
Identity and Access Control Extensions for Java Enterprise Edition (EE)

Anil Saldhana, Red Hat Inc. (Anil.Saldhana@redhat.com, http://anil-identity.blogspot.com). www.oasis-open.org. Anil leads JBoss Security and Identity Management at Red Hat Inc. and is a member of the OASIS Consortium.


Presentation Transcript


  1. www.oasis-open.org
     Identity and Access Control Extensions for Java Enterprise Edition (EE)
     Anil Saldhana, Red Hat Inc.
     Anil.Saldhana@redhat.com
     http://anil-identity.blogspot.com

  2.
     • Anil leads JBoss Security and Identity Management at Red Hat Inc.
     • Member of the OASIS Consortium
     • Secretary of the SAML Technical Committee
     • Member of the XACML, WS-Federation and Enterprise Key Management TCs
     • Member of W3C
     • Co-editor of the WSC-XIT Specification (WIP)

  3.
     • Java Enterprise Edition (EE) is the premier specification in the Java enterprise world.
     • The Java Community Process (JCP) is its standards body.
     • Currently in version 1.5 (Java EE 5).
     • Containers: Web, Enterprise Java Beans (EJBs) etc.
     • Coarse-grained security using RBAC.

  4. [Diagram: Java EE deployment topology. A Browser talks to a Web Server or Java EE Application Server, which fronts one or more Java EE Application Servers; those in turn reach Database / Messaging / LDAP and Legacy Infrastructure.]

  5. Java EE Security
     • Underspecified.
     • Containers perform 2 sequential steps:
       • Establish the Principal (authentication)
       • Determine roles and undertake enforcement (authorization)
     • RBAC-based coarse-grained access control.
     • Roles shield web resources, EJB methods and message destinations.
     • Security is an aspect external to the application (declared in deployment descriptors rather than coded).

  6. Java EE Containers: Authentication
     [Diagram: inbound credentials (Username, SAML2 Assertions, WS-Trust Claims, Kerberos Principal) are presented to the Java EE Container ("WHO ARE YOU?"); on success ("I KNOW YOU!") the container establishes a Java Principal in a Java Subject.]

  7. Java EE Containers: Authorization
     [Diagram: the Java Principal requests access; the Java EE Container asks "WHAT ROLES DO YOU HAVE?", consults its Java EE Policies and answers "GO AHEAD!" when the roles permit the access.]

  8. Identity Extensions
     • Identity entering the authentication phase:
       • Certificates (CLIENT-CERT in the web world)
       • Username (JMS connections)
       • Otherwise unspecified
     • The Java Principal (in a Subject) is the exit artifact.
     • A federated identity can always be represented as a Java Principal.
     • Hence an automatic extension of the Java EE spec.

  9. Authorization Extensions
     • Specification-mandated rules are insufficient:
       • Web: roles are checked against URL patterns for resources.
     • Contextual security needs to be provided (XACML), e.g. a web resource accessible by employees on business days between 9am and 5pm from a particular subnet only.
     • Allow multiple policy technologies to make one collective decision:
       • JACC, XACML, custom policies, plug-n-play.

  10. Authorization Extensions
      • Example of a policy for resources:

      <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd"
              PolicyId="urn:oasis:names:tc:xacml:2.0:jboss-test:X:policy"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
        <Description>Policy for Test X.</Description>
        <Target/>
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:jboss-test:X:rule" Effect="Permit">
          <Description>Anyone can perform any action on any resource if current-time is 08:23:47-05:00.</Description>
          <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-equal">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
                <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                                                DataType="http://www.w3.org/2001/XMLSchema#time"/>
              </Apply>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">08:23:47-05:00</AttributeValue>
            </Apply>
          </Condition>
        </Rule>
      </Policy>

  11. Use Case – JBoss Portal
      • Portlets are web components running in a Portlet Container (JSR-168).
      • A portal page can contain multiple sub-components such as sub-pages, sub-windows etc.
      • Sub-components need entitlements.
      • An identity may have access to 5 sub-components out of 20 on a page.

  12. Use Case – JBoss Portal

  13. Use Case – JBoss Portal
      • The need for fine-grained authorization is evident.
      • XACML is a strong candidate (+).
      • The alternative is a custom ACL implementation (-).
      • The Java EE web.xml access-control semantic (roles against URL patterns) falls short.
      • The identity can be a federated identity.

  14. Use Case – JBoss Portal – Policy

      <?xml version="1.0" encoding="UTF-8"?>
      <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
              xmlns:xsi="…"
              xsi:schemaLocation="…"
              PolicyId="…"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
        <Description>Policy for Portal Use Case.</Description>
        <Target/>
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:test:II:rule" Effect="Permit">
          <Description>Portal accessible between 9 am and 5pm</Description>
          <Target>
            <Resources>
              <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://host/companyportal/</AttributeValue>
                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                               DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                </ResourceMatch>
              </Resource>
            </Resources>
          </Target>

  15. Use Case – JBoss Portal – Policy

          <!-- In the XACML 2.0 policy schema, Condition wraps a single expression; the "and" is an Apply. -->
          <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
                  <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                                                  DataType="http://www.w3.org/2001/XMLSchema#time"/>
                </Apply>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
              </Apply>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
                  <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                                                  DataType="http://www.w3.org/2001/XMLSchema#time"/>
                </Apply>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
              </Apply>
            </Apply>
          </Condition>
        </Rule>

  16. Use Case – JBoss Portal – Policy

        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:jboss-test:IX:rule" Effect="Permit">
          <Description>The EighteenYearOld page accessible if you are 18</Description>
          <Target>
            <Resources>
              <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://host/companyportal/EighteenYearOld/</AttributeValue>
                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                               DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                </ResourceMatch>
              </Resource>
            </Resources>
          </Target>
          <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:jboss-test:age"
                                            DataType="http://www.w3.org/2001/XMLSchema#integer"/>
              </Apply>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</AttributeValue>
            </Apply>
          </Condition>
        </Rule>
      </Policy>

  17. Use Case – JBoss Portal – Request

      <?xml version="1.0" encoding="UTF-8"?>
      <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" …>
        <Subject>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="…#string">
            <AttributeValue>Anil Saldhana</AttributeValue>
          </Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="…#anyURI">
            <AttributeValue>http://host/someportal/</AttributeValue>
          </Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="…#string">
            <AttributeValue>read</AttributeValue>
          </Attribute>
        </Action>
        <Environment>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="…#time">
            <AttributeValue>09:23:47-05:00</AttributeValue>
          </Attribute>
        </Environment>
      </Request>

  18. Use Case – JBoss Portal – Response

      <?xml version="1.0" encoding="UTF-8"?>
      <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
        <Result>
          <Decision>NotApplicable</Decision>
          <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
          </Status>
        </Result>
      </Response>

      • NotApplicable, not Deny: the request names http://host/someportal/, which neither rule of the policy targets (both match under http://host/companyportal/). The PEP must treat NotApplicable as a refusal.
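The policy on slides 14-16, the request on slide 17 and the NotApplicable response on slide 18 can be traced by hand, but the pieces a practitioner has to get right (exact-URI target matching, the one-and-only functions on attribute bags, deny-overrides rule combining, and what a PEP does with NotApplicable or Indeterminate) show up more clearly in code. The minimal XACML 2.0 evaluator below is an added example written for this page; it is not code from the presentation or from JBoss XACML, and it implements only the functions and the rule-combining algorithm the slides' policy uses. The embedded policy mirrors slides 14-16 with a constructed PolicyId, RuleIds and age AttributeId (urn:example:...); the requests are constructed in the shape of slide 17; and the PDP's implicit time zone for xs:time values that carry no offset (UTC-05:00 here) is an assumption, since XACML leaves that to the implementation.

```python
"""Minimal XACML 2.0 PDP and PEP for the portal policy: an added example, not JBoss XACML code."""
import xml.etree.ElementTree as ET
from datetime import date, datetime, time, timedelta, timezone

P = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"   # policy namespace, ElementTree form
C = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"  # request/context namespace
F = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
TIME_ID = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
# Assumption: the PDP's implicit zone for xs:time values without an offset (XACML leaves it to the PDP).
IMPLICIT_TZ = timezone(timedelta(hours=-5))

# Constructed policy mirroring slides 14-16; PolicyId, RuleIds and the age AttributeId are made up.
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="urn:example:portal"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"><Target/>
 <Rule RuleId="urn:example:portal:hours" Effect="Permit"><Target><Resources><Resource>
  <ResourceMatch MatchId="{F}anyURI-equal"><AttributeValue DataType="{XS}anyURI">http://host/companyportal/</AttributeValue>
   <ResourceAttributeDesignator AttributeId="{RES_ID}" DataType="{XS}anyURI"/></ResourceMatch>
  </Resource></Resources></Target>
  <Condition><Apply FunctionId="{F}and">
   <Apply FunctionId="{F}time-greater-than-or-equal"><Apply FunctionId="{F}time-one-and-only">
     <EnvironmentAttributeDesignator AttributeId="{TIME_ID}" DataType="{XS}time"/></Apply>
    <AttributeValue DataType="{XS}time">09:00:00</AttributeValue></Apply>
   <Apply FunctionId="{F}time-less-than-or-equal"><Apply FunctionId="{F}time-one-and-only">
     <EnvironmentAttributeDesignator AttributeId="{TIME_ID}" DataType="{XS}time"/></Apply>
    <AttributeValue DataType="{XS}time">17:00:00</AttributeValue></Apply>
  </Apply></Condition></Rule>
 <Rule RuleId="urn:example:portal:age" Effect="Permit"><Target><Resources><Resource>
  <ResourceMatch MatchId="{F}anyURI-equal"><AttributeValue DataType="{XS}anyURI">http://host/companyportal/EighteenYearOld/</AttributeValue>
   <ResourceAttributeDesignator AttributeId="{RES_ID}" DataType="{XS}anyURI"/></ResourceMatch>
  </Resource></Resources></Target>
  <Condition><Apply FunctionId="{F}integer-equal"><Apply FunctionId="{F}integer-one-and-only">
    <SubjectAttributeDesignator AttributeId="urn:example:age" DataType="{XS}integer"/></Apply>
   <AttributeValue DataType="{XS}integer">18</AttributeValue></Apply></Condition></Rule>
</Policy>"""

PARSE = {XS + "integer": int, XS + "time": time.fromisoformat}  # string and anyURI stay text
class MissingAttribute(Exception): pass  # *-one-and-only on an empty bag -> rule is Indeterminate
def _tkey(t):  # xs:time -> UTC instant so offset and offset-less values can be compared at all
    return datetime.combine(date(2000, 1, 1), t, t.tzinfo or IMPLICIT_TZ).astimezone(timezone.utc)

FUNCS = {  # only the XACML functions the slides' policy uses
    F + "anyURI-equal": lambda a, b: a == b,
    F + "integer-equal": lambda a, b: a == b,
    F + "time-greater-than-or-equal": lambda a, b: _tkey(a) >= _tkey(b),
    F + "time-less-than-or-equal": lambda a, b: _tkey(a) <= _tkey(b),
    F + "and": lambda *xs: all(xs),
}

def parse_request(xml):  # context Request -> {(category, AttributeId): bag of typed values}
    bags = {}
    for section in ET.fromstring(xml):  # Subject / Resource / Action / Environment
        for a in section.findall(C + "Attribute"):
            conv = PARSE.get(a.get("DataType"), str)
            bags.setdefault((section.tag[len(C):], a.get("AttributeId")), []).extend(
                conv(v.text.strip()) for v in a.findall(C + "AttributeValue"))
    return bags
def _eval(el, req):  # AttributeValue -> value, *AttributeDesignator -> bag, Apply -> function result
    tag = el.tag[len(P):]
    if tag == "AttributeValue":
        return PARSE.get(el.get("DataType"), str)(el.text.strip())
    if tag.endswith("AttributeDesignator"):
        return req.get((tag[:-len("AttributeDesignator")], el.get("AttributeId")), [])
    fid, args = el.get("FunctionId"), [_eval(ch, req) for ch in el]
    if fid.endswith("-one-and-only"):
        if len(args[0]) != 1: raise MissingAttribute(fid)
        return args[0][0]
    return FUNCS[fid](*args)
def _target_matches(target, req):  # absent/empty Target matches; <Resources> needs one fully matching item
    if target is None or len(target) == 0: return True
    return all(any(all(any(FUNCS[m.get("MatchId")](_eval(m[0], req), v) for v in _eval(m[1], req))
                       for m in item) for item in section) for section in target)
def evaluate_rule(rule, req):
    try:
        if not _target_matches(rule.find(P + "Target"), req): return "NotApplicable"
        cond = rule.find(P + "Condition")
        return rule.get("Effect") if cond is None or _eval(cond[0], req) else "NotApplicable"
    except MissingAttribute:
        return "Indeterminate"
def decide(policy_xml, request_xml):  # deny-overrides rule combining, XACML 2.0 Appendix C.1
    policy, req = ET.fromstring(policy_xml), parse_request(request_xml)
    if not _target_matches(policy.find(P + "Target"), req):
        return "NotApplicable"
    results = [(evaluate_rule(r, req), r.get("Effect")) for r in policy.findall(P + "Rule")]
    if any(d == "Deny" for d, _ in results) or ("Indeterminate", "Deny") in results:
        return "Deny"
    if any(d == "Permit" for d, _ in results):
        return "Permit"
    return "Indeterminate" if any(d == "Indeterminate" for d, _ in results) else "NotApplicable"
def pep_allows(decision):  # deny-biased PEP: NotApplicable and Indeterminate are refused, not tolerated
    return decision == "Permit"

def _attr(aid, dtype, value):
    return f'<Attribute AttributeId="{aid}" DataType="{XS}{dtype}"><AttributeValue>{value}</AttributeValue></Attribute>'
def make_request(subject, resource, current_time, age=None):  # constructed, in the shape of slide 17
    subj = _attr("urn:oasis:names:tc:xacml:1.0:subject:subject-id", "string", subject)
    subj += "" if age is None else _attr("urn:example:age", "integer", age)
    return (f'<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"><Subject>{subj}</Subject>'
            f'<Resource>{_attr(RES_ID, "anyURI", resource)}</Resource>'
            f'<Action>{_attr("urn:oasis:names:tc:xacml:1.0:action:action-id", "string", "read")}</Action>'
            f'<Environment>{_attr(TIME_ID, "time", current_time)}</Environment></Request>')
```

`decide(POLICY, make_request("Anil Saldhana", "http://host/someportal/", "09:23:47-05:00"))` reproduces slide 18: neither rule targets someportal, so the answer is NotApplicable. Three things follow from running the other cases. First, a permit-only policy never says Deny: an out-of-hours request on the company portal is also NotApplicable, and a request for the EighteenYearOld page without an age attribute is Indeterminate (one-and-only on an empty bag), so the PEP has to be deny-biased and grant only on Permit. Second, anyURI-equal is an exact match: the 9-to-5 rule covers http://host/companyportal/ only, so the EighteenYearOld sub-page is governed solely by the age rule, and integer-equal admits exactly 18, nobody older. Third, the time-zone caveat: 09:23:47+01:00 is 08:23:47Z, which falls outside the window once the offset-less 09:00:00 and 17:00:00 bounds are read in the PDP's assumed -05:00 zone; a policy that uses bare xs:time values is only as portable as that implicit zone.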

  19. Q & A
