
Java EE Application Security With PicketLink


In this presentation we take a look at PicketLink, a security framework for Java EE, and learn how its identity management, authentication and authorization features can be used to address the security requirements of all aspects of application development.



1. Java EE Application Security With PicketLink
   Pedro Igor

2. What is PicketLink?
   ● Umbrella project for security-related projects
   ● Open and security standards
   ● Each project focuses on a specific security aspect
     – Federation
     – Application Security
     – Security as a Service (SecaaS)
   ● Toolbox for application security
   ● Apache License v2

3. About PicketLink
   ● Java EE security alternative for authentication and authorization
   ● First-class support for CDI
   ● Identity Management API
   ● Web and REST security / Servlet API integration
   ● JWT and JOSE token support
   ● Social authentication
   ● Federation protocols: SAML v1 and v2, OAuth, OpenID and WS-Trust STS
   ● Security for cloud-based applications
   ● Plenty of example applications (quickstarts)

4. Reduce Design Flaws
   ● Covers the most common security concepts in a simple, easy-to-use API
     – How to represent identities? Users, roles, groups, applications, etc.
     – How to authenticate and authorize?
     – How to protect my application resources? Beans, pages, servlets, REST endpoints, etc.
     – How to consume and produce security tokens?
     – How to enable Single Sign-On across different applications?
   ● Focus on flexibility for specific security requirements

5. Agenda
   ● Authentication
   ● HTTP Security
   ● Identity Management (LDAP, DB)
   ● Authorization
   ● BYO Security
6. Configuration
   ● Configure the PicketLink BOM (Bill of Materials) and dependencies
   ● Listen to an event to configure behavior:

       public void onInit(@Observes SecurityConfigurationEvent event) {
           SecurityConfigurationBuilder builder = event.getBuilder();

           builder
               .identity()  // the identity bean options
               .idmConfig() // identity management options
               .http();     // http and web security options
       }
7. Authentication
   ● Single method invocation

       credentials.setCredential(anyCredentialType);
       identity.login();

       if (identity.isLoggedIn()) {
           // user is now authenticated
       }

       identity.logout();

   ● Useful events are fired during authentication

8. Authentication Flow
   (diagram of the authentication flow; not reproduced in the transcript)
9. Identity Bean
   ● CDI bean representing the authenticated user and acting as the central point for authentication, logout and permission checks

       private @Inject Identity identity;

   ● Authentication scope defaults to session scope, but you can change it:

       builder.identity().scope(RequestScoped.class)

   ● A stateless Identity can be used with REST to consume security tokens
   ● It may be exposed as a service
     – Expose through Servlet, JAX-RS, JAX-WS, EJB ...

10. Authenticator
   ● A CDI bean that understands one or more credential types and how to perform authentication
   ● By default, PicketLink uses an IdmAuthenticator
     – Fully integrated with PicketLink IDM
   ● Write your own
   ● You can choose between different authenticators at runtime
11. Authenticator Example

       import javax.enterprise.context.RequestScoped;
       import javax.inject.Inject;

       import org.picketlink.annotations.PicketLink;
       import org.picketlink.authentication.BaseAuthenticator;
       import org.picketlink.credential.DefaultLoginCredentials;

       @RequestScoped
       @PicketLink
       public class CustomAuthenticator extends BaseAuthenticator {

           @Inject
           private DefaultLoginCredentials credentials;

           @Override
           public void authenticate() {
               // validCredentials() and loadAccount() are application-specific
               if (validCredentials()) {
                   setStatus(AuthenticationStatus.SUCCESS);
                   setAccount(loadAccount());
               }
           }
       }
12. Credentials
   ● Provides what you need to verify user authenticity
   ● Usually defines which authentication mechanism is going to be used
   ● Built-in credential types
     – Username/Password, TOTP, DIGEST, X509, TOKEN
   ● Token-based credentials can be used to
     – Produce and consume your own tokens
     – Consume tokens from 3rd-party Identity Providers, e.g. SAML, OpenID, CAS
   ● You can always write your own credential types. Just remember to also provide the corresponding Authenticator.
13. Credential Example

       public class UsernamePasswordCredentials extends AbstractBaseCredentials {

           private String userName;
           private String password;

           // getters and setters
       }
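A fuller version of the custom authenticator from slides 11 and 13, added here as an example (it is not code from the slides or from the PicketLink project): it validates the injected DefaultLoginCredentials against the configured identity store through IdentityManager.validateCredentials and fails closed when the credential is missing or not VALID. The class names are PicketLink's; IdmBackedAuthenticator is an assumed name for this bean.

```java
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;

import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;

// Assumed bean name; @PicketLink makes it the authenticator PicketLink picks.
@RequestScoped
@PicketLink
public class IdmBackedAuthenticator extends BaseAuthenticator {

    @Inject
    private DefaultLoginCredentials credentials;

    @Inject
    private IdentityManager identityManager;

    @Override
    public void authenticate() {
        // Fail closed: no user id or no password means no authentication attempt.
        if (credentials.getUserId() == null || credentials.getPassword() == null) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        // Wrap the submitted values in the IDM credential type that the
        // configured identity store (JPA, LDAP, ...) knows how to validate.
        UsernamePasswordCredentials idmCredentials = new UsernamePasswordCredentials(
                credentials.getUserId(), new Password(credentials.getPassword()));

        identityManager.validateCredentials(idmCredentials);

        if (idmCredentials.getStatus() == Credentials.Status.VALID) {
            setStatus(AuthenticationStatus.SUCCESS);
            // The store tells us which account the credential belongs to.
            setAccount(idmCredentials.getValidatedAccount());
        } else {
            // Every non-VALID status (invalid, expired, disabled account) is
            // reported to the caller as the same generic failure.
            setStatus(AuthenticationStatus.FAILURE);
        }
    }
}
```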
14. HTTP Security
   ● Useful for web and RESTful applications
   ● Path-based protection
     – Authentication
     – Authorization
   ● URL rewriting
     – /demo-app/#{identity.account.id}
   ● Authentication schemes
     – FORM, DIGEST, BASIC, CLIENT-CERT, TOKEN
     – Write your own

       builder.http()
           .allPaths()
               .authenticateWith()
                   .form()
               .authorizeWith()
                   .role("Administrator")
           .forPath("/logout")
               .logout();
15. Multiple Authentication Paths
   ● Authenticate based on a specific path configuration

       builder.http()
           .forPath("/webpages/*")
               .authenticateWith()
                   .form()
           .forPath("/rest/*")
               .withHeaders()
                   .requestedWith("XMLHttpRequest")
               .authenticateWith()
                   .token()
                       .realmName("Ajax Requests Realm");
16. Path Groups
   ● Common policies may be enforced on different paths

       String adminPathGroup = "Admin Resources";

       builder.http()
           .forGroup(adminPathGroup)
               .authenticateWith()
                   .form()
               .authorizeWith()
                   .group("Administrators")
           .forPath("/admin/*", adminPathGroup);
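The configuration pieces from slides 6, 14, 15 and 16 combined into one SecurityConfigurationEvent observer, added here as an example rather than taken from the slides or the PicketLink quickstarts. The fluent calls loginPage, errorPage, unprotected and redirectTo, and all page paths, are assumptions beyond what the slides show; the rest of the chain is the one the slides use.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

@ApplicationScoped
public class HttpSecurityConfiguration {

    // Path group shared by every administrative URL (slide 16).
    private static final String ADMIN_GROUP = "Admin Resources";

    public void configure(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                // Deny by default: every path requires FORM authentication
                // unless a more specific rule below says otherwise.
                .allPaths()
                    .authenticateWith()
                        .form()
                            .loginPage("/login.html")        // assumed page
                            .errorPage("/login-error.html")  // assumed page
                // Static, public content needs no credentials at all.
                .forPath("/public/*")
                    .unprotected()
                // Same-origin AJAX calls present a token instead of a form (slide 15).
                .forPath("/rest/*")
                    .withHeaders()
                        .requestedWith("XMLHttpRequest")
                    .authenticateWith()
                        .token()
                            .realmName("Ajax Requests Realm")
                // One policy for the whole admin area: form login plus group check.
                .forGroup(ADMIN_GROUP)
                    .authenticateWith()
                        .form()
                    .authorizeWith()
                        .group("Administrators")
                .forPath("/admin/*", ADMIN_GROUP)
                .forPath("/reports/*", ADMIN_GROUP)
                // Logout is itself a protected path (slide 14).
                .forPath("/logout")
                    .logout()
                    .redirectTo("/login.html");
    }
}
```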
17. PicketLink Identity Management API
   ● What is it?
     – Build your own security model
     – Identity and Access Management API
     – Built-in identity stores:
       ● LDAP, relational database, filesystem, token, mixed
       ● Write your own
     – Multi-tenancy
     – Flexible identity model

18. Identity Model Example
   ● Custom Identity Model Guide
     – http://picketlink.org/gettingstarted/custom_idm_model/
   ● Common requirements for SaaS
     – Realm
     – User
     – Application
     – Global and application roles
     – Global and application groups

19. Basic Identity Model
   ● Out-of-the-box implementation for very simple use cases
   ● You are not forced to use it
   ● Helps you to quickly evaluate PicketLink features
   ● In real-world use cases, you would prefer writing your own identity model
20. Example Code

       private @Inject IdentityManager identityManager;
       private @Inject RelationshipManager relationshipManager;

       public void addUser(String userName, String password) {
           User john = new User(userName);

           // add user
           identityManager.add(john);

           Password credential = new Password(password);

           // update credential
           identityManager.updateCredential(john, credential);
       }

       public void addRole(String roleName) {
           Role manager = new Role(roleName);

           // add role
           identityManager.add(manager);
       }

       public void grantRole(User assignee, Role role) {
           Grant grant = new Grant(assignee, role);

           // create relationship, granting role to user
           relationshipManager.add(grant);
       }
21. Authorization
   ● Annotation-based authorization
     – @LoggedIn
     – @RolesAllowed
     – @GroupsAllowed
     – @PartitionsAllowed
     – @RequiresPermission
     – @Restrict
     – Write your own
   ● Programmatic authorization
     – Using the PicketLink IDM Query API

       RelationshipQuery<Grant> query = relationshipManager.createRelationshipQuery(Grant.class);

       query.setParameter(Grant.ASSIGNEE, assignee);
       query.setParameter(Grant.ROLE, role);

       boolean hasRole = !query.getResultList().isEmpty();
22. Permissioning
   ● Privileges for application resources
     – Assignee is allowed to perform an operation on a resource
   ● Provided by PicketLink IDM
     – John has permission to read file.txt
     – John has permission on classes of a type
     – John has permission on a JPA entity with a given identifier
   ● Identity bean methods for permission checks
     – boolean hasPermission(Object resource, String operation);
     – boolean hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
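A resource-level permission check built on the Identity bean methods from slide 22, added here as an example and not from the slides or the PicketLink project. It assumes PicketLink's PermissionManager is CDI-injectable for granting the permission; ReportService and the Report entity are constructed names for this example.

```java
import java.io.Serializable;

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;

import org.picketlink.Identity;
import org.picketlink.idm.PermissionManager;
import org.picketlink.idm.model.basic.User;

@RequestScoped
public class ReportService {

    // Constructed JPA-style entity standing in for any identifiable resource.
    public static class Report {
        private final Serializable id;
        public Report(Serializable id) { this.id = id; }
        public Serializable getId() { return id; }
    }

    @Inject
    private Identity identity;

    @Inject
    private PermissionManager permissionManager; // assumed injectable

    // Grant "read" on one specific report (class + identifier) to a user; in a
    // real application this would sit behind an admin-only, role-checked bean.
    public void shareReport(User assignee, Serializable reportId) {
        permissionManager.grantPermission(assignee, Report.class, reportId, "read");
    }

    public Report readReport(Serializable reportId) {
        // Deny by default: the caller must be authenticated and hold an explicit
        // "read" grant on exactly this identifier; no grant means false.
        if (!identity.isLoggedIn()
                || !identity.hasPermission(Report.class, reportId, "read")) {
            throw new SecurityException("read on report " + reportId + " denied");
        }
        return loadReport(reportId);
    }

    private Report loadReport(Serializable reportId) {
        // Placeholder for the JPA lookup; only reached after the check above.
        return new Report(reportId);
    }
}
```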
23. PicketLink Forge Addon
   ● Useful to quickly configure a project with PicketLink
   ● Configures a JPA identity store
     – Generates entities from your identity types
   ● Authentication
     – Choose a method
   ● Project templates
     – Have an idea? Help us!

       $ picketlink-setup --version 2.7.0.Beta2
       $ picketlink-setup --feature idm
       $ picketlink-setup --feature http
       $ picketlink-setup --feature idm --generateEntitiesFromIdentityModel
24. PicketLink Quickstarts
   ● Over 30 example applications
   ● Useful to get started and understand most PicketLink features
   ● Clone, import into your IDE, check out a tag and deploy

       git clone git@github.com:jboss-developer/jboss-picketlink-quickstarts.git
       git checkout v2.7.0.CR1
       mvn clean package jboss-as:deploy

     or

       mvn -Pwildfly clean package wildfly:deploy
25. Thank You!
   ● Visit our site at http://picketlink.org
     – You can find useful guides
     – Access to documentation
   ● GitHub
     – https://github.com/picketlink/
   ● Join us on the #picketlink IRC channel on Freenode
   ● Social
     – @picketlink
     – Google+ PicketLink Community

26. Creating a Simple Application
   ● Using the PicketLink Forge Addon
     – FORM-based authentication
     – RBAC
     – Protect application resources
     – User and role management
   ● Simple application to focus only on the security bits
