlying technology.

To achieve the goals of portability and reusability, J2EE security has been designed to be mainly declarative. Most of the authentication, authorization, integrity, confidentiality, and access-control decisions on a J2EE platform can be made through configuration files and deployment descriptors, which are external to the applications. This reduces the burden on the programmer and allows Java enterprise programs to be portable, reusable, and flexible. For this reason, Parts I and II focus on the declarative approach of Java security by showing examples of configuration files and deployment descriptors.

on Java in March 2000 to present on a number of security topics. It was clear that developers and managers were not familiar with Java security features, J2EE security, and how to manage security in a J2EE environment. Inquiries on Java and J2EE security were being routed to us via e-mail and through

those written for server-based applications and Web Services, was needed.

This book draws and expands on material from multiple sources, including the J2SE security book and articles mentioned. Specifically, this book covers J2SE V1.4 and J2EE V1.4. The relevant specifications for J2EE covered in this book include the J2EE V1.4 specification, the Java Servlet V2.4 specification, the EJB V2.1 specification, and the Web Services specifications. The list of the sources used in this book can be

This book was written by a team of IBM security researchers and architects who have had a major impact in the definition of the Java security architecture and its related technologies. The leader of this project was Marco Pistoia.

Marco Pistoia is a Research Staff Member in the Java and Web Services Security department, a part of the Networking Security, Privacy and Cryptography department at the IBM Thomas J. Watson Research Center in Yorktown Heights, New York. He has written ten books and several papers and journal articles on all areas of Java and e-business security. His latest

to teach graduate courses on Java security and has presented at the New York State Center for Advanced Technology in Telecommunications (CATT), Brooklyn, New York. Marco received his M.S. in Mathematics summa cum laude from the University of Rome, Italy, in 1995 and is working toward a Ph.D. in Mathematics from Polytechnic University, Brooklyn, New York. His technical interests are in mobile-code security, component software, and static analysis of object-oriented languages.

Nataraj Nagaratnam is a Senior Technical Staff Member and the lead security architect for IBM's WebSphere software family in Raleigh, North Carolina. He leads the security architecture for IBM WebSphere and the IBM Grid infrastructure. He is also a core member of the IBM Web Services security architecture team. He has coauthored the Web Services security

documents. He actively participates in the Java Community Process on the topics related to J2EE security by either leading or participating in the Java Specification Requests related to J2EE security. Nataraj received his Ph.D. in Computer Engineering from Syracuse University, Syracuse, New York. His thesis deals with the aspects of secure delegation in distributed object environments. He has widely presented on Java and security topics at various conferences and symposiums and has published extensively in numerous journals, conferences, and magazines. Nataraj was the lead author of one of the first books on Java networking, Java Networking and AWT API SuperBible, published by Waite Group Press in 1996.

Larry Koved is a Research Staff Member and the manager of the Java and Web Services Security department, a part of the Networking Security, Privacy, and Cryptography department at the IBM Thomas J. Watson Research Center in Yorktown Heights, New York. With Anthony Nadalin, he has served as IBM's Java security architect, including being a liaison to Sun Microsystems for Java security design and development collaboration. He was actively involved in the design of the Java Authentication and Authorization Services (JAAS) and then Enterprise JavaBeans (EJB) V1.1 security architecture. Larry has published more than 25 articles and technical reports on user interface technologies, virtual reality, hypertext and mobile computing, static analysis of Java code, and security. He has presented at several conferences, including ACM OOPSLA, the Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy, the O'Reilly Conference on Java, IBM's developerWorks Live!, and Sun Microsystems' JavaOne. His current interests include security of mobile code, component software, and static analysis of OO languages.

Anthony Nadalin is IBM's lead security architect for Java and Web Services in Austin, Texas. As Senior Technical Staff Member, he is responsible for security infrastructure design and

positions: lead security architect for VM/SP, security architect for AS/400, and security architect for OS/2. He has authored and coauthored more than 30 technical journal and conference articles, and the book Java and Internet Security, which was published by iUniverse.com in 2000. He has been on the technical committee of three major scientific journals and one conference and has extensively reviewed work published by peers in the field. He has given several presentations and invited speeches at numerous technical security conferences.

Thanks to the following people for their invaluable contributions to this project:

Rosario Gennaro, Kenneth Goldman, Bob Johnson, Jeff Kravitz, Michael McIntosh, Charles Palmer, Darrell Reimer, Kavitha Srinivas, Ray Valdez, Paula Austel, Michael Steiner

IBM Thomas J. Watson Research Center, Yorktown Heights, New York

Keys Botzum

IBM WebSphere Services, Bethesda, Maryland

Tom Alcott

IBM WebSphere Sales and Technology Support, Costa Mesa, California

Formerly of Addison-Wesley Professional, Boston, Massachusetts

Thanks also to our able copy editor, Evelyn Pyle.

Chapter 1. An Overview of Java Technology and Security

Chapter 2. Enterprise Network Security and Java Technology

Technology and Security

As e-business matures, companies require enterprise-scalable functionality for their corporate Internet and intranet environments. To support the expansion of their computing boundaries, businesses have embraced Web application servers (WASs). These servers provide simplified development and deployment of Web-based applications. Web applications contain the presentation layer and encapsulate business logic connecting to back-end data stores and legacy applications. However, securing this malleable model presents a challenge. Savvy companies recognize that their security infrastructures need to address the e-business challenge. These companies are aware of the types of attacks that malevolent entities can launch against their servers, and can plan appropriate defenses.

Java technology has established itself as important in the enterprise, both for the ease with which developers can create component software and for the platform independence of the language. Java-based enterprise application servers support Java Servlet, JavaServer Pages (JSP), and Enterprise JavaBeans (EJB) technologies, providing simplified development and flexible deployment of Web-based applications.

To provide security for e-business, the Java 2 Platform, Enterprise Edition (J2EE), builds on the Java 2 Platform, Standard Edition (J2SE), core technologies. J2SE introduced a fine-grained, policy-based security model that is customizable and configurable into numerous security protection domains. This approach is a useful addition to security for component-based software. J2SE security also builds on an additional set of relatively new core technologies: Java Authentication and Authorization Service (JAAS), Java Cryptography Architecture (JCA), Java Cryptography Extension (JCE), Java Secure Socket Extension (JSSE), Public-Key Cryptography Standards (PKCS), and support for the Public Key Infrastructure (PKI).

Applications?

Few programming languages and runtimes span heterogeneous multitier distributed computing environments. Prior to the introduction of Java, the client processed Hypertext Markup Language (HTML), Perl, and C/C++, in addition to other programming and scripting languages.

The middle tiers contained the same languages, though often in different combinations, as well as additional languages for performing database queries and messaging. The back-end tier usually contained database query languages, messaging, some amount of scripting, C/C++, and COBOL to access enterprise

enterprise environment. Creating an integrated application or suite to address corporate needs across these tiers was a daunting task, especially in a heterogeneous computing environment with multiple languages, development tools, and operating systems.

Figure 1.1 Language Heterogeneity in a Traditional Multitiered Enterprise Environment

As a programming language and runtime environment, J2SE (in the clients, middle tiers, and back-end servers) addresses the challenge of heterogeneous multitiered computing environment by providing a common programming language and runtime environment supported on multiple operating systems. The Java environment acts as a glue to bind these heterogeneous and legacy systems together. Libraries and components exist in J2SE, as well as from other organizations, such as the World Wide Web Consortium (W3C) and Apache, to manipulate the data as it is transformed between the client and back-end servers. These libraries include support for managing and transforming eXtensible Markup Language (XML) documents. However, a single language and its runtime support are insufficient. Additional frameworks are needed to provide structure and design patterns that enable architects, designers, and developers to create and deploy enterprise-scalable applications.

1.1.2 Java 2 Platform, Enterprise Edition

J2EE encompasses a set of enterprise technologies, all integrated through Java Application Programming Interfaces (APIs). These APIs provide the structure needed by enterprise applications. The J2EE technologies include distributed transaction support, asynchronous messaging, and e-mail. In addition, a number of enterprise-critical technologies, including authentication, authorization, message integrity, and confidentiality, are related to security. The J2EE security technologies described in this book afford portable security technologies and APIs that enable interoperable security across the enterprise, even in the presence of heterogeneous computing platforms.

1.1.3.1 Development Environment and Libraries

The Java 2 Software Development Kit (SDK) contains the tools and library code needed to compile and test Java programs. A

multithreading, high-level synchronization primitives, graphical user interface (GUI) support, and key security services.

For the most part, the services found in the Java 2 libraries are those found in typical modern operating systems. The difference is that these libraries have been designed to be portable across operating environments. In addition, these libraries contain integrated security features. For example, to open a network connection to another process, the Socket class not only provides the required interfaces but also defines the security authorization requirements for being allowed to open a network connection.

Also, Java code must be written to be type safe. Non-type-safe code will be rejected by the compiler or the runtime. Unlike in C or C++, unsafe type-cast operations are not allowed. For example, in the Java language, it is not possible to cast a String object to be a StringBuffer object in order to modify the value in the String object. In contrast, other languages, such as C and C++, allow sequences of type-safety-violating cast operations.

classes at execution time. In particular, the standard Java compiler does not perform many optimizations. Instead, the runtime computes and performs optimizations on the classes

is sometimes referred to as a just-in-time (JIT) compiler.

Like most runtime environments, the JRE includes a set of libraries (for networking, file I/O, threading, GUI support, and security) for application developers to use. The J2EE execution environment may include the compiler, debugger, and other tools, although their presence is not guaranteed and depends on the runtime configuration.

It is the responsibility of the runtime to provide the security mechanisms necessary to enforce security at multiple levels. As code is loaded into the runtime, the runtime ensures type

mismatched types. When type-safety violations are identified, the offending code is not loaded into the runtime. In addition, for those cases in which type safety cannot be verified statically, the runtime performs dynamic type safety. Some of the more familiar runtime safety tests include array-bounds checking and type casting.

As code is loaded into the Java runtime, the location from which the code was obtained is recorded, and when the code is digitally signed, the digital signatures are verified. The combination of the location from which the code was loaded and the set of digital signatures used to sign the code is known as a

As of J2SE V1.4, the runtime also contains an integrated framework for authenticating and authorizing principals (users, systems, or other accountable entities). This framework is called JAAS. Principal-based authentication and authorization are familiar to most users of computing systems. JAAS usually manifests itself through a login process and restrictions placed on access to computing resources. The support for JAAS both supplements and complements the previously existing support for CodeSource-based authorization mechanisms. J2EE V1.3 does not require J2SE V1.4 but must support the JAAS API and

1.1.3.3 Interfaces and Architectures

Java programs interact with the non-Java world through a set of standard interfaces, or APIs. This interaction includes accessing databases, messaging systems, and processes running in other systems. Many of these interfaces interact with architected subsystems that enable multiple vendors to provide the services in a vendor-neutral manner. Thus, the application can access a set of services without writing to proprietary APIs.

Examples of nonsecurity interfaces and architectures include Java Database Connectivity (JDBC), for access to databases; and Java Message Service (JMS), for access to messaging systems. In the security arena, JCA supplies standard interfaces and architectures for creating and accessing message digests and digital signatures, whereas JCE adds support for encryption. JAAS provides a standard architecture and interfaces for defining and using authentication and authorization services.

protected computing resources, such as networking and file I/O.

From a security perspective, Java has grown and matured to include an architecture and a set of interfaces to enable a wide range of cryptographic services via JCA and JCE, support for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) via JSSE, Secure/Multipurpose Internet Mail Extensions

client/server applications by using secret-key cryptography; and Generic Security Services (GSS), a protocol for securely exchanging messages between communicating applications. Support for GSS is embedded in the Java GSS API (JGSS-API).

All these services are based on a set of widely recognized and supported standards. Because they are founded on existing standards, Java-based applications can interoperate with existing, or legacy, computing services. The Java development community has expended substantial effort in compliance and interoperability testing. Thus, application and system developers can be assured that Java-based services, including

shows the Java security technologies and how they interrelate.

The Java technology had security as a primary design goal from the very beginning. Originally, however, Java technology lacked a number of important security features. The technology has since matured to include some essential cryptographic services, as previously mentioned. Also, one of the security services lacking in the earlier Java versions was a standard architecture and interfaces for performing principal-based authentication and authorization. Although it had a well-developed architecture for authenticating the origins of code executing in the Java runtime, the Java technology lacked standard mechanisms for authentication typically found in server environments. JAAS has filled this gaping hole by providing the means for authenticating a principal and performing authorization based on whether the authenticated principal is authorized to access a specific protected resource.

What is unique about Java support for security is its ability to provide essentially the same collection of security services across a set of heterogeneous computing platforms. Because of

application code and security services highly portable, able to work in heterogeneous computing environments, and able to communicate with non-Java applications and services. For example, a Java program can communicate through an SSL connection or use Kerberos and interoperate with other services and processes not written in the Java language. This book describes how Java technology is used to create sophisticated server-side applications that can be protected using the security technologies found in an enterprise application development and deployment environment.

1.1.5 Portability in a Heterogeneous World

Most enterprises comprise heterogeneous computing environments. The client-side operating systems include various versions of Microsoft Windows and several flavors of UNIX or Linux, which may be different from the operating systems running on the enterprise servers. Larger enterprises have a server computing environment that also is heterogeneous. This heterogeneity can pose a significant cost to the organization in terms of development, deployment, and interoperability. Heterogeneity can be an impediment to interoperability and integration of computing resources. When this happens, the organization is unable to integrate the services that make it more efficient and competitive.

One of the really tough challenges for enterprises is the creation of applications that can be written and tested on one platform and run on other platforms. Java technology, including J2EE, strives to enable application developers to write and test applications in development environments that are familiar to the developers but that allow deployment and testing in less familiar environments. For example, the development can be performed on a desktop operating system and the code

In addition, few environments can claim to support a broad and common set of security services on the same range of platforms. This level of portability is a tremendous benefit to many organizations that have applications running across a set of heterogeneous computing environments. The cross-platform development and deployment, along with the broad industry support for security, database, and messaging services, are tremendous benefits to organizations that are under pressure to develop and deploy secure applications in heterogeneous environments.

Much of the portability and interoperability of applications are derived from the broad set of services available via the Java runtime libraries. These libraries eliminate or vastly reduce the need for native, or non-Java, code. In fact, J2EE discourages the use of native code by bundling a broad range of services most often needed by enterprise application developers.

important to recognize is that to develop an application, it is not necessary that the technology run in all the tiers; nor is it required that all the computing platforms across the tiers use the same software or hardware architectures. It is quite likely

technologies. Because of the Java set of interoperable technologies, it is possible to write a Java-based application for one or more of the tiers and interface to existing technologies in the same or other tiers.

Enterprise Java applications can connect to other non-J2EE application systems, such as mainframe and enterprise resource planning (ERP) systems. This capability can be achieved through the functionality offered by the Java Connector

connectors, including JDBC and JMS drivers, to provide access to non-J2EE systems. These adapters can be plugged into any J2EE environment.

A company's C-based application can send a Web Services XML document through an existing message-queuing-based

The XML document drives a set of servlets and EJB components, resulting in e-mail being sent to customers to notify them of a set of the company's new services.

[2] Formerly known as IBM MQSeries.

The client and the middle tier use non-Java technologies, whereas the database stored procedures in the back-end server are written in Structured Query Language for Java (SQLJ).

A Java-based client application can be written to drive non-

A non-Java-based system can send messages via a wireless communication service to a Java-based application running in a cell phone or a personal digital assistant (PDA).

Connecting heterogeneous applications and systems written in different languages and running on different platforms is one of the most complex tasks that enterprises face. To address the issues in this space, the emerging Web Services technology views resources and applications as services. These services can be accessed through a combination of language-agnostic message format over a transport protocol. Such a combination is called a binding. A popular binding consists of sending Simple Object Access Protocol (SOAP) messages over HyperText Transfer Protocol (HTTP). SOAP is a proposed standard format for exchanging business messages between applications using standard Internet technologies.

To summarize, it is clear that Java technologies can interoperate with any of the computing tiers in the enterprise. Therefore, the important question is not so much, "How does Java technology fit into a multitier computing model?" but rather, "Which Java technologies are most appropriate for your enterprise and where?"

1.2.1 The Middle Tier: Servlets, JSP, and EJB

When the Web-based computing environment was emerging, developing content that extended beyond static HTML pages was difficult, particularly when more than one vendor's Web server was involved. Extending the server with scripts often required the use of proprietary APIs, making the scripts written for one Web server incompatible with other Web servers. For a

scripting languages, developing portable extensions to Web servers remained challenging.

The original Common Gateway Interface (CGI) programming model for Web servers was problematic from both scalability and security perspectives. Simple HTTP servers did not support multithreading. CGI scripts were a target of hackers; poorly designed and tested CGI programs failed to test parameters and passed them on to the remainder of the CGI program, resulting in buffer overflows that crashed the CGI script or the HTTP server itself. In some cases, the malicious request caused rogue code to get installed and executed in the server.

The emergence of the Java Servlet programming model simplified server-side Web server programming. Servlets offer server application developers a useful set of APIs for Web application development. In fact, servlets, which are written in the Java language, are often portable across a number of WASs and operating systems. Through servlets, it is possible to write platform-neutral scripts that can call enterprise beans; handle database transactions via JDBC; send messages via JMS and e-mail via JavaMail; generate output, such as HTML or XML, to send to the client; call other servlets; or perform other

through its declarative security architecture, which reduces the burden on the application developer when developing or updating an application. Because the security services are part of the servlet architecture, many of them are easy to enable.

For example, the servlet deployment descriptor (an XML file containing instructions on how to run servlets) can specify that communication to a particular servlet via HTTP requires confidentiality. The Web server and the servlet container will require that a client communicate with that particular servlet via an HTTP over SSL (HTTPS) session, which uses SSL for encryption. If the deployment descriptor specifies a requirement for client-side authentication based on a digital certificate, the digital certificates exchanged to establish the SSL session will be used to perform client authentication.
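A deployment descriptor fragment for the scenario just described, added here as an illustration and not taken from the book. It follows the Servlet 2.4 web.xml schema; the resource name, URL pattern, and role name are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Hypothetical protected resource: every URL under /orders/ -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OrderServlet</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
      <!-- No <http-method> is listed, so the constraint applies to all
           HTTP methods rather than only the ones someone remembered. -->
    </web-resource-collection>

    <!-- Only callers mapped to this role may reach the resource -->
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>

    <!-- CONFIDENTIAL makes the container insist on an SSL (HTTPS)
         session for this resource; NONE would permit plain HTTP. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- CLIENT-CERT: the certificate the client presents while the SSL
       session is established is what authenticates the client. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <!-- Roles referenced above must be declared for the application -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```

Nothing in the servlet's own code changes: the container enforces the transport and authentication requirements before the request reaches the servlet.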

Although experienced software developers understand the business logic required to create enterprise applications, the details of how to correctly implement this sort of sophisticated security are often beyond their expertise. Even developers who do have some experience with security technologies do not always implement and deploy these security technologies in a secure manner. It is the responsibility of the Web server and the servlet container to correctly implement and integrate these technologies. By doing so, the security burden on the application developer is greatly reduced.

Servlets have been a boon to Web application developers. However, developing new content could be tedious, particularly when the result to be sent to the client is in HTML, XML, or other formats. The JSP technology was created to address this shortcoming. Rather than writing explicit code to produce the HTML or XML content that will be sent back to the client, a compiler converts an HTML, XML, and Java mixed-content file into a servlet that is then executed.

The servlet and JSP programming models are quite flexible and may be, relatively speaking, long running. However, many
