2011-10-31 | 11:00 AM - 11:45 AM
Application and platform security requirements are changing under the influence of standards like OpenID and OAuth2, and the increasing demand for lightweight and multi-language platforms. Everyone used to be happy if they could implement single sign on for their Java web applications. That's still important, but there is a growing demand for more extensive Identity Management services, both in the enterprise and for public web applications. CloudFoundry is a nice use case for this new service model: it has multi-language support and security requirements that go beyond simple single sign on. What does that mean, and what does it mean for Spring Security? Come to this presentation to find out.
This talk is from a tech conference and covers security at a high level; the deployment best practice for the gateway (what was known as last-mile) is covered at the end.
API Security in a Microservice Architecture (Matt McLarty)
This presentation was given at the O'Reilly Software Architecture Conference in New York on Feb. 28, 2018. It gives an overview of the new book, Securing Microservice APIs. Download available here: https://transform.ca.com/API-securing-microservice-apis-oreilly-ebook.html
API Gateways can simplify the work that a developer needs to do to build API-based services by helping to standardize authentication and authorization, consumer interfaces, and management needs. With Amazon API Gateway you get all of this and more, including completely serverless management of your APIs and the ability to host them at almost any scale. You also get the benefits of the numerous types of APIs that are supported, from public to private, REST to WebSockets, backed by almost any backend you can think of. In this session we'll review the powerful capabilities of Amazon API Gateway and how you can get started building awesome APIs.
Speaker: Chris Munns - Principal Developer Advocate, AWS Serverless Applications, AWS
Cybersecurity Identity and Access Management applies to the security architecture and disciplines for digital identity management. It governs the duties and access rights shared with individual customers and the conditions under which such privileges are permitted or refused.
BriForum 2014 Boston
Dan Brinkmann presents on Identity Providers, SAML, and OAuth. An example of setting up Office 365 to use Active Directory Federation Services is also shown.
Peeling the Onion: Making Sense of the Layers of API Security (Matt Tesauro)
APIs are everywhere. Any business with a mobile app, modern web apps (SPAs), using the cloud, doing a digital transformation, integrating with business partners, running microservices or using Kubernetes has APIs. There's a good foundation of AppSec knowledge out there - thanks in part to OWASP - but API Security isn't exactly the same as AppSec. Additional complexity is part of the landscape, with multiple competing API technologies like REST, gRPC and GraphQL plus stakeholders spread across multiple parts of the business. How do you make sense of the API Security landscape? This talk will cover the three fundamental areas to consider, the various chess pieces and the many ways those pieces can be put on your API chessboard. The goal is for you to leave knowing how to map out your API Security landscape and reach a state of solid API Security.
Identity Governance: Not Just For Compliance (IBM Security)
View on-demand presentation: http://securityintelligence.com/events/identity-governance-not-just-for-compliance/
Did you know that proper identity governance will make your organization more secure? Between Separation of Duty violations, entitlement creep and insider threats, user IDs are the doorway to your organization and identity governance can be the deadbolt.
Join this webinar to learn how you can employ identity governance to not only simplify your audit process, but to safeguard your entire organization.
Deep Dive on Container Networking at Scale on Amazon EKS, Amazon ECS, & Amazo... (Amazon Web Services)
In this advanced workshop, we dive deep on the different networking options for deploying containers at production scale across Amazon EC2, Amazon ECS, and Amazon EKS. We also review architectural best practices and the different relevant industry standards that are leveraged within these services. This workshop includes hands-on labs to facilitate a better understanding of the networking underpinnings of the various container deployment options. We recommend you bring your own laptop.
Java Tech & Tools | Continuous Delivery - the Writing is on the Wall | John S... (JAX London)
2011-11-01 | 10:40 AM - 11:40 AM
So you want to do continuous delivery, but is it working, and how do the team and the organisation know what's going on? Using wallboards, information radiators and even just bits of paper stuck to the wall can help you manage all your development.
Covering the many ways companies have visualised the machinations of their work and providing tips on setting up your own uber information radiators.
Java Tech & Tools | Mapping, GIS and Geolocating Data in Java | Joachim Van d... (JAX London)
2011-11-02 | 03:45 PM - 04:35 PM
Introduction to mapping, geographic information systems and geolocalization. After covering basics like layers and projections, data formats and standards we will look at open source tools and Java libraries which can help you to build working solutions.
Keynote | Middleware Everywhere - Ready for Mobile and Cloud | Dr. Mark Little (JAX London)
2011-11-01 | 09:45 AM-10:30 AM
The traditional role of middleware in the data center has been challenged to expand and meet the ubiquitous computing demands becoming more prevalent. The way applications are built, deployed, integrated and managed must accommodate the rapidly evolving mobile and cloud paradigms, without sacrificing security or performance. Open Standards, and a more agile stewardship of the Java Community Process, will enable developers, architects and IT executives to increase return on their existing IT investment and spur innovation in next generation application environments. Please join Dr. Mark Little, Sr. Director Middleware Engineering, as he discusses Red Hat's vision for how JBoss Enterprise Middleware will drive social, mobile and cloud computing.
Spring Day | WaveMaker - Spring Roo - SpringSource Tool Suite: Choosing the R... (JAX London)
2011-10-31 | 02:15 PM - 03:00 PM
There are many tools out there to help developers working with the Spring framework and its manifold extensions. But it's not always easy to choose the right tool for the job. This talk guides you through the tooling landscape for Spring and illustrates when to use Spring Roo, WaveMaker or the SpringSource Tool Suite. Demos and examples give the audience first-hand insights and useful hints on how to use and combine those tools effectively.
Spring Day | Behind the Scenes at Spring Batch | Dave Syer (JAX London)
2011-10-31 | 01:30 PM - 02:15 PM
Spring Batch has a large user base and a good track record in production systems, but what is it all really about, and why does it work? This presentation provides a short bootstrap to get a new user started with the Batch domain, showing the key concepts and explaining the benefits of the framework. Then it goes into a deeper dive and looks at what holds it all together, with a close look at some of the most important but least understood features, including restart, retry and transactions.
Spring Day | Spring 3.1 in a Nutshell | Sam Brannen (JAX London)
2011-10-31 | 11:45 AM - 12:30 PM
Spring 3.1 introduces several eagerly awaited features including bean definition profiles (a.k.a., environment-specific configuration), enhanced Java-based application and infrastructure configuration (a la XML namespaces), and a new cache abstraction. This session will provide attendees with a high-level overview of these major new features, plus a quick look at additional enhancements to the framework such as the new c: namespace for constructor arguments, support for Servlet 3.0, improvements to Spring MVC and REST, and Spring's new integration testing support for profiles and configuration classes.
Spring Day | Spring and Scala | Eberhard Wolff (JAX London)
2011-10-31 | 09:45 AM - 10:30 AM
Spring is widely used in the Java world - but does it make any sense to combine it with Scala? This talk gives an answer and shows how and why Spring is useful in the Scala world. All areas of Spring such as Dependency Injection, Aspect-Oriented Programming and the Portable Service Abstraction as well as Spring MVC are covered.
Java Tech & Tools | Beyond the Data Grid: Coherence, Normalisation, Joins and... (JAX London)
2011-11-02 | 02:25 PM - 03:15 PM
In 2009 RBS set out to build a single store of trade and risk data that all applications in the bank could access simultaneously. This talk discusses a number of novel techniques that were developed as part of this work. Based on Oracle Coherence, the ODC departs from the trend set by most caching solutions by holding its data in a normalised form, making it both memory efficient and easy to change. However, it does this in a novel way that supports most arbitrary queries without the usual problems associated with distributed joins. We'll be discussing these patterns as well as others that allow linear scalability, fault tolerance and millisecond latencies.
Java Tech & Tools | Social Media in Programming in Java | Khanderao Kand (JAX London)
2011-11-02 | 10:00 AM - 11:00 AM
With the popularity of social media, businesses need to integrate ERP, CRM and Commerce apps with social media for consumer monitoring, engagement, analytics, marketing, brand monitoring as well as influencing purchases. This session covers Java tools, protocols, and frameworks for social media for Social CRM and Social Commerce. Covers: OAuth2, Social Graph, REST, JSON, Facebook & Twitter.
Java Tech & Tools | Just Keep Passing the Message | Russel Winder (JAX London)
2011-11-01 | 04:20 PM - 05:10 PM
With the increasing ubiquity of multicore and hence parallel systems, people need better ways of structuring applications than shared-memory multi-threading. In this session we will look at actors, agents and active objects -- and their implementation in GPars. GPars is a Groovy/Java framework for managing concurrency and parallelism. It leverages all the JSR166 APIs.
Java Tech & Tools | Grails in the Java Enterprise | Peter Ledbrook (JAX London)
2011-11-01 | 03:00 PM - 03:50 PM
With all the buzz around rapid web application development frameworks, are enterprise developers left looking on enviously? Not at all. Grails brings the same benefits to Java developers while providing many options for enterprise integration. This talk shows you how to build Grails projects with Ant and Maven; what's involved in talking to legacy databases; and how to talk to Java components.
Java EE | Modular EJBs for Enterprise OSGi | Tim Ward (JAX London)
2011-11-01 | 05:20 PM - 06:10 PM
Enterprise OSGi is all about enabling Java EE technologies in an OSGi environment. Modular EJB provides support for Enterprise Java Beans running inside OSGi, taking advantage of the framework's modularity. See how to:
* Package EJBs for use in an OSGi environment
* Make use of EJBs from other OSGi bundles
* Consume OSGi services directly within your EJBs
* Flow transactions between EJBs and OSGi
Java EE | Apache TomEE - Java EE Web Profile on Tomcat | Jonathan Gallimore (JAX London)
2011-11-01 | 04:20 PM - 05:10 PM
This session explores Apache TomEE, pronounced “Tommy”, an all-Apache Web Profile stack built on Tomcat, which adds all the Java EE Web Profile features, while taking nothing away. The session will show you how to get started with TomEE, how to use it with a sample application, and how you can test your application with TomEE using tools like Arquillian.
Java Core | Understanding the Disruptor: a Beginner's Guide to Hardcore Concu... (JAX London)
2011-11-02 | 05:45 PM - 06:35 PM | Victoria
The Disruptor is a new open-source concurrency framework, designed as a high performance mechanism for inter-thread messaging. It was developed at LMAX as part of our efforts to build the world's fastest financial exchange. Using the Disruptor as an example, this talk will explain some of the more detailed and less understood areas of concurrency, such as memory barriers and cache coherency. These concepts are often regarded as scary complex magic only accessible by wizards like Doug Lea and Cliff Click. Our talk will try to demystify them and show that concurrency can be understood by us mere mortal programmers.
Java Core | Java 8 and OSGi Modularisation | Tim Ellison & Neil Bartlett (JAX London)
The talk will cover a bit of background first to set things up: what is a module, why do we need a module system, and a summary of Java's existing support for modularity. Then it will move on to a comparison of OSGi's and Jigsaw's dependency models. Pros and cons of each model in different environments will be discussed. Finally, opportunities and challenges for interoperability, from the perspective of both application developers (who may need to integrate modules from both kinds) and library module developers (who may need to target both module systems).
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. Overview
● What is Identity Management?
● Is it anything to do with Security?
● Some existing and emerging standards
● Relevant features of Spring Security and other Spring projects
● Common use cases
● Demo of prototype IDM system
COPYRIGHT VMWARE, INC, 2011
3. Agenda
● Core domain:
  ● Authentication, identity, trust, delegation, claim, authorization
  ● SSO
  ● Identity Management
● Standards:
  ● SAML
  ● OpenID
  ● OAuth, OAuth2
  ● OpenID Connect
  ● SCIM
  ● JWT
● Spring Security and other projects
● Use cases (Google, Facebook, CloudFoundry) and demos
● IDM as a Service
5. Authentication
● You say you are Fred Bloggs? Can you prove it?
● Human-human interactions
  ● Official document (passport, driving licence, etc.)
  ● We actually call it “ID”
  ● Letter of introduction
  ● Word of mouth, friend of a friend
● Machine-human interactions
  ● Something you know, hopefully unguessable, maybe random, e.g. username/password
  ● Something you have, e.g. One-Time Password (OTP) from RSA hard/soft token
  ● Multifactor authentication
● Machine-machine interactions
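The "something you know" plus "something you have" combination on this slide, as an added example that is not part of the deck: a password check plus an RFC 6238 TOTP check, which is the algorithm behind most hard and soft tokens. The user record, the fixed salt and the TOTP secret are constructed for the demo (the secret is the RFC 6238 test-vector secret, so the generated codes can be checked against the RFC's table); a real system would keep these in the user details store of the architecture diagrams.

```python
# Added example (not from the slides): password + TOTP multifactor check.
# User records, salt and secrets below are constructed for the demo.
import hashlib
import hmac
import struct


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the salt is fixed here only to keep the demo deterministic
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-fixed-salt"
USERS = {
    "fred": {
        "pw_hash": _hash_password("correct horse", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    }
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): counter = floor(t / step), then dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +-window neighbouring steps to tolerate clock drift."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + 30 * k), code):
            return True
    return False


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; all comparisons are constant-time."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, _SALT)  # keep timing similar for unknown users
        return False
    pw_ok = hmac.compare_digest(_hash_password(password, _SALT), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At t=59 the RFC 6238 table gives 94287082, i.e. 287082 at six digits
    print(totp(USERS["fred"]["totp_secret"], 59))
    print(authenticate("fred", "correct horse", totp(USERS["fred"]["totp_secret"], 59), 59))
```

The drift window is deliberately small: widening it multiplies the number of codes accepted at any moment, which is the trade-off a deployment has to make consciously.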
6. Typical System Architecture
[Diagram: User ("I'm Fred, show me my photos") -> APP -> DB (User details store)]
8. Two Apps, No Shared Authentication
[Diagram: User says "I'm Fred, show me my photos" to APP1 and "I'm Fred, can I buy a book?" to APP2; each app has its own DB (User details store)]
9. Two Apps, Shared User Details
[Diagram: User makes the same two requests to APP1 and APP2; both apps share one DB (User details store)]
10. Two Apps, Single Sign On
[Diagram: User makes the same two requests to APP1 and APP2; both apps authenticate through SSO, which uses the DB (User details store)]
11. Single Sign On: Example Flow
● Explicit authentication required on first visit
● Avoidable subsequently if App can store token – but then with multiple apps you have distributed state
[Diagram annotations: "All Apps are the same"; "This is unavoidable"]
12. Two Apps, Single Sign On with Separate Authentication
[Diagram: User makes the same two requests to APP1 and APP2; both apps go through SSO, and a separate AUTH component performs the authentication against the DB (User details store)]
13. SSO With Spring Security
● Good support for CAS
● Many custom implementations for commercial products like SiteMinder
● Field is fragmented
● OpenID...
14. Trust
● You say you are Fred Bloggs? Can you prove it?
● Oh, I remember, Martha said you're alright. Come in...
● I trust Martha, USDOT, UKPA, etc, to verify Fred's identity
● Why?
● Because I know them, and they say they know Fred.
15. Consumer Trusts Provider
[Diagram: User ("I'm Fred, show me my photos") -> Consumer / Relying Party (APP) -> Provider (IDP) -> DB (User details store)]
17. So What did we Gain with an Identity Provider?
● App no longer has to do authentication or keep record of secure information about users
● User only has to type secrets into a known trusted site (e.g. Google)
● Separation of concerns
● Abstraction always comes at a cost
  ● Increased complexity – more to understand, more to maintain, more to go wrong
  ● Complexity and Security are uneasy bedfellows
● Hence there are standards that cover this interaction
21. OpenID
[Diagram: User ("I'm Fred, show me my photos") -> Relying Party (APP) -> OpenID Provider -> DB (User details store)]
22. OpenID
● Protocol for attribute exchange
● Sits on top of HTTP(S)
  ● Form plus JSONish on back channel (attribute fetch)
  ● Form data and redirects on front channel
● Does not specify authentication (up to the Provider)
● Does not require pre-registration of Relying Parties (Apps)
● Implemented in various languages, e.g. Java->OpenID4J (Google code)
● Support in Spring Security for Relying Party
24. SSO with OpenID
[Diagram: User says "I'm Fred, show me my photos" to APP1 and "I'm Fred, can I buy a book?" to APP2; both apps are Relying Parties of one OpenID Provider, which uses the DB (User details store)]
25. SSO with OpenID
[Diagram annotation: No user input required here if IDP is stateful]
26. Delegation and Client Authorization
● So Fred told you to come and pick up his order?
● You say you're Martha? Show me some ID.
● And what about some documentation about the order?
[Diagram labels: Resource Owner; Client (e.g. a service provider); Scope of responsibility]
27. Delegation and Client Authorization
● An App needs to access Fred's resources on his behalf
● Resources live in a protected Resource Server (API)
● Fred is the Resource Owner: he can read and write his resources if he logs into the API himself
● But App is the Client of the API service, not Fred, and Fred doesn't want to grant App write access
● Resource Server can grant App access to a restricted Scope of activity
● Fred authorizes the App to read his Resources
● App gets an Access Token that enables it to act on behalf of Fred
● Where does it get the token from? An Authorization Server
28. Delegation
[Diagram: Resource Owner ("I'm Fred, show me my photos") -> Client (APP) -- Token --> Resource Server (API); the Authorization Server (AUTH), with its Token Services, issues the Token]
29. Example Token Services using Shared Storage
[Diagram: as slide 28, but the Resource Server (API) and the Authorization Server (AUTH) share a DB (Token Store)]
30. Delegation Standards
● SAML 1.0, 2.0
  ● XML
  ● back channel (need key exchange)
  ● cryptography
  ● Spring Security SAML, Service Provider = Resource Server only
● OAuth 1.0a
  ● plain text
  ● back channel (nonce and request token)
  ● cryptography
  ● Spring Security OAuth (consumer and provider)
● OAuth 2
  ● JSON (plus optional custom formats)
  ● no back channel in spec (but need token services in practice)
  ● clear text (need SSL), plus extensions
  ● Spring Security OAuth (consumer and provider)
31. OAuth2
● Client /app
    GET /api/photos
    Authorization: Bearer FDSHGK78JH356G
● Resource Server /api
    authenticated:
    200 OK
    ...
    unauthenticated:
    401 Unauthorized
    WWW-Authenticate: Bearer realm="/auth"
32. OAuth2 Acquiring an Access Token
● Grant Types
● Password
● Authorization Code
● Refresh Token
● Implicit
● Client Credentials
● Others allowed as extensions, e.g. SAML assertion
33. OAuth2 Grant Type: Password
● Resource Server /api
    GET /auth/token?response_type=password&username=......&...
    Authorization: Basic asdsdfggghf=      (client credentials)
● Authorization Server /auth
  ● Token Endpoint
    200 OK
    {
      "access_token" : "JAHDGFJH78IOUY",
      "token_type" : "bearer",
      "expires_in" : "3600"
    }
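The exchange on slides 27 to 33 end to end, as an added example that is not part of the deck or of Spring Security OAuth: an Authorization Server that authenticates the client with HTTP Basic and issues a bearer token for the password grant, a Resource Server that checks the bearer token against the shared token store of slide 29 and answers 200, 401 with WWW-Authenticate, or 403 when the token lacks the required scope. Both sides are in-process functions over header and form dicts rather than real HTTP endpoints; the client registration, user password, scope name and token values are constructed.

```python
# Added example (not from the slides): OAuth2 token issue (password grant)
# and bearer-token check against one shared token store. All credentials,
# scopes and URIs are constructed for the demo.
import base64
import hmac
import secrets
from typing import Dict, Optional, Tuple

TOKEN_STORE: Dict[str, Dict] = {}  # token -> {user, client, scope, expires_at}
CLIENTS = {"app": {"secret": "app-secret", "allowed_scopes": {"read_photos"}}}
USERS = {"fred": "correct horse"}  # plaintext only for the demo


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic base64(client_id:client_secret)'."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        client_id, _, client_secret = base64.b64decode(value).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return client_id, client_secret


def token_endpoint(headers: Dict, form: Dict, now: int) -> Tuple[int, Dict]:
    """Authorization Server /auth/token for the password grant (slide 33)."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if (creds is None or creds[0] not in CLIENTS
            or not hmac.compare_digest(creds[1].encode(), CLIENTS[creds[0]]["secret"].encode())):
        return 401, {"error": "invalid_client"}
    client_id = creds[0]
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    username, password = form.get("username", ""), form.get("password", "")
    if not hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
        return 400, {"error": "invalid_grant"}
    scope = set(form.get("scope", "").split()) or CLIENTS[client_id]["allowed_scopes"]
    if not scope <= CLIENTS[client_id]["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(24)  # opaque bearer token, meaning lives in the store
    TOKEN_STORE[token] = {"user": username, "client": client_id,
                          "scope": scope, "expires_at": now + 3600}
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": 3600}


def resource_endpoint(headers: Dict, required_scope: str, now: int) -> Tuple[int, Dict]:
    """Resource Server /api/photos (slide 31): bearer check against the shared store."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"WWW-Authenticate": 'Bearer realm="/auth"'}
    entry = TOKEN_STORE.get(token)
    if entry is None or entry["expires_at"] <= now:
        return 401, {"WWW-Authenticate": 'Bearer realm="/auth", error="invalid_token"'}
    if required_scope not in entry["scope"]:
        return 403, {"WWW-Authenticate": 'Bearer realm="/auth", error="insufficient_scope"'}
    return 200, {"owner": entry["user"], "photos": ["holiday.jpg", "cat.jpg"]}


def demo() -> Dict:
    """Run the whole exchange and return the status codes seen."""
    basic = base64.b64encode(b"app:app-secret").decode()
    issue, body = token_endpoint(
        {"Authorization": f"Basic {basic}"},
        {"grant_type": "password", "username": "fred",
         "password": "correct horse", "scope": "read_photos"}, now=1000)
    bearer = {"Authorization": "Bearer " + body["access_token"]}
    return {
        "issue": issue,
        "ok": resource_endpoint(bearer, "read_photos", now=1500)[0],
        "expired": resource_endpoint(bearer, "read_photos", now=5000)[0],
        "write": resource_endpoint(bearer, "write_photos", now=1500)[0],
        "anon": resource_endpoint({}, "read_photos", now=1500)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The scope check is what turns "Fred doesn't want to grant App write access" on slide 27 into code: the token carries only the scope the client was allowed to ask for, and the Resource Server refuses anything outside it with 403 rather than 401, since the caller is authenticated but not authorized.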
38. OAuth2 Grant Type: Authorization Code, Explicit Authorization
The spec doesn't say how this happens, just that it does, e.g.:
????
39. OAuth2: More Detail and Options
● Grant type
  ● Password – native apps, fixed authentication
  ● Authorization Code – webapps with browser redirects
  ● Refresh Token – optional for tokens issued with Auth Code
  ● Implicit – script clients in webapps, native apps
  ● Client Credentials – service peers
  ● Other, e.g. SAML
● Token type
  ● Bearer
  ● Other, e.g. MAC
● Scope
  ● Arbitrary string. Signifies something to Resource Server about which resources are available. C.f. “audience” in SAML.
● State
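The Authorization Code grant with browser redirects, and the State item from this slide, as an added example that is not part of the deck: the client generates a random state, stores it in the user's session, sends it on the /authorize redirect, and refuses any callback whose state does not match, which is what stops a forged callback from binding someone else's code to the user's session. The Authorization Server checks the registered redirect URI and makes each code single-use. Both parties are in-process functions; the client registration, URIs and user name are constructed.

```python
# Added example (not from the slides): Authorization Code grant with the
# `state` parameter enforced on the callback. URIs, client registration and
# user names are constructed for the demo.
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "https://app.example/callback"  # registered for client "app"
CLIENTS = {"app": {"secret": "app-secret", "redirect_uri": REDIRECT_URI}}


def _query(url: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# --- Client side ---------------------------------------------------------
CLIENT_SESSIONS: Dict[str, Dict] = {}  # browser session id -> pending state


def client_start_login(session_id: str) -> str:
    """Build the /authorize redirect and remember the random state in the session."""
    state = secrets.token_urlsafe(16)
    CLIENT_SESSIONS[session_id] = {"state": state}
    return "https://auth.example/authorize?" + urlencode({
        "response_type": "code", "client_id": "app", "redirect_uri": REDIRECT_URI,
        "scope": "read_photos", "state": state})


def client_handle_callback(session_id: str, callback_url: str) -> Tuple[int, Dict]:
    """Accept the callback only if its state is the one this session issued."""
    pending = CLIENT_SESSIONS.get(session_id)
    params = _query(callback_url)
    if pending is None or not secrets.compare_digest(pending["state"], params.get("state", "")):
        return 400, {"error": "state mismatch"}
    del CLIENT_SESSIONS[session_id]  # state is single-use
    return as_token_endpoint({
        "grant_type": "authorization_code", "code": params.get("code", ""),
        "redirect_uri": REDIRECT_URI, "client_id": "app", "client_secret": "app-secret"})


# --- Authorization Server side -------------------------------------------
ISSUED_CODES: Dict[str, Dict] = {}


def as_authorize(url: str, authenticated_user: str) -> str:
    """After the user has authenticated and approved, redirect back with code + state."""
    q = _query(url)
    client = CLIENTS[q["client_id"]]
    if q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("redirect_uri not registered for client")
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = {"user": authenticated_user, "client_id": q["client_id"],
                          "scope": q.get("scope", ""), "redirect_uri": q["redirect_uri"]}
    # state is echoed back unchanged; only the client can judge it
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})


def as_token_endpoint(form: Dict) -> Tuple[int, Dict]:
    """Exchange a single-use code for a bearer token."""
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    issued = ISSUED_CODES.pop(form.get("code", ""), None)  # pop: a code works once
    if (issued is None or issued["client_id"] != form["client_id"]
            or issued["redirect_uri"] != form.get("redirect_uri")):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
                 "expires_in": 3600, "scope": issued["scope"], "user": issued["user"]}


def demo() -> Dict:
    authorize_url = client_start_login("sess1")
    callback = as_authorize(authorize_url, authenticated_user="fred")
    good = client_handle_callback("sess1", callback)
    # a callback carrying a state this session never issued is rejected
    client_start_login("sess2")
    forged = client_handle_callback("sess2", REDIRECT_URI + "?code=abc&state=not-ours")
    # the code from the good callback has already been consumed
    replay = as_token_endpoint({
        "grant_type": "authorization_code", "code": _query(callback)["code"],
        "redirect_uri": REDIRECT_URI, "client_id": "app", "client_secret": "app-secret"})
    return {"good": good[0], "user": good[1].get("user"), "forged": forged[0], "replay": replay[0]}


if __name__ == "__main__":
    print(demo())
```

Two details carry most of the security value: the state lives server-side in the client's session and is compared in constant time, and the Authorization Server pops the code on first use so a code observed in transit cannot be exchanged twice.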
42. Spring Security OAuth: Client /app
<sec:http>
  ...
  <sec:custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
</sec:http>
<oauth:client id="oauth2ClientFilter" token-services-ref="oauth2TokenServices" />
<bean id="apiRestTemplate" class="org...oauth2.client.OAuth2RestTemplate">
  <constructor-arg ref="api" />
</bean>
<oauth:resource id="api" type="authorization_code"
    clientId="app" accessTokenUri="${accessTokenUri}"
    userAuthorizationUri="${userAuthorizationUri}" scope="read_photos" />
N.B. Spring Social has client support as well (similar approach, convergence will come later)
43. OpenID Connect
● Similar to OpenID in the role that it plays, but not in any other way related
● Uses OAuth2 as a protocol for attribute exchange
● Google, Salesforce, etc. behind spec
● OAuth2 endpoints:
  ● /authorize
  ● /token
● OpenID endpoints are OAuth2 protected resources:
  ● /userinfo
  ● /check_id
● Clients obtain access token with scope=openid
● OAuth /token endpoint includes id token in response as well as access token
● Responses in JSON or JWT (=encrypted JSON)
● Not implemented in Spring project (yet), SECOAUTH or SEC
45. OpenID Connect: User Info
● Resource Server /api
    GET /auth/userinfo
    Authorization: Bearer JAHDGFJH78IOUY
● Authorization Server /auth
  ● User Info Endpoint
    200 OK
    {
      "user_id" : "dsyer",
      "name" : "Dave Syer",
      "email" : "dsyer@vmware.com",
      ...
    }
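The OpenID Connect pieces of slides 43 and 45 together, as an added example that is not part of the deck: a /token call with scope=openid that returns an id_token beside the access token, a client-side verifier for that id_token, and a /userinfo endpoint that is itself an OAuth2-protected resource. The id_token is a JWT signed with HS256 using a secret shared between client and provider, chosen here so the example runs with the standard library alone; public providers sign with RS256 and publish their keys, and the verification steps (check alg, check signature, then iss, aud and exp) are the same. Issuer, client, secret and profile values are constructed; the profile fields mirror the slide.

```python
# Added example (not from the slides): OpenID Connect id_token issue and
# verification plus a protected /userinfo endpoint. Issuer, client secret and
# profile data are constructed for the demo; HS256 is a toy choice.
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

ISSUER = "https://auth.example"
CLIENT_ID, CLIENT_SECRET = "app", b"app-secret"
TOKEN_STORE: Dict[str, Dict] = {}
PROFILES = {"dsyer": {"user_id": "dsyer", "name": "Dave Syer", "email": "dsyer@vmware.com"}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_sign_hs256(claims: Dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jwt_verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: int) -> Dict:
    """Signature first, then iss/aud/exp. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier decides the algorithm, not the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def token_endpoint(user: str, scope: str, now: int) -> Dict:
    """/token: with scope=openid the response carries an id_token as well (slide 43)."""
    access_token = hashlib.sha256(f"{user}:{now}".encode()).hexdigest()[:20]  # toy opaque token
    TOKEN_STORE[access_token] = {"user": user, "scope": set(scope.split())}
    resp = {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}
    if "openid" in TOKEN_STORE[access_token]["scope"]:
        resp["id_token"] = jwt_sign_hs256(
            {"iss": ISSUER, "sub": user, "aud": CLIENT_ID, "iat": now, "exp": now + 600},
            CLIENT_SECRET)
    return resp


def userinfo_endpoint(headers: Dict, now: int) -> Tuple[int, Dict]:
    """/userinfo is an OAuth2-protected resource (slide 45)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    entry = TOKEN_STORE.get(token) if scheme.lower() == "bearer" else None
    if entry is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="/auth"'}
    if "openid" not in entry["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, PROFILES[entry["user"]]


def demo() -> Dict:
    resp = token_endpoint("dsyer", "openid", now=1000)
    claims = jwt_verify_hs256(resp["id_token"], CLIENT_SECRET, ISSUER, CLIENT_ID, now=1100)
    status, info = userinfo_endpoint({"Authorization": "Bearer " + resp["access_token"]}, now=1100)
    # an id_token whose claims were edited after signing must be rejected
    h, _, s = resp["id_token"].split(".")
    edited = b64url(json.dumps({"iss": ISSUER, "sub": "someone-else", "aud": CLIENT_ID,
                                "iat": 1000, "exp": 1600}).encode())
    try:
        jwt_verify_hs256(f"{h}.{edited}.{s}", CLIENT_SECRET, ISSUER, CLIENT_ID, now=1100)
        tamper = "accepted"
    except ValueError as e:
        tamper = str(e)
    return {"sub": claims["sub"], "userinfo": status, "name": info.get("name"), "tamper": tamper}


if __name__ == "__main__":
    print(demo())
```

The order of checks in jwt_verify_hs256 matters: the algorithm is fixed by the verifier and the signature is checked before any claim is read, so nothing in an unverified payload influences the outcome.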
46. SCIM
● Simple Cloud Identity Management
● Plain text / JSON standard for provisioning identity systems
● Standard endpoints
  ● /Users – query user accounts
  ● /User – CRUD operations on users
  ● /Groups – CRUD operations on groups
● An OAuth2 authorization service might implement SCIM
● Not implemented (yet) in Spring
47. Spring Security: Project Organization
● Spring Security (Luke Taylor (VMW), Robert Winch): Core, Web, LDAP, OpenID ...
  ● 3.1.0 just released
  ● Stable, mature
● Spring Security OAuth (Dave Syer (VMW), Ryan Heaton): OAuth1a, OAuth2
  ● OAuth2 spec not yet final
  ● 1.0.0 not yet released
  ● 1.0.0.M5 release in pipeline
● Spring Extensions: Security (Vladimir Schaefer, Mike Wiesner (VMW)): SAML, Kerberos
  ● External lead
  ● Partly external, low-activity
● Spring Social (Keith Donald (VMW), Craig Walls (VMW))
  ● 1.0.0 just released
  ● Consumer for well-known providers
48. CloudFoundry IDM
[Diagram: Resource Owner ("I'm Fred, show me my apps") -> Client (Admin Console) -- Access Token --> Resource Server (CloudController); Authorization Server: UAA (OAuth2, OpenID Connect, SCIM); also shown: Decision Services, Collab Spaces]
49. CloudFoundry IDM
[Diagram: as slide 48, with VMC (the command-line client) as the Client instead of the Admin Console]
51. Overview
● What is Identity Management?
● Is it anything to do with Security?
● Some existing and emerging standards
● Relevant features of Spring Security and other Spring projects
● Common use cases
● Demo of prototype IDM system