Java Security Interview Questions and Answers: Single Sign-On (i.e. SSO) with Spring 3 Security
Q. Can you provide a high level overview of the "access control security" in a recent application you have worked on?
A. As shown below, SiteMinder is configured to intercept the calls and authenticate the user. Once the user is authenticated, an HTTP header "SM_USER" is added with the authenticated user name, for example "123". This header is passed on to Spring 3 Security. "Security.jar" is a custom component that knows how to retrieve the roles for a given user like 123 from a database or LDAP server. This custom component is responsible for creating a Spring UserDetails object that contains the roles as authorities. Once you have the authorities (roles) for a given user, you can restrict your application URLs and functions to provide proper access control.
Q. What is SSO (i.e. Single Sign-On)?
A. Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. For example, SiteMinder, Tivoli Access Manager (i.e. TAM), etc. provide SSO. As shown in the diagram above, SiteMinder authenticates the user and adds the SM_USER HTTP header to the request before it reaches the application. It strips any incoming "SM" headers and adds its own only after authenticating the user. This prevents malicious headers being injected via the browser with plugins like "Firefox Modify Headers".
Q. How will you go about implementing authentication and authorization in a web application?
A. Use an SSO product like SiteMinder or Tivoli Access Manager to authenticate users, and Spring Security 3 for authorization, as described in the following Spring 3 Security tutorials. The Spring Security pre-authentication scenario assumes that a valid authenticated user is already available, either via a Single Sign-On (SSO) product like SiteMinder, Tivoli, etc. or via X.509 certificate-based authentication. Spring Security in this scenario is used only for authorization. The links to the tutorials below demonstrate this with code.
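The pre-authentication flow from the two answers above (SM_USER header in, roles out as Spring authorities) as an added example; this is not code from the original post or its linked tutorials. It assumes Spring Security 3.1 APIs, and the in-memory role map is a constructed stand-in for the database or LDAP lookup that "Security.jar" would perform.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

// Stand-in for the post's "Security.jar": maps an SM_USER value (e.g. "123") to a UserDetails
// whose authorities are the user's roles. Assumes Spring Security 3.1 APIs.
public class SiteMinderUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    // Constructed sample role store; the real component would query a database or LDAP server.
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    static {
        ROLES.put("123", new String[] {"ROLE_USER", "ROLE_ADMIN"});
        ROLES.put("456", new String[] {"ROLE_USER"});
    }

    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        String userId = String.valueOf(token.getPrincipal());  // the SM_USER value set by SiteMinder
        String[] roles = ROLES.get(userId);
        if (roles == null) {
            // Authenticated by SiteMinder but unknown to this application: reject, never default.
            throw new UsernameNotFoundException("No roles found for SM_USER " + userId);
        }
        // The password is irrelevant here: SiteMinder has already authenticated the user.
        return new User(userId, "N/A", AuthorityUtils.createAuthorityList(roles));
    }

    // Wires the pre-authentication chain the post describes; normally done in Spring XML instead.
    public static RequestHeaderAuthenticationFilter preAuthFilter() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new SiteMinderUserDetailsService());
        provider.setThrowExceptionWhenTokenRejected(true);  // unknown user fails rather than anonymous
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader("SM_USER");
        filter.setExceptionIfHeaderMissing(true);  // a request without SM_USER is rejected outright
        filter.setAuthenticationManager(new ProviderManager(
                Collections.<AuthenticationProvider>singletonList(provider)));
        return filter;
    }
}
```

The filter only makes sense when the application is reachable solely through the SiteMinder agent that strips inbound SM headers; in the XML namespace it is registered with `<custom-filter position="PRE_AUTH_FILTER" .../>`.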
Q. Can you describe your understanding of SSL, key stores, and trust stores?
A. SSL, key stores and trust stores
Q. What tools do you use to test your application for security holes?
A. These tests are known as pen (i.e. penetration) testing or security vulnerability testing. There are tools like:
- SkipFish (web application security scanner) from Google.
- Tamper Data for Firefox.
Q. What is two-factor authentication?
A. Two-factor authentication is a security process in which the user provides two means of identification. This can be:
- something you have and something you know. For example, a bank card is something you have and a PIN (i.e. Personal Identification Number) is something you know.
- two forms of identification such as a password and biometric data like a fingerprint or voice print. Some security procedures now require three-factor authentication, which involves possession of a physical token and a password, used in conjunction with biometric data.
Application-Layer Security: For example, Spring 3 Security, JAAS (Java Authentication and Authorization Service), which provides a set of APIs for authentication and authorization (aka access control), etc. JAAS provides a pluggable and extensible framework for programmatic user authentication and authorization at the JSE level (NOT the JEE level). JAAS provides security at the JVM level (e.g. classes, resources). JAAS is the core underlying technology for JEE security. Spring Security tackles security at the JEE level (e.g. URLs, controller methods, service methods, etc.).
Transport-Layer Security: Java Secure Socket Extension (JSSE) provides a framework and an implementation for a Java version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and includes functionality for data encryption, server authentication, message integrity, and optional client authentication to enable secure Internet communications. TLS 1.0 / SSL 3.0 is the mechanism that provides private, secure and reliable communication over the Internet between the client and the server. It is the most widely used protocol providing HTTPS for Internet communication between clients (web browsers) and web servers.
Message-Layer Security: In message-layer security, the security information is contained within the SOAP message and/or SOAP message attachment, which allows the security information to travel along with the message or attachment. For example, a credit card number is signed by the sender and encrypted so that only the intended receiver can decrypt it. Java Generic Security Services (Java GSS-API) is a token-based API used to securely exchange messages between communicating applications. The GSS-API offers application programmers uniform access to security services on top of a variety of underlying security mechanisms, including Kerberos. The advantage of this over point-to-point transport-layer security is that the security stays with the message over all hops and after the message arrives at its destination, so it can be used with intermediaries over multiple hops and protocols (e.g. HTTP, JMS, etc.). The major disadvantage is that it is more complex to implement and requires more processing.
Note: Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. SASL is an application-layer mechanism that can be used together with TLS, which complements the services SASL offers.
Note: The Java security API is complicated, and Spring Security, as demonstrated via the above tutorials, might be a better alternative.