SlideShare ist ein Scribd-Unternehmen logo

Anil saldhana securityassurancewithj_bosseap

Anil Saldanha
Anil Saldanha
1 von 38
Downloaden Sie, um offline zu lesen
SECURITY ASSURANCE WITH JBOSS ENTERPRISE APPLICATION PLATFORM Anil Saldhana, Lead Security Architect (JBoss), Red Hat Ray Ploski, Senior Solutions Architect, Red Hat Date: June 25, 2010
Introduction Speakers ● Anil Saldhana ● Ray Ploski
Introduction - Agenda Session ● Middleware Security – JBoss Platforms ● Secure Your Applications (Web, EJB etc) ● Security Domains ● Encrypt passwords in clear text ● Security Features ● Audit ● XACML (Access Control) ● Negotiation (Kerberos based desktop SSO for web)
Introduction - Agenda Session ● Identity Management with PicketLink ● Best Practices and Tips ● Q&A
Middleware Security – JBoss Platforms Security is critical to middleware ● Balance between features and configuration ● Features such as business access control and audit may be available as part of the stack ● No need for embedding the logic in applications ● Security Response Team ● Cross-cutting, multi-geo and round-the-clock.
Secure Your Applications Security Domain ● Central concept in security configuration for EAP. ● Defines the modules for ● Authentication ● Authorization ● Audit ● Mapping
Secure Your Applications Security Domain ● You can define globally in conf/login-config.xml ● Static configuration. No hot deployment of domains. ● You can define at deployment level using xxx-jboss- beans.xml ● Provides hot deployment of security domains
Secure Your Applications Security Domain <deployment xmlns="urn:jboss:bean-deployer:2.0"> <application-policy xmlns="urn:jboss:security-beans:1.0" name="MyDomain"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" /> </authentication> <authorization> <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/> </authorization> <mapping> <mapping-module code="org.jboss.security.mapping.providers.DeploymentRolesMappingProvider" type=”role”> </mapping-module> </mapping> </application-policy> </deployment>
Secure Your Applications How to secure your web applications? ● Define your security constraints in your web.xml ● Login Config: BASIC, FORM, CLIENT-CERT, DIGEST ● Define your security domain name in jboss-web.xml ● If you omit, it defaults to “other” ● Provide your security domain configuration in a xxx- jboss-beans.xml file ● Package them into a war file
Secure Your Applications How to secure your web services applications? ● EJB based web services are authenticated and authorized by the EJB Container. ● POJO based web services ● Configure a security domain in WEB-INF/jboss-web.xml ● Configure a WEB-INF/jboss-wsse-server.xml to declare the roles or unchecked access.
Secure Your Applications How to secure your EJB3 applications? ● Define your security annotations in your bean classes. ● @RolesAllowed, @RunAs, @PermitAll etc ● Define your security domain name in jboss.xml ● Provide your security domain configuration in a xxx- jboss-beans.xml file ● Package them into a jar file
Secure Your Applications Encrypt/Mask Passwords in Clear Text ● Do you like to see passwords in the clear? ● Facilities to encrypt/mask/hash passwords: ● Data store Passwords ● Tomcat connector Passwords ● Messaging Destination Passwords ● Microcontainer Beans Passwords
Secure Your Applications Encrypt/Mask Passwords in Clear Text ● Difference between hashing and encryption ● Hashing involves a one way treatment ● Encryption is two way but involves a key ● Masking typically uses Password based encryption
Use Cases
Security Features – Use Case 1 ● This is a large company. ● About 20,000 employees log on to their Windows Machines each day. ● The Desktop logins are governed by an Active Directory Domain Controller. ● After corp desktop login ● they access about 30 internal web applications. ● The employee information is stored in AD and divisional databases.
Security Features – Use Case 1 - Issues ● Windows Login – 1 password. ● Web Application 1 – 1 password. ● Web Application 2 – 1 password. ● .... ● Web Application 30 – 1 password. ● Web applications run by various divisions at the company, with different needs for roles.
Security Features – Use Case 1 Negotiation ● Fully supported in JBoss EAP 5.0 and beyond. ● Users log into their desktops (windows/linux) governed by a Kerberos based Domain Controller (Active Directory). ● Web applications on EAP can have seamless SSO. ● Negotiation takes care of the authentication aspect. ● Roles for the web apps can come from any silo. ● Due to JAAS login module stacking.
Security Features – Use Case 1 Negotiation
Security Features – Use Case 2 My web and ejb applications have business rules that keep changing: ● Employees cannot sell company shares during blackout period. ● Employees cannot view their manager's salary. ● Junior Traders can make trades if they are less than $1m in value. ● Web application is read only during non business hours (9am -5pm).
Security Features – Use Case 2 - Issues Many of these business rules = access control rules ● Choice is to embed the business rules in the application logic or ● Externalize the access control logic. ● Java EE Container Security for web and ejb applications uses coarse grained access control rules. ● FINE GRAINED AUTHORIZATION ● DOMAIN DRIVEN AUTHORIZATION
Security Features – Use Case 2 - Detail XACML Engine ● Oasis XACML v2.0 Compliant. ● Fully supported in JBoss EAP 5.0 and beyond. ● Provide Fine Grained Authorization Capabilities to EJB and Web Applications. ● Business Applications can also make direct use of the Engine API. ● Unlike Java EE coarse grained Role Based Access Control, XACML is fine grained attributes driven
Security Features – Use Case 2 - Detail XACML Engine
Security Features – Use Case 2 Detail XACML Access Decisions – a combination of rules on ● Subject – user, actor invoking a service ● Resource – something that needs to be protected ● Action – subject is performing on the resource (get,read,write,delete) ● Environment – date,time,ip address
Security Features – Use Case 3 Enterprise has Identity Management Needs ● Manage users, roles, groups, attributes etc. ● Support SAML, WS-Trust, OpenID, OAuth.
Security Features – Use Case 3 Detail PicketLink Identity Management ● Identity Model (IDM) ● Federated Identity Support ● SAML v2.0, WS-Trust, OpenID ● Tech Preview in JBoss EAP 5.1, SOA-P 5.0 ● IDM Module supported in JBoss EPP5
Security Features – Use Case 3 Detail PicketLink Architectures – Web Based Identity Provider
Security Features – Use Case 3 Detail PicketLink Architectures – WS-Trust Based STS
Security Features – Use Case 3 Detail PicketLink Architectures – STS for EJB Applications
Security Features – Use Case 3 Detail Levels of Assurance (NIST 800-63 Special Pub e-Auth) ● Level 1 ● Little/no confidence in asserted identity's validity ● OpenID and OAuth ● Level 2 ● Some Confidence. ● Password based systems or SAML assertions using password based mechanism
Security Features – Use Case 3 Detail Levels of Assurance (NIST 800-63 Special Pub e-Auth) ● Level 3 ● High Confidence. ● Soft/hard crypto tokens, OTP.... ● Level 4 ● Very High confidence. PKI, Smart Cards.
Security Features – Use Case 3 Detail Which standard is relevant to you? ● Community Type Environment ● Need Level 1 assurance? ● Internet scale? Decentralized? Then OpenID and OAuth. ● Enterprise Type Environment ● Level 2 assurance of identity ● SAML assertions based on password authentication. ● Level 3 or 4 assurance of identity ● SAML assertions based on PKI or Smart Cards.
Security Features – Use Case - 4 Thousands of users access my web and ejb applications. It is very difficult to know: ● Who logged in? ● At what time? ● From which IP Address? ● What EJB operation? Which WEB URI? ● Who was denied access and why?
Security Features – Use Case 4 Details Audit Capabilities ● You can audit your Web and EJB applications. ● Depends on enabling Java EE Container Security. ● Configuration enables granularity of auditing for web requests.
Security Features – Audit 2008-12-05 16:08:38,997 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http- 127.0.0.1-8080-17:) [Success]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518; Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={policyRegi stration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518,securityConstraints=[ Lorg.apache.catalina.deploy.SecurityConstraint;@6feeae6, resourcePermissionCheck=true},canonicalRequestURI=/restricted/get-only/x,request=[/web- constraints:cookies=null:headers=user-agent=Jakarta Commons- HttpClient/3.0,authorization=host=localhost:8080,] [parameters=],CodeSource=null];securityConstraints=SecurityConstraint[RestrictedAccess - Get Only];Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;resourcePermission Check=true;Exception:=; 2008-12-05 16:08:41,561 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http- 127.0.0.1-8080-4:) [Failure]principal=anil;Source=org.jboss.web.tomcat.security.JBossWebRealm;request=[/jaspi -web-basic:cookies=null:headers=user-agent=Jakarta Commons- HttpClient/3.0,authorization=host=localhost:8080,][parameters=][attributes=];2008-12-05 16:07:30,129 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (WorkerThread#1[127.0.0.1:55055]:)
Best Practices, Tips – Field Experiences ● Make use of Java EE Container Security. ● Security Domain Configuration as part of your deployment. ● Register to obtain security patches and updates. ● Keep your system up to date. ● Adopt standards based architecture as far as possible. ● Biggest challenge seen in customers migrating to JBoss
Q&A Thank You!!!
Anil saldhana securityassurancewithj_bosseap

Empfohlen

Bcd Securing Active Directory v1 3
Bcd Securing Active Directory v1 3Bcd Securing Active Directory v1 3
Bcd Securing Active Directory v1 3Pacho Baratta
 
Code by the sea: Web Application Security
Code by the sea: Web Application SecurityCode by the sea: Web Application Security
Code by the sea: Web Application SecurityBoy Baukema
 
Combat Passwords on Post-Its with Multi-Factor Authentication for IBM i
Combat Passwords on Post-Its with Multi-Factor Authentication for IBM iCombat Passwords on Post-Its with Multi-Factor Authentication for IBM i
Combat Passwords on Post-Its with Multi-Factor Authentication for IBM iPrecisely
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onCraig Dickson
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iPrecisely
 
Kailash Kapal Resume v5
Kailash Kapal Resume v5Kailash Kapal Resume v5
Kailash Kapal Resume v5Kailash Kapal
 
PCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuitePCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuiteHitachi ID Systems, Inc.
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-Onelliando dias
 

Empfohlen

Bcd Securing Active Directory v1 3
Bcd Securing Active Directory v1 3Bcd Securing Active Directory v1 3
Bcd Securing Active Directory v1 3Pacho Baratta
 
Code by the sea: Web Application Security
Code by the sea: Web Application SecurityCode by the sea: Web Application Security
Code by the sea: Web Application SecurityBoy Baukema
 
Combat Passwords on Post-Its with Multi-Factor Authentication for IBM i
Combat Passwords on Post-Its with Multi-Factor Authentication for IBM iCombat Passwords on Post-Its with Multi-Factor Authentication for IBM i
Combat Passwords on Post-Its with Multi-Factor Authentication for IBM iPrecisely
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onCraig Dickson
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iPrecisely
 
Kailash Kapal Resume v5
Kailash Kapal Resume v5Kailash Kapal Resume v5
Kailash Kapal Resume v5Kailash Kapal
 
PCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuitePCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuiteHitachi ID Systems, Inc.
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-Onelliando dias
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The BasicsIshan A B Ambanwela
 
SkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for BusinessSkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for BusinessYoav Crombie
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iPrecisely
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSOAjit Dadresa
 
Secure Elements in Web Applications
Secure Elements in Web ApplicationsSecure Elements in Web Applications
Secure Elements in Web ApplicationsOlivier Potonniée
 
SINGLE SIGN-ON
SINGLE SIGN-ONSINGLE SIGN-ON
SINGLE SIGN-ONShambhavi Sahay
 
Getting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesGetting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesHelpSystems
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server SecurityVinod Kumar
 
7. Kepware_Security
7. Kepware_Security7. Kepware_Security
7. Kepware_SecuritySteve Lim
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on systemSwati Sinha
 
Oasis IDCloud TC - Anil Saldhana
Oasis IDCloud TC - Anil SaldhanaOasis IDCloud TC - Anil Saldhana
Oasis IDCloud TC - Anil SaldhanaAnil Saldanha
 
Anil saldhana cloud identity
Anil saldhana cloud identityAnil saldhana cloud identity
Anil saldhana cloud identityAnil Saldanha
 
Advances inbrowsersecurity
Advances inbrowsersecurityAdvances inbrowsersecurity
Advances inbrowsersecurityAnil Saldanha
 
Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Anil Saldanha
 
Anil saldhana identitycloud
Anil saldhana identitycloudAnil saldhana identitycloud
Anil saldhana identitycloudAnil Saldanha
 
Oasis Identity In The Cloud Technical Committee
Oasis Identity In The Cloud Technical CommitteeOasis Identity In The Cloud Technical Committee
Oasis Identity In The Cloud Technical CommitteeAnil Saldanha
 
Anil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpracticesAnil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpracticesAnil Saldanha
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With PicketlinkAnil Saldanha
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Mule security - saml
Mule security - samlMule security - saml
Mule security - samlcharan teja R
 
DaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDenis Gundarev
 
DaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDenis Gundarev
 

Weitere ähnliche Inhalte

Was ist angesagt?

SkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for BusinessSkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for BusinessYoav Crombie
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iPrecisely
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSOAjit Dadresa
 
Secure Elements in Web Applications
Secure Elements in Web ApplicationsSecure Elements in Web Applications
Secure Elements in Web ApplicationsOlivier Potonniée
 
Getting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesGetting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesHelpSystems
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server SecurityVinod Kumar
 
7. Kepware_Security
7. Kepware_Security7. Kepware_Security
7. Kepware_SecuritySteve Lim
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on systemSwati Sinha
 

Was ist angesagt? (10)

Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
 
SkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for BusinessSkypeShield - Securing Skype for Business
SkypeShield - Securing Skype for Business
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM i
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSO
 
Secure Elements in Web Applications
Secure Elements in Web ApplicationsSecure Elements in Web Applications
Secure Elements in Web Applications
 
SINGLE SIGN-ON
SINGLE SIGN-ONSINGLE SIGN-ON
SINGLE SIGN-ON
 
Getting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User PrivilegesGetting Started with IBM i Security: User Privileges
Getting Started with IBM i Security: User Privileges
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server Security
 
7. Kepware_Security
7. Kepware_Security7. Kepware_Security
7. Kepware_Security
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on system
 

Andere mochten auch

Oasis IDCloud TC - Anil Saldhana
Oasis IDCloud TC - Anil SaldhanaOasis IDCloud TC - Anil Saldhana
Oasis IDCloud TC - Anil SaldhanaAnil Saldanha
 
Anil saldhana cloud identity
Anil saldhana cloud identityAnil saldhana cloud identity
Anil saldhana cloud identityAnil Saldanha
 
Advances inbrowsersecurity
Advances inbrowsersecurityAdvances inbrowsersecurity
Advances inbrowsersecurityAnil Saldanha
 
Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Anil Saldanha
 
Anil saldhana identitycloud
Anil saldhana identitycloudAnil saldhana identitycloud
Anil saldhana identitycloudAnil Saldanha
 
Oasis Identity In The Cloud Technical Committee
Oasis Identity In The Cloud Technical CommitteeOasis Identity In The Cloud Technical Committee
Oasis Identity In The Cloud Technical CommitteeAnil Saldanha
 
Anil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpracticesAnil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpracticesAnil Saldanha
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With PicketlinkAnil Saldanha
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Mule security - saml
Mule security - samlMule security - saml
Mule security - samlcharan teja R
 
DaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDenis Gundarev
 
DaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDenis Gundarev
 
BriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
BriForum 2013 Chicago - Citrix Troubleshooting - Denis GundarevBriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
BriForum 2013 Chicago - Citrix Troubleshooting - Denis GundarevDenis Gundarev
 
ID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzMike Schwartz
 
DaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDenis Gundarev
 
Briforum 2011 Chicago
Briforum 2011 ChicagoBriforum 2011 Chicago
Briforum 2011 ChicagoDan Brinkmann
 
RSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityRSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityMike Schwartz
 
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5Denis Gundarev
 
Cloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationCloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationMike Schwartz
 

Andere mochten auch (20)

Oasis IDCloud TC - Anil Saldhana
Oasis IDCloud TC - Anil SaldhanaOasis IDCloud TC - Anil Saldhana
Oasis IDCloud TC - Anil Saldhana
 
Anil saldhana cloud identity
Anil saldhana cloud identityAnil saldhana cloud identity
Anil saldhana cloud identity
 
Advances inbrowsersecurity
Advances inbrowsersecurityAdvances inbrowsersecurity
Advances inbrowsersecurity
 
Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5
 
Anil saldhana identitycloud
Anil saldhana identitycloudAnil saldhana identitycloud
Anil saldhana identitycloud
 
Oasis Identity In The Cloud Technical Committee
Oasis Identity In The Cloud Technical CommitteeOasis Identity In The Cloud Technical Committee
Oasis Identity In The Cloud Technical Committee
 
Anil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpracticesAnil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpractices
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With Picketlink
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Mule security - saml
Mule security - samlMule security - saml
Mule security - saml
 
DaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo MurrisDaaS/IaaS Forum Moscow - Ivo Murris
DaaS/IaaS Forum Moscow - Ivo Murris
 
DaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat MessaoudDaaS/IaaS Forum Moscow - Najat Messaoud
DaaS/IaaS Forum Moscow - Najat Messaoud
 
BriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
BriForum 2013 Chicago - Citrix Troubleshooting - Denis GundarevBriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
BriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
 
ID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike Schwartz
 
DaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris Rogers
 
Briforum 2011 Chicago
Briforum 2011 ChicagoBriforum 2011 Chicago
Briforum 2011 Chicago
 
RSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityRSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud Identity
 
The Tools I Use
The Tools I UseThe Tools I Use
The Tools I Use
 
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
 
Cloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher EducationCloud Identity: A Recipe for Higher Education
Cloud Identity: A Recipe for Higher Education
 

Ähnlich wie Anil saldhana securityassurancewithj_bosseap

iSecurity Data Sheet March 2016
iSecurity Data Sheet March 2016iSecurity Data Sheet March 2016
iSecurity Data Sheet March 2016Raz-Lee Security
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudKoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudTobias Koprowski
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
Active Directory 2019 v2.pptx
Active Directory 2019 v2.pptxActive Directory 2019 v2.pptx
Active Directory 2019 v2.pptxPradeep Kapkoti
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentMongoDB
 
Security concerns in web erp
Security concerns in web erpSecurity concerns in web erp
Security concerns in web erpManoj Jhawar
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith
 
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...mfrancis
 
59264945-Websphere-Security.pdf
59264945-Websphere-Security.pdf59264945-Websphere-Security.pdf
59264945-Websphere-Security.pdfDeepakAC3
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONSMarkus Eisele
 
Webinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBWebinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBMongoDB
 
Choosing the Best Business Intelligence Security Model for Your App
Choosing the Best Business Intelligence Security Model for Your AppChoosing the Best Business Intelligence Security Model for Your App
Choosing the Best Business Intelligence Security Model for Your AppLogi Analytics
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Weblogic Cluster Security
Weblogic Cluster SecurityWeblogic Cluster Security
Weblogic Cluster SecurityAditya Bhuyan
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 

Ähnlich wie Anil saldhana securityassurancewithj_bosseap (20)

iSecurity Data Sheet March 2016
iSecurity Data Sheet March 2016iSecurity Data Sheet March 2016
iSecurity Data Sheet March 2016
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudKoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Active Directory 2019 v2.pptx
Active Directory 2019 v2.pptxActive Directory 2019 v2.pptx
Active Directory 2019 v2.pptx
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB Deployment
 
Security concerns in web erp
Security concerns in web erpSecurity concerns in web erp
Security concerns in web erp
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
 
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
 
59264945-Websphere-Security.pdf
59264945-Websphere-Security.pdf59264945-Websphere-Security.pdf
59264945-Websphere-Security.pdf
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
 
Sudheendra
SudheendraSudheendra
Sudheendra
 
Webinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDBWebinar: Securing your data - Mitigating the risks with MongoDB
Webinar: Securing your data - Mitigating the risks with MongoDB
 
Choosing the Best Business Intelligence Security Model for Your App
Choosing the Best Business Intelligence Security Model for Your AppChoosing the Best Business Intelligence Security Model for Your App
Choosing the Best Business Intelligence Security Model for Your App
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Oracle ADF Case Study
Oracle ADF Case StudyOracle ADF Case Study
Oracle ADF Case Study
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Weblogic security
Weblogic securityWeblogic security
Weblogic security
 
Weblogic Cluster Security
Weblogic Cluster SecurityWeblogic Cluster Security
Weblogic Cluster Security
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 

Anil saldhana securityassurancewithj_bosseap

  • 1.
  • 2. SECURITY ASSURANCE WITH JBOSS ENTERPRISE APPLICATION PLATFORM Anil Saldhana, Lead Security Architect (JBoss), Red Hat Ray Ploski, Senior Solutions Architect, Red Hat Date: June 25, 2010
  • 3. Introduction Speakers ● Anil Saldhana ● Ray Ploski
  • 4. Introduction - Agenda Session ● Middleware Security – JBoss Platforms ● Secure Your Applications (Web, EJB etc) ● Security Domains ● Encrypt passwords in clear text ● Security Features ● Audit ● XACML (Access Control) ● Negotiation (Kerberos based desktop SSO for web)
  • 5. Introduction - Agenda Session ● Identity Management with PicketLink ● Best Practices and Tips ● Q&A
  • 6. Middleware Security – JBoss Platforms Security is critical to middleware ● Balance between features and configuration ● Features such as business access control and audit may be available as part of the stack ● No need for embedding the logic in applications ● Security Response Team ● Cross-cutting, multi-geo and round-the-clock.
  • 7. Secure Your Applications Security Domain ● Central concept in security configuration for EAP. ● Defines the modules for ● Authentication ● Authorization ● Audit ● Mapping
  • 8. Secure Your Applications Security Domain ● You can define globally in conf/login-config.xml ● Static configuration. No hot deployment of domains. ● You can define at deployment level using xxx-jboss- beans.xml ● Provides hot deployment of security domains
  • 9. Secure Your Applications Security Domain <deployment xmlns="urn:jboss:bean-deployer:2.0"> <application-policy xmlns="urn:jboss:security-beans:1.0" name="MyDomain"> <authentication> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" /> </authentication> <authorization> <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/> </authorization> <mapping> <mapping-module code="org.jboss.security.mapping.providers.DeploymentRolesMappingProvider" type=”role”> </mapping-module> </mapping> </application-policy> </deployment>
  • 10. Secure Your Applications How to secure your web applications? ● Define your security constraints in your web.xml ● Login Config: BASIC, FORM, CLIENT-CERT, DIGEST ● Define your security domain name in jboss-web.xml ● If you omit, it defaults to “other” ● Provide your security domain configuration in a xxx- jboss-beans.xml file ● Package them into a war file
  • 11. Secure Your Applications How to secure your web services applications? ● EJB based web services are authenticated and authorized by the EJB Container. ● POJO based web services ● Configure a security domain in WEB-INF/jboss-web.xml ● Configure a WEB-INF/jboss-wsse-server.xml to declare the roles or unchecked access.
  • 12. Secure Your Applications How to secure your EJB3 applications? ● Define your security annotations in your bean classes. ● @RolesAllowed, @RunAs, @PermitAll etc ● Define your security domain name in jboss.xml ● Provide your security domain configuration in a xxx- jboss-beans.xml file ● Package them into a jar file
  • 13. Secure Your Applications Encrypt/Mask Passwords in Clear Text ● Do you like to see passwords in the clear? ● Facilities to encrypt/mask/hash passwords: ● Data store Passwords ● Tomcat connector Passwords ● Messaging Destination Passwords ● Microcontainer Beans Passwords
  • 14. Secure Your Applications Encrypt/Mask Passwords in Clear Text ● Difference between hashing and encryption ● Hashing involves a one way treatment ● Encryption is two way but involves a key ● Masking typically uses Password based encryption
  • 16. Security Features – Use Case 1 ● This is a large company. ● About 20,000 employees log on to their Windows Machines each day. ● The Desktop logins are governed by an Active Directory Domain Controller. ● After corp desktop login ● they access about 30 internal web applications. ● The employee information is stored in AD and divisional databases.
  • 17. Security Features – Use Case 1 - Issues ● Windows Login – 1 password. ● Web Application 1 – 1 password. ● Web Application 2 – 1 password. ● .... ● Web Application 30 – 1 password. ● Web applications run by various divisions at the company, with different needs for roles.
  • 18. Security Features – Use Case 1 Negotiation ● Fully supported in JBoss EAP 5.0 and beyond. ● Users log into their desktops (windows/linux) governed by a Kerberos based Domain Controller (Active Directory). ● Web applications on EAP can have seamless SSO. ● Negotiation takes care of the authentication aspect. ● Roles for the web apps can come from any silo. ● Due to JAAS login module stacking.
  • 19. Security Features – Use Case 1 Negotiation
  • 20. Security Features – Use Case 2 My web and ejb applications have business rules that keep changing: ● Employees cannot sell company shares during blackout period. ● Employees cannot view their manager's salary. ● Junior Traders can make trades if they are less than $1m in value. ● Web application is read only during non business hours (9am -5pm).
  • 21. Security Features – Use Case 2 - Issues Many of these business rules = access control rules ● Choice is to embed the business rules in the application logic or ● Externalize the access control logic. ● Java EE Container Security for web and ejb applications uses coarse grained access control rules. ● FINE GRAINED AUTHORIZATION ● DOMAIN DRIVEN AUTHORIZATION
  • 22. Security Features – Use Case 2 - Detail XACML Engine ● Oasis XACML v2.0 Compliant. ● Fully supported in JBoss EAP 5.0 and beyond. ● Provide Fine Grained Authorization Capabilities to EJB and Web Applications. ● Business Applications can also make direct use of the Engine API. ● Unlike Java EE coarse grained Role Based Access Control, XACML is fine grained attributes driven
  • 23. Security Features – Use Case 2 - Detail XACML Engine
  • 24. Security Features – Use Case 2 Detail XACML Access Decisions – a combination of rules on ● Subject – user, actor invoking a service ● Resource – something that needs to be protected ● Action – subject is performing on the resource (get,read,write,delete) ● Environment – date,time,ip address
  • 25. Security Features – Use Case 3 Enterprise has Identity Management Needs ● Manage users, roles, groups, attributes etc. ● Support SAML, WS-Trust, OpenID, OAuth.
  • 26. Security Features – Use Case 3 Detail PicketLink Identity Management ● Identity Model (IDM) ● Federated Identity Support ● SAML v2.0, WS-Trust, OpenID ● Tech Preview in JBoss EAP 5.1, SOA-P 5.0 ● IDM Module supported in JBoss EPP5
  • 27. Security Features – Use Case 3 Detail PicketLink Architectures – Web Based Identity Provider
  • 28. Security Features – Use Case 3 Detail PicketLink Architectures – WS-Trust Based STS
  • 29. Security Features – Use Case 3 Detail PicketLink Architectures – STS for EJB Applications
  • 30. Security Features – Use Case 3 Detail Levels of Assurance (NIST 800-63 Special Pub e-Auth) ● Level 1 ● Little/no confidence in asserted identity's validity ● OpenID and OAuth ● Level 2 ● Some Confidence. ● Password based systems or SAML assertions using password based mechanism
  • 31. Security Features – Use Case 3 Detail Levels of Assurance (NIST 800-63 Special Pub e-Auth) ● Level 3 ● High Confidence. ● Soft/hard crypto tokens, OTP.... ● Level 4 ● Very High confidence. PKI, Smart Cards.
  • 32. Security Features – Use Case 3 Detail Which standard is relevant to you? ● Community Type Environment ● Need Level 1 assurance? ● Internet scale? Decentralized? Then OpenID and OAuth. ● Enterprise Type Environment ● Level 2 assurance of identity ● SAML assertions based on password authentication. ● Level 3 or 4 assurance of identity ● SAML assertions based on PKI or Smart Cards.
  • 33. Security Features – Use Case - 4 Thousands of users access my web and ejb applications. It is very difficult to know: ● Who logged in? ● At what time? ● From which IP Address? ● What EJB operation? Which WEB URI? ● Who was denied access and why?
  • 34. Security Features – Use Case 4 Details Audit Capabilities ● You can audit your Web and EJB applications. ● Depends on enabling Java EE Container Security. ● Configuration enables granularity of auditing for web requests.
  • 35. Security Features – Audit 2008-12-05 16:08:38,997 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http- 127.0.0.1-8080-17:) [Success]policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518; Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={policyRegi stration=org.jboss.security.plugins.JBossPolicyRegistration@76ed4518,securityConstraints=[ Lorg.apache.catalina.deploy.SecurityConstraint;@6feeae6, resourcePermissionCheck=true},canonicalRequestURI=/restricted/get-only/x,request=[/web- constraints:cookies=null:headers=user-agent=Jakarta Commons- HttpClient/3.0,authorization=host=localhost:8080,] [parameters=],CodeSource=null];securityConstraints=SecurityConstraint[RestrictedAccess - Get Only];Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;resourcePermission Check=true;Exception:=; 2008-12-05 16:08:41,561 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http- 127.0.0.1-8080-4:) [Failure]principal=anil;Source=org.jboss.web.tomcat.security.JBossWebRealm;request=[/jaspi -web-basic:cookies=null:headers=user-agent=Jakarta Commons- HttpClient/3.0,authorization=host=localhost:8080,][parameters=][attributes=];2008-12-05 16:07:30,129 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (WorkerThread#1[127.0.0.1:55055]:)
  • 36. Best Practices, Tips – Field Experiences ● Make use of Java EE Container Security. ● Security Domain Configuration as part of your deployment. ● Register to obtain security patches and updates. ● Keep your system up to date. ● Adopt standards based architecture as far as possible. ● Biggest challenge seen in customers migrating to JBoss