March 18, 2005
Ron Bodkin on Aspects and Security (AOSD 2005)
I missed the beginning of this talk, so here's the story from half-way through.
Ron is showing an aspect for JAAS authentication. It uses around
advice to set up a JAAS LoginContext around secured request
operations. Making the point that more web containers are now starting
to provide built in support for this. Role-based authorization is
straightforward too - just use before advice to get and check the
Permission before executing an authorized method.
Motivating example - editing employee data. A manager can only read and edit sensitive data for their own employees (it's not a general permission to say "can I read employee data or not"). We need data-driven authorization. Ron is starting off by showing how you would implement this with a standard java proxy-based solution. Requires custom factories and invocation handlers. Better than scattering the code all throughout the app, but it's a primitive form. Using aspects you can code this in a simpler more reusable way. Define a pointcut for a sensitive operation. Use before advice that takes advantage of exposed context.
Now Ron is adding in security auditing - you certainly want to audit failed authorization checks for example. Uses after returning advice to record a successful authorization, and after throwing advice to record a failed one.
Next example shows how annotations are useful in working with security and aspects. For example: pointcut p3pDataAccessField(Field field) : get((* @P3P) *.*) && ... (P3P is a standard for data privacy, defines about 17 types of sensitive data).
Next example is an aspect that filters out sensitive results (rows) from a database query. Using around advice to do this. Adds a where clause constraint to the query before it executes.
Domain-specific tools are really important here. it's not the programmer that we want to be making security decisions. Security experts should do this - and showing those experts a bunch of pointcuts won't work. Need something on top.
Final example: UI filtering requirements. You should not give people links or options to do things that they are not authorized to perform, show them fields that they are not allowed to see etc. Basic strategy: advice finds unauthorized field display. servlet filter removes complete context. Deployment options are precompiled JSPs, or configure containers JSP compiler to us ajc.
Posted by adrian at March 18, 2005 11:54 PM [permalink]
Post a comment
Thanks for signing in, . Now you can comment. (sign out)(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)