Transcending Network Identity with the Java™ Identity API
Ron Monzillo
Ron Monzillo: ron.monzillo@oracle.com • Consulting Member of Technical Staff, Oracle Identity Management • Joined Sun Microsystems in March 1999 • Java EE Platform and Servlet Security Architect • Specification Lead: JSR 351 The Java Identity API; JSR 196 The Java Authentication SPI for Containers; JSR 115 The Java Authorization Contract for Containers • OASIS WS-Security contributor and editor of SAML Token profile
Agenda • Introduction • Service Architecture • Programming Model and API • Programming Examples • Reference Implementation • Advanced Topics • Wrap up • Q & A
What you will get out of this Presentation • Introduction to the Project and its Information Model • Preview of the API and a Basic Understanding of How to Use It • Where you can find us and how you can contribute
Agenda: Introduction • Timeline, Contributors, and Activities • Terminology and Information Model • Use Cases and Approach
Timeline • JSR 351 Approval Ballot completed Oct. 3, 2011 • First Expert Group meeting Nov 15, 2011 • biweekly meetings since • Nobis Reference Implementation live on java.net since July 3rd, 2012 • Biweekly meetings since Tuesday Aug. 28th, 2012 • Early Draft submission to JCP imminent – approved yesterday • Anticipated Final Release: June 2014
Licensing Reference Implementation in Project Nobis on java.net, under Apache License, version 2.0 http://www.apache.org/licenses/LICENSE-2.0 License for Final Release of Specification http://jcp.org/aboutJava/communityprocess/licenses/jsr351/351SpecLicenseIdentityJSR.pdf The TCK will be licensed at no charge http://jcp.org/aboutJava/communityprocess/licenses/jsr351/351SATCKJSRIdentity1.pdf
Objective • Client-side Java framework for consumption, generation, propagation, and governance of identity attributes • Distributed identity repositories and disparate domain models • No single source completely describes an entity's identity • Declaration of use, virtualization of source • Annotations declare dependencies • Dependency Injection/Interceptors/Entity factories simplify lookup • for Java SE, Java EE and for Java applications running in consumer devices
Information Model - Foundation • Entities (i.e. persons, computers, services, documents, ...) are represented as collections of named, metadata-qualified values called Attributes • metadata conveys named property values (e.g., issuer, validity period, usage constraints, ...) within the Attribute representation • Entity and Attribute references support propagation and exchange without disclosing identity values
Terminology - Services • Attribute Repository • translates attribute interfaces to operations on an identity repository • Repository Agent • source of Attribute Repository implementations • Attribute Provider • secure, metadata-assigning encapsulation of an Attribute Repository, or of other Attribute Providers • Attribute Service • source of Attribute Providers
Terminology – Handles • Repository Descriptor • handle to obtain Attribute Repository from Repository Agent. • Provider Lookup Context • handle to obtain Attribute Provider from Attribute Service • Entity Reference • handle to obtain Entity attributes from Attribute Service. • Attribute Reference • handle to obtain Attribute from Attribute Service
Motivating Use Cases • Application is Client of Attribute Service • Application is Attribute Provider • Identity Exchange or Propagation • Authentication System Binds Attributes to Java Authentication State • Hybrid of 1 and 4, Application consumes Attributes of/using Authentication state
Approach • Standardize the Representation • Promote Attribute Service • Standardize a Declarative Programming Style • Layer 1: Representation and JRE Integration • Layer 2: Services • Layer 3: Application Development
Agenda: Service Architecture • Role of Attribute Service • Provided Services and Service Provider Architecture • Repository Virtualization and Composition • Identity Protection Model
Promote Attribute Service • As Point of Interaction, Governance, and Virtualization • Local point of reference for applications • Encapsulation of diverse repository protocols and locations • Able to optimize interactions with remote repositories • Credential acquisition • Authoritative representation of source, validity, and related meta-data • Authorization and Audit of application use of identity attributes • in support of compliance with Identity governance model
Attribute Service Provides 3 Services • Repository Agent Registration Service • registers agents that return Attribute Repository objects • Provider Lookup Service • returns Attribute Providers by Provider Lookup Context • Attribute (Lookup and Update) Services • routes interactions to corresponding interfaces of Attribute Providers located by Provider Lookup Context from Provider Lookup Service
Service Provider Architecture • Repository Agent • registered as source of Attribute Repository implementations described by Repository Descriptor • Constructs and returns Attribute Repositories to Attribute Service • Provider Lookup Initializer • registers repository agents when invoked as a result of constructor injection:
    @Inject
    public NobisAttributeService(@Any Instance<ProviderLookupInitializer> initializers) { … }
Provider Lookup Context • Portable, provider independent, component of all reference forms • Provider Lookup Service returns Attribute Provider • given Repository Agent registrations for leaf providers in context • Embedded in predicates, attributes, entity, and attribute references, etc. • Simple model of composition
Provider Lookup Context forms • Leaf • represented by Repository descriptor • Entity Selector • Predicate based subset • Union • Aggregation of two or more • Pair-wise Correlation • Natural Join through common values of designated attributes • Virtualization and Composition
Role of Attribute Provider • Enforces Service protection Model • Assigns required metadata • Implements virtualization and composition (based on predicate, aggregation or natural join) • Attribute Provider implementation provided by Attribute Service implementation
Services Protection Model • Employs the Java Security Manager • Checks the calling access control context for the corresponding AttributeRepositoryPermission(s) • One permission check for each Leaf in the lookup context • Permission action determined by the service being invoked • Utility, getRequiredPermissions, returns the permissions to check • provider- and interface-specific, content-independent policy • Protects access to service interfaces (e.g., getAttributeLookupService) and to operations within service interfaces (e.g., getAttribute)
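The check sequence this slide describes, as an added example that is not part of the deck or of Project Nobis: a hypothetical AttributeRepositoryPermission modelled on the name the slide uses (repository id as the permission name, service operations as actions), a getRequiredPermissions utility that yields one permission per leaf repository in the lookup context, and the Security Manager check a service entry point would run before delegating to any provider. The class and method names, the "lookup"/"update" action strings and the policy grant in the trailing comment are assumptions. One caveat the slide predates: the Security Manager this model relies on has been deprecated for removal since JDK 17, so the approach is tied to earlier runtimes.

```java
import java.security.Permission;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;

/**
 * Hypothetical AttributeRepositoryPermission (not the Nobis class): the name is a leaf repository
 * identifier ("*" for any), the actions are the service operations granted on it, e.g. "lookup,update".
 */
public final class AttributeRepositoryPermission extends Permission {
    private final Set<String> actions;

    // The (name, actions) constructor is the shape a policy file needs to instantiate the permission.
    public AttributeRepositoryPermission(String repositoryId, String actions) {
        super(repositoryId);
        this.actions = parse(actions);
    }

    private static Set<String> parse(String s) {
        Set<String> out = new TreeSet<>();
        for (String a : s.split(",")) {
            String t = a.trim().toLowerCase();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    /** A granted permission implies a requested one when the repository matches and every requested action was granted. */
    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof AttributeRepositoryPermission)) return false;
        AttributeRepositoryPermission req = (AttributeRepositoryPermission) p;
        boolean repoOk = "*".equals(getName()) || getName().equals(req.getName());
        return repoOk && actions.containsAll(req.actions);
    }

    @Override
    public boolean equals(Object o) {
        if (!(o instanceof AttributeRepositoryPermission)) return false;
        AttributeRepositoryPermission other = (AttributeRepositoryPermission) o;
        return getName().equals(other.getName()) && actions.equals(other.actions);
    }

    @Override public int hashCode() { return Objects.hash(getName(), actions); }
    @Override public String getActions() { return String.join(",", actions); }
}

/** Hypothetical service front-end illustrating the check order the slide describes. */
final class GuardedAttributeService {
    /** Content-independent policy: one permission per leaf in the lookup context, the action fixed by the service invoked. */
    static List<AttributeRepositoryPermission> getRequiredPermissions(Collection<String> leafRepositoryIds, String action) {
        List<AttributeRepositoryPermission> required = new ArrayList<>();
        for (String leaf : leafRepositoryIds) required.add(new AttributeRepositoryPermission(leaf, action));
        return required;
    }

    /** Every leaf is checked against the caller's access control context before any provider is touched. */
    static void checkAccess(Collection<String> leafRepositoryIds, String action) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return;   // no Security Manager installed: the service protection model is not in force
        for (AttributeRepositoryPermission p : getRequiredPermissions(leafRepositoryIds, action)) {
            sm.checkPermission(p);   // throws java.security.AccessControlException at the first leaf the caller lacks
        }
    }

    // Assumed policy grant (java.policy syntax) that lets application code read the "hr" leaf but never update it:
    //   grant codeBase "file:/opt/app/-" {
    //       permission AttributeRepositoryPermission "hr", "lookup";
    //   };
    // A lookup whose context also spans a "badge" leaf would then fail at the second check.
}
```

Because the permission names only the repository and the operation, the policy stays content-independent, exactly as the slide puts it: which entities or attribute values come back is governed by the separate content protection model, not by this check.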
Content Protection Model • Differential protection of specific entities, and attributes • Objective is to enforce common entity and attribute protection model over disparate repository technologies • Requires contract between Attribute Repository and Attribute Provider to acquire credentials required by identity repository • token authorizing Attribute Service to access content of repository • Attribute Service asserts that it is acting on behalf of some user known to repository • Attribute service relies on its authority to operate at the repository
Identity Repository Protection Model • Disparate policy models • Evolving support for in-process delegation of rights (requiring resource owner to be on-line) • Other environments may support static delegation models, or trusted repository clients • Special Case of application as Attribute Provider @IDEntityProvider • Allow developer to establish policy • Privileged actors may be identified within the content • as a result of their role in the creation of the entity
Repository Protection Model (diagram; labels: Attribute Service, Attribute Provider)
Agenda: Programming Model and API • Programmatic Interfaces • Attribute Lookup • Attribute Provider by Annotation • Content Protection by Annotation (TBD)
Standardize Representation of Identity in Java • Standard Attribute Interfaces • Attributes are named, multi-valued, and meta-data qualified • meta-data: Issuer*, time-of-issue, validity period, usage-constraints • Uniform, domain model independent framework for representing Identity Attributes • Including content from mechanism specific security credentials • Represents Identity such that it • can be used within interfaces of the Java Security Model • can be propagated between Java systems
Identity Attribute Interface: a named, meta-data qualified value with a reference
    public interface IDAttribute {
        Collection<IDName> getAttributeNames();            // an attribute may carry more than one name
        <T> IDAttributeValue<T> getAttributeValue();        // the (possibly multi-valued) attribute value
        Map<IDName, IDAttributeValue> getPropertyMap();     // metadata properties: issuer, validity period, usage constraints, ...
        IDAttributeReference getAttributeReference();       // handle that can be propagated without disclosing the value
    }
AttributeLookupService
  Entity lookup:
    Collection<IDEntityReference> search(AttributeSelector... entitySelectors);
  Attributes of an Entity:
    Collection<IDAttribute> getAttributes(IDEntityReference entity, AttributeSelector attributeSelector, PropertySelector... propertySelectors);
  Attribute References of an Entity:
    Collection<IDAttributeReference> getAttributeReferences(IDEntityReference entity, AttributeSelector attributeSelector, PropertySelector... propertySelectors);
  Attribute for an Attribute Reference:
    IDAttribute getAttribute(IDAttributeReference attribute);
Selectors, Predicates, and Expressions • Expressions • statement representing attribute characteristic (e.g., value, name) • Predicate • function with boolean result used in a test of an expression about an attribute, or in a test of one or more predicates • Selector • is a predicate used in a test of an entity or attribute during lookup There are Entity and Attribute Selectors
Creating an Entity • Bag of attributes • Internal resilient entity identifier • permanent and decoupled from the value of any attributes (to ensure stability of entity reference)
AttributeUpdateService
  Create Entity:
    IDEntityReference addEntity(Collection<IDNamedAttributeValue> attributes);
  Add Attribute to referenced Entity:
    IDAttributeReference addAttribute(IDEntityReference entity, IDNamedAttributeValue attribute);
  Add Property to referenced Attribute:
    boolean addProperty(IDAttributeReference attribute, IDName propertyName, IDAttributeValue propertyValue);
  Rename referenced Attribute:
    boolean renameAttribute(IDAttributeReference attribute, Collection<IDName> names);
  Etc.
@IDEntity, @IDEntityProvider, and @IdentityAttribute • @IDEntity • designates class as receiver of attributes • @IDEntityProvider • designates class as attribute provider • @IdentityAttribute • Used by both attribute receivers and providers • Designates field as attribute receiver or provider depending on context
Agenda: Programming Examples • Application consumes Identity Attribute Values • Application is Java Attribute Provider • Authentication System Binds Entity Reference. • Application obtains Identity Attribute from Attribute Reference
Attribute Receiver by Annotation
    @IDEntity
    public class TheAttributeReceiver {
        @IdentityAttribute(names = {"userName"}) String name;   // receives the attribute named userName
        @IdentityAttribute IDAttributeValue emailAddress;       // attribute name defaults to the field name
        @EntityReference IDEntityReference entity;              // reference to the entity whose attributes are injected
    }
Attribute Provider by Annotation
    @IDEntityProvider
    public class TheAttributeProvider {
        @IdentityAttribute(names = {"userName"}) String name;   // provides the attribute named userName
        @IdentityAttribute IDAttributeValue emailAddress;       // attribute name defaults to the field name
        @EntityReference IDEntityReference entity;              // reference assigned to the entity this class provides
    }
Authentication System Binds IDEntityReference
    Subject bindEntityReference(IDEntityReference e) {
        IDEntityReferencePrincipal p = new IDEntityReferencePrincipal(e);   // wraps the reference as a Principal
        Subject s = new Subject();
        s.getPrincipals().add(p);                                           // the reference, not the attribute values, travels with the Subject
        return s;
    }
Binding reference to @IDEntityProvider
    @IDEntityProvider
    public class User {
        @IdentityAttribute String userName;
        @IdentityAttribute IDAttributeValue groups;
        @EntityReference IDEntityReference entity;
        public void setUserName(String userName) { this.userName = userName; }
    }
    // direct construction; the postConstruct interceptor assigns user.entity
    User user = new User();
    // factory-based alternative to the interceptor:
    //   IDEntityProviderFactory factory = new IDEntityProviderFactory(attributeService, User.class);
    //   User user = factory.newIDEntityProvider();
    // set user attribute values
    user.setUserName("Bill");
    …
    // bind the provider's entity reference into the authentication state (see bindEntityReference above)
    Subject s = bindEntityReference(user.entity);
Lookup Attributes of Authenticated User • Authentication establishes entity reference, e.g. HttpServletRequest.getUserPrincipal returns IDEntityReferencePrincipal • Application requests attributes of user • by use of @IdentityAttribute (shown earlier) • programmatically, by obtaining the AttributeLookupService corresponding to the ProviderLookupContext of the entity reference:
    Collection<IDAttribute> attributes = attributeService.getAttributes(entityReference);
Attribute Lookup by CDI Injection • good match for apps that • statically name the attributes they want, and • entity identifying context must be established before injection • In some cases, such as injection of user attributes in a servlet, Injection must be scoped to the service invocation
Agenda: Reference Implementation • Project Nobis – http://java.net/projects/nobis • Attribute Service implementation • Attribute Provider Virtualization and Composition • Attribute Repository Integration • Interceptors, Entity Factories, and CDI Injection
Interceptors and CDI • The Nobis Attribute Service provides • postConstruct interceptors for @IDEntity and @IDEntityProvider • factory based alternative for the interceptors • a Caller qualifier and an IDEntityReference Producer to support IDEntityReference injection and Attribute Injection
Swim Lanes • Composite predicates and reference forms produced by NobisAttributeProvider • Top level predicate and reference forms, encapsulate a network of corresponding artifacts obtained from and to be processed by the underlying providers
Agenda: Advanced Topics • Connector Repositories • Defining Requirements around Metadata • Security Token Acquisition for Repository Integration
Connector Repositories • Predicate based search incompatible with social Repositories • Can be applied to internalized entity sets • Assuming the subset can be identified • Perhaps by a simple predicate • And that it is possible to create and exchange durable references to the internalized entities
Requirements Around Metadata • define a common taxonomy of metadata • establish how Attribute Repositories and Attribute Providers cooperate to define attribute metadata • establish how any required attribute metadata is to be represented
Security token acquisition • Define how Applications and Users are to provide credentials for use by Attribute Repositories • Define if and how common desktop applications will be authorized at Identity Repositories
Repository Bindings • bind a predicate to a specific internal component • Repository Binding scopes an expression to a leaf repository • In support of join where we cannot • assume that we can do the Cartesian product first • assume that attribute names are unique among the components • Cannot require that both sides of the join satisfy the selector • In this case, we bind the predicate to the appropriate leaf repository
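The composition forms from the "Provider Lookup Context forms" slide (Leaf, Entity Selector, Union, Pair-wise Correlation) and the leaf-bound predicate from this slide, as an added in-memory example that is not Nobis code: two constructed leaf repositories that share only a mail attribute, an entity selector bound to the one leaf that actually holds the dept attribute, and a pair-wise correlation (natural join) on mail whose output qualifies every attribute name with its leaf name because uniqueness across components cannot be assumed. The class names, the sample entities and the attribute names are constructed for illustration; the file is CompositeLookup.java.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

/** Constructed stand-in for a leaf Attribute Repository: entity id -> (attribute name -> value). Not Nobis code. */
final class LeafRepository {
    private final String name;
    private final Map<String, Map<String, String>> entities = new LinkedHashMap<>();

    LeafRepository(String name) { this.name = name; }

    String name() { return name; }

    LeafRepository add(String entityId, String... nameValuePairs) {
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("ref", name + ":" + entityId);   // durable reference, decoupled from any attribute value
        for (int i = 0; i + 1 < nameValuePairs.length; i += 2) {
            attrs.put(nameValuePairs[i], nameValuePairs[i + 1]);
        }
        entities.put(entityId, attrs);
        return this;
    }

    /** Entity Selector bound to this leaf: the predicate only ever sees attributes this repository holds. */
    List<Map<String, String>> select(Predicate<Map<String, String>> boundSelector) {
        List<Map<String, String>> hits = new ArrayList<>();
        for (Map<String, String> attrs : entities.values()) {
            if (boundSelector.test(attrs)) hits.add(attrs);
        }
        return hits;
    }
}

public final class CompositeLookup {
    /** Union: aggregation of the entity sets of two or more components. */
    @SafeVarargs
    static List<Map<String, String>> union(List<Map<String, String>>... parts) {
        List<Map<String, String>> out = new ArrayList<>();
        for (List<Map<String, String>> part : parts) out.addAll(part);
        return out;
    }

    /**
     * Pair-wise correlation: natural join through common values of the designated attributes.
     * The right side is indexed first so no Cartesian product is ever materialised, and every
     * output attribute is qualified by its leaf name because names need not be unique across components.
     */
    static List<Map<String, String>> correlate(LeafRepository left, List<Map<String, String>> leftEntities, String leftAttr,
                                               LeafRepository right, List<Map<String, String>> rightEntities, String rightAttr) {
        Map<String, List<Map<String, String>>> index = new LinkedHashMap<>();
        for (Map<String, String> r : rightEntities) {
            String key = r.get(rightAttr);
            if (key != null) index.computeIfAbsent(key, k -> new ArrayList<>()).add(r);
        }
        List<Map<String, String>> joined = new ArrayList<>();
        for (Map<String, String> l : leftEntities) {
            String key = l.get(leftAttr);
            if (key == null) continue;   // an entity without the join attribute cannot correlate
            for (Map<String, String> r : index.getOrDefault(key, Collections.emptyList())) {
                Map<String, String> merged = new LinkedHashMap<>();
                for (Map.Entry<String, String> e : l.entrySet()) merged.put(left.name() + "." + e.getKey(), e.getValue());
                for (Map.Entry<String, String> e : r.entrySet()) merged.put(right.name() + "." + e.getKey(), e.getValue());
                joined.add(merged);
            }
        }
        return joined;
    }

    public static void main(String[] args) {
        // Constructed sample data: an HR directory and a badge system that share only the mail attribute.
        LeafRepository hr = new LeafRepository("hr")
            .add("1001", "mail", "alice@example.com", "dept", "engineering")
            .add("1002", "mail", "bob@example.com", "dept", "finance")
            .add("1003", "mail", "carol@example.com", "dept", "engineering");
        LeafRepository badge = new LeafRepository("badge")
            .add("B-7", "mail", "alice@example.com", "badgeId", "7")
            .add("B-9", "mail", "carol@example.com", "badgeId", "9")
            .add("B-4", "mail", "dave@example.com", "badgeId", "4");

        // Repository binding: "dept == engineering" is scoped to the hr leaf. The badge leaf has no dept
        // attribute, so requiring both sides to satisfy the selector would match nothing, and filtering
        // after a Cartesian product would pull every entity from both repositories first.
        List<Map<String, String>> engineers = hr.select(a -> "engineering".equals(a.get("dept")));
        List<Map<String, String>> allBadges = badge.select(a -> true);

        System.out.println("union size: " + union(engineers, allBadges).size());
        for (Map<String, String> entity : correlate(hr, engineers, "mail", badge, allBadges, "mail")) {
            System.out.println(entity);   // one row per engineer who holds a badge; bob is dropped at the hr leaf, dave has no hr counterpart
        }
    }
}
```

The point of binding the selector to the hr leaf is visible in where the work happens: the dept test runs inside the one repository that can answer it, the join key is the only value that crosses leaves, and the "ref" entry in each row carries the durable, value-independent entity reference the "Creating an Entity" slide asks for.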
Agenda: Wrap up • Summary • Next Steps
Next Steps • Supporting Consumer devices • Providing Attribute Repositories and Agents via Nobis • Improved integration with CDI • Refining the API and completing Specification