Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improving Web Application Security by Using JA-SIG CAS © Copyright Unicon, Inc., 2006-2008. This work is the intellectual property of Unicon, Inc. Permission.

Published byGwen Blair Modified over 8 years ago

Similar presentations

Presentation on theme: "Improving Web Application Security by Using JA-SIG CAS © Copyright Unicon, Inc., 2006-2008. This work is the intellectual property of Unicon, Inc. Permission."— Presentation transcript:

1 Improving Web Application Security by Using JA-SIG CAS © Copyright Unicon, Inc., 2006-2008. This work is the intellectual property of Unicon, Inc. Permission is granted for this material to be shared for non-commercial purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Unicon, Inc. To disseminate otherwise or to republish requires written permission from Unicon, Inc. Some slides drawn from prior presentations at JA-SIG conferences. http://creativecommons.org/licenses/by-nc/2.5/ Adam Rybicki Unicon, Inc. Arlington, Virginia, May 5, 2008 Scott Battaglia Rutgers University

2 Hi. I’m Adam. V.P. of Technology at Unicon, Inc. Previously CTO at Interactive Business Solutions, Inc. (IBS)

3 Hi. I’m Scott. Application Developer/Architect @ Rutgers Committer to various open source projects

4 What is JA-SIG? Java Architectures Special Interest Group Founded in 1999 to foster collaboration among HE institutions and companies around Java applications for the enterprise Regular conferences Membership-funded Open source projects –uPortal Initially funded by an Andrew W. Mellon Foundation Named in 2003 in InfoWorld’s top 100 IT projects 2007 Educause Catalyst award winner –CAS Initially developed in 1999 at Yale University Became a JA-SIG project in 2004

5 What is CAS? CAS is enterprise single-sign-on for the web. –Free –Open source –Server implemented in Java –Clients implemented in a plethora of languages –www.ja-sig.org/products/cas/

6 Some of the people involved as the project has evolved Shawn Bayern Susan Bramhall Marc-Antoine Garrigue Howard Gilbert Dmitriy Kopylenko Arnaud Lesueur Drew Mazurek Andrew Petro Jan Van der Velpen (Velpi)

7 Many CAS deployers Appian Corporation Athabasca University Azusa Pacific University BCcampus California Polytechnic Institute California State University, Chico Campus Crusade for Christ Case Western Reserve University Columbia Employers Direct GET-INT Hong Kong University of Science and Technology Indiana Karlstad University, Sweden La Voz de Galicia, Spain Memorial University of Newfoundland Nagoya University NHMCCD Northern Arizona University Plymouth State University (used with SunGardHE Luminis) Roskilde University Rutgers, The State University of New Jersey SunGard HE Luminis Simon Fraser University (Vancouver, B.C.)Simon Fraser University Suffield Academy Tollpost Globe AS

8 … and more Universita degli Studi di Parma Universite de Bourgogne - France Universite de La Rochelle, France Universite de Pau et des Pays de l'Adour, France University of Nancy 1, France Universite Nancy 2, France Universite Pantheon Sorbonne Universiteit van Amsterdam University of Bristol, England University of California Merced University of California, Riverside University of Crete, Greece University of Delaware University of Geneva University of Hawaii University of New Mexico University of Rennes1 University of Technology, Sydney Uppsala University Valtech Virginia Tech Yale University And likely more not well- enumerated…

9 CAS and Commercial CAS is embedded in at least two commercial products CAS support is baked into at least one hardware platform (a wireless Internet vending appliance) Commercial entities use CAS as their SSO

10 Multi-sign-on for the Web

11 At least with one username/password? LDAP

12 All applications touch passwords LDAP

13 Any compromise leaks primary credentials LDAP

14 Adversary then can run wild LDAP

15 What to do about this? What if there were only one login form, only one application trusted to touch primary credentials?

16 Delete your login forms.

17 CAS in a nutshell Browser Web application Authenticates without sending password Authenticates via password (once) Determines validity of user’s claimed authentication

18 How CAS works Web application CAS Web browser S TGC ST S NetID

19 LDAP Webapps no longer touch passwords CAS

20 LDAP Adversary compromises only single apps CAS

21 What about portals? Need to go get interesting content from different systems.

22 Password replay Portal Channel Password- protected service Password- protected service Password- protected service PW PW PW PW PW PW PW PW PW PW PW

23 Look ma, no password! Without a password to replay, how am I going to authenticate my portal to other applications?

24 CAS 2.0: Proxy CAS Web application CAS Web browser S TGC ST S NetID PGTURL PGTIOU PGT https listener

25 CAS 2.0: Proxy CAS Web application CAS Web browser Back-end application SPGT PT S NetID PGTURL Data

26 Proxiable credentials illustrated IMP CAS SST IMAP server CAS PAM module PGT PT -Username -Identity of web resource

27 Provided authentication handlers LDAP –Fast bind –Search and bind Active Directory –LDAP –Kerberos (JAAS) JAAS JDBC RADIUS SPNEGO Trusted X.509 certificates Writing a custom authentication handler is easy

28 Today CAS is not only for authentication Return attributes of logged on users Adding support for standards –OpenID –SAML Single Sign-Out Support for clustering –Implements distributed ticket registry –Requires session replication –Must guarantee cross-server ticket uniqueness Services management (white listing) Remember me

29 Short Term Goals RESTful API Service Registration Page Service Priority InfoCard Support LDAP implementation of Service Registry Auditing, Logging etc. More Internationalization Bug Fixes, etc.!

30 Long Term Goals Re-architecture to support emerging use cases –Account Management integration –Password Expiration Policies/Password Change Integration –SAML, OAuth, OpenID2, etc. –Levels of Assurance / Multifactor authentication / second- level Better online/realtime administration –Installer/configurer –Information about CAS server (open SSO sessions, etc.) Hardening/Anti-phishing

31 Adam Rybicki arybicki@unicon.net www.unicon.net Questions? Scott Battaglia scott_battaglia@rutgers.edu eas.rutgers.edu

Download ppt "Improving Web Application Security by Using JA-SIG CAS © Copyright Unicon, Inc., 2006-2008. This work is the intellectual property of Unicon, Inc. Permission."

Similar presentations

Open-source Single Sign-On with CAS (Central Authentication Service)

Open-source Single Sign-On with CAS (Central Authentication Service)
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.

Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.
Central Authentication Service Roadmap JA-SIG Winter 2004.

Central Authentication Service Roadmap JA-SIG Winter 2004.
WebISO PanelEducause SAC 2003 1 Implementing Single Sign On Technologies for Campus Portals Panel Nathan Dors, Project Lead Security/Middleware Unit Univ.

WebISO PanelEducause SAC Implementing Single Sign On Technologies for Campus Portals Panel Nathan Dors, Project Lead Security/Middleware Unit Univ.
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.

Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.
Copyright Dave Steiner and Jeremy Rosenberg 2010. This work is the intellectual property of the authors. Permission is granted for this material to be.

Copyright Dave Steiner and Jeremy Rosenberg This work is the intellectual property of the authors. Permission is granted for this material to be.
EDUCAUSE Security Professionals Conference 2007 Monkey-in-the-Middle Attacks on Campus Networks Andrew J. KortySean KrulewitchIndiana University April.

EDUCAUSE Security Professionals Conference 2007 Monkey-in-the-Middle Attacks on Campus Networks Andrew J. KortySean KrulewitchIndiana University April.
Introducing JA-SIG Central Authentication Service 3.0 Scott Battaglia Rutgers, the State University of New Jersey.

Introducing JA-SIG Central Authentication Service 3.0 Scott Battaglia Rutgers, the State University of New Jersey.
XML Import & Export for uP 2 Using Cernunnos Andrew Petro & Drew Wills April 2007 uPortal Dev Meeting Johns Hopkins University © Copyright Unicon, Inc.,

XML Import & Export for uP 2 Using Cernunnos Andrew Petro & Drew Wills April 2007 uPortal Dev Meeting Johns Hopkins University © Copyright Unicon, Inc.,
What’s New in JA-SIG CAS? JA-SIG Summer Conference Denver, CO June 24 – 27, 2007.

What’s New in JA-SIG CAS? JA-SIG Summer Conference Denver, CO June 24 – 27, 2007.
UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.

UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.
Portal Anthony Colebourne Internet Services January 2006.

Portal Anthony Colebourne Internet Services January 2006.
UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.

UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.
UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.

UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.
The Homegrown Single Sign On (SSO) Project at UM – St. Louis.

The Homegrown Single Sign On (SSO) Project at UM – St. Louis.
JA-SIG CAS Enterprise Single Sign-On Scott Battaglia Application Developer Enterprise Systems & Services Rutgers, the State University of New Jersey Copyright.

JA-SIG CAS Enterprise Single Sign-On Scott Battaglia Application Developer Enterprise Systems & Services Rutgers, the State University of New Jersey Copyright.
Identity Management: The Legacy and Real Solutions Project Overview.

Identity Management: The Legacy and Real Solutions Project Overview.
Web Portal Development with uPortal or.Net Midwest Educause: March 24-26, 2003 David B. Williams Mark Troester

Web Portal Development with uPortal or.Net Midwest Educause: March 24-26, 2003 David B. Williams Mark Troester

Similar presentations

Ads by Google