SlideShare a Scribd company logo
Third Party Auth in WO
Joe Little and Daniel Beatty
Authentication Methods
•   Storing passwords in your DB (Model)
•   Authenticating against LDAP services
•   LDAP via your Model and hybrid solutions
•   Kerberos/SSO and hybrid redux
•   WebAuth and gateway solutions
•   Shibboleth and the future
Auth in DB

•   The default approach
•   With little database security, the hash must be secure
•   SHA-1 (160) or SHA-2 (256) and friends
•   Sample code...
SHA-2 in the Database
qual = UserAccount.USERNAME.eq(username).and(UserAccount.PASSWORD.eq(digestedString(password)));

....



public String digestedString(String aString) {
	     String digestedString;
	
	     try {
	   	     MessageDigest md = MessageDigest.getInstance("SHA-256");
	   	     md.reset();
	   	     digestedString = new sun.misc.BASE64Encoder().encode (md.digest(aString.getBytes("UTF-8")));
	     }
	     catch (NoSuchAlgorithmException e) {
	   	     throw new NSForwardException(e);
	     }
	     catch (UnsupportedEncodingException e){
	   	     throw new NSForwardException(e);
	     }
	     return digestedString;
}
LDAP
•   JNDI can be used for EOs, but NOT for passwords!
•   Generally restricted by sites LDAP configuration
•   Standard method is to try a “simple bind” against LDAP
    •   LDAPS:// - Port 636 if possible (SSL), DIGEST otherwise
    •   StartTLS is not an option
    •   http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
Java LDAP Authentication
      if (LDAPAuth.LDAPAuthenticate(username, password))

...


public class LDAPAuth {
	   public static final boolean LDAPAuthenticate (String userid, String password)
	   {
	   	   Hashtable env = new Hashtable();
	   	   env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
	   	   env.put(Context.PROVIDER_URL, "ldap://172.16.113.129:389/dc=example,dc=com");

	     	   env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5"); // or “simple”
	     	   env.put(Context.SECURITY_PRINCIPAL, "uid=" + userid + ", ou=People, dc=example, dc=com");
	     	   env.put(Context.SECURITY_CREDENTIALS, password);

	     	   // Create the initial context
	     	   try {
	     	   	   DirContext ctx = new InitialDirContext(env);
	     	   } catch (NamingException e) {
	     	   	   return false; // Failed to auth
	     	   	   //e.printStackTrace();
	     	   }
	     	
	     	   return true;

	     }
}
LDAP via EOModel

•   WebObjects lets you access LDAP via JNDI
•   Insecure
    •   SSL supposedly should work

•   Not good for authentication, but other info is there
•   Great for the “hybrid” approach to authentication
The Hybrid Approach
•   Define user attributes in your DB-based EOs

•   Authenticate user that is also in LDAP tree

•   1st time auth: use JNDI EO

    •   Must have matching name between auth and LDAP

    •   Use JNDI EO in read-only fashion to get user attributes

    •   Store in your DB user EOs for future use

•   Considerations for future JNDI updates
LDAP EOModel
LDAP Connection Dictionary
All LDAP Hybrid Approach
      if (LDAPAuth.LDAPAuthenticate(username, password))
                  	   	   {
                  	   	   	   qual = UserAccount.USERNAME.eq(username);
                  	   	   	   NSLog.out.appendln("LDAP authenticated: " + username);
                  	   	   }
                  	   	   if (qual != null)
                  	   	   try {
                  	   	   user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);

                         } catch (NoSuchElementException e) {
                                 // Make a new user from LDAP
                         	   	   qual = PosixAccount.UID.eq(username);
                         	   	   EOEditingContext ec = ERXEC.newEditingContext();
                         	   	   PosixAccount ldapAccount = PosixAccount.fetchPosixAccount(ec, qual);
                         	   	   user = UserAccount.createUserAccount(ec, ldapAccount.gecos(), username);
                         	   	   ec.saveChanges();
                         	   	
                         }

...

public static UserAccount createUserAccount(EOEditingContext editingContext, String fullName, String username) {
    UserAccount eo = (UserAccount) EOUtilities.createAndInsertInstance(editingContext, _UserAccount.ENTITY_NAME);
	   	   eo.setFullName(fullName);
	   	   eo.setUsername(username);
    return eo;
  }
SSO: Kerberos

•   Many Single-Sign On (SSO) solutions

•   Kerberos / Active Directory are most common today

•   AD and OpenDirectory marry LDAP w/ Kerberos: hybrid!

•   Heavily tied into Java Crypto APIs, so Frustration-By-Design

•   Remember to set classes.include.patternset in woproject to have “**/*.conf”

•   Best seen by example... (Thanks Mike!)
Kerberos Methods

    public class KerberosAuth {

	   static final String krbPath = "/Library/Preferences/edu.mit.Kerberos";
	   public static final boolean KerberosAuthenticate (String userid, char[] password)
	   {
	   	   System.setProperty("java.security.krb5.conf", krbPath);
	   	   System.setProperty("java.security.auth.login.config", KerberosAuth.class.getResource("/kerberos.conf").toExternalForm());
	   	   try {
	   	   	   LoginContext lc = new LoginContext("primaryLoginContext", new UserNamePasswordCallbackHandler(userid, password));
	   	   	   lc.login();
	   	   	   }
	   	   	   catch (LoginException e) {
	   	   	   	   // e.printStackTrace();
	   	   	   	   return false; // Consider all failures as equal
	   	       }
	   	   return true;
	   }
Kerberos Method Part 2

public static class UserNamePasswordCallbackHandler implements CallbackHandler {
	
	   	   private String _userName;
	   	   private char[] _password;
	
	   	   public UserNamePasswordCallbackHandler(String userName, char[] password) {
	   	   	   _userName = userName;
	   	   	   _password = password;
	   	   }
	
	       public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
	       	     for (Callback callback : callbacks) {
	       	   	   if (callback instanceof NameCallback && _userName != null) {
	       	   	   	   ((NameCallback) callback).setName(_userName);
	       	   	   }
	       	   	   else if (callback instanceof PasswordCallback && _password != null) {
	       	   	   	   ((PasswordCallback) callback).setPassword(_password);
	       	   	   }
	       	     }
	       }
	   }
Kerberos.conf in Sources folder
primaryLoginContext {

com.sun.security.auth.module.Krb5LoginModule required client=true
useTicketCache=false;

};
Kerberos Authentication
  if (KerberosAuth.KerberosAuthenticate(username, password.toCharArray()))
  {
      qual = UserAccount.USERNAME.eq(username);
      NSLog.out.appendln("Kerberos authenticated: " + username);
  }



...


UserAccount user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
((Session)session()).setCurrentUser(user);
if (((Session)session()).currentUser() != null)
{
   nextPage = D2W.factory().defaultPage(session());
}
Demo and Review
WebAuth
•   External authentication handled in Apache

•   More involved site setup

•   Must trust the Gateway (Apache) for security

•   Deceptively simple

•   Interesting solutions:

    •   Multiple authentications

    •   Trust-to-Set applications
Gateway Approach
                  Considerations
•   Does make Developer Mode a bit more interesting

•   Mixing up DirectAction logins w/ gateway header request check

•   DirectConnect can be good here.. (Thanks Chuck!)

•   Best practices:

    •   Put values you want into your session object

    •   make sure your session is SSL-enabled!

    •   useExternalAuth boolean in User-type entity?
WebAuth Method
    public class WebauthAuth {
	   public static final String WebauthAuthenticate (WOContext context)
	   {	
	   	 // If unauthenticated, this will be blank
	   	 // assumes that web location is WebAuth protected to restrict this setting
	   	 return context.request().headerForKey("webauth_user");
	   }
}
Which brings us too...

“Gilead then cut Ephraim off from the fords of the Jordan, and whenever
Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you
an Ephraimite?' If he said, 'No,' they then said, 'Very well, say
"Shibboleth" (‫ '.)שיבולת‬If anyone said, "Sibboleth" (‫ ,)סיבולת‬because he could
not pronounce it, then they would seize him and kill him by the fords of the
Jordan. Forty-two thousand Ephraimites fell on this occasion.”
Shibboleth Topics

•   Shibboleth Authentication Point of View

•   Federated Frameworks

•   How is IdP put together

•   General Shibboleth Service Provision Scenario

•   Classic Computer Security
The Shibboleth Point of View

•   Stone Age: Application maintains unique credential and identity
    information for each user.

•   Bronze Age: Credentials are centralized but applications maintain
    all user identity information

•   Iron Age: Credentials and core identity information are
    centralized and application maintains only app-specific user data.
Fallacies of Distributed Computing

1.The Network is reliable
2.Latency is Zero
3.Bandwidth is infinite
4.The network is secure
5.Topology doesn’t change
6.There is one administrator
7.Transportation cost is zero
8.The network is homogeneous


                              Peter Deutsch, James Gosling
Computer Security Subjects 101

                                              Resource                                                Subject
    AllowedOperations          owner: User                                            operations: Array<Allowed Operations>
canRead: Boolean                                                                      name: String
canUpdate: Boolean             permissions: allowedOperations
canDelete: Boolean             creationTime
entity: Resource
                               modificationTime
                               (Boolean) canRead
                               (Boolean) canUpdate
        Subject Allowed
                               (Boolean) canDelete
            Operation                                                 User                         Group
      subject: Subject                                    no attributes                  owner: Subject
                                                          members(): Array<Subject>      members(): Array<Subject>
                                                          provider(): Provider
       General Operations
              Allowed
      No Attributes
                                                                     Local User
                                                         givenName: String
                                                         surName: String
                                                         commonName: String
                                                         telephoneNumber: String
                                                         address: String
                                                         organization: String
                                                         jobTitle: String
                                                         password: String
Fallacies of Distributed Computing

1.The network is reliable
2.Latency is zero
3.Bandwidth is infinite
4.The network is secure
5.Topology doesn’t change
6.There is one administrator
7.Transportation cost is zero
8.The network is homogeneous
Computer Security Subjects 101
           AllowedOperations                        Resource                                  Subject
       canRead: Boolean              owner: User                              operations: Array<Allowed Operations>
       canUpdate: Boolean            permissions: allowedOperations           name: String
       canDelete: Boolean            creationTime
       entity: Resource              modificationTime
                                     (Boolean) canRead
                                     (Boolean) canUpdate
                                     (Boolean) canDelete

               Subject Allowed
                   Operation
             subject: Subject
                                                             User                          Group
              General Operations                  no attributes                  owner: Subject
                     Allowed                      members(): Array<Subject>      members(): Array<Subject>
             No Attributes                        provider(): Provider




! ❑!Classic Subjects Problems:                              Local User
                                                givenName: String
  ! •! ❑!Group Information                      surName: String
                                                commonName: String
    Compromise                                  telephoneNumber: String
                                                address: String

  ! •! ❑!User info compromise                   organization: String
                                                jobTitle: String
                                                password: String
Computer Security Subjects with Shibboleth

    AllowedOperations                      Resource                              Subject
canRead: Boolean            owner: User                         operations: Array<Allowed Operations>
canUpdate: Boolean          permissions: allowedOperations      name: String
canDelete: Boolean          creationTime                        ticket: Shibboleth Assertion
entity: Resource            modificationTime
                            (Boolean) canRead
                            (Boolean) canUpdate
                            (Boolean) canDelete

        Subject Allowed
            Operation
      subject: Subject
                                                         User                     Group
       General Operations                no attributes             no attribute
              Allowed
      No Attributes
Federated Identity Frameworks


•   Shibboleth (http://shibboleth.internet2.edu/)

•   OpenID (http://openid.net)
Concept of a Shibboleth Type Federation


                              Identity Provider
   Service Provider




                                Discovery
                                 Service




                 User
Shibboleth Identity Provider Architecture

Shibboleth     CAS
                                               !
   IdP         SSO                                 !

                                               !
                                                   !


                                                   !



                                                   !
Commercial Providers

•   Test Shibboleth Two (https://www.testshib.org)

•   Protect Network (http://www.protectnetwork.org/)

•   NJ Trust (http://njtrust.net/)

•   SWITCH (http://www.switch.ch/uni/security/) (Switzerland)

•   UK Federation (http://www.ukfederation.org.uk/content/
    Documents/Setup2IdP)
Service Provider




        mod_shib          mod_php             mod_jk




                            PHP
shibd
                         Applications
           cgi-bin
           Adaptor

                       • ! Runs on: Mac OS X, FreeBSD, Linux, Solaris,
                          Windows
                       • ! Protects Web Applications
                       • ! The Shibboleth Daemon processes attributes
                       ▼! Can authorize users with
                           •! Apache directives
                           •! Shibboleth XML Access rules
                       • !Provides attributes to applications
General Play-by-Play Scenario



                Service Provider
                                                  6a. Assertion
                                                  Confirmation                            Identity Provider




                                      7. Provide Content
                               2. SAML2 Discovery Request
                     1. Access
                    Service URL

                                                                                                    Discovery
                                                              2.1 Discovery Request
                                                                                                     Service
                                                            User

6. Authenticate w/ Assertion

                                                                            3. Select Home Organization




                                                                          4. SAML2 Authn Request
                                                                      5. Authenticate
Installation on Mac OS X

•   IdP: Note do not have IdP compete with Teams/ Podcast
    Producer

•   MacPorts SP Install: Note, install curl +ssl first. (https://
    spaces.internet2.edu/display/SHIB2/NativeSPMacPortInstallation)

•   Do the registry steps with IdP/SP and federation.

•   Demo:
Q&A
Shibboleth in Production


    Stanford Shibboleth Example
Mobility Trends

•   “Cached Credentials” approach for mobile devices: Browser local storage

•   Using your User EO for credential storage and remote wiping

•   RESTful interfaces and authentication approaches

•   Issues with “gateway” authentication with unknown site authenticators: Split
    Authentication

More Related Content

PDF
Modern Web development and operations practices
PDF
Automating CloudStack with Puppet - David Nalley
PPTX
An intro to Docker, Terraform, and Amazon ECS
ODP
Infrastructure as code with Puppet and Apache CloudStack
PDF
Building servers with Node.js
PDF
Multithreading on iOS
PDF
Using OpenStack With Fog
PDF
CloudFormation vs. Elastic Beanstalk & Use cases
Modern Web development and operations practices
Automating CloudStack with Puppet - David Nalley
An intro to Docker, Terraform, and Amazon ECS
Infrastructure as code with Puppet and Apache CloudStack
Building servers with Node.js
Multithreading on iOS
Using OpenStack With Fog
CloudFormation vs. Elastic Beanstalk & Use cases

What's hot (20)

PDF
A Hands-on Introduction on Terraform Best Concepts and Best Practices
PDF
AWS DevOps - Terraform, Docker, HashiCorp Vault
KEY
node.js: Javascript's in your backend
KEY
Writing robust Node.js applications
ODP
Deploy Mediawiki Using FIWARE Lab Facilities
PDF
Terraform at Scale - All Day DevOps 2017
ODP
Puppet and Apache CloudStack
PDF
Declarative & workflow based infrastructure with Terraform
PDF
Artem Zhurbila - docker clusters (solit 2015)
KEY
NodeJS
ODP
Introduce about Nodejs - duyetdev.com
PDF
Terraform - Taming Modern Clouds
PPTX
How to deploy spark instance using ansible 2.0 in fiware lab v2
PDF
Developing Terraform Modules at Scale - HashiTalks 2021
PPTX
introduction to node.js
PDF
Terraform in deployment pipeline
PPTX
Luc Dekens - Italian vmug usercon
PDF
Infrastructure as Code with Terraform
PDF
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
PDF
NodeJS
A Hands-on Introduction on Terraform Best Concepts and Best Practices
AWS DevOps - Terraform, Docker, HashiCorp Vault
node.js: Javascript's in your backend
Writing robust Node.js applications
Deploy Mediawiki Using FIWARE Lab Facilities
Terraform at Scale - All Day DevOps 2017
Puppet and Apache CloudStack
Declarative & workflow based infrastructure with Terraform
Artem Zhurbila - docker clusters (solit 2015)
NodeJS
Introduce about Nodejs - duyetdev.com
Terraform - Taming Modern Clouds
How to deploy spark instance using ansible 2.0 in fiware lab v2
Developing Terraform Modules at Scale - HashiTalks 2021
introduction to node.js
Terraform in deployment pipeline
Luc Dekens - Italian vmug usercon
Infrastructure as Code with Terraform
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
NodeJS
Ad

Similar to Third Party Auth in WebObjects (20)

PPTX
Java EE 8 security and JSON binding API
PPTX
Code your Own: Authentication Provider for Blackboard Learn
PPTX
Utilize the Full Power of GlassFish Server and Java EE Security
PDF
Lesson_07_Spring_Security_Register_NEW.pdf
PDF
Lesson07_Spring_Security_API.pdf
PDF
ERRest
PDF
From 0 to Spring Security 4.0
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
PPTX
Intro to Apache Shiro
PDF
Lesson07-UsernamePasswordAuthenticationFilter.pdf
PPTX
Comprehensive_SpringBoot_Auth.pptx wokring
PDF
Implementing Microservices Security Patterns & Protocols with Spring
PDF
Introduction to PicketLink
PDF
The hidden gems of Spring Security
PDF
Super simple application security with Apache Shiro
DOCX
Exploration note - none windows based authentication for WCF
PPTX
Centralizing users’ authentication at Active Directory level 
PPT
JavaEE Security
PDF
Make Your SW Component Testable
PDF
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
Java EE 8 security and JSON binding API
Code your Own: Authentication Provider for Blackboard Learn
Utilize the Full Power of GlassFish Server and Java EE Security
Lesson_07_Spring_Security_Register_NEW.pdf
Lesson07_Spring_Security_API.pdf
ERRest
From 0 to Spring Security 4.0
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Intro to Apache Shiro
Lesson07-UsernamePasswordAuthenticationFilter.pdf
Comprehensive_SpringBoot_Auth.pptx wokring
Implementing Microservices Security Patterns & Protocols with Spring
Introduction to PicketLink
The hidden gems of Spring Security
Super simple application security with Apache Shiro
Exploration note - none windows based authentication for WCF
Centralizing users’ authentication at Active Directory level 
JavaEE Security
Make Your SW Component Testable
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
Ad

More from WO Community (20)

PDF
KAAccessControl
PDF
In memory OLAP engine
PDF
Using Nagios to monitor your WO systems
PDF
Build and deployment
PDF
High availability
PDF
Reenabling SOAP using ERJaxWS
PDF
Chaining the Beast - Testing Wonder Applications in the Real World
PDF
D2W Stateful Controllers
PDF
Deploying WO on Windows
PDF
Unit Testing with WOUnit
PDF
Life outside WO
PDF
Apache Cayenne for WO Devs
PDF
Advanced Apache Cayenne
PDF
Migrating existing Projects to Wonder
PDF
iOS for ERREST - alternative version
PDF
iOS for ERREST
PDF
"Framework Principal" pattern
PDF
Filtering data with D2W
PDF
PDF
Localizing your apps for multibyte languages
KAAccessControl
In memory OLAP engine
Using Nagios to monitor your WO systems
Build and deployment
High availability
Reenabling SOAP using ERJaxWS
Chaining the Beast - Testing Wonder Applications in the Real World
D2W Stateful Controllers
Deploying WO on Windows
Unit Testing with WOUnit
Life outside WO
Apache Cayenne for WO Devs
Advanced Apache Cayenne
Migrating existing Projects to Wonder
iOS for ERREST - alternative version
iOS for ERREST
"Framework Principal" pattern
Filtering data with D2W
Localizing your apps for multibyte languages

Recently uploaded (20)

PPTX
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Modernizing your data center with Dell and AMD
PDF
Network Security Unit 5.pdf for BCA BBA.
PPTX
Big Data Technologies - Introduction.pptx
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Advanced Soft Computing BINUS July 2025.pdf
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
PDF
Electronic commerce courselecture one. Pdf
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Approach and Philosophy of On baking technology
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
Chapter 3 Spatial Domain Image Processing.pdf
Modernizing your data center with Dell and AMD
Network Security Unit 5.pdf for BCA BBA.
Big Data Technologies - Introduction.pptx
“AI and Expert System Decision Support & Business Intelligence Systems”
Per capita expenditure prediction using model stacking based on satellite ima...
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Advanced Soft Computing BINUS July 2025.pdf
Mobile App Security Testing_ A Comprehensive Guide.pdf
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Advanced methodologies resolving dimensionality complications for autism neur...
CIFDAQ's Market Insight: SEC Turns Pro Crypto
Electronic commerce courselecture one. Pdf
Understanding_Digital_Forensics_Presentation.pptx
Reach Out and Touch Someone: Haptics and Empathic Computing
Diabetes mellitus diagnosis method based random forest with bat algorithm
Approach and Philosophy of On baking technology
Bridging biosciences and deep learning for revolutionary discoveries: a compr...

Third Party Auth in WebObjects

  • 1. Third Party Auth in WO Joe Little and Daniel Beatty
  • 2. Authentication Methods • Storing passwords in your DB (Model) • Authenticating against LDAP services • LDAP via your Model and hybrid solutions • Kerberos/SSO and hybrid redux • WebAuth and gateway solutions • Shibboleth and the future
  • 3. Auth in DB • The default approach • With little database security, the hash must be secure • SHA-1 (160) or SHA-2 (256) and friends • Sample code...
  • 4. SHA-2 in the Database qual = UserAccount.USERNAME.eq(username).and(UserAccount.PASSWORD.eq(digestedString(password))); .... public String digestedString(String aString) { String digestedString; try { MessageDigest md = MessageDigest.getInstance("SHA-256"); md.reset(); digestedString = new sun.misc.BASE64Encoder().encode (md.digest(aString.getBytes("UTF-8"))); } catch (NoSuchAlgorithmException e) { throw new NSForwardException(e); } catch (UnsupportedEncodingException e){ throw new NSForwardException(e); } return digestedString; }
  • 5. LDAP • JNDI can be used for EOs, but NOT for passwords! • Generally restricted by sites LDAP configuration • Standard method is to try a “simple bind” against LDAP • LDAPS:// - Port 636 if possible (SSL), DIGEST otherwise • StartTLS is not an option • http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
  • 6. Java LDAP Authentication if (LDAPAuth.LDAPAuthenticate(username, password)) ... public class LDAPAuth { public static final boolean LDAPAuthenticate (String userid, String password) { Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://172.16.113.129:389/dc=example,dc=com"); env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5"); // or “simple” env.put(Context.SECURITY_PRINCIPAL, "uid=" + userid + ", ou=People, dc=example, dc=com"); env.put(Context.SECURITY_CREDENTIALS, password); // Create the initial context try { DirContext ctx = new InitialDirContext(env); } catch (NamingException e) { return false; // Failed to auth //e.printStackTrace(); } return true; } }
  • 7. LDAP via EOModel • WebObjects lets you access LDAP via JNDI • Insecure • SSL supposedly should work • Not good for authentication, but other info is there • Great for the “hybrid” approach to authentication
  • 8. The Hybrid Approach • Define user attributes in your DB-based EOs • Authenticate user that is also in LDAP tree • 1st time auth: use JNDI EO • Must have matching name between auth and LDAP • Use JNDI EO in read-only fashion to get user attributes • Store in your DB user EOs for future use • Considerations for future JNDI updates
  • 11. All LDAP Hybrid Approach if (LDAPAuth.LDAPAuthenticate(username, password)) { qual = UserAccount.USERNAME.eq(username); NSLog.out.appendln("LDAP authenticated: " + username); } if (qual != null) try { user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual); } catch (NoSuchElementException e) { // Make a new user from LDAP qual = PosixAccount.UID.eq(username); EOEditingContext ec = ERXEC.newEditingContext(); PosixAccount ldapAccount = PosixAccount.fetchPosixAccount(ec, qual); user = UserAccount.createUserAccount(ec, ldapAccount.gecos(), username); ec.saveChanges(); } ... public static UserAccount createUserAccount(EOEditingContext editingContext, String fullName, String username) { UserAccount eo = (UserAccount) EOUtilities.createAndInsertInstance(editingContext, _UserAccount.ENTITY_NAME); eo.setFullName(fullName); eo.setUsername(username); return eo; }
  • 12. SSO: Kerberos • Many Single-Sign On (SSO) solutions • Kerberos / Active Directory are most common today • AD and OpenDirectory marry LDAP w/ Kerberos: hybrid! • Heavily tied into Java Crypto APIs, so Frustration-By-Design • Remember to set classes.include.patternset in woproject to have “**/*.conf” • Best seen by example... (Thanks Mike!)
  • 13. Kerberos Methods public class KerberosAuth { static final String krbPath = "/Library/Preferences/edu.mit.Kerberos"; public static final boolean KerberosAuthenticate (String userid, char[] password) { System.setProperty("java.security.krb5.conf", krbPath); System.setProperty("java.security.auth.login.config", KerberosAuth.class.getResource("/kerberos.conf").toExternalForm()); try { LoginContext lc = new LoginContext("primaryLoginContext", new UserNamePasswordCallbackHandler(userid, password)); lc.login(); } catch (LoginException e) { // e.printStackTrace(); return false; // Consider all failures as equal } return true; }
  • 14. Kerberos Method Part 2 public static class UserNamePasswordCallbackHandler implements CallbackHandler { private String _userName; private char[] _password; public UserNamePasswordCallbackHandler(String userName, char[] password) { _userName = userName; _password = password; } public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (Callback callback : callbacks) { if (callback instanceof NameCallback && _userName != null) { ((NameCallback) callback).setName(_userName); } else if (callback instanceof PasswordCallback && _password != null) { ((PasswordCallback) callback).setPassword(_password); } } } }
  • 15. Kerberos.conf in Sources folder primaryLoginContext { com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=false; };
  • 16. Kerberos Authentication if (KerberosAuth.KerberosAuthenticate(username, password.toCharArray())) { qual = UserAccount.USERNAME.eq(username); NSLog.out.appendln("Kerberos authenticated: " + username); } ... UserAccount user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual); ((Session)session()).setCurrentUser(user); if (((Session)session()).currentUser() != null) { nextPage = D2W.factory().defaultPage(session()); }
  • 18. WebAuth • External authentication handled in Apache • More involved site setup • Must trust the Gateway (Apache) for security • Deceptively simple • Interesting solutions: • Multiple authentications • Trust-to-Set applications
  • 19. Gateway Approach Considerations • Does make Developer Mode a bit more interesting • Mixing up DirectAction logins w/ gateway header request check • DirectConnect can be good here.. (Thanks Chuck!) • Best practices: • Put values you want into your session object • make sure your session is SSL-enabled! • useExternalAuth boolean in User-type entity?
  • 20. WebAuth Method public class WebauthAuth { public static final String WebauthAuthenticate (WOContext context) { // If unauthenticated, this will be blank // assumes that web location is WebAuth protected to restrict this setting return context.request().headerForKey("webauth_user"); } }
  • 21. Which brings us too... “Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say "Shibboleth" (‫ '.)שיבולת‬If anyone said, "Sibboleth" (‫ ,)סיבולת‬because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion.”
  • 22. Shibboleth Topics • Shibboleth Authentication Point of View • Federated Frameworks • How is IdP put together • General Shibboleth Service Provision Scenario • Classic Computer Security
  • 23. The Shibboleth Point of View • Stone Age: Application maintains unique credential and identity information for each user. • Bronze Age: Credentials are centralized but applications maintain all user identity information • Iron Age: Credentials and core identity information are centralized and application maintains only app-specific user data.
  • 24. Fallacies of Distributed Computing 1.The Network is reliable 2.Latency is Zero 3.Bandwidth is infinite 4.The network is secure 5.Topology doesn’t change 6.There is one administrator 7.Transportation cost is zero 8.The network is homogeneous Peter Deutsch, James Gosling
  • 25. Computer Security Subjects 101 Resource Subject AllowedOperations owner: User operations: Array<Allowed Operations> canRead: Boolean name: String canUpdate: Boolean permissions: allowedOperations canDelete: Boolean creationTime entity: Resource modificationTime (Boolean) canRead (Boolean) canUpdate Subject Allowed (Boolean) canDelete Operation User Group subject: Subject no attributes owner: Subject members(): Array<Subject> members(): Array<Subject> provider(): Provider General Operations Allowed No Attributes Local User givenName: String surName: String commonName: String telephoneNumber: String address: String organization: String jobTitle: String password: String
  • 26. Fallacies of Distributed Computing 1.The network is reliable 2.Latency is zero 3.Bandwidth is infinite 4.The network is secure 5.Topology doesn’t change 6.There is one administrator 7.Transportation cost is zero 8.The network is homogeneous
  • 27. Computer Security Subjects 101 AllowedOperations Resource Subject canRead: Boolean owner: User operations: Array<Allowed Operations> canUpdate: Boolean permissions: allowedOperations name: String canDelete: Boolean creationTime entity: Resource modificationTime (Boolean) canRead (Boolean) canUpdate (Boolean) canDelete Subject Allowed Operation subject: Subject User Group General Operations no attributes owner: Subject Allowed members(): Array<Subject> members(): Array<Subject> No Attributes provider(): Provider ! ❑!Classic Subjects Problems: Local User givenName: String ! •! ❑!Group Information surName: String commonName: String Compromise telephoneNumber: String address: String ! •! ❑!User info compromise organization: String jobTitle: String password: String
  • 28. Computer Security Subjects with Shibboleth AllowedOperations Resource Subject canRead: Boolean owner: User operations: Array<Allowed Operations> canUpdate: Boolean permissions: allowedOperations name: String canDelete: Boolean creationTime ticket: Shibboleth Assertion entity: Resource modificationTime (Boolean) canRead (Boolean) canUpdate (Boolean) canDelete Subject Allowed Operation subject: Subject User Group General Operations no attributes no attribute Allowed No Attributes
  • 29. Federated Identity Frameworks • Shibboleth (http://shibboleth.internet2.edu/) • OpenID (http://openid.net)
  • 30. Concept of a Shibboleth Type Federation Identity Provider Service Provider Discovery Service User
  • 31. Shibboleth Identity Provider Architecture Shibboleth CAS ! IdP SSO ! ! ! ! !
  • 32. Commercial Providers • Test Shibboleth Two (https://www.testshib.org) • Protect Network (http://www.protectnetwork.org/) • NJ Trust (http://njtrust.net/) • SWITCH (http://www.switch.ch/uni/security/) (Switzerland) • UK Federation (http://www.ukfederation.org.uk/content/ Documents/Setup2IdP)
  • 33. Service Provider mod_shib mod_php mod_jk PHP shibd Applications cgi-bin Adaptor • ! Runs on: Mac OS X, FreeBSD, Linux, Solaris, Windows • ! Protects Web Applications • ! The Shibboleth Daemon processes attributes ▼! Can authorize users with •! Apache directives •! Shibboleth XML Access rules • !Provides attributes to applications
  • 34. General Play-by-Play Scenario Service Provider 6a. Assertion Confirmation Identity Provider 7. Provide Content 2. SAML2 Discovery Request 1. Access Service URL Discovery 2.1 Discovery Request Service User 6. Authenticate w/ Assertion 3. Select Home Organization 4. SAML2 Authn Request 5. Authenticate
  • 35. Installation on Mac OS X • IdP: Note do not have IdP compete with Teams/ Podcast Producer • MacPorts SP Install: Note, install curl +ssl first. (https:// spaces.internet2.edu/display/SHIB2/NativeSPMacPortInstallation) • Do the registry steps with IdP/SP and federation. • Demo:
  • 36. Q&A
  • 37. Shibboleth in Production Stanford Shibboleth Example
  • 38. Mobility Trends • “Cached Credentials” approach for mobile devices: Browser local storage • Using your User EO for credential storage and remote wiping • RESTful interfaces and authentication approaches • Issues with “gateway” authentication with unknown site authenticators: Split Authentication