WWDC2001 Session 617
Transcript
Kind: captions
Language: en
Okay, well, I've got six areas I'm going to be covering today. Privacy is basically going to be covering things with SSL, because sometimes that can be a bit tedious to work with with WebObjects. Protecting resources: there I'm going to be talking about overriding things in the WO request-response loop to kind of protect things and lock your app down. On authentication, just a little bit on using maybe some more irritating things with authentication, HTTP challenge panels and digital certificates. For persistent data integrity, things like helping you make databases where your passwords and your credit card numbers, for example, aren't fully exposed. For messaging integrity, a little bit on using digital signatures to do things where you can do messages between apps and kind of verify what's going on. And access control, that's kind of the biggest one; the unfortunate thing is I'm probably going to have to spend the least amount of time on it, but in that I'm talking about using access controls to protect your EOs and pages, and I've got a demonstration there, or at least some code that I can let you all have after this show, that shows using the Java ACL package and integrating that with EO.

So first, keeping it private. This is the main problem with, I guess, SSL and WebObjects: you've got these partial URLs, and while that's great from an app server standpoint, the app doesn't have to know about the deployment environment, it's kind of a problem if you want to actually force things to go to a certain web server, or in this case SSL, because if you came in over HTTP that would be an HTTP URL; if you came in over HTTPS you'd be okay. So the trick is you've got to create absolute URLs, or come to the app over absolute URLs. So can I have demo two, please?
All right, so I'm going to come into here. This is a project, this WWDC app, that I'm going to try and make available to any of y'all that want to check it out. It basically is, in code, everything I'm demoing here today, including some reusable components. First of all, SecureHyperlink is a way of generating absolute URLs, and so you can just basically use this instead of WOHyperlink. Okay, and this is sort of the gist of what's going on: notice I've got a WOGenericContainer here; it's an element named "a", for anchor, and instead of just binding this thing to an action, I bind invokeAction to a method on the page called invokeAction, and I have href bound to a method called href. So for the action that gets invoked on the server, I can set the URL or the href I want to associate with that action using this technique. So let's take a look at the source for this. Okay, and that's how I'm generating the href. Normally, if WebObjects is just doing things normally, it asks the context for its componentActionURL, and in this case, if this binding says it should be in secure mode, all it does is take HTTPS and the hostname and prepend the hostname to the URL. And then I do the same thing for a form; this is the SecureForm, by the way, the same basic thing.

This stuff is based on components you can find in WebObjects 5 called component elements. This stuff has been available actually, I think, since WebObjects 4. How many people know about this framework? But basically what it is is just about all the dynamic elements you're familiar with, implemented as components, using all the high-speed things that were done to make components fast. And I use that as a template, and in fact I subclass one of those guys, called WXHyperlink, here to create the SecureHyperlink. So what this looks like is: this is a page that right now is over SSL, and because of some demoing issues I'm going to leave it over SSL, but you're just going to have to take my word for it that that is an absolute URL behind that hyperlink. It doesn't look like HTTPS because I came in over HTTPS; it looks like HTTPS because that's the full URL that was put up there. So let me go back here and have the slides back.

Okay, now there's a better way, in my opinion, to actually get to SSL than using these hyperlinks, and that would be to do SSL via redirection. The technique that I've used in the demo application is to override appendToResponse, and if you're not coming in over SSL I basically tell you either access is denied, or, if the page requires it, I redirect you to it. Of course, the trick there is detecting SSL, and there's really no hard and fast rule for this; these are just some heuristics you might use in your implementation. I have an implementation called isRequestSecure that you can use, that uses this type of information, the HTTP header and the server port, but you really have to get with your deployment engineer to figure out exactly what they're doing, so you can look for the right thing to tell whether or not they're coming in over a secure connection. Okay, so can I have demo two again, please?
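As an added illustration (not code from the session's WWDC demo app), here is the isRequestSecure heuristic and the absolute-HTTPS redirect described above, modelled in Python on a plain request dict rather than WORequest; the header names, the port list and the shape of the SSLReturn direct-action URL are assumptions to confirm with your deployment engineer, as the talk advises.

```python
# Added example (not the WWDC demo app's code): the SSL heuristics and the
# absolute-URL redirect described in the talk, on a plain dict instead of
# WORequest. Header names, ports and the SSLReturn URL shape are assumptions.
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

SECURE_PORTS = {"443"}                    # assumed SSL port(s) for this deployment
SECURE_HEADER_HINTS = {                   # assumed header conventions, lower-cased
    "https": {"on", "1", "true"},         # CGI-style HTTPS variable forwarded as a header
    "x-forwarded-proto": {"https"},       # reverse proxy / load balancer convention
}


def is_request_secure(headers: dict, server_port) -> bool:
    """Heuristic from the talk: look at the HTTP headers and the server port."""
    lowered = {k.lower(): str(v).lower() for k, v in headers.items()}
    if any(lowered.get(name) in values for name, values in SECURE_HEADER_HINTS.items()):
        return True
    return str(server_port) in SECURE_PORTS


def absolute_secure_url(partial_url: str, host: str) -> str:
    """Prepend https:// and the host to WebObjects' partial (server-relative) URL."""
    if not partial_url.startswith("/"):
        raise ValueError("expected a server-relative URL, e.g. /cgi-bin/WebObjects/App.woa/...")
    _, _, path, query, fragment = urlsplit(partial_url)
    return urlunsplit(("https", host, path, query, fragment))


def ssl_return_url(request: dict, session_id: str) -> str:
    """Redirect target: an absolute https URL for an SSLReturn-style direct action
    that recovers the stashed page from the session (URL layout assumed)."""
    url = request["url"]
    base = next((url.split(m)[0] for m in ("/wo/", "/wa/") if m in url), url)
    return absolute_secure_url(f"{base}/wa/SSLReturn?wosid={session_id}", request["host"])


def ssl_decision(request: dict, session: dict, page: str, policy: str) -> Tuple[str, Optional[str]]:
    """What the overridden appendToResponse decides for a page whose SSL policy
    is 'none', 'redirect' or 'deny'. Returns (verdict, redirect_url)."""
    if policy == "none" or is_request_secure(request["headers"], request["server_port"]):
        return ("generate", None)
    if policy == "redirect":
        session["pending_page"] = page    # stashed so SSLReturn can finish generating it
        return ("redirect", ssl_return_url(request, session["id"]))
    return ("deny", None)
```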
Okay, so basically what this demo app is, by the way, is a simple commerce application, and it isn't purely a demo: I wanted to show some of these security concepts in the context of a real application, and even apart from the security stuff you might find this application useful as an example or as a starting point for making a commerce site. So anyway, some of these things require SSL. As it turns out, this create-account page requires HTTPS; since I'm in it, the request is secure; if I'm not, a redirect occurs. Same thing with this sign-in page: if I'm not over a secure request it does a redirect and comes in over SSL. The reason I like this better than just making the link SSL: imagine that this particular username and password page is over HTTP but the form was over SSL. The user wouldn't have any feedback that they're on a secure page; it would look unsecure to them, and they might feel uncomfortable about submitting it even though it was safe. If the page itself makes a decision as to whether or not it should be secure, and can make itself secure on the fly, then you're always guaranteed that when they get to this page they're secure, and therefore when they submit it you're secure. Okay, so back to the slides.
Oh, one thing I guess I should point out about the implementation that I've done here, and that y'all can take a look at: before the redirect happens, I try to do this redirect in a way where I don't get side effects. I've seen techniques like this before where you got a double invocation of an action or you got a double appendToResponse on the page, and I wanted you to have something where when you went to the page it never generated at all unless it was okay to see it, and furthermore, when you came back to it on the redirect, you didn't re-invoke it. The redirect actually happens, instead of re-invoking, to a URL that points to a direct action, a special direct action I call SSLReturn, that goes and recovers the page from the session and then tells it to finish generating its response.

Okay, now you've got your entire app over SSL, every page is accessed over SSL, and you think everything is really secure, except for this little thing. What I mean by session hijacking is someone recovering your session ID, through maybe looking over your shoulder: you get up to go to the bathroom and come back to your system, and all of a sudden they have the session ID to your E*TRADE account and they're taking a look at your portfolio on their machine. So you might want to disable this, and it's not terribly easy, because at some point the session ID has to be in the clear. The solution I use is to emit a cookie that's specific to the session, and when I do that, I check for that on every single request. And so if someone goes to some other machine, not only would they have to look over my shoulder casually, they'd also have to get on my machine, get my cookie file, get the cookie, go over to their machine, stick it in there, and then try and hijack it from there. And if they don't, I throw up an access denied page.

Okay, so this section is somewhat similar to the SSL section, in that I'm overriding appendToResponse, and in some of the things in this section I'm talking about overriding request handling stuff. As it turns out, there's lots of ways to get into a WebObjects application: you can specify a page name, you could specify a direct action on the URL. So it's kind of important to just have the app smart enough not to generate things by default unless you're authenticated; just push the logic into the pages themselves to prevent them from accidentally, you know, rendering when they shouldn't. So one way you can do that is to override page generation, and that would mean overriding appendToResponse and not calling super unless you're logged in, for certain pages. The other thing you might do is page creation protection, where you override pageWithName in the application class and therefore prevent page construction, and there's some pros and cons to this. Well, that's type one: the advantage to overriding pageWithName is you prevent the constructor from ever executing, so if the constructor is doing something that requires sensitive code, it never executes unless you're authorized. But if you override pageWithName in context and they're not authorized for the page, and you return a page that they can't see, you might return null, you might raise an exception; now the code that calls that needs to handle that. So basically, in order to take advantage of that, you have to alter all the places in your application where you use pageWithName. With page generation protection, you actually let the page get created, and you send it a message saying "is it okay to generate you?", and if so, then it can generate. The only downside is you have to make sure there's no sensitive logic in the constructor code of the page, because that will execute under this scenario.

Okay, now this is something else I don't think most people realize, but, you know, if you log in and you have a link to a direct action, and if you never log in you never see that link on the page, it really doesn't mean you can't type the direct action link in the location field of the browser and just directly access that thing anyway. Now, if you use the technique I just talked about for pages, you might prevent the page from rendering; no one can see the page, but that doesn't prevent the direct action that got to that page from invoking. So if there's something sensitive going on in there, and you just want to globally prevent any direct action from firing unless it's actually okay, or it's a non-sensitive direct action, you can override performActionNamed, inspect the passed action name, and just don't call super.
Don't call super if you're really not allowed to invoke that action. And you also have access to the WORequest, so in that method you could look at the form values for the WORequest and the action name itself.

Okay, now you might not think this particular topic, backtracking, would be specific to security, but I put it up here, and in the demo example I created a little algorithm that detects backtracking. So even if you disabled client-side caching, you still might want to know, or give the user some feedback that, you know, backtracking isn't something you want. Now, in an e-commerce site you want people to backtrack, but there's certain aspects of a commerce site, like the checkout process, you know, when you're going through step one, two and three, you probably don't want them to backtrack to step three after they've already made the order. Okay, so it'd be kind of nice to detect backtracking, and I do it by comparing the context IDs of the current request to the previous one, and some other things that are relevant to direct actions, and I don't call super invokeAction if they backtracked on those pages; instead I just return null, which has the effect of refreshing the page. Okay, so can I have demo two again, please?

All right, this action here, accountEdit, requires authentication, and the page itself knows that it can't render itself unless you're authenticated, so instead it shows the access denied page, which puts up this big title, "access not allowed", and "you must log in to access this direct action". Now this page down here, secret stuff, is just a WOComponent, and again, this particular page, instead of the direct action, this time it's the page that's decided it can't render itself, and so it comes up like this. Now if I log in, I've got a test account here. Okay, it says I'm logged in; I should be able to go to accountEdit now. Okay, then, you know, I can see my account information. Okay, you probably notice that these security demos are kind of boring, and I couldn't do anything more graphical than just this, and sorry about that, but most of the stuff is happening behind the scenes, and I know it's not exciting when you see a URL change from HTTP to HTTPS, but it's the best I can do.
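The checks described in the last few sections (the session-specific cookie against hijacking, page generation protection, the performActionNamed gate and backtracking detection by context ID) as one added Python model; this is not the demo app's code, Session and Page are stand-ins for the WebObjects classes, and the cookie name and the accountEdit/checkout page names are assumptions.

```python
# Added example, not code from the WWDC demo app: a Python model of the
# request-handling checks the talk describes (session-bound cookie, page
# generation protection, performActionNamed gating, backtracking detection).
# Session/Page here are stand-ins, not the WOSession/WOComponent API, and the
# cookie name and the accountEdit/checkout page names are assumptions.
import secrets
from typing import Optional

COOKIE_NAME = "wosid_guard"  # assumed; the talk only says "a cookie specific to the session"


class Session:
    def __init__(self) -> None:
        self.guard = secrets.token_hex(16)  # emitted once as the session-specific cookie
        self.context_id = 1                 # context ID of the most recent response
        self.user: Optional[str] = None     # set on successful login

    @property
    def authenticated(self) -> bool:
        return self.user is not None


def cookie_matches(session: Session, cookies: dict) -> bool:
    """Checked on every request: a session ID read off someone's screen is
    useless without the cookie that was issued alongside it."""
    return secrets.compare_digest(cookies.get(COOKIE_NAME, ""), session.guard)


def is_backtrack(session: Session, context_id: Optional[int]) -> bool:
    """A component-action link carries the context ID of the response it was
    generated in; anything older than the latest response came from a cached,
    backtracked page. Direct-action URLs carry no context ID."""
    return context_id is not None and context_id < session.context_id


class Page:
    requires_login = False   # page generation protection: deny unless logged in
    no_backtrack = False     # checkout steps: refresh instead of acting again

    def __init__(self, name: str) -> None:
        self.name = name

    def append_to_response(self, session: Session) -> str:
        """The page itself decides whether it may render (no 'super' otherwise)."""
        if self.requires_login and not session.authenticated:
            return "AccessDenied"
        return f"<html>{self.name}</html>"


class AccountEdit(Page):
    requires_login = True


class CheckoutStep(Page):
    requires_login = True
    no_backtrack = True


PROTECTED_ACTIONS = {"accountEdit"}  # direct actions that must not fire unless logged in


def perform_action_named(session: Session, name: str) -> str:
    """Modelled on overriding performActionNamed: inspect the action name and
    refuse to call 'super' for a sensitive action from an unauthenticated user."""
    if name in PROTECTED_ACTIONS and not session.authenticated:
        return "AccessDenied"
    page = AccountEdit("AccountEdit") if name == "accountEdit" else Page(name)
    return page.append_to_response(session)


def handle_request(session: Session, cookies: dict, *, page: Optional[Page] = None,
                   context_id: Optional[int] = None, action: str = "") -> str:
    """Order of checks: cookie on every request, then backtracking, then the
    gated page generation or direct action. Returns the rendered result."""
    if not cookie_matches(session, cookies):
        return "AccessDenied"
    if page is not None and page.no_backtrack and is_backtrack(session, context_id):
        result = f"refresh:{page.name}"   # 'return null': re-render, don't invoke the action
    elif page is not None:
        result = page.append_to_response(session)
    else:
        result = perform_action_named(session, action)
    session.context_id += 1               # every handled request yields a newer context
    return result
```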
Okay, authentication. I'm not going to go into all these different ways you can authenticate or gather credentials, but I will talk about a couple of things, like when to log in. The typical thing in a WebObjects application, as it turns out, is what I call this front gate login, but there's other ways that I think are more friendly, like on demand, and you might prompt for login on a session timeout. Now, this is the usual means: people put a login panel in the main page, and you have to go through that login panel to get anywhere else. So even if you did have direct actions, if they went and followed the advice before and locked those down, or didn't define any to vector into the app, well, it doesn't matter, because you've got to go in here. So it's like, "hey, come to my site, I've got this really interesting thing over here, but I can't give you a URL to it, because you've got to log in and then you've got to navigate to it, and then you can see it," and people go, "well, I'm not going to bother." It'd be nice to just sort of put a direct action in an email message, send it to someone, have them click on it, and if they're not authenticated just have them, you know, prompted for it. So it'd be nice if you could do something a little bit better than this sort of front gate thing, and that's browse on demand. And the cool thing about the previous stuff I showed you about resource protection: when you override appendToResponse and performActionNamed, you're basically making your direct action objects and your pages smart enough to know when it's okay for them to show themselves, and given that, you can just navigate through the app, and instead of showing an access denied page like I just showed there, might as well just prompt them for login, or prompt them for login or to create an account, and if they create an account and they do so successfully, take them to the intended resource.
Okay, so come to demo two in this case, please. Okay, I'm going to start a new session here, and let's see, I need to start just shopping here. So I've got some specials down here; by the way, the specials logic actually works, it overrides the default price. Let's go home and drill through some of these categories. Let's see, I'll add this to my shopping cart. So I'm just browsing around the page, and I'm able to access some of this stuff, and then I come to this checkout button and click that, and it says, "hey, you're not logged in." So okay, I'll log in, and it goes right where I left off. When I clicked that page, the page didn't know about it; it was actually the superclass that figured out how to return the login page. If I had been logged in I would have just gone here. So the way this algorithm works is: you go to the page, appendToResponse starts to generate the page, it goes, "oh my God, you're not logged in," then it creates a login response instead. And so, in super appendToResponse on the page, it goes and gets the login page and tells it to generate a response and then returns that as the appended response, so I see a login page. But before it does that, I take the page and I put it in a session variable, so when they do successfully log in, the login action can recover that guy from the session and then tell it to finish generating its response, and then you see this step one of the checkout page right here. So, cool, yes, would you like to do this now? Yes. Cancel. Okay, if I had time to put the Visa and MasterCard images up there I would have, but that's what those things there are. So picking my credit card, and do next, and okay, so I'm at the confirmation page, and let's say I backtrack. Okay, it knows that I did that, because it compared the context ID and knew that where I am is not where I was supposed to be. So instead of actually backtracking to that page where the Visa cards are, I'm just looking at this again, and so the user doesn't get confused, I tell them, "hey, you know, you're backtracking, please don't do that within the checkout assistant." But you noticed, before I got in there, there was backtracking all over the place, and that was okay. So anyway, I hope these things will be useful for you. So that's it for that; can I have the slides back?
All right, now, don't be frightened by this; I'm not actually going to go through all those. I've already demonstrated HTML page; I'm going to talk about HTTP panel just a little bit, and client certificates, and just touch on biometrics for a second. The HTTP challenge panel: actually, with WebObjects, since you've got an HTML page, it's probably not necessary to use this, but you might have a situation where you've got to use it because people are using the HTTP challenge panel, that thing that the web server pops up, or that just pops up if you send back a certain header. And it does kind of have an advantage, that it can give you an effective single sign-on, but it can be a little tricky, because if you're not used to it, you've got to look for certain headers in the request, you've got to emit certain headers, the headers are going to be base64 encoded, and your web server might not work as is; you might have to use a special web server. For example, this Authorization header is the one that gets sent back when you're authorized, and pure web servers with CGI and Netscape with CGI don't pass it, but Netscape with NSAPI and the Apache module will. I'm sure there's some other combinations that do as well, but you just have to be aware of it, so you see the panel and then you never get the header and you wonder why; this is why the interface might not be supporting it. And the other thing that's really confusing is this realm. One way that you can get the sort of single sign-on effect is you can pick a realm on your WebObjects app that matches the same realm you need to protect on the web server side for static pages, and so when you authenticate to the WebObjects application and then you access something else that matches that realm, like some of these static pages, you know, your browser is going to pass the authorization stuff down to the web server, and then the web server does the authentication to see whether or not you can see it. Anyway, that gives you the single sign-on effect, so that's kind of cool. But you know what's cooler are these things, if you can get away with it. If you're on an intranet you might be able to get away with this: basically have people authenticate with a client-side certificate.
You've heard of server-side certificates, the kinds of things that you buy to put in your web server so you can get SSL. This is a similar cert, but for the user, something the user submits, something you configure the web server to ask for. And it can also give you single sign-on, because you're basically doing a cryptographic operation between the client and the server, and authenticating to the web server and then getting access to everything behind it, and that might be good enough and you're done, and the WebObjects app doesn't even have to be aware that it's happening. Let me mention something about the second bullet, though. However, in some cases you might actually want to get the digital certificate, and unfortunately that's a little bit problematic right now with the WO adapters. So to address that, even though I'm not going to demo it, a nice gentleman made a special WO adapter that works with Apache as a module on Mac OS X that will properly ask Apache for the proper header where the certificate is, and get that guy and pass it on to your WebObjects application, so your WebObjects application can do things like validate it, or look at user information in the certificate and see if there's an enterprise object associated with that guy, in some type of hook on the application side like Application awake or something like that.

Now, here's something you might actually want to do with that digital certificate on the server: you might want to see if the certificate's been revoked. That's one thing you might want to do in your code, and you do that by looking at a certificate revocation list, and VeriSign and all these other CAs have certificate revocation lists usually posted on the net over HTTP. You can also go to some clearinghouse for this, a validation authority, using OCSP maybe, to get just the status of the particular certificate you're interested in. The reason you might want to do this is this Microsoft example I want to share with you. About a month ago someone posing as a Microsoft employee went to VeriSign; VeriSign, embarrassingly, mistakenly gave them a certificate and a private key that let this gentleman sign code as if he's Microsoft Corporation. Okay, so when you get that little panel, "trust Microsoft Corporation", and you go "yeah, always", that means you could be downloading this guy's stuff, and God knows what you're installing. And that wouldn't happen; that cert got immediately revoked. I mean, when they found out they made a mistake they immediately revoked the certificate, or VeriSign did; it was kind of VeriSign's fault, I guess. But if no one's checking the certificate status, and not many people do, talk about an interesting attack: everything looks safe, and in fact you're being attacked. So it's probably not a bad thing to do, okay.
And lastly, in this authentication section, just a note on biometrics. Personally, I think they're interesting; I don't think I'd recommend them alone, but if you combine them with a password they're pretty cool. And another thing we might be able to show you, at least one-on-one after this, is an example of a biometric system where it detects who you are by how you type, just kind of interesting. But most of these things are thumbprints, palm prints, something about you, your voice, that kind of thing, and a lot of times they're used with digital certificates as passphrases to unlock the private key.

Now, you've gone to all this trouble to have these strong passwords, you've got all the SSL, everything's hunky-dory, but then your users pick passwords like "foobar", numbers, "1234", that kind of thing, and they're susceptible to dictionary attacks. So you might want to prevent people from logging in over and over again with a dictionary attack on your system. So I've got a demo of that; this app happens to implement intrusion detection sort of stuff. Can I have demo two, please?
Okay, so log in with a valid username but a gibberish password. That password must be from Texas. Okay, well, I must have locked that thing down too: you get only one shot at it. I thought I had it set to three, but I must have set it to one, but that's pretty rude, I think; you know, maybe make that a little bit longer. That demo's over. Now there's two kinds of counts you want to do: one based on the username and one based on the IP address. Even though people can spoof IP addresses, you know, you still want to do it, because you want to sort of discourage the possibility of someone going to a workstation, and going to different workstations with the same username, or going to the same workstation with many different usernames, and attacking that way. So if you check both, and you make sure that not too many happen within a certain period of time, you know, then you should be quite a bit safer. Plus you've got a log: this particular demo application is writing these records to the database when a failed login attempt happens; it writes this thing called an intrusion log to the database. Okay.
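The two counts just described (per username and per IP address, within a time window, with each failure written to an intrusion log) as an added Python example; this is not the demo app's code, an in-memory list stands in for its database table, and the window length and the three-attempt limit are assumptions taken from what the talk says it intended.

```python
# Added example, not code from the WWDC demo app: the failed-login counting
# the talk describes, keyed by username AND by client IP within a time window,
# with an in-memory list standing in for the demo's intrusion-log table.
# The window length is an assumption; the talk only says "a certain period".
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class LoginGuard:
    max_attempts: int = 3             # the limit the talk meant to demo (it was set to 1)
    window_seconds: float = 300.0     # assumed; tune with your deployment engineer
    intrusion_log: List[Tuple[float, str, str]] = field(default_factory=list)
    _by_user: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _by_ip: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, times: Deque[float], now: float) -> None:
        """Drop failures that fell out of the window."""
        while times and now - times[0] > self.window_seconds:
            times.popleft()

    def is_locked(self, username: str, ip: str, now: float) -> bool:
        """Locked if EITHER the username OR the IP hit the limit in the window:
        one user tried from many machines, or one machine tried many users."""
        for times in (self._by_user[username], self._by_ip[ip]):
            self._prune(times, now)
            if len(times) >= self.max_attempts:
                return True
        return False

    def record_failure(self, username: str, ip: str, now: float) -> None:
        self._by_user[username].append(now)
        self._by_ip[ip].append(now)
        self.intrusion_log.append((now, username, ip))   # the demo writes this row to the DB

    def attempt(self, username: str, ip: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'failed' or 'ok'. A correct password does not help
        while locked, which is what stops a dictionary attack from completing."""
        if self.is_locked(username, ip, now):
            return "locked"
        if not password_ok:
            self.record_failure(username, ip, now)
            return "failed"
        return "ok"


def run_constructed_scenario() -> List[str]:
    """Constructed sample: three bad guesses from one host, then the right password."""
    guard = LoginGuard()
    results = [guard.attempt("test", "10.0.0.5", False, t) for t in (0.0, 5.0, 10.0)]
    results.append(guard.attempt("test", "10.0.0.5", True, 15.0))
    return results
```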
Now, persistent data integrity. This has to do with things that happen outside your application. There's hashing, encryption and signatures, and timestamps. So in the case of passwords, I don't know how many people do this, but it sure seems like I've been to a few sites and I've seen these password columns, and that password looks pretty damn human-readable, you know, and it'd be nice if it was at least encrypted or hashed. And basically hashing the password is probably at least a pretty good way of storing it, if you're going to store it in a database. And the way the demo application works, by the way, is to do just that: when you sign up for an account and provide a password, the server hashes that password and stores the hash, and it's a one-way function, so you can't recover the password from the hash. And when I authenticate, when I go to that login panel, I'm fetching the user, taking the password that they inserted, hashing that, and then looking at the hash for the user's password, and I compare them; if they're the same, then, you know, I know that they're okay and they get to get in. I assume everyone knows what a hash is, so I'm going to have to move on.

Encryption: this is a situation where you make the thing look scrambled, but you can actually recover it. For passwords that's not necessary, because you're just doing a comparison, but for a credit card number you might want to encrypt it. And again, I've seen a few websites, you've probably heard of a few, where they go in and they hack in and they get all the credit cards. Sometimes those people do go ahead and encrypt their database, and they just don't put the secret key in a safe place, but hey, at least you've got to encrypt things like that. And there's ways of doing it with key-value coding, with special accessors, so it happens transparently, so the rest of your app doesn't have to care. And, well, unfortunately, yes, after you do that, people might hack the database, but to get the credit cards they'd have to hack the database, get the credit cards, then hack some server that's storing the private key or the secret key and get that too. But you could put that secret key in a pretty safe place, kind of locks within the locks, and one place might be the Mac OS X keychain. If you went to the security framework talks from earlier, it's actually got a standard C interface, and you could use the Java native API to put that key into that keychain and then lock that down. In my particular case, in the demo example, I'm putting the secret key used for the encryption in a Java key file, you know, in a file in the project. But if you really want to be secure, you can actually put the key in a hardware device; Chrysalis and nCipher create these things where all the cryptographic operations happen on the device, and the private key or the secret key never even leaves that device to get into memory, so they're extremely difficult to hack; you actually really have to be at the machine, to have possession of this hardware token, in order to hack into it.

And to do this stuff, can I have demo two, please? To do all this stuff I'm actually using the Java Cryptography Extension; they do work with Java 2, and that's kind of the nice thing about WebObjects 5, is that I can use all these Java 2 things and just drop the jars from Sun's website and they work. So in this case I'm just going to show the source code to my credit card class. Okay, and let me come to this; don't worry about that, in a second. Okay, this is the method decryptedCCNumber and setDecryptedCCNumber; this is the method that all the code calls, and it does the encryption and decryption on the fly, and the encryption and decryption is actually handled in this class called SecurityUtilities, decryptBase64String. Basically what I tried to do in this demo is factor out as much of the security-related stuff into this class called SecurityUtilities, so you have one place to look at, and I actually commented it, you know. And that does the work of encrypting it and then base64 encoding it, and I base64 encode it so I can just sort of drop it in any kind of database, and regardless of what type, even if they just have barely a few ASCII characters supported for that column, I can safely store the thing. Now there's an actual attribute down here called creditCardNumber, and that sets and gets this encrypted gibberish, so if you look at the return value for that you see the encrypted value, which is just a bunch of funky-looking stuff. Okay, so can I have the slides back here?
Actually, one of the reasons I wanted to have this demo for you guys to download is that 99% of the stuff going on in these things is happening underneath the covers; it's stuff you can't see. So I wanted you to be able to, you came out here for the developer conference, I wanted you to be able to, you know, walk away with something that would carry you forth afterwards.

Signatures and timestamps. This has to do with safely storing documents. You could store a hash of a document: you could store the document, you could store the hash, and that might be good if you're protecting against things like just accidental corruption of the file, because you can check the hash and see if it matches up at a future date, and if the hash for the document matches what's in the database, you have some reliance that it wasn't tampered with. But someone could always alter the document, create a new hash and store both, and then you wouldn't see that someone had altered things. So that's why you might want to digitally sign the document and store the signature with it. And if it was important that something happened, like this is a contract and it was important that the time was recorded on this, you might want to use a third party to get a digital timestamp. If y'all don't know what that is, basically there's these third parties where you can take your document, hash it, take the hash, send it to these guys (I think surety.com is one of them), and they will basically take your hash, put a timestamp on it, digitally sign that, and send that back to you. You can take that and put it in the database. And as it turns out, what I'm describing is basically a digital receipt, and there's an XML standard for doing documents like this; you don't have to put things in two places, you can just put them all in one XML document, and that URL at the bottom is the org where you can find the DTD for that. Okay.

Now, messaging integrity. This is actually very similar to the document stuff, but instead of storing things persistently, I'm talking here about throwing things up to the user.
Adobe 5, not the Reader but Adobe Acrobat 5, supports digital signatures on Mac OS 9; it actually runs on Mac OS X in Classic, and should be, I guess, carbonized pretty soon, I'm not sure; I know it runs on Windows. So you basically have this solution where you can put it on just about any desktop out there and get digital signatures done. And you might want to do that for, actually the point at the bottom I think is the coolest: paperless workflow, or actually employee forms processing. Those two things, inside a business, you're in an intranet, you could actually distribute the software on clients, and your web app, your WebObjects application, could, like, you're doing stuff and it returns a contract, "do you really wish to agree to this type of insurance?", or claims processing for HR. And you can have your private certificate, which, hey, it might be embedded on one of these, which would be kind of cool, and then you can insert this, if it were a smart card (this one isn't, don't get excited); if this were a smart card you could stick it in the machine and then digitally sign the document with it. You could save the signed version on your system, or you could post the signed document back up to the server, and in a way that's a lot better than a handwritten signature, and there's nothing to fax, you know, there's no paper, and it's pretty secure, or can be, if you have a pretty strong public key infrastructure.
Now, this B2B thing is very similar to what you saw, in a way, just the other day in the WebObjects session on XML. Here I'm talking about doing exactly what happened there: you've got two WebObjects apps talking to each other. But wouldn't it be nice if you could, like, digitally sign just some arbitrary content, so the receiver of it could know that this wasn't some, you know, Joe Blow with no authority to buy the 100 Power Macs? And in reverse too, you know: so when you're done processing the order, when you send a response back, you might digitally sign that. And to do that in WebObjects you have a few things to help. You've got WODirectActions to turn WO apps into services. You've got the WOMessage API for programmatically creating requests, sending them to a server, and getting the response back. And you have some XML management stuff for generating it and interpreting it.

So what I did, actually, I took the demo that you saw yesterday for XML processing, and just took it and added a utility class, which again is another thing that'll be a resource for you guys, and then added a little bit of code to the actual original source code to add a signature to that XML. Okay, so the request ends up getting signed, with the signature in a header field, and then I send that down to the server, and the server validates that the content and the signature passed in are okay. Okay, so then, can I go to the guest, please?
Okay, this is the class with all of the digital signature stuff, and let me show you where I build up this request, or actually interpret the responses. Okay. Okay, here's the code that does it. As it turns out, I've got an element called signature value, and then I take the body of the SOAP document, in this case. I take those two pieces of information and then I send them to this signature XML utilities class I was talking about and say: verify our XML element with the signature, passing the body, passing the base64-encoded signature, and an output format for it to use, and then it just returns whether or not that thing was okay. Right, so this isn't specific to SOAP, I mean, you could use this particular utility with anything, and it uses, again, the Java Cryptography Extensions to perform the digital signature and the digital signature verification. So I would show you the demo, but it's exactly like yesterday's, I mean, you just fill something in and you go to it, and besides, it's not running. So, okay.

This is actually the last piece of this guy, the sixth part: access control. So you're authenticating to a web server, and you've authenticated, and now we know who you are.
Most of the stuff I've talked about so far is: what do I do if I don't know who you are? Okay, but now I do. So I've got an enterprise object or a page, and the page has certain restrictions, and I'm a user, I might be in certain groups, so whether I get to see it or edit it or do something else to it depends on the combination of state.

Okay, now here's something I actually presented, I think, before, with one little wrinkle here. Here's just an example implementation you might stick on an abstract superclass for enterprise objects: canShow and canEdit. Pass in a user object and just let the enterprise object figure out what to do with it. This is a nice, simple interface that the higher levels in your app can program to, because if you just use a basic interface like that (move over to here), you can apply conditionals, you can filter out EOs. And one thing I'd recommend in this particular area is, like, if you have an EOEditingContext, you might subclass it and override objectsWithFetchSpecification, call super, and the actual results that you kick back, you might ask the results: are you readable? are you readable? are you readable? And if you are, put you in a subset and only return the subset. Then you kind of have a global, you know, way of keeping the result set to a minimum, or just, well, just so you don't, like, show a count of seven and the user only sees five rows. You know, that doesn't look good. And then maybe you could look at group membership based on the users to collectively hide and show big swaths of the UI. But anyway, back up to this.

Okay, the other thing I didn't actually, in my demo application I have examples of using an implementation of canShow and canEdit. I don't have an example of valueForKey, user, and takeValueForKey, user, but the idea for that is similar to key-value coding, except the user argument is thrown in as well. And the reason you might want to add something like that, or an interface or something like that, is you might have a big honkin' record with, like, a hundred columns, and guests can see this much but certain privileged people only get to see these attributes, you know. And if you had a component which is smart enough to use that API, and you just decided to use that and standardize on it, you know, you could control access at the granularity of attributes with an interface like that.

Now, what about the implementation behind an interface like that? Okay, here's a very simple interface that makes some assumptions. I've got, these are methods that might be on, say, a product or category. As it turns out, in my demo application the category entity and the product entity subclass from an abstract class called ProtectedObject, and they implement default implementations of this, a little bit more advanced than what I'll show, but that's where you'd put it. Just put it on a to-one relationship, and it might have a relationship to its owners, a to-many relationship. And this particular one says: if the passed-in user equals the creator, you get to see it; if it is a member of the owners, you get to see it; if not, it's false. And the canEdit is trivial: basically the rule is, if you can see it, you get to edit it. Okay, so a simple one, but you could get more elaborate. Oops.

And these are sort of the two high-level, basic ways of doing access control: there's discretionary access and mandatory access. Discretionary access is what you're sort of used to. Mandatory access is something I'll go into a little bit if I have time, but it is definitely a lot different than discretionary access, and it's pretty important to customers in the government, especially secured agencies and so forth. Okay, so let me show you this, what's going on here.
Okay, diagram. All right, this is a diagram view of the classes which are relevant to the access control stuff. I don't know if y'all knew this, actually it came as a surprise to me a few months ago: there's actually a Java spec for defining ACLs. It's called, if I can remember correctly, java.security.acl, and there's some classes in there. And so what I've got here are a bunch of EOs, EOGenericRecords, that implement those interfaces. Okay. And instead of, like, writing my own implementation of an ACL policy that interprets all the state and figures out what to do, I've got an EO that actually uses the implementation provided by Sun to digest this state and tell what's going on. So actually it's not very much code. And let's say we've got the classes involved: ACLEntry, which implements the Java AclEntry interface; UserGroup implements the Group interface; Permission implements the Permission interface; Person implements the Principal interface. And all these guys are sort of networked together and basically ready to work with any Java ACL policy that adheres to the interfaces defined by JavaSoft. So we go into the application here.
I knew I was gonna do that. I gotta make sure I type this right. Good. Okay, let me take a look at something that's protected: categories. Now, what I've done is kind of logged into an administration form of this application, and I'm not even gonna, I'm gonna try to actually explain this, I don't know how I'm gonna do it. Okay, so we've got product categories, and I'm logged in as the admin, I'm in the marketing group, and what you're looking at here is a list of all the categories in the system. So I'm in as an administrator, but I'm doing some things you'd never put in an administration user interface; I want to illustrate what's going on here. As it turns out, the Accessories category, I can edit its name and so forth, it's got these three access control list entries. Okay, and I'm sorry the font's kind of small, I should have boosted it for this, but let me read it for you: if you're in the marketing group you get to read it; if you're in the administration group you get to read it; if you're the user M Neuman you get to read and write it. Okay, and as it turns out, admin is in the marketing group, and therefore what does that mean? Marketing group: read.

Now, what's kind of cool about ACLs is that, unlike the UNIX file system, if someone's in a group and they get to read it, you can strategically pull someone out, remove access. So let me edit this guy. And what you're seeing here is an ACL edit component, part of the project that you will get if you want it. And let's add an ACL entry here that's applicable to admin, not applicable to a group. I'll make it a read permission, and I'll select negate. Okay, and then save this. And if you look down here, I can't read it anymore, and this list of available permissions is now empty. All right, so that's how it works, and you can sort of keep stacking these things on. And the way the Java policy works is it takes these two sets and it merges them, and negatives cancel out positives, and what you're left with in the resulting set is a set of available permissions. And then all I do in my canShow and canEdit methods is just call one line on the ACL policy which says: do you have this permission or not, yes or no, and then return that. So it's a pretty clean little interface, I think. And you can, like, add new permissions to make up different things: read, write, I added one called upload. You might have other types of permissions or things you might want to randomly stick in here, and it's pretty easy to extend. Okay.

Okay, so the first thing I covered was protecting privacy: that was SSL, components to generate absolute URLs. I showed redirection, detection of SSL, and doing that without side effects; I didn't want the side effect of the double generation of an action, of the double generation of a page. For protecting resources I showed overriding some request handling methods, I think they were performActionNamed, pageWithName, and appendToResponse. And one thing I didn't talk about, but I think might be important, is if you wanted to, like, totally override everything in the app, or at least inspect everything, you can override dispatchRequest on the application object, and you can ask the request: what is your request handler? And actually lock down things like the resource manager. The resource manager is responsible for vending out images and maybe charts or dynamic graphs. If it's the resource manager, you might look at the URL and you might look at what kind of resource it's trying to get, and if they're not logged in, maybe they don't get to see that, you know. So I meant to mention that and didn't, but that's just one of the things in protecting resources. On authentication, I talked about using digital certificates and the importance of actually validating their status. And for persistent data integrity I talked about and showed using hashing of passwords and encrypting credit cards, and talked about digitally signing documents. And for messaging integrity I actually did sign a document, digitally signed a request, and then validated that request on a server. And then finally, for access control, I was using an ACL implementation and combined that with EO, so you could get the best of these Java standards plus what WO has to offer.
So these are the kind of places you might want to go to get some more information. This FAQ from RSA is awesome if you want to know a lot about security; in a nutshell, it's a pretty good resource. If you're interested in, like, protecting your secret keys, nCipher has a pretty neat device for storing that; so do a few other companies, Rainbow comes to mind, and Chrysalis. Digital receipt, that's an open source place to get the DTD for the digital receipt stuff. Validating certificates, that's a company that validates certificates, a certificate authority; there's many companies that do that, you've got VeriSign, there's Thawte. There's, interesting, that digital timestamp, actually that should be surety.com, s-u-r-e-t-y dot com. And then signing plug-in, adobe.com.

So I guess we still have, there's still lab left today. So we're, it's 10:30, you still have a chance to go and play with WebObjects 5, and if you feel like it you might even vote for the app server thing. And the next presentation is Optimizing WebObjects; that's coming up a little bit later. It's not directly related to it, but, you know, it's Friday and there just isn't much left, so, you know, I had to put something on this slide. Feedback form, of course, on WebObjects later on today. And here's who to contact if you'd like to know more, or you want to give feedback on the product or problems and so forth: our director of WebObjects engineering, and Bob Fraser for product marketing, at the same email address. And if you're interested in consulting, integration, training, and so forth, there's iServices.

Thank you for seeing all this many times this week.
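The ACL resolution the demo walks through (marketing group read, M Neuman read and write, then a negated read entry for the individual admin), as an added Python model that is not the session's code: it assumes the java.security.acl rules as documented, namely that positive and negative entries at the same level (individual or group) cancel each other and that individual entries override group entries, and the user and group names are constructed to match the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    members: frozenset          # user names; users themselves are plain strings

@dataclass(frozen=True)
class AclEntry:
    principal: object           # a user name (str) or a Group
    permissions: frozenset      # e.g. frozenset({"read", "write"})
    negative: bool = False      # the "negate" checkbox in the demo's edit component

class Acl:
    def __init__(self, entries: list) -> None:
        self.entries = list(entries)

    def _collect(self, user: str, groups: bool, negative: bool) -> set:
        perms: set = set()
        for e in self.entries:
            if isinstance(e.principal, Group) != groups or e.negative != negative:
                continue
            if (user in e.principal.members) if groups else (e.principal == user):
                perms |= e.permissions
        return perms

    def permissions(self, user: str) -> set:
        ipos, ineg = self._collect(user, False, False), self._collect(user, False, True)
        gpos, gneg = self._collect(user, True, False), self._collect(user, True, True)
        ipos, ineg = ipos - ineg, ineg - ipos      # same-level conflicts cancel out
        gpos, gneg = gpos - gneg, gneg - gpos
        return (gpos - ineg) | ipos                 # individual entries override group ones

    def check_permission(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)

def can_show(acl: Acl, user: str) -> bool:    # one yes/no call into the policy,
    return acl.check_permission(user, "read")  # as the talk's canShow does
def can_edit(acl: Acl, user: str) -> bool:
    return acl.check_permission(user, "write")

# Constructed to match the demo's Accessories category; admin is in marketing.
ACCESSORIES = Acl([
    AclEntry(Group("marketing", frozenset({"admin"})), frozenset({"read"})),
    AclEntry("mneuman", frozenset({"read", "write"})),
])

def negate_admin_read(acl: Acl) -> Acl:
    # The demo's edit: a negative read entry for the individual admin, not for a group.
    return Acl(acl.entries + [AclEntry("admin", frozenset({"read"}), negative=True)])
```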