Security Patterns for J2EE Applications, Web Services, Identity Management, and Service Provisioning
Good application design is often rooted in appropriate design strategies and leverages proven best practices using design patterns. Design strategies determine which application tactics or design patterns should be used for particular application security scenarios and constraints. Security design patterns are an abstraction of business problems that address a variety of security requirements and provide a solution to known security-related problems. They can be architectural patterns that depict how a security problem can be resolved architecturally (or conceptually), or they can be defensive design strategies upon which secure code can later be built.

Core Security Patterns is a collection of proven design patterns for delivering end-to-end security in J2EE applications, Web services, identity management, and service provisioning. These security patterns differ from traditional infrastructure security design patterns in that they address the end-to-end security requirements of an application: mitigating security risks at the functional and deployment level, securing business objects and data across logical tiers, securing communications, and protecting the application from unauthorized internal and external threats and vulnerabilities.

Like the Gang of Four patterns, Core Security Patterns are structured and represented using a standard pattern template for expressing a solution to a common or recurring problem. The template captures all the elements of a pattern and describes its motivation, issues, strategies, technology, applicable scenarios, solutions, and examples.

Security Pattern Template


To facilitate using the security patterns, we adopted a pattern template that consists of the following:

Problem: Describes the security issues addressed by the pattern.
Forces: Describes the motivations and constraints that affect the security problem. Highlights the reasons for choosing the pattern and provides justification.
Solution: Describes the approach briefly and the associated mechanisms in detail.
Structure: Describes the basic structure of the solution using UML sequence diagrams and details the participants.
Strategies: Describes different ways a security pattern may be implemented and deployed.
Consequences: Describes the results of using the security pattern as a safeguard and control measure. It also describes the trade-offs.
Security Factors and Risks: Describes the factors and risks to be considered while applying the pattern.
Reality Checks: Describes a set of review items to identify the feasibility and practicality of the pattern.
Related Patterns: Lists other related patterns from the Security Patterns Catalog or from other related sources.

Core Security Patterns facilitate securing a J2EE-based application architecture by applying them to the components and logical tiers such as the Web Tier, Business Tier, Web Services Tier, and Identity Tier. In the following sections, we present the security patterns catalog and briefly discuss each pattern specific to its logical tier, how the patterns relate to each other across coexisting component tiers, and finally how each contributes to the end-to-end security of an application.

Core Security Patterns Catalog

Web Tier Security Patterns


For details on each of these patterns, refer to Chapter 9, Securing the Web Tier: Design Strategies and Best Practices.

Authentication Enforcer
  Standards & Technologies: HTTPS; SSL/TLS; IPsec; JAAS; JSSE; JCE; JGSS
  Description: This pattern illustrates how a J2EE-based application client should authenticate with a J2EE application.
  Related Patterns: Context Object [CJP]; Intercepting Filter [CJP]

Authorization Enforcer
  Standards & Technologies: JACC; JAAS; JSSE; JCE; JGSS
  Description: This pattern illustrates how authorization should be enforced after user authentication with a J2EE application.
  Related Patterns: Context Object [CJP]; Intercepting Filter [CJP]

Intercepting Validator
  Standards & Technologies: JSP; Servlets
  Description: This pattern refers to secure mechanisms for validating parameters before invoking a transaction. Unchecked parameters may lead to buffer overrun, arbitrary command execution, and SQL injection attacks. The validation of application-specific parameters includes validating business data and characteristics such as data type (string, integer), format, length, range, and null-value handling, and verifying character set, locale, patterns, context, and legal values.
  Related Patterns: Message Inspector; Message Interceptor Gateway

Secure Base Action
  Standards & Technologies: JSP; Servlets
  Description: The Secure Base Action is a pattern for centralizing and coordinating security-related tasks within the Presentation Tier. It serves as the primary entry point into the Presentation Tier and should be extended by, or used by, a Front Controller. It coordinates use of the Authentication Enforcer, Authorization Enforcer, Secure Session Manager, Intercepting Validator, and Secure Logger to ensure a cohesive security architecture throughout the Web Tier.
  Related Patterns: Front Controller [CJP]; Command [GoF]; Authentication Enforcer; Authorization Enforcer; Secure Logger; Intercepting Validator

Secure Logger
  Standards & Technologies: JMX; Java API for Logging
  Description: This pattern defines how to capture application-specific events and exceptions in a secure and reliable manner to support security auditing. It accommodates the different behavioral nature of HTTP servlets, EJBs, SOAP messages, and other middleware events.
  Related Patterns: Abstract Factory [GoF]; Secure Pipe

Secure Pipe
  Standards & Technologies: HTTPS; SSL/TLS; IPsec; JSSE
  Description: This pattern shows how to secure the connection between the client and the server, or between servers when connecting trading partners. In a complex distributed application environment there will be a mixture of security requirements and constraints between clients, servers, and any intermediaries, so standardizing the connection between external parties on the same platform and security protection mechanism may not be viable. The pattern adds value by requiring mutual authentication and establishing confidentiality or non-repudiation between trading partners, which is particularly critical for B2B integration using Web services.
  Related Patterns: Message Interceptor Gateway

Secure Service Proxy
  Standards & Technologies: Servlets; JAX-RPC; SAAJ
  Description: This pattern is intended to secure and control access to J2EE components exposed as Web services endpoints. It acts as a security proxy by providing a common interface to the underlying service provider components (for example, session EJBs, servlets, and so forth) and restricting direct access to the actual Web services provider components. The Secure Service Proxy pattern can be implemented as a servlet or RPC handler for basic authentication of Web services components that do not use message-level security.
  Related Patterns: Proxy [GoF]; Intercepting Web Agent; Secure Message Router; Message Interceptor Gateway; Extract Adapter [Kerievsky]

Secure Session Manager
  Standards & Technologies: Servlets; EJB
  Description: This pattern defines how to create a secure session by capturing session information; use it in conjunction with Secure Pipe. It describes the actions required to build a secure session between the client and the server, or between servers, including the creation of session information in HTTP or stateful EJB sessions and how to protect sensitive business transaction information during the session.
  Related Patterns: Context Object [CJP]

Intercepting Web Agent
  Standards & Technologies: JMX; Web server plugin
  Description: This pattern helps protect Web-based J2EE applications through a Web Agent that intercepts requests at the Web Container and provides authentication, authorization, encryption, and auditing capabilities.
  Related Patterns: Proxy [GoF]
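As an added example (not from the Core Security Patterns book or this page), the Intercepting Validator above written as a servlet Filter: each declared request parameter is checked for presence, data type and format, length, legal values and duplicate occurrences, and the request is rejected before any transaction runs. The class name, rule set and parameter names are constructed for this illustration.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Intercepting Validator as a servlet Filter: each parameter named in RULES is checked
// for presence, length, character set and legal values before the request reaches the
// action that invokes the transaction. Class, rule and parameter names are constructed.
public class InterceptingValidatorFilter implements Filter {

    // One rule: is the parameter required, its maximum length, and a whitelist
    // pattern that the whole value must match.
    record Rule(boolean required, int maxLength, Pattern allowed) {}

    // Constructed rule set for a hypothetical funds-transfer action.
    static final Map<String, Rule> RULES = new LinkedHashMap<>();
    static {
        RULES.put("accountId", new Rule(true, 12, Pattern.compile("^[0-9]{6,12}$")));             // type + length
        RULES.put("amount",    new Rule(true, 10, Pattern.compile("^[0-9]{1,7}(\\.[0-9]{2})?$"))); // decimal format
        RULES.put("currency",  new Rule(true, 3,  Pattern.compile("^(USD|EUR|GBP)$")));            // legal values
        RULES.put("memo",      new Rule(false, 64, Pattern.compile("^[A-Za-z0-9 .,-]*$")));        // optional, charset
    }

    // Returns null when every parameter passes, otherwise the name of the first offending one.
    static String firstViolation(Map<String, String[]> params) {
        for (Map.Entry<String, Rule> e : RULES.entrySet()) {
            String[] values = params.get(e.getKey()); Rule r = e.getValue();
            if (values == null || values.length == 0) {          // null-value handling
                if (r.required()) return e.getKey();
                continue;
            }
            if (values.length != 1) return e.getKey();           // duplicated parameter: reject, do not pick one
            String v = values[0];
            if (v.length() > r.maxLength() || !r.allowed().matcher(v).matches()) return e.getKey();
        }
        return null;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String bad = firstViolation(((HttpServletRequest) req).getParameterMap());
        if (bad != null) {   // fail closed before any business component runs; name the parameter, never echo its value
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid parameter: " + bad);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to the action URLs in web.xml so it runs ahead of the Front Controller; because it is a whitelist, an unexpected parameter value is rejected rather than sanitized.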


Business Tier Security Patterns

For details on each of these patterns, refer to Chapter 10, Securing the Business Tier: Design Strategies and Best Practices.

Audit Interceptor
  Standards & Technologies: Java API for Logging; Log4J
  Description: Works in conjunction with the Secure Logger pattern: Secure Logger provides instrumentation of the logging aspects in the front end, and the Audit Interceptor pattern enables the administration and manages the logging and audit in the back end.
  Related Patterns: Secure Logger; Intercepting Filter [CJP]

Container Managed Security
  Standards & Technologies: EJB
  Description: This pattern describes when and how to declare security-related information for EJBs in a deployment descriptor.
  Related Patterns: Secure Pipe

Dynamic Service Management
  Standards & Technologies: JMX
  Description: This pattern provides dynamically adjustable instrumentation of security components for monitoring and active management of business objects.
  Related Patterns: Secure Pipe; Secure Message Router

Obfuscated Transfer Object
  Standards & Technologies: JCE
  Description: This pattern describes ways of protecting business data represented in transfer objects and passed within and between logical tiers.
  Related Patterns: Transfer Object [CJP]

Policy Delegate
  Standards & Technologies: JACC; EJB; XACML
  Description: This pattern creates, manages, and administers security management policies governing how EJB tier objects are accessed and routed.
  Related Patterns: Secure Base Action; Business Delegate [CJP]

Secure Service Façade
  Standards & Technologies: EJB
  Description: This pattern provides a session façade that can contain and centralize complex interactions between business components under a secure session. It provides dynamic and declarative security to back-end business objects in the service façade, and shields them from foreign entities that would otherwise perform illegal or unauthorized service invocations directly under a secure session. Session information can also be captured and tracked in conjunction with the Secure Logger pattern.
  Related Patterns: Secure Service Proxy; Session Façade [CJP]

Secure Session Object
  Standards & Technologies: EJB
  Description: This pattern defines ways to secure session information in EJBs, facilitating distributed access and seamless propagation of security context.
  Related Patterns: Transfer Object [CJP]; Session Façade [CJP]

Web Services Tier Security Patterns

For details on each of these patterns, refer to Chapter 11, Securing Web Services: Design Strategies and Best Practices.

Message Inspector
  Standards & Technologies: XML Encryption; XML Signature; SAAJ; WS-Security; SAML; XKMS; JAX-RPC
  Description: This pattern checks for and verifies the quality of XML message-level security mechanisms, such as XML Signature and XML Encryption in conjunction with a security token. The Message Inspector pattern also helps in verifying and validating the security mechanisms applied to a SOAP message when it is processed by multiple intermediaries (actors). It supports a variety of signature formats and encryption technologies used by these intermediaries.
  Related Patterns: Message Interceptor Gateway; Secure Message Router

Message Interceptor Gateway
  Standards & Technologies: JAX-RPC; SAAJ; WS-Security; XML Signature; XML Encryption; SAML; XACML; WS-*
  Description: This pattern provides a single entry point and allows centralization of security enforcement for incoming and outgoing messages. The security tasks include creating, modifying, and administering security policies for sending and receiving SOAP messages. It helps to apply the transport-level and message-level security mechanisms required for securely communicating with a Web services endpoint.
  Related Patterns: Secure Access Point; Message Inspector; Secure Message Router

Secure Message Router
  Standards & Technologies: XML Signature; XML Encryption; WS-Security; Liberty Alliance; SAML; XKMS
  Description: This pattern facilitates secure XML communication with multiple partner endpoints that adopt message-level security and identity-federation mechanisms. It acts as a security intermediary component that applies message-level security mechanisms to deliver messages to multiple recipients, where each intended recipient is able to access only the required portion of the message and the remaining message fragments are kept confidential.
  Related Patterns: Secure Access Point; Message Inspector; Message Interceptor Gateway

Identity Management and Service Provisioning


The first three patterns are detailed in Chapter 12, Securing the Identity: Design Strategies and Best Practices; Password Synchronizer is detailed in Chapter 13, Secure Service Provisioning: Design Strategies and Best Practices.

Assertion Builder
  Standards & Technologies: SAML; Liberty Alliance
  Description: This pattern defines how an identity assertion (for example, an authentication assertion or an authorization assertion) can be built.
  Related Patterns: Single Sign-on Delegator

Credential Tokenizer
  Standards & Technologies: SAML; Liberty Alliance
  Description: This pattern describes how a principal's security token can be encapsulated, embedded in a SOAP message, routed, and processed.
  Related Patterns: Secure Session Object

Single Sign-on (SSO) Delegator
  Standards & Technologies: SAML; Liberty Alliance
  Description: This pattern describes how to construct a delegator agent for handling a legacy system for single sign-on (SSO).
  Related Patterns: Service Locator [CJP]; Business Delegate [CJP]

Password Synchronizer
  Standards & Technologies: SPML
  Description: This pattern describes how to securely synchronize principals across multiple applications using service provisioning.

[CJP] Alur, Crupi and Malks: Core J2EE Patterns (Prentice Hall 2003)
2005 Core Security Patterns, Chris Steel, Ramesh Nagappan, Ray Lai (All Rights Reserved)

www.coresecuritypatterns.com
