Security As A Service

1. Security As A Service
   Marc Chanliau, Identity Management Technical Evangelist, [email_address]

2. Agenda
   - Java Security “Refresher”
   - Introducing Oracle Platform Security Services (OPSS)
   - Focus On Design-Time Security (ADF)
   - Demo
   - OPSS Use Cases
   © 2009 Oracle Corporation

3. The Java EE Security Toolbox
   - Container Managed Security
     - Java EE Security
   - Java Authentication and Authorization Service (JAAS)

4. Container Managed Security
   - Java EE security handled by the Java EE container
     - Declarative, portable, easy to use
     - Decouples security logic from application code
     - Implementation details hidden from the developer
   - Authentication
     - Configured in the web.xml descriptor
     - Basic, Form, Certificate, Digest
   - Authorization
     - Role-based
     - Based on URL patterns
     - SSL can be enforced per page

5. Limitations of Container Managed Security
   Java EE declarative security is…
   - Static within a deployed application
     - Policies cannot be changed dynamically
     - Constraints cannot be changed (static role mapping)
   - Not very granular
     - Protects URL-addressable objects
     - Does not allow different privileges against the same protected object
   - Java EE roles are not hierarchical
     - Extra groups are needed to define “rollup” levels of enterprise roles
     - Not very granular

6. Java Authentication and Authorization Service (JAAS)
   - What JAAS is
     - Enables services to authenticate and enforce access controls
     - Programmatic security model
     - Extends Java 2 Security
     - Role-based access control (RBAC)
   - Authentication
     - Pluggable Authentication Module (PAM)
     - Propagates identity via session context
   - Authorization
     - Grants access to resources and actions
     - Executes operations within the user’s context

7. JAAS Advantages
   - Dynamic and evaluated in real time
     - Policies may be updated in the policy store and are reflected in the application
   - Secures the ability to perform a “fine-grained action” on a resource, rather than simple access to a URL
     - Policies are defined against an action in the policy store, not by URL pattern
     - Supports granular privileges against the same object
   - Allows for hierarchical policies
     - References enterprise roles directly from the Identity Management system

8. Summary Of The Challenges To Be Addressed
   - The security capabilities supported and defined by the Java EE standards are limited
   - Too much security knowledge is required of application developers, who should primarily focus on business logic
   - No consistent security experience across platforms and applications
   - Third-party security frameworks are non-standard and non-portable, and don’t support the complete application lifecycle
   - No support for large enterprise security deployments
   - Lack of support for different types of development model, e.g., Java EE and Java SE

9. Introducing OPSS
   - OPSS provides enterprise product development teams, systems integrators, and independent software vendors with a security framework for Java SE and Java EE applications
     - standards-based
     - portable
     - integrated
     - enterprise-grade
   - OPSS is an abstraction layer that insulates developers from security and identity management implementation details
     - With OPSS, developers don’t need to know the nitty-gritty of cryptographic key management or of the interfaces to user repositories and other identity management infrastructure
10. OPSS in Oracle Fusion Middleware
    [Architecture diagram. Tiers: Web Tier, Application Tier, Data Tier. Components shown: Web Browser, Load Balancer, Oracle WebCache, Oracle HTTP Server, Applications, Oracle SOA Suite, Oracle WebCenter, Oracle Identity Mgt, Oracle Platform Security Services, Oracle WebLogic Server, LDAP, RDBMS, Oracle JDeveloper, Oracle WLS Admin Console, Oracle Enterprise Mgr]
11. OPSS Benefits
    - Customers get what Oracle products get
      - OPSS is used as the security platform for Oracle Fusion Applications and Oracle Fusion Middleware components
    - OPSS is enterprise ready
      - Stress tested to support enterprise deployments
      - Interoperability tested across different environments
      - Certified on WLS, will be certified on WAS and JBoss
      - Standards based
    - Protect your investment
      - Pre-integrated with Oracle products and technologies
    - Consistent security experience for developers and administrators
      - Same set of APIs and UI for all types of applications (in-house, third-party, Oracle Fusion)
    - Support large enterprise deployments
      - Integration with Identity Management
    - Enable legacy and third-party security provider integration

12. OPSS’s Heritage
    JAZN
    - OAS 9.04, coupled w/ OC4J
    - OAS 10.1.2, coupled w/ OC4J
    - JAAS compatible impl.
    - AuthN login module
    - AuthZ
    - XML/OID providers
    JPS – Pre BEA
    - OAS 10.1.3, coupled w/ OC4J (became known internally as “Security Provider”)
    - 11gR1: portable Security Provider to OC4J, SOA, WebCenter, OWSM
    - Added support for third-party LDAP directories
    - WNA
    - JSSO
    - User Role API
    - OAM integration (JAAS provider)
    - Web services security
    - JMX/MBeans
    - Java2 Policy Provider
    - Application Role & Policy Mgmt
    - Credential Store
    - OSDT
    - Auditing Framework
    CSS – BEA
    - WLS 10.3: portable Security Framework used by Oracle WLS, OES, OSB, etc.
    - SSPI to plug in custom security providers: Authentication, Id Assertion, Authorization, Role Mapping, SSO
    OPSS – Post BEA
    - 11gR1: OPSS = JPS + CSS
    - Not coupled w/ app. server; portable to third-party app. servers
    - Oracle WLS, OES, OSB, Oracle SOA, Oracle WebCenter, OWSM
    - Supports both JPS & WLS/CSS security
    - Java2 Policy Provider
    - Application Role & Policy Mgmt
    - Credential Store Framework
    - UserRole API
    - OSDT
    - Auditing Framework
13. OPSS Functionality and OPSS APIs
    [Diagram. Oracle Virtual Directory virtualizes the Identity Store, Credential Store and Policy Store. Lifecycle: Develop, Deploy, Manage. Consumers: Oracle Fusion Middleware Components and Oracle Fusion Applications. OPSS APIs: ATN, ATZ, CSF, UserRole, Policy Management, Cryptography (OSDT). OPSS Functionality: Identity Assertion, Role Mapping, Creds Mapping, JEE Policy & Role Deployment, Custom SSPI Providers, Java2 & JAAS Policy Provider, Cert Lookup & Val, Audit, SSO]

14. Platform to Product
    Security Domain   | OPSS Solution (Basic Features) | OPSS Product Solution (Advanced Features)
    ------------------+--------------------------------+------------------------------------------
    Identity Store    | Embedded LDAP                  | OID
    Policy Store      | File - XML                     | OID
    Credential Store  | File – Oracle Wallet           | OID
    SSO               | WLS SAML                       | Oracle Access Manager
    Authorization     | OPSS CheckPermission           | Oracle Entitlement Server

15. Oracle Products Using OPSS
    Oracle ADF / WebCenter
      What it does: ADF is the framework used to develop WebCenter applications (portlets, etc.)
      How it uses OPSS: Authentication, JAAS Authorization, Application Role, Anonymous and Authenticated Role, Policy Store Abstraction, Policy Management, Credential Store Framework
    Oracle Web Services Manager (OWSM)
      What it does: OWSM provides SOA and web services security
      How it uses OPSS: Authentication, JAAS Authorization, Credential Store Framework, Keystore Service, Audit
    Oracle SOA
      What it does: Provides applications designed to deploy SOA environments (BPEL, ESB, etc.)
      How it uses OPSS: Authentication, Authorization and Audit
    Oracle Service Bus (OSB)
      What it does: Connects, mediates, and manages SOA composites interaction
      How it uses OPSS: Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration
    Oracle Entitlements Service (OES)
      What it does: Provides externalized fine-grained authorization
      How it uses OPSS: Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit
    WebLogic Server (WLS) Container
      What it does: Java EE server / container
      How it uses OPSS: Authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration
    Oracle Access Manager
      What it does: Web access and single sign-on platform
      How it uses OPSS: Identity assertion and integration with WebLogic Server security
16. OPSS For Developers: ADF Security
    - Oracle ADF (Application Development Framework) is a Java EE development environment
      - Oracle ADF simplifies and extends Java EE
    - Oracle ADF is the development framework for Oracle products and applications
    - Oracle ADF is best used with Oracle JDeveloper

17. Oracle ADF 11g Architecture
    [Architecture diagram. Layers: View, Controller, Model, Business Services, Data Services, Metadata Services. Components shown: Struts, JSP, JSF, ADF Faces, JSF/ADFc, ADFm (JSR 227), Desktop Browser / Mobile Devices, Office, Swing, Java, EJB, BAM, BPEL, ADF BC, BI, XML, Web Services, Portlet, Toplink, JMX, JCR, Relational Data, XML Data, Legacy Data, Packaged Apps]

18. ADF‘s Java EE Runtime Environment
    - Provides Java EE 5 services for applications
    - Consumes Oracle Platform Security Services (OPSS)
    - Handles authentication, authorization, logging and monitoring
    - Pluggable authentication architecture
      - Authentication handled by JAAS Login Modules
      - Login Modules are exposed through an Authentication Provider

19. ADF Security
    - Provides declarative protection for ADF applications
    - Designed to simplify security in ADF applications
    - Enforces Java EE authentication
      - Delegated to WebLogic Server Authentication Providers
      - Easy to configure via the ADF Security Wizard
    - ADF bindings protected by JAAS-based authorization
      - Leverages EL to protect UI components
      - Security bubbles up from ADF Business Components
    - Provides support for XML and LDAP providers
    - Integrated with JDeveloper design time and WLS

20. ADF Security: Authentication
    adfAuthentication servlet
    - Acts as a known “endpoint” for a standardized Login or Logout link
    - Is secured by a Java EE Security Constraint
      - Delegates logon to the Java EE container (OPSS)
      - Access granted to all valid users
    - Redirects to a specified page on successful login or logout
    [Flow diagram. Enterprise Identity Management; WebLogic Server, AuthN via OPSS: Authenticator; jazn-xml PAM; /AdfSecurityPojoSample-ViewController-context-root/login.html; /app/BrowseDepartments.jspx; User: sking; User: ahunold]

21. ADF Security: Authorization
    [Flow diagram. Users sking and ahunold request BrowseDepartments.jspx; the ADF Security Filter in WebLogic Server sends a JAAS AuthZ request to the Policy Store. Roles shown: Administrator, Clerks, HR, Sales, Dev, Staff]
    - ADF Security performs the authorization check
    - In her manager role, sking can see master and detail views
    - In his user role, ahunold can only see the master view
    Policy Store grant:
      <grant>
        <principal>
          <type>role</type>
          <name>manager</name>
        </principal>
        <permission>
          <name>BrowseDep</name>
          <actions>view</actions>
        </permission>
      </grant>

22. Application Roles, Enterprise Roles
    - Application Roles
      - Roles defined in jazn-data.xml
      - ADF Security creates a "test-all" role
      - Permissions are granted to application roles
    - Enterprise Roles
      - Groups of enterprise users
      - Mapped to application roles to grant privileges to user groups

23. Demo

24. OPSS Use Cases

25. Use Case: WLS Application Using OPSS
    - Traditional Java EE security enhanced with
      - JPSAuth.CheckPermission API for authorization
      - UserRole API to query attributes stored in LDAP (or other back ends)
      - Use of CSF to secure credentials

26. Use Case: Container Authentication
    - Java EE application configures the authentication method in web.xml
    - Application uses container managed authentication

27. Use Case: Programmatic Authentication
    - Java EE application needs to programmatically authenticate or assert identity, e.g., take a username / password or a security token to programmatically authenticate
    - Application provides a username and password to programmatically authenticate
    - Application requires a portable API
    - Application provides a security token for Identity Assertion (authenticate without a password)
    - Identity Assertion protected by a code source permission
    - Subject Security API to run a task as another user
    [Diagram components: Application, Login Service, Authenticator, LDAP Identity Store, Generate Audit, Audit Store, WLS Admin Console]
28. Use Case: Fine-Grained Authorization
    - Application requires a portable API
    - Authorization decisions can be audited
    - Application calls JPSAuth.CheckPermission
    - Can support custom authorization logic with custom Permissions
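Added example, not code from the slides or from OPSS, tying together slide 7 (policies defined against actions, changeable at run time), the role-to-permission grant on slide 21, and this slide's checkPermission call, using only java.security and javax.security.auth types. ResourcePermission, RolePrincipal, PolicyStore, and the grants for the manager and user roles are constructed here; JpsAuth.checkPermission itself is not called, its contract (check a java.security.Permission against the caller's roles, stay silent on success, throw on denial) is reproduced by PolicyStore.checkPermission.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

/** Fine-grained, action-based authorization (added example; not OPSS code). */
public class FineGrainedAuthzDemo {

    /** Permission on a named resource with a set of actions, e.g. ("BrowseDep", "view,edit"). */
    public static final class ResourcePermission extends Permission {
        private final Set<String> actions;

        public ResourcePermission(String name, String actions) {
            super(name);
            this.actions = new TreeSet<>(Arrays.asList(actions.toLowerCase().split("\\s*,\\s*")));
        }

        /** A grant implies a request when the resource matches and every requested action is granted. */
        @Override public boolean implies(Permission p) {
            return p instanceof ResourcePermission
                && getName().equals(p.getName())
                && actions.containsAll(((ResourcePermission) p).actions);
        }
        @Override public String getActions() { return String.join(",", actions); }
        @Override public boolean equals(Object o) {
            return o instanceof ResourcePermission && getName().equals(((ResourcePermission) o).getName())
                && actions.equals(((ResourcePermission) o).actions);
        }
        @Override public int hashCode() { return 31 * getName().hashCode() + actions.hashCode(); }
        @Override public String toString() { return getName() + " [" + getActions() + "]"; }
    }

    /** Application role held by a Subject (hypothetical type); enterprise groups are mapped onto these. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** In-memory policy store: one entry per jazn-data.xml style <grant>, keyed by role name. */
    public static final class PolicyStore {
        private final Map<String, Permissions> grants = new HashMap<>();

        public PolicyStore grant(String role, Permission p) {
            grants.computeIfAbsent(role, r -> new Permissions()).add(p);
            return this;
        }

        /** True if any role the subject holds carries a grant that implies the request. */
        public boolean isGranted(Subject subject, Permission request) {
            for (RolePrincipal role : subject.getPrincipals(RolePrincipal.class)) {
                PermissionCollection pc = grants.get(role.getName());
                if (pc != null && pc.implies(request)) return true;
            }
            return false;
        }

        /** Same contract as a checkPermission call: silent on success, exception on denial. */
        public void checkPermission(Subject subject, Permission request) {
            if (!isGranted(subject, request)) {
                throw new AccessControlException("access denied: " + request, request);
            }
        }
    }

    static Subject subjectWithRole(String role) {
        Subject s = new Subject();
        s.getPrincipals().add(new RolePrincipal(role));
        return s;
    }

    public static void main(String[] args) {
        // Constructed grants, loosely modelled on the slide's manager / BrowseDep / view grant.
        PolicyStore store = new PolicyStore()
            .grant("manager", new ResourcePermission("BrowseDep", "view,edit"))
            .grant("user",    new ResourcePermission("BrowseDep", "view"));

        Subject sking = subjectWithRole("manager");   // sking holds the manager role
        Subject ahunold = subjectWithRole("user");    // ahunold holds the user role
        ResourcePermission view = new ResourcePermission("BrowseDep", "view");
        ResourcePermission edit = new ResourcePermission("BrowseDep", "edit");

        System.out.println("sking   view=" + store.isGranted(sking, view) + " edit=" + store.isGranted(sking, edit));
        System.out.println("ahunold view=" + store.isGranted(ahunold, view) + " edit=" + store.isGranted(ahunold, edit));

        // Policy is data, not code: a new grant changes the next decision without redeploying the application.
        store.grant("user", new ResourcePermission("BrowseDep", "edit"));
        System.out.println("ahunold edit after new grant=" + store.isGranted(ahunold, edit));

        store.checkPermission(subjectWithRole("staff"), edit);  // no grant for staff: throws
    }
}
```

Two roles hold different action sets on the same BrowseDep resource, which is exactly what a URL-pattern constraint cannot express (slide 5), and a custom Permission subclass is where the "custom authorization logic" of the last bullet lives. Every call to checkPermission is a natural audit point: the subject, the requested permission and the decision are all in hand there.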
29. Use Case: Credential Store Framework (CSF)
    - Application needs to store / access external system credentials
    - Credentials (username / password, symmetric keys) are stored securely
    - Out of the box, the credential store is a file (Oracle Wallet); LDAP is supported
    - Application uses CSF APIs to access credentials
    - Credentials are managed using Oracle EM or WLST
    - Credential store operations (read, write, access, etc.) can be audited

30. Use Case: User and Role API
    - Application needs to search the identity store, e.g., find all users in “EMEA” or read the email address of all users in a certain role
    - User attributes stored in embedded LDAP or another configured LDAP Authenticator
    - The same API works irrespective of where user attributes are stored
    - Application uses the User and Role (UR) APIs to access user attributes
    [Diagram components: UR Provider, Identity Store, Authenticator, Application, User And Role API, WLS Admin Console]

31. Use Case: Audit
    - Java EE application needs to audit security-sensitive operations such as authentication, authorization, credential access
    - Application uses Java EE container-based authentication (WLS Authenticator)
    - WLS audits authentication and Java EE authorization
    - If the application uses OPSS, its checkPermission authorization and credential operations are audited (the OPSS audit API is not exposed to applications)
    [Diagram components: Application with container-based Authentication / Authorization, Generate WLS Security Audit, Audit Store; Application with OPSS-based Authentication / Authorization, Generate Audit, Configure Audit, Audit Store; BI Publisher (View Audit); WLS Admin Console; Oracle EM FMWControl]

32. Use Case: Java SE Application
    - Java SE application using
      - LoginService API for authentication
      - checkPermission for authorization
      - User and Role API to query attributes stored in LDAP (or other back ends)
      - Credential Store to secure credentials
    [Diagram components: Java SE Application (LoginService API, checkPermission, UserRole API, Credential Store Framework); LDAP Identity Store (Authentication); LDAP Policy Store (Permission Check, Access Credentials)]

33. Use Case: ADF Development
    - Developer creates an ADF application using JDeveloper and applies wizard-based ADF security
    - Application’s users and groups, authorization policy, and credentials are copied by JDeveloper to the WLS embedded in JDeveloper
    - Developer creates the application’s EAR file, which contains policy and credentials
    - Deployer / Administrator deploys the EAR to a remote WLS using Oracle EM
    [Diagram components: ADF Application (Users/Groups, Policy, Credential); JDeveloper Integrated WLS with File Based Policy & Credential Store (Auto Deploy); Ear (Generate); Remote WLS Domain Policy & Credential Store (Policy & Credentials); Oracle EM FMWControl]

34. Use Case: ADF Authorization
    - ADF application needs to use fine-grained authorization in a portable fashion while using Java EE container-based authentication
    - JDeveloper ADF security wizard creates the required security configuration
    - ADF filter calls JPSAuth.checkPermission
    - Can support custom authorization logic with custom permissions
    [Diagram components: Application, ADF Filter, CheckPermission, Policy Provider, Policy Store, MBeans, WLST, Generate Audit, Audit Store, Oracle EM FMWControl]

35. Use Case: Test to Production
    - Administrator tests the application in the Staging environment; the application’s security policy and credentials need to be migrated to the Production environment
    - Administrator redeploys the application into the Production environment
    - Administrator runs the migrateSecurityStore WLST offline command in the Production environment, which copies policy and credential data from the Staging store to the Production store
    [Diagram components: WLST Migrate Security Store; Staging Policy & Credential Store; Production Policy & Credential Store]

36. Use Case: SSO with OAM
    - Administrator wants to configure multiple WLS domains to participate in SSO
    - Administrator configures OAM and WLS integration using SSPI
    - OAM SSPI agent extracts the security token and validates it using the WLS identity asserter

37. OPSS Summary
    - OPSS provides
      - A suite of application-centric security frameworks
      - Abstraction APIs and an implementation of basic features
      - Lightweight Identity Management infrastructure
        - Allows customers to build and deploy small to mid-size applications
      - Plug-in interface to Identity Management systems
        - Applications built against OPSS can be plugged into a centrally deployed Identity Management system
        - Allows customers to scale their applications by switching to a centrally deployed Identity Management system
        - No code changes are required in the application when switching from one Identity Management system to another

38. The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.