Early Adopting Java WSIT-Experiences with Windows CardSpace
Speaker notes:
  • Remark on “Basic truth”: A central question is: how does authz employ authn? The traditional approach was (and is) to closely couple authz and authn and to embody these security functions within the context of a specific IT system. This traditional approach does not meet the business requirements of open and agile environments.
  • CardSpace information cards:
      • Issued by identity providers
      • Consumed by identity selectors, i.e. on the user side
      • Support users in selecting and interacting with identity providers
    CardSpace security tokens:
      • Issued by identity providers, based on user authentication
      • Consumed by resource providers
      • Support resource providers in authorizing access requests
  • Apache Axis 2 was the runner-up: no (equivalent) commitment to WCF interoperability, but the stack has similar technical features (cf. http://wiki.apache.org/ws/StackComparison).
  • WSTrustElementFactory issues:
      • CardSpace uses elements outside the WS-Trust namespace in WS-Trust RST/RSTR exchanges. Such elements are defined in InfoCard_rc1.xsd (despite the name of this schema, it also defines elements that are not specific to information card objects but are used in WS-Trust exchanges between CardSpace and IdPs). Examples are DisplayClaim and DisplayToken. These elements are not supported by the WSIT WSTrustElementFactory.
      • Running WSIT natively with CardSpace results in a <java.lang.RuntimeException: Invalid KeyType> exception in the RequestSecurityTokenImpl constructor from JAXB RequestSecurityTokenType (note that CardSpace provides the key type identifier http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey).
      • Extending BaseSTSImpl provides no benefits since almost all methods need to be overridden: invoke, issue, renew and validate would each have to be overridden (or modified) to employ an extended WS-Trust element factory.

Slides:
    1. Early Adopting Java WSIT: Experiences With Windows CardSpace
       Markus Franke, Oliver Pfaff

    2. Contents
       • Motivation
           • Which problem is addressed?
       • Buzzwords
           • What is Java WSIT? What is Windows CardSpace?
       • Windows CardSpace
           • How does it work?
       • Java WSIT
           • What can it do for us?
       • Solution
           • How is it realized? What does it look like?
       • Conclusions
    3. Motivation: …Still the Same Old IT Problem
       • Basic truth:
           • Serving valuable resources in an automated fashion mandates authorization
           • Authorization calls for authentication
       • Wish list:
           • Maximize resource and identity provider (short: RP and IdP) decoupling
           • Be user- and privacy-friendly: ease of use, user empowerment, self-determination…
           • Be secure
       • Goal: want to authorize resource access requests
           • without being obliged to maintain user accounts for everybody in the user population, i.e.
           • without being able to initially authenticate every user
       (Diagram: Resource provider [Authz, Resources] consumes the authn identity; Identity provider [Authn, User data] produces the authn identity; User agent in between.)
    4. Buzzwords: What Is Java WSIT?
       • Java WSIT (Web Services Interoperability Technologies) provides support for WS-* specifications
       • Delivers its WS-* functionality as plugins to Sun’s reference implementation for JAX-WS 2.x (JSR 224)
       • Supports the creation of Java-based Web services and Web service clients
       • Emphasizes interoperability between Java and Microsoft WCF (.NET 3.0)
       • Developed as an open-source project. Part of the Metro initiative in the Glassfish community (project Tango; cf. http://wsit.dev.java.net)
       (Diagram: WSIT plugins Reliable messaging, Security, Policy, Atomic transactions and Bootstrapping on top of the JAX-WS stack: Network, SOAP messages, Handlers, Java objects, Service.)

    5. Buzzwords: What Is WS-Trust?
       • WS-Trust is a key concept in WS-* security that deals with authentication diversity:
           • Different systems have different authentication needs and prefer different techniques to prove or verify a claimed identity
           • Using the same credential for everything is neither secure nor practical
       • Abstracts from specific means of authentication by introducing security tokens as an umbrella concept for artifacts that are ubiquitous in authentication systems
           • Security token examples: X.509 certificates, Kerberos tickets, SAML assertions…
       • Defines a framework for processing security tokens (issuance, renewal, cancellation, validation, negotiation)
           • A WS-Trust STS (Security Token Service) is a Web service that processes security tokens
       (WSIT plugin diagram repeated from slide 4.)
    6. Buzzwords: What Is User-Centric Identity?
       • User-centric identity addresses user empowerment and self-determination in sharing personal information and establishing relationships with other parties.
       • This is a lively field of innovation that addresses uses within and outside an enterprise infrastructure, e.g.:
           • CardSpace: described below
           • Heraldry: project proposal to the Apache Software Foundation; plans to provide a CardSpace identity provider for managed information cards and a relying party
           • Higgins: enables the integration of identity, profile and relationship information; provides an identity selector and a CardSpace identity provider for self-issued information cards
           • OpenID: proposes a non-centralized identity system with the primary use case of transferring user authentication on the Web (by demonstrating control of URLs)
           • OSIS: delivers open-source identity selectors (esp. for non-Windows platforms)
       • The primary approaches in user-centric identity are identifier-based (such as OpenID) and information card-based (such as CardSpace) systems.

    7. Buzzwords: What Is Windows CardSpace?
       • CardSpace is a Microsoft client application that helps users manage and use their digital identities.
       • Forms part of novel user authentication and identity federation systems and represents their identity selector artifact.
       • Is a milestone towards an identity metasystem:
           • An identity metasystem integrates islands of identity with their “local” identity technologies
           • Analogy: IP provides a communication metasystem for integrating islands of LANs with their “local” communication technologies
           • Allows arbitrary parties to become resource and identity providers
           • Is standards-based

    8. Windows CardSpace: Fundamental to Differentiate
       • Identity metadata: templates for identity data plus references to identity providers
           • E.g. authenticated subjects will be represented by RFC 822 name, organizational affiliation and role values; the actual data can be obtained at these endpoints…
           • Consists of attributes without their values, e.g. name, affiliation, roles
           • Represented as long-lived objects called information cards in CardSpace
           • Sample: (image not reproduced)
       • Identity data: concrete information about authenticated users
           • E.g. this is ‘John Doe’, an employee of ‘Acme’ with the role ‘manager’
           • Consists of attributes with their authenticated values, e.g. name=john.doe@acme.example, affiliation=Acme, roles=Manager
           • Represented as short-lived objects called security tokens in CardSpace
           • Sample: (image not reproduced)
    9. Windows CardSpace: High-Level Architecture
       (Diagram) Parties:
       • Resource provider (consumes identity data): Authz, Resources
       • Identity provider (produces identity data): Authn, User data, WS-Trust STS
       • User agent
       • Identity selector (consumes identity metadata)
       Interactions: 0. Information card (identity metadata sharing between IdP and identity selector); 1. Security policy; 2. Information card selection; 3. Security token.

    10. Windows CardSpace: Sequence Diagram (for Web Browsers)
       (Diagram) Participants: User, Identity selector, User agent, RP, IdP. Legend: HTTP/HTML-defined, WS-*-defined and SAML-defined steps.
       0.  Provide information card (out-of-band)
           User: Access any resource
       1a. GET any RP resource (user agent to RP); RP: Authz
       1b. Redirect to RP login page
       2a. GET to RP login page
       2b. RP login page (with HTML tag representing the RP security token policy)
       3a. User: Click
       3b. GetBrowserToken (RP policy) (user agent to identity selector); User: Select identity
       4a. WS-MEX GetMetadata Request (identity selector to IdP)
       4b. WS-MEX GetMetadata Response
       5a. WS-Trust RST Request (user credentials); User: Enter credentials; IdP: Authn
       5b. WS-Trust RSTR Response (security token); identity selector: Return security token (to user agent)
       6a. POST to RP FEP (with security token)
       6b. Redirect to any resource (with RP session cookie)
       7a. GET any RP resource (with RP session cookie); RP: Authz
       7b. Response: any resource
    11. Windows CardSpace: Highlights
       • Not “Passport 2.0”
       • Compared to traditional identity federation approaches, CardSpace provides several advances:
           • Identity metadata sharing between identity providers and users
               • Improves identity and resource provider decoupling
               • Facilitates user-centric identity and supports users in controlling the proliferation of personal information
               • Improves user guidance through login procedures
           • Process isolation for the identity selector lifts host security to a new level (anti-malware / phishing / pharming features)
           • Employing Web services security resolves HTTP/HTML security restrictions
       • CardSpace is not limited to deployments in federated environments. It can also be used for user authentication within an enterprise.
       • Note that CardSpace is part of a larger identity metasystem initiative (cf. www.identityblog.com) at Microsoft.

    12. Java WSIT: Requirements on Web Service Toolkits
       • Supplying identity and resource provider-side support for CardSpace requires a Java toolkit for Web services that:
           • Is interoperable with Microsoft WCF Web service clients (here: CardSpace)
           • Provides support for the following WS-* technologies: WS-MetadataExchange, WS-Policy, WS-Security, WS-SecurityPolicy, WS-Trust
       • WSIT was our toolkit of first choice:
           • The WCF interoperability commitment of WSIT is central for CardSpace support
           • The WS-* support provided by WSIT matches the CardSpace support needs
       • WSIT supports a declarative deployment model:
           • Applications can deploy the added WS-* functionality transparently
               • JAX-WS annotations (e.g. @WebService) are used to Web service-enable POJO-based services
               • Configuration files are used to determine the behavior of the WSIT stack
                   • They also provide policy input to negotiations with Web service clients
                   • In Web services, this is the means to determine the employed security protocols
           • … but WS-Trust STSs are somewhat different

    13. Java WSIT: Sketching a HelloWorld STS
       (Diagram: protocol stack HTTP / SOAP / WS-Trust; servlet container Tomcat configured in server.xml; Web application instantiated via web.xml; JAX-WS 2.x Web service endpoint instantiated via sun-jaxws.xml using com.sun.xml.ws.transport.http.servlet.WSServlet; Web service contract in stshelloworld.wsdl; WSIT endpoint built on com.sun.xml.ws.security.trust.sts.BaseSTSImpl.)

           @ServiceMode(value = Service.Mode.PAYLOAD)
           @WebServiceProvider(wsdlLocation = "WEB-INF/wsdl/stshelloworld.wsdl")
           public class STSHelloWorld extends BaseSTSImpl {
               …
           }
           …
           public class HelloWorldWSTrustContract implements WSTrustContract {
               public RequestSecurityTokenResponse issue(RequestSecurityToken rst, IssuedTokenContext ctx, …) {
                   // Issue the opaque string "HelloWorld" as the security token
                   GenericToken stringToken = new GenericToken(getStringElement("HelloWorld"), GenericToken.OPAQUE_TYPE);
                   ctx.setSecurityToken(stringToken);
                   // Let the element factory wrap the issued token into an RSTR
                   RequestSecurityTokenResponse rstr = eleFac.createRSTRForIssue(rst, ctx, …);
                   …
               }
           }
    14. Solution: Challenges in Creating CardSpace Support
       • Support user authentication across domains (the normal federation scenario: users do not have SP-side accounts) as well as within a domain (the authentication scenario within an enterprise: users do have SP-side accounts)
       • Support authentication methods that consider information cards as part of the user credentials (to honor e.g. information card validity period and revocation status)
       • Extend user management by the information card abstraction (requires alternative subject identifiers)
       • Accommodate extensions to WS-Trust primitives (esp. RST/RSTR child elements outside http://schemas.xmlsoap.org/ws/2005/02/trust)
       • Align CardSpace configuration (information card templates, requests for security tokens…) with a traditional federation technology that is information card-unaware
       • Realize a framework for WS-Trust STS functionality so that multiple STS profiles can be addressed (CardSpace being ‘just’ an instance of an STS profile)
       (Three of these items are marked “Addressed today” on the slide.)

    15. Conclusions
       • WSIT provides a foundation for our CardSpace identity provider STS functionality. This component is provided as a Web application (.war file).
       • Adopting WSIT for CardSpace is largely straightforward:
           • Doing WS-Trust STSs is different from WS*-protecting normal applications
               • Declarative means cover SOAP header processing (here: WS-Security)
               • Programmatic means are needed for SOAP body processing (here: WS-Trust RST/RSTR)
           • The following issues were encountered:
               • No SAML 2.0 support
                   • Did not use the SAML support from WSIT
               • Certificate- and PasswordValidator default semantics
                   • Deployed validation independently to honor information cards as user credentials
               • WSTrustElementFactory fitness for CardSpace
                   • Extended the element factory to address CardSpace specifics (e.g. DisplayToken)
               • BaseSTSImpl re-use
                   • Did not use BaseSTSImpl as the extension point (subclassed the JAX-WS Provider instead)
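Added example, not from the slides or the WSIT project, modelling the WSTrustElementFactory problem from the speaker notes and the "extensions to WS-Trust primitives" challenge: an RST parser that, like the unextended factory, rejects CardSpace's NoProofKey KeyType, the same parser with the identity-namespace extension enabled, and an RSTR builder that emits the DisplayToken/DisplayClaim elements the extended factory had to add. Assumptions: the stock factory accepts only the KeyType URIs WS-Trust 2005/02 itself defines; the ic:RequestDisplayToken element and the DisplayTag/DisplayValue children and Uri attribute of DisplayClaim follow the InfoCard schema as recalled here and are not on the slides; the sample RST and claim values are constructed.

```python
import xml.etree.ElementTree as ET
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"     # WS-Trust namespace (from the slides)
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"   # InfoCard namespace (from the slides)
NO_PROOF_KEY = IC + "/NoProofKey"                       # KeyType CardSpace sends (from the notes)
ET.register_namespace("wst", WST)
ET.register_namespace("ic", IC)
# Assumption: the stock factory only knows the KeyType URIs WS-Trust 2005/02 defines
# itself, so any other value, NoProofKey included, is reported as "Invalid KeyType".
WST_KEY_TYPES = frozenset({WST + "/PublicKey", WST + "/SymmetricKey"})
# Constructed sample RST in the shape CardSpace sends to an identity provider STS.
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:ic="{IC}">
  <wst:RequestType>{WST}/Issue</wst:RequestType>
  <wst:KeyType>{NO_PROOF_KEY}</wst:KeyType>
  <ic:RequestDisplayToken xml:lang="en-us"/>
</wst:RequestSecurityToken>"""

def parse_rst(xml, extra_key_types=frozenset()):
    """Return (request_type, key_type, wants_display_token); raise on an unknown KeyType.
    Called without extra_key_types it behaves like the unextended factory."""
    root = ET.fromstring(xml)
    key_type = root.findtext(f"{{{WST}}}KeyType")
    if key_type not in WST_KEY_TYPES | extra_key_types:
        raise ValueError("Invalid KeyType: " + str(key_type))
    wants_display = root.find(f"{{{IC}}}RequestDisplayToken") is not None
    return root.findtext(f"{{{WST}}}RequestType"), key_type, wants_display

def stock_factory_error(xml):
    """The error the unextended factory raises for this RST, or None if it is accepted."""
    try:
        parse_rst(xml)
        return None
    except ValueError as exc:
        return str(exc)

def build_rstr(token_text, display_claims):
    """Build an RSTR carrying the issued token plus the ic:DisplayToken the extension adds."""
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    requested = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    ET.SubElement(requested, "OpaqueToken").text = token_text  # stand-in for a SAML assertion
    display = ET.SubElement(rstr, f"{{{IC}}}DisplayToken")
    for uri, tag, value in display_claims:  # (claim URI, label, value) triples
        claim = ET.SubElement(display, f"{{{IC}}}DisplayClaim", Uri=uri)
        ET.SubElement(claim, f"{{{IC}}}DisplayTag").text = tag
        ET.SubElement(claim, f"{{{IC}}}DisplayValue").text = value
    return ET.tostring(rstr, encoding="unicode")

def display_claim_count(rstr_xml):
    """Number of DisplayClaim elements a selector would render from this RSTR."""
    return len(ET.fromstring(rstr_xml).findall(f".//{{{IC}}}DisplayClaim"))
```

The first call reproduces the "Invalid KeyType" failure the notes describe; passing `{NO_PROOF_KEY}` as the extra key type is the equivalent of the extended element factory.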
    16. Glossary
       • eFA – Elektronische Fallakte (engl.: ECR – Electronic Health Record)
       • FEP – Federation Endpoint
       • IdP – Identity Provider
       • JAX-WS – Java API for XML-based Web Services
       • OSIS – Open Source Identity Selector
       • RP – Resource Provider (aka: SP – Service Provider)
       • RST – Request Security Token (WS-Trust)
       • RSTR – Request Security Token Response (WS-Trust)
       • STS – Security Token Service (WS-Trust)
       • WCF – Windows Communication Foundation
       • WS – Web Services
       • WS-MEX – WS-MetadataExchange
       • WSDL – Web Services Description Language
       • WSFED – WS-Federation
       • WSIT – Web Services Interoperability Technologies

    17. Authors
       • Markus Franke, Siemens AG, Med GS SEC DI 1, E-Mail: markus.franke@siemens.com
       • Dr. Oliver Pfaff, Siemens AG, Med GS SEC DI 1, E-Mail: oliver.pfaff@siemens.com