AquaLogic User Interaction Security
DESCRIPTION
AquaLogic User Interaction Security. Li Jie, Senior SE. Module Roadmap: Users, Groups and Object Access; Knowledge Directory Security; Community Security; Admin Folder Security; Single Sign-On; Portal Users.
TRANSCRIPT
ALUI Technique Document
AquaLogic User Interaction Security
Li Jie, Senior SE
BEA Confidential | 2BEA ALUI Technique Document, BID China
Module Roadmap
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Admin Folder Security
Single Sign-On
Portal Users
The Portal administrator creates users in the Portal, or syncs users into the Portal
The user can then log in
Each user is defined by an object in the Portal
George
Keith
Helen
Erica
Ben
Portal Groups
The Portal administrator creates and manages groups
A group has one or more members
A user belongs to one or more groups
Executive Community Members
Executive Community Managers
1. George
2. Helen
3. Christine
4. Jack
5. Jim
All these users are in the Executive Community Members group
Helen is a member of two groups
Portal Objects
Almost everything in the Portal is considered an object
Communities
Subcommunities
Portlets
Administrative folders
Document folders
Documents
Users
Groups …
Every object in the Portal has a list describing who can access that object – it is called an Access Control List (ACL)
Access Control List
An Access Control List specifies which users and groups have access to an object (and what kind of access privileges they have… see next page)
Executive Community
Administrators Group
Executive Community Members
Executive Community Managers
Administrator
…
Access Privileges
ACLs have privileges that specify what a user/group can do with an object
READ: View the object only
SELECT: Add this object to other objects, e.g., add a portlet to a My Page
EDIT: Create and modify objects
ADMIN: All rights, including deleting objects and changing object ACLs
If users are not listed on an ACL (access of NONE), they do not know the object exists
Example: ACL for a Community
Groups
User
Object
Access Privileges
Module Roadmap
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Admin Folder Security
Single Sign-On
Security Scenario #1
The Knowledge Directory contains folders and objects (i.e., links to documents) within those folders
A user may be able to see some folders and not see others
If a user cannot see a folder, he cannot see or search for objects within that folder
Both folders and the objects within them are secured with ACLs
Steps: View Document Folder Security
Steps to witness Knowledge Directory security
1. Log in as George, a member of the Executive team, and browse the Knowledge Directory
2. Log in as Keith, a member of Marketing and view the Knowledge Directory
3. View security on the Document folder and explain what is happening
See next slides for details…
Step 1: Log in as George
1. Log in as George, who is in the Executive Community Members group
Step 1: Browse the Directory
2. Choose Directory -> Browse Directory
3. Click on the Financials subfolder, inside the Executive folder
Step 1: Click a Link to a Document
The contents of the Financials subfolder display
4. Click on a link to see the underlying content
5. Click Back
Note that George can Submit links to this folder
Step 2: Log in as Keith
1. Log in as Keith, who is in the Marketing Community Members group
Step 2: Browse the Directory
2. Choose Directory -> Browse Directory
3. The Financials subfolder does NOT appear to Keith
Step 3: View Document Folder ACL
Access Control List for the Financials folder
Conclusion: The group that Keith is in (Marketing Community Members group) is not listed on the ACL; therefore, he cannot see the Financials folder or any documents inside of it. George is in Executive Community Members; he can access, view and submit documents to the Financials folder
George is in this group
Access Levels: Folders, Objects in Folders
What ACLs mean to document folders
NONE: Cannot see folder
READ or SELECT: Can view the folder
EDIT: Can submit or crawl content into folder
ADMIN: Can approve documents for this folder
What ACLs mean on objects in folders
NONE: Cannot see object (search or browse)
READ or SELECT: Can view object
EDIT: Can overwrite object’s properties
ADMIN: Can edit the object’s ACL and delete object
Note: You cannot update the content of a document in the Knowledge Directory
Module Roadmap
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Admin Folder Security
Single Sign-On
Security Scenario #2
Users can access a Community at various levels
Cannot see it at all (don’t know it exists)
Can browse the Community without joining it
Can join the Community and become a “member”
Can edit the Community
Can change the security settings
In scenario #2, you will see the difference between users with NONE, SELECT, EDIT and ADMIN access to a Community
Based on what you know about Access Control List privileges, which privileges do you think correspond to each of the levels above? READ, EDIT, SELECT, ADMIN, NONE
Steps: Observe Community Security
Steps to experience Community security
1. Log in as George, and go to the Executive Community
2. Log in as Keith and (try to) join the Executive Community
3. Log in as Helen and join the Executive Community
4. Log in as Erica
5. View security on the Admin folders and explain what is happening
See next slides for details…
Step 1: Log in as George
1. Log in as George, who is in the Executive Community Members group
2. Go to the Executive Community (George is already a member)
Step 1: View the Community
Step 2: Log in as Keith
1. Log in as Keith, who is in the Marketing Community Members group
Step 2: Join Executive Community
Attempt to join the Executive Community
2. Choose My Communities -> Join Communities
3. Since it is not listed, search for Executive Community, then click
Step 2: Join Executive Community
Result: Nothing is returned from Keith’s search because he does not have access to the Executive Community
4. Click Cancel
Step 3: Log in as Helen
1. Log in as Helen, who is in the Executive Community Managers group
2. Go to the Executive Community (Helen is already a member)
Step 3: View the Community
3. Result: Helen sees the Community and also has the option Edit This Community; click on this link
Step 3: View Community Security
The Community editor appears … Helen can edit the Community
4. Click Security
Step 3: View Community Security
Result: Helen can view the security settings of the Community but she cannot change any security settings
Click Cancel
Step 4: Log in as Erica
1. Log in as Erica, who is in the Portal Managers group
2. Go to the Executive Community (Erica is already a member)
Step 4: Edit the Community
3. Result: Like Helen, Erica sees the Community and also has the option Edit This Community; click on the link
Step 4: Edit the Community
The Community editor appears … Erica can edit the Community
4. Click Security
Step 4: Edit Community Security
Result: Erica can CHANGE the security settings for this Community: add and delete users and groups on the ACL, change the privileges
Click Cancel (please do not change any settings!)
Erica is in this group
George is in this group
Helen is in this group
The group that Keith is in (Marketing Community Members group) is not on the ACL … therefore, he cannot view or join the Executive Community
Security Scenario #3
There may be reasons to allow a user to view a Community without joining it
Differences to end user
Does not have to join and become a member
Community does not appear on My Communities tab
In the next example, Keith is in a group that has READ access to the Evergreen Community … see what happens!
Log in as Keith
1. Log in as Keith, who is in the Marketing Community Members group
2. Try to join the Evergreen Community
Try to Join Evergreen Community
2. Search for Evergreen Community
Keith cannot JOIN the Community … but he knows it exists and that he should be able to see it!
3. Click Cancel
Try to View Evergreen Community
4. Submit a Portal search … search for Evergreen Community
The Portal returns the Evergreen Community this time…
5. Click on it
View the Evergreen Community
Result: Keith is allowed to VIEW but not JOIN the Community
Module Roadmap
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Admin Folder Security
Single Sign-On
Access Levels: Administrative Folders
Like Document folders, Administrative folders are secured
What ACLs mean to Administrative folders
NONE: User cannot see the folder
READ or SELECT: User can see the folder
EDIT: User can create objects in the folder
ADMIN: User can delete the folder and change folder security
Steps: View Admin Folder Security
Steps to experience administrative folder security
1. Log in as StudentN and go to the Administration page; make a note of the folders you can see
2. Log in as Ben and go to the Administration page; make a note of the folders you can see
3. Log in as Erica and go to the Administration page; make a note of the folders you can see
4. View security on the Admin folders and explain what is happening
5. As StudentN, try to create an object in an administrative folder
See next slides for details…
Step 1: Log in as StudentN
1. Log in as StudentN (where N is your student number), who is a member of a group called Students
2. Go to the Administration page
Step 1: Observe What StudentN Can See
3. Note that you can see a folder called Community Lab and one subfolder … StudentN, where N is your student number
Step 2: Log in as Ben
1. Log in as Ben, who is in the Sales Community Managers group
2. Go to the Administration page
Step 2: Observe What Ben Can See
3. Note that Ben cannot see the Community Lab or any of its subfolders
Step 3: Log in as Erica
1. Log in as Erica, who is in the Portal Managers group
2. Go to the Administration page
Step 3: Observe What Erica Can See
3. Note that Erica can see the Community Lab folder and many subfolders…
Step 4: View Folder Security
Security for the Community Lab folder
Do you think StudentN or Erica can create anything in this folder? Why or why not?
StudentN is in this group
Erica is in this group
Folder tree: Community Lab > StudentN
Step 4: View Folder Security
Security for the StudentN Folder
Can StudentN create anything in the StudentN folder? Why or why not?
StudentN is this user… (where N is your student number)
Folder tree: Community Lab > StudentN
Step 5: Log in as StudentN
1. Log in as StudentN (where N is your student number)
Step 5: Go to the StudentN Folder
2. Go to the Administration page
3. Click on the subfolder in the Community Lab folder that StudentN can see
Step 5: Create an Object
Advanced Security note: In order to create anything, StudentN also needs activity rights (which you have)! All students have the activity rights Access Administration, Create Community and Create Administrative Folder
4. Choose Create Object… then Administrative Folder
5. Name it Test Folder, then click OK
Result: Folder created
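The Access Privileges slide, the Knowledge Directory access levels, Community scenarios #2 and #3 and the administrative folder steps all describe one evaluation rule: a user's effective privilege on an object is the highest level granted to the user or any of the user's groups on that object's ACL, and creating an object additionally needs an activity right. The model below is an added illustration, not BEA code; the roster, the ACL entries, the document name and the exact privilege each group holds are constructed so that the results match what the lab scenarios show (George can submit to Financials, Keith cannot find it, Helen can edit but not secure the Executive Community, Erica can, Keith can view but not join Evergreen, StudentN needs both EDIT and the Create Administrative Folder right).

```python
"""Toy model of the ACL rules on these slides: a privilege ladder
(NONE < READ < SELECT < EDIT < ADMIN), group membership, folder
visibility, Community access levels and activity rights.
Added illustration only; not BEA code. Users, groups, ACL entries and
the privilege each group holds are constructed from the lab scenarios."""
from typing import Dict, List, Set

LEVELS = ["NONE", "READ", "SELECT", "EDIT", "ADMIN"]  # lowest to highest
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed roster: user -> groups (the lab cast on the slides).
GROUPS: Dict[str, Set[str]] = {
    "George": {"Executive Community Members"},
    "Keith": {"Marketing Community Members"},
    "Helen": {"Executive Community Members", "Executive Community Managers"},
    "Erica": {"Portal Managers"},
    "Ben": {"Sales Community Managers"},
    "Student7": {"Students"},
    "Student8": {"Students"},
}

# Constructed ACLs: object -> {principal: privilege}. A principal absent
# from an ACL has NONE. Privilege values are assumptions.
ACLS: Dict[str, Dict[str, str]] = {
    "Executive/Financials (folder)": {"Executive Community Members": "EDIT",
                                      "Administrators Group": "ADMIN"},
    "Q3 Results (document)": {"Executive Community Members": "READ"},
    "Executive Community": {"Executive Community Members": "SELECT",
                            "Executive Community Managers": "EDIT",
                            "Portal Managers": "ADMIN"},
    "Evergreen Community": {"Marketing Community Members": "READ"},
    "Community Lab/Student7 (admin folder)": {"Student7": "EDIT"},
    "Community Lab/Student8 (admin folder)": {"Student8": "EDIT"},
}
# Which folder a document lives in (constructed).
PARENT = {"Q3 Results (document)": "Executive/Financials (folder)"}

# Constructed activity rights; the slide names these three for students.
# Student8 deliberately has none, to show the second half of the check.
ACTIVITY_RIGHTS: Dict[str, Set[str]] = {
    "Student7": {"Access Administration", "Create Community",
                 "Create Administrative Folder"},
}

def principals(user: str) -> Set[str]:
    """The user plus every group the user belongs to."""
    return {user} | GROUPS.get(user, set())

def effective_privilege(obj: str, user: str) -> str:
    """Highest privilege granted to the user or any of the user's groups."""
    acl = ACLS.get(obj, {})
    best = "NONE"
    for p in principals(user):
        level = acl.get(p, "NONE")
        if RANK[level] > RANK[best]:
            best = level
    return best

def has_at_least(obj: str, user: str, level: str) -> bool:
    return RANK[effective_privilege(obj, user)] >= RANK[level]

def can_see_folder(folder: str, user: str) -> bool:
    return has_at_least(folder, user, "READ")   # READ or SELECT shows the folder

def search(user: str, term: str) -> List[str]:
    """Directory search: an object is returned only if its folder is visible
    to the user AND the user has at least READ on the object itself."""
    hits = []
    for obj in ACLS:
        if term.lower() not in obj.lower():
            continue
        folder = PARENT.get(obj)
        if folder and not can_see_folder(folder, user):
            continue   # an invisible folder hides everything inside it
        if has_at_least(obj, user, "READ"):
            hits.append(obj)
    return hits

def community_capabilities(community: str, user: str) -> Set[str]:
    """Scenario #2/#3: READ = view, SELECT = join, EDIT = edit,
    ADMIN = change security; NONE = does not know the Community exists."""
    caps = set()
    for level, cap in [("READ", "view"), ("SELECT", "join"),
                       ("EDIT", "edit"), ("ADMIN", "change_security")]:
        if has_at_least(community, user, level):
            caps.add(cap)
    return caps

def can_create_admin_folder(folder: str, user: str) -> bool:
    """Creating an object needs EDIT on the admin folder AND the matching
    activity right; either one alone is not enough."""
    return (has_at_least(folder, user, "EDIT")
            and "Create Administrative Folder" in ACTIVITY_RIGHTS.get(user, set()))

if __name__ == "__main__":
    for who in ("George", "Keith"):
        print(who, "searching 'Q3' ->", search(who, "Q3"))
    for who in ("Keith", "George", "Helen", "Erica"):
        print(who, "on Executive Community ->",
              sorted(community_capabilities("Executive Community", who)))
    print("Student8 creates folder ->",
          can_create_admin_folder("Community Lab/Student8 (admin folder)", "Student8"))
```

Running the block prints the outcome of each lab scenario. The search rule is the one worth noting for a reviewer of real ACLs: a READ grant on a document does nothing for a user who has NONE on the containing folder, so folder ACLs are the place to audit first.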
Module Roadmap
Knowledge Directory Security
Users, Groups and Object Access
Community Security
Admin Folder Security
Single Sign-On
Single Sign-On (SSO)
What is SSO and what is it not?
How do SSO products work?
How does ALUI integrate with SSO Solutions?
Working around SSO limitations
Lab Info
SSO – What is it?
What problem is Single Sign-On trying to address?
Enterprises have many Web applications
Separate Web applications require separate login credentials
Managing identity within a topology of many applications is inefficient
What do Single Sign-On vendors sell?
Users log in once to access all enterprise resources
Centralized location for authentication and authorization
Authentication: whether or not a user’s name and password are correct
Authorization: whether or not said user has access to a network resource
Streamlined user experience and global security administration
SSO – The Reality
What does SSO actually provide out-of-the-box?
Virtual directory level authentication and authorization to Web sites
A single place to manage authorization for Web sites
What does SSO NOT provide out-of-the-box?
A way to login to arbitrary vendors’ backend servers
A way to pass login information to a server API
We’ll call it the “Backend Problem”
This is a difficult problem
SSO products do not provide an out-of-the-box solution
Customizations can often provide a solution
SSO – How Do SSO Products Work?
Three main components
Directory Server (LDAP / AD)
“Access Server”
“SSO Gate”
The “Access Server” is synchronized with the Directory Server
User authorization is managed on the “Access Server”
The “SSO Gate” intercepts HTTP requests to Web applications
[Diagram: LDAP; Access Server (Oblix, Netegrity); SSO Gate; Application Server hosting the ALUI Portal and Other Web App]
SSO – How Do SSO Products Work?
The user accesses the ALUI Portal through a browser. The SSO Gate intercepts the user's request, and the Access Server displays the security authentication page to the user through the browser. The SSO Gate requires the user to enter authentication information. The authentication information is transmitted to the Access Server, which matches it against the user information stored in LDAP / AD. If authentication succeeds, the user is authorized to access the ALUI Portal, and the SSO token persists for the entire user session. After entering the ALUI Portal, the user is no longer prompted for authentication information; the system authenticates automatically using the SSO token in the user session.
[Diagram: LDAP; Access Server; SSO Gate; Application Server hosting the ALUI Portal and Other Web App; numbered arrows 1 to 5]
SSO – ALUI Integration
When ALUI detects that the user has come in through single sign-on, it assumes the user has already been authenticated by the single sign-on system. The browser is redirected to the dedicated ALUI SSO login page, which checks the user name in the HTTP header. If the user name and authentication information are correct, ALUI accepts the SSO token issued by the Access Server. During authentication, ALUI tries to match the user against multiple user data sources. If no matching user is found, ALUI redirects the user to My Page.
[Diagram: SSO, ALUI Portal, ALUI SSO Page; arrows: Request, Redirect, Authenticate, Forward, Logged In]
SSO – ALUI Integration
Integration with the login process is complex
When SSO is enabled, Guest access still works if the user clicks Logout
KB Article DA_218443
You protect /portal/SSOServlet
Diagram at the left shows what happens after SSO authenticates and authorizes the user
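The two integration slides above describe a three-party exchange: the SSO Gate intercepts the request, the Access Server validates credentials against the directory and issues a session token, and the portal's SSO servlet (the /portal/SSOServlet you protect) reads the user name from an HTTP header and matches it against its user data sources. The simulation below is an added illustration, not BEA, Oblix or Netegrity code; the header name X-SSO-User, the HMAC token format, the shared secret, the directory contents, the portal's user data sources and the /portal/MyPage path are all constructed. It shows why the servlet must sit behind the gate: the header is meaningful only because the gate strips any inbound copy and sets it after validating the token.

```python
"""Simulation of the SSO Gate / Access Server / ALUI SSO servlet exchange
the slides describe. Added illustration only; not BEA, Oblix or Netegrity
code. Header name, token format, shared secret, directory contents and
portal user data sources are constructed."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ID_HEADER = "X-SSO-User"            # assumed name of the header the gate sets
SHARED_SECRET = b"lab-only-secret"  # constructed; real products use their own scheme

# Constructed LDAP / AD store: user name -> SHA-256 of password (toy only).
LDAP = {u: hashlib.sha256(p.encode()).hexdigest()
        for u, p in [("george", "pw-george"), ("keith", "pw-keith"),
                     ("visitor", "pw-visitor")]}

@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    via_gate: bool = False   # set only by the gate when it forwards

class AccessServer:
    """Checks credentials against the directory; mints and validates tokens."""
    def authenticate(self, user: str, password: str) -> Optional[str]:
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(LDAP.get(user, ""), digest):
            return None
        payload = f"{user}|{int(time.time())}"
        mac = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"

    def validate(self, token: str) -> Optional[str]:
        parts = token.split("|")
        if len(parts) != 3:
            return None
        user, issued, mac = parts
        expected = hmac.new(SHARED_SECRET, f"{user}|{issued}".encode(),
                            hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(mac, expected) else None

class Portal:
    """ALUI-style portal: /portal/SSOServlet reads the user name header and
    matches it against several user data sources."""
    def __init__(self, sources: Dict[str, Set[str]]):
        self.sources = sources   # data source name -> user names it holds
    def dispatch(self, req: Request) -> dict:
        if req.path == "/portal/SSOServlet":
            return self.sso_servlet(req)
        # Any other page: guest access still works when no identity is asserted.
        return {"status": 200, "user": req.headers.get(ID_HEADER, "guest")}
    def sso_servlet(self, req: Request) -> dict:
        # The header is trustworthy only because the gate put it there, so the
        # servlet refuses requests that did not come through the gate.
        if not req.via_gate:
            return {"status": 403, "reason": "SSOServlet must be reached through the gate"}
        name = req.headers.get(ID_HEADER, "")
        for source, users in self.sources.items():
            if name in users:
                return {"status": 200, "user": name, "source": source}
        return {"status": 302, "location": "/portal/MyPage"}  # assumed path

class SSOGate:
    """Intercepts HTTP requests: callers without a valid token get the login
    challenge on protected paths; valid ones are forwarded with the header."""
    def __init__(self, access_server: AccessServer, portal: Portal):
        self.access_server, self.portal = access_server, portal
    def handle(self, req: Request) -> dict:
        req.headers.pop(ID_HEADER, None)   # drop any client-supplied identity
        req.via_gate = True
        user = self.access_server.validate(req.cookies.get("sso_token", ""))
        if user is not None:
            req.headers[ID_HEADER] = user
        elif req.path == "/portal/SSOServlet":   # the one resource you protect
            return {"status": 401, "action": "show login form"}
        return self.portal.dispatch(req)

ACCESS = AccessServer()
PORTAL = Portal({"Corporate AD": {"george", "keith"}})
GATE = SSOGate(ACCESS, PORTAL)

def login_flow(user: str, password: str) -> dict:
    """The slide's sequence: first request is challenged, credentials go to
    the Access Server, and the token then rides on every later request."""
    first = GATE.handle(Request("/portal/SSOServlet"))
    assert first["status"] == 401
    token = ACCESS.authenticate(user, password)
    if token is None:
        return {"status": 401, "action": "bad credentials"}
    return GATE.handle(Request("/portal/SSOServlet", cookies={"sso_token": token}))
```

Two outcomes in the simulation correspond to lines on the slides: a user who authenticates at the Access Server but matches none of the portal's user data sources is sent to My Page, and a request for an unprotected page with no token still reaches the portal as guest. The 403 branch is the check to verify in a deployment: if the servlet can be reached on a path the gate does not cover, the header is no longer evidence of anything.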
SSO – Supported Vendors
5.0J supports three SSO vendors out of the box:
1. Oblix NetPoint
2. Netegrity SiteMinder
SiteMinder Terminology
WebAgent: Intercepts calls to protected resources and authenticates the user. Sits on the Portal Server.
Policy Server: Authorizes the given user to access the given resource. Other restrictions, such as time, can be applied to Policy Server rules.
Directory Server: the user repository
Summary
Portal security works the same for ALL Portal objects (except users): each has an Access Control List indicating who can interact with that object and at what level
This module is intended to give you a primer on Portal Security from an end-user perspective
For full coverage of Portal Security, please refer to the Portal Administration 5.0 course or to the E-learning Administration learning modules
ALUI Technique Document
Q&A