Securing J2EE Applications with Oracle Identity Management
Raymond K. Ng, Technical Lead - JAAS Platform Security, Oracle Corporation

Agenda
- Application Security Overview
- Authentication Requirements
- Authorization Requirements
- J2EE Security
- JAAS
- Oracle Strategy

Application Security
- Security is a process, not a product or feature
  – No 100% security
- Only as secure as the weakest link
  – Go beyond firewall security
  – Implement multi-layer security
- Considerations
  – Authentication
  – Authorization
  – Accountability/Audit
  – Secure Transport

Oracle 10g Security Architecture
[Diagram: Browser; Oracle HTTP Server (mod_ossl, mod_osso); Oracle 10g Containers for J2EE (OC4J) with JAAS; Security Infrastructure Layer: Single Sign-On, Oracle Internet Directory]

Authentication Requirements
- Use the appropriate mechanism
- Username and password
- Client certificate
- Smart Card
- Biometrics

Single Sign-On (SSO)
- Why SSO-enable your application?
  – User convenience
  – Security
  – Cost reduction
- Factors to consider
  – Integration with infrastructure
  – Extensible framework

Oracle 10g Single Sign-On
- Centralized authentication for web applications
- Multiple authentication options
  – Username/password
  – Client certificates
  – 3rd party API (Biometrics, Smart Card, etc.)
- Single Sign-Off
- Multiple application types
- Integrated across Oracle 10g
  – OID, OC4J/JAAS, Portal, OHS, Wireless, Workflow, UM, Ultrasearch, Personalization, Reports, Forms, Discoverer…

Relevant Standards
- HTTP
- SSL/X.509
- J2EE
- JAAS
- Java Authentication SPI
- SAML
- WS-Security
- Plus emerging specifications

Authorization Requirements
- Choose the right authorization model
- Roll your own (application-specific)
  – Maintenance
  – Administrative cost
  – Inconsistent authorization policy => insecurity
- Understand the relevant standards
  – J2EE Security
  – Java 2 Security
  – JAAS
  – JACC

J2EE Security
- J2EE security design principles
  – Declarative security model
  – Decouple security logic from application logic
- Write once, run anywhere (WORA)
- Leverage existing security infrastructure
- J2EE roles
  – Application Provider
  – Application Assembler
  – Application Deployer
  – System Administrator

J2EE Security: Authentication
- Multiple authentication methods: Basic, Form, SSL client certificate, etc.
- Declarative security
  – Deployment descriptors: web.xml, ejb-jar.xml
- JSR 196: Java Authentication SPI
  – J2EE 1.5
  – JAAS LoginModule integration
- Missing
  – Single Sign-On support

J2EE Security: Authorization
- Protected resources
  – Web resources: URL patterns
  – Enterprise Beans: method permissions
- "Role"-based authorization
  – Not "Role Based Access Control (RBAC)"
  – Portability
- JSR 115: integration with Java2/JAAS
  – Pluggable security (authorization) provider
  – J2EE security constraints => Java2 permissions

JAAS: Java Authentication and Authorization Service

Java 2 Security
- Key components
  – Security Policy defines the authorization policy
  – SecurityManager/AccessController is the security monitor
- Necessary if running any untrusted code in your JVM
- Limitations
  – Code-based security only
  – No policy management API
  – File-based implementation doesn't scale

What is JAAS?
- Principal-based security
- Authentication
  – Pluggable Authentication Module (PAM) framework
- Authorization
  – Extension to the Java2 security model
- Optional package to JDK 1.3
  – JDK 1.4 core API
- J2EE 1.3 requirement
  – J2EE 1.4: JACC (JSR 115)
  – J2EE 1.5: Java Authentication SPI (JSR 196)

Oracle 10g JAAS Provider
- Oracle's JAAS (Java Authentication and Authorization Services) implementation, plus extensions
- Integrated with Oracle 10g SSO and OID
- Default security provider for Oracle 10g Containers for J2EE

Oracle 10g JAAS Provider: User Manager
[Diagram: Oracle 10g Containers for J2EE uses JAZNUserManager, which offers an LDAP-based provider type (OID repository) and an XML-based provider type (jazn-data.xml repository)]

Oracle 10g JAAS Provider: Authentication
- Oracle's RealmLoginModule
- Integrated with OC4J authentication
  – Declarative model
  – Integrated with the J2EE security model
  – Integrated with the Realm framework for user communities
- Support for custom JAAS LoginModules
  – Programmatic and declarative
  – Integrated with the J2EE security model
- Option to use Oracle 10g Single Sign-On (SSO)

Oracle 10g JAAS Provider: Authorization
- JAAS authorization
  – Principal-based (i.e. user) and code-based policies
  – Hierarchical, role-based access control (RBAC)
  – Realm framework to support multiple user communities
- Authorization repository
  – XML flat file
  – Oracle Internet Directory (OID)
- 3 methods of management
  – Oracle Enterprise Manager
  – JAZN Admintool
  – Programmatic API

Oracle 10g JAAS Provider: What's New
- Custom JAAS LoginModules
  – Leverage any JAAS-compliant LoginModules
  – Integration with the J2EE security model
- Performance & scalability enhancements
- OC4J integration
  – Password hiding (data-sources.xml, oc4j-ra.xml)
- Tool integration
  – JDeveloper / BC4J

Oracle 10g JAAS Provider: Future Directions
- Support for 3rd party LDAP directories
  – Default LoginModule certified against AD and SunONE
- JACC Provider (JSR 115)
  – Unified authorization model for managed components
- Java Authentication SPI (JSR 196)
  – Unified authentication model for managed components
- Portlet integration (JSR 168)
  – J2EE/JAAS authorization model for portlets
- Management & deployment enhancements
  – JSR 77 & 88
- XML Services Security
- Web Services Security

JAAS Up Your J2EE Apps

JAAS Up Your J2EE Apps: Putting the Pieces Together
- Define your security policy
  – Enterprise policy: role hierarchy, user->role assignment, permission->role assignment
  – Application-specific policy: authentication method, authorization constraints ("security-roles")
- Deploy your J2EE application
  – Authentication method
  – Authorization constraints ("security-role-mappings")
  – RunAs identity

JAAS Up Your J2EE Apps: SSO-enabling your J2EE Apps
- Specify static declarative constraints
  – In web.xml or ejb-jar.xml
- Deploy your J2EE applications
  – Specify the JAZN-LDAP UserManager
  – Security-role mappings: OID realms, users and groups
- Specify the authentication method as SSO
  – In orion-web.xml: <jazn-web-app auth-method="SSO" />

JAAS Up Your J2EE Apps: Custom LoginModule Integration
- Develop, package & deploy your application as usual
- Package & deploy your custom LoginModule
  – As an independent JAR or as part of your application
- Configure your application
  – Set the JAZN property "role.mapping.dynamic" to "true"
  – Set the application classpath as appropriate
  – Set the security role mapping as appropriate
- Register your custom LoginModule
  – Associate your custom LoginModule with your application
  – JAZN Admintool: "-addloginmodule" option

JAAS Up Your J2EE Apps: Tips & Tricks
- JAZN-LDAP
  – User/group management delegated to DAS
  – Grant RMIPermission to users accessing EJBs
- JAZN-LDAP cache
  – Tuning parameters: "ldap.cache.*"
- Identity Management Realm
  – SSO integration
- External synchronization
  – Performance vs. ease of development
- Public group
  – Authentication only

Oracle Strategy

Distributed Systems Security Reference Architecture
[Diagram labels: Users; Application; Protected Resources; Application Security Services: Authentication, Authorization, Audit, Privacy; Policy Decision Services; Identity & Profile Assertion Services; Identity & Policy Store; Administration & Provisioning; Identity Management Infrastructure]

Oracle 10g Security Solution
- Oracle Identity Management Infrastructure for the enterprise
- Platform security enabled by Oracle Identity Management
- Platform components with high security assurance

Oracle Security Architecture
[Diagram: Application Component Security: Oracle E-Business Suite (responsibilities, roles…), Oracle Collaboration Suite (secure mail, interpersonal rights…), OracleAS Portal & Wireless (roles, privilege groups…); Oracle 10g Platform Security Bindings: OracleAS 10g (JAAS, WS Security, Java2 permissions…), Oracle 10g Database (enterprise users, VPD, encryption, Label Security); External Security Services; Oracle Identity Management Enterprise Security Infrastructure: Access Management, Directory Services, Provisioning Services, OracleAS Certificate Authority, Delegated Administration Services, OracleAS Single Sign-On, Directory Integration & Provisioning, Oracle Internet Directory]

Oracle Identity Management Benefits
- Enables deployment of all Oracle products out of the box
  – AS, DB, OCS, eBiz
- An enterprise infrastructure that leverages Oracle's "unbreakable" technology
  – Reliability, scalability, security, performance
- A single point of integration for the customer's existing identity management solutions
  – Transparent 3rd party integration for OIM-enabled products
- Accommodates a wide variety of partner solutions and customer deployments
  – Open, standards-based infrastructure enables integration

What's Next
- Implementing Identity Management at Lawrence Livermore National Labs
  – ID: 40287
  – Presenter: Tony Macedo, Computer Scientist, LLNL
  – Date: Thursday, 9/11
  – Time: 3:15 - 4:15
  – Location: Moscone Center room 120

Questions & Answers
Raymond K. Ng, Technical Lead - JAAS Platform Security, Oracle Corporation
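The "What is JAAS?" and "Custom LoginModule Integration" slides above describe JAAS as a PAM-style framework in which any JAAS-compliant LoginModule can be plugged into the container. The following is an added example, not code from the presentation or from Oracle's JAAS provider: a hypothetical DemoLoginModule that walks through the full two-phase lifecycle (initialize, login, commit, abort, logout). Everything in it is an assumption for the demo: the "DemoApp" configuration name, the NamedPrincipal class, the constructed single-user table with a salted SHA-256 password hash, the in-code Configuration that replaces a jaas.conf file, and the fixed-credential CallbackHandler that stands in for whatever a container would use to collect credentials.

```java
import java.io.IOException;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Hypothetical custom JAAS LoginModule (not Oracle's RealmLoginModule) over a constructed user table. */
public class DemoLoginModule implements LoginModule {
    /** Principal carrying either the authenticated user or one of the groups it belongs to. */
    public static final class NamedPrincipal implements Principal {
        private final String kind, name;
        NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
    }
    // Constructed user store: salted SHA-256 password hashes and group memberships (one demo user).
    private static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> HASHES = Collections.singletonMap("alice", hash("correct horse".toCharArray()));
    private static final Map<String, List<String>> GROUPS = Collections.singletonMap("alice", Arrays.asList("developers", "users"));

    static byte[] hash(char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(SALT);
            md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(password)));  // no String copy of the secret
            return md.digest();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    private Subject subject; private CallbackHandler handler;
    private String userName; private boolean succeeded, committed;

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) { subject = s; handler = h; }

    /** Phase 1: obtain and verify credentials; the Subject is not modified yet. */
    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("credential callback failed: " + e.getMessage());
        }
        char[] password = Optional.ofNullable(passCb.getPassword()).orElse(new char[0]);  // our own copy
        passCb.clearPassword();
        try {
            String name = nameCb.getName();
            // Hash even for unknown users (against a dummy digest) and compare in constant time.
            boolean ok = MessageDigest.isEqual(HASHES.getOrDefault(name, new byte[32]), hash(password));
            if (!ok || !HASHES.containsKey(name)) throw new FailedLoginException("invalid username or password");
            userName = name;
            return succeeded = true;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /** Phase 2: the whole module stack succeeded, so attach user and group principals. */
    @Override public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new NamedPrincipal("user", userName));
        for (String g : GROUPS.get(userName)) subject.getPrincipals().add(new NamedPrincipal("group", g));
        return committed = true;
    }

    /** Another module in the stack failed: roll back whatever this one did. */
    @Override public boolean abort() { boolean had = succeeded; logout(); return had; }

    @Override public boolean logout() {
        if (committed) subject.getPrincipals().removeIf(p -> p instanceof NamedPrincipal);
        userName = null; succeeded = committed = false;
        return true;
    }

    /** Inline Configuration so the demo needs no jaas.conf file. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"DemoApp".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };

    /** CallbackHandler answering with fixed credentials (a container would take them from the request). */
    static CallbackHandler credentials(String name, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("DemoApp", null, credentials("alice", "correct horse"), CONFIG);
        lc.login();
        System.out.println("authenticated: " + lc.getSubject().getPrincipals());
        lc.logout();
        try { new LoginContext("DemoApp", null, credentials("alice", "wrong"), CONFIG).login(); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run it with `javac DemoLoginModule.java && java DemoLoginModule`. The split between login() and commit() is what lets a container stack several modules with REQUIRED/SUFFICIENT/OPTIONAL flags: a module verifies credentials in phase one and only touches the Subject once the whole stack has agreed, so a failure elsewhere is rolled back through abort(). The group principals the module adds in commit() are the material that a deployment-time role mapping (the security-role-mappings on the slides) turns into application roles; the module itself never decides what a role means.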
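The "J2EE Security: Authorization" slide describes URL-pattern constraints and "role"-based authorization, and "Putting the Pieces Together" separates the application's security-roles from the deployment-time security-role-mappings. The following is an added example, not code from the presentation and not container code: a hypothetical RoleMappingDemo that models how a web container evaluates web.xml security-constraints (best-matching pattern first, then the servlet specification's rules for combining constraints on that pattern) and how a security-role mapping resolves the application roles against the caller's enterprise groups. The patterns, role names, group names and callers are all constructed, and the treatment of "*" as "every mapped role" is a simplification.

```java
import java.util.*;

/**
 * Simplified model (constructed for illustration, not container code) of J2EE declarative web
 * authorization: select the best-matching URL pattern among the security-constraints, combine the
 * auth-constraints declared on it, then apply the deployment-time security-role mapping.
 */
public class RoleMappingDemo {
    /** One security-constraint. authRoles == null: no auth-constraint element (anyone may access);
     *  empty set: an auth-constraint naming no roles (nobody may access). */
    static final class Constraint {
        final String urlPattern; final Set<String> authRoles;
        Constraint(String urlPattern, Set<String> authRoles) { this.urlPattern = urlPattern; this.authRoles = authRoles; }
    }
    static Set<String> roles(String... names) { return new HashSet<>(Arrays.asList(names)); }

    /** Servlet URL pattern forms: exact, path prefix "/dir/*", extension "*.ext", default "/". */
    static boolean matches(String pattern, String path) {
        if (pattern.equals("/")) return true;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) return path.endsWith(pattern.substring(1));
        return pattern.equals(path);
    }

    /** Best match in servlet mapping order: exact, then longest path prefix, then extension, then default. */
    static String bestPattern(List<Constraint> constraints, String path) {
        String best = null;
        int bestScore = -1;
        for (Constraint c : constraints) {
            String p = c.urlPattern;
            if (!matches(p, path)) continue;
            int score = p.equals(path) ? 3_000_000
                      : p.endsWith("/*") ? 2_000_000 + p.length()
                      : p.startsWith("*.") ? 1_000_000 : 0;
            if (score > bestScore) { bestScore = score; best = p; }
        }
        return best;
    }

    /** Combines every constraint on the best-matching pattern: a role-less auth-constraint denies
     *  everyone; a missing auth-constraint opens access; otherwise the permitted roles are the union.
     *  Returns null for unconstrained access and an empty set for denied access. */
    static Set<String> permittedRoles(List<Constraint> constraints, String path) {
        String best = bestPattern(constraints, path);
        if (best == null) return null;                       // no constraint covers this URL
        boolean denyAll = false, allowAll = false;
        Set<String> union = new HashSet<>();
        for (Constraint c : constraints) {
            if (!c.urlPattern.equals(best)) continue;
            if (c.authRoles == null) allowAll = true;
            else if (c.authRoles.isEmpty()) denyAll = true;
            else union.addAll(c.authRoles);
        }
        if (denyAll) return Collections.emptySet();
        return allowAll ? null : union;
    }

    /** Deployment step: application roles -> enterprise groups (what a security-role-mapping declares). */
    static boolean isAuthorized(List<Constraint> constraints, Map<String, Set<String>> roleToGroups,
                                String path, Set<String> callerGroups) {
        Set<String> permitted = permittedRoles(constraints, path);
        if (permitted == null) return true;
        // "*" in an auth-constraint stands for every role the application declares; here, every mapped role.
        Set<String> candidates = permitted.contains("*") ? roleToGroups.keySet() : permitted;
        for (String role : candidates) {
            for (String group : roleToGroups.getOrDefault(role, Collections.emptySet())) {
                if (callerGroups.contains(group)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed descriptor content: what a web.xml and its role mapping would declare.
        List<Constraint> constraints = Arrays.asList(
            new Constraint("/*", roles("user")),
            new Constraint("/admin/*", roles("admin")),
            new Constraint("/reports/*", roles("manager", "admin")),
            new Constraint("*.jsp", roles("user")),
            new Constraint("/public/*", null),                // no auth-constraint at all
            new Constraint("/public/*", roles("user")),       // combined with the open one: stays open
            new Constraint("/internal/*", roles("admin")),
            new Constraint("/internal/*", roles()));          // empty auth-constraint: denies everyone
        Map<String, Set<String>> mapping = new HashMap<>();   // constructed group names
        mapping.put("admin", roles("cn=AppAdmins"));
        mapping.put("manager", roles("cn=Managers"));
        mapping.put("user", roles("cn=Everyone"));
        Set<String> alice = roles("cn=Everyone", "cn=AppAdmins"), bob = roles("cn=Everyone"), anonymous = roles();
        for (String p : Arrays.asList("/admin/users", "/reports/q3.jsp", "/public/index.html", "/internal/config", "/home.jsp")) {
            System.out.printf("%-20s alice=%-5b bob=%-5b anonymous=%b%n", p,
                isAuthorized(constraints, mapping, p, alice), isAuthorized(constraints, mapping, p, bob),
                isAuthorized(constraints, mapping, p, anonymous));
        }
    }
}
```

Two outcomes in the constructed data are worth checking by hand because they are where deployments go wrong: /internal/config is closed to everyone, including the admin, because an auth-constraint that names no roles overrides the sibling constraint that grants "admin"; and /public/index.html is open to the anonymous caller even though a second constraint on the same pattern names "user", because a constraint without an auth-constraint opens the pattern. Note also that /home.jsp is governed by "/*" rather than "*.jsp", since a path-prefix pattern outranks an extension pattern during matching. The role names never appear in the group store; only the mapping step ties "admin" to cn=AppAdmins, which is exactly the separation between the application-specific policy and the enterprise policy that the slides describe.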