Third Party Auth in WebObjects

1. Third Party Auth in WO
   Joe Little and Daniel Beatty

2. Authentication Methods
   • Storing passwords in your DB (Model)
   • Authenticating against LDAP services
   • LDAP via your Model and hybrid solutions
   • Kerberos/SSO and hybrid redux
   • WebAuth and gateway solutions
   • Shibboleth and the future

3. Auth in DB
   • The default approach
   • With little database security, the hash must be secure
   • SHA-1 (160) or SHA-2 (256) and friends
   • Sample code...
4. SHA-2 in the Database

    qual = UserAccount.USERNAME.eq(username)
            .and(UserAccount.PASSWORD.eq(digestedString(password)));
    ...
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;

    // Digest the clear-text password so only the digest is stored and compared.
    public String digestedString(String aString) {
        String digestedString;
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.reset();
            // java.util.Base64 replaces the internal sun.misc.BASE64Encoder, which newer
            // JDKs no longer expose; StandardCharsets.UTF_8 cannot throw
            // UnsupportedEncodingException, so that catch block is gone.
            digestedString = Base64.getEncoder().encodeToString(
                    md.digest(aString.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new NSForwardException(e);
        }
        return digestedString;
    }
5. LDAP
   • JNDI can be used for EOs, but NOT for passwords!
   • Generally restricted by the site's LDAP configuration
   • Standard method is to try a "simple bind" against LDAP
     • LDAPS:// - port 636 if possible (SSL), DIGEST otherwise
     • StartTLS is not an option
     • http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
6. Java LDAP Authentication

    if (LDAPAuth.LDAPAuthenticate(username, password)) ...

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public class LDAPAuth {
        public static final boolean LDAPAuthenticate(String userid, String password) {
            // With an empty password JNDI silently switches to an anonymous bind, which
            // the server may accept, so the check would "succeed" for any userid.
            if (password == null || password.isEmpty()) {
                return false;
            }
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.16.113.129:389/dc=example,dc=com");
            env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5"); // or "simple"
            env.put(Context.SECURITY_PRINCIPAL, "uid=" + userid + ", ou=People, dc=example, dc=com");
            env.put(Context.SECURITY_CREDENTIALS, password);
            // Creating the initial context performs the bind
            DirContext ctx = null;
            try {
                ctx = new InitialDirContext(env);
            } catch (NamingException e) {
                // e.printStackTrace();
                return false; // Failed to auth
            } finally {
                if (ctx != null) {
                    try { ctx.close(); } catch (NamingException ignored) { }
                }
            }
            return true;
        }
    }
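The slide's snippet concatenates the submitted userid straight into the bind DN, uses plain `ldap://`, and reports every failure the same way. The version below is an added example, not the deck's code, showing the simple bind over LDAPS (port 636, as slide 5 recommends) with the three checks a defender adds: the userid is restricted to a POSIX-style uid so it cannot contain characters that are special in a DN, an empty password is refused before JNDI can downgrade the bind to anonymous, and a wrong password is distinguished from an unreachable server so the two can be logged and alerted on differently while neither ever counts as success. The server URL and base DN are placeholders.

```java
import java.util.Hashtable;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example (not the presentation's code): hardened simple bind over LDAPS.
public final class LdapSimpleBind {
    // Placeholders: the site's LDAPS endpoint and the people container.
    static final String URL = "ldaps://ldap.example.com:636/";
    static final String PEOPLE_BASE = "ou=People,dc=example,dc=com";
    // POSIX-style uid: letters, digits, dot, underscore, hyphen; nothing a DN treats specially.
    static final Pattern UID = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    public enum Result { OK, BAD_CREDENTIALS, REJECTED_INPUT, SERVER_ERROR }

    public static Result authenticate(String userid, char[] password) {
        if (userid == null || !UID.matcher(userid).matches()) {
            return Result.REJECTED_INPUT;          // never reaches the directory
        }
        // JNDI treats empty credentials as "none": the bind becomes anonymous and
        // may succeed, so an empty password must be rejected here.
        if (password == null || password.length == 0) {
            return Result.REJECTED_INPUT;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);                 // TLS from the first byte
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + userid + "," + PEOPLE_BASE);
        env.put(Context.SECURITY_CREDENTIALS, password);    // char[] is accepted by JNDI

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);               // the bind happens here
            return Result.OK;
        } catch (AuthenticationException e) {
            // Wrong password or no such uid: the event to count for lockout / alerting.
            return Result.BAD_CREDENTIALS;
        } catch (NamingException e) {
            // Unreachable server, TLS failure, malformed DN: an outage, never a login.
            return Result.SERVER_ERROR;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Offline checks of the input gate; a real bind needs the LDAPS server above.
        System.out.println(authenticate("jlittle,ou=Admins", "x".toCharArray())); // REJECTED_INPUT
        System.out.println(authenticate("jlittle", new char[0]));                  // REJECTED_INPUT
        System.out.println(authenticate(null, "x".toCharArray()));                 // REJECTED_INPUT
    }
}
```

Keeping `Result` as an enum rather than a boolean lets the calling component log `BAD_CREDENTIALS` per username for rate limiting and `SERVER_ERROR` to operations, while the login page still shows one generic failure message for both.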
7. LDAP via EOModel
   • WebObjects lets you access LDAP via JNDI
   • Insecure
     • SSL supposedly should work
   • Not good for authentication, but other info is there
   • Great for the "hybrid" approach to authentication

8. The Hybrid Approach
   • Define user attributes in your DB-based EOs
   • Authenticate user that is also in LDAP tree
   • 1st time auth: use JNDI EO
     • Must have matching name between auth and LDAP
     • Use JNDI EO in read-only fashion to get user attributes
     • Store in your DB user EOs for future use
   • Considerations for future JNDI updates

9. LDAP EOModel

10. LDAP Connection Dictionary
11. All LDAP Hybrid Approach

    if (LDAPAuth.LDAPAuthenticate(username, password)) {
        qual = UserAccount.USERNAME.eq(username);
        NSLog.out.appendln("LDAP authenticated: " + username);
    }
    if (qual != null) {
        try {
            user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
        } catch (NoSuchElementException e) {
            // First login: make a new user from the read-only LDAP (JNDI) EO
            qual = PosixAccount.UID.eq(username);
            EOEditingContext ec = ERXEC.newEditingContext();
            // fetchPosixAccount returns null when no entry matches; the name used for
            // authentication must match the uid in the LDAP tree
            PosixAccount ldapAccount = PosixAccount.fetchPosixAccount(ec, qual);
            user = UserAccount.createUserAccount(ec, ldapAccount.gecos(), username);
            ec.saveChanges();
        }
    }
    ...
    public static UserAccount createUserAccount(EOEditingContext editingContext,
                                                String fullName, String username) {
        UserAccount eo = (UserAccount) EOUtilities.createAndInsertInstance(
                editingContext, _UserAccount.ENTITY_NAME);
        eo.setFullName(fullName);
        eo.setUsername(username);
        return eo;
    }
12. SSO: Kerberos
   • Many Single Sign-On (SSO) solutions
   • Kerberos / Active Directory are most common today
   • AD and Open Directory marry LDAP w/ Kerberos: hybrid!
   • Heavily tied into Java Crypto APIs, so Frustration-By-Design
   • Remember to set classes.include.patternset in woproject to have "**/*.conf"
   • Best seen by example... (Thanks Mike!)
13. Kerberos Methods

    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    public class KerberosAuth {
        // Mac OS X location of the Kerberos realm configuration
        static final String krbPath = "/Library/Preferences/edu.mit.Kerberos";

        public static final boolean KerberosAuthenticate(String userid, char[] password) {
            System.setProperty("java.security.krb5.conf", krbPath);
            // kerberos.conf is the JAAS configuration bundled in the Sources folder (slide 15)
            System.setProperty("java.security.auth.login.config",
                    KerberosAuth.class.getResource("/kerberos.conf").toExternalForm());
            try {
                LoginContext lc = new LoginContext("primaryLoginContext",
                        new UserNamePasswordCallbackHandler(userid, password));
                lc.login();
            } catch (LoginException e) {
                // e.printStackTrace();
                return false; // Consider all failures as equal
            }
            return true;
        }

14. Kerberos Method Part 2

        public static class UserNamePasswordCallbackHandler implements CallbackHandler {
            private String _userName;
            private char[] _password;

            public UserNamePasswordCallbackHandler(String userName, char[] password) {
                _userName = userName;
                _password = password;
            }

            // Krb5LoginModule asks for the name and password through these callbacks
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback && _userName != null) {
                        ((NameCallback) callback).setName(_userName);
                    } else if (callback instanceof PasswordCallback && _password != null) {
                        ((PasswordCallback) callback).setPassword(_password);
                    }
                }
            }
        }
    }
15. Kerberos.conf in Sources folder

    primaryLoginContext {
        com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=false;
    };

16. Kerberos Authentication

    if (KerberosAuth.KerberosAuthenticate(username, password.toCharArray())) {
        qual = UserAccount.USERNAME.eq(username);
        NSLog.out.appendln("Kerberos authenticated: " + username);
    }
    ...
    UserAccount user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
    ((Session) session()).setCurrentUser(user);
    if (((Session) session()).currentUser() != null) {
        nextPage = D2W.factory().defaultPage(session());
    }
17. Demo and Review

18. WebAuth
   • External authentication handled in Apache
   • More involved site setup
   • Must trust the Gateway (Apache) for security
   • Deceptively simple
   • Interesting solutions:
     • Multiple authentications
     • Trust-to-Set applications

19. Gateway Approach Considerations
   • Does make Developer Mode a bit more interesting
   • Mixing up DirectAction logins w/ gateway header request check
   • DirectConnect can be good here... (Thanks Chuck!)
   • Best practices:
     • Put values you want into your session object
     • Make sure your session is SSL-enabled!
     • useExternalAuth boolean in User-type entity?

20. WebAuth Method

    public class WebauthAuth {
        public static final String WebauthAuthenticate(WOContext context) {
            // If unauthenticated, this will be blank.
            // Assumes that the web location is WebAuth-protected, so that only the
            // gateway (Apache) can set this header on the request.
            return context.request().headerForKey("webauth_user");
        }
    }
21. Which brings us to...
   “Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, Let me cross, the men of Gilead would ask, Are you an Ephraimite? If he said, No, they then said, Very well, say "Shibboleth" (שיבולת). If anyone said, "Sibboleth" (סיבולת), because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion.”
22. Shibboleth Topics
   • Shibboleth Authentication Point of View
   • Federated Frameworks
   • How is IdP put together
   • General Shibboleth Service Provision Scenario
   • Classic Computer Security

23. The Shibboleth Point of View
   • Stone Age: Application maintains unique credential and identity information for each user.
   • Bronze Age: Credentials are centralized but applications maintain all user identity information.
   • Iron Age: Credentials and core identity information are centralized and the application maintains only app-specific user data.

24. Fallacies of Distributed Computing
   1. The network is reliable
   2. Latency is zero
   3. Bandwidth is infinite
   4. The network is secure
   5. Topology doesn't change
   6. There is one administrator
   7. Transportation cost is zero
   8. The network is homogeneous
   Peter Deutsch, James Gosling

25. Computer Security Subjects 101
   (class diagram; the classes and attributes that survive extraction)
   • Resource: owner: User; name: String; permissions: allowedOperations; creationTime; modificationTime
   • Subject: operations: Array<Allowed Operations>
   • AllowedOperations: canRead: Boolean; canUpdate: Boolean; canDelete: Boolean; entity: Resource; subject: Subject
   • Operations checked on a resource: canRead, canUpdate, canDelete (each Boolean)
   • User: no attributes; provider(): Provider
   • Group: owner: Subject; members(): Array<Subject>
   • General Operations Allowed: no attributes
   • Local User: givenName, surName, commonName, telephoneNumber, address, organization, jobTitle, password (all String)
26. Fallacies of Distributed Computing
   1. The network is reliable
   2. Latency is zero
   3. Bandwidth is infinite
   4. The network is secure
   5. Topology doesn't change
   6. There is one administrator
   7. Transportation cost is zero
   8. The network is homogeneous

27. Computer Security Subjects 101
   (same class diagram as slide 25: Resource, Subject, AllowedOperations, User, Group, General Operations Allowed, Local User with its stored attributes and password)
   • Classic Subjects Problems:
     • Group information compromise
     • User info compromise

28. Computer Security Subjects with Shibboleth
   (class diagram; the classes and attributes that survive extraction)
   • Resource: owner: User; name: String; permissions: allowedOperations; creationTime; modificationTime
   • Subject: operations: Array<Allowed Operations>; ticket: Shibboleth Assertion
   • AllowedOperations: canRead: Boolean; canUpdate: Boolean; canDelete: Boolean; entity: Resource; subject: Subject
   • Operations checked on a resource: canRead, canUpdate, canDelete (each Boolean)
   • User: no attributes
   • Group: no attributes
   • General Operations Allowed: no attributes
   • The Local User class with its stored identity attributes and password is gone

29. Federated Identity Frameworks
   • Shibboleth (http://shibboleth.internet2.edu/)
   • OpenID (http://openid.net)

30. Concept of a Shibboleth Type Federation
   (diagram: Identity Provider, Service Provider, Discovery Service, User)

31. Shibboleth Identity Provider Architecture
   (diagram: Shibboleth IdP, CAS, SSO)
32. Commercial Providers
   • Test Shibboleth Two (https://www.testshib.org)
   • Protect Network (http://www.protectnetwork.org/)
   • NJ Trust (http://njtrust.net/)
   • SWITCH (http://www.switch.ch/uni/security/) (Switzerland)
   • UK Federation (http://www.ukfederation.org.uk/content/Documents/Setup2IdP)

33. Service Provider
   (diagram: mod_shib, mod_php, mod_jk, PHP, shibd, cgi-bin, Applications, Adaptor)
   • Runs on: Mac OS X, FreeBSD, Linux, Solaris, Windows
   • Protects Web Applications
   • The Shibboleth Daemon processes attributes
   • Can authorize users with
     • Apache directives
     • Shibboleth XML Access rules
   • Provides attributes to applications

34. General Play-by-Play Scenario
   (diagram: User, Service Provider, Discovery Service, Identity Provider)
   1. Access Service URL
   2. SAML2 Discovery Request
   2.1 Discovery Request
   3. Select Home Organization
   4. SAML2 Authn Request
   5. Authenticate
   6. Authenticate w/ Assertion
   6a. Assertion Confirmation
   7. Provide Content
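Steps 4 through 6a are where the Service Provider decides whether to trust what the browser brought back, and the diagram does not show which checks "Assertion Confirmation" has to make. The sketch below is an added example, not code from the deck or from Shibboleth: the assertion is reduced to a pipe-delimited string signed with an RSA key (standing in for SAML XML and XML-DSig), the field layout, entity IDs and five-minute validity window are my assumptions, and the IdP's public key is handed to the SP the way federation metadata would. The SP only accepts a principal when the issuer is in its metadata, the signature verifies, the audience is itself, the assertion has not expired, and the response answers an AuthnRequest it actually sent and has not already consumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;

// Added example, not from the deck: steps 4-6a of the play-by-play with the assertion
// reduced to "issuer|inResponseTo|audience|principal|notOnOrAfter" plus an RSA signature.
public final class SamlFlowSketch {

    /** Identity Provider (home organization): signs an assertion after step 5. */
    static final class IdentityProvider {
        final String entityId;
        private final KeyPair keys;

        IdentityProvider(String entityId) throws GeneralSecurityException {
            this.entityId = entityId;
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            this.keys = gen.generateKeyPair();
        }

        /** The public key that federation metadata would publish for this IdP. */
        PublicKey metadataKey() { return keys.getPublic(); }

        /** Returns {body, base64 signature}; validity window is an assumed 5 minutes. */
        String[] issueAssertion(String inResponseTo, String audience, String principal, Instant now)
                throws GeneralSecurityException {
            String body = String.join("|", entityId, inResponseTo, audience, principal,
                    now.plusSeconds(300).toString());
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initSign(keys.getPrivate());
            sig.update(body.getBytes(StandardCharsets.UTF_8));
            return new String[] { body, Base64.getEncoder().encodeToString(sig.sign()) };
        }
    }

    /** Service Provider: sends the AuthnRequest (step 4) and confirms the assertion (6a). */
    static final class ServiceProvider {
        final String entityId;
        private final Map<String, PublicKey> trustedIdps = new HashMap<>();
        private final Set<String> pendingRequests = new HashSet<>();

        ServiceProvider(String entityId) { this.entityId = entityId; }

        void trust(IdentityProvider idp) { trustedIdps.put(idp.entityId, idp.metadataKey()); }

        /** Step 4: remember the request ID so only a matching response is accepted. */
        String authnRequest() {
            String id = "_" + UUID.randomUUID();
            pendingRequests.add(id);
            return id;
        }

        /** Step 6a: the principal is returned only if every check passes. */
        Optional<String> confirm(String[] assertion, Instant now) throws GeneralSecurityException {
            String body = assertion[0];
            String[] f = body.split("\\|");
            if (f.length != 5) return Optional.empty();
            PublicKey key = trustedIdps.get(f[0]);
            if (key == null) return Optional.empty();                       // issuer not in metadata
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update(body.getBytes(StandardCharsets.UTF_8));
            if (!sig.verify(Base64.getDecoder().decode(assertion[1]))) return Optional.empty();
            if (!entityId.equals(f[2])) return Optional.empty();            // issued for another SP
            if (!now.isBefore(Instant.parse(f[4]))) return Optional.empty();// expired
            if (!pendingRequests.remove(f[1])) return Optional.empty();     // unsolicited or reused
            return Optional.of(f[3]);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        IdentityProvider idp = new IdentityProvider("https://idp.example.edu/shibboleth");
        ServiceProvider sp = new ServiceProvider("https://app.example.edu/shibboleth");
        sp.trust(idp);                                   // metadata exchange at registration time
        Instant now = Instant.now();

        String requestId = sp.authnRequest();                                          // step 4
        String[] assertion = idp.issueAssertion(requestId, sp.entityId, "jlittle", now); // step 5
        System.out.println("first confirm: " + sp.confirm(assertion, now));            // Optional[jlittle]
        System.out.println("second use:    " + sp.confirm(assertion, now));            // Optional.empty
        String[] altered = { assertion[0].replace("jlittle", "someone-else"), assertion[1] };
        System.out.println("altered body:  " + sp.confirm(altered, now));              // Optional.empty
        String[] late = idp.issueAssertion(sp.authnRequest(), sp.entityId, "jlittle", now);
        System.out.println("after expiry:  " + sp.confirm(late, now.plusSeconds(600)));// Optional.empty
    }
}
```

The order of checks matters for what the SP logs: a signature failure or unknown issuer is worth an alert, while an expired assertion is usually a clock or latency problem between the two parties, which is exactly the sort of failure the Fallacies of Distributed Computing slide warns about.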
35. Installation on Mac OS X
   • IdP: note, do not have the IdP compete with Teams / Podcast Producer
   • MacPorts SP install: note, install curl +ssl first (https://spaces.internet2.edu/display/SHIB2/NativeSPMacPortInstallation)
   • Do the registry steps with IdP/SP and federation.
   • Demo:

36. Q&A

37. Shibboleth in Production
   Stanford Shibboleth Example

38. Mobility Trends
   • "Cached Credentials" approach for mobile devices: browser local storage
   • Using your User EO for credential storage and remote wiping
   • RESTful interfaces and authentication approaches
   • Issues with "gateway" authentication with unknown site authenticators: Split Authentication