Covering J2EE Security and WebLogic Topics

Monty Python Teaches Application Security

There are two main components of application security: authentication and authorization. Authentication establishes who the user is; authorization determines what that user is allowed to access. Both are essential, and they are applied in that order, since a system cannot decide what a user may do until it knows who the user is.

Some examples are in order, so let’s turn to Monty Python’s Holy Grail for inspiration. Surely you’ve seen the Holy Grail, right? It’s full of application security concepts. Well, some anyway. And they’re abstract at that, but let’s see what we can do.

King of the Who?

After coconut-clapping his way to the entrance of a castle on an imaginary horse, King Arthur asks the guards if he may speak with the lord of the castle. The ever vigilant guards immediately see that something is amiss and pick apart Arthur’s story with their expert knowledge of avian aerodynamics.

In this scene, Arthur tries to gain access to a protected resource (the lord of the castle). In application security, any attempt to access a protected resource requires an authorization check. However, the system cannot check authorization without first knowing who the user is, so it must first ask the user to identify himself. The guards try to authenticate King Arthur by making him prove his identity. In their estimation he failed authentication, and so the question of authorization was moot.

The most common form of authentication for applications is username and password. The username is the identity you claim, and the password is the credential that proves the claim since, presumably, only you know it. Although you can build custom authentication logic, any J2EE compliant application server, including WebLogic, can manage authentication for you without custom coding: you declare a login method in the web application's deployment descriptor and the container handles the login challenge, the credential check against its security realm and the resulting session.

Answer Me These Questions Three

Returning to the story at a later point, King Arthur and his knights seek to cross the Bridge of Death. However, an old man requires each to answer five (no, three!) questions before they can cross. Upon correctly answering the questions, the knights are allowed access to the bridge. Regrettably, some don’t make it…

In this scene, the bridge is a protected resource that the keeper is guarding. His first question is a very weak form of authentication: he asks each knight his name and takes the answer at face value, so the identity is self-asserted and never proven. The remaining two questions are a form of authorization, deciding whether the (supposedly) identified knight gets to use the bridge.

In application security, authorization determines whether the authenticated user should be allowed access to a protected resource. In J2EE this is most often done with roles: the resource declares which roles may access it, and the user is granted access only if he holds one of those roles.

Like authentication, simple forms of authorization can be managed by the application server without custom coding, by declaring security constraints on URL patterns in the deployment descriptor.
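To make both halves concrete, here is an added example of a J2EE web deployment descriptor (WEB-INF/web.xml). It is not from the original post: the login-config element hands authentication to the container (the castle guards), and the security-constraint element makes the container enforce role-based authorization (the bridgekeeper). The URL pattern, the knight role, the realm name and the JSP page names are all hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (WEB-INF/web.xml), not code from the original post.
     Hypothetical names: the /lord/* URL pattern, the "knight" role,
     the "camelot" realm and the two login JSPs. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Authentication ("who are you?"): the container shows the login page,
       checks the submitted credentials against its security realm and
       remembers the result in the session. No servlet code is involved. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>camelot</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles the application refers to. The server maps them to real users
       or groups outside the application (on WebLogic, in weblogic.xml via
       security-role-assignment), so the code never hard-codes user names. -->
  <security-role>
    <role-name>knight</role-name>
  </security-role>

  <!-- Authorization ("may you pass?"): everything under /lord/ is a
       protected resource reachable only by an authenticated user who
       holds the knight role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The lord of the castle</web-resource-name>
      <url-pattern>/lord/*</url-pattern>
      <!-- Deliberately no http-method elements: listing only GET and POST
           would leave HEAD, PUT, DELETE and friends unprotected. Omitting
           the element constrains every method. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>knight</role-name>
    </auth-constraint>
    <!-- Credentials and the session cookie travel over SSL only. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

Two things to check when you deploy something like this. First, the login page itself must not sit under a protected URL pattern, or the container can never show it; its form posts to the container's own `j_security_check` action with fields named `j_username` and `j_password`. Second, read the auth-constraint carefully: an element listing a role grants that role, an empty `<auth-constraint/>` denies everyone, and leaving the element out entirely means the resource needs no login at all, which is a surprisingly common way to lose an authorization check without noticing.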

Hackers and Honeypots

And now for something completely different…

Admittedly, the examples above were a whimsical approach to explaining the concepts of authentication and authorization. But it got me thinking about other security concepts that can be found in the Holy Grail movie. (Yes, I’m easily amused.) The two I thought of are mentioned below.

An example of perimeter defense can be found in the scene where the Black Knight blocks Arthur's path. "None shall pass," says the Black Knight. Arthur, determined to pass, literally hacks his way through the defenses. The lesson is that a determined hacker can breach a perimeter, so a single control at the edge is not enough and defense in depth is critical.

The second example can be found at the source of the Grail-shaped beacon. Of all the places the Grail could be, Zoot's castle makes it very easy to find the protected, er, resources that it contains. This is like a honeypot: a system that looks like an attractive target so that it can snare, or at least study, the hackers it draws in.

Can you think of any scenes in the Holy Grail that can represent a security concept?