Although there is no way to guarantee 100% security for any system. However, there are ways in which you can reduce the chance of running into security problems while creating any application on the ONEWEB platform by keeping the following things in mind.

Create a security blueprint. This should include determining the problem areas in your application, the vulnerability points, sensitive data disclosure techniques, and an understanding of the permissions/role structure.

Perform an inventory of your application artifacts. This should include any external data or files used by your application, where are they located and any third-party services used.

Prioritize your application vulnerabilities. For this, you need to decide which vulnerabilities are worth eliminating and which aren’t too worrisome as it is not always possible to completely eliminate all vulnerabilities.

Run applications using the fewest privileges possible. Always use the least permissive settings for all web applications. Only highly authorized people should be able to make system changes.

Have interim protection in place. If your system suffers an attack or if a functionality makes the application more vulnerable to attacks, then it may be worth it to remove that functionality in the meantime. Have a web application firewall in place.

Use cookies securely. Never use cookies to store highly sensitive or critical information. Should not set very long expiration dates for cookies. Consider encrypting the information that is stored in the cookies.

Authentication is the act of proving the identity of a computer system user. Users are usually identified with a user ID, and authentication is accomplished when the user provides a credential, for example, a password that matches the user ID. There are three common ways of authentication.

HTTP Basic Authentication In this approach, an HTTP user agent simply provides a username and password to prove their authentication. This approach does not require cookies, session IDs, login pages, and other such specialty solutions, and because it uses the HTTP header itself.

Token or key-based API Keys were created as somewhat of a fix to the early authentication issues of HTTP Basic Authentication. In this approach, a unique generated value is assigned to each first-time user, signifying that the user is known. When the user attempts to re-enter the system, their unique key is used to prove that they’re the same user as before.

OAuth OAuth is not technically an authentication method, but a method of both authentication and authorization. In this approach, the user logs into a system. That system will then request authentication, usually in the form of a token. The user will then forward this request to an authentication server, which will either reject or allow this authentication. From here, the token is provided to the user, and then to the requester. Such a token can then be checked at any time independently of the user by the requester for validation.

This chapter introduces Web application security and explains the common security terminologies and recommendations used throughout this guide. It presents an overview of the security process and approach to security that covers multiple layers including the network, host, and application.

This article contains some configuration examples for using LDAP for authentication with ONEWEB 4.0. Try to configure this step.

setup LDAP connection

Basic information from a connection would be defined with the following attributes:

security-domain name: The attribute name for ONEWEB 4.0 fixed as "LDAPAuthLocal" reference from jboss-web.xml

url: The url of the LDAP server to connect to. Ex. "ldap://[Server IP Address]:[Port]"

bindDN: The distinguished name to use when establishing a connection to the server. When using a bindDN it usually comes with a password associated with it.

bindCredential: The password required for bindDN name specified to establish the connection to the server.

baseCtxDN: The starting point, where it will start searching.

baseFilter: A search filter used to locate the context of the user to authenticate. The input username/userDN as obtained from the login module callback will be substituted into the filter anywhere a {0} expression is seen. This substitution behavior comes from the standard DirContext.search(Name, String, Object[], SearchControls cons) method. A common example for the search filter is (uid={0})

rolesCtxDN: A search filter used to locate the roles associated with the authenticated user.

roleAttributeID: The name of the role attribute of the context which corresponds to the name of the role.

searchScope: Use default scope is SUBTREE_SCOPE.

For Wildfly configure "stanalone.xml" tag "<profile>" sub tag "<subsystem>" try to insert <security-domains>. See example below

<security-domain name="LDAPAuthLocal" cache-type="default">
        <authentication>
               <login-module code="Remoting" flag="optional">
                       <module-option name="password-stacking" value="useFirstPass"/>
               </login-module>
               <login-module code="LdapExtended" flag="required">
                       <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                       <module-option name="java.naming.provider.url" value="ldap://[IP Address]:[Port]"/>
                       <module-option name="java.naming.security.authentication" value="simple"/>
                       <module-option name="bindDN" value="CN=SystemAdmin,OU=People,dc=example,dc=com"/>
                       <module-option name="bindCredential" value="secret"/>
                       <module-option name="baseCtxDN" value="OU=Roles,dc=example,dc=com"/>
                       <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                       <module-option name="rolesCtxDN" value="OU=People,dc=example,dc=com"/>
                       <module-option name="roleFilter" value="(member={1})"/>
                       <module-option name="roleAttributeID" value="sAMAccountName"/>
                       <module-option name="roleAttributeIsDN" value="true"/>
                       <module-option name="roleRecursion" value="1"/>
                       <module-option name="defaultRole" value="AllUser"/>
                       <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                       <module-option name="allowEmptyPasswords" value="false"/>
                       <module-option name="throwValidateError" value="true"/>
               </login-module>
        </authentication>
</security-domain>

Specify the JBoss Security Domain In the jboss-web.xml file, specify the required security domain. see example below

<jboss-web>
    <security-domain>java:/jaas/LDAPAuthLocal</security-domain>
</jboss-web>

Security in ONEWEB controls the access to applications through the inter-related mechanisms of authentication and authorization. Once a user is authenticated, ONEWEB uses authorization and access control methods to protect and secure resources. Resources are made available to users based on roles that have the right permissions. ONEWEB supports LDAP authentication as well as local repository authentication in ONEWEB.

According to the Access control model in ONEWEB, users are assigned roles and roles have permissions to access objects. This will define what a user and role can and cannot do.

IAM (Identity Access Management) is the Authentication and Access Control module of ONEWEB. It is used to create and manage users, manage roles and permissions, and the different objects in a system.

IAM2 comes with a web application module for easy setting up of objects, roles, and permissions. Alternately, admin users can set up roles and permissions using the IAM2 Web Service API as well. IAM2 can be configured to work with existing LDAP in case the organization has an LDAP already configured.

Security is fundamentally about protecting assets, such as a Web page or your customer data in the database. As you analyze your infrastructure and applications, you identify potential threats and understand that each threat presents a degree of risk. Security is about risk management and implementing effective countermeasures.

The Foundations of Security Security relies on the following elements:

Authentication: "Who are you?" Authentication is the process of identifying the clients of your applications. These might be end-users, services, processes, or computers. Authenticated clients are referred to as principals.

Authorization: "What can you do?" Authorization is the process that governs the resources and operations that the authenticated client is permitted to access. Resources include files, databases, tables, rows, and system resources such as registry keys and configuration data. Operations include performing transactions such as CRUD operations.

Auditing Effective auditing and logging are the keys to non-repudiation, guarantee that a user cannot deny performing an operation.

Confidentiality Confidentiality is the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or who monitor the traffic across a network. Encryption is frequently used to enforce confidentiality. Access control lists (ACLs) are another means of enforcing confidentiality.

Integrity Integrity is the guarantee that data is protected from accidental or malicious modification. Like privacy, integrity is a key concern, particularly for data passed across networks. Integrity for data in transit is typically provided by using hashing techniques and message authentication codes.

Availability Availability means that systems remain available for service users. The goal for many attackers is a denial of service and they attack to make sure that there are less than sufficient resources so that other users cannot access the application.

How to Build a Secure Web Application? It is not possible to design and build a secure Web application until you know your threats. An increasingly important discipline and one that is recommended to form part of your application's design phase is threat modeling. The purpose of threat modeling is to analyze your application's architecture and design and identify potentially vulnerable areas that may allow a user, perhaps mistakenly, or an attacker with malicious intent, to compromise your system's security.

After that, design with security by applying proven security principles. As developers, you must follow secure coding techniques to develop secure and robust solutions. The design and development of application layer software must be supported by a secure network, host, and application configuration on the servers where the application software is to be deployed.

A design approach to security

Securing Your Network The network infrastructure consists of routers, firewalls, and switches. The role of the secure network is not only to protect itself from TCP/IP-based attacks, but also to implement countermeasures such as secure administrative interfaces and strong passwords. The secure network is also responsible for ensuring the integrity of the traffic that it is forwarding. If you know at the network layer about ports, protocols, or communication that may be harmful, counter those potential threats at that layer.

Table: Network Component Categories [1]

Securing Your Host Secure a host, whether it is your Web server, application server, or database server, this guide breaks down the various secure configuration settings into separate categories. With this approach, you can focus on a specific category and review security, or apply security settings that relate to that specific category. When you install new software on your servers with this approach, you can evaluate the impact on your security settings. For example, you may address the following questions: Does the software create new accounts? Does the software add any default services? Who are the services running as? Are any new script mappings created?

Table: Host Configuration Categories [2]

Securing Your Application The top security issues across many Web applications, you would see a pattern of problems. By organizing these problems into categories, you can systematically tackle them. These problem areas are your application's vulnerability categories.

Table: Application Vulnerability Categories [3]

Summary An ever-increasing number of attacks target your application. They pass straight through your environment's front door using HTTP. The conventional fortress model and the reliance on firewall and host defenses are not sufficient when used in isolation. Securing your application involves applying security at three layers: the network layer, host layer, and the application layer. A secure network and host platform infrastructure is a must. Additionally, your applications must be designed and built using secure design and development guidelines following timeworn security principles.

References [1] Microsoft, "Microsoft Pattern & Practices proven practices for predictable results", Web Application Security Fundamentals, Chapter 1, Network Component Categories, Table 1.1: Avaliable: https://msdn.microsoft.com/en-us/library/ff648636.aspx#c01618429_008. [Accessed Nov 14, 2017]. [2] Microsoft, "Microsoft Pattern & Practices proven practices for predictable results", Web Application Security Fundamentals, Chapter 1, Rationale for Host Configuration Categories, Table 1.2: Avaliable: https://msdn.microsoft.com/en-us/library/ff648636.aspx#c01618429_008. [Accessed Nov 14, 2017]. [3] Microsoft, "Microsoft Pattern & Practices proven practices for predictable results", Web Application Security Fundamentals, Chapter 1, Application Vulnerability Categories, Table 1.3: Avaliable: https://msdn.microsoft.com/en-us/library/ff648636.aspx#c01618429_008. [Accessed Nov 14, 2017].

Open ID is an open standard and decentralized authentication protocol. It is an authentication layer on top of OAuth 2.0. OpenID allows users to use an existing account to sign in to multiple websites, without needing to create new passwords. The user creates accounts by selecting an OpenID identity provider, and then uses those accounts to sign onto any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation.

Open ID Connection requires 3 actors:

• Open ID Provider - It is an Authorization Server capable of authenticating an end-user and providing the requisite information to the application requesting the information.

• Relying Party - The client application requests end-user authentication and information about the end-user.

• End-User - The human participant being authenticated and about whom the relying party is requesting information.

From version 4.0.19.10 IAM2 in ONEWEB accepts Open ID authentication. The current version supports only 4 response types: Code, Access Token, ID Token & none.

Response Type: Code When the response type is set as code, an authorization code is returned. The Relying Party’s server component can then exchange the code for the required tokens.

Response Type: Token When the response type is set as a token, it triggers an implicit flow and returns the Access Token directly to the Relying Party. An access token is a credential used to access protected resources. Access tokens represent specific scopes and durations of access.

Response Type: ID Token When the response type is set as id_token, it triggers an implicit flow and returns the ID Token directly to the Relying Party. The ID token contains the claims about the authentication of an End User and their identity. It may optionally contain other data about the End User. A Relying Party wishing to obtain further data about the End User need to present the access token they obtained to the user info endpoint.

Response Type: none When the response type is set as none, the requester doesn’t want any of the above to be returned to them.

The “none” response type is a special case in that it cannot be combined with any of the others. The other three can be combined in any way that you want. But the current version of IAM2 does not support the combination response types. For using combination response types please wait for the future releases of IAM2.

Once the client id is registered with ONEWEB, users can implement open ID authentication through IAM2 as shown in the sample request below

To manage the Role, Permission, and Object of the User follow the below steps.

1. Go to User Profile under the Admin menu. 2. Click expand button on the user who you want to add or remove role/permission/object.

Adding role 1. Click on Add Roles on the user you want to add roles.

2. Select the roles you want to add, it will appear on the right side. Then click Confirm Add Roles to add the roles to the user.

3. Roles you selected will be added to the user.

To delete role 1. Select the Role you want to remove from the user. Then click Remove Roles.

2. Delete Confirmation button will appear. If you want to remove a Role from the user, click on the Delete UserRoles button. If not, you can click Undo to cancel removing the role.

To Add Permission/Object 1. You can add specific permission or object which does not belong in the role to the user. Just click Add Permission/Object button.

2. Object/Permission popup will appear. You can choose Permission and Object from this popup.

3. To add Permission/Object, browse or search for the permission you want to add to the user from the system where you have permission. The Permission/Object you select will be displayed on the right side. Once you complete, just click Confirm Add Object/Permission to add the Permission/Object to the user.

The Permission/Object you add will be added to user.

To delete Permission/Object 1. Select the Permission/Object you want to remove from the user and click to Remove Permission/Object.

2. Delete Confirmation button will appear. If you want to remove Permission/Object from the user, click Delete Object/Permission button. If not, you can click Undo to cancel removing the Object/Permission.

The Access Control model in ONEWEB is based on Roles, Permissions, and Objects. You can control the rights of users using this model.

The Role is a job function that defines an authority level and can be used to assign the level of permissions on each object. You can easily define a role and assign it to many users who have the same permissions.

Permission is approval on the mode of access of an object or a group of objects. You can group similar usage of objects together as single permission to easily manage and assigned to many roles and users.

The Object is a thing that needs to be access-controlled and protected. The object can be anything you need to control permission such as a button, textbox, menu, page, file, etc.

The things to keep in mind are: A user can have many roles. A role can be assigned to multiple users. One role can have multiple permissions and many objects. One permission can be assigned to multiple roles. One permission can have many objects.

To create the user go to IAM in the Setting section of ONEWEB. Then go to the Admin menu section within IAM. (Note: To see the Admin Menu you need to have Admin privileges.)

1. Go to User Profile under the Admin menu. 2. Click Create New User button.

3. Complete user information such as Username, First name, Last name, password, etc., and attach photo. Select "Local Repository" as the Repository option, to store username and password into ONEWEB built-in repository. If you use an external repository like LDAP you can configure the LDAP connection and select LDAP Repository as well. When completed click Save Change to create the user.

You can see the new user on the User Profile screen.

EAF-REST API provides a powerful, convenient, and simple Web services API for interacting with ONEWEB 4.0 for standard CRUD operations to the database. This feature uses the concept of JWT (Json Web Token) for security. The client can connect to a server, send and receive data in JSON (JavaScript Object Notation) format. All requests from the client should send the "Authorization" parameter in the header. See below for the steps to connect to the server.

Request login The first step, the client logs in to the server with user information. EAF-REST provide login service URL "http://[IP Address]:[Port]/eaf-rest/login" Client connects using POST method and sends user information like this

{ 
    "username" : "User Name", 
    "password" : "Password", 
    "ldapproviderurl" : "", 
    "clientId" : "C00292818" 
}

Server create token The server creates payload information and generates a token.

Return token to the client The client receives a message from the server. For example, see the message below.

{ 
    "timestamp": "1510363014419", 
    "validity": 86400, 
    "id_token": "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJkbXBzeXN0ZW0iLCJjbGllbnRJZCI6ImFiYyIsImV4cCI6MTUxMTIyNzAxNCwiaXNzIjoiY29tLmF2YWxhbnQuand0In0.UXR5LbqWruWy3rJur2Lx2E1nfI73JX3QBQXA4c2u2_CTSSzceRRMyziGevhtRe16AzAgZGKhny3PdfNltIT5Hw"
 }

timestamp: Date and time server generate a token validity: age of token in a millisecond when server return token to the client. The token will expire by calculating validity from timestamp and validity: days = ((validity/3600)/24) ONEWEB 4.0 set default expires in 1 day. id_token: this is the value the client used to attach to http header authorization key

The Client sends a request with an authorization header When the client connects to a server every message should attach the token to the authorization key in the HTTP header

The Server checks the signature and Expire date When the server receives a message from the client, it will check the signature and expiration date of the token to validate the message. If the message is valid, the server will continue to process messages from the client. For invalid messages, the server rejects requests from that client.

Send a response to client After the server process the request, it will send the response to the client.

To Manage Permission and Object follow the below steps.

Open IAM using admin user. 1. Go to Permission menu under Admin menu.

2. There are two sides to consider. Left side is Permission control and Right side is Object control. You can create a new permission and a new object via new button.

To create a new Permission 1. Click New Permission button. Then New Permission popup will appear.

2. Select system for the permission you want to create.

3. Select the parent permission to place the new permission under an existing one or you can leave it blank to make the new permission as a top-level permission.

4. Give a permission name. Click Save Permission to create a new Permission.

5. Go to Permission tree menu you will find the new Permission under the system you chose.

To create Object 1. Click on New Object button. The New Object popup will appear.

2. Select the system for the object you want to create.

3. Give information about the new

• Object Object Id - System will automatically generate object id

• Object Ref Id - Object Ref Id is an id provided by the client system to reference this object

• Object Name - Name of this object

• Object Type - Type of this object

• Object Property - Object Property allow you to customize any specific value of this object and it will be returned to client system when they get the permission.

• Access Type - Access Type of this object. Then click Save Object to create a new Object.

4. Go to Object tree menu you will find the new Object under the system you chose.

To create Role Open IAM using admin user. 1. Go to Role under Admin menu.

2. Click Create New Role button.

3. To create Role Select

• System you want to add Role to.

• Select Parent Role if you want to create this role under another role.

• Input Role Name

• Input Role Description Then click Save Role

4. New Role will appear under the System and Parent Role you selected.

To add user to Role 1. Go to Role under Admin menu. Then click on the role you want to add the user to. 2. On the right side system will display the list of current users in that role. Click Add Users.

3. "Add Users To Role" Popup will be displayed. Search and select the user you want to add. Then click Confirm Users To Roles.

To Add Permission to Role 1. Select the Role you want to add Permission. 2. Click on Permission tab on the right side panel. 3. Click Add Permissions / Objects to add permission or object.

4. Search and Select Permission or Object you want to add. Then click Confirm Add Object/Permission.

Logs monitoring in ONEWEB follows multiple levels. In microservice of ONEWEB, it uses ELK for centralized logging.

• ONEWEB has the write log pattern section stored in property file.

  ONEWEB 4.0 provide logging feature using log4j library. It is very simple to configure log level in the property file log4j.properties and then go to ONEWEB 4.0 constants to configure the path for the output log file. Example file log4j.properties

• ONEWEB uses tools that helps in reading the log and storing data only for the part of the item that needs to be stored.

• We send log data to be stored at the central repository.

• Then it can be visualized for analysis as shown in Figure below.

ONEWEB 4.0 supports SSL by setting up SSL/HTTPS on your server:

Generate key In general, you have two options to generate a key:

• Using the Java Secure Socket Extension(JSSE)

• The native implementation based on OpenSSL

In both cases, you have to configure keys and (self-signed) certificates for your web server.

Configure Wildfly In case generate a key from Step 1 output file from the previous step is "oneweb.keystore" then copy the key file to "[$JBOSS_HOME]/standalone/configuration/". Now edit file standalone.xml

Under the profile option, expand undertow subsystem, there are two main parts which are Server and Servlet container configuration. Add https-listener under server

Under socket binding group Change Default WilfFly https port 8443 to 443.