IBM Software Group | WebSphere Software
Product Introduction + Exploration
IBM WebSphere Application Server v6
WebSphere V6 Security
© 2004 IBM Corporation

Agenda
- WebSphere Security model
- Java Authorization Contract for Containers (JACC) specification
- Tivoli Access Manager (TAM) Client integration in WebSphere

Section: Security Basics

Authentication
- Authentication involves validating a client’s identity
  - Client can be either an end user, a machine, or an application
- An authentication mechanism defines
  - Rules about security information
  - How security information is stored in both credentials and tokens
  - Whether a credential can be forwarded to another process
- May use an Authentication Registry
  - Registry stores userid, password and other user information
- Certificate provides alternative way to establish identity

Authorization
- Authorization is the process that verifies a client has the appropriate privileges to perform an operation
- Information can be stored many ways
  - Access-control list, capability lists
- J2EE uses role based authorization
  - During assembly, permissions to call methods are given to various roles
  - Roles define a set of permissions within an application
  - During deployment users and groups are assigned to these roles

Access Decision Example
1. Challenge the requester to provide credentials (name/password)
2. Check the credentials - if successful, create a Subject with the user information including the groups that the user belongs to
3. Get the required roles for the method from the deployment descriptor
4. Get the assigned roles for the user from the binding file
5. If the required roles match any assigned roles, access is permitted. Otherwise denied
(Diagram labels: Request, Calling Method(), J2EE Server)
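
The access decision above, as an added Java example (not from the original slides or from IBM code). The role table and bindings are constructed stand-ins for a deployment descriptor and a binding file, authentication (steps 1-2) is assumed to have already produced the caller, and every class, method and user name is hypothetical. It needs Java 16 or later.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration of the role-based access decision; all data is constructed.
public class AccessDecisionDemo {
    // Step 3 input: required roles per method, as a deployment descriptor declares them.
    static final Map<String, Set<String>> REQUIRED_ROLES = Map.of(
        "AccountBean.getBalance", Set.of("Teller", "Customer"),
        "AccountBean.closeAccount", Set.of("Manager"));

    // Step 4 input: role -> bound users and groups, as a binding file assigns them.
    static final Map<String, Set<String>> ROLE_BINDINGS = Map.of(
        "Manager", Set.of("user:Jack"),
        "Teller", Set.of("group:tellers"),
        "Customer", Set.of("user:Mary"));

    // Step 2 output: the authenticated caller with its group memberships.
    record Caller(String user, Set<String> groups) {
        Set<String> identities() {
            Set<String> ids = new HashSet<>();
            ids.add("user:" + user);
            for (String g : groups) ids.add("group:" + g);
            return ids;
        }
    }

    // Step 4: every role bound to the caller directly or through one of its groups.
    static Set<String> assignedRoles(Caller caller) {
        Set<String> roles = new TreeSet<>();
        Set<String> ids = caller.identities();
        ROLE_BINDINGS.forEach((role, members) -> {
            if (!Collections.disjoint(members, ids)) roles.add(role);
        });
        return roles;
    }

    // Step 5: permit only if a required role is among the assigned roles.
    // A method with no declared roles is denied (a fail-closed choice made for this sketch).
    static boolean isPermitted(Caller caller, String method) {
        Set<String> required = REQUIRED_ROLES.getOrDefault(method, Set.of());
        return !Collections.disjoint(required, assignedRoles(caller));
    }

    public static void main(String[] args) {
        Caller bob = new Caller("Bob", Set.of("tellers"));
        Caller jack = new Caller("Jack", Set.of());
        for (String m : new String[] {"AccountBean.getBalance", "AccountBean.closeAccount", "AccountBean.undeclared"}) {
            System.out.println(m + " bob=" + isPermitted(bob, m) + " jack=" + isPermitted(jack, m));
        }
    }
}
```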

Section: WebSphere Security Model

Security Layers
(Diagram: layered stack, listed here from top to bottom)
- WebSphere/Application Resources: HTML, Servlet/JSPs, EJBs; Naming, Admin; Access Control
- WebSphere Security: WebSphere Security, J2EE Security API, CORBA Security / CSIv2
- Java Security: Java 2 Security, JVM 1.4 Security
- Platform Security: Operating System Security

Security Feature Comparison
- Java2 Security - Access to System Resources
  - Enforce access control, based on the location of the code and who signed it - Not based on the principal
  - Defined in Policy files
  - Enforced at runtime
- Java Authentication and Authorization Service (JAAS)
  - Enforce access control based on the current Principal/Subject
  - Defined in Application Code
  - Enforced programmatically
- J2EE Security - Authorization
  - Role based security
  - Defined in configuration settings or within Application Code
  - Enforced by runtime and/or programmatically
- Java Authorization Contract for Containers (JACC)

Java 2 Security
- Provides an access control mechanism to manage the application’s access to system level resources
  - File I/O, Network Connections (Sockets), Property files, etc.
- Policy-based
  - Policies define a set of permissions available from various signers and/or code locations
  - Stored in Policy files
- All Java code runs under a security policy
  - Grants access to certain resources
- Java code needs access to certain System Resources
  - Java code will need to get the permission from Java 2 Access Control
  - Access Control looks at the Java 2 Policy file(s) to determine if the requesting Java code has the appropriate permission
(Diagram labels: Java Class, System Resource, Protection Domain, Java 2 Security Permissions, Security Manager, Access Controller, Java 2 Policy Files, JVM)
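
How a code-location grant is evaluated, as an added Java example (not from the original slides). It builds the protection domain that a policy-file entry for one code base would produce and checks requested permissions against it; the code base, paths, property names and helper names are constructed for illustration, and Unix-style paths are assumed.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

// Added illustration; code base, paths and property names are constructed.
public class CodeCentricPolicyDemo {
    // Equivalent of the policy-file entry:
    //   grant codeBase "file:/opt/app/lib/app.jar" {
    //     permission java.io.FilePermission "/opt/app/data/-", "read";
    //     permission java.util.PropertyPermission "app.*", "read";
    //   };
    static ProtectionDomain appDomain() throws Exception {
        Permissions granted = new Permissions();
        granted.add(new FilePermission("/opt/app/data/-", "read")); // "-" = recursive
        granted.add(new PropertyPermission("app.*", "read"));
        CodeSource source = new CodeSource(
            URI.create("file:/opt/app/lib/app.jar").toURL(), (Certificate[]) null);
        // Two-argument constructor: the domain holds exactly these static permissions.
        return new ProtectionDomain(source, granted);
    }

    // The question asked of each protection domain on the call stack: does the
    // code's domain imply the required permission? No user identity is involved.
    static boolean allowed(ProtectionDomain domain, Permission requested) {
        return domain.implies(requested);
    }

    public static void main(String[] args) throws Exception {
        ProtectionDomain app = appDomain();
        Permission[] requests = {
            new FilePermission("/opt/app/data/reports/q1.csv", "read"),  // under the granted tree
            new FilePermission("/opt/app/data/reports/q1.csv", "write"), // action not granted
            new FilePermission("/etc/passwd", "read"),                   // outside the granted tree
            new PropertyPermission("app.mode", "read"),                  // matches app.*
            new PropertyPermission("user.home", "read"),                 // not granted
        };
        for (Permission p : requests) {
            System.out.println((allowed(app, p) ? "GRANT " : "DENY  ") + p);
        }
    }
}
```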

JAAS Authentication and Authorization
- Programmatic interface to establish identity and perform authorization
  - Incorporated into JDK™ 1.4
- JAAS Authentication can make use of multiple authentication technologies
- JAAS Authorization extends the Java 2 Security framework
  - Java2 Security is "code centric"
    - Permission given to the code base and to whoever created (signed) the code
  - JAAS is "user centric"
    - Uses Java2 Security policies to set permissions for users
  - Independent of the JAAS Authentication service

J2EE Security Roles: Application Authorization
- Authorization is performed using the J2EE Security Roles
  - Specify security at an abstract level without knowledge of actual users and groups
- Security roles are then applied to the Web and EJB application components
  - EJB methods or Web URIs
- Binding of the users and groups to the J2EE security roles is usually done at the application install time
  - Binding information can be saved in the IBM binding file (default) or can use a JACC provider (like Tivoli Access Manager)
- Defined in the deployment descriptors
(Diagram labels: Web Module - Servlets, JSPs, HTMLs; EJB Module - EJBs; J2EE Security Roles; Users/Groups; Binding)

Securing J2EE Application Artifacts
(Diagram labels)
- Clients
- Actual User/Groups: Jack, Bob, Mary
- J2EE Security Roles: Manager, Teller, Customer
- Security Binding: usually by Deployer
- Security Permissions: usually by Assembler or Developer
- Web Components: HTML, GIFs, etc.; Servlet; JSP
- Enterprise Java Bean (EJB): EJB Method, EJB Method, EJB Method

WebSphere v6 Security
- Global Security must be enabled
- Some security settings can be overridden on individual Application Servers
  - Turning off Application security
- The security configuration and setting is cell wide in Network Deployment cell
  - DMgr, all Node Agents and all Servers have the same security configuration applied
  - Authentication mechanism, registry, etc.

WebSphere Authentication Mechanisms
(Table columns: Authentication Mechanism; Intended Use and Supported Package)

Simple WebSphere Authentication Mechanism (SWAM)
  Not available and not needed in WebSphere Application Server v6 Network Deployment and higher packages
- For simple, non-distributed, single application server environments
- Does not support forwardable credentials or Single Sign On (SSO)
- Caller identity is not forwarded from client on one server to EJB on another server
  - What gets forwarded is an unauthenticated credential, which may fail on the receiving server

Lightweight Third Party Authentication (LTPA) mechanism
  Available on all platforms and packages
- For distributed, multiple application server environments
- Supports forwardable credentials or Single Sign On (SSO) through cryptography
- Requires all the servers' authentication registry to be a centrally shared registry like LDAP

Integrated Cryptographic Service Facility (ICSF)
  Only on z/OS platforms
- For distributed, multiple application server environments
- Supports forwardable credentials or Single Sign On (SSO)
- Supports all WebSphere supported Authentication Registry

Single Sign On (SSO)
- User authenticates only once in a DNS domain and can access resources in other WebSphere Application Server cells without getting prompted again
- Requires LTPA across the cells within the domain participating in SSO
- Same realm names on each system in the SSO domain
  - For local operating system
    - On the Windows Operating System, the realm name is the domain name, if a domain is in use, or the machine name
    - On the UNIX platform, the realm name is the same as the host name
  - For LDAP, the realm name is the host:port of the LDAP server

Section: JACC Specification

JACC Introduction
- JACC allows application servers to interact with third party authorization providers via standard interfaces to make authorization decisions
- JACC defines permission classes for both the EJB and Web container
- Handles both J2SE and J2EE permissions
- Does not specify how to assign principals to roles

JACC Example
(Diagram labels: Application Installation; WebSphere Application Server v6; JACC Provider Contract; PolicyConfiguration; Provider Repository)
- Create contextID unique to the module being installed
- Get PolicyConfiguration Object for the contextID
- Propagate security policy information for the module using the PolicyConfiguration Object

Application Server Container Requirements
(Diagram labels: Access J2EE resource; EJB/Web Container; WebSphere Application Server v6; Check access; yes/no; JACC Provider Contract; Policy Object; Provider Repository)
- Create contextID for the module being accessed
- Create the appropriate Permission object for the resource
- Register information required by the specification
- Delegate the access decision to the Policy object