Authenticating REST/Mobile clients using LDAP and OERealm

Authenticating REST/Mobile clients using LDAP and OERealm
PUG Challenge Americas - 2014
Michael Jacobs, Senior Software Architect
6.6.2014

Agenda
- Configurable REST application authentication process
- LDAP authentication
- OERealm authentication
- When things don't work as you expect

Configurable REST application authentication process

Configurable REST Authentication Process
- Which authentication model (i.e. process) is used is configured in WEB-INF/web.xml
- Common authentication model template policies live in WEB-INF/appSecurity…
- Plug-in user account system modules
- Each template allows configuration of:
  - User account system connection
  - User [http] session control
  - URI access controls (Role Based Authorization)
  - CORS configuration for JavaScript clients
  - AppServer [Client-Principal] SSO (for 11.2+ AppServers)

LDAP Authentication

LDAP Essentials
- [LDAP] Directory Services are widely used as a single point of administration
- LDAP (Lightweight Directory Access Protocol) is a wire protocol and client API
- Most commonly recognized as a Single Point of Authentication (SPA)
- A Directory Service (examples: OpenLDAP, Windows Active Directory, Apache DS) is a hierarchical store of schema-defined objects and object attributes
- No two production sites will have the same hierarchy (of users & groups)

Key Directory Service Terms and Concepts
- Distinguished Name (DN): the path to a specific data object
  - Root DN: the name of the object hierarchy's root data object; example: dc=acme,dc=com
  - Fully qualified DN: the full path from the root DN to the object; example: dn=ldapserver1,ou=IT,dc=acme,dc=com
  - Relative DN: example: dn=ldapserver (child object of ou=IT,dc=acme,dc=com)
- Search root: the fully qualified DN of the data object at which to begin a descending search for one or more data objects

Key Directory Service Terms and Concepts (cont)
- Directory Services require logging in to search information
- Security policies prevent read/write of another user's password attribute
- Passwords are stored as salted one-way hashes
- To test a user account's password for login:
  1. Log in with a fully qualified DN that has search privileges
  2. Search to find the user's account and retrieve its fully qualified DN
  3. Log out
  4. Log in using the user account's fully qualified DN and password
  5. Retrieve user attributes, primarily the Groups (i.e. Roles) the user is a member of

Required Information From Directory Service Admin
- The network address and port(s) of the Directory Service: "foo.com" 389
- The ROOT DN of the directory service: "dc=foo, dc=com"
- The DN & password of an account with 'query' privilege: "uid=admin, ou=ds admins, ou=IT, dc=foo, dc=com"
- The LDAP DN of the object where the user object search will start: "ou=users, ou=employees, dc=foo, dc=com"

Required Information From Directory Service Admin (cont)
- The LDAP user account object's attribute name that holds the user's login ID: "uid" (or that non-standard Active Directory thing…)
- The LDAP DN of the object where the search for LDAP user groups (roles) will start: "ou=groups,dc=foo,dc=com"
- The LDAP group object's attribute name that is matched against the user to find the groups whose role names are inserted into the user's login token: "uniqueMember"
- The LDAP group attribute holding the Role/Group name: "cn"

You Configure the Spring Security LDAP Server

```xml
<!-- #1 host & port of the LDAP Directory, #2 directory root (the DN after the port) -->
<ldap-server id="PrimayLDAP"
             url="ldap://localhost:389/dc=acwd45,dc=com"
             manager-dn="uid=dsclient,ou=users,dc=acwd45,dc=com"
             manager-password="password" />
<!-- #3 manager-dn / manager-password: the user DN used for queries -->
```

You Configure the Spring Security LDAP Authentication Manager / Authentication Provider

```xml
<authentication-manager id="RestApplicationtAuth">
  <ldap-authentication-provider server-ref="PrimayLDAP"
                                group-role-attribute="cn"
                                role-prefix="ROLE_"
                                group-search-filter="(member={0})"
                                group-search-base=""
                                user-search-base=""
                                user-search-filter="(uid={0})" />
</authentication-manager>
<!-- #4 user-search-base: user search RDN (relative to the directory root in the server url)
     #5 user-search-filter: user login-id attribute; {0} is replaced by the login ID
     #6 group-search-base: group search RDN
     #7 group-search-filter: group attribute matched against the user DN ({0})
     #8 group-role-attribute: group attribute used as the ROLE name, prefixed with role-prefix -->
```
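The bind-search-bind flow from the "Terms and Concepts" slide, driven by the same attributes the Spring Security provider above uses, as an added example that is not part of the presentation. It runs against a constructed in-memory directory instead of a real server (no LDAP library), and the `alice` account, the `developers` group, the explicit search bases and the `Conn` class are assumptions made for illustration.

```python
import hashlib
import os
import re

# Constructed stand-in for the slides' directory (same DNs as the Spring config above);
# passwords are held only as salted one-way hashes, as the slides note.
SALT = os.urandom(8)
def _hash(pw): return hashlib.sha256(SALT + pw.encode()).hexdigest()
USER_DN = "uid=alice,ou=users,dc=acwd45,dc=com"
DIRECTORY = {
    "uid=dsclient,ou=users,dc=acwd45,dc=com": {"uid": "dsclient", "userPassword": _hash("password")},
    USER_DN: {"uid": "alice", "userPassword": _hash("s3cret")},
    "cn=developers,ou=groups,dc=acwd45,dc=com": {"cn": "developers", "member": [USER_DN]},
}
# Mirrors the <ldap-server> / <ldap-authentication-provider> attributes, with bases filled in.
CONFIG = {"manager-dn": "uid=dsclient,ou=users,dc=acwd45,dc=com", "manager-password": "password",
          "user-search-base": "ou=users,dc=acwd45,dc=com", "user-search-filter": "(uid={0})",
          "group-search-base": "ou=groups,dc=acwd45,dc=com", "group-search-filter": "(member={0})",
          "group-role-attribute": "cn", "role-prefix": "ROLE_"}

class Conn:
    """Minimal LDAP connection stand-in: bind, unbind, equality-filter subtree search."""
    def __init__(self):
        self.bound = None
    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        self.bound = dn if entry and entry.get("userPassword") == _hash(password) else None
        return self.bound is not None                      # False stands for invalidCredentials
    def unbind(self):
        self.bound = None
    def search(self, base, filt, value):
        if self.bound is None:                             # a directory requires a login to search
            raise PermissionError("search needs a bound DN")
        attr = re.fullmatch(r"\((\w+)=\{0\}\)", filt).group(1)   # "(uid={0})" -> "uid"
        return [dn for dn, e in DIRECTORY.items() if dn.endswith("," + base)   # subtree scope
                and value in (e[attr] if isinstance(e.get(attr), list) else [e.get(attr)])]

def authenticate(login_id, password, cfg=CONFIG):
    """The five-step flow from the slides: bind as the manager DN, find the user's DN, unbind,
    bind as the user, then turn group names into ROLE_-prefixed roles. Returns None on failure."""
    conn = Conn()
    if not conn.bind(cfg["manager-dn"], cfg["manager-password"]):
        raise RuntimeError("manager bind failed: check manager-dn / manager-password")
    users = conn.search(cfg["user-search-base"], cfg["user-search-filter"], login_id)
    conn.unbind()
    if len(users) != 1 or not conn.bind(users[0], password):
        return None                                        # unknown login ID or wrong password
    groups = conn.search(cfg["group-search-base"], cfg["group-search-filter"], users[0])
    conn.unbind()
    return sorted(cfg["role-prefix"] + DIRECTORY[g][cfg["group-role-attribute"]] for g in groups)
```

A manager bind that fails is reported separately from a bad user password, which is the first thing to check when the provider rejects every login.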

Now, The Live Stuff…

OERealm Authentication

OERealm Overview
- A write-your-own User Account System running in a state-free AppServer
- OERealm [client] user account system plug-in
- Current OERealm clients: OEBPM, REST service, (Rollbase under construction)
- Current OpenEdge 11.3+ client support: Java & .NET OpenClient
[Architecture diagram; labels: AppServer client, AppServer authn process, client application code, Business Logic, Service Interface, app data, Developer written Service Interface, OE written, Identity Management System account data, OERealm local accounts, LDAP, OERealm client configuration]

OERealm OOABL Interface Overview
- Get a list of user accounts
- Get a list of user account attribute (i.e. field) names
- Query a list of user account names
- Lookup a user account *
- Get user account properties (such as Roles, expiration, …) *
- Remove a user account's attribute value
- Set a user account's attribute value
- Verify a single user account's password *
(* Required)

Development Process Overview
- Design for extensibility – focus on security
- Implement the OERealm interface (there are now requirements…)
- Provision user accounts (if not already in your application)
- Code the minimum OERealm class methods
- Code the optional OERealm SSO Client-Principal validation
- Consider if multi-tenancy (i.e. multiple domains) will be required
- Optional: Create a sealed Client-Principal for SSO to the AppServer OERealm class
- Optional: Create a new OERealm keystore with the OE Domain(s) Access-Code
- Deploy OERealm class(es) to the AppServer
- Configure OERealm in the remote authentication process
- Test and debug

Now, The Live Stuff…

Deployment Site Considerations
- Supply AppServer SSO defaults
  - REST security templates (appSecurity-xxxx) configuration
  - Default OE Domain and access code (can be the blank domain)
  - AppServer-defined default OE Domain and access code for AppServer SSO validation
- Supply OERealm class SSO defaults
  - Sealed Client-Principal for SSO to the OERealm AppServer class
  - AppServer-defined OE Domain and access code
- Instructions for changing the AppServer SSO Domain and access code
- Instructions for changing the OERealm class SSO Client-Principal

When Things Don’t Work as You Expect

Service Logging Will Be Your Friend
- The REST service logging configuration is found in: <web-app-name>/WEB-INF/classes/log4j.properties
- The REST service's log file is found in: <web-app-name>/WEB-INF/adapters/log/xxxx.log
- Change the security (Java class) logging to DEBUG
- LOTS of logging will be produced; log file size will be an issue
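An added example (not from the slides) of the log4j.properties change the bullets describe: the logger names are Spring Security's package names, and the rest of the web application's file is assumed to stay as shipped.

```properties
# Keep everything else at its normal level; only the security classes go to DEBUG.
log4j.rootLogger=INFO, R

# Spring Security authentication manager, providers and filter chain
log4j.logger.org.springframework.security=DEBUG
# LDAP bind, user search and group/role lookup (the #1-#8 settings above)
log4j.logger.org.springframework.security.ldap=DEBUG
# Low-level Spring LDAP template calls, if the bind itself is in question
log4j.logger.org.springframework.ldap=DEBUG
```

Set the loggers back to INFO (or WARN) once the problem is found, since DEBUG records every request's authentication steps and the file under WEB-INF/adapters/log grows quickly.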