oracleidm jug 2011

Upload: oracleidm

Post on 07-Apr-2018


TRANSCRIPT

  • 8/6/2019 Oracleidm Jug 2011

    1/43

    Developing Applications With Declarative Security
    Java User Group Presentation, Los Angeles and Phoenix

    Ganesh Kirti, Sr. Director, Platform Security, Fusion Middleware

    July/2011


    2/43

    This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

    3/43

    Agenda

    Declarative Security

    Real World Financials Application Implementation/Demo

    Benefits of Declarative Security

    Q & A

    References

    4/43

    Declarative Security Today

    The declarative security approach is a proven security model: it keeps business logic separated from security decision logic, and security role policies (mappings) are externalized in deployment descriptors (DDs) or policy files.

    Available Java standards: J2EE container security and Java 2 security.

    Very easy-to-use APIs exist for applications: isUserInRole (HttpServletRequest, EJBContext), getCallerPrincipal (EJBContext), checkPermission (AccessController / SecurityManager).

    5/43

    Declarative Security TodayWhat is the limitation?

    Current standards are proven, but are verylimited: Too coarse grained to support business rules Access control enforcement stops at the application

    perimeter level No contextual support for making access control

    decisions Securing data access within application requires

    custom implementation

    Lets review a real world application example (nextslide)

    6/43

    Declarative Security
    Real World Application Examples

    | Users         | Roles          | Resource                                    | Privileges                                                 | Context                                                                                                                       |
    | Jane West     | Account Owner  | Savings Account                             | Accounts, Transfers, Credit                                | Restrict access from an un-trusted network                                                                                    |
    | Steve Jackson | Trader         | Municipal Equity Fund                       | Equity Trades: by geography, by trade limit                | Restrict trade sizes to < $100K; daily trading limit of $5M                                                                   |
    | Ellen Stewart | Equity Analyst | Oil & Gas, Semiconductors                   | Equity Research: by vertical industry, by line of business | Unauthorized for trading; authorized for review of energy companies listed on NYSE; authorized for access to research reports |
    |               | Fund Manager   | Mortgage Equity Fund, Municipal Equity Fund | Equity Trades, Rebalance Funds                             | Authorized for 24x7 trading; rebalancing of small-cap funds; daily trading limit of $1B                                        |


    8/43

    APPROACH TO DESIGNING APPLICATION SECURITY

    9/43

    Approach to Designing Application Security

    Continue to use the declarative security pattern, i.e. externalize the security decision process
    Security must be built into your application
    Rely on existing security standards (JAAS, J2EE, RBAC, ABAC, XACML) for designing the security model
    Rely on security frameworks and tooling that provide:
      APIs and tools to secure application resources declaratively
      Support for interoperability with Identity Management systems
      APIs and tools for managing application security life-cycle events (design, deployment, and administration of security data)

    Next - let's walk through an implementation of a real world Financials application built using this approach

    10/43

    Real World Financials Application
    High level Requirements

    Application with users: account owners, stockbrokers, and administrators
    Multiple security roles: brokers, bronze/gold users, administrators
    Context-aware security to meet business rules
    Meet corporate security compliance requirements (audit, central administration, and governance)
    Standards compliant (JAAS, J2EE security, ABAC, RBAC, OpenAZ/PEP, OPSS)
    Scalability and performance

    11/43

    Application Security Architecture

    Diagram: Users send requests to the Financials Application (Menu UIs, Account Services, Trading Services, Data Access with security filters). The application issues an Access Check* to the PDP** (policy cache, policy evaluation, role hierarchy data) and receives Grant or Deny. The PDP draws on the Identity Store (user identities) and the Policy Store (roles and entitlements); administrators and business application owners manage the Policy Store through the Policy Admin Server.

    * Application enforces access check using APIs. Security decision process is externalized to PDP
    ** PDP (Policy Decision Point) can be configured in embedded or out-of-process centralized modes

    12/43

    Design/Implementation Concepts

    Securable Resources
    Securable resource: UI items (menu, region etc.), web service, portlet, data filters
    Developers define resources during application design time

    Entitlements
    Administration-usable concept: a collection of resources managed as a single unit

    Application Role
    Bundle of privileges, role hierarchies, role catalog, mapped to users/groups
    Developers and administrators can define application roles

    Policy
    An access control declarative policy that binds together resource(s), role(s), and entitlements.
    A policy can be made powerful and dynamic by including conditions/rules and obligations.
    Administrators define and manage policies.
    The application is unaware of the details of the policy, but enforces it at run time.

    13/43

    Scenario 1: Default view upon logon
    Bronze user (jane.west) can log in and sees only the resources allowed to that role (accounts, transfers, customer service); investments are not accessible.

    Administrator configures the declarative security policy: BronzeAccountsNavEntitlement, GoldAccountsNavEntitlement

    The following sample code implements a subset of this use case:

    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    // PepRequestFactoryImpl and PepResponse come from the OpenAz/OES PEP API package of the runtime in use

    String resName = "AzUnionBank/UINavigationResource/AccountsNavItem";

    // authorization runtime: loginService and cbh (a CallbackHandler) are supplied by the application's login code
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
    ctx.login();
    Subject ident = ctx.getSubject();

    String rtAction = "view";
    Map<String, Object> appContext = new HashMap<>();
    appContext.put("myAttr", "Hello");   // application-supplied context attributes, available to policy rules

    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
            .newPepRequest(ident, rtAction, resName, appContext).decide();

    if (response.allowed()) {
        System.out.println("GRANT");
        // Do whatever ...
    } else {
        System.out.println("DENY");
    }

    14/43

    Scenario 2: Deny access to accounts from un-trusted network
    Jane logs in from an un-trusted network; access to some resources will be blocked.

    Administrator configures the declarative security policy: CredScoreWidgetDenyEntitlements, DenyAccountInfoEntitlement, DenyBalanceSummaryWidgetEntitlement

    The following code implements this use case:

    String resName = "AzUnionBank/UIWidget/CreditScoreWidget";

    // authorization runtime: loginService and cbh (a CallbackHandler) are supplied by the application's login code
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
    ctx.login();
    Subject ident = ctx.getSubject();
    String rtAction = "view";

    // the network origin is passed as a context attribute; the deny rule fires when it is "true"
    Map<String, Object> appContext = new HashMap<>();
    appContext.put("FromInternet", "true");

    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
            .newPepRequest(ident, rtAction, resName, appContext).decide();
    if (response.allowed()) {
        System.out.println("GRANT");
        // Do whatever ...
    } else {
        System.out.println("DENY");
    }

    The value of FromInternet must be derived by the application from a trusted source (for example, the front-end gateway that terminated the connection), not from client-controlled request data; otherwise the caller can flip the attribute and defeat the rule.

    15/43

    Scenario 3: Data Security using Obligation
    A Bronze customer can only see two years of transactions; a Gold customer can see 5 years of data.

    Administrator configures the declarative security policy: BronzeAccountTransactionsEntitlementPolicy, GoldAccountTransactionsEntitlementPolicy

    The following code implements this use case:

    String resName = "AzUnionBank/DataSetResType/AccountTxns";

    // authorization runtime: loginService and cbh (a CallbackHandler) are supplied by the application's login code
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
    ctx.login();
    Subject ident = ctx.getSubject();
    String rtAction = "view";
    Map<String, Object> appContext = new HashMap<>();

    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
            .newPepRequest(ident, rtAction, resName, appContext).decide();

    if (response.allowed()) {
        // obligations come back keyed by name; Obligation is the PEP API's obligation type
        Map<String, Obligation> obligations = response.getObligations();
        if (obligations != null) {
            for (String name : obligations.keySet()) {
                System.out.println("obligation: name = " + name + ", values = "
                        + obligations.get(name).getStringValues());
            }
            // Get the WHERE clause returned as the obligation and add it to the SELECT query ...
        }
    } else {
        System.out.println("DENY");
    }

    Two points a PEP implementer should keep in mind here: the WHERE clause is trusted data from the policy store, so append only what the PDP returned and keep user-supplied values (account id, date ranges) as bind parameters; and a permit that carries an obligation is only valid once the obligation is discharged, so a PEP that cannot apply the returned filter must treat the decision as a deny.
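The three scenarios above hand the decision to an external PDP through the OpenAz/OES PEP API, so the policy side stays invisible. The block below is an added example, not code from the slides or from OpenAz/OES: it implements a small in-process PDP in plain Java (JDK 16 or later, for records) that models the slide-12 concepts (securable resources, entitlements as resource/action sets, application roles, policies with a context condition and obligations, deny-overrides combining) and a PEP-side helper that turns the Scenario 3 obligation into a row filter. The class and method names (MiniPdpDemo, Entitlement, Policy, Decision, decide, transactionsQuery, unionBank), the user gold.customer, the TransfersNavItem, CustomerServiceNavItem and InvestmentsNavItem resource names, the entitlement names other than BronzeAccountsNavEntitlement, the WHERE_CLAUSE obligation name and its SQL fragments are all this example's assumptions; AccountsNavItem, CreditScoreWidget, AccountTxns, jane.west, the view action and the FromInternet attribute come from the slides.

```java
import java.util.*;
import java.util.function.Predicate;

// Added example, not OpenAz/OES code: an in-process PDP built from the slide's concepts (securable
// resource, entitlement, application role, policy with condition and obligations) and the PEP side of
// an obligation. Names are this example's own except the slide's resource names, jane.west and FromInternet.
public class MiniPdpDemo {
    public enum Effect { PERMIT, DENY }

    /** Entitlement: a named collection of resource/action pairs, managed as one unit. */
    public record Entitlement(String name, Set<String> resources, Set<String> actions) {
        boolean covers(String resource, String action) {
            return resources.contains(resource) && actions.contains(action);
        }
    }
    /** Policy: binds an application role to an entitlement under a context condition, with obligations. */
    public record Policy(String role, Entitlement entitlement, Effect effect,
                         Predicate<Map<String, String>> condition, Map<String, String> obligations) {}
    /** Decision returned to the PEP: allowed flag plus obligations (name to value). */
    public record Decision(boolean allowed, Map<String, String> obligations) {}

    private final Map<String, Set<String>> userRoles = new HashMap<>();
    private final List<Policy> policies = new ArrayList<>();

    public void assignRole(String user, String role) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }
    public void addPolicy(Policy p) { policies.add(p); }

    /** Deny-overrides: any matching DENY wins; otherwise PERMIT if some policy matched; default is deny. */
    public Decision decide(String user, String action, String resource, Map<String, String> ctx) {
        Set<String> roles = userRoles.getOrDefault(user, Set.of());
        boolean permitted = false;
        Map<String, String> obligations = new LinkedHashMap<>();
        for (Policy p : policies) {
            if (!roles.contains(p.role()) || !p.entitlement().covers(resource, action)) continue;
            if (!p.condition().test(ctx)) continue;          // contextual rule, e.g. FromInternet
            if (p.effect() == Effect.DENY) return new Decision(false, Map.of());
            permitted = true;
            obligations.putAll(p.obligations());
        }
        return new Decision(permitted, permitted ? obligations : Map.of());
    }

    /** PEP side of Scenario 3: the WHERE fragment comes from the trusted policy store, never from request input. */
    public static String transactionsQuery(Decision d) {
        if (!d.allowed()) throw new SecurityException("DENY");
        String where = d.obligations().get("WHERE_CLAUSE");
        return "SELECT * FROM account_txns WHERE account_id = ?" + (where == null ? "" : " AND " + where);
    }

    /** Policy store for the AzUnionBank sample; gold.customer and the Nav items other than AccountsNavItem are assumed. */
    public static MiniPdpDemo unionBank() {
        MiniPdpDemo pdp = new MiniPdpDemo();
        pdp.assignRole("jane.west", "BronzeUser");
        pdp.assignRole("gold.customer", "GoldUser");
        Predicate<Map<String, String>> always = c -> true;
        Predicate<Map<String, String>> fromInternet = c -> "true".equals(c.get("FromInternet"));
        Entitlement bronzeNav = new Entitlement("BronzeAccountsNavEntitlement", Set.of(
                "AzUnionBank/UINavigationResource/AccountsNavItem",
                "AzUnionBank/UINavigationResource/TransfersNavItem",
                "AzUnionBank/UINavigationResource/CustomerServiceNavItem"), Set.of("view"));
        Entitlement creditWidget = new Entitlement("CreditScoreWidgetEntitlement",
                Set.of("AzUnionBank/UIWidget/CreditScoreWidget"), Set.of("view"));
        Entitlement txns = new Entitlement("AccountTransactionsEntitlement",
                Set.of("AzUnionBank/DataSetResType/AccountTxns"), Set.of("view"));
        pdp.addPolicy(new Policy("BronzeUser", bronzeNav, Effect.PERMIT, always, Map.of()));
        pdp.addPolicy(new Policy("BronzeUser", creditWidget, Effect.PERMIT, always, Map.of()));
        // Scenario 2: the same widget is denied when the request comes from an un-trusted network
        pdp.addPolicy(new Policy("BronzeUser", creditWidget, Effect.DENY, fromInternet, Map.of()));
        // Scenario 3: data security via obligation; Bronze sees two years of transactions, Gold five
        pdp.addPolicy(new Policy("BronzeUser", txns, Effect.PERMIT, always,
                Map.of("WHERE_CLAUSE", "txn_date >= CURRENT_DATE - INTERVAL '2' YEAR")));
        pdp.addPolicy(new Policy("GoldUser", txns, Effect.PERMIT, always,
                Map.of("WHERE_CLAUSE", "txn_date >= CURRENT_DATE - INTERVAL '5' YEAR")));
        return pdp;
    }

    public static void main(String[] args) {
        MiniPdpDemo pdp = unionBank();
        Map<String, String> intranet = Map.of();
        Map<String, String> internet = Map.of("FromInternet", "true");
        String nav = "AzUnionBank/UINavigationResource/", widget = "AzUnionBank/UIWidget/CreditScoreWidget";
        String data = "AzUnionBank/DataSetResType/AccountTxns";
        // Scenario 1: default view; InvestmentsNavItem is in no Bronze entitlement, so it falls to the default deny
        System.out.println("AccountsNavItem: " + pdp.decide("jane.west", "view", nav + "AccountsNavItem", intranet).allowed());
        System.out.println("InvestmentsNavItem: " + pdp.decide("jane.west", "view", nav + "InvestmentsNavItem", intranet).allowed());
        // Scenario 2: the credit score widget, first on the trusted network and then from the internet
        System.out.println("widget/intranet: " + pdp.decide("jane.west", "view", widget, intranet).allowed());
        System.out.println("widget/internet: " + pdp.decide("jane.west", "view", widget, internet).allowed());
        // Scenario 3: the PEP turns the obligation into a row filter on the transactions query
        System.out.println(transactionsQuery(pdp.decide("jane.west", "view", data, internet)));
        System.out.println(transactionsQuery(pdp.decide("gold.customer", "view", data, internet)));
    }
}
```

Compile and run the main method to see the six decisions. The deny-overrides loop in decide is what makes Scenario 2 work: the un-trusted-network DENY policy sits beside the PERMIT for the same widget and wins only when FromInternet is "true", while anything not covered by some entitlement falls through to the default deny, which is what gives Scenario 1 its restricted default view. For Scenario 3 the PEP concatenates only the fragment the PDP returned and keeps the account id as a bind parameter, so the row filter never comes from request input.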

    16/43

    Financials Application
    Implementation Summary

    All securable resources are declaratively secured in an external central policy store
    Administrators secure resources using declarative policies and rules
    Simple pass-through OpenAZ APIs enforce the security within the application; decisions are externalized. Oracle proposed the standards APIs, OpenAZ, which provide XACML Java binding APIs
    All run-time access to resources is audited by the PDP implicitly
    Administrators have full visibility into the application access policies and runtime activity

    17/43

    Benefits to Application Developers

    Well proven design pattern
    Developers rely on frameworks and tools to secure resources; hence security development cost is reduced
    Developers can focus on business logic
    Security logic is externalized and managed by administrators
    Application ready for cloud deployments as the application meets CSA and audit requirements
    Interoperates with Identity Management systems
    Developers not responsible for security breaches

    18/43

    Benefits to CSOs and IT Managers

    Administrators have full visibility into application security policies from a central dashboard
    Full control of who is allowed access to what resources within an application
    Make security policy changes as business rules change and make them effective immediately in the application runtime
    Application can integrate with already existing Identity Management services
    Can centrally manage the security controls of 1000s of applications
    Can see a full audit of the runtime system
    Satisfaction that application security is in good hands; hence, job security

    19/43

    Learn More

    20/43

    Webcast: Introducing Oracle Entitlements Server, July 14 10a PT. http://bit.ly/oes11g-webcast

    Webcast: Declarative Security for Mobile Apps, Aug 25 9a PT. http://bit.ly/mnKoX7

    Webcast: Declarative Security for Mobile Apps, Sep 7 9a PT. http://bit.ly/is3XAQ

    Register for Related Events
    21/43

    Useful Resources

    Download Financials Application: https://www.samplecode.oracle.com/sf/frs/do/downloadFile/projects.oracle_entitlements_server_11gr1/frs.unsupported_samples.11gr1/frs1059?dl=1

    Oracle Entitlements Server (whitepapers, product downloads, Javadocs): http://www.oracle.com/us/products/middleware/identity-management/oracle-entitlements-server/overview/index.html

    Oracle Platform Security Services (Fusion Middleware and Fusion Applications security framework; samples, presentations): http://www.oracle.com/technetwork/middleware/id-mgmt/index-100381.html?ssSourceSiteId=ocomen

    Identity Management Resource Library: http://www.oracle.com/us/products/middleware/identity-management/resource-library/index.html
    22/43

    Questions

    You may contact me at: [email protected]

    23/43

    Java Security Standards

    24/43

    Java Security Standards Initiatives

    OpenAz

    Java Identity API (JSR proposal)

    CARML/ArisID

    SAML Session Token (WAM token)

    25/43

    OpenAz Goals

    Provide a consistent model for applications and middleware to invoke access control
    Based upon the PEP definition given in the XACML specification
    Encourage creation of other language/framework bindings
    Reference implementation for the Java AzApi interface
    Java interface based on the XACML request-response model
    Explain how the AzApi interface can be mated with third-party policy engines
    Existing policy engines can implement this interface
    Support efficient processing, as providers can implement caching and other proprietary magic
    Details of local vs. remote processing hidden by the interface

    26/43

    PEP API: Java Construct Layer

    Responds to the concern that AzApi requires some knowledge of XACML specifics (data types, attribute categories and names)
    Java packages or frameworks may request authorization decisions using native objects, e.g. decide(user object, resource object, action object)
    Mapping of these native representations into lower-level AzApi forms is modeled separately

    27/43

    Externalized Attribute-based Access Control

    Diagram: Application, Middleware and Service each go through a PEP (and a Gateway PEP sits in front); the PEPs ask the Policy Engine (PDP), which evaluates Rules written over:
      groups and roles (manager, customer, ...)
      user attributes (zip code, citizenship, ...)
      resource attributes (creator, classification, ...)
      environment attributes (authN strength, ...)
    Policies are authored at the PAP.

    PEP - Policy Enforcement Point
    PAP - Policy Administration Point
    PDP - Policy Decision Point

    28/43

    Available OpenAz Components

    Definition of the Java AzApi interface
      Includes the PEP API layer
      Submitted to the XACML TC for standardization
      Joint work with Cisco and others (RSA)
    Implementation of AzApi with the SUN XACML library
      Available for use today
    XACML policy-creation tool: simplifies creation of XACML policy

    29/43

    Download information

    Complete project (AzApi interface, reference implementation, policy tool, Javadoc):
    http://openaz.svn.sourceforge.net/viewvc/openaz/ (download the GNU tarball)

    Javadoc only:
    http://openaz.svn.sourceforge.net/viewvc/openaz/azapi/doc/

    Apache 2.0 license

    Join the project! http://www.openliberty.org/wiki/index.php/Main_Page#OpenAz
    Mailing list and bi-weekly conference call
    30/43

    Java Identity API

    Ongoing work to create a Java standard (JSR) within the JCP: www.jcp.org
    Please join us to take the work forward!

    Diverse sources of identity data impose new requirements for identity data; this goes beyond a model based on a single IT directory
    Driven by new identity models: identity federation, Facebook, virtual directory
    Concerns about user consent, privacy and accountability

    Java Identity API: enhance Java
    31/43

    Java Identity API - Enhance Java to include

    Characteristic representation for identity attributes and meta-data such as issuer, TTL, use-constraints
    Uniform representation independent of source
    Programming model for applications to interact with and provide attributes (with meta-data)
    Programming model for applications to provide fine-grained context in access control
    Integration of enhancements with the existing Java security model

    32/43

    CARML/ArisID

    Declarative approach to obtaining identity attributes in applications
    Improves on lower-level approaches based on LDAP or JNDI
    Includes support for privacy assertions
    Based upon use of a CARML (Client Attributes Markup Language) manifest, which describes the identity needs of an application or group of applications
    Tools and services can use the manifest to provide attributes to the application
    Part of a broader standard called Identity Governance Framework: http://www.projectliberty.org/strategic_initiatives/identity_governance/?f=strategic_initiatives/identity_governance

    33/43

    ArisID open source project

    Open source implementation of CARML
    ArisID is a Java API suitable for Java application developers
    Complete open source stack now available
    Apache 2.0 license
    http://www.openliberty.org/wiki/index.php/ProjectAris
    Available in Oracle Virtual Directory 11g and also used in Oracle Fusion Middleware
    34/43

    Session Token Overview

    Standardized scheme for managing web server security session state
    First within Oracle products, then externally

    Benefits
    Lower costs/improve security for Oracle products
    Demonstrate industry leadership
    Foundation for interop with other vendors
    Provides a standard for session management
    More efficient; enables features like idle timeout

    35/43

    Project Summary

    Define a common WAM SSO token format and interface
    Implement the "pre-standard" across the AM suite
    Work with the community to standardize the token
    Converge to the final standard

    Status
    Design based on existing product requirements
    Implemented token library in Oracle Access Manager 11g
    OASIS SAML Session Token Profile awaiting final public review before reaching Committee Specification status
    Latest OASIS draft: http://www.oasis-open.org/committees/download.php/41975/saml-session-token-v1.0-wd07.pdf

    36/43

    Appendix: Proven Practices, Solutions, and Tools

    37/43

    Proven Practice: Oracle Platform Security Services (OPSS)

    Diagram: Java applications, SOAP/REST applications and cloud applications sit on top of OPSS. OPSS services: AuthN, AuthZ, IdM integration; Credentials & Keys; Audit; ID Profile; Trust; XML Security; Crypto, SSL; SSO/Tokens. Below OPSS sit the Security Service Providers (Identity, Policy and Credential Store providers backed by LDAP, Database or File) and the identity management systems: Entitlements Server, LDAP & Virtualization, Identity Provisioning.

    Copyright 2010, Oracle. All rights reserved. Oracle Confidential

    38/43

    Key Design Patterns Supported in OPSS

    Externalize identities
    Rely on a central audit framework
    Audit system identities usage and runtime access of resources
    Externalize user and role provisioning
    Standardize on identity propagation across SOA, REST, J2EE services
    Follow compliant encryption for credentials/keys
    Externalize token processing and creation
    Rely on web services security/token interceptors
    Follow standard LDAP and SSO integration frameworks across your applications

    39/43

    Benefits of OPSS

    Suite of security services - application enablement with a rich, secure, and compliant security platform
    Provides an abstraction layer to identity systems
    Rich set of APIs for the most common design patterns
    Works in conjunction with Java 2, J2EE, SOA, HTTP, JCE security standards
    Interoperates with Identity Management systems

    Reduce costs & rapidly respond to business demands
    Declarative security increases developer productivity by 50%
    The entire Fusion Middleware and Fusion Applications product lines build on top of OPSS

    40/43

    Oracle Entitlements Server (OES)

    Without OES
    Hard-coded security policies
    Brittle policy management
    Application policy silos

    With OES
    Externalized entitlements
    Agile business policies
    Centralized policy management

    41/43

    Native & Custom Integrations with OES

    Diagram: Portals and Content Management; App Servers & Dev Frameworks; Middleware; Identity Management; XML Gateways; Data Sources

    42/43

    Benefits of OES to Developers and Administrators

    Enhanced Security and Compliance
    Manage security from a single place
    Provides finer control over the protection of all resources
    Separates security decisions from application logic
    Offers robust auditing of events

    Increased IT Efficiency
    Centralizes security policy management
    Enables reuse and sharing of security services
    Frees developers up to focus on value-added business logic
    Integrates easily with identity and access management

    Better Business Agility
    An adaptable security service infrastructure that more closely models your business
    Respond faster to changing corporate, regulatory, market requirements
    Reduce time-to-market


    43/43

    Useful Resources

    Oracle Platform Security Services (Fusion Middleware and Fusion Applications security framework; samples, presentations): http://www.oracle.com/technetwork/middleware/id-mgmt/index-100381.html?ssSourceSiteId=ocomen

    Oracle Entitlements Server (whitepapers, product downloads, Javadocs): http://www.oracle.com/us/products/middleware/identity-management/oracle-entitlements-server/overview/index.html

    Identity Management Resource Library: http://www.oracle.com/us/products/middleware/identity-management/resource-library/index.html