JAAS Up Your J2EE Apps
Raymond K. Ng
Technical Lead - JAAS
Platform Security
Oracle Corporation
Securing J2EE Applications with Oracle Identity Management
Agenda
Application Security Overview
Authentication Requirements
Authorization Requirements
J2EE Security
JAAS
Oracle Strategy
Application Security
Security is a process, not a product or feature
– No 100% security
Only as secure as weakest link
– Go beyond firewall security
– Implement multi-layer security
Considerations
– Authentication
– Authorization
– Accountability/Audit
– Secure Transport
Oracle 10g Security Architecture (diagram; components shown): Browser; Oracle HTTP Server with mod_ossl and mod_osso; Oracle 10g Containers for J2EE (OC4J) with JAAS; Security Infrastructure Layer: Single Sign-On and Oracle Internet Directory
Authentication Requirements
Use The Appropriate Mechanism
Username and password
Client certificate
Smart Card
Biometrics
Single Sign-On (SSO)
Why SSO-enable your application?
– User Convenience
– Security
– Cost Reduction
Factors to consider
– Integration with infrastructure
– Extensible framework
Oracle 10g Single Sign-On
Centralized authentication for web applications
Multiple authentication options
– Username/password
– Client certificates
– 3rd party API (Biometrics, Smart Card, etc.)
Single Sign-Off
Multiple application types
Integrated across Oracle 10g
– OID, OC4J/JAAS, Portal, OHS, Wireless, Workflow, UM, Ultrasearch, Personalization, Reports, Forms, Discoverer…
Relevant Standards
HTTP
SSL/X.509
J2EE
JAAS
Java Authentication SPI
SAML
WS-Security
Plus emerging specifications
Authorization Requirements
Choose The Right Authorization Model
Roll Your Own (Application-specific)
– Maintenance
– Administrative Cost
– Inconsistent Authorization Policy => Insecurity
Understand The Relevant Standards
– J2EE Security
– Java 2 Security
– JAAS
– JACC
J2EE Security
J2EE Security
Design Principles
– Declarative security model
– Decouple security logic from application logic
Write once run anywhere (WORA)
– Leverage existing security infrastructure
J2EE Roles
– Application Provider
– Application Assembler
– Application Deployer
– System Administrator
J2EE Security: Authentication
Multiple Authentication Methods
– Basic, Form, SSL client certificate, etc.
Declarative Security
– Deployment descriptors: web.xml, ejb-jar.xml
JSR 196: Java Authentication SPI
– J2EE 1.5
– JAAS LoginModule integration
Missing
– Single Sign-On support
J2EE Security: Authorization
Protected Resources
– Web Resources: URL-patterns
– Enterprise Beans: Method permissions
“Role”-based Authorization
– Not “Role Based Access Control (RBAC)”
– Portability
JSR 115: Integration with Java2/JAAS
– Pluggable security (authorization) provider
– J2EE security constraints => Java2 permissions
JAAS: Java Authentication and Authorization Service
Java 2 Security
Key Components
– Security Policy defines authorization policy
– SecurityManager/AccessController is security monitor
Necessary if running any untrusted code in your JVM
Limitations
– Code-based security only
– No policy management API
– File-based implementation doesn’t scale
What is JAAS?
Principal-Based security
Authentication
– Pluggable Authentication Module (PAM) framework
Authorization
– Extension to Java2 Security Model
Optional Package to JDK 1.3
– JDK 1.4 Core API
J2EE 1.3 Requirement
– J2EE 1.4: JACC (JSR 115)
– J2EE 1.5: Java Authentication SPI (JSR 196)
Oracle 10g JAAS Provider
Oracle’s JAAS (Java Authentication and Authorization Services) Implementation, plus Extensions
Integrated with Oracle 10g SSO and OID
Default Security Provider for Oracle 10g Containers for J2EE
Oracle 10g JAAS Provider: User Manager (diagram; components shown): Oracle 10g Containers for J2EE uses the JAZNUserManager, which has two provider types: LDAP-based (OID repository) and XML-based (jazn-data.xml repository)
Oracle 10g JAAS Provider: Authentication
Oracle’s RealmLoginModule Integrated with OC4J Authentication
– Declarative model
– Integrated with J2EE security model
– Integrated with Realm framework for user communities
Support custom JAAS LoginModules
– Programmatic and declarative
– Integrated with J2EE security model
Option to Use Oracle 10g Single Sign-On (SSO)
Oracle 10g JAAS Provider: Authorization
JAAS Authorization
– Principal (i.e. user) and code-based policies
– Hierarchical, role-based access control (RBAC)
– Realm framework to support multiple user communities
Authorization Repository
– XML flat-file
– Oracle Internet Directory (OID)
3 methods of Management
– Oracle Enterprise Manager
– JAZN Admintool
– Programmatic API
Oracle 10g JAAS Provider: What’s New
Custom JAAS LoginModules
– Leverage any JAAS-compliant LoginModules
– Integration with J2EE security model
Performance & Scalability Enhancements
OC4J Integration
– Password hiding (data-sources.xml, oc4j-ra.xml)
Tool Integration
– JDeveloper / BC4J
Oracle 10g JAAS Provider: Future Directions
Support for 3rd party LDAP directories
– Default LoginModule certified against AD and SunONE
JACC Provider (JSR 115)
– Unified authorization model for managed components
Java Authentication SPI (JSR 196)
– Unified authentication model for managed components
Portlet Integration (JSR 168)
– J2EE/JAAS authorization model for portlets
Management & Deployment Enhancements
– JSR 77 & 88
XML Services Security
Web Services Security
JAAS Up Your J2EE Apps
JAAS Up Your J2EE Apps: Putting the Pieces Together
Define your security policy
– Enterprise policy: role hierarchy, user->role assignment, permission->role assignment
– Application-specific policy: authentication method, authorization constraints (“security-roles”)
Deploy your J2EE Application
– authentication method
– authorization constraints (“security-role-mappings”)
– RunAs identity
JAAS Up Your J2EE Apps: SSO-enabling your J2EE Apps
Specify static declarative constraints
– in web.xml or ejb-jar.xml
Deploy your J2EE applications
– specify JAZN-LDAP UserManager
– security-role mappings: OID realms, users and groups
Specify authentication method as SSO
– in orion-web.xml: <jazn-web-app auth-method="SSO" />
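An added example, not from the slides, of the OC4J-specific descriptor that carries the deployment-time half of the two slides above: it switches the application's authentication method to SSO and maps the logical J2EE role declared in web.xml to an OID group. The role and group names are constructed, and the security-role-mapping element is OC4J's orion-web.xml syntax as I recall it, so treat its exact form as an assumption and check it against the documentation of the release you deploy on.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the slides): orion-web.xml for an SSO-enabled OC4J web application. -->
<orion-web-app>
  <!-- Authentication is delegated to Oracle 10g Single Sign-On (mod_osso in front of OC4J)
       instead of the FORM/BASIC login configured in web.xml. -->
  <jazn-web-app auth-method="SSO" />

  <!-- Deployment-time mapping: the logical "admin" role from web.xml's <security-role>
       is granted to members of the constructed OID group "app_admins". Keeping this mapping
       here, rather than in application code, lets the deployer change it without a rebuild. -->
  <security-role-mapping name="admin">
    <group name="app_admins" />
  </security-role-mapping>
</orion-web-app>
```

With the JAZN-LDAP UserManager selected for the application, the group is resolved in the OID realm, so adding or removing a user from app_admins in DAS changes who can reach the protected URLs with no change to either descriptor.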
JAAS Up Your J2EE Apps: Custom LoginModule Integration
Develop, package & deploy your application as usual
Package & deploy your custom LoginModule
– As an independent JAR or as part of your application
Configure your application
– Set JAZN property “role.mapping.dynamic” to “true”
– Set application classpath as appropriate
– Set security role mapping as appropriate
Register your custom LoginModule
– Associate your custom LoginModule with your application
– JAZN Admintool: “-addloginmodule” option
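The slides describe JAAS authentication as a PAM-style pluggable framework and then walk through registering a custom LoginModule with the application. The following is an added example, written for this page and not taken from the slides or from Oracle's JAAS provider, of what such a module looks like: a LoginModule implementing the two-phase initialize, login, commit/abort lifecycle, a Principal it attaches to the Subject, and a programmatic Configuration standing in for the jaas.config entry (or, on OC4J, the -addloginmodule registration) so that the whole thing runs stand-alone. The user store, the credentials, the "DemoApp" configuration name and the class names are all constructed; a production module would check the credentials against OID/LDAP or another identity store instead of a map.

```java
// Added example, not code from the slides or Oracle's JAAS provider: a minimal custom LoginModule
// plus a programmatic Configuration, so LoginContext drives the initialize -> login -> commit/abort
// lifecycle stand-alone (no jaas.config file needed). All names and credentials are constructed.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {
    /** Principal attached to the Subject on commit(); authorization policy would key off it. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Constructed LoginModule checking an in-memory store; a real one would consult OID/LDAP. */
    public static final class DemoLoginModule implements LoginModule {
        // Constructed credential store: user -> SHA-256(password); no plaintext lives in the module.
        private static final Map<String, byte[]> USERS = new HashMap<>();
        static { USERS.put("alice", sha256("correct-horse".toCharArray())); }
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean loginOk;
        private UserPrincipal principal;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        /** Phase 1: obtain credentials through the CallbackHandler and verify them. */
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] pw = pc.getPassword();   // a copy; both copies are wiped after the comparison
            pc.clearPassword();
            byte[] expected = USERS.get(nc.getName());
            // MessageDigest.isEqual is constant-time; an unknown user takes the same path as a bad password.
            boolean ok = expected != null && pw != null && MessageDigest.isEqual(expected, sha256(pw));
            if (pw != null) Arrays.fill(pw, '\0');
            if (!ok) throw new FailedLoginException("invalid user or password");
            user = nc.getName();
            loginOk = true;
            return true;
        }

        /** Phase 2: the Principal is added only after every required module passed login(). */
        @Override public boolean commit() {
            if (!loginOk) return false;
            subject.getPrincipals().add(principal = new UserPrincipal(user));
            return true;
        }
        @Override public boolean abort() { loginOk = false; user = null; return true; }
        @Override public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            loginOk = false;
            return true;
        }
    }

    static byte[] sha256(char[] chars) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(new String(chars).getBytes(StandardCharsets.UTF_8));
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Programmatic equivalent of a jaas.config entry: DemoApp { JaasDemo$DemoLoginModule required; }; */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"DemoApp".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>()) };
        }
    };

    /** Runs a full login for the given credentials; returns the authenticated Subject or throws. */
    public static Subject authenticate(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("DemoApp", new Subject(), handler, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        System.out.println(authenticate("alice", "correct-horse".toCharArray()).getPrincipals());
    }
}
```

Compile and run it with javac JaasDemo.java && java JaasDemo; a wrong password makes authenticate throw the FailedLoginException raised in login(), and LoginContext then calls abort() so no Principal is ever attached. Two points carry over to a container deployment: the module never talks to the user directly but only through the CallbackHandler the container supplies, which is what lets the same module serve form, basic or SSO front ends, and commit() is where the Subject gains the identity that the container's role mapping (role.mapping.dynamic on OC4J) later turns into J2EE roles.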
JAAS Up Your J2EE Apps: Tips & Tricks
JAZN-LDAP
– User/group management delegated to DAS
– grant RMIPermission to user accessing EJBs
JAZN-LDAP Cache
– Tuning parameters: “ldap.cache.*”
Identity Management Realm
– SSO integration
External Synchronization
– Performance vs. Ease-of-development
Public Group
– Authentication only
Oracle Strategy
Distributed Systems Security Reference Architecture (diagram; components shown): Users; Application; Application Security Services: Audit, Authentication, Privacy, Authorization; Protected Resources; Policy Decision Services; Identity & Policy Store; Identity & Profile Assertion Services; Administration & Provisioning; Identity Management Infrastructure
Oracle 10g Security Solution
Oracle Identity Management Infrastructure for the enterprise
Platform security enabled by Oracle Identity Management
Platform components with high security assurance
Oracle Security Architecture (diagram; components shown):
Applications: Oracle E-Business Suite (Responsibilities, Roles…); Oracle Collaboration Suite (Secure Mail, Interpersonal Rights…); OracleAS Portal & Wireless (Roles, Privilege Groups…)
Application Component Security: OracleAS 10g (JAAS, WS Security, Java2 Permissions…); Oracle 10g Database (Enterprise users, VPD, Encryption, Label Security)
Oracle 10g Platform Security Bindings
External Security Services
Oracle Identity Management / Enterprise Security Infrastructure: Access Management, Directory Services, Provisioning Services, OracleAS Certificate Authority, Delegated Administration Services, OracleAS Single Sign-on, Directory Integration & Provisioning, Oracle Internet Directory
Oracle Identity Management Benefits
Enables deployment of all Oracle products out of the box
– AS, DB, OCS, eBiz
An enterprise infrastructure that leverages Oracle’s “unbreakable” technology
– Reliability, scalability, security, performance
A single point of integration for customer’s existing identity management solutions
– Transparent 3rd party integration for OIM enabled products
Accommodates wide variety of partner solutions and customer deployments
– Open, standards-based infrastructure enables integration
What’s Next
Implementing Identity Management at Lawrence Livermore National Labs
– ID: 40287
– Presenter: Tony Macedo, Computer Scientist, LLNL
– Date: Thursday, 9/11
– Time: 3:15 - 4:15
– Location: Moscone Center room 120
QUESTIONS & ANSWERS
Raymond K. Ng
Technical Lead - JAAS
Platform Security
Oracle Corporation