You're watching a preview of this video, click the button on the left to purchase the full version from Devoxx'09.

Opensource Authentication and Authorization

As web applications become the norm for application delivery, there is more and more demand for managing access control at the application framework level. Managing this access control quickly becomes an overwhelming overhead for the actual application, and should be handled by the underlying framework used for application delivery. Opensource projects such as ForgeRock OpenAM (formerly OpenSSO) can provide both authentication services and authorization services to applications through a simple REST or SOAP based web service interface. All the management of users, groups and other authentication attributes can be handled by the AuthN/AuthZ application and delivered to the web application as a service. We can already see this pattern in PAM (Pluggable Authentication Modules), used in many Linux environments today. However, mere authentication is not sufficient in an enterprise environment. Often, group, Com...

  • Opensource Authentication & Authorization Allan Foster ForgeRock allan.foster@forgerock.com
  • “Build us a Web App” 2
  • Lots of examples.... 3
  • New Application Demands Collaborative Workgroups Client - Server Multi user... In the cloud? 4
  • It's a WebApp! 5
  • Business Logic Your Business... Your Logic... You know how to do this! 6
  • Lots of Help Language... .Net, Perl, Java, Groovy, PHP, Ruby, C#, Python, C++ 7
  • Oh yes, LOTS of help! Frameworks... JSF, AJAX, Spring, Velocity, PEAR, Hibernate, IceFaces 8
  • And don’t forget... 9
  • Access Control Who are our users? Who can access what? What can they do? How do we manage this? 10
  • It's not that complicated.. Authentication SSO Authorization 11
  • Authentication? Corporate LDAP 12
  • But what about... 13
  • or... 14
  • or SecureID (RSA logo) 15
  • Maybe all? 16
  • Authentication isn’t enough... 17
  • Authentication isn’t enough... SSO is expected! I have one set of credentials, Why can’t I just use them ONCE? 18
  • Even between multiple Organizations Federation eGov GoogleApps 19
  • SSO implies having a single Authentication service... trusted 20
  • That can be used by MANY different applications! 21
  • Without regard to HOW the authentication is being performed 22
  • What About Authorization? 23
  • Is this user allowed to perform this action on this data? 24
  • Group Membership? Roles? Some Complex Matrix? 25
  • Access control logic can be embedded in our application... BUT.. 26
  • New Specs New Rules Exceptions Changes... and more changes! ...And testing! 27
  • Reprogram the door? 28
  • Centrally managed service 29
  • AuthN and AuthZ as a service Identity services (OpenAM) 30
  • Authentication SSO Authorization 31
  • Authentication is NOT Identity Management Validation against EXISTING identity stores! 33
  • We don’t need to know user implementation details We only need to know User Identity and possibly some user attributes. 34
  • Integrate into existing process Pluggable Authentication modules Built on Standards - JAAS Multiple Modules & Chains 35
  • LDAP, SecureID, Unix, x509 Certificate, SafeWord, JDBC, SAML2, Smart-Cards, Custom, MSISDN, Membership, AD, Extensible 36
  • Authentication determines identity Identity is what matters.. NOT the method it is determined 37
  • Authentication SSO Authorization 39
  • Allan Foster Speaker Devoxx 2010 45
  • One Pass Multiple Doors Single Sign On 47
  • Application validates credentials... Does NOT issue them! 48
  • We don’t “Login” We validate Identity. This is a hurdle for developers! 49
  • Authentication service determines identity Authentication service issues credentials 50
  • New applications easily integrate into existing infrastructure 51
  • And for many projects This is success! 52
  • Authentication SSO Authorization 53
  • Multi User Application Access Control Rights and Privileges 54
  • Access Control - Policy Rights and Privileges - Entitlements Scalability Flexibility 55
  • Access Control can be Very Complex Domain Specific Dependent on Many Conditions 56
  • Several Options • Ad Hoc • J2EE Policy • URL Access • Custom Developed • External Policy Engine 57
  • Ad Hoc •Localized if - then - else •Cumbersome •No Reuse •Inconsistent enforcement •Unverifiable •Possible security holes 58
  • J2EE Policy •Standards.. •Role Based •Supported in the deployment •Designed from the start •Difficult to change •Domino Effect 59
  • URL Access •Coarse Grained •Tree Level Access •Often at Application or server Level •Access Control NOT Entitlements 60
  • Custom Policy •Expensive •Hard to Maintain •Proprietary •Administration is Daunting! •Difficult to change and adapt 61
  • External Policy Engine •Policy Evaluation •Extensible •Flexible •Centralized Administration •Can it handle our complexity? 62
  • Can This User access This Resource under These Conditions? 64
  • Define Rules for Access Rules can be changed dynamically Standards based - XACML3 65
  • Rules Resources Actions Subjects Conditions Response Attributes Advice 66
  • Resources URLs Accounts Buttons Projects Hierarchical Scalable Pluggable API 67
  • Actions Performed on a resource Fine Grained access GET, POST, PUT, DELETE, COPY, Withdraw, Balance, Transfer, Create, Read, Update, Delete 68
  • Subjects Who does the rule apply to? Group Membership, Datastore Attribute, LDAP Attribute, Session Attribute, Custom Subject; Pluggable API, Combination Logic 69
  • Conditions Simple or Complex Dependencies: Attribute, Bank Balance, IP Address, Time of the Day, Authentication level, Session Attribute; Pluggable API, Combination Logic 70
  • Access control can be: Role based, Attribute based, or Dynamic. 71
  • Policy Enforcement Point Policy Decision Point Policy Administration Point 72
  • Policy Enforcement Point 73
  • Policy Enforcement Point Simplest case Agent plugged into web container. ISapi NSApi Mod_auth 74
  • Zero changes to app. Simple to install.. Easily protect “Closed” apps 75
  • Policy Enforcement Point Fine for URL access control when resource is a URL. But how do we address entitlements? 76
  • Policy Enforcement Point Simple Web Service Call Coded into Application if (entitled(userToken,resource,env)) { ... ... } Language Agnostic! 77
  • Simple JSON responses { "statusCode":200, "statusMessage":"OK", "body":{ "actionsValues":{"GET":true}, "attributes":{}, "advices":{}, "resourceName":"http://www.anotherexample.com:80/index.html" } } 78
  • Policy Decision Point 79
  • Policy Decision Point Policy Evaluation Separate the Rule evaluation from the enforcement 80
  • Scalable and extensible policy engine Scalable to millions of entitlements Standards based XACML3 81
  • Separate Administration Application Administration is separate from Entitlement Administration 82
  • Policy Administration Administration UI Dynamic rule changes Auditability Consistency 84
  • Standards based XACML3 Any editor... Any workflow... 85
  • Rule changes take immediate effect No impact on application development 86
  • Keep track of rules and changes Reuse rules for reusable resources 87
  • ForgeRock 88
  • OpenAM OpenAM As A Service gives Flexibility, Consistency & Management to Authentication and Entitlements. 89
  • OpenAM Started life as Sun Access Manager OpenSourced in 2007 Strong Community 90
  • OpenAM OpenAM is fully opensource, 100% Java, scalable, high performance, AuthN and AuthZ 91
  • OpenAM Full XACML3 Support Simple policies and Complex Entitlements Extensible Plugins Central Administration Leverage existing SSO 92
  • OpenAM OpenAM Community ForgeRock http://www.forgerock.org 93
  • Download it. Use it. Get involved! info@forgerock.com 94
  • Demo 95
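As an added example (not code from the talk or from OpenAM), here is a policy enforcement point in the shape of the `if (entitled(userToken,resource,env))` call on slide 77, evaluating a decision response in the JSON format shown on slide 78. The `ask_pdp` stub and the sample responses are constructed to stand in for the web-service call to the Policy Decision Point; the enforcement logic itself is default-deny and passes the PDP's advices back to the caller.

```python
import json

# Constructed sample decision responses in the shape shown on slide 78
# (statusCode / statusMessage / body with actionsValues, attributes, advices,
# resourceName). They stand in for what a PDP web-service call would return;
# no real OpenAM endpoint is contacted here.
SAMPLE_DECISIONS = {
    "http://www.anotherexample.com:80/index.html": json.dumps({
        "statusCode": 200, "statusMessage": "OK",
        "body": {"actionsValues": {"GET": True, "POST": False},
                 "attributes": {}, "advices": {},
                 "resourceName": "http://www.anotherexample.com:80/index.html"}}),
    "http://www.anotherexample.com:80/admin": json.dumps({
        "statusCode": 200, "statusMessage": "OK",
        "body": {"actionsValues": {},          # no rule matched: PDP decides nothing
                 "attributes": {},
                 "advices": {"ExampleAdvice": ["2"]},  # constructed advice key/value
                 "resourceName": "http://www.anotherexample.com:80/admin"}}),
}

def ask_pdp(user_token, resource, env):
    """Stand-in for the web-service call to the Policy Decision Point (assumption:
    a real PEP would send the token, resource and environment over REST/SOAP)."""
    raw = SAMPLE_DECISIONS.get(resource)
    if raw is None:
        return {"statusCode": 500, "statusMessage": "PDP unreachable", "body": {}}
    return json.loads(raw)

def entitled(user_token, resource, action, env):
    """PEP-side evaluation of a PDP response. Returns (allowed, advices).
    Fails closed: a non-200 status, a missing action or an explicit false is a deny."""
    decision = ask_pdp(user_token, resource, env)
    if decision.get("statusCode") != 200:
        return False, {}
    body = decision.get("body", {})
    # Extra check added here: the PDP echoes the resource it evaluated, and an
    # answer about a different resource must not be applied to this request.
    if body.get("resourceName") != resource:
        return False, {}
    allowed = body.get("actionsValues", {}).get(action) is True
    return allowed, body.get("advices", {})
```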
