
Using JASPIC to Develop Portable Servlet Container Authentication Mechanisms

Using JASPIC to Develop Portable Servlet Container Authentication Mechanisms. Ron Monzillo. Program Agenda. Introduction Portable SAM Configuration Demonstration Facebook Connect and SAML Web Sso Module Issues, Potential Enhancements, and Next Steps.


Presentation Transcript


  1. Using JASPIC to Develop Portable Servlet Container Authentication Mechanisms Ron Monzillo

  2. Program Agenda
  • Introduction
  • Portable SAM Configuration
  • Demonstration
  • Facebook Connect and SAML Web SSO Module
  • Issues, Potential Enhancements, and Next Steps

  3. Ron Monzillo: ron.monzillo@oracle.com
  Consulting Member of Technical Staff, Oracle Identity Management
  Joined Sun Microsystems in March 1999
  Java EE Platform and Servlet Security Architect
  Specification Lead:
  • JSR 351 The Java Identity API
  • JSR 196 The Java Authentication SPI for Containers
  • JSR 115 The Java Authorization Contract for Containers
  OASIS WS-Security contributor and editor of SAML Token profile

  4. More Information
  • Java.net projects
    • http://jaspic-spec.java.net/
    • Issue tracker: http://java.net/jira/browse/JASPIC_SPEC
    • Javadocs: https://jaspic-spec.java.net/nonav/1.1/apidocs/index.html
  • Downloads (API, source, javadoc jars)
    • https://java.net/projects/jaspic-spec/downloads/directory/releases/1.1/API
  • Contributions in project Nobis: http://java.net/projects/nobis
    • https://java.net/projects/nobis/sources/git/show/Nobis/authentication
  • JSR Project page: http://www.jcp.org/en/jsr/detail?id=196
  • Ron.monzillo@oracle.com

  5. Simple Message Interception Model

  6. More Complicated Configuration Model
  • AuthConfigFactory
    • Registry of configuration system implementations
    • Bound to messaging layers and/or specific applications
    • Container provided but replaceable
  • AuthConfigProvider
    • Configuration system implementation
    • Returns application configuration objects which provide invocation specific auth module contexts
    • Not portable, and hard to find in some “compatible” implementations

  7. Profiles define use in context
  • Servlet Container Profile
    • Pluggable authentication in the context of servlet constraint processing
  • SOAP Profile
    • SOAP web service message exchanges
  • LoginModule Bridge Profile
    • Defines how an Auth Module uses a JAAS LoginModule for password validation
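As an added example (not code from the talk or from project Nobis), the following is a minimal ServerAuthModule for the Servlet Container Profile. It shows the three things the profile fixes for a SAM: the request and response message types are HttpServletRequest/HttpServletResponse, the container conveys constraint processing through the `javax.security.auth.message.MessagePolicy.isMandatory` entry of the MessageInfo map, and the caller identity is established through CallerPrincipalCallback and GroupPrincipalCallback on the container's CallbackHandler. The class name, the realm string, the "users" group and the single constructed user are assumptions.

```java
// Added example, not code from the talk: a minimal ServerAuthModule for the Servlet
// Container Profile that validates HTTP Basic credentials. The class name, the realm,
// the "users" group and the single constructed user are assumptions.
package example.jaspic;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@SuppressWarnings("rawtypes")
public class BasicAuthModule implements ServerAuthModule {

    // Key the container places in MessageInfo.getMap(): "true" when the target resource is constrained
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";

    // Constructed credential store for the example only; a deployable SAM would bridge to a
    // JAAS LoginModule (LoginModule Bridge Profile) or a hashed password store instead
    private static final Map<String, byte[]> EXPECTED_PASSWORDS =
            Collections.singletonMap("alice", "correct horse".getBytes(StandardCharsets.UTF_8));

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler; // container-supplied handler for Caller/GroupPrincipalCallback
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));

        String user = checkBasicCredentials(request.getHeader("Authorization"));
        try {
            if (user != null) {
                // Establish caller identity and groups for the container's authorization decisions
                handler.handle(new Callback[] {
                        new CallerPrincipalCallback(clientSubject, user),
                        new GroupPrincipalCallback(clientSubject, new String[] { "users" }) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) {
                // Unconstrained resource: let the request through as an unauthenticated caller
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (String) null) });
                return AuthStatus.SUCCESS;
            }
        } catch (Exception e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
        // Constrained resource without valid credentials: challenge and stop dispatch
        response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }

    /** Returns the user name when the header carries valid Basic credentials, otherwise null. */
    static String checkBasicCredentials(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated as absent credentials
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String user = pair.substring(0, colon);
        byte[] password = pair.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = EXPECTED_PASSWORDS.get(user);
        // Constant-time comparison so response timing does not leak how much of the password matched
        return expected != null && MessageDigest.isEqual(password, expected) ? user : null;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS; // nothing to add to the response
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        subject.getPrincipals().clear();
    }
}
```

The isMandatory branch is the part most often got wrong: a SAM that challenges every request breaks unconstrained pages, while one that returns SUCCESS without setting a caller principal on a constrained resource leaves the authorization decision to whatever the container assumes. Returning SEND_FAILURE after writing the 401 tells the container the response is complete and must not be dispatched to the servlet.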

  8. Portable Configuration Provider
  In support of the Servlet profile
  • Advanced authentication mechanisms
  • Simple configuration methodology
  • Compatible with all standard Servlet containers
  • Portable implementation
  • Auth Module developer or integrator should not have to do this

  9. JAAS AuthConfigProvider
  ApplicationConfigurationEntry
  • Configure authentication modules in JAAS Configuration
  • Java SE provides a default file-based implementation
  • Supports module stacking
  • Issue: JAAS Configuration offers no way to get all configuration entries
  • Available in GlassFish

  10. ServletContainerInitializer
  • Bound to JAAS Configuration by security property
  • Registers JAASAuthConfigProvider in factory (at deployment)
  • Adds listeners to servlet context to manage lifecycle of registration
  • Simple to use
    • Put the container listener in lib
    • Configure authentication modules for applications in jaasconfig file
    • Bind jaasconfig file to listener and provider via security property
    • Changes in jaasconfig file applied when any app is deployed
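The registration mechanics of slides 6 and 10, as an added example that is not code from the talk, from GlassFish or from project Nobis: a portable AuthConfigProvider that wraps one ServerAuthModule loaded by class name, and a ServletContainerInitializer that registers it in the AuthConfigFactory for the deploying application and removes the registration when the application is undeployed. Instead of the JAAS Configuration file used in the talk, the module class comes from an assumed `example.sam.class` context parameter; the class names are also assumptions.

```java
// Added example, not the talk's JAASAuthConfigProvider: a provider that wraps one ServerAuthModule
// plus a ServletContainerInitializer that registers it per application and removes it on undeploy.
// Class names and the "example.sam.class" context parameter are assumptions.
package example.jaspic;

import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.ClientAuthConfig;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;

@SuppressWarnings("rawtypes")
public class SingleModuleProvider implements AuthConfigProvider {

    public static final String MODULE_CLASS_PROPERTY = "example.sam.class"; // assumed name
    static final String HTTP_SERVLET_LAYER = "HttpServlet"; // layer identifier fixed by the Servlet profile

    private final Map<String, String> properties;

    // Two-argument constructor shape the spec requires of providers; the factory argument is unused here
    public SingleModuleProvider(Map<String, String> properties, AuthConfigFactory factory) {
        this.properties = properties;
    }

    @Override
    public ClientAuthConfig getClientAuthConfig(String layer, String appContext, CallbackHandler handler) {
        return null; // server side only
    }

    @Override
    public ServerAuthConfig getServerAuthConfig(String layer, String appContext, CallbackHandler handler)
            throws AuthException {
        return new Config(layer, appContext, handler, properties);
    }

    @Override
    public void refresh() { }

    /** One ServerAuthConfig that is also the single ServerAuthContext delegating to the loaded module. */
    static final class Config implements ServerAuthConfig, ServerAuthContext {
        private final String layer;
        private final String appContext;
        private final ServerAuthModule module;

        Config(String layer, String appContext, CallbackHandler handler, Map<String, String> props)
                throws AuthException {
            this.layer = layer;
            this.appContext = appContext;
            String className = props.get(MODULE_CLASS_PROPERTY);
            if (className == null) {
                throw new AuthException("missing " + MODULE_CLASS_PROPERTY);
            }
            try {
                module = (ServerAuthModule) Class.forName(className).getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                throw (AuthException) new AuthException("cannot load " + className).initCause(e);
            }
            // Servlet profile: the per-request isMandatory flag replaces static MessagePolicy objects
            module.initialize(null, null, handler, props);
        }

        @Override public ServerAuthContext getAuthContext(String id, Subject serviceSubject, Map p) { return this; }
        @Override public String getMessageLayer() { return layer; }
        @Override public String getAppContext() { return appContext; }
        @Override public String getAuthContextID(MessageInfo messageInfo) { return appContext; }
        @Override public void refresh() { }
        @Override public boolean isProtected() { return false; }
        @Override public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service)
                throws AuthException { return module.validateRequest(mi, client, service); }
        @Override public AuthStatus secureResponse(MessageInfo mi, Subject service)
                throws AuthException { return module.secureResponse(mi, service); }
        @Override public void cleanSubject(MessageInfo mi, Subject s) throws AuthException { module.cleanSubject(mi, s); }
    }

    /** Registers the provider at deployment; listed in META-INF/services/javax.servlet.ServletContainerInitializer. */
    public static final class Initializer implements ServletContainerInitializer {
        @Override
        public void onStartup(Set<Class<?>> classes, ServletContext ctx) throws ServletException {
            String moduleClass = ctx.getInitParameter(MODULE_CLASS_PROPERTY); // <context-param> in web.xml (assumed)
            if (moduleClass == null) {
                return; // application did not opt in
            }
            // Servlet profile app context id is "<virtual server name> <context path>"; getVirtualServerName is Servlet 3.1
            String appContext = ctx.getVirtualServerName() + " " + ctx.getContextPath();
            AuthConfigFactory factory = AuthConfigFactory.getFactory();
            AuthConfigProvider provider = new SingleModuleProvider(
                    Collections.singletonMap(MODULE_CLASS_PROPERTY, moduleClass), null);
            final String registrationId = factory.registerConfigProvider(
                    provider, HTTP_SERVLET_LAYER, appContext, "example registration for " + appContext);
            ctx.addListener(new ServletContextListener() {
                @Override public void contextInitialized(ServletContextEvent e) { }
                @Override public void contextDestroyed(ServletContextEvent e) {
                    AuthConfigFactory.getFactory().removeRegistration(registrationId); // no stale registration
                }
            });
        }
    }
}
```

The registration is scoped to the exact layer and application context identifier, so a module configured for one application is never consulted for another deployed on the same container. Building that identifier needs the virtual server name, which is why the Servlet 3.1 getVirtualServerName method appears among the runtime issues later in the talk: without it a portable initializer has no standard way to learn the first half of the identifier.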

  11. Demo Developing an Authentication Model

  12. Facebook Connect and SAML Web SSO
  • Facebook Connect
    • Client id and client secret key alias configured for provider
    • Redirect URI to be configured for “app” in Facebook
  • SAML Web SSO
    • Dependent on SAML identity provider (IDP)
    • Servlet web app as IDP
      • Pluggable user authentication
    • Servlet container as Relying Party
      • Authentication module redirects user to IDP for authentication

  13. Issues, Potential Enhancements, and Next Steps
  • Simple/Portable AuthConfigProvider
    • In open source repository
  • Runtime/spec issues, e.g.,
    • No portable way to save and restore servlet requests
    • of servlet wrappers
    • getVirtualServerName
  • Other profiles, or uses, e.g., JAX-RS client
  • Require as component of EE Web profile

  14. The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

  15. ?
