Java EE Application Security With PicketLink

Pedro Igor
DESCRIPTION

In this presentation we will take a look at PicketLink, a security framework for Java EE and learn how its identity management, authentication and authorization features can be used to address the security requirements for all aspects of application development.

What is PicketLink?

● Umbrella project for security-related projects
● Open and security standards
● Each project focuses on a specific security aspect
  – Federation
  – Application Security
  – Security as a Service (SecaaS)
● Toolbox for application security
● Apache License v2

About PicketLink

● Java EE security alternative for authentication and authorization
● First-class support for CDI
● Identity Management API
● Web and REST security / Servlet API integration
● JWT and JOSE token support
● Social authentication
● Federation protocols: SAML v1 and v2, OAuth, OpenID and WS-Trust STS
● Security for cloud-based applications
● Plenty of example applications (quickstarts)

Page 4: Java EE Application Security With PicketLink

Reduce Design Flaws● Covers the most common security concepts in a simple and easy to

use API– How to represent identities ? Users, roles, groups, applications, etc.

– How to authenticate and authorize ?

– How to protect my application resources ? Beans, pages, servlets, REST endpoints, etc.

– How to consume and produce security tokens ?

– How to enable Single Sign-On across different applications ?

● Focus on flexibility for specific security requirements

Java EE Application Security With PicketLink

Agenda

● Identity Management
● Http Security
● Authentication
● Authorization
● Identity stores: DB, LDAP, BYO (Build Your Own) Security

Configuration

● Configure the PicketLink BOM (Bill of Materials) and dependencies
● Listen to an event to configure behavior:

```java
import javax.enterprise.event.Observes;

import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

public void onInit(@Observes SecurityConfigurationEvent event) {
    SecurityConfigurationBuilder builder = event.getBuilder();

    builder
        .identity()   // the identity bean options
        .idmConfig()  // identity management options
        .http();      // http and web security options
}
```

Authentication

● Single method invocation

```java
credentials.setCredential(anyCredentialType);
identity.login();

if (identity.isLoggedIn()) {
    // user is now authenticated
}

identity.logout();
```

● Useful events are fired during the authentication
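As an added example (not from the slides), here is a complete CDI bean that drives the credentials / identity.login() flow above and observes two of the events PicketLink fires during authentication. The class name LoginController and the audit logging are assumptions; the PicketLink types are the ones the deck names.

```java
import java.util.Arrays;
import java.util.logging.Logger;

import javax.enterprise.context.RequestScoped;
import javax.enterprise.event.Observes;
import javax.inject.Inject;
import javax.inject.Named;

import org.picketlink.Identity;
import org.picketlink.authentication.AuthenticationException;
import org.picketlink.authentication.event.LoggedInEvent;
import org.picketlink.authentication.event.LoginFailedEvent;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.credential.Password;

// Added example, not part of the original slides. The class name is an assumption.
@Named
@RequestScoped
public class LoginController {

    private static final Logger LOG = Logger.getLogger(LoginController.class.getName());

    @Inject
    private Identity identity;

    @Inject
    private DefaultLoginCredentials credentials;

    /**
     * Single-method authentication as on the slide: populate the credentials bean,
     * call identity.login(), then inspect the result. Returns true on success.
     * The caller gets no hint whether the user id or the password was wrong,
     * so the failure path looks the same in both cases.
     */
    public boolean login(String userName, char[] password) {
        if (identity.isLoggedIn()) {
            return true;                       // already authenticated in this scope
        }

        credentials.setUserId(userName);
        credentials.setCredential(new Password(password));

        boolean success;
        try {
            success = identity.login() == Identity.AuthenticationResult.SUCCESS;
        } catch (AuthenticationException e) {  // e.g. a locked or disabled account
            success = false;
        } finally {
            // drop the clear-text credential as soon as the authenticator has used it
            credentials.invalidate();
            Arrays.fill(password, '\0');
        }
        return success;
    }

    public void logout() {
        if (identity.isLoggedIn()) {
            identity.logout();                 // fires the logout events as well
        }
    }

    /** Identifier of the authenticated account, or null when nobody is logged in. */
    public String currentAccountId() {
        return identity.isLoggedIn() ? identity.getAccount().getId() : null;
    }

    // Two of the events fired during authentication, used here as audit hooks.

    public void onLoggedIn(@Observes LoggedInEvent event) {
        LOG.info("login succeeded for account " + identity.getAccount().getId());
    }

    public void onLoginFailed(@Observes LoginFailedEvent event) {
        // record the attempted user id, never the submitted credential
        LOG.warning("login failed for user id " + credentials.getUserId());
    }
}
```

The observers live in the same bean only for brevity; in a real application a dedicated audit bean would observe these events so that failed attempts can be counted and alerted on independently of the login page.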

Authentication Flow

(diagram on the original slide; not reproduced in the text)

Identity Bean

● CDI bean representing the authenticated user and acting as a central point for authentication, logout and permissioning

```java
private @Inject Identity identity;
```

● Authentication scope. Defaults to session scope, but you can change that:

```java
builder.identity().scope(RequestScoped.class)
```

● Stateless can be used with REST to consume security tokens
● It may be exposed as a service
  – Expose through Servlet, JAX-RS, JAX-WS, EJB ...

Authenticator

● A CDI bean that understands one or more credential types and how to perform authentication
● By default, PicketLink uses an IdmAuthenticator
  – Fully integrated with PicketLink IDM
● Write your own
● You can choose between different authenticators at runtime

Authenticator Example

```java
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;

import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;

@RequestScoped
@PicketLink
public class CustomAuthenticator extends BaseAuthenticator {

    @Inject
    private DefaultLoginCredentials credentials;

    @Override
    public void authenticate() {
        // validCredentials() and loadAccount() are application-specific and not shown on the slide
        if (validCredentials()) {
            setStatus(AuthenticationStatus.SUCCESS);
            setAccount(loadAccount());
        }
    }
}
```

Credentials

● Provide what you need to verify user authenticity
● Usually define which authentication mechanism is going to be used
● Built-in credential types
  – Username/Password, TOTP, DIGEST, X509, TOKEN
● Token-based credentials can be used to
  – Produce and consume your own tokens
  – Consume tokens from 3rd-party Identity Providers, e.g. SAML, OpenID, CAS
● You can always write your own credential types. Just remember to also provide the corresponding Authenticator.

Credential Example

```java
public class UsernamePasswordCredentials extends AbstractBaseCredentials {

    private String userName;
    private String password;

    // getters and setters
}
```
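The three preceding slides (Authenticator, Credentials, Credential Example) describe one unit of work: a custom credential type plus the Authenticator that understands it. The following is an added example of that pairing, not code from the slides or from PicketLink: an opaque API key credential and an authenticator that verifies it. ApiKeyCredentials, ApiKeyAuthenticator and the in-memory key table are assumptions made for illustration; the PicketLink base classes and the BasicModel lookup are real APIs of the framework.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;

import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.AbstractBaseCredentials;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.User;

/** Custom credential type (assumption): an opaque API key presented by a client. */
class ApiKeyCredentials extends AbstractBaseCredentials {
    private final String apiKey;

    ApiKeyCredentials(String apiKey) {
        this.apiKey = apiKey;
    }

    String getApiKey() {
        return apiKey;
    }
}

/** The Authenticator that goes with the credential type above (assumption). */
@RequestScoped
@PicketLink   // selects this bean as the authenticator PicketLink invokes
public class ApiKeyAuthenticator extends BaseAuthenticator {

    // Stand-in for a real store, keyed by login name and holding SHA-256(api key).
    // Only the digest is kept, so a leaked table does not yield usable keys.
    // The single entry is constructed for this example.
    private static final Map<String, byte[]> KEY_TABLE = new HashMap<>();
    static {
        KEY_TABLE.put("jduke", sha256("example-key-not-a-real-secret"));
    }

    @Inject
    private DefaultLoginCredentials credentials;

    @Inject
    private IdentityManager identityManager;

    @Override
    public void authenticate() {
        Object credential = credentials.getCredential();

        // fail closed: accept only the credential type this authenticator understands
        if (!(credential instanceof ApiKeyCredentials)) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        byte[] presented = sha256(((ApiKeyCredentials) credential).getApiKey());
        String loginName = lookup(presented);
        User user = loginName == null ? null : BasicModel.getUser(identityManager, loginName);

        // unknown key and disabled account take the same path: no detail leaks to the caller
        if (user == null || !user.isEnabled()) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        setAccount(user);
        setStatus(AuthenticationStatus.SUCCESS);
    }

    /** Scans every entry with a constant-time digest comparison; returns the matching login name or null. */
    static String lookup(byte[] presented) {
        String match = null;
        for (Map.Entry<String, byte[]> entry : KEY_TABLE.entrySet()) {
            if (MessageDigest.isEqual(entry.getValue(), presented)) {
                match = entry.getKey();
            }
        }
        return match;
    }

    static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

A client would call credentials.setCredential(new ApiKeyCredentials(key)) followed by identity.login(), exactly as on the Authentication slide; because the authenticator sets FAILURE rather than leaving the status unset, an unrecognised credential type can never fall through as a success.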

Http Security

● Useful for web and RESTful applications
● Path-based protection
  – Authentication
  – Authorization
● URL rewriting
  – /demo-app/#{identity.account.id}
● Authentication schemes
  – FORM, DIGEST, BASIC, CLIENT-CERT, TOKEN
  – Write your own

```java
builder.http()
    .allPaths()
        .authenticateWith()
            .form()
        .authorizeWith()
            .role("Administrator")
    .forPath("/logout")
        .logout();
```

Multiple Authentication Paths

● Authenticate based on a specific path configuration

```java
builder.http()
    .forPath("/webpages/*")
        .authenticateWith()
            .form()
    .forPath("/rest/*")
        .withHeaders()
            .requestedWith("XMLHttpRequest")
        .authenticateWith()
            .token()
                .realmName("Ajax Requests Realm");
```

Path Groups

● Common policies may be enforced on different paths

```java
String adminPathGroup = "Admin Resources";

builder.http()
    .forGroup(adminPathGroup)
        .authenticateWith()
            .form()
        .authorizeWith()
            .group("Administrators")
    .forPath("/admin/*", adminPathGroup);
```
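The three Http Security slides each show one fragment of the builder. As an added example (not from the slides), here is one complete configuration observer that combines them: an authenticate-everything baseline, a header-selected token scheme for REST calls, a path group for the admin area and a logout endpoint. The paths, page names and the "Admin Resources" group are constructed; loginPage(), errorPage(), unprotected() and redirectTo() are builder methods the slides do not show and are assumed here.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// Added example, not part of the slides. Paths and page names are constructed.
@ApplicationScoped
public class HttpSecurityConfiguration {

    private static final String ADMIN_GROUP = "Admin Resources";

    public void configure(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                // baseline: every path requires an authenticated user (FORM login)
                .allPaths()
                    .authenticateWith()
                        .form()
                            .loginPage("/login.html")        // assumed builder method
                            .errorPage("/login-error.html")  // assumed builder method
                // the pages the login itself needs must stay reachable
                .forPath("/login.html").unprotected()        // assumed builder method
                .forPath("/login-error.html").unprotected()
                // AJAX/REST clients, recognised by request header, use token authentication
                .forPath("/rest/*")
                    .withHeaders()
                        .requestedWith("XMLHttpRequest")
                    .authenticateWith()
                        .token()
                            .realmName("Ajax Requests Realm")
                // path group: one policy enforced on every path attached to it
                .forGroup(ADMIN_GROUP)
                    .authenticateWith()
                        .form()
                    .authorizeWith()
                        .group("Administrators")
                .forPath("/admin/*", ADMIN_GROUP)
                .forPath("/admin/reports/*", ADMIN_GROUP)
                // explicit logout endpoint
                .forPath("/logout")
                    .logout()
                        .redirectTo("/login.html");          // assumed builder method
    }
}
```

Starting from allPaths() and then opening individual paths keeps the policy deny-by-default: a new servlet or REST endpoint added later is protected until someone deliberately configures it otherwise.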

PicketLink Identity Management API

● What is it?
  – Build Your Own Security Model
  – Identity and Access Management API
  – Built-in identity stores:
    ● LDAP, Relational Database, Filesystem, Token, Mixed
    ● Write your own
  – Multi-tenancy
  – Flexible identity model

Identity Model Example

● Custom Identity Model Guide
  – http://picketlink.org/gettingstarted/custom_idm_model/
● Common requirements for SaaS
  – Realm
  – User
  – Application
  – Global and Application Roles
  – Global and Application Groups

Basic Identity Model

● Out-of-the-box implementation for very simple use cases
● You are not forced to use it
● Helps you quickly evaluate PicketLink features
● In real-world use cases you would prefer writing your own Identity Model

Example Code

```java
import javax.inject.Inject;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.model.basic.Grant;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;
import org.picketlink.idm.query.RelationshipQuery;

private @Inject IdentityManager identityManager;
private @Inject RelationshipManager relationshipManager;

public void addUser(String userName, String password) {
    User john = new User(userName);

    // add user
    identityManager.add(john);

    // named 'credential' so it does not collide with the 'password' parameter
    Password credential = new Password(password);

    // update credential
    identityManager.updateCredential(john, credential);
}

public void addRole(String roleName) {
    Role manager = new Role(roleName);

    // add role
    identityManager.add(manager);
}

public void grantRole(User assignee, Role role) {
    Grant grant = new Grant(assignee, role);

    // create relationship, granting role to user
    relationshipManager.add(grant);
}
```

Checking whether a user holds a role with the query API:

```java
RelationshipQuery<Grant> query = relationshipManager.createRelationshipQuery(Grant.class);

query.setParameter(Grant.ASSIGNEE, assignee);
query.setParameter(Grant.ROLE, role);

boolean hasRole = !query.getResultList().isEmpty();
```

Authorization

● Annotation-based authorization
  – @LoggedIn
  – @RolesAllowed
  – @GroupsAllowed
  – @PartitionsAllowed
  – @RequiresPermission
  – @Restrict
  – Write your own
● Programmatic authorization
  – Using PicketLink IDM Query API
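As an added example (not from the slides), the following bean puts both styles side by side: two methods guarded declaratively with @LoggedIn and @RolesAllowed, and one programmatic check that runs the Grant query from the Example Code slide against the calling account. ReportService, its in-memory report map and the "Publisher" role name are assumptions; the annotations, BasicModel and the query API are PicketLink's.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;

import org.picketlink.Identity;
import org.picketlink.authorization.annotations.LoggedIn;
import org.picketlink.authorization.annotations.RolesAllowed;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Grant;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.query.RelationshipQuery;

// Added example, not part of the slides. ReportService and its report store are assumptions.
@ApplicationScoped
public class ReportService {

    @Inject
    private Identity identity;

    @Inject
    private IdentityManager identityManager;

    @Inject
    private RelationshipManager relationshipManager;

    // constructed sample data standing in for a database
    private final Map<String, String> reports = new ConcurrentHashMap<>();

    /** Declarative check: PicketLink's interceptor rejects unauthenticated callers. */
    @LoggedIn
    public String viewReport(String reportId) {
        return reports.get(reportId);
    }

    /** Declarative check: only accounts granted the Administrator role may delete. */
    @RolesAllowed("Administrator")
    public void deleteReport(String reportId) {
        reports.remove(reportId);
    }

    /**
     * Programmatic check with the IDM query API, for decisions an annotation cannot
     * express (here the role name is only known at runtime). An anonymous caller or an
     * unknown role is denied rather than treated as "no restriction".
     */
    public boolean callerHasRole(String roleName) {
        if (!identity.isLoggedIn()) {
            return false;
        }
        Role role = BasicModel.getRole(identityManager, roleName);
        if (role == null) {
            return false;
        }
        RelationshipQuery<Grant> query = relationshipManager.createRelationshipQuery(Grant.class);
        query.setParameter(Grant.ASSIGNEE, identity.getAccount());
        query.setParameter(Grant.ROLE, role);
        return !query.getResultList().isEmpty();
    }

    /** Uses the programmatic check; "Publisher" is a constructed role name. */
    public void publish(String reportId, String content) {
        if (!callerHasRole("Publisher")) {
            throw new SecurityException("caller lacks role Publisher");
        }
        reports.put(reportId, content);
    }
}
```

The annotated methods only enforce anything when PicketLink's security interceptor is active for the bean; verify that for your PicketLink version and container before relying on them, and keep the programmatic path as the pattern for any check whose inputs are data-driven.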

Permissioning

● Privileges for application resources
  – Assignee is allowed to perform operation on resource
● Provided by PicketLink IDM
  – John has permission to read file.txt
  – John has permission on classes of type
  – John has permission on JPA Entity with identifier
● Identity Bean methods for permission checks
  – boolean hasPermission(Object resource, String operation);
  – boolean hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
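As an added example (not from the slides), the bean below grants a permission on a named resource and then checks it with the two Identity methods listed above before touching the resource. DocumentService and its file map are assumptions; injecting org.picketlink.idm.PermissionManager and its grantPermission(assignee, resource, operation) call are assumed to be available in the PicketLink version in use, since the slides only show the check side.

```java
import java.io.Serializable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;

import org.picketlink.Identity;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PermissionManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.User;

// Added example, not part of the slides. DocumentService and its file map are assumptions.
@ApplicationScoped
public class DocumentService {

    public static final String READ = "read";
    public static final String UPDATE = "update";

    @Inject
    private Identity identity;

    @Inject
    private IdentityManager identityManager;

    @Inject
    private PermissionManager permissionManager;   // assumed injectable

    // constructed sample content standing in for real files
    private final Map<String, String> files = new ConcurrentHashMap<>();

    /** "John has permission to read file.txt": grant one operation on one named resource. */
    public void share(String loginName, String fileName, String operation) {
        User user = BasicModel.getUser(identityManager, loginName);
        if (user == null) {
            throw new IllegalArgumentException("unknown user");
        }
        permissionManager.grantPermission(user, fileName, operation);
    }

    /** The check runs on every call; an anonymous caller is denied before any lookup. */
    public String read(String fileName) {
        if (!identity.isLoggedIn() || !identity.hasPermission(fileName, READ)) {
            throw new SecurityException("read denied on " + fileName);
        }
        return files.get(fileName);
    }

    public void write(String fileName, String content) {
        if (!identity.isLoggedIn() || !identity.hasPermission(fileName, UPDATE)) {
            throw new SecurityException("update denied on " + fileName);
        }
        files.put(fileName, content);
    }

    /** Class-plus-identifier form, for resources such as JPA entities that are not loaded yet. */
    public boolean mayUpdate(Class<?> resourceClass, Serializable identifier) {
        return identity.isLoggedIn() && identity.hasPermission(resourceClass, identifier, UPDATE);
    }
}
```

Keeping the operation names as constants matters more than it looks: a permission granted as "Read" and checked as "read" silently fails closed, and the mismatch is hard to spot in a large code base.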

PicketLink Forge Addon

● Useful to quickly configure a project with PicketLink
● Configures a JPA identity store
  – Generates entities from your identity types
● Authentication
  – Choose a method
● Project templates
  – Have an idea? Help us!

```shell
$ picketlink-setup --version 2.7.0.Beta2
$ picketlink-setup --feature idm
$ picketlink-setup --feature http
$ picketlink-setup --feature idm --generateEntitiesFromIdentityModel
```

PicketLink Quickstarts

● Over 30 example applications
● Useful to get started and understand most PicketLink features
● Clone, import into your IDE, check out a tag and deploy

```shell
git clone git@github.com:jboss-developer/jboss-picketlink-quickstarts.git
git checkout v2.7.0.CR1
mvn clean package jboss-as:deploy
# or
mvn -Pwildfly clean package wildfly:deploy
```

Thank You!

● Visit our site at http://picketlink.org
  – You can find useful guides
  – Access to documentation
● GitHub
  – https://github.com/picketlink/
● Join us on the #picketlink IRC channel on Freenode
● Social
  – @picketlink
  – Google+ PicketLink Community

Creating a Simple Application

● Using the PicketLink Forge Addon
  – FORM-based authentication
  – RBAC
  – Protect application resources
  – User and role management
● Simple application to focus only on the security bits