WEB DEVELOPMENT



Securing Web Applications with OpenAM

As software developers, we seek to design software that gets people’s attention. Software that meets the needs of the user, performs well, and pleases the eye is sure to get users’ attention. The security model of an application, on the other hand, gets very little attention from the average user - that is until something goes wrong. One serious security breach could permanently blacklist an application or even a developer in the eyes of the users affected by that breach.

You’ll learn:
• How OpenAM can secure web applications and how to set up OpenAM in a development environment.

You should know:
• Should have a clear understanding of how web applications work.
• For the tutorial, some experience with Linux and the Linux command line will be helpful.




Good software design dictates that security be taken into account throughout the requirements-gathering process and the actual build. Unfortunately, security considerations are often an afterthought in software design, again because developers are often so focused on functionality, performance and looks that security ends up taking a backseat. Even if you as a developer give careful consideration to security in all your applications, you may end up “inheriting” an application with a weak security model.

Authentication and Authorization
Security in web applications is a very broad topic. Let’s narrow it down by talking about two major security considerations - authentication and authorization. Authentication is about verifying that the user is who they say they are. For example I may enter my username and password to identify myself to an application. Depending on the circumstances, I may have to answer some personal questions or I may be prompted to install a certificate in my web browser’s store.
Once an application “knows” who the user is, it can move onto the authorization phase, which is deciding whether to fulfill or deny a particular request (i.e. to access a resource, take a certain action, etc.) on behalf of that particular user. For example, user “pmorris” may be authorized to view resource “x” but may not be authorized to edit resource “x”.

Will it scale?
In some cases a web application may handle authentication and authorization very well but the solution may not be scalable. For example, an application server may store session state for each user and expect the user to send a session cookie with each request. This is a very common approach and honestly works well for most one-off applications. But what happens when one of our applications needs to connect (on behalf of the user) to some service we’ve written? Let’s say the service runs on a second server and also requires authentication. The session cookie means nothing to that second server, so will we force the user to pass in credentials again? Or will the developer compromise and hard code some credentials in the application for making the call to the external service?
Or what if the developer simply wants to distribute a large application across multiple servers for performance but doesn’t want the user to have to log in more than once? Each of those servers would need to “know” about the user’s session.

HTTP Authentication
Up until this point we have talked about users being provisioned a session and that session being tracked by some stateful server. But it should be noted that we could build our web applications such that their servers could be essentially stateless. In other words each request would be made in isolation. In such a case the user would have to be authenticated and authorized for each and every request. Some may frown upon such a design but a stateless design is inherently scalable. Take a look at how well the World Wide Web has scaled over the past 20

34                                                                                                                       5/2011
years. This is due in large measure to its stateless design. Most calls that happen over HTTP are in isolation, although it has to be admitted that most requests made over HTTP do not need to be authenticated or authorized.
HTTP as a protocol does include standards for authentication, namely Basic and Digest Authentication, both of which allow for a stateless approach. So why don’t we see more applications using Basic or Digest Authentication? In the case of Basic authentication there are inherent security weaknesses since credentials are passed over the wire in clear text. Digest Authentication is very secure however since it uses one-way hashing to obscure the credentials such that it’s impossible to extract them. It also includes policies for preventing the harvesting and replaying of hashed credentials. So why don’t we see Digest Authentication more in web applications? Well for one thing it is not trivial to learn and implement the standard. But the overriding reason is that frankly HTTP authentication is just “not there yet.” A lot of it seems to have to do with the inconsistent and incomplete manner in which web browsers have implemented the Digest Authentication standard. The details on that are beyond the scope of this article (Did you notice I haven’t mentioned OpenAM once yet?), so I encourage you to read these two articles if you want to learn those details:

http://www.artima.com/weblogs/viewpost.jsp?thread=155252 and http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

So where does that leave us then? Well we’re back to a stateful server maintaining sessions for all our users and we’re back to the problems with scalability that we mentioned earlier.

OpenAM as an Authentication and Authorization Solution
Meet OpenAM. (You see? I didn’t forget the title of this article.) The “AM” stands for Access Management. OpenAM is a child project of OpenSSO (“SSO” for single sign-on), an open source product formerly sponsored by Sun Microsystems, now by Oracle. When Oracle bought out Sun they took back the latest release of OpenSSO (version 9.x) and now offer 8.x as the latest and greatest. A number of former Sun executives went on to head up a company called Forge Rock, which has taken version 9.x of OpenSSO, named it OpenAM and started to maintain and build on it (up to 9.5.x now), pledging to follow its original project roadmap from when it was under the oversight of Sun.
I see OpenAM as a solution for building security into your distributed applications from the start, as well as a way to secure that pre-existing, not-so-secure application that you may have “inherited” as a hired developer (since we know you would never build an unsecure application yourself).

Authenticating with OpenAM
So OpenAM can be our stateful server for provisioning and tracking sessions for users. It can hook into an identity repository that already exists (i.e. Microsoft Active Directory) or you could set up its “sister” application, OpenDJ (formerly OpenDS), as the user store. OpenDJ is an open source LDAP directory service also sponsored by Forge Rock. And apparently, at least some users just use a plain old relational database as the identity store. Using the identity repository to verify the identity of each user, OpenAM provisions a session and can set cookies that represent that session in the user’s browser. (I actually put together a proof of concept that eliminates the need for OpenAM to set cookies in the user’s browser.)

Authorizing with OpenAM
OpenAM can be configured with fine-grained policies that dictate which identity subjects (users and/or groups) have access to which resources and even which HTTP methods can be invoked by a particular subject against a particular resource. So in other words OpenAM can be configured to allow user “pmorris” to GET the resource at http://www.example.com/resource but not POST to that same resource (that same URL).

Scale Applications Securely with OpenAM
Let’s talk about why OpenAM scales so well. OpenAM is a Java-based application that runs within a servlet container (Apache Tomcat, Glassfish, JBoss, etc.). So OpenAM is itself a web application but it is not your web application. It partners with your web application. It has a single responsibility: to keep other applications secure. To illustrate: large office buildings with offices that handle very sensitive or secured resources often have a security team operating within the building. That team’s focus is to keep the building and everything in it secure. The other teams of people within the building don’t have to focus so much on security since there is already a team dedicated to that purpose operating within the building. The other teams are able to focus on what they do best (whatever that might be).
OpenAM as a framework operates as that security team in your infrastructure, keeping your applications secure so that your application code can focus more on things like functionality, usability and performance.
OpenAM exposes services (SOAP or REST) that can be invoked from your applications for authenticating users, checking their authorization to make a certain request, and even interacting with your identity repository to add users, to get the groups a user belongs to, etc. For the proof of concept I spoke of earlier I set up very simple filters in front of a RESTful service to perform authentication and authorization before allowing access to the service itself. Can you see how such an approach can scale to practically any size? As long as you have the session token representing the session, you can call OpenAM’s services from anywhere (even outside your own domain) to authenticate and authorize a request.
The OpenAM framework not only includes the central application itself but also a family of policy agents that can be deployed to remote application servers or web servers to “police” said servers and all the applications running on them. There are policy agents for J2EE servlet containers and web servers (i.e. Apache and IIS). A policy agent is like a remote “security officer” that intercepts all requests coming in to the server (J2EE container, web server) and consults with the “chief security officer”, the OpenAM application itself, to determine if the request should be fulfilled or denied.

Figure 1. OpenDJ Server Settings
Figure 2. OpenDJ Topology Options
Figure 3. OpenDJ Directory Data
Figure 4. OpenDJ Runtime Options
Figure 5. OpenAM General
Figure 6. OpenAM Server Settings
Figure 7. OpenAM Configuration Store
Figure 8. OpenAM User Store

en.sdjournal.org 35

Take OpenAM for a Test Drive
So if you’re like me you like getting your hands on a technology so you can evaluate it yourself. Following is a step-by-step tutorial on how to set up OpenAM with OpenDJ as a user repository. All the prerequisites for our tutorial, from the OS (Ubuntu 10.04), to the servlet container (Apache Tomcat 7.0), to the two applications themselves, are open source (i.e. free!) so you’ve got no reason not to jump right in! Let’s get started.

Set up Ubuntu
Download Ubuntu 10.04 LTS from http://releases.ubuntu.com/lucid/ubuntu-10.04.2-desktop-i386.iso
If you’re setting up Ubuntu as a virtual machine be sure and up the RAM to at least 1024MB.
Walk through the installation process normally.
Once logged in go to System -> Administration -> Users and Groups and change the user you created to an Administrator.




If running on VMware Fusion follow this documentation to install VMware Tools: https://help.ubuntu.com/community/VMware/Tools
Reboot.

Figure 9. OpenAM Site Configuration
Figure 10. OpenAM Agent Information
Figure 11. OpenAM Subjects
Figure 12. OpenDJ Control Panel
Figure 13. OpenDJ Manage Entries
Figure 14. OpenDJ New User
Figure 15. OpenAM New User
Figure 16. OpenAM REST Authentication Response
Figure 17. OpenAM REST Validate Token Response
Figure 18. OpenAM Identity Subject 1
Figure 19. OpenAM Identity Subject 2
Figure 20. OpenAM URL Policy 1
Figure 21. OpenAM URL Policy 2
Figure 22. OpenAM URL Policy 3

Install Java
While an OpenJDK package is available out-of-the-box with 10.04, the Sun JDK is not, and that’s the one we want. So open a terminal window and run the following commands first:

sudo add-apt-repository "deb http://archive.canonical.com/ lucid partner"
sudo apt-get update

Then install the Sun JDK:

sudo apt-get install sun-java6-jdk

Install Tomcat
We need a fully qualified domain name (FQDN) when we install OpenAM (i.e. localhost will not work for configuration) so we need to add an entry to the hosts file.
Run the following command to edit the file:

sudo nano /etc/hosts

I added this line:

127.0.0.1 devbox.apius.org

Be sure and exit (Command + x on the Mac), and save changes on the way out (“y” followed by Enter).
Download Apache Tomcat 7 by running wget with a current link address as in:

wget http://apache.ziply.com/tomcat/tomcat-7/v7.0.12/bin/apache-tomcat-7.0.12.tar.gz

Untar it with this command:

tar xzvf apache-tomcat-7.0.12.tar.gz

I decided to move it to a more standardized folder location with:

mv apache-tomcat-7.0.12 /usr/local/tomcat7

We need to set a couple of environment variables to ensure the Tomcat 7 instance uses the Sun JDK and that OpenAM will have sufficient memory to install and run. Run the following command:

sudo nano /usr/local/tomcat7/bin/setenv.sh

And add these two lines:

JAVA_HOME=/usr/lib/jvm/java-6-sun
export CATALINA_OPTS="$CATALINA_OPTS -Xms128m -Xmx1024m -XX:MaxPermSize=256m"

Next run:

sudo nano /usr/local/tomcat7/conf/tomcat-users.xml

I added what is in Listing 1 so as to access the Tomcat management console.

Listing 1. Tomcat configuration

<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx,manager-status"/>

Start Apache Tomcat with:

/usr/local/tomcat7/bin/startup.sh

Install OpenAM
Download OpenAM 9.5.2. The 9.5.x releases take advantage of Java EE 6.

wget http://www.forgerock.org/downloads/openam/snapshot9.5/openam_s952.war

Moving the war to the webapps folder of the Tomcat installation will deploy it.

sudo mv openam_s952.war /usr/local/tomcat7/webapps/openam.war

Install OpenDJ
Now download OpenDJ using:

wget http://www.forgerock.org/downloads/opendj/2.4.1/OpenDJ-2.4.1.zip

Extract it and move it into place using the following two commands:

unzip OpenDJ-2.4.1.zip
sudo mv OpenDJ-2.4.1 /usr/local/opendj

These commands should be run in order to configure the installation and open the GUI interface for final configuration settings.

sudo /usr/local/opendj/bin/create-rc-script --outputFile /etc/init.d/opendj
sudo update-rc.d opendj defaults
/etc/init.d/opendj start
cd /usr/local/opendj/
./setup

Configure OpenDJ
Choose a password for the Directory Manager (admin) account. (Figure 1 – OpenDJ Server Settings)
Select stand alone. (Figure 2 – OpenDJ Topology Options)
Just create a base DN using whatever domain you prefer. (Figure 3 – OpenDJ Directory Data)
Keep the defaults. (Figure 4 – OpenDJ Runtime Options)
Review the configuration settings and hit “Finish”. Once the installation is complete go ahead and launch the Control Panel and log in to “Local Server” using the Directory Manager password you entered during setup. Go ahead and minimize the Control Panel and let’s configure OpenAM.

Configure OpenAM with OpenDJ as user store
http://devbox.apius.org:8080/openam will open the web configurator.
Enter a password of at least 8 characters. (Figure 5 – OpenAM General)
Note the following use of that FQDN we added to our hosts file earlier. (Figure 6 – OpenAM Server Settings)
We’ll use OpenAM’s embedded optimized OpenDS application to store configuration settings. (Figure 7 – OpenAM Configuration Store)
Select OpenDS (the predecessor of OpenDJ) as the user store and make sure the Directory Name is correct. It should automatically grab the first host name that the loopback address (127.0.0.1) resolves to. Enter the Directory Manager’s password that you set at installation. (Figure 8 – OpenAM User Store)
This is a development environment so we won’t worry about load balancing. (Figure 9 – OpenAM Site Configuration)
Choose another password 8 characters or longer. (Figure 10 – OpenAM Agent Information)
In the final screen, verify your configuration and press the Create Configuration button.

Add User
Log in to OpenAM using amadmin as a username and the password you entered in Step 1 of the setup.
We’re going to test the authentication interface using OpenAM’s REST services but first we’ll create a user account. A user account can be created using one of the REST services or from the OpenAM console itself, but to illustrate the relationship between OpenAM and the underlying user data store, OpenDJ, we’ll add the user from the OpenDJ control panel.
“Access Control” tab -> “(Top Level Realm)” -> “Subjects” tab. I see two users, namely “amadmin” and “anonymous”. (Figure 11 – OpenAM Subjects)
Again, we could add a new user from here but let’s do it from OpenDJ.
If the Control Panel is still minimized go ahead and pull it up; if it’s not running, run this command:

/usr/local/opendj/bin/control-panel

(Figure 12 – OpenDJ Control Panel)
Select “Manage Entries” from the left menu.
Right click on “people” and select “New User”. (Figure 13 – OpenDJ Manage Entries)
Be sure and change the “Naming Attribute” to “uid”. Click OK and look for the Entry Created message. (Figure 14 – OpenDJ New User)
Now go back to the OpenAM console and refresh the page. You should see the new user you created in the OpenDJ repository. (Figure 15 – OpenAM New User)

Test OpenAM Authentication Service
Let’s run a quick and simple test using the REST authentication service in OpenAM to create a session. Enter the following into your web browser’s address bar. Adjust the URL and the parameter values based on your settings:

http://devbox.apius.org:8080/openam/identity/authenticate?username=pmorris&password=pmorrispmorris

This action requests OpenAM to create a session for the specified user and once created a token representing that session is passed back to the caller.




(Figure 16 - OpenAM REST Authentication Response)
One note though: What I did above I did only to expedite the tutorial. In reality this is a poor practice. Why? Since I used a browser’s address bar to make this call we know that the HTTP method was a GET. Obviously this will work but in a real world implementation it’s a bad idea. For one thing, with a GET request the password parameter value will be written to server logs, and for another this practice breaks RESTful constraints. HTTP as a standard states that GET should have no side effects. Creating a session is definitely a side effect (a desirable side effect but a side effect nonetheless). So in production it’s best practice to always coerce this call to a POST.
Now let’s test the authentication service using the token value as a parameter. Copy the token value from the response page and paste it into another call like so:

http://devbox.apius.org:8080/openam/identity/isTokenValid?token=AQIC5wM2LY4SfcxmYwlY5mX1vtaiGhw8cJd8TGJYHv6ar4M.*AAJTSQACMDE.*

You should get back the following response. (Figure 17 - OpenAM REST Validate Token Response)

Test OpenAM Authorization Service
Now let’s create a URL policy and test out the authorization feature. Go to the “Access Control” tab -> “(Top Level Realm)” -> “Policies” tab. Click on “New Policy”. I’m calling mine “Hello World Policy”. We need to assign this policy to the user we created so scroll down and click on “New” in the “Subjects” section.
Let’s make this a specific subject, not just any authenticated user. Click “Next”. (Figure 18 - OpenAM Identity Subject 1)
Next, we’ll give the Identity Subject a name and in our case search for our user using the “User” filter and “Add” the user (in my case “pmorris”) to the Identity Subject and click “Finish” and “OK” in the next screen. (Figure 19 - OpenAM Identity Subject 2)
Keep in mind that we would probably not do this in real life – that is, assign a single user to an Identity Subject. More likely we would create a group, add pmorris to that group and then add the group to the Identity Subject. But again, to expedite the tutorial we’ll do it this way.

Figure 23. OpenAM REST Authorization Response




You should be back out at the policy listing now. (Figure 20 - OpenAM URL Policy 1)
Under “Rules” click on “New” and make sure the setting is “URL Policy Agent”. Then click “Next”. (Figure 21 - OpenAM URL Policy 2)
Name the new URL Policy Agent and assign it to a particular URL. In our case “hello-world”. Don’t worry if that resource doesn’t actually exist on the server. Note that I am allowing the Hello World Identity Subject to GET the resource but not POST to it. Click “Finish”.
NOTE: By default, OpenAM allows for control over GET and POST actions on resources, but does not offer options for the other HTTP methods like PUT and DELETE. Thanks to http://blogs.sun.com/docteger/entry/enabling_put_and_delete_actions I was able to find and successfully modify the two files that provide the options for this configuration view within the OpenAM console, namely amWebAgent.xml and amWebAgent.properties. Both are found under /WEB-INF/classes of the OpenAM web application that we’re going to deploy. For each method you wish to add, simply create the desired AttributeSchema elements in the XML file with their nested tags and add the name-value pairs to the properties file. It’s simply a matter of repeating the pattern of the GET and POST actions that are already accounted for in each of the files. (Figure 22 - OpenAM URL Policy 3)
We’ve now told OpenAM that this policy with its rule applies to the indicated Identity Subject.
Let’s get a fresh session token now. Once again follow the pattern below and copy the response token value to your clipboard:

http://devbox.apius.org:8080/openam/identity/authenticate?username=pmorris&password=pmorrispmorris

Let’s use the authorization service to check for access rights. Enter a URL following the pattern below, again adjusting the path and parameters to your configuration:

http://devbox.apius.org:8080/openam/identity/authorize?uri=hello-world&action=GET&subjectid=AQIC5wM2LY4SfcwUIYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACMDE.*

The “uri” parameter is the resource for which we are checking user authorization, the “action” is the HTTP method, and the “subjectid” is the token value representing pmorris’s active session. We set the policy to allow pmorris to GET this resource so we expect a “true” response when we inquire regarding authori-

http://devbox.apius.org:8080/openam/identity/authorize?uri=hello-world&action=POST&subjectid=AQIC5wM2LY4SfcwUIYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACMDE.*

I won’t add another screen shot because the only change you see is that the response now reads “boolean=false”, which is precisely what we expect based on the URL Policy Agent we configured earlier.

Conclusion
OpenAM is a mature application and, as such, feature-rich. There’s full support for OAuth, which is widely used in social networking sites. Identity federation is also an important part of OpenAM services. Federation refers to storing an identity across multiple identity management systems or multiple organizations so that disparate systems can establish a circle of trust for authenticating a user. In other words, if I log in at Company X’s web application and am redirected to Company Y’s web application, Company Y considers me authenticated to their application based on the trust relationship between the two systems. A framework for logging and monitoring is included to satisfy stringent auditing requirements in some enterprises. As already mentioned, for many small, one-off applications OpenAM would probably be overkill. But it’s a viable candidate for distributed architectures and use cases of disparate applications needing to interface with one another and share a common authentication and authorization scheme.
OpenAM is open source so the only up-front commitment to adoption is time to get over the learning curve. I hope this article and the accompanying tutorial have given you a boost if you are interested in learning this technology. Although OpenAM and OpenDJ are open source, Forge Rock offers support for everything from proof of concept engagements to robust 24 hours a day by 7 days a week by 2 hour response time support contracts.
If you think OpenAM might end up in your toolbox, check out these additional resources for learning:
• Glassfish Security by Masoud Kalali – Chapter 7, https://www.packtpub.com/glassish-security-with-java-ee/book
• Doc Teger’s blog, http://blogs.sun.com/doceger
• Forge Rock’s site, https://wikis.forgerockorg/confluence/display/openam/OpenAM+Documentation
• New book about OpenAM, https://www.packtpub.com/openam-snaphot-9-for-securing-your-web-applications/book

PAUL MORRIS
Paul is a Java and ActionScript developer in the Chicago area. He collaborates with a distributed team of developers in the United
zation. (Figure 23 - OpenAM REST Authorization Re-             States and Canada.
sponse)                                                        Contact to the author (paul@quietbus.com,
   Now let’s try this same request but change the “ac-         http://paulmorris.drupalgardens.com/)
tion” parameter to POST as in:


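The authenticate and authorize calls in the tutorial above are the whole of the exchange between an application and OpenAM’s legacy identity REST services, so here is a small Python client for them (authenticate, isTokenValid, authorize) with a constructed fake OpenAM behind it so that it runs offline. This is an added example, not code from the article or from the OpenAM project. It assumes the 9.5-era response bodies of the form token.id=<token> and boolean=true|false; the FakeOpenAM class, its policy (pmorris may GET hello-world and nothing else, mirroring the tutorial’s Hello World Policy), its access log and its token format are all assumptions made for this example. It also does what the article recommends for production rather than what the browser address bar does: the credentials travel in a POST body, and the fake’s access log lets you confirm the password never lands in a query string.

```python
"""Added example: client for OpenAM 9.5's legacy identity REST services
(authenticate, isTokenValid, authorize) plus a constructed fake OpenAM so the
example runs offline.  Not code from the article or from the OpenAM project.
Assumed: the services answer with 'token.id=<token>' and 'boolean=true|false'
bodies, as the 9.x REST interface did."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OPENAM_BASE = "http://devbox.apius.org:8080/openam"  # host/port used in the article's tutorial


def _parse_kv(text):
    """Parse OpenAM's 'key=value' line responses into a dict (assumed format)."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


class OpenAMClient:
    """transport(method, url, body) -> (status, text); injectable so it runs offline."""

    def __init__(self, base_url, transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def authenticate(self, username, password):
        # POST with the credentials in the body, not the query string, so the
        # password does not end up in the container's access log (the article's caveat).
        body = urlencode({"username": username, "password": password})
        status, text = self.transport("POST", f"{self.base_url}/identity/authenticate", body)
        return _parse_kv(text).get("token.id") if status == 200 else None

    def is_token_valid(self, token):
        url = f"{self.base_url}/identity/isTokenValid?" + urlencode({"token": token})
        status, text = self.transport("GET", url, None)
        return status == 200 and _parse_kv(text).get("boolean") == "true"

    def authorize(self, token, uri, action):
        # Fail closed: anything other than an explicit 'boolean=true' is a deny.
        url = f"{self.base_url}/identity/authorize?" + urlencode(
            {"uri": uri, "action": action, "subjectid": token})
        status, text = self.transport("GET", url, None)
        return status == 200 and _parse_kv(text).get("boolean") == "true"


class FakeOpenAM:
    """Constructed stand-in for OpenAM encoding the tutorial's Hello World Policy:
    pmorris may GET hello-world and nothing else.  Records one access-log line per
    request the way a servlet container would (method, path and query string)."""

    USERS = {"pmorris": "pmorrispmorris"}            # the user created in the tutorial
    POLICY = {("hello-world", "GET"): {"pmorris"}}   # (uri, action) -> allowed users

    def __init__(self):
        self.sessions = {}    # token -> username
        self.access_log = []  # constructed log lines, query string only (never the body)

    def __call__(self, method, url, body):
        parsed = urlparse(url)
        self.access_log.append(f"{method} {parsed.path}?{parsed.query}")
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        if body:
            params.update({k: v[0] for k, v in parse_qs(body).items()})
        if parsed.path.endswith("/identity/authenticate"):
            user = params.get("username")
            if user is None or self.USERS.get(user) != params.get("password"):
                return 401, "error"
            token = secrets.token_urlsafe(32)  # constructed token, not OpenAM's own format
            self.sessions[token] = user
            return 200, f"token.id={token}\n"
        if parsed.path.endswith("/identity/isTokenValid"):
            valid = params.get("token") in self.sessions
            return 200, f"boolean={'true' if valid else 'false'}\n"
        if parsed.path.endswith("/identity/authorize"):
            user = self.sessions.get(params.get("subjectid"))
            allowed = user in self.POLICY.get((params.get("uri"), params.get("action")), set())
            return 200, f"boolean={'true' if allowed else 'false'}\n"
        return 404, ""


def run_tutorial_checks():
    """Replay the article's sequence: authenticate, validate the token, then check
    GET and POST on hello-world, plus the failure cases a practitioner would test."""
    server = FakeOpenAM()
    client = OpenAMClient(OPENAM_BASE, server)
    token = client.authenticate("pmorris", "pmorrispmorris")
    return {
        "got_token": token is not None,
        "token_valid": client.is_token_valid(token),
        "get_allowed": client.authorize(token, "hello-world", "GET"),
        "post_allowed": client.authorize(token, "hello-world", "POST"),
        "bogus_token_allowed": client.authorize("not-a-session", "hello-world", "GET"),
        "bad_password_token": client.authenticate("pmorris", "wrong"),
        "password_in_log": any("pmorrispmorris" in line for line in server.access_log),
    }


if __name__ == "__main__":
    for name, value in run_tutorial_checks().items():
        print(f"{name}: {value}")
```

Run it directly to print the outcome of each check; against a real deployment you would replace FakeOpenAM with a transport that performs the HTTP request to your OpenAM host and keep the client unchanged. Two design choices worth keeping: authorize treats anything other than an explicit boolean=true as a deny, so a network error or an unexpected body fails closed, and the password only ever appears in a request body, which is why the constructed access log never contains it.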

Securing web applications

  • 1. WEB DEVELOPMENT Securing Web Applications with OpenAM As software developers, we seek to design software that gets people’s attention. Software that meets the needs of the user, performs well, and pleases the eye is sure to get users’ attention. The security model of an application, on the other hand, gets very little attention from the average user - that is until something goes wrong. One serious security breach could permanently blacklist an application or even a developer in the eyes of the users affected by that breach. You’ll learn: You should know: • How OpenAM can secure web applications and how to • Should have a clear understanding of how web appli- set up OpenAM in a development environment. cations work. • For the tutorial, some experience with Linux and the Li- nux command line will be helpful. G ood software design dictates that security be ta- ken into account throughout the requirements- -gathering process and the actual build. Unfortu- be scalable. For example, an application server may store nately, security considerations are often an afterthought session state for each user and expect the user to send in software design, again because developers are often a session cookie with each request. This is a very com- so focused on functionality, performance and looks that mon approach and honestly works well for most one-off security ends up taking a backseat. Even if you as a de- applications. But what happens when one of our applica- veloper give careful consideration to security in all your tions needs to connect (on behalf of the user) to some applications, you may end up “inheriting” an application service we’ve written. Let’s say the service runs on a se- with a weak security model. cond server and also requires authentication? The ses- sion cookie means nothing to that second server so will Authentication and Authorization we force the user to pass in credentials again? Or will Security in web applications is a very broad topic. 
Let’s the developer compromise and hard code some creden- narrow it down by talking about two major security con- tials in the application for making the call to the external siderations - authentication and authorization. Authen- service? tication is about verifying that the user is who they say Or what if the developer simply wants to distribute they are. For example I may enter my username and a large application across multiple servers for perfor- password to identify myself to an application. Depending mance but doesn’t want the user to have to log in more on the circumstances, I may have to answer some per- than once? Each of those servers would need to “know” sonal questions or I may be prompted to install a certifi- about the user’s session. cate in my web browser’s store. Once an application “knows” who the user is, it can HTTP Authentication move onto the authorization phase which is deciding Up until this point we have talked about users being pro- whether to fulfill or deny a particular request (i.e. to ac- visioned a session and that session being tracked by so- cess a resource, take a certain action, etc.) on behalf of me stateful server. But it should be noted that we could that particular user. For example, user “pmorris” may be build our web applications such that their servers could authorized to view resource “x” but may not be autho- be essentially stateless. In other words each request wo- rized to edit resource “x”. uld be made in isolation. In such a case the user would have to be authenticated and authorized for each and Will it scale? every request. Some may frown upon such a design but a In some cases a web application may handle authentica- stateless design is inherently scalable.Take a look at how tion and authorization very well but the solution may not well the World Wide Web has scaled over the past 20 34 5/2011
  • 2. Securing Web Applications with OpenAM years. This is due in large measure to its stateless design. So where does that leave us then? Well we’re back to Most calls that happen over HTTP are in isolation altho- a stateful server maintaining sessions for all our users ugh it has to be admitted that most requests made over and we’re back to the problems with scalability that we HTTP do not need to be authenticated or authorized. mentioned earlier. HTTP as a protocol does include standards for authen- tication, namely Basic and Digest Authentication both of OpenAM as an Authentication and which allow for a stateless approach. So why don’t we see Authorization Solution more applications using Basic or Digest Authentication? Meet OpenAM. (You see? I didn’t forget the title of this ar- In the case of Basic authentication there are inherent se- ticle.) The “AM” stands for Access Management. OpenAM curity weaknesses since credentials are passed over the is a child project of OpenSSO (“SSO” for single-sign-on), wire in clear text. Digest Authentication is very secure an open source product formerly sponsored by Sun Mi- however since it uses one-way hashing to obscure the crosystems, now by Oracle.When Oracle bought out Sun credentials such that it’s impossible to extract them. It al- they took back the latest release of OpenSSO (version so includes policies for preventing the harvesting and re- 9.x) and now offer 8.x as the latest and greatest.A number playing of hashed credentials. So why don’t we see Digest of former Sun executives went on to head up a company Authentication more in web applications? Well for one called Forge Rock, which has taken version 9.x of OpenS- thing it is not trivial to learn and implement the standard. 
SO, named it OpenAM and started to maintain and build But the overriding reason is that frankly HTTP authen- on it (up to 9.5.x now), pledging to follow its original pro- tication is just “not there yet.” A lot of it seems to have ject roadmap from when it was under the oversight of Sun. to do with the inconsistent and incomplete manner that I see OpenAM as a solution for building security into web browsers have implemented the Digest Authentica- your distributed applications from the start, as well as a tion standard. The details on that are beyond the scope way to secure that pre-existing, not-so-secure applica- of this article, (Did you notice I haven’t mentioned Ope- tion that you may have “inherited” as a hired developer nAM once yet?) so I encourage you to read these two (since we know you would never build an unsecure ap- articles if you want to learn those details: plication yourself). http://www.artima.com/weblogs/viewpost.jsp?thre- Authenticating with OpenAM ad=155252 and http://www.vsecurity.com/download/pa- So OpenAM can be our stateful server for provisioning pers/WeaningTheWebOffOfSessionCookies.pdf and tracking sessions for users. It can hook into an iden- Figure 1. OpenDJ Server Settings Figure 3. OpenDJ Directory Data Figure 2. OpenDJ Topology Options Figure 4. OpenDJ Runtime Options en.sdjournal.org 35
  • 3. WEB DEVELOPMENT tity repository that already exists (i.e. Microsoft Active Scale Applications Securely with Directory) or you could set up its “sister” application, OpenAM OpenDJ (formerly OpenDS) as the user store. OpenDJ Let’s talk about why OpenAM scales so well. OpenAM is is an open source LDAP directory service also sponso- a Java-based application that runs within a servlet conta- red by Forge Rock. And apparently, at least some users iner (Apache Tomcat, Glassfish, JBoss, etc.). So OpenAM just use a plain old relational database as the identity is itself a web application but it is not your web applica- store. Using the identity repository to verify the identity tion. It partners with your web application. It has a sin- of each user, OpenAM provisions a session and can set gle responsibility: to keep other applications secure. To cookies that represent that session in the user’s browser. illustrate: large office buildings with offices that handle (I actually put together a proof of concept that elimina- very sensitive or secured resources often have a securi- tes the need for OpenAM to set cookies in the user’s ty team operating within the building. That team’s focus browser.) is to keep the building and everything in it secure. The other teams of people within the building don’t have to Authorizing with OpenAM focus so much on security since there is already a team OpenAM can be conFigured with fine-grained poli- dedicated to that purpose operating within the building. cies that dictate which identity subjects (users and/ The other teams are able to focus on what they do best or groups) have access to which resources and even (whatever that might be). which HTTP methods can be invoked by a particu- OpenAM as a framework operates as that security lar subject against a particular resource. 
So in other team in your infrastructure, keeping your applications words OpenAM can be conFigured to allow user secure so that your application code can focus more on “pmorris” to GET the resource at http://www.exam- things like functionality, usability and performance. ple.com/resource but not POST to that same resource OpenAM exposes services (SOAP or REST) that can (that same URL). be invoked from your applications for authenticating Figure 5. OpenAM General Figure 7. OpenAM Configuration Store Figure 6. OpenAM Server Settings Figure 8. OpenAM User Store 36 5/2011
  • 4. Securing Web Applications with OpenAM users, checking their authorization to make a certain Take OpenAM for a Test Drive request, and even interacting with your identity reposi- So if you’re like me you like getting your hands on a tory to add users, to get the groups a user belongs to, technology so you can evaluate it yourself. Following etc. For the proof of concept I spoke of earlier I set up is a step-by-step tutorial on how to set up OpenAM very simple filters in front of a RESTful service to per- with OpenDJ as a user repository. All the prerequi- form authentication and authorization before allowing sites for our tutorial, from the OS (Ubuntu 10.04), to access to the service itself. Can you see how such an the servlet container (Apache Tomcat 7.0), to the two approach can scale to practically any size? As long as applications themselves, they’re all open source (i.e. you have the session token representing the session, free!) so you’ve got no reason not to jump right in! you can call OpenAM’s services from anywhere (even Let’s get started. outside your own domain) to authenticate and autho- rize a request. Set up Ubuntu The OpenAM framework not only includes the central Download Ubuntu 10.04 LTS from http://releases.ubuntu. application itself but also a family of policy agents that com/lucid/ubuntu-10.04.2-desktop-i386.iso can be deployed to remote application servers or web If you’re setting up Ubuntu as a virtual machine be servers to “police” said servers and all the applications sure and up the RAM to at least 1024MB. running on them.There are policy agents for J2EE servlet Walk through the installation process containers, and web servers (i.e. Apache and IIS). A policy normally. 
agent is like a remote “security officer” that intercepts Once logged in go to System -> Administration -> Users all requests coming in to the server (J2EE container, web and Groups and change the user you created to an Ad- server) and consults with the “chief security officer”, the ministrator. OpenAM application itself, to determine if the request should be fulfilled or denied. Figure 11. OpenAM Subjects Figure 9. OpenAM Site Configuration Figure 10. OpenAM Agent Information Figure 12. OpenDJ Control Panel en.sdjournal.org 37
  • 5. WEB DEVELOPMENT Install Java While an OpenJDK package is available out-of the-box with 10.04, the Sun JDK is not, and that’s the one we want. So open a terminal window and run the following commands first: sudo add-apt-repository „deb http://archive. canonical.com/ lucid partner” sudo apt-get update Then install the Sun JDK: sudo apt-get install sun-java6-jdk Install Tomcat We need a fully qualified domain name (FQDN) when we install OpenAM (i.e. localhost will not work for con- figuration) so we need to add an entry to the hosts file. Run the following command to edit the file: Figure 13. OpenDJ Manage Entries sudo nano /etc/hosts I added this line: 127.0.0.1 devbox.apius.org Be sure and exit (Command + x on the Mac), and save changes on the way out (“y” followed by Enter) Download Apache Tomcat 7 by running wget with a current link address as in: wget http://apache.ziply.com/tomcat/tomcat-7/v7.0.12/ bin/apache-tomcat-7.0.12.tar.gz Untar it with this command: tar xzvf apache-tomcat-7.0.12.tar.gz Figure 14. OpenDJ New User If running on VMware Fusion follow this documenta- I decided to move it to a more standardized folder lo- tion to install VMware Tools: https://help.ubuntu.com/com- cation with: munity/VMware/Tools Reboot. mv apache-tomcat-7.0.12 /usr/local/tomcat7 Figure 15. OpenAM New User 38 5/2011
  • 6. Securing Web Applications with OpenAM Figure 16. OpenAM REST Authentication Response Figure 17. OpenAM REST Validate Token Response We need to set a couple of environment variables to Install OpenAM ensure the Tomcat 7 instance uses the Sun JDK and Download OpenAM 9.5.2.The 9.5.x releases take advan- that OpenAM will have sufficient memory to install tage of Java EE 6. and run. Run the following command: sudo nano /usr/local/tomcat7/bin/setenv.sh And add these two lines: JAVA_HOME=/usr/lib/jvm/java-6-sun export CATALINA_OPTS=“$CATALINA_OPTS -Xms128m -Xmx1024m -XX:MaxPermSize=256m” Next run: sudo nano /usr/local/tomcat7/conf/tomcat-users.xml I added what is in listing 1 so as to access the Tomcat management console. Start Apache Tomcat with: /usr/local/tomcat7/bin/startup.sh Figure 18. OpenAM Identity Subject 1 en.sdjournal.org 39
  • 7. WEB DEVELOPMENT Extract it and move it into place using the following two commands: unzip OpenDJ-2.4.1.zip sudo mv OpenDJ-2.4.1 /usr/local/opendj These commands should be run in order to conFigure the installation and open the GUI interface for final con- figuration settings. sudo /usr/local/opendj/bin/create-rc-script --outputFile /etc/init.d/opendj sudo update-rc.d opendj defaults /etc/init.d/opendj start cd /usr/local/opendj/ ./setup Figure 19. OpenAM Identity Subject 2 wget http://www.forgerock.org/downloads/openam/ ConFigure OpenDJ snapshot9.5/openam_s952.war Choose a password for the Directory Manager (admin) account. (Figure 1 – OpenDJ Server Settings) Moving the war to the webapps folder of the Tomcat Select stand alone. (Figure 2 – OpenDJ Topology installation will deploy it. Options) Just create a base DN using whatever domain you pre- sudo mv openam_s952.war usr/local/tomcat7/webapps/ fer. (Figure 3 – OpenDJ Directory Data) openam.war Keep the defaults. (Figure 4 – OpenDJ Runtime Options) Install OpenDJ Review the configuration settings and hit “Finish”. Once Now download OpenDJ using: the installation is complete go ahead and launch the Con- trol Panel and log in to “Local Server” using the Directory wget http://www.forgerock.org/downloads/opendj/2.4.1/ Manager password you entered during setup. Go ahead and OpenDJ-2.4.1.zip minimize the Control Panel and let’s conFigure OpenAM. Figure 20. OpenAM URL Policy 1 40 5/2011
  • 8. Securing Web Applications with OpenAM ConFigure OpenAM with OpenDJ as user store http://devbox.apius.org:8080/openam will open the web Listing 1. Tomcat configuration configurator. <role rolename=”manager-gui”/> Enter a password of at least 8 characters. (Figure 5 – <role rolename=”manager-script”/> OpenAM General) <role rolename=”manager-jmx”/> Note the following use of that FQDN we added to our <role rolename=”manager-status”/> hosts file earlier. (Figure 6 – OpenAM Server Settings) <user username=”admin” password=”admin” We’ll use OpenAM’s embedded optimized OpenDS roles=”manager-gui,manager- application to store configuration settings. (Figure 7 – script,manager-jmx,manager- OpenAM Configuration Store status”/> Select OpenDS (the predecessor of OpenDJ) as the user store and make sure the Directory Name is cor- /usr/local/opendj/bin/control-panel rect. It should automatically grab the first host name that the loopback address (127.0.0.1) resolves to. Enter the (Figure 12 – OpenDJ Control Panel) Directory Manager’s password that you set at installa- Select “Manage Entries” from the left menu. tion. (Figure 8 – OpenAM User Store) Right click on “people” and select “New User”. (Figure This is a development environment so we won’t worry 13 – OpenDJ Manage Entries) about load balancing. (Figure 9 – OpenAM Site Configu- Be sure and change the “Naming Attribute” to “uid”. ration) Click OK and look for the Entry Created message. (Figu- Choose another password 8 characters or longer. (Fi- re 14 – OpenDJ New User) gure 10 – OpenAM Agent Information) Now go back to the OpenAM console and refresh the In the final screen, verify your configuration and press page. You should see the new user you created in the the Create Configuration button. OpenDJ repository. 
(Figure 15 – OpenAM New User) Test OpenAM Authentication Service Add User Let’s run a quick and simple test using the REST au- Log in to OpenAM using amadmin as a username and the thentication service in OpenAM to create a session. En- password you entered in Step 1 of the setup. ter the following into your web browser’s address bar. We’re going to test the authentication interface using Adjust the URL and the parameter values based on your OpenAM’s REST services but first we’ll create a user ac- settings: count. A user account can be created using one of the REST services or from the OpenAM console itself but http://devbox.apius.org:8080/openam/identity/authenticate? to illustrate the relationship between OpenAM and the username=pmorris&password=pmorrispmorris underlying user data store, OpenDJ, we’ll add the user from the OpenDJ control panel. This action requests OpenAM to create a session “Access Control” tab. -> “(Top Level Realm)” -> “Sub- for the specified user and once created a token re- jects” tab. I see two users, namely “amadmin” and “ano- presenting that session is passed back to the caller. nymous”. (Figure 11 – OpenAM Subjects) Again, we could add a new user from here but let’s do it from OpenDJ. If the Control Panel is still minimized go ahead and pull it up if it’s not running, run this command: Figure 21. OpenAM URL Policy 2 Figure 22. OpenAM URL Policy 3 en.sdjournal.org 41
(Figure 16 - OpenAM REST Authentication Response)

One note though: what I did above I did only to expedite the tutorial. In reality this is a poor practice. Why? Since I used a browser's address bar to make this call we know that the HTTP method was a GET. Obviously this will work, but in a real-world implementation it's a bad idea. For one thing, with a GET request the password parameter value will be written to server logs, and for another this practice breaks RESTful constraints. The HTTP standard states that GET should have no side effects. Creating a session is definitely a side effect (a desirable side effect, but a side effect nonetheless). So in production it's best practice to always coerce this call to a POST.

Now let's test the token validation service using the token value as a parameter. Copy the token value from the response page and paste it into another call like so:

    http://devbox.apius.org:8080/openam/identity/isTokenValid?token=AQIC5wM2LY4SfcxmYwlY5mX1vtaiGhw8cJd8TGJYHv6ar4M.*AAJTSQACMDE.*

You should get back the following response. (Figure 17 - OpenAM REST Validate Token Response)

Test OpenAM Authorization Service

Now let's create a URL policy and test out the authorization feature. Go to the "Access Control" tab -> "(Top Level Realm)" -> "Policies" tab. Click on "New Policy". I'm calling mine "Hello World Policy". We need to assign this policy to the user we created, so scroll down and click on "New" in the "Subjects" section.

Let's make this a specific subject, not just any authenticated user. Click "Next". (Figure 18 - OpenAM Identity Subject)

Next, we'll give the Identity Subject a name and, in our case, search for our user using the "User" filter, "Add" the user (in my case "pmorris") to the Identity Subject, and click "Finish" and "OK" in the next screen. (Figure 19 - OpenAM Identity Subject 2)

Keep in mind that we would probably not do this in real life – that is, assign a single user to an Identity Subject. More likely we would create a group, add pmorris to that group and then add the group to the Identity Subject. But again, to expedite the tutorial we'll do it this way.

Figure 23. OpenAM REST Authorization Response

42 5/2011
You should be back out at the policy listing now. (Figure 20 - OpenAM URL Policy 1)

Under "Rules" click on "New" and make sure the setting is "URL Policy Agent". Then click "Next". (Figure 21 - OpenAM URL Policy 2)

Name the new URL Policy Agent and assign it to a particular URL, in our case "hello-world". Don't worry if that resource doesn't actually exist on the server. Note that I am allowing the Hello World Identity Subject to GET the resource but not POST to it. Click "Finish".

NOTE: By default, OpenAM allows for control over GET and POST actions on resources, but does not offer options for the other HTTP methods like PUT and DELETE. Thanks to http://blogs.sun.com/docteger/entry/enabling_put_and_delete_actions I was able to find and successfully modify the two files that provide the options for this configuration view within the OpenAM console, namely amWebAgent.xml and amWebAgent.properties. Both are found under /WEB-INF/classes of the OpenAM web application that we're going to deploy. For each method you wish to add, simply create the desired AttributeSchema elements in the XML file with their nested tags and add the name-value pairs to the properties file. It's simply a matter of repeating the pattern of the GET and POST actions that are already accounted for in each of the files. (Figure 22 - OpenAM URL Policy 3)

We've now told OpenAM that this policy with its rule applies to the indicated Identity Subject.

Let's get a fresh session token now. Once again follow the pattern below and copy the response token value to your clipboard:

    http://devbox.apius.org:8080/openam/identity/authenticate?username=pmorris&password=pmorrispmorris

Let's use the authorization service to check for access rights. Enter a URL following the pattern below, again adjusting the path and parameters to your configuration:

    http://devbox.apius.org:8080/openam/identity/authorize?uri=hello-world&action=GET&subjectid=AQIC5wM2LY4SfcwUIYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACMDE.*

The "uri" parameter is the resource for which we are checking user authorization, the "action" is the HTTP method, and the "subjectid" is the token value representing pmorris's active session. We set the policy to allow pmorris to GET this resource, so we expect a "true" response when we inquire regarding authorization. (Figure 23 - OpenAM REST Authorization Response)

Now let's try this same request but change the "action" parameter to POST as in:

    http://devbox.apius.org:8080/openam/identity/authorize?uri=hello-world&action=POST&subjectid=AQIC5wM2LY4SfcwUIYd-YJ4_0ubuuGDJ6-_jzFrwrDrHhsg.*AAJTSQACMDE.*

I won't add another screen shot because the only change you see is that the response now reads "boolean=false", which is precisely what we expect based on the URL Policy Agent we configured earlier.

Conclusion

OpenAM is a mature application and, as such, feature-rich. There's full support for OAuth, which is widely used in social networking sites. Identity federation is also an important part of OpenAM services. Federation refers to storing an identity across multiple identity management systems or multiple organizations so that disparate systems can establish a circle of trust for authenticating a user. In other words, if I log in at Company X's web application and am redirected to Company Y's web application, Company Y considers me authenticated to their application based on the trust relationship between the two systems. A framework for logging and monitoring is included to satisfy stringent auditing requirements in some enterprises.

As already mentioned, for many small, one-off applications OpenAM would probably be overkill. But it's a viable candidate for distributed architectures and use cases of disparate applications needing to interface with one another and share a common authentication and authorization scheme. OpenAM is open source, so the only up-front commitment to adoption is time to get over the learning curve. I hope this article and the accompanying tutorial have given you a boost if you are interested in learning this technology. Although OpenAM and OpenDJ are open source, ForgeRock offers support for everything from proof-of-concept engagements to robust 24 hours a day by 7 days a week by 2 hour response time support contracts.

If you think OpenAM might end up in your toolbox, check out these additional resources for learning:

• Glassfish Security by Masoud Kalali – Chapter 7: https://www.packtpub.com/glassish-security-with-java-ee/book
• Doc Teger's blog: http://blogs.sun.com/doceger
• ForgeRock's site: https://wikis.forgerockorg/confluence/display/openam/OpenAM+Documentation
• New book about OpenAM: https://www.packtpub.com/openam-snaphot-9-for-securing-your-web-applications/book

PAUL MORRIS
Paul is a Java and ActionScript developer in the Chicago area. He collaborates with a distributed team of developers in the United States and Canada.
Contact the author: paul@quietbus.com, http://paulmorris.drupalgardens.com/
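The three REST calls used in this tutorial (authenticate, isTokenValid and authorize), as an added example that is not code from the article or from OpenAM itself. It does what the "one note" above recommends: every call is sent as a form-encoded POST so that neither the password nor the session token ends up in a URL and hence in access logs, and it parses the plain "name=value" text bodies OpenAM returns. Parameter names follow the URLs shown in the tutorial; that the endpoints accept POST is an assumption about the deployed OpenAM version. The fake transport at the bottom, the token string and the results dictionary are constructed for this example so it runs offline against the tutorial's scenario (user pmorris, a policy that allows GET but not POST on "hello-world"); swap in http_transport to talk to a real dev box.

```python
"""Client for the OpenAM legacy identity REST calls used in this tutorial.

Added example, not code from the article or from OpenAM. Sends every call as a
form-encoded POST (assumed to be accepted by the deployed OpenAM) so secrets
stay out of URLs and logs, and parses OpenAM's 'key=value' text responses.
"""
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport sends one request (method, url, body) and returns the body text.
Transport = Callable[[str, str, Optional[str]], str]


def http_transport(method: str, url: str, body: Optional[str]) -> str:
    """Real transport (urllib); use this against an actual OpenAM instance."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def parse_properties(body: str) -> Dict[str, str]:
    """Parse OpenAM's line-oriented 'key=value' responses, e.g. 'token.id=AQIC...'."""
    props: Dict[str, str] = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


class OpenAMClient:
    def __init__(self, base_url: str, transport: Transport = http_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def _post(self, path: str, params: Dict[str, str]) -> Dict[str, str]:
        # Form body rather than query string: the password and the session token
        # never appear in the URL, and the side-effecting call is not a GET.
        body = urllib.parse.urlencode(params)
        return parse_properties(self.transport("POST", self.base_url + path, body))

    def authenticate(self, username: str, password: str) -> str:
        """Create a session; returns the token OpenAM hands back as token.id."""
        props = self._post("/identity/authenticate",
                           {"username": username, "password": password})
        if "token.id" not in props:
            raise PermissionError("authentication failed: %r" % props)
        return props["token.id"]

    def is_token_valid(self, token: str) -> bool:
        props = self._post("/identity/isTokenValid", {"token": token})
        return props.get("boolean") == "true"

    def authorize(self, token: str, uri: str, action: str) -> bool:
        """Ask OpenAM whether the session may perform `action` (HTTP method) on `uri`."""
        props = self._post("/identity/authorize",
                           {"uri": uri, "action": action, "subjectid": token})
        return props.get("boolean") == "true"


# ---- constructed stand-in for the dev box so the example runs offline ----
FAKE_TOKEN = "AQICexampleTokenNotReal.*AAJTSQACMDE.*"  # constructed, not a real token
requests_seen: List[Tuple[str, str, Optional[str]]] = []


def fake_openam(method: str, url: str, body: Optional[str]) -> str:
    """Mimics the tutorial: pmorris may GET but not POST the 'hello-world' resource."""
    requests_seen.append((method, url, body))
    params = dict(urllib.parse.parse_qsl(body or ""))
    path = urllib.parse.urlparse(url).path
    if path.endswith("/identity/authenticate"):
        ok = params.get("username") == "pmorris" and params.get("password") == "pmorrispmorris"
        return "token.id=%s\n" % FAKE_TOKEN if ok else "exception.message=Invalid credentials\n"
    if path.endswith("/identity/isTokenValid"):
        return "boolean=%s\n" % str(params.get("token") == FAKE_TOKEN).lower()
    if path.endswith("/identity/authorize"):
        allowed = (params.get("subjectid") == FAKE_TOKEN
                   and params.get("uri") == "hello-world"
                   and params.get("action") == "GET")
        return "boolean=%s\n" % str(allowed).lower()
    return "exception.message=Unknown endpoint\n"


def run_tutorial_checks() -> Dict[str, object]:
    """Replays the tutorial's REST calls against the fake and reports the outcomes."""
    client = OpenAMClient("http://devbox.apius.org:8080/openam", transport=fake_openam)
    token = client.authenticate("pmorris", "pmorrispmorris")
    return {
        "token": token,
        "token_valid": client.is_token_valid(token),
        "get_allowed": client.authorize(token, "hello-world", "GET"),
        "post_allowed": client.authorize(token, "hello-world", "POST"),
        # neither the password nor the token should appear in any request URL
        "secrets_in_urls": any("pmorrispmorris" in u or token in u
                               for _m, u, _b in requests_seen),
    }


if __name__ == "__main__":
    print(run_tutorial_checks())
```

The transport is injected so the same client code runs against the fake here and against a real OpenAM with http_transport; the only behavioural difference from the browser walkthrough is that credentials and the token travel in the request body, which is what the note about GET versus POST asks for.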