Raymond K. Ng Technical Lead - JAAS Platform Security Oracle Corporation
Securing J2EE Applications with Oracle Identity Management
Agenda
Application Security Overview
Authentication Requirements
Authorization Requirements
J2EE Security
JAAS
Oracle Strategy
Application Security
Security is a process, not a product or feature
  – No 100% security
Only as secure as the weakest link
  – Go beyond firewall security
  – Implement multi-layer security
Considerations
  – Authentication
  – Authorization
  – Accountability/Audit
  – Secure Transport
Oracle 10g Security Architecture (diagram)
Components shown: Browser; Oracle HTTP Server with mod_osso and mod_ossl; Oracle 10g Containers for J2EE (OC4J) with JAAS
Security Infrastructure Layer: Single Sign-On; Oracle Internet Directory
Authentication Requirements
Use The Appropriate Mechanism
Username and password
Client certificate
Smart Card
Biometrics
Single Sign-On (SSO)
Why SSO-enable your application?
  – User Convenience
  – Security
  – Cost Reduction
Factors to consider
  – Integration with infrastructure
  – Extensible framework
Oracle 10g Single Sign-On
Centralized authentication for web applications
Multiple authentication options
  – Username/password
  – Client certificates
  – 3rd party API (Biometrics, Smart Card, etc.)
Single Sign-Off
Multiple application types
Integrated across Oracle 10g
  – OID, OC4J/JAAS, Portal, OHS, Wireless, Workflow, UM, Ultrasearch, Personalization, Reports, Forms, Discoverer…
Relevant Standards
HTTP
SSL/X.509
J2EE
JAAS
Java Authentication SPI
SAML
WS-Security
Plus emerging specifications
Authorization Requirements
Choose The Right Authorization Model
Roll Your Own (Application-specific)
  – Maintenance
  – Administrative Cost
  – Inconsistent Authorization Policy => Insecurity
Understand The Relevant Standards
  – J2EE Security
  – Java 2 Security
  – JAAS
  – JACC
J2EE Security
J2EE Security
Design Principles
  – Declarative security model
    Decouple security logic from application logic
    Write once run anywhere (WORA)
  – Leverage existing security infrastructure
J2EE Roles
  – Application Provider
  – Application Assembler
  – Application Deployer
  – System Administrator
J2EE Security: Authentication
Multiple Authentication Methods
  – Basic, Form, SSL client certificate, etc.
Declarative Security
  – Deployment descriptors: web.xml, ejb-jar.xml
JSR 196: Java Authentication SPI
  – J2EE 1.5
  – JAAS LoginModule integration
Missing
  – Single Sign-On support
J2EE Security: Authorization
Protected Resources
  – Web Resources: URL-patterns
  – Enterprise Beans: Method permissions
“Role”-based Authorization
  – Not “Role Based Access Control (RBAC)”
  – Portability
JSR 115: Integration with Java2/JAAS
  – Pluggable security (authorization) provider
  – J2EE security constraints => Java2 permissions
JAAS: Java Authentication and Authorization Service
Java 2 Security
Key Components
  – Security Policy defines authorization policy
  – SecurityManager/AccessController is the security monitor
Necessary if running any untrusted code in your JVM
Limitations
  – Code-based security only
  – No policy management API
  – File-based implementation doesn’t scale
What is JAAS?
Principal-Based security
Authentication
  – Pluggable Authentication Module (PAM) framework
Authorization
  – Extension to Java2 Security Model
Optional Package to JDK 1.3
  – JDK 1.4 Core API
J2EE 1.3 Requirement
  – J2EE 1.4: JACC (JSR 115)
  – J2EE 1.5: Java Authentication SPI (JSR 196)
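The two slides above contrast Java 2 security (code-based only) with JAAS authorization (principal-based, as an extension of the Java 2 model). The example below is added here to make that difference concrete; it is not code from the presentation or from Oracle's JAAS provider. It installs a hypothetical `java.security.Policy` whose grants depend on the principals attached to the running `Subject`, then runs the same permission check with and without a Subject. The `RolePrincipal` class, the `PrincipalBasedPolicy` class, the role name `hr_manager` and the permission name `payroll.view` are all constructed for the example. It uses only standard JDK APIs and needs no SecurityManager, because `AccessController.checkPermission` consults the installed Policy directly; it compiles with deprecation warnings on JDK 17 and later, and JDK 24 permanently disables this machinery, so run it on an earlier JDK.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;

// Hypothetical principal carrying a role name. In a real deployment a LoginModule
// would add principals like this to the Subject after authentication.
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "RolePrincipal[" + name + "]"; }
}

// Hypothetical policy that decides on WHO is running (the principals that the
// SubjectDomainCombiner attaches to each ProtectionDomain), not only on WHERE
// the code came from. Plain Java 2 policy files key grants on code source alone.
final class PrincipalBasedPolicy extends Policy {
    // Constructed, application-defined permission name.
    static final Permission VIEW_PAYROLL = new RuntimePermission("payroll.view");

    @Override
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        Permissions granted = new Permissions();
        Principal[] principals = domain.getPrincipals();
        if (principals != null) {
            for (Principal p : principals) {
                if (p instanceof RolePrincipal && "hr_manager".equals(p.getName())) {
                    granted.add(VIEW_PAYROLL);
                }
            }
        }
        return granted;
    }

    // Overridden so every decision comes from getPermissions(): the base class
    // caches results and may grant the policy class's own domain AllPermission.
    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        return getPermissions(domain).implies(permission);
    }
}

public class PrincipalBasedAuthz {
    // Stand-in for the Subject a successful JAAS login would produce.
    static Subject subjectWithRoles(String... roles) {
        Subject s = new Subject();
        for (String role : roles) s.getPrincipals().add(new RolePrincipal(role));
        s.setReadOnly();   // identity is fixed once authentication has completed
        return s;
    }

    // Runs the check with the Subject's principals in the access-control context.
    // A null context means only this frame's domain (plus principals) is consulted.
    static boolean mayViewPayroll(Subject subject) {
        PrivilegedAction<Boolean> check = () -> {
            try {
                AccessController.checkPermission(PrincipalBasedPolicy.VIEW_PAYROLL);
                return Boolean.TRUE;
            } catch (AccessControlException denied) {
                return Boolean.FALSE;
            }
        };
        return Subject.doAsPrivileged(subject, check, null);
    }

    // Same permission, same code, but no Subject: a purely code-based decision.
    static boolean mayViewPayrollWithoutSubject() {
        try {
            AccessController.checkPermission(PrincipalBasedPolicy.VIEW_PAYROLL);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new PrincipalBasedPolicy());   // replaces the file-based default
        System.out.println("hr_manager : " + mayViewPayroll(subjectWithRoles("employee", "hr_manager")));
        System.out.println("employee   : " + mayViewPayroll(subjectWithRoles("employee")));
        System.out.println("no subject : " + mayViewPayrollWithoutSubject());
    }
}
```

Only the Subject carrying the `hr_manager` role passes; the Subject with just `employee`, and the check made with no Subject at all, are denied even though the code source is identical in all three cases. That is the "principal-based" extension the slide refers to: the policy still runs through the Java 2 `AccessController`, but the decision can now depend on the authenticated identity.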
Oracle 10g JAAS Provider
Oracle’s JAAS (Java Authentication and Authorization Services) Implementation, plus Extensions
Integrated with Oracle 10g SSO and OID
Default Security Provider for Oracle 10g Containers for J2EE
Oracle 10g JAAS Provider: User Manager (diagram)
JAZNUserManager in Oracle 10g Containers for J2EE, with two provider types:
  – LDAP-based provider type: OID repository
  – XML-based provider type: jazn-data.xml repository
Oracle 10g JAAS Provider: Authentication
Oracle’s RealmLoginModule Integrated with OC4J Authentication
  – Declarative model
  – Integrated with J2EE security model
  – Integrated with Realm framework for user communities
Support custom JAAS LoginModules
  – Programmatic and declarative
  – Integrated with J2EE security model
Option to Use Oracle 10g Single Sign-On (SSO)
Oracle 10g JAAS Provider: Authorization
JAAS Authorization
  – Principal (i.e. user) and code-based policies
  – Hierarchical, role-based access control (RBAC)
  – Realm framework to support multiple user communities
Authorization Repository
  – XML flat-file
  – Oracle Internet Directory (OID)
3 methods of Management
  – Oracle Enterprise Manager
  – JAZN Admintool
  – Programmatic API
Oracle 10g JAAS Provider: What’s New
Custom JAAS LoginModules
  – Leverage any JAAS-compliant LoginModules
  – Integration with J2EE security model
Performance & Scalability Enhancements
OC4J Integration
  – Password hiding (data-sources.xml, oc4j-ra.xml)
Tool Integration
  – JDeveloper / BC4J
Oracle 10g JAAS Provider: Future Directions
Support for 3rd party LDAP directories
  – Default LoginModule certified against AD and SunONE
JACC Provider (JSR 115)
  – Unified authorization model for managed components
Java Authentication SPI (JSR 196)
  – Unified authentication model for managed components
Portlet Integration (JSR 168)
  – J2EE/JAAS authorization model for portlets
Management & Deployment Enhancements
  – JSR 77 & 88
XML Services Security
Web Services Security
JAAS Up Your J2EE Apps
JAAS Up Your J2EE Apps: Putting the Pieces Together
Define your security policy
  – Enterprise policy:
    role hierarchy
    user->role assignment
    permission->role assignment
  – Application-specific policy:
    authentication method
    authorization constraints (“security-roles”)
Deploy your J2EE Application
  – authentication method
  – authorization constraints (“security-role-mappings”)
  – RunAs identity
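The "enterprise policy" on this slide is three relations (role hierarchy, user->role assignment, permission->role assignment), and the earlier authorization slide describes the provider's RBAC as hierarchical. The following is an added example, not code from the presentation or from Oracle's JAZN provider, of how such a policy resolves an access decision: a hypothetical `RbacPolicy` class stores the three relations in plain maps and answers "may this user exercise this permission?" by walking role inheritance. Every role, user and permission name in it is constructed for the example.

```java
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical in-memory enterprise policy store with the three relations named
// on the slide, plus a resolver over the role hierarchy.
public class RbacPolicy {
    private final Map<String, Set<String>> juniorRoles = new HashMap<>();    // senior role -> roles it inherits
    private final Map<String, Set<String>> userRoles = new HashMap<>();      // user -> directly assigned roles
    private final Map<String, Set<String>> permissionRoles = new HashMap<>(); // permission -> roles granted it

    // Role hierarchy: the senior role inherits everything granted to the junior role.
    void inherits(String senior, String junior) {
        juniorRoles.computeIfAbsent(senior, k -> new HashSet<>()).add(junior);
    }

    // user->role assignment.
    void assign(String user, String role) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    // permission->role assignment.
    void grant(String permission, String role) {
        permissionRoles.computeIfAbsent(permission, k -> new HashSet<>()).add(role);
    }

    // Effective roles: direct assignments plus everything reachable through
    // inheritance. Breadth-first with a visited set, so a hierarchy that was
    // misconfigured into a cycle still terminates.
    Set<String> effectiveRoles(String user) {
        Set<String> seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(userRoles.getOrDefault(user, Collections.<String>emptySet()));
        while (!todo.isEmpty()) {
            String role = todo.poll();
            if (seen.add(role)) {
                todo.addAll(juniorRoles.getOrDefault(role, Collections.<String>emptySet()));
            }
        }
        return seen;
    }

    // Default deny: an unknown user, role or permission yields false.
    boolean isPermitted(String user, String permission) {
        Set<String> granted = permissionRoles.getOrDefault(permission, Collections.<String>emptySet());
        for (String role : effectiveRoles(user)) {
            if (granted.contains(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        RbacPolicy policy = new RbacPolicy();
        // Constructed enterprise policy: hr_manager > hr_staff > employee.
        policy.inherits("hr_manager", "hr_staff");
        policy.inherits("hr_staff", "employee");
        policy.grant("intranet.read", "employee");
        policy.grant("payroll.read", "hr_staff");
        policy.grant("payroll.approve", "hr_manager");
        policy.assign("alice", "hr_manager");
        policy.assign("bob", "employee");

        System.out.println("alice roles: " + policy.effectiveRoles("alice"));
        System.out.println("alice payroll.approve: " + policy.isPermitted("alice", "payroll.approve"));
        System.out.println("alice intranet.read:   " + policy.isPermitted("alice", "intranet.read"));
        System.out.println("bob payroll.read:      " + policy.isPermitted("bob", "payroll.read"));
        System.out.println("carol intranet.read:   " + policy.isPermitted("carol", "intranet.read"));
    }
}
```

With that policy, alice resolves to all three roles and is permitted both `payroll.approve` (granted to her directly assigned role) and `intranet.read` (inherited two levels down), bob is refused `payroll.read`, and carol, who has no assignment at all, is refused everything. The point for the slide's "Deploy" step is that an application's `security-role-mappings` only name roles; which users end up holding them, and what those roles transitively imply, is decided by the enterprise policy, so the mappings should be reviewed against the hierarchy and not just against the direct assignments.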
JAAS Up Your J2EE Apps: SSO-enabling your J2EE Apps
Specify static declarative constraints
  – in web.xml or ejb-jar.xml
Deploy your J2EE applications
  – specify JAZN-LDAP UserManager
  – security-role mappings
    OID realms, users and groups
Specify authentication method as SSO
  – in orion-web.xml:
    <jazn-web-app auth-method="SSO" />
JAAS Up Your J2EE Apps: Custom LoginModule Integration
Develop, package & deploy your application as usual
Package & deploy your custom LoginModule
  – As an independent JAR or as part of your application
Configure your application
  – Set JAZN property “role.mapping.dynamic” to “true”
  – Set application classpath as appropriate
  – Set security role mapping as appropriate
Register your custom LoginModule
  – Associate your custom LoginModule with your application
  – JAZN Admintool: “-addloginmodule” option
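The slide above packages and registers a custom LoginModule, and the "What is JAAS?" slide earlier describes the PAM-style framework it plugs into. The example below is an added illustration, not code from the presentation or from Oracle's provider, of what such a module looks like and how the container-side registration is exercised: a hypothetical `DemoLoginModule` implements the two-phase `login`/`commit` (or `abort`) protocol and `logout`, and a programmatic `javax.security.auth.login.Configuration` stands in for the registration that `-addloginmodule` performs on OC4J. The application name `DemoApp`, the user table and the `UserPrincipal` class are constructed for the example; a real module would verify a password hash against a directory rather than compare against an in-memory table. Standard JAAS APIs only, JDK 8 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

// Hypothetical custom LoginModule backed by a constructed in-memory user table.
public class DemoLoginModule implements LoginModule {
    private static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("alice", "s3cret".toCharArray()); }

    // Minimal Principal (hypothetical) that commit() adds to the Subject.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String authenticatedUser;   // set by login(), consumed by commit()
    private UserPrincipal committed;    // remembered so logout() can remove it again

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }

    // Phase 1: collect and verify credentials. The Subject is untouched here, so a
    // failure in any other module of the stack leaves no partial identity behind.
    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        char[] supplied = pwCb.getPassword();        // getPassword() returns a copy
        char[] expected = USERS.get(nameCb.getName());
        boolean ok = expected != null && supplied != null && Arrays.equals(expected, supplied);
        pwCb.clearPassword();
        if (supplied != null) Arrays.fill(supplied, '\0');
        if (!ok) throw new FailedLoginException("bad user or password");  // one message for both cases
        authenticatedUser = nameCb.getName();
        return true;
    }

    // Phase 2: every REQUIRED module passed, so attach the principal now.
    @Override public boolean commit() {
        if (authenticatedUser == null) return false;
        committed = new UserPrincipal(authenticatedUser);
        subject.getPrincipals().add(committed);
        return true;
    }

    // Called instead of commit() when the overall login failed: discard state.
    @Override public boolean abort() { authenticatedUser = null; return true; }

    @Override public boolean logout() {
        if (committed != null) subject.getPrincipals().remove(committed);
        committed = null; authenticatedUser = null; return true;
    }

    // Programmatic stand-in for the login configuration entry (a jaas.config file, or
    // the JAZN registration on OC4J) that binds the module to an application name.
    static Configuration demoConfiguration() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"DemoApp".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap()) };
            }
        };
    }

    // LoginContext drives the PAM-style protocol: login() on every module, then
    // commit() on all of them, or abort() on all if a REQUIRED module failed.
    static Subject authenticate(String user, char[] password) throws LoginException {
        CallbackHandler supply = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("DemoApp", new Subject(), supply, demoConfiguration());
        lc.login();                                   // throws LoginException on failure
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        for (Principal p : authenticate("alice", "s3cret".toCharArray()).getPrincipals()) {
            System.out.println("authenticated as " + p.getName());
        }
    }
}
```

Two design points carry over to any module deployed the way the slide describes. First, `login()` must not modify the Subject: the container may stack several modules, and only `commit()`, called after all REQUIRED modules have succeeded, is allowed to add principals, while `abort()` must leave no trace. Second, the module reports the same failure for an unknown user and a wrong password, and clears both copies of the password once compared, so a failed login neither reveals which accounts exist nor leaves credentials in memory longer than necessary.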
JAAS Up Your J2EE Apps: Tips & Tricks
JAZN-LDAP
  – User/group management delegated to DAS
  – grant RMIPermission to users accessing EJBs
JAZN-LDAP Cache
  – Tuning parameters: “ldap.cache.*”
Identity Management Realm
  – SSO integration
External Synchronization
  – Performance vs. Ease-of-development
Public Group
  – Authentication only
Oracle Strategy
Distributed Systems Security Reference Architecture (diagram)
Users; Protected Resources; Application
Application Security Services: Authentication, Authorization, Privacy, Audit
Identity & Profile Assertion Services; Policy Decision Services
Identity Management Infrastructure: Identity & Policy Store; Administration & Provisioning
Oracle 10g Security Solution
Oracle Identity Management Infrastructure for the enterprise
Platform security enabled by Oracle Identity Management
Platform components with high security assurance
Oracle Security Architecture (diagram)
Oracle Identity Management (Enterprise Security Infrastructure): Oracle Internet Directory, OracleAS Certificate Authority, Directory Integration & Provisioning, OracleAS Single Sign-on, Delegated Administration Services
  – Directory Services, Access Management, Provisioning Services, External Security Services
Oracle 10g Platform Security Bindings / Application Component Security:
  – OracleAS 10g: JAAS, WS Security, Java2 Permissions …
  – Oracle E-Business Suite: Responsibilities, Roles …
  – Oracle 10g Database: Enterprise users, VPD, Encryption, Label Security
  – Oracle Collaboration Suite: Secure Mail, Interpersonal Rights …
  – OracleAS Portal & Wireless: Roles, Privilege Groups …
Oracle Identity Management Benefits
Enables deployment of all Oracle products out of the box
  – AS, DB, OCS, eBiz
An enterprise infrastructure that leverages Oracle’s “unbreakable” technology
  – Reliability, scalability, security, performance
A single point of integration for customer’s existing identity management solutions
  – Transparent 3rd party integration for OIM enabled products
Accommodates wide variety of partner solutions and customer deployments
  – Open, standards-based infrastructure enables integration
What’s Next
Implementing Identity Management at Lawrence Livermore National Labs
  – ID: 40287
  – Presenter: Tony Macedo, Computer Scientist, LLNL
  – Date: Thursday, 9/11
  – Time: 3:15 - 4:15
  – Location: Moscone Center room 120
Q&A
Questions & Answers