Post on 27-Dec-2015

Raymond K. Ng, Technical Lead - JAAS, Platform Security, Oracle Corporation

Securing J2EE Applications with Oracle Identity Management

Agenda

– Application Security Overview
– Authentication Requirements
– Authorization Requirements
– J2EE Security
– JAAS
– Oracle Strategy

Application Security

– Security is a process, not a product or feature
  – No 100% security
– Only as secure as the weakest link
  – Go beyond firewall security
  – Implement multi-layer security
– Considerations
  – Authentication
  – Authorization
  – Accountability/Audit
  – Secure Transport

Oracle 10g Security Architecture

[Architecture diagram: Browser; Oracle HTTP Server with mod_osso and mod_ossl; Oracle 10g Containers for J2EE (OC4J) with JAAS; Security Infrastructure Layer consisting of Single Sign-On and Oracle Internet Directory]

Authentication Requirements

Use The Appropriate Mechanism

– Username and password
– Client certificate
– Smart Card
– Biometrics

Single Sign-On (SSO)

– Why SSO-enable your application?
  – User Convenience
  – Security
  – Cost Reduction
– Factors to consider
  – Integration with infrastructure
  – Extensible framework

Oracle 10g Single Sign-On

– Centralized authentication for web applications
– Multiple authentication options
  – Username/password
  – Client certificates
  – 3rd party API (Biometrics, Smart Card, etc.)
– Single Sign-Off
– Multiple application types
– Integrated across Oracle 10g
  – OID, OC4J/JAAS, Portal, OHS, Wireless, Workflow, UM, Ultrasearch, Personalization, Reports, Forms, Discoverer…

Relevant Standards

– HTTP
– SSL/X.509
– J2EE
– JAAS
– Java Authentication SPI
– SAML
– WS-Security
– Plus emerging specifications

Authorization Requirements

Choose The Right Authorization Model

– Roll Your Own (Application-specific)
  – Maintenance
  – Administrative Cost
  – Inconsistent Authorization Policy => Insecurity
– Understand The Relevant Standards
  – J2EE Security
  – Java 2 Security
  – JAAS
  – JACC

J2EE Security

– Design Principles
  – Declarative security model: decouple security logic from application logic; write once, run anywhere (WORA)
  – Leverage existing security infrastructure
– J2EE Roles
  – Application Provider
  – Application Assembler
  – Application Deployer
  – System Administrator

J2EE Security: Authentication

– Multiple Authentication Methods
  – Basic, Form, SSL client certificate, etc.
– Declarative Security
  – Deployment descriptors: web.xml, ejb-jar.xml
– JSR 196: Java Authentication SPI
  – J2EE 1.5
  – JAAS LoginModule integration
– Missing
  – Single Sign-On support

J2EE Security: Authorization

– Protected Resources
  – Web Resources: URL-patterns
  – Enterprise Beans: Method permissions
– “Role”-based Authorization
  – Not “Role Based Access Control (RBAC)”
  – Portability
– JSR 115: Integration with Java2/JAAS
  – Pluggable security (authorization) provider
  – J2EE security constraints => Java2 permissions

JAAS: Java Authentication and Authorization Service

Java 2 Security

– Key Components
  – Security Policy defines authorization policy
  – SecurityManager/AccessController is the security monitor
– Necessary if running any untrusted code in your JVM
– Limitations
  – Code-based security only
  – No policy management API
  – File-based implementation doesn’t scale

What is JAAS?

– Principal-based security
– Authentication
  – Pluggable Authentication Module (PAM) framework
– Authorization
  – Extension to Java 2 Security Model
– Optional Package to JDK 1.3
  – JDK 1.4 Core API
– J2EE 1.3 Requirement
  – J2EE 1.4: JACC (JSR 115)
  – J2EE 1.5: Java Authentication SPI (JSR 196)

Oracle 10g JAAS Provider

– Oracle’s JAAS (Java Authentication and Authorization Service) Implementation, plus Extensions
– Integrated with Oracle 10g SSO and OID
– Default Security Provider for Oracle 10g Containers for J2EE

Oracle 10g JAAS Provider: User Manager

[Diagram: JAZNUserManager inside Oracle 10g Containers for J2EE, backed by either the LDAP-based provider type (OID repository) or the XML-based provider type (jazn-data.xml repository)]

Oracle 10g JAAS Provider: Authentication

– Oracle’s RealmLoginModule Integrated with OC4J Authentication
  – Declarative model
  – Integrated with J2EE security model
  – Integrated with Realm framework for user communities
– Support custom JAAS LoginModules
  – Programmatic and declarative
  – Integrated with J2EE security model
– Option to Use Oracle 10g Single Sign-On (SSO)

Oracle 10g JAAS Provider: Authorization

– JAAS Authorization
  – Principal (i.e. user) and code-based policies
  – Hierarchical, role-based access control (RBAC)
  – Realm framework to support multiple user communities
– Authorization Repository
  – XML flat-file
  – Oracle Internet Directory (OID)
– 3 methods of Management
  – Oracle Enterprise Manager
  – JAZN Admintool
  – Programmatic API

Oracle 10g JAAS Provider: What’s New

– Custom JAAS LoginModules
  – Leverage any JAAS-compliant LoginModules
  – Integration with J2EE security model
– Performance & Scalability Enhancements
– OC4J Integration
  – Password hiding (data-sources.xml, oc4j-ra.xml)
– Tool Integration
  – JDeveloper / BC4J

Oracle 10g JAAS Provider: Future Directions

– Support for 3rd party LDAP directories
  – Default LoginModule certified against AD and SunONE
– JACC Provider (JSR 115)
  – Unified authorization model for managed components
– Java Authentication SPI (JSR 196)
  – Unified authentication model for managed components
– Portlet Integration (JSR 168)
  – J2EE/JAAS authorization model for portlets
– Management & Deployment Enhancements
  – JSR 77 & 88
– XML Services Security
– Web Services Security

JAAS Up Your J2EE Apps

JAAS Up Your J2EE Apps: Putting the Pieces Together

– Define your security policy
  – Enterprise policy: role hierarchy; user->role assignment; permission->role assignment
  – Application-specific policy: authentication method; authorization constraints (“security-roles”)
– Deploy your J2EE Application
  – authentication method
  – authorization constraints (“security-role-mappings”)
  – RunAs identity

JAAS Up Your J2EE Apps: SSO-enabling your J2EE Apps

– Specify static declarative constraints
  – in web.xml or ejb-jar.xml
– Deploy your J2EE applications
  – specify JAZN-LDAP UserManager
  – security-role mappings
    – OID realms, users and groups
– Specify authentication method as SSO
  – in orion-web.xml: <jazn-web-app auth-method="SSO" />

JAAS Up Your J2EE Apps: Custom LoginModule Integration

– Develop, package & deploy your application as usual
– Package & deploy your custom LoginModule
  – As an independent JAR or as part of your application
– Configure your application
  – Set JAZN property “role.mapping.dynamic” to “true”
  – Set application classpath as appropriate
  – Set security role mapping as appropriate
– Register your custom LoginModule
  – Associate your custom LoginModule with your application
  – JAZN Admintool: “-addloginmodule” option
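As an added illustration of the custom LoginModule the steps above package and register (example code written for this page, not Oracle's RealmLoginModule or any OC4J sample), here is a minimal two-phase JAAS LoginModule. The class name DemoLoginModule, the UserPrincipal class and the in-memory user table are assumptions; the principal it commits is what JAZN's dynamic role mapping resolves to security roles.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical custom LoginModule (not Oracle's RealmLoginModule); constructed in-memory user store.
public class DemoLoginModule implements LoginModule {
    // Constructed sample store: user -> SHA-256 of the password. A real module would
    // query LDAP/DB and use a salted, slow password hash rather than plain SHA-256.
    private static final Map<String, byte[]> USERS = Map.of("alice", sha256("s3cret"));
    private Subject subject; private CallbackHandler handler;
    private String user; private boolean ok;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    // Phase 1: obtain credentials through the container's CallbackHandler and verify them.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        byte[] stored = USERS.get(nc.getName());
        // Constant-time digest comparison; unknown user and wrong password fail identically.
        ok = stored != null && pw != null && MessageDigest.isEqual(stored, sha256(new String(pw)));
        if (pw != null) Arrays.fill(pw, '\0');   // scrub the secret from memory
        if (!ok) throw new FailedLoginException("authentication failed");
        user = nc.getName();
        return true;
    }

    // Phase 2: add the Principal only once the whole login stack succeeded; its name is
    // what JAZN maps to security roles when role.mapping.dynamic is "true".
    public boolean commit() {
        if (ok) subject.getPrincipals().add(new UserPrincipal(user));
        return ok;
    }
    public boolean abort() { ok = false; user = null; return true; }
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
        return true;
    }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(java.nio.charset.StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
}
```

The container drives login() then commit() (or abort() on failure of any module in the stack), so credentials are never turned into principals before the whole configuration has agreed.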

JAAS Up Your J2EE Apps: Tips & Tricks

– JAZN-LDAP
  – User/group management delegated to DAS
  – grant RMIPermission to user accessing EJBs
– JAZN-LDAP Cache
  – Tuning parameters: “ldap.cache.*”
– Identity Management Realm
  – SSO integration
– External Synchronization
  – Performance vs. Ease-of-development
– Public Group
  – Authentication only

Oracle Strategy

Distributed Systems Security Reference Architecture

[Diagram: Users; Application Security Services (Authentication, Authorization, Privacy, Audit) around the Application and its Protected Resources; Identity Management Infrastructure providing Identity & Profile Assertion Services, Policy Decision Services, Administration & Provisioning, and the Identity & Policy Store]

Oracle 10g Security Solution

– Oracle Identity Management Infrastructure for the enterprise
– Platform security enabled by Oracle Identity Management
– Platform components with high security assurance

Oracle Security Architecture

[Diagram, Enterprise Security Infrastructure: Oracle Identity Management, made up of Oracle Internet Directory, OracleAS Certificate Authority, Directory Integration & Provisioning, OracleAS Single Sign-on and Delegated Administration Services, grouped into Access Management, Directory Services, Provisioning Services and External Security Services]

[Diagram, Oracle 10g Platform Security Bindings / Application Component Security: OracleAS 10g (JAAS, WS Security, Java2 Permissions…); Oracle 10g Database (Enterprise users, VPD, Encryption, Label Security); Oracle E-Business Suite (Responsibilities, Roles…); Oracle Collaboration Suite (Secure Mail, Interpersonal Rights…); OracleAS Portal & Wireless (Roles, Privilege Groups…)]

Oracle Identity Management Benefits

– Enables deployment of all Oracle products out of the box
  – AS, DB, OCS, eBiz
– An enterprise infrastructure that leverages Oracle’s “unbreakable” technology
  – Reliability, scalability, security, performance
– A single point of integration for customer’s existing identity management solutions
  – Transparent 3rd party integration for OIM enabled products
– Accommodates wide variety of partner solutions and customer deployments
  – Open, standards-based infrastructure enables integration

What’s Next

– Implementing Identity Management at Lawrence Livermore National Labs
  – ID: 40287
  – Presenter: Tony Macedo, Computer Scientist, LLNL
  – Date: Thursday, 9/11
  – Time: 3:15 - 4:15
  – Location: Moscone Center room 120

Questions & Answers
