
Raymond K. Ng, Technical Lead - JAAS Platform Security, Oracle Corporation

Securing J2EE Applications with Oracle Identity Management


Presentation Transcript


  1. Raymond K. Ng, Technical Lead - JAAS Platform Security, Oracle Corporation

  2. Securing J2EE Applications with Oracle Identity Management

  3. Agenda • Application Security Overview • Authentication Requirements • Authorization Requirements • J2EE Security • JAAS • Oracle Strategy

  4. Application Security
      • Security is a process, not a product or feature
      • No 100% security
      • Only as secure as weakest link
      • Go beyond firewall security
      • Implement multi-layer security
      • Considerations
        • Authentication
        • Authorization
        • Accountability/Audit
        • Secure Transport

  5. Oracle 10g Security Architecture [diagram; labels only: Browser; Oracle HTTP Server (mod_ossl, mod_osso); Oracle 10g Containers for J2EE (OC4J) with JAAS; Security Infrastructure Layer: Oracle Internet Directory, Single Sign-On]

  6. Authentication Requirements

  7. Use The Appropriate Mechanism • Username and password • Client certificate • Smart Card • Biometrics

  8. Single Sign-On (SSO)
      • Why SSO-enable your application?
        • User Convenience
        • Security
        • Cost Reduction
      • Factors to consider
        • Integration with infrastructure
        • Extensible framework

  9. Oracle 10g Single Sign-On
      • Centralized authentication for web applications
      • Multiple authentication options
        • Username/password
        • Client certificates
        • 3rd party API (Biometrics, Smart Card, etc.)
      • Single Sign-Off
      • Multiple application types
      • Integrated across Oracle 10g
        • OID, OC4J/JAAS, Portal, OHS, Wireless, Workflow, UM, Ultrasearch, Personalization, Reports, Forms, Discoverer…

  10. Relevant Standards • HTTP • SSL/X.509 • J2EE • JAAS • Java Authentication SPI • SAML • WS-Security • Plus emerging specifications

  11. Authorization Requirements

  12. Choose The Right Authorization Model
      • Roll Your Own (Application-specific)
        • Maintenance
        • Administrative Cost
        • Inconsistent Authorization Policy => Insecurity
      • Understand The Relevant Standards
        • J2EE Security
        • Java 2 Security
        • JAAS
        • JACC

  13. J2EE Security

  14. J2EE Security
      • Design Principles
        • Declarative security model
        • Decouple security logic from application logic
        • Write once run anywhere (WORA)
        • Leverage existing security infrastructure
      • J2EE Roles
        • Application Provider
        • Application Assembler
        • Application Deployer
        • System Administrator

  15. J2EE Security: Authentication
      • Multiple Authentication Methods: Basic, Form, SSL client certificate, etc.
      • Declarative Security
        • Deployment descriptors: web.xml, ejb-jar.xml
      • JSR 196: Java Authentication SPI
        • J2EE 1.5
        • JAAS LoginModule integration
      • Missing
        • Single Sign-On support

  16. J2EE Security: Authorization
      • Protected Resources
        • Web Resources: URL-patterns
        • Enterprise Beans: Method permissions
      • "Role"-based Authorization
        • Not "Role Based Access Control (RBAC)"
      • Portability
        • JSR 115: Integration with Java2/JAAS
        • Pluggable security (authorization) provider
        • J2EE security constraints => Java2 permissions

  17. JAAS: Java Authentication and Authorization Service

  18. Java 2 Security
      • Key Components
        • Security Policy defines authorization policy
        • SecurityManager/AccessController is security monitor
        • Necessary if running any untrusted code in your JVM
      • Limitations
        • Code-based security only
        • No policy management API
        • File-based implementation doesn't scale

  19. What is JAAS?
      • Principal-Based security
      • Authentication
        • Pluggable Authentication Module (PAM) framework
      • Authorization
        • Extension to Java2 Security Model
      • Optional Package to JDK 1.3
      • JDK 1.4 Core API
      • J2EE 1.3 Requirement
      • J2EE 1.4: JACC (JSR 115)
      • J2EE 1.5: Java Authentication SPI (JSR 196)

  20. Oracle 10g JAAS Provider
      • Oracle's JAAS (Java Authentication and Authorization Service) implementation, plus extensions
      • Integrated with Oracle 10g SSO and OID
      • Default Security Provider for Oracle 10g Containers for J2EE

  21. Oracle 10g JAAS Provider: User Manager [diagram; labels only: Oracle 10g Containers for J2EE; JAZNUserManager; XML-based provider type with jazn-data.xml repository; LDAP-based provider type with OID repository]

  22. Oracle 10g JAAS Provider: Authentication
      • Oracle's RealmLoginModule integrated with OC4J Authentication
        • Declarative model
        • Integrated with J2EE security model
        • Integrated with Realm framework for user communities
      • Support custom JAAS LoginModules
        • Programmatic and declarative
        • Integrated with J2EE security model
      • Option to use Oracle 10g Single Sign-On (SSO)

  23. Oracle 10g JAAS Provider: Authorization
      • JAAS Authorization
        • Principal (i.e. user) and code-based policies
        • Hierarchical, role-based access control (RBAC)
        • Realm framework to support multiple user communities
      • Authorization Repository
        • XML flat-file
        • Oracle Internet Directory (OID)
      • 3 methods of Management
        • Oracle Enterprise Manager
        • JAZN Admintool
        • Programmatic API
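To make slides 18 and 23 concrete, here is an added example (not code from the deck or from Oracle's JAZN provider) of JAAS principal-based authorization layered on the Java 2 code-based model: a custom Policy grants a FilePermission only to a Subject carrying a constructed reports_reader role principal. It uses the standard JDK Policy/SecurityManager API rather than JAZN's XML or OID policy store, and assumes a JDK that still allows installing a SecurityManager (Java 17 or earlier, or -Djava.security.manager=allow on later releases); the RolePrincipal class, role name and path are all constructed.

```java
import java.io.FilePermission;
import java.security.*;
import java.util.Collections;
import java.util.HashSet;
import javax.security.auth.Subject;

// Constructed demo of principal-based authorization on top of the Java 2 code-based model.
public class PrincipalPolicyDemo {
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Policy consulted by AccessController on every checkPermission. Decisions key on the
    // principals that Subject.doAsPrivileged stamped onto the caller's ProtectionDomain.
    static final class RolePolicy extends Policy {
        private static final Permission REPORTS = new FilePermission("/tmp/reports/-", "read"); // constructed path
        @Override public boolean implies(ProtectionDomain domain, Permission perm) {
            // doAsPrivileged itself needs AuthPermission("doAsPrivileged") once a SecurityManager is installed.
            if (perm instanceof javax.security.auth.AuthPermission) return true;
            for (Principal p : domain.getPrincipals()) {
                if (p instanceof RolePrincipal && "reports_reader".equals(p.getName()) && REPORTS.implies(perm)) return true;
            }
            return false; // everything else is denied, including code-based grants
        }
    }

    // Run the check as the given Subject; the null context drops the caller's own stack.
    static boolean canRead(Subject subject, String path) {
        return Subject.doAsPrivileged(subject, (PrivilegedAction<Boolean>) () -> {
            try { AccessController.checkPermission(new FilePermission(path, "read")); return true; }
            catch (SecurityException e) { return false; }
        }, null);
    }

    static Subject withRole(String role) {
        return new Subject(true, Collections.singleton(new RolePrincipal(role)), new HashSet<>(), new HashSet<>());
    }

    public static void main(String[] args) {
        Policy.setPolicy(new RolePolicy());
        System.setSecurityManager(new SecurityManager()); // JDK <= 17, or -Djava.security.manager=allow on later JDKs
        System.out.println(canRead(withRole("reports_reader"), "/tmp/reports/q3.txt")); // true
        System.out.println(canRead(withRole("guest"), "/tmp/reports/q3.txt"));          // false
    }
}
```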

  24. Oracle 10g JAAS Provider: What's New
      • Custom JAAS LoginModules
        • Leverage any JAAS-compliant LoginModules
        • Integration with J2EE security model
      • Performance & Scalability Enhancements
      • OC4J Integration
        • Password hiding (data-sources.xml, oc4j-ra.xml)
      • Tool Integration
        • JDeveloper / BC4J

  25. Oracle 10g JAAS Provider: Future Directions
      • Support for 3rd party LDAP directories
        • Default LoginModule certified against AD and SunONE
      • JACC Provider (JSR 115)
        • Unified authorization model for managed components
      • Java Authentication SPI (JSR 196)
        • Unified authentication model for managed components
      • Portlet Integration (JSR 168)
        • J2EE/JAAS authorization model for portlets
      • Management & Deployment Enhancements
        • JSR 77 & 88
      • XML Services Security
        • Web Services Security

  26. JAAS Up Your J2EE Apps

  27. JAAS Up your J2EE Apps: Putting the Pieces Together
      • Define your security policy
        • Enterprise policy:
          • role hierarchy
          • user->role assignment
          • permission->role assignment
        • Application-specific policy:
          • authentication method
          • authorization constraints ("security-roles")
      • Deploy your J2EE Application
        • authentication method
        • authorization constraints ("security-role-mappings")
        • RunAs identity

  28. JAAS Up Your J2EE Apps: SSO-enabling your J2EE Apps
      • Specify static declarative constraints
        • in web.xml or ejb-jar.xml
      • Deploy your J2EE applications
        • specify JAZN-LDAP UserManager
        • security-role mappings
          • OID realms, users and groups
      • Specify authentication method as SSO
        • in orion-web.xml: <jazn-web-app auth-method="SSO" />
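As an added example (not from the deck or Oracle's documentation), here is the declarative configuration that slides 15, 16 and 28 describe end to end: a portable web.xml security constraint, then the OC4J-specific orion-web.xml and orion-application.xml settings that select SSO, map the J2EE role to an OID group and point JAZN at the LDAP (OID) provider. The role, group and host names are constructed; the OC4J element names are as I recall them from OC4J 10g and should be checked against the release in use.

```xml
<!-- web.xml (portable): the application assembler declares what is protected and by which role -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <!-- No <http-method> listed on purpose: naming only GET and POST would leave every
           other method (HEAD, PUT, DELETE, ...) on this pattern unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>reports_reader</role-name>   <!-- constructed role name -->
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>   <!-- require HTTPS -->
    </user-data-constraint>
  </security-constraint>
  <security-role>
    <role-name>reports_reader</role-name>
  </security-role>
</web-app>

<!-- orion-web.xml (OC4J-specific): the deployer selects SSO and maps the role to an OID group -->
<orion-web-app>
  <jazn-web-app auth-method="SSO" />
  <security-role-mapping name="reports_reader">
    <group name="report-readers" />   <!-- constructed OID group; managed through DAS, not in the app -->
  </security-role-mapping>
</orion-web-app>

<!-- orion-application.xml (OC4J-specific): use the JAZN-LDAP provider (OID) instead of jazn-data.xml -->
<orion-application>
  <jazn provider="LDAP" location="ldap://oid.example.com:389" />   <!-- placeholder host -->
</orion-application>
```

The authentication method is deliberately not set in web.xml here: on OC4J the jazn-web-app element is what switches the application to Oracle SSO, as slide 28 states.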

  29. JAAS Up Your J2EE Apps: Custom LoginModule Integration
      • Develop, package & deploy your application as usual
      • Package & deploy your custom LoginModule
        • As an independent JAR or as part of your application
      • Configure your application
        • Set JAZN property "role.mapping.dynamic" to "true"
        • Set application classpath as appropriate
        • Set security role mapping as appropriate
      • Register your custom LoginModule
        • Associate your custom LoginModule with your application
        • JAZN Admintool: "-addloginmodule" option
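An added example (my own constructed code, not Oracle's RealmLoginModule or anything shipped with OC4J) of the custom JAAS LoginModule that slides 19, 22 and 29 refer to, following the two-phase login/commit contract the PAM-style framework requires. The in-memory user store, the password, the SimplePrincipal class and the role name reports_reader are all constructed; a real module would verify credentials against OID/LDAP, and the role name would have to match an entry in the application's security-role-mapping for role.mapping.dynamic to pick it up.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Constructed sample LoginModule: login() only verifies; commit() attaches principals, so a failed stacked module leaves no half-built Subject.
public class SampleLoginModule implements LoginModule {
    // Constructed in-memory store holding SHA-256("s3cret"); a real module would query OID/LDAP.
    private static final byte[] ALICE_PW_HASH = sha256("s3cret".toCharArray());
    private Subject subject; private CallbackHandler handler;
    private String user; private boolean authenticated;   // set by login(), consumed by commit()

    // Minimal principal; with role.mapping.dynamic=true OC4J maps these names to J2EE roles.
    public static final class SimplePrincipal implements Principal {
        private final String name;
        public SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed"); }
        char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
        // Constant-time hash comparison; one generic failure message whether user or password was wrong.
        boolean ok = MessageDigest.isEqual(sha256(pw), ALICE_PW_HASH) & "alice".equals(nc.getName());
        pc.clearPassword(); Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("authentication failed");
        user = nc.getName();
        return authenticated = true;
    }

    public boolean commit() {
        if (!authenticated) return false;
        subject.getPrincipals().add(new SimplePrincipal(user));
        subject.getPrincipals().add(new SimplePrincipal("reports_reader")); // constructed role name
        return true;
    }

    public boolean abort() { user = null; authenticated = false; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof SimplePrincipal); return true; }

    static byte[] sha256(char[] pw) {
        try { return MessageDigest.getInstance("SHA-256").digest(new String(pw).getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```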

  30. JAAS Up Your J2EE Apps: Tips & Tricks
      • JAZN-LDAP
        • User/group management delegated to DAS
        • grant RMIPermission to user accessing EJBs
      • JAZN-LDAP Cache
        • Tuning parameters: "ldap.cache.*"
      • Identity Management Realm
        • SSO integration
        • External Synchronization
      • Performance vs. Ease-of-development
        • Public Group
        • Authentication only

  31. Oracle Strategy

  32. Distributed Systems Security Reference Architecture [diagram; labels only: Users; Application; Audit; Protected Resources; Authorization; Authentication; Privacy; Application Security Services; Identity & Policy Store; Identity & Profile Assertion Services; Policy Decision Services; Identity Management Infrastructure; Administration & Provisioning]

  33. Oracle 10g Security Solution • Oracle Identity Management Infrastructure for the enterprise • Platform security enabled by Oracle Identity Management • Platform components with high security assurance

  34. Oracle Security Architecture [diagram; labels only, by row]
      • Applications: Oracle E-Business Suite; Oracle Collaboration Suite; OracleAS Portal & Wireless
      • Application Component Security: Responsibilities, Roles …; Secure Mail, Interpersonal Rights …; Roles, Privilege Groups …
      • Platform: OracleAS 10g; Oracle 10g Database
      • Oracle 10g Platform Security Bindings: JAAS, WS Security, Java2 Permissions (OracleAS 10g); Enterprise users, VPD, Encryption, Label Security (Oracle 10g Database)
      • External Security Services / Access Management: OracleAS Single Sign-on; OracleAS Certificate Authority; Delegated Administration Services; Directory Integration & Provisioning
      • Enterprise Security Infrastructure / Directory Services: Oracle Internet Directory; Provisioning Services; Oracle Identity Management

  35. Oracle Identity Management Benefits
      • Enables deployment of all Oracle products out of the box
        • AS, DB, OCS, eBiz
      • An enterprise infrastructure that leverages Oracle's "unbreakable" technology
        • Reliability, scalability, security, performance
      • A single point of integration for customer's existing identity management solutions
        • Transparent 3rd party integration for OIM enabled products
      • Accommodates wide variety of partner solutions and customer deployments
        • Open, standards-based infrastructure enables integration

  36. What's Next
      • Implementing Identity Management at Lawrence Livermore National Labs
        • ID: 40287
        • Presenter: Tony Macedo, Computer Scientist, LLNL
        • Date: Thursday, 9/11
        • Time: 3:15 - 4:15
        • Location: Moscone Center room 120

  37. Questions & Answers

  38. Raymond K. Ng, Technical Lead - JAAS Platform Security, Oracle Corporation
