Java EE Application Security With PicketLink
Pedro Igor
In this presentation we will take a look at PicketLink, a security framework for Java EE and learn how its identity management, authentication and authorization features can be used to address the security requirements for all aspects of application development.
What is PicketLink?
● Umbrella project for security related projects
● Open and Security Standards
● Each project with focus on a specific security aspect
  – Federation
  – Application Security
  – Security As a Service (SecaaS)
● Toolbox for Application Security
● Apache License v2
About PicketLink
● Java EE Security Alternative for Authentication and Authorization
● First class support for CDI
● Identity Management API
● Web and REST Security / Servlet API Integration
● JWT and JOSE Token Support
● Social Authentication
● Federation Protocols: SAML v1 and v2, OAuth, OpenID and WS-Trust STS
● Security for Cloud-based Applications
● Plenty of example applications (quickstarts)
Reduce Design Flaws
● Covers the most common security concepts in a simple and easy to use API
  – How to represent identities? Users, roles, groups, applications, etc.
  – How to authenticate and authorize?
  – How to protect my application resources? Beans, pages, servlets, REST endpoints, etc.
  – How to consume and produce security tokens?
  – How to enable Single Sign-On across different applications?
● Focus on flexibility for specific security requirements
Agenda
● Authentication
● Http Security
● Identity Management (LDAP, DB)
● Authorization
● BYO Security
Configuration
● Configure PicketLink BOM (Bill of Materials) and dependencies
● Listen to an event to configure behavior:

    public void onInit(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();
        builder
            .identity()   // the identity bean options
            .idmConfig()  // identity management options
            .http();      // http and web security options
    }
Authentication
● Single method invocation

    credentials.setCredential(anyCredentialType);
    identity.login();
    if (identity.isLoggedIn()) {
        // user is now authenticated
    }
    identity.logout();

● Useful events are fired during the authentication
Authentication Flow
(diagram)
Identity Bean
● CDI Bean representing the authenticated user and acting as a central point for authentication, logout and permissioning

    private @Inject Identity identity;

● Authentication Scope. Defaults to Session Scope, but you can change that:

    builder.identity().scope(RequestScoped.class)

● Stateless can be used with REST to consume security tokens
● It may be exposed as a service
  – Expose through Servlet, JAX-RS, JAX-WS, EJB ...
Authenticator
● A CDI bean that understands one or more credential types and how to perform authentication
● By default, PicketLink uses an IdmAuthenticator
  – Fully integrated with PicketLink IDM
● Write your own
● You can choose between different authenticators at runtime
Authenticator Example

    @RequestScoped
    @PicketLink
    public class CustomAuthenticator extends BaseAuthenticator {

        @Inject
        private DefaultLoginCredentials credentials;

        @Override
        public void authenticate() {
            if (validCredentials()) {
                setStatus(AuthenticationStatus.SUCCESS);
                setAccount(loadAccount());
            }
        }
    }
Credentials
● Provides what you need to verify user authenticity
● Usually it defines which authentication mechanism is going to be used
● Built-in credential types
  – Username/Password, TOTP, DIGEST, X509, TOKEN
● Token-based Credentials can be used to
  – Produce and consume your own tokens
  – Consume tokens from 3rd party Identity Providers, e.g. SAML, OpenID, CAS
● You can always write your own credential types. Just remember to also provide the corresponding Authenticator.
Credential Example

    public class UsernamePasswordCredentials extends AbstractBaseCredentials {
        private String userName;
        private String password;

        // getters and setters
    }
Http Security
● Useful for Web and RESTful applications
● Path-based protection
  – Authentication
  – Authorization
● URL Rewriting
  – /demo-app/#{identity.account.id}
● Authentication Schemes
  – FORM, DIGEST, BASIC, CLIENT-CERT, TOKEN
  – Write Your Own

    builder.http()
        .allPaths()
            .authenticateWith()
                .form()
            .authorizeWith()
                .role("Administrator")
        .forPath("/logout")
            .logout();
Multiple Authentication Paths
● Authenticate based on a specific path configuration

    builder.http()
        .forPath("/webpages/*")
            .authenticateWith()
                .form()
        .forPath("/rest/*")
            .withHeaders()
                .requestedWith("XMLHttpRequest")
            .authenticateWith()
                .token()
                    .realmName("Ajax Requests Realm");
Path Groups
● Common policies may be enforced on different paths

    String adminPathGroup = "Admin Resources";

    builder.http()
        .forGroup(adminPathGroup)
            .authenticateWith()
                .form()
            .authorizeWith()
                .group("Administrators")
        .forPath("/admin/*", adminPathGroup);
PicketLink Identity Management API
● What is it?
  – Build Your Own Security Model
  – Identity and Access Management API
  – Built-In Identity Stores:
    ● LDAP, Relational Database, Filesystem, Token, Mixed
    ● Write Your Own
  – Multi-tenancy
  – Flexible Identity Model
Identity Model Example
● Custom Identity Model Guide
  – http://picketlink.org/gettingstarted/custom_idm_model/
● Common requirements for SaaS
  – Realm
  – User
  – Application
  – Global and Application Roles
  – Global and Application Groups
Basic Identity Model
● Out-of-the-box implementation for very simple use cases
● You are not forced to use it
● Helps you quickly evaluate PicketLink features
● In real world use cases, you would prefer writing your own Identity Model
Example Code

    private @Inject IdentityManager identityManager;
    private @Inject RelationshipManager relationshipManager;

    public void addUser(String userName, String password) {
        User john = new User(userName);

        // add user
        identityManager.add(john);

        // the credential object needs its own name so it does not shadow the parameter
        Password credential = new Password(password);

        // update credential
        identityManager.updateCredential(john, credential);
    }

    public void addRole(String roleName) {
        Role manager = new Role(roleName);

        // add role
        identityManager.add(manager);
    }

    public void grantRole(User assignee, Role role) {
        Grant grant = new Grant(assignee, role);

        // create relationship, granting role to user
        relationshipManager.add(grant);
    }
Authorization
● Annotation-based Authorization
  – @LoggedIn
  – @RolesAllowed
  – @GroupsAllowed
  – @PartitionsAllowed
  – @RequiresPermission
  – @Restrict
  – Write Your Own
● Programmatic Authorization
  – Using PicketLink IDM Query API

    RelationshipQuery<Grant> query =
        relationshipManager.createRelationshipQuery(Grant.class);

    query.setParameter(Grant.ASSIGNEE, assignee);
    query.setParameter(Grant.ROLE, role);   // Grant's own ROLE parameter, not GroupRole's

    boolean hasRole = !query.getResultList().isEmpty();
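The slide lists the annotations but does not show them in use. The following is an added example, not from the slides or the PicketLink project, of the same role check expressed both declaratively and programmatically on one bean; the class ReportService and its methods are made up, it assumes the Basic Identity Model (User, Role, Grant) and a PicketLink security interceptor enabled as in the quickstarts, and it uses PicketLink's own @RolesAllowed from org.picketlink.authorization.annotations rather than the javax.annotation.security one of the same name.

```java
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;

import org.picketlink.Identity;
import org.picketlink.authorization.annotations.LoggedIn;
import org.picketlink.authorization.annotations.RolesAllowed;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.Account;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Role;

// Added example (not from the slides). Bean and method names are hypothetical.
@RequestScoped
public class ReportService {

    @Inject private Identity identity;
    @Inject private IdentityManager identityManager;
    @Inject private RelationshipManager relationshipManager;

    // Declarative: PicketLink's interceptor denies callers without the role
    // before the method body runs, so the privileged code never sees them.
    @RolesAllowed("Administrator")
    public void purgeReports() {
        // privileged work
    }

    // Declarative: any authenticated account may read.
    @LoggedIn
    public String readReport(String reportId) {
        return "report " + reportId;
    }

    // Programmatic: the BasicModel helper runs the same RelationshipQuery<Grant>
    // shown on the slide (ASSIGNEE = current account, ROLE = role).
    public boolean currentUserHasRole(String roleName) {
        Account account = identity.getAccount();
        if (account == null) {
            return false;                          // nobody is logged in
        }
        Role role = BasicModel.getRole(identityManager, roleName);
        if (role == null) {
            return false;                          // unknown role: deny, do not throw
        }
        return BasicModel.hasRole(relationshipManager, account, role);
    }
}
```

Prefer the programmatic form only where the decision depends on request data; for fixed role requirements the annotation keeps the policy next to the method it protects.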
Permissioning
● Privileges for application resources
  – Assignee is allowed to perform operation on resource
● Provided by PicketLink IDM
  – John has permission to read file.txt
  – John has permission on classes of type
  – John has permission on JPA Entity with identifier
● Identity Bean methods for permission checks
  – boolean hasPermission(Object resource, String operation);
  – boolean hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
PicketLink Forge Addon
● Useful to quickly configure a project with PicketLink
● Configures a JPA Identity Store
  – Generate entities from your Identity Types
● Authentication
  – Choose a method
● Project Templates
  – Have an idea, help us!

    $ picketlink-setup --version 2.7.0.Beta2
    $ picketlink-setup --feature idm
    $ picketlink-setup --feature http
    $ picketlink-setup --feature idm --generateEntitiesFromIdentityModel
PicketLink Quickstarts
● Over 30 example applications
● Useful to get started and understand most of PicketLink features
● Clone, import to your IDE, checkout a tag and deploy

    git clone git@github.com:jboss-developer/jboss-picketlink-quickstarts.git
    git checkout v2.7.0.CR1
    mvn clean package jboss-as:deploy

  or

    mvn -Pwildfly clean package wildfly:deploy
Thank You!
● Visit our site at http://picketlink.org
  – You can find useful guides
  – Access to documentation
● GitHub
  – https://github.com/picketlink/
● Join us on the #picketlink IRC channel on Freenode
● Social
  – @picketlink
  – Google+ PicketLink Community
Creating a Simple Application
● Using PicketLink Forge Addon
  – FORM-based Authentication
  – RBAC
  – Protect Application Resources
  – User and Role Management
● Simple application to focus only on the security bits