I'm having trouble understanding how certain parts of the Security class work.
I understand that calling getProviders() will return all of the providers available on the current Android device. What I'm having trouble understanding is how to make use of these providers' algorithms for encryption/decryption.
The Security class also has a setProperty() function. The documentation doesn't go into much detail about how this works, but it seems like I can set any made up property here with any value that I like. How would I actually check that a change took place on my device after setting a specific property?
If anybody could point me to a resource online that goes into detail on this topic I would appreciate it.
EDIT:
I'll be more specific. I'm trying to take advantage of a FIPS-compliant device. There is a specific property that needs to be set using the setProperty() method to enable "FIPS mode" on the device.
I'd like to figure out how I can confirm that the device is running in this mode after the property is set, and how I can utilize the available FIPS validated algorithms.
On your "encryption/decryption" request, if you are referring to storing data in an encrypted/safe way on the device (i.e. data at rest, as opposed to data in transit), I think https://developer.android.com/about/versions/android-4.3.html#Security - KeyStore is one good and apparently easy solution. That way you will follow the Android way; if you want to follow the standard Java way there are tutorials for that as well, but I discourage it, as the possibility of adding a mistake is very high. Crypto is kind of difficult for anyone...
For data in transit (i.e. network) you should rely only on HTTPS (or pure TLS if you use something different from HTTP - this hardly happens) rather than any ad hoc implementation, unless you really need an additional layer (i.e. a secret protocol you want to protect).
If you want to make sure that a specific algorithm is used, you can specify the provider in the getInstance methods. Another option is to place the provider first in the list of installed providers. If you just want to use the provider for private and secret keys you can also put the provider at the end of the list and rely on delayed provider selection. This actually links the underlying CipherSpi during the initialization phase, after the compatibility of the key with the provider has been established.
With regards to the question in the edit, that depends on the provider. I don't think that there is anything specific in the security architecture to make sure FIPS mode is run. Instead, you should check if the Provider or the underlying implementation (PKCS#11?) has possibilities to log usage. Usually you need to authenticate before you can use private or secret keys on the token. If that is the case, not having to provide a password (using a callback) is a pretty good indication that the key isn't accessed.
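The three selection strategies from the answer above (pinning the provider in getInstance, moving it to the front of the list, and delayed provider selection at init), plus reading a Security property back after setting it, as an added example that is not from the answer. The FIPS property name is a hypothetical placeholder; the real one is provider-specific.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;

public class ProviderSelectionDemo {

    // Placeholder: the property that switches a FIPS provider into "FIPS mode" is
    // provider-specific and its real name is not given in the question.
    static final String FIPS_PROPERTY = "com.example.fips.mode";   // hypothetical

    /** Name of the most-preferred installed provider that supplies the transformation, or null. */
    static String firstProviderFor(String transformation) {
        for (Provider p : Security.getProviders()) {             // preference order
            try {
                Cipher.getInstance(transformation, p);
                return p.getName();
            } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
                // this provider lacks it; try the next one
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Security.setProperty only stores a Security property; the standard way to
        // confirm the change took effect in this JVM is to read it back.
        Security.setProperty(FIPS_PROPERTY, "true");
        System.out.println(FIPS_PROPERTY + " = " + Security.getProperty(FIPS_PROPERTY));

        String pinned = firstProviderFor("AES/GCM/NoPadding");
        if (pinned == null) {
            System.out.println("no installed provider supplies AES/GCM/NoPadding");
            return;
        }

        // 1. Pin the provider in getInstance: an unknown provider or algorithm throws
        //    (NoSuchProviderException / NoSuchAlgorithmException) instead of falling back.
        Cipher explicit = Cipher.getInstance("AES/GCM/NoPadding", pinned);
        System.out.println("pinned: " + explicit.getProvider().getName());

        // 2. Or move that provider to position 1 so plain getInstance() resolves to it first.
        Provider preferred = Security.getProvider(pinned);
        Security.removeProvider(pinned);
        Security.insertProviderAt(preferred, 1);

        // 3. Delayed provider selection: with no provider argument the CipherSpi is only
        //    bound at init(), to the first provider that accepts the key's type.
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        Cipher delayed = Cipher.getInstance("AES/GCM/NoPadding");
        delayed.init(Cipher.ENCRYPT_MODE, key);
        System.out.println("chosen at init: " + delayed.getProvider().getName());
    }
}
```

Whether "FIPS mode" is actually in effect still has to be confirmed with the provider's own means (its documentation or usage logging), since the JCA itself only records the property value.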
I have a Liferay instance running on a URL like example.org/app. This instance does have a REST API that would normally be running under example.org/app/o/restpath.
The way the server running this instance is that the frontend is accessible without restrictions from the outside, however the REST API is only accessible from the inside the network under a URL like example.org/rest.
I need to make sure that it is impossible to access the REST API with example.org/app. It should also be impossible to access the frontend with example.org/rest. Does anybody have any suggestions?
There are tons of ways of doing that, the best one will depend on your stack, preferences and abilities.
A reverse proxy is the first that comes to mind, bearing in mind that it is normally better if your app has control of who can access it. So a wrapper or a filter checking who is accessing would help. But even then, is the filter to be put on the main application or on your module? That is an evaluation that needs to come from you.
You can also combine the proxy strategy with a filter, just in case one day you are tuning up your proxy and let something through. You can also decide to change your proxy server too.
Or your company may already have a proxy that enables traffic going out, and it would be easier if that proxy were to have access...
Your servlet container might also be able to provide such control, so you do not actually need a proxy.
Although I would feel more comfortable if that kind of feature was in the application layer itself, like a wrapper for your component where that wrapper provides the service, a filter, or even a method in the entry-point, while the others are just extra and to reduce load.
Some companies have network devices that go up several layers of the network stack; those have lots of potential to help here too. An IDS would be able to provide alarms, triggers and such...
As it stands, one would need more information to help you more, even in what you mean by "ensure" (how far this assurance needs to go, like are you thinking about passwords, certificates, IDS, or a simple approach like the mentioned ones), but I guess that covers it.
We're currently adopting JAAS and JACC using JBoss EAP 6.4/7.0. Just a brief explanation on how we are applying things:
we use HttpServletRequest.login(...) to authenticate
subsequently, we use HttpServletRequest.logout() to log out.
we have a LoginModule which validates the credentials and preps up the Roles.
All is well and good, however, part of my application must allow a certain set of users to be able to:
revoke someone else's Role to log into the system, and
kick them out of any currently-active sessions.
The first part is easy, but I am having a hard time trying to figure out how I could invalidate someone's session. Is there a way I could somehow get hold of some other user's Subject/Session and invalidate it?
Much appreciated
Note on terminology:
Authentication Mechanism (AM) herein refers to any component responsible for making authentication statements pertaining to, and registering / establishing, as a result, the identity of, authenticated caller entities with / in a Java EE runtime. Such components may be specific to the Application Server (AS) or Java EE-standard; AS implementation details or types destined for extension by the Java EE application developer; deployed as part of a Java EE application or as part of the AS. One such component is your JAAS LoginModule (LM). While Identity Store (IS) appears to be the (semi-)normative term used for referring to (among other things) LMs nowadays, I wanted to reserve it for your application-specific, persistence layer (e.g. JPA @Entity) types representing your users, and thus had to establish this (ill-defined) distinction. "Why are you being vague?", you might ask, "Can't you just call an LM an LM?". Because I know nothing about JBoss LMs! In fact, I am neither a JBoss user, nor someone using JAAS in Java EE. Still, I felt like I could contribute an answer applying to the general case, hence the inevitable vagueness.
Deactivated user refers, for lack of a better term, to your "to-be-kicked-out-user", i.e., the user whose rights (groups, roles, permissions--whatever they are called in there) have been revoked in some way at the IS level.
First of all, there is no standard Java EE API that will expose the Subject or HttpSession of an arbitrary user to your code. You could theoretically record that information yourself, e.g. during authentication, but I will assume that this is not quite what you want. Furthermore, regarding the Subject specifically, while no standard explicitly forbids its (Principal / credential collection's) modification during servicing of a request on the Subject's behalf, none state that it has to be either. It is in fact not even clear whether the current authenticated caller's Subject--the one populated during authentication and retrievable via JACC's "javax.security.auth.Subject.container" PolicyContextHandler--must coincide with the data structure the runtime queries the Policy with when making authorization decisions; that is, the runtime might only provide you with a copy, use an entirely different representation of the authenticated caller internally, or anything in between. Therefore, even if you were able to modify the Subject, doing so would not necessarily affect the security context in effect.
Moving on to what can be done. Your need can be addressed either on the authentication and/or on the authorization side, with the former approach being considerably easier to employ than the latter. Since you did not answer my comment, I will briefly cover both of its possible answers.
Prohibiting caller re-authentication
Once the application has deactivated the user, it must somehow instruct the AM to cease re-authenticating them on subsequent requests they issue. In order to reduce coupling, the application will typically not communicate with the AM directly, but satisfy some condition evaluated by the latter instead. For instance, the application might assign some special "locked_out" right to the user, or set an HttpSession attribute. When asked to re-authenticate the deactivated user, the AM would acknowledge deactivation and refuse to re-authenticate them. Subsequently it would invalidate the user's session. How exactly it would accomplish that depends on its kind and implementation. Your LM would probably have to leverage the "javax.servlet.http.HttpServletRequest" JACC PolicyContextHandler for that purpose. A JASPIC ServerAuthModule would have immediate access to the request instance, having received it as a validateRequest argument. Some other component would perhaps have to resort to use of AS internals, or burden the application with the responsibility of session invalidation (some call-intercepting component, such as a Servlet Filter, would have to query the IS a second time and act accordingly).
The aforementioned approach obviously requires the ability to modify the functionality of the AM. Additionally, a caching AM needs to evaluate said deactivation condition before reusing its previously established authentication outcome. Lastly, as mentioned in the comment, if, at the time of a user's IS access revocation, a request on that user's behalf is in the process of being serviced (having arrived / having been authenticated prior to the occurrence of the access revocation event), servicing of that request will complete normally (unless the application requests re-authentication of that user, e.g. via HttpServletRequest#(login|authenticate)).
Prohibiting caller re-authorization
While, as I mentioned in the beginning, users' Subjects are not readily retrievable / modifiable, the backing Policy, against which, on JACC-compliant Java EE runtimes, those get authorized, actually is. Unfortunately, the default AS-provided JACC provider (PolicyConfiguration + Policy) has a serious limitation: it only allows you to operate on Java EE roles, not on the caller Principals mapped to, i.e., "having", those roles. For example, the default provider allows you to extend the Permissions that Principals mapped to the "admin" role have; it allows you to remove the "admin" role along with all its Permissions; but it does not allow you to decide who gets to be an "admin"--at least not in a standard way.
This limitation basically leaves you with two alternatives, as far as JACC is concerned: Either have the AM add a "dummy" group Principal to each caller's Subject, with the same name as that of the respective caller Principal. Then, upon user deactivation, add (via PolicyConfiguration#addToRole) a custom Permission pertaining to the "dummy" group. Finally, check (e.g. via AccessController#checkPermission) from "application-space" code whether the user has the Permission and if so kick them out. But wait, this is utterly meaningless--why even bother using the Policy in the first place, if it is incapable of handling authorization on its own? The alternative is to author and install your own JACC provider. Doing so would give you full control over Principal-/group-to-role mappings and enable you to act pretty much however you please, authorization-wise, with that information from that point on. Writing a new provider is nontrivial though, particularly because it would have to accommodate the authorization needs JRE-wide, not just in the scope of a single application. I doubt that your requirement justifies an amount of work that high. If you still feel like going down that path, the JACC-related articles on Arjan Tijms' blog are a great starting point.
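The Servlet Filter variant described under "Prohibiting caller re-authentication" (the application re-queries the IS and invalidates the session itself), as an added example that is not from the answer. DeactivatedUsers is a hypothetical stand-in for the application's second IS lookup; the javax.servlet API matches the JBoss EAP 6.4/7.0 generation in the question.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical stand-in for the second IS lookup: users deactivated since they logged in. */
final class DeactivatedUsers {
    private static final Set<String> NAMES =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    /** Called by the privileged "revoke" use case right after the IS roles are removed. */
    static void deactivate(String userName) { NAMES.add(userName); }

    static boolean isDeactivated(String userName) { return NAMES.contains(userName); }
}

/** Re-checks the IS on every request and ends the session of a deactivated caller. */
@WebFilter("/*")
public class DeactivationFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal caller = request.getUserPrincipal();          // null when unauthenticated
        if (caller != null && DeactivatedUsers.isDeactivated(caller.getName())) {
            request.logout();                                   // clear the security context
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();                           // drop the active session
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "account deactivated");
            return;                                             // never reach the resource
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Once the revoke use case has called DeactivatedUsers.deactivate(name), that user's next request is refused and their session ends; as the answer notes, a request already being serviced at revocation time still completes.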
WSO2 seems to support 2 scenarios/models of authorization (e.g. as explained here): the first is a database-based Permission Store and the other is XACML-based authorization using defined policies. The first allows you to define permissions in a nice UI tree per role, while the latter requires more complex policy definitions (but is more flexible as it gives fine-grained permissions).
As far as I found, those are separate mechanisms, and XACML queries do not consider the permissions defined by the first method. Since I need to support a simple RBAC model, I wish to concentrate on the first kind.
Using Java, I have found how to use the SDK to check the user decision using EntitlementServiceStub SDK, however I failed to find the SDK that can be used to check if the user has permissions of the first kind (I was just able to get the UI definitions, but I'm looking for something that can answer what is the decision/result, e.g. given "user1" & "/permission/protected/server-admin/homepage" can answer "true" - I suspect RemoteAuthorizationManagerServiceStub but not sure it is).
What is the SDK I'm looking for?
According to the post, it claims that the database permission store is only available for Carbon-based servers. And I think you are trying to do the same for Identity Server. In the documentation it is not mentioned, which means it does not support this feature for Identity Server.
We would like to start using salesforce for managing sales contacts, but there is also some business functions regarding contacts that we would like to retain in our current system.
As far as I can see, that means that we're going to need a two-way sync? I.e., when anything changes on Salesforce, we need to update it on our system and vice versa.
I'm suggesting some kind of messaging product that can sit in the middle and retry failed messages, because I have a feeling that without that, things are going to get very messy, e.g. when one or the other service is down.
The manager on the project would like to keep it simple and feels that using messages rather than realtime point-to-point calls is overkill, but I feel like without it we're going to be in for a world of pain.
Does anyone have any experience with trying to do two-way syncs (actually even one-way suffers from the same risks, I think)?
Many thanks for your insights.
I can't speak for your system, but on the Salesforce API side, take a look at the getUpdated() and getDeleted() calls, which are designed for data replication. The SOAP API doc has a section that goes into detail about how to use them effectively.
We use Jitterbit to achieve two-way sync between Salesforce and our billing system. Salesforce has a last-modified field and so does our billing system (your system should have this; if not, add a timestamp field to the table in its SQL storage). The only important thing is to choose one of the keys as primary (either SF_ID or the other system's key) and create that key field in the other system, as it will be used for conflict resolution. The process is simple and multistep: load all modified SF data into a flat file, load all modified secondary-system data into another flat file, look for conflicts by comparing the two files over a common key field, notify the admin on conflicts, if any, and propagate all non-conflicting changes to the other system. We run this process every 10 minutes and we store the last timestamp on both systems between cycle runs so that we only take records that were modified between two cycles.
In case two users edit at the same time, you will either encounter a conflict and resolve it manually or you will get the "last-saved-wins" outcome.
You also have to cater for new provisions: on the SF side use upsert instead of update (using the external or SF key depending on which you chose above); on your other side it depends on the system.
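The compare-over-a-common-key step of the cycle described above, carried through for both outcomes the answer names (manual conflict resolution and last-saved-wins), as an added example that is not the poster's Jitterbit setup. The Row and Plan types, the SF_ID-style keys and the sample extracts are constructed here.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class TwoWaySyncCycle {
    // A contact row from either system, identified by the key chosen as primary (SF_ID here).
    record Row(String key, Instant lastModified, String payload) {}
    // What one cycle should do: writes per direction plus the keys an admin must resolve.
    record Plan(List<Row> toOtherSystem, List<Row> toSalesforce, List<String> conflicts) {}

    // Keep only rows modified after the timestamp stored at the end of the previous cycle.
    static List<Row> modifiedSince(List<Row> extract, Instant lastCycle) {
        List<Row> out = new ArrayList<>();
        for (Row r : extract) if (r.lastModified().isAfter(lastCycle)) out.add(r);
        return out;
    }

    // Join both "modified since last cycle" extracts over the common key. Changed on one
    // side only: propagate. Changed on both: hand the key to the admin, or, with
    // lastSavedWins, let the newer timestamp win.
    static Plan plan(List<Row> sfChanged, List<Row> otherChanged, boolean lastSavedWins) {
        Map<String, Row> other = new HashMap<>();
        for (Row r : otherChanged) other.put(r.key(), r);
        List<Row> toOther = new ArrayList<>();
        List<Row> toSf = new ArrayList<>();
        List<String> conflicts = new ArrayList<>();
        for (Row sf : sfChanged) {
            Row o = other.remove(sf.key());           // consumed: no longer "other-side only"
            if (o == null) {
                toOther.add(sf);
            } else if (!lastSavedWins) {
                conflicts.add(sf.key());
            } else if (sf.lastModified().isAfter(o.lastModified())) {
                toOther.add(sf);
            } else {
                toSf.add(o);
            }
        }
        toSf.addAll(other.values());                  // changed only on the other side
        return new Plan(toOther, toSf, conflicts);
    }

    public static void main(String[] args) {
        Instant lastCycle = Instant.parse("2024-03-01T10:00:00Z");          // constructed
        List<Row> sf = List.of(                                               // constructed extract
                new Row("003A", Instant.parse("2024-03-01T10:04:00Z"), "phone=+1-555-0100"),
                new Row("003B", Instant.parse("2024-03-01T10:07:00Z"), "email=b@example.com"),
                new Row("003C", Instant.parse("2024-03-01T09:50:00Z"), "edited before last cycle"));
        List<Row> other = List.of(                                            // constructed extract
                new Row("003B", Instant.parse("2024-03-01T10:05:00Z"), "email=b2@example.com"),
                new Row("003D", Instant.parse("2024-03-01T10:02:00Z"), "title=CFO"));
        System.out.println(plan(modifiedSince(sf, lastCycle), modifiedSince(other, lastCycle), false));
    }
}
```

With lastSavedWins set to true the 003B row edited at 10:07 would be propagated instead of reported, which is the "last-saved-wins" outcome the answer describes.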
We have a system that comprises of several functions and I am requested to separate some functionality from our existing system.
Basically, the system has only one user, who has access to the whole system functionality; however, the requirement here is to limit the access some users have to the system.
I would appreciate some kind help in the direction I am supposed to take with this assignment.
Thanks in advance
PS: if it's not clear enough you can follow up by comment.
The first question you need to answer is: where do you want to keep your access information? I.e. who can access what. Some options include an LDAP server, hard coding into the app, or some sort of encrypted file, etc. How you answer this will dictate the technology you use.
For example, if you decide to use an LDAP server, then you need to have your app set up a connection to it, prompt the user for a userid and password, log on, and retrieve their security groups. Then when you are setting up the GUI, you can query the retrieved groups to see what the user can see or access.
It's pretty much always a good idea to relate a user to one or more security groups. From there you can decide to either assign GUI functionality to individual groups, or to decouple a step further and assign functions to privileges, and then define group-to-privilege relationships.
Java comes with JAAS, which is a built-in security framework. But it can take some time to get your head around and (AFAIK) is not a complete solution, just a starting point.
It also may be that you simply don't need anything as complex as LDAP and JAAS. If it's a simple app then perhaps you only need an admin id which only one or two people know the password to, and some shared other ids; in that case you can simply store the data in the app. Although this is the least flexible solution.
Finally, you should make sure that the difficulty of accessing the system matches the importance of the information being stored, i.e. don't put bank-level security in front of editing the staff's contact information.