Security As A Service

Marc Chanliau, Identity Management Technical Evangelist
[email protected]

Transcript of Security As A Service

Page 1: Security As A Service

Page 2: Security As A Service

Agenda

• Java Security “Refresher”
• Introducing Oracle Platform Security Services (OPSS)
• Focus On Design-Time Security (ADF)
• Demo
• OPSS Use Cases

© 2009 Oracle Corporation 2

Page 3: Security As A Service

The Java EE Security Toolbox

• Container Managed Security
  – Java EE Security
• Java Authentication and Authorization Service (JAAS)

Page 4: Security As A Service

Container Managed Security

• Java EE security handled by the Java EE container
  – Declarative, portable, easy to use
  – Decouples security logic from application code
  – Implementation details hidden from the developer

• Authentication
  – Configured in the web.xml deployment descriptor
  – Basic, Form, Certificate, Digest

• Authorization
  – Role-based
  – Based on URL patterns
  – SSL can be enforced per URL pattern (user-data-constraint / transport-guarantee)

Page 5: Security As A Service

Limitations of Container Managed Security

Java EE declarative security is…

• Static within a deployed application
  – Policies cannot be changed dynamically; the descriptor is edited and the application redeployed
  – Constraints cannot be changed (static role mapping)

• Not very granular
  – Protects URL-addressable objects only
  – Does not allow different privileges (e.g., view vs. edit) against the same protected object

• Java EE roles are not hierarchical
  – Extra groups are needed to define “rollup” levels of enterprise roles
  – Not very granular

Page 6: Security As A Service

Java Authentication and Authorization Service (JAAS)

• What JAAS is
  – Enables services to authenticate users and enforce access controls
  – Programmatic security model
  – Extends Java 2 Security (code-source based) with principal-based authorization
  – Role-based access control (RBAC)

• Authentication
  – Pluggable Authentication Module (PAM) model: login modules are stacked and swapped through configuration, not code
  – Propagates identity (the authenticated Subject) via the session context

• Authorization
  – Grants access to resources and actions
  – Executes operations within the user's security context (Subject.doAs)

Page 7: Security As A Service

JAAS Advantages

• Dynamic and evaluated in real time
  – Policies may be updated in the policy store and reflected in the application without redeployment

• Secures the ability to perform a “fine-grained action” on the resource, rather than simple access to the URL
  – Policies are defined against an action in the policy store, not by URL pattern
  – Supports granular privileges against the same object

• Allows for hierarchical policies
  – References enterprise roles directly from the Identity Management system

Page 8: Security As A Service

Summary Of The Challenges To Be Addressed

• The security capabilities supported and defined by the Java EE standards are limited
• Too much security knowledge is required of application developers, who should primarily focus on business logic
• No consistent security experience across platforms and applications
• Third-party security frameworks are non-standard and non-portable, and don’t support the complete application lifecycle
• No support for large enterprise security deployments
• Lack of support for different types of development model, e.g., Java EE and Java SE

Page 9: Security As A Service

Introducing OPSS

• OPSS provides enterprise product development teams, systems integrators, and independent software vendors with a security framework for Java SE and Java EE applications
  – standards-based
  – portable
  – integrated
  – enterprise-grade

• OPSS is an abstraction layer that insulates developers from security and identity management implementation details
  – With OPSS, developers don’t need to know the nitty-gritty of cryptographic key management or interfaces with user repositories and other identity management infrastructures

Page 10: Security As A Service

OPSS in Oracle Fusion Middleware

[Diagram: OPSS in Oracle Fusion Middleware. Web tier: web browser, load balancer, Oracle WebCache, Oracle HTTP Server. Application tier: Oracle WebLogic Server hosting applications, Oracle SOA Suite and Oracle WebCenter, with Oracle Platform Security Services as the shared security layer and Oracle Identity Management beside it; administered through Oracle JDeveloper, the Oracle WLS Admin Console and Oracle Enterprise Manager. Data tier: LDAP and RDBMS.]

Page 11: Security As A Service

OPSS Benefits

• Customers get what Oracle products get
  – OPSS is used as the security platform for Oracle Fusion Applications and Oracle Fusion Middleware components

• OPSS is enterprise ready
  – Stress tested to support enterprise deployments
  – Interoperability tested across different environments
  – Certified on WLS; will be certified on WAS and JBoss
  – Standards based

• Protect your investment
  – Pre-integrated with Oracle products and technologies

• Consistent security experience for developers and administrators
  – Same set of APIs and UI for all types of applications (in-house, third-party, Oracle Fusion)

• Support large enterprise deployments
  – Integration with Identity Management

• Enable legacy and third-party security provider integration

Page 12: Security As A Service

OPSS’s Heritage

JAZN (coupled with OC4J)
• OAS 9.0.4: JAAS-compatible implementation – AuthN login module, AuthZ, XML/OID providers
• OAS 10.1.2: added support for third-party LDAP directories
• OAS 10.1.3 (became known internally as “Security Provider”): WNA, JSSO, User Role API, OAM integration (JAAS provider), web services security, JMX/MBeans

JPS – Pre BEA
• 11gR1: portable Security Provider to OC4J, SOA, WebCenter, OWSM
• Java2 Policy Provider, Application Role & Policy Mgmt, Credential Store, OSDT, Auditing Framework

CSS – BEA
• WLS 10.3: portable security framework used by Oracle WLS, OES, OSB, etc.
• SSPI to plug in custom security providers: authentication, identity assertion, authorization, role mapping, SSO

OPSS – Post BEA
• 11gR1: OPSS = JPS + CSS; not coupled with the application server; portable to third-party application servers
• Used by Oracle WLS, OES, OSB, Oracle SOA, Oracle WebCenter, OWSM
• Supports both JPS and WLS/CSS security: Java2 Policy Provider, Application Role & Policy Mgmt, Credential Store Framework, UserRole API, OSDT, Auditing Framework

Page 13: Security As A Service

[Diagram: OPSS functionality across the Develop, Deploy and Manage lifecycle. Oracle Virtual Directory virtualizes the identity store, credential store and policy store. OPSS APIs consumed by Oracle Fusion Middleware components and Oracle Fusion Applications: authentication (ATN), authorization (ATZ), Credential Store Framework (CSF), UserRole, policy management, cryptography (OSDT). OPSS functionality: identity assertion, role mapping, credential mapping, Java EE policy and role deployment, custom SSPI providers, Java2 and JAAS policy provider, certificate lookup and validation, audit, SSO.]

Page 14: Security As A Service

Platform to Product

Security Domain   | OPSS Solution (Basic Features) | OPSS Product Solution (Advanced Features)
------------------|--------------------------------|------------------------------------------
Identity Store    | Embedded LDAP                  | OID
Policy Store      | File (XML)                     | OID
Credential Store  | File (Oracle Wallet)           | OID
SSO               | WLS SAML                       | Oracle Access Manager
Authorization     | OPSS CheckPermission           | Oracle Entitlements Server

Page 15: Security As A Service

Oracle Products Using OPSS

Product Name | What It Does | How It Uses OPSS

Oracle ADF / WebCenter
  What it does: ADF is the framework used to develop WebCenter applications (portlets, etc.)
  How it uses OPSS: authentication, JAAS authorization, application roles, anonymous and authenticated roles, policy store abstraction, policy management, Credential Store Framework

Oracle Web Services Manager (OWSM)
  What it does: provides SOA and web services security
  How it uses OPSS: authentication, JAAS authorization, Credential Store Framework, Keystore Service, audit

Oracle SOA
  What it does: provides applications designed to deploy SOA environments (BPEL, ESB, etc.)
  How it uses OPSS: authentication, authorization and audit

Oracle Service Bus (OSB)
  What it does: connects, mediates, and manages SOA composite interactions
  How it uses OPSS: authentication, identity assertion, authorization, role mapping, credential mapping, certificate lookup, audit, SSO, SSPI framework for third-party integration

Oracle Entitlements Server (OES)
  What it does: provides externalized fine-grained authorization
  How it uses OPSS: authentication, identity assertion, authorization, role mapping, credential mapping, certificate lookup, audit

WebLogic Server (WLS) Container
  What it does: Java EE server / container
  How it uses OPSS: authentication, identity assertion, authorization, role mapping, credential mapping, certificate lookup, audit, SSO, SSPI framework for third-party integration

Oracle Access Manager
  What it does: web access and single sign-on platform
  How it uses OPSS: identity assertion and integration with WebLogic Server security

Page 16: Security As A Service

OPSS For Developers: ADF Security

• Oracle ADF (Application Development Framework) is a Java EE development environment
  – Oracle ADF simplifies and extends Java EE
• Oracle ADF is the development framework for Oracle products and applications
• Oracle ADF is best used with Oracle JDeveloper

Page 17: Security As A Service

Oracle ADF 11g Architecture

[Diagram: Oracle ADF 11g architecture. View: JSF / ADF Faces, JSP, Office, Swing, serving desktop browsers and mobile devices. Controller: JSF / ADFc, Struts. Model: ADFm (JSR 227). Business services: Java, EJB, BAM, BPEL, ADF BC, BI, XML, web services, portlets, TopLink, JMX, JCR, packaged apps. Data services over relational, XML and legacy data. Metadata services span all layers.]

Page 18: Security As A Service

ADF‘s Java EE Runtime Environment

• Provides Java EE 5 services for applications
• Consumes Oracle Platform Security Services (OPSS)
• Handles authentication, authorization, logging and monitoring
• Pluggable authentication architecture
  – Authentication handled by JAAS login modules
  – Login modules are exposed through an Authentication Provider

Page 19: Security As A Service

ADF Security

• Provides declarative protection for ADF applications
• Designed to simplify security in ADF applications
• Enforces Java EE authentication
  – Delegated to WebLogic Server Authentication Providers
  – Easy to configure via the ADF Security Wizard

• ADF bindings protected by JAAS-based authorization
  – Leverages EL to protect UI components
  – Security bubbles up from ADF Business Components

• Provides support for XML and LDAP providers
• Integrated with JDeveloper design time and WLS

Page 20: Security As A Service

ADF Security: Authentication

[Diagram: ADF Security authentication flow. Users sking and ahunold, defined in enterprise identity management, log in through the adfAuthentication servlet on WebLogic Server; authentication is performed via OPSS (Authenticator; jazn-xml PAM). Example URLs: /AdfSecurityPojoSample-ViewController-context-root/login.html, then /app/BrowseDepartments.jspx after login.]

The adfAuthentication servlet:
• Acts as a known “endpoint” for a standardized login or logout link
• Is secured by a Java EE security constraint
• Delegates logon to the Java EE container (OPSS)
• Access granted to all valid users
• Redirects to a specified page on successful login or logout

Page 21: Security As A Service

ADF Security: Authorization

[Diagram: ADF Security authorization flow. Enterprise groups: Administrator, Clerks, HR, Sales, Dev, Staff. On WebLogic Server the ADF Security Filter intercepts requests for BrowseDepartments.jspx from users sking and ahunold and issues JAAS AuthZ requests against the Policy Store.]

ADF Security performs the authorization check:
• In her manager role, sking can see master and detail views
• In his user role, ahunold can only see the master view

Policy store grant giving the manager role the “view” action on BrowseDep:

  <grant>
    <principal>
      <type>role</type>
      <name>manager</name>
    </principal>
    <permission>
      <name>BrowseDep</name>
      <actions>view</actions>
    </permission>
  </grant>

Page 22: Security As A Service

Application Roles, Enterprise Roles

• Application Roles
  – Roles defined in jazn-data.xml
  – ADF Security creates a “test-all” role
  – Permissions are granted to application roles

• Enterprise Roles
  – Groups of enterprise users
  – Mapped to application roles to grant privileges to user groups
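The difference between the URL-pattern model criticized on page 5 and the action-on-resource model of pages 7, 21 and 22 is easiest to see in code. The following is an added example written for this transcript; it is not OPSS code, not the deck's demo, and not a real jazn-data.xml. The RolePrincipal and ResourcePermission classes, the <app-role>/<member> elements, the HR and Staff groups, the nested “user” role and the BrowseDepDetail resource are all constructed for illustration; only the manager grant on BrowseDep/view comes from page 21. The example parses grants of that shape, maps the enterprise groups carried by a JAAS Subject to application roles (including one nested role, the “hierarchical policies” point of page 7), and answers the question the ADF Security filter asks: is this action on this resource granted to this user?

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Permission;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (not OPSS code): evaluates jazn-data style grants against a JAAS Subject. Needs Java 16+. */
public class PolicyStoreDemo {
    /** Hypothetical role principal: an enterprise group or an application role. */
    record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    /** Hypothetical permission class mirroring <permission><name/><actions/></permission>. */
    static final class ResourcePermission extends Permission {
        private final Set<String> actions;
        ResourcePermission(String name, String actions) {
            super(name);
            this.actions = new TreeSet<>(Arrays.asList(actions.split("\\s*,\\s*")));
        }
        /** Granted "view,edit" implies requested "view"; granted "view" never implies "edit". */
        @Override public boolean implies(Permission p) {
            if (!(p instanceof ResourcePermission rp) || !getName().equals(rp.getName())) return false;
            return actions.contains("*") || actions.containsAll(rp.actions);
        }
        @Override public String getActions() { return String.join(",", actions); }
        @Override public boolean equals(Object o) { return o instanceof Permission p && implies(p) && p.implies(this); }
        @Override public int hashCode() { return Objects.hash(getName(), actions); }
    }

    private final Map<String, Set<String>> appRoleMembers = new HashMap<>(); // application role -> member groups or roles
    private final Map<String, List<Permission>> grants = new HashMap<>();     // principal name -> granted permissions
    PolicyStoreDemo(String jaznXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // a tampered policy file must not become an XXE vector
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(jaznXml.getBytes(StandardCharsets.UTF_8)));
        for (Element r : elements(doc.getDocumentElement(), "app-role")) {
            Set<String> members = new HashSet<>();
            for (Element m : elements(r, "member")) members.add(m.getTextContent().trim());
            appRoleMembers.put(childText(r, "name"), members);
        }
        for (Element g : elements(doc.getDocumentElement(), "grant")) {
            List<Permission> perms = new ArrayList<>();
            for (Element p : elements(g, "permission")) perms.add(new ResourcePermission(childText(p, "name"), childText(p, "actions")));
            for (Element pr : elements(g, "principal")) grants.computeIfAbsent(childText(pr, "name"), k -> new ArrayList<>()).addAll(perms);
        }
    }

    private static List<Element> elements(Element parent, String tag) {
        NodeList nl = parent.getElementsByTagName(tag);
        List<Element> out = new ArrayList<>();
        for (int i = 0; i < nl.getLength(); i++) out.add((Element) nl.item(i));
        return out;
    }
    private static String childText(Element e, String tag) { return elements(e, tag).get(0).getTextContent().trim(); }

    /** Enterprise groups in the Subject map to application roles; nested application roles expand to a fixpoint. */
    Set<String> effectiveRoles(Subject s) {
        Set<String> names = new HashSet<>();
        for (Principal p : s.getPrincipals()) names.add(p.getName());
        for (boolean changed = true; changed; ) {
            changed = false;
            for (Map.Entry<String, Set<String>> e : appRoleMembers.entrySet())
                if (!names.contains(e.getKey()) && !Collections.disjoint(names, e.getValue())) changed = names.add(e.getKey());
        }
        return names;
    }

    /** The check a security filter makes before rendering: is the action on the resource granted to any effective role? */
    boolean checkPermission(Subject s, Permission requested) {
        for (String role : effectiveRoles(s))
            for (Permission granted : grants.getOrDefault(role, List.of()))
                if (granted.implies(requested)) return true;
        return false;
    }

    /** Constructed sample policy in the shape of the slide's <grant>; groups HR and Staff are assumed, not from the deck. */
    static final String JAZN = String.join("\n",
        "<jazn-data>",
        "  <app-role><name>manager</name><members><member>HR</member></members></app-role>",
        "  <app-role><name>user</name><members><member>Staff</member><member>manager</member></members></app-role>",
        "  <grant><principal><type>role</type><name>manager</name></principal>",
        "    <permission><name>BrowseDep</name><actions>view,edit</actions></permission>",
        "    <permission><name>BrowseDepDetail</name><actions>view</actions></permission></grant>",
        "  <grant><principal><type>role</type><name>user</name></principal>",
        "    <permission><name>BrowseDep</name><actions>view</actions></permission></grant>",
        "</jazn-data>");

    public static void main(String[] args) throws Exception {
        PolicyStoreDemo store = new PolicyStoreDemo(JAZN);
        Subject sking = new Subject(), ahunold = new Subject(); // sking: HR -> manager -> user; ahunold: Staff -> user
        sking.getPrincipals().addAll(List.of(new RolePrincipal("sking"), new RolePrincipal("HR")));
        ahunold.getPrincipals().addAll(List.of(new RolePrincipal("ahunold"), new RolePrincipal("Staff")));
        for (Permission p : List.of(new ResourcePermission("BrowseDep", "view"),
                new ResourcePermission("BrowseDepDetail", "view"), new ResourcePermission("BrowseDep", "edit")))
            System.out.printf("%s:%s sking=%b ahunold=%b%n", p.getName(), p.getActions(),
                store.checkPermission(sking, p), store.checkPermission(ahunold, p));
    }
}
```

Run it with `java PolicyStoreDemo.java` (single-file launch). Two points carry over to a real deployment. First, Permission.implies is what makes “view” and “edit” distinct privileges on the same object, which a web.xml security-constraint cannot express; in OPSS the equivalent question is put to JpsAuth.checkPermission against the configured policy store, and the grant can be changed in the store without redeploying the application. Second, the policy file is itself security-relevant input: it is parsed with DTDs disabled so that a tampered jazn-data.xml cannot be turned into an XML external entity attack against the server that loads it.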

Page 23: Security As A Service


Demo

Page 24: Security As A Service


OPSS Use Cases

Page 25: Security As A Service

Use Case: WLS Application Using OPSS

• Traditional Java EE security enhanced with
  – JpsAuth.checkPermission API for authorization
  – UserRole API to query attributes stored in LDAP (or other back ends)
  – Use of CSF to secure credentials

Page 26: Security As A Service

Use Case: Container Authentication

• Java EE application configures the authentication method in web.xml
• Application uses container-managed authentication

Page 27: Security As A Service

Use Case: Programmatic Authentication

• Java EE application needs to programmatically authenticate or assert identity, e.g., take a username/password or a security token and authenticate programmatically
• Application provides a username and password to authenticate programmatically
• Application requires a portable API
• Application provides a security token for identity assertion (authenticate without a password)
• Identity assertion is protected by a code-source permission, so only trusted code can assert an identity
• Subject Security API to run a task as another user

[Diagram: the application calls the OPSS Login Service, which invokes the configured Authenticator against the LDAP identity store and generates audit records into the audit store; authenticators are configured from the WLS Admin Console.]

Page 28: Security As A Service

Use Case: Fine-Grained Authorization

• Application requires a portable API
• Authorization decisions can be audited
• Application calls JpsAuth.checkPermission
• Can support custom authorization logic with custom Permissions

Page 29: Security As A Service

Use Case: Credential Store Framework (CSF)

• Application needs to store / access external system credentials
• Credentials (username / password, symmetric keys) stored securely
• Out of the box, the credential store is a file (Oracle Wallet); LDAP is supported
• Application uses CSF APIs to access credentials
• Credentials are managed using Oracle EM or WLST
• Credential store operations (read, write, access, etc.) can be audited

Page 30: Security As A Service

Use Case: User and Role API

• Application needs to do a search in the identity store, e.g., search for all users in “EMEA” or access the email address of all users in a certain role
• User attributes stored in the embedded LDAP or another configured LDAP Authenticator
• The same API works irrespective of where user attributes are stored
• Application uses the User and Role (UR) APIs to access user attributes

[Diagram: the application calls the User and Role API, which goes through the UR Provider to the identity store behind the configured Authenticator; the Authenticator is configured from the WLS Admin Console.]

Page 31: Security As A Service

Use Case: Audit

• Java EE application needs to audit security-sensitive operations such as authentication, authorization and credential access
• Application uses Java EE container-based authentication (WLS Authenticator)
• WLS audits authentication and Java EE authorization
• If the application uses OPSS, it gets checkPermission authorization and credential operations audited (the OPSS audit API is not exposed to applications)

[Diagram: two applications. One uses container-based authentication/authorization; WLS generates its security audit into the audit store, configured from the WLS Admin Console. The other uses OPSS-based authentication/authorization; OPSS generates audit records into the audit store, configured from Oracle EM Fusion Middleware Control. Audit data is viewed with BI Publisher.]

Page 32: Security As A Service

Use Case: Java SE Application

• Java SE application using
  – LoginService API for authentication
  – checkPermission for authorization
  – User and Role API to query attributes stored in LDAP (or other back ends)
  – Credential Store to secure credentials

[Diagram: the Java SE application uses the LoginService API, checkPermission, the UserRole API and the Credential Store Framework; authentication goes to an LDAP identity store, permission checks and credential access go to an LDAP policy store.]

Page 33: Security As A Service

Use Case: ADF Development

• Developer creates an ADF application using JDeveloper and applies wizard-based ADF security
• Application’s users and groups, authorization policy, and credentials are copied by JDeveloper to the WLS embedded in JDeveloper
• Developer creates the application’s EAR file, which contains policy and credentials
• Deployer / Administrator deploys the EAR to a remote WLS using Oracle EM

[Diagram: the ADF application (users/groups, policy, credentials) is auto-deployed from JDeveloper to the integrated WLS, which uses a file-based policy and credential store; JDeveloper generates the EAR, and Oracle EM Fusion Middleware Control deploys it to a remote WLS, migrating policy and credentials into the domain policy and credential store.]

Page 34: Security As A Service

Use Case: ADF Authorization

• ADF application needs to use fine-grained authorization in a portable fashion while using Java EE container-based authentication
• JDeveloper ADF security wizard creates the required security configuration
• ADF filter calls JpsAuth.checkPermission
• Can support custom authorization logic with custom permissions

[Diagram: the application’s ADF Filter calls checkPermission, which the Policy Provider evaluates against the Policy Store and audits into the audit store; the policy store is managed through MBeans, WLST and Oracle EM Fusion Middleware Control.]

Page 35: Security As A Service

Use Case: Test to Production

• Administrator tests the application in the Staging environment; the application’s security policy and credentials need to be migrated to the Production environment
• Administrator redeploys the application into the Production environment
• Administrator runs the migrateSecurityStore WLST offline command in the Production environment, which copies policy and credential data from the Staging store to the Production store

[Diagram: WLST migrateSecurityStore copies the Staging policy and credential store into the Production policy and credential store.]

Page 36: Security As A Service

Use Case: SSO with OAM

• Administrator wants to configure multiple WLS domains to participate in SSO
• Administrator configures OAM and WLS integration using SSPI
• OAM SSPI agent extracts the security token and validates it using the WLS identity asserter

Page 37: Security As A Service

OPSS Summary

• OPSS provides
  – A suite of application-centric security frameworks
  – Abstraction APIs and implementation of basic features
  – Lightweight Identity Management infrastructure
    • Allows customers to build and deploy small to mid-size applications
  – Plug-in interface to Identity Management systems
    • Applications built against OPSS can be plugged into a centrally deployed Identity Management system
    • Allows customers to scale their applications by switching to a centrally deployed Identity Management system
    • No code changes required in the application when switching from one Identity Management system to another

Page 39: Security As A Service

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.