Open Source Authentication and Authorization
New Application Demands
Collaborative, Workgroups, Client - Server, Multi user... In the cloud?
Wednesday, March 9, 2011
Oh yes, LOTS of help!
PEAR
JSF
AJAX
Hibernate
IceFaces
Spring
Velocity
Frameworks...
Access Control
Who are our users?
Who can access what?
What can they do?
How do we manage this?
Authentication isn’t enough...
SSO is expected!
I have one set of credentials. Why can't I just use them ONCE?
Authentication is NOT
Identity Management
Validation against EXISTING identity sources!
We don’t need to know user implementation details
We only need to know
User Identity
and possibly some user attributes.
Integrate into existing process
Pluggable Authentication modules
Built on Standards - JAAS
Multiple Modules & Chains
LDAP
x509 Certificate
SecurID
SafeWord
JDBC
MSISDN
Unix
AD - SPNEGO
SmartCards
Custom
Membership
SAML2
Extensible
Authentication determines identity
Identity is what matters...
NOT the method by which it is determined.
Browser - Application - OpenAM
Request application content
Redirect for Authentication
Request Authentication from Authentication server
Negotiate Authentication...
Redirect back to Application with Token
Request application content
Validate Token
Validation Response
Provide application content
We don’t “Login”
We validate Identity.
This is a conceptual hurdle for developers!
Authentication service determines identity
Authentication service issues tokens
Browser - Application - OpenAM
Request application
Validate Token
Validation Response
Provide application content
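The two sequences above (a first request that is redirected for authentication, and a later request that already carries a token), worked through as an added example. This is not code from the original slides or from OpenAM. The AuthServer class stands in for OpenAM and the Application class for the protected application; the parties talk through in-memory function calls rather than HTTP; the cookie name sso_token, the hostnames and the user store are constructed assumptions. The allowlist on the redirect target (goto) is a check the slides do not mention but that any deployment of this flow needs, since an unchecked return URL is an open redirect.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthServer:
    """Stand-in for OpenAM: checks credentials against a user store and issues tokens."""

    def __init__(self, users, allowed_hosts):
        self._users = users                  # constructed sample store: uid -> password
        self._allowed_hosts = allowed_hosts  # hosts we are willing to redirect back to
        self._sessions = {}                  # opaque token -> identity record

    def login(self, goto, username, password):
        """'Negotiate Authentication', then 'Redirect back to Application with Token'."""
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return ("401", None, None)
        # Only send the browser back to a host we know (assumed check, not on the slide).
        if urlparse(goto).hostname not in self._allowed_hosts:
            return ("400", None, None)
        token = secrets.token_urlsafe(32)    # unguessable and opaque to the application
        self._sessions[token] = {"uid": username}
        return ("302", goto, {"sso_token": token})

    def validate(self, token):
        """'Validate Token': a server-to-server call. Returns the identity or None."""
        ident = self._sessions.get(token)
        return dict(ident) if ident else None


class Application:
    """The protected application. It never decides identity itself; it asks the auth service."""

    def __init__(self, auth, base_url, login_url):
        self.auth = auth
        self.base_url = base_url
        self.login_url = login_url

    def handle(self, path, cookies):
        """Returns (status, redirect_location, body)."""
        token = cookies.get("sso_token")
        ident = self.auth.validate(token) if token else None
        if ident is None:
            # 'Redirect for Authentication', preserving the page the user asked for.
            target = self.base_url + path
            return ("302", self.login_url + "?" + urlencode({"goto": target}), None)
        # Token validated by the authentication service: 'Provide application content'.
        return ("200", None, f"content of {path} for {ident['uid']}")


def run_flow(username, password):
    """Drives a browser through both diagrams. Returns (status, body, status_of_second_request)."""
    auth = AuthServer({"alice": "correct horse"}, allowed_hosts={"app.example.com"})
    app = Application(auth, "https://app.example.com", "https://sso.example.com/login")
    cookies = {}                                              # the browser's cookie jar

    status, location, _ = app.handle("/index.html", cookies)  # request content, get redirected
    if status != "302":
        return status, None, None
    goto = parse_qs(urlparse(location).query)["goto"][0]
    status, location, set_cookie = auth.login(goto, username, password)
    if status != "302":
        return status, None, None
    cookies.update(set_cookie)                                # browser stores the token
    status, _, body = app.handle(urlparse(location).path, cookies)
    # Second request, already holding a token: only validate and respond remain.
    second_status, _, _ = app.handle("/account.html", cookies)
    return status, body, second_status
```

The application trusts nothing in the cookie itself: a forged or expired token simply fails validation at the authentication service and the browser is redirected again, which is the "we don't login, we validate identity" point of the following slide.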
Access Control can be
Very Complex
Domain Specific
Dependent on Many Conditions
Several Options
• Ad Hoc
• J2EE Policy
• URL Access
• Custom Developed
• External Policy Engine
Ad Hoc
• Localized if - then - else
• Cumbersome
• No Reuse
• Inconsistent enforcement
• Unverifiable
• Possible security holes
J2EE Policy
• Standards..
• Role Based
• Supported in the deployment
• Designed from the start
• Difficult to change
• Domino Effect
URL Access
• Coarse Grained
• Tree Level Access
• Often at Application or server Level
• Access Control NOT Entitlements
Custom Policy
• Expensive
• Hard to Maintain
• Proprietary
• Administration is Daunting!
• Difficult to change and adapt
External Policy Engine
• Policy Evaluation
• Extensible
• Flexible
• Centralized Administration
• What about domain specifics?
Define Rules for Access
Rules can be changed dynamically
Standards based - XACML3
Resources
URLs, Accounts, Buttons, Projects, etc...
Hierarchical, Scalable
Pluggable API
Actions
Performed on a resource
Fine Grained access
Withdraw, Balance, Transfer
GET, POST, DELETE, COPY
Create, Read, Update, Delete
Subjects
Who does the rule apply to?
Member of LDAP Group, Datastore Attribute, Session Attribute, Custom Subject
Pluggable API, Combination Logic
Conditions
Simple or Complex Dependencies
IP Address, Session Attribute, Bank Balance, Time of Day, Authentication level, Attribute, Session Timeout
Pluggable API, Combination Logic
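How the four parts of a rule from the preceding slides (resources, actions, subjects, conditions) combine into a decision, as an added example in Python. This is not OpenAM's policy engine and makes no claim about how OpenAM evaluates policy internally. The Rule class, the predicate helpers, the bank URL, the group and attribute names, the IP range and the sample policy set are all constructed for illustration. It goes a little beyond the slides in spelling out two things they only imply: actions no rule mentions are denied, and an explicit deny wins over an allow (deny-overrides combination).

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Rule:
    """One rule: which actions on which resources, for which subjects, under which conditions."""
    resource: str      # hierarchical pattern, e.g. "https://bank.example.com/accounts/*"
    actions: dict      # action name -> True (allow) or False (deny)
    subjects: list     # predicates over the subject record; all must hold
    conditions: list = field(default_factory=list)  # predicates over the environment; all must hold


# Subject predicates (Subjects slide): LDAP group membership, datastore attribute.
def member_of(group):
    return lambda subj: group in subj.get("groups", ())


def attribute_equals(name, value):
    return lambda subj: subj.get(name) == value


# Condition predicates (Conditions slide): IP address, time of day, authentication level.
def ip_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda env: ipaddress.ip_address(env["ip"]) in net


def hour_between(start, end):
    return lambda env: start <= env["hour"] < end


def auth_level_at_least(level):
    return lambda env: env.get("auth_level", 0) >= level


def evaluate(rules, subject, resource, actions, env):
    """The PDP step. Returns {action: bool} for the requested actions.

    Deny by default: an action is allowed only if some applicable rule allows it
    and no applicable rule denies it (deny-overrides). A rule is applicable when
    its resource pattern matches and all of its subject and condition predicates hold.
    """
    decisions = {a: False for a in actions}
    denied = set()
    for rule in rules:
        if not fnmatchcase(resource, rule.resource):
            continue
        if not all(pred(subject) for pred in rule.subjects):
            continue
        if not all(cond(env) for cond in rule.conditions):
            continue
        for action, allowed in rule.actions.items():
            if action in decisions:
                if allowed:
                    decisions[action] = True
                else:
                    denied.add(action)
    for action in denied:
        decisions[action] = False
    return decisions


# Constructed sample policy set for the banking actions on the Actions slide.
POLICIES = [
    # Tellers may view balances from the branch network during business hours.
    Rule("https://bank.example.com/accounts/*", {"Balance": True},
         [member_of("tellers")],
         [ip_in("10.1.0.0/16"), hour_between(8, 18)]),
    # Moving money additionally needs a higher authentication level (e.g. a second factor).
    Rule("https://bank.example.com/accounts/*", {"Withdraw": True, "Transfer": True},
         [member_of("tellers")],
         [ip_in("10.1.0.0/16"), hour_between(8, 18), auth_level_at_least(2)]),
    # Contractors never transfer, whatever other rules say.
    Rule("https://bank.example.com/*", {"Transfer": False},
         [attribute_equals("employeeType", "contractor")]),
]


def decide(subject, resource, env):
    """Convenience wrapper: evaluate the sample policy set for the three banking actions."""
    return evaluate(POLICIES, subject, resource, ("Balance", "Withdraw", "Transfer"), env)
```

Because the conditions are evaluated against the environment of each request, the same rule set gives a teller different answers from the branch network and from outside, and before and after stepping up authentication, without any change to the application.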
Policy Decision Point
Policy Enforcement Point
Policy Administration Point
Policy Enforcement Point
Simplest case
Agent plugged into web container.
ISAPI, NSAPI
mod_auth
Policy Enforcement Point
Fine for URL access control when the resource is a URL.
But how do we address entitlements?
Policy Enforcement Point
Simple Web Service Call wrapper
Coded into Application
if (entitled(userToken, resource, env)) { ... }
Language Agnostic!
This User, This Resource, These Conditions
Simple JSON responses
{
  "statusCode": 200,
  "statusMessage": "OK",
  "body": {
    "actionsValues": {"GET": true},
    "attributes": {},
    "advices": {},
    "resourceName": "http://www.anotherexample.com:80/index.html"
  }
}
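A Policy Enforcement Point wrapper that consumes a JSON response of the shape shown above, as an added example; it is not OpenAM's client library and not code from the slides. The names parse_decision, entitled and fake_policy_service are assumed, the transport function stands in for the web service call so the example runs offline, and the sample replies (including the advice name "AuthenticationLevel") are constructed in the shape of the reply on the slide. The slide's entitled(userToken, resource, env) takes no action argument; one is added here because the reply is keyed per action. The point a practitioner cares about is that the wrapper fails closed: a non-200 status, an unparseable body, a reply naming a different resource, or an action the reply does not mention all evaluate to deny.

```python
import json

# Constructed sample replies in the shape of the response on the slide. Not real
# OpenAM output; the advice name is an assumption for illustration.
RESOURCE = "http://www.anotherexample.com:80/index.html"

ALLOW_GET = json.dumps({
    "statusCode": 200, "statusMessage": "OK",
    "body": {"actionsValues": {"GET": True}, "attributes": {}, "advices": {},
             "resourceName": RESOURCE}})

DENY_POST_WITH_ADVICE = json.dumps({
    "statusCode": 200, "statusMessage": "OK",
    "body": {"actionsValues": {"POST": False}, "attributes": {},
             "advices": {"AuthenticationLevel": ["2"]},   # what would make it allowed
             "resourceName": RESOURCE}})

SERVER_ERROR = json.dumps({"statusCode": 500, "statusMessage": "Internal Server Error"})


def parse_decision(response_text, resource, action):
    """Reduce one policy-service reply to (allowed, advices) for a single action.

    Fail closed: anything other than a well-formed 200 reply that names the resource
    we asked about and carries an explicit true for the action is treated as deny.
    """
    try:
        reply = json.loads(response_text)
    except ValueError:
        return False, {}
    if not isinstance(reply, dict) or reply.get("statusCode") != 200:
        return False, {}
    body = reply.get("body") or {}
    if body.get("resourceName") != resource:
        return False, {}          # decision is about a different resource; do not reuse it
    actions = body.get("actionsValues") or {}
    advices = body.get("advices") or {}
    return actions.get(action) is True, advices


def entitled(user_token, resource, action, env, transport):
    """The wrapper from the slide: this user, this resource, these conditions.

    `transport` stands in for the web service call and returns the raw JSON text.
    """
    raw = transport(user_token, resource, action, env)
    allowed, _advices = parse_decision(raw, resource, action)
    return allowed


def fake_policy_service(user_token, resource, action, env):
    """Offline stand-in for the policy service endpoint (constructed)."""
    if not user_token or resource != RESOURCE:
        return SERVER_ERROR
    return ALLOW_GET if action == "GET" else DENY_POST_WITH_ADVICE
```

The advices are returned alongside the decision rather than discarded so that the application can act on a deny (for instance by sending the user to step up authentication) instead of only showing an error.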
Policy Decision Point
Policy Evaluation
Separate the rule evaluation from the enforcement
Scalable and extensible policy engine
Scalable to millions of entitlements
Standards based - XACML3
Policy Administration
Administration UI
Dynamic rule changes
Auditability
Consistency
Separate Administration
Application Administration is
separate from
Entitlement Administration
Simplify the app admin
Consistent administration of permissions for all apps.
OpenAM
OpenAM As A Service gives
Flexibility, Consistency & Management
to Authentication and Entitlements.
OpenAM
Started life as Sun Access Manager
Open sourced in 2007
Strong Community
OpenAM
OpenAM is
fully open source, 100% Java,
scalable, high performance,
AuthN and AuthZ
OpenAM
Full XACML3 Support
Simple policies and Complex Entitlements
Extensible Plugins
Central Administration
Leverage existing SSO
OpenAM
OpenAM Community
ForgeRock
http://www.forgerock.com
Download it. Use it.
Get involved!