CamelOne 2013 Karaf A-MQ Camel CXF Security


Published on

Middleware Security for Apache CXF, Camel, ActiveMQ and Karaf as well as others continue to be an ongoing concern especially around Authentication, Authorization, Data at Rest and Data in Transit. The session will include a presentation and demonstrations of implementing Authentication (AuthN) and Authorization (AuthZ) as well as other security topics.

Published in: Technology, News & Politics

CamelOne 2013 Karaf A-MQ Camel CXF Security

  1. 1. CamelOne 20131Apache Karaf, ActiveMQ,Camel and CXF SecurityKenny PeeplesJBoss Technology Evangelist, Red Hat
  2. 2. 2CamelOne 2013CamelOneSession OverviewMiddleware Security for Apache CXF, Camel,ActiveMQ and Karaf as well as others continue tobe an ongoing concern especially aroundAuthentication,Authorization, Data at Rest and Datain Transit.The session will include a presentation anddemonstrations of implementing Authentication(AuthN) and Authorization (AuthZ) as well as othersecurity topics.
  3. 3. 3CamelOne 2013CamelOneSpeaker BioKenneth has spent the last 7 years, with the last 3 being with Red Hat, working as aConsultant for the government for the Department of Defense, Department ofHomeland Security and Intelligence Community. He designed, built and lead multipleprojects including the Enterprise Security Federation Framework (ESF2), InformationAssured Android Device (IA2D) and JBoss SCAP Content. During this time he hasworked with Open Source Software with a focus on Red Hat and JBoss Products andInformation Assurance. He also received his Security+ and Computer HackingForensic Investigator (CHFI) certifications.Kenneth works in the Red Hat Middleware Product Business Unit as a JBossTechnology Evangelist with a focus on Fuse, SOA and EDS products.Kenneths Social Media LinksWebsite:
  4. 4. 4CamelOne 2013CamelOneJBoss.org software downloads for developers
  5. 5. 5CamelOne 2013CamelOneMiddleware SecurityConcepts• Authentication• Authorization• Auditing• Encryption
  6. 6. 6CamelOne 2013CamelOne2-way SSLMutual authentication or two-way authentication
  7. 7. 7CamelOne 2013CamelOnePassword MaskingWhen securing a container or its components it is undesirable touse plain text passwords in configuration files. One way to avoidthis problem is to use encrypted property placeholders when everpossible.This is done in Fuse with the Java Simplified Encryption.•••
  8. 8. 8CamelOne 2013CamelOneWhat is JAAS?The Java Authentication and Authorization Service (JAAS)can be used for two purposes:• for authentication of users, to reliably and securelydetermine who is currently executing Java code, regardlessof whether the code is running as an application, an applet,a bean, or a servlet; and• for authorization of users to ensure they have the accesscontrol rights (permissions) required to do the actionsperformed.
  9. 9. 9CamelOne 2013CamelOne Apache ActiveMQSecuritySSL/TLS securityApache ActiveMQ supports the use of SSL/TLS to secure client-to-broker and broker-to-broker connections, where theunderlying SSL/TLS implementation is provided by the JavaSecure Socket Extension (JSSE).JAAS securityApache ActiveMQ also supports JAAS security, which typicallyrequires clients to log on to the broker by providing usernameand password credentials.
  10. 10. 10CamelOne 2013CamelOne Apache ActiveMQSecurity (Continued)To enable JAAS security in a broker, you install one of the supported JAAS plug-ins.Each of the JAAS plug-ins supports a different kind of credentials or implements asomewhat different login procedure.The following JAAS plug-ins are currently supported by Apache ActiveMQ:• jaasAuthenticationPlugin• jaasCertificateAuthenticationPlugin• JaasDulAuthenticationPlugin
  11. 11. 11CamelOne 2013CamelOne Apache ActiveMQSecurity (Continued)Apache ActiveMQ provides a number of different JAAS login moduleimplementations, which are used to define JAAS realms.The following JAAS loginmodules are currently implemented by Apache ActiveMQ:• PropertiesLoginModule• LDAPLoginModule• GuestLoginModule• TextFileCertificateLoginModule
  12. 12. 12CamelOne 2013CamelOneApache Camel SecurityCamel offers several forms & levels of security capabilities that can be utilizedon camel routes.These various forms of security may be used in conjunctionwith each other or separately.The broad categories offered are• Route Security• Payload Security• Endpoint Security• Configuration Security
  13. 13. 13CamelOne 2013CamelOne Apache Camel Security(Continued)This figure shows an overview of the basic options for securely routing messages betweenApache Camel endpoints.
  14. 14. 14CamelOne 2013CamelOne Apache Camel Security(Continued)As shown in the figure above, you have the followingoptions for securing messages:Endpoint security—part (a) shows a message sentbetween two routes with secure endpoints.Payload security—part (b) shows a message sentbetween two routes where the endpoints are bothinsecure.
  15. 15. 15CamelOne 2013CamelOne Apache Camel Security(Continued)Some of the Camel components that currently support security are, as follows:• JMS and ActiveMQ—SSL/TLS security and JAAS security for client-to-broker andbroker-to-broker communication.• Jetty—HTTP Basic Authentication and SSL/TLS security.• CXF—SSL/TLS security andWS-Security.• Crypto—creates and verifies digital signatures in order to guarantee messageintegrity.• Netty—SSL/TLS security.• MINA—SSL/TLS security.• Cometd—SSL/TLS security.• glogin and gauth—authorization in the context of Google applications.
  16. 16. 16CamelOne 2013CamelOneApache Camel Security(Continued)Apache Camel provides the following payload securityimplementations, where the encryption and decryption steps areexposed as data formats on the marshal() and unmarshal()operations• XMLSecurity data formatFor more details, see• Crypto data formatFor more details, see
  17. 17. 17CamelOne 2013CamelOneApache Camel SecurityExampleIn order to explain how to secure a Camel CXF endpoint in OSGi, the tutorial below builds on anexample available from the standalone distribution of Apache Camel, the Camel CXF proxydemonstration. The figure below gives an overview of how this demonstration works.
  18. 18. 18CamelOne 2013CamelOneKaraf (OSGi) ContainerSecurityJAAS realms - Red Hat JBoss Fuse supports a special mechanism fordefining JAAS login modules (in either a Spring or a blueprint file)karaf realm - The OSGi container has a predefined JAAS realm, the karafrealm. Red Hat JBoss Fuse uses the karaf realm to provide authenticationfor remote administration of the OSGi runtime, for the Web Console, andfor JMX management.Console port - You can administer the OSGi container remotely either byconnecting to the console port with a Karaf client or using the Karafssh:ssh command.JMX port - You can manage the OSGi container by connecting to the JMXport. The JMX port is also secured by a JAAS login feature that connectsto the karaf realm.Application bundles and JAAS security - Any application bundles that youdeploy into the OSGi container can access the containers JAAS realms.
  19. 19. 19CamelOne 2013CamelOneKaraf Security ExampleThis tutorial below explains how to set up an X.500 directory server and configurethe OSGi container to use LDAP authentication.• install Apache Directory Server and Apache Directory Studio• add user entries into the LDAP server• add a group to manage security role• configure Red Hat JBoss Fuse to use LDAP authentication• configure JBoss Fuse to use roles for authorization• configure an instance of Apache ActiveMQ to use LDAP authentication• configure SSL/TLS connections to the LDAP server
  20. 20. 20CamelOne 2013CamelOneApache CXF SecuritySecuring CXF Services• Secure Transports• WS-* Security• WS-Trust, STS• SAML Web SSO• Oauth• Authentication with JAASLoginInterceptor and Kerberos• Authorization• Large Data Stream Caching
  21. 21. 21CamelOne 2013CamelOneApache CXF ExampleAn example of Apache CXF security is the same asthe Camel Security example above
  22. 22. 22CamelOne 2013CamelOnePicketlink• IDM: Provide an object model for managing Identities(Users/Groups/Roles) and associated behavior using different identitystore backends like LDAP and RDBMS.• Federated Identity: Support SAMLv2,WS-Trust and OpenID.• XACML: Oasis XACMLv2 implementation.• Negotiation: Provide SPNego/Kerberos based Desktop SSO.For latest information, please refer to
  23. 23. 23CamelOne 2013CamelOnePicketlink - OASISOASIS (Organization for the Advancement ofStructured Information Standards) is a non-profitconsortium that drives the development,convergence and adoption of open standards for theglobal information society.
  24. 24. 24CamelOne 2013CamelOnePicketlink - SAMLSecurity Assertion Markup Language (SAML) is anXML-based open standard data format forexchanging authentication and authorization databetween parties, in particular, between an identityprovider and a service provider.
  25. 25. 25CamelOne 2013CamelOnePicketlink - FedThe following features are provided by the Fed component ofPicketLink:• Federated Authentication and SSO using Oasis SAML v2.0.• Trusted Security System using a SecurityToken Server (STS) inan heterogeneous environment, using Oasis WS-Trust.• Decentralized user driven Identity support via OpenID.
  26. 26. 26CamelOne 2013CamelOnePicketlink - XACMLeXtensible Access Control Markup Language(XACML) is the standard that defines a declarativeaccess control policy language implemented in XMLand a processing model describing how to evaluateauthorization requests according to the rulesdefined in policies.
  27. 27. 27CamelOne 2013CamelOnePicketlink - XACMLThe following features are provided by the XACML component of PicketLink:• Oasis XACML v2.0 library• JAXB v2.0 based object model• Multiple Database Integration for storing/retrieving XACML Policies andAttributes• SAML v2.0 Profile of XACML v2.0• RBAC Profile of XACML v2.0• WSDL based SOAP PDP Service• Servlet that accepts SOAP/SAML/XACML Payload
  28. 28. 28CamelOne 2013CamelOnePicketlink - XACML
  29. 29. 29CamelOne 2013CamelOne Access Control BestPractices1. Know that you will need access control/authorization – spend time on it2. Externalize the access control policy processing – do not hard code3. Understand the difference between coarse grained and fine grained authorization – spend timeduring intitial design4. Design for coarse grained authorization but keep the design flexible for fine grained authorization– loosely couple access control5. Know the difference between Access Control Lists and Access Control standards – ACLS usuallyproprietary and not interoperable6.Adopt Rule Based Access Control : view Access Control as Rules and Attributes – spend time ondesigning the rules and attributes7.Adopt REST Style Architecture when your situation demands scale and thus REST authorizationstandards - Oauth or REST profile of XACML8. Understand the difference between Enforcement versus Entitlement model – yes/no or what
  30. 30. 30CamelOne 2013CamelOnePicketlink SecurityPicketlink and Fuse Integration• Camel - Route SecurityPicketLink provided Camel Route Policy SecurityInterceptor• ActiveMQPicketLink provided Security Classes
  31. 31. 31CamelOne 2013CamelOneSpring SecurityThe camel-spring-security component provides role-based authorization for Camel routes. It leveragesthe authentication and user services provided bySpring Security and adds a declarative, role-basedpolicy system to control whether a route can beexecuted by a given principal.
  32. 32. 32CamelOne 2013CamelOneSpring SecurityThe camel-spring-security component provides role-based authorization for Camel routes. It leveragesthe authentication and user services provided bySpring Security and adds a declarative, role-basedpolicy system to control whether a route can beexecuted by a given principal.
  33. 33. 33CamelOne 2013CamelOneShiro SecurityApache Shiro is a security framework that handles authentication, authorization,enterprise session management and cryptography. The camel shiro-securitycomponent allows authentication and authorization support to be applied todifferent segments of a camel route. Shiro security is applied on a route using aCamel Policy.Security Examples on the security page:• Applying Shiro Authentication on a Camel Route• Applying Shiro Authorization on a Camel Route• Creating a ShiroSecurityToken and injecting it into a Message Exchange• Sending Messages to routes secured by a ShiroSecurityPolicy
  34. 34. 34CamelOne 2013CamelOneDemonstrations• Web Console Security• ActiveMQ Broker, Producer, Consumer with SSL andJBDS
  35. 35. 35CamelOne 2013CamelOneQuestions