WebSphere Portal v6.1 Security Overview
TRANSCRIPT
© 2008 IBM
IBM WebSphere Portal Security Overview
Stefan Schmitt, WebSphere Portal Security Architect
WebSphere Portal Technical Conference Europe 2008
Agenda
Part I: Introduction
Part II: Authentication and User Identity
- Authentication
- PUMA and VMM
- RememberMe and StepUp
- WAS Group Assertion
- Virtual Portal Security
- SSO – Credential Vault
Part III: Authorization and Security Infrastructure
- Portal Access Control & Membership
- WSRP Security
- Java 2 Platform Security
- Miscellaneous
Summary
Part I: Portal Security Introduction
WebSphere Portal (WP) Security is based on WebSphere Application Server (WAS) security.
WP Security leverages from WAS:
- J2EE Security
- Web Single Sign-On (JAAS / TAI / LTPA)
- Java 2 Security
- Java Connector Architecture
- SSL / TLS support
- IBM JCE / JSSE libraries
WP Security provides additional features in the areas:
- Authorization
- Authentication customization
- User profile and group management
- Back-end Single Sign-On (Credential Vault)
- Security audit
Portal Setup with Authentication Proxy
Part II: Authentication and User Identities
Portal Authentication
Authentication
WP is a custom Form Login application to WAS and relies on WAS to:
- intercept requests to the protected portal area
- do the authentication and provide the security context
- Global Security in WAS is active
Portal picks up whatever user identity has been established by WAS. All WAS authentication customization options therefore also apply to portal: Authentication Proxies and Trust Association Interceptors (e.g. TAM / WebSEAL), custom JAAS Login Modules.
Portal supports public code plug points for intercepting the portal login and session validation flow.
Portal and WAS Authentication “flow” (since version 6.1.x)
[Diagram, shown twice on consecutive slides: Login via UI, XMLAccess or Scripting is submitted to the Portal login handler. The login handler calls WAS Security (JAAS Login, Portal_LTPA); WAS, following its User Registry configuration (e.g. via admin console), performs search and “bind” (validate id/pw) against the LDAP and fetches the DN and group memberships, answering “ID/PW okay?” and establishing the WAS SecurityContext. The Portal then retrieves the user through VMM: fetch attributes by DN (user profile) and fetch nested group memberships; this lookup is independent of the WAS lookup but based on the DN from WAS. The second version of the diagram adds the Login Filter Chain Plug Point inside the login handler: Explicit Login Filter 1 ... Explicit Login Filter N.]
End user identity flow from TAI to WAS to WP
- User identity must be “mappable” from the front end security and TAI (if present) to WAS and WP
- Path of least resistance: front end/TAI, WAS, and WP should all use the same user registry
- It is possible to map between different registries for the front end vs. WAS/WP; this is complex and leads to hard-to-debug problems
- A TAI can assert a security short name that WAS will “look up” using search; a TAI++ can set the end user identity, bypassing the lookup
  • Portal still needs to be able to look up profile info for that user
- Except in VERY rare circumstances, WAS and WP should always use the same user registry
- Portal lookup is based on the “DN” from WAS
Portal and External Security (authentication)
- Anything “in front of” WAS that does the authentication
- The login dialog is conducted by the front end security
- It may use Portal to serve up the login page, but Portal no longer handles the login form submission
- The front end asserts the already-authenticated end user identity to WAS
- Trust Association Interceptor (TAI) architecture; TAM has other options (LTPA junctions)
- TAI is a WAS feature, not a Portal feature; it is documented in the WAS InfoCenter
- Portal has no idea about the presence or absence of a TAI, or how WAS gets the user identity
- IBM only provides one (1) TAI, the one for TAM/WebSEAL. ALL OTHER SECURITY VENDORS MUST PROVIDE THEIR OWN TAI.
Portal and WAS and TAI Authentication “flow”
[Diagram, shown twice on consecutive slides: The Security Front-end conducts the login dialog; all id/pw validation is done by the front end. The TAI asserts the identity to WAS Security, which, following its User Registry configuration (e.g. via admin console), searches the LDAP, fetches the DN and group memberships and establishes the WAS SecurityContext. Once the WAS lookup is okay, Portal and VMM fetch attributes by DN (user profile) and fetch nested group memberships, independent of the WAS lookup but based on the DN from WAS (from the TAI). The second version of the diagram adds the Implicit Login Filter Chain Plug Point: Implicit Login Filter 1 ... Implicit Login Filter N.]
Variation: New Federated Security Option in WAS 6.1
- VMM can be used as the Security Provider in WebSphere Application Server (Federated)
- Fully integrated in the WebSphere Admin Console
- Replaces the former WMM-UR option
Portal and WAS Authentication “flow” (VMM configured in WAS)
[Diagram, shown twice on consecutive slides: Login via UI, XMLAccess or Scripting is submitted to the Portal login handler, which calls the WAS Security API (JAAS). WAS Security uses the VMM configuration in WAS (in place of WMMUR) to search and “bind” (validate id/pw) against the LDAP(s) and to fetch the DN and group memberships (“ID/PW okay?”). The Portal login handler then retrieves the user via VMM: fetch attributes by DN (user profile) and fetch nested group memberships, independent of the WAS lookup but based on the DN from WAS. With federated security VMM spans several LDAPs. The second version of the diagram adds the Login Filter Chain Plug Point: Explicit Login Filter 1 ... Explicit Login Filter N.]
New Portal Login and Session Validation Filter API
Filter chains for:
- Explicit Portal Login (i.e. login is triggered by Portal)
- Implicit Portal Login (i.e. authentication has been performed by an external authentication provider)
- Explicit Portal Logout
- Session Validation (to validate individual (authenticated) portal requests)
- Session Validation Timeout handling (for custom session time out handling)
Custom filter implementations can be plugged in by adding the corresponding properties to AuthenticationService.properties
New Portal Login and Session Validation Filter API (continued)
[Slides 18 to 21 show the filter API in detail; listings not captured in the transcript.]
FilterChainContext can be used to pass parameters between filters and to specify redirect URLs
HTTP Basic Auth TAI
Can be used to send an HTTP Basic Auth challenge for specific URLs and/or User Agents
Portal AJAX Proxy
[Diagram: the Browser loads an HTML page from the Domain A server; an AJAX portlet on that page issues an HTTP GET to Domain A directly and an HTTP GET to the Domain B server through the Portal AJAX Proxy, which keeps a list of trusted sites.]
Today's browsers prevent asynchronous requests to foreign domains for security reasons.
Example: your portlet is served from www.mycompany.com but your AJAX application tries to load a feed from cnn.com. This would be blocked by the browser.
AJAX Proxy Server: Security Challenge
[Diagram: Dieter‘s Travel Mashup document in your portal (WAS with the AJAX Proxy) pulls content from a Car Rental Site, a Travel Agency Site and a Weather Service Site; cross domain AJAX requests are restricted through the browser security model.]
... an unsecured AJAX Proxy would expose me to danger ...
Mash-up Security Risk
[Diagram: your portal serving Dieter‘s Travel Mashup document with content from the Car Rental Site, the Travel Agency Site and the Weather Service Site; a credit card number (credit#) entered in the travel agency part is in the mashup DOM.]
- The Weather site is hacked or malicious
- Markup provided by the Weather site can serve active content at will, e.g. steal cookies / security tokens, or all information from the Mashup DOM (e.g. credit card info entered in a field in the travel agency site)
- 3rd party content is now served from your portal: copyright issues (Weather service serves stolen weather data), infected data (e.g. containing a virus), illegal data (e.g. offensive content)
- Same issue with: malicious ATOM feeds, including a portlet via WSRP, client side mash-up via AJAX
Portal AJAX Proxy Server guards my credit card number
[Diagram: the AJAX Proxy in WAS sits between your portal (Dieter‘s Travel Mashup document) and the Car Rental Site, Travel Agency Site and Weather Service Site; requests pass an admin controlled Security Policy.]
Security Policy:
- Filtering based on URL, HTTP action, mime-type, requesting user
- Maintained by the Security Administrator
The Weather Site is not on the trusted server list (admin controlled)
AJAX Proxy Configuration
- The AJAX proxy security policy is specified in XML
- Request filtering based on URL, HTTP action, mime-type, requesting user
- Cookie forwarding can be enabled
- Planned for future version: Active Content Filtering enforcement
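The filtering the slides describe, as an added example that is not IBM's proxy code: a default-deny evaluator over the same four criteria (URL, HTTP action, mime-type, requesting user) plus the cookie-forwarding switch. The rule fields, the matching logic and the sample policy are constructed here and do not follow the real proxy-config.xml schema.

```python
# Added example (not IBM's proxy code): a default-deny request filter of the
# kind the slides describe for the Portal AJAX proxy. The rule fields, the
# matching logic and the sample policy are constructed here; they mirror the
# slide's criteria (URL, HTTP action, mime-type, requesting user, cookie
# forwarding), not the real proxy-config.xml schema.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProxyRule:
    url: str                                  # glob over scheme://host/path
    actions: frozenset = frozenset({"GET"})   # allowed HTTP methods
    mime_types: frozenset = frozenset()       # allowed response types; empty = any
    users: frozenset = frozenset()            # allowed requesting users; empty = any
    forward_cookies: bool = False             # off unless explicitly enabled


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    forward_cookies: bool = False


# Constructed sample policy: only the travel agency and car rental sites are
# trusted; the weather site is deliberately absent, matching the slide's
# "not on the trusted server list" scenario.
SAMPLE_POLICY = (
    ProxyRule("https://travel.example.com/api/*", frozenset({"GET", "POST"}),
              frozenset({"application/json"}), frozenset({"dieter"}), True),
    ProxyRule("https://cars.example.com/*", frozenset({"GET"}),
              frozenset({"application/atom+xml", "application/json"})),
)


def url_matches(pattern: str, url: str) -> bool:
    """Compare scheme, host and path separately, so a trusted host name hidden
    in the path, query or userinfo of an untrusted URL cannot satisfy a rule."""
    p, u = urlparse(pattern), urlparse(url)
    if u.username or u.password:
        return False
    return (u.scheme == p.scheme
            and fnmatch(u.hostname or "", p.hostname or "")
            and fnmatch(u.path or "/", p.path or "/"))


def evaluate(policy, url: str, method: str, user: str,
             response_mime: Optional[str] = None) -> Decision:
    """Default deny. The first rule whose URL pattern matches decides; it must
    also allow the HTTP action, the requesting user and, once the upstream has
    answered, the response mime-type (checked before the body is relayed)."""
    for rule in policy:
        if not url_matches(rule.url, url):
            continue
        if method.upper() not in rule.actions:
            return Decision(False, f"action {method} not allowed for {rule.url}")
        if rule.users and user not in rule.users:
            return Decision(False, f"user {user} not allowed for {rule.url}")
        if response_mime is not None and rule.mime_types:
            base = response_mime.split(";")[0].strip().lower()
            if base not in rule.mime_types:
                return Decision(False, f"mime-type {base} not allowed for {rule.url}")
        return Decision(True, f"allowed by rule {rule.url}", rule.forward_cookies)
    return Decision(False, "no rule matches: target is not on the trusted server list")


if __name__ == "__main__":
    for target in ("https://weather.example.com/feed", "https://cars.example.com/list"):
        print(target, evaluate(SAMPLE_POLICY, target, "GET", "dieter", "application/json"))
```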
AJAX Proxy: sample policy
[Slide shows a sample XML policy; listing not captured in the transcript.]
PUMA and VMM
PUMA and VMM
Now two public APIs: PUMA within Portal, VMM within WAS
What is VMM?
- Virtual Member Manager supersedes WMM
- Fully integrated in WebSphere Application Server
Why PUMA?
- Fine grained access control on users and groups
- Portal virtual principals (Anonymous, All Authenticated, ...)
- VP and realm awareness
- REST API
User Registry Integration – From WMM to VMM
[Diagram (before 6.1): Portal uses PUMA (public since v5101) on top of WMM; WMM connects to LDAP, LDAP + DB, or DB. WAS uses its own UR and reaches WMM through a URAdaptor, a non-public plug-point used with AECI.]
VMM Integration in WP V6.1
[Diagram: Portal uses the PUMA SPI (public since v5101) and the REST API on top of VMM; WAS Security (federated) reaches VMM through a URAdaptor; VMM connects to LDAP (one or more), DB or custom repositories; the VMM plug-point is public.]
Multiple LDAP support (since 6.0)
- Requires Federated Security
- VMM can dispatch calls to multiple user registries
- Realms can point to a (subset of a) specific user registry or to (subsets of) multiple user registries
- User IDs need to be unique across all registries
[Diagram: a Portal Server with VMM serving the realms “portal” (Acme), “customer” and “supplier”, backed by the LDAP for ACME, the LDAP for Customer and the LDAP for Supplier.]
External Id (extId) Mapping in VMM
- Starting with WP 6.0, roles are no longer tied to the DN of the user but to another unique ID (ExtID)
- The VMM ExtID is an opaque, unique, static, and never-to-be-reused attribute of each user and group
- The Portal administrator can map the VMM ExtID to an attribute of his choice (e.g. objectGUID, DN, email address, …)
- Portal default configuration: Portal by default uses the standard unique id defined by the common LDAP vendors. All supported LDAP vendors have such an attribute (e.g. objectGUID for MSAD)
- ExtID changes are now possible through the XMLAccess Extended Cleanup User task to rebind uniqueIds
New in 6.1: User Profile REST Service
- Provides ATOM feeds for: defined user/group attributes, user/group profiles, user/group searches, group membership
- Supports CRUD operations through the ATOM Publishing Protocol (APP): create user/group, delete user/group, update user/group profile, add user to group, remove user from group
- Supports virtual portal realms
Sample: Feed of defined user attributes
http://<portal_host>:<portal port>/<portal context root>/um/secure/attributes/users
Sample: User search result feed
http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles?searchAttributes=uid%3DA*
Sample: User profile
http://<portal_host>:<portal port>/<portal context root>/um/secure/users/profiles/<user id>
Group Assertion
New in 6.1: Reuse Group information from WebSphere (aka. Group Assertion)
- The WebSphere TAI++ plug-in allows an external security manager to assert the user’s group membership information to the WAS Security runtime
- The same thing can be done using custom JAAS login modules
- Portal 6.1 can be configured to use the asserted group information for access control checks instead of always retrieving group information from VMM
- Consistent group-based authorization throughout the whole WAS security domain
Reuse Group information from WebSphere (aka. Group Assertion)
[Diagram: an Authentication Proxy (WebSEAL, SiteMinder) gets the user id and group membership from LDAP and asserts them into WAS Security via TAI / JAAS; WP retrieves user/group profile information from VMM (but no group membership), so the separate “VMM retrieve groups” step is marked with a question mark.]
StepUp Authentication and Remember Me
StepUp and RememberMe
RememberMe Cookie
- A persistent cookie allows the portal to recognize the user without login
  • Portal can show a personalized welcome page
- If RememberMe support is activated, the portal login portlet shows a checkbox for setting the cookie
- If the cookie is present, the portal treats the user as „identified“ but not yet „authenticated“
  • The user can only see resources available for the anonymous user
- Access to protected resources requires the user to authenticate.
StepUp Software Framework
- Enables you to plug in custom code for enforcing additional authentication levels for specific resources
  • E.g. enforce SSL for specific services, or client side certificates, …
- Available for Pages and Portlets
Administration
- The required authentication strength can be managed using the Resource Permission Portlet and XmlAccess
My Bookmarks page recognizes the remember-me cookie of an unauthenticated user
- The remember-me cookie can be configured (in RememberMeConfigService.properties) to establish a WAS security context, or not
- Portal access control is agnostic of the current authentication level
Example URL: wps/portal/mybookmarks
Remember-me cookie can be configured to create a WAS security context
- Access control is then enforced based on the remembered user identity
Example URL: wps/myportal/mybookmarks
Custom Authentication Level Sample
[Screenshots 1 to 3: (1) a custom authentication level is assigned to the “Feeds” page, (2) the custom authentication challenge, (3) the page is served on successful authentication only.]
StepUp and RememberMe Admin
Define authentication levels on portlets and pages via the Resource Permission portlet or via XMLAccess
[Screenshots, annotated “your auth level appears here ...”]
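The identified-versus-authenticated distinction and the per-resource authentication levels from the RememberMe and StepUp slides above, as an added example that is not IBM's RememberMe/StepUp code. The level ordering, the session and resource shapes, the cookie table and the sample pages are constructed; the create_security_context flag stands in for the RememberMeConfigService.properties setting the slides mention.

```python
# Added example (not IBM's RememberMe/StepUp code): a model of the
# "identified vs. authenticated" distinction and of per-resource authentication
# levels from the StepUp and RememberMe slides. The level ordering, session
# fields, cookie table and sample resources are constructed for this example;
# the create_security_context flag stands in for the RememberMeConfigService
# setting the slides mention.
from dataclasses import dataclass
from typing import Optional

# Authentication strength, low to high: anonymous < identified (remember-me
# cookie only) < standard (form login) < custom step-up levels (constructed).
LEVELS = {"anonymous": 0, "identified": 1, "standard": 2, "ssl": 3, "certificate": 4}

# Constructed: remember-me cookie value -> user it was issued to.
COOKIE_TO_USER = {"rm-7f3a": "bob"}


@dataclass
class Session:
    user: Optional[str] = None          # None = anonymous user
    level: str = "anonymous"
    remember_me_cookie: Optional[str] = None


@dataclass(frozen=True)
class Resource:
    """A page or portlet; required_level is what the admin sets via the
    Resource Permission portlet or XMLAccess, viewers is its access control."""
    name: str
    required_level: str
    viewers: frozenset               # principals allowed to view; "anonymous" = public


def recognize(session: Session) -> Session:
    """A valid remember-me cookie makes the user identified, not authenticated."""
    user = COOKIE_TO_USER.get(session.remember_me_cookie or "")
    if user and session.level == "anonymous":
        session.user, session.level = user, "identified"
    return session


def login(session: Session, user: str, level: str = "standard") -> Session:
    """Explicit login or a successful step-up challenge; never lowers the level."""
    if LEVELS[level] > LEVELS[session.level]:
        session.user, session.level = user, level
    return session


def access_principal(session: Session, create_security_context: bool) -> str:
    """Who access control sees. Without a WAS security context an identified
    user is still 'anonymous' for access control purposes (access control is
    agnostic of the authentication level); with one, the remembered identity counts."""
    if session.level == "identified" and not create_security_context:
        return "anonymous"
    return session.user or "anonymous"


def decide(session: Session, res: Resource, create_security_context: bool = False) -> str:
    """Returns 'serve', 'login' (authentication needed first), 'stepup:<level>'
    (authenticated, but a stronger level is required) or 'deny'."""
    principal = access_principal(session, create_security_context)
    weak = LEVELS[session.level] <= LEVELS["identified"]
    if "anonymous" not in res.viewers and principal not in res.viewers:
        return "login" if weak else "deny"
    if LEVELS[session.level] < LEVELS[res.required_level]:
        return "login" if weak else f"stepup:{res.required_level}"
    return "serve"


# Constructed sample resources: a public welcome page, the My Bookmarks page
# and a "Feeds" page carrying a custom (SSL) authentication level.
WELCOME = Resource("welcome", "anonymous", frozenset({"anonymous"}))
BOOKMARKS = Resource("mybookmarks", "identified", frozenset({"bob"}))
FEEDS = Resource("feeds", "ssl", frozenset({"bob"}))
```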
StepUp and RememberMe Framework
[Slides 48 to 51 show the framework and its configuration; content not captured in the transcript.]
Virtual Portal Security
Virtual Portals
- A virtual portal is a “separate” portal within a portal
- Separate base URL, separate anonymous pages and login facility
- Some portal resources are scoped to individual VPs (e.g. Pages)
- Each individual virtual portal can be assigned a specific VMM realm
[Diagram: the URL mappings www.ibm.com/wps/portal/green, www.ibm.com/wps/portal/blue and www.ibm.com/wps/portal/yellow lead to the root pages of Virtual Portal 1, 2 and 3, which are assigned realm green, realm blue and realm yellow.]
VMM Realm-based Virtual Portal Security
- Each virtual portal is assigned a VMM user realm
- The realm defines a subset of the entries in the user registries
- Portal only allows members of the associated realm to access resources within the corresponding VP (e.g. Pages)
- Multiple realm support requires Federated Security
- From a WAS perspective there is SSO between all VPs
- Authenticated users get redirected to the VP-specific login page if they try to access a VP from outside the associated realm (i.e. if they are not part of the realm associated to that VP)
URL-prefix based Virtual Portal Security
- Each virtual portal can be assigned a unique URL prefix (e.g. “/wps/portal/yellow”)
- Portal can be configured to guarantee that pages contained in a specific VP can only be accessed by URLs that contain the corresponding VP URL prefix
- Those URLs can be used to do URL pattern based access control in reverse proxy servers (e.g. TAM/WebSEAL). Remark: this allows e.g. to leverage TAM POPs for VP specific pages
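The two virtual portal checks above (realm membership and URL prefix) applied to one request, as an added example that is not IBM's virtual portal code. The VP table, the realm membership data, the page-to-VP scoping and the result strings are constructed for this example; enforce_prefix models the optional prefix guarantee.

```python
# Added example (not IBM's virtual portal code): the realm-based and
# URL-prefix-based checks described on the Virtual Portal Security slides,
# applied to one request. The VP table, realm membership, page-to-VP scoping
# and the result strings are constructed for this example.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VirtualPortal:
    name: str
    url_prefix: str   # unique URL prefix, e.g. "/wps/portal/yellow"
    realm: str        # VMM realm assigned to this VP
    login_url: str    # VP-specific login page


# Constructed configuration mirroring the green/blue/yellow example.
VPS = (
    VirtualPortal("green", "/wps/portal/green", "green", "/wps/portal/green/login"),
    VirtualPortal("blue", "/wps/portal/blue", "blue", "/wps/portal/blue/login"),
    VirtualPortal("yellow", "/wps/portal/yellow", "yellow", "/wps/portal/yellow/login"),
)

# VMM realm -> subset of registry entries (user ids are unique across registries).
REALMS = {"green": {"alice", "bob"}, "blue": {"carol"}, "yellow": {"bob"}}

# Pages are VP-scoped resources: page id -> owning VP; public pages are the
# VP's own anonymous pages.
PAGE_VP = {"g-home": "green", "g-intranet": "green", "b-home": "blue", "y-reports": "yellow"}
PUBLIC_PAGES = {"g-home", "b-home"}


def resolve_vp(path: str) -> Optional[VirtualPortal]:
    """Select the VP by URL prefix; boundary-checked so that
    /wps/portal/greenhouse does not select the green VP."""
    best = None
    for vp in VPS:
        if path == vp.url_prefix or path.startswith(vp.url_prefix + "/"):
            if best is None or len(vp.url_prefix) > len(best.url_prefix):
                best = vp
    return best


def authorize(path: str, page: str, user: Optional[str],
              enforce_prefix: bool = True) -> str:
    """Returns 'serve', 'redirect:<VP login url>' or 'deny'.
    enforce_prefix models the optional guarantee that a VP's pages are only
    reachable through URLs carrying that VP's prefix."""
    vp = resolve_vp(path)
    if vp is None or page not in PAGE_VP:
        return "deny"
    if enforce_prefix and PAGE_VP[page] != vp.name:
        return "deny"                          # page addressed through another VP's prefix
    if page in PUBLIC_PAGES and user is None:
        return "serve"                         # the VP's own anonymous pages
    if user is None or user not in REALMS[vp.realm]:
        return f"redirect:{vp.login_url}"      # outside the VP's realm: VP-specific login
    return "serve"
```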
Portal Backend SSO (The Credential Vault)
Portal Single Sign-On Realms
[Diagram: a Client (e.g. Web-Browser) passes an Authentication Proxy to reach the Portal-Server with its Portlets; Web SSO (LTPA, TAI, JAAS) spans the proxy, the Portal-Server and Web-Application 1 and 2, while Back-End SSO covers Back-End Application 1, 2 and 3. The same person is known under different identities along the way: John Doe, john.doe, DoeJ, John, PN:1234567.]
Overview: Portal Single Sign-On
Client-to-Web Application SSO
- Application server built-in SSO support (LTPA)
- Authentication proxy SSO support (WAS Trust Association Interceptors)
- WAS (therefore Portal) support for Federated Identity (Liberty/SAML) via WebSEAL or another front-end security service, brought in to WAS via TAI or another mechanism
Portal-to-Back End SSO
- Portal Credential Vault
  • Credential Vault Portlet Service and Active and Passive Credential Objects
  • Credential Vault Adapter SPI
  • Default simple DB storage vault implementation
- ConnectionFactories provided via JCA / WAS
Windows Desktop to Portal Front-End SSO
- Supported out-of-the-box by WAS 6.1 through the SPNEGO TAI
- Supported by Portal 6.1
- Also supported out-of-the-box by Tivoli Access Manager: WebSEAL supports SPNEGO, the id is passed to WAS via the standard TAI
- SiteMinder can do this too
Portal to Backend SSO: WP Credential Vault
[Diagram: Portlets call the Credential Portlet Service; below it the Vault Adapter Interface connects a TAM Adapter (to the TAM GSO Lockbox), a Custom Adapter (to a Custom Vault) and the Default Adapter (to the Default Vault Impl. with its crypto exit).]
+ A Portlet Service for storing and retrieving SSO credentials, including the user‘s JAAS Subject that was built during login.
+ A vault adapter interface to integrate vault implementations like the Tivoli Access Manager Global Sign-On Lockbox
+ A basic default vault implementation
  - base64 encoding
  - public encryption exit
  - migration challenge
Part III: Authorization and Security Infrastructure
What is Access Control (aka. Authorization)?
[Diagram: Authentication yields a unique User ID; Actions (examples: view, edit, delete) are performed on Portal Resources (examples: page, portlet).]
Who is allowed to perform which action on which resource?
Anonymous Access
[Screenshot: the Anonymous User is allowed access to the Welcome Page, to the Login Portlet and to an Information Portlet.]
User logs in ...
Personalized Access
[Screenshot: Bob sees additional pages, is allowed to create and personalize private pages, and sees other portlets on the welcome page.]
Now a more privileged user logs in ...
[Screenshot: Alice is allowed to do more things with the Welcome page and sees other portlets on the page.]
68WebSphere Portal Technical Conference Europe 200868
Role Concept
RolePermission
Editor
Manager
User Subsystem (WMM)
User Group
User
Role AssignmentAction + Resource(e.g.: Delete
StocksPortlet)
Portal Role Types
- Users are allowed to view portal resources
- Privileged Users are allowed to create and personalize private resources
- Contributors are allowed to create new shared resources
- Editors are allowed to create and edit shared resources
- Managers are allowed to create, edit, and delete shared resources
- Delegators are allowed to grant access to other principals
- Security Administrators are allowed to grant access on a resource to other principals
- Administrators are allowed to do everything
[Diagram: the role types arranged by privilege, from User and Privileged User through Contributor, Editor, Delegator, Manager and Security Administrator up to Administrator.]
Protected Resource Hierarchy
[Diagram: a tree with the virtual root resource of the protected resource hierarchy at the top; below it the page root (page 1, page 3, pages 4, 5, 6 and the Teller page) and the app root (app 2, the Teller app, portlet 1, portlet 2). Nodes are marked as Virtual Resource or Protected Resource; the Teller resources are marked External AZN.]
Role Instances
[Diagram: the same protected resource hierarchy with role instances attached, written in WP role instance notation as role@resource, e.g. Manager@page1, Administrator@root, Editor@page3, Editor@portlet2, and User and Editor on the Teller page. The Teller page carries an inheritance block for roles of type Editor and is therefore the domain root resource for Editor@Teller page.]
Creation of Shared Resources
[Diagram: hierarchy o1 → o2 → o3, o4, o5; an explicit Manager role assignment on o1 is extended by inheritance to o2, o3, o4 and o5; createSharedResource(o5) adds o6 below o5, which inherits Manager and has an Owner relationship to the creating user.]
- A user creates a shared resource
- The user that created the resource becomes the owner of the resource
- This owner relationship grants specific permissions on the corresponding resource
- Ownership can be transferred
- Owner permissions are never subject to inheritance
Private Resources
- Users can be granted privileges to create private Pages
- The user that created the private page becomes the owner of the new page
- Private resources are visible only for the owner of the resource
- Private resources do not inherit any roles from their ancestor nodes
- Private resources are deleted explicitly by the owner or automatically when the creator is removed from the portal
[Diagram: hierarchy page1 → page2 → page3, page4, page5; an explicit Privileged User role assignment on page1 is extended by inheritance to page2, page3, page4 and page5; createPrivatePage(page5) adds the private resource page6, which carries only the Owner relationship and inherits no roles.]
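The inheritance rules from the Role Instances, Creation of Shared Resources and Private Resources slides, carried through in one model as an added example that is not IBM's access control code: explicit role instances propagate down the protected resource hierarchy, an inheritance block stops that per role type, owner permissions are never inherited, and private resources inherit nothing and are visible only to their owner. The tree, the role-to-action table and the sample assignments are constructed.

```python
# Added example (not IBM's access control code): role inheritance over a
# protected resource hierarchy as described on the Role Instances, Creation of
# Shared Resources and Private Resources slides: explicit role instances
# propagate to descendants, an inheritance block stops that per role type,
# owner permissions are never inherited, and private resources inherit
# nothing and are visible only to their owner. Tree, role-to-action table and
# sample assignments are constructed for this example.
from collections import defaultdict

# Actions per role type, simplified from the Portal Role Types slide.
ROLE_ACTIONS = {
    "User": {"view"},
    "Privileged User": {"view", "personalize"},
    "Editor":  {"view", "edit"},
    "Manager": {"view", "edit", "delete"},
    "Administrator": {"view", "edit", "delete", "grant"},
}
OWNER_ACTIONS = {"view", "edit", "delete"}   # granted by the owner relationship


class ProtectedResourceHierarchy:
    def __init__(self):
        self.parent = {"root": None}           # virtual root resource
        self.private = set()
        self.owner = {}
        self.assignments = defaultdict(set)    # resource -> {(principal, role type)}
        self.blocks = defaultdict(set)         # resource -> role types blocked there

    def add(self, node, parent, private=False, owner=None):
        self.parent[node] = parent
        if private:
            self.private.add(node)
        if owner is not None:
            self.owner[node] = owner
        return node

    def assign(self, resource, principal, role_type):
        """Explicit role instance role_type@resource for a user or group."""
        self.assignments[resource].add((principal, role_type))

    def block(self, resource, role_type):
        """Inheritance block: role_type instances above resource stop here, so
        resource becomes the domain root for role_type."""
        self.blocks[resource].add(role_type)

    def roles_of(self, principal, resource, groups=()):
        """Role types a principal holds on resource: instances on the resource
        itself plus inherited instances from ancestors, unless blocked on the
        way up or the resource is private."""
        principals = {principal, *groups}
        held, blocked = set(), set()
        node = resource
        while node is not None:
            for p, role in self.assignments.get(node, ()):
                if p in principals and role not in blocked:
                    held.add(role)
            blocked |= self.blocks.get(node, set())
            if node in self.private:
                break                          # no inheritance into private resources
            node = self.parent[node]
        return held

    def permitted(self, principal, resource, action, groups=()):
        is_owner = self.owner.get(resource) == principal
        if resource in self.private and not is_owner:
            return False                       # private: visible only to the owner
        if is_owner and action in OWNER_ACTIONS:
            return True                        # owner relationship, not inherited
        return any(action in ROLE_ACTIONS[r] for r in self.roles_of(principal, resource, groups))

    def create_shared(self, creator, parent, node):
        """createSharedResource: creator becomes owner; roles inherit from parent."""
        return self.add(node, parent, owner=creator)

    def create_private(self, creator, parent, node):
        """createPrivatePage: owner only, no inherited roles."""
        return self.add(node, parent, private=True, owner=creator)


def sample_hierarchy():
    """Constructed tree in the spirit of the slide: root -> page root -> page 1
    -> page 3 -> page 4, plus a Teller page under page 1 with an Editor block."""
    h = ProtectedResourceHierarchy()
    h.add("page root", "root")
    h.add("page 1", "page root")
    h.add("page 3", "page 1")
    h.add("page 4", "page 3")
    h.add("Teller page", "page 1")
    h.assign("root", "admins", "Administrator")  # group principal
    h.assign("page root", "dave", "Editor")
    h.assign("page 1", "bob", "Manager")
    h.assign("Teller page", "carol", "Editor")
    h.block("Teller page", "Editor")
    return h
```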
Access Control Administration
- Portal Scripting
- Administration Portlets
- XmlAccess
Portal Membership Model
What are Composite Applications?
[Diagram: a Composite Application with its ApplicationContext and Community aggregates a User Interface, Business Objects, Business Components and Content Documents (JCR), backed by systems such as Domino, ERP, …]
Templates and Applications
[Diagram: an Application Instance (Business Objects, Community, Portal Objects, ApplicationContext) is serialized into a Template (Template XML with points of variability, PoVs); instantiation of the template creates further Application Instances.]
Template XML
• contains the blueprint to easily create another instance of that application
• describes visual and non-visual business components and their relationships
• allows for points of variability to be filled out during instantiation
Membership Management
Business User: Application Owner
[Slides 78 to 80: screenshots of membership management; not captured in the transcript.]
81WebSphere Portal Technical Conference Europe 200881
Application Role Mappings
E.g.: Custom Debug Application
Admin
Application Roles
Users / Groups
ComponentRoles
Business Components
Insight Portlet
Admin User
XML ImportPortlet
Admin User
ExternalTrace Analyzer
Operator
Analyst
Role Mapping
MembershipDeveloper
...
Manage Application Roles
Business User: Template Editor or Application Owner
E.g.: Create an additional „Manager“ Role
[Screenshots: enter the application role name ... and description; this role shall contain delegation privileges; this role shall contain Manager privileges for the Insight portlet component; component roles exposed by the Enable Tracing component.]
New application role has been created ...
Business Users can use the new role …
Business User: Application Owner
86WebSphere Portal Technical Conference Europe 200886
Application Roles & Membership
WebSphere Portal 6.0 features an infrastructure for composite applications Each application consists of a set of business components Business components expose component roles as appropriate for the
corresponding business domain Component roles exposed by one or more business components can be
aggregated into application roles Application roles can be assigned to user and groups A user being assigned a specific application role is considered being a
member of the corresponding application instance
There are administration portlets for application role management (i.e. create, modify, delete, update application roles) and membership management
Application instances can be serialized into templatesApplication roles are part of the template
The 4 Data Domains
- Release Domain: Data: „MyPortal“ & „Admin“ resources; Model: Authorization Roles
- Community Domain: Data: Application/Templating data; Model: Membership Model
- Customization Domain: Data: User private data (e.g. private pages); Model: private resources only
- JCR Domain: Data: Content (WCM/PDM) + Templates, Policies, PZN Rules; UI: Authorization Roles
No inheritance across domain boundaries; each domain allows consistent backup/restore.
WSRP Security
Web Services for Remote Portals (WSRP)
- Industry standard for presentation oriented Web Services
- Producer Side: Portlets can be provided as WSRP Services
- Consumer Side: set up the Producer entity; integrate WSRP Services in the form of Portlets from a Producer
[Diagram: WebSphere Portal (Portlet API, Local Portlets including JSR 168 and WPS 4.x portlets, GenericPortletProxy) consumes WSRP Services over the Internet / Intranet from Application and Content Providers and from a 3rd Party Content / Application Provider; Web Services are published and found via a UDDI Registry (SOAP).]
WSRP Identity Propagation
- User Profile Propagation (no security): user profile data is submitted in the SOAP message; used for generating personalized content; not intended for access control decisions
- SSL client certificate authentication: certificate based client authentication with the User ID in the certificate; one identity per consumer portal
- WS-Security: WSRP client/producer run in a JSR 109 compliant container, which allows full exploitation of the WAS WS-Security runtime; allows end user identity propagation / mapping
  • e.g. LTPA token forwarding
  • public plug points in WAS for custom tokens
- Tivoli Federated Identity Manager (TFIM) provides multiple ways of doing web services based federated SSO (e.g. via SAML)
Java 2 Platform Security
Java 2 Platform Security
“Is this piece of code allowed to read httpd.conf?”
- Part of the Java Language Specification
- Policy files define the privileges of the code to be executed
- Protection of system resources and APIs via a policy-based, fine-grained access control mechanism
- Activated via a global setting in WebSphere Application Server (independent of “Global Security”)
Java 2 Platform Security
- WebSphere Portal runs with Java 2 Security enabled
- Portal core libraries and administration Portlets are supposed to be trusted and get the java.security.AllPermission
- Portlet specific permissions can be assigned to individual portlets by adding a corresponding was.policy file to the WAR archive
- Portlet deployment copies the was.policy file to the EAR level as required by the WAS security runtime
- Individual portlets can be prevented from accessing arbitrary system resources …
Misc
Misc
Security Audit Service
- Can be activated to track administrative actions
- Writes a dedicated log file (plain text)
- Includes information on the executing user, execution time, involved resources
New with 6.1: SSL configuration in the WAS Admin Console
WebSphere Portal Security Strategy
- Security is part of the Portal Design Process: design documents detail the security implications and are reviewed by a dedicated portal security team
- Security is part of the Portal Testing Strategy: WebSphere Portal does dedicated security vulnerability (aka. penetration) testing on selected portal releases
- Security Certifications: WebSphere Portal access control is Common Criteria certified; WebSphere Portal uses FIPS 140-2 compliant crypto libraries provided by WebSphere Application Server
- Portal Security is aligned with the IBM Security Strategy: IBM invests in security research, e.g. teams in Zurich and Tokyo investigate Web 2.0 security implications; the WebSphere portal security architect aligns portal security with IBM security strategy and research results
- Security fixes are published on the portal Security Bulletin Web Site: http://www-128.ibm.com/developerworks/websphere/zones/portal/security/
Additional Information and Resources
WebSphere Portal Security White Paper
http://www-128.ibm.com/developerworks/websphere/library/techarticles/0611_buehler/0611_buehler.html
Exploiting the WebSphere Portal V5.1.0.1 programming model, Part 3: Integrating WebSphere Portal into your security environment
http://www.ibm.com/developerworks/websphere/library/techarticles/0606_buehler/0606_buehler.html
WebSphere Portal Product Information:
http://www-306.ibm.com/software/genservers/portal/enable/
WebSphere Portal Information Center documentation
http://www-106.ibm.com/developerworks/websphere/zones/portal/proddoc.html
WebSphere Portal Security Zone
http://www-128.ibm.com/developerworks/websphere/zones/portal/security/
Session ID: B07
Session: IBM WebSphere Portal Security Overview
Presenter: Dr. Dieter Buehler
Please take a few minutes to fill out the session survey.
Thank you
WebSphere Portal Technical Conference Europe 2008
© IBM Corporation 2008 All Rights Reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
IBM, the IBM logo, WebSphere, Lotus, Lotus Notes, Domino, Quickplace, Sametime, Workplace and Quickr are trademarks of International Business Machines Corporation in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
All references to Renovations Inc. refer to a fictitious company and are used for illustration purposes only.