security as a service
TRANSCRIPT
![Page 2: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/2.jpg)
Agenda
• Java Security “Refresher”
• Introducing Oracle Platform Security Services (OPSS)
• Focus On Design-Time Security (ADF)
• Demo
• OPSS Use Cases
© 2009 Oracle Corporation 2
![Page 3: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/3.jpg)
The Java EE Security Toolbox
• Container Managed Security
  – Java EE Security
• Java Authentication and Authorization Service (JAAS)
![Page 4: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/4.jpg)
Container Managed Security
• Java EE security handled by the Java EE container
  – Declarative, portable, easy to use
  – Decouples security logic from application code
  – Implementation details hidden from the developer
• Authentication
  – Configured in the web.xml descriptor (login-config)
  – Basic, Form, Certificate, Digest
• Authorization
  – Role-based (auth-constraint)
  – Based on URL patterns (security-constraint)
  – SSL can be enforced per URL pattern (user-data-constraint / transport-guarantee)
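The three container-managed controls on this slide (login method, role-based auth-constraint, transport guarantee on a URL pattern) are all evaluated by the container from web.xml before any application code runs. The following is an added illustration, not Oracle, WebLogic or ADF code: a small model of that evaluation over a constructed web.xml. The role names (`staff`, `admin`) and URL patterns are assumptions; the pattern precedence follows the Servlet rules (exact match, then longest `/prefix/*`, then `*.ext`, then `/`), and constraints sharing the best pattern are combined as a container combines them.

```python
"""Container-managed security, modelled (added example, not Oracle code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed descriptor: two protected areas plus FORM login.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HR pages</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>staff</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""


@dataclass
class Constraint:
    patterns: list
    roles: set          # '*' means any authenticated user
    deny_all: bool      # empty <auth-constraint/>: nobody may access
    confidential: bool  # transport-guarantee CONFIDENTIAL or INTEGRAL


def parse_constraints(web_xml):
    """Read every <security-constraint> from a web.xml document."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")
        roles = {r.text.strip() for r in ac.findall("role-name")} if ac is not None else set()
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        constraints.append(Constraint(patterns, roles, ac is not None and not roles,
                                      guarantee in ("CONFIDENTIAL", "INTEGRAL")))
    return constraints


def pattern_rank(pattern, path):
    """Match quality of a url-pattern for a request path, or None if it does not match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    elif pattern == "/":
        return (0, 0)
    return None


def authorize(path, user_roles, secure, constraints):
    """Decide a request as the container would.

    user_roles is None for an unauthenticated request.  Returns one of
    ALLOW, REDIRECT_HTTPS, AUTH_REQUIRED, DENY.
    """
    best, matched = None, []
    for c in constraints:
        ranks = [r for r in (pattern_rank(p, path) for p in c.patterns) if r is not None]
        if not ranks:
            continue
        rank = max(ranks)
        if best is None or rank > best:
            best, matched = rank, [c]
        elif rank == best:
            matched.append(c)
    if not matched:
        return "ALLOW"                       # unconstrained resource
    # The transport guarantee is enforced before authentication, so the
    # login form and its password never cross the wire in clear text.
    if not secure and any(c.confidential for c in matched):
        return "REDIRECT_HTTPS"
    if any(c.deny_all for c in matched):
        return "DENY"
    roles = set().union(*(c.roles for c in matched))
    if not roles:
        return "ALLOW"                       # no auth-constraint: no login needed
    if user_roles is None:
        return "AUTH_REQUIRED"               # container triggers the FORM login
    if "*" in roles or roles & set(user_roles):
        return "ALLOW"
    return "DENY"


CONSTRAINTS = parse_constraints(WEB_XML)

if __name__ == "__main__":
    for req in [("/app/BrowseDepartments.jspx", ["staff"], True),
                ("/app/BrowseDepartments.jspx", ["staff"], False),
                ("/app/BrowseDepartments.jspx", None, True),
                ("/app/EditDepartment.jspx", ["staff"], True),
                ("/admin/users", ["staff"], True)]:
        print(req, "->", authorize(*req, CONSTRAINTS))
```

Two things are worth noticing when running it. The transport check comes before the role check, which is the order a real container uses so that credentials are never submitted over plain HTTP. And every page under `/app/*` gets the same decision for the same role: the container knows the URL, not whether the user is viewing or editing the department, which is exactly the granularity limit the next slide raises.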
![Page 5: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/5.jpg)
Limitations of Container Managed Security
Java EE declarative security is…
• Static within a deployed application
  – Policies cannot be changed dynamically
  – Constraints cannot be changed (static role mapping)
• Not very granular
  – Protects URL-addressable objects only
  – Does not allow different privileges against the same protected object
• Java EE roles are not hierarchical
  – Need extra groups to define “rollup” levels of enterprise roles
  – Not very granular
![Page 6: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/6.jpg)
Java Authentication and Authorization Service (JAAS)
• What JAAS is
  – Enables services to authenticate users and enforce access controls
  – Programmatic security model
  – Extends Java 2 Security
  – Role-based access control (RBAC)
• Authentication
  – Pluggable login modules, following the Pluggable Authentication Module (PAM) model
  – Propagates identity via session context
• Authorization
  – Grants access to resources and actions
  – Executes operations within the user’s context (Subject)
![Page 7: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/7.jpg)
JAAS Advantages
• Dynamic and evaluated in real time
  – Policies may be updated in the policy store and reflected in the application
• Secures the ability to perform a “fine-grained action” on the resource, rather than simple access to the URL
  – Policies are defined against an action in the policy store, not by the URL pattern
  – Supports granular privileges against the same object
• Allows for hierarchical policies
  – References enterprise roles directly from the Identity Management System
![Page 8: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/8.jpg)
Summary Of The Challenges To Be Addressed
• The security capabilities supported and defined by the Java EE standards are limited
• Too much security knowledge is required of application developers, who should primarily focus on business logic
• No consistent security experience across platforms and applications
• Third-party security frameworks are non-standard and non-portable, and don’t support the complete application lifecycle
• No support for large enterprise security deployments
• Lack of support for different types of development model, e.g., Java EE and Java SE
![Page 9: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/9.jpg)
Introducing OPSS
• OPSS provides enterprise product development teams, systems integrators, and independent software vendors with a security framework for Java SE and Java EE applications
  – Standards-based
  – Portable
  – Integrated
  – Enterprise-grade
• OPSS is an abstraction layer that insulates developers from security and identity management implementation details
  – With OPSS, developers don’t need to know the nitty-gritty of cryptographic key management or interfaces with user repositories and other identity management infrastructures
![Page 10: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/10.jpg)
OPSS in Oracle Fusion Middleware
[Architecture diagram: OPSS in Oracle Fusion Middleware]
• Clients and tools: Web Browser, Oracle JDeveloper, Oracle WLS Admin Console, Oracle Enterprise Manager
• Web Tier: Load Balancer, Oracle WebCache, Oracle HTTP Server
• Application Tier (on Oracle WebLogic Server): Applications, Oracle SOA Suite, Oracle WebCenter, Oracle Identity Mgt, all sitting on Oracle Platform Security Services
• Data Tier: LDAP, RDBMS
![Page 11: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/11.jpg)
OPSS Benefits
• Customers get what Oracle products get
  – OPSS is used as the security platform for Oracle Fusion Applications and Oracle Fusion Middleware components
• OPSS is enterprise ready
  – Stress tested to support enterprise deployments
  – Interoperability tested across different environments
  – Certified on WLS, will be certified on WAS and JBoss
  – Standards based
• Protect your investment
  – Pre-integrated with Oracle products and technologies
• Consistent security experience for developers and administrators
  – Same set of APIs and UI for all types of applications (in-house, third-party, Oracle Fusion)
• Support large enterprise deployments
  – Integration with Identity Management
• Enable legacy and third-party security provider integration
![Page 12: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/12.jpg)
OPSS’s Heritage
| Lineage | Release | Capabilities added |
|---|---|---|
| JAZN / JPS – Pre BEA | OAS 9.0.4, coupled w/ OC4J | JAAS-compatible implementation: AuthN login module, AuthZ, XML/OID providers |
| | OAS 10.1.2, coupled w/ OC4J | Added support for third-party LDAP directories |
| | OAS 10.1.3, coupled w/ OC4J (became known internally as “Security Provider”) | WNA, JSSO, User Role API, OAM integration (JAAS provider), web services security, JMX/MBeans |
| | 11gR1: portable Security Provider to OC4J, SOA, WebCenter, OWSM | Java2 Policy Provider, Application Role & Policy Mgmt, Credential Store, OSDT, Auditing Framework |
| CSS – BEA | WLS 10.3: portable security framework used by Oracle WLS, OES, OSB, etc. | SSPI to plug in custom security providers: Authentication, Identity Assertion, Authorization, Role Mapping, SSO |
| OPSS – Post BEA | 11gR1: OPSS = JPS + CSS; not coupled w/ the app. server; portable to third-party app. servers; used by Oracle WLS, OES, OSB, Oracle SOA, Oracle WebCenter, OWSM | Supports both JPS & WLS/CSS security; Java2 Policy Provider; Application Role & Policy Mgmt; Credential Store Framework; UserRole API; OSDT; Auditing Framework |
![Page 13: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/13.jpg)
[Diagram: OPSS functionality stack]
• Consumers: Oracle Fusion Middleware Components and Oracle Fusion Applications, across the Develop / Deploy / Manage lifecycle
• OPSS APIs: ATN (authentication), ATZ (authorization), CSF, UserRole, Policy Management, Cryptography (OSDT)
• OPSS Functionality: Identity Assertion, Role Mapping, Credentials Mapping, JEE Policy & Role Deployment, Custom SSPI Providers, Java2 & JAAS Policy Provider, Cert Lookup & Validation, Audit, SSO
• Oracle Virtual Directory virtualizes the Identity Store, Credential Store and Policy Store underneath
![Page 14: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/14.jpg)
Platform to Product
| Security Domain | OPSS Solution (Basic Features) | OPSS Product Solution (Advanced Features) |
|---|---|---|
| Identity Store | Embedded LDAP | OID |
| Policy Store | File – XML | OID |
| Credential Store | File – Oracle Wallet | OID |
| SSO | WLS SAML | Oracle Access Manager |
| Authorization | OPSS checkPermission | Oracle Entitlements Server |
![Page 15: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/15.jpg)
Oracle Products Using OPSS
| Product Name | What It Does | How It Uses OPSS |
|---|---|---|
| Oracle ADF / WebCenter | ADF is the framework used to develop WebCenter applications (portlets, etc.) | Authentication, JAAS authorization, application roles, anonymous and authenticated roles, policy store abstraction, policy management, Credential Store Framework |
| Oracle Web Services Manager (OWSM) | Provides SOA and web services security | Authentication, JAAS authorization, Credential Store Framework, keystore service, audit |
| Oracle SOA | Provides applications designed to deploy SOA environments (BPEL, ESB, etc.) | Authentication, authorization and audit |
| Oracle Service Bus (OSB) | Connects, mediates, and manages SOA composite interaction | Authentication, identity assertion, authorization, role mapping, credential mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration |
| Oracle Entitlements Server (OES) | Provides externalized fine-grained authorization | Authentication, identity assertion, authorization, role mapping, credential mapping, cert. lookup, audit |
| WebLogic Server (WLS) Container | Java EE server / container | Authentication, identity assertion, authorization, role mapping, credential mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration |
| Oracle Access Manager | Web access and single sign-on platform | Identity assertion and integration with WebLogic Server security |
![Page 16: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/16.jpg)
OPSS For Developers: ADF Security
• Oracle ADF (Application Development Framework) is a Java EE development framework
  – Oracle ADF simplifies and extends Java EE
• Oracle ADF is the development framework for Oracle products and applications
• Oracle ADF is best used with Oracle JDeveloper
![Page 17: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/17.jpg)
Oracle ADF 11g Architecture
[Architecture diagram: Oracle ADF 11g]
• View: JSP, JSF / ADF Faces, Office, Swing; clients are desktop browsers and mobile devices
• Controller: Struts, JSF / ADFc
• Model: ADFm (JSR 227)
• Business Services: Java, EJB, BAM, BPEL, ADF BC, BI, XML, Web Services, Portlet, TopLink, JMX, JCR
• Data Services: relational data, XML data, legacy data, packaged apps
• Metadata Services span all layers
![Page 18: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/18.jpg)
ADF‘s Java EE Runtime Environment
• Provides Java EE 5 services for applications
• Consumes Oracle Platform Security Services (OPSS)
• Handles authentication, authorization, logging and monitoring
• Pluggable authentication architecture
  – Authentication handled by JAAS Login Modules
  – Login Modules are exposed through Authentication Providers
![Page 19: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/19.jpg)
ADF Security
• Provides declarative protection for ADF applications
• Designed to simplify security in ADF applications
• Enforces Java EE authentication
  – Delegated to WebLogic Server Authentication Providers
  – Easy to configure via the ADF Security Wizard
• ADF bindings protected by JAAS-based authorization
  – Leverages EL to protect UI components
  – Security bubbles up from ADF Business Components
• Provides support for XML and LDAP providers
• Integrated with JDeveloper design time and WLS
![Page 20: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/20.jpg)
ADF Security: Authentication
[Diagram: ADF Security authentication flow]
• Users sking and ahunold are defined in Enterprise Identity Management; the sample URLs are /AdfSecurityPojoSample-ViewController-context-root/login.html and /app/BrowseDepartments.jspx
• WebLogic Server authenticates via OPSS (Authenticator; jazn-xml PAM)
• adfAuthentication servlet
  – Acts as a known “endpoint” for a standardized Login or Logout link
  – Is secured by a Java EE security constraint
  – Delegates logon to the Java EE container (OPSS)
  – Access granted to all valid users
  – Redirects to a specified page on successful login or logout
![Page 21: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/21.jpg)
ADF Security: Authorization
[Diagram: ADF Security authorization flow]
• Enterprise groups in the identity store: Administrator, Clerks, HR, Sales, Dev, Staff
• Users sking and ahunold request BrowseDepartments.jspx on WebLogic Server; the ADF Security Filter performs the authorization check by sending a JAAS AuthZ request to the Policy Store
• In her manager role, sking can see master and detail views; in his user role, ahunold can only see the master view
• Policy Store grant for the page:

```xml
<grant>
  <principal>
    <type>role</type>
    <name>manager</name>
  </principal>
  <permission>
    <name>BrowseDep</name>
    <actions>view</actions>
  </permission>
</grant>
```
![Page 22: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/22.jpg)
Application Roles, Enterprise Roles
• Application Roles
  – Roles defined in jazn-data.xml
  – ADF Security creates a “test-all” role
  – Permissions are granted to application roles
• Enterprise Roles
  – Groups of enterprise users
  – Mapped to application roles to grant privileges to user groups
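The JAAS Advantages slide (policies updated at run time, privileges per action on the same object, hierarchical roles), the grant on the authorization slide, and the application-role / enterprise-role mapping on this slide describe a single evaluation model, which the later Fine-Grained Authorization and ADF Authorization use cases reuse through checkPermission. The following is an added example that models that evaluation; it is not OPSS, ADF or WebLogic code. The policy document is constructed for the example in the simplified `<grant>` shape shown on the authorization slide, extended with an `<app-roles>` section so that application roles can be built from enterprise groups and from other application roles; it is not the real jazn-data.xml schema, and the group names (`HR`, `Dev`, `Clerks`, `Sales`) and resource names are assumptions.

```python
"""Policy-store-driven authorization, modelled (added example, not OPSS code)."""
import xml.etree.ElementTree as ET

# Constructed policy.  'authenticated-role' and 'anonymous-role' are
# built-in roles held by every logged-in or anonymous caller respectively.
POLICY_XML = """<policy>
  <app-roles>
    <app-role name="staff">
      <member type="group">Clerks</member>
      <member type="group">Dev</member>
      <member type="role">manager</member>
    </app-role>
    <app-role name="manager">
      <member type="group">HR</member>
    </app-role>
  </app-roles>
  <grant>
    <principal><type>role</type><name>authenticated-role</name></principal>
    <permission><name>Home</name><actions>view</actions></permission>
  </grant>
  <grant>
    <principal><type>role</type><name>staff</name></principal>
    <permission><name>BrowseDep</name><actions>view</actions></permission>
  </grant>
  <grant>
    <principal><type>role</type><name>manager</name></principal>
    <permission><name>BrowseDep</name><actions>view,edit</actions></permission>
    <permission><name>BrowseDepDetail</name><actions>view</actions></permission>
    <permission><name>Report.*</name><actions>view</actions></permission>
  </grant>
</policy>"""


class PolicyStore:
    """In-memory policy store with checkPermission-style evaluation."""

    def __init__(self, xml_text):
        self.reload(xml_text)

    def reload(self, xml_text):
        """Re-read the policy: application code is untouched, only the policy changes."""
        root = ET.fromstring(xml_text)
        self.members = {
            r.get("name"): [(m.get("type"), m.text.strip()) for m in r.findall("member")]
            for r in root.findall("app-roles/app-role")
        }
        self.grants = []                      # (app role, resource name, actions)
        for g in root.findall("grant"):
            role = g.findtext("principal/name").strip()
            for p in g.findall("permission"):
                actions = frozenset(a.strip() for a in p.findtext("actions").split(","))
                self.grants.append((role, p.findtext("name").strip(), actions))

    def app_roles_for(self, groups):
        """Resolve enterprise groups to application roles, transitively.

        groups is None for an anonymous caller.  A role is held when one of its
        members is a group the caller belongs to or a role the caller already
        holds, so 'manager is a member of staff' makes every manager staff too.
        """
        if groups is None:
            return {"anonymous-role"}
        groups, held = set(groups), {"authenticated-role"}
        changed = True
        while changed:                        # fixed point over the membership graph
            changed = False
            for role, members in self.members.items():
                if role in held:
                    continue
                if any((t == "group" and n in groups) or (t == "role" and n in held)
                       for t, n in members):
                    held.add(role)
                    changed = True
        return held

    def check_permission(self, groups, resource, action):
        """True if some held role is granted `action` on `resource`.

        Names match exactly or by a trailing '*' wildcard, in the spirit of
        java.security.BasicPermission; actions are checked individually.
        """
        held = self.app_roles_for(groups)
        for role, name, actions in self.grants:
            if role not in held or action not in actions:
                continue
            if name == resource or (name.endswith("*") and resource.startswith(name[:-1])):
                return True
        return False


if __name__ == "__main__":
    store = PolicyStore(POLICY_XML)
    for groups, res, act in [(["HR"], "BrowseDep", "edit"), (["Dev"], "BrowseDep", "edit"),
                             (["Dev"], "BrowseDep", "view"), (None, "Home", "view")]:
        print(groups, res, act, "->", store.check_permission(groups, res, act))
```

Read against the slides: the same resource `BrowseDep` carries different privileges for different roles (view for staff, view and edit for manager), which a URL-pattern constraint cannot express; enterprise groups reach application roles only through the membership section, so moving a user between groups or editing the membership and calling `reload` changes decisions without touching application code; and the built-in authenticated and anonymous roles give the page's "access granted to all valid users" behaviour a home in the policy rather than in code.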
![Page 23: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/23.jpg)
Demo
![Page 24: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/24.jpg)
OPSS Use Cases
![Page 25: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/25.jpg)
Use Case: WLS Application Using OPSS
• Traditional Java EE security enhanced with
  – JpsAuth.checkPermission API for authorization
  – User and Role API to query attributes stored in LDAP (or other back ends)
  – Use of CSF to secure credentials
![Page 26: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/26.jpg)
Use Case: Container Authentication
• Java EE application configures the authentication method in web.xml
• Application uses container-managed authentication
![Page 27: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/27.jpg)
Use Case: Programmatic Authentication
• Java EE application needs to programmatically authenticate or assert identity, e.g., take a username / password or a security token and authenticate programmatically
• Application provides a username and password to programmatically authenticate
• Application requires a portable API
• Application provides a security token for identity assertion (authenticate without a password)
• Identity assertion is protected by a code source permission
• Subject Security API to run a task as another user
[Diagram: Application → Login Service → Authenticator → LDAP Identity Store; audit records are generated into the Audit Store; authenticators are configured in the WLS Admin Console]
![Page 28: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/28.jpg)
Use Case: Fine-Grained Authorization
• Application requires a portable API
• Authorization decisions can be audited
• Application calls JpsAuth.checkPermission
• Can support custom authorization logic with custom permissions
![Page 29: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/29.jpg)
Use Case: Credential Store Framework (CSF)
• Application needs to store / access external system credentials
• Credentials (username / password, symmetric keys) stored securely
• Out of the box, the credential store is a file (Oracle Wallet); LDAP is supported
• Application uses CSF APIs to access credentials
• Credentials are managed using Oracle EM or WLST
• Credential Store operations (read, write, access, etc.) can be audited
![Page 30: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/30.jpg)
Use Case: User and Role API
• Application needs to do a search in the identity store, e.g., search for all users in “EMEA” or access the email address of all users in a certain role
• User attributes stored in embedded LDAP or another configured LDAP Authenticator
• The same API works irrespective of where user attributes are stored
• App uses User and Role (UR) APIs to access user attributes
[Diagram: Application → User and Role API → UR Provider → Identity Store Authenticator, configured in the WLS Admin Console]
![Page 31: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/31.jpg)
Use Case: Audit
• Java EE application needs to audit security-sensitive operations such as authentication, authorization, credential access
• Application uses Java EE container-based authentication (WLS Authenticator)
• WLS audits authentication and Java EE authorization
• If the application uses OPSS, it gets checkPermission authorization and credential operations audited (OPSS audit API not exposed to applications)
[Diagram: two paths into the Audit Store. With container-based authentication / authorization, the WLS security audit is generated and configured from the WLS Admin Console. With OPSS-based authentication / authorization, the application generates audit records that are configured in Oracle EM Fusion Middleware Control and viewed through BI Publisher]
![Page 32: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/32.jpg)
Use Case: Java SE Application
• Java SE application using
  – LoginService API for authentication
  – checkPermission for authorization
  – User and Role API to query attributes stored in LDAP (or other back ends)
  – Credential Store to secure credentials
[Diagram: Java SE application (LoginService API, checkPermission, UserRole API, Credential Store Framework) authenticates against an LDAP Identity Store and performs permission checks and credential access against an LDAP Policy Store]
![Page 33: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/33.jpg)
Use Case: ADF Development
• Developer creates an ADF application using JDeveloper and applies wizard-based ADF security
• Application’s users and groups, authorization policy, and credentials are copied by JDeveloper to the WLS embedded in JDeveloper
• Developer creates the application’s EAR file, which contains policy and credentials
• Deployer / Administrator deploys the EAR to a remote WLS using Oracle EM
[Diagram: the ADF application (users/groups, policy, credential) in JDeveloper is auto-deployed to the Integrated WLS and its file-based policy & credential store; JDeveloper generates the EAR, and Oracle EM Fusion Middleware Control deploys it to the remote WLS, moving policy & credentials into the domain policy & credential store]
![Page 34: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/34.jpg)
Use Case: ADF Authorization
• ADF application needs to use fine-grained authorization in a portable fashion while using Java EE container-based authentication
• JDeveloper ADF security wizard creates the required security configuration
• ADF filter calls JpsAuth.checkPermission
• Can support custom authorization logic with custom permissions
[Diagram: the ADF Filter in the application calls checkPermission on the Policy Provider, which is backed by the Policy Store and managed through MBeans, WLST and Oracle EM Fusion Middleware Control; decisions generate audit records in the Audit Store]
![Page 35: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/35.jpg)
Use Case: Test to Production
• Administrator tests the application in the Staging environment; the application’s security policy and credentials need to be migrated to the Production environment
• Administrator redeploys the application into the Production environment
• Administrator runs the migrateSecurityStore WLST offline command in the Production environment, which copies policy and credential data from the Staging store to the Production store
[Diagram: WLST migrateSecurityStore copies the Staging policy & credential store into the Production policy & credential store]
![Page 36: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/36.jpg)
Use Case: SSO with OAM
• Administrator wants to configure multiple WLS domains to participate in SSO
• Administrator configures OAM and WLS integration using SSPI
• OAM SSPI agent extracts the security token and validates it using the WLS identity asserter
![Page 37: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/37.jpg)
OPSS Summary
• OPSS provides
  – A suite of application-centric security frameworks
  – Abstraction APIs and implementations of basic features
  – Lightweight Identity Management infrastructure
    • Allows customers to build and deploy small to mid-size applications
  – Plug-in interface to Identity Management systems
    • Applications built against OPSS can be plugged into a centrally deployed Identity Management system
    • Allows customers to scale their applications by switching to a centrally deployed Identity Management system
    • No code changes required in the application when switching from one Identity Management system to another
![Page 38: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/38.jpg)
![Page 39: Security As A Service](https://reader033.vdocuments.us/reader033/viewer/2022052823/5558767ed8b42aaa7e8b5490/html5/thumbnails/39.jpg)
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.