
Securent Entitlement Management Solution

v 3.1 GA

SSPI Agent

September 2007

Part No. 31GA-SSPIAGENT-1

Copyright © 2004-2005 Securent, Inc. All Rights Reserved.

Restricted Rights Legend: This software and documentation are subject to and made available only pursuant to the terms of the Securent Inc. License Agreement and may be used or copied only in accordance with the terms of that agreement. It is against the law to copy the software except as specifically allowed in the agreement. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from Securent, Inc. THE SOFTWARE AND DOCUMENTATION ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. FURTHER, Securent DOES NOT WARRANT, GUARANTEE, OR MAKE ANY REPRESENTATIONS REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR WRITTEN MATERIAL IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY, OR OTHERWISE.

Securent Confidential

Contents

Introduction ........ 1
SSPI approach to protecting WebLogic Applications ........ 1
How to integrate SSPI-Agent into your application ........ 3
Sample <weblogic-resource> tags for supported resource types ........ 6
Example of a customized SSPI authorization process ........ 11
How to protect actions of a WebLogic portal ........ 15


Introduction

This document provides guidelines for the deployment of the SSPI Agent and explains in detail the features supported by the Securent customized Authorization provider for applications running in BEA WebLogic Server (v 9.2).

SSPI approach to protecting WebLogic Applications

WebLogic security providers are modules that "plug into" a WebLogic Server security realm to provide security services to applications. An Authorization provider determines whether access to a BEA WebLogic Server resource should be granted or denied. If the WebLogic security providers supplied with the WebLogic Server product do not fully meet your security requirements, you can supplement or replace them with custom security providers. WebLogic supports a number of security provider types; Securent implements the WebLogic Authorization Provider. This Authorization Provider can be used for protecting WebLogic Portal resources (i.e. Desktop, Books, Pages, Portlets), EJBs, JMS, Web Services, URL, JDBC and Server resources. Securent's implementation calls its decision APIs and returns the result that corresponds to the decision.

Securent implements the following SSPI framework method:

    public Result isAccessAllowed(Subject subject, Map roles, Resource resource, ContextHandler handler, Direction direction)

This method, in turn, calls the following Securent method:

    getDecisionsByAttributeValue(String subject, String resource, String action, Map environmentVar)

where:

- subject refers to the principal user. If there are multiple principals, the first principal is taken as the subject for this method.

- roles refers to the key/value pairs of the roles assigned to the principal user. The role key for this method must be wls_role. For example: key wls_role, value Admin.

- resource refers to the WebLogic resource being protected.

- action refers to the user privilege on the protected resource, e.g. edit, view, delete, etc.

- environmentVar holds the key/value pairs of the role details, group details, principal details and ContextHandler details. The values for these keys can be comma-separated multiple values, for example:

    key wls_role, value MedRecAdmin,Anonymous,Admin
    key wls_group, value Administrators,MedRecAdmins
    key wls_principal, value [email protected]
    context key HttpServletResponse, context value Http Request: /images/button_bg_hover.gif, Http Request: /images/login_patient.gif


Fig 1: Securent authorization process

The Securent authorization process is carried out in the following manner:

i) A user or system process requests a WebLogic resource for performing a given operation.

ii) The resource container, which handles the type of WebLogic resource being requested, receives the request (for example, the EJB container receives the request for a Portlet resource).

iii) The resource container calls the WebLogic Security Framework, passing in the subject, the WebLogic resource, and optionally the ContextHandler object (to provide additional input for the decision).

iv) The WebLogic Security Framework delegates the actual decision about whether the subject is entitled to perform the requested action on the WebLogic resource to the configured Authorization providers.

v) The Authorization providers' Access Decisions use various pieces of information about the request. They too construct a set of callback objects that represent the type of information being requested.

vi) The isAccessAllowed method of each configured Authorization provider's Access Decision is called to determine if the subject is authorized to perform the requested access, based on the subject, WebLogic resource, and action. Each isAccessAllowed method can return one of two values:

- PERMIT indicates that the requested access is permitted.
- DENY indicates that the requested access is explicitly denied.

How to integrate SSPI-Agent with your application

Below is the step-by-step procedure for integrating the Securent SSPI Agent with your application:

1) Unzip the following distribution (as per your requirement) into your system:

- V31Beta_SSPI_With_Dependent_Jars_20070810.zip: Use this distribution if you want the PAP, SSPI and other components to be available in a common jar file.

- V31Beta_SSPI_With_Consolidated_Jars_20070810.zip: Use this distribution if you want the PAP, SSPI and other components to be available as individual jar files.

2) From the unzipped folder, copy SecurentAuthorizer.jar into the $BEA_HOME\weblogic92\server\lib\mbeantypes folder.

3) Open the pep_config.xml located in the unzipped folder and update the <sspi-config> tag, followed by the <record> tag, as given below, depending on your application-specific requirements.

Sample <sspi-config> tag:

    <sspi-config>
      <app-group name="Prime groupone">
        <enterprise-application name="portalApp">
          <web-application name="groupspace">
            <weblogic-resource type="wlp" enableaction="true">*</weblogic-resource>
            <subject source="header" attributename="referer"/>
            <http-headers>
              <headername>*</headername>
            </http-headers>
            <session-attribute>
              <attributename>*</attributename>
            </session-attribute>
          </web-application>
        </enterprise-application>
      </app-group>
    </sspi-config>
    <record>true</record>

- Update the <app-group name=> tag with the name of the application group from your PAP, such as:

    <app-group name="AppGroupOne">

  where AppGroupOne is the name of the application group.

- Update the <enterprise-application name=> tag with the name of the enterprise application which needs to be checked for entitlement, such as:

    <enterprise-application name="MyPortal">

  where MyPortal is the name of the enterprise application.

- Update the <web-application name=> tag with the name of the web application which needs to be checked for entitlement, such as:

    <web-application name="WebAppOne">

  where WebAppOne is the name of the web application.

- Update the <weblogic-resource> tag with the following modifications:

  Set the WebLogic resource type attribute. The possible values are 'wlp', 'ejb', 'webservices', 'jdbc', 'jms', 'url' and 'svr'.

  Set the enableaction attribute to true or false. If it is set to 'true', additional information is taken from the WebLogic resource type as resource actions for checking entitlement using Securent (see "How to protect actions of a WebLogic portal" below for how portal actions are protected).

  Update the resource names which need to be checked for entitlement. The value can be a single resource name, multiple resource names separated by commas, or '*' representing all the resources of the type given in the weblogic-resource type attribute. See "Sample <weblogic-resource> tags for supported resource types" below.

  Note: The <subject> tag is used to provide additional input for URL resources; details are given in the sample <weblogic-resource> tag for the URL resource type.

- The <record> tag was introduced in Securent v 3.0. If you are using any earlier version of Securent, this tag has no meaning. The <record> tag can be set to either true or false. Setting it to true results in the automatic creation of resources if they are not found during decision making; this assumes that an Application group and an Application with the same names as given in the <sspi-config> tag already exist in the Securent PAP. If you do not want these resources to be created, set the tag to false.

4) After the aforesaid changes are made, copy pep_config.xml to the portal server folder from which you start WebLogic (i.e. the folder where the startWLS.cmd or startWeblogic.cmd file exists). For example, if you set up entitlement for an application called MyPortal, copy the config file to the $BEA_HOME\weblogic92\samples\domains\MyPortal folder.

5) Start the WebLogic server (startWeblogic.cmd).

6) Open the WebLogic server admin console (for example http://localhost:7001/console).

7) Under the Security option, open \Realms\myRealm\Providers\Authorization.

8) Click 'Lock and Edit' in the left-hand pane.

9) Configure a new Authorizer named Securent Authorizer and select SSPIAuthorizer from the drop-down list:

    Name: Securent Authorizer
    Type: SSPIAuthorizer

10) While deploying any application or module, select 'Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console' for the security model.

11) Before restarting the server, copy the jar files bundled with your chosen distribution into the lib folder of your application domain:

- If you are using V31Beta_SSPI_With_Dependent_Jars_20070810.zip, copy axis.jar, axis-ant.jar, commons-discovery-0.2.jar, log4j-1.2.5.jar, commons-logging-1.0.4.jar, jaxrpc.jar, soap.jar, saaj.jar and wsdl4j-1.5.1.jar to the lib folder of your application domain (i.e. the $BEA_HOME\weblogic92\samples\domains\portal\lib folder).

- If you are using V31Beta_SSPI_With_Consolidated_Jars_20070810.zip, copy pep.jar, papclient.jar, Securent_Commons.jar, axis-ant.jar and log4j-1.2.14.jar to the lib folder of your application domain (i.e. the $BEA_HOME\weblogic92\samples\domains\portal\lib folder).

12) Open the $BEA_HOME\weblogic92\samples\domains\portal\config.xml file and update the <security-configuration> tag by adding the <enforce-valid-basic-auth-credentials> parameter set to false. Below is a sample <security-configuration> tag with the added parameter as its last element:

    <security-configuration xmlns:xacml="http://www.bea.com/ns/weblogic/90/security/xacml">
      <name>securentdomain</name>
      <realm>
        <sec:authentication-provider xsi:type="wls:default-authenticatorType"/>
        <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
          <sec:active-type>AuthenticatedUser</sec:active-type>
        </sec:authentication-provider>
        <sec:role-mapper xsi:type="xacml:xacml-role-mapperType"/>
        <sec:authorizer xsi:type="xacml:xacml-authorizerType"/>
        <sec:adjudicator xsi:type="wls:default-adjudicatorType"/>
        <sec:credential-mapper xsi:type="wls:default-credential-mapperType"/>
        <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"/>
        <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
        <sec:name>myrealm</sec:name>
      </realm>
      <default-realm>myrealm</default-realm>
      <credential-encrypted>{3DES}D5j+jbAEFe82UleGqDZFJCDkNbNGUiSteD7PF8xPbZ8stVQ0zqgX6/d21ffaxmTY14kV2JwhX6fDWsHLCKdCW3ZYs9vKlrDC</credential-encrypted>
      <node-manager-username>weblogic</node-manager-username>
      <node-manager-password-encrypted>{3DES}EJN/pQk194Aw+0gQzqZf8w==</node-manager-password-encrypted>
      <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
    </security-configuration>

What is the <enforce-valid-basic-auth-credentials> flag?

For WebLogic Server versions 9.2 and later, client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource. The setting of the Security Configuration MBean flag enforce-valid-basic-auth-credentials determines this behavior. (The DomainMBean can return the new Security Configuration MBean for the domain.) It specifies whether or not the system should allow requests with invalid HTTP BASIC authentication credentials to access unsecured resources.

Note: The Security Configuration MBean provides domain-wide security configuration information. The enforce-valid-basic-auth-credentials flag affects the entire domain.

The enforce-valid-basic-auth-credentials flag is true by default, and WebLogic Server authentication is performed. If authentication fails, the request is rejected. WebLogic Server must therefore have knowledge of the user and password. You may want to change the default behavior if you rely on an alternate authentication mechanism. For example, you might use a backend web service to authenticate the client, and WebLogic Server does not need to know about the user. With the default authentication enforcement enabled, the web service can do its own authentication, but only if WebLogic Server authentication first succeeds. If you explicitly set the enforce-valid-basic-auth-credentials flag to false, WebLogic Server does not perform authentication for HTTP BASIC authentication client requests for which access control was not enabled for the target resource.

13) Add the system property securent.agentconfig to JAVA_PROPERTIES in setDomainEnv.cmd to specify the pep_config.xml path. For example:

    set JAVA_PROPERTIES=-Dsecurent.agentconfig=$BEA_HOME/weblogic92/samples/domains/portal/pep_config.xml

14) Restart the WebLogic server.

15) The PAP and PDP to which your SSPI agent connects should already be running.

16) On restart of the WebLogic server, if the agent is initialized properly it displays the message "SSPI SecurentAuthorizationProvider initialized".

17) Now you are ready to check entitlements for your application. If the subject has access to the resource, the agent returns PERMIT and displays the message "The user is entitled to perform the operation"; otherwise it returns DENY with the message "The user is not entitled to perform the operation".

Note: Creating WebLogic portal resources in the Securent PAP (WLP_Resource_Discovery):

i) Copy the portal definition file (the groupspace.community or .portal file) to the current folder and rename it resource.xml.

ii) Place SecurentAuthorizer.jar, papclient.jar and Securent_Commons.jar in the classpath.

iii) Copy pep_config.xml to the current folder. (Note that this file should contain only one enterprise-application tag and one web-application tag.)

iv) Run the runresourcediscoverywlp.bat file.

Sample <weblogic-resource> tags for supported resource types

i. If the resource is of type 'WebLogic portal'

    <weblogic-resource type="wlp" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. This means all portal resource types (e.g. Portlets, Pages, Desktop, Book) will be checked for entitlement. You can restrict the tag to one or more resource types by giving their names separated by commas. For example, if you want only portlets and pages to be protected, the tag must be updated as:

    <weblogic-resource type="wlp" enableaction="true">Portlet,Page</weblogic-resource>

For a given WebLogic portal, the resources are identified in the following manner:

    type=<wlp>, EntApp=portalApp, Webapp=groupspace, Resource=Portlet communitySamplePortal Discussion_Portlet_1, Capability=maximized

In Securent, portalApp will be the Application, groupspace/Discussion_Portlet_1 will be the resource hierarchy and maximized will be the Action if enableaction is set to true.

Note: If you are using Securent v 1.5, then groupspace will be the Application, Discussion_Portlet_1 will be the Resource and maximized will be the Action.

For the above-mentioned application and resources, the following resource structure must be maintained in the <sspi-config> tag of pep_config.xml:

    <enterprise-application name="portalApp">
      <web-application name="groupspace">
        <weblogic-resource type="wlp" enableaction="false">*</weblogic-resource>
      </web-application>
    </enterprise-application>

ii. If the resource is of type 'EJB'

    <weblogic-resource type="ejb" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. This means all the EJBs are checked for entitlement. You can also give a single EJB, or multiple EJBs separated by commas, as the tag value. If the enableaction attribute is set to 'true', all the EJB methods will be considered as resource actions.

For a given EJB resource, the resources are identified in the following manner:

    type=<ejb>, application=MedRecEAR, module=sessionEjbs, ejb=RecordSessionEJB, method=create, methodInterface=Home, signature={}

In Securent, MedRecEAR will be the Application, sessionEjbs/RecordSessionEJB will be the resource hierarchy and create will be the Action.

For the above-mentioned application and resources, the following resource structure must be maintained in the <sspi-config> tag of pep_config.xml:

    <enterprise-application name="MedRecEAR">
      <web-application name="sessionEjbs">
        <weblogic-resource type="ejb" enableaction="true">*</weblogic-resource>
      </web-application>
    </enterprise-application>


iii. If the resource is of type 'webservices'

    <weblogic-resource type="webservices" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. If the enableaction attribute is set to 'true', all the web service methods will be considered as resource actions and hence can be entitled using Securent.

For a given web service, the resources are identified in the following manner:

    type=<webservices>, application=webservicesJwsSimpleEar, contextPath=/jws_basic_simple, webService=SimpleSoapPort, method=sayHello, signature={java.lang.String}

In this case, webservicesJwsSimpleEar will be the Application, jws_basic_simple/SimpleSoapPort will be the resource hierarchy and sayHello will be the Action in Securent.

For the above-mentioned application and resources, the following resource structure must be maintained in the <sspi-config> tag of pep_config.xml:

    <enterprise-application name="webservicesJwsSimpleEar">
      <web-application name="/jws_basic_simple">
        <weblogic-resource type="webservices" enableaction="true">*</weblogic-resource>
      </web-application>
    </enterprise-application>

iv. If the resource is of type 'jdbc'

    <weblogic-resource type="jdbc" enableaction="true">*</weblogic-resource>

You can set the value of <weblogic-resource> to "*" to check entitlement for all JDBC resources, or provide multiple resource names separated by commas.

For a given JDBC resource, the resources are identified in the following manner:

    type=<jdbc>, application=MedRecEAR, module=MedRecAppScopedDataSourceXA, resourceType=ConnectionPool, resource=MedRecDataSourceXA, action=reserve

In this case, MedRecEAR will be the Application in Securent, MedRecAppScopedDataSourceXA/ConnectionPool/MedRecDataSourceXA will be the resource hierarchy and reserve will be the Action.

For the above-mentioned application and resources, the following resource structure must be maintained in the <sspi-config> tag of pep_config.xml:

    <enterprise-application name="MedRecEAR">
      <web-application name="MedRecAppScopedDataSourceXA">
        <weblogic-resource type="jdbc" enableaction="true">*</weblogic-resource>
      </web-application>
    </enterprise-application>


v. If the resource is of type 'JMS'

    <weblogic-resource type="jms" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. If the enableaction attribute is set to 'true', 'send' and 'receive' will be considered as resource actions and hence can be entitled using Securent.

For a given JMS resource type, the resources are identified in the following manner:

    type=<jms>, application=MedRecEAR, destinationType=queue, resource=XML_UPLOAD_MDB_QUEUE, action=receive

In this case, MedRecEAR will be the Application, queue/XML_UPLOAD_MDB_QUEUE will be the resource hierarchy and receive will be the Action in Securent.

For the above-mentioned application and resources, the following resource structure must be maintained in the <sspi-config> tag of pep_config.xml:

    <enterprise-application name="MedRecEAR">
      <web-application name="queue">
        <weblogic-resource type="jms" enableaction="true">*</weblogic-resource>
      </web-application>
    </enterprise-application>

vi. If the resource is of type 'URL'

    <weblogic-resource type="url" enableaction="true">*</weblogic-resource>
    <subject source="header" attributename="referer"/>
    <http-headers>
      <headername>*</headername>
    </http-headers>
    <session-attribute>
      <attributename>*</attributename>
    </session-attribute>

Here, the value of this tag is set to *. If the enableaction attribute is set to 'true', all the HTTP methods will be considered as resource actions and hence can be entitled using Securent. The user can also provide additional information to the SSPI agent by configuring the following tags:

In the <subject> tag, source can be either header or session. If the source is header, the value of the referrer will be taken from the HTTP header. If the source is session, the value of the referrer will be taken from the session.

Whatever values are given in the <http-headers> and <session-attribute> tags will be passed as environment attributes. The value can be set to * (to read all attributes present in the header or session) or to one or more attribute names separated by commas.

For a given URL resource type, the resources are identified in the following manner:

    type=<url>, application=MedRecEAR, contextPath=/patient, uri=/record.do, httpMethod=GET

In this case, MedRecEAR will be the Application in Securent, patient/record.do will be the resource hierarchy and GET will be the Action.

For the above-mentioned application and resources, the following resource structure must be maintained in the <sspi-config> tag of pep_config.xml:

    <enterprise-application name="MedRecEAR">
      <web-application name="/patient">
        <weblogic-resource type="url" enableaction="true">*</weblogic-resource>
      </web-application>
    </enterprise-application>

vii. If the resource is of type 'JNDI'

    <weblogic-resource type="jndi" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. If the enableaction attribute is set to 'true', the JNDI resource actions will be considered as resource actions and hence can be entitled using Securent.

For a given JNDI resource type, the resources are identified in the following manner:

    type=<jndi>, application=, path={TesterEJB}, action=lookup

In this case, ServerApp will be the Application in Securent, TesterEJB will be the resource hierarchy and lookup will be the Action.

For the above-mentioned application and resources, the following resource structure must be maintained in the <sspi-config> tag of pep_config.xml:

    <enterprise-application name="ServerApp">
      <web-application name="ServerApp">
        <weblogic-resource type="jndi" enableaction="true">*</weblogic-resource>
      </web-application>
    </enterprise-application>

viii. If the resource is of type 'Server'

    <weblogic-resource type="svr" enableaction="true">*</weblogic-resource>

Here, the value of this tag is set to *. If the enableaction attribute is set to 'true', 'boot' will be considered as an action and hence can be entitled using Securent.

For a given Server resource type, the resources are identified in the following manner:

    type=<svr>, application=, server=AdminServer, action=boot

In this case the application name is null; whenever the resource type is Server, 'ServerApp' is taken as the Application by default, AdminServer will be the resource and boot will be the Action in Securent.

For the above-mentioned application and resources, the following resource structure must be maintained in the <sspi-config> tag of pep_config.xml:

    <enterprise-application name="ServerApp">
      <web-application name="ServerApp">
        <weblogic-resource type="svr" enableaction="true">*</weblogic-resource>
      </web-application>
    </enterprise-application>
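The <sspi-config> scoping rules from the integration steps and the per-type identification rules listed in the samples above, as an added example in Python that is not part of the Securent agent: it maps a WebLogic resource identifier to the Securent Application, resource hierarchy and Action, then checks whether a constructed pep_config.xml fragment covers it. The <pep-config> root element is assumed (the document never shows the root), and the rule for splitting the wlp Resource value into resource type and name is inferred from the single wlp example above.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The document shows <sspi-config> and <record> side by side
# but never the root element, so the <pep-config> wrapper is an assumption.
SAMPLE_PEP_CONFIG = """<pep-config><sspi-config><app-group name="Prime groupone">
 <enterprise-application name="MedRecEAR">
  <web-application name="/patient">
   <weblogic-resource type="url" enableaction="true">*</weblogic-resource>
  </web-application>
  <web-application name="sessionEjbs">
   <weblogic-resource type="ejb" enableaction="false">RecordSessionEJB</weblogic-resource>
  </web-application>
 </enterprise-application>
 <enterprise-application name="portalApp">
  <web-application name="groupspace">
   <weblogic-resource type="wlp" enableaction="true">Portlet,Page</weblogic-resource>
  </web-application>
 </enterprise-application>
</app-group></sspi-config><record>true</record></pep-config>"""

# Application the agent uses when WebLogic passes an empty application name
# (JNDI and Server resources), as stated in the document.
DEFAULT_APP = "ServerApp"

def parse_resource_id(line):
    """Split 'type=<url>, application=MedRecEAR, uri=/record.do, ...' into a dict.
    Values are assumed not to contain commas (true for every example here)."""
    fields = {}
    for part in line.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip()
    fields["type"] = fields["type"].strip("<>")
    return fields

def to_securent(f):
    """Return (application, web-application name, name the tag must list,
    resource hierarchy, action) for one parsed WebLogic resource identifier."""
    t = f["type"]
    app = f.get("application") or f.get("EntApp") or DEFAULT_APP
    if t == "wlp":
        # 'Resource=Portlet communitySamplePortal Discussion_Portlet_1': first token
        # is the portal resource type the tag lists (Portlet, Page, ...), last token
        # is the resource name. Inferred from the document's single wlp example.
        tokens = f["Resource"].split()
        hier = f["Webapp"] + "/" + tokens[-1]
        return app, f["Webapp"], tokens[0], hier, f.get("Capability")
    if t == "ejb":
        hier = f["module"] + "/" + f["ejb"]
        return app, f["module"], f["ejb"], hier, f.get("method")
    if t == "webservices":
        hier = f["contextPath"].strip("/") + "/" + f["webService"]
        return app, f["contextPath"], f["webService"], hier, f.get("method")
    if t == "jdbc":
        hier = "/".join((f["module"], f["resourceType"], f["resource"]))
        return app, f["module"], f["resource"], hier, f.get("action")
    if t == "jms":
        hier = f["destinationType"] + "/" + f["resource"]
        return app, f["destinationType"], f["resource"], hier, f.get("action")
    if t == "url":
        hier = f["contextPath"].strip("/") + "/" + f["uri"].lstrip("/")
        return app, f["contextPath"], f["uri"], hier, f.get("httpMethod")
    if t == "jndi":
        path = f["path"].strip("{}")
        return app, DEFAULT_APP, path, path, f.get("action")
    if t == "svr":
        return app, DEFAULT_APP, f["server"], f["server"], f.get("action")
    raise ValueError("unsupported weblogic-resource type: " + t)

def check_scope(config_xml, resource_line):
    """Return (in_scope, application, hierarchy, action); out of scope gives
    (False, None, None, None). action is None when the matching tag has
    enableaction="false" (the document does not say what is sent in that case)."""
    f = parse_resource_id(resource_line)
    app, webapp, name, hierarchy, action = to_securent(f)
    root = ET.fromstring(config_xml)
    for ea in root.iter("enterprise-application"):
        if ea.get("name") != app:
            continue
        for res in ea.findall("web-application[@name='%s']/weblogic-resource" % webapp):
            names = [n.strip() for n in (res.text or "").split(",")]
            if res.get("type") == f["type"] and ("*" in names or name in names):
                enabled = res.get("enableaction", "").lower() == "true"
                return True, app, hierarchy, (action if enabled else None)
    return False, None, None, None
```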

Example of a customized SSPI authorization process:

1. Log in to the sample portal running in the WebLogic server. The username entered in the login page will be taken as the 'subject' in the authorization request.

   Note: In the absence of the subject (i.e. if the subject is null), the subject will be considered to be "wls_anonymous_user".

2. The Sample portal contains three portlets:

   a. BEAPortlet
   b. Dev2Dev
   c. Secportlet


3. Assume that the necessary arrangements are made in the Securent Administration Console by creating a resource hierarchy with Sample Portal as the Application and the portlets as resources. In order to control access to all or any of the portlets of the sample portal, configure the entitlement policies by defining 'Allow' policies on all the portlets from the 'UserBased' screen, as shown in the figure below:

This setting will reflect in the Sample portal in the following way:


You can view all the portlets in the portal.

Set ‘Deny’ policy on secportlet.portlet in the Securent Admin Console as shown below:


This setting results in secportlet.portlet no longer being available in the Sample Portal.

Similarly, set ‘Deny’ policies on secportlet.portlet and dev2dev.portlet in the Securent Admin Console (as shown below):

As a result, the user cannot access the selected portlets in the Sample Portal.


In this way the authorization process is done by customizing the SSPI in the WebLogic server using Securent for protecting resources like Portlets, Pages, Books, Desktop and EJB.

How to protect actions of a WebLogic portal:

The Securent SSPI Agent can be used to protect the actions (modes) of a WebLogic portal. With the help of the Securent Administration console, you can control the use of a few of the actions available in the portal. A WebLogic portal can have various actions (the figure below shows a few of them). At present, you can control access to the actions View, Edit, Delete, Minimize and Maximize only. You cannot control other actions such as Help, Float, etc.


In order to use this feature of the Securent SSPI Agent, you must create these actions under the corresponding portal in the resource tree in the Securent administration console (as shown below).

You must define an Allow or Deny policy on each action; the effects are given in the following table:

Action    Allow                                                        Deny
Minimize  User can minimize the portlet using this button              The user cannot view the minimize button.
Maximize  User can maximize the portlet using this button              The user cannot view the maximize button.
Edit      User can edit the content of the portlet using this button   The user cannot view the edit button.
Delete    User cannot view the portlet using this button               The user cannot view the delete button.
View      User can view the contents of the portlet using this button  The user cannot view the view button.
