Introduction
• Assumptions
  – You are running production apps on JBoss AS (JBAS).
  – You are planning to use JBoss AS.
    • Hobby or professional grade projects.
  – You need security for your applications.
• Use case based approach in this talk.
Questions
• Ask the following questions:
  – If the application is an EE application, can I use the container security?
    • Is role based access control sufficient?
    • Integration with security stores – LDAP/DB.
  – Do I need advanced security such as fine grained access control / context driven security?
Solutions
• Java EE container security
  – Should be sufficient for the majority of cases.
  – EE containers are better suited to security vulnerability patches and other threats.
  – Servlet security via web.xml / annotations.
  – EJB security via ejb-jar.xml / annotations.
  – JCA security.
  – JMS security.
PicketBox
• Foundational Java library
• Provides:
  – Authentication.
  – Authorization.
  – Mapping (Principal, Credential, Role, Attribute).
  – Audit.
• Usable in a Java environment.
PicketBox
• Central concept: Security Domain
• A Security Domain encompasses
  – Authentication: login modules
  – Authorization: policy modules
  – Audit: audit providers
  – Mapping: mapping providers
PicketBox
• Security Domain in JBoss AS
  – Central configuration:
    • conf/login-config.xml
  – Deployable at the application level:
    • xxx-jboss-beans.xml

app-jboss-beans.xml:

  <deployment xmlns="urn:jboss:bean-deployer:2.0">
    <application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
          <module-option name="usersProperties">u.properties</module-option>
          <module-option name="rolesProperties">r.properties</module-option>
        </login-module>
      </authentication>
    </application-policy>
  </deployment>
PicketBox
• Application Security
  – When you want to provide security to your applications.
  – Annotations are provided for your POJOs:
    • @Authentication
    • @Authorization
    • @Audit
    • @Mapping
PicketBox : Authentication

  import org.jboss.security.annotation.Authentication;
  import org.jboss.security.annotation.Module;
  import org.jboss.security.annotation.ModuleOption;
  import org.jboss.security.auth.spi.UsersRolesLoginModule;

  /**
   * POJO carrying the <code>Authentication</code> annotation.
   * The annotation declares the login modules that run when the object is
   * processed: here a single UsersRolesLoginModule (users and roles read
   * from properties files) with its default module options.
   */
  @Authentication(modules = {
      @Module(code = UsersRolesLoginModule.class, options = {@ModuleOption})
  })
  public class AuthenticationAnnotatedPOJO
  {
  }
PicketBox : Authentication

  import java.security.Principal;
  import javax.security.auth.Subject;
  import org.jboss.security.SimplePrincipal;
  import org.jboss.security.plugins.PicketBoxProcessor; // package assumed; check your PicketBox version
  import org.junit.Test;
  import static org.junit.Assert.*;

  @Test
  public void testAuthenticationAnnotation() throws Exception
  {
     AuthenticationAnnotatedPOJO pojo = new AuthenticationAnnotatedPOJO();
     PicketBoxProcessor processor = new PicketBoxProcessor();
     // Supply the caller's credentials, then process the annotated POJO:
     // this runs the login modules declared by @Authentication.
     processor.setSecurityInfo("anil", "pass");
     processor.process(pojo);
     // After a successful login the processor exposes the caller's Principal and Subject.
     Principal anil = new SimplePrincipal("anil");
     assertEquals("Principal == anil", anil, processor.getCallerPrincipal());
     Subject callerSubject = processor.getCallerSubject();
     assertNotNull("Subject is not null", callerSubject);
     assertTrue("Subject contains principal anil", callerSubject.getPrincipals().contains(anil));
  }
More Information: http://community.jboss.org/wiki/PicketBoxOverview
PicketBox
• Integration with security stores
  – Login modules for authentication:
    • LdapLoginModule
    • LdapExtLoginModule
    • DatabaseLoginModule
    • UsersRolesLoginModule
Use Case
• I need fine grained authorization or domain driven authorization
  – Junior traders cannot make trades > 1M
  – Web app is unavailable on Thu 1-3pm
• Most of these are rules based
PicketBox XACML
• Standards based fine grained authorization
  – XML rules based
  – Rules can be written on a combination of the subject, resource, action and environment
• XACML engine available starting JBoss AS 5.0
• Web/EJB XACML support available
Use Case
• I need Windows machine desktop SSO to my web applications. My Windows machines are governed by an Active Directory domain controller.
SSO/Federated Identity
• Within a single JBoss server for web apps -> Tomcat SingleSignOnValve
• Within a JBoss cluster -> JBoss ClusteredSingleSignOnValve
• Central identity source in the enterprise -> PicketLink
• Community integration -> PicketLink Social
SSO/Federated Identity
• Levels of Assurance: NIST 800-63
  – Level 1
    • Little or no assurance in the asserted identity
    • OpenID or OAuth
  – Level 2
    • Some confidence
    • Password based systems
    • SAML assertion on password based systems
  – Level 3
    • High confidence in the asserted identity
    • Crypto, OTP etc.
  – Level 4
    • Very high confidence
    • Smart cards, PKI etc.
SSO/Federated Identity
• Which identity management standard?
  – Community type environment
    • Low levels of assurance
    • Choose OpenID or OAuth
  – Enterprise type environment
    • Need higher levels of assurance
    • SAML assertions on password based mechanisms
    • Hardware, crypto, smart cards etc.
PicketLink
• Identity Model
  – User/Role/Group modeling
• SAML based Web Browser SSO
  – Central Identity Provider (IDP)
  – Two or more Service Providers (SP)
PicketLink
• WS-Trust based Security Token Server (STS)
  – Issues SAMLv2 tokens
  – Integration with EJB3 and WS
PicketLink Social
• OpenID integration
• Facebook based login (coming soon)
• Twitter based login (coming soon)
• OAuth support (coming soon)
Resources
• http://jboss.org/picketbox
• http://jboss.org/picketlink
• http://anil-identity.blogspot.com
• JBoss AS community documentation