JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer.

Presentation transcript:

JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer

Our Environment
3 Campuses / 2 Environments
Tomcat
uPortal
Active Directory
Kerberos authentication via JAAS

Why Active Directory?
AD offers authentication and group management
Many campus services use it for authentication
Kerberos implementation is widely used

Why JAAS?
Already part of Java
Kerberos implementation is solid
Works with our AD/Kerberos
uPortal has some JAAS support

EWS / uPortal
Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange.
We were tasked with building a portlet to retrieve a summary of and Calendar items.
Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.

Parameters
Utilize existing infrastructure.
Secure and easily managed Authentication.

#1 Utilize Existing Infrastructure
Both EWS and our uPortal instance authenticate against the AD.
EWS has a SOAP interface; Java supports SOAP web services via JAX-WS.
Some work was already started via imap2exchange.
 – Helped w/ JAX-WS bindings
 – Utilizes BASIC authentication

#2 Secure, Easily Managed AuthN
BASIC authN
Admin user on Exchange server
Secret keys between the portal and EWS server
Kerberos tickets?

Kerberos Tickets and SPNego!
Krb tickets are generated by Active Directory
Opaque and unique
SPNego (Simple and Protected GSSAPI NEGOtiation mechanism)
 – Krb over HTTP
 – Built in to EWS DNA
 – Supported by all major browsers

uPortal and SPNego via JAAS/GSSAPI
OOB JAASSecurityContext
 – allows authN via JAAS
 – does not hold on to the Kerberos ticket
Thanks to uPortal being open source
 – saw why it wasn't
 – more importantly, showed what had to happen to make it hold on to it
Implemented our own JAASSecurityContext

uPortal and SPNego via JAAS/GSSAPI
Portlets need to be able to access this attribute
 – use the portlet API (PortletRequest.getAttribute)
 – developed our own RequestAttributeService and used the portlet container spring context file to inject it into uPortal!
Now, IPerson attributes are available to portlets without needing any additional API.

Using the Kerberos Ticket
Still faced a couple of challenges
 – Generate a SPNego token
 – put it on the HTTP header of the SOAP request the right way

Enter JAASmine
JAASmine was built out of frustration
 – there are FEW good resources on GSSAPI/SPNego usage in Java
 – API is under-documented and tutorials are too basic
 – JAASmine takes what we learned and makes it easy

JAASmine
Lightweight wrapper for JAAS/GSSAPI
Client code for web services that want to authenticate using SPNego tokens
Server code for handling verification and validation of SPNego tokens

Success!

JAASmine and EWS authN
From our portlet, we could get the kerberos ticket
Pass it to the JAASmine client to generate SPNego
Next, put it on the header of the HTTP SOAP request (WWW-Authenticate)
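
The token-generation and header steps above, sketched with the JDK's own JAAS and GSS-API classes as an added example; it is not JAASmine's API or the presenters' portlet code. Under the HTTP Negotiate scheme (RFC 4559) the client's token is sent in the Authorization request header, while WWW-Authenticate carries the server's challenge. Assumptions: the Subject comes from a JAAS Kerberos login that kept its ticket, the class and method names are illustrative, and the caller supplies the service URL.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class SpnegoClientSketch {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2"; // SPNEGO mechanism

    /** Builds the Authorization header value for the given service host. */
    static String negotiateHeader(Subject user, String serviceHost) throws Exception {
        // Fail early if the login step did not keep the ticket (the gap the slides describe).
        if (user.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
            throw new IllegalStateException("Subject holds no Kerberos ticket");
        }
        PrivilegedExceptionAction<String> init = () -> {
            GSSManager manager = GSSManager.getInstance();
            // Service principal HTTP/<host>, written as a host-based GSS name.
            GSSName target = manager.createName("HTTP@" + serviceHost, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(
                    target, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestMutualAuth(true);
                ctx.requestCredDeleg(false); // do not hand the user's TGT to the service
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                return "Negotiate " + Base64.getEncoder().encodeToString(token);
            } finally {
                ctx.dispose();
            }
        };
        // Run as the user so GSS-API picks up the Subject's ticket (Subject.callAs on JDK 18+).
        return Subject.doAs(user, init);
    }

    /** Opens a SOAP POST carrying the token; serviceUrl is supplied by the caller. */
    static HttpURLConnection openAuthenticated(Subject user, URL serviceUrl) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) serviceUrl.openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("Authorization", negotiateHeader(user, serviceUrl.getHost()));
        return conn;
    }
}
```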

Beyond uPortal
JAASmine server components are used for authenticating to our Kuali Rice instances (both the web app and soon the SOAP services)
set up is low impact
 – configure JAAS
 – configure Kerberos
 – configure a servlet filter
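
What the servlet-filter step has to check before trusting a caller, as an added example built on the JDK's GSS-API classes; it is not JAASmine's server code. Assumptions: the service Subject comes from a JAAS keytab login for the HTTP service principal, the class, enum and method names are illustrative, and the sample header in main is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Base64;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

public final class NegotiateHeaderCheck {
    enum Kind { MISSING, NOT_NEGOTIATE, MALFORMED, NTLM_FALLBACK, GSS_TOKEN }

    /** Classifies an Authorization header value before any Kerberos work is done. */
    static Kind classify(String header) {
        if (header == null) return Kind.MISSING; // reply 401 with WWW-Authenticate: Negotiate
        if (!header.regionMatches(true, 0, "Negotiate ", 0, 10)) return Kind.NOT_NEGOTIATE;
        byte[] token;
        try {
            token = Base64.getDecoder().decode(header.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return Kind.MALFORMED;
        }
        // A client without a usable Kerberos ticket may send raw NTLM inside Negotiate.
        byte[] ntlm = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
        if (token.length >= 8 && Arrays.equals(Arrays.copyOf(token, 8), ntlm)) return Kind.NTLM_FALLBACK;
        // An initial GSS-API token starts with ASN.1 tag 0x60 (RFC 2743, section 3.1).
        return token.length > 0 && (token[0] & 0xff) == 0x60 ? Kind.GSS_TOKEN : Kind.MALFORMED;
    }

    /** Accepts the token as the service Subject (keytab login) and returns the caller's principal. */
    static String authenticate(Subject service, String header) throws Exception {
        Kind kind = classify(header);
        if (kind != Kind.GSS_TOKEN) throw new SecurityException("rejected header: " + kind);
        byte[] token = Base64.getDecoder().decode(header.substring(10).trim());
        PrivilegedExceptionAction<String> accept = () -> {
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            try {
                ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) throw new SecurityException("further negotiation rounds needed");
                return ctx.getSrcName().toString(); // authenticated client principal
            } finally {
                ctx.dispose();
            }
        };
        return Subject.doAs(service, accept);
    }
    public static void main(String[] args) {
        // Constructed sample: the NTLMSSP signature wrapped in a Negotiate header.
        System.out.println(classify("Negotiate TlRMTVNTUAA="));
    }
}
```

A production filter also returns the token produced by acceptSecContext in a WWW-Authenticate: Negotiate response header so the client can complete mutual authentication.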

Beyond uPortal
More web services
Kerberos/Browser to server?
It's possible (and ideal)…

References SPNego - GSSAPI - JAASmine - imap2exchange -

Thank You! Tim Carroll Andy Gherna