Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC

Editor's Notes

• #10: Talk to the simplification of binding methods to permissions. When the RolesAllowed references permissions, you can modify the permissions assigned to a role at runtime in order to change the system's configuration. Also, adding additional roles at runtime is possible without having to redeploy the application. Roles - Static assignment Permissions - Dynamic assignment Map Users to Permissions through roles. Grant Permissions to a role, and assign users into that role.
• #11: Talk to the simplification of binding methods to permissions. When the RolesAllowed references permissions, you can modify the permissions assigned to a role at runtime in order to change the system's configuration. Also, adding additional roles at runtime is possible without having to redeploy the application. Roles - Static assignment Permissions - Dynamic assignment Map Users to Permissions through roles. Grant Permissions to a role, and assign users into that role.
• #12: Talk to the simplification of binding methods to permissions. When the RolesAllowed references permissions, you can modify the permissions assigned to a role at runtime in order to change the system's configuration. Also, adding additional roles at runtime is possible without having to redeploy the application. Roles - Static assignment Permissions - Dynamic assignment Map Users to Permissions through roles. Grant Permissions to a role, and assign users into that role.
• #13: Talk to the simplification of binding methods to permissions. When the RolesAllowed references permissions, you can modify the permissions assigned to a role at runtime in order to change the system's configuration. Also, adding additional roles at runtime is possible without having to redeploy the application. Roles - Static assignment Permissions - Dynamic assignment Map Users to Permissions through roles. Grant Permissions to a role, and assign users into that role.
• #15: A delegated authority is assigned who can create roles, grant permissions to roles, and assign users into that role.
• #18: Preview the OAuth discussion SSO authenticates users at the webapp OAuth authenticates REST calls OAuth is delegated authentication delegated access for use in situations where the user is not present like a webapp authenticate the end user, but needs to call back end services that need to authenticate calls Application Grant changes based on who the user is, and which system is requesting the token.
• #19: Provide examples of each type Service Account - some backend process. Internal to Penn State - internal department application and also other trusted applications from other departments. Need to verify that those systems are trusted and follow best practices External to Penn State - student run organization or group wants to create a mobile app that can access the schedule of classes, your degree information, list of required classes and the real-time local bus data in order to create an optimized schedule and route you around campus. It’s not a Penn State sponsored app, but it needs access to a student’s data.
• #20: Clients must register with the OAuth server Clients receive a client_id (public) and client_secret (private) These can be used to obtain an auth token that represents the service account
• #23: Examples: Student mobile app that wants to access your course history and required classes to create an optimal schedule. Allow systems to refresh a token after it’s expired… Client must register with OAuth server before being allowed to auth. Possible approval process in place prior to allowing access.
• #24: Validate Options - OAuth Server and Resource Server team together in authentication. JWT option allows the RS to validate a token without calling the OAuth server, but increases the complexity of revoking a token Talk Caching of token-info at the RS. Increased overhead of calls to obtain tokens and validate tokens is limited to 2 extra calls per token lifespan (obtaining a token) / caching duration (validating a token)
• #25: Why JASPI? Two authentication cases, webapps and REST services PSU uses a SSO solution based on an Apache plugin to authenticate users We tried JAAS, but the solution was a bit awkward. HttpServletRequest.login(“username”, “password”) JASPI allows direct access to authenticate the HTTPServletRrequest - HttpServletRequest.authenticate() This allows us to access the SSO Headers and OAuth Headers directly in order to authenticate the request.
• #27: hack to enable security within Wildfly We’re using Wildfly 8. Tried using Wildfly’s JASPI Implementation, but rant into problems Wildfly Implementation - Wildfly bug that prevented principal from propagating into the EJB tier Wildfly JAAS SAM - picketbox JASPI SAM that delegated to a JAAS Login Module did as expected One solution worked but session caching broke. jboss-web.xml and jboss-ejb3.xml files enable the security interceptors in the web and ejb tiers DummyLoginModule doesn’t do anything but is required as a placeholder Monitoring Wildlfy future releases and are willing to go back to built in soldution at some point.
• #28: AuthConfigFactory.getFactory().registerConfigProvider() PsuAuthConfigProvider → PsuServerAuthConfig → PsuServerAuthContext → ServerAuthModule
• #30: Client library is responsible for Managing the clients shared secret with the OAuth server Requesting a valid token before making a request to the RS Adding the token into the HTTP Request in the Authorization header Managing the lifecycle of an auth token Handling errors and retrying when possible. Server Module is responsible for Extracting the token for every inbound request Determining if the token is valid Resolving the token to a user principal Looking up the roles/permissions associated with the user Establishing the security context within the application server