This document provides an overview of IBM WebSphere Portal security. It discusses authentication and user identity features such as authentication, PUMA and VMM, single sign-on, and virtual portal security. It also covers authorization and security infrastructure topics including portal access control, WSRP security, Java 2 platform security, and various other aspects. The agenda is split into three parts that introduce the topic, discuss authentication and user identity, and review authorization and security infrastructure.
2. Agenda
Part I: Introduction
Part II: Authentication and User Identity
- Authentication
- PUMA and VMM
- RememberMe and StepUp
- WAS Group Assertion
- Virtual Portal Security
- SSO – Credential Vault
Part III: Authorization and Security Infrastructure
- Portal Access Control & Membership
- WSRP Security
- Java 2 Platform Security
- Miscellaneous
- Summary
WebSphere Portal Technical Conference Europe 2008
3. Part I: Portal Security Introduction
WebSphere Portal (WP) Security is based on WebSphere Application Server (WAS) security.
WP Security leverages the following from WAS:
- J2EE Security
- Web Single Sign-On (JAAS / TAI / LTPA)
- Java 2 Security
- Java Connector Architecture
- SSL / TLS Support
- IBM JCE/JCE/JSSE libraries
WP Security provides additional features in these areas:
- Authorization
- Authentication Customization
- User Profile and Group Management
- Back-end Single Sign-On (Credential Vault)
- Security Audit
4. Portal Setup with Authentication Proxy
[Diagram only: portal setup with an authentication proxy in front of WAS; no further text on the slide.]
7. Authentication
WP is a custom Form Login application to WAS. It relies on WAS to:
- intercept requests to the protected portal area
- do the authentication and provide the security context
- Global Security in WAS is active
Portal picks up whatever user identity is established by WAS.
All WAS authentication customization options also apply to the portal:
- Authentication Proxies and Trust Association Interceptors (e.g. TAM / WebSEAL)
- Custom JAAS Login Modules
Portal supports public code plug points for intercepting the portal login and session validation flow.
8. Portal and WAS Authentication “flow” (since version 6.1.x)
[Diagram; recoverable labels, in flow order:]
- Login via UI, XMLAccess or Scripting: ID/PW submitted to the Portal login handler
- Portal login handler: JAAS Login (Portal_LTPA) against WAS Security, which uses the WAS User Registry configuration (e.g. via admin console)
- WAS User Registry -> LDAP: search, “bind” (validate id/pw), fetch DN, fetch group memberships; result: ID/PW okay? -> WAS Security Context
- VMM: Retrieve User; fetch attributes by DN (user profile); fetch nested group memberships; independent of the WAS lookup but based on the DN from WAS
9. Portal and WAS Authentication “flow” (since version 6.1.x)
[Diagram; same flow as slide 8 with one addition:]
- Login Filter Chain Plug Point (Explicit Login Filter1 ... Explicit Login Filter N) sits between the submitted login (UI, XMLAccess, Scripting) and the Portal login handler
10. End user identity flow from TAI to WAS to WP
- User identity must be “mappable” from front end security and TAI (if present) to WAS and WP
- Path of least resistance: front end/TAI, WAS, and WP should all use the same user registry
- It is possible to map between different registries for the front end vs. WAS/WP, but this is complex and leads to hard-to-debug problems
- TAI can assert a security shortname that WAS will “look up” using search
- TAI++ can set the end user identity, bypassing the lookup
  - Portal still needs to be able to look up profile info for that user
- Except in VERY rare circumstances, WAS and WP should always use the same user registry
- Portal lookup is based on the “DN” from WAS
11. Portal and External Security (authentication)
- Anything “in front of” WAS that does the authentication
- Login dialog conducted by front end security
  - May use Portal to serve up the login page, but Portal no longer handles the login form submission
- Front end asserts the already-authenticated end user identity to WAS
  - Trust Association Interceptor (TAI) architecture
  - TAM has other options (LTPA junctions)
- TAI is a WAS feature, not a Portal feature
  - Documented in the WAS InfoCenter
  - Portal has no idea about the presence or absence of a TAI, or how WAS gets the user identity
- IBM only provides one (1) TAI – that for TAM/WebSEAL. ALL OTHER SECURITY VENDORS MUST PROVIDE THEIR OWN TAI.
12. Portal and WAS and TAI Authentication “flow”
[Diagram; recoverable labels, in flow order:]
- Login dialog conducted by the Security Front-end; all id/pw validation done by the front end
- Security Front-end asserts the identity to the WAS TAI (lookup okay?) -> WAS Security Context
- WAS Security uses the WAS User Registry configuration (e.g. via admin console) -> LDAP: search, fetch DN, fetch group memberships
- Portal and VMM: fetch attributes by DN (user profile); fetch nested group memberships; independent of the WAS lookup but based on the DN from WAS (from TAI)
13. Portal and WAS and TAI Authentication “flow”
[Diagram; same flow as slide 12 with one addition:]
- Implicit Login Filter Chain Plug Point (Implicit Login Filter1 ... Implicit Login Filter N) sits between the WAS TAI identity assertion and Portal/VMM
14. Variation: New Federated Security Option in WAS 6.1
- VMM can be used as Security Provider in WebSphere Application Server (Federated)
- Fully integrated in the WebSphere Admin Console
- Replaces the former WMM-UR option
15. Portal and WAS Authentication “flow”
[Diagram for the federated variant (VMM as WAS security provider); recoverable labels, in flow order:]
- Login via UI, XMLAccess or Scripting: ID/PW submitted to the Portal login handler
- Portal login handler -> WAS Security API (JAAS) -> WAS Security (WMMUR) -> VMM Configuration in WAS
- VMM -> one or more LDAPs: search, “bind” (validate id/pw), fetch DN, fetch group memberships; result: ID/PW okay?
- VMM: Retrieve User; fetch attributes by DN (user profile); fetch nested group memberships; independent of the WAS lookup but based on the DN from WAS
16. Portal and WAS Authentication “flow”
[Diagram; same flow as slide 15 with one addition:]
- Login Filter Chain Plug Point (Explicit Login Filter1 ... Explicit Login Filter N) sits between the submitted login (UI, XMLAccess, Scripting) and the Portal login handler
17. New Portal Login and Session Validation Filter API
Filter chains for:
- Explicit Portal Login (i.e. login is triggered by Portal)
- Implicit Portal Login (i.e. authentication has been performed by an external authentication provider)
- Explicit Portal Logout
- Session Validation (to validate individual (authenticated) portal requests)
- Session Validation Timeout handling (for custom session time out handling)
Custom filter implementations can be plugged in by adding the corresponding properties to AuthenticationService.properties.
18. New Portal Login and Session Validation Filter API
[Diagram only; no text on the slide.]
19. New Portal Login and Session Validation Filter API
FilterChainContext can be used to pass parameters between filters and to specify redirect URLs.
20. New Portal Login and Session Validation Filter API (continued)
21. New Portal Login and Session Validation Filter API (continued)
22. HTTP Basic Auth TAI
Can be used to send an HTTP Basic Auth challenge for specific URLs and/or User Agents.
23. Portal AJAX Proxy
[Diagram; recoverable labels: Browser (Domain A) -> HTTP GET -> Domain A Server hosting the HTML Page, the Portlet, the AJAX Proxy and its list of trusted sites -> HTTP GET -> Domain B AJAX Server]
Today's browsers prevent asynchronous requests to foreign domains for security reasons.
Example: your portlet is served from www.mycompany.com but your AJAX application tries to load a feed from cnn.com. This would be blocked by the browser.
24. AJAX Proxy Server: Security Challenge
[Diagram: Dieter's Travel Mashup Doc in the browser combines content from the Car Rental Site, the Travel Agency Site and the Weather Service Site through the AJAX proxy on WAS in your portal; cross-domain AJAX requests are restricted by the browser security model]
... an unsecured AJAX proxy would expose me to danger ...
25. Mash-up Security Risk: Weather site is hacked or malicious
Markup provided by the Weather site can serve active content at will, e.g. steal cookies / security tokens or all information from the Mashup DOM (e.g. credit card info entered in a field in the travel agency site)
3rd party content is now served from your portal:
Copyright issues (Weather service serves stolen weather data)
Infected data (e.g. containing a virus)
Illegal data (e.g. offensive content)
[Diagram: Dieter's Travel Mashup Doc with the credit card number field; your portal serving Car Rental Site, Travel Agency Site and Weather Service Site content]
Same issue with:
- malicious ATOM feeds
- including a portlet via WSRP
- client side mash-up via AJAX
26. Portal AJAX Proxy Server guards my credit card number
The Weather Site is not on the trusted server list
Admin-controlled security policy, maintained by the Security Administrator
Filtering based on:
- URL
- HTTP action
- mime-type
- requesting user
[Diagram: Dieter's Travel Mashup Doc; AJAX proxy on WAS in your portal forwards to the Car Rental Site and the Travel Agency Site but not to the Weather Service Site]
27. AJAX Proxy Configuration
The AJAX proxy security policy is specified in XML
Request filtering based on:
URL
HTTP action
mime-type
requesting user
Cookie forwarding can be enabled
Planned for a future version: Active Content Filtering Enforcement
28. AJAX Proxy: sample policy
[Screenshot of a sample policy XML; not preserved in the transcript]
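The following is an added example, not IBM's AJAX proxy code or its XML policy format: a Python model of a proxy that enforces the policy dimensions listed on slides 26-28 (trusted URL, HTTP action, mime-type, requesting user, cookie forwarding). Hosts, users and policy entries are constructed. It also carries two checks a practitioner would want that the slides only imply: the trusted-server match compares scheme, host and port exactly rather than by string prefix, and the path is percent-decoded and checked for ".." before the glob match.

```python
"""Policy-enforcing AJAX proxy, modelled after the filtering dimensions on
the slide (URL, HTTP action, mime-type, requesting user, cookie forwarding).
Added example, not IBM's proxy or its XML policy format; hosts, users and
policy entries are constructed for the demonstration."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, unquote

_DEFAULT_PORT = {"http": 80, "https": 443}


@dataclass(frozen=True)
class PolicyEntry:
    url_pattern: str          # scheme://host[:port]/path-glob; the host part must match exactly
    actions: frozenset        # allowed HTTP methods
    mime_types: frozenset     # allowed response content types (without parameters)
    users: frozenset          # allowed requesting users; "*" = any user
    forward_cookies: bool = False


def canonical_url(url):
    """(scheme, host, port, path) for a plain http(s) URL, else None.
    Userinfo is rejected ("http://trusted@evil/..."), the path is
    percent-decoded and may not climb with ".." segments."""
    parts = urlsplit(url)
    if parts.scheme not in _DEFAULT_PORT or parts.username is not None:
        return None
    try:
        port = parts.port or _DEFAULT_PORT[parts.scheme]
    except ValueError:                    # malformed port
        return None
    host = (parts.hostname or "").lower()
    path = unquote(parts.path) or "/"
    if not host or ".." in path.split("/"):
        return None
    return parts.scheme, host, port, path


def url_matches(pattern, url):
    """Exact scheme/host/port comparison plus a glob on the path, so that
    "weather.example.com.evil.net" never matches a policy written for
    "weather.example.com"."""
    p, u = canonical_url(pattern), canonical_url(url)
    return p is not None and u is not None and p[:3] == u[:3] and fnmatchcase(u[3], p[3])


class AjaxProxy:
    def __init__(self, entries):
        self.entries = list(entries)

    def find_entry(self, url):
        return next((e for e in self.entries if url_matches(e.url_pattern, url)), None)

    def authorize_request(self, user, method, url):
        """Checked before the target is contacted. Returns (allowed, reason)."""
        entry = self.find_entry(url)
        if entry is None:
            return False, "target not on the trusted server list"
        if method.upper() not in entry.actions:
            return False, f"HTTP action {method.upper()} not allowed for this target"
        if "*" not in entry.users and user not in entry.users:
            return False, f"user {user!r} may not use this target"
        return True, "allowed"

    def outgoing_headers(self, url, browser_headers):
        """Headers forwarded to the target: the browser's Cookie header (which
        carries the portal session, e.g. the LTPA token) is dropped unless the
        policy entry enables cookie forwarding for that target."""
        entry = self.find_entry(url)
        keep_cookies = entry is not None and entry.forward_cookies
        return {name: value for name, value in browser_headers.items()
                if keep_cookies or name.lower() != "cookie"}

    def filter_response(self, url, content_type):
        """Checked on the Content-Type the target answered with, so that a feed
        host cannot push text/html (active content) into the mashup DOM."""
        entry = self.find_entry(url)
        if entry is None:
            return False, "target not on the trusted server list"
        mime = content_type.split(";", 1)[0].strip().lower()
        if mime not in entry.mime_types:
            return False, f"mime-type {mime} not allowed for this target"
        return True, "allowed"


# Constructed policy: a public weather feed (GET only, feed mime-types, no
# cookies) and a travel agency API restricted to one user, with cookies forwarded.
SAMPLE_PROXY = AjaxProxy([
    PolicyEntry("http://weather.example.com/feeds/*", frozenset({"GET"}),
                frozenset({"application/atom+xml", "application/rss+xml"}), frozenset({"*"})),
    PolicyEntry("https://travel.example.com/api/*", frozenset({"GET", "POST"}),
                frozenset({"application/json"}), frozenset({"dieter"}), forward_cookies=True),
])
```

The request check runs before the proxy opens a connection (otherwise the proxy is an open relay into the intranet), and the mime-type check runs on the real response header, not on what the portlet asked for.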
30. PUMA and VMM
Now two public APIs: PUMA within Portal, VMM within WAS
What is VMM?
Virtual Member Manager supersedes WMM
Fully integrated in WebSphere Application Server
Why PUMA?
Fine-grained access control on users and groups
Portal virtual principals (Anonymous, All Authenticated, ...)
VP and realm awareness
REST API
31. User Registry Integration – From WMM to VMM
[Diagram (before 6.1): Portal → PUMA → WMM adaptor (public since v5101) → user registry: LDAP, DB, or LDAP + DB; a non-public plug-point used with AECI; the WAS user registry (WAS UR) is configured separately]
32. VMM Integration in WP V6.1
[Diagram: Portal → REST API / PUMA SPI (public since v5101) → VMM, shared with WAS Security → federated user registry adaptor → LDAP, DB or custom registry via a public plug-point]
33. Multiple LDAP support (since 6.0)
Requires Federated Security
VMM can dispatch calls to multiple user registries
Realms can point to a (subset of a) specific user registry or to (subsets of) multiple user registries
User IDs need to be unique across all registries
[Diagram: Portal Server → VMM → one LDAP each for ACME, Supplier and Customer, with one realm per registry; realm labels are garbled in the transcript]
34. External Id (extId) Mapping in VMM
Starting with WP 6.0, roles are no longer tied to the DN of the user but to another unique ID (ExtID)
The VMM ExtID is an opaque, unique, static and never-to-be-reused attribute of each user and group
The portal administrator can map the VMM ExtID to an attribute of his choice (e.g. objectGUID, DN, email address, …); an attribute that can change or be reused, such as a DN or an email address, weakens the static, never-to-be-reused property on which the role assignments depend
Portal default configuration: the portal by default uses the standard unique ID defined by the common LDAP vendors; all supported LDAP vendors have such an attribute (e.g. objectGUID for MSAD)
ExtID changes are now possible through XMLAccess
Extended Cleanup User task to rebind unique IDs
35. New in 6.1: User Profile REST Service
Provides ATOM feeds for:
defined user/group attributes
user/group profiles
user/group searches
group membership
Supports CRUD operations through the ATOM Publishing Protocol (APP):
create user/group
delete user/group
update user/group profile
add user to group
remove user from group
Supports virtual portal realms
36. Sample: Feed of defined user attributes
http://<portal_host>:<portal port>/<portal context root>/um/secure/attributes/users
37. Sample: User search result feed
http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles?searchAttributes=uid%3DA*
38. Sample: User profile
http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles/<user id>
40. New in 6.1: Reuse Group information from WebSphere (aka. Group Assertion)
The WebSphere TAI++ plug-point allows an external security manager to assert the user's group membership information to the WAS Security runtime
The same can be done using custom JAAS login modules
Portal 6.1 can be configured to use the asserted group information for access control checks instead of always retrieving group information from VMM
Consistent group-based authorization throughout the whole WAS security domain
With group assertion the proxy's claims become authoritative for access control, so the trust association between the proxy and WAS must itself be protected
41. Reuse Group information from WebSphere (aka. Group Assertion)
[Diagram: Authentication proxy (WebSEAL, SiteMinder) → TAI or JAAS login module in WAS: get user ID and group membership → WAS Security → WP; WP retrieves groups from VMM only when not configured to use the asserted ones ("?"); VMM/LDAP still supply user/group profile information, but no group membership]
43. StepUp and RememberMe
RememberMe Cookie
A persistent cookie allows the portal to recognize the user without login
• The portal can show a personalized welcome page
If RememberMe support is activated, the portal login portlet shows a checkbox for setting the cookie
If the cookie is present, the portal treats the user as "identified" but not yet "authenticated"
• The user can only see resources available for the anonymous user
Access to protected resources requires the user to authenticate.
StepUp Software Framework
Enables you to plug in custom code for enforcing additional authentication levels for specific resources
• E.g. enforce SSL for specific services, or client-side certificates, …
Available for pages and portlets
Administration
The required authentication strength can be managed using the Resource Permission portlet and XmlAccess
44. My Bookmarks page recognizes the remember-me cookie of an unauthenticated user
wps/portal/mybookmarks
The remember-me cookie can be configured to establish a WAS security context, or not, in RememberMeConfigService.properties
Portal access control is agnostic of the current authentication level
45. Remember-me cookie can be configured to create a WAS security context
wps/myportal/mybookmarks
Access control then enforces access control based on the remembered user identity
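An added model, not the portal's implementation, of the three decisions slides 43-45 describe: which identity access control sees (a remembered user counts as anonymous unless the cookie is configured to create a security context), whether that identity may view the page (access control proper, agnostic of the level), and whether the page's required authentication level is met (the step-up layer). Level names, the page definitions and the boolean that stands in for the RememberMeConfigService.properties setting are assumptions.

```python
"""Layered access decision for remember-me and step-up authentication.
Added model for the slides; not WebSphere Portal's implementation. Level
names, page definitions and the configuration flag are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class AuthLevel(IntEnum):
    ANONYMOUS = 0        # no cookie, no login
    IDENTIFIED = 1       # remember-me cookie only: recognised, not authenticated
    AUTHENTICATED = 2    # explicit portal login, e.g. user ID and password
    CERTIFICATE = 3      # custom level, e.g. client certificate over SSL


@dataclass
class Session:
    user: Optional[str] = None
    level: AuthLevel = AuthLevel.ANONYMOUS


@dataclass
class Page:
    name: str
    viewers: set = field(default_factory=set)            # principals holding the User role; "anonymous" = everyone
    required_level: AuthLevel = AuthLevel.AUTHENTICATED  # minimum level enforced by the step-up framework


@dataclass(frozen=True)
class Decision:
    outcome: str                                 # "serve", "challenge" or "deny"
    challenge_level: Optional[AuthLevel] = None  # level the challenge has to establish


def decide(session, page, remember_me_creates_security_context):
    """Three layers, applied in order."""
    # 1. Identity: an explicitly authenticated user always carries a security
    #    context; a remembered user only if the remember-me configuration says
    #    so, otherwise access control sees the request as anonymous.
    if session.level >= AuthLevel.AUTHENTICATED or (
        session.level == AuthLevel.IDENTIFIED and remember_me_creates_security_context
    ):
        principal = session.user
    else:
        principal = "anonymous"

    # 2. Access control: a pure permission check, agnostic of the level.
    if "anonymous" not in page.viewers and principal not in page.viewers:
        if principal == "anonymous":
            return Decision("challenge", AuthLevel.AUTHENTICATED)   # send to the login page
        return Decision("deny")

    # 3. Step-up: a permitted page is served only at its required level, so a
    #    remember-me cookie on its own never satisfies a login requirement.
    if session.level < page.required_level:
        return Decision("challenge", page.required_level)
    return Decision("serve")


# Constructed pages: welcome (anonymous), bookmarks (personalised; remember-me
# is enough), accounts (login required), feeds (client certificate required).
WELCOME = Page("welcome", {"anonymous"}, AuthLevel.ANONYMOUS)
BOOKMARKS = Page("mybookmarks", {"dieter"}, AuthLevel.IDENTIFIED)
ACCOUNTS = Page("accounts", {"dieter"})
FEEDS = Page("feeds", {"dieter"}, AuthLevel.CERTIFICATE)
```

Keeping the level check separate from the permission check is what lets the same role assignments serve both wps/portal/mybookmarks (identified user, no context) and wps/myportal/mybookmarks (identified user with context) without duplicating the access control rules.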
46. Custom Authentication Level Sample
A custom authentication level is assigned to the "Feeds" page
[Screenshots 1-3: custom authentication challenge; the page is served on successful authentication only]
47. StepUp and RememberMe Admin
Define authentication levels on portlets and pages via the Resource Permission portlet (the configured authentication level appears there) or via XMLAccess
48.-51. StepUp and RememberMe Framework; Framework - Configuration
[Screenshots; no text preserved in the transcript]
53. Virtual Portals
A virtual portal is a "separate" portal within a portal
Separate base URL, separate anonymous pages and login facility
Some portal resources are scoped to individual VPs (e.g. pages)
Each individual virtual portal can be assigned a specific VMM realm
[Diagram: URL mappings www.ibm.com/wps/portal/yellow, /blue, /green → Virtual Portal 1/2/3, each with its own root page and navigation, assigned to realm yellow, blue, green]
54. VMM Realm-based Virtual Portal Security
Each virtual portal is assigned a VMM user realm
The realm defines a subset of the entries in the user registries
The portal only allows members of the associated realm to access resources within the corresponding VP (e.g. pages)
Multiple realm support requires Federated Security
From a WAS perspective there is SSO between all VPs
Authenticated users get redirected to the VP-specific login page if they try to access a VP from outside the associated realm (i.e. if they are not part of the realm associated with that VP)
55. URL-prefix based Virtual Portal Security
Each virtual portal can be assigned a unique URL prefix (e.g. "/wps/portal/yellow")
The portal can be configured to guarantee that pages contained in a specific VP can only be accessed by URLs that contain the corresponding VP URL prefix
Those URLs can be used to do URL pattern based access control in reverse proxy servers (e.g. TAM/WebSEAL)
Remark: this allows e.g. to leverage TAM POPs for VP-specific pages
57. Portal Single Sign-On Realms
[Diagram: Client (e.g. web browser) → Authentication Proxy Server → Portal Server with Portlets; Web SSO realm (LTPA, TAI, JAAS) carries the identity john.doe to Web Application 1 and Web Application 2; Back-End SSO realm maps john.doe to the back-end identities DoeJ (Back-End Application 1), John (Back-End Application 2) and PN:1234567 (Back-End Application 3)]
58. Overview: Portal Single Sign-On
Client-to-Web Application SSO
Application server built-in SSO support (LTPA)
Authentication proxy SSO support (WAS Trust Association Interceptors)
WAS (therefore Portal) support for Federated Identity (Liberty/SAML) via WebSEAL or another front-end security service, brought in to WAS via TAI or another mechanism
Portal-to-Back End SSO
Portal Credential Vault
• Credential Vault Portlet Service and Active and Passive Credential Objects
• Credential Vault Adapter SPI
• Default simple DB storage vault implementation
ConnectionFactories provided via JCA / WAS
59. Windows Desktop to Portal Front-End SSO
Supported out-of-the-box by WAS 6.1 through the SPNEGO TAI
Supported by Portal 6.1
Also supported out-of-the-box by Tivoli Access Manager: WebSEAL supports SPNEGO, the ID is passed to WAS via the standard TAI
SiteMinder can do this too
60. Portal to Backend SSO: WP Credential Vault
A Portlet Service for storing and retrieving SSO credentials, including the user's JAAS Subject that was built during login.
A vault adapter interface to integrate vault implementations like the Tivoli Access Manager Global Sign-On Lockbox.
A basic default vault implementation:
- base64 encoding
- public encryption exit
- migration challenge
Base64 is an encoding, not encryption: credentials in the default vault are only protected if the encryption exit is implemented or an external vault such as the TAM GSO Lockbox is used.
[Diagram: Portlets → Credential Portlet Service → Vault Adapter Interface → adapters: Default vault implementation (with crypto exit), TAM GSO Lockbox, Custom vault]
(Slide reused from WebSphere Portal Technical Conference Europe 2007.)
62. What is Access Control (aka. Authorization)?
Who is allowed to perform which action on which resource?
Who: the unique user ID established by authentication
Resource: portal resources, examples: page, portlet
Action: examples: view, edit, delete
63. Anonymous Access
The Anonymous User is allowed access to the Welcome page
The Anonymous User is allowed access to the Login portlet
The Anonymous User is allowed access to an Information portlet
64. Anonymous Access
User logs in ...
65. Personalized Access
Bob is allowed to create and personalize private pages
Bob sees additional pages
Bob sees other portlets on the welcome page
66. Personalized Access
Now a more privileged user logs in ...
67. Personalized Access
Alice is allowed to do more things with the Welcome page
Alice sees other portlets on the page
68. Role Concept
[Diagram: Permission = Action + Resource (e.g. Delete StocksPortlet); a Role (e.g. Manager, Editor) bundles permissions; a Role Assignment binds a role to a User or User Group from the User Subsystem (WMM)]
69. Portal Role Types
Users are allowed to view portal resources
Privileged Users are allowed to create and personalize private resources
Contributors are allowed to create new shared resources
Editors are allowed to create and edit shared resources
Managers are allowed to create, edit, and delete shared resources
Delegators are allowed to grant access to other principals
Security Administrators are allowed to grant access on a resource to other principals
Administrators are allowed to do everything
[Diagram: role types stacked from User (least privilege) up to Administrator (most), with Delegator shown alongside]
71. Role Instances
Protected resource hierarchy: a virtual root resource at the top; below it virtual resources such as "page root" and "External AZN app root"; protected resources (pages, portlets, external apps) hang beneath them
A WP role instance is a role type on a resource, e.g. Manager@page1, Administrator@root, Editor@Teller page
Role instances propagate down the hierarchy (Editor@Teller page applies to page 3, page 4, page 5, portlet 1 and portlet 2 below the Teller page)
An inheritance block for roles of type Editor on the Teller page stops Editor instances from the domain root resource from being inherited into the Teller page subtree
[Diagram: root (Administrator) → page root → page 1 (Manager@page1), Teller page (Editor, inheritance block for Editor) → page 3, page 4, page 5, page 6, portlet 1, portlet 2; root → External AZN app root → Teller app, app 2 (User)]
72. Creation of Shared Resources
A user creates a shared resource, e.g. createSharedResource(o5)
The user that created the resource becomes the owner of the resource
This owner relationship grants specific permissions on the corresponding resource
Ownership can be transferred
Owner permissions are never subject to inheritance
[Diagram: o1 → o2 (explicit Manager role assignment) → o3, o4, o5, o6 (inherited Manager role extensions); owner relationship on o5]
73. Private Resources
Users can be granted privileges to create private pages, e.g. createPrivatePage(page5)
The user that created the private page becomes the owner of the new page
Private resources are visible only for the owner of the resource
Private resources do not inherit any roles from their ancestor nodes
Private resources are deleted explicitly by the owner or automatically when the creator is removed from the portal
[Diagram: page1 → page2 (explicit Privileged User assignment) → page3, page4, page5 (inherited Privileged User); page6 is a private resource with an Owner relationship only]
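The rules on slides 69-73 (role type ordering, role instances inherited down the resource hierarchy, inheritance blocks per role type, ownership, private resources) as an added Python model. This is illustrative code, not WebSphere Portal's access control implementation: the role chain, the action names, the sample tree and the principals are assumptions, and Delegator is modelled outside the chain as a role that only grants access.

```python
"""Role instances on a protected resource tree: inheritance, inheritance
blocks, ownership and private resources. Added model illustrating the
slides; it is not WebSphere Portal code. The role type chain, the action
names and the sample hierarchy are assumptions made for the example."""
from collections import defaultdict
from enum import IntEnum


class Role(IntEnum):
    USER = 1
    PRIVILEGED_USER = 2
    CONTRIBUTOR = 3
    EDITOR = 4
    MANAGER = 5
    SECURITY_ADMINISTRATOR = 6
    ADMINISTRATOR = 7
    DELEGATOR = 100        # outside the chain: may grant access, nothing else


# Each chained role type adds actions to those of the types below it.
_CHAIN = [
    (Role.USER, {"view"}),
    (Role.PRIVILEGED_USER, {"personalize", "create_private"}),
    (Role.CONTRIBUTOR, {"create_shared"}),
    (Role.EDITOR, {"edit"}),
    (Role.MANAGER, {"delete"}),
    (Role.SECURITY_ADMINISTRATOR, {"grant_access"}),
    (Role.ADMINISTRATOR, {"everything"}),
]
ACTIONS = {Role.DELEGATOR: {"grant_access"}}
_acc = set()
for _role, _added in _CHAIN:
    _acc = _acc | _added
    ACTIONS[_role] = _acc


class Resource:
    def __init__(self, name, parent=None, owner=None, private=False):
        self.name, self.parent, self.owner, self.private = name, parent, owner, private
        self.assignments = defaultdict(set)   # principal -> explicitly assigned role types
        self.blocked = set()                  # role types that are not inherited into this node
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def assign(self, principal, role):
        self.assignments[principal].add(role)

    def effective_roles(self, principals):
        """Role instances assigned here plus those inherited from the ancestors,
        minus the blocked types. Private resources inherit nothing."""
        roles = set()
        for principal in principals:
            roles |= self.assignments.get(principal, set())
        if not self.private and self.parent is not None:
            roles |= {r for r in self.parent.effective_roles(principals) if r not in self.blocked}
        return roles


def permitted(user, groups, action, resource):
    """May `user`, a member of `groups`, perform `action` on `resource`?"""
    if resource.private and resource.owner != user:
        return False                       # private resources are visible to the owner only
    roles = resource.effective_roles({user, *groups})
    if resource.owner == user:
        roles.add(Role.MANAGER)            # ownership: Manager on this node only, never inherited
    allowed = set().union(*(ACTIONS[r] for r in roles))
    return "everything" in allowed or action in allowed


def create_shared(user, groups, parent, name):
    if not permitted(user, groups, "create_shared", parent):
        raise PermissionError(f"{user} may not create shared resources under {parent.name}")
    return Resource(name, parent, owner=user)


def create_private(user, groups, parent, name):
    if not permitted(user, groups, "create_private", parent):
        raise PermissionError(f"{user} may not create private resources under {parent.name}")
    return Resource(name, parent, owner=user, private=True)


def build_sample_tree():
    """Constructed hierarchy in the spirit of the Role Instances slide."""
    root = Resource("root")
    root.assign("wpsadmins", Role.ADMINISTRATOR)           # Administrator@root
    page_root = Resource("page root", root)
    page_root.assign("all-authenticated", Role.PRIVILEGED_USER)
    page_root.assign("editors", Role.EDITOR)
    page_root.assign("contributors", Role.CONTRIBUTOR)
    page1 = Resource("page1", page_root)
    page1.assign("alice", Role.MANAGER)                    # Manager@page1
    teller = Resource("Teller page", page_root)
    teller.blocked.add(Role.EDITOR)                        # inheritance block for Editor instances
    teller.assign("tellers", Role.EDITOR)                  # Editor@Teller page
    Resource("page3", teller)
    return {"root": root, "page root": page_root, "page1": page1,
            "Teller page": teller, "page3": teller.children[0]}
```

Two consequences worth checking against your own role assignments: a block removes a role type wholesale, so a member of "editors" still views the Teller page through the unblocked Privileged User instance but cannot edit it; and ownership stops at the created node, so the creator of page6 cannot delete a page7 that a Manager later creates beneath it.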
74. Access Control Administration
Administration portlets
Portal Scripting
XmlAccess
76. What are Composite Applications?
[Diagram: a Composite Application combines a Community, a User Interface, an Application Context and Business Components; Business Objects come from Content Documents (JCR), Domino, ERP, …]
77. Templates and Applications
[Diagram: Application Instance(s), each with an Application Context (Community, Portal Objects, Business Objects), are serialized into a Template XML; instantiation from the template creates a new Application Instance, filling in the points of variability (PoVs)]
Template XML
• contains the blueprint to easily create another instance of that application
• describes visual and non-visual business components and their relationships
• allows for points of variability to be filled out during instantiation
78.-80. Membership Management
Business User: Application Owner
[Screenshots; no text preserved in the transcript]
81. Application Role Mappings
[Diagram: Users / Groups → Membership → Application Roles (Admin, Analyst, Developer) → Role Mapping → Component Roles (Admin, User, Operator, …) exposed by Business Components such as the Business Insight Portlet, the XML Import Portlet and an External Trace Analyzer (e.g. a custom debug application)]
82. Manage Application Roles
Business User: Template Editor or Application Owner
83. E.g.: Create an additional "Manager" Role
[Screenshot: application role name and description; this role shall contain delegation privileges; this role shall contain Manager privileges for the Insight portlet component; component roles exposed by the Enable Tracing component]
84. New application role has been created ...
85. Business Users can use the new role …
Business User: Application Owner
86. Application Roles & Membership
WebSphere Portal 6.0 features an infrastructure for composite applications
Each application consists of a set of business components
Business components expose component roles as appropriate for the corresponding business domain
Component roles exposed by one or more business components can be aggregated into application roles
Application roles can be assigned to users and groups
A user assigned a specific application role is considered a member of the corresponding application instance
There are administration portlets for application role management (i.e. create, modify, delete, update application roles) and membership management
Application instances can be serialized into templates
Application roles are part of the template
87. The 4 Data Domains: No Inheritance Across Domain Boundaries
Release Domain: data: "MyPortal" & "Admin" resources; model: authorization roles
Community Domain: data: application/templating; model: membership model
Customization Domain: data: user private data (e.g. private pages); model: private resources only
JCR Domain: data: content (WCM/PDM) + templates, policies, PZN rules; UI: authorization roles
Each domain supports consistent backup/restore
89. Web Services for Remote Portals (WSRP)
Industry standard for presentation-oriented Web Services
Producer side: portlets can be provided as WSRP services
Consumer side: set up a producer entity; integrate WSRP services in the form of portlets from a producer portal
[Diagram: WebSphere Portal as consumer runs local portlets (JSR 168, WPS 4.x) and a generic WSRP proxy portlet over the Portlet API; producers are application and content providers, 3rd party content/application providers and WSRP services on the Internet and Intranet; services are published and found via a UDDI registry; transport is SOAP web services]
90. WSRP Identity Propagation
User Profile Propagation (no security)
User profile data submitted in the SOAP message
Used for generating personalized content
Not intended for access control decisions
SSL client certificate authentication
Certificate-based client authentication with the user ID in the certificate
One identity per consumer portal
WS-Security
WSRP client/producer run in a JSR 109 compliant container, which allows full exploitation of the WAS WS-Security runtime
Allows end user identity propagation / mapping
• e.g. LTPA token forwarding
• public plug points in WAS for custom tokens
Tivoli Federated Identity Manager (TFIM) provides multiple ways of doing web services based federated SSO (e.g. via SAML)
92. Java 2 Platform Security
"Is this piece of code allowed to read httpd.conf?"
Part of the Java platform (SecurityManager and policy files)
Policy files define the privileges of the code to be executed
Protection of system resources and APIs via a policy-based, fine-grained access control mechanism
Activated via a global setting in WebSphere Application Server (independent of "Global Security")
93. Java 2 Platform Security
WebSphere Portal runs with Java 2 Security enabled
Portal core libraries and administration portlets are treated as trusted and get java.security.AllPermission
Portlet-specific permissions can be assigned to individual portlets by adding a corresponding was.policy file to the WAR archive
Portlet deployment copies the was.policy file to the EAR level as required by the WAS security runtime
Individual portlets can thus be prevented from accessing arbitrary system resources …
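An example was.policy fragment for a single portlet WAR, added here and not taken from the presentation. The permissions granted are an assumption chosen for illustration; the codeBase alias ${application} is the WAS policy symbol for the deployed application, and the two permission classes are standard Java ones.

```text
// META-INF/was.policy in the portlet WAR (added example, not from the slides).
// Grants only what the portlet needs instead of java.security.AllPermission.
grant codeBase "file:${application}" {
  // outbound HTTPS to one feed host only (host and port are assumptions)
  permission java.net.SocketPermission "feeds.example.com:443", "connect,resolve";
  // read a single JVM system property; no file, reflection or runtime permissions
  permission java.util.PropertyPermission "java.version", "read";
};
```

Once Java 2 Security is switched on, anything the portlet does beyond these grants fails with java.security.AccessControlException, so the check before shipping is to deploy with the policy in place and exercise every portlet mode.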
95. Misc
Security Audit Service
Can be activated to track administrative actions
Writes a dedicated log file (plain text)
Includes information on the executing user, execution time and involved resources
New with 6.1: SSL configuration in the WAS Admin Console
96. WebSphere Portal Security Strategy
Security is part of the Portal design process
Design documents detail the security implications and are reviewed by a dedicated portal security team
Security is part of the Portal testing strategy
WebSphere Portal does dedicated security vulnerability (aka. penetration) testing on selected portal releases
Security certifications
WebSphere Portal access control is Common Criteria certified
WebSphere Portal uses FIPS 140-2 compliant crypto libraries provided by WebSphere Application Server
Portal security is aligned with the IBM security strategy
IBM invests in security research, e.g. teams in Zurich and Tokyo investigate Web 2.0 security implications
The WebSphere Portal security architect aligns portal security with IBM security strategy and research results
Security fixes are published on the portal Security Bulletin web site
http://www-128.ibm.com/developerworks/websphere/zones/portal/security/
97. Additional Information and Resources
WebSphere Portal Security White Paper
http://www-128.ibm.com/developerworks/websphere/library/techarticles/0611_buehler/0611_buehler.html
Exploiting the WebSphere Portal V5.1.0.1 programming model, Part 3: Integrating WebSphere Portal into your security environment
http://www.ibm.com/developerworks/websphere/library/techarticles/0606_buehler/0606_buehler.html
WebSphere Portal Product Information
http://www-306.ibm.com/software/genservers/portal/enable/
WebSphere Portal Information Center documentation
http://www-106.ibm.com/developerworks/websphere/zones/portal/proddoc.html
WebSphere Portal Security Zone
http://www-128.ibm.com/developerworks/websphere/zones/portal/security/
98. WebSphere Portal Technical Conference Europe 2008
Session ID: B07
Session: IBM WebSphere Portal Security Overview
Presenter: Dr. Dieter Buehler
Please take a few minutes to fill out the session survey.
Thank you