Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management
The following sections briefly discuss the business and security requirements of the eRewards portal followed by some detailed use cases represented by UML diagrams. We could devote a whole chapter to the requirements gathering processes and the creation of the architecture based on risk analysis, but because this book is focused more on security patterns, we have abbreviated the business requirements to highlight the importance of security in the portal. Using use cases to analyze business requirements can help reduce the difficulty of building the application architecture and can help us to identify the required security features. Because the case study focuses on applying end-to-end security design techniques in different tiers, it will use a "micro-architecture" approach [CJP2], using appropriate security design patterns that were discussed in earlier chapters to illustrate the security design best practices (instead of the J2EE application design itself). Choosing the Right Methodology
To get started on our eRewards portal case study, we must first identify a process methodology that gets us through the software development life cycle and meets both the business and security goals we set forth earlier. To accomplish our goals and to meet our deadlines while delivering a secure system, we chose to use the Secure UP as described in Chapter 8, "The Alchemy of Security Design: Methodology, Patterns, and Reality Checks." Doing so allows us to take advantage of the leading industry-recognized software development process and to extend it in order to ensure that our nonfunctional goals of security, reliability, and management are met. Referring to the activity diagram (Figure 8-3) in Chapter 8, "The Alchemy of Security DesignMethodology, Patterns, and Reality Checks," we see that our first activity is to have a business analyst who defines the business and security requirements. Creating this definition is part of the business modeling and security requirements disciplines. Identifying the Requirements
Let's assume that our business analysts have met with the business owners and derived the requirements for our eRewards portal. These would be broken out into business requirements and nonfunctional requirements, such as security, manageability, reliability, performance, high availability, and so forth. These functional and nonfunctional requirements are grouped into related sets of use cases for development and are tracked using a requirements management tool (for example, DOORS, RequisitePro, or another tool). At a high level, the eRewards portal should be able to allow user self-registration by way of using a trusted Identity Provider. Upon successful registration, the portal subscribers (also referred to as users) can check their current account information, including their membership award point balance and the history of transactions. They can also update their personal information or access membership services. The portal also provides a selected list of merchandise for membership award redemption. It delivers an online product catalog system from a service provider hosted by the online portal. Subscribers can redeem merchandise by browsing the online product catalog, selecting the catalog product items, and placing the order in the online shopping cart. The internal order management system will fetch product details from the shopping cart and the corresponding item price by product ID and then retrieve the membership award status to see if the subscriber has sufficient membership award points to redeem for the merchandise. In the future, the eRewards portal will also allow the subscriber to purchase merchandise by credit card if the subscriber does not have enough membership award points for redemption. The majority of the merchandise is supplied by trading partners by way of specialized merchant services. The eRewards online catalog maintains merchandise information and product details by taking a nightly offline data feed from the external trading partners. Fulfilling an order will require sending the delivery order from the internal order management system to the external systems of the trading partners. The order management system will send the subscriber's name, delivery address, and the merchandise details electronically in a secure manner. The order fulfillment system will also track the delivery status of the shipment. Because the eRewards portal is intended to be available to subscribers around the clock, it has a high-availability service-level requirement of 99.99%. This suggests that the application servers running both the membership service and the merchant service should be almost "non-stop." Designing around merchant services operated by external trading partners (service providers) can be challenging, because the online portal does not have direct control over their availability. As an interim measure, the online portal requires notification of service exceptions if the external merchant service is not available. However, there is currently no service-level agreement (SLA) between the external trading partners and the eRewards portal about availability or the turnaround time for any service notification. Identifying the Security Requirements
As mentioned earlier, we are focusing only on the security requirements of the portalnot the other nonfunctional requirements. End-to-end security is essential for the eRewards portal because security risks or threats do not come from a single source. Securing the Web server for the eRewards portal does not necessarily mean that the entire portal is secure. This is because business functions for membership services and merchant services do not come from a single server; they are distributed in different servers and different security domains. Each security domain has different fabrics or substrates of security elements that require specific security design considerations or security risk mitigation measures. A monolithic security model of using HTTPS or using traditional host security-hardening techniques will not be sufficient to handle a mixture of J2EE applications and Web services. Security should never be an afterthought whose importance goes unnoticed until something unpleasant happens or a security loophole is reported. Security requirements are the key drivers for the reliability and availability of the business services provided by the online portal. These include authentication, authorization, traceability, data privacy or confidentiality, availability, data integrity, and non-repudiation. The business-level security requirements gathered for the eRewards portal also include the following:
System Constraints
Based on our requirements, there are system constraints that may impact the security design. One main constraint is the identity management infrastructure. The eRewards portal has a previous investment in an identity management vendor solution and currently uses a trusted external Identity Provider. Thus, there will be no need to build or customize any single sign-on security solution. Many Web services in the portal are created by exposing home-grown J2EE, .NET, and legacy applications as Web services. There may be no security built into these home-grown or legacy applications. Thus, there should be separate security considerations made for them during the design process. Security Use Cases
Use cases are the end artifact of the requirements discipline. The use cases address one or more business requirements, defining the details of how those requirements must be implemented. Once a use case is complete, analysis and design for that functionality can begin. The following section presents some of the security use cases relevant to our eRewards portal case study. These use cases serve as the basis for defining the security design for our portal scenario. Typically, each use case would be defined in one or more documents, using a standard template. For our present purposes, we will skip an elaborate template and briefly summarize, using a use case diagram. Use Case Diagram
Based on our business requirements, we have constructed our security use case diagram as shown in Figure 14-2. Figure 14-2. Security use cases for the eRewards portal
In Figure 14-2, Client, a subscriber to the eRewards portal (OnlinePortal), needs to initiate and obtain secure login access to the portal. Upon successful authentication and authorization from the Identity Provider, Client can select different business services available from the portal. In this case study, Client intends to redeem merchandise (gifts offered by the portal and/or their affiliated merchants) using his or her membership award points. First, Client browses through the online catalog and selects the merchandise. Upon confirmation of his or her merchandise selection, Client chooses to redeem the merchandise by deducting membership award points from the available membership award balance. The portal retrieves the membership award balance and determines whether Client is eligible to redeem the merchandise. If Client is eligible to redeem the merchandise, the portal will place an order with the supplier merchant (TradingPartner) and issue an order to fulfill the order according to the pre-registered home address of the subscriber (Client). In this scenario, we primarily focus on the security-related use cases such as User login, Secure Catalog service, Secure order placement, and Secure order fulfillment.
Actors
The following Actors are the key entities that interact with the security use cases such as secure catalog service and secure order fulfillment. Here is a short description of each of the Actors:
eRewards PortalLogical View
Based on the use cases, let's take a look now at what we have as a conceptual model of our Web-based business portal. Figure 14-3 illustrates the logical representation of the Web-based business portal. Figure 14-3. Logical View of eRewards portal
In Figure 14-4, we see our three main services in the portal. They connect to the merchant service at our trading partner and use an external Identity Provider for identity management. All of the transactional data is stored in our warehouse database. Figure 14-4. eRewards portal: high-level application architecture
System Environment
We assume the eRewards portal and the service providers work together as a medium-scale business application hosted using heterogeneous platforms including Solaris, Linux, and Microsoft Windows. The portal runs on a J2EE 1.4-compliant application server that also provides support for RPC and document-style Web services. No vendor-specific application server extension features will be used. The portal and the underlying service providers make use of an external trusted Identity Provider for authentication, authorization, single sign-on, and identity management services. |
Категории