Post on 18-Jan-2018
ALUI Technique Document
AquaLogic User Interaction Security
LiJie, Senior SE
BEA Confidential | 2BEA ALUI Technique Document, BID China
Module Roadmap
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Admin Folder Security
Single Sign-On
Portal Users
The Portal administrator creates users in the Portal, or syncs users into the Portal
The user can then log in
Each user is defined by an object in the Portal
Example users shown on the slide: George, Keith, Helen, Erica, Ben
Portal Groups
The Portal administrator creates and manages groups
A group has one or more members
A user belongs to one or more groups
Example groups shown on the slide: Executive Community Members and Executive Community Managers
Members: 1. George 2. Helen 3. Christine 4. Jack 5. Jim
– All these users are in the Executive Community Members group
– Helen is a member of two groups
Portal Objects
Almost everything in the Portal is considered an object:
Communities
Subcommunities
Portlets
Administrative folders
Document folders
Documents
Users
Groups …
Every object in the Portal has a list describing who can access that object – it is called an Access Control List (ACL)
Access Control List
An Access Control List specifies which users and groups have access to an object (and what kind of access privileges they have… see next page)
Example shown on the slide: the ACL of the Executive Community lists the Administrators Group, Executive Community Members, Executive Community Managers, the Administrator user, …
Access Privileges
ACLs have privileges that specify what a user/group can do with an object
READ – View the object only
SELECT – Add this object to other objects, e.g., add a portlet to a My Page
EDIT – Create and modify objects
ADMIN – All rights, including delete objects and change object ACLs
If users are not listed on an ACL (access of NONE), they do not know the object exists
Example: ACL for a Community
(Slide figure: a Community object's ACL, showing the Groups and User listed on it and their Access Privileges)
Module Roadmap
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Admin Folder Security
Single Sign-On
Security Scenario #1
The Knowledge Directory contains folders and objects (i.e., links to documents) within those folders
A user may be able to see some folders and not see others
If a user cannot see a folder, he cannot see or search for objects within that folder
Both folders and the objects within them are secured with ACLs
Steps: View Document Folder Security
Steps to witness Knowledge Directory security
1. Log in as George, a member of the Executive team, and browse the Knowledge Directory
2. Log in as Keith, a member of Marketing, and view the Knowledge Directory
3. View security on the Document folder and explain what is happening
See next slides for details…
Step 1: Log in as George
Log in as George, who is in the Executive Community Members group
Step 1: Browse the Directory
Choose Directory -> Browse Directory
Click on the Financials subfolder, inside the Executive folder
Step 1: Click a Link to a Document
The contents of the Financials subfolder display
Click on a link to see the underlying content
Click Back
Note that George can Submit links to this folder
Step 2: Log in as Keith
Log in as Keith, who is in the Marketing Community Members group
Step 2: Browse the Directory
Choose Directory -> Browse Directory
The Financials subfolder does NOT appear to Keith
Step 3: View Document Folder ACL
Access Control List for the Financials folder (slide figure; the Executive Community Members group shown on it is the group George is in)
Conclusion: The group that Keith is in (Marketing Community Members group) is not listed on the ACL; therefore, he cannot see the Financials folder or any documents inside of it. George is in Executive Community Members; he can access, view and submit documents to the Financials folder
Access Levels: Folders, Objects in Folders
What ACLs mean to document folders
NONE: Cannot see folder
READ or SELECT: Can view the folder
EDIT: Can submit or crawl content into folder
ADMIN: Can approve documents for this folder
What ACLs mean on objects in folders
NONE: Cannot see object (search or browse)
READ or SELECT: Can view object
EDIT: Can overwrite object’s properties
ADMIN: Can edit the object’s ACL and delete object
Note: You cannot update the content of a document in the Knowledge Directory
Module Roadmap
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Admin Folder Security
Single Sign-On
Security Scenario #2
Users can access a Community at various levels:
Cannot see it at all (don’t know it exists)
Can browse the Community without joining it
Can join the Community and become a “member”
Can edit the Community
Can change the security settings
In scenario #2, you will see the difference between users with NONE, SELECT, EDIT and ADMIN access to a Community
Based on what you know about Access Control List privileges, which privileges do you think correspond to each level above? READ, EDIT, SELECT, ADMIN, NONE
Steps: Observe Community Security
Steps to experience Community security
1. Log in as George, and go to the Executive Community
2. Log in as Keith and (try to) join the Executive Community
3. Log in as Helen and join the Executive Community
4. Log in as Erica
5. View security on the Admin folders and explain what is happening
See next slides for details…
Step 1: Log in as George
Log in as George, who is in the Executive Community Members group
Go to the Executive Community (George is already a member)
Step 1: View the Community
Step 2: Log in as Keith
Log in as Keith, who is in the Marketing Community Members group
Step 2: Join Executive Community
Attempt to join the Executive Community
Choose My Communities -> Join Communities
Since it is not listed, search for Executive Community, then click
Step 2: Join Executive Community
Result: Nothing is returned from Keith’s search because he does not have access to the Executive Community
Click Cancel
Step 3: Log in as Helen
Log in as Helen, who is in the Executive Community Managers group
Go to the Executive Community (Helen is already a member)
Step 3: View the Community
Result: Helen sees the Community and also has the option, Edit This Community; click on this link
Step 3: View Community Security
The Community editor appears … Helen can edit the Community
Click Security
Step 3: View Community Security
Result: Helen can view the security settings of the Community but she cannot change any security settings
Click Cancel
Step 4: Log in as Erica
Log in as Erica, who is in the Portal Managers group
Go to the Executive Community (Erica is already a member)
Step 4: Edit the Community
Result: Like Helen, Erica sees the Community and also has the option, Edit This Community; click on the link
Step 4: Edit the Community
The Community editor appears … Erica can edit the Community
Click Security
Step 4: Edit Community Security
Result: Erica can CHANGE the security settings for this Community -- add and delete users and groups to the ACL, change the privileges
Click Cancel (please do not change any settings!)
The ACL shown on the slide lists the groups that Erica, George and Helen are in
The group that Keith is in (Marketing Community Members group) is not on the ACL … therefore, he cannot view or join the Executive Community
Security Scenario #3
There may be reasons to allow a user to view a Community without joining it
Differences to the end user:
Does not have to join and become a member
Community does not appear on My Communities tab
In the next example, Keith is in a group that has READ access to the Evergreen Community … see what happens!
Log in as Keith
Log in as Keith, who is in the Marketing Community Members group
Try to join the Evergreen Community
Try to Join Evergreen Community
Search for Evergreen Community
Keith cannot JOIN the Community … but he knows it exists and that he should be able to see it!
Click Cancel
Try to View Evergreen Community
Submit a Portal search … search for Evergreen Community
The Portal returns the Evergreen Community this time…
Click on it
View the Evergreen Community
Result: Keith is allowed to VIEW but not JOIN the Community
Module Roadmap
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Admin Folder Security
Single Sign-On
Access Levels: Administrative Folders
Like Document folders, Administrative folders are secured
What ACLs mean to Administrative folders
NONE: User cannot see the folder
READ or SELECT: User can see the folder
EDIT: User can create objects in the folder
ADMIN: User can delete the folder and change folder security
Steps: View Admin Folder Security
Steps to experience administrative folder security
1. Log in as StudentN and go to the Administration page; make a note of the folders you can see
2. Log in as Ben and go to the Administration page; make a note of the folders you can see
3. Log in as Erica and go to the Administration page; make a note of the folders you can see
4. View security on the Admin folders and explain what is happening
5. As StudentN, try to create an object in an administrative folder
See next slides for details…
Step 1: Log in as StudentN
Log in as StudentN (where N is your student number), who is a member of a group called Students
Go to the Administration page
Step 1: Observe What StudentN Can See
Note that you can see a folder called Community Lab and one subfolder … StudentN, where N is your student number
Step 2: Log in as Ben
Log in as Ben, who is in the Sales Community Managers group
Go to the Administration page
Step 2: Observe What Ben Can See
Note that Ben cannot see the Community Lab or any of its subfolders
Step 3: Log in as Erica
Log in as Erica, who is in the Portal Managers group
Go to the Administration page
Step 3: Observe What Erica Can See
Note that Erica can see the Community Lab folder and many subfolders…
Step 4: View Folder Security
Security for the Community Lab folder (slide figure: the ACL of the Community Lab folder and its StudentN subfolder, showing the groups that StudentN and Erica are in)
Do you think StudentN or Erica can create anything in this folder? Why or why not?
Step 4: View Folder Security
Security for the StudentN folder (slide figure: the ACL of the StudentN subfolder under Community Lab, showing the StudentN user; N is your student number)
Can StudentN create anything in the StudentN folder? Why or why not?
Step 5: Log in as StudentN
Log in as StudentN (where N is your student number)
Step 5: Go to the StudentN Folder
Go to the Administration page
Click on the subfolder in the Community Lab folder that StudentN can see
Step 5: Create an Object
Advanced Security note: In order to create anything, StudentN also needs activity rights (which you have)! All students have the activity rights Access Administration, Create Community and Create Administrative Folder
Choose Create Object… then Administrative Folder
Name it Test Folder, then click OK
Result: Folder created
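A small Python model of the ACL rules in this deck (the privilege ladder on the Access Privileges slide, the folder visibility rule of Security Scenario #1, the folder and object levels on the two Access Levels slides, and the activity rights noted on this slide), written as an added example. It is not BEA's code; the users, groups, folders and ACL entries in it are constructed assumptions, not the lab's real data.

```python
from enum import IntEnum
class Priv(IntEnum):  # privilege ladder from the Access Privileges slide; higher levels include lower ones
    NONE = 0
    READ = 1
    SELECT = 2
    EDIT = 3
    ADMIN = 4

# Constructed scenario (an assumption, not the lab's real data): groups, activity rights, a Knowledge
# Directory tree (Executive/Financials/Q3 Report) and an admin folder tree, each object with its own ACL.
GROUPS = {"Executive Community Members": {"George", "Helen"},
          "Marketing Community Members": {"Keith"},
          "Students": {"Student7"}}
ACTIVITY_RIGHTS = {"Students": {"Access Administration", "Create Administrative Folder"}}
KIND = {"Executive": "doc_folder", "Financials": "doc_folder", "Q3 Report": "document",
        "Community Lab": "admin_folder", "Student7": "admin_folder"}
PARENT = {"Financials": "Executive", "Q3 Report": "Financials", "Student7": "Community Lab"}
ACLS = {
    "Executive":     {"Executive Community Members": Priv.READ, "Marketing Community Members": Priv.READ},
    "Financials":    {"Executive Community Members": Priv.EDIT},
    "Q3 Report":     {"Executive Community Members": Priv.READ, "Keith": Priv.READ},  # direct grant to Keith
    "Community Lab": {"Students": Priv.READ, "Helen": Priv.EDIT},
    "Student7":      {"Student7": Priv.EDIT},
}
# Access Levels slides: the level an action needs depends on the kind of object.
NEEDED = {
    "doc_folder":   {"view": Priv.READ, "submit": Priv.EDIT, "crawl": Priv.EDIT, "approve": Priv.ADMIN},
    "document":     {"view": Priv.READ, "edit_properties": Priv.EDIT, "delete": Priv.ADMIN, "change_acl": Priv.ADMIN},
    "admin_folder": {"view": Priv.READ, "create_object": Priv.EDIT, "delete": Priv.ADMIN, "change_acl": Priv.ADMIN},
}
# Create an Object slide: creating also needs an activity right, which is granted to groups, not per object.
ACTIVITY_NEEDED = {"create_object": "Create Administrative Folder"}

def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}
def effective_priv(user, obj):
    """Highest level the object's ACL grants the user directly or through any of the user's groups."""
    acl = ACLS.get(obj, {})
    return max([acl.get(user, Priv.NONE)] + [acl.get(g, Priv.NONE) for g in groups_of(user)])
def can_see(user, obj):
    """Scenario #1 rule: an object inside a folder the user cannot see is invisible to browse and search."""
    folder = PARENT.get(obj)
    if folder is not None and not can_see(user, folder):
        return False
    return effective_priv(user, obj) >= Priv.READ
def allowed(user, obj, action):
    if not can_see(user, obj):
        return False
    right = ACTIVITY_NEEDED.get(action)
    if right and not any(right in ACTIVITY_RIGHTS.get(g, set()) for g in groups_of(user)):
        return False
    return effective_priv(user, obj) >= NEEDED[KIND[obj]][action]
def search(user, term):
    """Directory search returns only objects the user can see."""
    return sorted(o for o in ACLS if term.lower() in o.lower() and can_see(user, o))
```

Two cases worth running: Keith's direct READ grant on the Q3 Report never takes effect because he cannot see the Financials folder, and Helen's EDIT on Community Lab does not let her create an object without the activity right.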
Module Roadmap
Admin Folder Security
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Single Sign-On
Single Sign-On (SSO)
What is SSO and what is it not?
How do SSO products work?
How does ALUI integrate with SSO solutions?
Working around SSO limitations
Lab info
SSO – What is it?
What problem is Single Sign-On trying to address?
Enterprises have many Web applications
Separate Web applications require separate login credentials
Managing identity within a topology of many applications is inefficient
What do Single Sign-On vendors sell?
Users log in once to access all enterprise resources
Centralized location for authentication and authorization
Authentication: whether or not a user’s name and password are correct
Authorization: whether or not said user has access to a network resource
Streamlined user experience and global security administration
SSO – The Reality
What does SSO actually provide out-of-the-box?
Virtual directory level authentication and authorization to Web sites
A single place to manage authorization for Web sites
What does SSO NOT provide out-of-the-box?
A way to log in to arbitrary vendors’ backend servers
A way to pass login information to a server API
We’ll call it the “Backend Problem”
This is a difficult problem
SSO products do not provide an out-of-the-box solution
Customizations can often provide a solution
SSO – How Do SSO Products Work?
Three main components:
Directory Server (LDAP / AD)
“Access Server”
“SSO Gate”
“Access Server” synchronized with Directory Server
User authorization managed on “Access Server”
“SSO Gate” intercepts HTTP requests to Web applications
(Slide figure: LDAP directory, Access Server (Oblix, Netegrity), and the SSO Gate in front of the ALUI Portal and Other Web App on an Application Server)
SSO – How Do SSO Products Work?
1. The user accesses the ALUI Portal through a browser
2. The SSO Gate intercepts the user's request; the Access Server displays the login form to the user through the browser, and the SSO Gate requires the user to enter credentials
3. The credentials are sent to the Access Server, which matches them against the user information stored in LDAP / AD
4. If authentication succeeds, the user is authorized to access the ALUI Portal, and the SSO token persists for the whole user session
5. Once inside the ALUI Portal, the user is not prompted for credentials again; the system authenticates automatically with the SSO token in the user's session
(Slide figure: LDAP, Access Server, SSO Gate, ALUI Portal and Other Web App on an Application Server, with steps 1–5 marked)
SSO – ALUI Integration
When ALUI detects that the user has entered through single sign-on:
It assumes the user has already been authenticated by the SSO system
It redirects the browser to ALUI's dedicated SSO login page
It checks the user name in the HTTP header
If the user name and authentication information are correct, ALUI accepts the SSO token issued by the Access Server
During authentication, ALUI tries to match the user against multiple user data sources
If no matching user is found, ALUI redirects the user to My Page
(Slide figure: SSO, ALUI Portal and ALUI SSO Page, with the Authenticate, Redirect, Forward Request and Logged In steps)
SSO – ALUI Integration
Integration with the login process is complex
When SSO is enabled, Guest access still works if the user clicks Logout
KB Article DA_218443
You protect /portal/SSOServlet
Diagram at the left shows what happens after SSO authenticates and authorizes the user
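The SSO flow on the preceding slides (the gate intercepts the request, the Access Server checks credentials against the directory and issues a session token, and ALUI matches the header user name against its user sources or sends the user to My Page), as an added Python simulation. It is not BEA's or any SSO vendor's code; the header name, cookie name, credential store and user sources are constructed assumptions.

```python
import secrets

# Constructed stand-ins (assumptions, not the deck's lab data): the LDAP/AD directory behind the
# Access Server, and the portal's user data sources that ALUI matches the header name against.
DIRECTORY = {"keith": "pw-keith", "helen": "pw-helen", "jack": "pw-jack"}
PORTAL_USER_SOURCES = [{"george", "helen"}, {"keith"}]   # "jack" exists in LDAP but not in the portal
USER_HEADER = "X-SSO-USER"     # assumed header name; the deck only says "the user name in the HTTP header"
SESSION_COOKIE = "SSO_TOKEN"   # assumed cookie name carrying the session-wide token
PROTECTED_PREFIXES = ("/portal/",)

class AccessServer:
    """Match credentials against the directory and issue a token that lasts for the session."""
    def __init__(self):
        self.sessions = {}
    def authenticate(self, user, password):
        if DIRECTORY.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token
    def user_for(self, token):
        return self.sessions.get(token)

def portal_sso_servlet(path, headers):
    """ALUI's side: take the gate-asserted name, match it across the user sources, else send to My Page."""
    name = headers.get(USER_HEADER)
    if name and any(name in source for source in PORTAL_USER_SOURCES):
        return {"status": 200, "user": name, "page": path}
    return {"status": 302, "user": None, "page": "/portal/MyPage"}

class SSOGate:
    """Intercept requests to protected URLs: challenge, or forward them with the identity header set."""
    def __init__(self, access_server):
        self.access_server = access_server
    def handle(self, request):
        headers = dict(request.get("headers", {}))
        headers.pop(USER_HEADER, None)   # defensive assumption: a client-supplied identity header is discarded
        user = self.access_server.user_for(request.get("cookies", {}).get(SESSION_COOKIE))
        if user is None and request["path"].startswith(PROTECTED_PREFIXES):
            return {"status": 401, "user": None, "page": "login form"}   # no valid token: prompt for credentials
        if user is not None:
            headers[USER_HEADER] = user   # identity asserted by the gate, which is why the portal can trust it
        return portal_sso_servlet(request["path"], headers)
```

The portal trusts whatever name arrives in the header, so the gate has to be the only way to reach it; that is the reason the slide says to protect /portal/SSOServlet.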
SSO – Supported Vendors
5.0J supports three SSO vendors out of the box:
1. Oblix NetPoint
2. Netegrity SiteMinder
• SiteMinder Terminology
WebAgent – Intercepts calls to protected resources and authenticates the user. Sits on Portal Server.
Policy Server – Authorizes the given user to access the given resource. Other restrictions like time can be applied to Policy Server rules.
Directory Server – the user repository
Summary
Portal security works the same for ALL Portal objects (except users) – each has an Access Control List, indicating who can interact with that object and at what level
This module is intended to give you a primer on Portal Security from an end-user perspective
For full coverage of Portal Security, please refer to the Portal Administration 5.0 course or to the E-learning Administration learning modules
ALUI Technique Document
Q&A