Single Sign-On for Java Web Start Applications
Using MyProxy
Terry Fleury, Jim Basney, and Von Welch
November 3, 2006
Nov. 3, 2006 http://myproxy.ncsa.uiuc.edu/sessions/
Idea
• Goal: enable “web” single sign-on (SSO) for non-web applications
• Restriction: utilize the authentication protocols already available to all applications involved
• Requirement: minimize exposure of a user’s long-term authentication credentials (e.g. the user’s password)
Related SSO Solutions
• Kerberos
– Issues cryptographic software tokens
– Can integrate with Java via GSS-API
– But, the underlying application must be modified to understand the Kerberos protocol
• Session cookies
– JSESSIONID allows the JWS application to “inherit” the browser’s security context
– But, the security context is only valid with the web server initially contacted
• Browser-based SSO
– Examples: Microsoft’s Passport, Pubcookie, and Shibboleth
– But, not useful in non-browser applications such as JWS
Motivation
• Real-world development effort: MAEviz
• Three main components
– Web portal / application server
– Data server
– Java Web Start visualization application
• Web portal and Data server use password-based authentication
• Portal and JWS application do not share a session context
Scenario
• User connects to grid portal
– Username/password authentication
• Portal connects to data server for listing
– Also username/password authentication
• Web portal launches JWS application
– JWS application authenticates to data server
• Desire: user authenticates only once
– The goal of Single Sign-On (SSO)
Portal + Java Web Start (figure)
Actors: User’s Client, Application Server, Data Server
(1) Login: User’s Client → Application Server
(2) Data Request: Application Server → Data Server
(3) Data: Data Server → Application Server
(4) JNLP: Application Server → User’s Client
(5) Data Request: User’s Client (JWS application) → Data Server
(6) Render Data: on User’s Client
MAE Center Portal
MAEviz JWS Application
Multiple Protocols
• Portal server is Sakai
– Web browser front-end
– Web services (Axis), JSP, Java back-end
• Data server is SAM
– WebDAV server
– Metadata Mgmt. and Notebook Services
• MAEviz application is JWS
– Launched via JNLP file
– Distinct from web browser session
• How to effect a shared security session?
Password Authentication
• Good news – all components understand username/password authentication
• Obvious solution – pass around the user’s name and password
• Bad news – don’t want to expose the user’s long-lived password
• Solution – use short-lived “session passwords” instead
Session Passwords
• Associate multiple short-lived “session” passwords with a given username
• Can be used in lieu of a user’s long-lived password
• Expire after a few hours
• Rely on an external authentication service for the user’s long-lived password
• Allow for a “password based” SSO solution
Solution: MyProxy
• Originally used for X.509 credential storage and retrieval
• Can also be configured as a Certificate Authority (CA) to issue credentials
• Server configuration option allows for storage and retrieval of any number of session passwords for a user
• Multiple external authentication methods
– PAM and SASL
Creating Session Password (figure)
Actors: Client A, MyProxy Server, External User Database, Local Cert Storage
(1) Username & Password: Client A → MyProxy Server
(2) Authn U/P: MyProxy Server → External User Database
(3) Credential for the user
(4) Generate P': MyProxy Server
(5) Put(Cred, U, P'): MyProxy Server → Local Cert Storage; (5) Cred: MyProxy Server → Client A
Using Session Password (figure)
Actors: Client B, MyProxy Server, Local Cert Storage
(1) Username & Session Password (P'): Client B → MyProxy Server
(2) Authn U/P': MyProxy Server → Local Cert Storage
(3) Cred / Authn OK: Local Cert Storage → MyProxy Server
(2) Cred: MyProxy Server → Client B
MyProxy Configuration
• Checks all stored credentials
– When authenticating a password, ALL credentials for a given username on the MyProxy server are checked for a match
• Falls back to external authentication
– If no password matches a stored credential, MyProxy falls back to external authentication methods (e.g. PAM)
• Result: MyProxy authenticates a user’s original long-lived password AND any session passwords
MyProxy Single Sign-On (figure)
Actors: User’s Client, Application Server, Data Server, MyProxy Server, External User Database, Local Cert Storage
(1) U/P: User’s Client → Application Server
(2) U/P: Application Server → MyProxy Server
(3) U/P Authn: MyProxy Server → External User Database
(4) Cred: credential for the user
(5) Generate P': MyProxy Server
(6) Put(Cred, U, P'): MyProxy Server → Local Cert Storage; (6) Cred: MyProxy Server → Application Server
(7) U/P': Application Server → Data Server
(8) U/P' Authn: Data Server → MyProxy Server → Local Cert Storage; (8) Cred / Authn OK: back to Data Server
(9) Data: Data Server → Application Server
(10) JNLP w/ U/P': Application Server → User’s Client
(11) U/P': User’s Client (JWS application) → Data Server
(12) U/P' Authn: Data Server → MyProxy Server → Local Cert Storage; (12) Cred / Authn OK: back to Data Server
(13) Render Data: on User’s Client
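The session-password lifecycle from the “Creating Session Password” and “Using Session Password” figures, the check-all-stored-credentials-then-fall-back rule from the MyProxy Configuration slide, and the full SSO walk-through above, as one added Python model. This is an illustration written for this page, not MyProxy’s code: the user name, long-lived password, certificate strings, three-hour lifetime and PBKDF2 parameters are constructed, the External User Database is a dictionary standing in for PAM/SASL, and the clock is injectable so that expiry can be exercised without waiting.

```python
"""Toy model of MyProxy-style session passwords (added illustration, not
MyProxy's code). All names, passwords and lifetimes here are constructed."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the toy never keeps a password in clear.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


class ExternalUserDB:
    """Stand-in for the PAM/SASL-backed 'External User Database'."""

    def __init__(self, users: dict):
        self._db = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self._db[user] = (salt, _hash(pw, salt))

    def authenticate(self, user: str, pw: str) -> bool:
        rec = self._db.get(user)
        return rec is not None and hmac.compare_digest(_hash(pw, rec[0]), rec[1])


@dataclass
class StoredCred:
    cert: str        # stands in for the X.509 credential in Local Cert Storage
    pw_hash: bytes   # hash of the session password P'
    salt: bytes
    expires: float   # absolute time; the slides say "a few hours"


class MyProxyServer:
    SESSION_LIFETIME = 3 * 3600  # seconds (constructed value)

    def __init__(self, external_db: ExternalUserDB, clock=time.time):
        self.external = external_db
        self.clock = clock   # injectable so expiry can be tested
        self.store = {}      # 'Local Cert Storage': user -> [StoredCred]

    def _live_creds(self, user: str) -> list:
        now = self.clock()   # expired session passwords are dropped on access
        self.store[user] = [c for c in self.store.get(user, []) if c.expires > now]
        return self.store[user]

    def authenticate(self, user: str, pw: str):
        """Check ALL stored credentials for the user for a password match; if
        none matches, fall back to external (PAM-style) authentication.
        Returns the credential on success, None on failure."""
        for cred in self._live_creds(user):
            if hmac.compare_digest(_hash(pw, cred.salt), cred.pw_hash):
                return cred.cert
        if self.external.authenticate(user, pw):
            return f"cert-for-{user}"   # MyProxy acting as CA (constructed cert)
        return None

    def create_session_password(self, user: str, long_lived_pw: str) -> str:
        """(1)-(2) authenticate U/P externally, (3) obtain Cred, (4) generate P',
        (5) Put(Cred, U, P'). The toy requires the long-lived password here;
        the slides do not say whether an existing P' may mint another."""
        if not self.external.authenticate(user, long_lived_pw):
            raise PermissionError("long-lived password rejected")
        session_pw = secrets.token_urlsafe(24)   # (4) Generate P'
        salt = os.urandom(16)
        self._live_creds(user).append(           # (5) Put(Cred, U, P')
            StoredCred(f"cert-for-{user}", _hash(session_pw, salt), salt,
                       self.clock() + self.SESSION_LIFETIME))
        return session_pw

    def destroy_session_password(self, user: str, session_pw: str) -> int:
        """Client retires P' before it expires; returns how many were removed."""
        live = self._live_creds(user)
        keep = [c for c in live
                if not hmac.compare_digest(_hash(session_pw, c.salt), c.pw_hash)]
        self.store[user] = keep
        return len(live) - len(keep)


def run_sso_flow() -> dict:
    """Walks the SSO figure with a controllable clock; records what each party saw."""
    clock = {"now": 0.0}
    myproxy = MyProxyServer(ExternalUserDB({"alice": "long-lived-pw"}),
                            clock=lambda: clock["now"])
    seen = {}
    p1 = myproxy.create_session_password("alice", "long-lived-pw")  # (1)-(6), portal
    seen["data_server_ok"] = myproxy.authenticate("alice", p1) is not None  # (7)-(8)
    seen["jws_ok"] = myproxy.authenticate("alice", p1) is not None          # (10)-(12)
    seen["long_lived_ok"] = myproxy.authenticate("alice", "long-lived-pw") is not None
    seen["bad_pw_rejected"] = myproxy.authenticate("alice", "wrong") is None
    p2 = myproxy.create_session_password("alice", "long-lived-pw")  # "any number" of P'
    seen["two_coexist"] = all(myproxy.authenticate("alice", p) for p in (p1, p2))
    seen["destroyed"] = myproxy.destroy_session_password("alice", p1)
    seen["destroyed_rejected"] = myproxy.authenticate("alice", p1) is None
    seen["p2_still_ok"] = myproxy.authenticate("alice", p2) is not None
    clock["now"] += MyProxyServer.SESSION_LIFETIME + 1   # p2 ages out
    seen["expired_rejected"] = myproxy.authenticate("alice", p2) is None
    return seen


if __name__ == "__main__":
    for key, value in run_sso_flow().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is that neither the data server nor the JWS application ever handles the long-lived password: both present only U/P', and MyProxy resolves P' against the stored credentials before it would ever consult the external user database. Note that the fallback path means a wrong session password still costs one external authentication attempt, so an external backend with lockout policies will see failed session passwords as failed logins.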
Security Concerns
• JNLP file on multi-user systems
– Downloaded to user’s local file system
– Not deleted upon session exit
– Might have permissive umask setting
– Only solution is “user education”
• Session passwords have a finite lifetime
– Client can also explicitly destroy a session password before it expires
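A check for the first concern above, added here rather than taken from the slides: on a shared host, a leftover JNLP file that carried U/P' is only as private as its mode bits. The scan below finds JNLP files readable by group or others and can clamp them to owner-only; the JNLP template, file names and the `--session-password` argument are constructed for the example, since the slides do not show how the portal embeds U/P' in the JNLP.

```python
"""Added check: find leftover JNLP files that are readable by other users.
Not code from the slides; the JNLP content and file names are constructed."""
import os
import stat
import tempfile
from pathlib import Path

GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH

# Constructed JNLP; the slides only say the JNLP carries U/P', not in what form.
JNLP_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://portal.example.org/maeviz/">
  <application-desc main-class="edu.example.Viz">
    <argument>--user={user}</argument>
    <argument>--session-password={pw}</argument>
  </application-desc>
</jnlp>
"""


def find_exposed_jnlp(directory: Path) -> list:
    """Return JNLP files under `directory` whose mode grants group/other read."""
    exposed = []
    for path in sorted(directory.rglob("*.jnlp")):
        if stat.S_IMODE(path.stat().st_mode) & GROUP_OR_OTHER_READ:
            exposed.append(path)
    return exposed


def lock_down(paths: list) -> int:
    """Clamp each file to owner read/write only; returns how many were changed."""
    for path in paths:
        os.chmod(path, 0o600)
    return len(paths)


def _write(path: Path, mode: int, body: str) -> None:
    # os.open's mode is still masked by the umask, so chmod afterwards.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed scenario: two leftover JNLP files, one left world-readable."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        _write(d / "maeviz-0644.jnlp", 0o644, JNLP_TEMPLATE.format(user="alice", pw="p1"))
        _write(d / "maeviz-0600.jnlp", 0o600, JNLP_TEMPLATE.format(user="alice", pw="p2"))
        before = [p.name for p in find_exposed_jnlp(d)]
        fixed = lock_down(find_exposed_jnlp(d))
        after = [p.name for p in find_exposed_jnlp(d)]
        return {"before": before, "fixed": fixed, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run it against a real download directory by calling `find_exposed_jnlp(Path.home() / "Downloads")`. Clamping the mode limits exposure but does not revoke anything; the session password in the file stays valid until it expires or the client destroys it, which is the second bullet’s point.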
Conclusion
• Enable SSO for legacy applications
• Client creates any number of “session passwords” for a username stored on a MyProxy server
• Session passwords are passed among clients/programs
• Clients need only understand username/password authentication
Acknowledgements
• National Center for Supercomputing Applications (NCSA)
– Funded by the NSF (National Science Foundation) under Grant No. SCI-0438712
• Mid-America Earthquake (MAE) Center
– Funded by the NSF (National Science Foundation) under Grant No. EEC-9701785
• Additional thanks to
– Jim Myers and Kevin Price, at NCSA