Enterprise Ajax security with ICEfaces.The question is simple: Can enterprise application developers deliver Rich Internet Applications This is a list of rich Internet applications. They are organised by their use. Communication
The evidence is mounting: The Yammer (1) and MySpace (2) worms are two early examples that illustrate Ajax based implementations are susceptible to attack, and these attacks have the particularly nasty characteristic of being completely invisible to the users being violated, and thus can proliferate pro·lif·er·ate v. To grow or multiply by rapidly producing new tissue, parts, cells, or offspring. at astounding a·stound tr.v. a·stound·ed, a·stound·ing, a·stounds To astonish and bewilder. See Synonyms at surprise. [From Middle English astoned, past participle of astonen, rates. The solutions are sparse sparse - A sparse matrix (or vector, or array) is one in which most of the elements are zero. If storage space is more important than access speed, it may be preferable to store a sparse matrix as a list of (index, value) pairs or use some kind of hash scheme or associative memory. : While the Ajax world is exploding with new capabilities and wiz-bang features, technology providers have been derelict derelict n. something or someone who is abandoned, such as a ship left to drift at sea or a homeless person ignored by family and society. (See: abandon, dereliction) DERELICT, common law. in addressing fundamental security issues in the offerings they promote, leaving a formidable security challenge for the application developer to address. In this paper we will examine some of the fundamental security issues related to client-centric Ajax techniques, and will show how these issues can be overcome using a server-centric approach based on Java EE The revised name for the J2EE Platform from Sun. In 2005, Sun renamed J2EE to Java EE and J2ME to Java ME. See J2EE and J2ME. and ICEfaces. The Fundamentals of Ajax Insecurity Insecurity Inseparability (See FRIENDSHIP.) Insolence (See ARROGANCE.) Hamlet introspective, vacillating Prince of Denmark. [Br. Lit.: Hamlet] Linus cartoon character who is lost without his security blanket. The client is untrusted, SO DON"T TRUST IT! This is as fundamental as it gets. The entire web security model is based on the premise of an insecure in·se·cure adj. 1. Lacking emotional stability; not well-adjusted. 2. Lacking self-confidence; plagued by anxiety. in client, and established and proven security architectures have evolved on this basis. With the popular adoption of Ajax techniques, there is a growing tendency toward client-centric implementations despite the fact that the approach breaks the fundamental premise of the untrusted client. So, regardless of what client-centric Ajax technology you might pick, you will have to address some fundamental security issues. Client-centric business logic and data: In order to enable a rich user interface, most sophisticated Ajax libraries promote a client run time environment where the user interface and associated business logic and data coexist co·ex·ist intr.v. co·ex·ist·ed, co·ex·ist·ing, co·ex·ists 1. To exist together, at the same time, or in the same place. 2. on the client in order to achieve the rich interactive features required. There is simply no way to protect business logic and data in these types of implementations, which means that the developer must be diligent dil·i·gent adj. Marked by persevering, painstaking effort. See Synonyms at busy. [Middle English, from Old French, from Latin d about identifying sensitive logic and data and determining how best to secure it. It will be necessary to push sensitive parts of the implementation back to the server in order to properly protect them, which can lead to considerable additional complexity in the implementation, and may severely restrict the Ajax features that can be used. Client-centric validation: While client-side validation using Ajax techniques can be effective for providing immediate feedback to the user, it cannot be trusted to ensure the data submitted back to the server-resident elements of the application is valid and safe. It is necessary to implement a complete server-resident validation subsystem to sufficiently protect server-based assets. Now you face the challenge of maintaining two sets of validation logic, and any inconsistencies between them may open a security hole in the application. Furthermore, an attacker may gain clues on how to attack the application by examining the client-resident validation logic. XMLHttpRequest (XHR XHR XMLHttpRequest (AJAX) XHR Extra High Resolution ): The XHR is fundamental to all Ajax approaches, and the basic mechanism itself does not introduce additional security concerns as it inherits the same privileges as the initial HTTP HTTP in full HyperText Transfer Protocol Standard application-level protocol used for exchanging files on the World Wide Web. HTTP runs on top of the TCP/IP protocol. request. Additionally, XHR is not permitted to make cross-domain requests, so in itself XHR can be a secure mechanism. The security issues with XHR arise from its improper/ insecure use. One prevalent approach is to use XHR to implement a network interface back into server-resident resources. While this may be the most straightforward way to implement a client-centric, Ajax-based application, the network interface to those protected services cannot be concealed and offers the hacker A person who writes programs in assembly language or in system-level languages, such as C. The term often refers to any programmer, but its true meaning is someone with a strong technical background who is "hacking away" at the bits and bytes. a well-defined attack surface, if proper access control is not established. The security concerns with XHR are magnified by the invisible nature of mechanism. Any security violation achieved through XHR can occur without being in any way visible to the user, which means that a security breach can propagate prop·a·gate v. 1. To cause an organism to multiply or breed. 2. To breed offspring. 3. To transmit characteristics from one generation to another. 4. rapidly through a community of users that is completely unaware that an attack is in progress. The use of XHR in cross-site scripting See XSS. attackscan be particularly lethal for this reason. Implementation Complexity: The distributed nature of a client-centric, Ajax-enabled, application introduces complexity to the application when compared with traditional server-centric approaches. It requires a significant amount of JavaScript development, which in itself introduces complexity to development and testing. Furthermore, the distinct roles of developer, designer, and security expert are blurred in this model. Now your JavaScript developer needs to be a security expert as well. The bottom line is that as complexity rises, the potential for security issues also rises, and the QA process will not typically catch these issues, as they manifest themselves as hidden unintended functionality. This unintended functionality can be fertile ground for the diligent attacker. Beyond the complexity of your own implementation, the implementation of the Ajax framework An application framework that takes the tedium out of building AJAX programs, both at the client and server sides. AJAX frameworks differ in the amount of coding expertise needed, as some require extensive knowledge, while others use pre-built components that require less experience. itself may be inherently insecure. It is a pretty safe bet that a complete security audit has not been performed on your JavaScript framework of choice. Security Through Obscurity (security) security through obscurity - Or "security by obscurity". A term applied by hackers to most operating system vendors' favourite way of coping with security holes - namely, ignoring them, documenting neither any known holes nor the underlying security algorithms, trusting : The notion of the untrusted client trumps trump 1 n. 1. Games a. A suit in card games that outranks all other suits for the duration of a hand. Often used in the plural. b. A card of such a suit. c. A trump card. 2. the notion that client resources can be protected through some form of obfuscation ob·fus·cate tr.v. ob·fus·cat·ed, ob·fus·cat·ing, ob·fus·cates 1. To make so confused or opaque as to be difficult to perceive or understand: "A great effort was made . . . . The simple fact is, obfuscation provides no real security, and in the worst case may provide a false sense of security to the developer. Leveraging the Java EE Architecture From the previous discussion it is clear that there are fundamental security concerns with client-centric approaches, and that extreme diligence will be required to implement a suitable security architecture. There is a big advantage if we can step away from client-centric approaches and back toward server-centric approaches, as we can leverage the existing, industry-proven Java EE security architecture. [FIGURE 1 OMITTED] An Established Security Architecture: Security has always been a first-class consideration in the Java EE stack and has matured to the point where the security architecture is well established from the persistence layer through to the presentation layer. Furthermore, proven implementations such as JAAS JAAS Journal of Analytical Atomic Spectrometry JAAS Java Authentication and Authorization Service JAAS Jiangsu Academy of Agricultural Sciences (China) JAAS Journal of the Assyrian Academic Society and Acegi are prevalent, so you don't have to invent a security architecture and implement it yourself. Separation of Roles: Another advantage of the Java EE architecture is that it promotes clean separation of roles between the page designer, Java developer, and security architect. The security architect can establish overall security policies, and identify appropriate technologies for implementation. The Java developer can use the specified security technologies to implement back-end security, and establish necessary access control at various levels of the application architecture. The page designer can deal with high-level concepts like user roles when implementing the 151, and will not have to be concerned about the details of the access control implementation itself. So where is the Ajax? It is all fine and good to say we are going to use a server-centric approach and leverage the existing Java EE security architecture while maintaining separation of roles during development, but can we achieve effective rich client features based on Ajax techniques with such an approach? We turn our attention to the Java EE presentation layer technologies to make this determination. JSF (JavaServerFaces) A standard framework of components for building rich user interfaces for Java applications. JavaServer Faces run on the server, but are displayed on the client. JSF - JavaServer Faces is the most recent addition to the Java EE stack and it provides a good foundation to build on. JSF itself is not Ajax-enabled and relies on a full-page refresh (1) To continuously charge a device that cannot hold its content. CRTs must be refreshed, because the phosphors hold their glow for only a few milliseconds. Dynamic RAM chips require refreshing to maintain their charged bit patterns. See vertical scan frequency and redraw. to effect presentation changes, but it is completely server-centric so provides us with the security characteristics that we seek. So, if we can establish Ajax functionality in JSF without compromising the server-centric nature of the framework we will be able to inherit To receive property according to the state laws of intestate succession from a decedent who has failed to execute a valid will, or, where the term is applied in a more general sense, to receive the property of a decedent by will. inherit v. the existing Java EE security architecture. This is precisely where the open source ICEfaces technology comes into play. ICEfaces: Server-centric Ajax with JSF Preserving the JSF Lifecycle: Central to the JSF architecture is the JSF lifecycle, which is illustrated in Figure 1 below. The lifecycle kicks off with a standard request, which is processed to apply request values, passes through validation, updates the model values, invokes application-specific processing, and finally results in new presentation generated from the render response phase of the lifecycle. If you look to Ajaxify JSF it is important that the approach not circumvent cir·cum·vent tr.v. cir·cum·vent·ed, cir·cum·vent·ing, cir·cum·vents 1. To surround (an enemy, for example); enclose or entrap. 2. To go around; bypass: circumvented the city. the JSF lifecycle, otherwise you may be circumventing the servercentric security architecture that we seek to preserve. You can expect that if XHR is used from the JSF generated presentation markup (text) markup - In computerised document preparation, a method of adding information to the text indicating the logical components of a document, or instructions for layout of the text on the page or other information which can be interpreted by some automatic system. to directly access server-side resources you will be exposed to the same security concerns associated with client-centric approaches. In order to ensure lifecycle preservation, any use of XHR needs to be restricted to standard form submission so the entire JSF lifecycle can execute. There are two key mechanisms required to achieve Ajax functionality under this restriction. * An automatic, partial submission mechanism is required to react to user interaction with the presentation in order to submit a request back to the server for processing. It is automatic in the sense that each UI control will perform these submissions in a natural way without requiring developer intervention. For example, when focus moves out of an input text field an automatic submission should occur so that user input can be processed. The submission is partial in the sense that it may not be necessary to process the entire form, as there will likely be various elements in the form that the user has not yet interacted with. For example you don't want validators running against input controls that are still blank. * An incremental Additional or increased growth, bulk, quantity, number, or value; enlarged. Incremental cost is additional or increased cost of an item or service apart from its actual cost. presentation updated mechanism is required to eliminate excessive rerendering of the browser page. Ideally, this mechanism should result in the minimum required updates to the page, and should require no developer intervention. The need for the developer or designer to wire together the elements on the page that may impact each other's presentation under various conditions can be very tedious and error prone. [FIGURE 2 OMITTED] Additionally, the need to do this blurs the separation of roles between the developer and designer. The ICEfaces Solution: The ICEfaces architecture, as illustrated in Figure 2, provides the required mechanisms to Ajaxify JSF while preserving the lifecycle, and inheriting in·her·it v. in·her·it·ed, in·her·it·ing, in·her·its v.tr. 1. a. To receive (property or a title, for example) from an ancestor by legal succession or will. b. the underlying Java EE security architecture. Central to the ICEfaces architecture is a lightweight Ajax Bridge that facilitates both the incremental presentation update mechanism, and automatic partial submission mechanism. While elements of the bridge are implemented in JavaScript and execute client-side, it is a small fixed-function piece of code that exposes only a standard submit mechanism via XHR, and handles only pure presentation data during incremental updates, so does not introduce any security holes to the Java EE security architecture. The partial submit mechanism is built in to the ICEfaces component suite, so the developer has control over the mechanism on a component level basis, using a standard component attribute. Simply specifying "partia1Submit=true" on an ICEfaces component will result in a partial submit when the user interacts with it. The bridge handles the rest of the process in a completely transparent fashion, including limiting the validation process to controls that the user has interacted with. In order to Ajaxify the render response phase ICEfaces uses a technique called Direct-to-DOM rendering with incremental update. Basically, the entire response is rendered directly into a server-side DOM, and incremental changes to the DOM are distilled out and delivered to the client via the bridge. The client-side of the bridge reassembles the changes in the browser DOM, resulting in smooth incremental page updates. A key advantage to this approach is that the framework determines precisely the minimal updates to be applied, and does so in a transparently fashion. There is no explicit need for the developer to tediously wire together components that might affect each other. Presentation Layer Access Control: In addition to the fundamentally secure Ajax features of ICEfaces, presentation layer access control is also supported in a natural fashion. Using standard component level attributes with dynamic binds such as a rendered={ #...}, disabled={ #...}, renderedOnUserRole={ #...}, enabledOnUserRole={ #...} the designer can incorporate role-based access control The identification, authentication and authorization of individuals based on their job titles within an organization. Contrast with mandatory access control and discretionary access control. See least privilege. features into the application UI, and leverage the server-side user authentication See authentication. mechanisms transparently. About ICEsoft ICEsoft Technologies Inc., is the leading provider of standards-compliant, AJAXbased solutions for deploying pure Java Refers to initiatives from Sun that specify 100% compliance with its Java specification. The goal is to maintain a consistent, single interface for Java so that all Java Virtual Machines can run all Java programs. See Holy Grail. , rich Internet applications. http://www.icefaces.com For additional information, please visit: www.icefaces.org References (1.) Securina (2007). Technical explanation of the JS/Yamanner Worm (2006). Article retrieved Jane 2007 from: http://secunia.com/virus_information/29782/js.yamanner/ (2.) Technical explanation of the MySpace Worm (2006). Article retrieved June 2007 from: http://www.adtmag.com/article.aspx?id=17953 ICEfaces, is an Ajax-based Java EE framework for developing and deploying thinclient, rich enterprise applications. http://www.icefaces.org Stephen Maryka, CTO (Chief Technical Officer) The executive responsible for the technical direction of an organization. See CIO and salary survey. ICEsoft Technologies Inc. |
|
||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion