Third Party Auth in WebObjects
Third Party Auth in WO
Joe Little and Daniel Beatty
Authentication Methods
• Storing passwords in your DB (Model)
• Authenticating against LDAP services
• LDAP via your Model and hybrid solutions
• Kerberos/SSO and hybrid redux
• WebAuth and gateway solutions
• Shibboleth and the future
Auth in DB
• The default approach
• With little database security, the hash must be secure
• SHA-1 (160) or SHA-2 (256) and friends
• Sample code...
SHA-2 in the Database

```java
qual = UserAccount.USERNAME.eq(username).and(UserAccount.PASSWORD.eq(digestedString(password)));
```
....

```java
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import com.webobjects.foundation.NSForwardException;

// Returns the Base64-encoded SHA-256 digest of aString; this is the value kept in the PASSWORD column.
public String digestedString(String aString) {
    String digestedString;
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.reset();
        // sun.misc.BASE64Encoder is a JDK-internal class (gone since Java 9); java.util.Base64 is the supported replacement.
        digestedString = new sun.misc.BASE64Encoder().encode(md.digest(aString.getBytes("UTF-8")));
    } catch (NoSuchAlgorithmException e) {
        throw new NSForwardException(e);
    } catch (UnsupportedEncodingException e) {
        throw new NSForwardException(e);
    }
    return digestedString;
}
```
LDAP
• JNDI can be used for EOs, but NOT for passwords!
• Generally restricted by the site's LDAP configuration
• Standard method is to try a “simple bind” against LDAP
• LDAPS:// - Port 636 if possible (SSL), DIGEST otherwise
• StartTLS is not an option
• http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
Java LDAP Authentication

```java
if (LDAPAuth.LDAPAuthenticate(username, password))
```
...

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LDAPAuth {
    public static final boolean LDAPAuthenticate(String userid, String password) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://172.16.113.129:389/dc=example,dc=com");
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5"); // or "simple"
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + userid + ", ou=People, dc=example, dc=com");
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Create the initial context; the bind itself is the authentication step
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close(); // release the connection once the bind has succeeded
        } catch (NamingException e) {
            // e.printStackTrace();
            return false; // Failed to auth
        }
        return true;
    }
}
```
LDAP via EOModel
• WebObjects lets you access LDAP via JNDI
• Insecure
• SSL supposedly should work
• Not good for authentication, but other info is there
• Great for the “hybrid” approach to authentication
The Hybrid Approach
• Define user attributes in your DB-based EOs
• Authenticate user that is also in LDAP tree
• 1st time auth: use JNDI EO
• Must have matching name between auth and LDAP
• Use JNDI EO in read-only fashion to get user attributes
• Store in your DB user EOs for future use
• Considerations for future JNDI updates
LDAP EOModel
(figure only)
LDAP Connection Dictionary
(figure only)
All LDAP Hybrid Approach

```java
if (LDAPAuth.LDAPAuthenticate(username, password)) {
    qual = UserAccount.USERNAME.eq(username);
    NSLog.out.appendln("LDAP authenticated: " + username);
}
if (qual != null) {
    try {
        user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
    } catch (NoSuchElementException e) {
        // Make a new user from LDAP
        qual = PosixAccount.UID.eq(username);
        EOEditingContext ec = ERXEC.newEditingContext();
        PosixAccount ldapAccount = PosixAccount.fetchPosixAccount(ec, qual);
        user = UserAccount.createUserAccount(ec, ldapAccount.gecos(), username);
        ec.saveChanges();
    }
}
```
...

```java
public static UserAccount createUserAccount(EOEditingContext editingContext, String fullName, String username) {
    UserAccount eo = (UserAccount) EOUtilities.createAndInsertInstance(editingContext, _UserAccount.ENTITY_NAME);
    eo.setFullName(fullName);
    eo.setUsername(username);
    return eo;
}
```
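The LDAPAuth.LDAPAuthenticate method earlier in the deck and the hybrid code above share one pattern: bind as the user to authenticate, then read the user's directory attributes into a local account. The following is an added example, not code from the deck, that applies the checks a reviewer would ask for on that pattern: a blank password is rejected before the bind (an LDAP simple bind with an empty password is an anonymous bind and typically succeeds, which would log in any known username), the userid is escaped before it is spliced into the DN, the connection uses LDAPS as the LDAP slide recommends, the same bound connection is used read-only to fetch uid/gecos/cn for the local UserAccount, and the context is always closed. The host name, base DN and attribute names are assumptions for this example.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example, not the deck's code. URL, base DN and attribute names are assumptions.
public final class HardenedLdapAuth {
    private static final String URL = "ldaps://ldap.example.com:636/";   // LDAPS on 636, as the LDAP slide advises
    private static final String PEOPLE_BASE = "ou=People,dc=example,dc=com";

    // What a successful bind yields: the identity plus the read-only attributes the hybrid approach stores locally.
    public static final class LdapUser {
        public final String uid;
        public final String fullName;
        LdapUser(String uid, String fullName) { this.uid = uid; this.fullName = fullName; }
    }

    // Returns null on any failure. All failures look the same to the caller, so "no such user"
    // and "wrong password" are not distinguishable from the response.
    public static LdapUser authenticate(String userid, char[] password) {
        // 1. A simple bind with an empty password is an anonymous bind and usually succeeds,
        //    so blank credentials must never reach the directory.
        if (userid == null || userid.trim().isEmpty() || password == null || password.length == 0) {
            return null;
        }
        // 2. The userid becomes part of a DN; escape it so a value like "alice,ou=Admins" cannot reshape the DN.
        String dn = "uid=" + escapeDnValue(userid) + "," + PEOPLE_BASE;

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);            // the bind is the authentication step
            // 3. Same bound connection, read-only: fetch the attributes the local UserAccount is built from.
            Attributes attrs = ctx.getAttributes(dn, new String[] { "uid", "gecos", "cn" });
            String fullName = firstValue(attrs, "gecos");
            if (fullName == null) {
                fullName = firstValue(attrs, "cn");
            }
            return new LdapUser(firstValue(attrs, "uid"), fullName);
        } catch (NamingException e) {
            return null;                                  // bad credentials, missing entry, TLS failure, ...
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    private static String firstValue(Attributes attrs, String name) throws NamingException {
        Attribute a = attrs.get(name);
        return (a == null || a.size() == 0) ? null : String.valueOf(a.get());
    }

    // RFC 4514 escaping for one attribute value inside a DN.
    static String escapeDnValue(String v) {
        StringBuilder sb = new StringBuilder(v.length() + 8);
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c == '\0') {
                sb.append("\\00");
                continue;
            }
            boolean special = c == ',' || c == '+' || c == '"' || c == '\\' || c == '<' || c == '>' || c == ';'
                    || c == '=' || (c == '#' && i == 0) || (c == ' ' && (i == 0 || i == v.length() - 1));
            if (special) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }
}
```

In the hybrid flow the returned LdapUser.fullName is what would be passed to UserAccount.createUserAccount in place of ldapAccount.gecos(), so the first-time provisioning step no longer needs a second, separately authenticated JNDI lookup.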
SSO: Kerberos
• Many Single-Sign On (SSO) solutions
• Kerberos / Active Directory are most common today
• AD and OpenDirectory marry LDAP w/ Kerberos: hybrid!
• Heavily tied into Java Crypto APIs, so Frustration-By-Design
• Remember to set classes.include.patternset in woproject to have “**/*.conf”
• Best seen by example... (Thanks Mike!)
Kerberos Methods

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosAuth {
    static final String krbPath = "/Library/Preferences/edu.mit.Kerberos";

    public static final boolean KerberosAuthenticate(String userid, char[] password) {
        System.setProperty("java.security.krb5.conf", krbPath);
        System.setProperty("java.security.auth.login.config",
                KerberosAuth.class.getResource("/kerberos.conf").toExternalForm());
        try {
            LoginContext lc = new LoginContext("primaryLoginContext",
                    new UserNamePasswordCallbackHandler(userid, password));
            lc.login();
        } catch (LoginException e) {
            // e.printStackTrace();
            return false; // Consider all failures as equal
        }
        return true;
    }
```

Kerberos Method Part 2

```java
    // Nested in KerberosAuth: supplies the name and password to the Krb5LoginModule's callbacks
    public static class UserNamePasswordCallbackHandler implements CallbackHandler {
        private String _userName;
        private char[] _password;

        public UserNamePasswordCallbackHandler(String userName, char[] password) {
            _userName = userName;
            _password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback && _userName != null) {
                    ((NameCallback) callback).setName(_userName);
                } else if (callback instanceof PasswordCallback && _password != null) {
                    ((PasswordCallback) callback).setPassword(_password);
                }
            }
        }
    }
}
```

Kerberos.conf in Sources folder

```
primaryLoginContext {
    com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=false;
};
```
Kerberos Authentication

```java
if (KerberosAuth.KerberosAuthenticate(username, password.toCharArray())) {
    qual = UserAccount.USERNAME.eq(username);
    NSLog.out.appendln("Kerberos authenticated: " + username);
}
...
UserAccount user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
((Session) session()).setCurrentUser(user);
if (((Session) session()).currentUser() != null) {
    nextPage = D2W.factory().defaultPage(session());
}
```
Demo and Review
WebAuth
• External authentication handled in Apache
• More involved site setup
• Must trust the Gateway (Apache) for security
• Deceptively simple
• Interesting solutions:
• Multiple authentications
• Trust-to-Set applications
Gateway Approach Considerations
• Does make Developer Mode a bit more interesting
• Mixing up DirectAction logins w/ gateway header request check
• DirectConnect can be good here... (Thanks Chuck!)
• Best practices:
• Put values you want into your session object
• Make sure your session is SSL-enabled!
• useExternalAuth boolean in User-type entity?
WebAuth Method

```java
import com.webobjects.appserver.WOContext;

public class WebauthAuth {
    public static final String WebauthAuthenticate(WOContext context) {
        // If unauthenticated, this will be blank
        // assumes that web location is WebAuth protected to restrict this setting
        return context.request().headerForKey("webauth_user");
    }
}
```
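The method above is only as strong as the guarantee that every request carrying webauth_user passed through the WebAuth-protected Apache gateway; a request that reaches the application by another route (a developer-mode direct connection, for instance) could carry a header the client set itself. As an added example, not code from the deck or from WebAuth, the following helper makes that trust condition explicit: it accepts the header only when the request arrived from a known gateway address, treats a blank header as unauthenticated, and fails closed on unexpected username syntax. The gateway address, the Map view of the headers and the username pattern are assumptions for this example; in WebObjects the header value comes from context.request().headerForKey("webauth_user").

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not the deck's code. The header name is from the slide; the gateway address,
// the Map-based request view and the username syntax are assumptions made here.
public final class GatewayAuthCheck {
    // Only the Apache gateway running WebAuth may vouch for a user. A request from any other peer
    // is treated as unauthenticated even if it carries the header.
    private static final Set<String> TRUSTED_GATEWAYS = Collections.singleton("10.0.0.5"); // constructed address
    private static final Pattern USERNAME = Pattern.compile("[a-z0-9._-]{1,64}");          // assumed local policy
    private static final String HEADER = "webauth_user";

    /**
     * Returns the externally authenticated username, or null when the request cannot be trusted.
     * headers: the request headers (WebObjects: context.request().headerForKey(...));
     * peerAddress: the address the connection actually came from, as seen by the adaptor.
     */
    public static String externalUser(Map<String, String> headers, String peerAddress) {
        if (peerAddress == null || !TRUSTED_GATEWAYS.contains(peerAddress)) {
            return null; // did not come through the gateway, so the header proves nothing
        }
        String user = headers.get(HEADER);
        if (user == null || user.isEmpty()) {
            return null; // gateway forwarded the request but authenticated nobody (WebAuth leaves it blank)
        }
        if (!USERNAME.matcher(user).matches()) {
            return null; // unexpected syntax: refuse rather than pass it into a qualifier or log line
        }
        return user;
    }

    public static void main(String[] args) {
        // Constructed requests: one via the gateway, one that bypassed it with a forged header.
        Map<String, String> viaGateway = Collections.singletonMap(HEADER, "jlittle");
        Map<String, String> bypass = Collections.singletonMap(HEADER, "admin");
        System.out.println(externalUser(viaGateway, "10.0.0.5"));
        System.out.println(externalUser(bypass, "192.168.1.77"));
        System.out.println(externalUser(Collections.<String, String>emptyMap(), "10.0.0.5"));
    }
}
```

A useExternalAuth flag on the user entity, as the previous slide suggests, pairs naturally with this: accounts marked external never take the DirectAction password path, so a forged header and a password guess cannot be combined against the same account.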
Which brings us to...
“Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say "Shibboleth" (שיבולת).' If anyone said, "Sibboleth" (סיבולת), because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion.”
Shibboleth Topics
• Shibboleth Authentication Point of View
• Federated Frameworks
• How an IdP is put together
• General Shibboleth Service Provision Scenario
• Classic Computer Security
The Shibboleth Point of View
• Stone Age: Application maintains unique credential and identity information for each user.
• Bronze Age: Credentials are centralized but applications maintain all user identity information
• Iron Age: Credentials and core identity information are centralized and application maintains only app-specific user data.
Fallacies of Distributed Computing
1. The network is reliable
2. Latency is zero
3. Bandwidth is infinite
4. The network is secure
5. Topology doesn't change
6. There is one administrator
7. Transportation cost is zero
8. The network is homogeneous
Peter Deutsch, James Gosling
Computer Security Subjects 101
(class diagram, recovered from the slide text; associations between classes are not shown)
• Subject: name: String; operations: Array<Allowed Operations>
• Group: owner: Subject; members(): Array<Subject>
• User: no attributes; members(): Array<Subject>; provider(): Provider
• Local User: givenName, surName, commonName, telephoneNumber, address, organization, jobTitle, password: String
• Resource: owner: User; permissions: allowedOperations; creationTime; modificationTime; canRead(), canUpdate(), canDelete(): Boolean
• AllowedOperations: canRead, canUpdate, canDelete: Boolean; entity: Resource
• Subject Allowed Operation: subject: Subject
• General Operations Allowed: no attributes
Computer Security Subjects 101 (continued)
(the same Subject / Group / User / Local User / Resource / AllowedOperations diagram again)
Classic Subjects Problems:
• Group Information Compromise
• User info compromise
Computer Security Subjects with Shibboleth
(class diagram, recovered from the slide text; associations between classes are not shown)
• Subject: name: String; operations: Array<Allowed Operations>; ticket: Shibboleth Assertion
• Group: no attributes
• User: no attributes
• Resource: owner: User; permissions: allowedOperations; creationTime; modificationTime; canRead(), canUpdate(), canDelete(): Boolean
• AllowedOperations: canRead, canUpdate, canDelete: Boolean; entity: Resource
• Subject Allowed Operation: subject: Subject
• General Operations Allowed: no attributes
Compared with the classic diagram, the Local User class with its password and profile attributes is gone; the Subject carries a Shibboleth assertion instead, so the application no longer stores credentials or identity details of its own.
Federated Identity Frameworks
• Shibboleth (http://shibboleth.internet2.edu/)
• OpenID (http://openid.net)
Concept of a Shibboleth Type Federation
(diagram of the four parties)
• User
• Service Provider
• Discovery Service
• Identity Provider
Shibboleth Identity Provider Architecture
(diagram: Shibboleth IdP with CAS SSO; the remaining labels did not survive extraction)
Commercial Providers
• Test Shibboleth Two (https://www.testshib.org)
• Protect Network (http://www.protectnetwork.org/)
• NJ Trust (http://njtrust.net/)
• SWITCH (http://www.switch.ch/uni/security/) (Switzerland)
• UK Federation (http://www.ukfederation.org.uk/content/Documents/Setup2IdP)
Service Provider
(diagram: Apache with mod_shib, mod_php and mod_jk in front of PHP applications, cgi-bin and the adaptor; shibd alongside)
• Runs on: Mac OS X, FreeBSD, Linux, Solaris, Windows
• Protects Web Applications
• The Shibboleth Daemon processes attributes
• Can authorize users with
• Apache directives
• Shibboleth XML Access rules
• Provides attributes to applications
General Play-by-Play Scenario
(sequence diagram between User, Service Provider, Discovery Service and Identity Provider)
1. Access Service URL
2. SAML2 Discovery Request
2.1 Discovery Request
3. Select Home Organization
4. SAML2 Authn Request
5. Authenticate
6. Authenticate w/ Assertion
6a. Assertion Confirmation
7. Provide Content
Installation on Mac OS X
• IdP: Note do not have IdP compete with Teams/ Podcast Producer
• MacPorts SP Install: Note, install curl +ssl first. (https://spaces.internet2.edu/display/SHIB2/NativeSPMacPortInstallation)
• Do the registry steps with IdP/SP and federation.
• Demo:
Q&A
Shibboleth in Production
Stanford Shibboleth Example
Mobility Trends
• “Cached Credentials” approach for mobile devices: Browser local storage
• Using your User EO for credential storage and remote wiping
• RESTful interfaces and authentication approaches
• Issues with “gateway” authentication with unknown site authenticators: Split Authentication