Chapter 6. Development Guide for the Common Criteria Certified System

6.1. Enterprise Application

JBoss EAP 7 implements the Java EE 7 Full Platform and Web Profile standards, including:

  • Batch 1.0
  • JSON-P 1.0
  • Concurrency 1.0
  • WebSocket 1.1
  • JMS 2.0
  • JPA 2.1
  • JCA 1.7
  • JAX-RS 2.0
  • JAX-WS 2.2
  • Servlet 3.1
  • JSF 2.2
  • JSP 2.3
  • EL 3.0
  • CDI 1.2
  • JTA 1.2
  • Interceptors 1.2
  • Common Annotations 1.1
  • Managed Beans 1.0
  • EJB 3.2
  • Bean Validation 1.1

Typically, the application accepts requests from clients, performs some processing, and responds with results. The enterprise application developed by the trusted developer is referred to below as the user application.

6.2. General Restrictions

The trusted software developer must observe the following restrictions when developing secure software for the certified system.

  1. Application Programming Interfaces (APIs) that are not documented in the applicable product documentation must not be used.
  2. The programming restrictions mandated by the Enterprise JavaBeans Specification v3.2 must be strictly followed. For more information, refer to JSR 345: Enterprise JavaBeans 3.2 specification.

Enterprise Java Beans Specification Developer Restrictions

The restrictions are:

  • An enterprise bean must not use read/write static fields. Using read-only static fields is allowed. Therefore, it is recommended that all static fields in the enterprise bean class be declared as final.
  • An enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances.
  • An enterprise bean must not use the AWT functionality to attempt to output information to a display or to input information from a keyboard.
  • An enterprise bean must not use the java.io package to attempt to access files and directories in the file system.
  • An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast.
  • The enterprise bean must not attempt to query a class to obtain information about the declared members that are not otherwise accessible to the enterprise bean because of the security rules of the Java language. The enterprise bean must not attempt to use the Reflection API to access information that the security rules of the Java programming language make unavailable.
  • The enterprise bean must not attempt to

    • create a class loader
    • obtain the current class loader
    • set the context class loader
    • set security manager
    • create a new security manager
    • stop the JVM
    • change the input, output, and error streams
  • The enterprise bean must not attempt to set the socket factory used by ServerSocket, Socket, or the stream handler factory used by URL.
  • The enterprise bean must not attempt to manage threads. The enterprise bean must not attempt to start, stop, suspend, or resume a thread, or to change a thread’s priority or name. The enterprise bean must not attempt to manage thread groups.
  • The enterprise bean must not attempt to obtain the security policy information for a particular code source.
  • The enterprise bean must not attempt to load a native library.
  • The enterprise bean must not attempt to gain access to packages and classes that the usual rules of the Java programming language make unavailable to the enterprise bean.
  • The enterprise bean must not attempt to define a class in a package.
  • The enterprise bean must not attempt to access or modify the security configuration objects (Policy, Security, Provider, Signer, and Identity).
  • The enterprise bean must not attempt to use the subclass and object substitution features of the Java Serialization Protocol.
  • The enterprise bean must not attempt to pass this as an argument or method result. The enterprise bean must pass the result of SessionContext.getEJBObject, SessionContext.getEJBLocalObject, EntityContext.getEJBObject, or EntityContext.getEJBLocalObject instead.
  • The enterprise bean must not use Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO).
  • The enterprise bean must not use annotations from PicketBox. The following annotations that modify the behavior of the JAAS module must not be used:

    • @AuthenticationMechanism
    • @SecurityMapping
    • @Authentication
    • @Authorization
    • @SecurityConfig
    • @SecurityAudit
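
The same bean written two ways, as an added example that is not part of the original guide: the first version violates three of the restrictions above (a read/write static field, a bean-managed thread, and a synchronization primitive) and would be stopped by the Java Security Manager, while the second delegates the same work to container-managed resources (a singleton bean with container-managed concurrency and the Concurrency 1.0 ManagedExecutorService). Class and method names are hypothetical.

```java
import java.util.concurrent.Future;

import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Singleton;
import javax.ejb.Stateless;
import javax.enterprise.concurrent.ManagedExecutorService;

// NON-COMPLIANT: read/write static state, a bean-managed thread and a raw
// synchronization primitive, all forbidden by the EJB developer restrictions.
@Stateless
class ReportBeanNonCompliant {
    private static long generated;                        // read/write static field

    public void generate(String reportName) {
        new Thread(() -> render(reportName)).start();     // bean starts its own thread
        synchronized (ReportBeanNonCompliant.class) {     // thread synchronization primitive
            generated++;
        }
    }

    private void render(String reportName) { /* rendering omitted (hypothetical) */ }
}

// COMPLIANT: shared state lives in a container-managed singleton, and the
// background work is handed to the container's ManagedExecutorService.
@Singleton
class ReportCounter {
    private long generated;

    @Lock(LockType.WRITE)   // the container serialises writers; no synchronized block needed
    public void increment() { generated++; }

    @Lock(LockType.READ)
    public long value() { return generated; }
}

@Stateless
public class ReportBean {
    @Resource
    private ManagedExecutorService executor;   // default: java:comp/DefaultManagedExecutorService

    @EJB
    private ReportCounter counter;

    public Future<String> generate(String reportName) {
        counter.increment();
        return executor.submit(() -> "rendered " + reportName);   // container-managed thread
    }
}
```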

These restrictions are enforced by the Java Security Manager when the certified system runs with the security manager enabled. The following measures should also be taken so that the security and stability of the certified system are not endangered:

  • System administrators of the certified system must ensure they do not provide user application security permissions that relax any of the aforementioned restrictions.
  • Applications should be audited prior to deployment to ensure that the code contained within the deployments, including the code contained within bundled JARs, does not make any calls to the APIs provided by the class ‘org.wildfly.security.manager.WildFlySecurityManager’.

6.3. Developer Advice for User Credentials

To configure authentication for an outbound invocation, the AuthenticationContext can be used. For this outbound invocation, SASL authentication will be used.

Example: Setting the AuthenticationContext

import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;

// MatchRule.ALL applies this configuration to every outbound connection
final AuthenticationContext authenticationContext = AuthenticationContext.empty()
        .with(
            MatchRule.ALL,
            AuthenticationConfiguration.empty()
                .useName("username")
                .useRealm(null)
                .usePassword("password"));

The AuthenticationContext can then wrap an outbound call to ensure this policy is used.

// runCallable takes a Callable, returns its result and declares 'throws Exception'
authenticationContext.runCallable(() -> {
    // Make Remote Call
    return null;
});
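
A narrower form of the same policy, as an added example that is not part of the original guide: the credentials are matched only for one destination host instead of MatchRule.ALL, so the password is never offered to any other endpoint, and the outbound call is made through runCallable with a proper return value. The host name, user name, password source and remote call are hypothetical placeholders.

```java
import java.util.concurrent.Callable;

import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;

public class ScopedOutboundCall {

    // Builds a context whose single rule matches only app2.example.com (hypothetical host).
    // A connection to any other host finds no matching rule and gets no credentials,
    // so a misdirected call cannot leak this password to a different endpoint.
    static AuthenticationContext buildContext(char[] password) {
        AuthenticationConfiguration remoteApp = AuthenticationConfiguration.empty()
                .useName("app-caller")
                .usePassword(password);         // char[] rather than a String literal in code
        return AuthenticationContext.empty()
                .with(MatchRule.ALL.matchHost("app2.example.com"), remoteApp);
    }

    // Runs the outbound call inside the context; the Callable must return a value.
    static String callRemote(AuthenticationContext ctx, Callable<String> remoteCall)
            throws Exception {
        return ctx.runCallable(remoteCall);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical: the password would normally come from a credential store, not a literal.
        char[] password = "change-me".toCharArray();
        AuthenticationContext ctx = buildContext(password);

        String result = callRemote(ctx, () -> {
            // Make Remote Call here, for example looking up and invoking a remote EJB
            return "ok";
        });
        System.out.println("remote call returned: " + result);
        java.util.Arrays.fill(password, '\0');   // clear the secret once it is no longer needed
    }
}
```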