Oracle IDM JUG 2011 presentation
TRANSCRIPT
Developing Applications With Declarative Security
Java User Group Presentation, Los Angeles and Phoenix
Ganesh Kirti, Sr. Director, Platform Security, Fusion Middleware
July 2011
This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
Agenda
• Declarative Security
• Real World Financials Application Implementation/Demo
• Benefits of Declarative Security
• Q & A
• References
Declarative Security Today
• The declarative security approach is a proven security model
• It keeps business logic separated from security decision logic
• Security role policies (mappings) are externalized in deployment descriptors (DDs) or policy files
• Available Java standards:
  • J2EE Container Security
  • Java2 Security
• Very easy-to-use APIs exist for applications:
  • isUserInRole
  • getCallerPrincipal
  • checkPermission
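The container-managed model the slide refers to, as an added example that is not from the presentation: a Servlet 3.0 resource protected declaratively with @ServletSecurity, plus the programmatic isUserInRole / getUserPrincipal checks (the web-tier counterparts of the APIs listed above). The servlet name, URL pattern, role names and request parameters are assumptions; the mapping of the logical roles "trader" and "supervisor" to real users or groups lives in the deployment descriptor or server configuration, not in this code.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed servlet for the illustration; not part of the demo application.
@WebServlet("/trades/*")
// Declarative part: the container enforces this constraint before doPost runs.
// Only callers the deployment descriptor maps to the logical role "trader"
// ever reach the code below; the application carries no user list of its own.
@ServletSecurity(@HttpConstraint(rolesAllowed = "trader"))
public class TradeServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Authenticated caller as established by the container (never null here,
        // because the constraint above already required authentication).
        Principal caller = req.getUserPrincipal();
        String symbol = req.getParameter("symbol");

        // Programmatic part: a second, finer role check inside the same servlet.
        // "supervisor" is again a logical role name resolved by the container.
        boolean largeTrade = "true".equals(req.getParameter("large"));
        if (largeTrade && !req.isUserInRole("supervisor")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "supervisor role required");
            return;
        }

        // This is exactly the limitation the next slide raises: the role check knows
        // nothing about trade size, geography, daily limits or network origin. Any
        // such business rule would have to be hand-coded here, inside the application.
        resp.setContentType("text/plain");
        resp.getWriter().println("trade accepted for " + caller.getName() + ": " + symbol);
    }
}
```

Deploying this in any Java EE 6 container and calling the URL as a user who is not mapped to "trader" yields a 403 from the container itself; the servlet code is never entered, which is the separation of business logic from security decisions the slide describes.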
Declarative Security Today: What is the limitation?
• Current standards are proven, but are very limited:
  • Too coarse grained to support business rules
  • Access control enforcement stops at the application perimeter level
  • No contextual support for making access control decisions
  • Securing data access within the application requires custom implementation
Let’s review a real world application example (next slide)
Declarative Security: Real World Application Examples
(Table columns: Users, Roles, Privileges, Context, Resource; one row per user)

User: Jane West
  Roles: Account Owners, Traders
  Privileges: Equity Trades (by geography, by trade limit)
  Context: restrict access from an un-trusted network; restrict trade sizes to < $100K; daily trading limit of $5M
  Resources: Savings Account; Municipal Equity Fund; Accounts (transfers, credit)

User: Steve Jackson
  Roles: Equity Analyst
  Privileges: Equity Research (by vertical industry, by line of business)
  Context: unauthorized for trading; authorized for review of Energy companies listed on NYSE; authorized for access to research reports
  Resources: Oil & Gas; Semiconductors

User: Ellen Stewart
  Roles: Fund Manager
  Privileges: Equity Trades, Rebalance Funds
  Context: authorized for 24x7 trading; rebalancing of Small-Cap Funds; daily trading limit of $1B
  Resources: Mortgage Equity Fund; Municipal Equity Fund
Declarative Security: Real World Examples (contd.)
• These examples need the following sample declarative APIs:
  • isAccessAllowed(subject, ApplicationContext, UserSessionClaims)
  • getAllowedMenuItems(subject)
  • get(dataSecurityFilter) // data security
• Due to the lack of standards, application developers are forced to build custom security logic, causing the following issues:
  • Security breaches (lots of them happening nowadays ;-))
  • Hard coding of security policy in the application
  • Security requirements change; hence maintenance overhead
  • Not compliant with corporate policies; hence may not be ready for Private and Public Cloud deployments
APPROACH TO DESIGNING APPLICATION SECURITY

Approach to Designing Application Security
• Continue to use the declarative security pattern, i.e. externalize the security decision process
• Security must be built into your application
• Rely on existing security standards (JAAS, J2EE, RBAC, ABAC, XACML) for designing the security model
• Rely on security frameworks and tooling that provide:
  • APIs and tools to secure application resources declaratively
  • Support for interoperability with Identity Management systems
  • APIs and tools for managing application security life-cycle events (design, deployment, and administration of security data)
• Next: let’s walk through an implementation of a real world Financials application built using this approach
Real World Financials Application: High Level Requirements
• Application with users: account owners, stock brokers, and administrators
• Multiple security roles: brokers, bronze/gold users, administrators
• Context-aware security to meet business rules
• Meet corporate security compliance requirements (audit, central administration, and governance)
• Standards compliant (JAAS, J2EE security, ABAC, RBAC, OpenAZ/PEP, OPSS)
• Scalability and performance
Application Security Architecture

[Diagram] Users send requests to the Financials Application (Menu UIs, Account Services, Trading Services, Data Access). The application performs an AccessCheck* against the PDP**, which answers Grant or Deny. The PDP holds a policy cache, policy evaluation, role hierarchy and data security filters, and is backed by the Identity Store (user identities) and the Policy Store (roles and entitlements). Administrators and business application owners manage policies through the Policy Admin Server.

* Application enforces the access check using APIs. The security decision process is externalized to the PDP.
** The PDP (Policy Decision Point) can be configured in embedded or out-of-process centralized modes.
Design/Implementation Concepts
• Securable Resources
  • Securable resource: UI items (menu, region etc.), web service, portlet, data filters
  • Developers define resources during application design time
• Entitlements
  • Administration-usable concept: a collection of resources managed as a single unit
• Application Role
  • Bundle of privileges, role hierarchies, role catalog, mapped to users/groups
  • Developers and administrators can define application roles
• Policy
  • An access control declarative policy that binds together resource(s), role(s), and entitlements
  • A policy can be made powerful and dynamic by including conditions/rules and obligations
  • Administrators define and manage policies
  • The application is unaware of the details of the policy, but enforces it during run-time
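How these concepts fit together at evaluation time, as an added example that is not part of the presentation and not OES or OpenAZ code: a minimal in-memory policy decision point with resources, a role hierarchy, policies carrying a context condition and obligations, and a deny-overrides combining rule. It also illustrates the sample declarative APIs from the earlier slide (an isAccessAllowed-style decide() and getAllowedMenuItems-style allowedMenuItems()). The resource names reuse those of the demo application; the role names, the "FromInternet" context attribute, the "maxYears" obligation and the rule set are constructed. Requires Java 9 or later for Map.of/Set.of/List.of.

```java
import java.util.*;
import java.util.function.Predicate;

/** Toy policy decision point (an illustration, not a product API). */
public class MiniPdp {

    /** Decision handed to the enforcement point: allow/deny plus obligations it must honour. */
    public static final class Decision {
        public final boolean allowed;
        public final Map<String, String> obligations;
        Decision(boolean allowed, Map<String, String> obligations) {
            this.allowed = allowed;
            this.obligations = Collections.unmodifiableMap(new LinkedHashMap<>(obligations));
        }
    }

    /** A policy binds a resource (by prefix), an action and an application role to a permit or deny,
     *  guarded by a condition over the application context and carrying obligations. */
    public static final class Policy {
        final String resourcePrefix, action, role;
        final boolean permit;
        final Predicate<Map<String, String>> condition;
        final Map<String, String> obligations;
        public Policy(String resourcePrefix, String action, String role, boolean permit,
                      Predicate<Map<String, String>> condition, Map<String, String> obligations) {
            this.resourcePrefix = resourcePrefix; this.action = action; this.role = role;
            this.permit = permit; this.condition = condition; this.obligations = obligations;
        }
    }

    private final Map<String, Set<String>> roleParents = new HashMap<>(); // role hierarchy
    private final List<Policy> policies = new ArrayList<>();              // the "policy store"

    /** Declares that holders of role also hold parent (e.g. Gold inherits Bronze). */
    public void addRoleParent(String role, String parent) {
        roleParents.computeIfAbsent(role, k -> new HashSet<>()).add(parent);
    }

    public void addPolicy(Policy p) { policies.add(p); }

    /** Expands the subject's roles through the hierarchy (cycle-safe). */
    private Set<String> expandRoles(Set<String> roles) {
        Set<String> all = new HashSet<>();
        Deque<String> work = new ArrayDeque<>(roles);
        while (!work.isEmpty()) {
            String r = work.pop();
            if (all.add(r)) work.addAll(roleParents.getOrDefault(r, Collections.emptySet()));
        }
        return all;
    }

    /** Deny-overrides: one applicable deny wins; otherwise any applicable permit allows and the
     *  obligations of all applicable permits are merged (a later policy overrides an earlier key). */
    public Decision decide(Set<String> subjectRoles, String action, String resource,
                           Map<String, String> appContext) {
        Set<String> roles = expandRoles(subjectRoles);
        boolean permitted = false;
        Map<String, String> obligations = new LinkedHashMap<>();
        for (Policy p : policies) {
            boolean applicable = resource.startsWith(p.resourcePrefix) && p.action.equals(action)
                    && roles.contains(p.role) && p.condition.test(appContext);
            if (!applicable) continue;
            if (!p.permit) return new Decision(false, Collections.emptyMap());
            permitted = true;
            obligations.putAll(p.obligations);
        }
        return new Decision(permitted, permitted ? obligations : Collections.emptyMap());
    }

    /** getAllowedMenuItems(subject)-style API built on decide(). */
    public List<String> allowedMenuItems(Set<String> roles, List<String> menuResources,
                                         Map<String, String> appContext) {
        List<String> out = new ArrayList<>();
        for (String r : menuResources) if (decide(roles, "view", r, appContext).allowed) out.add(r);
        return out;
    }

    /** Constructed sample policies mirroring the three scenarios of the demo application. */
    public static MiniPdp sampleBank() {
        MiniPdp pdp = new MiniPdp();
        pdp.addRoleParent("GoldUser", "BronzeUser");
        pdp.addPolicy(new Policy("AzUnionBank/UINavigationResource/AccountsNavItem", "view",
                "BronzeUser", true, c -> true, Map.of()));
        pdp.addPolicy(new Policy("AzUnionBank/UINavigationResource/InvestmentsNavItem", "view",
                "GoldUser", true, c -> true, Map.of()));
        // Context-aware deny: no account widgets when the request comes from an untrusted network.
        pdp.addPolicy(new Policy("AzUnionBank/UIWidget/", "view", "BronzeUser",
                false, c -> "true".equals(c.get("FromInternet")), Map.of()));
        pdp.addPolicy(new Policy("AzUnionBank/UIWidget/", "view", "BronzeUser", true, c -> true, Map.of()));
        // Data security via obligation: the PEP receives a filter parameter, not only a yes/no.
        pdp.addPolicy(new Policy("AzUnionBank/DataSetResType/AccountTxns", "view", "BronzeUser",
                true, c -> true, Map.of("maxYears", "2")));
        pdp.addPolicy(new Policy("AzUnionBank/DataSetResType/AccountTxns", "view", "GoldUser",
                true, c -> true, Map.of("maxYears", "5")));
        return pdp;
    }

    public static void main(String[] args) {
        MiniPdp pdp = sampleBank();
        Set<String> bronze = Set.of("BronzeUser"), gold = Set.of("GoldUser");
        Map<String, String> intranet = Map.of("FromInternet", "false");
        Map<String, String> internet = Map.of("FromInternet", "true");
        List<String> menu = List.of("AzUnionBank/UINavigationResource/AccountsNavItem",
                "AzUnionBank/UINavigationResource/InvestmentsNavItem");
        System.out.println("bronze menu: " + pdp.allowedMenuItems(bronze, menu, intranet));
        System.out.println("gold menu: " + pdp.allowedMenuItems(gold, menu, intranet));
        System.out.println("widget from internet: "
                + pdp.decide(bronze, "view", "AzUnionBank/UIWidget/CreditScoreWidget", internet).allowed);
        System.out.println("gold txns: "
                + pdp.decide(gold, "view", "AzUnionBank/DataSetResType/AccountTxns", intranet).obligations);
    }
}
```

Two design points worth noticing: the role hierarchy means a Gold user inherits every Bronze permit, so ordering the Gold transaction policy after the Bronze one is what lets its larger "maxYears" obligation win, and deny-overrides means the network-origin rule blocks the widget even though a permit for the same resource exists. Both decisions come from the policy list alone; the calling application only passes roles, action, resource and context.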
Scenario 1: Default view upon logon
Bronze user (jane.west) can log in and see only allowed resources (account, transfers, customer service); not allowed to access investments, transfers.
• Administrator configures the declarative security policy: BronzeAccountsNavEntitlement, GoldAccountsNavEntitlement
• The following sample code implements a subset of this use case (it needs javax.security.auth.Subject, javax.security.auth.login.LoginContext and the OpenAZ PEP classes PepRequestFactoryImpl and PepResponse):

    String resName = "AzUnionBank/UINavigationResource/AccountsNavItem";
    // authorization runtime: authenticate and obtain the caller's Subject
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
    ctx.login();
    Subject ident = ctx.getSubject();
    String rtAction = "view";
    // application context attributes passed to the PDP alongside the request
    Map<String, String> appContext = new HashMap<String, String>();
    appContext.put("myAttr", "Hello");
    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
            .newPepRequest(ident, rtAction, resName, appContext).decide();
    if (response.allowed()) {
        System.out.println("GRANT");
        // Do whatever ...
    } else {
        System.out.println("DENY");
    }
Scenario 2: Deny access to accounts from an un-trusted network
Jane logs in from an un-trusted network; access to some resources will be blocked.
• Administrator configures the declarative security policy: CredScoreWidgetDenyEntitlements, DenyAccountInfoEntitlement, DenyBalanceSummaryWidgetEntitlement
• The following code implements this use case:

    String resName = "AzUnionBank/UIWidget/CreditScoreWidget";
    // authorization runtime: authenticate and obtain the caller's Subject
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
    ctx.login();
    Subject ident = ctx.getSubject();
    String rtAction = "view";
    // the network origin is passed as context; the deny policy keys on it
    Map<String, String> appContext = new HashMap<String, String>();
    appContext.put("FromInternet", "true");
    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
            .newPepRequest(ident, rtAction, resName, appContext).decide();
    if (response.allowed()) {
        System.out.println("GRANT");
        // Do whatever ...
    } else {
        System.out.println("DENY");
    }
Scenario 3: Data Security using Obligation
Bronze customer can only see two years of transactions; Gold customer can see 5 years of data.
• Administrator configures the declarative security policy: BronzeAccountTransactionsEntitlementPolicy, GoldAccountTransactionsEntitlementPolicy
• The following code implements this use case:

    String resName = "AzUnionBank/DataSetResType/AccountTxns";
    // authorization runtime: authenticate and obtain the caller's Subject
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
    ctx.login();
    Subject ident = ctx.getSubject();
    String rtAction = "view";
    Map<String, String> appContext = new HashMap<String, String>();
    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
            .newPepRequest(ident, rtAction, resName, appContext).decide();
    if (response.allowed()) {
        // a permit may carry obligations the application has to apply to the data it returns
        Map<String, Obligation> obligations = response.getObligations();
        if (obligations != null) {
            for (String name : obligations.keySet()) {
                System.out.println("obligation: name = " + name
                        + ", values = " + obligations.get(name).getStringValues());
            }
            // Get the WHERE clause that is returned as the obligation and add it to the select query ...
        }
    } else {
        System.out.println("DENY");
    }
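The enforcement half of this scenario, as an added example that is not from the presentation and not OES or OpenAZ code: applying a data-security obligation to the transaction query. Instead of splicing a WHERE clause received as text into the SQL, the obligation here carries a parameter value ("maxYears", an assumed name standing in for the obligation the slide describes), which the application validates and binds as a date; a permit that arrives without the obligation the application is required to honour is refused rather than silently returning all rows. The constructed obligation maps stand in for PepResponse.getObligations(); the table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.time.LocalDate;
import java.util.Map;

/** Enforcement-side handling of a data-security obligation (illustration only). */
public class AccountTxnQuery {

    // Obligation name and the hard upper bound are assumptions for this example.
    static final String MAX_YEARS = "maxYears";
    static final int HARD_CAP_YEARS = 10;

    /**
     * Turns the obligation into a cutoff date. Fails closed: obligations are mandatory
     * in XACML, so a permit without one is a policy misconfiguration, not "no limit".
     */
    public static LocalDate cutoffFor(Map<String, String> obligations, LocalDate today) {
        String raw = obligations.get(MAX_YEARS);
        if (raw == null) {
            throw new SecurityException("permit without mandatory " + MAX_YEARS + " obligation");
        }
        int years;
        try {
            years = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new SecurityException("malformed " + MAX_YEARS + " obligation: " + raw);
        }
        if (years < 1 || years > HARD_CAP_YEARS) {
            throw new SecurityException("out-of-range " + MAX_YEARS + ": " + years);
        }
        return today.minusYears(years);
    }

    /** Builds the query with bind variables only; policy data never becomes SQL text. */
    public static PreparedStatement prepare(Connection con, String accountId,
                                            Map<String, String> obligations) throws SQLException {
        LocalDate cutoff = cutoffFor(obligations, LocalDate.now());
        PreparedStatement ps = con.prepareStatement(
                "SELECT txn_id, posted, amount FROM account_txns "
              + "WHERE account_id = ? AND posted >= ? ORDER BY posted DESC");
        ps.setString(1, accountId);
        ps.setDate(2, java.sql.Date.valueOf(cutoff));
        return ps;
    }

    public static void main(String[] args) {
        // Constructed obligations for a Bronze and a Gold user (two and five years of data).
        Map<String, String> bronze = Map.of(MAX_YEARS, "2");
        Map<String, String> gold = Map.of(MAX_YEARS, "5");
        LocalDate today = LocalDate.of(2011, 7, 1);
        System.out.println("bronze sees transactions since " + cutoffFor(bronze, today));
        System.out.println("gold sees transactions since " + cutoffFor(gold, today));
        try {
            cutoffFor(Map.of(), today); // permit with no obligation: refused
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Carrying the filter as a typed parameter rather than as a raw clause keeps the policy store and the application's SQL independent of each other: a policy author can change the retention window without any knowledge of the schema, and the application can never be steered into executing policy text it did not write.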
Financials Application Implementation Summary
• All securable resources are declaratively secured in an external central policy store
• Administrators secure resources using declarative policies and rules
• Simple pass-through OpenAZ APIs enforce the security within the application; decisions are externalized
• Oracle proposed standard APIs, OpenAZ, which provide XACML Java binding APIs
• All run-time access to resources is audited by the PDP implicitly
• Administrators have full visibility into the application access policies and runtime activity
Benefits to Application Developers
• Well proven design pattern
• Developers rely on frameworks and tools to secure resources; hence security development cost is reduced
• Developers can focus on business logic
• Security logic is externalized and managed by administrators
• Application ready for Cloud deployments as the application meets CSA, audit requirements
• Interoperates with Identity Management Systems
• Developers not responsible for security breaches
Benefits to CSOs and IT Managers
• Administrators have full visibility into application security policies from a central dashboard
• Full control of who is allowed access to what resources within an application
• Make security policy changes as business rules change and make them effective immediately in the application runtime
• Application can integrate with already existing Identity Management services
• Can centrally manage the security controls of 1000s of applications
• Can see a full audit of the runtime system
• Satisfaction that application security is in good hands; hence, job security
Learn More: Register for Related Events
• Webcast: Introducing Oracle Entitlements Server, http://bit.ly/oes11g-webcast, July 14 10a PT
• Webcast: Declarative Security for Mobile Apps, http://bit.ly/mnKoX7, Aug 25 9a PT
• Webcast: Declarative Security for Mobile Apps, http://bit.ly/is3XAQ, Sep 7 9a PT
Useful Resources
• Download Financials Application
• Oracle Entitlements Server
  • Whitepapers
  • Product downloads, Javadocs
• Oracle Platform Security Services
  • Fusion Middleware and Fusion Applications Security Framework; samples, presentations
• Identity Management Resource Library
Java Security Standards

Java Security Standards Initiatives
• OpenAz
• Java Identity API (JSR proposal)
• CARML/ArisID
• SAML Session Token (WAM token)
OpenAz Goals
• Provide a consistent model for applications and middleware to invoke access control
  • Based upon the PEP definition given in the XACML specification
  • Encourage creation of other language/framework bindings
• Reference implementation for the Java AzApi interface
  • Java interface based on the XACML request-response model
• Explain how the AzApi interface can be mated with third-party policy engines
  • Existing policy engines can implement this interface
  • Support efficient processing as providers can implement caching and other proprietary magic
  • Details of local vs. remote processing hidden by the interface
PEP API: Java Construct Layer
• Responds to the concern that AzApi requires some knowledge of XACML specifics
  • Data types, attribute categories and names
• Java packages or frameworks may request authorization decisions using native objects
  • E.g., Decide(user object, resource object, action object)
  • Mapping of these native representations into lower-level AzApi forms is modeled separately
Externalized Attribute-based Access Control

[Diagram] Applications, middleware and services each call a PEP (plus a gateway PEP at the edge), which asks the policy engine (PDP) for a decision. The PDP evaluates rules over groups and roles (manager, customer, ...), user attributes (zip code, citizenship, ...), resource attributes (creator, classification, ...) and environment attributes (authN strength, ...). Policies are authored through the PAP.

PEP - Policy Enforcement Point; PAP - Policy Administration Point; PDP - Policy Decision Point
Available OpenAz Components
• Definition of the Java AzApi interface
  • Includes the PEP API layer
  • Submitted to the XACML TC for standardization
  • Joint work with Cisco and others (RSA)
• Implementation of AzApi with the SUN XACML library
  • Available for use today
• XACML policy-creation tool
  • Simplifies creation of XACML policy
Download information
• Complete project (AzApi interface, reference implementation, Policy Tool, Javadoc): http://openaz.svn.sourceforge.net/viewvc/openaz/ (download the GNU tarball)
• Javadoc only: http://openaz.svn.sourceforge.net/viewvc/openaz/azapi/doc/
• Apache 2.0 license
• Join the project! http://www.openliberty.org/wiki/index.php/Main_Page#OpenAz (mailing list and bi-weekly conference call)
Java Identity API
• Ongoing work to create a Java standard (JSR) within the JCP (www.jcp.org). Please join us to take the work forward!
• Diverse sources of identity data impose new requirements for identity data
  • Goes beyond a model based on a single IT directory
  • Driven by new identity models: identity federation, Facebook, virtual directory
  • Concerns about user consent, privacy and accountability
Java Identity API: Enhance Java to include
• Characteristic representation for identity attributes and meta-data such as issuer, TTL, use-constraints
  • Uniform representation independent of source
• Programming model for applications to interact with and provide attributes (with meta-data)
• Programming model for applications to provide fine-grained context in access control
• Integration of the enhancements with the existing Java security model
CARML/ArisID
• Declarative approach to obtaining identity attributes in applications
  • Improves on lower-level approaches based on LDAP or JNDI
  • Includes support for privacy assertions
• Based upon use of CARML (“Client Attributes Markup Language”)
  • A manifest describes the identity needs of an application or group of applications
  • Tools and services can use the manifest to provide attributes to the application
• Part of a broader standard called Identity Governance Framework
  • http://www.projectliberty.org/strategic_initiatives/identity_governance/?f=strategic_initiatives/identity_governance
ArisID open source project
• Open source implementation of CARML
• ArisID is a Java API suitable for Java application developers
• Complete open source stack now available
  • Apache 2.0 license
  • http://www.openliberty.org/wiki/index.php/ProjectAris
• Available in Oracle Virtual Directory 11g and also used in Oracle Fusion Middleware
Session Token Overview
• Standardized scheme for managing web server security session state
• First within Oracle products, then externally
• Benefits:
  • Lower costs / improve security for Oracle products
  • Demonstrate industry leadership
  • Foundation for interop with other vendors
• Provides a standard for session management
• More efficient: enables features like idle timeout

Project Summary
• Define a common WAM SSO token format and interface
• Implement the "pre-standard" across the AM suite
• Work with the community to standardize the token
• Converge to the final standard
Status
• Design based on existing product requirements
• Implemented the token library in Oracle Access Manager 11g
• OASIS SAML Session Token Profile awaiting final public review before reaching Committee Specification status
• Latest OASIS draft: http://www.oasis-open.org/committees/download.php/41975/saml-session-token-v1.0-wd07.pdf
Appendix: Proven Practices, Solutions, and Tools

Proven Practice: Oracle Platform Security Services (OPSS)

[Diagram] Java applications, SOAP/REST applications and cloud applications sit on top of OPSS, whose services are grouped as AuthN, AuthZ and IdM integration: authentication, authorization, credentials and keys, audit, identity profile, trust, XML security, crypto and SSL, SSO/tokens, Entitlements Server, LDAP and virtualization, identity provisioning. Underneath are the Security Service Providers: identity, policy and credential store providers backed by LDAP, database or file.

Copyright © 2010, Oracle. All rights reserved. Oracle Confidential
Key Design Patterns Supported in OPSS
• Externalize identities
• Rely on a central audit framework
• Audit system identity usage and runtime access of resources
• Externalize user and role provisioning
• Standardize on identity propagation across SOA, REST, J2EE services
• Follow compliant encryption for credentials/keys
• Externalize token processing and creation
• Rely on web services security/token interceptors
• Follow a standard LDAP and SSO integration framework across your applications
Benefits of OPSS
• Suite of security services: application enablement with a rich, secure, and compliant security platform
  • Provides an abstraction layer to identity systems
  • Rich set of APIs for the most common design patterns
  • Works in conjunction with Java2, J2EE, SOA, HTTP, JCE security standards
  • Interoperates with Identity Management Systems
• Reduce costs and rapidly respond to business demands
  • Declarative security increases developer productivity by 50%
• The entire Fusion Middleware and Fusion Applications product lines are built on top of OPSS
Oracle Entitlements Server (OES)

Without OES:
• Hard-coded security policies
• Brittle policy management
• Application policy silos

With OES:
• Externalized entitlements
• Agile business policies
• Centralized policy management

[Diagram] Without OES, each application carries its own policy; with OES, the applications share one centralized policy service. Native and custom integrations with OES cover portals and content management, app servers and dev frameworks, middleware, identity management, XML gateways and data sources.
Benefits of OES to Developers and Administrators

Enhanced Security and Compliance
• Manage security from a single place
• Provides finer control over the protection of all resources
• Separates security decisions from application logic
• Offers robust auditing of events

Increased IT Efficiency
• Centralizes security policy management
• Enables reuse and sharing of security services
• Frees developers up to focus on value-added business logic
• Integrates easily with identity and access management

Better Business Agility
• An adaptable security service infrastructure that more closely models your business
• Respond faster to changing corporate, regulatory, market requirements
• Reduce time-to-market
Useful Resources
• Oracle Platform Security Services
  • Fusion Middleware and Fusion Applications Security Framework; samples, presentations
• Oracle Entitlements Server
  • Whitepapers
  • Product downloads, Javadocs
• Identity Management Resource Library