JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer.

1 JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer

2 Our Environment
- 3 Campuses / 2 Environments
- Tomcat 6.0.20
- uPortal 3.1.1
- Active Directory
- Kerberos authentication via JAAS

3 Why Active Directory?
- AD offers authentication and group management
- Many campus services use it for authentication
- Kerberos implementation is widely used

4 Why JAAS?
- Already part of Java
- Kerberos implementation is solid
- Works with our AD/Kerberos
- uPortal has some JAAS support

5 EWS / uPortal
- Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange.
- We were tasked with building a portlet to retrieve a summary of Email and Calendar items.
- Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.

6 Parameters
- Utilize existing infrastructure.
- Secure and easily managed Authentication.

7 #1 Utilize Existing Infrastructure
- Both EWS and our uPortal instance authenticate against the AD.
- EWS has a SOAP interface; Java supports SOAP web services via JAX-WS.
- Some work was already started via imap2exchange.
  – Helped w/ JAX-WS bindings
  – Utilizes BASIC authentication

8 #2 Secure, Easily Managed AuthN
- BASIC authN
- Admin user on Exchange server
- Secret keys between the portal and EWS server
- Kerberos tickets?

9 Kerberos Tickets and SPNego!
- Krb tickets are generated by Active Directory
- Opaque and unique
- SPNego (Simple and Protected GSSAPI NEGOtiation mechanism)
  – Krb over HTTP
  – Built in to EWS DNA
  – Supported by all major browsers

10 uPortal and SPNego via JAAS/GSSAPI
- OOB JAASSecurityContext
  – allows authN via JAAS
  – does not hold on to the Kerberos ticket
- Thanks to uPortal being open source
  – saw why it wasn't
  – more importantly, showed what had to happen to make it hold on to it
- Implemented our own JAASSecurityContext

11 uPortal and SPNego via JAAS/GSSAPI
- Portlets need to be able to access this attribute
  – use the portlet API (PortletRequest.getAttribute)
  – developed our own RequestAttributeService and used the portlet container spring context file to inject it into uPortal!
- Now, IPerson attributes are available to portlets without needing any additional API.

12 Using the Kerberos Ticket
- Still faced a couple of challenges
  – Generate a SPNego token
  – put it on the HTTP header of the SOAP request the right way

13 Enter JAASmine
- JAASmine was built out of frustration
  – there are FEW good resources on GSSAPI/SPNego usage in Java
  – API is under-documented and tutorials are too basic
  – JAASmine takes what we learned and makes it easy

14 JAASmine
- Lightweight wrapper for JAAS/GSSAPI
- Client code for web services that want to authenticate using SPNego tokens
- Server code for handling verification and validation of SPNego tokens

15 Success!

16 JAASmine and EWS authN
- From our portlet, we could get the Kerberos ticket
- Pass it to the JAASmine client to generate SPNego
- Next, put it on the header of the HTTP SOAP request (WWW-Authenticate)
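
The token-generation and header steps from slides 12 and 16, written directly against the JDK's JAAS/JGSS classes as an added example; this is not JAASmine's code or code from the talk. The JAAS entry name `ews-client` and the host `ews.example.edu` are hypothetical. Per RFC 4559 the client's token travels in the `Authorization: Negotiate` request header, while `WWW-Authenticate: Negotiate` is the server's challenge.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnegoClientExample {
    // SPNEGO mechanism OID (RFC 4178).
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // Builds the Authorization header value for the HTTP service on the given host.
    static String negotiateHeader(Subject subject, String host) throws Exception {
        // Run as the JAAS Subject so GSSAPI picks up its Kerberos TGT.
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName service = mgr.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(service, new Oid(SPNEGO_OID), null,
                    GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestCredDeleg(false);  // do not hand the user's TGT to the service
                ctx.requestMutualAuth(false); // one leg; server identity comes from TLS here
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
            }
        });
        return "Negotiate " + Base64.getEncoder().encodeToString(token);
    }

    public static void main(String[] args) throws Exception {
        // "ews-client" is a hypothetical JAAS entry that uses Krb5LoginModule.
        LoginContext login = new LoginContext("ews-client");
        login.login();
        try {
            URL url = new URL("https://ews.example.edu/EWS/Exchange.asmx"); // hypothetical
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestProperty("Authorization",
                    negotiateHeader(login.getSubject(), url.getHost()));
            System.out.println("HTTP " + conn.getResponseCode());
        } finally {
            login.logout(); // drop the cached credentials
        }
    }
}
```

Running it needs a reachable KDC and a JAAS configuration file supplied through `java.security.auth.login.config`.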

17 Beyond uPortal
- JAASmine server components are used for authenticating to our Kuali Rice instances (both the web app and soon the SOAP services)
- Setup is low impact
  – configure JAAS
  – configure Kerberos
  – configure a servlet filter

18 Beyond uPortal
- More web services
- Kerberos/Browser to server?
- It's possible (and ideal)…

19 References
- SPNego - http://goo.gl/ECVHs
- GSSAPI - http://goo.gl/XPLJF
- JAASmine - http://goo.gl/DM2GD
- imap2exchange - http://goo.gl/IkAZL

20 Thank You!
- Tim Carroll
- Andy Gherna

