Successful SOA Security Integration · 2010-03-28
TRANSCRIPT
ManTech Proprietary Information
Successful SOA Security Integration
Air Force SOA Developer’s Conference
Kevin T. Smith, Senior Technical Director
May 21, 2009
About the Presenter (slide 2)
Architect and Software Developer: of SOA Security Solutions for many government customers
Killer of Trees: Books and articles focusing on SW Engineering, Web Services, XML, Enterprise Architecture, and SOA Security
Recent Book: Applied SOA: Service-Oriented Architecture and Design Strategies
Speaker: SOA Security Workshop Presenter at many conferences, such as: RSA Security Conference, JavaOne, ApacheCon, Net-Centric Warfare, AFEI, AFCEA, SemTech, Object Management Group conferences, etc.
Contributing Author
Loose Coupling is Key To SOA
Historically, we have built monolithic applications and stovepiped systems, where data, functionality, and business rules could not be reused in other applications.
We can now distribute functionality to the network and expose it as services so that many other applications can reuse that functionality.
(Animated Slide – Hard Copy of this Slide will make no sense!)
Loose Security Coupling is Key To SOA Integration
Decouple Security Processing from Business Processing!
*From Rosen, Lublinsky, Smith, Balcer, Applied SOA: Service-Oriented Architecture & Design Strategies, Wiley, 2008.
Why is Decoupling of Security Processes Important?
(1) You don’t want business code & security code tangled up
(2) You should reuse security logic for all services & clients
(3) Exposing Functionality into Reusable Components is what SOA is all About!
*From Rosen, Lublinsky, Smith, Balcer, Applied SOA: Service-Oriented Architecture & Design Strategies, Wiley, 2008.
High-Level Interceptor Design (slide 6)
This is an Implementation-Agnostic Design: Use it In The Framework of Your Choice
Interceptor Code for You To Inspect (slide 7)
Back in the Day, I wrote DIA’s NCES SOA Security Toolkit - Interceptor Code for Horizontal Fusion (HF)
• Used Apache Axis 1.4.x – a little dated, but still works
• Provides secure messaging, validation, access control using NCES Specification
• WS-Security SAML Token Profile-ish: WS-Security Messaging with SAML, WS-Addressing MessageID, Timestamp, with digitally signed components
• Customizable Access Control Methods
  • Can use Local PDP/PEP - Recommended (old NCES PDS no longer supported)
  • Can turn off CVS Checking – Recommended (Now, NCES uses RCVS)
• Client handlers & server handlers for NCES integration
• For other customers, I have used different frameworks (same concept) – Axis2, JAX-WS, JAX-RPC, proprietary security components (choose the web service container of your choice)
• My Code Online with Documentation & Examples: http://horizontalfusion.dtic.mil/docs/specs/20040417_nces_dia_security.zip
This is just an example – you can also use higher-level frameworks (Spring Security, Apache Rampart, etc.)
But The Design on PREVIOUS SLIDE is more important than what you use
Are Your Clients Tightly Coupled to Security Policy? (slide 8)
Will changes in your service’s connection policy require client integration?
• If a service changes its messaging security policies, will all of your service clients break?
• Will your clients have to re-write client handlers, etc?
• If so, your clients are tightly coupled to security messaging.
High-Level Design of Dynamic Policy Processing (slide 9)
Don’t hard code security rules in security interceptors!
*From K. Smith, “Flexibility by Design: Adapting to Changes at Run-Time in SOA Implementations”, SOAInstitute.org, Sept 2008.
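The interceptor design of slides 6 and 7 combined with the dynamic-policy rule above, as an added example that is not part of the talk or its NCES toolkit: a framework-agnostic interceptor that takes its rules (clock skew, signature requirement) from a policy object supplied at run time and keeps a replay window on WS-Addressing MessageIDs. The class and property names are assumptions, and the Headers fields are assumed to have been extracted from the message by whatever container hosts the interceptor.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

/** Added example, not the talk's toolkit code: a security interceptor whose rules come from a
 *  policy object supplied at run time instead of being hard-coded in the interceptor itself. */
public class PolicyDrivenInterceptor {
    /** Security-relevant header fields, assumed already extracted from the message by the container. */
    public static final class Headers {
        final String messageId; final Instant timestamp; final boolean signed;
        public Headers(String messageId, Instant timestamp, boolean signed) {
            this.messageId = messageId; this.timestamp = timestamp; this.signed = signed;
        }
    }

    private final Properties policy;                               // owned by a policy store; may change at any time
    private final Map<String, Instant> seenIds = new HashMap<>();  // replay window keyed by WS-Addressing MessageID

    public PolicyDrivenInterceptor(Properties policy) { this.policy = policy; }

    /** Returns null when the message passes every policy rule, otherwise the reason it was rejected. */
    public synchronized String check(Headers h, Instant now) {
        Duration maxSkew = Duration.ofSeconds(Long.parseLong(policy.getProperty("timestamp.maxSkewSeconds", "300")));
        boolean requireSig = Boolean.parseBoolean(policy.getProperty("signature.required", "true"));
        if (requireSig && !h.signed) return "policy requires digitally signed security headers";
        if (h.timestamp == null || Duration.between(h.timestamp, now).abs().compareTo(maxSkew) > 0)
            return "timestamp missing or outside the allowed clock skew";
        // forget IDs older than the skew window: a repeat of one of those already fails the timestamp rule
        seenIds.values().removeIf(t -> Duration.between(t, now).compareTo(maxSkew) > 0);
        if (h.messageId == null || seenIds.putIfAbsent(h.messageId, h.timestamp) != null)
            return "MessageID missing or already seen within the window (replay)";
        return null;
    }

    public static void main(String[] args) {
        Properties policy = new Properties();             // constructed sample policy; normally loaded from a store
        policy.setProperty("timestamp.maxSkewSeconds", "60");
        policy.setProperty("signature.required", "true");
        PolicyDrivenInterceptor interceptor = new PolicyDrivenInterceptor(policy);
        Instant now = Instant.parse("2009-05-12T11:21:12Z");
        Headers fresh = new Headers("uuid:1", now.minusSeconds(10), true);
        System.out.println(interceptor.check(fresh, now));   // a signed, in-window, first-seen message
        System.out.println(interceptor.check(fresh, now));   // the same MessageID presented again
        policy.setProperty("signature.required", "false");   // policy change: no code on either side changes
        System.out.println(interceptor.check(new Headers("uuid:2", now, false), now));
    }
}
```

Because the business service never sees these rules, relaxing or tightening them (as the last call does) is a policy-store change rather than a client or service release.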
Don’t Forget to Secure and Filter Your Data (slide 10)
(Diagram: Portal and Secret User; services A, B, C, D, E each marked (S); one item marked TS – “OOPS!”)
• Some focus so much on access control to services, that they forget to control access to the data
• Data must be marked with access control (releasability) markings & filtered on the way back to the user – CAPCO standards such as IC-ISM
• Header- vs. Element-Level Marking Solutions:
  • Header-Level separates security data from business data, placing the roll-up in the header of the message
  • Element-Level Marking allows you to do TRUE filtering of the message, whereas filtering header-level marked messages results in a “keep” or “drop.”
Example Filtering Solutions with Marked Data (slide 11)
Get your Security Interceptors to filter responses
*From Rosen, Lublinsky, Smith, Balcer, Applied SOA: Service-Oriented Architecture & Design Strategies, Wiley, 2008.
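The header-level versus element-level behaviour described on slides 10 and 11, as an added example that is not the book's or the talk's code: a response filter a security interceptor could run on the way back to the user. The classification and compartments attributes are a simplified stand-in for the real IC-ISM vocabulary, the class name is an assumption, and the sample message is constructed.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

/** Added example, not the book's or the talk's code: element-level filtering of a marked response.
 *  The classification/compartments attributes are a simplified stand-in for the IC-ISM vocabulary. */
public class ElementLevelFilter {
    private static final List<String> LEVELS = Arrays.asList("U", "C", "S", "TS");
    private final int userLevel;
    private final Set<String> userCompartments;
    public ElementLevelFilter(String clearance, Set<String> compartments) {
        this.userLevel = LEVELS.indexOf(clearance); this.userCompartments = compartments;
    }
    /** False when the root's roll-up marking already excludes the user (the header-level keep-or-drop
     *  case); otherwise prunes every subtree the user may not see and returns true. */
    public boolean filter(Document doc) {
        Element root = doc.getDocumentElement();
        if (!permitted(root)) return false;
        prune(root); return true;
    }
    private void prune(Element el) {
        NodeList kids = el.getChildNodes();
        for (int i = kids.getLength() - 1; i >= 0; i--) {             // backwards, so removal is safe
            if (kids.item(i).getNodeType() != Node.ELEMENT_NODE) continue;
            Element child = (Element) kids.item(i);
            if (permitted(child)) prune(child); else el.removeChild(child);
        }
    }
    private boolean permitted(Element e) {
        String cls = e.getAttribute("classification");
        if (cls.isEmpty()) return true;                                // unmarked: inherits its (permitted) parent
        if (LEVELS.indexOf(cls) < 0 || LEVELS.indexOf(cls) > userLevel) return false; // unknown level fails closed
        for (String c : e.getAttribute("compartments").split(","))
            if (!c.trim().isEmpty() && !userCompartments.contains(c.trim())) return false;
        return true;
    }
    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, hence no XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
    public static void main(String[] args) throws Exception {
        String msg = "<report classification=\"TS\" compartments=\"MILES\">"    // constructed sample response
            + "<summary classification=\"S\">releasable at S</summary>"
            + "<detail classification=\"TS\" compartments=\"MILES,MINGUS\">needs MINGUS too</detail></report>";
        Document doc = parse(msg);
        ElementLevelFilter f = new ElementLevelFilter("TS", new HashSet<>(Arrays.asList("MILES")));
        System.out.println(f.filter(doc) + " " + doc.getElementsByTagName("*").getLength());
    }
}
```

With only header-level marking the interceptor would have nothing but the roll-up to act on, so the same user would get the whole report or none of it; element-level marking lets the detail element alone be dropped.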
Integrating with Attribute Services (slide 12)
All Components of your Solutions must have assurance of:
• Authentication (AuthN) - What is the Subject’s Identity?
• Authorization (AuthZ) – What does the Subject Have Permission to do?
Attribute Services Gaining Popularity for AuthZ
Many organizations in DoD & IC are using attribute services and building ABAC policies for clearance, compartment, citizenship, etc., and using “role” as another attribute
Typical Integration Issue for Web Servers/App Servers – RBAC vs. ABAC
• RBAC - Java Servlet API uses isUserInRole() and most app servers use roles for permission management; We need to have a way to map ABAC->RBAC
• Need a way to map ABAC Attributes into J2EE Roles for Web Applications
EFFECTIVE ABAC->RBAC MAPPING MODEL
ATTRIBUTES                        ROLES
Clearance = TS                    CLEARANCE.TS
Compartments = MILES,MINGUS       COMPARTMENT.MILES, COMPARTMENT.MINGUS
Citizenship = USA                 CITIZENSHIP.USA
Role = Producer                   ROLE.PRODUCER
Typically, if Attribute Services are Specific to Government (ex: web services) & not LDAP, You May Need to Write Custom Code
Code For You: Custom J2EE Security Realm for Attribute Service Integration (slide 13)
Custom Tomcat 6.0.16+ Security Realm
• Installation ANT build configures Tomcat for Digital Certificate Authentication & Configures Realm based on Current Security Infrastructure
• Performs Cached CRL Checking (via a directory)
• Retrieves attributes, mapping them to J2EE Roles
• Example Webapp (SecurityTest) Performs RBAC Authorization at Web Container Level
Contains ANT build that prompts user for values, + configures all
What You Need to Do: Extend an Included Class that Accesses Your Attribute Service.
Reusable Realm Code – Class Diagram (slide 14)
The AFRealm class is configured in <TOMCAT_HOME>/server.xml. Properties:
-crlCheckingEnabled
-attributeServiceClassName
This is simply example code -- a concrete implementation of AttributeServiceIF. Write your own code HERE to integrate with the attribute service of your choice! After you do, configure the *className* property of the Realm in server.xml
CRL Properties configured in <TOMCAT_HOME>/conf/afRealm.properties
Skeleton Implementation of your AttributeService accessor class (slide 15)
package mil.dod.af.security.tomcat;

import java.util.*;
import org.apache.log4j.Logger;

/***************************************************************************
 * This class is an example instance. Your instance will actually call
 * an attribute service
 *
 * @author Kevin T. Smith
 * @date 2/28/09
 ***************************************************************************/
public class ExampleAttributeServiceImpl extends AttributeServiceBase {
    private static final Logger log = Logger.getLogger("ExampleAttributeService.class");

    public ExampleAttributeServiceImpl()
    {
        // Here is where you would create a stub for the service
    }

    // Required method: query your attribute service for the subject's attributes
    // and turn them into J2EE role names
    public ArrayList getRolesForUser(String dn)
    {
        ArrayList roles = new ArrayList();
        // Here is where you would call various methods on your attribute service to get attributes
        Hashtable hashtable = getAttributes(dn);
        Enumeration e = hashtable.keys();
        while (e.hasMoreElements())
        {
            String attribute = (String) e.nextElement();
            // addToRoles() is a convenience method inherited from AttributeServiceBase
            super.addToRoles(roles, attribute, hashtable.get(attribute));
        }
        return roles;
    }
}
Calls addToRoles() from the superclass AttributeServiceBase – contains convenience methods to map attributes to roles
getRolesForUser() is the required method. In this method, query your attribute service for credentials
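The ABAC->RBAC mapping model of slide 12 and the addToRoles() convenience call the skeleton above relies on, written out as an added stand-alone example (this is not the toolkit's AttributeServiceBase; the class name AttributeRoleMapper and the singular COMPARTMENT prefix, which follows the slide's table rather than the plural form seen in the slide 16 log, are assumptions):

```java
import java.util.*;

/** Added example, not the toolkit's AttributeServiceBase: the ABAC->RBAC mapping the slide describes,
 *  as a stand-alone mapper. Attribute names and role format follow the slide; the class is an assumption. */
public class AttributeRoleMapper {
    /** Attributes whose value is a comma-separated list; each value becomes its own role. */
    private static final Set<String> MULTI_VALUED = new HashSet<>(Arrays.asList("COMPARTMENTS"));
    /** Singular role prefix for a plural attribute name, e.g. Compartments=MILES -> COMPARTMENT.MILES. */
    private static final Map<String, String> PREFIX = Collections.singletonMap("COMPARTMENTS", "COMPARTMENT");

    /** Mirrors the convenience method the skeleton calls: one attribute in, zero or more roles out. */
    public static void addToRoles(List<String> roles, String attribute, Object value) {
        if (attribute == null || value == null) return;
        String name = attribute.trim().toUpperCase(Locale.ROOT);
        String prefix = PREFIX.getOrDefault(name, name);
        String[] values = MULTI_VALUED.contains(name) ? value.toString().split(",") : new String[] { value.toString() };
        for (String v : values) {
            String role = prefix + "." + v.trim().toUpperCase(Locale.ROOT);  // normalise so web.xml names match exactly
            if (!v.trim().isEmpty() && !roles.contains(role)) roles.add(role);
        }
    }

    /** What the container's isUserInRole() boils down to once the attributes have become roles. */
    public static boolean isUserInRole(List<String> roles, String role) { return roles.contains(role); }

    public static void main(String[] args) {
        Map<String, String> attrs = new LinkedHashMap<>();   // constructed: the subject from the slide's table
        attrs.put("Clearance", "TS");
        attrs.put("Compartments", "MILES,MINGUS");
        attrs.put("Citizenship", "USA");
        attrs.put("Role", "Producer");
        List<String> roles = new ArrayList<>();
        for (Map.Entry<String, String> a : attrs.entrySet()) addToRoles(roles, a.getKey(), a.getValue());
        System.out.println(roles);
        // a web.xml <auth-constraint> naming COMPARTMENT.MINGUS and CLEARANCE.TS would admit this subject
        System.out.println(isUserInRole(roles, "COMPARTMENT.MINGUS") && isUserInRole(roles, "CLEARANCE.TS"));
    }
}
```

The trim and upper-casing matter in practice: a role name in web.xml has to match the mapped string byte for byte, so attribute values with stray whitespace or mixed case would otherwise silently deny access.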
Configurable Logging on Security Events -> AFSecurity.log (slide 16)
2009-05-12 11:20:57,059 INFO mil.dod.af.security.tomcat.CRLDownloader - ****** U ******
System ID = AF Portal (Security Realm)
User ID = <SYSTEM>
Workstation ID = 192.168.0.126, host = kevin-smiths-macbook-pro.local)
Message = SUCCESSFUL CRL DOWNLOAD: ldap://ldap.digsigtrust.com:389
Successful? = TRUE
May 12, 2009 11:20:58 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
May 12, 2009 11:20:58 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2795 ms
2009-05-12 11:21:12,055 INFO mil.dod.af.security.tomcat.CRLChecker - ****** U ******
System ID = AF Portal (Security Realm)
User ID = C=US,O=U.S. Government,OU=MMBI,OU=OPTIC,OU=People,CN=Franco Harris
Workstation ID = 192.168.0.126, host = kevin-smiths-macbook-pro.local)
Message = SUCCESSFUL CRL CHECK - AUTHENTICATED USER NOT REVOKED
Successful? = TRUE
2009-05-12 11:21:12,055 INFO AFRealm.class - ****** U ******
System ID = AF Portal (Security Realm)
User ID = C=US, O=U.S. Government, OU=MMBI, OU=OPTIC, OU=People, CN=Franco Harris
Workstation ID = 192.168.0.126, host = kevin-smiths-macbook-pro.local)
Message = SUCCESSFUL DIGITAL CERTIFICATE AUTHENTICATION
Successful? = TRUE
2009-05-12 11:21:12,058 INFO AFRealm.class - ****** U ******
System ID = AF Portal (Security Realm)
User ID = C=US, O=U.S. Government, OU=MMBI, OU=OPTIC, OU=People, CN=Franco Harris
Workstation ID = 192.168.0.126, host = kevin-smiths-macbook-pro.local)
Message = SUCCESSFUL CREDENTIAL RETRIEVAL. AUTHENTICATED USER's CREDENTIALS ARE:
[CITIZENSHIP.USA, COMPARTMENTS.DIZ, COMPARTMENTS.MONK, COMPARTMENTS.TRANE, COMPARTMENTS.MILES, COMPARTMENTS.BIRD,
CLEARANCE.TS]
Successful? = TRUE
(Callouts on the slide: CRL Checking Audit Event, Authentication Audit Event, Attribute Credential Retrieval)
Further Exercise (slide 17)
Extend the Realm to use a Client Interceptor to:
• Propagate Identity & Attributes to Service Tier using WS-Security SAML Token Profile (requires no attribute service lookup by service; trust of user dependent on trust of the service client)
• Propagate Identity Only using various mechanisms (WS-Security Username Token Profile, etc.) – requires service to do Attribute Service Lookup, trust of propagated user dependent on trust of Client Interceptor
Final Thoughts (slide 18)
Key Tips for Successful SOA Security Integration
• Decouple business logic & security logic into interceptors/security components (slide 6)
• Decouple security policy logic using dynamic policy design (slide 9)
• Label & filter your messages (slides 10 & 11)
Enjoy the Custom Realm Code: http://www.mantech.com/afrealm/register.aspx
More SOA Security Blueprints & Best Practices are available in the “SOA Security” chapter of: Applied SOA: Service Oriented Architecture and Design Strategies
Questions? Email Me – [email protected]