Security Methodology

From Taylor

Security requirements are addressed iteratively throughout the project life cycle. The following is an outline of the additional security tasks that need to be woven into the execution of the various Agile Unified Process disciplines.

Disciplines

Modeling

During requirements analysis:

  • Model security roles as UML actors: User, Manager, Admin, etc.
  • Derive the permissions for your domain entities and services from the user stories and actors

Implementation

When implementing a security requirement it is helpful to think of it based on the layer in which it is implemented (domain, service, and/or presentation layers) and the level at which it applies (class, instance, and/or field levels).

Domain Layer

  • Secure the entities with @Permissions/@PrincipalsAllowed stereotypes [Class & Instance Level Security]
  • Secure entity properties with the @Encrypted stereotype [Field Level Security]

Service Layer

  • Secure services and operations with @RolesAllowed stereotypes [Class Level Security]
  • For web services, configure the following in the jboss-wsse-server.xml and jboss-wsse-client.xml files:
    • Digital signatures [Instance Level Security]
    • Encryption [Field Level Security]

Presentation Layer

  • Organize and secure the pages by role [Class Level Security]
  • Filter results based on permissions [Instance Level Security]
  • Use expressions such as #{s:hasRole('Admin')} in the Facelets pages to control whether fields, sections, and buttons are rendered or disabled [Field Level Security]


Testing

Testing security requirements is just a part of the regular testing effort.

  • Testing should be automated and continuous, as usual
  • Be sure to add negative tests that verify the security requirements
  • Do container-less unit testing and in-container integration testing
  • Do performance testing to see the impact of different security requirements
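To make the layer/level matrix from the Implementation section and the container-less negative testing from this section concrete, here is an added example that is not part of the Taylor project or the original page. It shows one service-layer operation with a class-level @RolesAllowed check (JSR-250), an instance-level result filter, and a field-level mask, followed by a plain JUnit 4 negative test that runs without a container. The Caller and Order records, the enforceRolesAllowed helper standing in for the container's interceptor, and the sample data are all constructed for this example; it assumes Java 16+ and the javax.annotation-api and JUnit 4 jars on the classpath.

```java
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.Method;
import java.util.*;
import java.util.stream.Collectors;

// Constructed stand-in for the container's security context (principal + roles).
record Caller(String name, Set<String> roles) {}
// Constructed domain entity; 'owner' drives the instance-level check.
record Order(String id, String owner, String cardNumber) {}

class OrderService {
    private final List<Order> orders = List.of(
        new Order("o1", "alice", "4111111111111111"),   // constructed sample data
        new Order("o2", "bob",   "5500000000000004"));

    // Class level: the whole operation is denied unless the caller holds one of these roles.
    @RolesAllowed({"User", "Manager"})
    public List<Order> listOrders(Caller caller) throws NoSuchMethodException {
        enforceRolesAllowed(caller, "listOrders");
        boolean manager = caller.roles().contains("Manager");
        return orders.stream()
            // Instance level: plain users see only their own orders, managers see all.
            .filter(o -> manager || o.owner().equals(caller.name()))
            // Field level: only managers get the full card number; others get a masked copy.
            .map(o -> manager ? o
                      : new Order(o.id(), o.owner(), "****" + o.cardNumber().substring(12)))
            .collect(Collectors.toList());
    }

    // Container-less stand-in for the EJB/Seam interceptor that enforces @RolesAllowed.
    private void enforceRolesAllowed(Caller caller, String methodName) throws NoSuchMethodException {
        Method m = getClass().getMethod(methodName, Caller.class);
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra != null && Collections.disjoint(Arrays.asList(ra.value()), caller.roles()))
            throw new SecurityException(caller.name() + " lacks a role in " + Arrays.toString(ra.value()));
    }
}

// Container-less unit tests: the first is the negative test that proves denial actually happens.
public class OrderServiceTest {
    @org.junit.Test(expected = SecurityException.class)
    public void callerWithoutRoleIsDenied() throws Exception {
        new OrderService().listOrders(new Caller("guest", Set.of()));
    }

    @org.junit.Test
    public void userSeesOnlyOwnOrdersWithMaskedCard() throws Exception {
        List<Order> r = new OrderService().listOrders(new Caller("alice", Set.of("User")));
        org.junit.Assert.assertEquals(1, r.size());
        org.junit.Assert.assertEquals("****1111", r.get(0).cardNumber());
    }
}
```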

Project Management

  • Changes to security requirements are handled the same as other requirements and change requests
  • Make certain to plan for the additional negative tests

Deployment

Server

The following are things to consider when setting up the server.

  • Configure LoginModules
    • Use the LDAP module
  • Secure the server entry points
    • jmx-console
    • web-console
    • JNDI
    • RMI HTTP Invoker
    • JMX Invoker
    • JMS
    • Tomcat
  • Use SSL
    • You will need to set up key stores
  • Set up firewall ports
  • Set up proxies
    • inbound & outbound
  • JBoss Security Details

Administration

  • Maintenance of User, Role, and Permission data
    • Users are generally stored in LDAP
    • Application specific roles and permissions may be stored in the application data source
  • Self-service: users should be able to create a new account, which should trigger a New User business process