SlideShare a Scribd company logo
1 of 43
Federated Role-Based Access Control Security
Federated RBAC:
Fortress, OAuth2, JWT, Java EE, & JASPIC
Federated Role-Based Access Control Security
Chris Harm
(Manager of Software Infrastructure)
Steve Moyer
(Enterprise Software Architect)
Shawn Smith
(Director of Software Engineering)
Shawn McKinney
(Symas - Software Architect)
“WE ARE” - Software Engineering
Federated Role-Based Access Control Security
Problem Statement
• Our team is responsible for almost 100 applications (and growing)
• Many hand coded specialized RBAC systems
• Penn State is a large decentralized organization
• Historically systems had considered Authentication == Authorization
• Existing IAM evolved over many years
• Legacy authorization is based primarily on LDAP groups
Federated Role-Based Access Control Security
Scope
• Students 96k
• Employees 26k
• Campuses 24
• Locations > 100
• Departments 100s
• Titles1 1000s
1. (Job descriptions, positions, etc)
Federated Role-Based Access Control Security
Implications
• Centralized role and permission granting and revoking is impossible
• Mapping “titles” to roles is impossible
• Those who know how to map employees (and sometimes students)
into roles are commonly not in an IT organization
• We need a clear migration path from custom IAM to a
common security system
Federated Role-Based Access Control Security
Existing IAM Infrastructure
Federated Role-Based Access Control Security
Goals
• Functional Goals
• End to end security chaining
• Delegated role creation, granting and revoking
• Course grained access control (method access)
• Fine grained access control (data slicing)
• Implementation Goals
• Performant and Scaleable
• Pluggable
• Standards compliant
Federated Role-Based Access Control Security
End to end security chaining
webapp service service service
DB
S
S
O
Token TokenToken
Federated Role-Based Access Control Security
Roles vs. Permissions
Users Roles +
permission
permission
operation
permission
objectUsers Roles
role1
@RolesAllowed({“role1”})
public Calendar create(String id)
@RolesAllowed({“role1”, “role2”})
public Calendar create(String id)
@RolesAllowed({“permission1”})
public Calendar create(String id)
role2
permission1
permission1
permission1
role2
role1
permission1
permission1
permission1
Federated Role-Based Access Control Security
Roles vs. Permissions
HR Representation
Bad Staff
@RolesAllowed(“dimc.account.lock”)
public void lockAccount(String userid)
{
….
}
Federated Role-Based Access Control Security
Roles vs. Permissions
HR Representation
Bad Staff
@RolesAllowed(“dimc.account.lock.staff”)
public void lockStaffAccount(String userid)
{
….
}
@RolesAllowed(“dimc.account.lock.student”)
public void lockStudentAccount(String userid)
{
….
}
Federated Role-Based Access Control Security
Roles vs. Permissions
HR Representation
Bad Staff
@RolesAllowed(“dimc.account.lock.staff”)
public void lockStaffAccount(String userid)
{
….
}
@RolesAllowed(“dimc.account.lock.student”)
public void lockStudentAccount(String userid)
{
….
}
Admin Assistant
Schedule Calendar
By Building?
By Department?
By Organization?
By Some Combination?
Federated Role-Based Access Control Security
Roles, Permissions, & Java EE Security
// chris and jon allowed
@RolesAllowed(“calendar.view”)
public Calendar viewCalendar(String id) { …
// only chris allowed
@RolesAllowed(“calendar.create”)
public Calendar createCalendar(String id, String name...
chris
user
calendar_admin
role
User Permission Java EE Role
chris calendar + view calendar.view
chris calendar + create calendar.create
jon calendar + view calendar.view
calendar_user
role
jon
user
+
permission
view
operation
calendar
object
+
permission
create
operation
calendar
object
Federated Role-Based Access Control Security
Delegated Role Creation
Service Desk
Security
Account
Manager
Call
Center
Available
Permissions
dimc.read
dimc.fps.edit
dimc.wireless.lock
ibis.modify
ibis.delete
security_role
permission1
permission1
dimc.pw.*
acct_mgr_role
permission1
permission1
dimc.pw.lock
call_center_role
permission1
permission1
dimc.read
Service Desk Manager
Federated Role-Based Access Control Security
Delegated Role Creation
PermissionA
PermissionB
PermissionC
PermissionD
PermissionE
PermissionF
SomeRole
Permission
Specific
Attributes
Per
User
Federated Role-Based Access Control Security
What we’ve done...
Federated Role-Based Access Control Security
Authentication (OAuth2)
Client
Resource
Server
OAuth
Server
token
Roles +
Permissions
S
S
O
Federated Role-Based Access Control Security
3 Use Cases
How to obtain a token?
• Service Account
• Internal to Penn State - Trusted Access
• External to Penn State - Authorized Access
Federated Role-Based Access Control Security
Service Accounts
Client
Resource
Server
OAuth
Server
token
Client Credentials Flow
POST /oauth/api/token HTTP/1.1
Host: localhost:443
Accept: application/json
Cache-Control: no-cache
Content-Type: application/x-www-form-
urlencoded
grant_type=client_credentials&client_id=y78U6
uybc82P3AH88xZ39dT2XYUVr7Xu&client_secr
et=4ue43PxZyc8YK7pBtY3C2CurEZnVHV9V
Federated Role-Based Access Control Security
Trusted Penn State Systems
JWT Diagram
Client
Resource
Server
OAuth
Server
token
S
S
O
POST /oauth/api/token HTTP/1.1
Host: localhost:443
Accept: application/json
Cache-Control: no-cache
Content-Type: application/x-www-form-
urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%
3Agrant-type%3Ajwt-
bearer&client_id=7Cz22fmD6uKfabLJ83wcQt9
Q98av777E&client_secret=Jk9pZk7TfH47GwyT
WaNMVa9Be6pehV4N&assertion=eyJraWQiOi
JlMmMzZmMyNi1mY2M3LTQ5NzMtODI0OS02
M2RmOGQ1N2E5MmMiLCJ0eXAiOiJKV1QiLC
JhbGciOiJSUzI1NiJ9.eyJzdWIiOiJib2IiLCJhdW
QiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4M
Fwvb2F1dGhcL2FwaVwvdG9rZW4iLCJuYmYi
OjE0Mzg5NTUyNzcsImlzcyI6IjdDejIyZm1ENnV
LZmFiTEo4M3djUXQ5UTk4YXY3NzdFIiwiZXh
wIjoxNDM4OTU1M...
Federated Role-Based Access Control Security
JSON Web Tokens
Header:
{
"kid": "7fa0d042-93ab-4354-bdcb-ca9d321c163e",
"typ": "JWT",
"alg": "RS256"
}
Payload:
{
"sub": "bob",
"aud": "http://dev.apps.psu.edu:80/oauth/api/token",
"nbf": 1444396380,
"iss": "8EZygt3MuU9F6VUE7anj8Wvnf9D6adHe",
"exp": 1444486380,
"iat": 1444396380,
"jti": "bafa86d2-2761-49f7-87aa-d6714eb966e2"
}
Signature:
Digital signature of message using shared or public/private keys.
JWT:
eyJraWQiOiI3ZmEwZDA0Mi05M2FiLTQzNTQtYmRjYi1jYTlkMzIxYzE2
M2UiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJib2IiLCJh
dWQiOiJodHRwOlwvXC9kZXYuYXBwcy5wc3UuZWR1OjgwXC9vYXV0
aFwvYXBpXC90b2tlbiIsIm5iZiI6MTQ0NDM5NjM4MCwiaXNzIjoiOEVae
Wd0M011VTlGNlZVRTdhbmo4V3ZuZjlENmFkSGUiLCJleHAiOjE0NDQ
0ODYzODAsImlhdCI6MTQ0NDM5NjM4MCwianRpIjoiYmFmYTg2ZDItM
jc2MS00OWY3LTg3YWEtZDY3MTRlYjk2NmUyIn0.H3Ue5UL2Dq8387V
r6CqUQW0GQn8PhjMlZU5aMoIbVYjtadn2_rJbej52xcGnp_9GFhq0HzS
QDYd3WjcXgz3Wd-
dBcCtCWqw5MIoeE1VC_gXTpVzR_ncCTz_sYa2G83BUok61cdMOWJ
sNcDwlxeH4DJswQNFg0VX7SNkR0GZF5TIrU-
X8TPboXrIel4RZIbV7ab_QVJ-
Eg0QmrWWNl6L2DsQZUlHsA2v00NwA71F-
SStndzJb8bIKJScaVgOmd2TIvPewHONHaoqjCP3uItqUAGuxq0YK_88
UaihsyxOaatYNAKhU6SaZzXu4asaNWqyMFiguO_AXgCdKKyOeIA8U
Wg
Federated Role-Based Access Control Security
3rd Party External Systems
Client
Resource
Server
OAuth
Server
token
The “Client”
app would like
to access...?
Allow Deny
Authorization Flows GET
/oauth/api/authz?client_id=y78U6uybc82P3AH8
8xZ39dT2XYUVr7Xu&redirect_uri=https://www.
getpostman.com/oauth2/callback&response_typ
e=code&scopes=scope HTTP/1.1
Host: localhost:8080
Cache-Control: no-cache
POST /oauth/api/token HTTP/1.1
Host: localhost:443
Accept: application/json
Cache-Control: no-cache
Content-Type: application/x-www-form-
urlencoded
grant_type=authorization_code&client_id=y78U
6uybc82P3AH88xZ39dT2XYUVr7Xu&client_se
cret=4ue43PxZyc8YK7pBtY3C2CurEZnVHV9V
&code=805af3140c2732b626b35fd4a04cf09a&r
edirect_uri=https%3A%2F%2Fwww.getpostma
n.com%2Foauth2%2Fcallback
Federated Role-Based Access Control Security
How to Validate Access Tokens
Access Tokens are opaque to the client, but the Resource Server and OAuth
Server need to understand how to create and validate the tokens
Options
• Shared DB
• REST Callback to OAuth Service
• JWT encoded Access Tokens
Client
Resource
Server
OAuth
Server
Federated Role-Based Access Control Security
JavaEE Integration with JASPI
Java Authentication Service Provider Interface for Containers - JASPI(C)
Implementation based off JavaEE 7 Samples Project (https://github.com/javaee-
samples/javaee7-samples/tree/master/jaspic)
Integrated with Wildfly
Security Context propagates throughout entire container (Web tier to EJB tier)
Federated Role-Based Access Control Security
Using Standard Security Checks
Standard Role Checks work as expected
• Annotations
• @RolesAllowed(“<PERMISSION_NAME>”)
• Programmatic Checks
• EJBContext.isUserInRole(“<PERMISSION_NAME>”)
• HttpServletRequest.isUserInRole(“<PERMISSION_NAME>”)
• User Principal
• EJBContext.getCallerPrincipal()
• HttpServletRequest.getUserPrincipal()
Federated Role-Based Access Control Security
JASPI Wildfly Configuration
Standalone.xml: jboss-web.xml
jboss-ejb3.xml
Federated Role-Based Access Control Security
Enable JASPI within Application
Federated Role-Based Access Control Security
ServerAuthModule
Federated Role-Based Access Control Security
Security Libraries (Client / Server)
webapp service
service
service
S
S
O
token
J
A
S
P
I
J
A
S
P
I
J
A
S
P
I
Client
Client
Pluggable libraries abstract A&A from application developers
JASPI Library to authenticate incoming requests and establish the security context
OAuth2 Client Libraries to request and present tokens on outbound requests
token
token
Federated Role-Based Access Control Security
Audit
As services proliferate it becomes more
important to be able to audit the entire chain
of authority through a single transaction.
Federated Role-Based Access Control Security
Authorization (Apache Fortress)
Apache Fortress Overview
* Apache 2.0 License
* Sub-project of Apache Directory
* Java Based Identity and Access Management
* Permission-based Access Control Model (RBAC)
Federated Role-Based Access Control Security
Authorization (Apache Fortress)
FourComponents:
* Core – Java APIs + utilities
* Realm – Java EE policy enforcement – Web – Administrative UI
* Rest – APIs over HTTP interface
LDAPv3 Compliant:
* Works with OpenLDAP and Apache Directory Server by default.
* Other possible
Federated Role-Based Access Control Security
Authorization (Apache Fortress)
Fortress Overview (https://directory.apache.org/fortress/)
Standards based and Open Source Identity Access Management system
ANSI RBAC (INCITS 359)
ARBAC02 (http://profsandhu.com/journals/tissec/p113-oh.pdf)
JAVA and REST APIs
Web Based management interface
Role Based Access Control
Role - Collection of permissions
Permission (Object + Operation)
Object - Resource in the system
Operation - Access mode of the resource
Users - Assigned to roles, which grants permissions
Federated Role-Based Access Control Security
Administrative - RBAC
Administrative-RBAC provides administration of the RBAC
data
who can create new roles
who can assign users to roles
who can assign permission to roles
etc…
An admin role determines jurisdiction over a subset of RBAC
and consists of
Admin permissions (object + operation)
User OUs - Groups of users
Perm OUs - Groups of permissions
Role Range - Slice of a role hierarchy
Federated Role-Based Access Control Security
ARBAC Delegated Administration
+
permission
calendar_user
role
jon
user
view
operation
staff
User OU
calendar_app
Perm OU
calendar
object
arbac_cal
ARBAC Role
bob
user
canAssign and
canGrant
ARBAC Permissions
chris
user
Developer builds permissions and integrates
into application
User “bob” is a delegated admin with an
ARBAC role
“staff” User OU
“calendar_app” Perm OU
“canAssign” and “canGrant” permissions
Bob can assign user “jon” to the
“calendar_user” role
Bob can NOT assign user chris into
“calendar_user” role
Bob can grant the “calendar.view” permission
to the “calendar_user” role
Federated Role-Based Access Control Security
We hit a wall
Federated Role-Based Access Control Security
Road Blocks
//doesn’t restrict to a specific “id”
@RolesAllowed(“calendar.view”)
public Calendar viewCalendar(String id) { …
RBAC Role ARBAC Role
calendar_user ar-cal_user
calendar_admin ar-cal_admin
Fine Grained Access
• Problem: RBAC only provides coarse grained access
• Potential Solution:
Permission Object OUs
• Problem: Can’t delegate permissions to different ARBAC roles
• Potential Solution: Change permission OUs to the operation level
ARBAC Role Explosion
• Problem: Need many ARBAC roles to administer RBAC roles
• Potential Solution: Change ARBAC role range to Role OUs
Bi-Directional Lookups
• Problem: Not efficient to lookup certain types of relationships
• Potential Solution: Add attributes on both sides of a relationship
Federated Role-Based Access Control Security
Road Blocks
How do we draw the picture?
Federated Role-Based Access Control Security
Lessons Learned
Doing fine grained security in
a simple generic way is
really hard!!!
Federated Role-Based Access Control Security
(Almost) The End
Federated Role-Based Access Control Security
We’re Hiring!
Software Engineering - UI/UX https://psu.jobs/job/59211
System and Network Security Analyst https://psu.jobs/job/59541
Hardware Configuration Manager https://psu.jobs/job/59543
Software Configuration Manager https://psu.jobs/job/59542
Software Test Engineer https://psu.jobs/job/59670
Other jobs at Penn State https://psu.jobs/jobs
Federated Role-Based Access Control Security
Thank You
Shawn Smith – ses44@psu.edu
Steve Moyer – swm16@psu.edu
Chris Harm – crh5255@psu.edu
Shawn McKinney - smckinney@symas.com
Federated Role-Based Access Control Security
Questions?

More Related Content

What's hot

Microservices Best Practices
Microservices Best PracticesMicroservices Best Practices
Microservices Best PracticesAliasgar Muchhala
 
rethinking-the-fifth-discipline
 rethinking-the-fifth-discipline rethinking-the-fifth-discipline
rethinking-the-fifth-disciplinenguyendodlong
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Apigee | Google Cloud
 
ArchiMate application and data architecture layer - Simplify the models
ArchiMate application and data architecture layer - Simplify the modelsArchiMate application and data architecture layer - Simplify the models
ArchiMate application and data architecture layer - Simplify the modelsCOMPETENSIS
 
Value Chain Canvas Model an Enterprise Architecture Framework
Value Chain Canvas Model an Enterprise Architecture FrameworkValue Chain Canvas Model an Enterprise Architecture Framework
Value Chain Canvas Model an Enterprise Architecture FrameworkRené MANDEL
 
Deconstructing Monoliths with Domain Driven Design
Deconstructing Monoliths with Domain Driven DesignDeconstructing Monoliths with Domain Driven Design
Deconstructing Monoliths with Domain Driven DesignVMware Tanzu
 
Clean Architecture Essentials - Stockholm Software Craftsmanship
Clean Architecture Essentials - Stockholm Software CraftsmanshipClean Architecture Essentials - Stockholm Software Craftsmanship
Clean Architecture Essentials - Stockholm Software CraftsmanshipIvan Paulovich
 
Domain Driven Design Introduction
Domain Driven Design IntroductionDomain Driven Design Introduction
Domain Driven Design Introductionwojtek_s
 
Présentation de la plateforme YARIS
Présentation de la plateforme YARISPrésentation de la plateforme YARIS
Présentation de la plateforme YARISEU GoGIN Project
 
IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022 IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022 Rob Akershoek
 
Business Composability
Business ComposabilityBusiness Composability
Business ComposabilityCOMPETENSIS
 
Create an Enterprise Architecture Strategy in 3 Steps
Create an Enterprise Architecture Strategy in 3 StepsCreate an Enterprise Architecture Strategy in 3 Steps
Create an Enterprise Architecture Strategy in 3 StepsMauricio 'MJ' Jimenez
 
Oracle Service Bus vs. Oracle Enterprise Service Bus vs. BPEL
Oracle Service Bus vs. Oracle Enterprise Service Bus vs. BPELOracle Service Bus vs. Oracle Enterprise Service Bus vs. BPEL
Oracle Service Bus vs. Oracle Enterprise Service Bus vs. BPELGuido Schmutz
 
Solution Architecture And User And Customer Experience
Solution Architecture And User And Customer ExperienceSolution Architecture And User And Customer Experience
Solution Architecture And User And Customer ExperienceAlan McSweeney
 
Value analysis with Value Stream and Capability modeling
Value analysis with Value Stream and Capability modelingValue analysis with Value Stream and Capability modeling
Value analysis with Value Stream and Capability modelingCOMPETENSIS
 

What's hot (20)

Microservices Best Practices
Microservices Best PracticesMicroservices Best Practices
Microservices Best Practices
 
rethinking-the-fifth-discipline
 rethinking-the-fifth-discipline rethinking-the-fifth-discipline
rethinking-the-fifth-discipline
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?
 
Apresentação Aula 01
Apresentação  Aula 01Apresentação  Aula 01
Apresentação Aula 01
 
ArchiMate application and data architecture layer - Simplify the models
ArchiMate application and data architecture layer - Simplify the modelsArchiMate application and data architecture layer - Simplify the models
ArchiMate application and data architecture layer - Simplify the models
 
Value Chain Canvas Model an Enterprise Architecture Framework
Value Chain Canvas Model an Enterprise Architecture FrameworkValue Chain Canvas Model an Enterprise Architecture Framework
Value Chain Canvas Model an Enterprise Architecture Framework
 
Event storming
Event storming Event storming
Event storming
 
Arquitetura.corporativa
Arquitetura.corporativaArquitetura.corporativa
Arquitetura.corporativa
 
Deconstructing Monoliths with Domain Driven Design
Deconstructing Monoliths with Domain Driven DesignDeconstructing Monoliths with Domain Driven Design
Deconstructing Monoliths with Domain Driven Design
 
Clean Architecture Essentials - Stockholm Software Craftsmanship
Clean Architecture Essentials - Stockholm Software CraftsmanshipClean Architecture Essentials - Stockholm Software Craftsmanship
Clean Architecture Essentials - Stockholm Software Craftsmanship
 
Domain Driven Design Introduction
Domain Driven Design IntroductionDomain Driven Design Introduction
Domain Driven Design Introduction
 
Présentation de la plateforme YARIS
Présentation de la plateforme YARISPrésentation de la plateforme YARIS
Présentation de la plateforme YARIS
 
ARIS World
ARIS World ARIS World
ARIS World
 
Domain Driven Design
Domain Driven DesignDomain Driven Design
Domain Driven Design
 
IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022 IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022
 
Business Composability
Business ComposabilityBusiness Composability
Business Composability
 
Create an Enterprise Architecture Strategy in 3 Steps
Create an Enterprise Architecture Strategy in 3 StepsCreate an Enterprise Architecture Strategy in 3 Steps
Create an Enterprise Architecture Strategy in 3 Steps
 
Oracle Service Bus vs. Oracle Enterprise Service Bus vs. BPEL
Oracle Service Bus vs. Oracle Enterprise Service Bus vs. BPELOracle Service Bus vs. Oracle Enterprise Service Bus vs. BPEL
Oracle Service Bus vs. Oracle Enterprise Service Bus vs. BPEL
 
Solution Architecture And User And Customer Experience
Solution Architecture And User And Customer ExperienceSolution Architecture And User And Customer Experience
Solution Architecture And User And Customer Experience
 
Value analysis with Value Stream and Capability modeling
Value analysis with Value Stream and Capability modelingValue analysis with Value Stream and Capability modeling
Value analysis with Value Stream and Capability modeling
 

Viewers also liked

Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Deny Prasetia
 
Java9 and Project Jigsaw
Java9 and Project JigsawJava9 and Project Jigsaw
Java9 and Project Jigsawtakezoe
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Java9新機能概要
Java9新機能概要Java9新機能概要
Java9新機能概要HonMarkHunt
 
今年はJava進化の年!今知っておくべき新しいJava
今年はJava進化の年!今知っておくべき新しいJava今年はJava進化の年!今知っておくべき新しいJava
今年はJava進化の年!今知っておくべき新しいJavaTakashi Ito
 
Java EE 8 - February 2017 update
Java EE 8 - February 2017 updateJava EE 8 - February 2017 update
Java EE 8 - February 2017 updateDavid Delabassee
 
10のJava9で変わるJava8の嫌なとこ!
10のJava9で変わるJava8の嫌なとこ!10のJava9で変わるJava8の嫌なとこ!
10のJava9で変わるJava8の嫌なとこ!bitter_fox
 
ドメイン駆動設計 基本を理解する
ドメイン駆動設計 基本を理解するドメイン駆動設計 基本を理解する
ドメイン駆動設計 基本を理解する増田 亨
 
Design in Tech Report 2017
Design in Tech Report 2017Design in Tech Report 2017
Design in Tech Report 2017John Maeda
 

Viewers also liked (10)

Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)Implementing role based access control on Web Application (sample case)
Implementing role based access control on Web Application (sample case)
 
Java9 and Project Jigsaw
Java9 and Project JigsawJava9 and Project Jigsaw
Java9 and Project Jigsaw
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
Java EE Next
Java EE NextJava EE Next
Java EE Next
 
Java9新機能概要
Java9新機能概要Java9新機能概要
Java9新機能概要
 
今年はJava進化の年!今知っておくべき新しいJava
今年はJava進化の年!今知っておくべき新しいJava今年はJava進化の年!今知っておくべき新しいJava
今年はJava進化の年!今知っておくべき新しいJava
 
Java EE 8 - February 2017 update
Java EE 8 - February 2017 updateJava EE 8 - February 2017 update
Java EE 8 - February 2017 update
 
10のJava9で変わるJava8の嫌なとこ!
10のJava9で変わるJava8の嫌なとこ!10のJava9で変わるJava8の嫌なとこ!
10のJava9で変わるJava8の嫌なとこ!
 
ドメイン駆動設計 基本を理解する
ドメイン駆動設計 基本を理解するドメイン駆動設計 基本を理解する
ドメイン駆動設計 基本を理解する
 
Design in Tech Report 2017
Design in Tech Report 2017Design in Tech Report 2017
Design in Tech Report 2017
 

Similar to Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC

The hidden gems of Spring Security
The hidden gems of Spring SecurityThe hidden gems of Spring Security
The hidden gems of Spring SecurityMassimiliano Dessì
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examplesnasza-klasa
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningSean Chittenden
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
Overview of RESTful web services
Overview of RESTful web servicesOverview of RESTful web services
Overview of RESTful web servicesnbuddharaju
 
Security: Odoo Code Hardening
Security: Odoo Code HardeningSecurity: Odoo Code Hardening
Security: Odoo Code HardeningOdoo
 
Authentication and authorization in res tful infrastructures
Authentication and authorization in res tful infrastructuresAuthentication and authorization in res tful infrastructures
Authentication and authorization in res tful infrastructuresCorley S.r.l.
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Roll Your Own API Management Platform with nginx and Lua
Roll Your Own API Management Platform with nginx and LuaRoll Your Own API Management Platform with nginx and Lua
Roll Your Own API Management Platform with nginx and LuaJon Moore
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 

Similar to Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC (20)

The hidden gems of Spring Security
The hidden gems of Spring SecurityThe hidden gems of Spring Security
The hidden gems of Spring Security
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
 
Android and REST
Android and RESTAndroid and REST
Android and REST
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 
Overview of RESTful web services
Overview of RESTful web servicesOverview of RESTful web services
Overview of RESTful web services
 
Security: Odoo Code Hardening
Security: Odoo Code HardeningSecurity: Odoo Code Hardening
Security: Odoo Code Hardening
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
Authentication and authorization in res tful infrastructures
Authentication and authorization in res tful infrastructuresAuthentication and authorization in res tful infrastructures
Authentication and authorization in res tful infrastructures
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
 
Roll Your Own API Management Platform with nginx and Lua
Roll Your Own API Management Platform with nginx and LuaRoll Your Own API Management Platform with nginx and Lua
Roll Your Own API Management Platform with nginx and Lua
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 

Recently uploaded

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Federated RBAC: Fortress, OAuth2 (Oltu), JWT, Java EE, and JASPIC

  • 1. Federated Role-Based Access Control Security Federated RBAC: Fortress, OAuth2, JWT, Java EE, & JASPIC
  • 2. Federated Role-Based Access Control Security Chris Harm (Manager of Software Infrastructure) Steve Moyer (Enterprise Software Architect) Shawn Smith (Director of Software Engineering) Shawn McKinney (Symas - Software Architect) “WE ARE” - Software Engineering
  • 3. Federated Role-Based Access Control Security Problem Statement • Our team is responsible for almost 100 applications (and growing) • Many hand coded specialized RBAC systems • Penn State is a large decentralized organization • Historically systems had considered Authentication == Authorization • Existing IAM evolved over many years • Legacy authorization is based primarily on LDAP groups
  • 4. Federated Role-Based Access Control Security Scope • Students 96k • Employees 26k • Campuses 24 • Locations > 100 • Departments 100s • Titles1 1000s 1. (Job descriptions, positions, etc)
  • 5. Federated Role-Based Access Control Security Implications • Centralized role and permission granting and revoking is impossible • Mapping “titles” to roles is impossible • Those who know how to map employees (and sometimes students) into roles are commonly not in an IT organization • We need a clear migration path from custom IAM to a common security system
  • 6. Federated Role-Based Access Control Security Existing IAM Infrastructure
  • 7. Federated Role-Based Access Control Security Goals • Functional Goals • End to end security chaining • Delegated role creation, granting and revoking • Course grained access control (method access) • Fine grained access control (data slicing) • Implementation Goals • Performant and Scaleable • Pluggable • Standards compliant
  • 8. Federated Role-Based Access Control Security End to end security chaining webapp service service service DB S S O Token TokenToken
  • 9. Federated Role-Based Access Control Security Roles vs. Permissions Users Roles + permission permission operation permission objectUsers Roles role1 @RolesAllowed({“role1”}) public Calendar create(String id) @RolesAllowed({“role1”, “role2”}) public Calendar create(String id) @RolesAllowed({“permission1”}) public Calendar create(String id) role2 permission1 permission1 permission1 role2 role1 permission1 permission1 permission1
  • 10. Federated Role-Based Access Control Security Roles vs. Permissions HR Representation Bad Staff @RolesAllowed(“dimc.account.lock”) public void lockAccount(String userid) { …. }
  • 11. Federated Role-Based Access Control Security Roles vs. Permissions HR Representation Bad Staff @RolesAllowed(“dimc.account.lock.staff”) public void lockStaffAccount(String userid) { …. } @RolesAllowed(“dimc.account.lock.student”) public void lockStudentAccount(String userid) { …. }
  • 12. Federated Role-Based Access Control Security Roles vs. Permissions HR Representation Bad Staff @RolesAllowed(“dimc.account.lock.staff”) public void lockStaffAccount(String userid) { …. } @RolesAllowed(“dimc.account.lock.student”) public void lockStudentAccount(String userid) { …. } Admin Assistant Schedule Calendar By Building? By Department? By Organization? By Some Combination?
  • 13. Federated Role-Based Access Control Security Roles, Permissions, & Java EE Security // chris and jon allowed @RolesAllowed(“calendar.view”) public Calendar viewCalendar(String id) { … // only chris allowed @RolesAllowed(“calendar.create”) public Calendar createCalendar(String id, String name... chris user calendar_admin role User Permission Java EE Role chris calendar + view calendar.view chris calendar + create calendar.create jon calendar + view calendar.view calendar_user role jon user + permission view operation calendar object + permission create operation calendar object
  • 14. Federated Role-Based Access Control Security Delegated Role Creation Service Desk Security Account Manager Call Center Available Permissions dimc.read dimc.fps.edit dimc.wireless.lock ibis.modify ibis.delete security_role permission1 permission1 dimc.pw.* acct_mgr_role permission1 permission1 dimc.pw.lock call_center_role permission1 permission1 dimc.read Service Desk Manager
  • 15. Federated Role-Based Access Control Security Delegated Role Creation PermissionA PermissionB PermissionC PermissionD PermissionE PermissionF SomeRole Permission Specific Attributes Per User
  • 16. Federated Role-Based Access Control Security What we’ve done...
  • 17. Federated Role-Based Access Control Security Authentication (OAuth2) Client Resource Server OAuth Server token Roles + Permissions S S O
  • 18. Federated Role-Based Access Control Security 3 Use Cases How to obtain a token? • Service Account • Internal to Penn State - Trusted Access • External to Penn State - Authorized Access
  • 19. Federated Role-Based Access Control Security Service Accounts Client Resource Server OAuth Server token Client Credentials Flow POST /oauth/api/token HTTP/1.1 Host: localhost:443 Accept: application/json Cache-Control: no-cache Content-Type: application/x-www-form- urlencoded grant_type=client_credentials&client_id=y78U6 uybc82P3AH88xZ39dT2XYUVr7Xu&client_secr et=4ue43PxZyc8YK7pBtY3C2CurEZnVHV9V
  • 20. Federated Role-Based Access Control Security Trusted Penn State Systems JWT Diagram Client Resource Server OAuth Server token S S O POST /oauth/api/token HTTP/1.1 Host: localhost:443 Accept: application/json Cache-Control: no-cache Content-Type: application/x-www-form- urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth% 3Agrant-type%3Ajwt- bearer&client_id=7Cz22fmD6uKfabLJ83wcQt9 Q98av777E&client_secret=Jk9pZk7TfH47GwyT WaNMVa9Be6pehV4N&assertion=eyJraWQiOi JlMmMzZmMyNi1mY2M3LTQ5NzMtODI0OS02 M2RmOGQ1N2E5MmMiLCJ0eXAiOiJKV1QiLC JhbGciOiJSUzI1NiJ9.eyJzdWIiOiJib2IiLCJhdW QiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4M Fwvb2F1dGhcL2FwaVwvdG9rZW4iLCJuYmYi OjE0Mzg5NTUyNzcsImlzcyI6IjdDejIyZm1ENnV LZmFiTEo4M3djUXQ5UTk4YXY3NzdFIiwiZXh wIjoxNDM4OTU1M...
  • 21. Federated Role-Based Access Control Security JSON Web Tokens Header: { "kid": "7fa0d042-93ab-4354-bdcb-ca9d321c163e", "typ": "JWT", "alg": "RS256" } Payload: { "sub": "bob", "aud": "http://dev.apps.psu.edu:80/oauth/api/token", "nbf": 1444396380, "iss": "8EZygt3MuU9F6VUE7anj8Wvnf9D6adHe", "exp": 1444486380, "iat": 1444396380, "jti": "bafa86d2-2761-49f7-87aa-d6714eb966e2" } Signature: Digital signature of message using shared or public/private keys. JWT: eyJraWQiOiI3ZmEwZDA0Mi05M2FiLTQzNTQtYmRjYi1jYTlkMzIxYzE2 M2UiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJib2IiLCJh dWQiOiJodHRwOlwvXC9kZXYuYXBwcy5wc3UuZWR1OjgwXC9vYXV0 aFwvYXBpXC90b2tlbiIsIm5iZiI6MTQ0NDM5NjM4MCwiaXNzIjoiOEVae Wd0M011VTlGNlZVRTdhbmo4V3ZuZjlENmFkSGUiLCJleHAiOjE0NDQ 0ODYzODAsImlhdCI6MTQ0NDM5NjM4MCwianRpIjoiYmFmYTg2ZDItM jc2MS00OWY3LTg3YWEtZDY3MTRlYjk2NmUyIn0.H3Ue5UL2Dq8387V r6CqUQW0GQn8PhjMlZU5aMoIbVYjtadn2_rJbej52xcGnp_9GFhq0HzS QDYd3WjcXgz3Wd- dBcCtCWqw5MIoeE1VC_gXTpVzR_ncCTz_sYa2G83BUok61cdMOWJ sNcDwlxeH4DJswQNFg0VX7SNkR0GZF5TIrU- X8TPboXrIel4RZIbV7ab_QVJ- Eg0QmrWWNl6L2DsQZUlHsA2v00NwA71F- SStndzJb8bIKJScaVgOmd2TIvPewHONHaoqjCP3uItqUAGuxq0YK_88 UaihsyxOaatYNAKhU6SaZzXu4asaNWqyMFiguO_AXgCdKKyOeIA8U Wg
  • 22. Federated Role-Based Access Control Security 3rd Party External Systems Client Resource Server OAuth Server token The “Client” app would like to access...? Allow Deny Authorization Flows GET /oauth/api/authz?client_id=y78U6uybc82P3AH8 8xZ39dT2XYUVr7Xu&redirect_uri=https://www. getpostman.com/oauth2/callback&response_typ e=code&scopes=scope HTTP/1.1 Host: localhost:8080 Cache-Control: no-cache POST /oauth/api/token HTTP/1.1 Host: localhost:443 Accept: application/json Cache-Control: no-cache Content-Type: application/x-www-form- urlencoded grant_type=authorization_code&client_id=y78U 6uybc82P3AH88xZ39dT2XYUVr7Xu&client_se cret=4ue43PxZyc8YK7pBtY3C2CurEZnVHV9V &code=805af3140c2732b626b35fd4a04cf09a&r edirect_uri=https%3A%2F%2Fwww.getpostma n.com%2Foauth2%2Fcallback
  • 23. Federated Role-Based Access Control Security How to Validate Access Tokens Access Tokens are opaque to the client, but the Resource Server and OAuth Server need to understand how to create and validate the tokens Options • Shared DB • REST Callback to OAuth Service • JWT encoded Access Tokens Client Resource Server OAuth Server
  • 24. Federated Role-Based Access Control Security JavaEE Integration with JASPI Java Authentication Service Provider Interface for Containers - JASPI(C) Implementation based off JavaEE 7 Samples Project (https://github.com/javaee- samples/javaee7-samples/tree/master/jaspic) Integrated with Wildfly Security Context propagates throughout entire container (Web tier to EJB tier)
  • 25. Federated Role-Based Access Control Security Using Standard Security Checks Standard Role Checks work as expected • Annotations • @RolesAllowed(“<PERMISSION_NAME>”) • Programmatic Checks • EJBContext.isUserInRole(“<PERMISSION_NAME>”) • HttpServletRequest.isUserInRole(“<PERMISSION_NAME>”) • User Principal • EJBContext.getCallerPrincipal() • HttpServletRequest.getUserPrincipal()
  • 26. Federated Role-Based Access Control Security JASPI Wildfly Configuration Standalone.xml: jboss-web.xml jboss-ejb3.xml
  • 27. Federated Role-Based Access Control Security Enable JASPI within Application
  • 28. Federated Role-Based Access Control Security ServerAuthModule
  • 29. Federated Role-Based Access Control Security Security Libraries (Client / Server) webapp service service service S S O token J A S P I J A S P I J A S P I Client Client Pluggable libraries abstract A&A from application developers JASPI Library to authenticate incoming requests and establish the security context OAuth2 Client Libraries to request and present tokens on outbound requests token token
  • 30. Federated Role-Based Access Control Security Audit As services proliferate it becomes more important to be able to audit the entire chain of authority through a single transaction.
  • 31. Federated Role-Based Access Control Security Authorization (Apache Fortress) Apache Fortress Overview * Apache 2.0 License * Sub-project of Apache Directory * Java Based Identity and Access Management * Permission-based Access Control Model (RBAC)
  • 32. Federated Role-Based Access Control Security Authorization (Apache Fortress) FourComponents: * Core – Java APIs + utilities * Realm – Java EE policy enforcement – Web – Administrative UI * Rest – APIs over HTTP interface LDAPv3 Compliant: * Works with OpenLDAP and Apache Directory Server by default. * Other possible
  • 33. Federated Role-Based Access Control Security Authorization (Apache Fortress) Fortress Overview (https://directory.apache.org/fortress/) Standards based and Open Source Identity Access Management system ANSI RBAC (INCITS 359) ARBAC02 (http://profsandhu.com/journals/tissec/p113-oh.pdf) JAVA and REST APIs Web Based management interface Role Based Access Control Role - Collection of permissions Permission (Object + Operation) Object - Resource in the system Operation - Access mode of the resource Users - Assigned to roles, which grants permissions
  • 34. Federated Role-Based Access Control Security Administrative - RBAC Administrative-RBAC provides administration of the RBAC data who can create new roles who can assign users to roles who can assign permission to roles etc… An admin role determines jurisdiction over a subset of RBAC and consists of Admin permissions (object + operation) User OUs - Groups of users Perm OUs - Groups of permissions Role Range - Slice of a role hierarchy
  • 35. Federated Role-Based Access Control Security ARBAC Delegated Administration + permission calendar_user role jon user view operation staff User OU calendar_app Perm OU calendar object arbac_cal ARBAC Role bob user canAssign and canGrant ARBAC Permissions chris user Developer builds permissions and integrates into application User “bob” is a delegated admin with an ARBAC role “staff” User OU “calendar_app” Perm OU “canAssign” and “canGrant” permissions Bob can assign user “jon” to the “calendar_user” role Bob can NOT assign user chris into “calendar_user” role Bob can grant the “calendar.view” permission to the “calendar_user” role
  • 36. Federated Role-Based Access Control Security We hit a wall
  • 37. Federated Role-Based Access Control Security Road Blocks //doesn’t restrict to a specific “id” @RolesAllowed(“calendar.view”) public Calendar viewCalendar(String id) { … RBAC Role ARBAC Role calendar_user ar-cal_user calendar_admin ar-cal_admin Fine Grained Access • Problem: RBAC only provides coarse grained access • Potential Solution: Permission Object OUs • Problem: Can’t delegate permissions to different ARBAC roles • Potential Solution: Change permission OUs to the operation level ARBAC Role Explosion • Problem: Need many ARBAC roles to administer RBAC roles • Potential Solution: Change ARBAC role range to Role OUs Bi-Directional Lookups • Problem: Not efficient to lookup certain types of relationships • Potential Solution: Add attributes on both sides of a relationship
  • 38. Federated Role-Based Access Control Security Road Blocks How do we draw the picture?
  • 39. Federated Role-Based Access Control Security Lessons Learned Doing fine grained security in a simple generic way is really hard!!!
  • 40. Federated Role-Based Access Control Security (Almost) The End
  • 41. Federated Role-Based Access Control Security We’re Hiring! Software Engineering - UI/UX https://psu.jobs/job/59211 System and Network Security Analyst https://psu.jobs/job/59541 Hardware Configuration Manager https://psu.jobs/job/59543 Software Configuration Manager https://psu.jobs/job/59542 Software Test Engineer https://psu.jobs/job/59670 Other jobs at Penn State https://psu.jobs/jobs
  • 42. Federated Role-Based Access Control Security Thank You Shawn Smith – ses44@psu.edu Steve Moyer – swm16@psu.edu Chris Harm – crh5255@psu.edu Shawn McKinney - smckinney@symas.com
  • 43. Federated Role-Based Access Control Security Questions?

Editor's Notes

  1. Talk to the simplification of binding methods to permissions. When the RolesAllowed references permissions, you can modify the permissions assigned to a role at runtime in order to change the system's configuration. Also, adding additional roles at runtime is possible without having to redeploy the application. Roles - Static assignment Permissions - Dynamic assignment Map Users to Permissions through roles. Grant Permissions to a role, and assign users into that role.
  2. Talk to the simplification of binding methods to permissions. When the RolesAllowed references permissions, you can modify the permissions assigned to a role at runtime in order to change the system's configuration. Also, adding additional roles at runtime is possible without having to redeploy the application. Roles - Static assignment Permissions - Dynamic assignment Map Users to Permissions through roles. Grant Permissions to a role, and assign users into that role.
  3. Talk to the simplification of binding methods to permissions. When the RolesAllowed references permissions, you can modify the permissions assigned to a role at runtime in order to change the system's configuration. Also, adding additional roles at runtime is possible without having to redeploy the application. Roles - Static assignment Permissions - Dynamic assignment Map Users to Permissions through roles. Grant Permissions to a role, and assign users into that role.
  4. Talk to the simplification of binding methods to permissions. When the RolesAllowed references permissions, you can modify the permissions assigned to a role at runtime in order to change the system's configuration. Also, adding additional roles at runtime is possible without having to redeploy the application. Roles - Static assignment Permissions - Dynamic assignment Map Users to Permissions through roles. Grant Permissions to a role, and assign users into that role.
  5. A delegated authority is assigned who can create roles, grant permissions to roles, and assign users into that role.
  6. Preview the OAuth discussion SSO authenticates users at the webapp OAuth authenticates REST calls OAuth is delegated authentication delegated access for use in situations where the user is not present like a webapp authenticate the end user, but needs to call back end services that need to authenticate calls Application Grant changes based on who the user is, and which system is requesting the token.
  7. Provide examples of each type Service Account - some backend process. Internal to Penn State - internal department application and also other trusted applications from other departments. Need to verify that those systems are trusted and follow best practices External to Penn State - student run organization or group wants to create a mobile app that can access the schedule of classes, your degree information, list of required classes and the real-time local bus data in order to create an optimized schedule and route you around campus. It’s not a Penn State sponsored app, but it needs access to a student’s data.
  8. Clients must register with the OAuth server Clients receive a client_id (public) and client_secret (private) These can be used to obtain an auth token that represents the service account
  9. Examples: Student mobile app that wants to access your course history and required classes to create an optimal schedule. Allow systems to refresh a token after it’s expired… Client must register with OAuth server before being allowed to auth. Possible approval process in place prior to allowing access.
  10. Validate Options - OAuth Server and Resource Server team together in authentication. JWT option allows the RS to validate a token without calling the OAuth server, but increases the complexity of revoking a token Talk Caching of token-info at the RS. Increased overhead of calls to obtain tokens and validate tokens is limited to 2 extra calls per token lifespan (obtaining a token) / caching duration (validating a token)
  11. Why JASPI? Two authentication cases, webapps and REST services PSU uses a SSO solution based on an Apache plugin to authenticate users We tried JAAS, but the solution was a bit awkward. HttpServletRequest.login(“username”, “password”) JASPI allows direct access to authenticate the HTTPServletRrequest - HttpServletRequest.authenticate() This allows us to access the SSO Headers and OAuth Headers directly in order to authenticate the request.
  12. hack to enable security within Wildfly We’re using Wildfly 8. Tried using Wildfly’s JASPI Implementation, but rant into problems Wildfly Implementation - Wildfly bug that prevented principal from propagating into the EJB tier Wildfly JAAS SAM - picketbox JASPI SAM that delegated to a JAAS Login Module did as expected One solution worked but session caching broke. jboss-web.xml and jboss-ejb3.xml files enable the security interceptors in the web and ejb tiers DummyLoginModule doesn’t do anything but is required as a placeholder Monitoring Wildlfy future releases and are willing to go back to built in soldution at some point.
  13. AuthConfigFactory.getFactory().registerConfigProvider() PsuAuthConfigProvider → PsuServerAuthConfig → PsuServerAuthContext → ServerAuthModule
  14. Client library is responsible for Managing the clients shared secret with the OAuth server Requesting a valid token before making a request to the RS Adding the token into the HTTP Request in the Authorization header Managing the lifecycle of an auth token Handling errors and retrying when possible. Server Module is responsible for Extracting the token for every inbound request Determining if the token is valid Resolving the token to a user principal Looking up the roles/permissions associated with the user Establishing the security context within the application server