Improving Web Application Security by Using JA-SIG CAS
© Copyright Unicon, Inc., 2006-2008. This work is the intellectual property of Unicon, Inc. Permission is granted for this material to be shared for non-commercial purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Unicon, Inc. To disseminate otherwise or to republish requires written permission from Unicon, Inc.
Some slides drawn from prior presentations at JA-SIG conferences.
http://creativecommons.org/licenses/by-nc/2.5/
Adam Rybicki, Unicon, Inc.
Arlington, Virginia, May 5, 2008
Scott Battaglia, Rutgers University
Hi. I’m Adam.
• V.P. of Technology at Unicon, Inc.
• Previously CTO at Interactive Business Solutions, Inc. (IBS)
Hi. I’m Scott.
• Application Developer/Architect @ Rutgers
• Committer to various open source projects
What is JA-SIG?
• Java Architectures Special Interest Group
• Founded in 1999 to foster collaboration among HE institutions and companies around Java applications for the enterprise
• Regular conferences
• Membership-funded
• Open source projects
– uPortal
• Initially funded by an Andrew W. Mellon Foundation
• Named in 2003 in InfoWorld’s top 100 IT projects
• 2007 Educause Catalyst award winner
– CAS
• Initially developed in 1999 at Yale University
• Became a JA-SIG project in 2004
What is CAS?
• CAS is enterprise single-sign-on for the web.
– Free
– Open source
– Server implemented in Java
– Clients implemented in a plethora of languages
– www.ja-sig.org/products/cas/
Some of the people involved as the project has evolved
• Shawn Bayern
• Susan Bramhall
• Marc-Antoine Garrigue
• Howard Gilbert
• Dmitriy Kopylenko
• Arnaud Lesueur
• Drew Mazurek
• Andrew Petro
• Jan Van der Velpen (Velpi)
Many CAS deployers
• Appian Corporation
• Athabasca University
• Azusa Pacific University
• BCcampus
• California Polytechnic Institute
• California State University, Chico
• Campus Crusade for Christ
• Case Western Reserve University
• Columbia
• Employers Direct
• GET-INT
• Hong Kong University of Science and Technology
• Indiana
• Karlstad University, Sweden
• La Voz de Galicia, Spain
• Memorial University of Newfoundland
• Nagoya University
• NHMCCD
• Northern Arizona University
• Plymouth State University (used with SunGardHE Luminis)
• Roskilde University
• Rutgers, The State University of New Jersey
• SunGard HE Luminis
• Simon Fraser University (Vancouver, B.C.)
• Suffield Academy
• Tollpost Globe AS
… and more
• Universita degli Studi di Parma
• Universite de Bourgogne - France
• Universite de La Rochelle, France
• Universite de Pau et des Pays de l'Adour, France
• University of Nancy 1, France
• Universite Nancy 2, France
• Universite Pantheon Sorbonne
• Universiteit van Amsterdam
• University of Bristol, England
• University of California Merced
• University of California, Riverside
• University of Crete, Greece
• University of Delaware
• University of Geneva
• University of Hawaii
• University of New Mexico
• University of Rennes1
• University of Technology, Sydney
• Uppsala University
• Valtech
• Virginia Tech
• Yale University
• And likely more not well-enumerated…
CAS and Commercial
• CAS is embedded in at least two commercial products
• CAS support is baked into at least one hardware platform (a wireless Internet vending appliance)
• Commercial entities use CAS as their SSO
Multi-sign-on for the Web
At least with one username/password?
[Diagram: every web application has its own login form and checks the user's username/password against LDAP.]
All applications touch passwords
[Diagram: same setup; each application handles the user's primary password on its way to LDAP.]
Any compromise leaks primary credentials
[Diagram: same setup; a compromised application exposes the LDAP password it collected.]
Adversary then can run wild
[Diagram: same setup; the leaked password works against LDAP and every other application.]
What to do about this?
• What if there were only one login form, only one application trusted to touch primary credentials?
Delete your login forms.
CAS in a nutshell
[Diagram: Browser, Web application, CAS. The browser authenticates to the web application without sending its password; it authenticates to CAS via password (once); the web application asks CAS to determine the validity of the user's claimed authentication.]
How CAS works
[Diagram: Web browser, CAS, Web application. The browser asks for service S and is sent to CAS; after login CAS sets a ticket-granting cookie (TGC) in the browser and redirects back to S with a service ticket (ST); the browser presents the ST to the web application, which validates S and ST with CAS and receives the user's NetID.]
Webapps no longer touch passwords
[Diagram: web applications authenticate users through CAS; only CAS talks to LDAP.]
Adversary compromises only single apps
[Diagram: same setup; compromising one web application yields no password usable against LDAP or the other applications.]
What about portals?
Need to go get interesting content from different systems.
Password replay
[Diagram: a portal with several channels; the portal holds the user's password (PW) and each channel replays it to its password-protected service.]
Look ma, no password!
• Without a password to replay, how am I going to authenticate my portal to other applications?
CAS 2.0: Proxy CAS
[Diagram: as in the basic flow (TGC, ST, S, NetID), but when the web application validates S and ST it also supplies its PGTURL; CAS calls back the application's HTTPS listener at the PGTURL with a proxy-granting ticket (PGT) and its PGTIOU, and returns the NetID together with the PGTIOU in the validation response, so the application can pair the PGTIOU with the PGT that arrived at the listener.]
CAS 2.0: Proxy CAS
[Diagram: the web application presents its PGT and the back-end service S to CAS and receives a proxy ticket (PT); it sends the PT to the back-end application, which validates PT and S with CAS, receives the NetID and the proxying application's PGTURL, and returns the requested data.]
Proxiable credentials illustrated
[Diagram: IMP (webmail) validates its ST for service S with CAS and obtains a PGT; with the PGT it requests a PT and presents it to the IMAP server; the IMAP server's CAS PAM module validates the PT with CAS and learns the username and the identity of the web resource that proxied.]
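The two flows on the preceding slides, the basic service-ticket exchange from "How CAS works" and the proxy-ticket exchange from "CAS 2.0: Proxy CAS", as an added walk-through in Python. This is an illustration written for this transcript, not code from JA-SIG CAS or its client libraries: the `CasServer` and `Ticket` classes, the in-memory registry, the ticket identifiers and the sample user are all constructed here, and the PGTURL callback is modelled as a dictionary lookup instead of an HTTPS request to the application's listener.

```python
"""Toy model of the CAS 2.0 ticket flows sketched on the slides.

Added illustration for this transcript; not code from JA-SIG CAS.  The
classes, registry and ticket identifiers are constructed.  A real server
exposes /login, /serviceValidate, /proxy and /proxyValidate over HTTP and
delivers the PGT by an HTTPS callback to the application's PGTURL.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Ticket:
    kind: str                       # "TGT", "ST", "PGT" or "PT"
    user: str
    service: Optional[str] = None   # service an ST/PT is bound to
    proxies: List[str] = field(default_factory=list)  # proxy chain, nearest first
    used: bool = False


class CasServer:
    """Issues and validates tickets; the only component that checks passwords."""

    def __init__(self, passwords: Dict[str, str]):
        self._passwords = passwords          # stands in for LDAP
        self._registry: Dict[str, Ticket] = {}
        self.pgt_callbacks: Dict[str, str] = {}   # PGTIOU -> PGT (the PGTURL callback)

    def _issue(self, kind: str, **fields) -> str:
        tid = f"{kind}-{secrets.token_urlsafe(8)}"
        self._registry[tid] = Ticket(kind=kind, **fields)
        return tid

    # /login: the one place the password is ever seen
    def login(self, user: str, password: str) -> str:
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return self._issue("TGT", user=user)     # value carried in the TGC cookie

    # /login?service=S with a valid TGC: the browser gets an ST for that service
    def service_ticket(self, tgc: str, service: str) -> str:
        tgt = self._registry.get(tgc)
        if tgt is None or tgt.kind != "TGT":
            raise PermissionError("no SSO session")
        return self._issue("ST", user=tgt.user, service=service)

    def _consume(self, ticket_id: str, kinds, service: str) -> Ticket:
        t = self._registry.get(ticket_id)
        if t is None or t.kind not in kinds or t.used:
            raise PermissionError("INVALID_TICKET")
        t.used = True                        # consumed on first presentation
        if t.service != service:
            raise PermissionError("INVALID_SERVICE")   # bound to exactly one service
        return t

    # /serviceValidate?service=S&ticket=ST[&pgtUrl=PGTURL]
    def service_validate(self, service: str, st: str, pgt_url: Optional[str] = None) -> dict:
        t = self._consume(st, {"ST"}, service)
        result = {"user": t.user, "proxies": []}
        if pgt_url:
            pgt = self._issue("PGT", user=t.user, proxies=[pgt_url] + t.proxies)
            pgtiou = f"PGTIOU-{secrets.token_urlsafe(8)}"
            self.pgt_callbacks[pgtiou] = pgt     # PGT goes to the PGTURL, PGTIOU in the reply
            result["pgtiou"] = pgtiou
        return result

    # /proxy?pgt=PGT&targetService=S2
    def proxy(self, pgt_id: str, target_service: str) -> str:
        pgt = self._registry.get(pgt_id)
        if pgt is None or pgt.kind != "PGT":
            raise PermissionError("BAD_PGT")
        return self._issue("PT", user=pgt.user, service=target_service,
                           proxies=list(pgt.proxies))

    # /proxyValidate?service=S2&ticket=PT  (accepts STs as well)
    def proxy_validate(self, service: str, ticket: str) -> dict:
        t = self._consume(ticket, {"ST", "PT"}, service)
        return {"user": t.user, "proxies": list(t.proxies)}


def rejected(call, *args, **kwargs) -> bool:
    """True if CAS refuses the request; used to show the negative cases."""
    try:
        call(*args, **kwargs)
    except PermissionError:
        return True
    return False


def walk_through():
    """The slides' scenario: browser -> portal -> back-end service (constructed data)."""
    cas = CasServer({"alice": "correct horse"})
    tgc = cas.login("alice", "correct horse")          # password seen only by CAS
    st = cas.service_ticket(tgc, "https://portal/")     # browser redirected with ST
    res = cas.service_validate("https://portal/", st, pgt_url="https://portal/pgtCallback")
    pgt = cas.pgt_callbacks[res["pgtiou"]]               # portal pairs PGTIOU with its PGT
    pt = cas.proxy(pgt, "https://imap/")                 # PT for the back-end service
    back_end = cas.proxy_validate("https://imap/", pt)   # back end learns user + proxy chain
    return res["user"], back_end
```

The point to take from it is where the password appears: only `login` sees it; every later step carries a ticket that is bound to one service and consumed on first presentation, and the proxy chain travels with the PT so the back-end service can decide for itself whether it trusts the intermediaries.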
Provided authentication handlers
• LDAP
– Fast bind
– Search and bind
• Active Directory
– LDAP
– Kerberos (JAAS)
• JAAS
• JDBC
• RADIUS
• SPNEGO
• Trusted
• X.509 certificates
• Writing a custom authentication handler is easy
Today CAS is not only for authentication
• Return attributes of logged on users
• Adding support for standards
– OpenID
– SAML
• Single Sign-Out
• Support for clustering
– Implements distributed ticket registry
– Requires session replication
– Must guarantee cross-server ticket uniqueness
• Services management (white listing)
• Remember me
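What a CAS-protected service does with the validation response, as an added example (not code from the JA-SIG CAS client libraries): it parses the CAS 2.0 XML reply to /serviceValidate or /proxyValidate and, because a proxy ticket can be minted by any application holding a PGT for the user, accepts a proxied assertion only when every proxy in the chain is on an application-side allow list, the service-side counterpart of the services-management white list above. The two XML documents and the `ALLOWED_PROXIES` list are constructed for the example.

```python
"""Client-side handling of a CAS 2.0 /serviceValidate or /proxyValidate reply.

Added example for this transcript, not code from the JA-SIG CAS clients.
The two XML documents are constructed samples in the CAS 2.0 response
format (namespace http://www.yale.edu/tp/cas); ALLOWED_PROXIES is an
assumed application-side policy.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

CAS_NS = "{http://www.yale.edu/tp/cas}"

# Constructed sample: successful proxyValidate with one proxy in the chain.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-example-iou</cas:proxyGrantingTicket>
    <cas:proxies>
      <cas:proxy>https://portal.example.edu/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the ticket was already consumed or never existed.
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Assumed policy: proxies (identified by their PGTURL) this service trusts.
ALLOWED_PROXIES = ["https://portal.example.edu/pgtCallback"]


class CasValidationError(Exception):
    """Raised with the CAS failure code, or MALFORMED_RESPONSE."""


def parse_validation_response(xml_text: str) -> Tuple[str, Optional[str], List[str]]:
    """Return (user, pgtiou, proxies) from a CAS 2.0 response, or raise."""
    root = ET.fromstring(xml_text)
    failure = root.find(f"{CAS_NS}authenticationFailure")
    if failure is not None:
        raise CasValidationError(failure.get("code", "UNKNOWN"))
    success = root.find(f"{CAS_NS}authenticationSuccess")
    if success is None:
        raise CasValidationError("MALFORMED_RESPONSE")
    user_el = success.find(f"{CAS_NS}user")
    if user_el is None or not (user_el.text or "").strip():
        raise CasValidationError("MALFORMED_RESPONSE")
    pgtiou_el = success.find(f"{CAS_NS}proxyGrantingTicket")
    pgtiou = pgtiou_el.text.strip() if pgtiou_el is not None and pgtiou_el.text else None
    proxies = [p.text.strip()
               for p in success.iterfind(f"{CAS_NS}proxies/{CAS_NS}proxy") if p.text]
    return user_el.text.strip(), pgtiou, proxies


def failure_code(xml_text: str) -> Optional[str]:
    """The CAS failure code carried by a response, or None for a success."""
    try:
        parse_validation_response(xml_text)
    except CasValidationError as exc:
        return str(exc)
    return None


def accept_proxied_user(xml_text: str, allowed_proxies=ALLOWED_PROXIES) -> Optional[str]:
    """Return the NetID only if CAS succeeded and every proxy is on the allow list.

    A back-end service that trusts any proxy lets any CAS-enabled application
    obtain proxy tickets in its users' names; an empty chain (a direct ST) is
    accepted, an unknown intermediary is not.
    """
    try:
        user, _pgtiou, proxies = parse_validation_response(xml_text)
    except (CasValidationError, ET.ParseError):
        return None
    if any(p not in allowed_proxies for p in proxies):
        return None
    return user
```

A direct service validation carries no proxies, so the chain check passes trivially; the check only bites for proxy tickets, which is exactly where a service needs to know who stood between it and the user.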
Short Term Goals
• RESTful API
• Service Registration Page
• Service Priority
• InfoCard Support
• LDAP implementation of Service Registry
• Auditing, Logging etc.
• More Internationalization
• Bug Fixes, etc.!
Long Term Goals
• Re-architecture to support emerging use cases
– Account Management integration
– Password Expiration Policies/Password Change Integration
– SAML, OAuth, OpenID2, etc.
– Levels of Assurance / Multifactor authentication / second-level
• Better online/realtime administration
– Installer/configurer
– Information about CAS server (open SSO sessions, etc.)
• Hardening/Anti-phishing