Security As A Service
Marc Chanliau, Identity Management Technical Evangelist
[email_address]
Agenda
- Java Security “Refresher”
- Introducing Oracle Platform Security Services (OPSS)
- Focus On Design-Time Security (ADF)
- Demo
- OPSS Use Cases
© 2009 Oracle Corporation
The Java EE Security Toolbox
Java EE Security:
- Container Managed Security
- Java Authentication and Authorization Service (JAAS)
Container Managed Security
- Java EE security handled by the Java EE container
- Declarative, portable, easy to use
- Decouples security logic from application code
- Implementation details hidden from the developer
- Authentication: configured in the web.xml descriptor; Basic, Form, Certificate, Digest
- Authorization: role-based, based on URL patterns; SSL can be enforced per page
Limitations of Container Managed Security
Java EE declarative security is…
- Static within a deployed application: policies cannot be changed dynamically, and constraints cannot be changed (static role mapping)
- Not very granular: it protects URL-addressable objects and does not allow different privileges against the same protected object
- Java EE roles are not hierarchical: extra groups are needed to define “rollup” levels of enterprise roles
Java Authentication and Authorization Service (JAAS)
What JAAS is
- Enables services to authenticate and enforce access controls
- Programmatic security model
- Extends Java 2 Security
- Role-based access control (RBAC)
Authentication
- Pluggable Authentication Module (PAM)
- Propagates identity via session context
Authorization
- Grants access to resources and actions
- Executes operations within user context
JAAS Advantages
- Dynamic and evaluated in real time: policies may be updated in the policy store and are reflected in the application
- Secures the ability to perform a “fine-grained action” on the resource, rather than simple access to the URL: policies are defined against an action in the policy store, not by URL pattern
- Supports granular privileges against the same object
- Allows for hierarchical policies
- References enterprise roles directly from the Identity Management system
Summary Of The Challenges To Be Addressed
- The security capabilities supported and defined by the Java EE standards are limited
- Too much security knowledge is required of application developers, who should primarily focus on business logic
- No consistent security experience across platforms and applications
- Third-party security frameworks are non-standard and non-portable, and don’t support the complete application lifecycle
- No support for large enterprise security deployments
- Lack of support for different types of development model, e.g., Java EE and Java SE
Introducing OPSS
- OPSS provides enterprise product development teams, systems integrators, and independent software vendors with a security framework for Java SE and Java EE applications that is standards-based, portable, integrated, and enterprise-grade
- OPSS is an abstraction layer that insulates developers from security and identity management implementation details
- With OPSS, developers don’t need to know the nitty-gritty of cryptographic key management or the interfaces to user repositories and other identity management infrastructure
OPSS in Oracle Fusion Middleware (architecture diagram)
- Clients and tools: Oracle JDeveloper, Web Browser, Oracle WLS Admin Console, Oracle Enterprise Mgr
- Web Tier: Load Balancer, Oracle WebCache, Oracle HTTP Server
- Application Tier: Oracle WebLogic Server hosting Applications, Oracle SOA Suite, Oracle WebCenter and Oracle Identity Mgt, with Oracle Platform Security Services as the common layer
- Data Tier: LDAP, RDBMS
OPSS Benefits
- Customers get what Oracle products get: OPSS is used as the security platform for Oracle Fusion Applications and Oracle Fusion Middleware components
- OPSS is enterprise ready: stress tested to support enterprise deployments; interoperability tested across different environments; certified on WLS, will be certified on WAS and JBoss
- Standards based
- Protect your investment: pre-integrated with Oracle products and technologies
- Consistent security experience for developers and administrators: same set of APIs and UI for all types of applications (in-house, third-party, Oracle Fusion)
- Support large enterprise deployments: integration with Identity Management; enables legacy and third-party security provider integration
OPSS’s Heritage (timeline)
- JAZN (OAS 9.04, OAS 10.1.2, OAS 10.1.3): coupled with OC4J; became known internally as “Security Provider”
- JPS, pre-BEA (11gR1): portable security provider to OC4J, SOA, WebCenter, OWSM; JAAS-compatible implementation; AuthN login module; AuthZ XML/OID providers; added support for third-party LDAP directories; WNA; JSSO; User Role API; OAM integration (JAAS provider); web services security; JMX/MBeans; Java2 policy provider; application role & policy mgmt; credential store; OSDT; auditing framework
- CSS, BEA (WLS 10.3): portable security framework used by Oracle WLS, OES, OSB etc.; SSPI to plug in custom security providers; authentication, Id assertion, authorization, role mapping, SSO
- OPSS, post-BEA (11gR1): OPSS = JPS + CSS; not coupled with the app. server; portable to third-party app. servers; used by Oracle WLS, OES, OSB, Oracle SOA, Oracle WebCenter, OWSM; supports both JPS and WLS/CSS security; Java2 policy provider; application role & policy mgmt; Credential Store Framework; UserRole API; OSDT; auditing framework
OPSS Functionality (diagram)
- Lifecycle: Develop, Deploy, Manage
- OPSS APIs: ATN, ATZ, CSF, UserRole, Policy Management, Cryptography (OSDT), Audit, SSO
- OPSS functionality: Identity Assertion, Role Mapping, Creds Mapping, JEE Policy & Role Deployment, Custom SSPI Providers, Java2 & JAAS Policy Provider, Cert Lookup & Val
- Consumers: Oracle Fusion Middleware Components and Oracle Fusion Applications
- Oracle Virtual Directory virtualizes the Identity Store, Credential Store and Policy Store
Platform to Product
Security Domain   | OPSS Solution (Basic Features) | OPSS Product Solution (Advanced Features)
Identity Store    | Embedded LDAP                  | OID
Policy Store      | File - XML                     | OID
Credential Store  | File - Oracle Wallet           | OID
SSO               | WLS SAML                       | Oracle Access Manager
Authorization     | OPSS CheckPermission           | Oracle Entitlement Server
Oracle Products Using OPSS
Product Name | What It Does | How It Uses OPSS
Oracle ADF / WebCenter | ADF is the framework used to develop WebCenter applications (portlets, etc.) | Authentication, JAAS authorization, application role, anonymous and authenticated role, policy store abstraction, policy management, Credential Store Framework
Oracle Web Services Manager (OWSM) | OWSM provides SOA and web services security | Authentication, JAAS authorization, Credential Store Framework, keystore service, audit
Oracle SOA | Provides applications designed to deploy SOA environments (BPEL, ESB, etc.) | Authentication, authorization and audit
Oracle Service Bus (OSB) | Connects, mediates, and manages SOA composite interaction | Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration
Oracle Entitlements Service (OES) | Provides externalized fine-grained authorization | Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit
WebLogic Server (WLS) Container | Java EE server / container | Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration
Oracle Access Manager | Web access and single sign-on platform | Identity assertion and integration with WebLogic Server security
OPSS For Developers: ADF Security
- Oracle ADF (Application Development Framework) is a Java EE development environment
- Oracle ADF simplifies and extends Java EE
- Oracle ADF is the development framework for Oracle products and applications
- Oracle ADF is best used with Oracle JDeveloper
Oracle ADF 11g Architecture (diagram)
- View: Desktop Browser / Mobile Devices, Office, Swing; JSP, JSF, ADF Faces
- Controller: Struts, JSF/ADFc
- Model: ADFm (JSR 227)
- Business Services: Java, EJB, BAM, BPEL, ADF BC, BI, XML, Web Services, Portlet, Toplink, JMX, JCR
- Data Services: Relational Data, XML Data, Legacy Data, Packaged Apps
- Metadata Services span the layers
ADF’s Java EE Runtime Environment
- Provides Java EE 5 services for applications
- Consumes Oracle Platform Security Services (OPSS)
- Handles authentication, authorization, logging and monitoring
- Pluggable authentication architecture: authentication handled by JAAS Login Modules; Login Modules are exposed through an Authentication Provider
ADF Security
- Provides declarative protection for ADF applications
- Designed to simplify security in ADF applications
- Enforces Java EE authentication, delegated to WebLogic Server Authentication Providers
- Easy to configure via the ADF Security Wizard
- ADF bindings protected by JAAS-based authorization
- Leverages EL to protect UI components
- Security bubbles up from ADF Business Components
- Provides support for XML and LDAP providers
- Integrated with JDeveloper design time and WLS
ADF Security: Authentication
adfAuthentication servlet
- Acts as a known “endpoint” for a standardized Login or Logout link
- Is secured by a Java EE security constraint
- Delegates logon to the Java EE container (OPSS)
- Access granted to all valid users
- Redirects to a specified page on successful login or logout
(Diagram: users sking and ahunold log in at /AdfSecurityPojoSample-ViewController-context-root/login.html and continue to /app/BrowseDepartments.jspx; WebLogic Server authenticates via the OPSS Authenticator (jazn-xml PAM) against Enterprise Identity Management.)
ADF Security: Authorization
- ADF Security performs the authorization check: the ADF Security Filter on WebLogic Server issues a JAAS AuthZ request against the Policy Store
- In her manager role, sking can see the master and detail views of BrowseDepartments.jspx
- In his user role, ahunold can only see the master view
- Enterprise groups shown in the diagram: Administrator, Clerks, HR, Sales, Dev, Staff
Policy Store grant for the page:
  <grant>
    <principal>
      <type>role</type>
      <name>manager</name>
    </principal>
    <permission>
      <name>BrowseDep</name>
      <actions>view</actions>
    </permission>
  </grant>
Application Roles, Enterprise Roles
Application Roles
- Roles defined in jazn-data.xml
- ADF Security creates a "test-all" role
- Permissions are granted to application roles
Enterprise Roles
- Groups of enterprise users
- Mapped to application roles to grant privileges to user groups
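As an added example, not taken from the deck, an ADF 11g-style jazn-data.xml fragment that ties the two preceding slides together: an application role `manager` whose member is the enterprise group `HR`, and a grant giving that role the `view` action on the BrowseDepartments page definition. The deck's grant uses the shorter `<type>role</type>` form; the application name, the group name and the page-definition name used here are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the presentation; names are assumed. -->
<jazn-data>
  <policy-store>
    <applications>
      <application>
        <name>AdfSecurityPojoSample</name>

        <!-- Application roles are defined here and receive the grants below;
             enterprise roles (groups) only appear as members of them. -->
        <app-roles>
          <app-role>
            <name>manager</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <!-- enterprise group resolved by the WebLogic identity store -->
                <class>weblogic.security.principal.WLSGroupImpl</class>
                <name>HR</name>
              </member>
            </members>
          </app-role>
        </app-roles>

        <jazn-policy>
          <!-- Only members of "manager" (sking, via HR) receive this permission;
               a narrower grant for the user role, not shown, covers the
               master-only view that ahunold sees. -->
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>manager</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>view.pageDefs.BrowseDepartmentsPageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

Because the policy is keyed on the page definition and an action rather than on a URL pattern, the same page can carry different actions for different application roles, which is the granularity the JAAS Advantages slide contrasts with container-managed security.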
Demo

OPSS Use Cases
Use Case: WLS Application Using OPSS
Traditional Java EE security enhanced with:
- JPSAuth.CheckPermission API for authorization
- UserRole API to query attributes stored in LDAP (or other back ends)
- Use of CSF to secure credentials
Use Case: Container Authentication
- Java EE application configures the authentication method in web.xml
- Application uses container-managed authentication
Use Case: Programmatic Authentication
- Java EE application needs to programmatically authenticate or assert identity, e.g., take a username / password or a security token and authenticate programmatically
- Application provides a username and password to programmatically authenticate
- Application requires a portable API
- Application provides a security token for identity assertion (authenticate without a password)
- Identity assertion is protected by a code source permission
- Subject Security API to run a task as another user
(Diagram: the Application calls the Login Service, which invokes the Authenticator against the LDAP Identity Store; the Application generates audit records into the Audit Store; configuration is done in the WLS Admin Console.)
Use Case: Fine-Grained Authorization
- Application requires a portable API
- Authorization decisions can be audited
- Application calls JPSAuth.CheckPermission
- Can support custom authorization logic with custom Permissions
Use Case: Credential Store Framework (CSF)
- Application needs to store / access external system credentials
- Credentials (username / password, symmetric keys) are stored securely
- Out of the box, the credential store is a file (Oracle Wallet); LDAP is supported
- Application uses CSF APIs to access credentials
- Credentials are managed using Oracle EM or WLST
- Credential Store operations (read, write, access etc.) can be audited
Use Case: User and Role API
- Application needs to search the identity store, e.g., search for all users in “EMEA” or access the email address of all users in a certain role
- User attributes are stored in the embedded LDAP or another configured LDAP Authenticator
- The same API works irrespective of where user attributes are stored
- App uses UR APIs to access user attributes
(Diagram: the Application calls the User and Role API, whose UR Provider reaches the Identity Store through the Authenticator; configuration is done in the WLS Admin Console.)
Use Case: Audit
- Java EE application needs to audit security-sensitive operations such as authentication, authorization, credential access
- Application uses Java EE container-based authentication (WLS Authenticator)
- WLS audits authentication and Java EE authorization
- If the application uses OPSS, its check-permission authorization and credential operations are audited (the OPSS audit API is not exposed to applications)
(Diagram: both container-based and OPSS-based authentication / authorization generate audit records into the Audit Store; audit is configured through the WLS Admin Console and Oracle EM FMW Control, and viewed with BI Publisher.)
Use Case: Java SE Application
Java SE application using:
- LoginService API for authentication
- CheckPermission for authorization
- User and Role API to query attributes stored in LDAP (or other back ends)
- Credential Store to secure credentials
(Diagram: the Java SE application authenticates through the LoginService API against the LDAP Identity Store, and performs permission checks and credential access through checkPermission, the UserRole API and the Credential Store Framework against the LDAP Policy Store.)
Use Case: ADF Development
- Developer creates an ADF application using JDeveloper and applies wizard-based ADF security
- Application’s users and groups, authorization policy, and credentials are copied by JDeveloper to the WLS embedded in JDeveloper
- Developer creates the application’s EAR file, which contains policy and credentials
- Deployer / Administrator deploys the EAR to a remote WLS using Oracle EM
(Diagram: ADF Application with Users/Groups, Policy and Credentials; JDeveloper auto-deploys to the Integrated WLS with its file-based Policy & Credential Store and generates the EAR; Oracle EM FMW Control deploys the EAR to the Remote WLS Domain Policy & Credential Store.)
Use Case: ADF Authorization
- ADF application needs to use fine-grained authorization in a portable fashion while using Java EE container-based authentication
- JDeveloper ADF security wizard creates the required security configuration
- ADF filter calls JPSAuth.checkPermission
- Can support custom authorization logic with custom permissions
(Diagram: the Application’s ADF Filter calls CheckPermission on the Policy Provider, which reads the Policy Store and generates audit records into the Audit Store; the policy is managed through MBeans, WLST and Oracle EM FMW Control.)
Use Case: Test to Production
- Administrator tests the application in the Staging environment; the application’s security policy and credentials need to be migrated to the Production environment
- Administrator redeploys the application into the Production environment
- Administrator runs the migrateSecurityStore WLST offline command in the Production environment, which copies policy and credential data from the Staging store to the Production store
(Diagram: WLST Migrate Security Store from the Staging Policy & Credential Store to the Production Policy & Credential Store.)
Use Case: SSO with OAM
- Administrator wants to configure multiple WLS domains to participate in SSO
- Administrator configures OAM and WLS integration using SSPI
- OAM SSPI agent extracts the security token and validates it using the WLS identity asserter
OPSS Summary
OPSS provides:
- A suite of application-centric security frameworks
- Abstraction APIs and an implementation of basic features
- Lightweight Identity Management infrastructure, allowing customers to build and deploy small to mid-size applications
- Plug-in interface to Identity Management systems: applications built against OPSS can be plugged into a centrally deployed Identity Management system
- Allows customers to scale their applications by switching to a centrally deployed Identity Management system
- No code changes required in the application when switching from one Identity Management system to another
 
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. © 2009 Oracle Corporation

More Related Content

PDF
Vmware Seminar Security & Compliance for the cloud with Trend Micro
PPTX
SaaS Challenges & Security Concerns
PDF
Security As A Service
PDF
Secaa s cat_10_network_security_implementation_guidance
PDF
Projecting Enterprise Security Requirements on the Cloud
PDF
Cloud Security Standards: What to Expect and What to Negotiate V2.0
PPT
Securing Servers in Public and Hybrid Clouds
PPSX
The security of SAAS and private cloud
Vmware Seminar Security & Compliance for the cloud with Trend Micro
SaaS Challenges & Security Concerns
Security As A Service
Secaa s cat_10_network_security_implementation_guidance
Projecting Enterprise Security Requirements on the Cloud
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Securing Servers in Public and Hybrid Clouds
The security of SAAS and private cloud

What's hot (20)

PPTX
Cloud security (domain11 14)
PPTX
Open Digital Framework from TMFORUM
PPTX
Security as a Service Model for Cloud Environment
PDF
Cloud Security Governance
PPTX
Cloud Security
PPTX
Cloud Security Fundamentals Webinar
PPTX
Intel SaaS Security Playbook
PDF
Cloud Security, Standards and Applications
PPTX
Security concerns with SaaS layer of cloud computing
PPTX
Azure security and Compliance
PDF
Tablet Access to Business Applications
PPTX
Cloud Security Top 10 Risk Mitigation Techniques for 2019
PDF
Microsoft Azure Cloud Services
PPTX
Security Architecture Best Practices for SaaS Applications
PPTX
Cloud Security for U.S. Military Agencies
PPTX
Cloud security ppt
PDF
Protecting Dynamic Datacenters From the Latest Threats
PPT
Cloud Security
PDF
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
PDF
Cloud computing understanding security risk and management
Cloud security (domain11 14)
Open Digital Framework from TMFORUM
Security as a Service Model for Cloud Environment
Cloud Security Governance
Cloud Security
Cloud Security Fundamentals Webinar
Intel SaaS Security Playbook
Cloud Security, Standards and Applications
Security concerns with SaaS layer of cloud computing
Azure security and Compliance
Tablet Access to Business Applications
Cloud Security Top 10 Risk Mitigation Techniques for 2019
Microsoft Azure Cloud Services
Security Architecture Best Practices for SaaS Applications
Cloud Security for U.S. Military Agencies
Cloud security ppt
Protecting Dynamic Datacenters From the Latest Threats
Cloud Security
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Cloud computing understanding security risk and management
Ad

Viewers also liked (12)

PDF
Security Service Management
PDF
Security As A Service
PPTX
Elite Force Security Service Brief
PDF
Cyber Security as a Service
PPTX
Security As A Service In Cloud(SECaaS)
PDF
Security as a Service with Microsoft Presented by Razor Technology
PDF
Hosted Security as a Service - Solution Architecture Design
PDF
IT Security As A Service
PDF
How to avoid your website from keep getting hacked
PPTX
Security As A Service
PDF
Security as a Service in a Financial Institution: Reality or Chimera?
PPTX
Security as a Service = JSOC
Security Service Management
Security As A Service
Elite Force Security Service Brief
Cyber Security as a Service
Security As A Service In Cloud(SECaaS)
Security as a Service with Microsoft Presented by Razor Technology
Hosted Security as a Service - Solution Architecture Design
IT Security As A Service
How to avoid your website from keep getting hacked
Security As A Service
Security as a Service in a Financial Institution: Reality or Chimera?
Security as a Service = JSOC
Ad

Similar to Security As A Service (20)

PPTX
Java Security Framework's
PDF
Weblogic security
PDF
Weblogic Cluster Security
PDF
Security in Java
PPTX
Spring Security and Spring Cloud- Short introduction.pptx
PPT
Oim Poc1.0
DOCX
All about Oracle Security Developer Tools
PPTX
Introduction to the WSO2 Identity Server &Contributing to an OS Project
PPT
OWASPSanAntonio_2006_08_SingleSignOn.ppt
PDF
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...
PPT
Share Point Server Security with Joel Oleson
PPT
Developing Web Services With Oracle Web Logic Server
PPT
Novell® iChain® 2.3
PDF
Oracle API Gateway
PPT
Layer 7: Getting Your SOA to Production Without Cost and Complexity
PPT
Managing the cloud
PPTX
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
PPT
Layer 7: Enterprise Service Governance with SecureSpan
PPTX
2014 q3-platform-update-v1.06.johnmathon
PPTX
Introduction to basic governance in Azure - #GABDK
Java Security Framework's
Weblogic security
Weblogic Cluster Security
Security in Java
Spring Security and Spring Cloud- Short introduction.pptx
Oim Poc1.0
All about Oracle Security Developer Tools
Introduction to the WSO2 Identity Server &Contributing to an OS Project
OWASPSanAntonio_2006_08_SingleSignOn.ppt
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...
Share Point Server Security with Joel Oleson
Developing Web Services With Oracle Web Logic Server
Novell® iChain® 2.3
Oracle API Gateway
Layer 7: Getting Your SOA to Production Without Cost and Complexity
Managing the cloud
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Layer 7: Enterprise Service Governance with SecureSpan
2014 q3-platform-update-v1.06.johnmathon
Introduction to basic governance in Azure - #GABDK

Recently uploaded (20)

PPTX
Big Data Technologies - Introduction.pptx
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Encapsulation theory and applications.pdf
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Empathic Computing: Creating Shared Understanding
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPT
Teaching material agriculture food technology
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PPTX
A Presentation on Artificial Intelligence
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Big Data Technologies - Introduction.pptx
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
NewMind AI Weekly Chronicles - August'25 Week I
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Encapsulation theory and applications.pdf
Building Integrated photovoltaic BIPV_UPV.pdf
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Spectral efficient network and resource selection model in 5G networks
Empathic Computing: Creating Shared Understanding
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Teaching material agriculture food technology
Per capita expenditure prediction using model stacking based on satellite ima...
A Presentation on Artificial Intelligence
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Chapter 3 Spatial Domain Image Processing.pdf
Dropbox Q2 2025 Financial Results & Investor Presentation
Digital-Transformation-Roadmap-for-Companies.pptx
Build a system with the filesystem maintained by OSTree @ COSCUP 2025

Security As A Service

  • 1. Security As A Service Marc Chanliau, Identity Management Technical Evangelist [email_address]
  • 2. Agenda Java Security “Refresher” Introducing Oracle Platform Security Services (OPSS) Focus On Design-Time Security (ADF) Demo OPSS Use Cases © 2009 Oracle Corporation
  • 3. The Java EE Security Toolbox Container Managed Security Java EE Security Java Authentication and Authorization Service (JAAS)
  • 4. Container Managed Security Java EE security handled by the Java EE container Declarative, portable, easy to use Decouple security logic application code Implementation details hidden from developer Authentication Configured in web.xml descriptor Basic, Form, Certificate, Digest Authorization Role-based Based on URL patterns SSL can be enforced on page
  • 5. Limitations of Container Managed Security Java EE declarative security is… Static within a deployed application Policies cannot be changed dynamically. Constraint cannot be changed (static role mapping) Not very Granular Protects URL addressable objects Does not allow different privileges against a protected object Java EE roles are not hierarchical Need extra groups to define “rollup” levels of enterprise Roles Not very granular
  • 6. Java Authentication and Authorization Service (JAAS) What JAAS is Enables services to authenticate and enforce access controls Programmatic security model Extends Java 2 Security Role-based access control (RBAC) Authentication Pluggable Authentication Module (PAM) Propagates identity via session context Authorization Grants access to resources and actions Executes operations within user context
  • 7. JAAS Advantages Dynamic and evaluated in real-time Policies may be updated in the policy store and reflected in the application Secures the ability to perform a “fine-grained action” on the resource, rather than simple access to the URL Policies are defined against an action in the policy store not by the URL pattern Supports granular privileges against the same object Allows for hierarchical policies References Enterprise roles directly from the Identity Management System
  • 8. Summary Of The Challenges To Be Addressed The security capabilities supported and defined by the Java EE standards are limited Too much security knowledge is required of application developers who should primarily focus on business logic No consistent security experience across platforms and applications Third-party security frameworks are non-standard and non-portable, and don’t support the complete application lifecycle No support for large enterprise security deployments Lack of support for different types of development model, e.g., Java EE and Java SE
  • 9. Introducing OPSS OPSS provides enterprise product development teams, systems integrators, and independent software vendors with a security framework for Java SE and Java EE applications standards-based portable integrated enterprise-grade OPSS is an abstraction layer that insulates developers from security and identity management implementation details With OPSS, developers don’t need to know the nitty-gritty of cryptographic key management or interfaces with user repositories and other identity management infrastructures
  • 10. OPSS in Oracle Fusion Middleware Oracle JDeveloper Web Browser Oracle WLS Admin Console Oracle Enterprise Mgr Load Balancer Oracle WebCache Oracle HTTP Server Applications Oracle SOA Suite Oracle Identity Mgt Oracle Platform Security Services Oracle WebCenter Oracle WebLogic Server LDAP RDBMS Web Tier Application Tier Data Tier
  • 11. OPSS Benefits Customers get what Oracle products get OPSS is used as the security platform for Oracle Fusion Applications and Oracle Fusion Middleware components OPSS is enterprise ready Stress tested to support enterprise deployments Interoperability tested across different environments Certified on WLS, will be certified on WAS and JBoss Standards based Protect your investment Pre-integrated with Oracle products and technologies Consistent security experience for developers and administrators Same set of APIs and UI for all types of applications (in-house, third-party, Oracle Fusion) Support large enterprise deployments Integration with Identity Management Enable legacy and third-party security provider integration
  • 12. OPSS’s Heritage JAZN JPS – Pre BEA CSS – BEA OPSS – Post BEA OAS 9.04 Coupled w/ OC4J OAS 10.1.2 Coupled w/ OC4J OAS 10.1.3 Coupled w/ OC4J (Became known internally as “Security Provider”) 11gR1 Portable Security Provider to - OC4J SOA WebCenter OWSM WLS 10.3 Portable Security Framework used by - Oracle WLS OES OSB etc 11gR1 OPSS = JPS + CSS Not coupled w/ app. server Portable to third-party app. Servers Oracle WLS OES OSB Oracle SOA Oracle WebCenter OWSM JAAS compatible imp. AuthN Login module AuthZ XML/OID providers Added support for third-party LDAP directories - WNA JSSO User Role API OAM integration (JAAS provider) Web services security JMX/MBeans Java2 Policy Provider Application Role & Policy Mgmt Credential Store OSDT Auditing Framework - SSPI to plug-in custom security providers Authentication Id Assertion Authorization Role Mapping SSO - Supports both JPS & WLS/CSS security Java2 Policy Provider Application Role & Policy Mgmt Credential Store Framework UserRole API OSDT Auditing Framework
  • 13. Oracle Virtual Directory Virtualizes Identity Store, Credential Store, Policy Store Develop Deploy Manage Oracle Fusion Middleware Components and Oracle Fusion Applications ATN, ATZ, CSF, UserRole, Policy Management, Cryptography (OSDT) Identity Assertion Role Mapping Creds Mapping JEE Policy & Role Deployment Custom SSPI Providers Java2 & JAAS Policy Provider Cert Lookup & Val OPSS Functionality OPSS APIs Audit SSO
  • 14. Platform to Product Security Domain OPSS Solution (Basic Features) OPSS Product Solution (Advanced Features) Identity Store Embedded LDAP OID Policy Store File - XML OID Credential Store File – Oracle Wallet OID SSO WLS SAML Oracle Access Manager Authorization OPSS CheckPermission Oracle Entitlement Server
  • 15. Oracle Products Using OPSS Product Name What It Does How It Uses OPSS Oracle ADF / WebCenter ADF is the framework used to develop WebCenter applications (portlets, etc.) Authentication, JAAS Authorization, Application Role,Anonymous and Authenticated Role, Policy Store Abstraction, Policy Management, Credential Store Framework Oracle Web Services Manager (OWSM) OWSM provides SOA and web services security Authentication, JAAS Authorization, Credential Store Framework, Keystore Service, Audit Oracle SOA Provides applications designed to deploy SOA environments (BPEL, ESB, etc.) Authentication, Authorization and Audit Oracle Service Bus (OSB) Connects, mediates, and manages SOA composites interaction Authentication, identity assertion, authorization, Role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration Oracle Entitlements Service (OES) Provides externalized fine-grained authorization Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit. WebLogic Server (WLS) Container Java EE server / container Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration Oracle Access Manager Web access and single sign on platform Identity assertion and integration with WebLogic Server security.
  • 16. OPSS For Developers: ADF Security Oracle ADF (Application Development Framework) is a Java EE development environment Oracle ADF simplifies and extends Java EE Oracle ADF is the development framework for Oracle products and applications Oracle ADF is best used with Oracle JDeveloper © 2009 Oracle Corporation
  • 17. Oracle ADF 11g Architecture © 2009 Oracle Corporation Struts Business Services Data Services Model Controller JSP View Desktop Browser/ Mobile Devices Metadata Services ADFm (JSR 227) JSF ADF Faces JSF/ADFc Java EJB BAM BPEL ADF BC BI XML Office Swing Web Services Portlet Toplink JMX JCR Relational Data XML Data Legacy Data Packaged Apps
• 18. ADF's Java EE Runtime Environment
  - Provides Java EE 5 services for applications
  - Consumes Oracle Platform Security Services (OPSS)
  - Handles authentication, authorization, logging and monitoring
  - Pluggable authentication architecture: authentication handled by JAAS Login Modules, which are exposed through an Authentication Provider
• 19. ADF Security
  - Provides declarative protection for ADF applications; designed to simplify security in ADF applications
  - Enforces Java EE authentication, delegated to WebLogic Server Authentication Providers
  - Easy to configure via the ADF Security Wizard
  - ADF bindings protected by JAAS-based authorization
  - Leverages EL to protect UI components
  - Security bubbles up from ADF Business Components
  - Provides support for XML and LDAP providers
  - Integrated with JDeveloper design time and WLS
• 20. ADF Security: Authentication
  - The adfAuthentication servlet acts as a known "endpoint" for a standardized Login or Logout link
  - Is secured by a Java EE security constraint
  - Delegates logon to the Java EE container (OPSS); access granted to all valid users
  - Redirects to a specified page on successful login or logout
  (Diagram: users sking and ahunold log in at /AdfSecurityPojoSample-ViewController-context-root/login.html; WebLogic Server authenticates via OPSS (Authenticator; jazn-xml PAM) against Enterprise Identity Management and redirects to /app/BrowseDepartments.jspx.)
• 21. ADF Security: Authorization
  - ADF Security performs the authorization check (a JAAS AuthZ request from the ADF Security Filter in WebLogic Server against the Policy Store)
  - In her manager role, sking can see master and detail views of BrowseDepartments.jspx
  - In his user role, ahunold can only see the master view
  - Enterprise groups in the diagram: Administrator, Clerks, HR, Sales, Dev, Staff
  - Policy Store grant for the manager role:
      <grant>
        <principal>
          <type>role</type>
          <name>manager</name>
        </principal>
        <permission>
          <name>BrowseDep</name>
          <actions>view</actions>
        </permission>
      </grant>
• 22. Application Roles, Enterprise Roles
  - Application Roles: roles defined in jazn-data.xml; ADF Security creates a "test-all" role; permissions are granted to application roles
  - Enterprise Roles: groups of enterprise users; mapped to application roles to grant privileges to user groups
• 23. Demo
• 24. OPSS Use Cases
• 25. Use Case: WLS Application Using OPSS
  - Traditional Java EE security enhanced with the JpsAuth.checkPermission API for authorization
  - UserRole API to query attributes stored in LDAP (or other back ends)
  - Use of CSF to secure credentials
• 26. Use Case: Container Authentication
  - Java EE application configures the authentication method in web.xml
  - Application uses container-managed authentication
• 27. Use Case: Programmatic Authentication
  - Java EE application needs to programmatically authenticate or assert identity, e.g., take a username / password or a security token and authenticate programmatically
  - Application provides a username and password to authenticate programmatically; application requires a portable API
  - Application provides a security token for identity assertion (authenticate without a password); identity assertion is protected by a code source permission
  - Subject Security API to run a task as another user
  (Diagram: the Application calls the Login Service, which authenticates through the WLS Authenticator against the LDAP Identity Store and generates audit records into the Audit Store; configured from the WLS Admin Console.)
• 28. Use Case: Fine-Grained Authorization
  - Application requires a portable API
  - Authorization decisions can be audited
  - Application calls JpsAuth.checkPermission
  - Can support custom authorization logic with custom Permissions
• 29. Use Case: Credential Store Framework (CSF)
  - Application needs to store / access external system credentials
  - Credentials (username / password, symmetric keys) stored securely
  - OOB, the credential store is a file (Oracle Wallet); LDAP supported
  - Application uses CSF APIs to access credentials
  - Credentials are managed using Oracle EM or WLST
  - Credential store operations (read, write, access, etc.) can be audited
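One way an application reads a back-end credential through the CSF rather than from a property file, as an added example that is not part of the deck. The map and key names ("hr-app.credentials", "payroll-db") are hypothetical, and a CredentialAccessPermission grant for the calling code source is assumed to exist in the policy store.

```java
import java.util.Arrays;
import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.service.credstore.Credential;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.PasswordCredential;

/** Fetches an external-system credential from the CSF configured in jps-config.xml. */
public final class BackendCredentials {

    /** Callback so the caller holds the password only for the duration of the call that needs it. */
    public interface PasswordUser<T> {
        T apply(String user, char[] password) throws Exception;
    }

    private BackendCredentials() {}

    /**
     * Looks up (mapName, key), hands username/password to 'work', then wipes the local copy.
     * The read is an audited credential store operation; without a CredentialAccessPermission
     * for this map/key on the calling code source, OPSS rejects the call instead of returning it.
     */
    public static <T> T withPassword(String mapName, String key, PasswordUser<T> work) throws Exception {
        JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
        CredentialStore store = ctx.getServiceInstance(CredentialStore.class);
        Credential cred = store.getCredential(mapName, key);
        if (!(cred instanceof PasswordCredential)) {
            throw new IllegalStateException("no password credential at " + mapName + "/" + key);
        }
        PasswordCredential pc = (PasswordCredential) cred;
        char[] password = pc.getPassword().clone();   // work on a copy we are free to zero
        try {
            return work.apply(pc.getName(), password);
        } finally {
            Arrays.fill(password, '\0');              // don't leave the secret lying in the heap
        }
    }

    /** Hypothetical caller: opens nothing, just shows the shape of use. */
    public static String describe() throws Exception {
        return withPassword("hr-app.credentials", "payroll-db", (user, pw) ->
            "connecting to payroll DB as " + user + " with a " + pw.length + "-char password");
    }
}
```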
• 30. Use Case: User and Role API
  - Application needs to search the identity store, e.g., search for all users in "EMEA" or access the email address of all users in a certain role
  - User attributes stored in embedded LDAP or another configured LDAP Authenticator
  - The same API works irrespective of where user attributes are stored
  - App uses UR APIs to access user attributes
  (Diagram: Application -> User and Role API -> UR Provider -> Authenticator -> Identity Store; configured from the WLS Admin Console.)
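The "email address of every user in a role" search from this slide, written against the User and Role API as an added example (not Oracle's own code). It assumes the OPSS 11g User and Role API calls shown (IdentityStoreService.getIdmStore, searchRole, RoleManager.getGrantees, UserProfile.getBusinessEmail) and the hypothetical role name "EMEA".

```java
import java.util.ArrayList;
import java.util.List;
import oracle.security.idm.IMException;
import oracle.security.idm.Identity;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.Role;
import oracle.security.idm.RoleManager;
import oracle.security.idm.SearchResponse;
import oracle.security.idm.User;
import oracle.security.idm.UserProfile;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.idstore.IdentityStoreService;

/** Collects business e-mail addresses of a role's members, whatever LDAP the Authenticator points at. */
public final class RoleMailer {
    private RoleMailer() {}

    /** The same handle works for the embedded LDAP or any other configured identity store. */
    static IdentityStore store() throws JpsException, IMException {
        IdentityStoreService svc = JpsContextFactory.getContextFactory().getContext()
                                                    .getServiceInstance(IdentityStoreService.class);
        return svc.getIdmStore();
    }

    /** Direct members of 'roleName' with a business e-mail; users without one are skipped, not failed. */
    public static List<String> emailsInRole(String roleName) throws JpsException, IMException {
        IdentityStore store = store();
        Role role = store.searchRole(IdentityStore.SEARCH_BY_NAME, roleName);
        RoleManager rm = store.getRoleManager();
        SearchResponse members = rm.getGrantees(role, true);   // true = direct grantees only
        List<String> emails = new ArrayList<>();
        while (members.hasNext()) {
            Identity id = members.next();
            if (!(id instanceof User)) continue;               // nested roles have no mailbox
            UserProfile profile = ((User) id).getUserProfile();
            String mail = profile.getBusinessEmail();
            if (mail != null && !mail.isEmpty()) emails.add(mail);
        }
        return emails;
    }

    /** Hypothetical caller for the slide's "EMEA" scenario. */
    public static List<String> emeaEmails() throws JpsException, IMException {
        return emailsInRole("EMEA");
    }
}
```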
• 31. Use Case: Audit
  - Java EE application needs to audit security-sensitive operations such as authentication, authorization, credential access
  - Application uses Java EE container-based authentication (WLS Authenticator); WLS audits authentication and Java EE authorization
  - If the application uses OPSS, it gets checkPermission authorization and credential operations audited (OPSS audit API not exposed to applications)
  (Diagram: container-based and OPSS-based authentication / authorization both generate audit records into the Audit Store; audit is configured from the WLS Admin Console and Oracle EM FMWControl, and viewed with BI Publisher.)
• 32. Use Case: Java SE Application
  - Java SE application using the LoginService API for authentication
  - checkPermission for authorization
  - User and Role API to query attributes stored in LDAP (or other backends)
  - Credential Store to secure credentials
  (Diagram: LoginService API, checkPermission, UserRole API and Credential Store Framework; authentication goes to the LDAP Identity Store, permission checks and credential access to the LDAP Policy Store.)
• 33. Use Case: ADF Development
  - Developer creates an ADF application using JDeveloper and applies wizard-based ADF security
  - Application's users and groups, authorization policy, and credentials are copied by JDeveloper to the WLS embedded in JDeveloper
  - Developer creates the application's EAR file, which contains policy and credentials
  - Deployer / Administrator deploys the EAR to a remote WLS using Oracle EM
  (Diagram: ADF application users/groups, policy and credentials auto-deploy to the JDeveloper integrated WLS file-based policy and credential store; the generated EAR is deployed via Oracle EM FMWControl into the remote WLS domain's policy and credential store.)
• 34. Use Case: ADF Authorization
  - ADF application needs to use fine-grained authorization in a portable fashion while using Java EE container-based authentication
  - JDeveloper ADF security wizard creates the required security configuration
  - ADF filter calls JpsAuth.checkPermission
  - Can support custom authorization logic with custom permissions
  (Diagram: the ADF Filter calls checkPermission on the Policy Provider backed by the Policy Store and generates audit records into the Audit Store; policy is managed via MBeans, WLST and Oracle EM FMWControl.)
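The "custom permission plus JpsAuth.checkPermission" pattern that slides 25, 28 and 34 all refer to, as an added example that is not Oracle's or ADF's own code. BrowseDepPermission is a hypothetical permission class modelled on the slide 21 grant (resource "BrowseDep", action "view"); a jazn-data.xml grant would name this class, resource and actions for an application role, and the actions "view" and "edit" are assumptions.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import oracle.security.jps.util.JpsAuth;

/** Hypothetical fine-grained permission: name = protected resource, actions = view and/or edit. */
public final class BrowseDepPermission extends Permission {
    private static final Set<String> KNOWN = new TreeSet<>(Arrays.asList("view", "edit"));
    private final Set<String> actions = new TreeSet<>();   // sorted, so getActions() is canonical

    public BrowseDepPermission(String resource, String actionList) {
        super(resource);
        for (String a : actionList.split(",")) {
            a = a.trim().toLowerCase();
            if (!KNOWN.contains(a)) throw new IllegalArgumentException("unknown action: " + a);
            actions.add(a);
        }
    }

    /** A grant implies a request when the resource matches and the grant covers every requested action. */
    @Override public boolean implies(Permission requested) {
        if (!(requested instanceof BrowseDepPermission)) return false;
        BrowseDepPermission r = (BrowseDepPermission) requested;
        return getName().equals(r.getName()) && actions.containsAll(r.actions);
    }

    @Override public boolean equals(Object o) {
        if (!(o instanceof BrowseDepPermission)) return false;
        BrowseDepPermission p = (BrowseDepPermission) o;
        return getName().equals(p.getName()) && actions.equals(p.actions);
    }
    @Override public int hashCode() { return 31 * getName().hashCode() + actions.hashCode(); }
    @Override public String getActions() { return String.join(",", actions); }

    /**
     * Asks OPSS whether the current Subject may perform 'action' on 'resource'. JpsAuth evaluates
     * the OPSS policy store (not just java.policy) and the decision can be audited; it fails closed.
     */
    public static boolean isAllowed(String resource, String action) {
        try {
            JpsAuth.checkPermission(new BrowseDepPermission(resource, action));
            return true;
        } catch (AccessControlException denied) {
            return false;    // render only what the policy store granted, e.g. master view only
        }
    }
}
```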
• 35. Use Case: Test to Production
  - Administrator tests the application in the Staging environment; the application's security policy and credentials need to be migrated to the Production environment
  - Administrator redeploys the application into the Production environment
  - Administrator runs the migrateSecurityStore WLST offline command in the Production environment, which copies policy and credential data from the Staging store to the Production store
  (Diagram: WLST migrateSecurityStore copies the Staging Policy & Credential Store to the Production Policy & Credential Store.)
• 36. Use Case: SSO with OAM
  - Administrator wants to configure multiple WLS domains to participate in SSO
  - Administrator configures OAM and WLS integration using SSPI
  - OAM SSPI agent extracts the security token and validates it using the WLS identity asserter
• 37. OPSS Summary
  - OPSS provides a suite of application-centric security frameworks: abstraction APIs and implementations of basic features
  - Lightweight Identity Management infrastructure that allows customers to build and deploy small to mid-size applications
  - Plug-in interface to Identity Management systems: applications built against OPSS can be plugged into a centrally deployed Identity Management system, allowing customers to scale their applications by switching to a centrally deployed Identity Management system
  - No code changes required in the application when switching from one Identity Management system to another
• 39. The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.