Java EE Application Security With PicketLink
DESCRIPTION
In this presentation we will take a look at PicketLink, a security framework for Java EE, and learn how its identity management, authentication and authorization features can be used to address the security requirements for all aspects of application development.
TRANSCRIPT
![Page 1: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/1.jpg)
Java EE Application Security With PicketLink
Pedro Igor
![Page 2: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/2.jpg)
What is PicketLink?
● Umbrella project for security related projects
● Open and Security Standards
● Each project with focus on a specific security aspect
– Federation
– Application Security
– Security As a Service (SecaaS)
● Toolbox for Application Security
● Apache License v2
![Page 3: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/3.jpg)
About PicketLink
● Java EE Security Alternative for Authentication and Authorization
● First class support for CDI
● Identity Management API
● Web and REST Security / Servlet API Integration
● JWT and JOSE Token Support
● Social Authentication
● Federation Protocols: SAML v1 and v2, OAuth, OpenID and WS-Trust STS
● Security for Cloud-based Applications
● Plenty of example applications (quickstarts)
![Page 4: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/4.jpg)
Reduce Design Flaws
● Covers the most common security concepts in a simple and easy to use API
– How to represent identities? Users, roles, groups, applications, etc.
– How to authenticate and authorize ?
– How to protect my application resources ? Beans, pages, servlets, REST endpoints, etc.
– How to consume and produce security tokens ?
– How to enable Single Sign-On across different applications ?
● Focus on flexibility for specific security requirements
![Page 5: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/5.jpg)
Agenda
Identity Management
Http Security
Authentication
Authorization
DB / LDAP / BYO Security
![Page 6: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/6.jpg)
Configuration
● Configure PicketLink BOM (Bill of Materials) and dependencies
● Listen to an event to configure behavior:

```java
public void onInit(@Observes SecurityConfigurationEvent event) {
    SecurityConfigurationBuilder builder = event.getBuilder();

    builder
        .identity()  // the identity bean options
        .idmConfig() // identity management options
        .http();     // http and web security options
}
```
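As an added example (not code from the slides or from the PicketLink project), the observer below fills in the `idmConfig()` part of the builder with a file-based identity store. The configuration name `"default"` and the working directory are assumptions; the file store is meant for evaluating the API, and a real deployment would point the same builder at a JPA or LDAP store instead:

```java
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;
import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// Added example, not from the slides: a CDI observer that configures the
// identity management side of PicketLink when the application starts.
@ApplicationScoped
public class IdmConfiguration {

    public void onInit(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .idmConfig()
                // Name of this configuration; "default" is an assumed value
                .named("default")
                    .stores()
                        // File-based store: no database needed, good for trying
                        // the API. Use .jpa() or .ldap() for real deployments.
                        .file()
                            // Assumed path; keep it outside the web root, since it
                            // holds accounts, relationships and credential data
                            .workingDir("/var/lib/picketlink/idm")
                            // keep the data between restarts
                            .preserveState(true)
                            // identity types, relationships, credentials, permissions
                            .supportAllFeatures();
    }
}
```

Because the event is fired once at startup, this is also the place to decide which features a store must support; a store that only handles identity types cannot validate credentials, and login attempts will fail until that is corrected.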
![Page 7: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/7.jpg)
Authentication
● Single method invocation

```java
credentials.setCredential(anyCredentialType);
identity.login();

if (identity.isLoggedIn()) {
    // user is now authenticated
}

identity.logout();
```
● Useful events are fired during the authentication
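As an added example (not code from the slides or the PicketLink project), here is a request-scoped login bean built on the single-call pattern above, together with observers for two of the events PicketLink fires during authentication. The bean name, the use of `java.util.logging` and the log messages are assumptions:

```java
import java.util.logging.Logger;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.event.Observes;
import javax.inject.Inject;
import javax.inject.Named;
import org.picketlink.Identity;
import org.picketlink.authentication.event.LoggedInEvent;
import org.picketlink.authentication.event.LoginFailedEvent;
import org.picketlink.credential.DefaultLoginCredentials;

// Added example, not from the slides: a login bean plus audit observers.
@Named
@RequestScoped
public class LoginController {

    private static final Logger LOG = Logger.getLogger(LoginController.class.getName());

    @Inject
    private Identity identity;

    // Built-in credential holder for username/password logins
    @Inject
    private DefaultLoginCredentials credentials;

    // Returns true only when PicketLink confirms the login; the caller decides
    // what to render and never assumes success.
    public boolean login(String userId, String password) {
        credentials.setUserId(userId);
        credentials.setPassword(password);

        Identity.AuthenticationResult result = identity.login();

        return result == Identity.AuthenticationResult.SUCCESS && identity.isLoggedIn();
    }

    public void logout() {
        identity.logout();
    }

    // Fired by identity.login() on success; the account is already available on
    // the Identity bean, so record who logged in.
    public void onLoggedIn(@Observes LoggedInEvent event) {
        LOG.info("login succeeded for account " + identity.getAccount().getId());
    }

    // Fired on failure. Log the attempted user id and the reason, never the
    // password; repeated failures per user id are what a lockout policy keys on.
    public void onLoginFailed(@Observes LoginFailedEvent event) {
        LOG.warning("login failed for user '" + credentials.getUserId()
            + "': " + event.getLoginException().getMessage());
    }
}
```

The observers live in the same bean only for brevity; an application-scoped audit bean that observes the same events is the usual place for them.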
![Page 8: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/8.jpg)
Authentication Flow
![Page 9: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/9.jpg)
Identity Bean
● CDI Bean representing the authenticated user and acting as a central point for authentication, logout and permissioning
```java
private @Inject Identity identity;
```

● Authentication Scope. Defaults to Session Scope, but you can change that:

```java
builder.identity().scope(RequestScoped.class)
```

● Stateless can be used with REST to consume security tokens
● It may be exposed as a service
– Expose through Servlet, JAX-RS, JAX-WS, EJB ...
![Page 10: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/10.jpg)
Authenticator
● A CDI bean that understands one or more credential types and how to perform authentication
● By default, PicketLink uses an IdmAuthenticator
– Fully integrated with PicketLink IDM
● Write your own
● You can choose between different authenticators at runtime
![Page 11: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/11.jpg)
Authenticator Example
```java
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;

@RequestScoped
@PicketLink // marks this bean as the authenticator PicketLink should use
public class CustomAuthenticator extends BaseAuthenticator {

    @Inject
    private DefaultLoginCredentials credentials;

    @Override
    public void authenticate() {
        if (validCredentials()) {
            setStatus(AuthenticationStatus.SUCCESS);
            setAccount(loadAccount());
        } else {
            // fail closed: anything other than SUCCESS leaves the user unauthenticated
            setStatus(AuthenticationStatus.FAILURE);
        }
    }

    // validCredentials() and loadAccount() are application-specific and not shown on the slide
}
```
![Page 12: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/12.jpg)
Credentials
● Provides what you need to verify user authenticity
● Usually it defines which authentication mechanism is going to be used
● Built-in credential types
– Username/Password, TOTP, DIGEST, X509, TOKEN
● Token-based Credentials can be used to
– Produce and consume your own tokens
– Consume tokens from 3rd party Identity Providers. E.g.: SAML, OpenID, CAS
● You can always write your own credential types. Just remember to also provide the corresponding Authenticator.
![Page 13: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/13.jpg)
Credential Example
```java
import org.picketlink.idm.credential.AbstractBaseCredentials;

public class UsernamePasswordCredentials extends AbstractBaseCredentials {

    private String userName;
    private String password;

    // getters and setters

    // Credentials.invalidate() is called once the credentials have been
    // validated, so the secret does not linger in memory
    @Override
    public void invalidate() {
        this.password = null;
    }
}
```
![Page 14: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/14.jpg)
Http Security
● Useful for Web and RESTful applications
● Path-based protection
– Authentication
– Authorization
● URL Rewriting
– /demo-app/#{identity.account.id}
● Authentication Schemes
– FORM, DIGEST, BASIC, CLIENT-CERT, TOKEN
– Write Your Own

```java
builder.http()
    .allPaths()
        .authenticateWith()
            .form()
        .authorizeWith()
            .role("Administrator")
    .forPath("/logout")
        .logout();
```
![Page 15: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/15.jpg)
Multiple Authentication Paths
● Authenticate based on a specific path configuration
```java
builder.http()
    .forPath("/webpages/*")
        .authenticateWith()
            .form()
    .forPath("/rest/*")
        .withHeaders()
            .requestedWith("XMLHttpRequest")
        .authenticateWith()
            .token()
                .realmName("Ajax Requests Realm");
```
![Page 16: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/16.jpg)
Path Groups
● Common policies may be enforced on different paths

```java
String adminPathGroup = "Admin Resources";

builder.http()
    .forGroup(adminPathGroup)
        .authenticateWith()
            .form()
        .authorizeWith()
            .group("Administrators")
    .forPath("/admin/*", adminPathGroup);
```
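As an added example (not code from the slides or the PicketLink project), the observer below combines the three HTTP security slides into one policy: a default that requires authentication everywhere, explicitly unprotected static paths, an administrator path group, a token-authenticated REST path and a logout path. The paths, page names, group and realm names are assumptions, as is the `unprotected()` call, which is not shown on the slides:

```java
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;
import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// Added example, not from the slides: one HTTP security policy for a whole application.
@ApplicationScoped
public class HttpSecurityConfiguration {

    private static final String ADMIN_RESOURCES = "Admin Resources";

    public void onInit(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder.http()
            // Default policy first: every path requires a logged-in user.
            .allPaths()
                .authenticateWith()
                    .form()
                        .loginPage("/login.html")
                        .errorPage("/login-error.html")
            // The login pages and static assets must stay reachable, otherwise the
            // redirect to the login page loops; list them explicitly rather than
            // weakening the default.
            .forPath("/login.html").unprotected()
            .forPath("/login-error.html").unprotected()
            .forPath("/css/*").unprotected()
            // Path group: every path added to it inherits FORM authentication
            // plus the Administrators group requirement.
            .forGroup(ADMIN_RESOURCES)
                .authenticateWith()
                    .form()
                .authorizeWith()
                    .group("Administrators")
            .forPath("/admin/*", ADMIN_RESOURCES)
            .forPath("/admin/reports/*", ADMIN_RESOURCES)
            // AJAX calls to the REST API authenticate with a token instead of a form,
            // selected by the X-Requested-With header.
            .forPath("/rest/*")
                .withHeaders()
                    .requestedWith("XMLHttpRequest")
                .authenticateWith()
                    .token()
                        .realmName("Ajax Requests Realm")
            .forPath("/logout")
                .logout();
    }
}
```

Keeping `allPaths()` as the first rule means a path that was forgotten in the policy is still protected; the only way to open a path is to name it.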
![Page 17: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/17.jpg)
PicketLink Identity Management API
● What is it?
– Build Your Own Security Model
– Identity and Access Management API
– Built-In Identity Stores:
● LDAP, Relational Database, Filesystem, Token, Mixed
● Write Your Own
– Multi-tenancy
– Flexible Identity Model
![Page 18: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/18.jpg)
Identity Model Example
● Custom Identity Model Guide
– http://picketlink.org/gettingstarted/custom_idm_model/
● Common requirements for SaaS
– Realm
– User
– Application
– Global and Application Roles
– Global and Application Groups
![Page 19: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/19.jpg)
Basic Identity Model
● Out-of-the-box implementation for very simple use cases
● You are not forced to use it
● Helps you to quickly evaluate PL features
● In real world use cases, you would prefer writing your own Identity Model
![Page 20: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/20.jpg)
Example Code
```java
private @Inject IdentityManager identityManager;

public void addUser(String userName, String password) {
    User john = new User(userName);

    // add user
    identityManager.add(john);

    Password credential = new Password(password);

    // update credential
    identityManager.updateCredential(john, credential);
}
```

```java
private @Inject IdentityManager identityManager;

public void addRole(String roleName) {
    Role manager = new Role(roleName);

    // add role
    identityManager.add(manager);
}
```

```java
private @Inject RelationshipManager relationshipManager;

public void grantRole(User assignee, Role role) {
    Grant grant = new Grant(assignee, role);

    // create relationship, granting role to user
    relationshipManager.add(grant);
}
```
![Page 21: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/21.jpg)
```java
RelationshipQuery<Grant> query = relationshipManager.createRelationshipQuery(Grant.class);

query.setParameter(Grant.ASSIGNEE, assignee);
query.setParameter(Grant.ROLE, role);

boolean hasRole = !query.getResultList().isEmpty();
```
Authorization
● Annotation-based Authorization
– @LoggedIn
– @RolesAllowed
– @GroupsAllowed
– @PartitionsAllowed
– @RequiresPermission
– @Restrict
– Write Your Own
● Programmatic Authorization
– Using PicketLink IDM Query API
![Page 22: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/22.jpg)
Permissioning
● Privileges for application resources
– Assignee is allowed to perform operation on resource
● Provided by PicketLink IDM
– John has permission to read file.txt
– John has permission on classes of type
– John has permission on JPA Entity with identifier
● Identity Bean methods for permission checks
– boolean hasPermission(Object resource, String operation);
– boolean hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
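As an added example (not code from the slides or the PicketLink project) covering both the Authorization and the Permissioning slides, the bean below uses the annotations declaratively and the Identity bean and IDM helpers programmatically. It uses the basic identity model; the role name, the `"read"` operation and the `files/<name>` string used to identify a resource (the string form of "John has permission to read file.txt") are assumptions:

```java
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import org.picketlink.Identity;
import org.picketlink.authorization.annotations.LoggedIn;
import org.picketlink.authorization.annotations.RolesAllowed;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;

// Added example, not from the slides: declarative and programmatic
// authorization side by side.
@RequestScoped
public class FileService {

    @Inject private Identity identity;
    @Inject private IdentityManager identityManager;
    @Inject private RelationshipManager relationshipManager;
    @Inject private PartitionManager partitionManager;

    // Resources are identified by a string, like "file.txt" on the slide; the
    // prefix keeps file permissions apart from any other kind of resource.
    private static String resourceName(String fileName) {
        return "files/" + fileName;
    }

    // Declarative: PicketLink rejects unauthenticated callers before the body runs.
    // Programmatic, per resource: being logged in is not enough, the caller also
    // needs an explicit "read" grant on this particular file.
    @LoggedIn
    public String read(String fileName) {
        if (!identity.hasPermission(resourceName(fileName), "read")) {
            throw new SecurityException("no read permission on " + fileName);
        }
        return "contents of " + fileName; // stand-in for the real file access
    }

    // Declarative role check: the caller's account must hold a Grant for the
    // "Administrator" role (see grantRole() on the Example Code slide).
    @RolesAllowed("Administrator")
    public void share(String fileName, String loginName) {
        User grantee = BasicModel.getUser(identityManager, loginName);
        if (grantee == null) {
            throw new IllegalArgumentException("unknown user: " + loginName);
        }
        // Least privilege: grant one operation on one resource, not a role.
        partitionManager.createPermissionManager()
            .grantPermission(grantee, resourceName(fileName), "read");
    }

    // Programmatic role check for places an annotation does not fit, e.g. deciding
    // whether to render an admin link. Same question as the Grant query on the
    // Example Code slide, asked through the BasicModel helper.
    public boolean callerIsAdministrator() {
        Role admin = BasicModel.getRole(identityManager, "Administrator");
        return admin != null && identity.isLoggedIn()
            && BasicModel.hasRole(relationshipManager, identity.getAccount(), admin);
    }
}
```

The annotation checks run in a CDI interceptor, so they only apply to calls that go through the container proxy; a method calling `share()` from inside the same bean bypasses `@RolesAllowed`, which is why the programmatic checks matter for internal code paths.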
![Page 23: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/23.jpg)
PicketLink Forge Addon
● Useful to quickly configure a project with PicketLink
● Configures a JPA Identity Store
– Generate entities from your Identity Types
● Authentication
– Choose a method
● Project Templates
– Have an idea, help us!

```shell
$ picketlink-setup --version 2.7.0.Beta2
$ picketlink-setup --feature idm
$ picketlink-setup --feature http
$ picketlink-setup --feature idm --generateEntitiesFromIdentityModel
```
![Page 24: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/24.jpg)
PicketLink Quickstarts
● Over 30 example applications
● Useful to get started and understand most of PicketLink features
● Clone, import into your IDE, check out a tag and deploy

```shell
git clone git@github.com:jboss-developer/jboss-picketlink-quickstarts.git
git checkout v2.7.0.CR1
mvn clean package jboss-as:deploy
# or
mvn -Pwildfly clean package wildfly:deploy
```
![Page 25: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/25.jpg)
Thank You !
● Visit our site at http://picketlink.org
– You can find useful guides
– Access to documentation
● GitHub
– https://github.com/picketlink/
● Join us on the #picketlink IRC channel on Freenode
● Social
– @picketlink
– Google+ PicketLink Community
![Page 26: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/26.jpg)
![Page 27: Java EE Application Security With PicketLink](https://reader034.vdocuments.us/reader034/viewer/2022050920/5496587bac79592f2e8b50c2/html5/thumbnails/27.jpg)
Creating a Simple Application
● Using PicketLink Forge Addon
– FORM-based Authentication
– RBAC
– Protect Application Resources
– User and Role Management
● Simple application to focus only on the security bits