
Trusted Security With

&

About the Speaker

• Anil Saldhana – Lead Security Architect at JBoss.

Agenda

• Introduction
• Use Cases with PicketBox
• Use Cases with PicketLink
• Q & A

Introduction

• Assumptions
– You are running production apps on JBAS (JBoss AS).
– You are planning to use JBoss AS.
• Hobbies or professional grade projects.
– You need security for your applications.
• Use case based approach in this talk.

Use Case

• I need security for my Java application.

Questions

• Ask the following questions.
– If the application is an EE application, can I use the container security?
• Is role based access control sufficient?
• Integration with security stores – LDAP/DB.
– Do I need advanced security such as fine grained access control / context driven security?

Solutions

• Java EE container security
– Should be sufficient for the majority of cases.
– EE containers are better suited to security vulnerability patches and other threats.
– Servlet security via web.xml / annotations.
– EJB security via ejb-jar.xml / annotations.
– JCA security.
– JMS security.

PicketBox

• Foundational Java library
• Provides:
– Authentication.
– Authorization.
– Mapping (Principal, Credential, Role, Attribute).
– Audit.
• Usable in a Java environment.

PicketBox

• Central Concept: Security Domain
• A Security Domain encompasses
– Authentication: login modules
– Authorization: policy modules
– Audit: audit providers
– Mapping: mapping providers

PicketBox

• Security Domain in JBoss AS
– Central configuration: conf/login-config.xml
– Deployable at the application level: xxx-jboss-beans.xml

Deploy security domains at the app level for hot deployment and isolation.

app-jboss-beans.xml

<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <!-- principal assigned to callers that present no credentials -->
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <!-- user=password and user=role1,role2 files loaded from the classpath -->
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</deployment>
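To show how a web application is bound to a security domain like the one above, here is an added example (not from the slides) of container security declared in web.xml together with the jboss-web.xml that selects the web-test domain. The /secure/* URL space, the trader role, the login page names and the property-file contents are assumed values; the java:/jaas/ prefix is the JBoss AS 5 JNDI convention for security domains.

```xml
<!-- WEB-INF/web.xml (added example, not from the slides): container-managed security -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Trading pages</web-resource-name>
      <!-- assumed URL space; no <http-method> is listed on purpose, so that
           every HTTP verb is covered rather than only GET and POST -->
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- assumed role name; it must be granted by the login module's roles file -->
      <role-name>trader</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- require HTTPS so that FORM credentials are not sent in clear text -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>trader</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml: bind the web app to the "web-test" domain declared
     in app-jboss-beans.xml -->
<jboss-web>
  <security-domain>java:/jaas/web-test</security-domain>
</jboss-web>

<!-- Assumed contents of the files read by UsersRolesLoginModule:
     u.properties  ->  anil=pass
     r.properties  ->  anil=trader
-->
```

Two points worth checking when you wire this up: a security-constraint that lists specific http-method elements leaves every other verb unprotected, so list none unless you mean to; and the unauthenticatedIdentity option in the domain only gives credential-less callers the principal anonymous with no roles, so they still fail the auth-constraint, which is what you want for the protected URLs.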

PicketBox

• Application Security
– When you want to provide security to your applications.
– Annotations are provided for your POJOs:
• @Authentication
• @Authorization
• @Audit
• @Mapping

PicketBox : Authentication

import org.jboss.security.annotation.Authentication;
import org.jboss.security.annotation.Module;
import org.jboss.security.annotation.ModuleOption;
import org.jboss.security.auth.spi.UsersRolesLoginModule;

/** Pojo with the <code>Authentication</code> annotation */
@Authentication(modules = {@Module(code = UsersRolesLoginModule.class, options = {@ModuleOption})})
public class AuthenticationAnnotatedPOJO
{
}

PicketBox : Authentication

import static org.junit.Assert.*;

import java.security.Principal;
import javax.security.auth.Subject;
import org.jboss.security.PicketBoxProcessor;
import org.jboss.security.SimplePrincipal;
import org.junit.Test;

@Test
public void testAuthenticationAnnotation() throws Exception
{
   AuthenticationAnnotatedPOJO pojo = new AuthenticationAnnotatedPOJO();
   PicketBoxProcessor processor = new PicketBoxProcessor();
   // credentials to authenticate with; process() runs the login modules declared on the POJO
   processor.setSecurityInfo("anil", "pass");
   processor.process(pojo);

   Principal anil = new SimplePrincipal("anil");
   assertEquals("Principal == anil", anil, processor.getCallerPrincipal());

   Subject callerSubject = processor.getCallerSubject();
   assertNotNull("Subject is not null", callerSubject);
   assertTrue("Subject contains principal anil", callerSubject.getPrincipals().contains(anil));
}

More Information: http://community.jboss.org/wiki/PicketBoxOverview

PicketBox

• Integration with security stores
– Login modules for authentication:
• LdapLoginModule
• LdapExtLoginModule
• DatabaseLoginModule
• UsersRolesLoginModule

Use PicketBox provided login modules.

Use Case

• I need fine grained authorization or domain driven authorization
– Junior traders cannot make trades > 1M
– Web app is unavailable on Thu 1-3pm
• Most of these are rules based.

PicketBox XACML

• Standards based fine grained authorization
– XML rules based
– Rules can be written on a combination of the subject, resource, action and environment
• XACML engine available starting with JBoss AS 5.0
• Web/EJB XACML support available

Use XACML for fine grained authorization needs.
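As an added example (not from the slides), the rule "Junior traders cannot make trades > 1M" from the use case above written as an XACML 2.0 policy. The subject, action and resource attribute identifiers (role, action-id, trade-amount) and the policy id are assumed; the function and data-type URNs are the standard XACML 2.0 ones. The policy is written to be evaluated by a XACML engine such as the one PicketBox provides, but nothing in it is PicketBox-specific.

```xml
<!-- Added example, not from the slides: deny trades above 1,000,000 for the junior-trader role -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:trades"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">

  <!-- empty Target: the policy applies to every request handed to it -->
  <Target/>

  <Rule RuleId="deny-junior-large-trades" Effect="Deny">
    <!-- the Target selects the subject (role) and the action; the Condition adds the amount check -->
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">junior-trader</AttributeValue>
            <!-- assumed role attribute; the id follows the XACML RBAC profile -->
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">trade</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <!-- amount > 1,000,000; the trade-amount resource attribute is an assumed name supplied by the PEP -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-one-and-only">
          <ResourceAttributeDesignator AttributeId="urn:example:resource:trade-amount"
                                       DataType="http://www.w3.org/2001/XMLSchema#double"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">1000000</AttributeValue>
      </Apply>
    </Condition>
  </Rule>

  <!-- everything the deny rule does not catch is permitted; deny-overrides makes the
       deny rule win whenever both rules apply -->
  <Rule RuleId="permit-everything-else" Effect="Permit"/>
</Policy>
```

Two things to watch: if the PEP does not supply the trade-amount attribute, double-one-and-only raises an Indeterminate rather than a Deny, so the caller must treat Indeterminate (and NotApplicable) as a refusal; and the trailing Permit rule is a default-allow, so for a production policy prefer to drop it and permit only the cases you have explicitly modelled.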

Use Case

• I need Windows desktop SSO to my web applications. My Windows machines are governed by an Active Directory domain controller.

Negotiation

• JBossNegotiation provides Kerberos/SPNEGO based Desktop SSO.

Use JBossNegotiation for Kerberos based Desktop SSO.

Use Case

• I need Single Sign On

SSO/Federated Identity

• Within a single JBoss server for web apps -> Tomcat SingleSignOnValve
• Within a JBoss cluster -> JBoss ClusteredSingleSignOnValve
• Central identity source in the enterprise -> PicketLink
• Community integration -> PicketLink Social.

SSO/Federated Identity

• Levels of Assurance: NIST 800-63
– Level 1
• Little or no assurance in asserted identity
• OpenID or OAuth
– Level 2
• Some confidence
• Password based systems
• SAML assertion on password based systems
– Level 3
• High confidence in asserted identity
• Crypto, OTP etc.
– Level 4
• Very high confidence
• Smart cards, PKI etc.

SSO/Federated Identity

• Which identity management standard?
– Community type environment
• Low levels of assurance
• Choose OpenID or OAuth
– Enterprise type environment
• Need higher levels of assurance
• SAML assertions on password based mechanisms
• Hardware, crypto, smart cards etc.

Be aware of the level of assurance for SSO.

PicketLink

• Identity Model
– User/Role/Group modeling
• SAML based Web Browser SSO
– Central Identity Provider (IDP)
– Two or more Service Providers (SP)

PicketLink

• WS-Trust based Security Token Server (STS)
– Issues SAMLv2 tokens
– Integration with EJB3 and WS

PicketLink Social

• OpenID integration
• Facebook based login (coming soon)
• Twitter based login (coming soon)
• OAuth support (coming soon)

Q & A

Resources

• http://jboss.org/picketbox
• http://jboss.org/picketlink
• http://anil-identity.blogspot.com
• JBoss AS community documentation