Security As A Service
Marc Chanliau, Identity Management Technical Evangelist
Agenda
• Java Security “Refresher”
• Introducing Oracle Platform Security Services (OPSS)
• Focus On Design-Time Security (ADF)
• Demo
• OPSS Use Cases
© 2009 Oracle Corporation
The Java EE Security Toolbox
• Container Managed Security
  – Java EE Security
• Java Authentication and Authorization Service (JAAS)
Container Managed Security
• Java EE security handled by the Java EE container
  – Declarative, portable, easy to use
  – Decouples security logic from application code
  – Implementation details hidden from the developer
• Authentication
  – Configured in the web.xml descriptor
  – Basic, Form, Certificate, Digest
• Authorization
  – Role-based
  – Based on URL patterns
  – SSL can be enforced per page
Limitations of Container Managed Security
Java EE declarative security is…
• Static within a deployed application
  – Policies cannot be changed dynamically
  – Constraints cannot be changed (static role mapping)
• Not very granular
  – Protects URL-addressable objects only
  – Does not allow different privileges against the same protected object
• Java EE roles are not hierarchical
  – Extra groups are needed to define “rollup” levels of enterprise roles
  – Not very granular
Java Authentication and Authorization Service (JAAS)
• What JAAS is
  – Enables services to authenticate and enforce access controls
  – Programmatic security model
  – Extends Java 2 Security
  – Role-based access control (RBAC)
• Authentication
  – Pluggable Authentication Module (PAM)
  – Propagates identity via session context
• Authorization
  – Grants access to resources and actions
  – Executes operations within user context
JAAS Advantages
• Dynamic and evaluated in real time
  – Policies may be updated in the policy store and reflected in the application
• Secures the ability to perform a “fine-grained action” on the resource, rather than simple access to the URL
  – Policies are defined against an action in the policy store, not by the URL pattern
  – Supports granular privileges against the same object
• Allows for hierarchical policies
  – References enterprise roles directly from the Identity Management system
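The two preceding slides (container-managed security and JAAS advantages) contrast a URL/role check with an action-level check. The following servlet is an added example, not code from the slides or from Oracle: it first relies on the container's coarse role check and then asks OPSS for a fine-grained, per-action decision on the same page. The servlet name, the `staff` role, and the resource type/name strings are assumptions; `JpsAuth.checkPermission` and `ResourcePermission(type, name, actions)` are the OPSS 11g APIs the deck refers to, and the OPSS or ADF security filter is assumed to have placed the caller's Subject on the request thread.

```java
import java.io.IOException;
import java.security.AccessControlException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import oracle.security.jps.JpsAuth;
import oracle.security.jps.ResourcePermission;

/**
 * Added example (not from the slides). Assumes web.xml already declares a
 * security-constraint on /app/* plus a FORM login-config, so the container has
 * authenticated the caller before this servlet runs.
 */
public class BrowseDepartmentsServlet extends HttpServlet {

    // Assumed policy-store resource type and name; "view" and "export" are the
    // actions granted (or withheld) per application role in the policy store.
    private static final String RESOURCE_TYPE = "DepartmentsPage";
    private static final String RESOURCE_NAME = "BrowseDepartments";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Container-managed check: coarse, static, role-based. It can only
        //    answer "is this user in role X", never "may X do action Y on Z".
        if (req.getRemoteUser() == null || !req.isUserInRole("staff")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. OPSS / JAAS check: fine-grained and evaluated against the policy
        //    store at request time. The same URL can allow "view" but deny
        //    "export" for the same caller, which a web.xml constraint cannot express.
        String action = "true".equals(req.getParameter("export")) ? "export" : "view";
        if (!isPermitted(action)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "not allowed to " + action);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println(req.getRemoteUser() + " may " + action + " " + RESOURCE_NAME);
    }

    /** Wraps the OPSS decision: checkPermission throws on deny instead of returning false. */
    static boolean isPermitted(String action) {
        try {
            JpsAuth.checkPermission(new ResourcePermission(RESOURCE_TYPE, RESOURCE_NAME, action));
            return true;
        } catch (AccessControlException denied) {
            return false;   // deny is also what the audit framework records
        }
    }
}
```

The container check is kept as a cheap first gate; the OPSS check is the one that changes when an administrator edits the policy store, with no redeployment of the application.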
Summary Of The Challenges To Be Addressed
• The security capabilities supported and defined by the Java EE standards are limited
• Too much security knowledge is required of application developers, who should primarily focus on business logic
• No consistent security experience across platforms and applications
• Third-party security frameworks are non-standard and non-portable, and don’t support the complete application lifecycle
• No support for large enterprise security deployments
• Lack of support for different types of development models, e.g., Java EE and Java SE
Introducing OPSS
• OPSS provides enterprise product development teams, systems integrators, and independent software vendors with a security framework for Java SE and Java EE applications
  – standards-based
  – portable
  – integrated
  – enterprise-grade
• OPSS is an abstraction layer that insulates developers from security and identity management implementation details
  – With OPSS, developers don’t need to know the nitty-gritty of cryptographic key management or interfaces with user repositories and other identity management infrastructures
OPSS in Oracle Fusion Middleware
[Architecture diagram. Web tier: Web Browser, Load Balancer, Oracle WebCache, Oracle HTTP Server. Application tier: Oracle WebLogic Server hosting Applications, Oracle SOA Suite, Oracle WebCenter, Oracle Identity Mgt and Oracle Platform Security Services; tooling: Oracle JDeveloper, Oracle WLS Admin Console, Oracle Enterprise Mgr. Data tier: LDAP, RDBMS.]
OPSS Benefits
• Customers get what Oracle products get
  – OPSS is used as the security platform for Oracle Fusion Applications and Oracle Fusion Middleware components
• OPSS is enterprise ready
  – Stress tested to support enterprise deployments
  – Interoperability tested across different environments
  – Certified on WLS, will be certified on WAS and JBoss
  – Standards based
• Protect your investment
  – Pre-integrated with Oracle products and technologies
• Consistent security experience for developers and administrators
  – Same set of APIs and UI for all types of applications (in-house, third-party, Oracle Fusion)
• Support large enterprise deployments
  – Integration with Identity Management
• Enable legacy and third-party security provider integration
OPSS’s Heritage
[Timeline slide, reconstructed from its labels: JAZN → JPS (pre-BEA) → CSS (BEA) → OPSS (post-BEA)]
• JAZN: OAS 9.0.4, OAS 10.1.2 and OAS 10.1.3, coupled with OC4J (in 10.1.3 became known internally as “Security Provider”)
  – JAAS-compatible implementation: AuthN login module, AuthZ, XML/OID providers
  – Added support for third-party LDAP directories
• JPS – pre-BEA (11gR1): portable security provider to OC4J, SOA, WebCenter, OWSM
  – WNA, JSSO, User Role API, OAM integration (JAAS provider), web services security, JMX/MBeans
  – Java2 Policy Provider, Application Role & Policy Mgmt, Credential Store, OSDT, Auditing Framework
• CSS – BEA (WLS 10.3): portable security framework used by Oracle WLS, OES, OSB, etc.
  – SSPI to plug in custom security providers: authentication, identity assertion, authorization, role mapping, SSO
• OPSS – post-BEA (11gR1): OPSS = JPS + CSS; not coupled with the application server; portable to third-party application servers; used by Oracle WLS, OES, OSB, Oracle SOA, Oracle WebCenter, OWSM
  – Supports both JPS & WLS/CSS security: Java2 Policy Provider, Application Role & Policy Mgmt, Credential Store Framework, UserRole API, OSDT, Auditing Framework
[Diagram: Oracle Virtual Directory virtualizes the Identity Store, Credential Store and Policy Store. Lifecycle: Develop / Deploy / Manage. Consumers: Oracle Fusion Middleware Components and Oracle Fusion Applications.]
OPSS Functionality and OPSS APIs:
• ATN, ATZ, CSF, UserRole, Policy Management, Cryptography (OSDT), Audit, SSO
• Identity Assertion, Role Mapping, Creds Mapping, JEE Policy & Role Deployment, Cert Lookup & Val
• Custom SSPI Providers, Java2 & JAAS Policy Provider
Platform to Product
Security Domain   | OPSS Solution (Basic Features) | OPSS Product Solution (Advanced Features)
Identity Store    | Embedded LDAP                  | OID
Policy Store      | File – XML                     | OID
Credential Store  | File – Oracle Wallet           | OID
SSO               | WLS SAML                       | Oracle Access Manager
Authorization     | OPSS CheckPermission           | Oracle Entitlement Server
Oracle Products Using OPSS
(Product Name – What It Does – How It Uses OPSS)
• Oracle ADF / WebCenter
  – What it does: ADF is the framework used to develop WebCenter applications (portlets, etc.)
  – How it uses OPSS: Authentication, JAAS Authorization, Application Role, Anonymous and Authenticated Role, Policy Store Abstraction, Policy Management, Credential Store Framework
• Oracle Web Services Manager (OWSM)
  – What it does: OWSM provides SOA and web services security
  – How it uses OPSS: Authentication, JAAS Authorization, Credential Store Framework, Keystore Service, Audit
• Oracle SOA
  – What it does: Provides applications designed to deploy SOA environments (BPEL, ESB, etc.)
  – How it uses OPSS: Authentication, Authorization and Audit
• Oracle Service Bus (OSB)
  – What it does: Connects, mediates, and manages SOA composites interaction
  – How it uses OPSS: Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration
• Oracle Entitlements Service (OES)
  – What it does: Provides externalized fine-grained authorization
  – How it uses OPSS: Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit
• WebLogic Server (WLS) Container
  – What it does: Java EE server / container
  – How it uses OPSS: Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration
• Oracle Access Manager
  – What it does: Web access and single sign-on platform
  – How it uses OPSS: Identity assertion and integration with WebLogic Server security
OPSS For Developers: ADF Security
• Oracle ADF (Application Development Framework) is a Java EE development environment
  – Oracle ADF simplifies and extends Java EE
• Oracle ADF is the development framework for Oracle products and applications
• Oracle ADF is best used with Oracle JDeveloper
Oracle ADF 11g Architecture
[Architecture diagram. View: Desktop Browser / Mobile Devices, Office, Swing, JSP, JSF, ADF Faces, Packaged Apps, Portlet. Controller: Struts, JSF/ADFc. Model: ADFm (JSR 227). Business Services: Java, EJB, BAM, BPEL, ADF BC, BI, XML, Toplink, Web Services, JMX, JCR. Data Services: Relational Data, XML Data, Legacy Data. Metadata Services span all layers.]
ADF‘s Java EE Runtime Environment
• Provides Java EE 5 services for applications
• Consumes Oracle Platform Security Services (OPSS)
• Handles authentication, authorization, logging and monitoring
• Pluggable authentication architecture
  – Authentication handled by JAAS Login Modules
  – Login Modules are exposed through an Authentication Provider
ADF Security
• Provides declarative protection for ADF applications
• Designed to simplify security in ADF applications
• Enforces Java EE authentication
  – Delegated to WebLogic Server Authentication Providers
  – Easy to configure via the ADF Security Wizard
• ADF bindings protected by JAAS-based authorization
  – Leverages EL to protect UI components
  – Security bubbles up from ADF Business Components
• Provides support for XML and LDAP providers
• Integrated with JDeveloper design time and WLS
ADF Security: Authentication
[Diagram: users sking and ahunold, known to Enterprise Identity Management, log in through /AdfSecurityPojoSample-ViewController-context-root/login.html and are redirected to /app/BrowseDepartments.jspx; WebLogic Server performs AuthN via OPSS (Authenticator; jazn-xml PAM).]
adfAuthentication servlet
• Acts as a known “endpoint” for a standardized login or logout link
• Is secured by a Java EE security constraint
• Delegates logon to the Java EE container (OPSS)
• Access granted to all valid users
• Redirects to a specified page on successful login or logout
ADF Security: Authorization
[Diagram: users sking and ahunold request BrowseDepartments.jspx on WebLogic Server; the ADF Security Filter sends a JAAS AuthZ request to the Policy Store for each. Enterprise roles shown: Administrator, Clerks, HR, Sales, Dev, Staff.]
ADF Security performs the authorization check. In her manager role, sking can see master and detail views; in his user role, ahunold can only see the master view.
Policy Store grant:
<grant>
  <principal>
    <type>role</type>
    <name>manager</name>
  </principal>
  <permission>
    <name>BrowseDep</name>
    <actions>view</actions>
  </permission>
</grant>
Application Roles, Enterprise Roles
• Application Roles
  – Roles defined in jazn-data.xml
  – ADF Security creates a "test-all" role
  – Permissions are granted to application roles
• Enterprise Roles
  – Groups of enterprise users
  – Mapped to application roles to grant privileges to user groups
Demo
OPSS Use Cases
Use Case: WLS Application Using OPSS
• Traditional Java EE security enhanced with
  – JpsAuth.checkPermission API for authorization
  – User and Role API to query attributes stored in LDAP (or other back ends)
  – Use of CSF to secure credentials
Use Case: Container Authentication
• Java EE application configures the authentication method in web.xml
• Application uses container-managed authentication
Use Case: Programmatic Authentication
• Java EE application needs to programmatically authenticate or assert identity, e.g., take a username / password or security token to programmatically authenticate
• Application provides a username and password to programmatically authenticate
• Application requires a portable API
• Application provides a security token for Identity Assertion (authenticate without a password)
• Identity Assertion protected by a code source permission
• Subject Security API to run a task as another user
[Diagram: the application calls the Login Service, which uses the Authenticator against the LDAP Identity Store and generates audit records into the Audit Store; authenticators are configured in the WLS Admin Console.]
Use Case: Fine-Grained Authorization
• Application requires a portable API
• Authorization decisions can be audited
• Application calls JpsAuth.checkPermission
• Can support custom authorization logic with custom permissions
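The last bullet is where OPSS goes beyond role checks: the policy store can hold grants of any `java.security.Permission` subclass, and the subclass's own `implies()` decides what a grant covers. The class below is an added example, not code from the slides or from Oracle. It is a hypothetical report permission whose name is a report path and whose actions are a comma-separated set, so that a single grant of `ReportPermission("finance/*", "view,export")` to an application role satisfies a check for `ReportPermission("finance/q3", "view")`. The class name, path wildcard rule and action names are all assumptions; `JpsAuth.checkPermission` is the OPSS API the bullet names.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;

import oracle.security.jps.JpsAuth;

/**
 * Added example (not from the slides): a custom permission for report access.
 * Name = report path ("finance/q3" or "finance/*"), actions = comma-separated
 * set. A grant in the policy store is just an instance of this class; OPSS asks
 * the granted instance whether it implies() the instance being checked.
 */
public final class ReportPermission extends Permission {
    private static final long serialVersionUID = 1L;

    private final Set<String> actionSet;   // normalised: trimmed, lower-case, sorted
    private final String actions;          // canonical comma-separated form

    public ReportPermission(String reportPath, String actions) {
        super(reportPath);
        TreeSet<String> set = new TreeSet<String>();
        for (String a : actions.split(",")) {
            String t = a.trim().toLowerCase();
            if (t.length() > 0) set.add(t);
        }
        this.actionSet = Collections.unmodifiableSet(set);
        StringBuilder sb = new StringBuilder();
        for (String a : set) {
            if (sb.length() > 0) sb.append(',');
            sb.append(a);
        }
        this.actions = sb.toString();
    }

    /** A grant implies a request when its path covers the request and it holds every requested action. */
    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof ReportPermission)) return false;
        ReportPermission requested = (ReportPermission) p;
        return pathCovers(getName(), requested.getName())
            && actionSet.containsAll(requested.actionSet);
    }

    /** "finance/*" covers "finance/q3" and "finance/eu/q3"; anything else must match exactly. */
    private static boolean pathCovers(String granted, String requested) {
        if (granted.endsWith("/*")) {
            String prefix = granted.substring(0, granted.length() - 1);   // keep the trailing '/'
            return requested.startsWith(prefix);
        }
        return granted.equals(requested);
    }

    @Override
    public String getActions() { return actions; }

    @Override
    public boolean equals(Object o) {
        if (!(o instanceof ReportPermission)) return false;
        ReportPermission other = (ReportPermission) o;
        return getName().equals(other.getName()) && actions.equals(other.actions);
    }

    @Override
    public int hashCode() { return getName().hashCode() * 31 + actions.hashCode(); }

    /** How application code asks OPSS; the grant itself lives in the policy store, not in code. */
    public static boolean canExport(String reportPath) {
        try {
            JpsAuth.checkPermission(new ReportPermission(reportPath, "export"));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }
}
```

Because the grant is evaluated by `implies()` at check time, tightening "finance/*" to "finance/q3" in the policy store takes effect immediately, without touching the application.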
Use Case: Credential Store Framework (CSF)
• Application needs to store / access external system credentials
• Credentials (username / password, symmetric keys) stored securely
• Out of the box, the credential store is a file (Oracle Wallet); LDAP is supported
• Application uses CSF APIs to access credentials
• Credentials are managed using Oracle EM or WLST
• Credential Store operations (read, write, access, etc.) can be audited
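The CSF bullets describe the API surface without showing it. The class below is an added example, not code from the slides or from Oracle: it stores and retrieves a username/password pair through the OPSS `CredentialStore` service, so the secret never sits in application configuration. The map and key names are hypothetical; `JpsContextFactory`, `CredentialStore`, `CredentialFactory` and `PasswordCredential` are the OPSS 11g classes. Access is wrapped in `doPrivileged` because the calling code source is assumed to hold a `CredentialAccessPermission` grant for that map/key in the policy store, which is also what makes each read and write auditable.

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;

import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.credstore.Credential;
import oracle.security.jps.service.credstore.CredentialFactory;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.PasswordCredential;

/**
 * Added example (not from the slides). Whether the backend is an Oracle Wallet
 * file or LDAP is decided by jps-config.xml; this code does not change.
 */
public final class ServiceCredentials {
    private static final String MAP = "hr.app.credentials";   // hypothetical map name
    private static final String KEY = "erp.service.account";  // hypothetical key name

    private ServiceCredentials() {}

    private static CredentialStore store() throws JpsException {
        JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
        return ctx.getServiceInstance(CredentialStore.class);
    }

    /** Writes (or overwrites) the username/password pair under MAP/KEY. */
    public static void save(final String user, final char[] password) throws Exception {
        AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
            public Void run() throws JpsException {
                PasswordCredential pc = CredentialFactory.newPasswordCredential(user, password);
                store().setCredential(MAP, KEY, pc);
                return null;
            }
        });
    }

    /** Reads the password back, refusing to hand out a credential for an unexpected user. */
    public static char[] lookupPassword(final String expectedUser) throws Exception {
        return AccessController.doPrivileged(new PrivilegedExceptionAction<char[]>() {
            public char[] run() throws JpsException {
                Credential c = store().getCredential(MAP, KEY);
                if (!(c instanceof PasswordCredential)) {
                    throw new IllegalStateException("no password credential at " + MAP + "/" + KEY);
                }
                PasswordCredential pc = (PasswordCredential) c;
                if (!pc.getName().equals(expectedUser)) {
                    throw new IllegalStateException("credential belongs to a different user");
                }
                return pc.getPassword().clone();   // caller owns this copy
            }
        });
    }

    /** Typical use: fetch, connect, then wipe the copy so it does not linger on the heap. */
    public static boolean connectAs(String user) throws Exception {
        char[] pwd = lookupPassword(user);
        try {
            return pwd.length > 0;   // placeholder for the real connection attempt
        } finally {
            Arrays.fill(pwd, '\0');
        }
    }
}
```

Administrators populate MAP/KEY with Oracle EM or WLST, as the slide says; the application only ever reads by name.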
Use Case: User and Role API
• Application needs to search the identity store, e.g., search for all users in “EMEA” or access the e-mail address of all users in a certain role
• User attributes stored in embedded LDAP or another configured LDAP Authenticator
• The same API works irrespective of where user attributes are stored
• Application uses User and Role (UR) APIs to access user attributes
[Diagram: application → User And Role API → UR Provider → Identity Store / Authenticator; the authenticator is configured in the WLS Admin Console.]
Use Case: Audit
• Java EE application needs to audit security-sensitive operations such as authentication, authorization, credential access
• Application uses Java EE container-based authentication (WLS Authenticator)
• WLS audits authentication and Java EE authorization
• If the application uses OPSS, its check-permission authorization and credential operations are audited (the OPSS audit API is not exposed to applications)
[Diagram: two application variants. (1) Container-based authentication / authorization: WLS generates its security audit into the Audit Store. (2) OPSS-based authentication / authorization: OPSS generates audit records into the Audit Store. Audit is configured through the WLS Admin Console and Oracle EM FMW Control; records are viewed through BI Publisher.]
Use Case: Java SE Application
• Java SE application using
  – LoginService API for authentication
  – checkPermission for authorization
  – User and Role API to query attributes stored in LDAP (or other back ends)
  – Credential Store to secure credentials
[Diagram: Java SE application uses the LoginService API, checkPermission, UserRole API and Credential Store Framework; authentication goes to an LDAP Identity Store, permission checks and credential access go to an LDAP Policy Store.]
Use Case: ADF Development
• Developer creates an ADF application using JDeveloper and applies wizard-based ADF security
• Application’s users and groups, authorization policy, and credentials are copied by JDeveloper to the WLS embedded in JDeveloper
• Developer creates the application’s EAR file, which contains policy and credentials
• Deployer / Administrator deploys the EAR to a remote WLS using Oracle EM
[Diagram: ADF application (users/groups, policy, credential) in JDeveloper auto-deploys to the integrated WLS with its file-based policy & credential store; JDeveloper generates the EAR, which is deployed to a remote WLS through Oracle EM FMW Control, and the policy & credentials land in the domain policy & credential store.]
Use Case: ADF Authorization
• ADF application needs to use fine-grained authorization in a portable fashion while using Java EE container-based authentication
• JDeveloper ADF security wizard creates the required security configuration
• ADF filter calls JpsAuth.checkPermission
• Can support custom authorization logic with custom permissions
[Diagram: Application → ADF Filter → CheckPermission → Policy Provider → Policy Store; policies are managed through MBeans, WLST and Oracle EM FMW Control; audit records are generated into the Audit Store.]
Use Case: Test to Production
• Administrator tests the application in the Staging environment; the application’s security policy and credentials need to be migrated to the Production environment
• Administrator redeploys the application into the Production environment
• Administrator runs the migrateSecurityStore WLST offline command in the Production environment, which copies policy and credential data from the Staging store to the Production store
[Diagram: WLST Migrate Security Store copies from the Staging Policy & Credential Store to the Production Policy & Credential Store.]
Use Case: SSO with OAM
• Administrator wants to configure multiple WLS domains to participate in SSO
• Administrator configures OAM and WLS integration using SSPI
• OAM SSPI agent extracts the security token and validates it using the WLS identity asserter
OPSS Summary
• OPSS provides
  – A suite of application-centric security frameworks
  – Abstraction APIs and implementation of basic features
  – Lightweight Identity Management infrastructure
    • Allows customers to build and deploy small to mid-size applications
  – Plug-in interface to Identity Management systems
    • Applications built against OPSS can be plugged into a centrally deployed Identity Management system
    • Allows customers to scale their applications by switching to a centrally deployed Identity Management system
    • No code changes are required in the application when switching from one Identity Management system to another
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.