securing web applications


Post on 11-May-2015






WEB DEVELOPMENT

Securing Web Applications with OpenAM

As software developers, we seek to design software that gets people's attention. Software that meets the needs of the user, performs well, and pleases the eye is sure to get users' attention. The security model of an application, on the other hand, gets very little attention from the average user - that is, until something goes wrong. One serious security breach could permanently blacklist an application or even a developer in the eyes of the users affected by that breach.

You'll learn: How OpenAM can secure web applications and how to set up OpenAM in a development environment.

You should know: You should have a clear understanding of how web applications work. For the tutorial, some experience with Linux and the Linux command line will be helpful.

Good software design dictates that security be taken into account throughout the requirements-gathering process and the actual build. Unfortunately, security considerations are often an afterthought in software design, again because developers are often so focused on functionality, performance and looks that security ends up taking a backseat. Even if you as a developer give careful consideration to security in all your applications, you may end up inheriting an application with a weak security model.

Authentication and Authorization

Security in web applications is a very broad topic. Let's narrow it down by talking about two major security considerations - authentication and authorization. Authentication is about verifying that the user is who they say they are. For example, I may enter my username and password to identify myself to an application. Depending on the circumstances, I may have to answer some personal questions or I may be prompted to install a certificate in my web browser's store. Once an application knows who the user is, it can move on to the authorization phase, which is deciding whether to fulfill or deny a particular request (i.e. to access a resource, take a certain action, etc.) on behalf of that particular user. For example, user pmorris may be authorized to view resource x but may not be authorized to edit resource x.

Will it scale?

In some cases a web application may handle authentication and authorization very well, but the solution may not be scalable. For example, an application server may store session state for each user and expect the user to send a session cookie with each request. This is a very common approach and honestly works well for most one-off applications. But what happens when one of our applications needs to connect (on behalf of the user) to some service we've written? Let's say the service runs on a second server and also requires authentication. The session cookie means nothing to that second server, so will we force the user to pass in credentials again? Or will the developer compromise and hard-code some credentials in the application for making the call to the external service? Or what if the developer simply wants to distribute a large application across multiple servers for performance but doesn't want the user to have to log in more than once? Each of those servers would need to know about the user's session.

HTTP Authentication

Up until this point we have talked about users being provisioned a session and that session being tracked by some stateful server. But it should be noted that we could build our web applications such that their servers could be essentially stateless. In other words, each request would be made in isolation. In such a case the user would have to be authenticated and authorized for each and every request. Some may frown upon such a design, but a stateless design is inherently scalable. Take a look at how well the World Wide Web has scaled over the past 20 years. This is due in large measure to its stateless design. Most calls that happen over HTTP are in isolation, although it has to be admitted that most requests made over HTTP do not need to be authenticated or authorized. HTTP as a protocol does include standards for authentication, namely Basic and Digest Authentication, both of which allow for a stateless approach. So why don't we see more applications using Basic or Digest Authentication? In the case of Basic authentication there are inherent security weaknesses since credentials are passed over the wire in clear text. Digest Authentication is very secure, however, since it uses one-way hashing to obscure the credentials such that it's impossible to extract them. It also includes policies for preventing the harvesting and replaying of hashed credentials. So why don't we see Digest Authentication more in web applications? Well, for one thing it is not trivial to learn and implement the standard. But the overriding reason is that frankly HTTP authentication is just not there yet. A lot of it seems to have to do with the inconsistent and incomplete manner in which web browsers have implemented the Digest Authentication standard. The details on that are beyond the scope of this article (Did you notice I haven't mentioned OpenAM once yet?), so I encourage you to read these two articles if you want to learn those details: ad=155252 and pers/WeaningTheWebOffOfSessionCookies.pdf

34 5/2011

So where does that leave us then? Well, we're back to a stateful server maintaining sessions for all our users and we're back to the problems with scalability that we mentioned earlier.

OpenAM as an Authentication and Authorization Solution

Meet OpenAM. (You see? I didn't forget the title of this article.) The AM stands for Access Management. OpenAM is a child project of OpenSSO (SSO for single sign-on), an open source product formerly sponsored by Sun Microsystems, now by Oracle. When Oracle bought out Sun they took back the latest release of OpenSSO (version 9.x) and now offer 8.x as the latest and greatest. A number of former Sun executives went on to head up a company called Forge Rock, which has taken version 9.x of OpenSSO, named it OpenAM and started to maintain and build on it (up to 9.5.x now), pledging to follow its original project roadmap from when it was under the oversight of

I see OpenAM as a solution for building security into your distributed applications from the start, as well as a way to secure that pre-existing, not-so-secure application that you may have inherited as a hired developer (since we know you would never build an insecure application yourself).

So OpenAM can be our stateful server for provisioning and tracking sessions for users. It can hook into an identity repository that already exists (e.g. Microsoft Active Directory) or you could set up its sister application, OpenDJ (formerly OpenDS), as the user store. OpenDJ is an open source LDAP directory service also sponsored by Forge Rock. And apparently, at least some users just use a plain old relational database as the identity store. Using the identity repository to verify the identity of each user, OpenAM provisions a session and can set cookies that represent that session in the user's browser. (I actually put together a proof of concept that eliminates the need for OpenAM to set cookies in the user's browser.)

[Figure 1. OpenDJ Server Settings] [Figure 2. OpenDJ Topology Options] [Figure 3. OpenDJ Directory Data] [Figure 4. OpenDJ Runtime Options]

en.sdjournal.org 35

Authorizing with OpenAM

OpenAM can be configured with fine-grained policies that dictate which identity subjects (users and/or groups) have access to which resources and even which HTTP methods can be invoked by a particular subject against a particular resource. So in other words OpenAM can be configured to allow user pmorris to GET the resource at http://www.exam- but not POST to that same resource (that same URL).

Scale Applications Securely with OpenAM

Let's talk about why OpenAM scales so well. OpenAM is a Java-based application that runs within a servlet container (Apache Tomcat, Glassfish, JBoss, etc.). So OpenAM is itself a web application, but it is not your web application. It partners with your web application. It has a single responsibility: to keep other applications secure. To illustrate: large office buildings with offices that handle very sensitive or secured resources often have a security team operating within the building. That team's focus is to keep the building and everything in it secure. The other teams of people within the building don't have to focus so much on security since there is already a team dedicated to that purpose operating within the building. The other teams are able to focus on what they do best (whatever that might be). OpenAM as a framework operates as that security team in your infrastructure, keeping your applications secure so that your application code can focus more on things like functionality, usability and performance. OpenAM exposes services (SOAP or REST) that can be invoked from your applications for authenticating users, checking their authorization to make a certain request, and even interacting with your identity repository to add users, to get the groups a user belongs to, etc. For the proof of concept I spoke of earlier, I set up very simple filters in front of a RESTful service to perform authentication and authorization before allowing access to the service itself. Can you see how such an

[Figure 5. OpenAM General] [Figure 6. OpenAM Server Settings] [Figure 7. OpenAM Configuration Store] [Figure 8. OpenAM User Store]

Take OpenAM for a Test Drive

So if you're like me, you like getting your hands on a technology so you can evaluate it yourself. Following is a step-by-step tutorial on how to set up OpenAM with OpenDJ as a user repository. All the prerequisites for our tutorial, from the OS (Ubuntu 10.04), to the servlet container (Apache Tomcat 7.0), to
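The stateless Digest exchange described under HTTP Authentication above, as an added example that is not part of the original article: a minimal server-side verifier in the RFC 2617 style (qop=auth) that stores only the hashed credential, mints nonces, and refuses replays by requiring a strictly increasing nonce-count per nonce. The realm, the pmorris account and its password are constructed, and client_header only stands in for what a browser would send back.

```python
import hashlib
import secrets
import time
REALM, NONCE_TTL = "example.org", 300   # constructed realm; seconds a nonce stays valid

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

# The server stores only HA1 = MD5(user:realm:password), never the password itself.
USERS_HA1 = {"pmorris": md5_hex(f"pmorris:{REALM}:s3cret")}  # constructed account
ISSUED_NONCES = {}  # nonce -> [issued_at, highest nonce-count accepted]
def issue_nonce() -> str:
    """Server side of the challenge: mint a fresh, unguessable nonce."""
    n = secrets.token_hex(16)
    ISSUED_NONCES[n] = [time.time(), 0]
    return n

def parse_auth(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; values may be quoted or bare."""
    if not header.startswith("Digest "):
        return {}
    pairs = (p.strip().split("=", 1) for p in header[7:].split(","))
    return {k: v.strip('"') for k, v in pairs}

def verify(method: str, header: str) -> bool:
    """Check one request on its own: credentials, URI, method and nonce freshness."""
    a = parse_auth(header)
    try:
        ha1, state, nc = USERS_HA1[a["username"]], ISSUED_NONCES[a["nonce"]], int(a["nc"], 16)
        ha2 = md5_hex(f"{method}:{a['uri']}")
        expected = md5_hex(f"{ha1}:{a['nonce']}:{a['nc']}:{a['cnonce']}:auth:{ha2}")
        response, qop = a["response"], a["qop"]
    except (KeyError, ValueError):
        return False
    issued_at, last_nc = state
    # Replay protection: nonce must be fresh and the nonce-count strictly increasing.
    if qop != "auth" or time.time() - issued_at > NONCE_TTL or nc <= last_nc:
        return False
    if not secrets.compare_digest(expected, response):
        return False
    state[1] = nc
    return True

def client_header(user, password, method, uri, nonce, nc, cnonce="0a4f113b"):
    """What a browser would send back for the challenge (constructed client side)."""
    ha1, ha2 = md5_hex(f"{user}:{REALM}:{password}"), md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')
```

The digest still depends on MD5 and on the strength of the password, so Digest complements TLS rather than replacing it.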
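The fine-grained policy described under Authorizing with OpenAM above, as an added example that is not the project's own code: a small deny-overrides evaluator over user and group subjects, resource URL patterns and HTTP methods, so pmorris can GET but not POST the same URL. The group memberships, the policies and the host name www.example.com (standing in for the truncated URL in the article) are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed identity data: group membership would come from OpenDJ/LDAP in practice.
GROUPS = {"pmorris": {"readers"}, "admin": {"readers", "editors"}}

# Constructed policies: subjects, a resource pattern, and per-method allow (True) / deny (False).
POLICIES = [
    {"subjects": {"group:readers"}, "resource": "http://www.example.com/*",
     "actions": {"GET": True}},
    {"subjects": {"group:editors"}, "resource": "http://www.example.com/*",
     "actions": {"GET": True, "POST": True}},
    {"subjects": {"user:pmorris"}, "resource": "http://www.example.com/private/*",
     "actions": {"GET": False}},
]

def normalize(url: str) -> str:
    """Lower-case scheme and host and drop the query so '?x=1' cannot dodge a rule."""
    u = urlsplit(url)
    return f"{u.scheme.lower()}://{u.netloc.lower()}{u.path or '/'}"

def subject_ids(user: str) -> set:
    """The identity subjects a request carries: the user plus every group it belongs to."""
    return {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, ())}

def is_allowed(user: str, method: str, url: str) -> bool:
    """Deny-overrides evaluation: any matching deny wins, otherwise one explicit allow is needed."""
    ids, res, decision = subject_ids(user), normalize(url), False
    for p in POLICIES:
        if not (ids & p["subjects"]) or not fnmatchcase(res, normalize(p["resource"])):
            continue
        if method in p["actions"]:
            if p["actions"][method] is False:
                return False
            decision = True
    return decision
```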
