IBM WebSphere Portal Security Overview

Stefan Schmitt
WebSphere Portal Security Architect


                                         © 2008 IBM
Agenda

 Part I: Introduction
 Part II: Authentication and User Identity
     Authentication
     PUMA and VMM
     RememberMe and StepUp
     WAS Group Assertion
     Virtual Portal Security
     SSO – Credential Vault
 Part III: Authorization and Security Infrastructure
     Portal Access Control & Membership
     WSRP Security
     Java 2 Platform Security
     Miscellaneous
 Summary



WebSphere Portal Technical Conference Europe 2008
Part I: Portal Security Introduction


      WebSphere Portal (WP) Security is based on
       WebSphere Application Server (WAS) security
      WP Security lets Portal leverage the following from WAS:
       J2EE Security
       Web Single-Sign-On (JAAS / TAI / LTPA)
       Java 2 Security
       Java Connector Architecture
       SSL / TLS Support
       IBM JCE/JSSE libraries
      WP Security provides additional features in these areas:
       Authorization
       Authentication Customization
       User Profile and Group Management
       Back-end Single Sign On (Credential Vault)
       Security Audit


Portal Setup with Authentication Proxy




Part II: Authentication and User Identities


Portal Authentication




Authentication

       WP is a custom Form Login application to WAS
          relies on WAS to
          − intercept requests to the protected portal area
          − do the authentication and provide the security context
          − requires Global Security in WAS to be active


       Portal picks up whatever user identity WAS has established
         All WAS authentication customization options also apply to
        portal:
          Authentication Proxies and Trust Association Interceptors (e.g.
            TAM / WebSeal)
          Custom JAAS Login Modules

       Portal supports public code plug points for intercepting the portal
        login and session validation flow



Portal and WAS Authentication “flow” (since version 6.1.x)



[Diagram: a login submitted via the UI, XMLAccess or scripting goes to the Portal login handler, which performs a JAAS login (Portal_LTPA) against WAS Security. WAS, following its user registry configuration (e.g. set via the admin console), searches LDAP, “binds” (validates id/pw), fetches the DN and fetches group memberships, answers “ID/PW okay?” and establishes the WAS Security Context. The login handler then has VMM retrieve the user: attributes are fetched by DN (user profile) and nested group memberships are fetched; this lookup is independent of the WAS lookup but based on the DN from WAS.]
Portal and WAS Authentication “flow” (since version 6.1.x)


[Diagram: the same flow as on the previous slide, with a Login Filter Chain plug point in front of the Portal login handler: Explicit Login Filter 1 ... Explicit Login Filter N process the submitted login before the JAAS login (Portal_LTPA) against WAS Security and the subsequent VMM user retrieval.]
End user identity flow from TAI to WAS to WP

 User identity must be “mappable” from front end security and TAI (if
  present) to WAS and WP
 Path of least resistance: Front end/TAI, WAS, and WP should all use
  the same user registry
 Possible to map between different registries for front end vs. WAS/
  WP
    This is complex and leads to hard-to-debug problems
    TAI can assert a security shortname that WAS will “look up”
      using search
    TAI++ can set end user identity, bypassing lookup
        • Portal still needs to be able to look up profile info for that
          user
 Except in VERY rare circumstances, WAS and WP should always use
  the same user registry
     Portal lookup based on “DN” from WAS
Portal and External Security (authentication)

 Anything “in front of” WAS that does the authentication
 Login dialog conducted by front end security
    May use Portal to serve up the login page, but Portal no longer
      handles the login form submission
 Front end asserts already-authenticated end user identity to WAS
     Trust Association Interceptor (TAI) architecture
     TAM has other options (LTPA junctions)
 TAI is a WAS feature, not a Portal feature
     Documented in the WAS InfoCenter
     Portal has no idea about presence or absence of TAI, or how
      WAS gets the user identity
     IBM only provides one (1) TAI – that for TAM/WebSEAL. ALL
      OTHER SECURITY VENDORS MUST PROVIDE THEIR OWN TAI.


Portal and WAS and TAI Authentication “flow”




[Diagram: the login dialog is conducted by the security front end, which does all id/pw validation and asserts the identity to WAS through the TAI (“lookup okay?”). WAS Security, following its user registry configuration (e.g. set via the admin console), searches LDAP, fetches the DN and fetches group memberships, and establishes the WAS Security Context. Portal and VMM then fetch attributes by DN (user profile) and nested group memberships; this lookup is independent of the WAS lookup but based on the DN from WAS (from the TAI).]


Portal and WAS and TAI Authentication “flow”




[Diagram: the same flow as on the previous slide, with an Implicit Login Filter Chain plug point between WAS and Portal/VMM: Implicit Login Filter 1 ... Implicit Login Filter N run on the identity asserted through the TAI before Portal and VMM fetch attributes by DN (user profile) and nested group memberships.]


Variation: New Federated Security Option in WAS 6.1

 VMM can be used as Security Provider in WebSphere Application
  Server (Federated)


 Fully integrated in WebSphere Admin Console
     Replaces former WMM-UR option




Portal and WAS Authentication “flow”




[Diagram: a login submitted via the UI, XMLAccess or scripting goes to the Portal login handler, which calls the WAS Security API (JAAS). WAS Security, with VMM configured in WAS (WMMUR), searches, “binds” (validates id/pw), fetches the DN and fetches group memberships from one or more LDAP directories and answers “ID/PW okay?”. The login handler then has VMM retrieve the user: attributes are fetched by DN (user profile) and nested group memberships are fetched; this lookup is independent of the WAS lookup but based on the DN from WAS.]
Portal and WAS Authentication “flow”



[Diagram: the same flow as on the previous slide, with a Login Filter Chain plug point in front of the Portal login handler: Explicit Login Filter 1 ... Explicit Login Filter N process the submitted login before the call to the WAS Security API (JAAS).]
New Portal Login and Session Validation Filter API

                     Filter chains for
                          Explicit Portal Login
                            (i.e. login is triggered by Portal)
                          Implicit Portal Login
                            (i.e. authentication has been performed by
                            an external authentication provider)
                          Explicit Portal Logout
                          Session Validation
                            (to validate individual (authenticated) portal
                            requests)
                          Session Validation Timeout handling
                            (for custom session timeout handling)

                     Custom filter implementations can be plugged in
                      by adding the corresponding properties to
                      AuthenticationService.properties


New Portal Login and Session Validation Filter API




                FilterChainContext can be used to pass parameters between filters and to specify redirect URLs


HTTP Basic Auth TAI

 Can be used to send an HTTP Basic Auth challenge for specific URLs and/or User Agents




Portal AJAX Proxy


[Diagram: the browser loads the HTML page containing the AJAX portlet via HTTP GET from the Domain A server. The portlet's HTTP GET for Domain B goes to the AJAX Proxy on Domain A, which checks its trusted sites list and relays the request to the Domain B server.]




 Today's browsers prevent asynchronous requests to foreign domains for security
  reasons.
   Example: Your portlet is served from www.mycompany.com but your AJAX
    application tries to load a feed from cnn.com. This would be blocked by the
    browser.
AJAX Proxy Server: Security Challenge
[Diagram: Dieter's Travel Mashup Doc: “... an unsecured AJAX Proxy would expose me to danger ...”. Cross-domain AJAX requests (restricted through the browser security model) go from the mash-up to the AJAX Proxy in your portal (WAS), which relays them to the Car Rental Site, the Travel Agency Site and the Weather Service Site.]



Mash-up Security Risk

 Weather site is hacked or malicious
    Markup provided by the Weather site can serve active content at will, e.g. steal
      cookies / security tokens
      all information from the Mashup DOM (e.g. credit card info entered in a field in the travel agency site)
 3rd party content is now served from your portal
    Copyright issues (Weather service serves stolen weather data)
    Infected data (e.g. containing a virus)
    Illegal Data (e.g. offensive content)

[Diagram: Dieter's Travel Mashup Doc in your portal, holding a credit card number (credit#), is assembled from the Car Rental Site, the Travel Agency Site and the Weather Service Site.]

Same issue with:
- malicious ATOM feeds
- Including a portlet via WSRP
- client side mash-up via AJAX
Portal AJAX Proxy Server guards my credit card number

[Diagram: the Weather Site is not on the trusted server list. The AJAX Proxy in your portal (WAS) applies an admin-controlled security policy before relaying requests to the Car Rental Site, the Travel Agency Site or the Weather Service Site.]

 Filtering based on
    URL
    HTTP Action
    mime-type
    Requesting user
 Maintained by Security Administrator

AJAX Proxy Configuration



 The AJAX proxy security policy is specified in XML

 Request Filtering based on
   URL
   HTTP Action
   mime-type
   Requesting user

 Cookie forwarding can be enabled


 Planned for future version:
  Active Content Filtering Enforcement
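The proxy re-opens the cross-domain path that the browser closes, so the policy has to be enforced server-side with a default deny. As an added example (not IBM's AJAX proxy code and not its policy XML), the following Python models a trusted-server policy with the four criteria from this slide plus per-server cookie forwarding and evaluates it for the travel mash-up scenario; the host names, the ANY/PUBLIC markers and the path normalisation step are my assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

ANY = "*"          # in methods/mime_types: no restriction; in users: any authenticated user
PUBLIC = "public"  # in users: everyone, including unauthenticated callers (assumed marker)


@dataclass(frozen=True)
class ProxyPolicy:
    """One entry of the trusted server list and what may pass through it."""
    url_pattern: str               # scheme://host[:port]/path; host may start "*.", path may end "/*"
    methods: frozenset             # permitted HTTP actions, e.g. {"GET"}
    mime_types: frozenset          # permitted upstream Content-Types (checked before relaying)
    users: frozenset               # permitted requesting users
    forward_cookies: bool = False  # whether portal cookies may be forwarded to this server


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    forward_cookies: bool = False


def _norm_path(path: str) -> str:
    """Resolve '.' and '..' segments so '/api/../admin' cannot hide behind a '/api/*' rule."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def url_matches(pattern: str, url: str) -> bool:
    """Component-wise match on scheme, host, port and path, never a plain string prefix."""
    p, u = urlsplit(pattern), urlsplit(url)
    if u.username is not None or u.password is not None:
        return False  # refuse userinfo tricks such as https://trusted.host@other.host/
    try:
        if p.scheme.lower() != u.scheme.lower() or p.port != u.port:
            return False
    except ValueError:  # malformed port in the requested URL
        return False
    host, phost = (u.hostname or "").lower(), (p.hostname or "").lower()
    if phost.startswith("*."):
        if not host.endswith(phost[1:]):  # "*.example.test" needs a real sub-domain
            return False
    elif host != phost:
        return False
    path = _norm_path(u.path)
    if p.path.endswith("/*"):
        prefix = p.path[:-1]  # "/api/*" -> "/api/"
        return path == prefix.rstrip("/") or path.startswith(prefix)
    return path == _norm_path(p.path)


def evaluate(policies: Iterable[ProxyPolicy], user: Optional[str], method: str,
             url: str, response_mime: Optional[str] = None) -> Decision:
    """Default deny: the first policy whose URL pattern matches the target decides.

    The proxy re-opens the cross-domain path the browser closes, so every criterion
    from the slide (URL, HTTP action, requesting user, mime-type) has to pass."""
    policy = next((p for p in policies if url_matches(p.url_pattern, url)), None)
    if policy is None:
        return Decision(False, "target is not on the trusted server list")
    if ANY not in policy.methods and method.upper() not in policy.methods:
        return Decision(False, f"HTTP action {method.upper()} not permitted for this target")
    if user is None:
        if PUBLIC not in policy.users:
            return Decision(False, "anonymous requests not permitted for this target")
    elif not policy.users & {ANY, PUBLIC, user}:
        return Decision(False, f"user {user!r} not permitted for this target")
    if response_mime is not None:  # the upstream reply is checked before it is relayed
        mime = response_mime.split(";")[0].strip().lower()
        if ANY not in policy.mime_types and mime not in policy.mime_types:
            return Decision(False, f"response type {mime!r} not permitted; reply dropped")
    return Decision(True, "permitted", policy.forward_cookies)


# Constructed policy for the travel mash-up on the slides; host names are placeholders.
TRAVEL_POLICIES = (
    ProxyPolicy("https://travel.example.test/*", frozenset({"GET", "POST"}),
                frozenset({"text/html", "application/atom+xml"}), frozenset({ANY}),
                forward_cookies=True),
    ProxyPolicy("https://cars.example.test/api/*", frozenset({"GET"}),
                frozenset({"application/json"}), frozenset({ANY})),
    # the Weather Service Site is deliberately absent: it is not a trusted server
)

if __name__ == "__main__":
    for req in (("dieter", "GET", "https://weather.example.test/forecast", "text/html"),
                ("dieter", "GET", "https://travel.example.test/offers", "text/html"),
                ("dieter", "GET", "https://cars.example.test/api/../admin", "application/json")):
        print(req[2], "->", evaluate(TRAVEL_POLICIES, *req))
```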




AJAX Proxy: sample policy




PUMA and VMM




PUMA and VMM

 Now two public APIs
      PUMA within Portal, VMM within WAS


 What is VMM?
      Virtual Member Manager supersedes WMM
      Fully integrated in WebSphere Application Server


 Why PUMA?
      Fine-grained Access Control on Users and Groups
      Portal Virtual Principals (Anonymous, All Authenticated, ...)
      VP and Realm awareness
      REST API


User Registry Integration – From WMM to VMM



[Diagram (WP 6.0): WAS uses its own user registry (UR). Portal goes through PUMA (public since v5101) to WMM, whose UR adaptor connects to LDAP, or a DB, or LDAP + DB. The WMM adaptor is a non-public plug-point used with AECI.]




VMM Integration in WP V6.1




[Diagram (WP 6.1): WAS Security uses the federated WAS LDAP configuration against LDAP. Portal offers the REST API and the PUMA SPI (public since v5101) on top of VMM; the VMM UR adaptor is a public plug-point to LDAP, a DB or a custom repository.]


Multiple LDAP support (since 6.0)


 Requires Federated Security
 VMM can dispatch calls to multiple user registries
 Realms can point to a (subset of a) specific user registry or to (subsets of)
  multiple user registries
 User IDs need to be unique across all registries

[Diagram: one Portal Server with VMM serving the Acme, Supplier and Customer realms (realm = supplier, realm = customer, ...), each dispatched to its own directory: LDAP for ACME, LDAP for Supplier, LDAP for Customer.]




External Id (extId) Mapping in VMM

      Starting with WP 6.0 roles are no longer tied to the DN of the
       user but to another unique ID (ExtID)

      VMM ExtID is an opaque, unique, static, and never-to-be-reused
       attribute of each user and group

      Portal administrator can map the VMM ExtID to an attribute of
       his choice (e.g. objectGUID, DN, email address, …)

      Portal default configuration
          By default Portal uses the standard unique id defined by the common LDAP
           vendors; all supported LDAP vendors have such an attribute (e.g. objectGUID
           for MSAD)


      ExtID changes now possible through XMLAccess
          Extended Cleanup User task to rebind uniqueIds



New in 6.1: User Profile REST Service

 Provides ATOM feeds for
      Defined user/group attributes
      User/group profiles
      User/group searches
      Group membership

 Supports CRUD operation through ATOM Publishing Protocol (APP)
      Create user/group
      Delete user/group
      Update user/group profile
      Add user to group
      Remove user from group


 Supports virtual portal realms



Sample: Feed of defined user attributes
     http://<portal_host>:<portal port>/<portal context root>/um/secure/attributes/users




Sample: User search result feed
             STORY TITLE
 http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles?searchAttributes=uid%3DA*




37                                                                                               37
                                                     WebSphere Portal Technical Conference Europe 2008
Sample: User profile
      STORY TITLE
     http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles/<user id>




38                                                                                          38
                                                WebSphere Portal Technical Conference Europe 2008
Group Assertion




New in 6.1: Reuse Group information from WebSphere
(aka. Group Assertion)

 The WebSphere TAI++ plug-in allows an external security manager to assert
  the user's group membership information to the WAS Security runtime
 The same can be done using custom JAAS login modules
 Portal 6.1 can be configured to use the asserted group information
  for access control checks instead of always retrieving group
  information from VMM

  Consistent group-based authorization throughout the whole WAS
  security domain

Reuse Group information from WebSphere
(aka. Group Assertion)

 Diagram: the authentication proxy (WebSEAL, SiteMinder) asserts the user via
  TAI / JAAS into WAS Security; WP gets the user id and group membership from
  WAS Security; VMM retrieves user/group profile information from LDAP (but no
  group membership); the former "retrieve groups" call from WP to VMM is marked
  with a question mark (optional once asserted groups are used)

StepUp Authentication and
Remember Me



StepUp and RememberMe

 RememberMe Cookie
       A persistent cookie allows the portal to recognize the user without login
          • Portal can show a personalized welcome page
       If RememberMe support is activated, the portal login portlet shows a checkbox
        for setting the cookie
       If the cookie is present, the portal treats the user as "identified" but not yet
        "authenticated"
          • The user can only see resources available for the anonymous user
       Access to protected resources requires the user to authenticate.

 StepUp Software Framework
       Enables you to plug in custom code for enforcing additional authentication levels
        for specific resources
         • E.g. enforce SSL for specific services, or client-side certificates, …
       Available for Pages and Portlets

 Administration
       The required authentication strength can be managed using the Resource
        Permission Portlet and XmlAccess

My Bookmarks page recognizes the remember-me cookie
  of an unauthenticated user

 Screenshot of wps/portal/mybookmarks with callouts:
       The remember-me cookie can be configured (in RememberMeConfigService.properties)
        to establish a WAS security context, or not
       Portal access control is agnostic of the current authentication level

Remember-me cookie can be configured to create a
  WAS security context

 Screenshot of wps/myportal/mybookmarks with callout:
       Access control enforces access control based on the remembered user identity

Custom Authentication Level Sample

 A custom authentication level is assigned to the "Feeds" page
 Screenshots (steps 1 to 3): the custom authentication challenge is shown;
  the page is served on successful authentication only

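To make the interplay of the remember-me cookie, the authentication level and access control concrete, here is an added Python model that is not code from the deck or from WebSphere Portal; the levels, resources, users and the establish_context option are constructed assumptions.

```python
"""Added example, not part of the original deck: a model of how the remember-me
cookie, Portal Access Control (PAC) and StepUp authentication levels interact.
Levels, resources and users are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Set


class AuthLevel(IntEnum):
    """Authentication strength of the current request, ordered weakest to strongest."""
    ANONYMOUS = 0       # no session, no cookie
    IDENTIFIED = 1      # remember-me cookie present: recognized, but not authenticated
    AUTHENTICATED = 2   # interactive login or web SSO token
    CLIENT_CERT = 3     # constructed custom StepUp level, e.g. TLS client certificate


@dataclass
class Request:
    session_user: Optional[str]      # user of an authenticated session, else None
    remembered_user: Optional[str]   # user named in the remember-me cookie, else None
    level: AuthLevel


@dataclass
class Resource:
    name: str
    viewers: Set[str]                                # principals holding the User (view) role
    required_level: AuthLevel = AuthLevel.ANONYMOUS  # StepUp level assigned to the resource


@dataclass
class Decision:
    outcome: str                     # "allow", "deny" or "challenge"
    principal: str                   # principal that PAC evaluated
    challenge_level: Optional[AuthLevel] = None


def resolve_principal(req: Request, establish_context: bool) -> str:
    """Principal seen by PAC. establish_context stands for the remember-me configuration
    choice of creating a WAS security context for a remembered user (option name assumed)."""
    if req.session_user:
        return req.session_user
    if req.remembered_user and establish_context:
        return req.remembered_user
    return "anonymous"


def decide(req: Request, res: Resource, establish_context: bool) -> Decision:
    principal = resolve_principal(req, establish_context)
    # 1. PAC: purely role based and agnostic of the authentication level.
    if principal not in res.viewers and "anonymous" not in res.viewers:
        return Decision("deny", principal)
    # 2. StepUp: the resource's authentication level must be reached, otherwise the
    #    framework issues the (possibly custom) authentication challenge.
    if req.level < res.required_level:
        return Decision("challenge", principal, res.required_level)
    return Decision("allow", principal)


# Constructed sample: Bob's bookmarks page, a page that needs a login, and a "Feeds"
# page that demands a client certificate.
BOOKMARKS = Resource("mybookmarks", viewers={"bob"})
PROTECTED = Resource("protected", viewers={"bob"}, required_level=AuthLevel.AUTHENTICATED)
FEEDS = Resource("feeds", viewers={"bob"}, required_level=AuthLevel.CLIENT_CERT)
REMEMBERED_BOB = Request(session_user=None, remembered_user="bob", level=AuthLevel.IDENTIFIED)
LOGGED_IN_BOB = Request(session_user="bob", remembered_user="bob", level=AuthLevel.AUTHENTICATED)

if __name__ == "__main__":
    for ctx in (False, True):
        print("context" if ctx else "no context", decide(REMEMBERED_BOB, BOOKMARKS, ctx))
    print(decide(REMEMBERED_BOB, PROTECTED, True))
    print(decide(LOGGED_IN_BOB, FEEDS, True))
```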
StepUp and RememberMe Admin

 Define Authentication Levels on Portlets and Pages via the Resource
  Permission Portlet
       (screenshot: "your auth level appears here ...")

 Via XMLAccess
       (screenshot: "your auth level appears here ...")

StepUp and RememberMe Framework
 (framework diagrams, three slides)

StepUp and RememberMe Framework - Configuration
 (configuration screenshot)

Virtual Portal Security




Virtual Portals

 A virtual portal is a "separate" portal within a portal
 Separate base URL, separate anonymous pages and login facility
 Some portal resources are scoped to individual VPs (e.g. Pages)
 Each individual virtual portal can be assigned a specific VMM realm

 Diagram: the URL Mappings www.ibm.com/wps/portal/yellow,
  www.ibm.com/wps/portal/blue and www.ibm.com/wps/portal/green lead via the
  navigation to Virtual Portal 1 (realm green), Virtual Portal 2 (realm blue)
  and Virtual Portal 3 (realm yellow), each with its own root page

VMM Realm-based Virtual Portal Security

 Each virtual portal is assigned a VMM user realm

 The realm defines a subset of the entries in the user registries

 Portal only allows members of the associated realm to access
  resources within the corresponding VP (e.g. Pages)

 Multiple realm support requires Federated Security

 From a WAS perspective there is SSO between all VPs
     Authenticated users get redirected to the VP-specific login page
      if they try to access a VP "from outside" the associated realm (i.e.
      if they are not part of the realm associated to that VP)

URL-prefix based Virtual Portal Security

 Each virtual portal can be assigned a unique URL prefix (e.g. "/wps/portal/yellow")
 Portal can be configured to guarantee that pages contained in a
  specific VP can only be accessed by URLs that contain the
  corresponding VP URL prefix

  Those URLs can be used to do URL-pattern based access control in
  reverse proxy servers (e.g. TAM/WebSEAL)
     Remark: this allows e.g. to leverage TAM POPs for VP-specific
      pages

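As an added example (not the product's own code), the following Python models the two virtual portal rules above, the realm rule and the URL-prefix rule, together with a reverse-proxy URL pattern check; all mappings, realms, pages and users are constructed.

```python
"""Added example, not part of the original deck: realm-based and URL-prefix based
virtual portal checks as described on the previous two slides. The VP mappings,
realms, pages and users are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed configuration: URL prefix -> VP, VP -> VMM realm, realm -> members, page -> VP
VP_BY_PREFIX: Dict[str, str] = {
    "/wps/portal/yellow": "vp_yellow",
    "/wps/portal/blue": "vp_blue",
    "/wps/portal/green": "vp_green",
}
REALM_BY_VP: Dict[str, str] = {"vp_yellow": "yellow", "vp_blue": "blue", "vp_green": "green"}
REALM_MEMBERS: Dict[str, Set[str]] = {
    "yellow": {"alice"},
    "blue": {"bob"},
    "green": {"alice", "carol"},
}
PAGE_VP: Dict[str, str] = {"news": "vp_yellow", "reports": "vp_blue", "wiki": "vp_green"}


@dataclass
class Outcome:
    action: str            # "serve", "redirect_to_vp_login" or "not_found"
    vp: Optional[str] = None


def vp_for_url(path: str) -> Optional[str]:
    """Longest matching prefix wins; a prefix must end at a path segment boundary."""
    for prefix in sorted(VP_BY_PREFIX, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return VP_BY_PREFIX[prefix]
    return None


def check_access(path: str, page: str, user: Optional[str]) -> Outcome:
    """Apply the URL-prefix rule first, then the realm rule."""
    vp = vp_for_url(path)
    if vp is None or PAGE_VP.get(page) != vp:
        # URL-prefix rule: a page scoped to VP x is only reachable under x's prefix;
        # any other URL behaves as if the page did not exist.
        return Outcome("not_found", vp)
    realm = REALM_BY_VP[vp]
    if user is None or user not in REALM_MEMBERS[realm]:
        # Realm rule: WAS-level SSO spans all VPs, but a user who is not a member of
        # this VP's realm is redirected to the VP-specific login page.
        return Outcome("redirect_to_vp_login", vp)
    return Outcome("serve", vp)


# Reverse-proxy view: with the prefix rule in place, a WebSEAL/TAM style ACL keyed
# by URL pattern is enough to fence off a whole VP (patterns constructed).
PROXY_ACL: Dict[str, Set[str]] = {"/wps/portal/blue": {"bob"}}


def proxy_allows(path: str, user: Optional[str]) -> bool:
    for prefix, allowed in PROXY_ACL.items():
        if path == prefix or path.startswith(prefix + "/"):
            return user in allowed
    return True   # no pattern matched: not restricted at the proxy


if __name__ == "__main__":
    print(check_access("/wps/portal/yellow/news", "news", "alice"))
    print(check_access("/wps/portal/blue/news", "news", "bob"))
    print(check_access("/wps/portal/yellow/news", "news", "bob"))
```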
Portal Backend SSO
(The Credential Vault)



Portal Single Sign-On Realms

 Diagram: two SSO realms
      Web SSO (LTPA, TAI, JAAS): the client John Doe (e.g. a web browser)
       authenticates at the authentication proxy and is known as john.doe to
       Web-Application 1, the Portal-Server and Web-Application 2
      Back-End SSO: the portlets on the portal server sign on to Back-End
       Application 1 as DoeJ, to Back-End Application 2 as John, and to Back-End
       Application 3 as PN:1234567, i.e. each back-end has its own user identity

Overview: Portal Single Sign-On

    Client-to-Web Application SSO
      Application server built-in SSO support (LTPA)
      Authentication proxy SSO support (WAS Trust Association Interceptors)
      WAS (therefore Portal) support for Federated Identity (Liberty/SAML)
       via WebSEAL or other front-end security service, brought in to WAS via
       TAI or other mechanism

    Portal-to-Back End SSO
      Portal Credential Vault
        • Credential Vault Portlet Service and Active and Passive Credential
           Objects
        • Credential Vault Adapter SPI
        • Default simple DB storage vault implementation
      ConnectionFactories provided via JCA / WAS

Windows Desktop to Portal Front-End SSO

 Supported out-of-the-box by WAS 6.1 through the SPNEGO TAI
      Supported by Portal 6.1

 Also supported out-of-the-box by Tivoli Access Manager
      WebSEAL supports SPNEGO, the id is passed to WAS via the standard TAI
      SiteMinder can do this too

Portal to Backend SSO: WP Credential Vault

 A Portlet Service for storing and retrieving SSO credentials, including
  the user's JAAS Subject that was built during login.
+
 A vault adapter interface to integrate vault implementations like the
  Tivoli Access Manager Global Sign-On Lockbox
+
 A basic default vault implementation
  - base64 encoding
  - public encryption exit
  - migration challenge

 Diagram: Portlets -> Credential Portlet Service -> Vault Adapter Interface ->
  Adapters (Default, TAM, Custom) -> Default Vault Impl. (with crypto exit),
  TAM GSO Lockbox, Custom Vault

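The following added Python example, which is not the product's code, sketches the vault layering on this slide, with a base64 exit standing in for the default vault's public encryption exit, and contrasts a passive with an active credential object; users, slots and secrets are constructed.

```python
"""Added example, not the product's own code: the Credential Vault layering
(portlet service, vault adapter, default vault with a pluggable encryption exit)
and the difference between passive and active credential objects.
Users, slots and secrets are constructed."""
import base64
from typing import Dict, Tuple


class EncryptionExit:
    """Stands in for the default vault's exit: base64 is an encoding, not a cipher,
    so the stored blob is readable by anyone with access to the vault table. A
    production exit plugs a real cipher in by overriding both methods."""

    def protect(self, secret: bytes) -> bytes:
        return base64.b64encode(secret)

    def unprotect(self, blob: bytes) -> bytes:
        return base64.b64decode(blob)


class DefaultVaultAdapter:
    """Vault adapter over an in-memory store keyed by (portal user, slot)."""

    def __init__(self, exit_: EncryptionExit) -> None:
        self._exit = exit_
        self._store: Dict[Tuple[str, str], bytes] = {}

    def set_credential(self, user: str, slot: str, userid: str, password: str) -> None:
        self._store[(user, slot)] = self._exit.protect(f"{userid}:{password}".encode())

    def get_credential(self, user: str, slot: str) -> Tuple[str, str]:
        plain = self._exit.unprotect(self._store[(user, slot)]).decode()
        userid, password = plain.split(":", 1)
        return userid, password

    def stored_blob(self, user: str, slot: str) -> bytes:
        """What is persisted, i.e. what a reader of the vault table sees."""
        return self._store[(user, slot)]


class PassiveCredential:
    """Hands the secret to the portlet; the portlet code is then responsible for it."""

    def __init__(self, vault: DefaultVaultAdapter, user: str, slot: str) -> None:
        self._userid, self._password = vault.get_credential(user, slot)

    def get_user_id(self) -> str:
        return self._userid

    def get_password(self) -> str:
        return self._password


class ActiveCredential:
    """Performs the back-end sign-on itself; the portlet never touches the password."""

    def __init__(self, vault: DefaultVaultAdapter, user: str, slot: str) -> None:
        self._vault, self._user, self._slot = vault, user, slot

    def authorize_basic(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Return a copy of the request headers with an HTTP Basic Authorization header."""
        userid, password = self._vault.get_credential(self._user, self._slot)
        token = base64.b64encode(f"{userid}:{password}".encode()).decode()
        return {**headers, "Authorization": f"Basic {token}"}


def build_sample_vault() -> DefaultVaultAdapter:
    """Constructed: portal user john.doe is DoeJ at back-end application 1."""
    vault = DefaultVaultAdapter(EncryptionExit())
    vault.set_credential("john.doe", "backend-app-1", "DoeJ", "s3cret")
    return vault


if __name__ == "__main__":
    v = build_sample_vault()
    print(ActiveCredential(v, "john.doe", "backend-app-1").authorize_basic({}))
    print(v.stored_blob("john.doe", "backend-app-1"))
```

With the base64 exit, the persisted blob is byte for byte the Basic token sent to the back-end, which is why a real cipher belongs in the exit.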
Part III: Authorization and
Security Infrastructure



What is Access Control (aka. Authorization)?

          Who is allowed to perform which action on which resource?

 Who: Authentication -> Unique User ID
 Which action: examples: view, edit, delete
 Which resource: Portal Resources, examples: page, portlet

Anonymous Access

 Screenshot callouts:
      The Anonymous User is allowed access to the Welcome Page
      The Anonymous User is allowed access to the Login Portlet
      The Anonymous User is allowed access to an Information Portlet

 User logs in ...

Personalized Access

 Screenshot callouts (user Bob):
      Bob is allowed to create and personalize private pages
      Bob sees additional pages
      Bob sees other portlets on the welcome page

 Now a more privileged user logs in ...

 Screenshot callouts (user Alice):
      Alice is allowed to do more things with the Welcome page
      Alice sees other portlets on the page

Role Concept

 Diagram: a Permission (Action + Resource, e.g. "Delete StocksPortlet") is
  contained in a Role (e.g. Manager, Editor); a Role Assignment connects the
  Role to a User or User Group in the User Subsystem (WMM)

Portal Role Types

 Diagram: the role types Administrator, Manager, Editor, Contributor, Privileged
  User and User, plus Security Administrator and Delegator

 Users are allowed to view portal resources
 Privileged Users are allowed to create and personalize private resources
 Contributors are allowed to create new shared resources
 Editors are allowed to create and edit shared resources
 Managers are allowed to create, edit, and delete shared resources
 Delegators are allowed to grant access to other principals
 Security Administrators are allowed to grant access on a resource to other principals
 Administrators are allowed to do everything

Protected Resource Hierarchy

 Diagram: the virtual root resource of the protected resource hierarchy ("root")
  has the virtual resources "page root", "External AZN" and "app root" as
  children. Below page root: page 1, below it the Teller page with page 3,
  page 4 and page 5, and page 6 below page 5. Below app root: the Teller app
  (containing portlet 1 and portlet 2) and app 2. Legend: virtual resource vs.
  protected resource.

Role Instances

 Diagram (same hierarchy as before) with role instances: Administrator@root,
  Manager@page1 (a WP role instance), Editor@Teller page (the Teller page is the
  domain root resource for Editor@Teller page) and User@Teller app. Editor is
  inherited by page 3, page 4 and page 5; an inheritance block for roles of type
  Editor stops it, so page 6 shows no Editor role.

Creation of Shared Resources

 A user creates a shared resource: createSharedResource(o5)
 The user that created the resource becomes the owner of the resource
 This owner relationship grants specific permissions on the corresponding resource
 Ownership can be transferred
 Owner permissions are never subject to inheritance

 Diagram: o1 -> o2 (Manager, explicit role assignment) -> o3, o4, o5 (Manager,
  inherited role extension) -> o6 (Manager inherited, plus the Owner
  relationship of the creating user)

Private Resources

 Users can be granted privileges to create private pages: createPrivatePage(page5)
 The user that created the private page becomes the owner of the new page
 Private resources are visible only for the owner of the resource
 Private resources do not inherit any roles from their ancestor nodes
 Private resources are deleted explicitly by the owner or automatically when
  the creator is removed from the portal

 Diagram: page1 -> page2 (Privileged User, explicit role assignment) -> page3,
  page4, page5 (Privileged User, inherited role extension) -> page6 (private
  resource, Owner only)

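As an added example rather than code from the deck, this Python model implements the access control rules of the preceding slides: role instances on the protected resource hierarchy, inheritance blocks, the owner relationship of shared resources and non-inheriting private resources. The hierarchy is constructed after the Role Instances diagram, and the strictly linear ordering of role types is an assumption of the model.

```python
"""Added example, not part of the original deck: a model of Portal Access Control
role inheritance on the protected resource hierarchy, with role instances,
inheritance blocks, the owner relationship and private resources. The hierarchy
and assignments are constructed; the linear role ordering is a simplification."""
from typing import Dict, Optional, Set

# Role types in ascending order (from the "Portal Role Types" slide). Delegator and
# Security Administrator, which concern granting access, are not modelled here.
ROLE_ORDER = ["User", "Privileged User", "Contributor", "Editor", "Manager", "Administrator"]
# Minimum role type needed for an action, after the same slide.
ACTION_MIN_ROLE = {"view": "User", "personalize": "Privileged User",
                   "create": "Contributor", "edit": "Editor", "delete": "Manager"}


class Resource:
    def __init__(self, name: str, parent: Optional["Resource"] = None,
                 owner: Optional[str] = None, private: bool = False) -> None:
        self.name, self.parent, self.owner, self.private = name, parent, owner, private
        self.assignments: Dict[str, Set[str]] = {}  # role type -> explicitly assigned principals
        self.blocked: Set[str] = set()               # role types with an inheritance block here

    def assign(self, role: str, principal: str) -> "Resource":
        """Create the role instance role@self for principal."""
        self.assignments.setdefault(role, set()).add(principal)
        return self


def roles_of(principal: str, res: Resource) -> Set[str]:
    """Effective role types of principal on res: explicit role instances plus roles
    inherited from the parent, minus types blocked on res. Private resources inherit nothing."""
    roles = {r for r, who in res.assignments.items() if principal in who}
    if res.private or res.parent is None:
        return roles
    return roles | {r for r in roles_of(principal, res.parent) if r not in res.blocked}


def allowed(principal: str, action: str, res: Resource) -> bool:
    if res.owner == principal:
        return True          # ownership grants its permissions on this resource only
    if res.private:
        return False         # private resources are visible to the owner only
    needed = ROLE_ORDER.index(ACTION_MIN_ROLE[action])
    return any(ROLE_ORDER.index(r) >= needed for r in roles_of(principal, res))


def build_sample_hierarchy() -> Dict[str, Resource]:
    """Constructed tree after the "Role Instances" slide: Administrator@root,
    Manager@page1, Editor@Teller page, an Editor inheritance block on page 6,
    plus a private page and a shared page created (and therefore owned) by a user."""
    root = Resource("root").assign("Administrator", "admin")
    page_root = Resource("page root", root)
    page1 = Resource("page 1", page_root).assign("Manager", "bob")
    teller = Resource("Teller page", page1).assign("Editor", "carol")
    page3, page4 = Resource("page 3", teller), Resource("page 4", teller)
    page5 = Resource("page 5", teller)
    page6 = Resource("page 6", page5)
    page6.blocked.add("Editor")
    private = Resource("private page", page1, owner="dave", private=True)
    shared = Resource("shared page", page1, owner="erin")      # createSharedResource by erin
    child = Resource("child of shared", shared)
    return {r.name: r for r in (root, page_root, page1, teller, page3, page4, page5, page6,
                                private, shared, child)}


if __name__ == "__main__":
    h = build_sample_hierarchy()
    for who, action, name in (("carol", "edit", "page 5"), ("carol", "edit", "page 6"),
                              ("bob", "view", "private page"), ("erin", "view", "child of shared")):
        print(who, action, name, allowed(who, action, h[name]))
```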
Access Control Administration

 Administration Portlets
 XmlAccess
 Portal Scripting

Portal Membership Model




What are Composite Applications?

 Diagram: a Composite Application consists of a User Interface, Business
  Components and Business Objects, held together by an Application Context and
  a Community; its Content comes from Documents (JCR), Domino, ERP, …

Templates and Applications

 Diagram: an Application Instance (Application Context, Community, Portal
  Objects, Business Objects) is serialized into a Template; the Template, with
  its points of variability (PoVs), is instantiated into new Application
  Instance(s), each with its own Application Context, Community, Portal Objects
  and Business Objects

Template XML

• contains the blue print to easily create another instance of that application
• describes visual and non-visual business components and their relationships
• allows for points of variability to be filled out during instantiation

Membership Management

 Screenshots (three slides): Business User: Application Owner

Application Role Mappings

 Diagram: Users / Groups are members of the Application Roles Admin, Analyst
  and Developer. Each application role is mapped to Component Roles (Admin,
  User, Operator) of the application's Business Components, e.g. the Insight
  Portlet, the XML Import Portlet and an External Trace Analyzer (e.g. a custom
  debug application)

Manage Application Roles

 Screenshot: Business User: Template Editor or Application Owner

E.g.: Create an additional "Manager" Role

[Screenshot with callouts:]
 Application Role name ...
 ... and description
 this role shall contain delegation privileges
 this role shall contain Manager privileges for the Insight portlet component
 Component roles exposed by the Enable Tracing component

New application role has been created ...

[Screenshot]

Business Users can use the new role ...

[Screenshot; callout: Business User: Application Owner]

Application Roles & Membership

 WebSphere Portal 6.0 features an infrastructure for composite applications
 Each application consists of a set of business components
 Business components expose component roles as appropriate for the
  corresponding business domain
 Component roles exposed by one or more business components can be
  aggregated into application roles
 Application roles can be assigned to users and groups
 A user who is assigned a specific application role is considered a
  member of the corresponding application instance
 There are administration portlets for application role management (i.e.
  create, modify, delete, update application roles) and membership
  management
 Application instances can be serialized into templates
     Application roles are part of the template

The 4 Data Domains

No inheritance across domain boundaries; each domain supports consistent backup/restore on its own.

 Release Domain
     Data: "MyPortal" & "Admin" resources
     Model: Authorization Roles
 Community Domain
     Data: Application/Templating data
     Model: Membership Model
 Customization Domain
     Data: User private data (e.g. private pages)
     Model: private resources only
 JCR Domain
     Data: Content (WCM/PDM) + Templates, Policies, PZN Rules
     UI: Authorization Roles

WSRP Security

Web Services for Remote Portals (WSRP)

 Industry standard for presentation-oriented Web Services
 Producer Side: Portlets can be provided as WSRP Services
 Consumer Side:
     Set up a Producer entity
     Integrate WSRP Services in the form of Portlets from a Producer

[Figure: WebSphere Portal hosts local portlets (JSR 168 / WPS 4.x) via the Portlet API alongside a generic portlet proxy that consumes WSRP services over the Internet/intranet from application and content providers and 3rd-party content/application providers; services are published/found through a UDDI registry (SOAP)]

WSRP Identity Propagation

 User Profile Propagation (no security)
     User profile data submitted in the SOAP message
     Used for generating personalized content
     Not intended for access control decisions

 SSL client certificate authentication
     Certificate-based client authentication with the User ID in the certificate
     One identity per consumer portal

 WS-Security
    WSRP client/producer run in a JSR 109 compliant container
       allows full exploitation of the WAS WS-Security runtime
    Allows end user identity propagation / mapping
        • e.g. LTPA token forwarding
        • public plug points in WAS for custom tokens

 Tivoli Federated Identity Manager (TFIM) provides multiple ways of doing web-services-based
  federated SSO (e.g. via SAML)

Java 2 Platform Security

Java 2 Platform Security

       "Is this piece of code allowed to read httpd.conf?"
       Part of the Java Language Specification
       Policy files define the privileges of the code to be executed
       Protection of system resources and APIs via a policy-based,
        fine-grained access control mechanism
       Activated via a global setting in WebSphere Application Server
        (independent of "Global Security")

Java 2 Platform Security

       WebSphere Portal runs with Java 2 Security enabled
       Portal core libraries and administration portlets are supposed
        to be trusted and get java.security.AllPermission
       Portlet-specific permissions can be assigned to individual
        portlets by adding a corresponding was.policy file to the WAR
        archive
         Portlet deployment copies the was.policy file to the
          EAR level as required by the WAS security runtime
       Individual portlets can be prevented from accessing
        arbitrary system resources ...

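As an added example (not IBM's code and not part of the original deck), the following Java program loads a policy written in the same grant syntax a was.policy file uses and asks the JDK's own policy implementation the slide's question, "Is this piece of code allowed to read httpd.conf?", once for trusted portal core code and once for a custom portlet. All jar paths and directories are constructed placeholders; in a real was.policy the codeBase would be written with the WAS placeholders ${application} or ${webComponent} rather than an absolute path.

```java
import java.io.FilePermission;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

/**
 * Added example, not IBM's code. Mirrors the deck's model: portal core
 * libraries are fully trusted (AllPermission), while a portlet only gets
 * the permissions its was.policy grants. Paths are constructed placeholders.
 */
public class PortletPolicyCheck {

    // Constructed policy text in standard Java policy-file syntax.
    // In a real was.policy the codeBase would be "file:${application}"
    // or "file:${webComponent}" instead of an absolute placeholder path.
    static final String POLICY_TEXT =
        "grant codeBase \"file:/opt/portal/lib/-\" {\n" +
        "  permission java.security.AllPermission;\n" +
        "};\n" +
        "grant codeBase \"file:/opt/portlets/custom-debug/-\" {\n" +
        "  permission java.io.FilePermission \"/opt/portlets/custom-debug/work/-\", \"read,write\";\n" +
        "};\n";

    /** Parses the policy text with the JDK's standard policy-file provider. */
    static Policy loadPolicy(String text) throws Exception {
        Path file = Files.createTempFile("example", ".policy");
        Files.write(file, text.getBytes(StandardCharsets.UTF_8));
        file.toFile().deleteOnExit();
        return Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));
    }

    /** Builds the protection domain the JVM would assign to code loaded from jarUrl. */
    static ProtectionDomain domainFor(String jarUrl) throws IOException {
        CodeSource cs = new CodeSource(new URL(jarUrl), (Certificate[]) null);
        // null permissions/classloader/principals: a dynamic domain, so the
        // access decision is delegated to the installed Policy object
        return new ProtectionDomain(cs, null, null, null);
    }

    /** The question the security manager would ask for this code and permission. */
    static boolean allowed(Policy policy, ProtectionDomain domain, Permission p) {
        return policy.implies(domain, p);
    }

    public static void main(String[] args) throws Exception {
        Policy policy = loadPolicy(POLICY_TEXT);
        ProtectionDomain core = domainFor("file:/opt/portal/lib/wp.engine.jar");
        ProtectionDomain portlet = domainFor("file:/opt/portlets/custom-debug/lib/debug.jar");

        Permission readHttpdConf =
            new FilePermission("/etc/httpd/conf/httpd.conf", "read");
        Permission writeTrace =
            new FilePermission("/opt/portlets/custom-debug/work/trace.log", "write");

        // Core code passes every check; the portlet only passes the check
        // covered by its own grant and is refused httpd.conf and AllPermission.
        System.out.println("core reads httpd.conf:     " + allowed(policy, core, readHttpdConf));
        System.out.println("portlet reads httpd.conf:  " + allowed(policy, portlet, readHttpdConf));
        System.out.println("portlet writes trace.log:  " + allowed(policy, portlet, writeTrace));
        System.out.println("portlet has AllPermission: " + allowed(policy, portlet, new AllPermission()));
    }
}
```

No SecurityManager needs to be installed to run this: it queries Policy.implies directly, which is the decision the access controller consults for a dynamic protection domain.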
Misc

Misc

 Security Audit Service
      Can be activated to track administrative actions
      Writes a dedicated log file (plain text)
      Includes information on the executing user, execution time, and involved
       resources

 New with 6.1:
      SSL configuration in the WAS Admin Console

WebSphere Portal Security Strategy

      Security is part of the Portal Design Process
           Design documents detail security implications and are reviewed by a
            dedicated portal security team
      Security is part of the Portal Testing Strategy
           WebSphere Portal does dedicated security vulnerability (a.k.a. penetration)
            testing on selected portal releases
      Security Certifications
           WebSphere Portal access control is Common Criteria certified
           WebSphere Portal uses FIPS 140-2 compliant crypto libraries provided by
            WebSphere Application Server
      Portal Security is aligned with the IBM Security Strategy
           IBM invests in security research, e.g. teams in Zurich and Tokyo
            investigate Web 2.0 security implications
           The WebSphere Portal security architect aligns portal security with the IBM
            security strategy and research results
      Security fixes are published on the portal Security Bulletin Web Site
       http://www-128.ibm.com/developerworks/websphere/zones/portal/security/

Additional Information and Resources

 WebSphere Portal Security White Paper
  http://www-128.ibm.com/developerworks/websphere/library/techarticles/0611_buehler/0611_buehler.html
 Exploiting the WebSphere Portal V5.1.0.1 programming model,
  Part 3: Integrating WebSphere Portal into your security environment
  http://www.ibm.com/developerworks/websphere/library/techarticles/0606_buehler/0606_buehler.html

 WebSphere Portal Product Information:
  http://www-306.ibm.com/software/genservers/portal/enable/

 WebSphere Portal Information Center documentation
  http://www-106.ibm.com/developerworks/websphere/zones/portal/proddoc.html

 WebSphere Portal Security Zone
  http://www-128.ibm.com/developerworks/websphere/zones/portal/security/

WebSphere Portal Technical Conference Europe 2008

Session ID: B07

Session:
IBM WebSphere Portal Security Overview

Presenter: Dr. Dieter Buehler

Please take a few minutes to fill out the session survey.

Thank you

© IBM Corporation 2008 All Rights Reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify
   the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of
   any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which
   are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or
   otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall
   have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms
   and conditions of the applicable license agreement governing the use of IBM software.

References in this presentation to IBM products, programs, or services do not imply that they will be available in all
   countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change
   at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a
   commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor
   shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue
   growth or other results.
All customer examples described are presented as illustrations of how those customers have used IBM products and the
    results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

IBM, the IBM logo, WebSphere, Lotus, Lotus Notes, Domino, Quickplace, Sametime, Workplace and Quickr are
   trademarks of International Business Machines Corporation in the United States, other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or
   both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

All references to Renovations Inc. refer to a fictitious company and are used for illustration purposes only.
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 

Recently uploaded (20)

When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 

Websphere Portal V6.1 Security Overview

  • 1. IBM WebSphere Portal Security Overview. Stefan Schmitt, WebSphere Portal Security Architect. © 2008 IBM
  • 2. Agenda
      Part I: Introduction
      Part II: Authentication and User Identity
          Authentication
          PUMA and VMM
          RememberMe and StepUp
          WAS Group Assertion
          Virtual Portal Security
          SSO – Credential Vault
      Part III: Authorization and Security Infrastructure
          Portal Access Control & Membership
          WSRP Security
          Java 2 Platform Security
          Miscellaneous
      Summary
    WebSphere Portal Technical Conference Europe 2008
  • 3. Part I: Portal Security Introduction
      WebSphere Portal (WP) Security is based on WebSphere Application Server (WAS) security
      WP Security leverages the following from WAS:
          J2EE Security
          Web Single-Sign-On (JAAS / TAI / LTPA)
          Java 2 Security
          Java Connector Architecture
          SSL / TLS Support
          IBM JCE/JCE/JSSE libraries
      WP Security provides additional features in the areas:
          Authorization
          Authentication Customization
          User Profile and Group Management
          Back-end Single Sign On (Credential Vault)
          Security Audit
  • 4. Portal Setup with Authentication Proxy (diagram only)
  • 5. Part II: Authentication and User Identities. © 2008 IBM
  • 6. Portal Authentication. © 2008 IBM
  • 7. Authentication
      WP is a custom Form Login application to WAS
      It relies on WAS to
         − intercept requests to the protected portal area
         − do the authentication and provide the security context
         − Global Security in WAS is active
      Portal picks up whatever user identity WAS has established
      All WAS authentication customization options also apply to portal:
          Authentication Proxies and Trust Association Interceptors (e.g. TAM / WebSEAL)
          Custom JAAS Login Modules
      Portal supports public code plug points for intercepting the portal login and session validation flow
  • 8. Portal and WAS Authentication "flow" (since version 6.1.x)
    (diagram) Login via UI, XMLAccess or scripting → Portal login handler → VMM: retrieve user, ID/PW okay? → JAAS login (Portal_LTPA) → WAS security context → VMM: fetch attributes by DN (user profile), fetch nested group memberships (independent of the WAS lookup, but based on the DN from WAS).
    WAS Security uses the WAS user registry configuration (e.g. via admin console) against LDAP: search, "bind" (validate id/pw), fetch DN, fetch group memberships.
  • 9. Portal and WAS Authentication "flow" (since version 6.1.x), with the Login Filter Chain plug point
    (diagram) Same flow as slide 8; between the portal login handler and the JAAS login, the Login Filter Chain plug point runs Explicit Login Filter 1 ... Explicit Login Filter N.
  • 10. End user identity flow from TAI to WAS to WP
      User identity must be "mappable" from front end security and TAI (if present) to WAS and WP
      Path of least resistance: Front end/TAI, WAS, and WP should all use the same user registry
      Possible to map between different registries for front end vs. WAS/WP
          This is complex and leads to hard-to-debug problems
          TAI can assert a security shortname that WAS will "look up" using search
          TAI++ can set the end user identity, bypassing the lookup
             • Portal still needs to be able to look up profile info for that user
      Except in VERY rare circumstances, WAS and WP should always use the same user registry
          Portal lookup based on "DN" from WAS
  • 11. Portal and External Security (authentication)
      Anything "in front of" WAS that does the authentication
      Login dialog conducted by front end security
          May use Portal to serve up the login page, but Portal no longer handles the login form submission
      Front end asserts already-authenticated end user identity to WAS
          Trust Association Interceptor (TAI) architecture
          TAM has other options (LTPA junctions)
      TAI is a WAS feature, not a Portal feature
          Documented in the WAS InfoCenter
          Portal has no idea about presence or absence of a TAI, or how WAS gets the user identity
          IBM only provides one (1) TAI, the one for TAM/WebSEAL. ALL OTHER SECURITY VENDORS MUST PROVIDE THEIR OWN TAI.
  • 12. Portal and WAS and TAI Authentication "flow"
    (diagram) Login dialog between the browser and the front-end security proxy: all id/pw validation is done by the front end. The front end asserts the identity to WAS through the TAI; WAS checks "WAS lookup okay?" against the WAS user registry configuration (e.g. via admin console), i.e. LDAP search, fetch DN, fetch group memberships, and creates the WAS security context. Portal/VMM then fetch attributes by DN (user profile) and nested group memberships, independent of the WAS lookup but based on the DN from WAS (from the TAI).
  • 13. Portal and WAS and TAI Authentication "flow", with the Implicit Login Filter Chain plug point
    (diagram) Same flow as slide 12; after the TAI has asserted the identity, the Implicit Login Filter Chain plug point runs Implicit Login Filter 1 ... Implicit Login Filter N before Portal uses the WAS security context.
  • 14. Variation: New Federated Security Option in WAS 6.1
      VMM can be used as Security Provider in WebSphere Application Server (Federated)
      Fully integrated in WebSphere Admin Console
          Replaces former WMM-UR option
  • 15. Portal and WAS Authentication "flow" (federated)
    (diagram) Login via UI, XMLAccess or scripting → Portal login handler → VMM: retrieve user, ID/PW okay? → WAS Security API (JAAS) → WAS security context. Fetch attributes by DN (user profile) and nested group memberships, independent of the WAS lookup but based on the DN from WAS. WAS Security (WMMUR) uses the VMM configuration in WAS, which searches, "binds" (validates id/pw), fetches the DN and fetches group memberships from several LDAP servers.
  • 16. Portal and WAS Authentication "flow" (federated), with the Login Filter Chain plug point
    (diagram) Same flow as slide 15; the Login Filter Chain plug point runs Explicit Login Filter 1 ... Explicit Login Filter N between the portal login handler and the WAS Security API (JAAS).
  • 17. New Portal Login and Session Validation Filter API
      Filter chains for
          Explicit Portal Login (i.e. login is triggered by Portal)
          Implicit Portal Login (i.e. authentication has been performed by an external authentication provider)
          Explicit Portal Logout
          Session Validation (to validate individual (authenticated) portal requests)
          Session Validation Timeout handling (for custom session time out handling)
      Custom filter implementations are plugged in by adding the corresponding properties to AuthenticationService.properties
  • 18. New Portal Login and Session Validation Filter API (diagram only)
  • 19. New Portal Login and Session Validation Filter API (code screenshot)
      FilterChainContext can be used to pass parameters between filters and to specify redirect URLs
  • 20. New Portal Login and Session Validation Filter API (code screenshot, same caption as slide 19)
  • 21. New Portal Login and Session Validation Filter API (code screenshot, same caption as slide 19)
  • 22. HTTP Basic Auth TAI
      Can be used to send an HTTP Basic Auth challenge for specific URLs and/or User Agents
  • 23. Portal AJAX Proxy
    (diagram) Browser in Domain A receives the HTML page from the portal; the AJAX portlet sends an HTTP GET to the AJAX Proxy in Domain A, which sends an HTTP GET to the trusted server in Domain B, filtered by the trusted sites list.
      Today's browsers prevent asynchronous requests to foreign domains for security reasons. Example: your portlet is served from www.mycompany.com but your AJAX application tries to load a feed from cnn.com. This would be blocked by the browser.
  • 24. AJAX Proxy Server: Security Challenge
    (diagram) "Dieter's Travel Mashup" document in the browser: "... an unsecured AJAX proxy would expose me to danger ...". Cross-domain AJAX requests (restricted by your browser security model) go through the AJAX Proxy in WAS to the Car Rental Site, the Travel Agency Site and the Weather Service Site.
  • 25. Mash-up Security Risk
      Weather site is hacked or malicious
      Markup provided by the Weather site can serve active content at will, e.g. steal
          cookies / security tokens
          all information from the Mashup DOM (e.g. credit card info entered in a field in the travel agency site)
      3rd party content is now served from your portal
          Copyright issues (Weather service serves stolen weather data)
          Infected data (e.g. containing a virus)
          Illegal data (e.g. offensive content)
      Same issue with:
         − malicious ATOM feeds
         − including a portlet via WSRP
         − client side mash-up via AJAX
    (diagram) Dieter's Travel Mashup document (credit# field) in "your portal", fed by the Car Rental Site, the Travel Agency Site and the Weather Service Site.
  • 26. Portal AJAX Proxy Server guards my credit card number
    (diagram) The Weather Site is not on the trusted server list, so the AJAX Proxy in WAS blocks it; the Car Rental Site and the Travel Agency Site are allowed.
      Filtering based on
         − URL
         − HTTP action
         − mime-type
         − requesting user
      Maintained by the Security Administrator (admin controlled security policy)
  • 27. AJAX Proxy Configuration
      The AJAX proxy security policy is specified in XML
      Request filtering based on
          URL
          HTTP Action
          mime-type
          Requesting user
      Cookie forwarding can be enabled
      Planned for future version: Active Content Filtering Enforcement
  • 28. AJAX Proxy: sample policy (XML screenshot only)
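The request filtering of slides 26 and 27, as an added example that is not part of the deck and not Portal's proxy code or its XML policy format: a default-deny allow-list keyed on URL, HTTP action, mime-type and requesting user, with cookie forwarding as a per-rule flag. The rule fields, the sample sites (travel.example, cars.example, weather.example) and the `"authenticated"` user marker are assumptions.

```python
"""Allow-list evaluation for a cross-domain AJAX proxy (constructed model)."""
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PolicyRule:
    url_pattern: str            # glob over "scheme://host/path", e.g. "https://travel.example/api/*"
    actions: FrozenSet[str]     # permitted HTTP methods
    mime_types: FrozenSet[str]  # permitted response content types
    users: FrozenSet[str] = frozenset({"*"})  # "*" anyone, "authenticated" any logged-in user, or user ids
    forward_cookies: bool = False             # forward the browser's cookies to the target site


@dataclass(frozen=True)
class ProxyRequest:
    url: str
    method: str
    user: Optional[str]        # None = anonymous portal user
    has_cookies: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    forward_cookies: bool = False


def _normalize(url: str) -> str:
    """Canonical form for matching: lower-cased scheme and host, path without query."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


def _find_rule(policy: List[PolicyRule], url: str) -> Optional[PolicyRule]:
    target = _normalize(url)
    for rule in policy:
        if fnmatch.fnmatchcase(target, rule.url_pattern):
            return rule
    return None


def _user_permitted(rule: PolicyRule, user: Optional[str]) -> bool:
    if "*" in rule.users:
        return True
    if user is None:
        return False
    return "authenticated" in rule.users or user in rule.users


def evaluate_request(policy: List[PolicyRule], req: ProxyRequest) -> Decision:
    """Decide before the proxy contacts the target site (default deny)."""
    rule = _find_rule(policy, req.url)
    if rule is None:
        return Decision(False, "target not on the trusted server list")
    if req.method.upper() not in rule.actions:
        return Decision(False, f"HTTP {req.method.upper()} not permitted for {rule.url_pattern}")
    if not _user_permitted(rule, req.user):
        return Decision(False, "requesting user not permitted for this target")
    return Decision(True, f"matched {rule.url_pattern}", rule.forward_cookies and req.has_cookies)


def response_permitted(policy: List[PolicyRule], req: ProxyRequest, content_type: str) -> bool:
    """Second gate after the fetch: a permitted site may still answer with a
    mime-type the policy does not allow (e.g. HTML with script instead of JSON)."""
    rule = _find_rule(policy, req.url)
    if rule is None:
        return False
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime in rule.mime_types


# Constructed sample policy: two trusted sites; the weather site is deliberately absent.
SAMPLE_POLICY = [
    PolicyRule("https://travel.example/api/*", frozenset({"GET", "POST"}),
               frozenset({"application/json", "text/xml"}), frozenset({"authenticated"})),
    PolicyRule("https://cars.example/api/*", frozenset({"GET"}),
               frozenset({"application/json"}), forward_cookies=True),
]


if __name__ == "__main__":
    for r in (ProxyRequest("https://travel.example/api/rates", "GET", "dieter"),
              ProxyRequest("https://weather.example/today", "GET", "dieter"),
              ProxyRequest("https://cars.example/api/book", "POST", "dieter"),
              ProxyRequest("https://travel.example/api/rates", "GET", None)):
        d = evaluate_request(SAMPLE_POLICY, r)
        print(f"{r.method} {r.url} as {r.user or 'anonymous'}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Matching is done on the normalized scheme, host and path, so `https://travel.example.evil.test/...` does not match the `travel.example` rule; the response check is the defensive counterpart of the "Active Content Filtering" item on slide 27, since a trusted site can still return markup instead of the expected data.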
  • 29. PUMA and VMM. © 2008 IBM
  • 30. PUMA and VMM
      Now two public APIs
          PUMA within Portal, VMM within WAS
      What is VMM?
          Virtual Member Manager supersedes WMM
          Fully integrated in WebSphere Application Server
      Why PUMA?
          Fine-grained access control on users and groups
          Portal virtual principals (Anonymous, All Authenticated, ...)
          VP and realm awareness
          REST API
  • 31. User Registry Integration – From WMM to VMM
    (diagram) Portal → PUMA (public since v5101) → WMM → UR Adaptor → WAS UR, LDAP, DB, or LDAP + DB. The UR Adaptor is a non-public plug-point used with AECI.
  • 32. VMM Integration in WP V6.1
    (diagram) WAS Security (Federated) and Portal (via the REST API and the PUMA SPI, public since v5101) both use VMM; VMM reaches the LDAP, LDAP, Custom and DB repositories through the VMM UR Adaptor, which is a public plug-point.
  • 33. Multiple LDAP support (since 6.0)
      Requires Federated Security
      VMM can dispatch calls to multiple user registries
      Realms can point to a (subset of a) specific user registry or to (subsets of) multiple user registries
      User IDs need to be unique across all registries
    (diagram) Portal Server → VMM; realm acme → LDAP for ACME, realm supplier → LDAP for Supplier, realm customer → LDAP for Customer.
  • 34. External Id (extId) Mapping in VMM
      Starting with WP 6.0 roles are no longer tied to the DN of the user but to another unique ID (ExtID)
      VMM ExtID is an opaque, unique, static, and never-to-be-reused attribute of each user and group
      Portal administrator can map the VMM ExtID to an attribute of his choice (e.g. objectGUID, DN, email address, ...)
      Portal default configuration
          Portal by default uses the standard unique id defined by the common LDAP vendors. All supported LDAP vendors have such an attribute (e.g. objectGUID for MSAD)
      ExtID changes now possible through XMLAccess
          Extended Cleanup User task to rebind uniqueIds
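Why slide 34 matters for authorization, as an added example (not the deck's or VMM's code): the same role assignment is run against a DN-keyed and an ExtID-keyed role store, across a move of the user to another OU and the later creation of an unrelated account under the old DN. The registry entries, resource and role names are assumptions, and the ExtID is simulated with a random UUID in the place objectGUID takes for Active Directory.

```python
"""Stable ExtID vs. mutable DN as the key for role assignments (constructed model)."""
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass
class RegistryEntry:
    dn: str        # may change when the entry is moved or renamed
    uid: str
    ext_id: str    # opaque, unique, static, never reused


class Registry:
    """Minimal LDAP-like store: entries indexed by their stable ExtID."""

    def __init__(self) -> None:
        self._entries: Dict[str, RegistryEntry] = {}

    def add(self, dn: str, uid: str) -> RegistryEntry:
        entry = RegistryEntry(dn, uid, uuid.uuid4().hex)   # simulated objectGUID
        self._entries[entry.ext_id] = entry
        return entry

    def by_dn(self, dn: str) -> RegistryEntry:
        for entry in self._entries.values():
            if entry.dn.lower() == dn.lower():
                return entry
        raise KeyError(dn)

    def move(self, old_dn: str, new_dn: str) -> RegistryEntry:
        """A modrdn / move: the DN changes, the ExtID stays."""
        entry = self.by_dn(old_dn)
        entry.dn = new_dn
        return entry


KeyFn = Callable[[RegistryEntry], str]
KEY_BY_DN: KeyFn = lambda e: e.dn.lower()     # pre-6.0 style binding
KEY_BY_EXT_ID: KeyFn = lambda e: e.ext_id     # WP 6.0+ style binding


class RoleStore:
    """Role assignments: (resource, role) -> set of principal keys."""

    def __init__(self, key_fn: KeyFn) -> None:
        self._key_fn = key_fn
        self._roles: Dict[Tuple[str, str], Set[str]] = {}

    def grant(self, entry: RegistryEntry, resource: str, role: str) -> None:
        self._roles.setdefault((resource, role), set()).add(self._key_fn(entry))

    def has_role(self, entry: RegistryEntry, resource: str, role: str) -> bool:
        return self._key_fn(entry) in self._roles.get((resource, role), set())


def scenario(key_fn: KeyFn) -> Tuple[bool, bool]:
    """Run the same two events against a DN-keyed or ExtID-keyed role store.

    Returns (user keeps the role after the move, newcomer created under the
    old DN inherits the role). The second value is the privilege-leak case.
    """
    registry, roles = Registry(), RoleStore(key_fn)
    alice = registry.add("uid=alice,ou=sales,o=acme", "alice")
    roles.grant(alice, "page:finance-reports", "Editor")

    alice = registry.move(alice.dn, "uid=alice,ou=finance,o=acme")
    keeps_role = roles.has_role(alice, "page:finance-reports", "Editor")

    # Later an unrelated account is created under the DN alice used to have.
    newcomer = registry.add("uid=alice,ou=sales,o=acme", "alice-contractor")
    inherits_role = roles.has_role(newcomer, "page:finance-reports", "Editor")
    return keeps_role, inherits_role


if __name__ == "__main__":
    print("DN-keyed roles    (keeps, leaks):", scenario(KEY_BY_DN))
    print("ExtID-keyed roles (keeps, leaks):", scenario(KEY_BY_EXT_ID))
```

With DN keys the moved user silently loses the role and the newcomer silently gains it; with ExtID keys neither happens. The "never-to-be-reused" property on slide 34 is what makes the second outcome hold, which is also why the chosen attribute must be one the directory itself guarantees stable, not an attribute such as mail that administrators reassign.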
  • 35. New in 6.1: User Profile REST Service
      Provides ATOM feeds for
          Defined user/group attributes
          User/group profiles
          User/group searches
          Group membership
      Supports CRUD operations through the ATOM Publishing Protocol (APP)
          Create user/group
          Delete user/group
          Update user/group profile
          Add user to group
          Remove user from group
      Supports virtual portal realms
  • 36. Sample: Feed of defined user attributes (screenshot)
    http://<portal_host>:<portal port>/<portal context root>/um/secure/attributes/users
  • 37. Sample: User search result feed (screenshot)
    http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles?searchAttributes=uid%3DA*
  • 38. Sample: User profile (screenshot)
    http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles/<user id>
  • 39. Group Assertion. © 2008 IBM
  • 40. New in 6.1: Reuse Group information from WebSphere (aka. Group Assertion)
      The WebSphere TAI++ plug point allows an external security manager to assert the user's group membership information to the WAS Security runtime
      The same thing can be done using custom JAAS login modules
      Portal 6.1 can be configured to use the asserted group information for access control checks instead of always retrieving group information from VMM
       Consistent group-based authorization throughout the whole WAS security domain
  • 41. Reuse Group information from WebSphere (aka. Group Assertion)
    (diagram) Authentication proxy (WebSEAL, SiteMinder) → TAI / JAAS → WAS Security: get user id and group membership → WP: retrieve groups from WAS or from VMM? → VMM → LDAP: retrieve user/group profile information (but no group membership).
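The identity hand-off of slides 10 to 13 and the group-source choice of slides 40 and 41, as an added example that is not the deck's, WAS's or Portal's code: a plain TAI asserts a shortname that WAS must look up, a TAI++ asserts the DN (and optionally groups) directly, and Portal always needs the profile by DN from its own registry. The registry contents, the assertion dictionaries and the `use_asserted_groups` switch are assumptions.

```python
"""TAI -> WAS -> Portal identity flow with optional group assertion (constructed model)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Subject:
    """What WAS establishes and Portal picks up."""
    dn: str
    asserted_groups: Optional[List[str]]   # only set when a TAI++ or JAAS module asserted them


class UserRegistry:
    """LDAP-like registry: DN -> attributes, with a shortname index."""

    def __init__(self, entries: Dict[str, dict]) -> None:
        self._by_dn = entries
        self._dn_by_uid = {attrs["uid"]: dn for dn, attrs in entries.items()}

    def search_dn(self, uid: str) -> Optional[str]:
        return self._dn_by_uid.get(uid)

    def profile(self, dn: str) -> Optional[dict]:
        attrs = self._by_dn.get(dn)
        if attrs is None:
            return None
        return {k: v for k, v in attrs.items() if k != "groups"}

    def groups(self, dn: str) -> List[str]:
        attrs = self._by_dn.get(dn)
        return list(attrs["groups"]) if attrs else []


def was_accept_assertion(was_registry: UserRegistry, assertion: dict) -> Subject:
    """Turn a TAI assertion into a WAS security context.

    A plain TAI asserts a shortname that WAS looks up by search; a TAI++
    asserts the full identity (and optionally groups), bypassing the lookup.
    """
    if "dn" in assertion:
        groups = assertion.get("groups")
        return Subject(assertion["dn"], list(groups) if groups is not None else None)
    dn = was_registry.search_dn(assertion["uid"])
    if dn is None:
        raise PermissionError(f"shortname {assertion['uid']!r} not found in the WAS user registry")
    return Subject(dn, None)


def portal_login(portal_registry: UserRegistry, subject: Subject, use_asserted_groups: bool) -> dict:
    """Portal's part: the profile by DN always comes from VMM; groups come from
    the WAS subject when group assertion is configured, otherwise from VMM."""
    profile = portal_registry.profile(subject.dn)
    if profile is None:
        raise PermissionError(f"no profile for {subject.dn}: WAS and Portal registries differ")
    if use_asserted_groups and subject.asserted_groups is not None:
        groups = list(subject.asserted_groups)
    else:
        groups = portal_registry.groups(subject.dn)
    return {"dn": subject.dn, "profile": profile, "groups": groups}


# Constructed corporate registry shared by WAS and Portal (the recommended setup).
CORP = UserRegistry({
    "uid=jdoe,ou=people,o=acme": {"uid": "jdoe", "mail": "jdoe@acme.example",
                                  "groups": ["cn=staff,ou=groups,o=acme"]},
})


def run_scenarios() -> dict:
    out: dict = {}
    # 1. Plain TAI, same registry: the lookup succeeds and groups come from VMM.
    s = was_accept_assertion(CORP, {"uid": "jdoe"})
    out["plain_tai_groups"] = portal_login(CORP, s, use_asserted_groups=True)["groups"]
    # 2. Plain TAI using the front end's own naming scheme: WAS cannot map it.
    try:
        was_accept_assertion(CORP, {"uid": "jane.doe"})
        out["mismatched_shortname"] = "accepted"
    except PermissionError:
        out["mismatched_shortname"] = "rejected by WAS"
    # 3. TAI++ asserts identity plus groups (one group only the external manager knows).
    s = was_accept_assertion(CORP, {"dn": "uid=jdoe,ou=people,o=acme",
                                    "groups": ["cn=staff,ou=groups,o=acme", "cn=vpn-users,ou=esm,o=acme"]})
    out["asserted_groups"] = portal_login(CORP, s, use_asserted_groups=True)["groups"]
    out["vmm_groups"] = portal_login(CORP, s, use_asserted_groups=False)["groups"]
    # 4. TAI++ asserts a DN that Portal's registry has never heard of.
    s = was_accept_assertion(CORP, {"dn": "cn=jdoe,o=legacy", "groups": []})
    try:
        portal_login(CORP, s, use_asserted_groups=True)
        out["unknown_dn"] = "accepted"
    except PermissionError:
        out["unknown_dn"] = "rejected by Portal"
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenarios 2 and 4 are the two failure modes behind the "same user registry" advice on slide 10: a shortname WAS cannot resolve, and a DN Portal cannot resolve, both end the login even though the front end considered the user authenticated. Scenario 3 shows the trade-off of slide 40: with assertion enabled, the authorization decision follows whatever the external security manager says, so its group data becomes part of the trust boundary.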
  • 43. StepUp and RememberMe
      RememberMe Cookie
          Persistent cookie allows the portal to recognize the user without login
             • Portal can show a personalized welcome page
          If RememberMe support is activated, the portal login portlet shows a checkbox for setting the cookie
          If the cookie is present, the portal treats the user as "identified" but not yet "authenticated"
             • User can only see resources available to the anonymous user
          Access to protected resources requires the user to authenticate.
      StepUp Software Framework
          Enables you to plug in custom code for enforcing additional authentication levels for specific resources
             • E.g. enforce SSL for specific services, or client side certificates, ...
          Available for Pages and Portlets
      Administration
          Required authentication strength can be managed using the Resource Permission Portlet and XMLAccess
  • 44. My Bookmarks page recognizes the remember-me cookie of an unauthenticated user (screenshot: wps/portal/mybookmarks)
      The remember-me cookie can be configured in RememberMeConfigService.properties to establish a WAS security context, or not
      Portal access control is agnostic of the current authentication level
  • 45. Remember-me cookie can be configured to create a WAS security context (screenshot: wps/myportal/mybookmarks)
      Access control is then enforced based on the remembered user identity
  • 46. Custom Authentication Level Sample (screenshots 1, 2, 3)
      A custom authentication level is assigned to the "Feeds" page
      Custom authentication challenge
      Page is served on successful authentication only
  • 47. StepUp and RememberMe Admin
      Define authentication levels on portlets and pages via the admin UI (screenshot, labelled "your auth level appears here")
      Via XMLAccess
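The three states of slides 43 to 46 (anonymous, identified by a remember-me cookie, authenticated, plus a custom stronger level) as one access decision, added here as an example that is not the deck's code and not Portal's StepUp framework. It separates the question "which identity does access control see" (slide 44 vs. 45) from "is the current authentication level strong enough for this resource" (slide 46). Level names, the resources and the `remember_me_creates_context` switch are assumptions.

```python
"""Remember-me, authentication levels and step-up as an access decision (constructed model)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional, Tuple, Union


class AuthLevel(IntEnum):
    ANONYMOUS = 0
    IDENTIFIED = 1      # valid remember-me cookie, no credentials presented in this session
    AUTHENTICATED = 2   # form login / TAI login
    STRONG = 3          # custom level, e.g. client certificate over SSL


@dataclass(frozen=True)
class Session:
    user: Optional[str]   # None for anonymous
    level: AuthLevel


@dataclass(frozen=True)
class Resource:
    name: str
    required_level: AuthLevel
    readers: FrozenSet[str]   # "anonymous", "authenticated" or explicit user ids


Decision = Union[str, Tuple[str, AuthLevel]]   # "allow" | "deny" | ("step-up", level)


def access_control_principal(session: Session, remember_me_creates_context: bool) -> Optional[str]:
    """Identity the access-control check sees. A remembered user counts only
    when the remember-me cookie is configured to create a WAS security context."""
    if session.level >= AuthLevel.AUTHENTICATED:
        return session.user
    if session.level == AuthLevel.IDENTIFIED and remember_me_creates_context:
        return session.user
    return None


def decide(resource: Resource, session: Session, remember_me_creates_context: bool = False) -> Decision:
    principal = access_control_principal(session, remember_me_creates_context)
    permitted = ("anonymous" in resource.readers
                 or (principal is not None
                     and ("authenticated" in resource.readers or principal in resource.readers)))
    if not permitted:
        # No identity to judge: send the user to the login (a step-up to AUTHENTICATED).
        # A known identity without permission is a plain deny.
        return ("step-up", AuthLevel.AUTHENTICATED) if principal is None else "deny"
    if session.level < resource.required_level:
        return ("step-up", resource.required_level)   # the custom challenge page of slide 46
    return "allow"


# Constructed resources and sessions.
WELCOME = Resource("wps/portal/mybookmarks", AuthLevel.ANONYMOUS, frozenset({"anonymous"}))
MY_BOOKMARKS = Resource("wps/myportal/mybookmarks", AuthLevel.IDENTIFIED, frozenset({"authenticated"}))
ACCOUNT = Resource("wps/myportal/account", AuthLevel.AUTHENTICATED, frozenset({"authenticated"}))
FEEDS = Resource("wps/myportal/feeds", AuthLevel.STRONG, frozenset({"dieter"}))

ANONYMOUS = Session(None, AuthLevel.ANONYMOUS)
REMEMBERED = Session("dieter", AuthLevel.IDENTIFIED)
LOGGED_IN = Session("dieter", AuthLevel.AUTHENTICATED)
CERT_USER = Session("dieter", AuthLevel.STRONG)
OTHER = Session("erika", AuthLevel.AUTHENTICATED)


if __name__ == "__main__":
    for res, ses, ctx in ((WELCOME, REMEMBERED, False), (MY_BOOKMARKS, REMEMBERED, False),
                          (MY_BOOKMARKS, REMEMBERED, True), (ACCOUNT, REMEMBERED, True),
                          (FEEDS, LOGGED_IN, False), (FEEDS, CERT_USER, False), (FEEDS, OTHER, False)):
        print(f"{res.name} as {ses.user or 'anonymous'}@{ses.level.name} (context={ctx}): {decide(res, ses, ctx)}")
```

Note the asymmetry: an anonymous or merely remembered visitor without permission is sent to the login, a logged-in user without permission is denied. Conflating the two leaks whether a resource exists to users who cannot see it; keeping the authentication-level check after the permission check avoids asking for a stronger credential on a resource the user would be denied anyway.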
  • 48. StepUp and RememberMe Framework (diagram only)
  • 49. StepUp and RememberMe Framework (diagram only)
  • 50. StepUp and RememberMe Framework (diagram only)
  • 51. StepUp and RememberMe Framework - Configuration (screenshot only)
  • 52. Virtual Portal Security. © 2008 IBM
  • 53. Virtual Portals
      A virtual portal is a "separate" portal within a portal
      Separate base URL, separate anonymous pages and login facility
      Some portal resources are scoped to individual VPs (e.g. Pages)
      Each individual virtual portal can be assigned a specific VMM realm
    (diagram) URL mappings www.ibm.com/wps/portal/yellow, www.ibm.com/wps/portal/blue and www.ibm.com/wps/portal/green → navigation → Virtual Portal 1, Virtual Portal 2 and Virtual Portal 3 (realms yellow, blue and green), each with its own root page.
  • 54. VMM Realm-based Virtual Portal Security
      Each virtual portal is assigned a VMM user realm
      The realm defines a subset of the entries in the user registries
      Portal only allows members of the associated realm to access resources within the corresponding VP (e.g. Pages)
      Multiple realm support requires Federated Security
      From a WAS perspective there is SSO between all VPs
      Authenticated users get redirected to the VP-specific login page if they try to access a VP "from outside" the associated realm (i.e. if they are not part of the realm associated with that VP)
  • 55. URL-prefix based Virtual Portal Security
      Each virtual portal can be assigned a unique URL prefix (e.g. "/wps/portal/yellow")
      Portal can be configured to guarantee that pages contained in a specific VP can only be accessed by URLs that contain the corresponding VP URL prefix
       Those URLs can be used to do URL pattern based access control in reverse proxy servers (e.g. TAM/WebSEAL)
      Remark: this allows e.g. leveraging TAM POPs for VP specific pages
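Slides 33, 53, 54 and 55 together, as an added example that is not the deck's, Portal's or VMM's code: realms as subsets of federated registries, a user-id uniqueness check across registries, longest-prefix resolution of the virtual portal from the URL, and the realm plus URL-prefix access check. The registries, realm definitions, virtual portals and user ids are assumptions.

```python
"""Realm-scoped and URL-prefix-scoped access to virtual portals (constructed model)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    uid: str
    dn: str
    registry: str      # which federated repository the entry lives in


@dataclass(frozen=True)
class Realm:
    name: str
    scope: Tuple[Tuple[str, str], ...]   # (registry name, base DN suffix) pairs included in this realm

    def contains(self, user: User) -> bool:
        base = dict(self.scope).get(user.registry)
        return base is not None and user.dn.lower().endswith(base.lower())


@dataclass(frozen=True)
class VirtualPortal:
    name: str
    url_prefix: str     # e.g. "/wps/portal/yellow"
    realm: str


def duplicate_uids(users: List[User]) -> Dict[str, List[str]]:
    """User ids must be unique across all federated registries (slide 33); report collisions."""
    seen: Dict[str, List[str]] = {}
    for u in users:
        seen.setdefault(u.uid, []).append(u.registry)
    return {uid: regs for uid, regs in seen.items() if len(regs) > 1}


def resolve_vp(vps: List[VirtualPortal], path: str) -> Optional[VirtualPortal]:
    """Longest matching URL prefix wins; the prefix must end at a path boundary."""
    best: Optional[VirtualPortal] = None
    for vp in vps:
        if path == vp.url_prefix or path.startswith(vp.url_prefix + "/"):
            if best is None or len(vp.url_prefix) > len(best.url_prefix):
                best = vp
    return best


def check_vp_access(vps: List[VirtualPortal], realms: Dict[str, Realm], page_vp: str,
                    user: Optional[User], path: str, enforce_prefix: bool = True) -> str:
    """Returns 'allow', 'redirect-to-vp-login' or 'wrong-prefix' for a page owned by page_vp."""
    if enforce_prefix:
        vp_from_url = resolve_vp(vps, path)
        if vp_from_url is None or vp_from_url.name != page_vp:
            return "wrong-prefix"          # slide 55: page reachable only under its own VP prefix
    vp = next(v for v in vps if v.name == page_vp)
    if user is None or not realms[vp.realm].contains(user):
        return "redirect-to-vp-login"      # slide 54: not a member of the VP's realm
    return "allow"


# Constructed federated registries, realms and virtual portals.
USERS = [
    User("alice", "uid=alice,ou=people,o=acme", "acme-ldap"),
    User("pat", "uid=pat,ou=partners,o=acme", "acme-ldap"),
    User("bob", "uid=bob,ou=people,o=supplier", "supplier-ldap"),
    User("carol", "uid=carol,ou=people,o=customer", "customer-ldap"),
]
REALMS = {
    "acme": Realm("acme", (("acme-ldap", "o=acme"),)),
    "supplier": Realm("supplier", (("supplier-ldap", "o=supplier"),)),
    # A realm may span a subset of one registry plus another registry (slide 33).
    "customer": Realm("customer", (("customer-ldap", "o=customer"), ("acme-ldap", "ou=partners,o=acme"))),
}
VPS = [
    VirtualPortal("yellow", "/wps/portal/yellow", "customer"),
    VirtualPortal("blue", "/wps/portal/blue", "supplier"),
    VirtualPortal("yellowbird", "/wps/portal/yellowbird", "acme"),
]
BY_UID = {u.uid: u for u in USERS}


if __name__ == "__main__":
    print("uid collisions:", duplicate_uids(USERS))
    for uid, path in (("carol", "/wps/portal/yellow/home"), ("bob", "/wps/portal/yellow/home"),
                      ("carol", "/wps/portal/blue/home"), ("pat", "/wps/portal/yellow/home")):
        print(uid, path, "->", check_vp_access(VPS, REALMS, "yellow", BY_UID[uid], path))
```

The boundary check in `resolve_vp` is the detail to get right when the prefix is used for reverse-proxy rules as slide 55 suggests: a rule written as `/wps/portal/yellow*` would also cover `/wps/portal/yellowbird`, so the proxy pattern should end with a slash, as the model does.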
• 56. Portal Backend SSO (The Credential Vault)
• 57. Portal Single Sign-On Realms
  Diagram: two SSO realms. Web SSO (LTPA, TAI, JAAS) spans the client browser, the authentication proxy (e.g. web server), the portal with its portlets and further web applications, all under the identity john.doe. Back-end SSO covers the hop from the portlets to the back-end applications, where the same user appears as john.doe, DoeJ or PN:1234567 depending on the back end.
• 58. Overview: Portal Single Sign-On
  - Client-to-Web Application SSO
    - Application server built-in SSO support (LTPA)
    - Authentication proxy SSO support (WAS Trust Association Interceptors)
    - WAS (therefore Portal) support for Federated Identity (Liberty/SAML) via WebSEAL or other front-end security service, brought in to WAS via TAI or other mechanism
  - Portal-to-Back End SSO
    - Portal Credential Vault
      - Credential Vault Portlet Service and Active and Passive Credential Objects
      - Credential Vault Adapter SPI
      - Default simple DB storage vault implementation
    - ConnectionFactories provided via JCA / WAS
• 59. Windows Desktop to Portal Front-End SSO
  - Supported out-of-the-box by WAS 6.1 through SPNEGO TAI
  - Supported by Portal 6.1
  - Also supported out-of-the-box by Tivoli Access Manager
    - WebSEAL supports SPNEGO, id passed to WAS via standard TAI
  - SiteMinder can do this too
• 60. Portal to Backend SSO: WP Credential Vault
  - Credential Portlet Service: a portlet service for storing and retrieving SSO credentials, including the user‘s JAAS Subject that was built during login
  - Vault Adapter Interface: a vault adapter interface to integrate vault implementations like the Tivoli Access Manager Global Sign-On Lockbox
  - Default Vault Implementation: a basic default vault implementation (base64 encoding, public encryption exit, migration challenge)
  Diagram: portlets call the Credential Portlet Service, which uses the Vault Adapter Interface to reach the default adapter (default vault implementation with crypto exit), the TAM adapter (TAM GSO Lockbox) or a custom adapter (custom vault).
• 61. Part III: Authorization and Security Infrastructure
• 62. What is Access Control (aka. Authorization)?
  Who is allowed to perform which action on which resource?
  - Who: authentication yields a unique user ID
  - Which action: examples are view, edit, delete
  - Which resource: portal resources, for example page or portlet
• 63. Anonymous Access
  - Anonymous user is allowed access to the Welcome page
  - Anonymous user is allowed access to the Login portlet
  - Anonymous user is allowed access to an Information portlet
• 64. Anonymous Access
  User logs in ...
• 65. Personalized Access
  - Bob is allowed to create and personalize private pages
  - Bob sees additional pages
  - Bob sees other portlets on the welcome page
• 66. Personalized Access
  Now a more privileged user logs in ...
• 67. Personalized Access
  - Alice is allowed to do more things with the Welcome page
  - Alice sees other portlets on the page
• 68. Role Concept
  Diagram: a permission is an action plus a resource (e.g. delete StocksPortlet); a role (User, Editor, Manager) bundles permissions; a role assignment links a role to a user or user group taken from the user subsystem (WMM).
• 69. Portal Role Types
  Role types: User, Privileged User, Contributor, Editor, Manager, Delegator, Security Administrator, Administrator
  - Users are allowed to view portal resources
  - Privileged Users are allowed to create and personalize private resources
  - Contributors are allowed to create new shared resources
  - Editors are allowed to create and edit shared resources
  - Managers are allowed to create, edit, and delete shared resources
  - Delegators are allowed to grant access to other principals
  - Security Administrators are allowed to grant access on a resource to other principals
  - Administrators are allowed to do everything
• 70. Protected Resource Hierarchy
  Diagram: the virtual root resource of the protected resource hierarchy (root) has virtual resources below it (page root, external AZN app root); the protected resources below those are the Teller app, app 2, page 1, portlet 1, portlet 2, the Teller page and pages 3 to 6.
• 71. Role Instances
  Diagram: the same hierarchy with role instances attached to nodes, written as role type@resource, e.g. Administrator@root, Administrator@page root, Manager@page 1 (a WP role instance), User@app 2 and Editor@Teller page; the Editor role is inherited down to pages 3, 4 and 5, and an inheritance block for roles of type Editor stops the propagation below that. The page root is labelled Domain Root Resource.
• 72. Creation of Shared Resources
  - User creates a shared resource (createSharedResource(o5))
  - The user that created the resource becomes the owner of the resource
  - This owner relationship grants Manager specific permissions on the corresponding resource
  - Ownership can be transferred
  - Owner permissions are never subject to inheritance
  Diagram: resources o1 to o6; an explicit Manager role assignment on o2 is extended by inheritance to o3, o4 and o5, while the creator holds the owner relationship on the newly created resource. Legend: explicit role assignment, inherited role extension, owner relationship.
• 73. Private Resources
  - Users can be granted privileges to create private pages (createPrivatePage(page5))
  - The user that created the private page becomes the owner of the new page
  - Private resources are visible only for the owner of the resource
  - Private resources do not inherit any roles from their ancestor nodes
  - Private resources are deleted explicitly by the owner or automatically when the creator is removed from the portal
  Diagram: page1 to page5 carry Privileged User role assignments (explicit on one page, inherited by the others); page6 is a private resource that carries only the owner relationship. Legend: explicit role assignment, inherited role extension, private resource.
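As an added example (not IBM code and not part of the slides), a Python model of the access control concepts from slides 68 to 73: a protected resource hierarchy, role instances of the form role type@resource that are inherited down the hierarchy, inheritance blocks, the owner relationship that grants Manager permissions without inheritance, and private resources that inherit nothing and are visible only to their owner. The action set per role type, the exact inheritance block semantics, and the users, groups and page names are assumptions made for the example.

```python
"""Constructed model of Portal Access Control as described on slides 68-73 (not IBM
code): a protected resource hierarchy, role instances (role type @ resource) that are
inherited down the hierarchy, inheritance blocks, owner relationships and private
resources. Action sets per role type and block semantics are assumptions."""
from dataclasses import dataclass, field

# Role types are cumulative (slide 69): each type adds one action to the previous one.
ROLE_ACTIONS, _acc = {}, frozenset()
for _role, _action in [("User", "view"), ("Privileged User", "personalize"), ("Contributor", "create"),
                       ("Editor", "edit"), ("Manager", "delete"), ("Administrator", "grant")]:
    _acc = _acc | {_action}
    ROLE_ACTIONS[_role] = _acc

@dataclass
class Resource:
    name: str
    parent: "Resource" = None
    private: bool = False                       # private resources inherit nothing and are owner-only
    owner: str = None                           # the owner holds Manager actions here, never inherited
    roles: dict = field(default_factory=dict)   # role type -> set of principals (explicit instances)
    blocks: set = field(default_factory=set)    # role types that this node does not inherit from above

def effective_roles(user, groups, resource):
    """Explicit role instances on the resource plus inherited ones: walk up the hierarchy,
    stop at a private node, and drop role types blocked at a node passed on the way up."""
    principals, roles, blocked, node = {user} | groups.get(user, set()), set(), set(), resource
    while node is not None:
        roles |= {rt for rt, members in node.roles.items() if rt not in blocked and members & principals}
        if node.private:
            break
        blocked |= node.blocks   # assumption: a block on a node hides that role type coming from its ancestors
        node = node.parent
    return roles

def allowed(user, groups, action, resource):
    if resource.private and resource.owner != user:
        return False             # private resources are visible only for their owner
    if resource.owner == user and action in ROLE_ACTIONS["Manager"]:
        return True              # owner relationship: Manager permissions, never subject to inheritance
    return any(action in ROLE_ACTIONS[rt] for rt in effective_roles(user, groups, resource))

def create_private_page(user, groups, parent, name):
    """createPrivatePage (slide 73): needs Privileged User rights on the parent; the creator becomes owner."""
    if not allowed(user, groups, "personalize", parent):
        raise PermissionError(f"{user} may not create private pages below {parent.name}")
    return Resource(name, parent, private=True, owner=user)

def build_demo():
    """Constructed hierarchy after slides 70-71: Manager@page 1 for alice, Editor@Teller page for
    the 'editors' group (bob is a member), and an inheritance block for Editor roles at page 5."""
    root = Resource("root")
    page_root = Resource("page root", root)
    page1 = Resource("page 1", page_root, roles={"Manager": {"alice"}})
    teller = Resource("Teller page", page1, roles={"Editor": {"editors"}})
    page3, page5 = Resource("page 3", teller), Resource("page 5", teller, blocks={"Editor"})
    page6 = Resource("page 6", page5)
    groups = {"bob": {"editors"}}
    return groups, {r.name: r for r in (root, page_root, page1, teller, page3, page5, page6)}
```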
• 74. Access Control Administration
  - Administration Portlets
  - XmlAccess
  - Portal Scripting
• 75. Portal Membership Model
• 76. What are Composite Applications?
  Diagram: a composite application has a user interface in the community context, is built from business components (content, documents (JCR), Domino, ERP, ...) and business objects, and runs in an application context.
• 77. Templates and Applications
  - A template contains the blueprint to easily create another instance of that application
  - A template describes visual and non-visual business components and their relationships
  - A template allows for points of variability to be filled out during instantiation
  Diagram: an application instance (application context with portal objects and business objects, inside a community context) is serialized into a template (XML with portal objects, business objects and points of variability, PoVs), and a template is instantiated into new application instances.
• 78. Membership Management
  Business User: Application Owner
• 79. Membership Management
• 80. Membership Management
• 81. Application Role Mappings
  Diagram: users and groups obtain membership through application roles (Admin, Analyst, Developer); role mapping maps each application role to component roles (Admin, User, Operator) exposed by the application's components (XML Import Portlet, Business Insight Portlet, External Trace Analyzer, ...); the example is a custom debug application.
• 82. Manage Application Roles
  Business User: Template Editor or Application Owner
• 83. E.g.: Create an additional “Manager” Role
  Screenshot callouts: application role name and description; this role shall contain delegation privileges; this role shall contain Manager privileges for the Insight portlet component; component roles exposed by the Enable Tracing component.
• 84. New application role has been created ...
• 85. Business Users can use the new role ...
  Business User: Application Owner
• 86. Application Roles & Membership
  - WebSphere Portal 6.0 features an infrastructure for composite applications
  - Each application consists of a set of business components
  - Business components expose component roles as appropriate for the corresponding business domain
  - Component roles exposed by one or more business components can be aggregated into application roles
  - Application roles can be assigned to users and groups
  - A user being assigned a specific application role is considered a member of the corresponding application instance
  - There are administration portlets for application role management (i.e. create, modify, delete, update application roles) and membership management
  - Application instances can be serialized into templates; application roles are part of the template
• 87. No Inheritance Across Domain Boundaries: The 4 Data Domains
  - Release Domain: data are the „MyPortal“ and „Admin“ resources; model: authorization roles; consistent backup/restore
  - Community Domain: data are application/templating data; model: membership model; consistent backup/restore
  - Customization Domain: data are user private data (e.g. private pages); model: private resources only; consistent backup/restore
  - JCR Domain: data are content (WCM/PDM) plus templates, policies and PZN rules; UI: authorization roles; consistent backup/restore
• 88. WSRP Security
• 89. Web Services for Remote Portals (WSRP)
  - Industry standard for presentation oriented Web Services
  - Producer Side: Portlets can be provided as WSRP Services
  - Consumer Side: Integrate WSRP Services in form of Portlets from a Producer Portal
  Diagram: the consumer WebSphere Portal hosts local portlets (JSR 168, WPS 4.x) and a generic WSRP portlet/proxy behind the Portlet API; the proxy calls WSRP services over the Internet/Intranet (SOAP) that are offered by a producer portal, by application and content providers or by a 3rd party content/application provider, with services published and found via a UDDI registry; the producer setup creates a producer entity.
• 90. WSRP Identity Propagation
  - User Profile Propagation (no security)
    - User profile data submitted in SOAP message
    - Used for generating personalized content
    - Not intended for access control decisions
  - SSL client certificate authentication
    - Certificate based client authentication with User ID in certificate
    - One identity per consumer portal
  - WS-Security
    - WSRP client/producer run in JSR 109 compliant container
    - Allows full exploitation of WAS WS-Security runtime
    - Allows end user identity propagation / mapping
      - e.g. LTPA token forwarding
      - public plug points in WAS for custom tokens
  - Tivoli Federated Identity Manager (TFIM) provides multiple ways of doing web services based federated SSO (e.g. via SAML)
• 91. Java 2 Platform Security
• 92. Java 2 Platform Security
  - “Is this piece of code allowed to read httpd.conf?”
  - Part of the Java Language Specification
  - Policy files define the privileges of the code to be executed
  - Protection of system resources and APIs via a policy-based, fine-grained access control mechanism
  - Activated via Global Setting in WebSphere Application Server (independent of “Global Security”)
• 93. Java 2 Platform Security
  - WebSphere Portal runs with Java 2 Security enabled
  - Portal core libraries and administration portlets are supposed to be trusted and get the java.security.AllPermission
  - Portlet specific permissions can be assigned to individual portlets by adding a corresponding was.policy file to the WAR archive
    - Portlet deployment copies the was.policy file to the EAR level as required by the WAS security runtime
  - Individual portlets can be prevented from accessing arbitrary system resources …
• 94. Misc
• 95. Misc
  - Security Audit Service
    - Can be activated to track administrative actions
    - Writes a dedicated log file (plain text)
    - Includes information on executing user, execution time, involved resources
  - New with 6.1:
    - SSL configuration in WAS Admin Console
• 96. WebSphere Portal Security Strategy
  - Security is part of the Portal Design Process
    - Design documents detail security implications and are reviewed by a dedicated portal security team
  - Security is part of the Portal Testing Strategy
    - WebSphere Portal does dedicated security vulnerability (aka. penetration) testing on selected portal releases
  - Security Certifications
    - WebSphere Portal access control is Common Criteria certified
    - WebSphere Portal uses FIPS 140-2 compliant crypto libraries provided by WebSphere Application Server
  - Portal Security is aligned with IBM Security Strategy
    - IBM invests in security research, e.g. teams in Zurich and Tokyo investigate Web 2.0 security implications
    - The WebSphere Portal security architect aligns portal security with IBM security strategy and research results
    - Security fixes are published on the portal Security Bulletin Web Site: http://www-128.ibm.com/developerworks/websphere/zones/portal/security/
• 97. Additional Information and Resources
  - WebSphere Portal Security White Paper: http://www-128.ibm.com/developerworks/websphere/library/techarticles/0611_buehler/0611_buehler.html
  - Exploiting the WebSphere Portal V5.1.0.1 programming model, Part 3: Integrating WebSphere Portal into your security environment: http://www.ibm.com/developerworks/websphere/library/techarticles/0606_buehler/0606_buehler.html
  - WebSphere Portal Product Information: http://www-306.ibm.com/software/genservers/portal/enable/
  - WebSphere Portal Information Center documentation: http://www-106.ibm.com/developerworks/websphere/zones/portal/proddoc.html
  - WebSphere Portal Security Zone: http://www-128.ibm.com/developerworks/websphere/zones/portal/security/
• 98. WebSphere Portal Technical Conference Europe 2008
  Session ID: B07
  Session: IBM WebSphere Portal Security Overview
  Presenter: Dr. Dieter Buehler
  Please take a few minutes to fill out the session survey. Thank you
• 99. © IBM Corporation 2008 All Rights Reserved.
  The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
  IBM, the IBM logo, WebSphere, Lotus, Lotus Notes, Domino, Quickplace, Sametime, Workplace and Quickr are trademarks of International Business Machines Corporation in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations Inc. refer to a fictitious company and are used for illustration purposes only.