Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Securing Applications With Picketlink

8,064 views

Published on

Anil Saldhana and Pete Muir presented securing applications with PicketLink at Red Hat Summit 2013. For more information, please refer to http://www.picketlink.org and JDF. TicketMonster is a Java EE app with HTML5 (http://www.jboss.org/jdf/examples/ticket-monster/tutorial/WhatIsTicketMonster/). This presentation talked about securing TicketMonster using PicketLink.

Published in: Technology

Securing Applications With Picketlink

  1. 1. 1 Sunday, July 7, 13
  2. 2. SECURING APPLICATIONS WITH PICKETLINK Anil Saldhana, Red Hat Pete Muir, Red Hat June 2013 2 Sunday, July 7, 13
  3. 3. What is it? Security framework for Java EE ● Apache License V2 ● First class support for CDI ● Secures your beans, bean methods, view layer, RESTful endpoints, servlets and more ● Simple API for managing Users, Groups and Roles ● Authenticate any way you want ● Federation (SAML, WS-Trust, OpenID) 3 Sunday, July 7, 13
  4. 4. Overview 4 Sunday, July 7, 13
  5. 5. Identity Management Manage users, groups, roles and more ● Built in support for storing your identities in: ● File system ● A relational database (using JPA) ● LDAP ● Well defined SPI for creating custom identity stores ● Powerful query API for querying identities ● All operations done through IdentityManager, which can be simply @Injected into your beans 5 Sunday, July 7, 13
  6. 6. BYO Identity Model ● We provide you with optional User, Group, Role classes ● We also provide a few default relationships – group membership, group role and application role ● But custom relationships (between two or more participating identities) are also easy to define ● Provides the flexibility you need to meet the requirements of your business or project 6 Sunday, July 7, 13
  7. 7. Authentication Authentication is initiated with Identity.login() ● Identity bean is a session-scoped bean that tracks the current user Authenticator can be configured per application or per request ● Supports multiple authentication methods in a single application (e.g. Username/password and OpenID) ● We provide some default (optional) support for some credential types 7 Sunday, July 7, 13
  8. 8. 8 Sunday, July 7, 13
  9. 9. 9 Sunday, July 7, 13
  10. 10. 10 Sunday, July 7, 13
  11. 11. RESTful Authentication Endpoint org.jboss.jdf.example.ticketmonster.security.rest.LoginServic e ● Username/password passed in via the credential param ● Identity.login() invoked ● If authentication successful, the User object is read from the Identity bean and passed back in the REST response ● We haven't configured an Authenticator for this application, so by default Identity Management is used to authenticate 11 Sunday, July 7, 13
  12. 12. Where are our users defined? org.jboss.jdf.example.ticketmonster.security.IdentityManagementInitializer ● @Startup bean is instantiated during app startup ● IdentityManager is @Injected ● initialize() is a @PostConstruct method ● Is executed automatically ● Creates the users, roles and default passwords for our application ● Sensible IDM configuration defaults make this possible 12 Sunday, July 7, 13
  13. 13. Securing application methods org.jboss.jdf.example.ticketmonster.rest.BookingService ● We want to restrict the createBooking() method to only logged-in users ● @UserLoggedIn is a Security Binding Type, an annotation used to restrict access to beans and bean methods ● This feature is provided by Apache DeltaSpike ● A Security Binding Type requires an Authorizer method, annotated with @Secures in addition to the binding annotation 13 Sunday, July 7, 13
  14. 14. Implementing the Authorizer method org.jboss.jdf.example.ticketmonster.security.AuthorizationManager ● The isUserLoggedIn() method controls access to methods annotated with @UserLoggedIn ● Is annotated with both @Secures and @UserLoggedIn ● Parameters of an authorizer method are treated as injection points ● Must return a boolean to indicate whether the authorization was successful – a result of true means the restricted method may be invoked by the current user 14 Sunday, July 7, 13
  15. 15. Servlet security org.jboss.jdf.example.ticketmonster.security.RoleBasedAuthorizationFilter ● Standard servlet filter, active for all requests ● Delegates authorization check to AuthorizationManager.isAllowed() ● Only allows requests to /admin/* URLs if user has the Administrator role ● IdentityManager.hasRole() method used to check if the current user has the required role 15 Sunday, July 7, 13
  16. 16. View layer security We can also tailor the user experience based on the current user's privileges ● JSF <ui:fragment> control can be used to show or hide parts of the page based on roles ● Can access the Identity bean directly via EL, e.g. #{identity.loggedIn} ● Can also use application-specific checks, e.g. AuthorizationManager.isAdmin() 16 Sunday, July 7, 13
  17. 17. User Registration IDM makes it easy to implement user self-registration ● org.jboss.jdf.example.ticketmonster.security.rest.RegistrationService ● The register() method receives a user registration request ● The performRegistration() method creates a new User, assigns them the User role, and adds them to the Users group. ● The registering user is even automatically logged in by the performSilentAuthentication() method ● An alternative would be to send a confirmation e-mail 17 Sunday, July 7, 13
  18. 18. Other IDM Features Built-in authentication support for ● Form-based, BASIC, DIGEST, X509 Certificate, Username/Password Password encoding ● Defaults to a salted hash, or BYO Mix and match identity stores ● Store your users in LDAP, roles and groups in DB 18 Sunday, July 7, 13
  19. 19. Other Features of PicketLink PicketLink Federation (SSO and Trust) ● SAML 2.0 ● SAML 1.1 ● WS-Trust 1.3 19 Sunday, July 7, 13
  20. 20. Other Features of PicketLink PicketLink Social Login ● Login using Facebook ● Login using Twitter ● Login using Google ● Login using OpenID 20 Sunday, July 7, 13
  21. 21. PicketLink RoadMap PicketLink v2.5.0 is the target ● Currently in frequent beta releases (Last Beta4) ● CR cycles to start soon ● Current emphasis on QE, Quickstarts and Demos ● Final planned mid-july (+ or - 2 weeks) 21 Sunday, July 7, 13
  22. 22. PicketLink Resources PicketLink has an one stop resource ● http://www.picketlink.org ● JDF Quickstarts 22 Sunday, July 7, 13
  23. 23. Questions? 23 Sunday, July 7, 13

×