How I Built an Access Management System Using
Apache Directory Fortress
Shawn McKinney
Nov 18, 2016
ApacheCon EU, Seville
Session Objectives
Learn about some access management specifications
Take an unflinching look at an open source project named Apache Directory Fortress
Introductions
Shawn McKinney
• Software Architect
• PMC Apache Directory Project
• Engineering Team
Agenda
We’ve got options:
1. What it does (specs & requirements)
2. How it works (design)
3. How it’s built (implementation)
4. What can it do (demos)
Pick any three
Demo Menu
1. Learn about some
   – Basic integration - RBAC0 (wicket-sample)
   – Intermediate - RBAC1 (role-engineering-sample)
   – Advanced - RBAC2 & 3 (apache-fortress-demo)
2. Testing on
   – Fortress Web (manual or selenium)
   – Fortress Rest (junit)
   – Fortress Console (ad-hoc)
   – Fortress Command Line Interface (sys-admin stuff)
3. Have fun with
   – Multi-tenancy & / or Benchmarking (setting up, running, verifying)
Cut to the Chase
The recipe for any successful technology project:
Mix well:
• Well defined set of functional specifications
• Understanding of the non-functional requirements
• Usage of common platform elements
• Practice accepted development methodologies
Specs & Requirements
What do we Build?
Image from: http://www.cockpitseeker.com/aircraft/
System Requirements
• Policy Enforcement APIs – Works on multiple platforms
• Authentication – Works within various protocols, e.g. SAML, OpenID Connect
• Authorization – Fine-grained and standards-based
• Audit Trail – Centralized and queryable
• Administration – Manage policy lifecycle
• Service-based SLA – Security, performance, and reliability
Why Use Functional Specifications?
• Don’t have to (repeatedly) explain yourself.
• Saves the trouble (and risk) of deciding what.
• Instead focus on how.
• Satisfies requirements you didn’t know about (yet).
Which Functional Specifications
• Protocols Must Be Standards-Based:
– Role-Based Access Control - ANSI INCITS 359
– Attribute-Based Access Control (ABAC)
– IETF Password Policies (Draft)
– ARBAC02 Delegated Administration Model
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) – ANSI INCITS 359
• RBAC0 – Users, Roles, Perms, Sessions
• RBAC1 – Hierarchical Roles
• RBAC2 – Static Separation of Duties (SSD)
• RBAC3 – Dynamic Separation of Duties (DSD)
http://csrc.nist.gov/groups/SNS/rbac/
Static Separation of Duty Use Case
Set Name     Role Name   Type     Cardinality
Activities   Football    Static   3 (at most two)
             Band
             Debate
Dynamic Separation of Duty Use Case
Set Name     Role Name   Type      Cardinality
Sat Nite     Date        Dynamic   2 (at most one)
             Camping
             Game
Other SoD Use Cases
Many possibilities apply to financial, government, health care, education and business use cases.
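The two use cases above, worked as code. This is an added illustration, not Apache Fortress code: an SSD set is checked by the administrative interface at assignment time and a DSD set by the system interface at role activation time, and in INCITS 359 a set with cardinality n is violated when a user (SSD) or a session (DSD) holds n of its roles, so cardinality 3 means "at most two" and cardinality 2 means "at most one". User and role names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class SDSet:
    name: str
    members: FrozenSet[str]
    cardinality: int  # violated when this many members are held together


@dataclass
class Session:
    user_id: str
    active_roles: Set[str] = field(default_factory=set)


class SoDPolicy:
    """Just enough RBAC state to enforce SSD (RBAC2) and DSD (RBAC3)."""

    def __init__(self, ssd: List[SDSet], dsd: List[SDSet]) -> None:
        self.ssd = ssd
        self.dsd = dsd
        self.assignments: Dict[str, Set[str]] = {}  # userId -> assigned roles

    @staticmethod
    def _violates(held: Set[str], proposed: str, sd_set: SDSet) -> bool:
        if proposed not in sd_set.members:
            return False
        overlap = (held & sd_set.members) | {proposed}
        return len(overlap) >= sd_set.cardinality

    # Administrative interface: SSD is enforced when a role is assigned.
    def assign_user(self, user_id: str, role: str) -> None:
        held = self.assignments.setdefault(user_id, set())
        for sd in self.ssd:
            if self._violates(held, role, sd):
                raise ValueError(f"SSD violation: {user_id} would hold "
                                 f"{sd.cardinality} roles from set '{sd.name}'")
        held.add(role)

    # System interface: DSD is enforced when a role is activated in a session.
    def create_session(self, user_id: str) -> Session:
        return Session(user_id=user_id)

    def add_active_role(self, session: Session, role: str) -> None:
        if role not in self.assignments.get(session.user_id, set()):
            raise PermissionError(f"{role} is not assigned to {session.user_id}")
        for sd in self.dsd:
            if self._violates(session.active_roles, role, sd):
                raise ValueError(f"DSD violation: session for {session.user_id} "
                                 f"would activate {sd.cardinality} roles from set '{sd.name}'")
        session.active_roles.add(role)


def build_policy() -> SoDPolicy:
    """The two sets from the slides: Activities (static, 3) and Sat Nite (dynamic, 2)."""
    activities = SDSet("Activities", frozenset({"Football", "Band", "Debate"}), 3)
    sat_nite = SDSet("Sat Nite", frozenset({"Date", "Camping", "Game"}), 2)
    return SoDPolicy(ssd=[activities], dsd=[sat_nite])


def demo() -> Dict[str, object]:
    """Run both use cases for a constructed user and report what was refused."""
    policy = build_policy()
    result: Dict[str, object] = {"ssd_refused": None, "dsd_refused": None}
    # Static: two activities are fine, the third is refused at assignment time.
    policy.assign_user("alice", "Football")
    policy.assign_user("alice", "Band")
    try:
        policy.assign_user("alice", "Debate")
    except ValueError as exc:
        result["ssd_refused"] = str(exc)
    # Dynamic: all three Saturday-night roles may be assigned ...
    for role in ("Date", "Camping", "Game"):
        policy.assign_user("alice", role)
    # ... but one session may only activate one of them.
    session = policy.create_session("alice")
    policy.add_active_role(session, "Game")
    try:
        policy.add_active_role(session, "Camping")
    except ValueError as exc:
        result["dsd_refused"] = str(exc)
    result["assigned"] = sorted(policy.assignments["alice"])
    result["active"] = sorted(session.active_roles)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```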
RBAC Functional Model
Z-notation
ANSI RBAC Functional Model
Three standard interfaces:
1. Administrative – CRUD
2. Review – policy interrogation
3. System – policy enforcement
Admin RBAC
public interface AdminMgr {
    User addUser( User user );
    void deleteUser( User user );
    Role addRole( Role role );
    void deleteRole( Role role );
    void assignUser( UserRole uRole );
    void deassignUser( UserRole uRole );
    Permission addPermission( Permission perm );
    void deletePermission( Permission perm );
    void grantPermission( Permission perm, Role role );
    void addAscendant( Role childRole, Role parentRole );
    void addDescendant( Role parentRole, Role childRole );
    void addDsdRoleMember( SDSet dsdSet, Role role );
    void addInheritance( Role parentRole, Role childRole );
    …
Link to AdminMgr javadoc
Link to INCITS 359 spec
Fortress Admin APIs map to the INCITS 359 specs
http://git-wip-us.apache.org/repos/asf/directory-fortress-core.git
Review RBAC
public interface ReviewMgr {
    Permission readPermission( Permission permission );
    List<Permission> findPermissions( Permission permission );
    User readUser( User user );
    List<User> findUsers( OrgUnit ou );
    List<User> assignedUsers( Role role );
    Set<String> authorizedRoles( User user );
    List<Permission> rolePermissions( Role role );
    List<Permission> userPermissions( User user );
    Set<String> authorizedPermissionUsers( Permission perm );
    SDSet dsdRoleSet( SDSet set );
    Set<String> dsdRoleSetRoles( SDSet dsd );
    List<SDSet> dsdRoleSets( Role role );
    SDSet ssdRoleSet( SDSet set );
    Set<String> ssdRoleSetRoles( SDSet ssd );
    List<SDSet> ssdRoleSets( Role role );
    List<Role> findRoles( String searchVal );
    …
Link to ReviewMgr javadoc
Link to INCITS 359 spec
Fortress Review APIs map to the INCITS 359 specs
http://git-wip-us.apache.org/repos/asf/directory-fortress-core.git
System RBAC
public interface AccessMgr {
    Session createSession( User user, boolean isTrusted );
    List<Permission> sessionPermissions( Session session );
    Set<String> authorizedRoles( Session session );
    void addActiveRole( Session session, UserRole role );
    void dropActiveRole( Session session, UserRole role );
    User getUser( Session session );
    boolean checkAccess( Session session, Permission perm );
}
Link to AccessMgr javadoc
Link to INCITS 359 spec
Fortress AccessMgr APIs map to the INCITS 359 specs
http://git-wip-us.apache.org/repos/asf/directory-fortress-core.git
Administration Requirements
• Decentralize and distribute administrative capabilities widely
• Tight restrictions on administrators
• RBAC system to control the RBAC system
Admin Role-Based Access Control (ARBAC)
• Use ARBAC02 Model for administrative delegation
• Object Model (Data):
  – AdminRoles, AdminPerms, User Orgs, Perm Orgs
• Functional Model (APIs):
  – Delegated Administration
  – Delegated Review
  – Delegated System Mgr
http://profsandhu.com/journals/tissec/p113-oh.pdf
Password Policies
1. A configurable limit on failed authentication attempts.
2. A counter to track the number of failed authentication attempts.
3. A time frame within which consecutive failed authentication attempts count toward the limit.
4. The action to be taken when the limit is reached.
5. An amount of time the account is locked (if it is to be locked).
6. Password expiration.
7. Expiration warning.
8. Grace authentications.
9. Password history.
10. Password minimum age.
11. Password minimum length.
12. Password change after reset.
13. Safe modification of password.
https://tools.ietf.org/html/draft-behera-ldap-password-policy-10
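Items 1 to 5 of the list above, modelled as code. This is an added illustration, not the OpenLDAP ppolicy overlay or Fortress code; it uses the draft's attribute names (pwdMaxFailure, pwdFailureCountInterval, pwdLockout, pwdLockoutDuration, pwdFailureTime, pwdAccountLockedTime) with plain epoch-second timestamps, and the assumption that the failure counter restarts when a timed lock expires.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Lockout-related attributes of draft-behera-ldap-password-policy."""
    pwdMaxFailure: int            # 1. consecutive failures allowed (0 = no limit)
    pwdFailureCountInterval: int  # 3. seconds a failure stays counted (0 = until success/reset)
    pwdLockout: bool              # 4. action at the limit: lock the account
    pwdLockoutDuration: int       # 5. seconds the lock lasts (0 = until an administrator resets)


@dataclass
class AccountState:
    """Operational attributes the server keeps on the user entry."""
    pwdFailureTime: List[int] = field(default_factory=list)  # 2. the counter, as timestamps
    pwdAccountLockedTime: Optional[int] = None


def _purge_stale_failures(policy: PasswordPolicy, state: AccountState, now: int) -> None:
    """Failures older than pwdFailureCountInterval no longer count toward the limit."""
    if policy.pwdFailureCountInterval > 0:
        cutoff = now - policy.pwdFailureCountInterval
        state.pwdFailureTime = [t for t in state.pwdFailureTime if t > cutoff]


def is_locked(policy: PasswordPolicy, state: AccountState, now: int) -> bool:
    """Report the lock and clear it once pwdLockoutDuration has elapsed."""
    if state.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True  # permanent until an administrator intervenes
    if now - state.pwdAccountLockedTime >= policy.pwdLockoutDuration:
        state.pwdAccountLockedTime = None
        state.pwdFailureTime.clear()  # assumption of this model: expiry restarts the count
        return False
    return True


def authenticate(policy: PasswordPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Return 'locked', 'ok' or 'failed', updating the entry as a directory server would."""
    if is_locked(policy, state, now):
        return "locked"  # even a correct password is refused while locked
    if password_ok:
        state.pwdFailureTime.clear()  # success resets the counter
        return "ok"
    _purge_stale_failures(policy, state, now)
    state.pwdFailureTime.append(now)
    if (policy.pwdLockout and policy.pwdMaxFailure
            and len(state.pwdFailureTime) >= policy.pwdMaxFailure):
        state.pwdAccountLockedTime = now
        return "locked"
    return "failed"


# Constructed policy: 3 failures inside 60 s lock the account for 300 s.
POLICY = PasswordPolicy(pwdMaxFailure=3, pwdFailureCountInterval=60,
                        pwdLockout=True, pwdLockoutDuration=300)


def demo_lockout() -> List[str]:
    """Three bad passwords within 60 s lock the account; it reopens after 300 s."""
    state = AccountState()
    attempts = [(0, False), (10, False), (20, False), (30, True), (330, True)]
    return [authenticate(POLICY, state, now, ok) for now, ok in attempts]


def demo_interval() -> List[str]:
    """Bad passwords spaced more than 60 s apart never accumulate to the limit."""
    state = AccountState()
    return [authenticate(POLICY, state, now, False) for now in (0, 100, 200, 300)]


if __name__ == "__main__":
    print(demo_lockout())   # ['failed', 'failed', 'locked', 'locked', 'ok']
    print(demo_interval())  # ['failed', 'failed', 'failed', 'failed']
```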
Other Requirements
• Audit Trail
• Lockout Procedures based on Time & Date
Temporal Constraints
• Time of Day
• Day of Week
• Begin and End Date
• Lockout Periods
Applies to User and Role activations
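The four constraint kinds above, applied first to the user and then to each role being activated. This is an added illustration, not Apache Fortress code; the field layout (HHMM times, YYYYMMDD dates, a day mask whose digits run 1=Sunday to 7=Saturday) and the user and role names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Constraint:
    """Assumed layout: HHMM times, YYYYMMDD dates, day mask digits 1=Sunday .. 7=Saturday."""
    name: str
    begin_time: str = "0000"
    end_time: str = "2359"
    day_mask: str = "1234567"
    begin_date: Optional[str] = None
    end_date: Optional[str] = None
    begin_lock_date: Optional[str] = None  # lockout period: activation denied inside it
    end_lock_date: Optional[str] = None


def validate(c: Constraint, when: datetime) -> Optional[str]:
    """None if activation is allowed at 'when', otherwise the reason it is denied."""
    hhmm = when.strftime("%H%M")
    ymd = when.strftime("%Y%m%d")
    day = str(when.isoweekday() % 7 + 1)  # Monday=1..Sunday=7 -> Sunday=1..Saturday=7
    if not c.begin_time <= hhmm <= c.end_time:
        return f"{c.name}: outside time-of-day window {c.begin_time}-{c.end_time}"
    if day not in c.day_mask:
        return f"{c.name}: not permitted on day {day} of the week"
    if c.begin_date and ymd < c.begin_date:
        return f"{c.name}: before begin date {c.begin_date}"
    if c.end_date and ymd > c.end_date:
        return f"{c.name}: after end date {c.end_date}"
    if c.begin_lock_date and c.end_lock_date and c.begin_lock_date <= ymd <= c.end_lock_date:
        return f"{c.name}: inside lockout period"
    return None


def activate(user: Constraint, roles: List[Constraint], when: datetime) -> Dict[str, object]:
    """The user's constraint gates the session; each role's constraint gates its activation."""
    reason = validate(user, when)
    if reason:
        return {"active": [], "denied": {user.name: reason}}
    active: List[str] = []
    denied: Dict[str, str] = {}
    for role in roles:
        why = validate(role, when)
        if why:
            denied[role.name] = why
        else:
            active.append(role.name)
    return {"active": active, "denied": denied}


# Constructed sample policy: the user is valid for 2016-2017; roles carry their own windows.
ALICE = Constraint("alice", begin_date="20160101", end_date="20171231")
ROLES = [
    Constraint("Trader", begin_time="0900", end_time="1700", day_mask="23456"),  # weekday office hours
    Constraint("OnCall", begin_lock_date="20161121", end_lock_date="20161127"),   # locked out that week
    Constraint("Intern", end_date="20161031"),                                    # already expired
]


def demo() -> Dict[str, Dict[str, object]]:
    """Same policy evaluated at three moments: Friday morning, Saturday morning, Friday evening."""
    return {
        "fri_am": activate(ALICE, ROLES, datetime(2016, 11, 18, 10, 30)),
        "sat_am": activate(ALICE, ROLES, datetime(2016, 11, 19, 10, 30)),
        "fri_pm": activate(ALICE, ROLES, datetime(2016, 11, 18, 18, 0)),
    }


if __name__ == "__main__":
    for moment, outcome in demo().items():
        print(moment, outcome)
```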
Non-Functional Requirements
• Fault Tolerant
• Highly Available
• Multitenant
• Highly Performant
(Diagram: Business Requirements, User Requirements, System Requirements)
Design
How do we Build?
Image from: http://flaviendachet.blogspot.com/2011/11/lockheed-sr-71-cutaways.html
Design Considerations
• Many problems to solve:
  – Graphing, caching, configuration, persistence, logging, multitenancy, session storage, replication and performance.
  – Not to mention testing, packaging, documentation and integration.
  – But, Strive to Keep It Simple Stupid (KISS).
  – Reuse, don’t reinvent.
Image from: http://wfps.k12.mt.us/teachers/carmichaelg/homework.htm
Data Persistence
• Choose between Database or LDAP for Physical Model
• Need Java framework for data access operations (DAO)
LDAP Persistence
Satisfies the SLAs:
• OpenLDAP
  – Reads/Search/Bind > 75K/second
  – Update/Delete > 10K/second
  – Replication/Highly-Available
  – Audit Trail
  – Runs on most platforms
  – Commercial support options available
Java LDAP SDK Options
• JNDI – many problems
• Netscape / Mozilla LDAP API - obsolete
• UnboundID Java LDAP API – license concerns
• Apache LDAP API – just right
Data Structures
RBAC1 Limited Role Hierarchy
• Single Inheritance
• Less flexible (not useful)
• Maps onto the LDAP physical hierarchical data model just fine
Data Structures
RBAC1 General Role Hierarchy
• Multiple Inheritance
• More flexible (very usable)
• A graph doesn’t map onto the LDAP physical model
Can’t do this with LDAP
Graph Stored Flat in the Tree
1. Roles all at same depth
2. Use a multi-occurring parent attribute
Use Simple Directed Graph
• http://jgrapht.org/
• A simple directed graph is a directed graph in which neither multiple edges between any two vertices nor loops are permitted.
• http://jgrapht.org/javadoc/org/jgrapht/graph/SimpleDirectedGraph.html
Image from: https://code.google.com/p/fluentdot/wiki/DemoSimpleDirectedGraph
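The two preceding slides together, as an added illustration (not Apache Fortress or JGraphT code): role entries all sit at the same depth with a multi-valued `parents` attribute, the graph is rebuilt in memory as a simple directed graph (no loops, no duplicate edges, no cycles), and RBAC1 authorized roles are derived from it. The attribute name, the entries and the role names are constructed; orientation follows INCITS 359, where a parent (ascendant) role inherits the permissions of its child (descendant).

```python
from collections import deque
from typing import Dict, Set

# Constructed LDIF: every role entry sits directly under ou=Roles (same depth) and the
# multi-valued 'parents' attribute names the roles that inherit this one's permissions.
CONSTRUCTED_LDIF = """\
dn: cn=Employee,ou=Roles,dc=example,dc=com
parents: Engineer
parents: Accountant

dn: cn=Engineer,ou=Roles,dc=example,dc=com
parents: TeamLead

dn: cn=Accountant,ou=Roles,dc=example,dc=com
parents: Controller

dn: cn=TeamLead,ou=Roles,dc=example,dc=com
parents: CTO

dn: cn=Controller,ou=Roles,dc=example,dc=com
parents: CTO

dn: cn=CTO,ou=Roles,dc=example,dc=com
"""


def parse_flat_roles(ldif: str) -> Dict[str, Set[str]]:
    """Return {role: set(parents)} from the minimal LDIF above (no folding or base64)."""
    roles: Dict[str, Set[str]] = {}
    current = None
    for line in ldif.splitlines():
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = value.split(",")[0][len("cn="):]
            roles.setdefault(current, set())
        elif attr == "parents" and current is not None:
            roles[current].add(value)
    return roles


class RoleGraph:
    """Simple directed graph, edge child -> parent: no loops, no duplicate edges, no cycles."""

    def __init__(self, roles: Dict[str, Set[str]]) -> None:
        self.parents: Dict[str, Set[str]] = {r: set() for r in roles}
        self.children: Dict[str, Set[str]] = {r: set() for r in roles}
        for child, parents in roles.items():
            for parent in parents:
                self.add_inheritance(parent, child)

    @staticmethod
    def _reachable(start: str, edges: Dict[str, Set[str]]) -> Set[str]:
        seen: Set[str] = set()
        todo = deque([start])
        while todo:
            for nxt in edges[todo.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def ascendants(self, role: str) -> Set[str]:
        """Roles senior to 'role' (they inherit its permissions)."""
        return self._reachable(role, self.parents)

    def descendants(self, role: str) -> Set[str]:
        """Roles junior to 'role' (their permissions flow up to it)."""
        return self._reachable(role, self.children)

    def add_inheritance(self, parent: str, child: str) -> None:
        """Validity rules of INCITS 359 AddInheritance(r_asc, r_desc)."""
        if parent not in self.parents or child not in self.parents:
            raise KeyError(f"unknown role in {parent} <- {child}")
        if parent == child:
            raise ValueError("loops are not permitted in a simple directed graph")
        if parent in self.parents[child]:
            raise ValueError(f"{parent} is already an immediate ascendant of {child}")
        if child in self.ascendants(parent):
            raise ValueError(f"{child} already inherits {parent}: edge would create a cycle")
        self.parents[child].add(parent)
        self.children[parent].add(child)

    def authorized_roles(self, assigned: Set[str]) -> Set[str]:
        """RBAC1 AuthorizedRoles: the assigned roles plus everything they inherit."""
        result = set(assigned)
        for role in assigned:
            result |= self.descendants(role)
        return result


def build_sample_graph() -> RoleGraph:
    return RoleGraph(parse_flat_roles(CONSTRUCTED_LDIF))


def cycle_rejected(graph: RoleGraph, parent: str, child: str) -> bool:
    """True when the graph refuses the edge because it would close a cycle."""
    try:
        graph.add_inheritance(parent, child)
    except ValueError as exc:
        return "cycle" in str(exc)
    return False
```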
What About Firewalls?
(LDAPv3 protocol isn’t always allowed)
• Core API can transmit using either LDAPv3 or HTTP.
Audit
• Use OpenLDAP access log to record events:
  – Authentication
  – Check Access
  – Edits
  – Interrogations
Authorization Events
Administration Events
Authorization API
Configuration
• Must be capable of retrieving properties from multiple data locations
– File, directory, system properties, other
• Can be extended or replaced later if need be
Use Apache Commons Configuration
• Application uses façade
• Properties may be overwritten at runtime
Local and Remote Config
Data Model Questions
• How do I represent the physical data model?
• How do I represent the logical data model?
• How do I support multitenancy?
Logical RBAC Model
Logical Model
Physical RBAC Model
• Users
• Roles
• Permissions
• Constraints
(Diagram labels: Session (RBAC0), Perm (RBAC0), Hierarchical Roles (RBAC1), Segregation of Duties (RBAC2 and 3))
Physical Model - Permissions
Roles here is efficient at runtime
Multitenancy
Image from: https://directory.apache.org/fortress/user-guide/2.1-fortress-multitenancy.html
Multitenancy Defined
Multitenant DIT
Multitenant Object Model
• Client’s id is passed in factory initialization
• Lifecycle of object processes data on behalf of the client id passed during initialization
  – AnyMgr: createInstance(tenantId);

    // Instantiate the AccessMgr implementation for tenant "Client123".
    AccessMgr accessMgr = AccessMgrFactory.createInstance("Client123");
Web & Realm run in separate contexts
Caching
Need it for:
• Hierarchical Roles
• Static Separation of Duty datasets
• Dynamic Separation of Duty datasets
• Organizational Structures
Use Ehcache
Hide it behind a Facade
Implementation
Intro to Apache Fortress
Image from: http://sploid.gizmodo.com/fascinating-photos-reveal-how-they-built-the-sr-71-blac-1683754944
Project Guidelines
• Open Source with permissive license
• High Quality and Well Maintained
• Diverse and Active Community
• Accepted and Transparent Dev Processes
• Extensible and Supportable for Many Years
Project Advantages
• Established Project Methodologies
• Well defined and understood specifications.
• Well understood technology base to build on.
• 3rd time implementing solution of this type.
– Practice makes perfect
Project Dev Processes
Need a sponsor that provides:
• Source Code Management
• Bug Tracking
• Mailing Lists
• Build Servers
• Binary Code Distribution
• Automated Testing
Overview
• Sub-project of Apache Directory
• Written in Java
• Four Components:
  – Core – Java APIs + utilities
  – Realm – Java EE policy enforcement
  – Web – Administrative UI
  – Rest – APIs over HTTP interface
Project History
http://en.wikipedia.org/wiki/Apache_Fortress
History (cont)
25 Prior Releases
1. http://mvnrepository.com/artifact/us.joshuatreesoftware
2. http://mvnrepository.com/artifact/org.openldap
3. http://mvnrepository.com/artifact/org.apache.directory.fortress
Page Views
(chart; release markers 1.0-RC42 and 1.0.0)
Maven Downloads
67 ApacheCon NA, Vancouver 2016
Open HUB
Open HUB Details
Project Releases
https://directory.apache.org/fortress/downloads.html
Bug Tracking
Static Code Analysis
SonarQube code scans run nightly:
• Fortress Core: https://analysis.apache.org/dashboard/index/211987
• Fortress Realm: https://analysis.apache.org/dashboard/index/212344
• Fortress Web: https://analysis.apache.org/dashboard/index/212576
• Fortress Rest: https://analysis.apache.org/dashboard/index/212372
Excellent rule compliance
Mailing List
http://mail-archives.apache.org/mod_mbox/directory-fortress/
(activity chart annotations: Low activity, Crickets chirping, Med activity)
Notability Concerns (slides 74 to 76, images)
Components
1. Core – Java SDK
2. Realm – Java EE Policy Enforcement
3. Rest – HTTP Interface
4. Web – HTML Interface
Core System Architecture
(architecture diagram; annotations: "Either is Supported", "Any directory is possible")
Testing
Integration Tests
• Full test coverage of the APIs
• Positive and Negative Use Cases
• No manual testing
Automated Testing
https://builds.apache.org/view/All/job/dir-fortress-core-docker-test/org.apache.directory.fortress$fortress-core/
Core Benchmarks
• JMeter tests for various scenarios
– Fortress createSession, checkAccess
– Accelerator createSession, checkAccess
Rest System Architecture
(diagram) Use any 3rd-party REST library or Fortress Core to connect with Fortress Rest.
Web System Architecture
(diagram) Option to use either HTTP or LDAPv3 protocol.
Demo
Menu
1. Learn about some
– Basic integration - RBAC0
– Intermediate - RBAC1
– Advanced - RBAC2 & 3
2. Testing on
– Fortress Web
– Fortress Rest
– Fortress Console
– Fortress Command Line Interface
3. Have fun with
– Multi-tenancy & / or Benchmarking
Slide side-notes: wicket-sample, role-engineering-sample, apache-fortress-demo; manual or selenium, junit; ad-hoc, sys-admin stuff; setting up, running, verifying
Apache Fortress Demo
• Three Pages and Three Customers
• One role for every page to customer combo
• Users may be assigned to one or more roles
• At most one role may be activated

| Pages | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page One | PAGE1_123 | PAGE1_456 | PAGE1_789 |
| Page Two | PAGE2_123 | PAGE2_456 | PAGE2_789 |
| Page Three | PAGE3_123 | PAGE3_456 | PAGE3_789 |
Demo 1 Usage Policy
• Both super and power users may access everything.
• But power users are limited to one role activation at a time.
• Super users are not restricted.

| Super & Power Users | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | True | True | True |
| Page2 | True | True | True |
| Page3 | True | True | True |
| User123 | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | True | False | False |
| Page2 | True | False | False |
| Page3 | True | False | False |

| User1 | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | True | True | True |
| Page2 | False | False | False |
| Page3 | False | False | False |

| User1_123 | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | True | False | False |
| Page2 | False | False | False |
| Page3 | False | False | False |
Apache Fortress Demo
• https://github.com/shawnmckinney/apache-fortress-demo

| User-tic-tac-toe | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | False | True | True |
| Page2 | True | False | False |
| Page3 | True | False | False |
Demo 2 Role Engineering Sample
https://github.com/shawnmckinney/role-engineering-sample
1. Java EE Authentication and Authorization
2. Spring Page-level Authorization
3. RBAC Permission Checks
– Links
– Buttons
4. Other RBAC Controls
– Dynamic Separation of Duty
– Role Switcher
Declarative
Demo 2 Role Engineering Sample
• Two pages
• Each has buttons controlled by RBAC Permissions.
• One Role per page.

| User to Role | Buyers Page | Sellers Page |
|---|---|---|
| ssmith | True | False |
| jtaylor | False | True |
| johndoe* | True | True |

* DSD constraint limits user from activating both roles simultaneously.
Demo 2 Role Engineering Sample

| # | Permission | ssmith (Buyer) | rtaylor (Seller) | johndoe* (Both) |
|---|---|---|---|---|
| 1 | Item.bid | True | False | True |
| 2 | Item.purchase | True | False | True |
| 3 | Item.ship | False | True | True |
| 4 | Item.search | True | True | True |
| 5 | Account.create | True | True | True |
| 6 | Auction.create | False | True | True |

* DSD constraint limits user from activating both roles simultaneously.
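The two demos above rest on the same session rules: Demo 1 grants one role per page/customer combination and limits power users to a single activated role, while Demo 2 uses a Dynamic Separation of Duty (DSD) constraint so that johndoe, although assigned both Buyer and Seller, can never hold both in one session. The following is an added example, written for this page: a self-contained Python model of those rules, not Apache Fortress code and not its API. The `Policy`/`Session` classes, the function names, and the per-user activation limit are this example's own modelling choices; the role, user and permission data come from the slide tables.

```python
"""Added example: a self-contained model of the RBAC session rules shown in
Demo 1 (one role per page/customer combo, power users limited to one role
activation at a time) and Demo 2 (Buyer/Seller roles under a DSD constraint).
Not Apache Fortress code and not its API; class and function names and the
per-user activation limit are this example's own assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DsdSet:
    """A session may hold fewer than `cardinality` roles from `roles` (RBAC2-style DSD)."""
    name: str
    roles: frozenset
    cardinality: int


@dataclass
class Policy:
    role_perms: dict                                  # role -> set of "Object.operation" permissions
    user_roles: dict                                  # user -> set of assigned roles
    dsd_sets: list = field(default_factory=list)
    max_active: dict = field(default_factory=dict)    # user -> activation limit (absent = unrestricted)


@dataclass(frozen=True)
class Session:
    user: str
    active_roles: frozenset


def create_session(policy, user, activate):
    """Activate roles for a user, enforcing assignment, the per-user limit and every DSD set."""
    activate = frozenset(activate)
    unassigned = activate - policy.user_roles.get(user, set())
    if unassigned:
        raise PermissionError(f"{user} is not assigned {sorted(unassigned)}")
    limit = policy.max_active.get(user)
    if limit is not None and len(activate) > limit:
        raise PermissionError(f"{user} may activate at most {limit} role(s) per session")
    for dsd in policy.dsd_sets:
        clash = activate & dsd.roles
        if len(clash) >= dsd.cardinality:
            raise PermissionError(f"{user}: DSD '{dsd.name}' forbids {sorted(clash)} together")
    return Session(user, activate)


def session_allowed(policy, user, activate):
    """True if `activate` can become a session without violating a constraint."""
    try:
        create_session(policy, user, activate)
        return True
    except PermissionError:
        return False


def check_access(policy, session, perm):
    """Permission check against the roles activated in this session only, not all assigned roles."""
    return any(perm in policy.role_perms[role] for role in session.active_roles)


def assigned_access(policy, user, perm):
    """What the slide truth tables show: could some session of this user ever reach `perm`?"""
    return any(perm in policy.role_perms[role] for role in policy.user_roles.get(user, set()))


# ---- Demo 1: three pages x three customers, one role per combination ----
# In this model role PAGE1_123 guards the permission "Page1.123" (object Page1, operation 123).
DEMO1_ROLE_PERMS = {f"PAGE{p}_{c}": {f"Page{p}.{c}"} for p in (1, 2, 3) for c in ("123", "456", "789")}
DEMO1 = Policy(
    role_perms=DEMO1_ROLE_PERMS,
    user_roles={
        "superUser": set(DEMO1_ROLE_PERMS),          # all nine roles, unrestricted
        "powerUser": set(DEMO1_ROLE_PERMS),          # all nine roles, one activation at a time
        "User123": {"PAGE1_123", "PAGE2_123", "PAGE3_123"},
        "User1": {"PAGE1_123", "PAGE1_456", "PAGE1_789"},
        "User1_123": {"PAGE1_123"},
        "User-tic-tac-toe": {"PAGE1_456", "PAGE1_789", "PAGE2_123", "PAGE3_123"},
    },
    max_active={"powerUser": 1},
)

# ---- Demo 2: Buyer / Seller roles with a DSD constraint (cardinality 2 = never both) ----
# The slides spell the seller "jtaylor" on one slide and "rtaylor" on the next; "jtaylor" is used here.
DEMO2 = Policy(
    role_perms={
        "Buyer": {"Item.bid", "Item.purchase", "Item.search", "Account.create"},
        "Seller": {"Item.ship", "Item.search", "Account.create", "Auction.create"},
    },
    user_roles={"ssmith": {"Buyer"}, "jtaylor": {"Seller"}, "johndoe": {"Buyer", "Seller"}},
    dsd_sets=[DsdSet("BuyerSellerDSD", frozenset({"Buyer", "Seller"}), cardinality=2)],
)


if __name__ == "__main__":
    s = create_session(DEMO1, "superUser", ["PAGE1_123", "PAGE2_456"])
    print("super user with two roles active, Page2.456:", check_access(DEMO1, s, "Page2.456"))
    print("power user may activate two roles:", session_allowed(DEMO1, "powerUser", ["PAGE1_123", "PAGE2_456"]))
    print("johndoe may activate Buyer and Seller together:", session_allowed(DEMO2, "johndoe", ["Buyer", "Seller"]))
    buyer = create_session(DEMO2, "johndoe", ["Buyer"])
    print("johndoe as Buyer can Item.ship:", check_access(DEMO2, buyer, "Item.ship"))
```

The distinction between `assigned_access` and `check_access` is the point of the asterisks in the tables: a truth table says which permissions a user could ever reach, while an enforcement decision is made only against the roles activated in the current session, which is where the power-user limit and the DSD set take effect.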
Demo 3 Web Sample
https://github.com/shawnmckinney/wicket-sample
Demo 3 System Architecture
(architecture diagram: IAAS Cloud)
Security Layers with Wicket Sample
1. JSSE: confidentiality and integrity
2. Java EE Security: authN and coarse-grained authZ
3. Web App Framework: fine-grained authZ
Add Web Framework Security

```java
add( new SecureIndicatingAjaxButton( "Page1", "Add" )
{
    @Override
    protected void onSubmit( ... )
    {
        // fine-grained authorization (programmatic)
        if( checkAccess( customerNumber ) )
        {
            // do something here:
        }
        else
        {
            target.appendJavaScript( ";alert('Unauthorized');" );
        }
    }
});
```
Demo 3 Web Sample
Wicket Sample Policy File

| User | Page1 | Page2 | Page3 |
|---|---|---|---|
| wsUser1 | True | False | False |
| wsUser2 | False | True | False |
| wsUser3 | False | False | True |
| wsSuperUser | True | True | True |
Tutorial Links in GitHub:
1. Wicket Sample:
– https://github.com/shawnmckinney/wicket-sample
2. End-to-End Security Demo:
– https://github.com/shawnmckinney/apache-fortress-demo
Twitter: @shawnmckinney
Project: https://directory.apache.org/fortress
https://iamfortress.net
https://symas.com
Website:
Email:
Blog: