
Faculdade de Engenharia da

Universidade do Porto

SES 2017/2018

Report

Securing a Java EE 7 application

Luís Filipe Fernandes Costa Melo 201206020


Marco António Fernandes Gonçalves 201708897
Tiago Cardoso Matias 201700427

Professors:
Ana Cristina Ramada Paiva
António Miguel Pontes Pimenta Monteiro

May, 2018
Contents

1 Introduction 2

2 Theoretical Background 3
2.1 Authentication 3
2.2 Access Control 4

3 Java EE Structure 6

4 Methodology 8
4.1 Java Class Library 8
4.2 Session Bean 8
4.3 Client Application 9
4.4 Enterprise Application 9
4.5 Glassfish 10

5 Project Guide 11
5.1 Installation Guide 11
5.2 User Manual 11

6 Conclusion 13

1 Introduction

This document is a complete report describing what was done, what was observed, and some points of
interest regarding the assignment Securing a Java EE 7 application. It was prepared in the context of
the Security in Software Engineering course taught at the Faculty of Engineering of the University of
Porto.

To complete this assignment, Java EE was used for the Enterprise Java Beans and the application client.
Java Enterprise Edition (Java EE) is the standard for community-driven enterprise software. Java
EE is a free, open-source platform developed with contributions from industry experts, commercial
and open-source organisations, Java User Groups, and countless individuals. Each release integrates
features that address users' needs.

Figure 1: Java EE icon.

NetBeans 8.2 was also used. NetBeans is a free, open-source IDE for software developers working in Java,
JavaScript, HTML5, PHP, C/C++, among others. It is a multi-platform tool.

Figure 2: Netbeans icon.

Finally, GlassFish was used, which is a free application server for Java EE. GlassFish supports
Java EE components such as Enterprise JavaBeans, which were used in the preparation of this work.

Figure 3: GlassFish icon.

2 Theoretical Background

2.1 Authentication

Authentication can be defined as the "binding of an identity to an entity", where an identity is the
name of some entity. In computer systems, an entity can be a user, a computer node on a network
or even a program running on the system. Authentication plays a very important role in
security: it is the basis of access control and accountability.

Being a widely studied area, much of its functionality is standardized, including the process required to
authenticate, which is the following:

1. Registration: in this phase information about the user is collected and an identity is assigned
to the entity; the password and other information about the user must be stored safely;
2. Identification: in this step the user must specify his identifier;
3. Verification: in this last phase the system authenticates the user if the information entered
is correct.

The verification process typically relies on one of four kinds of characteristics associated with users:

1. Something the user knows: passwords, PINs, etc.;
2. Something the user possesses physically: token, smart card, etc.;
3. Something the user is: face, iris, etc.;
4. Something the user does: voice, signature, etc.

Password authentication is still the most used authentication method: the user provides a
username and the system asks for the password. If the password is correct, the user is authenticated.
After the user is authenticated, the system checks which permissions that user has to access the
system, i.e. it determines what privileges the user has and what control he has over the
system. Regarding the password, a salt prevents two identical passwords from being visible as duplicates
in the password file, increases the difficulty of offline dictionary attacks, and makes it impossible to
tell whether the user has the same password in several different systems.

Nowadays there are many authentication security issues that software and security engineers try
hard to fix and prevent. The most common of them are:

1. Client attacks: the attacker attempts to authenticate without access to the authenticator;
2. Host attacks: the attacker attempts to obtain the password stored in a file on the host;
3. Eavesdropping: the attacker tries to find written-down passwords, uses key logging, network
interception, etc.;
4. Replay: the attacker tries to reuse previously captured user information;
5. Trojan horse: a disguised application that tries to capture user data maliciously;
6. Denial of service: the attacker tries to disable the authentication service.

2.2 Access Control

Access Control is, according to Ross J. Anderson, the centre of gravity of computer security;
its function is to control the access of the various users of the system to its resources, regulating
what can be queried, what can be executed and what can be shared [1].

According to RFC 4949, the document that defines the glossary of Internet security terms,
the definition is similar: "The process by which use of system resources is regulated
according to a security policy and is permitted only by authorized entities (users, programs, processes,
or other systems) according to that policy" [5].

The two definitions are in line with each other, and the most important thing to keep in mind is that
Access Control is a set of activities that help to guarantee the computer security of the
most diverse devices, encompassing, as shown in Figure 4:

• Authentication: establishing which entities can access the system;

• Authorization: the process of granting access to a resource by a system entity/user;

• Auditing: verification and examination of user activity;

• Security administration: maintenance of the authorization database (responsible for
mapping authorizations between users and resources).

Figure 4: Activities that are part of Control Access process

To control the access of each user to the resources, four access control policies are standardized,
which are:

• Discretionary access control (DAC): there is a complete matrix with the various
combinations that map which of the possible operations each existing entity may execute;

• Mandatory access control (MAC): similar to DAC; however, permissions cannot be
transferred between subjects;

• Role-based access control (RBAC): each user has one or more associated roles, and the
constraints are expressed at the role level rather than the entity level;

• Attribute-based access control (ABAC): the most complex, in which access to the
attributes of a given resource is decided based on the attributes that a user or entity possesses.

During the laboratory experiment that will be described next, RBAC was used.

3 Java EE Structure

Java EE is a set of technologies and integrated APIs designed to function as the infrastructure
for an enterprise application. Some complexity is therefore unavoidable to ensure that the system
is as reliable and secure as possible, so that all users are protected from malicious actors.

Thus, Java EE has a container-based security layer, shown in Figure 5, which can be of two types,
declarative or programmatic. The first exists as a file external to the main application (a deployment
descriptor) or as annotations in the code. The second exists in the form of an API, allowing the user
types and their permissions to be checked and changed from within the code [2].

Figure 5: Java EE Containers Architecture.

Java EE also has at its disposal a complete infrastructure for Authentication (the process of
verifying an entity [3]) and Authorization (Access Control, the process of differentiating the
privileges of an entity over a certain resource [3]), which gives security to the applications. It
also provides services such as Data Integrity, Confidentiality, Non-repudiation, Quality of Service
and Auditing [4].

The normal flow of a simple call to an EJB method with container-managed authentication is
described in Figure 6.

Figure 6: Simple Sequence Diagram for invoking an Enterprise Bean Method (based on the official
Oracle Java documentation).

Authorization of access to methods or beans can be declared via annotations in the code or through
user/role mapping in an XML deployment descriptor.

4 Methodology

The project was developed in the NetBeans IDE for Java EE applications.

The project is an aggregation of four Java projects, presented in Figure 7, and each one is
detailed in the following sub-sections.

Figure 7: Project folder.

4.1 Java Class Library

The Java Class Library in the project holds the main interface class. This file serves as
the interface for the methods that are bound to the particular user groups specified in the GlassFish
server.

4.2 Session Bean

The Session Bean in the project is responsible for the business logic. In this module, where
the session bean was created, all the methods were implemented together with the user group
permissions required by the project requirements. The requirements specified 3 distinct
groups (low user group, medium user group and high user group) and 4 distinct user operations:
square root (√x), cubic root (∛x), power to a given exponent (x^y) and the logarithm in a given
base (log_y x).

Given these requirements, four methods were implemented, with the relevant user group access defined
by the @RolesAllowed() annotation as shown in Listing 1.

Listing 1: Business logic

    // At the top of the bean's source file, so that pow, sqrt, cbrt and log can be used unqualified.
    import static java.lang.Math.*;

    // Only callers whose GlassFish groups map to the named role reach the method body;
    // the container rejects every other caller before the method runs.
    @Override
    @RolesAllowed("high")
    public double calcExp(int base, int exp) {
        return pow(base, exp);
    }

    @Override
    @RolesAllowed("medium")
    public double squareRoot(int x) {
        return sqrt(x);
    }

    @Override
    @RolesAllowed("medium")
    public double cubicSquare(int x) {
        return cbrt(x);
    }

    // Logarithm of the first argument in the base given by the second argument (change-of-base rule).
    @Override
    @RolesAllowed("low")
    public double opLog(int base, int exp) {
        return log(base) / log(exp);
    }

4.3 Client Application

The Client Application is responsible for the User Interface. Here the graphical calculator was
implemented, as shown in Figure 8.

Figure 8: Java EE Application.

4.4 Enterprise Application

The Enterprise Application is a wrapper that connects the business logic and the UI.

A user action on the calculator buttons calls the methods implemented in the
Session Bean which, according to the account used to log into the application, either allows the user to
perform the action or creates a message window alerting the user that permission was denied, as shown
in Figure 9.
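The following is an added example, not the project's own source, that puts the annotations of Listing 1 into a complete stateless bean using the report's role names, adds the programmatic counterpart via SessionContext mentioned in Section 3, and shows how a client turns the container's EJBAccessException into the permission-denied message of Figure 9; the type names SecureCalc, SecureCalcBean and CalcClient are hypothetical.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical remote interface; in the report this part is played by the Java Class Library.
@Remote
interface SecureCalc {
    double calcExp(int base, int exp);
    double opLog(int base, int exp);
}

@Stateless
@DeclareRoles({"low", "medium", "high"})   // roles the container enforces; GlassFish maps them to the groups of 4.5
public class SecureCalcBean implements SecureCalc {

    @Resource
    private SessionContext ctx;              // injected by the container; exposes the caller's identity and roles

    @Override
    @RolesAllowed("high")                    // declarative: the container rejects other callers before the body runs
    public double calcExp(int base, int exp) {
        return Math.pow(base, exp);
    }

    @Override
    @RolesAllowed({"low", "medium", "high"}) // any authenticated group may reach the body...
    public double opLog(int base, int exp) {
        // ...and the programmatic check refines the decision inside the method, with the caller's name at hand
        if (!ctx.isCallerInRole("low")) {
            throw new EJBAccessException(ctx.getCallerPrincipal().getName() + " is not in role low");
        }
        return Math.log(base) / Math.log(exp);   // same formula as Listing 1
    }
}

// Client side (hypothetical): a denied call surfaces as EJBAccessException, which the UI shows as Figure 9's window.
class CalcClient {
    static String invokeExp(SecureCalc calc, int base, int exp) {
        try {
            return String.valueOf(calc.calcExp(base, exp));
        } catch (EJBAccessException denied) {
            return "Permission denied: " + denied.getMessage();
        }
    }
}
```

With the group memberships of Section 4.5 (the high user in all three groups, the medium user in medium and low), calcExp is reachable only by the high user, while the declarative and programmatic checks on opLog admit all three.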

Figure 9: Client App Permission Denied.

4.5 Glassfish

For the application to work properly, GlassFish must be set up with the required user groups.
For this purpose the GlassFish server must be running, and the GlassFish administration console, which
listens on port 4848, is easily accessed with a web browser (localhost:4848).

The setup of user groups in the GlassFish console is done under Configuration -> Server-Config
-> Security -> Realms -> file. Under Manage Users it is possible to see existing users and user
groups and/or create new ones. For this project, 3 users were created: the low user belonging to the
low user group, the medium user belonging to the medium and low user groups, and the high user
belonging to the high, medium and low user groups, as shown in Figure 10.

Figure 10: Glassfish user groups.

This step is extremely important because the application validates the login against the credentials
created in GlassFish, and without them the application cannot work correctly.

5 Project Guide

5.1 Installation Guide

In order to run the application, it is necessary to install the NetBeans IDE for Java EE applications.
After installing NetBeans, simply import the four project folders and set up GlassFish as
explained above. When this step is completed, select the EACalc folder and click Run, as
shown in Figure 11. NetBeans will start all GlassFish services and then open a
window where you can authenticate to use the calculator.

Figure 11: Setup to run the project.

5.2 User Manual

On each application startup, the first window shown is the account login, Figure 12. The form must
be submitted with a valid username and password in order to access the calculator.

Figure 12: Login Form.

In the case of a successful login, the calculator can be used to perform the desired operations. To
perform operations with the calculator the following rules must be respected:

• square root: press the (√x) button, choose a number and press the (=) button (e.g. √16, result =
4), Figure 13;

• cubic root: press the (∛x) button, choose a number and press the (=) button (e.g. ∛8, result = 2),
Figure 14;

• power: choose a number [x], press the (exp) button, choose a number [y] and press the (=) button
(e.g. 2^2, result = 4), Figure 15;

• logarithm: type a number (y), press the (log) button, type a number (x) and press the (=) button
(e.g. log_10 10, result = 1), Figure 16.

Figure 13: Square root of sixteen.

Figure 14: Cubic root of eight.

Figure 15: Two to the power of two.

Figure 16: Base-ten logarithm of ten.

6 Conclusion

This work, carried out within the scope of the Security in Software Engineering course, allowed us to gain
experience with a technology widely used in industry, as well as to consolidate state-of-the-art
knowledge of authentication and authorization methodologies which, being technology-agnostic, can be
implemented on any platform.

The project consisted of the implementation of a simple calculator whose features were only
accessible to certain types of users defined through the GlassFish interface, as well as the orchestration
of the authentication and authorization processes, making use of the Java EE API and functionalities.

Finally, it is possible to affirm that all the objectives proposed for this experimental work were
successfully achieved.

References

[1] Ross J. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. 2nd ed. Wiley Publishing, 2008. ISBN 9780470068526.
[2] Marina Fisher et al. Java EE and .NET Interoperability: Integration Strategies, Patterns, and Best Practices. Upper Saddle River, NJ, USA: Prentice Hall PTR, 2006. ISBN 0131472232.
[3] Alexandre M. S. P. Moraes. Autenticação, Autorização e Accounting: Conceitos Fundamentais. https://alexandremspmoraes.wordpress.com/2013/02/15/autenticacao-autorizacao-e-accounting-conceitos-fundamentais/. [Online; accessed 01-May-2018]. 2013.
[4] Oracle. Overview of Java EE Security. https://docs.oracle.com/javaee/7/tutorial/security-intro001.htm. [Online; accessed 01-May-2018]. 2014.
[5] Robert W. Shirey. Internet Security Glossary, Version 2. RFC 4949. Aug. 2007. DOI 10.17487/RFC4949. URL https://rfc-editor.org/rfc/rfc4949.txt.
