Single Sign-On for Java Web Start Applications Using MyProxy

Presentation Transcript


  1. Single Sign-On for Java Web Start Applications Using MyProxy
     Terry Fleury, Jim Basney, and Von Welch
     November 3, 2006

  2. Idea
     • Goal: enable “web” single sign-on (SSO) for non-web applications
     • Restriction: utilize the available authentication protocols for all applications involved
     • Requirement: minimize exposure of a user’s long-term authentication credentials (e.g. private password)
     http://myproxy.ncsa.uiuc.edu/sessions/

  3. Related SSO Solutions
     • Kerberos
       • Issues cryptographic software tokens
       • Can integrate with Java via GSS-API
       • But, underlying application must be modified to understand the Kerberos protocol
     • Session cookies
       • JSESSIONID allows JWS application to “inherit” the browser’s security context
       • But, security context only valid with the web server initially contacted
     • Browser-based SSO
       • Examples: Microsoft’s Passport, Pubcookie, and Shibboleth
       • But, not useful in non-browser applications such as JWS

  4. Motivation
     • Real-world development effort: MAEviz
     • Three main components
       • Web portal / application server
       • Data server
       • Java Web Start visualization application
     • Web portal and Data server use password-based authentication
     • Portal and JWS application do not share a session context

  5. Scenario
     • User connects to grid portal
       • Username/password authentication
     • Portal connects to data server for listing
       • Also username/password authentication
     • Web portal launches JWS application
     • JWS application authenticates to data server
     • Desire: user authenticates only once
       • The goal of Single Sign-On (SSO)

  6. Portal + Java Web Start
     [Sequence diagram; only the step labels survive: (1) Login, (2) Data Request, (3) Data, (4) JNLP, (5) Data Request, (6) Render Data]

  7. MAE Center Portal
     [Screenshot]

  8. MAEviz JWS Application
     [Screenshot]

  9. Multiple Protocols
     • Portal server is Sakai
       • Web browser front-end
       • Web services (Axis), JSP, Java back-end
     • Data server is SAM
       • WebDAV server
       • Metadata Mgmt. and Notebook Services
     • MAEviz application is JWS
       • Launched via JNLP file
       • Distinct from web browser session
     • How to effect a shared security session?

  10. Password Authentication
     • Good news – all components understand username/password authentication
     • Obvious solution – pass around the user’s name and password
     • Bad news – don’t want to expose user’s long-lived password
     • Solution – use short-lived “session passwords” instead

  11. Session Passwords
     • Associate multiple short-lived “session” passwords with a given username
     • Can be used in lieu of a user’s long-lived password
     • Expire after a few hours
     • Use an external authentication service
     • Allow for a “password based” SSO solution

  12. Solution: MyProxy
     • Originally used for X.509 credential storage and retrieval
     • Can also be configured as a Certificate Authority (CA) to issue credentials
     • Server configuration option allows for storage and retrieval of any number of session passwords for a user
     • Multiple external authentication
       • PAM and SASL

  13. Creating Session Password
     [Sequence diagram; only the step labels survive: (1) Username & Password, (2) Authn U/P, (3) Credential, (4) Generate P’, (5) Put(Cred,U,P’), (5) Cred]

  14. Using Session Password
     [Sequence diagram; only the step labels survive: (1) Username & Session Password (P’), (2) Authn U/P’, (2) Cred, (3) Cred / Authn OK]

  15. MyProxy Configuration
     • Checks all stored credentials
       • When authenticating a password, ALL credentials for a given username on the MyProxy server are checked for a match
     • Falls back to external authentication
       • If no password match to stored credentials, MyProxy falls back to external authentication methods (e.g. PAM)
     • Result: MyProxy authenticates a user’s original long-lived password AND any session passwords
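The session-password mechanism of slides 11, 13, 15 and 17 can be modelled in a few dozen lines. The following is an added example written for this transcript, not code from the MyProxy project or from the MAEviz developers: a constructed store that keeps hashed session passwords per username, checks all of them before falling back to an external authenticator (a stand-in for PAM/SASL), expires them after a configurable lifetime, and lets a client destroy one early. The four-hour lifetime, the PBKDF2 hashing and the `pam_stub` user table are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Tuple

# The slides say session passwords "expire after a few hours"; four is an assumption.
SESSION_LIFETIME_SECONDS = 4 * 3600

# Constructed stand-in for the external (PAM-style) user database.
LONG_LIVED = {"alice": "correct horse battery"}


def pam_stub(username: str, password: str) -> bool:
    # Plays the role of the external authentication method MyProxy falls back to.
    return hmac.compare_digest(LONG_LIVED.get(username, "").encode(), password.encode())


def _digest(password: str, salt: bytes) -> bytes:
    # Session passwords are kept hashed so the store never holds them in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class SessionPasswordStore:
    """Constructed model of a MyProxy-style server that stores session passwords."""

    def __init__(self, external_authn: Callable[[str, str], bool],
                 lifetime: int = SESSION_LIFETIME_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.external_authn = external_authn
        self.lifetime = lifetime
        self.clock = clock  # injectable so expiry can be exercised without waiting
        # username -> list of (salt, digest, expires_at)
        self._entries: Dict[str, List[Tuple[bytes, bytes, float]]] = {}

    def _live_entries(self, username: str) -> List[Tuple[bytes, bytes, float]]:
        # Expired session passwords are purged on every access.
        now = self.clock()
        live = [e for e in self._entries.get(username, []) if e[2] > now]
        self._entries[username] = live
        return live

    def authenticate(self, username: str, password: str) -> bool:
        # Slide 15: every stored credential for the username is checked first ...
        for salt, digest, _expires in self._live_entries(username):
            if hmac.compare_digest(_digest(password, salt), digest):
                return True
        # ... and only then does the server fall back to external authentication.
        return self.external_authn(username, password)

    def create_session_password(self, username: str, password: str) -> str:
        # Slide 13: the client authenticates (with the long-lived password or an
        # existing session password) before a fresh P' is generated and stored.
        if not self.authenticate(username, password):
            raise PermissionError("authentication failed; no session password issued")
        p_prime = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        expires_at = self.clock() + self.lifetime
        self._live_entries(username).append((salt, _digest(p_prime, salt), expires_at))
        return p_prime

    def destroy_session_password(self, username: str, password: str) -> bool:
        # Slide 17: a client may revoke a session password before it expires.
        live = self._live_entries(username)
        for i, (salt, digest, _expires) in enumerate(live):
            if hmac.compare_digest(_digest(password, salt), digest):
                del live[i]
                return True
        return False


if __name__ == "__main__":
    fake_now = [0.0]
    store = SessionPasswordStore(pam_stub, clock=lambda: fake_now[0])
    p1 = store.create_session_password("alice", LONG_LIVED["alice"])
    print("session password accepted:", store.authenticate("alice", p1))
    fake_now[0] += SESSION_LIFETIME_SECONDS + 1
    print("accepted after expiry:", store.authenticate("alice", p1))
```

The ordering matters for the security property the slides want: a match against a stored session password never exposes the long-lived password to the external authenticator, and a session password that has expired or been destroyed is simply absent from the list, so the only way to authenticate afterwards is with the long-lived password again.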

  16. MyProxy Single Sign-On
     [Sequence diagram; only the step labels survive: (1) U/P, (2) U/P, (3) U/P Authn, (4) Cred, (5) Generate P’, (6) Put(Cred,U,P’), (6) Cred, (7) U/P’, (8) U/P’ Authn, (8) Cred / Authn OK, (8) Cred, (9) Data, (10) JNLP w/ U/P’, (11) U/P’, (12) U/P’ Authn, (12) Cred / Authn OK, (12) Cred, (13) Render Data]

  17. Security Concerns
     • JNLP File on multi-user systems
       • Downloaded to user’s local file system
       • Not deleted upon session exit
       • Might have permissive umask setting
       • Only solution is “user education”
     • Session passwords have a finite lifetime
       • Client can also explicitly destroy a session password before it expires
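The JNLP concern above is a file-permission problem on a shared host: the launch file carries the username and session password (the “JNLP w/ U/P’” step of slide 16), it lives on local disk, and a permissive umask can leave it readable by other local users. As an added example, not code from the presentation or from MAEviz, the following shows how a launcher could write such a file with a fixed private mode regardless of umask, audit a directory for JNLP files that other users can read, and delete the file itself after use. The JNLP content, its argument names and the `.invalid` codebase are constructed placeholders; the mode checks assume a POSIX filesystem.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Constructed JNLP content. The session password value is a placeholder, not a real credential.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://portal.example.invalid/maeviz/" href="maeviz.jnlp">
  <application-desc main-class="edu.example.Main">
    <argument>--user=alice</argument>
    <argument>--session-password=PLACEHOLDER_SESSION_PASSWORD</argument>
  </application-desc>
</jnlp>
"""


def write_private_file(path: str, data: bytes) -> None:
    # O_EXCL refuses to reuse a pre-existing file or symlink at the path, and the
    # 0o600 mode is an upper bound: a permissive umask can only clear bits, never add them.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def is_group_or_world_readable(path: str) -> bool:
    return bool(file_mode(path) & (stat.S_IRGRP | stat.S_IROTH))


def find_exposed_jnlp(directory: str) -> List[str]:
    # Audit helper: JNLP files in `directory` that other local users could read.
    exposed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.lower().endswith(".jnlp") and os.path.isfile(path) and is_group_or_world_readable(path):
            exposed.append(path)
    return exposed


def cleanup_jnlp(path: str) -> None:
    # The slide notes the file is not deleted on session exit; the launcher should remove it.
    os.remove(path)


def demo() -> Dict[str, object]:
    # Writes one file the safe way and one the way a 022 umask would leave it,
    # then reports what the audit finds and what remains after cleanup.
    directory = tempfile.mkdtemp()
    private = os.path.join(directory, "private.jnlp")
    leaky = os.path.join(directory, "leaky.jnlp")
    write_private_file(private, SAMPLE_JNLP)
    with open(leaky, "wb") as f:
        f.write(SAMPLE_JNLP)
    os.chmod(leaky, 0o644)  # what a permissive umask produces for an ordinary open()
    exposed = [os.path.basename(p) for p in find_exposed_jnlp(directory)]
    private_mode = file_mode(private)
    cleanup_jnlp(private)
    cleanup_jnlp(leaky)
    remaining = sorted(os.listdir(directory))
    os.rmdir(directory)
    return {"exposed": exposed, "private_mode": private_mode, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

The audit function is the part an administrator of a multi-user login host would actually run; the private-write and cleanup functions are what a launcher can do on its own, which narrows the window in which the session password sits on disk even where the user’s umask is wrong.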

  18. Conclusion
     • Enable SSO for legacy applications
     • Client creates any number of “session passwords” for a username stored on a MyProxy server
     • Session passwords are passed among clients/programs
     • Clients need only understand username/password authentication

  19. Acknowledgements
     • National Center for Supercomputing Applications (NCSA)
       • Funded by the NSF (National Science Foundation) under Grant No. SCI-0438712
     • Mid-America Earthquake (MAE) Center
       • Funded by the NSF (National Science Foundation) under Grant No. EEC-9701785
     • Additional thanks to
       • Jim Myers and Kevin Price, at NCSA