Tutorial: 02 Security

Child's:

Introduction

UnityBase is platform for building complex enterprise application. So security is one of most important part of platform. UnityBase security mechanism includes:

  • different types of authentication and authorization - modified DIGEST, Kerberos, via public/private key, using LDAP
  • encrypted communication - either HTTPS or more secure internal mechanism
  • audit - all operation is logged to audit tables (both old and new values are logged)
  • simple row level audit - ability to memorize creator, modifier and owner of each entity row
  • safe delete - ability to mark entity row as deleted without psychically delete it from database (or other store)
  • data history - ability to track history of entity row modification and show row content on specified date
  • entity-level security (ELS) - ability to restrict access to entity methods
  • row-level security (RLS) - ability to restrict access to entity data based on row attribute values
  • access control list (ACL) - ability to restrict access to entity data based on security principal assigned for each entity row
  • attribute-level security (ALS) - ability to restrict access to entity attribute values based on different criteria
  • record signing - ability to sign entity attributes using electronic signature
  • PDF signing - ability to sign PDF documents, including visual signatures
  • advanced logging mechanism - almost everything server do can be logged without performance lost

In this article we discuss a authorization & authentication.

What Is The Difference Between Authentication And Authorization?

Authentication

Authentication verifies who you are. For example, you can login into your Unix server using the ssh client, or access your email server using the POP3 and SMTP client.

Authorization

Authorization verifies what you are authorized to do. For example, you are allowed to login into your Unix server via ssh client, but you are not authorized to browser /data2 or any other file system. Authorization occurs after successful authentication. Authorization can be controlled at file system level or using various application level configuration options such as chroot(2).

Usually, the connection attempt must be both authenticated and authorized by the system. You can easily find out why connection attempts are either accepted or denied with the help of these two factors.

UnityBase authentication schemas

UnityBase support several authentication algorithm with different level of security. While configuring your application you can set security.authenticationMethods config parameter to array or possible supported authentication algorithm.

Authentication schema Description Authorization method
Basic HTTP Basic. Not recommended for a production Basic
UB Modified DIGEST UB
UBLDAP Based on a LDAP catalog UB
UBIP Based on a caller IP. For a server <-> server communication UBIP
Negotiate SSO using MS Windows domain. Enterprise edition only UB
CERT Based on a private/public keys. Defence edition only UB
OpenIDConnect Authentication layer on top of OAuth 2.0 UB
JWT JSON Web Token - coming soon JWT

Some schemas have it own authorization some are only for a authentication - the last column it the table above note a authorization method.

UB authorization

If future client requests are authorized using UB method, the task of authentication is to elaborate two parameters between client and server: clientSessionID and sessionPrivateKey. With knowledge of a secretWord - something only client is know, we can calculate a authentication header and add it to every request what require authentication.

After authentication all requests to a serve must include a Authorization: UB signature header, where signature is:

signature = hexa8(clientSessionID) + hexaTime + hexa8(crc32(sessionPrivateKey + secretWord + hexaTime));

Adding a time to a signature prevent from a relplay attack (server check time is growing in each request).

For any request server MAY response with 401 - this mean session is expired and client must repeat the authorization.

Authorization signature calculation (JavaScript):

function hexa8(value){
    var num = parseInt(value, 10),
        res = isNaN(num) ? '00000000' : num.toString(16);
    while(res.length < 8) {
        res = '0' + res;
    }
    return res;
};

 function getSignature() {
 var
    timeStampI = Math.floor((new Date()).getTime() /  1000),
    hexaTime = hexa8(timeStampI);

    return  hexa(clientSessionID) + hexaTime + hexa8(crc32(sessionPrivateKey + secretWord + hexaTime));
 }

UnityBase Administration (UBA) model

The basis of all security mechanism is UnityBase Administration (UBA) model. To enable build-in security developer must include UBA model to application domain.

This model define entities:

  • uba_role - security roles list
  • uba_user - user list
  • uba_userrole - user roles
  • uba_usercertificate - user certificates (used for public/private key authentication schema)
  • uba_els - entity level security information
  • uba_als - attribute-level security information
  • uba_audit - audit of security related operations
  • uba_subject - unity for uba_user and uba_role entities. Used as security principal for RLS and ACL security

If model UBA is not included into domain, UnityBase work in "authentication not used" mode. In this mode there is no Session context for method execution. This mode can be used in several cases:

  • for simple services what not require authentication
  • during database initialization
  • for test or developing purpose

Also developer can turn on "authentication not used" mode by comment "authMethods" section in application config.

Password policy

For authentication schemas what based on a password, stored in the uba_user entity (Basic, UB & CERT) administrator can define a policies. The policies is stored in the ubs_settings entity, so the UBS model must be in application domain. In other case default values are applied.

Parameter Description Default value
UBA.passwordPolicy.maxDurationDays Password expiration. Calculated form a last password change date. After maxDurationDays days user can't access any endpoint except changePassword and logout. That is, to continue the work the user must change the password. 0 (unlimited)
UBA.passwordPolicy.checkPrevPwdNum When user change password new one must not be equal to a checkPrevPwdNum previous passwords. If it is equal en error Previous password is not allowed is rised 4
UBA.passwordPolicy.minLength Minimal password length in chars. If user password length less to minLength Password is too short exception raised 3
UBA.passwordPolicy.checkCmplexity If true server will check password must contains upper & lower case letters, numbers and special chars [~!@#$%^&**()_+\=-\/'":;<>]. If not - exception Password is too simple* is raised false
UBA.passwordPolicy.checkDictionary Check the password are not a word from a dictionary. If so - Password is dictionary word error is raised false
UBA.passwordPolicy.allowMatchWithLogin Check password not match the user name. If so - Password matches with login error is raised false
UBA.passwordPolicy.maxInvalidAttempts After maxInvalidAttempts unsuccessful authorization user will be locked (uba_user.disabled=1). All attempts will logged to uba_audit as LOGIN FAILED or LOCKED LOGIN FAILED events 0 (unlimited)

Security audit & dashboard

All security - related operations are added to the uba_audit entity. The interface part is available in the adminUI on the path Administrator -> Security -> Security audit.

For user, specified in the UBA.securityDashboard.supervisorUser setting key (by default this is admin user) also available a Security monitor ( Administrator -> Security -> Security monitor ) feature, where all security related events are logged in the real time. For a real-time communication WebSockets must be turned on both server and client side - see WebSockets.

Integrity checking of the application components

UnityBase Defense edition provide a mechanism of self-checking components integrity.

Application server

For the application server the subject of integrity checking are:

  • Application configuration file
  • Files and subfolders* in models folders (models listen in the configuration file)
  • Files and subfolders* in inetPub folder (defined in serverConfig.httpServer.inetPub)
  • Files and folders whose names begin with "_" is ignored during checksum calculation

After set up application on the production environment, the first step is to calculate an application integrity. Command:

>ub -calcIntegrity  

will calculate a MD5 checksum of all application components and write it to system32 folder in the file UB_[applicationServerURL], where applicationServerURL is a full URL of current application. This folder accessible for write only for operation system Administrator, so the command should be executed using Administrator rights.

Every time application is starting, UnityBase will calculate a current application checksum and compare it with checksum, calculated by -calcIntegrity command. If the checksums do not match the application will be terminated with exit code = 1.

Client side

In the security environment instead of usual HTML browsed UBDefenseBrowser must be used. For the UBDefenseBrowser the subject of integrity checking are:

  • UBDefenseBrowser browser itself and all it components
  • offline application part

After set up UBDefenseBrowser on the client, the first step is to calculate an application integrity. Command:

>RunSecureBrowser.cmd -calcIntegrity  

will calculate a CRC32 checksum of all client components.

Every time client part is starting, it will calculate a current checksum and compare it with checksum, calculated by -calcIntegrity command. If the checksum do not match the application will be terminated with exit code = 1.