WEB DEVELOPMENT        Securing Web Applications        with OpenAM        As software developers, we seek to design softw...
Securing Web Applications with OpenAMyears. This is due in large measure to its stateless design.    So where does that le...
WEB DEVELOPMENT     tity repository that already exists (i.e. Microsoft Active    Scale Applications Securely with     Dir...
Securing Web Applications with OpenAMusers, checking their authorization to make a certain         Take OpenAM for a Test ...
WEB DEVELOPMENT                                                                  Install Java                             ...
Securing Web Applications with OpenAMFigure 16. OpenAM REST Authentication ResponseFigure 17. OpenAM REST Validate Token R...
WEB DEVELOPMENT                                                             Extract it and move it into place using the fo...
Securing Web Applications with OpenAM  ConFigure OpenAM with OpenDJ as user store  http://devbox.apius.org:8080/openam wil...
WEB DEVELOPMENT     (Figure 16 - OpenAM REST Authentication Respon-              You should get back the following respons...
Securing Web Applications with OpenAM   You should be back out at the policy listing now. (Figu-   http://devbox.apius.org...
Upcoming SlideShare
Loading in …5

Securing web applications


Published on

Published in: Automotive, Technology
1 Comment
  • Great document.

    Our free service, LoginTC, also allows OpenAM administrators to easily add two factor authentication to existing authentication chains.

    Check it out here: https://www.logintc.com/docs/connectors/openam.html
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Securing web applications

  1. 1. WEB DEVELOPMENT Securing Web Applications with OpenAM As software developers, we seek to design software that gets people’s attention. Software that meets the needs of the user, performs well, and pleases the eye is sure to get users’ attention. The security model of an application, on the other hand, gets very little attention from the average user - that is until something goes wrong. One serious security breach could permanently blacklist an application or even a developer in the eyes of the users affected by that breach. You’ll learn: You should know: • How OpenAM can secure web applications and how to • Should have a clear understanding of how web appli- set up OpenAM in a development environment. cations work. • For the tutorial, some experience with Linux and the Li- nux command line will be helpful. G ood software design dictates that security be ta- ken into account throughout the requirements- -gathering process and the actual build. Unfortu- be scalable. For example, an application server may store nately, security considerations are often an afterthought session state for each user and expect the user to send in software design, again because developers are often a session cookie with each request. This is a very com- so focused on functionality, performance and looks that mon approach and honestly works well for most one-off security ends up taking a backseat. Even if you as a de- applications. But what happens when one of our applica- veloper give careful consideration to security in all your tions needs to connect (on behalf of the user) to some applications, you may end up “inheriting” an application service we’ve written. Let’s say the service runs on a se- with a weak security model. cond server and also requires authentication? The ses- sion cookie means nothing to that second server so will Authentication and Authorization we force the user to pass in credentials again? Or will Security in web applications is a very broad topic. Let’s the developer compromise and hard code some creden- narrow it down by talking about two major security con- tials in the application for making the call to the external siderations - authentication and authorization. Authen- service? tication is about verifying that the user is who they say Or what if the developer simply wants to distribute they are. For example I may enter my username and a large application across multiple servers for perfor- password to identify myself to an application. Depending mance but doesn’t want the user to have to log in more on the circumstances, I may have to answer some per- than once? Each of those servers would need to “know” sonal questions or I may be prompted to install a certifi- about the user’s session. cate in my web browser’s store. Once an application “knows” who the user is, it can HTTP Authentication move onto the authorization phase which is deciding Up until this point we have talked about users being pro- whether to fulfill or deny a particular request (i.e. to ac- visioned a session and that session being tracked by so- cess a resource, take a certain action, etc.) on behalf of me stateful server. But it should be noted that we could that particular user. For example, user “pmorris” may be build our web applications such that their servers could authorized to view resource “x” but may not be autho- be essentially stateless. In other words each request wo- rized to edit resource “x”. uld be made in isolation. In such a case the user would have to be authenticated and authorized for each and Will it scale? every request. Some may frown upon such a design but a In some cases a web application may handle authentica- stateless design is inherently scalable.Take a look at how tion and authorization very well but the solution may not well the World Wide Web has scaled over the past 2034 5/2011
  2. 2. Securing Web Applications with OpenAMyears. This is due in large measure to its stateless design. So where does that leave us then? Well we’re back toMost calls that happen over HTTP are in isolation altho- a stateful server maintaining sessions for all our usersugh it has to be admitted that most requests made over and we’re back to the problems with scalability that weHTTP do not need to be authenticated or authorized. mentioned earlier. HTTP as a protocol does include standards for authen-tication, namely Basic and Digest Authentication both of OpenAM as an Authentication andwhich allow for a stateless approach. So why don’t we see Authorization Solutionmore applications using Basic or Digest Authentication? Meet OpenAM. (You see? I didn’t forget the title of this ar-In the case of Basic authentication there are inherent se- ticle.) The “AM” stands for Access Management. OpenAMcurity weaknesses since credentials are passed over the is a child project of OpenSSO (“SSO” for single-sign-on),wire in clear text. Digest Authentication is very secure an open source product formerly sponsored by Sun Mi-however since it uses one-way hashing to obscure the crosystems, now by Oracle.When Oracle bought out Suncredentials such that it’s impossible to extract them. It al- they took back the latest release of OpenSSO (versionso includes policies for preventing the harvesting and re- 9.x) and now offer 8.x as the latest and greatest.A numberplaying of hashed credentials. So why don’t we see Digest of former Sun executives went on to head up a companyAuthentication more in web applications? Well for one called Forge Rock, which has taken version 9.x of OpenS-thing it is not trivial to learn and implement the standard. SO, named it OpenAM and started to maintain and buildBut the overriding reason is that frankly HTTP authen- on it (up to 9.5.x now), pledging to follow its original pro-tication is just “not there yet.” A lot of it seems to have ject roadmap from when it was under the oversight of Sun.to do with the inconsistent and incomplete manner that I see OpenAM as a solution for building security intoweb browsers have implemented the Digest Authentica- your distributed applications from the start, as well as ation standard. The details on that are beyond the scope way to secure that pre-existing, not-so-secure applica-of this article, (Did you notice I haven’t mentioned Ope- tion that you may have “inherited” as a hired developernAM once yet?) so I encourage you to read these two (since we know you would never build an unsecure ap-articles if you want to learn those details: plication yourself).http://www.artima.com/weblogs/viewpost.jsp?thre- Authenticating with OpenAMad=155252 and http://www.vsecurity.com/download/pa- So OpenAM can be our stateful server for provisioningpers/WeaningTheWebOffOfSessionCookies.pdf and tracking sessions for users. It can hook into an iden-Figure 1. OpenDJ Server Settings Figure 3. OpenDJ Directory DataFigure 2. OpenDJ Topology Options Figure 4. OpenDJ Runtime Optionsen.sdjournal.org 35
  3. 3. WEB DEVELOPMENT tity repository that already exists (i.e. Microsoft Active Scale Applications Securely with Directory) or you could set up its “sister” application, OpenAM OpenDJ (formerly OpenDS) as the user store. OpenDJ Let’s talk about why OpenAM scales so well. OpenAM is is an open source LDAP directory service also sponso- a Java-based application that runs within a servlet conta- red by Forge Rock. And apparently, at least some users iner (Apache Tomcat, Glassfish, JBoss, etc.). So OpenAM just use a plain old relational database as the identity is itself a web application but it is not your web applica- store. Using the identity repository to verify the identity tion. It partners with your web application. It has a sin- of each user, OpenAM provisions a session and can set gle responsibility: to keep other applications secure. To cookies that represent that session in the user’s browser. illustrate: large office buildings with offices that handle (I actually put together a proof of concept that elimina- very sensitive or secured resources often have a securi- tes the need for OpenAM to set cookies in the user’s ty team operating within the building. That team’s focus browser.) is to keep the building and everything in it secure. The other teams of people within the building don’t have to Authorizing with OpenAM focus so much on security since there is already a team OpenAM can be conFigured with fine-grained poli- dedicated to that purpose operating within the building. cies that dictate which identity subjects (users and/ The other teams are able to focus on what they do best or groups) have access to which resources and even (whatever that might be). which HTTP methods can be invoked by a particu- OpenAM as a framework operates as that security lar subject against a particular resource. So in other team in your infrastructure, keeping your applications words OpenAM can be conFigured to allow user secure so that your application code can focus more on “pmorris” to GET the resource at http://www.exam- things like functionality, usability and performance. ple.com/resource but not POST to that same resource OpenAM exposes services (SOAP or REST) that can (that same URL). be invoked from your applications for authenticating Figure 5. OpenAM General Figure 7. OpenAM Configuration Store Figure 6. OpenAM Server Settings Figure 8. OpenAM User Store36 5/2011
  4. 4. Securing Web Applications with OpenAMusers, checking their authorization to make a certain Take OpenAM for a Test Driverequest, and even interacting with your identity reposi- So if you’re like me you like getting your hands on atory to add users, to get the groups a user belongs to, technology so you can evaluate it yourself. Followingetc. For the proof of concept I spoke of earlier I set up is a step-by-step tutorial on how to set up OpenAMvery simple filters in front of a RESTful service to per- with OpenDJ as a user repository. All the prerequi-form authentication and authorization before allowing sites for our tutorial, from the OS (Ubuntu 10.04), toaccess to the service itself. Can you see how such an the servlet container (Apache Tomcat 7.0), to the twoapproach can scale to practically any size? As long as applications themselves, they’re all open source (i.e.you have the session token representing the session, free!) so you’ve got no reason not to jump right in!you can call OpenAM’s services from anywhere (even Let’s get started.outside your own domain) to authenticate and autho-rize a request. Set up Ubuntu The OpenAM framework not only includes the central Download Ubuntu 10.04 LTS from http://releases.ubuntu.application itself but also a family of policy agents that com/lucid/ubuntu-10.04.2-desktop-i386.isocan be deployed to remote application servers or web If you’re setting up Ubuntu as a virtual machine beservers to “police” said servers and all the applications sure and up the RAM to at least 1024MB.running on them.There are policy agents for J2EE servlet Walk through the installation processcontainers, and web servers (i.e. Apache and IIS). A policy normally.agent is like a remote “security officer” that intercepts Once logged in go to System -> Administration -> Usersall requests coming in to the server (J2EE container, web and Groups and change the user you created to an Ad-server) and consults with the “chief security officer”, the ministrator.OpenAM application itself, to determine if the requestshould be fulfilled or denied. Figure 11. OpenAM SubjectsFigure 9. OpenAM Site ConfigurationFigure 10. OpenAM Agent Information Figure 12. OpenDJ Control Panelen.sdjournal.org 37
  5. 5. WEB DEVELOPMENT Install Java While an OpenJDK package is available out-of the-box with 10.04, the Sun JDK is not, and that’s the one we want. So open a terminal window and run the following commands first: sudo add-apt-repository „deb http://archive. canonical.com/ lucid partner” sudo apt-get update Then install the Sun JDK: sudo apt-get install sun-java6-jdk Install Tomcat We need a fully qualified domain name (FQDN) when we install OpenAM (i.e. localhost will not work for con- figuration) so we need to add an entry to the hosts file. Run the following command to edit the file: Figure 13. OpenDJ Manage Entries sudo nano /etc/hosts I added this line: devbox.apius.org Be sure and exit (Command + x on the Mac), and save changes on the way out (“y” followed by Enter) Download Apache Tomcat 7 by running wget with a current link address as in: wget http://apache.ziply.com/tomcat/tomcat-7/v7.0.12/ bin/apache-tomcat-7.0.12.tar.gz Untar it with this command: tar xzvf apache-tomcat-7.0.12.tar.gz Figure 14. OpenDJ New User If running on VMware Fusion follow this documenta- I decided to move it to a more standardized folder lo- tion to install VMware Tools: https://help.ubuntu.com/com- cation with: munity/VMware/Tools Reboot. mv apache-tomcat-7.0.12 /usr/local/tomcat7 Figure 15. OpenAM New User38 5/2011
  6. 6. Securing Web Applications with OpenAMFigure 16. OpenAM REST Authentication ResponseFigure 17. OpenAM REST Validate Token ResponseWe need to set a couple of environment variables to Install OpenAMensure the Tomcat 7 instance uses the Sun JDK and Download OpenAM 9.5.2.The 9.5.x releases take advan-that OpenAM will have sufficient memory to install tage of Java EE 6.and run. Run the following command:sudo nano /usr/local/tomcat7/bin/setenv.shAnd add these two lines:JAVA_HOME=/usr/lib/jvm/java-6-sunexport CATALINA_OPTS=“$CATALINA_OPTS -Xms128m -Xmx1024m -XX:MaxPermSize=256m”Next run:sudo nano /usr/local/tomcat7/conf/tomcat-users.xmlI added what is in listing 1 so as to access the Tomcatmanagement console. Start Apache Tomcat with:/usr/local/tomcat7/bin/startup.sh Figure 18. OpenAM Identity Subject 1en.sdjournal.org 39
  7. 7. WEB DEVELOPMENT Extract it and move it into place using the following two commands: unzip OpenDJ-2.4.1.zip sudo mv OpenDJ-2.4.1 /usr/local/opendj These commands should be run in order to conFigure the installation and open the GUI interface for final con- figuration settings. sudo /usr/local/opendj/bin/create-rc-script --outputFile /etc/init.d/opendj sudo update-rc.d opendj defaults /etc/init.d/opendj start cd /usr/local/opendj/ ./setup Figure 19. OpenAM Identity Subject 2 wget http://www.forgerock.org/downloads/openam/ ConFigure OpenDJ snapshot9.5/openam_s952.war Choose a password for the Directory Manager (admin) account. (Figure 1 – OpenDJ Server Settings) Moving the war to the webapps folder of the Tomcat Select stand alone. (Figure 2 – OpenDJ Topology installation will deploy it. Options) Just create a base DN using whatever domain you pre- sudo mv openam_s952.war usr/local/tomcat7/webapps/ fer. (Figure 3 – OpenDJ Directory Data) openam.war Keep the defaults. (Figure 4 – OpenDJ Runtime Options) Install OpenDJ Review the configuration settings and hit “Finish”. Once Now download OpenDJ using: the installation is complete go ahead and launch the Con- trol Panel and log in to “Local Server” using the Directory wget http://www.forgerock.org/downloads/opendj/2.4.1/ Manager password you entered during setup. Go ahead and OpenDJ-2.4.1.zip minimize the Control Panel and let’s conFigure OpenAM. Figure 20. OpenAM URL Policy 140 5/2011
  8. 8. Securing Web Applications with OpenAM ConFigure OpenAM with OpenDJ as user store http://devbox.apius.org:8080/openam will open the web Listing 1. Tomcat configurationconfigurator. <role rolename=”manager-gui”/> Enter a password of at least 8 characters. (Figure 5 – <role rolename=”manager-script”/>OpenAM General) <role rolename=”manager-jmx”/> Note the following use of that FQDN we added to our <role rolename=”manager-status”/>hosts file earlier. (Figure 6 – OpenAM Server Settings) <user username=”admin” password=”admin” We’ll use OpenAM’s embedded optimized OpenDS roles=”manager-gui,manager-application to store configuration settings. (Figure 7 – script,manager-jmx,manager-OpenAM Configuration Store status”/> Select OpenDS (the predecessor of OpenDJ) as theuser store and make sure the Directory Name is cor- /usr/local/opendj/bin/control-panelrect. It should automatically grab the first host name thatthe loopback address ( resolves to. Enter the (Figure 12 – OpenDJ Control Panel)Directory Manager’s password that you set at installa- Select “Manage Entries” from the left menu.tion. (Figure 8 – OpenAM User Store) Right click on “people” and select “New User”. (Figure This is a development environment so we won’t worry 13 – OpenDJ Manage Entries)about load balancing. (Figure 9 – OpenAM Site Configu- Be sure and change the “Naming Attribute” to “uid”.ration) Click OK and look for the Entry Created message. (Figu- Choose another password 8 characters or longer. (Fi- re 14 – OpenDJ New User)gure 10 – OpenAM Agent Information) Now go back to the OpenAM console and refresh the In the final screen, verify your configuration and press page. You should see the new user you created in thethe Create Configuration button. OpenDJ repository. (Figure 15 – OpenAM New User) Test OpenAM Authentication ServiceAdd User Let’s run a quick and simple test using the REST au-Log in to OpenAM using amadmin as a username and the thentication service in OpenAM to create a session. En-password you entered in Step 1 of the setup. ter the following into your web browser’s address bar. We’re going to test the authentication interface using Adjust the URL and the parameter values based on yourOpenAM’s REST services but first we’ll create a user ac- settings:count. A user account can be created using one of theREST services or from the OpenAM console itself but http://devbox.apius.org:8080/openam/identity/authenticate?to illustrate the relationship between OpenAM and the username=pmorris&password=pmorrispmorrisunderlying user data store, OpenDJ, we’ll add the userfrom the OpenDJ control panel. This action requests OpenAM to create a session “Access Control” tab. -> “(Top Level Realm)” -> “Sub- for the specified user and once created a token re-jects” tab. I see two users, namely “amadmin” and “ano- presenting that session is passed back to the caller.nymous”. (Figure 11 – OpenAM Subjects) Again, we could add a new user from here but let’s doit from OpenDJ. If the Control Panel is still minimized go ahead and pullit up if it’s not running, run this command:Figure 21. OpenAM URL Policy 2 Figure 22. OpenAM URL Policy 3en.sdjournal.org 41
  9. 9. WEB DEVELOPMENT (Figure 16 - OpenAM REST Authentication Respon- You should get back the following response. (Figure 17 se) - OpenAM REST Validate Token Response) One note though: What I did above I did only to expedite the tutorial. In reality this is a poor prac- Test OpenAM Authorization Service tice. Why? Since I used a browser’s address bar to Now let’s create a URL policy and test out the authori- make this call we know that the HTTP method was zation feature. Go to the “Access Control” tab. -> “(Top a GET. Obviously this will work but in a real world Level Realm)” -> “Policies” tab. Click on “New Policy”. implementation it’s a bad idea. For one thing, with a I’m calling mine “Hello World Policy”. We need to assign GET request the password parameter value will be this policy to the user we created so scroll down and written to server logs and for another this practice click on “New” in the “Subjects” section. breaks RESTful constraints. HTTP as a standard sta- Let’s make this a specific subject, not just any authen- tes that GET should have no side effects. Creating ticated user. Click “Next”. (Figure 18 - OpenAM Identity a session is definitely a side effect (a desirable side Subject) effect but a side effect nonetheless). So in produc- Next, we’ll give the Identity Subject a name and in tion it’s best practice to always coerce this call to our case search for our user using the “User” filter and a POST. “Add” the user (in my case “pmorris”) to the Identity Now let’s test the authentication service using the Subject and click “Finish” and “OK” in the next screen. token value as a parameter. Copy the token value from (Figure 19 - OpenAM Identity Subject 2) the response page and paste it into another call like Keep in mind that we would probably not do this in so: real life – that is assign a single user to an Identity Sub- ject. More likely we would create a group, add pmorris http://devbox.apius.org:8080/openam/identity/isTokenValid- to that group and then add the group to the Identity ?token=AQIC5wM2LY4SfcxmYwlY5mX1vtaiGhw8cJd8TGJY Subject. But again, to expedite the tutorial we’ll do it Hv6ar4M.*AAJTSQACMDE.* this way. Figure 23. OpenAM REST Authorization Response42 5/2011
  10. 10. Securing Web Applications with OpenAM You should be back out at the policy listing now. (Figu- http://devbox.apius.org:8080/openam/identity/authori-re 20 - OpenAM URL Policy 1) ze?uri=hello-world&action=POST&subjectid=AQIC5wM2LY Under “Rules” click on “New” and make sure the set- 4SfcwUIYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACM-ting is “URL Policy Agent”. Then click “Next”. (Figure 21 DE.*- OpenAM URL Policy 2) Name the new URL Policy Agent and assign it to a I won’t add another screen shot because the only chan-particular URL. In our case “hello-world”. Don’t worry if ge you see is that the response now reads “boole-that resource doesn’t actually exist on the server. Note an=false”, which is precisely what we expect based onthat I am allowing the Hello World Identity Subject to the URL Policy Agent we conFigured earlier.GET the resource but not POST to it. Click “Finish”. NOTE: By default, the OpenAM allows for control Conclusionover GET and POST actions on resources, but does not OenAM is a mature application and, as such, feature-rich.offer options for the other HTTP methods like PUT There’s full support for OAuth, which is widely used inand DELETE. Thanks to the http://blogs.sun.com/docte- social networking sites. Identity federation is also an im-ger/entry/enabling_put_and_delete_actions I was able to portant part of OpenAM services. Federation refers tofind and successfully modify the two files that provide storing an identity across multiple identity management sys-the options for this configuration view within the Ope- tems or multiple organizations so that disparate systemsnAM console, namely amWebAgent.xml and amWebA- can establish a circle of trust for authenticating a user. Ingent.properties. Both are found under /WEB-INF/clas- other words, if I log in at Company X’s web applicationses of the OpenAM web application that we’re going to ad am redirected to Company Y’s web application, Com-deploy. For each method you wish to add, simply create pany Y considers me authenticated to their application ba-the desired AttributeSchema elements in the XML file sed on the trust relationship between the two systems. Awith their nested tags and add the name-value pairs to framework for logging and monitoring is included to sa-the properties file. It’s simply a matter of repeating the tisfy stringent auditing requirements in some enterprises.pattern of the GET and POST actions that are already As already mentioned for many small, one-off applicationsaccounted for in each the files. (Figure 22 - OpenAM OpenAM would probably be overkill. But it’s a viable candi-URL Policy 3) date for distributed architectures and use cases of dispara- We’ve now told OpenAM that this policy with its rule te applications needing to interface with one another andapplies to the indicated Identity Subject. share a common authentication and authorization scheme. Let’s get a fresh session token now. Once again follow OpenAM is open source so the only up-front commit-the pattern below and copy the response token value to ment to adoption is time to get over the learning curve. Iyour clipboard: hope this article and the accompanying tutorial have given you a boost if you are interested in learning this technolo-http://devbox.apius.org:8080/openam/identity/authenticate? gy.Although OpenAM and OpenDJ are open source, Forgeusername=pmorris&password=pmorrispmorris Rock offers support for everything from proof of concept engagements to robust 24 hours a day by 7 days a week byLet’s use the authorization service to check for access 2 hour response time support contracts.rights. Enter a URL following the pattern below aga- If you think OpenAM might end up in your toolbox, checkin adjusting the path and parameters to your configu- out these additional resources for learning.ration: https://www.packtpub.com/glassish-security-with-java-ee/book Glassfish Security by Masou Kalali – Chapter 7, http://blogs.http://devbox.apius.org:8080/openam/identity/authorize?uri- sun.com/doceger Doc Teger’s blog, https://wikis.forgerockorg/=hello-world&action=GET&subjectid=AQIC5wM2LY4SfcwU confluence/display/openam/OpenAM+Documentation ForgeIYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACMDE.* Rck’s site, https://www.packtpub.com/openam-snaphot-9-for- securing-your-web-applications/book New book abou Ope-The “uri” parameter is the resource for which we are nAMchecking user authorization, the “action” is the HTTPmethod, and the “subjectid” is the token value repre- PAUL MORRISsenting pmorris’s active session. We set the policy to Paul is a Java and ActionScript developer inallow pmorris to GET this resource so we expect a the Chicago area. He colaborates with a di-“true” response when we inquire regarding authori- stributed team of developers in the Unitedzation. (Figure 23 - OpenAM REST Authorization Re- States and Canada.sponse) Contact to the author (paul@quietbus.com, Now let’s try this same request but change the “ac- http://paulmorris.drupalgardens.com/)tion” parameter to POST as in:en.sdjournal.org 43