securing applications with picketlink

1

Sunday, July 7, 13

SECURING APPLICATIONS WITH PICKETLINK

Anil Saldhana, Red HatPete Muir, Red HatJune 2013

2

Sunday, July 7, 13

What is it?

Security framework for Java EE● Apache License V2● First class support for CDI● Secures your beans, bean methods, view layer,

RESTful endpoints, servlets and more● Simple API for managing Users, Groups and Roles● Authenticate any way you want● Federation (SAML, WS-Trust, OpenID)

3

Sunday, July 7, 13

Overview

4

Sunday, July 7, 13

Identity Management

Manage users, groups, roles and more● Built in support for storing your identities in:

● File system● A relational database (using JPA)● LDAP

● Well defined SPI for creating custom identity stores● Powerful query API for querying identities● All operations done through IdentityManager,

which can be simply @Injected into your beans

5

Sunday, July 7, 13

BYO Identity Model

● We provide you with optional User, Group, Role classes

● We also provide a few default relationships – group membership, group role and application role

● But custom relationships (between two or more participating identities) are also easy to define

● Provides the flexibility you need to meet the requirements of your business or project

6

Sunday, July 7, 13

Authentication

Authentication is initiated with Identity.login()● Identity bean is a session-scoped bean that tracks

the current user

Authenticator can be configured per application or per request

● Supports multiple authentication methods in a single application (e.g. Username/password and OpenID)

● We provide some default (optional) support for some credential types

7

Sunday, July 7, 13

8

Sunday, July 7, 13

9

Sunday, July 7, 13

10

Sunday, July 7, 13

RESTful Authentication Endpoint

org.jboss.jdf.example.ticketmonster.security.rest.LoginService

● Username/password passed in via the credential param● Identity.login() invoked

● If authentication successful, the User object is read from the Identity bean and passed back in the REST response

● We haven't configured an Authenticator for this application, so by default Identity Management is used to authenticate

11

Sunday, July 7, 13

Where are our users defined?

org.jboss.jdf.example.ticketmonster.security.IdentityManagementInitializer● @Startup bean is instantiated during app startup

● IdentityManager is @Injected

● initialize() is a @PostConstruct method● Is executed automatically● Creates the users, roles and default passwords for our

application● Sensible IDM configuration defaults make this possible

12

Sunday, July 7, 13

Securing application methods

org.jboss.jdf.example.ticketmonster.rest.BookingService● We want to restrict the createBooking() method to

only logged-in users● @UserLoggedIn is a Security Binding Type, an

annotation used to restrict access to beans and bean methods

● This feature is provided by Apache DeltaSpike● A Security Binding Type requires an Authorizer method,

annotated with @Secures in addition to the binding annotation

13

Sunday, July 7, 13

Implementing the Authorizer method

org.jboss.jdf.example.ticketmonster.security.AuthorizationManager● The isUserLoggedIn() method controls access to

methods annotated with @UserLoggedIn● Is annotated with both @Secures and @UserLoggedIn● Parameters of an authorizer method are treated as

injection points● Must return a boolean to indicate whether the

authorization was successful – a result of true means the restricted method may be invoked by the current user

14

Sunday, July 7, 13

Servlet security

org.jboss.jdf.example.ticketmonster.security.RoleBasedAuthorizationFilter● Standard servlet filter, active for all requests

● Delegates authorization check to AuthorizationManager.isAllowed()

● Only allows requests to /admin/* URLs if user has the Administrator role

● IdentityManager.hasRole() method used to check if the current user has the required role

15

Sunday, July 7, 13

View layer security

We can also tailor the user experience based on the current user's privileges

● JSF <ui:fragment> control can be used to show or hide parts of the page based on roles

● Can access the Identity bean directly via EL, e.g. #{identity.loggedIn}

● Can also use application-specific checks, e.g. AuthorizationManager.isAdmin()

16

Sunday, July 7, 13

User Registration

IDM makes it easy to implement user self-registration● org.jboss.jdf.example.ticketmonster.security.rest.RegistrationService

● The register() method receives a user registration request

● The performRegistration() method creates a new User, assigns them the User role, and adds them to the Users group.

● The registering user is even automatically logged in by the performSilentAuthentication() method

● An alternative would be to send a confirmation e-mail

17

Sunday, July 7, 13

Other IDM Features

Built-in authentication support for● Form-based, BASIC, DIGEST, X509 Certificate,

Username/PasswordPassword encoding● Defaults to a salted hash, or BYOMix and match identity stores● Store your users in LDAP, roles and groups in DB

18

Sunday, July 7, 13

Other Features of PicketLink

PicketLink Federation (SSO and Trust)● SAML 2.0● SAML 1.1● WS-Trust 1.3

19

Sunday, July 7, 13

Other Features of PicketLink

PicketLink Social Login● Login using Facebook● Login using Twitter● Login using Google● Login using OpenID

20

Sunday, July 7, 13

PicketLink RoadMap

PicketLink v2.5.0 is the target● Currently in frequent beta releases (Last Beta4)● CR cycles to start soon● Current emphasis on QE, Quickstarts and Demos● Final planned mid-july (+ or - 2 weeks)

21

Sunday, July 7, 13

PicketLink Resources

PicketLink has an one stop resource● http://www.picketlink.org● JDF Quickstarts

22

Sunday, July 7, 13

Questions?

23

Sunday, July 7, 13