160 likes | 379 Views
Using JASPIC to Develop Portable Servlet Container Authentication Mechanisms. Ron Monzillo. Program Agenda. Introduction Portable SAM Configuration Demonstration Facebook Connect and SAML Web Sso Module Issues, Potential Enhancements, and Next Steps.
E N D
Using JASPIC to Develop Portable Servlet Container Authentication Mechanisms Ron Monzillo
Program Agenda • Introduction • Portable SAM Configuration • Demonstration • Facebook Connect and SAML Web Sso Module • Issues, Potential Enhancements, and Next Steps
Ron Monzillo: ron.monzillo@oracle.com Consulting Member of Technical Staff, Oracle Identity Management Joined Sun Microsystems in March 1999 Java EE Platform and Servlet Security Architect Specification Lead: JSR 351 The Java Identity API JSR 196 The Java Authentication SPI for Containers JSR 115 The Java Authorization Contract for Containers OASIS WS-Security contributor and editor of SAML Token profile
More Information • Java.net projects • http://jaspic-spec.java.net/ • Issue tracker: http://java.net/jira/browse/JASPIC_SPEC • Javadocs: https://jaspic-spec.java.net/nonav/1.1/apidocs/index.html • Downloads (API, source, javadoc jars) • https://java.net/projects/jaspic-spec/downloads/directory/releases/1.1/API • Contributions in project Nobis: http.//java.net/projects/nobis • https://java.net/projects/nobis/sources/git/show/Nobis/authentication • JSR Project page - http://www.jcp.org/en/jsr/detail?id=196 • Ron.monzillo@oracle.com
More Complicated Configuration Model • AuthConfigFactory • Registry of configuration system implementations • Bound to messaging layers and/or specific applications • Container provided but replaceable • AuthConfigProvider • Configuration system implementation • Returns application configuration objects which provide • Invocation specific auth module contexts • Not portable, and hard to find in some “compatible” implementations
Profiles define use in context • Servlet Container Profile • Pluggable authentication in the context of servletconstraint processing • SOAP Profile • SOAP web service message exchanges • LoginModule Bridge Profile • Defines how Auth Module uses JAAS LoginModulefor password validation
Portable Configuration Provider In support of Servlet profile • Advance authentication mechanisms • Simple configuration Methodology • Compatible with all standard Servlet containers • Portable implementation • Auth Module developer or Integrator should not have to do this
JAAS AuthConfigProvider ApplicationConfigurationEntry • Configure authentication modules in JAAS Configuration • SE provide default file-based implementation • Supports module stacking • Issue: jaasconfig no get all configuration entries • Available in glassfish
ServletContainerInitializer • Bound to JAAS Configuration by security property • Registers JAASAuthConfigProvider in factory (at deployment) • Adds listeners to servlet context to manage lifecycle of registration • Simple to use • Put the container listener in lib • Configure authentication modules for applications in jaasconfig file • Bind jaasconfig file to listener and provider via security property • Changes in jaasconfig file applied when any app is deployed
Demo Developing an Authentication Model
Facebook Connect and SAML Web SSO • Facebook connect • Client id, and client secret key alias configured for provider • redirect uri to be configured for “app” in facebook • SAML Web SSO • Dependent on SAML identity provider/IDP • Servlet web app as IDP • Pluggable user authentication • Servlet container as Relying Party • Authentication module redirects user to idp for authentication
Issues, Potential Enhancements, and Next Steps • Simple/Portable AuthConfigProvider • In open source repository • Runtime/spec issues, e.g., • No portable way to save and restore servlet requests • of servlet wrappers • getVirtualServerName • Other profiles, or uses e.g., JAX-RS client • Require as component of EE Web profile
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract.It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.