
Raymond K. Ng, Technical Lead - JAAS Platform Security, Oracle Corporation




3 Securing J2EE Applications with Oracle Identity Management

4 Agenda
  - Application Security Overview
  - Authentication Requirements
  - Authorization Requirements
  - J2EE Security
  - JAAS
  - Oracle Strategy

5 Application Security
  - Security is a process, not a product or feature
    – No 100% security
  - Only as secure as the weakest link
    – Go beyond firewall security
    – Implement multi-layer security
  - Considerations
    – Authentication
    – Authorization
    – Accountability/Audit
    – Secure Transport

6 Oracle 10g Security Architecture
  (diagram labels: Browser; Oracle HTTP Server with mod_ossl and mod_osso; Oracle 10g Containers for J2EE (OC4J) with JAAS; Security Infrastructure Layer: Single Sign-On, Oracle Internet Directory)

7 Authentication Requirements

8 Use The Appropriate Mechanism
  - Username and password
  - Client certificate
  - Smart Card
  - Biometrics

9 Single Sign-On (SSO)
  - Why SSO-enable your application?
    – User Convenience
    – Security
    – Cost Reduction
  - Factors to consider
    – Integration with infrastructure
    – Extensible framework

10 Oracle 10g Single Sign-On
  - Centralized authentication for web applications
  - Multiple authentication options
    – Username/password
    – Client certificates
    – 3rd party API (Biometrics, Smart Card, etc.)
  - Single Sign-Off
  - Multiple application types
  - Integrated across Oracle 10g
    – OID, OC4J/JAAS, Portal, OHS, Wireless, Workflow, UM, Ultrasearch, Personalization, Reports, Forms, Discoverer…

11 Relevant Standards
  - HTTP
  - SSL/X.509
  - J2EE
  - JAAS
  - Java Authentication SPI
  - SAML
  - WS-Security
  - Plus emerging specifications

12 Authorization Requirements

13 Choose The Right Authorization Model
  - Roll Your Own (Application-specific)
    – Maintenance
    – Administrative Cost
    – Inconsistent Authorization Policy => Insecurity
  - Understand The Relevant Standards
    – J2EE Security
    – Java 2 Security
    – JAAS
    – JACC

14 J2EE Security

15
  - Design Principles
    – Declarative security model
      · Decouple security logic from application logic
      · Write once, run anywhere (WORA)
    – Leverage existing security infrastructure
  - J2EE Roles
    – Application Provider
    – Application Assembler
    – Application Deployer
    – System Administrator

16 J2EE Security: Authentication
  - Multiple Authentication Methods
    – Basic, Form, SSL client certificate, etc.
  - Declarative Security
    – Deployment descriptors: web.xml, ejb-jar.xml
  - JSR 196: Java Authentication SPI
    – J2EE 1.5
    – JAAS LoginModule integration
  - Missing
    – Single Sign-On support

17 J2EE Security: Authorization
  - Protected Resources
    – Web Resources: URL patterns
    – Enterprise Beans: Method permissions
  - "Role"-based Authorization
    – Not "Role Based Access Control (RBAC)"
    – Portability
  - JSR 115: Integration with Java2/JAAS
    – Pluggable security (authorization) provider
    – J2EE security constraints => Java2 permissions

18 JAAS: Java Authentication and Authorization Service

19 Java 2 Security
  - Key Components
    – Security Policy defines the authorization policy
    – SecurityManager/AccessController is the security monitor
  - Necessary if running any untrusted code in your JVM
  - Limitations
    – Code-based security only
    – No policy management API
    – File-based implementation doesn't scale

20 What is JAAS?
  - Principal-based security
  - Authentication
    – Pluggable Authentication Module (PAM) framework
  - Authorization
    – Extension to the Java 2 security model
  - Optional package for JDK 1.3
    – JDK 1.4 core API
  - J2EE 1.3 requirement
    – J2EE 1.4: JACC (JSR 115)
    – J2EE 1.5: Java Authentication SPI (JSR 196)
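Slides 19 and 20 contrast the Java 2 model, where the Policy decides on the origin of the code, with the JAAS extension, where it can also decide on the Principals of the authenticated Subject. The following is an added example, not code from the presentation or from Oracle's JAAS provider, showing that mechanism end to end: a custom java.security.Policy that grants an application permission only to a ProtectionDomain carrying an "auditor" role principal, and Subject.doAsPrivileged, which is what attaches the Subject's principals to the executing code's domain. The class names, the permission name and the role names are assumptions made for this example. It needs a JDK in which Policy and AccessController are still functional (JDK 8 to 23; JEP 486 disabled them in JDK 24) and compiles with deprecation warnings from JDK 17 on.

```java
// Added example (not from the presentation): principal-based authorization layered on
// the Java 2 permission model. All names here are assumptions made for this example.
import javax.security.auth.Subject;
import java.security.*;
import java.util.Set;

public class JaasAuthzDemo {

    /** The application-defined permission being checked ("read the audit report"). */
    static final class ReportPermission extends BasicPermission {
        ReportPermission(String name) { super(name); }
    }

    /** Minimal role principal, the kind a LoginModule adds to a Subject in commit(). */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal r && r.name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Policy that decides on who is running the code, not only on where the code came from.
     *  It governs only ReportPermission; every other permission falls through to "deny". */
    static final class RolePolicy extends Policy {
        @Override public boolean implies(ProtectionDomain domain, Permission perm) {
            if (!(perm instanceof ReportPermission) || domain.getPrincipals() == null) return false;
            for (Principal p : domain.getPrincipals())
                if (p instanceof RolePrincipal r && r.getName().equals("auditor")) return true;
            return false;
        }
        @Override public PermissionCollection getPermissions(CodeSource cs) { return new Permissions(); }
        @Override public void refresh() {}
    }

    /** Runs the permission check as the given Subject; true when the policy grants access. */
    static boolean mayReadReport(Subject subject) {
        PrivilegedAction<Boolean> check = () -> {
            try {
                // The domains on the stack now carry the Subject's principals, so the
                // policy sees the role and not just the code source of this class.
                AccessController.checkPermission(new ReportPermission("audit.report"));
                return true;
            } catch (AccessControlException denied) {
                return false;
            }
        };
        return Subject.doAsPrivileged(subject, check, null);
    }

    /** Builds a Subject holding a single role principal (constructed test data). */
    static Subject withRole(String role) {
        return new Subject(false, Set.of(new RolePrincipal(role)), Set.of(), Set.of());
    }

    public static void main(String[] args) {
        Policy.setPolicy(new RolePolicy());
        System.out.println("auditor may read report: " + mayReadReport(withRole("auditor")));
        System.out.println("clerk may read report: " + mayReadReport(withRole("clerk")));
    }
}
```

Compile and run with javac JaasAuthzDemo.java && java JaasAuthzDemo. The point the slides make is visible in RolePolicy.implies: a plain Java 2 policy file can only express grants keyed on CodeSource, whereas the JAAS extension lets the same check consult the principals the container attached after authentication; a container-managed equivalent of this is what the JACC (JSR 115) mapping from J2EE security constraints to Java 2 permissions provides.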

21 Oracle 10g JAAS Provider
  - Oracle's JAAS (Java Authentication and Authorization Service) implementation, plus extensions
  - Integrated with Oracle 10g SSO and OID
  - Default security provider for Oracle 10g Containers for J2EE

22 Oracle 10g JAAS Provider: User Manager
  (diagram: JAZNUserManager inside Oracle 10g Containers for J2EE, with two provider types: an LDAP-based provider type backed by an OID repository, and an XML-based provider type backed by a jazn-data.xml repository)

23 Oracle 10g JAAS Provider: Authentication
  - Oracle's RealmLoginModule integrated with OC4J authentication
    – Declarative model
    – Integrated with J2EE security model
    – Integrated with Realm framework for user communities
  - Support for custom JAAS LoginModules
    – Programmatic and declarative
    – Integrated with J2EE security model
  - Option to use Oracle 10g Single Sign-On (SSO)

24 Oracle 10g JAAS Provider: Authorization
  - JAAS Authorization
    – Principal (i.e. user) and code-based policies
    – Hierarchical, role-based access control (RBAC)
    – Realm framework to support multiple user communities
  - Authorization Repository
    – XML flat file
    – Oracle Internet Directory (OID)
  - 3 methods of management
    – Oracle Enterprise Manager
    – JAZN Admintool
    – Programmatic API

25 Oracle 10g JAAS Provider: What's New
  - Custom JAAS LoginModules
    – Leverage any JAAS-compliant LoginModule
    – Integration with J2EE security model
  - Performance & scalability enhancements
  - OC4J integration
    – Password hiding (data-sources.xml, oc4j-ra.xml)
  - Tool integration
    – JDeveloper / BC4J

26 Oracle 10g JAAS Provider: Future Directions
  - Support for 3rd party LDAP directories
    – Default LoginModule certified against AD and SunONE
  - JACC Provider (JSR 115)
    – Unified authorization model for managed components
  - Java Authentication SPI (JSR 196)
    – Unified authentication model for managed components
  - Portlet Integration (JSR 168)
    – J2EE/JAAS authorization model for portlets
  - Management & deployment enhancements
    – JSR 77 & 88
  - XML Services Security
  - Web Services Security

27 JAAS Up Your J2EE Apps

28 JAAS Up Your J2EE Apps: Putting the Pieces Together
  - Define your security policy
    – Enterprise policy:
      · role hierarchy
      · user->role assignment
      · permission->role assignment
    – Application-specific policy:
      · authentication method
      · authorization constraints ("security-roles")
  - Deploy your J2EE application
    – authentication method
    – authorization constraints ("security-role-mappings")
    – RunAs identity

29 JAAS Up Your J2EE Apps: SSO-enabling your J2EE Apps
  - Specify static declarative constraints
    – in web.xml or ejb-jar.xml
  - Deploy your J2EE applications
    – specify JAZN-LDAP UserManager
    – security-role mappings
      · OID realms, users and groups
  - Specify authentication method as SSO
    – in orion-web.xml:

30 JAAS Up Your J2EE Apps: Custom LoginModule Integration
  - Develop, package & deploy your application as usual
  - Package & deploy your custom LoginModule
    – As an independent JAR or as part of your application
  - Configure your application
    – Set JAZN property "role.mapping.dynamic" to "true"
    – Set application classpath as appropriate
    – Set security role mapping as appropriate
  - Register your custom LoginModule
    – Associate your custom LoginModule with your application
    – JAZN Admintool: "-addloginmodule" option
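Slide 20 introduces JAAS's pluggable LoginModule framework and slide 30 lists the steps for plugging a custom LoginModule into an application. The following is an added example, not code from the presentation or from Oracle's JAZN provider: a complete two-phase LoginModule (login verifies the password, commit adds user and role principals to the Subject, abort and logout undo it), driven through a LoginContext. Registration is done here with a programmatic javax.security.auth.login.Configuration standing in for the JAZN Admintool "-addloginmodule" step; the class names, the application name "SampleApp" and the sample account are assumptions made for this example. It needs Java 16 or later.

```java
// Added example (not from the presentation or Oracle's JAZN provider): a custom JAAS
// LoginModule registered through a programmatic Configuration. Names are assumptions.
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.*;
import java.util.*;

public class JaasLoginDemo {

    /** Principal carrying a user name or a role name. */
    static final class NamedPrincipal implements Principal {
        final String type, name;
        NamedPrincipal(String type, String name) { this.type = type; this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof NamedPrincipal p && p.type.equals(type) && p.name.equals(name); }
        @Override public int hashCode() { return Objects.hash(type, name); }
        @Override public String toString() { return type + ":" + name; }
    }

    /** Constructed sample credential store (salt, PBKDF2 hash, roles); a real deployment
     *  would read this from OID or jazn-data.xml instead. */
    record Account(byte[] salt, byte[] hash, List<String> roles) {}
    static final Map<String, Account> ACCOUNTS = Map.of("alice", account("alice-demo-pw", "hr_manager", "employee"));

    static Account account(String password, String... roles) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Account(salt, pbkdf2(password.toCharArray(), salt), List.of(roles));
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** Two-phase LoginModule: login() verifies the password, commit() populates the Subject. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private Account account; private String user;
        private final List<Principal> added = new ArrayList<>();

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[]{nc, pc}); }
            catch (java.io.IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            String name = nc.getName() == null ? "" : nc.getName();
            char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
            Account a = ACCOUNTS.get(name);
            // Hash even for unknown users and compare in constant time, so timing does not
            // reveal whether the account exists or how much of the hash matched.
            byte[] probe = pbkdf2(pw, a == null ? new byte[16] : a.salt());
            pc.clearPassword(); Arrays.fill(pw, '\0');
            if (a == null || !MessageDigest.isEqual(probe, a.hash()))
                throw new FailedLoginException("authentication failed");
            account = a; user = name;
            return true;
        }
        public boolean commit() {
            if (account == null) return false;          // login phase failed: add nothing
            added.add(new NamedPrincipal("user", user));
            account.roles().forEach(r -> added.add(new NamedPrincipal("role", r)));
            subject.getPrincipals().addAll(added);
            return true;
        }
        public boolean abort() { account = null; added.clear(); return true; }
        public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
    }

    /** Programmatic stand-in for a login-config entry naming the module for "SampleApp". */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
            if (!"SampleApp".equals(app)) return null;
            return new AppConfigurationEntry[]{ new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };

    /** Authenticates one user and returns the populated Subject, or throws LoginException. */
    static Subject authenticate(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(user);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("SampleApp", new Subject(), handler, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(authenticate("alice", "alice-demo-pw".toCharArray()));
        try { authenticate("alice", "wrong".toCharArray()); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run with javac JaasLoginDemo.java && java JaasLoginDemo. The first call prints the Subject with its user and role principals; the second shows the LoginContext calling abort() and surfacing the FailedLoginException. The role principals that commit() places in the Subject are the material a container's security-role mapping works from, which is why slide 30 pairs the custom module with a role-mapping setting rather than leaving authorization to the module itself.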

31 JAAS Up Your J2EE Apps: Tips & Tricks
  - JAZN-LDAP
    – User/group management delegated to DAS
    – Grant RMIPermission to users accessing EJBs
  - JAZN-LDAP Cache
    – Tuning parameters: "ldap.cache.*"
  - Identity Management Realm
    – SSO integration
  - External Synchronization
    – Performance vs. ease of development
  - Public Group
    – Authentication only

32 Oracle Strategy

33 Distributed Systems Security Reference Architecture
  (diagram labels: Users; Protected Resources; Authentication; Application Authorization; Privacy; Audit; Application Security Services; Identity & Profile Assertion Services; Policy Decision Services; Identity & Policy Store; Administration & Provisioning; Identity Management Infrastructure)

34 Oracle 10g Security Solution
  - Oracle Identity Management infrastructure for the enterprise
  - Platform security enabled by Oracle Identity Management
  - Platform components with high security assurance

35 Oracle Security Architecture
  (diagram labels: Oracle Identity Management: Oracle Internet Directory, OracleAS Certificate Authority, Directory Integration & Provisioning, OracleAS Single Sign-on, Delegated Administration Services; Access Management, Directory Services, Provisioning Services, External Security Services; Oracle 10g Platform Security Bindings and Application Component Security: OracleAS 10g (JAAS, WS Security, Java2 Permissions…), Oracle 10g Database (Enterprise users, VPD, Encryption, Label Security), Oracle E-Business Suite (Responsibilities, Roles…), Oracle Collaboration Suite (Secure Mail, Interpersonal Rights…), OracleAS Portal & Wireless (Roles, Privilege Groups…); Enterprise Security Infrastructure)

36 Oracle Identity Management Benefits
  - Enables deployment of all Oracle products out of the box
    – AS, DB, OCS, eBiz
  - An enterprise infrastructure that leverages Oracle's "unbreakable" technology
    – Reliability, scalability, security, performance
  - A single point of integration for customers' existing identity management solutions
    – Transparent 3rd party integration for OIM-enabled products
  - Accommodates a wide variety of partner solutions and customer deployments
    – Open, standards-based infrastructure enables integration

37 What's Next
  - Implementing Identity Management at Lawrence Livermore National Labs
    – ID: 40287
    – Presenter: Tony Macedo, Computer Scientist, LLNL
    – Date: Thursday, 9/11
    – Time: 3:15 - 4:15
    – Location: Moscone Center room 120

38 Q & A: Questions & Answers
