Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006
Idea
• Goal: enable “web” single sign-on (SSO) for non-web applications
• Restriction: utilize the authentication protocols already available in all applications involved
• Requirement: minimize exposure of a user’s long-term authentication credentials (e.g. a long-lived password)
http://myproxy.ncsa.uiuc.edu/sessions/
Related SSO Solutions
• Kerberos
  • Issues cryptographic software tokens
  • Can integrate with Java via GSS-API
  • But the underlying application must be modified to understand the Kerberos protocol
• Session cookies
  • JSESSIONID allows a JWS application to “inherit” the browser’s security context
  • But the security context is only valid with the web server initially contacted
• Browser-based SSO
  • Examples: Microsoft’s Passport, Pubcookie, and Shibboleth
  • But not usable from non-browser applications such as JWS
Motivation
• Real-world development effort: MAEviz
• Three main components
  • Web portal / application server
  • Data server
  • Java Web Start visualization application
• Web portal and data server use password-based authentication
• Portal and JWS application do not share a session context
Scenario
• User connects to grid portal
  • Username/password authentication
• Portal connects to data server for listing
  • Also username/password authentication
• Web portal launches JWS application
• JWS application authenticates to data server
• Desire: user authenticates only once
  • The goal of Single Sign-On (SSO)
Portal + Java Web Start (sequence diagram; message labels in order, parties as in the Scenario slide)
(1) Login: user to portal
(2) Data Request: portal to data server
(3) Data: data server to portal
(4) JNLP: portal launches the JWS application
(5) Data Request: JWS application to data server
(6) Render Data
MAE Center Portal (screenshot)
MAEviz JWS Application (screenshot)
Multiple Protocols
• Portal server is Sakai
  • Web browser front-end
  • Web services (Axis), JSP, Java back-end
• Data server is SAM
  • WebDAV server
  • Metadata Management and Notebook Services
• MAEviz application is JWS
  • Launched via JNLP file
  • Distinct from the web browser session
• How to effect a shared security session?
Password Authentication
• Good news – all components understand username/password authentication
• Obvious solution – pass around the user’s name and password
• Bad news – don’t want to expose the user’s long-lived password
• Solution – use short-lived “session passwords” instead
Session Passwords
• Associate multiple short-lived “session” passwords with a given username
• Can be used in lieu of a user’s long-lived password
• Expire after a few hours
• Validated by an external authentication service, so each application keeps its existing password check
• Allow for a “password based” SSO solution
Solution: MyProxy
• Originally used for X.509 credential storage and retrieval
• Can also be configured as a Certificate Authority (CA) to issue credentials
• Server configuration option allows for storage and retrieval of any number of session passwords for a user
• Multiple external authentication methods
  • PAM and SASL
Creating Session Password (sequence diagram; message labels in order)
(1) Username & Password
(2) Authn U/P
(3) Credential
(4) Generate P’
(5) Put(Cred, U, P’) [Cred]
Using Session Password (sequence diagram; message labels in order)
(1) Username & Session Password P’
(2) Authn U/P’ [Cred]
(3) Cred / Authn OK
MyProxy Configuration
• Checks all stored credentials
  • When authenticating a password, ALL credentials stored for the given username on the MyProxy server are checked for a match
• Falls back to external authentication
  • If the password matches no stored credential, MyProxy falls back to its external authentication methods (e.g. PAM)
• Result: MyProxy authenticates a user’s original long-lived password AND any of the user’s session passwords
MyProxy Single Sign-On (sequence diagram; message labels in order)
(1) U/P
(2) U/P
(3) U/P Authn
(4) Cred
(5) Generate P’
(6) Put(Cred, U, P’) [Cred]
(7) U/P’
(8) U/P’ Authn / Cred / Authn OK
(9) Data
(10) JNLP w/ U/P’
(11) U/P’
(12) U/P’ Authn / Cred / Authn OK
(13) Render Data
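The flow in the diagram above, together with the “check all stored credentials, then fall back to external authentication” rule from the MyProxy Configuration slide and the expiry/destroy behaviour of session passwords, as an added, self-contained Python model. This is illustration code written for this page, not MyProxy’s, MAEviz’s, Sakai’s or SAM’s code. Everything in it is constructed: the MyProxyStore, DataServer and portal_login names, the PAM stand-in EXTERNAL_USERS, the user “alice”, the four-hour lifetime, the dataset listing, and the random token that stands in for the X.509 credential MyProxy would issue as a CA. The step numbers in the comments refer to the diagram.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SESSION_LIFETIME = 4 * 3600  # seconds; "a few hours" in the slides, exact value assumed

# Constructed stand-in for the PAM/SASL backend holding long-lived passwords.
EXTERNAL_USERS = {"alice": "correct-horse-battery"}


def external_authn(user, password):
    """External (PAM/SASL) fallback; only MyProxy ever sees the long-lived password."""
    return EXTERNAL_USERS.get(user) == password


class MyProxyStore:
    """Models a MyProxy server holding any number of (cred, session password) pairs per user."""

    def __init__(self, now=time.time):
        self._now = now
        self._creds = {}  # user -> [(cred, session_pw, expires_at)]

    def put(self, user, cred, session_pw, lifetime=SESSION_LIFETIME):
        self._creds.setdefault(user, []).append((cred, session_pw, self._now() + lifetime))

    def destroy(self, user, session_pw):
        """Client explicitly destroys a session password before it expires."""
        self._creds[user] = [c for c in self._creds.get(user, []) if c[1] != session_pw]

    def authn(self, user, password):
        """Return (ok, cred): ALL live stored entries are tried first, then external authn."""
        live = [c for c in self._creds.get(user, []) if c[2] > self._now()]
        self._creds[user] = live  # expired session passwords are dropped
        for cred, session_pw, _ in live:
            if secrets.compare_digest(session_pw, password):
                return True, cred
        if external_authn(user, password):
            # MyProxy-as-CA would issue an X.509 credential; a random token stands in for it
            return True, "CERT:%s:%s" % (user, secrets.token_hex(4))
        return False, None


def make_jnlp(user, session_pw):
    """Step 10: the portal passes U/P' to the JWS app as JNLP application arguments."""
    jnlp = ET.Element("jnlp", spec="1.0+", codebase="https://portal.example/")
    app = ET.SubElement(jnlp, "application-desc", attrib={"main-class": "edu.example.Viz"})
    for arg in (user, session_pw):
        ET.SubElement(app, "argument").text = arg
    return ET.tostring(jnlp, encoding="unicode")


class DataServer:
    """SAM stand-in: understands only username/password, verified via MyProxy (steps 8, 12)."""

    def __init__(self, myproxy):
        self.myproxy, self.seen_passwords = myproxy, []  # seen_passwords: what reaches SAM

    def request(self, user, password):
        self.seen_passwords.append(password)
        ok, _ = self.myproxy.authn(user, password)
        if not ok:
            raise PermissionError("data server: bad credentials for %s" % user)
        return ["bridge-42.shp", "soil-map.tif"]  # constructed listing


def portal_login(myproxy, user, password):
    """Portal (Sakai stand-in), steps 1-6: the only place the long-lived password is used."""
    ok, cred = myproxy.authn(user, password)  # step 3: U/P authn; step 4: cred
    if not ok:
        raise PermissionError("portal: login failed")
    session_pw = secrets.token_urlsafe(24)  # step 5: generate P'
    myproxy.put(user, cred, session_pw)  # step 6: Put(Cred, U, P')
    return session_pw


def jws_app(jnlp_xml, data_server):
    """Steps 11-13: the JWS app reads U/P' from the JNLP and authenticates with it."""
    user, session_pw = [a.text for a in ET.fromstring(jnlp_xml).iter("argument")]
    return data_server.request(user, session_pw)


def run_sso_demo():
    """Drive the flow once and return what each check observed."""
    clock = {"t": 0.0}  # fake clock so expiry can be exercised
    mp = MyProxyStore(now=lambda: clock["t"])
    sam = DataServer(mp)
    pw1 = portal_login(mp, "alice", "correct-horse-battery")  # steps 1-6
    portal_listing = sam.request("alice", pw1)  # steps 7-9: portal uses U/P'
    jws_listing = jws_app(make_jnlp("alice", pw1), sam)  # steps 10-13
    mp.destroy("alice", pw1)
    destroyed_ok = mp.authn("alice", pw1)[0]
    pw2 = portal_login(mp, "alice", "correct-horse-battery")
    clock["t"] += SESSION_LIFETIME + 1  # let pw2 expire
    return {
        "portal_listing": portal_listing,
        "jws_listing": jws_listing,
        "long_lived_pw_reached_data_server": "correct-horse-battery" in sam.seen_passwords,
        "session_pw_after_destroy": destroyed_ok,
        "session_pw_after_expiry": mp.authn("alice", pw2)[0],
        "long_lived_pw_after_expiry": mp.authn("alice", "correct-horse-battery")[0],
    }
```

The point to take from running it: the data server and the JWS application only ever receive P’, the long-lived password never leaves the portal/MyProxy exchange, and a destroyed or expired P’ is refused while the long-lived password still authenticates through the external fallback.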
Security Concerns
• JNLP file on multi-user systems
  • Downloaded to the user’s local file system
  • Not deleted upon session exit
  • Might have a permissive umask setting
  • Only solution is “user education”
• Session passwords have a finite lifetime
  • Client can also explicitly destroy a session password before it expires
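A concrete check for the JNLP concern above, added here as an illustration and not code from the MAEviz project: the same JNLP file is written under a permissive and a restrictive umask, and an audit function reports which copies a different local user could read. It assumes POSIX permission bits (Linux/macOS) and that U/P’ travel as JNLP <argument> elements, as in step 10 of the SSO diagram; the JNLP template, file names and credentials are constructed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed JNLP; the argument order (user, P') mirrors step 10 of the SSO diagram.
JNLP_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://portal.example/">
  <application-desc main-class="edu.example.Viz">
    <argument>{user}</argument>
    <argument>{session_pw}</argument>
  </application-desc>
</jnlp>
"""


def write_jnlp(path, user, session_pw, umask):
    """Create the file the way a download would: requested mode 0666, masked by umask."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        with os.fdopen(fd, "w") as f:
            f.write(JNLP_TEMPLATE.format(user=user, session_pw=session_pw))
    finally:
        os.umask(old)


def audit_jnlp(path):
    """Report whether a leftover JNLP file exposes its arguments to other local users.
    Assumes POSIX permission bits; "embeds credentials" is the crude heuristic that
    the file carries at least two application arguments (user and session password)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    args = [a.text for a in ET.parse(path).getroot().iter("argument")]
    return {
        "mode": oct(mode),
        "readable_by_others": readable_by_others,
        "embeds_credentials": len(args) >= 2,
        "exposed": readable_by_others and len(args) >= 2,
    }


def find_exposed_jnlp(directory):
    """Scan a directory (e.g. a download folder on a shared host) for exposed JNLP files."""
    exposed = []
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".jnlp"):
            if audit_jnlp(os.path.join(directory, name))["exposed"]:
                exposed.append(name)
    return exposed


def demo():
    """Same content written under umask 022 (typical default) and umask 077."""
    with tempfile.TemporaryDirectory() as d:
        write_jnlp(os.path.join(d, "maeviz-loose.jnlp"), "alice", "s3ss10n-pw", 0o022)
        write_jnlp(os.path.join(d, "maeviz-tight.jnlp"), "alice", "s3ss10n-pw", 0o077)
        return find_exposed_jnlp(d)
```

Under umask 022 the file lands as mode 0644 and is flagged; under 077 it is 0600 and is not. The scan complements, rather than replaces, the two mitigations the slides do offer: the session password’s finite lifetime, and destroying it explicitly when the application exits.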
Conclusion
• Enable SSO for legacy applications
• Client creates any number of “session passwords” for a username stored on a MyProxy server
• Session passwords are passed among clients/programs
• Clients need only understand username/password authentication
Acknowledgements
• National Center for Supercomputing Applications (NCSA)
  • Funded by the NSF (National Science Foundation) under Grant No. SCI-0438712
• Mid-America Earthquake (MAE) Center
  • Funded by the NSF (National Science Foundation) under Grant No. EEC-9701785
• Additional thanks to
  • Jim Myers and Kevin Price, at NCSA