---
title: WWDC2001 Session 617
framework: wwdc
role: article
path: wwdc/wwdc2001-617
---

# WWDC2001 Session 617

## Transcript

Okay, well, I've got six areas I'm going to be covering today. Privacy is basically going to be covering things with SSL, because sometimes that can be a bit tedious to work with with WebObjects. Protecting resources: there I'm going to be talking about overriding things in the WO request-response loop to kind of protect things and lock your app down. On authentication, just a little bit on using maybe some more irritating things with the authentication, HTTP challenge panels and digital certificates. For persistent data integrity, things like helping you make databases where your passwords and your credit card numbers, for example, aren't fully exposed. For messaging integrity, a little bit on using digital signatures to do things where you can do messaging between apps and we can kind of verify what's going on. And access control, that's kind of the biggest one; the unfortunate thing is I'm probably going to have to spend the least amount of time on it, but in that I'm talking about using access controls to protect your EOs and pages, and I've got a demonstration there, or at least some code that I can let you all have after this show, that shows using the Java ACL package and integrating that with EO.

So, here we go. First, keeping it private. This is the main problem with, I guess, SSL and WebObjects: you've got these partial URLs, and while that's great from an app server standpoint (the app doesn't have to know about the deployment environment), it's kind of a problem if you want to actually force things to go to a certain web server, or in this case SSL, because if you came in over HTTP that would be an HTTP URL; if you came in over HTTPS you'd be okay. So the trick is you've got to create absolute URLs, or come to the app over absolute URLs.

So can I have demo 2, please? All right, so I'm going to come into here. This is a project; this WWDC app is something that I'm going to try and make available to any of y'all that want to check it out. It basically
is, in code, everything I'm demoing here today, including just some reusable components. First of all, SecureHyperlink is a way of generating absolute URLs, and so you can just basically use this instead of WOHyperlink. Okay, and this is sort of the gist of what's going on: notice I've got a WOGenericContainer here; it's an element named "a", for anchor, and instead of just binding this thing to an action, I bind invokeAction to a method on the page called invokeAction, and I have href bound to a method called href. So for the action that gets invoked on the server, I can set the URL, or the href, I want to associate with that action using this technique. So let's take a look at the source for this. Okay, and that's how I'm generating the href. Normally, if WebObjects is just doing things normally, it asks the context for its componentActionURL, and in this case, if this binding says it should be in secure mode, all it does is take "https" and prepend the hostname to the URL. And then I do the same thing for a form; this is the SecureForm, by the way, the same basic thing. This stuff is based on components you can find in WebObjects 5 called component elements. This stuff has been available actually, I think, since WebObjects 4. How many people know about this framework? But basically what it is, is just about all the dynamic elements you're familiar with, implemented as components, using all the high-speed things that were done to make components fast, and I use that as a template. In fact I subclass one of those guys, called WXHyperlink here, to create the SecureHyperlink. So what this looks like is: this is a page that right now is over SSL, and because of some demoing issues I'm going to leave it over SSL, but you're just going to have to take my word for it that that is an absolute URL behind that hyperlink. And it isn't... this doesn't look like HTTPS... because I came in over HTTPS, it looks like HTTPS, because
that's the full URL that was put up there. So let's go back here; can I have the slides back? Okay, now there's a better way, in my opinion, to actually get to SSL than using these hyperlinks, and that would be to do SSL via redirection. The technique that I've used in the demo application is to override appendToResponse, and if you're not coming in over SSL I basically tell you either that access is denied, or, if the page requires it, I redirect you to it. Of course, the trick there is detecting SSL, and there's really no hard and fast rule for this; these are just some heuristics you might use in your implementation. I have an implementation called isRequestSecure that you can use, that uses this type of information, the HTTP header and the server port, but you really have to get with your deployment engineer to figure out exactly what they're doing, so you can look for the right thing to tell whether or not they're coming in over a secure connection.

Okay, so can I have demo 2 again, please? Okay, so basically what this demo app is, by the way, is a simple commerce application, and it isn't just purely a demo: I wanted to show some of these security concepts in the context of a real application, and even apart from the security stuff you might find this application useful as an example, or as a starting point for making a commerce site. So anyway, some of these things require SSL. As it turns out, this create account page requires HTTPS; since I'm in it, the request is secure. If I'm not, a redirect occurs. Same thing with this sign-in page: if I'm not over a secure request, it does a redirect and comes in over SSL. The reason I like this better than just making the link SSL: imagine that for this particular username and password, the page is over HTTP but the form was over SSL. The user wouldn't have any feedback that they're on a secure page; it would look insecure to them, and they might feel uncomfortable about submitting it even though it was safe. If the page itself makes a decision as to
whether or not it should be secure, and can make itself secure on the fly, then you're always guaranteed that when they get to this page they're secure, and therefore when they submit it you're secure. Okay, so back to the slides. Oh, one thing I guess I should point out about the implementation that I've done here, and that y'all can take a look at: before the redirect happens, I try to do this redirect in a way where I don't get side effects. I've seen techniques like this before where you get a double invocation of an action, or you get a double appendToResponse on the page, and I wanted you to have something where, when you went to the page, it never generated at all unless it was okay to see it, and furthermore, when you came back to it on the redirect, you didn't regenerate it. The redirect actually happens to a URL that points to a direct action, a special direct action I call SSLReturn, that goes and recovers the page from the session and then tells it to finish generating its response.

Okay, now you've got your entire app over SSL, every page is accessed over SSL, and you think everything is really secure, except for this little thing. What I mean by session hijacking is someone recovering your session ID, through maybe looking over your shoulder: you get up to go to the bathroom and come back to your system, and all of a sudden they've got the session ID to your E*TRADE account and they're taking a look at your portfolio on their machine. So you might want to disable this, and it's not terribly easy, because at some point the session ID has to be in the clear. The solution I use is to emit a cookie that's specific to the session, and when I do that, I check for that on every single request. So if someone goes to some other machine, not only would they have to look over my shoulder casually, they'd also have to get on my machine, get my cookie file, get the cookie, go over to their machine, stick it in there, and then try
and hijack it from there, and if they don't, I throw up an access denied page.

Okay, so this section is somewhat similar to the SSL section, in that I'm overriding appendToResponse, and for some of the things in this section here, I'm talking about overriding WO's request handling stuff. As it turns out, there's lots of ways to get into a WebObjects application: you can specify a page name, you could specify a direct action on the URL, so it's kind of important to just have the app smart enough not to generate things by default unless you're authenticated. Just push the logic into the pages themselves to prevent them from accidentally, you know, rendering when they shouldn't. So one way you can do that is to override page generation, and that would mean overriding appendToResponse and not calling super unless you're logged in, for certain pages. The other thing you might do is page creation protection, where you override pageWithName in the application class and therefore prevent page construction. And there's some pros and cons to this. The advantage to overriding pageWithName is you prevent the constructor from ever executing, so if the constructor is doing something that requires sensitive code, it never executes unless you're authorized. But if you override pageWithName in context, and you're not authorized for the page, and you return a page that they can't see... you might return null, you might raise an exception; now the code that calls that needs to handle that. So basically, in order to take advantage of that, you have to alter all the places in your application where you use pageWithName. With page generation protection, you actually let the page get created, and you send it a message saying "is it okay to generate you?", and if so then it can generate. The only downside is you have to make sure there's no sensitive logic in the constructor code of the page, because that will execute under this scenario.

Okay, now this is something else I don't think most people realize, but you
know, if you log in and you have a link to a direct action, and if you never log in you never see that link on the page, it really doesn't mean you can't type the direct action link in the location field of the browser and just directly access that thing anyway. Now, if you use the technique I just talked about for pages, you might prevent the page from rendering, so no one can see the page, but that doesn't prevent the direct action that got to that page from invoking. So if there's something sensitive going on in there, and you just want to globally prevent any direct action from firing unless it's actually okay, or it's a non-sensitive direct action, you can override performActionNamed, inspect the passed-in action name, and just don't call super if you're really not allowed to invoke that action. And you also have access to the WORequest, so in that method you could look at the form values for the WORequest, and the action name itself.

Okay, now you might not think this particular topic, backtracking, would be specific to security, but I put it up here, and in the demo example I created a little algorithm that detects backtracking. So even if you disabled client-side caching, you still might want to know, or give the user some feedback, that, you know, backtracking isn't something you want. Now, in an e-commerce site you want people to backtrack, but there's certain aspects of a commerce site, like the checkout process, you know, when you're going through step one, two and three, you probably don't want them to backtrack to step three after they've already made the order. Okay, so it'd be kind of nice to detect backtracking, and I do it by comparing context IDs of the current request to the previous one, and some other things that are relevant to direct actions, and I don't call super invokeAction if they backtracked on those pages; instead I just return null, which has the effect of refreshing the page.

Okay, so can I have demo 2 again, please? All right, this action here,
accountEdit, requires authentication, and the page itself knows that it can't render itself unless you're authenticated, so instead it shows the access denied page, which puts up this big title, "access not allowed", and "you must log in to access this direct action". Now this page down here, secret stuff, is a page, just a WOComponent, and again, this particular page, instead of the direct action, this time it's the page that's decided it can't render itself, and so it comes up like this. Now if I log in, I've got a test account here. Okay, it says I'm logged in; I should be able to go to accountEdit now. Okay, then, you know, I can see my account information. Okay, you probably notice that these security demos are kind of boring, and I couldn't do anything more graphical than just this, and sorry about that, but most of the stuff is happening behind the scenes, and I know it's not exciting when you see a URL change from HTTP to HTTPS, but it's the best I can do.

Okay. Authentication. I'm not going to go into all these different ways you can authenticate or gather credentials, but I will talk about a couple of things, like when to log in. The typical thing in a WebObjects application, it turns out, is what I call this front gate login, but there's other ways that I think are more friendly, like on demand, and you might prompt for login on a session timeout. Now, this is the usual means: people put a login panel in the main page, and you have to go through that login panel to get anywhere else. So even if you did have direct actions, if they went and followed the advice before and locked those down, or didn't define any to vector into the app, well, it doesn't matter, because you've got to go in here. So it's like, hey, come to my site, I've got this really interesting thing over here, but I can't give you a URL to it, because you've got to log in, and then you've got to navigate to it, and then you can see it. And people go, well, I'm not going to bother. It'd be nice to just sort of put a direct action in an email
message, send it to someone, have them click on it, and if they're not authenticated, just, you know, prompt them for it. So it'd be nice if you could do something a little bit better than this sort of front gate thing, and that's browse on demand. And the cool thing about the previous stuff I showed you about resource protection: when you override appendToResponse and performActionNamed, you're basically making your direct action objects and your pages smart enough to know when it's okay for them to show themselves. And given that, you can just navigate through the app, and instead of showing an access denied page like I just showed, you might as well just prompt them for login, or prompt them for login or to create an account, and if they create an account and they do so successfully, take them to the intended resource.

Okay, so demo 2 in this case, please. Okay, I'm going to start a new session here, and let's see, I need to start just shopping here. So I've got some specials down here; by the way, the special logic actually works, it overrides the default price. And let's go home and drill through some of these categories. Let's see, I'll add this to my shopping cart. So I'm just browsing around the page, and I'm able to access some of this stuff, and then I come to this checkout button and click that, and it says hey, you're not logged in. So okay, I'll log in, and it goes right where I left off. When I clicked that, the page didn't know about it; it was like a superclass that figured out how to return the login page. If I had been logged in, I would have just gone here. So the way this algorithm works is: you go to the page, appendToResponse starts to generate the page, it goes "oh my god, you're not logged in", then it creates a login response instead. And so, doing super appendToResponse on the page, it goes and gets the login page and tells it to generate a response, and then returns that as the appended response, so I see a login page. But before it does that, I take the page and I put it
in a session variable, so when they do successfully log in, the login action can recover that guy from the session and then tell it to finish generating its response, and then you see this step one of the checkout page right here. So, cool. Yes, would you like to do this now? Yes. Cancel. Okay, if I had time to put the Visa and MasterCard images up there I would have, but that's what those things there are. So I'm picking my credit card and doing next, and okay, so I'm at the confirmation page, and let's say I backtrack. Okay, it knows that I did that, because it compared the context ID and knew that where I am is not where I was supposed to be. So instead of actually backtracking to that page with the Visa cards, I'm just looking at this again, and so the user doesn't get confused, I tell them, hey, you know, you're backtracking; please don't do that within the checkout assistant. But you noticed, before I got in there, there was backtracking all over the place and that was okay. So anyway, I hope these things will be useful for you. So that's it for that; can I have the slides back?

All right, now, don't be frightened by this; I'm not actually going to go through all those. I've already demonstrated HTML page. I'm going to talk about the HTTP panel just a little bit, and client certificates, and just touch on biometrics for a second. The HTTP challenge panel: actually, with WebObjects, since you've got an HTML page it's probably not necessary to use this, but you might have a situation where you've got to use it, because people are using the HTTP challenge panel, that thing that the web server pops up, or that just pops up if you send back a certain header. And it does kind of have an advantage that it can give you an effective single sign-on, but it can be a little tricky, because if you're not used to it, you've got to look for certain headers in the request, you've got to emit certain headers, the headers are going to be base64 encoded, and your web server might not work as is; you might have to use a special
web server. For example, this Authorization header is the one that gets sent back when you're authorized, and pure web servers with CGI, and Netscape with CGI, don't pass it, but Netscape with NSAPI and the Apache module will. I'm sure there's some other combinations that do as well, but you just have to be aware of it, so you see the panel and then you never get the header and you wonder why; this is why the interface might not be supporting it. And the other thing that's really confusing is this realm. One way that you can get the sort of single sign-on effect is you can pick a realm on your WebObjects app that matches the same realm you need to protect things with on the web server side for static pages, and so when you authenticate to the WebObjects application and then you access something else that matches that realm, like some of these static pages, you know, your browser is going to pass the authorization stuff down to the web server, and then the web server does the authentication to see whether or not you can see it. Anyway, that gives you the single sign-on effect, so that's kind of cool.

But you know what's cooler are these things, if you can get away with it. If you're on an intranet you might be able to get away with this: basically have people authenticate with a client-side certificate. You've heard of server-side certificates, the kinds of things that you buy to put in your web server so you can get SSL; this is a similar cert, but for the user, something the user submits, something you configure the web server to ask for. And it can also give you single sign-on, because you're basically doing a cryptographic operation between the client and the server, and authenticating to the web server, and then getting access to everything behind it. And that might be good enough, and you're done, and the WebObjects app doesn't even have to be aware that it's happening. Let me mention something about the second bullet, though. However, in some cases you might actually want to get
the digital certificate, and unfortunately that's a little bit problematic right now with the WO adaptors. So to address that, even though I'm not going to demo that, a nice gentleman made a special WO adaptor that works with Apache as a module on Mac OS X that will properly ask Apache for the proper header where the certificate is, and get that guy and pass it on to your WebObjects application, so your WebObjects application can do things like validate it, or look at user information in the certificate and see if there's an enterprise object associated with that guy, in some type of hook on the application side, like application awake or something like that. Now here's something you might actually want to do with that digital certificate on the server: you might want to see if the certificate's been revoked. That's one thing you might want to do in your code, and you do that by looking at a certificate revocation list, and VeriSign and all these other CAs have certificate revocation lists, usually posted on the net over HTTP. You can also go to some clearinghouse for this, a validation authority using OCSP maybe, to get just the status of the particular certificate you're interested in. The reason you might want to do this is this Microsoft example I want to share with you. About a month ago, someone posing as a Microsoft employee went to VeriSign, and VeriSign mistakenly gave them a certificate and a private key that let this gentleman sign code as if he's Microsoft Corporation. Okay, so when you get that little panel, "do you trust Microsoft Corporation", and you go "yeah, always", that means you could be downloading this guy's stuff, and God knows what you're installing. And that wouldn't happen: that cert got immediately revoked. I mean, they found out they made a mistake, they immediately revoked the certificate, VeriSign did; it was kind of VeriSign's fault, I guess. But if no one's checking the certificate status, and not many people do, talk about an interesting
attack: everything looks safe, and in fact you're being attacked. So it's probably not a bad thing to do. Okay, and lastly in this authentication section, just a note on biometrics. Personally, I think they're interesting; I don't think I'd recommend them alone, but if you combine them with a password, they're pretty cool. And another thing we might be able to show you, at least one on one after this, is an example of a biometric system where it detects who you are by how you type, which is just kind of interesting. But most of these things are thumbprints, palm prints, something about you, your voice, that kind of thing, and a lot of times they're used with digital certificates, as passphrases to unlock the private key.

Now, you've gone to all this trouble to have these strong passwords, you've got all the SSL, everything's hunky-dory, but then your users pick passwords like "foo", "bar", numbers "1234", that kind of thing, and they're susceptible to dictionary attacks. So you might want to prevent people from logging in over and over again with a dictionary attack on your system. So I've got a demo of that; this app happens to implement intrusion detection sort of stuff. Can I have demo 2, please? Okay, so log in with a valid username but a gibberish password. That's a password that must be from Texas. Okay, well, I must have locked that thing down too; you get only one shot at it. I thought I had it set to three, but I must have set it to one, but that's pretty rude, I think; I'd, you know, maybe make that a little bit longer. That demo's over. Now, there's two kinds of counts you want to do: one based on the username and one based on the IP address. Even though people can spoof IP addresses, you know, you still want to do it, because you want to sort of discourage the possibility of someone going to different workstations with the same username, or going to the same workstation with many different usernames and attacking that way. So if you check both, and you make sure that not too
many happen within a certain period of time, you know, then you should be quite a bit safer. Plus you've got a log: this particular demo application is writing these records to the database. When a failed login attempt happens, it writes this thing called an intrusion log to the database.

Okay, now, persistent data integrity. This has to do with things that happen outside your application; there's hashing, encryption, and signatures and timestamps. So in the case of passwords, I don't know how many people do this, but it sure seems... I've been to a few sites and I've seen these password columns, and that password looks pretty damn human readable, you know, and it'd be nice if it was at least encrypted or hashed. And basically, hashing the password is probably at least a pretty good way of storing it, if you're going to store it in a database. And the way the demo application works, by the way, is to do just that: when you sign up for an account and provide a password, the server hashes that password and stores the hash, and it's a one-way function, so you can't recover the password from the hash. And when I authenticate, when I go to that login panel, I'm fetching the user, taking the password that they entered, hashing that, and then looking at the hash for the user's password, and I compare them. If they're the same, then, you know, I know that they're okay and they get to get in. I assume everyone knows what a hash is, so I'm going to have to move on. Encryption: this is a situation where you make the thing look scrambled, but you can actually recover it, and for passwords that's not necessary, because you're just doing a comparison, but for a credit card number you might want to encrypt it. And again, I've seen a few websites, you've probably heard of a few, where they go in and they hack in and they get all the credit cards. Sometimes those people do go ahead and encrypt their database, and they just don't put the secret key in a safe place, but hey, at least you've got to encrypt
things like that. And there's ways of doing it with key-value coding, with special accessors, so it happens transparently, so the rest of your app doesn't have to care. And well, unfortunately, yes, after you do that, people might hack the database, but to get the passwords, they'd have to hack the database, get the credit cards, then hack some server that's storing the private key or the secret key and get that too. But you could put that secret key in a pretty safe place, kind of locks within the locks, and one place might be the Mac OS X keychain. If you went to the security framework talks from earlier, it's actually got a standard C interface, and you could use the Java native API to put that key into that keychain and then lock that down. In my particular case, in the demo example, I'm putting the secret key used for the encryption in a Java key file, you know, in a file in the project. But if you really want to be secure, you can actually put the key in a hardware device; Chrysalis and nCipher create these things where all the cryptographic operations happen on the device, and the private key or the secret key never even leaves that device to get into memory, so they're extremely difficult to hack. You actually really have to be at the machine, to have possession of this hardware token, in order to hack into it.

And to do this stuff, can I have demo 2, please? To do all this stuff, I'm actually using the Java Cryptographic Extensions; they do work with Java 2, and that's kind of the nice thing about WebObjects 5, is that I can use all these Java 2 things and just drop the jars from Sun's website in, and they work. So in this case I'm just going to show the source code to my credit card class. Okay, and I'll come to this, don't worry about that, in a second. Okay, this is a method, decryptedCCNumber, and setDecryptedCCNumber. This is the method that all the code calls, and it does the encryption and decryption on the fly, and the
encryption and decryption is actually handled in this class called SecurityUtilities, decryptedBase64String. Basically, what I tried to do in this demo is factor out as much of the security-related stuff as possible into this class called SecurityUtilities, so you have one place to look at, and I actually commented it, you know. And that does the work of encrypting it and then base64 encoding it, and I base64 encode it so I can just sort of drop it in any kind of database, regardless of what type, even if they just have barely a few ASCII characters supported for that column; I can safely store the thing. Now, there's an actual attribute down here called creditCardNumber, and that sets and gets this encrypted gibberish. So if you look at the return value for that, you see the encrypted value, which is just a bunch of funky looking stuff. Okay, so can I go back here? Actually, one of the reasons I wanted to have this demo for you guys to download is that 99% of the stuff going on in these things is happening underneath the covers; it's stuff you can't see. So I wanted you to be able to... you came out here for the developer conference, I want you to be able to, you know, walk away with something that would carry you forth afterwards.

Signatures and timestamps. This has to do with safely storing documents. You could store a hash of a document; you could store the document, you could store the hash, and that might be good if you're protecting against things like just accidental corruption of the file, because you can check the hash and see if it matches up at a future date, and if the hash for the document matches what's in the database, you have some reliance that it wasn't tampered with. But someone could always alter the document, create a new hash, and store both, and then you wouldn't see that someone had altered things. So that's why you might want to digitally sign the document and store the signature with it. And if you want to make sure that, if it was
important that something happened, like this is a contract and it was important that the time was recorded on this, you might want to use a third party to get a digital timestamp. If y'all don't know what that is, it's basically: there's these third parties where you can take your document, hash it, take the hash, send it to these guys (I think surety.com is one of them), and they will basically take your hash, put a timestamp on it, digitally sign that, and send that back to you. You can take that and put it in the database. And as it turns out, what I'm describing is basically a digital receipt, and there's an XML standard for doing documents like this; you don't have to put things in two places, you can just put them all in one XML document, and that URL at the bottom is the org where you can find the DTD for that.

Okay, now, messaging integrity. This is actually very similar to the document stuff, but instead of storing things persistently, I'm talking here about throwing things up to the user. Adobe 5, not the Reader but Adobe Acrobat 5, supports digital signatures on Mac OS 9; it actually runs on Mac OS X in Classic, and should be, I guess, carbonized pretty soon, I'm not sure, and on Windows. So you basically have this solution where you can put it on just about any desktop out there and get digital signatures done. And you might want to do that for, actually, the point at the bottom, I think, is the coolest: paperless workflow, or actually employee forms processing, those two things. Inside a business, you're on an intranet, you could actually distribute the software on clients, and your WebObjects application could, like, you're doing stuff and it returns a contract, "do you really wish to agree to this type of insurance", or claims processing for HR. And you can have your private certificate, which, hey, it might be embedded on one of these, which would be kind of cool, and then you can insert this, if it were a smart card (this one isn't,
don't get excited if this were smart card you could stick it in the Machine and then digitally sign the document with it you could like save the signed version on your system or you could post the signed document back up to the server and in a way that's a lot better than a handwritten signature and there's nothing to fax you know there's no paper and it's pretty secure or can be if you have a pretty strong public key infrastructure now this b2b thing is very similar to what you saw in a way last just the other day when you saw in a web objects thing on XML here I'm talking about doing exactly what happened there you got two web objects apps talking to each other but it wouldn't be nice if you could like digitally sign just some arbitrary content and so the receiver of it could know that this wasn't some you know Joe Blow with no authority to buy the 100 PowerMax and in Reverse too you know so when when you're done processing the order when you send a response back you might digitally sign that and to do that in web objects you have a few things to help you've got whoa direct actions to turn whoa apps into services you've got the whole message API for programmatically creating requests sending them to a server and getting the response back and you have some XML management stuff for generating it and interpreting it and so what I did actually took the demo that you saw yesterday for XML process and just took it and added utility class which again is another thing that it'll be a resource for you guys and then added a little bit of code to the actual original source code to add a signature to that XML okay so the request ends up getting signed up with the signature in a header field and then I send that down to the server and the server validates that the content and the signature passed in our are okay okay so then go to that guest to please okay this is the class with all of the digital signature stuff and let me show you where I build up this request or actually 
interpret the responses okay okay here's the here's the code that does it as it turns out I've got a an element called signature value and then I take the body of the soap document in this case I take those two pieces of information and then I send them to this signature XML utilities class I was talking about and said verify our XML element with the signature passing the body passing the base64 encoded signature and an output format for it to use and then it just returns whether or not that thing was okay right so that this this isn't specific to soap I mean you could use this particular utility with anything and it uses again the Java cryptographic extensions to perform the digital signature and the digital signature verification so I would show you the demo but it's exactly like yesterday's I mean you just fill something in and you go to it and besides it's not running so okay this is the actually the last piece of this guy the sixth part access control so you're authenticating to a web server and you've authenticated and now we know who you are most of the stuff I've talked about so far is what do I do if I don't know who you are okay but now I do so I've got an enterprise object or a page and the page has certain restrictions and I'm a user it might be in certain groups so whether I get to see it or edit it or do something else to it depends on the combination of State okay now here's something actually I I presented I think before and I with one little wrinkle here here's a just an example implementation you might stick on an abstract superclass for enterprise objects can't show and can edit and pass in a user object and just let the enterprise object figure out what to do with it this is a nice simple interface that the higher levels in your app can program to because if you just use a basic interface like that move over to here you can apply conditionals you can filter out EOS and one thing I'd recommend in this particular area is like if you have an EO 
editing context you might subclass it and override object of specification call super and the actual results that you kick back you might ask the results that are you readable are you readable are you readable and if you are put you in a subset and only return the subset then you kind of have a global you know way of keeping the results set to a minimum we're just well just not so you don't like show a count of seven and the user only sees five rows you know that that doesn't look good and then maybe you could look at group membership based on the users to collectively hide and show big swaths of the UI but anyway back up to this okay the other thing I didn't actually my demo application I have examples of using an implementation of can show and can edit I don't have an example of value for key user take value for key user but the idea for that is similar to keep how you coding accept the user argument is thrown in as well and the reason you might want to add something like that or an interface or something like that is you might have a big honkin record with like a hundred columns and guests can see this much but certain privileged people only get to see these attributes you know and if you had a competent which is smart enough to use that API and just decided to use that in standardize on it you know you could control access at the granularity be attributed with the interface like that now what about the implementation behind an interface like that okay here's a very simple interface that makes some assumptions I've got a this these are methods that might be on say a product or category as it turns out in my demo application the category entity and the product entity a subclass from an abstract class called protected object and they implement default implementations of this minor bit more advances all show but that's where you'd put it just put it on and on an on a neo-nazi one relationship and it might have a relationship to its owners to many relationship and 
if this particular Jake says if the past and user equals the Creator you get to see it if the if is a member of the owners you get to see it if not it's false and the can't edit is trivial basically the rule is if you can see it you get to edit it okay so a simple one but you could get more elaborate oops and these are sort of the two highlight best ways of doing access control there's a discretionary access and mandatory access discretionary access is what you're sort of used to mandatory access is something I'll go into a little bit if I have time but it is definitely a lot different than discretionary access and it's pretty important to customers in the government especially secured agencies and so forth okay so let me show you this what's going on here okay diagram all right this is a diagram view of the classes which are relevant to the access control stuff I don't know if y'all knew this actually it came as a surprise to me a few months ago there's actually a Java spec for defining a CLS it's called if I can remember correctly java.security dot ACL and there's some classes in there and so what I've got here are a bunch of yo s yo generic records that implement those interfaces okay and instead of like riding my own implementation of an ACL policy that interprets all the state and figures out what to do I've got an EO that actually uses the implementation provided by sun to digest this state and tell what's going on so actually it's not very much code and let's say we've got the classes involved our ACL entry which implements the Java ACL entry user interface user group implements the group interface permission implements the permission interface person implements the principal interface and all these guys are sort of networked together and basically ready to work with any java ACL policy that that adheres to the interface is defined by Java soft so we go into the application here I knew I was gonna do that I gotta make sure I type this right good okay let me 
take a look at something that's protected categories now what I've done is kind of logged into an administration form of this application and I'm not even gonna I'm gonna I'm gonna try actually explain this I don't know how I'm gonna do it okay so we've got product categories and I'm logged in as the admin I'm in the marketing group and what you're looking at here is a list of all the categories in the system so I'm in as an administrator but I'm doing some things you'd never put an administration user interface does I want to illustrate what's going on here as it turns out the accessories cool category I can edits name and so forth it's got these three access control list entries okay and I'm sorry the fonts kind of small price should have boosted for this but let me read it for you if you're in the marketing group to get to read it if you're in the administration group you get to read it if you're the user M Neuman you get to read and write it okay and as it turns out admin is in the marketing group and therefore what does that mean marketing group read now what's kind of cool about ACLs is that unlike the UNIX file system if you someone's in a group and they get to read it you can strategically pull someone out remove access so let me edit this guy and what you're seeing here is an ACL edit components part of the project that you will get if you want it and let's add an ACL here for that's applicable to the admin not applicable to a group I'll make it I read permission and I'll select negate okay and then save this and if you look down here I can't read it anymore and this list of available permissions is now empty alright so that's how it works and you can do sort of keep stacking these things on and the way the java policy works is it takes these two sets and it merges them and negatives cancel out positives and what your in the resulting set is a set of available permissions and then all I do in my can show and can edit methods is just call one line on the 
ACL policy we says do you have this permission or not yes or no and then return that so it's a pretty clean little interface I think and you can like add new permissions to make up different things readwrite I added one called upload you might have other types of permissions or things you might want to randomly stick in here and it's pretty easy to extend okay okay so the first thing I covered was a protecting privacy that was SSL components to generate absolute URLs I showed a redirection detection of SSL and doing that without side effects and I didn't want the side effect of the double generation of an action of the double generation of a page for protecting resources I showed overriding some request handling methods I think they were perform action named page with name and appended response and one thing I didn't talk about but I think might be important is if you wanted to like totally override everything in the app or at least inspect everything you can override dispatch requests on the application object and you can ask the request what is your request Handler and actually lock down things like the resource manager the resource manager is responsible for vending out images and maybe charts or dynamic graphs if it's the resource manager you might look at the URL and you might look at what kind of resource is trying to get and if they're not logged in maybe they don't get to see that you know so I meant to mention that and didn't but that's just one of the things in protecting resources on authentication talked about using digital certificates and the importance of actually validating their status and for persistent data integrity talked about and showed using hashing of passwords and encrypting credit cards and talked about digitally signing documents and for messaging integrity actually did sign a document digitally signed a request and then validated that request on a server and then finally for access control was using a CL implementation and combined that 
with AO so you could get the best of these Java standards plus what UF has to offer so these are the kind of places you might want to go to get some more information this fact from RSA is awesome if you want to know a lot about security in a nutshell it's a pretty good resource for if you're interested in like protecting your secret keys in cipher has a pretty neat device for storing that so do a few other companies a rainbow comes to mind and a chrysalis digital receipt that's an open source place and get the DTD for the digital receipt stuff validating certificates that's a company that validates certificates certificate authority there's many companies that do that you've got Verisign there's thought there's interesting that digital timestamp actually that should be surety comm sure t y comm and then signing plug in Adobe comm so I guess we still have there's still lab left today so we're 1030 you still had a chance to go and play with web objects 5 and if you feel like it you might even vote for the app server thing and the next presentation is a optimizing web objects that's coming up a little bit later it's not directly related to it but you know I'm it's Friday and there just isn't much left so you know I had to put something on this slide feedback form of course on web objects later on today and here's who to contact the up like want to know more or you want to have event feedback on the product or problems and so forth and call our director of objects engineering and Bob Fraser for product marketing at the same email address and if you're interested in consulting integration training and so forth there's the eye services thank you seeing all this many times this week you
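The access-control walkthrough above (group entries granting read, a negative entry for a single user removing it, and canShow/canEdit reduced to one permission check) is reproduced here as an added example. It is not the session's demo code and not the java.security.acl package the speaker used (that package was deprecated and later removed from the JDK), so the merging rule is written out in Python: negative entries cancel positive ones, and, as an assumption of this example, an entry naming the user individually overrides entries that only reach the user through a group. The principals, groups and the "accessories" category are constructed to match what the speaker describes on screen.

```python
"""ACL resolution with negative entries, in the style of the session's demo (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """A user (the session's Person entity implements java.security.Principal)."""
    name: str


@dataclass
class Group:
    """A named group of principals (the session's UserGroup entity)."""
    name: str
    members: set = field(default_factory=set)

    def is_member(self, user: Principal) -> bool:
        return user.name in self.members


@dataclass
class AclEntry:
    """One ACL entry: a principal or group, a permission set, and the 'negate' flag."""
    principal: object            # Principal or Group
    permissions: frozenset
    negative: bool = False


class Acl:
    """Resolves the permission set a user ends up with from a stack of entries."""

    def __init__(self, entries=()):
        self.entries = list(entries)

    def add_entry(self, entry: AclEntry) -> None:
        self.entries.append(entry)

    def permissions_for(self, user: Principal) -> frozenset:
        ind_pos, ind_neg, grp_pos, grp_neg = set(), set(), set(), set()
        for e in self.entries:
            if isinstance(e.principal, Group):
                if not e.principal.is_member(user):
                    continue
                target = grp_neg if e.negative else grp_pos
            elif e.principal == user:
                target = ind_neg if e.negative else ind_pos
            else:
                continue
            target |= e.permissions
        # Within each tier a negative entry cancels the matching positive one.
        individual = ind_pos - ind_neg
        group = grp_pos - grp_neg
        # Assumption of this example: an explicit denial on the user also strips
        # anything a group would otherwise have granted.
        return frozenset(individual | (group - ind_neg))

    def check_permission(self, user: Principal, perm: str) -> bool:
        return perm in self.permissions_for(user)


class ProtectedObject:
    """The abstract EO superclass from the talk: canShow/canEdit are one ACL check each."""

    def __init__(self, name: str, acl: Acl):
        self.name = name
        self.acl = acl

    def can_show(self, user: Principal) -> bool:
        return self.acl.check_permission(user, "read")

    def can_edit(self, user: Principal) -> bool:
        return self.acl.check_permission(user, "write")


def build_accessories_demo():
    """Constructed data mirroring the on-screen demo: three entries, then a negated one."""
    admin = Principal("admin")
    mneuman = Principal("mneuman")
    marketing = Group("marketing", {"admin"})
    administration = Group("administration", set())
    acl = Acl([
        AclEntry(marketing, frozenset({"read"})),
        AclEntry(administration, frozenset({"read"})),
        AclEntry(mneuman, frozenset({"read", "write"})),
    ])
    category = ProtectedObject("accessories", acl)
    return category, admin, mneuman


def run_demo():
    """Returns admin's permissions before and after the negated read entry is added."""
    category, admin, _ = build_accessories_demo()
    before = category.acl.permissions_for(admin)          # read, via marketing
    category.acl.add_entry(AclEntry(admin, frozenset({"read"}), negative=True))
    after = category.acl.permissions_for(admin)           # nothing left
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

The visible-rows problem the speaker raises (a count of seven where the user may see five) is handled the same way: filter the fetched objects through `can_show` before returning them, so the count and the rows agree.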
