Trusted Security With &

About the Speaker

• Anil Saldhana – Lead Security Architect at JBoss.

Agenda
• Introduction
• Use Cases with PicketBox
• Use Cases with PicketLink
• Q&A

Introduction
• Assumptions
  – You are running production apps on JBoss AS (JBAS), or you are planning to use JBoss AS.
    • Hobby or professional grade projects.
  – You need security for your applications.
• This talk takes a use case based approach.

Use Case
• I need security for my Java application.

Questions
• Ask the following questions.
  – If the application is an EE application, can I use the container security?
    • Is role based access control sufficient?
    • Integration with security stores – LDAP/DB.
  – Do I need advanced security such as fine grained access control or context driven security?

Solutions
• Java EE container security
  – Should be sufficient for the majority of cases.
  – EE containers are better suited to receiving security vulnerability patches and handling other threats.
  – Servlet security via web.xml / annotations.
  – EJB security via ejb-jar.xml / annotations.
  – JCA security.
  – JMS security.

PicketBox
• Foundational Java library
• Provides:
  – Authentication.
  – Authorization.
  – Mapping (Principal, Credential, Role, Attribute).
  – Audit.
• Usable in a Java environment.

PicketBox
• Central concept: Security Domain
• A Security Domain encompasses
  – Authentication: login modules
  – Authorization: policy modules
  – Audit: audit providers
  – Mapping: mapping providers

PicketBox
• Security Domain in JBoss AS
  – Central configuration:
    • conf/login-config.xml
  – Deployable at the application level:
    • xxx-jboss-beans.xml

Deploy security domains at the app level for hot deployment and isolation

(Slide shows an example app-jboss-beans.xml defining the "anonymous" security domain backed by u.properties and r.properties.)
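As an added illustration (not a slide from the deck), a minimal app-jboss-beans.xml that deploys the "anonymous" security domain together with the application, using UsersRolesLoginModule with the u.properties and r.properties files named on the slide. The namespaces assume the JBoss AS 5.x security-beans schema; check them against the AS version you run.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the deck. Package it with the application (for example
     META-INF/app-jboss-beans.xml) so the domain is hot-deployed and isolated with it.
     Namespaces assume the JBoss AS 5.x security-beans schema. -->
<deployment xmlns="urn:jboss:bean-deployer:2.0">

  <!-- Security domain "anonymous": authentication backed by properties files -->
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="anonymous">
    <authentication>
      <!-- flag="required": this module must succeed for the login to succeed -->
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- u.properties holds user=password lines, r.properties holds
             user=role1,role2 lines; both are loaded from the application classpath -->
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
        <!-- Keep hashed rather than clear-text passwords in u.properties -->
        <module-option name="hashAlgorithm">SHA-256</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>

</deployment>
```

A web application then selects this domain from its jboss-web.xml with `<security-domain>java:/jaas/anonymous</security-domain>`.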

PicketBox
• Application Security
  – When you want to provide security to your applications.
  – Annotations are provided for your POJOs:
    • @Authentication
    • @Authorization
    • @Audit
    • @Mapping

PicketBox : Authentication

  import org.jboss.security.annotation.Authentication;
  import org.jboss.security.annotation.Module;
  import org.jboss.security.annotation.ModuleOption;
  import org.jboss.security.auth.spi.UsersRolesLoginModule;

  /** POJO with the Authentication annotation: authenticate callers with
      the properties-file based UsersRolesLoginModule */
  @Authentication(modules = {
      @Module(code = UsersRolesLoginModule.class, options = { @ModuleOption })
  })
  public class AuthenticationAnnotatedPOJO {
  }

PicketBox : Authentication

  import static org.junit.Assert.assertEquals;
  import static org.junit.Assert.assertNotNull;
  import static org.junit.Assert.assertTrue;

  import java.security.Principal;
  import javax.security.auth.Subject;

  import org.jboss.security.SimplePrincipal;
  import org.junit.Test;
  // The package of PicketBoxProcessor is assumed here; check it against your PicketBox version.
  import org.picketbox.plugins.PicketBoxProcessor;

  public class AuthenticationAnnotationTest {

      @Test
      public void testAuthenticationAnnotation() throws Exception {
          AuthenticationAnnotatedPOJO pojo = new AuthenticationAnnotatedPOJO();
          PicketBoxProcessor processor = new PicketBoxProcessor();
          // Caller credentials that the configured login module will verify
          processor.setSecurityInfo("anil", "pass");
          // Run the annotated POJO through PicketBox: this performs the authentication
          processor.process(pojo);

          Principal anil = new SimplePrincipal("anil");
          assertEquals("Principal == anil", anil, processor.getCallerPrincipal());
          Subject callerSubject = processor.getCallerSubject();
          assertNotNull("Subject is not null", callerSubject);
          assertTrue("Subject contains principal anil",
                     callerSubject.getPrincipals().contains(anil));
      }
  }

More Information: http://community.jboss.org/wiki/PicketBoxOverview

PicketBox
• Integration with security stores
  – Login modules for authentication:
    • LdapLoginModule
    • LdapExtLoginModule
    • DatabaseLoginModule
    • UsersRolesLoginModule

Use PicketBox provided login modules

Use Case
• I need fine grained authorization or domain driven authorization
  – Junior Traders cannot make trades > 1M
  – Web App is unavailable on Thu 1-3pm
• Most of these are rules based

PicketBox XACML
• Standards based fine grained authorization
  – XML rules based
  – Rules can be written on a combination of the subject, resource, action and environment
• XACML engine available starting with JBoss AS 5.0
• Web/EJB XACML support available

Use XACML for fine grained authorization needs

Use Case
• I need Windows desktop SSO to my web applications. My Windows machines are governed by an Active Directory domain controller.

Negotiation
• JBossNegotiation provides Kerberos/SPNEGO based desktop SSO.

Use JBossNegotiation for Kerberos based Desktop SSO

Use Case
• I need Single Sign On

SSO/Federated Identity
• Within a single JBoss server for web apps -> Tomcat SingleSignOnValve
• Within a JBoss cluster -> JBoss ClusteredSingleSignOnValve
• Central identity source in the enterprise -> PicketLink
• Community integration -> PicketLink Social

SSO/Federated Identity
• Levels of Assurance: NIST 800-63
  – Level 1
    • Little or no assurance in the asserted identity
    • OpenID or OAuth
  – Level 2
    • Some confidence
    • Password based systems
    • SAML assertion on password based systems

SSO/Federated Identity
• Levels of Assurance: NIST 800-63
  – Level 3
    • High confidence in the asserted identity
    • Crypto, OTP etc.
  – Level 4
    • Very high confidence
    • Smart cards, PKI etc.

SSO/Federated Identity
• Which Identity Management standard?
  – Community type environment
    • Low levels of assurance
    • Choose OpenID or OAuth
  – Enterprise type environment
    • Need higher levels of assurance
    • SAML assertions on password based mechanisms
    • Hardware, crypto, smart cards etc.

Be aware of the level of assurance for SSO

PicketLink
• Identity Model
  – User/Role/Group modeling
• SAML based Web Browser SSO
  – Central Identity Provider (IDP)
  – Two or more Service Providers (SP)

PicketLink
• WS-Trust based Security Token Service (STS)
  – Issues SAMLv2 tokens
  – Integration with EJB3 and WS

PicketLink Social
• OpenID integration
• Facebook based login (coming soon)
• Twitter based login (coming soon)
• OAuth support (coming soon)

Q&A

Resources
• http://jboss.org/picketbox
• http://jboss.org/picketlink
• http://anil-identity.blogspot.com
• JBoss AS community documentation