8/6/2019 Oracleidm Jug 2011
1/43
Developing Applications With Declarative Security
Java User Group Presentation, Los Angeles and Phoenix
Ganesh Kirti, Sr. Director, Platform Security, Fusion Middleware
July/2011
This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
Agenda
Declarative Security
Real World Financials Application Implementation/Demo
Benefits of Declarative Security
Q & A
References
Declarative Security Today
The declarative security approach is a proven security model
  It keeps business logic separated from security decision logic
  Security role policies (mappings) are externalized in deployment descriptors (DDs) or policy files
Available Java standards:
  J2EE container security
  Java2 security
Very easy-to-use APIs exist for applications: isUserInRole, getCallerPrincipal, checkPermission
Declarative Security Today: What is the limitation?
Current standards are proven, but are very limited:
  Too coarse-grained to support business rules
  Access control enforcement stops at the application perimeter level
  No contextual support for making access control decisions
  Securing data access within the application requires custom implementation
Let's review a real world application example (next slide)
Declarative Security: Real World Application Examples

Role            | Privileges                                                  | Context                                                                                                                       | Resource
Account Owners  | Accounts, Transfers, Credit                                 | Restrict access from an un-trusted network                                                                                    | Savings Account
Traders         | Equity Trades, by geography, by trade limit                 | Restrict trade sizes to < $100K; daily trading limit of $5M                                                                   | Municipal Equity Fund
Equity Analyst  | Equity Research, by vertical industry, by line of business  | Unauthorized for trading; authorized for review of Energy companies listed on NYSE; authorized for access to research report  | Oil & Gas, Semiconductors
Fund Manager    | Equity Trades, Rebalance Funds                              | Authorized for 24x7 trading and rebalancing of Small-Cap Funds; daily trading limit of $1B                                     | Mortgage Equity Fund, Municipal Equity Fund

Users: Jane West, Steve Jackson, Ellen Stewart
APPROACH TO DESIGNING APPLICATION SECURITY
Approach to Designing Application Security
Continue to use the declarative security pattern, i.e. externalize the security decision process
Security must be built into your application
Rely on existing security standards (JAAS, J2EE, RBAC, ABAC, XACML) for designing the security model
Rely on security frameworks and tooling that provide:
  APIs and tools to secure application resources declaratively
  Support for interoperability with Identity Management systems
  APIs and tools for managing application security life-cycle events (design, deployment, and administration of security data)
Next: let's walk through an implementation of a real world Financials application built using this approach
Real World Financials Application: High level Requirements
Application with users: account owners, stockbrokers, and administrators
Multiple security roles: brokers, bronze/gold users, administrators
Context-aware security to meet business rules
Meet corporate security compliance requirements (audit, central administration, and governance)
Standards compliant (JAAS, J2EE security, ABAC, RBAC, OpenAZ/PEP, OPSS)
Scalability and performance
Application Security Architecture

[Diagram] Financials Application (Menu UIs, Account Services, Trading Services, Data Access) issues an Access Check* for each request; the PDP** (Policy Cache, Policy Evaluation, Role Hierarchy Data, security filters) answers Grant or Deny. Users authenticate against the Identity Store (user identities); the PDP reads the Policy Store (roles and entitlements), which Administrators and Business Application Owners manage through the Policy Admin Server.

* Application enforces the access check using APIs. The security decision process is externalized to the PDP.
** PDP (Policy Decision Point) can be configured in embedded or out-of-process centralized modes.
Design/Implementation Concepts
Securable Resources
  Securable resource: UI items (menu, region etc.), web service, portlet, data filters
  Developers define resources during application design time
Entitlements
  Administration-usable concept: a collection of resources managed as a single unit
Application Role
  Bundle of privileges, role hierarchies, role catalog, mapped to users/groups
  Developers and Administrators can define application roles
Policy
  An access control declarative policy that binds together resource(s), role(s), and entitlements
  Policy can be made powerful and dynamic by including conditions/rules and obligations
  Administrators define and manage policies
  Application is unaware of the details of the policy, but enforces it at run-time
Scenario 1: Default view upon logon
Bronze user (jane.west) can log in and see only allowed resources (account, transfers, customer service; not allowed to access investments, transfers)
Administrator configures the declarative security policy: BronzeAccountsNavEntitlement, GoldAccountsNavEntitlement
The following sample code implements a subset of this use case:

import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
// PepRequestFactoryImpl and PepResponse come from the OpenAZ PEP API (see the OpenAz slides);
// loginService and cbh (a CallbackHandler) are provided by the application

String resName = "AzUnionBank/UINavigationResource/AccountsNavItem";

// authorization runtime: authenticate and obtain the JAAS Subject
LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
ctx.login();
Subject ident = ctx.getSubject();

String rtAction = "view";
Map<String, String> appContext = new HashMap<>();
appContext.put("myAttr", "Hello"); // application context handed to the PDP

PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
        .newPepRequest(ident, rtAction, resName, appContext).decide();

if (response.allowed()) {
    System.out.println("GRANT");
    // Do whatever ...
} else {
    System.out.println("DENY");
}
Scenario 2: Deny access to accounts from un-trusted network
Jane logs in from an un-trusted network; access to some resources will be blocked
Administrator configures the declarative security policy: CredScoreWidgetDenyEntitlements, DenyAccountInfoEntitlement, DenyBalanceSummaryWidgetEntitlement
The following code implements this use case:

String resName = "AzUnionBank/UIWidget/CreditScoreWidget";

// authorization runtime
LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
ctx.login();
Subject ident = ctx.getSubject();
String rtAction = "view";

// the network context is passed as an environment attribute; the policy, not the code, decides what it means
Map<String, String> appContext = new HashMap<>();
appContext.put("FromInternet", "true");

PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
        .newPepRequest(ident, rtAction, resName, appContext).decide();

if (response.allowed()) {
    System.out.println("GRANT");
    // Do whatever ...
} else {
    System.out.println("DENY");
}
Scenario 3: Data Security using Obligation
Bronze customer can only see two years of transactions; Gold customer can see 5 years of data
Administrator configures the declarative security policy: BronzeAccountTransactionsEntitlementPolicy, GoldAccountTransactionsEntitlementPolicy
The following code implements this use case:

String resName = "AzUnionBank/DataSetResType/AccountTxns";

// authorization runtime
LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
ctx.login();
Subject ident = ctx.getSubject();
String rtAction = "view";
Map<String, String> appContext = new HashMap<>();

PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
        .newPepRequest(ident, rtAction, resName, appContext).decide();

if (response.allowed()) {
    // obligations are keyed by name; each carries the values the policy attached to the grant
    Map<String, Obligation> obligations = response.getObligations();
    if (obligations != null) {
        for (String name : obligations.keySet()) {
            System.out.println("obligation: name = " + name + ", values = "
                    + obligations.get(name).getStringValues());
        }
        // Take the WHERE clause returned as the obligation and add it to the select query
        // (bind it as query parameters rather than splicing text into the SQL) ...
    }
} else {
    System.out.println("DENY");
}
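The three scenarios above, worked end to end in one self-contained program. This is an added example, not code from the slides, OpenAZ or OES: a toy in-process PDP stands in for the externalized decision point, with the slide's concepts (securable resources, entitlements, application roles with a hierarchy, policies carrying a context condition and an obligation) written as plain Java records. Entitlement and resource names from the slides are reused; DeclarativeSecurityDemo, AccountWidgetsEntitlement, InvestmentsNavItem, TransfersNavItem, CustomerServiceNavItem, AccountInfo, the txnHistoryYears obligation key and the account_txns table are constructed for the example. It also shows what scenario 3's comment leaves implicit: the obligation becomes a bound query parameter rather than text appended to the SQL.

```java
import java.time.LocalDate;
import java.util.*;
import java.util.function.Predicate;

public class DeclarativeSecurityDemo {

    /** Request attributes grouped the XACML way: subject, action, resource, environment. */
    public record AzRequest(String user, Set<String> roles, String action,
                            String resource, Map<String, String> environment) {}
    /** PDP answer: grant or deny, plus obligations the PEP must honour (here a data filter). */
    public record AzDecision(boolean allowed, Map<String, String> obligations) {}
    /** One declarative policy: a role is granted (or denied) actions on an entitlement under a condition. */
    public record Policy(String name, String role, Set<String> entitlement, Set<String> actions,
                         Predicate<Map<String, String>> condition, boolean deny,
                         Map<String, String> obligations) {}
    /** Query text plus its bound parameter: the obligation never reaches SQL as spliced text. */
    public record BoundQuery(String sql, LocalDate notBefore) {}

    static final String NAV = "AzUnionBank/UINavigationResource/";
    static final String WIDGET = "AzUnionBank/UIWidget/";
    static final String TXNS = "AzUnionBank/DataSetResType/AccountTxns";
    static final Set<String> ACCOUNT_WIDGETS = Set.of(
        WIDGET + "CreditScoreWidget", WIDGET + "AccountInfo", WIDGET + "BalanceSummaryWidget");

    /** Role hierarchy: gold inherits every bronze entitlement. */
    static final Map<String, Set<String>> ROLE_PARENTS = Map.of("gold", Set.of("bronze"));

    /** Policy store as an administrator would author it; application code never sees these rules. */
    static final List<Policy> POLICIES = List.of(
        // Scenario 2: account widgets are denied when the request arrives from the Internet
        new Policy("DenyAccountInfoEntitlement", "bronze", ACCOUNT_WIDGETS, Set.of("view"),
            env -> "true".equals(env.get("FromInternet")), true, Map.of()),
        new Policy("AccountWidgetsEntitlement", "bronze", ACCOUNT_WIDGETS, Set.of("view"), // constructed name
            env -> true, false, Map.of()),
        // Scenario 1: navigation items each tier sees by default
        new Policy("BronzeAccountsNavEntitlement", "bronze",
            Set.of(NAV + "AccountsNavItem", NAV + "TransfersNavItem", NAV + "CustomerServiceNavItem"),
            Set.of("view"), env -> true, false, Map.of()),
        new Policy("GoldAccountsNavEntitlement", "gold", Set.of(NAV + "InvestmentsNavItem"),
            Set.of("view"), env -> true, false, Map.of()),
        // Scenario 3: same data set, different obligation per tier (gold first, so it wins for gold users)
        new Policy("GoldAccountTransactionsEntitlementPolicy", "gold", Set.of(TXNS), Set.of("view"),
            env -> true, false, Map.of("txnHistoryYears", "5")),
        new Policy("BronzeAccountTransactionsEntitlementPolicy", "bronze", Set.of(TXNS), Set.of("view"),
            env -> true, false, Map.of("txnHistoryYears", "2")));

    /** Expands the roles assigned to a subject through the role hierarchy. */
    static Set<String> effectiveRoles(Set<String> assigned) {
        Deque<String> todo = new ArrayDeque<>(assigned);
        Set<String> all = new HashSet<>();
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (all.add(role)) todo.addAll(ROLE_PARENTS.getOrDefault(role, Set.of()));
        }
        return all;
    }

    /** PDP: any applicable deny wins; otherwise the first applicable permit decides and supplies obligations. */
    public static AzDecision decide(AzRequest req) {
        Set<String> roles = effectiveRoles(req.roles());
        Policy permit = null;
        for (Policy p : POLICIES) {
            boolean applies = roles.contains(p.role()) && p.entitlement().contains(req.resource())
                && p.actions().contains(req.action()) && p.condition().test(req.environment());
            if (!applies) continue;
            if (p.deny()) return new AzDecision(false, Map.of());
            if (permit == null) permit = p;
        }
        return permit == null ? new AzDecision(false, Map.of()) : new AzDecision(true, permit.obligations());
    }

    /** PEP side of scenario 3: the obligation becomes a bound parameter, never spliced SQL text. */
    public static BoundQuery transactionQuery(AzDecision decision, LocalDate today) {
        if (!decision.allowed()) throw new SecurityException("DENY");
        int years = Integer.parseInt(decision.obligations().getOrDefault("txnHistoryYears", "0"));
        // The caller binds notBefore to the second placeholder, e.g. PreparedStatement.setObject(2, notBefore).
        return new BoundQuery("SELECT * FROM account_txns WHERE account_id = ? AND posted_on >= ?",
                              today.minusYears(years));
    }

    /** The PEP call as the application sees it: resource name in, GRANT or DENY out. */
    static String pep(String user, Set<String> roles, String resource, Map<String, String> env) {
        return decide(new AzRequest(user, roles, "view", resource, env)).allowed() ? "GRANT" : "DENY";
    }

    public static void main(String[] args) {
        Map<String, String> intranet = Map.of(), internet = Map.of("FromInternet", "true");
        Set<String> bronze = Set.of("bronze");
        System.out.println(pep("jane.west", bronze, NAV + "AccountsNavItem", intranet));
        System.out.println(pep("jane.west", bronze, NAV + "InvestmentsNavItem", intranet));
        System.out.println(pep("jane.west", bronze, WIDGET + "CreditScoreWidget", intranet));
        System.out.println(pep("jane.west", bronze, WIDGET + "CreditScoreWidget", internet));
        LocalDate today = LocalDate.of(2011, 7, 1);
        AzDecision d = decide(new AzRequest("jane.west", bronze, "view", TXNS, intranet));
        System.out.println(transactionQuery(d, today).notBefore());
    }
}
```

Run it with java DeclarativeSecurityDemo.java (JDK 17 or later). Deny policies are matched ahead of permits, so the CreditScoreWidget that jane.west may view on the intranet is denied as soon as FromInternet=true appears in the context, and the application code that asked the question is identical in both cases. The gold transaction policy is listed before the bronze one so that a gold user, who inherits bronze through ROLE_PARENTS, receives the five-year obligation while jane.west's query is bounded to two years.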
Financials Application: Implementation Summary
All securable resources are declaratively secured in an external central policy store
Administrators secure resources using declarative policies and rules
Simple pass-through OpenAZ APIs enforce the security within the application; decisions are externalized. OpenAZ, the standards API Oracle proposed, provides XACML Java binding APIs
All run-time access to resources is audited by the PDP implicitly
Administrators have full visibility into the application access policies and runtime activity
Benefits to Application Developers
Well proven design pattern
Developers rely on frameworks and tools to secure resources; hence security development cost is reduced
Developers can focus on business logic
Security logic is externalized and managed by administrators
Application ready for Cloud deployments as application meets CSA, audit requirements
Interoperates with Identity Management Systems
Developers not responsible for security breaches
Benefits to CSOs and IT Managers
Administrators have full visibility into application security policies from a central dashboard
Full control of who is allowed access to what resources within an application
Make security policy changes as business rules change and make them effective immediately in the application runtime
Application can integrate with already existing Identity Management services
Can centrally manage the security controls of 1000s of applications
Can see full audit of the runtime system
Satisfaction that application security is in good hands; hence, job security
Learn More
Register for Related Events
Webcast: Introducing Oracle Entitlements Server, http://bit.ly/oes11g-webcast, July 14 10a PT
Webcast: Declarative Security for Mobile Apps, http://bit.ly/mnKoX7, Aug 25 9a PT
Webcast: Declarative Security for Mobile Apps, http://bit.ly/is3XAQ, Sep 7 9a PT
Useful Resources
Download Financials Application
  https://www.samplecode.oracle.com/sf/frs/do/downloadFile/projects.oracle_entitlements_server_11gr1/frs.unsupported_samples.11gr1/frs1059?dl=1
Oracle Entitlements Server: whitepapers, product downloads, Javadocs
  http://www.oracle.com/us/products/middleware/identity-management/oracle-entitlements-server/overview/index.html
Oracle Platform Security Services: Fusion Middleware and Fusion Applications security framework; samples, presentations
  http://www.oracle.com/technetwork/middleware/id-mgmt/index-100381.html?ssSourceSiteId=ocomen
Identity Management Resource Library
  http://www.oracle.com/us/products/middleware/identity-management/resource-library/index.html
Questions
You may contact me at: [email protected]
Java Security Standards
Java Security Standards Initiatives
OpenAz
Java Identity API (JSR proposal)
CARML/ArisID
SAML Session Token (WAM token)
OpenAz Goals
Provide a consistent model for applications and middleware to invoke access control
  Based upon the PEP definition given in the XACML specification
  Encourage creation of other language/framework bindings
Reference implementation for the Java AzApi interface
  Java interface based on the XACML request-response model
Explain how the AzApi interface can be mated with third-party policy engines
  Existing policy engines can implement this interface
  Support efficient processing, as providers can implement caching and other proprietary magic
  Details of local vs. remote processing hidden by the interface
PEP API: Java Construct Layer
Responds to the concern that AzApi requires some knowledge of XACML specifics
  Data types, attribute categories and names
Java packages or frameworks may request authorization decisions using native objects
  E.g., Decide(user object, resource object, action object)
Mapping of these native representations into lower-level AzApi forms is modeled separately
Externalized Attribute-based Access Control

[Diagram] Application, Middleware and Service each call a PEP (plus a Gateway PEP); the PEPs query the Policy Engine (PDP), which evaluates rules over groups and roles (manager, customer, ...), user attributes (zip code, citizenship, ...), resource attributes (creator, classification, ...) and environment attributes (authN strength, ...); policies are administered through the PAP.

PEP - Policy Enforcement Point
PAP - Policy Administration Point
PDP - Policy Decision Point
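The construct layer described on the previous slide and the attribute categories in this diagram, as an added example that is not OpenAz code: native Java objects (a JAAS Subject, a domain object, an action and the request environment) are lowered into the four XACML categories keyed by attribute identifiers, and one rule then compares attributes across categories, which a role check alone cannot express. The subject-id, role, resource-id and action-id URNs are the standard XACML ones; PepConstructLayer, NamedPrincipal, Account, RequestEnv and the urn:example:* identifiers are constructed for this example.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class PepConstructLayer {

    /** The four XACML attribute categories a lowered request is built from. */
    public enum Category { SUBJECT, RESOURCE, ACTION, ENVIRONMENT }

    /** Standard XACML identifiers for the core attributes; the urn:example ones are constructed here. */
    public static final String SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
    public static final String ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role";
    public static final String RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    public static final String ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";
    public static final String OWNER = "urn:example:resource:owner";
    public static final String FROM_INTERNET = "urn:example:environment:from-internet";
    public static final String AUTHN_STRENGTH = "urn:example:environment:authn-strength";

    /** Native objects a service already holds: JAAS principals, a domain object, an action, request context. */
    public record NamedPrincipal(String name, boolean isRole) implements Principal {
        @Override public String getName() { return name; }
    }
    public record Account(String number, String owner) {}
    public enum Action { VIEW, TRANSFER }
    public record RequestEnv(boolean fromInternet, int authnStrength) {}

    /** Lowers native objects into category -> attribute id -> values, the shape an AzApi-style PDP consumes. */
    public static Map<Category, Map<String, List<String>>> lower(Subject subject, Account account,
                                                                Action action, RequestEnv env) {
        Map<Category, Map<String, List<String>>> req = new EnumMap<>(Category.class);
        for (Category c : Category.values()) req.put(c, new LinkedHashMap<>());
        for (NamedPrincipal p : subject.getPrincipals(NamedPrincipal.class)) {
            // user principals become subject-id, role principals become the XACML role attribute
            req.get(Category.SUBJECT)
               .computeIfAbsent(p.isRole() ? ROLE : SUBJECT_ID, k -> new ArrayList<>()).add(p.name());
        }
        req.get(Category.RESOURCE).put(RESOURCE_ID, List.of(account.number()));
        req.get(Category.RESOURCE).put(OWNER, List.of(account.owner()));
        req.get(Category.ACTION).put(ACTION_ID, List.of(action.name().toLowerCase(Locale.ROOT)));
        req.get(Category.ENVIRONMENT).put(FROM_INTERNET, List.of(Boolean.toString(env.fromInternet())));
        req.get(Category.ENVIRONMENT).put(AUTHN_STRENGTH, List.of(Integer.toString(env.authnStrength())));
        return req;
    }

    /** A rule spanning three categories: the owner may view; a transfer also needs strong authN off the Internet. */
    public static boolean ownerRule(Map<Category, Map<String, List<String>>> req) {
        List<String> subjects = req.get(Category.SUBJECT).getOrDefault(SUBJECT_ID, List.of());
        List<String> owner = req.get(Category.RESOURCE).getOrDefault(OWNER, List.of());
        if (Collections.disjoint(subjects, owner)) return false;
        String action = req.get(Category.ACTION).get(ACTION_ID).get(0);
        Map<String, List<String>> envAttrs = req.get(Category.ENVIRONMENT);
        boolean strongAuthn = Integer.parseInt(envAttrs.get(AUTHN_STRENGTH).get(0)) >= 2;
        boolean fromInternet = Boolean.parseBoolean(envAttrs.get(FROM_INTERNET).get(0));
        return action.equals("view") || (strongAuthn && !fromInternet);
    }

    public static void main(String[] args) {
        Subject jane = new Subject();
        jane.getPrincipals().add(new NamedPrincipal("jane.west", false));
        jane.getPrincipals().add(new NamedPrincipal("bronze", true));
        Account savings = new Account("SAV-1001", "jane.west"); // constructed sample data
        var view = lower(jane, savings, Action.VIEW, new RequestEnv(true, 1));
        var transfer = lower(jane, savings, Action.TRANSFER, new RequestEnv(true, 1));
        System.out.println(view.get(Category.SUBJECT));
        System.out.println(ownerRule(view) ? "GRANT" : "DENY");
        System.out.println(ownerRule(transfer) ? "GRANT" : "DENY");
    }
}
```

The calling service never spells out XACML attribute ids; it hands over the objects it already has and the construct layer does the lowering once. Because the lowered request keeps every attribute in its category, the rule can relate the subject's identifier to the resource's owner and then gate on environment attributes, which is exactly the context-aware decision the earlier "what is the limitation?" slide says container role checks cannot make.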
Available OpenAz Components
Definition of the Java AzApi interface
  Includes the PEP API layer
  Submitted to the XACML TC for standardization
  Joint work with Cisco and others (RSA)
Implementation of AzApi with the SUN XACML library
  Available for use today
XACML policy-creation tool
  Simplifies creation of XACML policy
Download information
Complete project (AzApi interface, reference implementation, Policy Tool, Javadoc)
  http://openaz.svn.sourceforge.net/viewvc/openaz/ (download the GNU tarball)
Javadoc only
  http://openaz.svn.sourceforge.net/viewvc/openaz/azapi/doc/
Apache 2.0 license
Join the project! http://www.openliberty.org/wiki/index.php/Main_Page#OpenAz
  Mailing list and bi-weekly conference call
Java Identity API
Ongoing work to create a Java standard (JSR) within the JCP
  www.jcp.org
  Please join us to take the work forward!
Diverse sources of identity data impose new requirements for identity data
  Goes beyond the model based on a single IT directory
Driven by new identity models
  Identity Federation, Facebook, Virtual directory
  Concerns about user consent, privacy and accountability
Java Identity API - Enhance Java to include
Characteristic representation for identity attributes and meta-data such as issuer, TTL, use-constraints
Uniform representation independent of source
Programming model for applications to interact with and provide attributes (with meta-data)
Programming model for applications to provide fine-grained context in access control
Integration of enhancements with the existing Java security model
CARML/ArisID
Declarative approach to obtaining identity attributes in applications
  Improves on lower-level approaches based on LDAP or JNDI
  Includes support for privacy assertions
Based upon use of a CARML (Client Attributes Markup Language) manifest
  Manifest describes identity needs of an application or group of applications
  Tools and services can use the manifest to provide attributes to the application
Part of a broader standard called Identity Governance Framework
  http://www.projectliberty.org/strategic_initiatives/identity_governance/?f=strategic_initiatives/identity_governance
ArisID open source project
Open source implementation of CARML
ArisID is a Java API suitable for Java application developers
Complete open source stack now available
  Apache 2.0 license
  http://www.openliberty.org/wiki/index.php/ProjectAris
Available in Oracle Virtual Directory 11g and also used in Oracle Fusion Middleware
Session Token Overview
Standardized scheme for managing Web Server security session state
  First within Oracle products, then externally
Benefits
  Lower costs/improve security for Oracle products
  Demonstrate industry leadership
  Foundation for interop with other vendors
  Provides a standard for session management
  More efficient; enables features like idle timeout
Project Summary
Define common WAM SSO token format and interface
  Implement "pre-standard" across AM suite
  Work with community to standardize the token
  Converge to final standard
Status
  Design based on existing product requirements
  Implemented token library in Oracle Access Manager 11g
  OASIS SAML Session Token Profile awaiting final public review before reaching Committee Specification status
Latest OASIS Draft: http://www.oasis-open.org/committees/download.php/41975/saml-session-token-v1.0-wd07.pdf
Appendix: Proven Practices, Solutions, and Tools
Proven Practice: Oracle Platform Security Services (OPSS)

[Diagram] Java applications, SOAP/REST applications and cloud applications sit on Oracle Platform Security Services, which offers AuthN, AuthZ and IdM integration services: Authn, Authz, Credentials & Keys, Audit, ID Profile, Trust, XML Security, Crypto/SSL, SSO/Tokens, Entitlements Server, LDAP & Virtualization, and Identity Provisioning. Underneath sit the Security Service Providers: LDAP, Database and File identity, policy and credential store providers.

Copyright 2010, Oracle. All rights reserved. Oracle Confidential
Key Design Patterns Supported in OPSS
Externalize identities
Rely on a central audit framework
Audit system identities usage and runtime access of resources
Externalize user and role provisioning
Standardize on identity propagation across SOA, REST, J2EE services
Follow compliant encryption for credentials/keys
Externalize token processing and creation
Rely on Web services security/token interceptors
Follow standard LDAP and SSO integration frameworks across your applications
Benefits of OPSS
Suite of Security Services - application enablement with a rich, secure, and compliant security platform
  Provides an abstraction layer to identity systems
  Rich set of APIs for most common design patterns
  Works in conjunction with Java2, J2EE, SOA, HTTP, JCE security standards
  Interoperates with Identity Management Systems
Reduce costs & rapidly respond to business demands
  Declarative security increases developer productivity by 50%
  Entire Fusion Middleware and Fusion Applications products build on top of OPSS
Oracle Entitlements Server (OES)

[Diagram] Without OES: each application carries its own policies (hard-coded security policies, brittle policy management, application policy silos). With OES: applications share one policy service (externalized entitlements, agile business policies, centralized policy management).
Native & Custom Integrations with OES

[Diagram] OES integrates with Portals and Content Management, App Servers & Dev Frameworks, Middleware, Identity Management, XML Gateways and Data Sources.
Benefits of OES to Developers and Administrators

Enhanced Security and Compliance
  Manage security from a single place
  Provides finer control over the protection of all resources
  Separates security decisions from application logic
  Offers robust auditing of events

Increased IT Efficiency
  Centralizes security policy management
  Enables reuse and sharing of security services
  Frees developers up to focus on value-added business logic
  Integrates easily with identity and access management

Better Business Agility
  An adaptable security service infrastructure that more closely models your business
  Respond faster to changing corporate, regulatory, market requirements
  Reduce time-to-market