Dekho security overview


Presentation on Dekho security


  1. Dekho Security Overview
  2. Agenda
     • What is authentication and authorisation
     • Authentication methods in ‘Dekho’
     • Demo – Authentication
     • Authorisation methods in ‘Dekho’
     • Demo – Authorisation
     • Dekho security “under the hood”
     • Best practices and tips
  3. What is Authentication and Authorisation
  4. Dekho Users and Roles
     • User: a Dekho application user. Depending on the ‘Role’ assigned, some users can access only the Dekho client and some can also access the Dekho admin applications.
     • Role: application roles given to a user.
     • Dekho users can be assigned to multiple roles.
     • Authorisation is based on the user’s roles.
     • Users who have the ‘Administrator’ role will have access to the Dekho administration application.
  5. Authentication methods in Dekho
  6. Authentication methods
     • Anonymous: every user that visits the Dekho site has the same access. They are not asked to enter a username/password.
     • Form based: the user is asked to enter their Dekho username and password. The users must be set up in the Dekho Manager and assigned roles there.
     • Kerberos: Kerberos is a network authentication protocol. Clients obtain tickets from the Kerberos Key Distribution Center (KDC) and present these tickets to servers when connections are established. Kerberos tickets represent the client’s network credentials. The user is not prompted for credentials; the browser negotiates the credentials with the Dekho server.
  7. Authentication methods contd.
     • LDAP Forms Authentication: the user is asked to enter their LDAP username and password. On a Windows system this is their Active Directory username and password.
     • NTLM Single Sign-on Authentication: the user does not have to enter credentials. The browser negotiates with the Dekho server using the Windows NTLM protocol. Dekho supports NTLM v1 and NTLM v2.
     • Pre-authenticated: for organisations that have an external authentication mechanism, Dekho can be set up to work with that external system. Examples of such systems are container managed authentication, IBM WebSeal, OpenID, CAS etc. This involves a customisation step to create a plug-in that integrates with the external authentication scheme.
  8. Configuring ‘Authentication’
     • An administrative user can configure authentication via ‘Settings’ in Dekho Manager.
     • The ‘Security Settings’ panel provides a ‘Test Connection’ button for some authentication/authorisation methods, which helps administrators validate the settings they have configured.
  9. Configuring ‘Anonymous’
     • Select ‘Anonymous Log In’ in the drop down for the authentication setting.
     • Only ‘Dekho Roles’ is available for authorisation.
  10. Demo
  11. Configuring ‘Form Based’
     • Select ‘Dekho Users’ in the drop down for the authentication setting.
     • Either ‘Dekho Roles’ or ‘LDAP Groups’ can be selected for authorisation.
  12. Demo
  13. Configuring ‘Kerberos’
     • Select ‘Kerberos (Active Directory)’ in the drop down for the authentication setting.
     • Set the Kerberos ‘keytab’ file location. A ‘keytab’ is a file containing pairs of Kerberos principals and encrypted keys (derived from the Kerberos password).
     • Set the Kerberos principal. The format would be like ‘HTTP/’. The principal name can be determined by looking at the values in the keytab file.
     • Either ‘Dekho Roles’ or ‘LDAP Groups’ can be selected for authorisation.
  14. Configuring ‘Kerberos’ contd.
     • Dekho uses SPNEGO (Simple and Protected GSS-API Negotiation Mechanism).
     • The server requires a Kerberos configuration properties file (krb5.ini or krb5.conf) installed for SPNEGO to work.
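Slide 13 says the principal name can be determined from the keytab. The following is an added Python example, not code from the deck or from Dekho: it encodes a constructed single-entry keytab in the MIT 0x0502 layout and parses it back, reporting each principal, kvno and enctype while never returning the key bytes. The sample principal, realm, timestamp and all-zero key are assumptions made for the example.

```python
import struct

# Constructed sample values (not from the slides): a service principal for a Dekho host
# and a dummy 32-byte AES-256 key. Real keytabs hold real keys: treat them as secrets.
SAMPLE_PRINCIPAL = "HTTP/dekho.example.com"
SAMPLE_REALM = "EXAMPLE.COM"
AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype number

def _counted(b: bytes) -> bytes:
    """MIT keytab 'counted octet string': big-endian uint16 length + bytes."""
    return struct.pack(">H", len(b)) + b

def make_keytab_entry(principal: str, realm: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Encode one keytab entry in the 0x0502 layout used by MIT Kerberos and Heimdal."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def list_keytab_principals(data: bytes):
    """Return (principal@REALM, kvno, enctype) for each live entry; key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # a negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _read_counted(data, pos + 11)   # skipped on purpose: the key stays private
        # a trailing uint32, if present, carries the full kvno; otherwise the 8-bit field is used
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        out.append((f"{'/'.join(comps)}@{realm.decode()}", kvno, enctype))
        pos = end
    return out

SAMPLE_KEYTAB = b"\x05\x02" + make_keytab_entry(SAMPLE_PRINCIPAL, SAMPLE_REALM, 3, AES256_CTS_HMAC_SHA1_96, bytes(32))
```

The principal string returned for the sample is the value an administrator would copy into the Dekho principal setting; `klist -kt` on the server gives the same information for a real keytab.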
  15. Demo
  16. Configuring ‘NTLM’
     • Select ‘NTLM’ in the drop down for the authentication setting.
     • Set the NTLM pre-authentication domain, username and password. The username and password are for a user in the given Windows domain and are verified when testing the connection.
     • With NTLM authentication, the browser negotiates with the Dekho application server to establish trust using the NTLM protocol. Dekho supports NTLM v1 and NTLM v2.
     • Either ‘Dekho Roles’ or ‘LDAP Groups’ can be selected for authorisation.
  17. Demo
  18. Configuring ‘LDAP’
     • Select ‘LDAP’ in the drop down for the authentication setting.
     • Set ‘ldap.principal’ to the id of a user in the LDAP directory. e.g. user Jerome Pradeep’s id in LDAP is ‘jpradeep’. ‘sAMAccountName’ denotes the ‘user id’ attribute in the LDAP directory in this case; the attribute name could be ‘uid’ or something else depending on the organisation’s LDAP schema.
     • Set ‘’ to the base (or root) directory path from which a user will be searched. e.g. in this example user ‘jparker’ could be searched under ou=People,dc=pisoftware,dc=com
  19. Configuring ‘LDAP’ contd.
     • Set ‘ldap.url’ to the LDAP directory server URL.
     • Set ‘ldap.user.searchfilter’ to the LDAP attribute which represents a user id. e.g. the user id ‘jparker’ is specified against the LDAP attribute ‘uid’, so in an LDAP directory structured like this ‘ldap.user.searchfilter’ should be set to “uid={0}”.
     • Set ‘ldap.user.userdn’ to the ‘distinguished name’ of the user principal. This is the value of the ‘dn’ attribute of the user. e.g. cn=James Parker,ou=users,dc=domain,dc=com,dc=au
  20. Configuring ‘LDAP’ contd.
     • If there are any errors while testing the LDAP authentication settings, the administrator will see an LDAP-specific error number with the message. Using this error number it is possible to identify or narrow down the root cause.
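To make the LDAP settings on slides 18 to 19 concrete, here is an added Python example that is not part of the deck or of Dekho itself: it substitutes the user id into the `{0}` placeholder of ‘ldap.user.searchfilter’ with RFC 4515 escaping, and runs a few pre-flight checks in the spirit of the ‘Test Connection’ button. The setting values are constructed, and the search-base key name ‘ldap.user.searchbase’ is hypothetical because the slide leaves it blank.

```python
# Settings named on slides 18-19; the values are constructed for this example and
# the search-base key name is hypothetical (the slide leaves that key blank).
DEKHO_LDAP_SETTINGS = {
    "ldap.url": "ldaps://ldap.pisoftware.com:636",
    "ldap.principal": "jpradeep",
    "ldap.user.searchfilter": "uid={0}",
    "ldap.user.searchbase": "ou=People,dc=pisoftware,dc=com",   # hypothetical key name
}

# RFC 4515 escapes: the characters that would otherwise change the structure of a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value substituted into a search filter so it can only match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_search(settings: dict, username: str):
    """Fill {0} in ldap.user.searchfilter as a form login would; returns (search base, filter)."""
    template = settings["ldap.user.searchfilter"]
    if "{0}" not in template:
        raise ValueError("ldap.user.searchfilter must contain the {0} placeholder")
    return settings["ldap.user.searchbase"], template.replace("{0}", escape_filter_value(username))

def check_settings(settings: dict):
    """Offline checks before 'Test Connection'; returns a list of findings (empty means OK)."""
    findings = []
    url = settings.get("ldap.url", "")
    scheme = url.split("://", 1)[0].lower() if "://" in url else ""
    if scheme not in ("ldap", "ldaps"):
        findings.append("ldap.url must start with ldap:// or ldaps://")
    elif scheme == "ldap":
        # LDAP forms authentication forwards the user's password to the directory server
        findings.append("ldap.url uses plain ldap://; prefer ldaps:// (or StartTLS) so passwords are not sent in clear")
    for key in ("ldap.principal", "ldap.user.searchfilter", "ldap.user.searchbase"):
        if not settings.get(key):
            findings.append(f"{key} is not set")
    if "{0}" not in settings.get("ldap.user.searchfilter", ""):
        findings.append("ldap.user.searchfilter has no {0} placeholder for the user id")
    return findings
```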
  21. Demo
  22. Configuring ‘Pre-Authentication’
     • Dekho can be configured to work with an external authentication system or with container authentication via Tomcat.
     • The default implementation bundled with Dekho is for ‘Tomcat container managed authentication’.
     • External Security System: IBM WebSeal, OpenID, CAS etc.
     • Tomcat: Dekho Tomcat users and realms.
     • To set up pre-authentication with an external method a plug-in has to be created (unless using Tomcat container managed authentication). The ESRI Australia Professional Services team can assist with this.
  23. Authorisation methods in Dekho
  24. Authorisation methods
     • Dekho Roles: use the internal Dekho database for managing user roles.
     • LDAP Groups: use an LDAP directory for authorisation. In this case a user’s roles are the LDAP groups the user is assigned to.
  25. Configuring ‘LDAP’ authorisation
     • Select ‘LDAP Groups’ in the drop down for the authorisation setting.
     • All settings related to LDAP authentication will appear and need to be configured. These settings allow Dekho to connect to the LDAP server.
     • Two settings are specific to LDAP authorisation: one describes the LDAP attribute which represents the LDAP group name; the other is the ‘LDAP Group’ object property which describes its members.
  26. Demo – authorisation configuration
  27. References
     • Dekho Administrators Guide.doc#Authentication and Authorisation
     • Dekho Blog: explanation-of-authentication-and-authorisation-in-dekho
     • Dekho Blog: setting-up-authentication-and-authorisation-in-dekho
     • Kerberos ‘keytab’
  28. Dekho Security ‘under the hood’
  29. Dekho uses Spring Security
     • Provides industry standards and best practices.
     • Pluggable architecture supports plugging in popular security implementations.
     • Support for a wide variety of security implementations and deployments.
     • Easy to extend security (future integration of CAS/OpenID possible).
     • Easy to switch backend implementations of supported authentication schemes.
  30. Diagram: Dekho security. Client requests pass through Spring Security to one of the authentication providers (Dekho Form based, Dekho Anonymous, Spring WAFFLE NTLM, Kerberos, Spring LDAP, Dekho Pre-Authenticated) and then on to the Dekho application.
  31. Best practices when using security
  32. Best practices
     • Use ‘Anonymous’ authentication when:
        • You want to expose information to an intranet or public audience.
        • Be conscious that users will be treated as guests.
        • It’s the responsibility of the ‘Administrator’ to pick the maps/tools and set up useful queries for an anonymous user base.
        • It’s best to host a dedicated anonymous Dekho instance.
     • Use ‘Form based’ authentication when:
        • You don’t have an organisation-level LDAP directory (or Active Directory).
        • You have users that are not in your organisation’s LDAP directory.
     • Use ‘LDAP’ authentication when:
        • All Dekho users are from your organisation’s LDAP directory (or Active Directory) and any new users can be added to your organisation’s LDAP directory.
  33. Best practices contd.
     • Use ‘NTLM’ authentication when:
        • Your organisation uses ‘Windows NT authentication’.
        • All Dekho users will be local to your organisation and will exist in the ‘Active Directory’.
     • Use ‘Kerberos’ authentication when:
        • Your organisation uses a ‘Kerberos Domain Controller’ (KDC).
        • All Dekho users will be local to your organisation and will exist in the ‘Active Directory’.
     • Use ‘Pre-Authentication’ when:
        • Your organisation has already invested in an external authentication mechanism (IBM WebSeal, OpenID, CAS etc.).
  34. Best practices contd.
     • Use ‘Dekho Roles’ authorisation when:
        • Using ‘Dekho Roles’ as authentication.
        • You want a set of user groups which does not exist in your LDAP/Active Directory.
     • Use ‘LDAP Groups’ authorisation when:
        • Using ‘NTLM, LDAP, Kerberos’ as authentication.
        • You already have the users and groups defined in your LDAP system.
  35. Tips
     • When using ‘LDAP Groups’ as authorisation, versions prior to Dekho 3.2 required you to create a ‘Dekho_Administrators’ group. From Dekho 3.2 onwards, you can rename the ‘administrator role’ name in Dekho to be the same as an administrator LDAP group in your LDAP directory.
     • When you save ‘Security Settings’ in the Dekho admin screen after setting authentication/authorisation settings, Dekho automatically validates your settings and reports any issues. Using the ‘Test Connection’ button, you can execute this validation yourself before saving.
     • Some organisations may have complex LDAP schema setups which may not work with the standard Dekho setup, but Dekho can be customised to work with any type of setup. Talk to the Esri Australia Professional Services Team to find out how they can customise Dekho authentication/authorisation to work with your configuration.
  36. Product