Raymond K. Ng, Technical Lead - JAAS, Platform Security, Oracle Corporation
Securing J2EE Applications with Oracle Identity Management
Agenda
– Application Security Overview
– Authentication Requirements
– Authorization Requirements
– J2EE Security
– JAAS
– Oracle Strategy
Application Security
Security is a process, not a product or feature
– No 100% security
Only as secure as the weakest link
– Go beyond firewall security
– Implement multi-layer security
Considerations
– Authentication
– Authorization
– Accountability/Audit
– Secure Transport
Oracle 10g Security Architecture
[Figure: Oracle 10g Security Architecture diagram. Components shown: Browser; Oracle HTTP Server with mod_ossl and mod_osso; Oracle 10g Containers for J2EE (OC4J) with JAAS; Single Sign-On; Oracle Internet Directory; Security Infrastructure Layer.]
Authentication Requirements
Use The Appropriate Mechanism
– Username and password
– Client certificate
– Smart Card
– Biometrics
Single Sign-On (SSO)
Why SSO-enable your application?
– User Convenience
– Security
– Cost Reduction
Factors to consider
– Integration with infrastructure
– Extensible framework
Oracle 10g Single Sign-On
Centralized authentication for web applications
Multiple authentication options
– Username/password
– Client certificates
– 3rd party API (Biometrics, Smart Card, etc.)
Single Sign-Off
Multiple application types
Integrated across Oracle 10g
– OID, OC4J/JAAS, Portal, OHS, Wireless, Workflow, UM, Ultrasearch, Personalization, Reports, Forms, Discoverer…
Relevant Standards
– HTTP
– SSL/X.509
– J2EE
– JAAS
– Java Authentication SPI
– SAML
– WS-Security
– Plus emerging specifications
Authorization Requirements
Choose The Right Authorization Model
Roll Your Own (Application-specific)
– Maintenance
– Administrative Cost
– Inconsistent Authorization Policy => Insecurity
Understand The Relevant Standards
– J2EE Security
– Java 2 Security
– JAAS
– JACC
J2EE Security
Design Principles
– Declarative security model
    Decouple security logic from application logic
    Write once, run anywhere (WORA)
– Leverage existing security infrastructure
J2EE Roles
– Application Provider
– Application Assembler
– Application Deployer
– System Administrator
J2EE Security: Authentication
Multiple Authentication Methods
– Basic, Form, SSL client certificate, etc.
Declarative Security
– Deployment descriptors: web.xml, ejb-jar.xml
JSR 196: Java Authentication SPI
– J2EE 1.5
– JAAS LoginModule integration
Missing
– Single Sign-On support
J2EE Security: Authorization
Protected Resources
– Web Resources: URL patterns
– Enterprise Beans: Method permissions
"Role"-based Authorization
– Not "Role Based Access Control (RBAC)"
– Portability
JSR 115: Integration with Java 2/JAAS
– Pluggable security (authorization) provider
– J2EE security constraints => Java 2 permissions
JAAS: Java Authentication and Authorization Service
Java 2 Security
Key Components
– Security Policy defines the authorization policy
– SecurityManager/AccessController is the security monitor
Necessary if running any untrusted code in your JVM
Limitations
– Code-based security only
– No policy management API
– File-based implementation doesn't scale
What is JAAS?
Principal-based security
Authentication
– Pluggable Authentication Module (PAM) framework
Authorization
– Extension to the Java 2 Security Model
Optional Package to JDK 1.3
– JDK 1.4 Core API
J2EE 1.3 Requirement
– J2EE 1.4: JACC (JSR 115)
– J2EE 1.5: Java Authentication SPI (JSR 196)
Oracle 10g JAAS Provider
Oracle's JAAS (Java Authentication and Authorization Service) implementation, plus extensions
Integrated with Oracle 10g SSO and OID
Default Security Provider for Oracle 10g Containers for J2EE
Oracle 10g JAAS Provider: User Manager
[Figure: JAZNUserManager inside Oracle 10g Containers for J2EE, with two provider types: LDAP-based (OID repository) and XML-based (jazn-data.xml repository).]
Oracle 10g JAAS Provider: Authentication
Oracle's RealmLoginModule
Integrated with OC4J Authentication
– Declarative model
– Integrated with J2EE security model
– Integrated with Realm framework for user communities
Support for custom JAAS LoginModules
– Programmatic and declarative
– Integrated with J2EE security model
Option to use Oracle 10g Single Sign-On (SSO)
Oracle 10g JAAS Provider: Authorization
JAAS Authorization
– Principal-based (i.e. user) and code-based policies
– Hierarchical, role-based access control (RBAC)
– Realm framework to support multiple user communities
Authorization Repository
– XML flat file
– Oracle Internet Directory (OID)
Three methods of management
– Oracle Enterprise Manager
– JAZN Admintool
– Programmatic API
Oracle 10g JAAS Provider: What’s New
Custom JAAS LoginModules
– Leverage any JAAS-compliant LoginModule
– Integration with J2EE security model
Performance & Scalability Enhancements
OC4J Integration
– Password hiding (data-sources.xml, oc4j-ra.xml)
Tool Integration
– JDeveloper / BC4J
Oracle 10g JAAS Provider: Future Directions
Support for 3rd party LDAP directories
– Default LoginModule certified against AD and SunONE
JACC Provider (JSR 115)
– Unified authorization model for managed components
Java Authentication SPI (JSR 196)
– Unified authentication model for managed components
Portlet Integration (JSR 168)
– J2EE/JAAS authorization model for portlets
Management & Deployment Enhancements
– JSR 77 & 88
XML Services Security
Web Services Security
JAAS Up Your J2EE Apps
JAAS Up Your J2EE Apps: Putting the Pieces Together
Define your security policy
– Enterprise policy:
    role hierarchy
    user -> role assignment
    permission -> role assignment
– Application-specific policy:
    authentication method
    authorization constraints ("security-roles")
Deploy your J2EE Application
– authentication method
– authorization constraints ("security-role-mappings")
– RunAs identity
JAAS Up Your J2EE Apps: SSO-enabling your J2EE Apps
Specify static declarative constraints
– in web.xml or ejb-jar.xml
Deploy your J2EE applications
– specify JAZN-LDAP UserManager
– security-role mappings
    to OID realms, users and groups
Specify authentication method as SSO
– in orion-web.xml:
<jazn-web-app auth-method="SSO" />
JAAS Up Your J2EE Apps: Custom LoginModule Integration
Develop, package & deploy your application as usual
Package & deploy your custom LoginModule
– As an independent JAR or as part of your application
Configure your application
– Set JAZN property "role.mapping.dynamic" to "true"
– Set application classpath as appropriate
– Set security role mapping as appropriate
Register your custom LoginModule
– Associate your custom LoginModule with your application
– JAZN Admintool: "-addloginmodule" option
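As an added illustration of the custom LoginModule step above (example code written for this page, not Oracle's RealmLoginModule or any OC4J code): a minimal two-phase JAAS LoginModule that authenticates against a constructed in-memory user table and, only on commit, adds a user principal and a role principal to the Subject for the container's security-role mapping to match. The class name, the NamedPrincipal type and the user table are assumptions; a real module would consult a directory such as OID and compare hashed credentials.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical custom LoginModule written for this page; not Oracle's RealmLoginModule.
public class DemoLoginModule implements LoginModule {
    // Constructed demo table: user -> {password, role}. A real module would query a directory such as OID.
    private static final Map<String, String[]> USERS = Map.of(
        "alice", new String[] {"alice-secret", "manager"},
        "bob", new String[] {"bob-secret", "employee"});
    // Minimal Principal; the container's security-role mapping matches on getName().
    record NamedPrincipal(String name) implements Principal { public String getName() { return name; } }
    private Subject subject;
    private CallbackHandler handler;
    private String user, role;
    private boolean succeeded;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

    // Phase 1: obtain credentials through the container-supplied CallbackHandler and verify them.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {nc, pc}); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        String[] entry = USERS.get(nc.getName());
        char[] pw = pc.getPassword();   // a copy; both copies are cleared below
        pc.clearPassword();
        boolean ok = entry != null && pw != null && Arrays.equals(entry[0].toCharArray(), pw);
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("authentication failed");
        user = nc.getName();
        role = entry[1];
        succeeded = true;
        return true;
    }

    // Phase 2: add principals only on commit, so a failed two-phase login leaves the Subject untouched.
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new NamedPrincipal(user));
        subject.getPrincipals().add(new NamedPrincipal(role));
        return true;
    }
    public boolean abort() { succeeded = false; user = role = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof NamedPrincipal); return true; }
}
```

Packaged as its own JAR and registered with the application as the slide describes, the container drives initialize/login/commit through its own CallbackHandler; the module never needs to know whether the request came in via Basic, Form or SSO.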
JAAS Up Your J2EE Apps: Tips & Tricks
JAZN-LDAP
– User/group management delegated to DAS
– Grant RMIPermission to users accessing EJBs
JAZN-LDAP Cache
– Tuning parameters: "ldap.cache.*"
Identity Management Realm
– SSO integration
External Synchronization
– Performance vs. ease of development
Public Group
– Authentication only
Oracle Strategy
Distributed Systems Security Reference Architecture
[Figure: Distributed Systems Security Reference Architecture diagram. Elements shown: Users; Application; Protected Resources; Application Security Services (Authentication, Authorization, Privacy, Audit); Identity Management Infrastructure (Identity & Profile Assertion Services, Policy Decision Services, Identity & Policy Store, Administration & Provisioning).]
Oracle 10g Security Solution
– Oracle Identity Management Infrastructure for the enterprise
– Platform security enabled by Oracle Identity Management
– Platform components with high security assurance
Oracle Security Architecture
[Figure: Oracle Security Architecture diagram. Oracle Identity Management (Enterprise Security Infrastructure): Oracle Internet Directory, OracleAS Certificate Authority, Directory Integration & Provisioning, OracleAS Single Sign-on, Delegated Administration Services; grouped as Directory Services, Access Management, Provisioning Services and External Security Services. Oracle 10g Platform Security Bindings (Application Component Security): OracleAS 10g (JAAS, WS Security, Java 2 Permissions); Oracle 10g Database (Enterprise users, VPD, Encryption, Label Security); Oracle E-Business Suite (Responsibilities, Roles); Oracle Collaboration Suite (Secure Mail, Interpersonal Rights); OracleAS Portal & Wireless (Roles, Privilege Groups).]
Oracle Identity Management Benefits
Enables deployment of all Oracle products out of the box
– AS, DB, OCS, eBiz
An enterprise infrastructure that leverages Oracle's "unbreakable" technology
– Reliability, scalability, security, performance
A single point of integration for customers' existing identity management solutions
– Transparent 3rd party integration for OIM-enabled products
Accommodates a wide variety of partner solutions and customer deployments
– Open, standards-based infrastructure enables integration
What’s Next
Implementing Identity Management at Lawrence Livermore National Labs
– ID: 40287
– Presenter: Tony Macedo, Computer Scientist, LLNL
– Date: Thursday, 9/11
– Time: 3:15 - 4:15
– Location: Moscone Center room 120
Q&A: Questions & Answers