Java EE Application Security With PicketLink
Pedro Igor
What is PicketLink?
● Umbrella project for security related projects 
● Open and Security Standards 
● Each project with focus on a specific security aspect 
– Federation 
– Application Security 
– Security As a Service (SecaaS) 
● Toolbox for Application Security 
● Apache License v2 
Java EE Application Security With PicketLink
About PicketLink 
● Java EE Security Alternative for Authentication 
and Authorization 
● First class support for CDI 
● Identity Management API 
● Web and REST Security / Servlet API Integration 
● JWT and JOSE Token Support 
● Social Authentication 
● Federation Protocols: SAML v1 and v2, OAuth, OpenID and WS-Trust STS
● Security for Cloud-based Applications
● Plenty of example applications (quickstarts)
Reduce Design Flaws 
● Covers the most common security concepts in a simple and easy to use API
– How to represent identities? Users, roles, groups, applications, etc.
– How to authenticate and authorize?
– How to protect my application resources? Beans, pages, servlets, REST endpoints, etc.
– How to consume and produce security tokens?
– How to enable Single Sign-On across different applications?
● Focus on flexibility for specific security requirements
Agenda
● Authentication
● Http Security
● Identity Management (LDAP, DB)
● Authorization
● BYO Security
Configuration 
● Configure PicketLink BOM (Bill of Materials) 
and dependencies 
● Listen to an event to configure behavior: 
    public void onInit(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();
        builder
            .identity()  // the identity bean options
            .idmConfig() // identity management options
            .http();     // http and web security options
    }
Authentication 
● Single method invocation

    credentials.setCredential(anyCredentialType);
    identity.login();
    if (identity.isLoggedIn()) {
        // user is now authenticated
    }
    identity.logout();

● Useful events are fired during the authentication
Authentication Flow (diagram)
Identity Bean 
● CDI Bean representing the authenticated user and acting as a central point for authentication, logout and permissioning

    private @Inject Identity identity;

● Authentication Scope. Defaults to Session Scope, but you can change that:

    builder.identity().scope(RequestScoped.class)

● Stateless can be used with REST to consume security tokens
● It may be exposed as a service
– Expose through Servlet, JAX-RS, JAX-WS, EJB ...
Authenticator 
● A CDI bean that understands one or more credential types and how to perform authentication
● By default, PicketLink uses an IdmAuthenticator
– Fully integrated with PicketLink IDM
● Write your own
● You can choose between different authenticators at runtime
Authenticator Example 
    import javax.enterprise.context.RequestScoped;
    import javax.inject.Inject;
    import org.picketlink.annotations.PicketLink;
    import org.picketlink.authentication.BaseAuthenticator;
    import org.picketlink.credential.DefaultLoginCredentials;

    @RequestScoped
    @PicketLink
    public class CustomAuthenticator extends BaseAuthenticator {

        @Inject
        private DefaultLoginCredentials credentials;

        @Override
        public void authenticate() {
            // validCredentials() and loadAccount() are application-specific
            // and are not shown on the slide
            if (validCredentials()) {
                setStatus(AuthenticationStatus.SUCCESS);
                setAccount(loadAccount());
            }
        }
    }
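The slide leaves the actual credential check out. Below is an added example (not from the slides or the PicketLink project) of a custom Authenticator that delegates the check to PicketLink IDM via `IdentityManager.validateCredentials`, fails closed on empty input, and maps every non-VALID status to a single FAILURE; the class name is an assumption.

```java
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.Account;

// Added example; the class name is an assumption.
// @PicketLink tells PicketLink to use this bean instead of the default IdmAuthenticator.
@RequestScoped
@PicketLink
public class IdmBackedAuthenticator extends BaseAuthenticator {

    @Inject
    private DefaultLoginCredentials loginCredentials;

    @Inject
    private IdentityManager identityManager;

    @Override
    public void authenticate() {
        String userId = loginCredentials.getUserId();
        String password = loginCredentials.getPassword();

        // Empty credentials never reach the identity store: fail closed.
        if (userId == null || userId.isEmpty() || password == null || password.isEmpty()) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        // Let the identity store do the comparison, so password hashing
        // and account state checks stay in one place.
        UsernamePasswordCredentials credentials =
            new UsernamePasswordCredentials(userId, new Password(password));
        identityManager.validateCredentials(credentials);

        if (credentials.getStatus() == Credentials.Status.VALID) {
            Account account = credentials.getValidatedAccount();
            setStatus(AuthenticationStatus.SUCCESS);
            setAccount(account);
        } else {
            // INVALID, EXPIRED, ACCOUNT_DISABLED and friends all collapse to one
            // FAILURE so the login response does not reveal which one applied.
            setStatus(AuthenticationStatus.FAILURE);
        }
    }
}
```

The built-in IdmAuthenticator already behaves much like this; writing your own is for cases where you need a different credential type or an extra check before SUCCESS is set.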
Credentials 
● Provides what you need to verify user authenticity
● Usually it defines which authentication mechanism is going to be used
● Built-in credential types
– Username/Password, TOTP, DIGEST, X509, TOKEN
● Token-based Credentials can be used to
– Produce and consume your own tokens
– Consume tokens from 3rd party Identity Providers, e.g. SAML, OpenID, CAS
● You can always write your own credential types. Just remember to also provide the corresponding Authenticator.
Credential Example 
    public class UsernamePasswordCredentials extends AbstractBaseCredentials {
        private String userName;
        private String password;
        // getters and setters
    }
Http Security
● Useful for Web and RESTful applications
● Path-based protection
– Authentication
– Authorization
● URL Rewriting
– /demo-app/#{identity.account.id}
● Authentication Schemes
– FORM, DIGEST, BASIC, CLIENT-CERT, TOKEN
– Write Your Own

    builder.http()
        .allPaths()
            .authenticateWith()
                .form()
            .authorizeWith()
                .role("Administrator")
        .forPath("/logout")
            .logout();
Multiple Authentication Paths 
● Authenticate based on a specific path configuration

    builder.http()
        .forPath("/webpages/*")
            .authenticateWith()
                .form()
        .forPath("/rest/*")
            .withHeaders()
                .requestedWith("XMLHttpRequest")
            .authenticateWith()
                .token()
                    .realmName("Ajax Requests Realm");
Path Groups 
● Common policies may be enforced to different paths

    String adminPathGroup = "Admin Resources";
    builder.http()
        .forGroup(adminPathGroup)
            .authenticateWith()
                .form()
            .authorizeWith()
                .group("Administrators")
        .forPath("/admin/*", adminPathGroup);
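The Http Security, Multiple Authentication Paths and Path Groups slides each show one fragment of the builder. As an added example (not from the slides), here is one SecurityConfigurationEvent observer that combines them into a single policy; the paths, login pages, realm name and group name are assumptions.

```java
import javax.enterprise.event.Observes;
import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// Added example; path and page names are assumptions for illustration.
public class HttpSecurityConfiguration {

    // Logical name for the path group; any string works.
    private static final String ADMIN_GROUP = "Admin Resources";

    public void configure(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                // Browser pages: FORM login. Unauthenticated requests to a
                // protected path are redirected to the login page.
                .forPath("/webpages/*")
                    .authenticateWith()
                        .form()
                            .loginPage("/login.html")
                            .errorPage("/login-error.html")
                // REST endpoints called via XMLHttpRequest: expect a security
                // token instead of redirecting an API client to an HTML form.
                .forPath("/rest/*")
                    .withHeaders()
                        .requestedWith("XMLHttpRequest")
                    .authenticateWith()
                        .token()
                            .realmName("Ajax Requests Realm")
                // Admin resources share one policy through a path group:
                // FORM authentication plus membership of the Administrators group.
                .forGroup(ADMIN_GROUP)
                    .authenticateWith()
                        .form()
                    .authorizeWith()
                        .group("Administrators")
                // Every path bound to the group inherits the policy above,
                // so adding a new admin path cannot silently skip the check.
                .forPath("/admin/*", ADMIN_GROUP)
                .forPath("/reports/admin/*", ADMIN_GROUP)
                // Explicit logout endpoint so the session is invalidated server-side.
                .forPath("/logout")
                    .logout();
    }
}
```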
PicketLink Identity Management API 
● What is it?
– Build Your Own Security Model
– Identity and Access Management API
– Built-In Identity Stores:
● LDAP, Relational Database, Filesystem, Token, Mixed
● Write Your Own
– Multi-tenancy
– Flexible Identity Model
Identity Model Example 
● Custom Identity Model Guide 
– http://picketlink.org/gettingstarted/custom_idm_model/ 
● Common requirements for SaaS 
– Realm 
– User 
– Application 
– Global and Application Roles 
– Global and Application Groups 
Basic Identity Model 
● Out-of-the-box implementation for very simple use cases 
● You are not forced to use it 
● Helps you to quickly evaluate PL features
● In real world use cases, you would prefer writing your own Identity Model
Example Code 
    private @Inject IdentityManager identityManager;
    private @Inject RelationshipManager relationshipManager;

    public void addUser(String userName, String password) {
        User john = new User(userName);
        // add user
        identityManager.add(john);
        Password credential = new Password(password);
        // update credential
        identityManager.updateCredential(john, credential);
    }

    public void addRole(String roleName) {
        Role manager = new Role(roleName);
        // add role
        identityManager.add(manager);
    }

    public void grantRole(User assignee, Role role) {
        Grant grant = new Grant(assignee, role);
        // create relationship, granting role to user
        relationshipManager.add(grant);
    }
Authorization
● Annotation-based Authorization
– @LoggedIn
– @RolesAllowed
– @GroupsAllowed
– @PartitionsAllowed
– @RequiresPermission
– @Restrict
– Write Your Own
● Programmatic Authorization
– Using PicketLink IDM Query API

    RelationshipQuery<Grant> query =
        relationshipManager.createRelationshipQuery(Grant.class);
    query.setParameter(Grant.ASSIGNEE, assignee);
    query.setParameter(Grant.ROLE, role);
    boolean hasRole = !query.getResultList().isEmpty();
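The programmatic check above assumes you already hold the User and Role objects. As an added example (not from the slides), the bean below resolves both by name through BasicModel, treats an unknown user or role as "no access" instead of an error, and grants a role creating it on first use; the class name is an assumption.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Grant;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;
import org.picketlink.idm.query.RelationshipQuery;

// Added example; the class name is an assumption.
@ApplicationScoped
public class RoleChecks {

    @Inject
    private IdentityManager identityManager;

    @Inject
    private RelationshipManager relationshipManager;

    /** Grants roleName to userName, creating the role if it does not exist yet. */
    public void grant(String userName, String roleName) {
        User user = BasicModel.getUser(identityManager, userName);
        if (user == null) {
            // Granting to a non-existent user is a programming error, not a policy decision.
            throw new IllegalArgumentException("unknown user: " + userName);
        }
        Role role = BasicModel.getRole(identityManager, roleName);
        if (role == null) {
            role = new Role(roleName);
            identityManager.add(role);
        }
        relationshipManager.add(new Grant(user, role));
    }

    /**
     * True only if a Grant relationship links this user to this role.
     * A missing user or role yields false, so a typo in a role name
     * can only deny access, never widen it.
     */
    public boolean hasRole(String userName, String roleName) {
        User user = BasicModel.getUser(identityManager, userName);
        Role role = BasicModel.getRole(identityManager, roleName);
        if (user == null || role == null) {
            return false;
        }
        RelationshipQuery<Grant> query =
            relationshipManager.createRelationshipQuery(Grant.class);
        query.setParameter(Grant.ASSIGNEE, user);
        query.setParameter(Grant.ROLE, role);
        return !query.getResultList().isEmpty();
    }
}
```

BasicModel.hasRole(relationshipManager, user, role) wraps the same Grant query when you already have the objects in hand.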
Permissioning 
● Privileges for application resources 
– Assignee is allowed to perform operation on resource 
● Provided by PicketLink IDM 
– John has permission to read file.txt 
– John has permission on classes of type 
– John has permission on JPA Entity with identifier 
● Identity Bean methods for permission checks 
– boolean hasPermission(Object resource, String operation);
– boolean hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
PicketLink Forge Addon 
● Useful to quickly configure a project with PicketLink 
● Configures a JPA Identity Store 
– Generate entities from your Identity Types 
● Authentication 
– Choose a method 
● Project Templates 
– Have an idea, help us!

    $ picketlink-setup --version 2.7.0.Beta2
    $ picketlink-setup --feature idm
    $ picketlink-setup --feature http
    $ picketlink-setup --feature idm --generateEntitiesFromIdentityModel
PicketLink Quickstarts 
● Over 30 example applications 
● Useful to get started and understand most of PicketLink features
● Clone, import to your IDE, checkout a tag and deploy

    git clone git@github.com:jboss-developer/jboss-picketlink-quickstarts.git
    git checkout v2.7.0.CR1
    mvn clean package jboss-as:deploy
    # or, for WildFly:
    mvn -Pwildfly clean package wildfly:deploy
Thank You!
● Visit our site at http://picketlink.org 
– You can find useful guides 
– Access to documentation 
● GitHub 
– https://github.com/picketlink/ 
● Join us on the #picketlink IRC channel on Freenode 
● Social 
– @picketlink 
– Google+ PicketLink Community 
Creating a Simple Application 
● Using PicketLink Forge Addon 
– FORM-based Authentication 
– RBAC 
– Protect Application Resources 
– User and Role Management 
● Simple application to focus only on the security bits 
Java EE Application Security With PicketLink

More Related Content

What's hot

CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onCraig Dickson
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)Artur Barseghyan
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethAndrew Petro
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-Onelliando dias
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesAndrew Petro
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-OnRavi Yasas
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOOliver Mueller
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right!  How to secure OAuth authentication from your...The Client is not always right!  How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...Mike Schwartz
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 

What's hot (20)

CAS Enhancement
CAS EnhancementCAS Enhancement
CAS Enhancement
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and Shibboleth
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten Minutes
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right!  How to secure OAuth authentication from your...The Client is not always right!  How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 

Similar to Java EE Application Security With PicketLink

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsPuma Security, LLC
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...WebStackAcademy
 
ASP.NET Single Sign On
ASP.NET Single Sign OnASP.NET Single Sign On
ASP.NET Single Sign Onleastprivilege
 
Java on Google App engine
Java on Google App engineJava on Google App engine
Java on Google App engineMichael Parker
 
Blibli Web Application Security Policy Enforcement Point
Blibli Web Application Security Policy Enforcement Point Blibli Web Application Security Policy Enforcement Point
Blibli Web Application Security Policy Enforcement Point SARCCOM
 
WinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test AutomationWinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test AutomationJeremy Kao
 
Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring SecurityJohn Lewis
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular jsStormpath
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStackSteve Martinelli
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 
TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8Asika Kuo
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIswesley chun
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringVMware Tanzu
 

Similar to Java EE Application Security With PicketLink (20)

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 
ASP.NET Single Sign On
ASP.NET Single Sign OnASP.NET Single Sign On
ASP.NET Single Sign On
 
Java on Google App engine
Java on Google App engineJava on Google App engine
Java on Google App engine
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
Blibli Web Application Security Policy Enforcement Point
Blibli Web Application Security Policy Enforcement Point Blibli Web Application Security Policy Enforcement Point
Blibli Web Application Security Policy Enforcement Point
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
 
WinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test AutomationWinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test Automation
 
Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring Security
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
 
Web security
Web securityWeb security
Web security
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8
 
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIsExploring Google APIs 102: Cloud vs. non-GCP Google APIs
Exploring Google APIs 102: Cloud vs. non-GCP Google APIs
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with Spring
 

Recently uploaded

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 

Recently uploaded (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes

Java EE Application Security With PicketLink

  • 7. Authentication
  ● Single method invocation
  credentials.setCredential(anyCredentialType);
  identity.login();
  if (identity.isLoggedIn()) {
      // user is now authenticated
  }
  identity.logout();
  ● Useful events are fired during the authentication
  • 8. Authentication Flow
  • 9. Identity Bean
  ● CDI bean representing the authenticated user and acting as a central point for authentication, logout and permissioning
  private @Inject Identity identity;
  ● Authentication scope. Defaults to Session Scope, but you can change that:
  builder.identity().scope(RequestScoped.class)
  ● Stateless can be used with REST to consume security tokens
  ● It may be exposed as a service
  – Expose through Servlet, JAX-RS, JAX-WS, EJB ...
  • 10. Authenticator
  ● A CDI bean that understands one or more credential types and how to perform authentication
  ● By default, PicketLink uses an IdmAuthenticator
  – Fully integrated with PicketLink IDM
  ● Write your own
  ● You can choose between different authenticators at runtime
  • 11. Authenticator Example
  @RequestScoped
  @PicketLink
  public class CustomAuthenticator extends BaseAuthenticator {
      @Inject
      private DefaultLoginCredentials credentials;

      @Override
      public void authenticate() {
          if (validCredentials()) {
              setStatus(AuthenticationStatus.SUCCESS);
              setAccount(loadAccount());
          }
      }
  }
  • 12. Credentials
  ● Provides what you need to verify user authenticity
  ● Usually it defines which authentication mechanism is going to be used
  ● Built-in credential types
  – Username/Password, TOTP, DIGEST, X509, TOKEN
  ● Token-based credentials can be used to
  – Produce and consume your own tokens
  – Consume tokens from 3rd-party Identity Providers, e.g. SAML, OpenID, CAS
  ● You can always write your own credential types. Just remember to also provide the corresponding Authenticator.
  • 13. Credential Example
  public class UsernamePasswordCredentials extends AbstractBaseCredentials {
      private String userName;
      private String password;
      // getters and setters
  }
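The authenticator skeleton on slide 11 leaves out what happens on failure and where the account comes from. The following is an added example (not from the slides or the PicketLink project) of a custom Authenticator that delegates the password check to PicketLink IDM and adds one policy of its own: disabled accounts are rejected even when the password is right. The class name and the enabled-account rule are assumptions.

```java
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.Account;

// Added example, not from the slides: a custom Authenticator that lets
// PicketLink IDM verify the username/password pair and then refuses
// disabled accounts before reporting SUCCESS. Fails closed by default.
@RequestScoped
@PicketLink
public class EnabledAccountAuthenticator extends BaseAuthenticator {

    @Inject private DefaultLoginCredentials loginCredentials;
    @Inject private IdentityManager identityManager;

    @Override
    public void authenticate() {
        // Anything short of a validated, enabled account is a failure.
        setStatus(AuthenticationStatus.FAILURE);

        String userId = loginCredentials.getUserId();
        String password = loginCredentials.getPassword();
        if (userId == null || password == null) {
            return; // missing credential: do not even query the store
        }

        // The configured identity store (JPA, LDAP, ...) checks the password.
        UsernamePasswordCredentials idmCredentials =
                new UsernamePasswordCredentials(userId, new Password(password));
        identityManager.validateCredentials(idmCredentials);
        if (idmCredentials.getStatus() != Credentials.Status.VALID) {
            return; // unknown user, wrong password or expired credential
        }

        Account account = idmCredentials.getValidatedAccount();
        if (account == null || !account.isEnabled()) {
            return; // a valid password is not enough for a disabled account
        }

        setAccount(account);
        setStatus(AuthenticationStatus.SUCCESS);
    }
}
```

Because the bean carries @PicketLink, the Identity bean picks it instead of the default IdmAuthenticator; the early returns leave the status at FAILURE so identity.login() reports the attempt as unsuccessful.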
  • 14. Http Security
  ● Useful for Web and RESTful applications
  ● Path-based protection
  – Authentication
  – Authorization
  ● URL Rewriting
  – /demo-app/#{identity.account.id}
  ● Authentication Schemes
  – FORM, DIGEST, BASIC, CLIENT-CERT, TOKEN
  – Write Your Own
  builder.http()
      .allPaths()
          .authenticateWith()
              .form()
          .authorizeWith()
              .role("Administrator")
      .forPath("/logout")
          .logout();
  • 15. Multiple Authentication Paths
  ● Authenticate based on a specific path configuration
  builder.http()
      .forPath("/webpages/*")
          .authenticateWith()
              .form()
      .forPath("/rest/*")
          .withHeaders()
              .requestedWith("XMLHttpRequest")
          .authenticateWith()
              .token()
                  .realmName("Ajax Requests Realm");
  • 16. Path Groups
  ● Common policies may be enforced on different paths
  String adminPathGroup = "Admin Resources";
  builder.http()
      .forGroup(adminPathGroup)
          .authenticateWith()
              .form()
          .authorizeWith()
              .group("Administrators")
      .forPath("/admin/*", adminPathGroup);
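Slides 14 to 16 each show one fragment of the HTTP security builder. As an added example (not from the slides or the PicketLink project), here is a single SecurityConfigurationEvent observer that combines them: FORM login for browser pages, token authentication for Ajax calls, a path group for the admin area, and a logout path. The class name, page paths, the login and error page locations and the group name are assumptions.

```java
import javax.enterprise.event.Observes;
import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// Added example, not from the slides: one observer that wires together the
// path rules shown on slides 14-16. Paths, page names and group names
// are assumptions for illustration.
public class HttpSecurityConfiguration {

    public void configureHttp(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();
        String adminPathGroup = "Admin Resources";

        builder.http()
            // Browser-facing pages: FORM login with dedicated login/error pages.
            .forPath("/webpages/*")
                .authenticateWith()
                    .form()
                        .loginPage("/login.html")
                        .errorPage("/login-error.html")
            // Ajax/REST calls: token authentication, selected by request header.
            .forPath("/rest/*")
                .withHeaders()
                    .requestedWith("XMLHttpRequest")
                .authenticateWith()
                    .token()
                        .realmName("Ajax Requests Realm")
            // Admin area: FORM login plus membership in the Administrators group,
            // declared once for the group and attached to each admin path.
            .forGroup(adminPathGroup)
                .authenticateWith()
                    .form()
                .authorizeWith()
                    .group("Administrators")
            .forPath("/admin/*", adminPathGroup)
            // Logout path: ends the session instead of serving a resource.
            .forPath("/logout")
                .logout();
    }
}
```

Paths not matched by any rule stay unprotected, so an allPaths() rule (slide 14) is the safer default when most of the application needs authentication.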
  • 17. PicketLink Identity Management API
  ● What is it ?
  – Build Your Own Security Model
  – Identity and Access Management API
  – Built-In Identity Stores:
  ● LDAP, Relational Database, Filesystem, Token, Mixed
  ● Write Your Own
  – Multi-tenancy
  – Flexible Identity Model
  • 18. Identity Model Example
  ● Custom Identity Model Guide
  – http://picketlink.org/gettingstarted/custom_idm_model/
  ● Common requirements for SaaS
  – Realm
  – User
  – Application
  – Global and Application Roles
  – Global and Application Groups
  • 19. Basic Identity Model
  ● Out-of-the-box implementation for very simple use cases
  ● You are not forced to use it
  ● Helps you to quickly evaluate PL features
  ● In real-world use cases, you would prefer writing your own Identity Model
  • 20. Example Code
  private @Inject IdentityManager identityManager;

  public void addUser(String userName, String password) {
      User john = new User(userName);
      // add user
      identityManager.add(john);
      // the Password credential must not shadow the String parameter
      Password credential = new Password(password);
      // update credential
      identityManager.updateCredential(john, credential);
  }

  private @Inject IdentityManager identityManager;

  public void addRole(String roleName) {
      Role manager = new Role(roleName);
      // add role
      identityManager.add(manager);
  }

  private @Inject RelationshipManager relationshipManager;

  public void grantRole(User assignee, Role role) {
      Grant grant = new Grant(assignee, role);
      // create relationship, granting role to user
      relationshipManager.add(grant);
  }
  • 21. Authorization
  ● Annotation-based Authorization
  – @LoggedIn
  – @RolesAllowed
  – @GroupsAllowed
  – @PartitionsAllowed
  – @RequiresPermission
  – @Restrict
  – Write Your Own
  ● Programmatic Authorization
  – Using PicketLink IDM Query API
  RelationshipQuery<Grant> query = relationshipManager.createRelationshipQuery(Grant.class);
  query.setParameter(Grant.ASSIGNEE, assignee);
  query.setParameter(Grant.ROLE, role);
  boolean hasRole = !query.getResultList().isEmpty();
  • 22. Permissioning
  ● Privileges for application resources
  – Assignee is allowed to perform operation on resource
  ● Provided by PicketLink IDM
  – John has permission to read file.txt
  – John has permission on classes of type
  – John has permission on JPA Entity with identifier
  ● Identity Bean methods for permission checks
  – boolean hasPermission(Object resource, String operation);
  – boolean hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
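Slides 20 to 22 show provisioning, role checks and permission checks as separate snippets. The following added example (not from the slides or the PicketLink project) puts them in one bean using the basic identity model: it creates a user, grants a role and a resource permission, and then checks access programmatically, through the Identity bean, and with an authorization annotation. The class name, the "Administrator" role and the "report.pdf" resource are assumptions; injecting PermissionManager assumes an identity store configured with permission support.

```java
import javax.inject.Inject;
import org.picketlink.Identity;
import org.picketlink.authorization.annotations.RolesAllowed;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PermissionManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;
// Added example, not from the slides: provisions a user with the basic identity
// model, grants a role and a resource permission, and checks both in the three
// ways the slides list. "Administrator" and "report.pdf" are assumed names.
public class AccessService {

    @Inject private IdentityManager identityManager;
    @Inject private RelationshipManager relationshipManager;
    @Inject private PermissionManager permissionManager;
    @Inject private Identity identity;

    public User provisionAdministrator(String loginName, String password) {
        User user = new User(loginName);
        identityManager.add(user);
        identityManager.updateCredential(user, new Password(password));
        Role admin = BasicModel.getRole(identityManager, "Administrator");
        if (admin == null) {
            admin = new Role("Administrator");
            identityManager.add(admin);
        }
        // Grant: the relationship that assigns a role to an account.
        BasicModel.grantRole(relationshipManager, user, admin);
        // Resource permission: assignee may perform "read" on "report.pdf".
        permissionManager.grantPermission(user, "report.pdf", "read");
        return user;
    }
    // Programmatic check: BasicModel.hasRole runs the Grant relationship query.
    public boolean isAdministrator(User user) {
        Role admin = BasicModel.getRole(identityManager, "Administrator");
        return admin != null && BasicModel.hasRole(relationshipManager, user, admin);
    }
    // Permission check for the current user through the Identity bean.
    public boolean canReadReport() {
        return identity.isLoggedIn() && identity.hasPermission("report.pdf", "read");
    }
    // Annotation-based check: the interceptor rejects callers without the role.
    @RolesAllowed("Administrator")
    public void deleteReport() {
        // privileged operation; only reached when the caller holds the role
    }
}
```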
  • 23. PicketLink Forge Addon
  ● Useful to quickly configure a project with PicketLink
  ● Configures a JPA Identity Store
  – Generate entities from your Identity Types
  ● Authentication
  – Choose a method
  ● Project Templates
  – Have an idea, help us !
  $ picketlink-setup --version 2.7.0.Beta2
  $ picketlink-setup --feature idm
  $ picketlink-setup --feature http
  $ picketlink-setup --feature idm --generateEntitiesFromIdentityModel
  • 24. PicketLink Quickstarts
  ● Over 30 example applications
  ● Useful to get started and understand most of PicketLink features
  ● Clone, import to your IDE, checkout a tag and deploy
  git clone git@github.com:jboss-developer/jboss-picketlink-quickstarts.git
  git checkout v2.7.0.CR1
  mvn clean package jboss-as:deploy
  or
  mvn -Pwildfly clean package wildfly:deploy
  • 25. Thank You !
  ● Visit our site at http://picketlink.org
  – You can find useful guides
  – Access to documentation
  ● GitHub
  – https://github.com/picketlink/
  ● Join us on the #picketlink IRC channel on Freenode
  ● Social
  – @picketlink
  – Google+ PicketLink Community
  • 27. Creating a Simple Application
  ● Using PicketLink Forge Addon
  – FORM-based Authentication
  – RBAC
  – Protect Application Resources
  – User and Role Management
  ● Simple application to focus only on the security bits