SlideShare a Scribd company logo

Securing web applications

Supreme O, profile picture
Supreme O

The document provides information about securing web applications with OpenAM. It discusses authentication and authorization as two major security considerations. It notes that while authentication verifies a user's identity, authorization determines what resources a user can access. The document then discusses challenges around scaling authentication solutions and how stateful servers may not scale well. It introduces OpenAM as an open source access management solution that can handle authentication, authorization, and identity management. OpenAM allows applications to focus on functionality while it focuses on security. It can integrate with identity stores and uses policy agents to enforce access policies across distributed systems.

AutomotiveTechnology
Related topics:
Web Application
1 of 10
Downloaded 193 times
1
2
3
4
5
6
7
8
9
10
WEB DEVELOPMENT Securing Web Applications with OpenAM As software developers, we seek to design software that gets people’s attention. Software that meets the needs of the user, performs well, and pleases the eye is sure to get users’ attention. The security model of an application, on the other hand, gets very little attention from the average user - that is until something goes wrong. One serious security breach could permanently blacklist an application or even a developer in the eyes of the users affected by that breach. You’ll learn: You should know: • How OpenAM can secure web applications and how to • Should have a clear understanding of how web appli- set up OpenAM in a development environment. cations work. • For the tutorial, some experience with Linux and the Li- nux command line will be helpful. G ood software design dictates that security be ta- ken into account throughout the requirements- -gathering process and the actual build. Unfortu- be scalable. For example, an application server may store nately, security considerations are often an afterthought session state for each user and expect the user to send in software design, again because developers are often a session cookie with each request. This is a very com- so focused on functionality, performance and looks that mon approach and honestly works well for most one-off security ends up taking a backseat. Even if you as a de- applications. But what happens when one of our applica- veloper give careful consideration to security in all your tions needs to connect (on behalf of the user) to some applications, you may end up “inheriting” an application service we’ve written. Let’s say the service runs on a se- with a weak security model. cond server and also requires authentication? The ses- sion cookie means nothing to that second server so will Authentication and Authorization we force the user to pass in credentials again? Or will Security in web applications is a very broad topic. Let’s the developer compromise and hard code some creden- narrow it down by talking about two major security con- tials in the application for making the call to the external siderations - authentication and authorization. Authen- service? tication is about verifying that the user is who they say Or what if the developer simply wants to distribute they are. For example I may enter my username and a large application across multiple servers for perfor- password to identify myself to an application. Depending mance but doesn’t want the user to have to log in more on the circumstances, I may have to answer some per- than once? Each of those servers would need to “know” sonal questions or I may be prompted to install a certifi- about the user’s session. cate in my web browser’s store. Once an application “knows” who the user is, it can HTTP Authentication move onto the authorization phase which is deciding Up until this point we have talked about users being pro- whether to fulfill or deny a particular request (i.e. to ac- visioned a session and that session being tracked by so- cess a resource, take a certain action, etc.) on behalf of me stateful server. But it should be noted that we could that particular user. For example, user “pmorris” may be build our web applications such that their servers could authorized to view resource “x” but may not be autho- be essentially stateless. In other words each request wo- rized to edit resource “x”. uld be made in isolation. In such a case the user would have to be authenticated and authorized for each and Will it scale? every request. Some may frown upon such a design but a In some cases a web application may handle authentica- stateless design is inherently scalable.Take a look at how tion and authorization very well but the solution may not well the World Wide Web has scaled over the past 20 34 5/2011
Securing Web Applications with OpenAM years. This is due in large measure to its stateless design. So where does that leave us then? Well we’re back to Most calls that happen over HTTP are in isolation altho- a stateful server maintaining sessions for all our users ugh it has to be admitted that most requests made over and we’re back to the problems with scalability that we HTTP do not need to be authenticated or authorized. mentioned earlier. HTTP as a protocol does include standards for authen- tication, namely Basic and Digest Authentication both of OpenAM as an Authentication and which allow for a stateless approach. So why don’t we see Authorization Solution more applications using Basic or Digest Authentication? Meet OpenAM. (You see? I didn’t forget the title of this ar- In the case of Basic authentication there are inherent se- ticle.) The “AM” stands for Access Management. OpenAM curity weaknesses since credentials are passed over the is a child project of OpenSSO (“SSO” for single-sign-on), wire in clear text. Digest Authentication is very secure an open source product formerly sponsored by Sun Mi- however since it uses one-way hashing to obscure the crosystems, now by Oracle.When Oracle bought out Sun credentials such that it’s impossible to extract them. It al- they took back the latest release of OpenSSO (version so includes policies for preventing the harvesting and re- 9.x) and now offer 8.x as the latest and greatest.A number playing of hashed credentials. So why don’t we see Digest of former Sun executives went on to head up a company Authentication more in web applications? Well for one called Forge Rock, which has taken version 9.x of OpenS- thing it is not trivial to learn and implement the standard. SO, named it OpenAM and started to maintain and build But the overriding reason is that frankly HTTP authen- on it (up to 9.5.x now), pledging to follow its original pro- tication is just “not there yet.” A lot of it seems to have ject roadmap from when it was under the oversight of Sun. to do with the inconsistent and incomplete manner that I see OpenAM as a solution for building security into web browsers have implemented the Digest Authentica- your distributed applications from the start, as well as a tion standard. The details on that are beyond the scope way to secure that pre-existing, not-so-secure applica- of this article, (Did you notice I haven’t mentioned Ope- tion that you may have “inherited” as a hired developer nAM once yet?) so I encourage you to read these two (since we know you would never build an unsecure ap- articles if you want to learn those details: plication yourself). http://www.artima.com/weblogs/viewpost.jsp?thre- Authenticating with OpenAM ad=155252 and http://www.vsecurity.com/download/pa- So OpenAM can be our stateful server for provisioning pers/WeaningTheWebOffOfSessionCookies.pdf and tracking sessions for users. It can hook into an iden- Figure 1. OpenDJ Server Settings Figure 3. OpenDJ Directory Data Figure 2. OpenDJ Topology Options Figure 4. OpenDJ Runtime Options en.sdjournal.org 35
WEB DEVELOPMENT tity repository that already exists (i.e. Microsoft Active Scale Applications Securely with Directory) or you could set up its “sister” application, OpenAM OpenDJ (formerly OpenDS) as the user store. OpenDJ Let’s talk about why OpenAM scales so well. OpenAM is is an open source LDAP directory service also sponso- a Java-based application that runs within a servlet conta- red by Forge Rock. And apparently, at least some users iner (Apache Tomcat, Glassfish, JBoss, etc.). So OpenAM just use a plain old relational database as the identity is itself a web application but it is not your web applica- store. Using the identity repository to verify the identity tion. It partners with your web application. It has a sin- of each user, OpenAM provisions a session and can set gle responsibility: to keep other applications secure. To cookies that represent that session in the user’s browser. illustrate: large office buildings with offices that handle (I actually put together a proof of concept that elimina- very sensitive or secured resources often have a securi- tes the need for OpenAM to set cookies in the user’s ty team operating within the building. That team’s focus browser.) is to keep the building and everything in it secure. The other teams of people within the building don’t have to Authorizing with OpenAM focus so much on security since there is already a team OpenAM can be conFigured with fine-grained poli- dedicated to that purpose operating within the building. cies that dictate which identity subjects (users and/ The other teams are able to focus on what they do best or groups) have access to which resources and even (whatever that might be). which HTTP methods can be invoked by a particu- OpenAM as a framework operates as that security lar subject against a particular resource. So in other team in your infrastructure, keeping your applications words OpenAM can be conFigured to allow user secure so that your application code can focus more on “pmorris” to GET the resource at http://www.exam- things like functionality, usability and performance. ple.com/resource but not POST to that same resource OpenAM exposes services (SOAP or REST) that can (that same URL). be invoked from your applications for authenticating Figure 5. OpenAM General Figure 7. OpenAM Configuration Store Figure 6. OpenAM Server Settings Figure 8. OpenAM User Store 36 5/2011
Securing Web Applications with OpenAM users, checking their authorization to make a certain Take OpenAM for a Test Drive request, and even interacting with your identity reposi- So if you’re like me you like getting your hands on a tory to add users, to get the groups a user belongs to, technology so you can evaluate it yourself. Following etc. For the proof of concept I spoke of earlier I set up is a step-by-step tutorial on how to set up OpenAM very simple filters in front of a RESTful service to per- with OpenDJ as a user repository. All the prerequi- form authentication and authorization before allowing sites for our tutorial, from the OS (Ubuntu 10.04), to access to the service itself. Can you see how such an the servlet container (Apache Tomcat 7.0), to the two approach can scale to practically any size? As long as applications themselves, they’re all open source (i.e. you have the session token representing the session, free!) so you’ve got no reason not to jump right in! you can call OpenAM’s services from anywhere (even Let’s get started. outside your own domain) to authenticate and autho- rize a request. Set up Ubuntu The OpenAM framework not only includes the central Download Ubuntu 10.04 LTS from http://releases.ubuntu. application itself but also a family of policy agents that com/lucid/ubuntu-10.04.2-desktop-i386.iso can be deployed to remote application servers or web If you’re setting up Ubuntu as a virtual machine be servers to “police” said servers and all the applications sure and up the RAM to at least 1024MB. running on them.There are policy agents for J2EE servlet Walk through the installation process containers, and web servers (i.e. Apache and IIS). A policy normally. agent is like a remote “security officer” that intercepts Once logged in go to System -> Administration -> Users all requests coming in to the server (J2EE container, web and Groups and change the user you created to an Ad- server) and consults with the “chief security officer”, the ministrator. OpenAM application itself, to determine if the request should be fulfilled or denied. Figure 11. OpenAM Subjects Figure 9. OpenAM Site Configuration Figure 10. OpenAM Agent Information Figure 12. OpenDJ Control Panel en.sdjournal.org 37
WEB DEVELOPMENT Install Java While an OpenJDK package is available out-of the-box with 10.04, the Sun JDK is not, and that’s the one we want. So open a terminal window and run the following commands first: sudo add-apt-repository „deb http://archive. canonical.com/ lucid partner” sudo apt-get update Then install the Sun JDK: sudo apt-get install sun-java6-jdk Install Tomcat We need a fully qualified domain name (FQDN) when we install OpenAM (i.e. localhost will not work for con- figuration) so we need to add an entry to the hosts file. Run the following command to edit the file: Figure 13. OpenDJ Manage Entries sudo nano /etc/hosts I added this line: 127.0.0.1 devbox.apius.org Be sure and exit (Command + x on the Mac), and save changes on the way out (“y” followed by Enter) Download Apache Tomcat 7 by running wget with a current link address as in: wget http://apache.ziply.com/tomcat/tomcat-7/v7.0.12/ bin/apache-tomcat-7.0.12.tar.gz Untar it with this command: tar xzvf apache-tomcat-7.0.12.tar.gz Figure 14. OpenDJ New User If running on VMware Fusion follow this documenta- I decided to move it to a more standardized folder lo- tion to install VMware Tools: https://help.ubuntu.com/com- cation with: munity/VMware/Tools Reboot. mv apache-tomcat-7.0.12 /usr/local/tomcat7 Figure 15. OpenAM New User 38 5/2011
Securing Web Applications with OpenAM Figure 16. OpenAM REST Authentication Response Figure 17. OpenAM REST Validate Token Response We need to set a couple of environment variables to Install OpenAM ensure the Tomcat 7 instance uses the Sun JDK and Download OpenAM 9.5.2.The 9.5.x releases take advan- that OpenAM will have sufficient memory to install tage of Java EE 6. and run. Run the following command: sudo nano /usr/local/tomcat7/bin/setenv.sh And add these two lines: JAVA_HOME=/usr/lib/jvm/java-6-sun export CATALINA_OPTS=“$CATALINA_OPTS -Xms128m -Xmx1024m -XX:MaxPermSize=256m” Next run: sudo nano /usr/local/tomcat7/conf/tomcat-users.xml I added what is in listing 1 so as to access the Tomcat management console. Start Apache Tomcat with: /usr/local/tomcat7/bin/startup.sh Figure 18. OpenAM Identity Subject 1 en.sdjournal.org 39
WEB DEVELOPMENT Extract it and move it into place using the following two commands: unzip OpenDJ-2.4.1.zip sudo mv OpenDJ-2.4.1 /usr/local/opendj These commands should be run in order to conFigure the installation and open the GUI interface for final con- figuration settings. sudo /usr/local/opendj/bin/create-rc-script --outputFile /etc/init.d/opendj sudo update-rc.d opendj defaults /etc/init.d/opendj start cd /usr/local/opendj/ ./setup Figure 19. OpenAM Identity Subject 2 wget http://www.forgerock.org/downloads/openam/ ConFigure OpenDJ snapshot9.5/openam_s952.war Choose a password for the Directory Manager (admin) account. (Figure 1 – OpenDJ Server Settings) Moving the war to the webapps folder of the Tomcat Select stand alone. (Figure 2 – OpenDJ Topology installation will deploy it. Options) Just create a base DN using whatever domain you pre- sudo mv openam_s952.war usr/local/tomcat7/webapps/ fer. (Figure 3 – OpenDJ Directory Data) openam.war Keep the defaults. (Figure 4 – OpenDJ Runtime Options) Install OpenDJ Review the configuration settings and hit “Finish”. Once Now download OpenDJ using: the installation is complete go ahead and launch the Con- trol Panel and log in to “Local Server” using the Directory wget http://www.forgerock.org/downloads/opendj/2.4.1/ Manager password you entered during setup. Go ahead and OpenDJ-2.4.1.zip minimize the Control Panel and let’s conFigure OpenAM. Figure 20. OpenAM URL Policy 1 40 5/2011
Securing Web Applications with OpenAM ConFigure OpenAM with OpenDJ as user store http://devbox.apius.org:8080/openam will open the web Listing 1. Tomcat configuration configurator. <role rolename=”manager-gui”/> Enter a password of at least 8 characters. (Figure 5 – <role rolename=”manager-script”/> OpenAM General) <role rolename=”manager-jmx”/> Note the following use of that FQDN we added to our <role rolename=”manager-status”/> hosts file earlier. (Figure 6 – OpenAM Server Settings) <user username=”admin” password=”admin” We’ll use OpenAM’s embedded optimized OpenDS roles=”manager-gui,manager- application to store configuration settings. (Figure 7 – script,manager-jmx,manager- OpenAM Configuration Store status”/> Select OpenDS (the predecessor of OpenDJ) as the user store and make sure the Directory Name is cor- /usr/local/opendj/bin/control-panel rect. It should automatically grab the first host name that the loopback address (127.0.0.1) resolves to. Enter the (Figure 12 – OpenDJ Control Panel) Directory Manager’s password that you set at installa- Select “Manage Entries” from the left menu. tion. (Figure 8 – OpenAM User Store) Right click on “people” and select “New User”. (Figure This is a development environment so we won’t worry 13 – OpenDJ Manage Entries) about load balancing. (Figure 9 – OpenAM Site Configu- Be sure and change the “Naming Attribute” to “uid”. ration) Click OK and look for the Entry Created message. (Figu- Choose another password 8 characters or longer. (Fi- re 14 – OpenDJ New User) gure 10 – OpenAM Agent Information) Now go back to the OpenAM console and refresh the In the final screen, verify your configuration and press page. You should see the new user you created in the the Create Configuration button. OpenDJ repository. (Figure 15 – OpenAM New User) Test OpenAM Authentication Service Add User Let’s run a quick and simple test using the REST au- Log in to OpenAM using amadmin as a username and the thentication service in OpenAM to create a session. En- password you entered in Step 1 of the setup. ter the following into your web browser’s address bar. We’re going to test the authentication interface using Adjust the URL and the parameter values based on your OpenAM’s REST services but first we’ll create a user ac- settings: count. A user account can be created using one of the REST services or from the OpenAM console itself but http://devbox.apius.org:8080/openam/identity/authenticate? to illustrate the relationship between OpenAM and the username=pmorris&password=pmorrispmorris underlying user data store, OpenDJ, we’ll add the user from the OpenDJ control panel. This action requests OpenAM to create a session “Access Control” tab. -> “(Top Level Realm)” -> “Sub- for the specified user and once created a token re- jects” tab. I see two users, namely “amadmin” and “ano- presenting that session is passed back to the caller. nymous”. (Figure 11 – OpenAM Subjects) Again, we could add a new user from here but let’s do it from OpenDJ. If the Control Panel is still minimized go ahead and pull it up if it’s not running, run this command: Figure 21. OpenAM URL Policy 2 Figure 22. OpenAM URL Policy 3 en.sdjournal.org 41
WEB DEVELOPMENT (Figure 16 - OpenAM REST Authentication Respon- You should get back the following response. (Figure 17 se) - OpenAM REST Validate Token Response) One note though: What I did above I did only to expedite the tutorial. In reality this is a poor prac- Test OpenAM Authorization Service tice. Why? Since I used a browser’s address bar to Now let’s create a URL policy and test out the authori- make this call we know that the HTTP method was zation feature. Go to the “Access Control” tab. -> “(Top a GET. Obviously this will work but in a real world Level Realm)” -> “Policies” tab. Click on “New Policy”. implementation it’s a bad idea. For one thing, with a I’m calling mine “Hello World Policy”. We need to assign GET request the password parameter value will be this policy to the user we created so scroll down and written to server logs and for another this practice click on “New” in the “Subjects” section. breaks RESTful constraints. HTTP as a standard sta- Let’s make this a specific subject, not just any authen- tes that GET should have no side effects. Creating ticated user. Click “Next”. (Figure 18 - OpenAM Identity a session is definitely a side effect (a desirable side Subject) effect but a side effect nonetheless). So in produc- Next, we’ll give the Identity Subject a name and in tion it’s best practice to always coerce this call to our case search for our user using the “User” filter and a POST. “Add” the user (in my case “pmorris”) to the Identity Now let’s test the authentication service using the Subject and click “Finish” and “OK” in the next screen. token value as a parameter. Copy the token value from (Figure 19 - OpenAM Identity Subject 2) the response page and paste it into another call like Keep in mind that we would probably not do this in so: real life – that is assign a single user to an Identity Sub- ject. More likely we would create a group, add pmorris http://devbox.apius.org:8080/openam/identity/isTokenValid- to that group and then add the group to the Identity ?token=AQIC5wM2LY4SfcxmYwlY5mX1vtaiGhw8cJd8TGJY Subject. But again, to expedite the tutorial we’ll do it Hv6ar4M.*AAJTSQACMDE.* this way. Figure 23. OpenAM REST Authorization Response 42 5/2011
Securing Web Applications with OpenAM You should be back out at the policy listing now. (Figu- http://devbox.apius.org:8080/openam/identity/authori- re 20 - OpenAM URL Policy 1) ze?uri=hello-world&action=POST&subjectid=AQIC5wM2LY Under “Rules” click on “New” and make sure the set- 4SfcwUIYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACM- ting is “URL Policy Agent”. Then click “Next”. (Figure 21 DE.* - OpenAM URL Policy 2) Name the new URL Policy Agent and assign it to a I won’t add another screen shot because the only chan- particular URL. In our case “hello-world”. Don’t worry if ge you see is that the response now reads “boole- that resource doesn’t actually exist on the server. Note an=false”, which is precisely what we expect based on that I am allowing the Hello World Identity Subject to the URL Policy Agent we conFigured earlier. GET the resource but not POST to it. Click “Finish”. NOTE: By default, the OpenAM allows for control Conclusion over GET and POST actions on resources, but does not OenAM is a mature application and, as such, feature-rich. offer options for the other HTTP methods like PUT There’s full support for OAuth, which is widely used in and DELETE. Thanks to the http://blogs.sun.com/docte- social networking sites. Identity federation is also an im- ger/entry/enabling_put_and_delete_actions I was able to portant part of OpenAM services. Federation refers to find and successfully modify the two files that provide storing an identity across multiple identity management sys- the options for this configuration view within the Ope- tems or multiple organizations so that disparate systems nAM console, namely amWebAgent.xml and amWebA- can establish a circle of trust for authenticating a user. In gent.properties. Both are found under /WEB-INF/clas- other words, if I log in at Company X’s web application ses of the OpenAM web application that we’re going to ad am redirected to Company Y’s web application, Com- deploy. For each method you wish to add, simply create pany Y considers me authenticated to their application ba- the desired AttributeSchema elements in the XML file sed on the trust relationship between the two systems. A with their nested tags and add the name-value pairs to framework for logging and monitoring is included to sa- the properties file. It’s simply a matter of repeating the tisfy stringent auditing requirements in some enterprises. pattern of the GET and POST actions that are already As already mentioned for many small, one-off applications accounted for in each the files. (Figure 22 - OpenAM OpenAM would probably be overkill. But it’s a viable candi- URL Policy 3) date for distributed architectures and use cases of dispara- We’ve now told OpenAM that this policy with its rule te applications needing to interface with one another and applies to the indicated Identity Subject. share a common authentication and authorization scheme. Let’s get a fresh session token now. Once again follow OpenAM is open source so the only up-front commit- the pattern below and copy the response token value to ment to adoption is time to get over the learning curve. I your clipboard: hope this article and the accompanying tutorial have given you a boost if you are interested in learning this technolo- http://devbox.apius.org:8080/openam/identity/authenticate? gy.Although OpenAM and OpenDJ are open source, Forge username=pmorris&password=pmorrispmorris Rock offers support for everything from proof of concept engagements to robust 24 hours a day by 7 days a week by Let’s use the authorization service to check for access 2 hour response time support contracts. rights. Enter a URL following the pattern below aga- If you think OpenAM might end up in your toolbox, check in adjusting the path and parameters to your configu- out these additional resources for learning. ration: https://www.packtpub.com/glassish-security-with-java-ee/book Glassfish Security by Masou Kalali – Chapter 7, http://blogs. http://devbox.apius.org:8080/openam/identity/authorize?uri- sun.com/doceger Doc Teger’s blog, https://wikis.forgerockorg/ =hello-world&action=GET&subjectid=AQIC5wM2LY4SfcwU confluence/display/openam/OpenAM+Documentation Forge IYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACMDE.* Rck’s site, https://www.packtpub.com/openam-snaphot-9-for- securing-your-web-applications/book New book abou Ope- The “uri” parameter is the resource for which we are nAM checking user authorization, the “action” is the HTTP method, and the “subjectid” is the token value repre- PAUL MORRIS senting pmorris’s active session. We set the policy to Paul is a Java and ActionScript developer in allow pmorris to GET this resource so we expect a the Chicago area. He colaborates with a di- “true” response when we inquire regarding authori- stributed team of developers in the United zation. (Figure 23 - OpenAM REST Authorization Re- States and Canada. sponse) Contact to the author (paul@quietbus.com, Now let’s try this same request but change the “ac- http://paulmorris.drupalgardens.com/) tion” parameter to POST as in: en.sdjournal.org 43

More Related Content

PDF
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
DOCX
Mahesh_Dimble
Mahesh Dimble
 
PPTX
Web 2.0 security woes
SensePost
 
PPTX
W3 conf hill-html5-security-realities
Brad Hill
 
DOCX
Basic Java script handouts for students
shafiq sangi
 
PDF
Architecting your app in ext js 4, part 1 learn sencha
Rahul Kumar
 
PDF
Web Test Automation Framework - IndicThreads Conference
IndicThreads
 
PPTX
Presentation web based application|Web designing training center in coimbator...
Vignesh026
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
Mahesh_Dimble
Mahesh Dimble
 
Web 2.0 security woes
SensePost
 
W3 conf hill-html5-security-realities
Brad Hill
 
Basic Java script handouts for students
shafiq sangi
 
Architecting your app in ext js 4, part 1 learn sencha
Rahul Kumar
 
Web Test Automation Framework - IndicThreads Conference
IndicThreads
 
Presentation web based application|Web designing training center in coimbator...
Vignesh026
 

Similar to Securing web applications (20)

PPTX
Packt publishing book proposal api and mobile access management
Gluu
 
PDF
Protecting Your APIs Against Attack & Hijack
CA API Management
 
PPTX
Identity Management: Using OIDC to Empower the Next-Generation Apps
Tom Freestone
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
PPTX
OpenAM - An Introduction
ForgeRock
 
PDF
A security note for web developers
John Ombagi
 
PDF
Web vulnerabilities
Krishna Gehlot
 
PPTX
Owasp top 10 2017
ibrahimumer2
 
PPTX
00. introduction to app sec v3
Eoin Keary
 
PDF
Web Application Vulnerabilities
Pamela Wright
 
PDF
Web Application Security with PHP
jikbal
 
PDF
Analyzing OAuth
Oliver Pfaff
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
DOCX
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
Rajkumars275092
 
PDF
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
OWASP
 
PDF
04812167
ankushsawarkar
 
PDF
Owasp top 10 2013
Edouard de Lansalut
 
PPTX
Vulnerabilities in modern web applications
Niyas Nazar
 
PDF
Web Application Scanning 101
Sasha Nunke
 
PPTX
CyberSecurityppt. pptx
iamayesha2526
 
Packt publishing book proposal api and mobile access management
Gluu
 
Protecting Your APIs Against Attack & Hijack
CA API Management
 
Identity Management: Using OIDC to Empower the Next-Generation Apps
Tom Freestone
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
OpenAM - An Introduction
ForgeRock
 
A security note for web developers
John Ombagi
 
Web vulnerabilities
Krishna Gehlot
 
Owasp top 10 2017
ibrahimumer2
 
00. introduction to app sec v3
Eoin Keary
 
Web Application Vulnerabilities
Pamela Wright
 
Web Application Security with PHP
jikbal
 
Analyzing OAuth
Oliver Pfaff
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
Rajkumars275092
 
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
OWASP
 
04812167
ankushsawarkar
 
Owasp top 10 2013
Edouard de Lansalut
 
Vulnerabilities in modern web applications
Niyas Nazar
 
Web Application Scanning 101
Sasha Nunke
 
CyberSecurityppt. pptx
iamayesha2526
 
Ad

Recently uploaded (20)

PDF
EC290C NL EC290CNL Volvo excavator specs.pdf
Service Repair Manual
 
PPTX
Lecture 3b C Library xnxjxjxjxkx_ ESP32.pptx
indalrenu
 
PPTX
Robot_ppt_YRG[1] [Read-Only]bestppt.pptx
Shivam463160
 
PDF
Volvo EC290C NL EC290CNL Excavator Service Repair Manual Instant Download.pdf
Service Repair Manual
 
PDF
industrial engineering and safety system
samy709581
 
PPTX
laws of thermodynamics with diagrams details
parvindersinghsandhu1
 
PPT
Mettal aloys and it's application and theri composition
hydanfot2023
 
PPT
Kaizen for Beginners and how to implement Kaizen
pugal801
 
PPTX
Materi Kuliah Umum Prof. Hsien Tsai Wu.pptx
MUHAMMADMAULIDAN7
 
PPTX
laws of thermodynamics with complete explanation
parvindersinghsandhu1
 
PDF
Honda Dealership SNS Evaluation pdf/ppts
savleenk88
 
PDF
3-REasdfghjkl;[poiunvnvncncn-Process.pdf
FadyFady9
 
PPTX
Type of Sentence & SaaaaaaaaaadddVA.pptx
BaihaqiZakariaMuslim
 
PPTX
IMMUNITY TYPES PPT.pptx very good , sufficient
SomaPal11
 
PDF
Caterpillar CAT 311B EXCAVATOR (8GR00001-UP) Operation and Maintenance Manual...
ovhzz53
 
PDF
Volvo EC290C NL EC290CNL engine Manual.pdf
Service Repair Manual
 
PDF
computer system to create, modify, analyse or optimize an engineering design.
norazamaliman1
 
PDF
Renesas R-Car_Cockpit_overview210214-Gen4.pdf
wenhu10
 
PDF
higher edu open stores 12.5.24 (1).pdf forreal
Ahii2
 
PDF
Caterpillar Cat 315C Excavator (Prefix CJC) Service Repair Manual Instant Dow...
ovics74
 
EC290C NL EC290CNL Volvo excavator specs.pdf
Service Repair Manual
 
Lecture 3b C Library xnxjxjxjxkx_ ESP32.pptx
indalrenu
 
Robot_ppt_YRG[1] [Read-Only]bestppt.pptx
Shivam463160
 
Volvo EC290C NL EC290CNL Excavator Service Repair Manual Instant Download.pdf
Service Repair Manual
 
industrial engineering and safety system
samy709581
 
laws of thermodynamics with diagrams details
parvindersinghsandhu1
 
Mettal aloys and it's application and theri composition
hydanfot2023
 
Kaizen for Beginners and how to implement Kaizen
pugal801
 
Materi Kuliah Umum Prof. Hsien Tsai Wu.pptx
MUHAMMADMAULIDAN7
 
laws of thermodynamics with complete explanation
parvindersinghsandhu1
 
Honda Dealership SNS Evaluation pdf/ppts
savleenk88
 
3-REasdfghjkl;[poiunvnvncncn-Process.pdf
FadyFady9
 
Type of Sentence & SaaaaaaaaaadddVA.pptx
BaihaqiZakariaMuslim
 
IMMUNITY TYPES PPT.pptx very good , sufficient
SomaPal11
 
Caterpillar CAT 311B EXCAVATOR (8GR00001-UP) Operation and Maintenance Manual...
ovhzz53
 
Volvo EC290C NL EC290CNL engine Manual.pdf
Service Repair Manual
 
computer system to create, modify, analyse or optimize an engineering design.
norazamaliman1
 
Renesas R-Car_Cockpit_overview210214-Gen4.pdf
wenhu10
 
higher edu open stores 12.5.24 (1).pdf forreal
Ahii2
 
Caterpillar Cat 315C Excavator (Prefix CJC) Service Repair Manual Instant Dow...
ovics74
 
Ad

Securing web applications

  • 1. WEB DEVELOPMENT Securing Web Applications with OpenAM As software developers, we seek to design software that gets people’s attention. Software that meets the needs of the user, performs well, and pleases the eye is sure to get users’ attention. The security model of an application, on the other hand, gets very little attention from the average user - that is until something goes wrong. One serious security breach could permanently blacklist an application or even a developer in the eyes of the users affected by that breach. You’ll learn: You should know: • How OpenAM can secure web applications and how to • Should have a clear understanding of how web appli- set up OpenAM in a development environment. cations work. • For the tutorial, some experience with Linux and the Li- nux command line will be helpful. G ood software design dictates that security be ta- ken into account throughout the requirements- -gathering process and the actual build. Unfortu- be scalable. For example, an application server may store nately, security considerations are often an afterthought session state for each user and expect the user to send in software design, again because developers are often a session cookie with each request. This is a very com- so focused on functionality, performance and looks that mon approach and honestly works well for most one-off security ends up taking a backseat. Even if you as a de- applications. But what happens when one of our applica- veloper give careful consideration to security in all your tions needs to connect (on behalf of the user) to some applications, you may end up “inheriting” an application service we’ve written. Let’s say the service runs on a se- with a weak security model. cond server and also requires authentication? The ses- sion cookie means nothing to that second server so will Authentication and Authorization we force the user to pass in credentials again? Or will Security in web applications is a very broad topic. Let’s the developer compromise and hard code some creden- narrow it down by talking about two major security con- tials in the application for making the call to the external siderations - authentication and authorization. Authen- service? tication is about verifying that the user is who they say Or what if the developer simply wants to distribute they are. For example I may enter my username and a large application across multiple servers for perfor- password to identify myself to an application. Depending mance but doesn’t want the user to have to log in more on the circumstances, I may have to answer some per- than once? Each of those servers would need to “know” sonal questions or I may be prompted to install a certifi- about the user’s session. cate in my web browser’s store. Once an application “knows” who the user is, it can HTTP Authentication move onto the authorization phase which is deciding Up until this point we have talked about users being pro- whether to fulfill or deny a particular request (i.e. to ac- visioned a session and that session being tracked by so- cess a resource, take a certain action, etc.) on behalf of me stateful server. But it should be noted that we could that particular user. For example, user “pmorris” may be build our web applications such that their servers could authorized to view resource “x” but may not be autho- be essentially stateless. In other words each request wo- rized to edit resource “x”. uld be made in isolation. In such a case the user would have to be authenticated and authorized for each and Will it scale? every request. Some may frown upon such a design but a In some cases a web application may handle authentica- stateless design is inherently scalable.Take a look at how tion and authorization very well but the solution may not well the World Wide Web has scaled over the past 20 34 5/2011
  • 2. Securing Web Applications with OpenAM years. This is due in large measure to its stateless design. So where does that leave us then? Well we’re back to Most calls that happen over HTTP are in isolation altho- a stateful server maintaining sessions for all our users ugh it has to be admitted that most requests made over and we’re back to the problems with scalability that we HTTP do not need to be authenticated or authorized. mentioned earlier. HTTP as a protocol does include standards for authen- tication, namely Basic and Digest Authentication both of OpenAM as an Authentication and which allow for a stateless approach. So why don’t we see Authorization Solution more applications using Basic or Digest Authentication? Meet OpenAM. (You see? I didn’t forget the title of this ar- In the case of Basic authentication there are inherent se- ticle.) The “AM” stands for Access Management. OpenAM curity weaknesses since credentials are passed over the is a child project of OpenSSO (“SSO” for single-sign-on), wire in clear text. Digest Authentication is very secure an open source product formerly sponsored by Sun Mi- however since it uses one-way hashing to obscure the crosystems, now by Oracle.When Oracle bought out Sun credentials such that it’s impossible to extract them. It al- they took back the latest release of OpenSSO (version so includes policies for preventing the harvesting and re- 9.x) and now offer 8.x as the latest and greatest.A number playing of hashed credentials. So why don’t we see Digest of former Sun executives went on to head up a company Authentication more in web applications? Well for one called Forge Rock, which has taken version 9.x of OpenS- thing it is not trivial to learn and implement the standard. SO, named it OpenAM and started to maintain and build But the overriding reason is that frankly HTTP authen- on it (up to 9.5.x now), pledging to follow its original pro- tication is just “not there yet.” A lot of it seems to have ject roadmap from when it was under the oversight of Sun. to do with the inconsistent and incomplete manner that I see OpenAM as a solution for building security into web browsers have implemented the Digest Authentica- your distributed applications from the start, as well as a tion standard. The details on that are beyond the scope way to secure that pre-existing, not-so-secure applica- of this article, (Did you notice I haven’t mentioned Ope- tion that you may have “inherited” as a hired developer nAM once yet?) so I encourage you to read these two (since we know you would never build an unsecure ap- articles if you want to learn those details: plication yourself). http://www.artima.com/weblogs/viewpost.jsp?thre- Authenticating with OpenAM ad=155252 and http://www.vsecurity.com/download/pa- So OpenAM can be our stateful server for provisioning pers/WeaningTheWebOffOfSessionCookies.pdf and tracking sessions for users. It can hook into an iden- Figure 1. OpenDJ Server Settings Figure 3. OpenDJ Directory Data Figure 2. OpenDJ Topology Options Figure 4. OpenDJ Runtime Options en.sdjournal.org 35
  • 3. WEB DEVELOPMENT tity repository that already exists (i.e. Microsoft Active Scale Applications Securely with Directory) or you could set up its “sister” application, OpenAM OpenDJ (formerly OpenDS) as the user store. OpenDJ Let’s talk about why OpenAM scales so well. OpenAM is is an open source LDAP directory service also sponso- a Java-based application that runs within a servlet conta- red by Forge Rock. And apparently, at least some users iner (Apache Tomcat, Glassfish, JBoss, etc.). So OpenAM just use a plain old relational database as the identity is itself a web application but it is not your web applica- store. Using the identity repository to verify the identity tion. It partners with your web application. It has a sin- of each user, OpenAM provisions a session and can set gle responsibility: to keep other applications secure. To cookies that represent that session in the user’s browser. illustrate: large office buildings with offices that handle (I actually put together a proof of concept that elimina- very sensitive or secured resources often have a securi- tes the need for OpenAM to set cookies in the user’s ty team operating within the building. That team’s focus browser.) is to keep the building and everything in it secure. The other teams of people within the building don’t have to Authorizing with OpenAM focus so much on security since there is already a team OpenAM can be conFigured with fine-grained poli- dedicated to that purpose operating within the building. cies that dictate which identity subjects (users and/ The other teams are able to focus on what they do best or groups) have access to which resources and even (whatever that might be). which HTTP methods can be invoked by a particu- OpenAM as a framework operates as that security lar subject against a particular resource. So in other team in your infrastructure, keeping your applications words OpenAM can be conFigured to allow user secure so that your application code can focus more on “pmorris” to GET the resource at http://www.exam- things like functionality, usability and performance. ple.com/resource but not POST to that same resource OpenAM exposes services (SOAP or REST) that can (that same URL). be invoked from your applications for authenticating Figure 5. OpenAM General Figure 7. OpenAM Configuration Store Figure 6. OpenAM Server Settings Figure 8. OpenAM User Store 36 5/2011
  • 4. Securing Web Applications with OpenAM users, checking their authorization to make a certain Take OpenAM for a Test Drive request, and even interacting with your identity reposi- So if you’re like me you like getting your hands on a tory to add users, to get the groups a user belongs to, technology so you can evaluate it yourself. Following etc. For the proof of concept I spoke of earlier I set up is a step-by-step tutorial on how to set up OpenAM very simple filters in front of a RESTful service to per- with OpenDJ as a user repository. All the prerequi- form authentication and authorization before allowing sites for our tutorial, from the OS (Ubuntu 10.04), to access to the service itself. Can you see how such an the servlet container (Apache Tomcat 7.0), to the two approach can scale to practically any size? As long as applications themselves, they’re all open source (i.e. you have the session token representing the session, free!) so you’ve got no reason not to jump right in! you can call OpenAM’s services from anywhere (even Let’s get started. outside your own domain) to authenticate and autho- rize a request. Set up Ubuntu The OpenAM framework not only includes the central Download Ubuntu 10.04 LTS from http://releases.ubuntu. application itself but also a family of policy agents that com/lucid/ubuntu-10.04.2-desktop-i386.iso can be deployed to remote application servers or web If you’re setting up Ubuntu as a virtual machine be servers to “police” said servers and all the applications sure and up the RAM to at least 1024MB. running on them.There are policy agents for J2EE servlet Walk through the installation process containers, and web servers (i.e. Apache and IIS). A policy normally. agent is like a remote “security officer” that intercepts Once logged in go to System -> Administration -> Users all requests coming in to the server (J2EE container, web and Groups and change the user you created to an Ad- server) and consults with the “chief security officer”, the ministrator. OpenAM application itself, to determine if the request should be fulfilled or denied. Figure 11. OpenAM Subjects Figure 9. OpenAM Site Configuration Figure 10. OpenAM Agent Information Figure 12. OpenDJ Control Panel en.sdjournal.org 37
  • 5. WEB DEVELOPMENT Install Java While an OpenJDK package is available out-of the-box with 10.04, the Sun JDK is not, and that’s the one we want. So open a terminal window and run the following commands first: sudo add-apt-repository „deb http://archive. canonical.com/ lucid partner” sudo apt-get update Then install the Sun JDK: sudo apt-get install sun-java6-jdk Install Tomcat We need a fully qualified domain name (FQDN) when we install OpenAM (i.e. localhost will not work for con- figuration) so we need to add an entry to the hosts file. Run the following command to edit the file: Figure 13. OpenDJ Manage Entries sudo nano /etc/hosts I added this line: 127.0.0.1 devbox.apius.org Be sure and exit (Command + x on the Mac), and save changes on the way out (“y” followed by Enter) Download Apache Tomcat 7 by running wget with a current link address as in: wget http://apache.ziply.com/tomcat/tomcat-7/v7.0.12/ bin/apache-tomcat-7.0.12.tar.gz Untar it with this command: tar xzvf apache-tomcat-7.0.12.tar.gz Figure 14. OpenDJ New User If running on VMware Fusion follow this documenta- I decided to move it to a more standardized folder lo- tion to install VMware Tools: https://help.ubuntu.com/com- cation with: munity/VMware/Tools Reboot. mv apache-tomcat-7.0.12 /usr/local/tomcat7 Figure 15. OpenAM New User 38 5/2011
  • 6. Securing Web Applications with OpenAM Figure 16. OpenAM REST Authentication Response Figure 17. OpenAM REST Validate Token Response We need to set a couple of environment variables to Install OpenAM ensure the Tomcat 7 instance uses the Sun JDK and Download OpenAM 9.5.2.The 9.5.x releases take advan- that OpenAM will have sufficient memory to install tage of Java EE 6. and run. Run the following command: sudo nano /usr/local/tomcat7/bin/setenv.sh And add these two lines: JAVA_HOME=/usr/lib/jvm/java-6-sun export CATALINA_OPTS=“$CATALINA_OPTS -Xms128m -Xmx1024m -XX:MaxPermSize=256m” Next run: sudo nano /usr/local/tomcat7/conf/tomcat-users.xml I added what is in listing 1 so as to access the Tomcat management console. Start Apache Tomcat with: /usr/local/tomcat7/bin/startup.sh Figure 18. OpenAM Identity Subject 1 en.sdjournal.org 39
  • 7. WEB DEVELOPMENT Extract it and move it into place using the following two commands: unzip OpenDJ-2.4.1.zip sudo mv OpenDJ-2.4.1 /usr/local/opendj These commands should be run in order to conFigure the installation and open the GUI interface for final con- figuration settings. sudo /usr/local/opendj/bin/create-rc-script --outputFile /etc/init.d/opendj sudo update-rc.d opendj defaults /etc/init.d/opendj start cd /usr/local/opendj/ ./setup Figure 19. OpenAM Identity Subject 2 wget http://www.forgerock.org/downloads/openam/ ConFigure OpenDJ snapshot9.5/openam_s952.war Choose a password for the Directory Manager (admin) account. (Figure 1 – OpenDJ Server Settings) Moving the war to the webapps folder of the Tomcat Select stand alone. (Figure 2 – OpenDJ Topology installation will deploy it. Options) Just create a base DN using whatever domain you pre- sudo mv openam_s952.war usr/local/tomcat7/webapps/ fer. (Figure 3 – OpenDJ Directory Data) openam.war Keep the defaults. (Figure 4 – OpenDJ Runtime Options) Install OpenDJ Review the configuration settings and hit “Finish”. Once Now download OpenDJ using: the installation is complete go ahead and launch the Con- trol Panel and log in to “Local Server” using the Directory wget http://www.forgerock.org/downloads/opendj/2.4.1/ Manager password you entered during setup. Go ahead and OpenDJ-2.4.1.zip minimize the Control Panel and let’s conFigure OpenAM. Figure 20. OpenAM URL Policy 1 40 5/2011
  • 8. Securing Web Applications with OpenAM ConFigure OpenAM with OpenDJ as user store http://devbox.apius.org:8080/openam will open the web Listing 1. Tomcat configuration configurator. <role rolename=”manager-gui”/> Enter a password of at least 8 characters. (Figure 5 – <role rolename=”manager-script”/> OpenAM General) <role rolename=”manager-jmx”/> Note the following use of that FQDN we added to our <role rolename=”manager-status”/> hosts file earlier. (Figure 6 – OpenAM Server Settings) <user username=”admin” password=”admin” We’ll use OpenAM’s embedded optimized OpenDS roles=”manager-gui,manager- application to store configuration settings. (Figure 7 – script,manager-jmx,manager- OpenAM Configuration Store status”/> Select OpenDS (the predecessor of OpenDJ) as the user store and make sure the Directory Name is cor- /usr/local/opendj/bin/control-panel rect. It should automatically grab the first host name that the loopback address (127.0.0.1) resolves to. Enter the (Figure 12 – OpenDJ Control Panel) Directory Manager’s password that you set at installa- Select “Manage Entries” from the left menu. tion. (Figure 8 – OpenAM User Store) Right click on “people” and select “New User”. (Figure This is a development environment so we won’t worry 13 – OpenDJ Manage Entries) about load balancing. (Figure 9 – OpenAM Site Configu- Be sure and change the “Naming Attribute” to “uid”. ration) Click OK and look for the Entry Created message. (Figu- Choose another password 8 characters or longer. (Fi- re 14 – OpenDJ New User) gure 10 – OpenAM Agent Information) Now go back to the OpenAM console and refresh the In the final screen, verify your configuration and press page. You should see the new user you created in the the Create Configuration button. OpenDJ repository. (Figure 15 – OpenAM New User) Test OpenAM Authentication Service Add User Let’s run a quick and simple test using the REST au- Log in to OpenAM using amadmin as a username and the thentication service in OpenAM to create a session. En- password you entered in Step 1 of the setup. ter the following into your web browser’s address bar. We’re going to test the authentication interface using Adjust the URL and the parameter values based on your OpenAM’s REST services but first we’ll create a user ac- settings: count. A user account can be created using one of the REST services or from the OpenAM console itself but http://devbox.apius.org:8080/openam/identity/authenticate? to illustrate the relationship between OpenAM and the username=pmorris&password=pmorrispmorris underlying user data store, OpenDJ, we’ll add the user from the OpenDJ control panel. This action requests OpenAM to create a session “Access Control” tab. -> “(Top Level Realm)” -> “Sub- for the specified user and once created a token re- jects” tab. I see two users, namely “amadmin” and “ano- presenting that session is passed back to the caller. nymous”. (Figure 11 – OpenAM Subjects) Again, we could add a new user from here but let’s do it from OpenDJ. If the Control Panel is still minimized go ahead and pull it up if it’s not running, run this command: Figure 21. OpenAM URL Policy 2 Figure 22. OpenAM URL Policy 3 en.sdjournal.org 41
  • 9. WEB DEVELOPMENT (Figure 16 - OpenAM REST Authentication Respon- You should get back the following response. (Figure 17 se) - OpenAM REST Validate Token Response) One note though: What I did above I did only to expedite the tutorial. In reality this is a poor prac- Test OpenAM Authorization Service tice. Why? Since I used a browser’s address bar to Now let’s create a URL policy and test out the authori- make this call we know that the HTTP method was zation feature. Go to the “Access Control” tab. -> “(Top a GET. Obviously this will work but in a real world Level Realm)” -> “Policies” tab. Click on “New Policy”. implementation it’s a bad idea. For one thing, with a I’m calling mine “Hello World Policy”. We need to assign GET request the password parameter value will be this policy to the user we created so scroll down and written to server logs and for another this practice click on “New” in the “Subjects” section. breaks RESTful constraints. HTTP as a standard sta- Let’s make this a specific subject, not just any authen- tes that GET should have no side effects. Creating ticated user. Click “Next”. (Figure 18 - OpenAM Identity a session is definitely a side effect (a desirable side Subject) effect but a side effect nonetheless). So in produc- Next, we’ll give the Identity Subject a name and in tion it’s best practice to always coerce this call to our case search for our user using the “User” filter and a POST. “Add” the user (in my case “pmorris”) to the Identity Now let’s test the authentication service using the Subject and click “Finish” and “OK” in the next screen. token value as a parameter. Copy the token value from (Figure 19 - OpenAM Identity Subject 2) the response page and paste it into another call like Keep in mind that we would probably not do this in so: real life – that is assign a single user to an Identity Sub- ject. More likely we would create a group, add pmorris http://devbox.apius.org:8080/openam/identity/isTokenValid- to that group and then add the group to the Identity ?token=AQIC5wM2LY4SfcxmYwlY5mX1vtaiGhw8cJd8TGJY Subject. But again, to expedite the tutorial we’ll do it Hv6ar4M.*AAJTSQACMDE.* this way. Figure 23. OpenAM REST Authorization Response 42 5/2011
  • 10. Securing Web Applications with OpenAM You should be back out at the policy listing now. (Figu- http://devbox.apius.org:8080/openam/identity/authori- re 20 - OpenAM URL Policy 1) ze?uri=hello-world&action=POST&subjectid=AQIC5wM2LY Under “Rules” click on “New” and make sure the set- 4SfcwUIYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACM- ting is “URL Policy Agent”. Then click “Next”. (Figure 21 DE.* - OpenAM URL Policy 2) Name the new URL Policy Agent and assign it to a I won’t add another screen shot because the only chan- particular URL. In our case “hello-world”. Don’t worry if ge you see is that the response now reads “boole- that resource doesn’t actually exist on the server. Note an=false”, which is precisely what we expect based on that I am allowing the Hello World Identity Subject to the URL Policy Agent we conFigured earlier. GET the resource but not POST to it. Click “Finish”. NOTE: By default, the OpenAM allows for control Conclusion over GET and POST actions on resources, but does not OenAM is a mature application and, as such, feature-rich. offer options for the other HTTP methods like PUT There’s full support for OAuth, which is widely used in and DELETE. Thanks to the http://blogs.sun.com/docte- social networking sites. Identity federation is also an im- ger/entry/enabling_put_and_delete_actions I was able to portant part of OpenAM services. Federation refers to find and successfully modify the two files that provide storing an identity across multiple identity management sys- the options for this configuration view within the Ope- tems or multiple organizations so that disparate systems nAM console, namely amWebAgent.xml and amWebA- can establish a circle of trust for authenticating a user. In gent.properties. Both are found under /WEB-INF/clas- other words, if I log in at Company X’s web application ses of the OpenAM web application that we’re going to ad am redirected to Company Y’s web application, Com- deploy. For each method you wish to add, simply create pany Y considers me authenticated to their application ba- the desired AttributeSchema elements in the XML file sed on the trust relationship between the two systems. A with their nested tags and add the name-value pairs to framework for logging and monitoring is included to sa- the properties file. It’s simply a matter of repeating the tisfy stringent auditing requirements in some enterprises. pattern of the GET and POST actions that are already As already mentioned for many small, one-off applications accounted for in each the files. (Figure 22 - OpenAM OpenAM would probably be overkill. But it’s a viable candi- URL Policy 3) date for distributed architectures and use cases of dispara- We’ve now told OpenAM that this policy with its rule te applications needing to interface with one another and applies to the indicated Identity Subject. share a common authentication and authorization scheme. Let’s get a fresh session token now. Once again follow OpenAM is open source so the only up-front commit- the pattern below and copy the response token value to ment to adoption is time to get over the learning curve. I your clipboard: hope this article and the accompanying tutorial have given you a boost if you are interested in learning this technolo- http://devbox.apius.org:8080/openam/identity/authenticate? gy.Although OpenAM and OpenDJ are open source, Forge username=pmorris&password=pmorrispmorris Rock offers support for everything from proof of concept engagements to robust 24 hours a day by 7 days a week by Let’s use the authorization service to check for access 2 hour response time support contracts. rights. Enter a URL following the pattern below aga- If you think OpenAM might end up in your toolbox, check in adjusting the path and parameters to your configu- out these additional resources for learning. ration: https://www.packtpub.com/glassish-security-with-java-ee/book Glassfish Security by Masou Kalali – Chapter 7, http://blogs. http://devbox.apius.org:8080/openam/identity/authorize?uri- sun.com/doceger Doc Teger’s blog, https://wikis.forgerockorg/ =hello-world&action=GET&subjectid=AQIC5wM2LY4SfcwU confluence/display/openam/OpenAM+Documentation Forge IYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACMDE.* Rck’s site, https://www.packtpub.com/openam-snaphot-9-for- securing-your-web-applications/book New book abou Ope- The “uri” parameter is the resource for which we are nAM checking user authorization, the “action” is the HTTP method, and the “subjectid” is the token value repre- PAUL MORRIS senting pmorris’s active session. We set the policy to Paul is a Java and ActionScript developer in allow pmorris to GET this resource so we expect a the Chicago area. He colaborates with a di- “true” response when we inquire regarding authori- stributed team of developers in the United zation. (Figure 23 - OpenAM REST Authorization Re- States and Canada. sponse) Contact to the author (paul@quietbus.com, Now let’s try this same request but change the “ac- http://paulmorris.drupalgardens.com/) tion” parameter to POST as in: en.sdjournal.org 43