Вы находитесь на странице: 1из 11

Eclipse as Platform for Security Applications

Security for Java and E-Commerce Environments

Matei Ciobanu Morogan

What is Eclipse? Overview of Eclipse platform Eclipse plug-in architecture Rich client platform ( p (RCP) ) RCP for secure enterprise applications

What is Eclipse?
Provide open platform for application development tools Provide a platform for (commercial) Java application
GUI and non-GUI Multiple OS

Facilitate seamless tool integration Attract community of tool developers Open source www.eclipse.org

November 1998, IBM Software Group began to create a development tools platform November 2000 they adopted the open source licensing and operating model (eclipse.org) By 2002, the first major releases of Eclipse were available Today, large community and many companies serving as add-in providers

Eclipse overview

Eclipse overview
Eclipse is a universal platform for integrating development tools Provides a runtime environment and platform for rich client applications Open, extensible architecture based on plug-ins

Eclipse plug-in architecture

Plug-in smallest unit of Eclipse function
Example: HTML editor, etc.

Extension point named entity for collecting contributions

Example: extension p p point to add a view

Extension a contribution
Example: a particular view showing HTML tags

Eclipse plug-in architecture

Each plug-in
Contributes to 1 or more extension points Optionally declares new extension points Depends on a set of other plug-ins Contains Java code libraries and other files May export Java-based APIs for downstream plug-ins Lives in its own plug-in subdirectory

plug-in manifest
Manifest declares contributions Code implements contributions and provides API plugin.xml file in root of plug-in subdirectory

Eclipse plug-in architecture

Plug-in Manifest

Eclipse plug-in architecture

Typical arrangement

Plug-in A
Declares extension point P Declares interface I to go with P

Plug-in B
Implements interface I with its own class C Contributes class C to extension point P

Plug-in A instantiates C and calls its interface I methods

Eclipse plug-in architecture

Eclipse Platform Runtime is micro-kernel
All functionality supplied by plug-ins

Eclipse Platform Runtime handles start up

Discovers p ug s installed o d s sco e s plug-ins s a ed on disk Matches up extensions with extension points Builds global plug-in registry Caches registry on disk for next time

Eclipse plug-in architecture

Plug-in Namespaces
Each plug-in has its own class loader Requests are delegated to the respective plug-ins Secure Classloader!

Plug-in activation
Each plug-in gets its own Java class loader
Delegates to required plug-ins Restricts class visibility to exported APIs

Contributions processed without p g activation p plug-in

Example: Menu constructed from manifest info for contributed items

Plug-ins are activated only as needed

Example: Plug-in activated only when user selects its menu item Scalable for large base of installed plug-ins Helps avoid long start up times

Plug-in install/update
Features group plug-ins into installable chunks
Feature manifest file

Plug-ins and features bear version identifiers

major . minor . se ce ajo o service Multiple versions may co-exist on disk

Features downloadable from web site

Using Eclipse Platform update manager Obtain and install new plug-ins Obtain and install updates to existing plug-ins

Eclipse platform
Eclipse Platform is the common base Consists of several key components

SWT and JFace

SWT = Standard Widget Toolkit
Generic graphics and GUI widget set buttons, lists, text, menus, trees, styled text... Simple Small Fast OS-independent API Uses native widgets where available Emulates widgets where unavailable

JFace is set of UI frameworks for common UI tasks

Designed to be used in conjunction with SWT Classes for handling common UI tasks API and implementation are window-system independent

SWT native widgets

Eclipse workbench

Select a framework for an application

Focus on your domain rather than infrastructure -more logic programming Help to reduce time of development, reuse constructions and enhance quality Improve the user experience Support componentization for adaptation to changing requirements Have a good level of control and responsibility when writing an app Support the framework an active and strong community Support the framework a leader in the informatics industrial field

Eclipse Rich Client Platform (RCP)

Bug #36967

Eclipse Rich Client Platform (RCP)

A subset of the full platform For building client applications with Rich functionality There are other subsets (EMF, GEF, ..) Provide a module reusability (plug-ins), not just class reusability Run in multiple platforms (Windows, Linux,..) Common interface for applications to reduce user training costs

Eclipse Rich Client Platform (RCP)

A subset of the full platform For building client applications with Rich functionality There are other subsets (EMF, GEF, ..) Provide a module reusability (plug-ins), not just class reusability Run in multiple platforms (Windows, Linux,..) Common interface for applications to reduce user training costs

Eclipse Rich Client Platform (RCP)

Eclipse workbench
Views Editors Action sets Perspectives Wizards Preference pages Commands and Ke Key Bindings Undo/Redo support Presentations and Themes

Eclipse RCP Model

Eclipse RCP Applications and Enterprise Security

What needs to be done to Eclipse and the Eclipse RCP platform to make it easier to build trusted and secure enterprise applications? pp

Enterprise Application Technologies

Web Services JavaServer Pages (JSP) Servlets Enterprise JavaBeans (EJB) Middle tier and backend databases Variety of protocols HTTP, SOAP, RMI, RMI-IIOP Proprietary, Notes NRPC Thin clients, web browsers Internet Explorer, Netscape, Mozilla FireFox, Safari Fat Clients Notes, Microsoft Office, OpenOffice Etc, etc.

What is needed to Secure Enterprise Applications ?

Username/Password, digital certificates, tokens

Authorization Network Security

SSL, TLS, Kerberos Firewalls

External Single Sign-On providers

For example Tivoli Access Manager, Netegrity SiteMinder, etc.

Cryptographic Services JavaTM and J2EE Security Technologies Etc, etc, etc

What does Eclipse RCP platform provide today?

JRE/JDK core security is there (depending on the one you use)
JCA,JCE,JSSE,JAAS,JGSS-API/Kerberos, etc, etc Up to you to integrate into RCP platform and then integrate your applications and infrastructure

OSGi Services
NOTE: Turning this on technically violates the Principle of Least Privilege by defaulting to AllPermissions

Jarverifier service, org.eclipse.osgi.verifier J ifi i li i ifi

Recently incorporated into Equinox Bugzilla: https://bugs.eclipse.org/bugs/show_bug.cgi?id=127110 Other available services PermissionAdmin, ConditionalPermissionAdmin, UserAdmin

Digital Signature validation

At Installation/Update time via Update Manager At runtime via OSGi bundle verifier

Digitally Signed Bundles

Prevent RCP platform from being spoofed or unknowingly hijacked, or at least allow such attacks to be detected Lays foundation for future ability run with Java SecurityManager and enforce access control based on CodeSource

What can Eclipse RCP platform provide in the future ?

Framework to enable and customize a Platform login Consistent representation of user and user identity
Based on JAAS Subject and Principal

J2SE Permissions for Code Security (details on next slides) Better, Easier integration with core Java Security Leverage flexibility and extensibility of Eclipse RCP using plugins RCP, to provide Java Security implementations Extensible and flexible user interface to interact with security subsystems SSL/TLS Trust Server prompts, Host Name mismatch Dialogs and behaviors to interact with permission and code execution exceptions Functions around policy distribution and administration


Eclipse projects
Eclipse platform Eclipse modeling framework (EMF) Graphical editing framework (GEF) Data tools platform Platform for mobile devices Web tools platform Reporting tools (BIRT) Numerous technology projects


Thank you!