JAAS Up Your J2EE Apps - PowerPoint PPT Presentation

Transcript and Presenter's Notes



1
(No Transcript)
2
Raymond K. Ng, Technical Lead - JAAS Platform Security, Oracle Corporation
3
Securing J2EE Applications with Oracle Identity Management
4
Agenda
  • Application Security Overview
  • Authentication Requirements
  • Authorization Requirements
  • J2EE Security
  • JAAS
  • Oracle Strategy

5
Application Security
  • Security is a process, not a product or feature
  • No 100% security
  • Only as secure as the weakest link
  • Go beyond firewall security
  • Implement multi-layer security
  • Considerations
    - Authentication
    - Authorization
    - Accountability/Audit
    - Secure Transport

6
Oracle 10g Security Architecture
(Architecture diagram) Browser; Oracle HTTP Server with mod_ossl and mod_osso; Oracle 10g Containers for J2EE (OC4J) with JAAS; Security Infrastructure Layer: Oracle Internet Directory and Single Sign-On
7
Authentication Requirements
8
Use The Appropriate Mechanism
  • Username and password
  • Client certificate
  • Smart Card
  • Biometrics

9
Single Sign-On (SSO)
  • Why SSO-enable your application?
    - User Convenience
    - Security
    - Cost Reduction
  • Factors to consider
    - Integration with infrastructure
    - Extensible framework

10
Oracle 10g Single Sign-On
  • Centralized authentication for web applications
  • Multiple authentication options
    - Username/password
    - Client certificates
    - 3rd party API (Biometrics, Smart Card, etc.)
  • Single Sign-Off
  • Multiple application types
  • Integrated across Oracle 10g
    - OID, OC4J/JAAS, Portal, OHS, Wireless, Workflow,
      UM, Ultrasearch, Personalization, Reports, Forms,
      Discoverer

11
Relevant Standards
  • HTTP
  • SSL/X.509
  • J2EE
  • JAAS
  • Java Authentication SPI
  • SAML
  • WS-Security
  • Plus emerging specifications

12
Authorization Requirements
13
Choose The Right Authorization Model
  • Roll Your Own (Application-specific)
    - Maintenance
    - Administrative Cost
    - Inconsistent Authorization Policy -> Insecurity
  • Understand The Relevant Standards
    - J2EE Security
    - Java 2 Security
    - JAAS
    - JACC

14
J2EE Security
15
J2EE Security
  • Design Principles
    - Declarative security model
    - Decouple security logic from application logic
    - Write once run anywhere (WORA)
    - Leverage existing security infrastructure
  • J2EE Roles
    - Application Provider
    - Application Assembler
    - Application Deployer
    - System Administrator

16
J2EE Security: Authentication
  • Multiple Authentication Methods
    - Basic, Form, SSL client certificate, etc.
  • Declarative Security
    - Deployment descriptors: web.xml, ejb-jar.xml
  • JSR 196 Java Authentication SPI
    - J2EE 1.5
    - JAAS LoginModule integration
  • Missing
    - Single Sign-On support

17
J2EE Security: Authorization
  • Protected Resources
    - Web Resources: URL patterns
    - Enterprise Beans: method permissions
  • Role-based Authorization
    - Not Role Based Access Control (RBAC)
  • Portability
    - JSR 115: Integration with Java2/JAAS
    - Pluggable security (authorization) provider
    - J2EE security constraints -> Java2 permissions

18
JAAS: Java Authentication and Authorization Service
19
Java 2 Security
  • Key Components
    - Security Policy: defines the authorization policy
    - SecurityManager/AccessController: the security monitor
  • Necessary if running any untrusted code in your JVM
  • Limitations
    - Code-based security only
    - No policy management API
    - File-based implementation doesn't scale

20
What is JAAS?
  • Principal-Based security
  • Authentication
    - Pluggable Authentication Module (PAM) framework
  • Authorization
    - Extension to Java2 Security Model
  • Optional Package to JDK 1.3
  • JDK 1.4 Core API
  • J2EE 1.3 Requirement
  • J2EE 1.4: JACC (JSR 115)
  • J2EE 1.5: Java Authentication SPI (JSR 196)

21
Oracle 10g JAAS Provider
  • Oracle's JAAS (Java Authentication and Authorization Service) implementation, plus extensions
  • Integrated with Oracle 10g SSO and OID
  • Default Security Provider for Oracle 10g Containers for J2EE

22
Oracle 10g JAAS Provider: User Manager
(Diagram) Oracle 10g Containers for J2EE -> JAZNUserManager, with two provider types: XML-based (jazn-data.xml repository) and LDAP-based (OID repository)
23
Oracle 10g JAAS Provider: Authentication
  • Oracle's RealmLoginModule, integrated with OC4J authentication
    - Declarative model
    - Integrated with J2EE security model
    - Integrated with Realm framework for user communities
  • Support for custom JAAS LoginModules
    - Programmatic and declarative
    - Integrated with J2EE security model
  • Option to use Oracle 10g Single Sign-On (SSO)

24
Oracle 10g JAAS Provider: Authorization
  • JAAS Authorization
    - Principal (i.e. user) and code-based policies
    - Hierarchical, role-based access control (RBAC)
    - Realm framework to support multiple user communities
  • Authorization Repository
    - XML flat file
    - Oracle Internet Directory (OID)
  • Three methods of management
    - Oracle Enterprise Manager
    - JAZN Admintool
    - Programmatic API

25
Oracle 10g JAAS Provider: What's New
  • Custom JAAS LoginModules
    - Leverage any JAAS-compliant LoginModule
    - Integration with J2EE security model
  • Performance & Scalability Enhancements
  • OC4J Integration
    - Password hiding (data-sources.xml, oc4j-ra.xml)
  • Tool Integration
    - JDeveloper / BC4J

26
Oracle 10g JAAS Provider: Future Directions
  • Support for 3rd party LDAP directories
    - Default LoginModule certified against AD and SunONE
  • JACC Provider (JSR 115)
    - Unified authorization model for managed components
  • Java Authentication SPI (JSR 196)
    - Unified authentication model for managed components
  • Portlet Integration (JSR 168)
    - J2EE/JAAS authorization model for portlets
  • Management & Deployment Enhancements
    - JSR 77 & 88
  • XML Services Security
    - Web Services Security

27
JAAS Up Your J2EE Apps
28
JAAS Up Your J2EE Apps: Putting the Pieces Together
  • Define your security policy
    - Enterprise policy
      - role hierarchy
      - user -> role assignment
      - permission -> role assignment
    - Application-specific policy
      - authentication method
      - authorization constraints (security-roles)
  • Deploy your J2EE Application
    - authentication method
    - authorization constraints (security-role-mappings)
    - RunAs identity
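
Slides 19, 24 and 28 describe code-based Java 2 policy, JAAS principal-based authorization with a hierarchical RBAC policy, and the enterprise policy pieces (role hierarchy, user -> role, permission -> role). The block below is an added, stand-alone Java example written for this transcript; it is not the deck's or Oracle's JAZN code. It shows a custom java.security.Policy that grants permissions by role with inheritance, evaluated through Subject.doAsPrivileged so the Subject's principals are bound to the calling code's ProtectionDomain, with the code-based permissions of that domain still honoured. Every name in it (AuthzDemo, RolePolicy, RolePrincipal, ResourcePermission, the role and permission names) is an assumption for the demo. Caveat: it relies on the legacy Java 2 security APIs (Policy, AccessController, doAsPrivileged), which are deprecated from JDK 17 and no longer functional on JDK 24+ where the Security Manager is permanently disabled; it runs on JDK 8 through 21 with deprecation warnings.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;

/** Added example: principal-based JAAS authorization over a role hierarchy. All names are assumed. */
public class AuthzDemo {

    /** Application permission; BasicPermission gives "orders.*"-style wildcard matching for free. */
    public static final class ResourcePermission extends BasicPermission {
        public ResourcePermission(String name) { super(name); }
    }

    /** Role carried in an authenticated Subject (added by a LoginModule or the container's role mapping). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "role:" + name; }
    }

    /**
     * Policy combining the code-based permissions already attached to a ProtectionDomain
     * with principal-based grants keyed by role; a senior role transitively inherits the
     * grants of every junior role it includes (hierarchical RBAC).
     */
    public static final class RolePolicy extends Policy {
        private final Map<String, Set<String>> includes = new HashMap<>(); // senior role -> junior roles
        private final Map<String, Permissions> grants = new HashMap<>();   // role -> permissions

        public RolePolicy include(String senior, String junior) {
            includes.computeIfAbsent(senior, k -> new HashSet<>()).add(junior);
            return this;
        }

        public RolePolicy grant(String role, Permission p) {
            grants.computeIfAbsent(role, k -> new Permissions()).add(p);
            return this;
        }

        /** Transitive closure of the roles named by a domain's principals. */
        public Set<String> effectiveRoles(Principal[] principals) {
            Set<String> out = new HashSet<>();
            Deque<String> work = new ArrayDeque<>();
            if (principals != null) {
                for (Principal p : principals) if (p instanceof RolePrincipal) work.add(p.getName());
            }
            while (!work.isEmpty()) {
                String r = work.pop();
                if (out.add(r)) work.addAll(includes.getOrDefault(r, Collections.emptySet()));
            }
            return out;
        }

        @Override public boolean implies(ProtectionDomain domain, Permission permission) {
            PermissionCollection codeBased = domain.getPermissions();
            if (codeBased != null && codeBased.implies(permission)) return true;
            for (String role : effectiveRoles(domain.getPrincipals())) {
                Permissions ps = grants.get(role);
                if (ps != null && ps.implies(permission)) return true;
            }
            return false;   // default deny: unknown role or no matching grant
        }
    }

    /** Enterprise policy: role hierarchy plus permission -> role assignment (assumed roles and names). */
    public static RolePolicy buildPolicy() {
        return new RolePolicy()
                .include("admin", "employee")                               // admin inherits employee's grants
                .grant("employee", new ResourcePermission("orders.read"))
                .grant("admin", new ResourcePermission("orders.delete"));
    }

    /** User -> role assignment: a Subject as a LoginModule's commit() would leave it. */
    public static Subject subjectWithRoles(String... roles) {
        Subject s = new Subject();
        for (String r : roles) s.getPrincipals().add(new RolePrincipal(r));
        s.setReadOnly();   // principals must not change after authentication
        return s;
    }

    /** Checks a permission with the Subject's principals bound to the calling code's domain. */
    public static boolean allowed(Subject subject, Permission p) {
        return Subject.doAsPrivileged(subject, (PrivilegedAction<Boolean>) () -> {
            try {
                AccessController.checkPermission(p);
                return true;
            } catch (AccessControlException denied) {
                return false;
            }
        }, null);
    }

    public static void main(String[] args) {
        Policy.setPolicy(buildPolicy());
        Subject employee = subjectWithRoles("employee"), admin = subjectWithRoles("admin"), nobody = new Subject();
        for (String res : new String[] {"orders.read", "orders.delete"}) {
            Permission p = new ResourcePermission(res);
            System.out.printf("%-13s employee=%-5b admin=%-5b nobody=%b%n", res, allowed(employee, p), allowed(admin, p), allowed(nobody, p));
        }
    }
}
```

The point to notice is where the decision lives: the application calls checkPermission and never inspects roles itself; the employee Subject reaches orders.read only through the grant, the admin Subject reaches orders.read only through the include(admin, employee) edge, and the empty Subject is denied everything because the policy, not the caller, defaults to false. In OC4J the same evaluation is performed by the JAZN provider against the jazn-data.xml or OID policy store named on slide 24 instead of an in-code Policy.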

29
JAAS Up Your J2EE Apps: SSO-enabling your J2EE Apps
  • Specify static declarative constraints
    - in web.xml or ejb-jar.xml
  • Deploy your J2EE applications
    - specify the JAZN-LDAP UserManager
    - security-role mappings
      - OID realms, users and groups
  • Specify authentication method as SSO
    - in orion-web.xml
    - <jazn-web-app auth-method="SSO" />

30
JAAS Up Your J2EE Apps: Custom LoginModule Integration
  • Develop, package & deploy your application as usual
  • Package & deploy your custom LoginModule
    - As an independent JAR or as part of your application
  • Configure your application
    - Set JAZN property role.mapping.dynamic to true
    - Set application classpath as appropriate
    - Set security role mapping as appropriate
  • Register your custom LoginModule
    - Associate your custom LoginModule with your application
    - JAZN Admintool -addloginmodule option
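
Slides 20, 23 and 30 talk about the JAAS LoginModule contract and about plugging a custom module into OC4J, but the deck never shows what such a module has to do. The block below is an added Java example written for this transcript, not Oracle's RealmLoginModule or any code from the deck: a complete LoginModule implementing the two-phase login/commit/abort/logout protocol, obtaining credentials through the CallbackHandler, checking them against a salted hash in constant time, scrubbing the password array, and only committing principals to the Subject once the whole LoginContext has succeeded. DemoLoginModule, DemoApp, NamedPrincipal and the in-memory user table are assumptions for the demo; the authenticate() driver installs the JAAS Configuration programmatically, standing in for what the -addloginmodule registration and role.mapping.dynamic setting on slide 30 arrange in OC4J, where the "role" principals committed here would be mapped onto the application's security roles.

```java
import java.io.IOException;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example of a custom JAAS LoginModule; every name here is assumed for the demo. */
public class DemoLoginModule implements LoginModule {

    /** One principal class for users and roles; a container maps the "role" principals onto J2EE security roles. */
    public static final class NamedPrincipal implements Principal {
        final String kind, name;
        public NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof NamedPrincipal && toString().equals(o.toString()); }
        @Override public int hashCode() { return toString().hashCode(); }
        @Override public String toString() { return kind + ":" + name; }
    }

    // Constructed in-memory credential store: user -> { salt, hex(sha256(salt || password)), roles... }.
    // A real module would query OID/LDAP or a database and use a slow KDF such as PBKDF2 instead of plain SHA-256.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", new String[] {"7f3a", hash("7f3a", "s3cret!".toCharArray()), "employee"});
        USERS.put("bob", new String[] {"c201", hash("c201", "hunter2".toCharArray()), "employee", "admin"});
    }

    static String hash(String salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt.getBytes(StandardCharsets.UTF_8));
            md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(password))); // avoids a String copy of the password
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest()) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String username; private String[] roles;   // pending identity: kept out of the Subject until commit()
    private boolean succeeded, committed;

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

    /** Phase 1: verify credentials but leave the Subject alone (another REQUIRED module may still fail). */
    @Override public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler available");
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {nc, pc}); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e.getMessage()); }
        char[] pw = Optional.ofNullable(pc.getPassword()).orElse(new char[0]);   // getPassword() hands us a copy
        pc.clearPassword();                                                       // the callback's own copy goes now
        try {
            String[] rec = USERS.get(nc.getName());
            String salt = rec == null ? "0000" : rec[0];   // hash for unknown users too, so timing is uniform
            byte[] actual = hash(salt, pw).getBytes(StandardCharsets.UTF_8);
            byte[] expected = (rec == null ? "" : rec[1]).getBytes(StandardCharsets.UTF_8);
            if (rec == null || !MessageDigest.isEqual(expected, actual)) throw new FailedLoginException("bad username or password");
            username = nc.getName();
            roles = Arrays.copyOfRange(rec, 2, rec.length);
            return succeeded = true;
        } finally { Arrays.fill(pw, '\0'); }   // our copy goes here, on success and failure alike
    }

    /** Phase 2: every module passed, so populate the Subject. */
    @Override public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new NamedPrincipal("user", username));
        for (String r : roles) subject.getPrincipals().add(new NamedPrincipal("role", r));
        return committed = true;
    }

    /** Some module failed: drop pending state, and undo the commit if it already happened. */
    @Override public boolean abort() { return succeeded && logout(); }

    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof NamedPrincipal);
        username = null; roles = null; succeeded = committed = false;
        return true;
    }

    /** Stand-alone driver: installs the JAAS configuration in code (in OC4J, -addloginmodule / jazn-data.xml do this). */
    public static Subject authenticate(String user, char[] password) throws LoginException {
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"DemoApp".equals(name)) return null;
                return new AppConfigurationEntry[] {new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>())};
            }
        });
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("DemoApp", h);
        lc.login();   // login() on every module, then commit() on all of them (or abort() if any failed)
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(authenticate("bob", "hunter2".toCharArray()).getPrincipals());
        try { authenticate("alice", "wrong".toCharArray()); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Two design points matter more than the credential check itself. First, login() must not touch the Subject: with several REQUIRED or REQUISITE modules in the stack, the LoginContext only calls commit() after all of them passed, and a module that adds principals early leaks a half-authenticated identity on abort(). Second, the module must answer a wrong password and an unknown user identically, in message and in time, or it becomes a username oracle in front of the directory.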

31
JAAS Up Your J2EE Apps: Tips & Tricks
  • JAZN-LDAP
    - User/group management delegated to DAS
    - grant RMIPermission to users accessing EJBs
  • JAZN-LDAP Cache
    - Tuning parameters: the ldap.cache.* properties
  • Identity Management Realm
    - SSO integration
    - External Synchronization
  • Performance vs. Ease-of-development
  • Public Group
    - Authentication only

32
Oracle Strategy
33
Distributed Systems Security Reference Architecture
(Reference architecture diagram) Users and the Application reach Protected Resources through the Application Security Services: Authentication, Authorization, Audit and Privacy. These sit on the Identity Management Infrastructure: Identity & Policy Store, Identity Profile & Assertion Services, Policy Decision Services, and Administration & Provisioning.
34
Oracle 10g Security Solution
  • Oracle Identity Management Infrastructure for the
    enterprise
  • Platform security enabled by Oracle Identity
    Management
  • Platform components with high security assurance

35
Oracle Security Architecture
(Layered architecture diagram)
  • Application Component Security: Oracle E-Business Suite (Responsibilities, Roles, ...), Oracle Collaboration Suite (Secure Mail, Interpersonal Rights), OracleAS Portal & Wireless (Roles, Privilege Groups)
  • Oracle 10g Platform Security Bindings: OracleAS 10g (JAAS, WS Security, Java2 Permissions, ...) and Oracle 10g Database (Enterprise users, VPD, Encryption, Label Security)
  • External Security Services: Access Management
  • Enterprise Security Infrastructure (Oracle Identity Management): OracleAS Certificate Authority, Directory Integration & Provisioning, OracleAS Single Sign-On, Delegated Administration Services, Directory Services (Oracle Internet Directory), Provisioning Services
36
Oracle Identity Management Benefits
  • Enables deployment of all Oracle products out of the box
    - AS, DB, OCS, eBiz
  • An enterprise infrastructure that leverages Oracle's unbreakable technology
    - Reliability, scalability, security, performance
  • A single point of integration for customers' existing identity management solutions
    - Transparent 3rd party integration for OIM-enabled products
  • Accommodates a wide variety of partner solutions and customer deployments
  • Open, standards-based infrastructure enables integration

37
What's Next
  • Implementing Identity Management at Lawrence Livermore National Labs
    - ID: 40287
    - Presenter: Tony Macedo, Computer Scientist, LLNL
    - Date: Thursday, 9/11
    - Time: 3:15 - 4:15
    - Location: Moscone Center, room 120

38
Q&A
39
Raymond K. Ng, Technical Lead - JAAS Platform Security, Oracle Corporation
40
(No Transcript)