Themes:
5 security layers
Tutorial online, canonical app. fortressdemo and fortressdemo2 on GitHub.
Tomcat server: turn on the HTTPS connector in server.xml, provide a keystore.
Java EE container: add to web.xml, the container checks whether you have the role or not (y/n).
Policy decision point file.
Use OpenLDAP Sentry RBAC controls 0-3.
3 standard interfaces
Encryption: OpenLDAP uses OpenSSL.
Spring Security: mappings between pages and roles.
Web framework
Wicket, e.g. passing page and role.
DB access object
Check access in the DAO.
Encryption
MySQL, OpenSSL
Demo
Fortress suite for RBAC, was OpenLDAP hosted, now Apache. Includes audit.
PaaS (?)
Pivotal Cloud Foundry
Platform as a service
You manage the VM; scaling is provided.
Upgrade the app to use the cloud if easy. Cloud Foundry's IdM out of scope.
LDAP not in cloud.
Cloud Foundry VM, Warden container, servlet container, WAR.
5 areas of CF security to reconfigure.
Different context: you don't set up Tomcat, Cloud Foundry does. So SSL termination is at the cloud. Only one cert needed for all transactions.
MySQL connection same. No JDBC. Injected at runtime.
JEE realm config and JSSE trust store: install buildpacks in Cloud Foundry (stack).
Linux containers: Warden container isolation of multiple processes. Shell, environment, PIDs independent of other apps. Chroot on steroids. Multiple VMs per Warden.
Cloud Foundry can install on laptop.
- Simplicity
- Common sense
- Household analogy
- Java Secure Socket Extension
- Java EE security
- Spring Security - locks on the door
- Web app framework - household permissions, e.g. turning on the TV
- DB functions - what channels the child can watch
OpenLDAP Sentry RBAC controls 0-3, the 3 standard interfaces:
- 1 admin
- 2 review
- 3 system
A very fast presentation with a lot of diagrams = hard to take notes on. But the idea was very interesting: security at every layer, and a freely available presentation (from Oracle somewhere) and GitHub projects. Not sure if Cloud Foundry is free or not, but even the non-cloud application security part was good enough. I wonder if the GitHub project will have a link to the presentation.