Securing Applications With PicketLink

Upload: anil-saldhana

Post on 13-Dec-2014

DESCRIPTION

Anil Saldhana and Pete Muir presented Securing Applications with PicketLink at Red Hat Summit 2013. For more information, please refer to http://www.picketlink.org and JDF. TicketMonster is a Java EE application with an HTML5 front end (http://www.jboss.org/jdf/examples/ticket-monster/tutorial/WhatIsTicketMonster/). This presentation covered securing TicketMonster with PicketLink.

TRANSCRIPT

Page 1: Securing Applications With Picketlink

Sunday, July 7, 13

Page 2

SECURING APPLICATIONS WITH PICKETLINK

Anil Saldhana, Red Hat
Pete Muir, Red Hat
June 2013

Page 3

What is it?

Security framework for Java EE
● Apache License V2
● First class support for CDI
● Secures your beans, bean methods, view layer, RESTful endpoints, servlets and more
● Simple API for managing Users, Groups and Roles
● Authenticate any way you want
● Federation (SAML, WS-Trust, OpenID)

Page 4

Overview

Page 5

Identity Management

Manage users, groups, roles and more
● Built in support for storing your identities in:
  ● File system
  ● A relational database (using JPA)
  ● LDAP
● Well defined SPI for creating custom identity stores
● Powerful query API for querying identities
● All operations done through IdentityManager, which can be simply @Injected into your beans

Page 6

BYO Identity Model

● We provide you with optional User, Group, Role classes

● We also provide a few default relationships – group membership, group role and application role

● But custom relationships (between two or more participating identities) are also easy to define

● Provides the flexibility you need to meet the requirements of your business or project

Page 7

Authentication

Authentication is initiated with Identity.login()
● Identity bean is a session-scoped bean that tracks the current user
● Authenticator can be configured per application or per request
● Supports multiple authentication methods in a single application (e.g. Username/password and OpenID)
● We provide some default (optional) support for some credential types
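The per-request Authenticator selection mentioned above, as an added example that is not code from the deck or from TicketMonster. It assumes the PicketLink 2.5.x API as I recall it (BaseAuthenticator, the @PicketLink qualifier, DefaultLoginCredentials, IdentityManager, UsernamePasswordCredentials, BasicModel; the beta-era setUser() became setAccount() in the final release) and a Java EE 7 container, where HttpServletRequest is injectable. The package name and the token table are hypothetical. Three public classes are shown in one listing; each goes in its own file.

```java
// Added example (not from the deck or TicketMonster); PicketLink 2.5.x API as assumed in the lead-in.
package org.example.security;   // hypothetical package

import java.util.HashMap;
import java.util.Map;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;

import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.Authenticator;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.User;

/** Username/password checked against the identity store, i.e. what the IDM default does for us. */
@RequestScoped
public class PasswordAuthenticator extends BaseAuthenticator {
    @Inject private IdentityManager identityManager;
    @Inject private DefaultLoginCredentials loginCredentials;   // filled in by the login endpoint

    @Override
    public void authenticate() {
        if (loginCredentials.getUserId() == null || loginCredentials.getPassword() == null) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }
        UsernamePasswordCredentials creds = new UsernamePasswordCredentials();
        creds.setUsername(loginCredentials.getUserId());
        creds.setPassword(new Password(loginCredentials.getPassword()));
        identityManager.validateCredentials(creds);          // the store compares against its salted hash
        if (creds.getStatus() == Credentials.Status.VALID) {
            setAccount(creds.getValidatedAccount());
            setStatus(AuthenticationStatus.SUCCESS);
        } else {
            setStatus(AuthenticationStatus.FAILURE);         // one outcome for unknown user and wrong password
        }
    }
}

/** Bearer-token login for the HTML5 client's XHR calls. */
@RequestScoped
public class ApiTokenAuthenticator extends BaseAuthenticator {
    // Constructed demo data: opaque token -> login name. Real code looks tokens up in a store.
    private static final Map<String, String> TOKENS = new HashMap<String, String>();
    static { TOKENS.put("tm-demo-token-7f3a", "admin"); }

    @Inject private HttpServletRequest request;
    @Inject private IdentityManager identityManager;

    @Override
    public void authenticate() {
        String header = request.getHeader("Authorization");
        String login = null;
        if (header != null && header.startsWith("Bearer ")) {
            login = TOKENS.get(header.substring("Bearer ".length()).trim());
        }
        User user = login == null ? null : BasicModel.getUser(identityManager, login);
        if (user != null && user.isEnabled()) {              // a disabled account must not get in via token either
            setAccount(user);
            setStatus(AuthenticationStatus.SUCCESS);
        } else {
            setStatus(AuthenticationStatus.FAILURE);
        }
    }
}

/** Per-request selection: PicketLink resolves the @PicketLink-qualified Authenticator when Identity.login() runs. */
@RequestScoped
public class AuthenticatorSelector {
    @Inject private HttpServletRequest request;
    @Inject private PasswordAuthenticator passwordAuthenticator;
    @Inject private ApiTokenAuthenticator tokenAuthenticator;

    @Produces @PicketLink
    public Authenticator select() {
        String header = request.getHeader("Authorization");
        boolean bearer = header != null && header.startsWith("Bearer ");
        return bearer ? tokenAuthenticator : passwordAuthenticator;
    }
}
```

Both authenticators report only SUCCESS or FAILURE to the caller, so a login endpoint built on top of them cannot leak whether the user name or the credential was wrong; the reason stays in the Credentials status for server-side logging.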

Page 11

RESTful Authentication Endpoint

org.jboss.jdf.example.ticketmonster.security.rest.LoginService

● Username/password passed in via the credential parameter
● Identity.login() invoked
● If authentication is successful, the User object is read from the Identity bean and passed back in the REST response
● We haven't configured an Authenticator for this application, so by default Identity Management is used to authenticate
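The login endpoint described on this slide, as an added example that is not TicketMonster's LoginService. It assumes the PicketLink 2.5.x API as I recall it (Identity, Identity.AuthenticationResult, DefaultLoginCredentials, Identity.getAccount() returning the logged-in User; the beta API used getUser()), JAX-RS 2.0 and Servlet 3.1 for changeSessionId(). The package name and the request/response shapes are hypothetical.

```java
// Added example, not TicketMonster's LoginService; PicketLink 2.5.x API as assumed in the lead-in.
package org.example.security.rest;   // hypothetical package

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.picketlink.Identity;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.model.basic.User;

@Path("/login")
@RequestScoped
public class LoginService {

    @Inject private Identity identity;                  // session-scoped; tracks the current user
    @Inject private DefaultLoginCredentials credential; // request-scoped; read by the Authenticator
    @Context private HttpServletRequest request;

    /** JSON body sent by the HTML5 client: {"userId": "...", "password": "..."} */
    public static class AuthenticationRequest {
        public String userId;
        public String password;
    }

    /** What goes back to the browser: the attributes the UI needs, not the whole User. */
    public static class CurrentUser {
        public String loginName;
        public String firstName;
        public String lastName;
    }

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Response login(AuthenticationRequest body) {
        if (identity.isLoggedIn()) {
            // A second POST must not quietly switch an existing session to another account
            return Response.ok(view((User) identity.getAccount())).build();
        }
        if (body == null || body.userId == null || body.password == null) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        credential.setUserId(body.userId);
        credential.setPassword(body.password);

        // Delegates to the @PicketLink Authenticator if one is configured, otherwise to IDM
        Identity.AuthenticationResult result = identity.login();
        body.password = null;

        if (result != Identity.AuthenticationResult.SUCCESS) {
            // Same status and body whether the user is unknown or the password is wrong
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Servlet 3.1: fresh session id after the privilege change, session attributes (and the Identity bean) survive
        request.changeSessionId();
        return Response.ok(view((User) identity.getAccount())).build();
    }

    private static CurrentUser view(User user) {
        CurrentUser cu = new CurrentUser();
        cu.loginName = user.getLoginName();
        cu.firstName = user.getFirstName();
        cu.lastName = user.getLastName();
        return cu;
    }
}
```

Returning a trimmed view instead of the User object itself keeps identity attributes such as e-mail, enabled flag or expiry date out of the JSON response unless the page actually needs them.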

Page 12

Where are our users defined?

org.jboss.jdf.example.ticketmonster.security.IdentityManagementInitializer
● @Startup bean is instantiated during app startup
● IdentityManager is @Injected
● initialize() is a @PostConstruct method, so it is executed automatically
● Creates the users, roles and default passwords for our application
● Sensible IDM configuration defaults make this possible

Page 13

Securing application methods

org.jboss.jdf.example.ticketmonster.rest.BookingService
● We want to restrict the createBooking() method to only logged-in users
● @UserLoggedIn is a Security Binding Type, an annotation used to restrict access to beans and bean methods
● This feature is provided by Apache DeltaSpike
● A Security Binding Type requires an Authorizer method, annotated with @Secures in addition to the binding annotation

Page 14

Implementing the Authorizer method

org.jboss.jdf.example.ticketmonster.security.AuthorizationManager
● The isUserLoggedIn() method controls access to methods annotated with @UserLoggedIn
● Is annotated with both @Secures and @UserLoggedIn
● Parameters of an authorizer method are treated as injection points
● Must return a boolean to indicate whether the authorization was successful; a result of true means the restricted method may be invoked by the current user

Page 15

Servlet security

org.jboss.jdf.example.ticketmonster.security.RoleBasedAuthorizationFilter
● Standard servlet filter, active for all requests
● Delegates authorization check to AuthorizationManager.isAllowed()
● Only allows requests to /admin/* URLs if user has the Administrator role
● IdentityManager.hasRole() method used to check if the current user has the required role
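A filter of the kind described on this slide, as an added example that is not TicketMonster's RoleBasedAuthorizationFilter. It assumes the PicketLink 2.5.x API as I recall it: the deck's beta-era IdentityManager.hasRole() became BasicModel.hasRole(RelationshipManager, ...) in the final release, and the role check is kept inside the filter rather than in a separate AuthorizationManager. The package name is hypothetical.

```java
// Added example, not TicketMonster's filter; PicketLink 2.5.x API as assumed in the lead-in.
package org.example.security;   // hypothetical package

import java.io.IOException;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.picketlink.Identity;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Role;

@WebFilter(urlPatterns = "/*")   // active for every request
public class RoleBasedAuthorizationFilter implements Filter {

    @Inject private Identity identity;
    @Inject private IdentityManager identityManager;
    @Inject private RelationshipManager relationshipManager;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isAllowed(request)) {
            chain.doFilter(req, res);
        } else if (identity.isLoggedIn()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);      // known user, wrong role
        } else {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // nobody logged in
        }
    }

    /** Everything outside /admin passes; /admin and /admin/* need the Administrator role. */
    boolean isAllowed(HttpServletRequest request) {
        // servletPath + pathInfo is the decoded path the container actually dispatched on,
        // which is the right thing to compare against; the raw request URI is not.
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        if (!path.equals("/admin") && !path.startsWith("/admin/")) {
            return true;
        }
        if (!identity.isLoggedIn()) {
            return false;
        }
        Role admin = BasicModel.getRole(identityManager, "Administrator");
        return admin != null && BasicModel.hasRole(relationshipManager, identity.getAccount(), admin);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Answering 401 for anonymous requests and 403 for authenticated ones without the role lets the HTML5 client distinguish "log in first" from "not for you" without the filter revealing anything about the protected resource itself.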

Page 16

View layer security

We can also tailor the user experience based on the current user's privileges

● JSF <ui:fragment> control can be used to show or hide parts of the page based on roles

● Can access the Identity bean directly via EL, e.g. #{identity.loggedIn}

● Can also use application-specific checks, e.g. AuthorizationManager.isAdmin()
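A Facelets fragment of the kind this slide describes, as an added example and not a TicketMonster view. It assumes PicketLink's Identity bean is reachable in EL as identity, that identity.account is the logged-in User at runtime (so loginName resolves), and that the application's AuthorizationManager is a @Named bean exposing isAdmin(); the outcomes /login and /admin/index are hypothetical.

```xml
<!-- Added example, not a TicketMonster page; bean names as assumed in the lead-in -->
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
                xmlns:ui="http://java.sun.com/jsf/facelets"
                xmlns:h="http://java.sun.com/jsf/html">

  <!-- Rendered only when the session-scoped Identity bean reports a login -->
  <ui:fragment rendered="#{identity.loggedIn}">
    <p>Logged in as #{identity.account.loginName}</p>
    <h:form>
      <h:commandButton value="Log out" action="#{identity.logout}" />
    </h:form>
  </ui:fragment>

  <ui:fragment rendered="#{not identity.loggedIn}">
    <h:link outcome="/login" value="Log in" />
  </ui:fragment>

  <!-- Application-specific check: AuthorizationManager.isAdmin() via the @Named bean -->
  <ui:fragment rendered="#{authorizationManager.admin}">
    <h:link outcome="/admin/index" value="Administration" />
  </ui:fragment>

</ui:composition>
```

Hiding a link this way is user experience, not access control: anyone can still type the /admin URL, so the servlet filter and the security binding types on the server remain the actual enforcement point.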

Page 17

User Registration

IDM makes it easy to implement user self-registration
● org.jboss.jdf.example.ticketmonster.security.rest.RegistrationService

● The register() method receives a user registration request

● The performRegistration() method creates a new User, assigns them the User role, and adds them to the Users group.

● The registering user is even automatically logged in by the performSilentAuthentication() method

● An alternative would be to send a confirmation e-mail
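The identity seeding from the IdentityManagementInitializer slide and the self-registration flow from this slide, as one added example that is not TicketMonster's code. It assumes the PicketLink 2.5.x API as I recall it (IdentityManager, RelationshipManager, BasicModel, Password, DefaultLoginCredentials, Identity; the beta used IdentityManager.grantRole()/addToGroup()). The package name, the TICKETMONSTER_ADMIN_PASSWORD environment variable and the request shape are hypothetical. Two public classes are shown in one listing; each goes in its own file.

```java
// Added example, not TicketMonster's classes; PicketLink 2.5.x API as assumed in the lead-in.
package org.example.security;   // hypothetical package

import java.util.Collections;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.picketlink.Identity;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.model.basic.*;

/** Runs once at deployment: creates the roles, the Users group and the administrator. */
@Singleton
@Startup
public class IdentityManagementInitializer {
    @Inject private IdentityManager identityManager;
    @Inject private RelationshipManager relationshipManager;

    @PostConstruct
    public void initialize() {
        for (String name : new String[] {"Administrator", "User"}) {
            if (BasicModel.getRole(identityManager, name) == null) {   // a file/JPA store may already hold them
                identityManager.add(new Role(name));
            }
        }
        if (BasicModel.getGroup(identityManager, "Users") == null) {
            identityManager.add(new Group("Users"));
        }
        if (BasicModel.getUser(identityManager, "admin") == null) {
            // The deck seeds default passwords for the demo; a deployment takes the initial secret from outside
            String secret = System.getenv("TICKETMONSTER_ADMIN_PASSWORD");   // hypothetical variable
            if (secret == null || secret.length() < 12) {
                throw new IllegalStateException("TICKETMONSTER_ADMIN_PASSWORD is unset or shorter than 12 chars");
            }
            User admin = new User("admin");
            identityManager.add(admin);
            identityManager.updateCredential(admin, new Password(secret));   // stored as a salted hash by default
            BasicModel.grantRole(relationshipManager, admin, BasicModel.getRole(identityManager, "Administrator"));
        }
    }
}

/** Self-registration: create the account, grant User, join Users, then log the new user in. */
@Path("/register")
@RequestScoped
public class RegistrationService {
    private static final Pattern LOGIN_NAME = Pattern.compile("[a-z0-9_.-]{3,32}");

    public static class RegistrationRequest {
        public String loginName, firstName, lastName, email, password;
    }

    @Inject private IdentityManager identityManager;
    @Inject private RelationshipManager relationshipManager;
    @Inject private Identity identity;
    @Inject private DefaultLoginCredentials credential;

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Response register(RegistrationRequest req) {
        if (req == null || req.loginName == null || !LOGIN_NAME.matcher(req.loginName).matches()
                || req.password == null || req.password.length() < 10) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        if (BasicModel.getUser(identityManager, req.loginName) != null) {
            return Response.status(Response.Status.CONFLICT).build();   // reveals taken names; usual trade-off
        }
        User user = performRegistration(req);
        performSilentAuthentication(req);
        return Response.status(Response.Status.CREATED)
                .entity(Collections.singletonMap("loginName", user.getLoginName())).build();
    }

    private User performRegistration(RegistrationRequest req) {
        User user = new User(req.loginName);
        user.setFirstName(req.firstName);
        user.setLastName(req.lastName);
        user.setEmail(req.email);
        identityManager.add(user);
        identityManager.updateCredential(user, new Password(req.password));
        BasicModel.grantRole(relationshipManager, user, BasicModel.getRole(identityManager, "User"));
        BasicModel.addToGroup(relationshipManager, user, BasicModel.getGroup(identityManager, "Users"));
        return user;
    }

    private void performSilentAuthentication(RegistrationRequest req) {
        credential.setUserId(req.loginName);
        credential.setPassword(req.password);
        identity.login();   // same path as a normal login, so the stored credential is proven to work
    }
}
```

Going through Identity.login() for the silent authentication, rather than marking the session as logged in by hand, means the new account is subject to whatever Authenticator and credential checks ordinary logins get.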

Page 18

Other IDM Features

Built-in authentication support for
● Form-based, BASIC, DIGEST, X509 Certificate, Username/Password
Password encoding
● Defaults to a salted hash, or BYO
Mix and match identity stores
● Store your users in LDAP, roles and groups in DB

Page 19

Other Features of PicketLink

PicketLink Federation (SSO and Trust)
● SAML 2.0
● SAML 1.1
● WS-Trust 1.3

Page 20

Other Features of PicketLink

PicketLink Social Login
● Login using Facebook
● Login using Twitter
● Login using Google
● Login using OpenID

Page 21

PicketLink RoadMap

PicketLink v2.5.0 is the target
● Currently in frequent beta releases (last: Beta4)
● CR cycles to start soon
● Current emphasis on QE, Quickstarts and Demos
● Final planned mid-July (plus or minus 2 weeks)

Page 22

PicketLink Resources

PicketLink has a one-stop resource
● http://www.picketlink.org
● JDF Quickstarts

Page 23

Questions?
