3rd EuroCAMP Ljubljana Mind the Gap (And Try To Fill It with Any Tool at Hand) Bridging PAPI and Applications Diego R. Lopez.


The Goals
- Web SSO does not stay at its bare bones
  - Control the access to restricted areas
  - Pass identity data to Web-based applications
    - From CGI to servlet
    - And beyond
- Web-enabled applications
  - Use the browser to establish the initial identity context
- Current technology makes it perfectly possible
  - Albeit there is a gap with application developers

The Gap
- Web SSO and application developers seem to be minded in different ways
  - Middleware and server on one side
    - Match with server procedures and identity sources
    - An end in itself
  - Business rules on the other side
    - Databases and tiers
    - A means to an end
- So they expect us on their side of the gap
- Here is the true story of PAPI's travel to application-land

The Starting Point
- PAPI runs as an Apache module
- Traditional Apache methods were used to pass data through other modules up to the application
  - Notes: shared-memory inter-module communication
  - Headers: as if they were coming in the original request
  - Authentication parameters: as if they were established by HTTP Auth procedures
- In any possible flavor
  - The whole, unprocessed assertion
  - Individual attribute values

The Starting Point. Some Details
- Notes and headers
  - The whole PAPI assertion is available through
    - Note PAPIHcook
    - Header X-PAPI-Hcook
  - Individual attributes use the PAPIAttr- prefix in notes (e.g. PAPIAttr-schacMotherTongue)
  - and the X-PAPIAttr- prefix in headers (e.g. X-PAPIAttr-schacMotherTongue)
- HTTP Auth values
  - New to PAPI 1.5
  - Using the directive MapAuthUser to apply the appropriate attribute value

Going a Little Beyond
- Less HTTP-ish detail
  - Avoid header processing
  - Do not require tweaking the server configuration
    - Configuration independence for each instance
- Provide an abstraction layer
  - General interface to access attributes, independently of the source
  - Avoid future protocol changes affecting application code
- Finer control
  - Apply to other units than those supported by the Apache module
- And available in many flavors
  - Do not mandate a particular implementation language

The PAPI Model at Play
[Diagram: AuthN data (uid: drlopez, pass: ******) presented to the AuthServer, which is backed by a Directory Server and supports several assertion formats; the RedIRIS GPoA; the Intranet PoA and the Admin PoA, each receiving the assertion uid=drlopez role=admin]

Applying the PAPI Model
- The Authentication Server (AS) => IdP
  - Provides users with a (local) single authentication point
  - Source for user attribute data
- The Point of Access (PoA) => inner SP
  - Performs actual access control by means of temporary cryptographic tokens, encoded as HTTP cookies
- The Group-wide Point of Access (GPoA) => outer SP
  - Combines a group of PoAs with similar access policies
  - Intended to simplify AS-PoA interactions and PoA operation
- PoAs relying on a GPoA can be built using different language bindings with relatively low effort
  - And a standalone GPoA based on AA-RR is also available

phpPoA
- Requires a parent GPoA
- Implemented as a PHP (4/5) object
  - Takes care of the HTTP redirections mandated by the PAPI protocol
  - Must be instantiated and called at the start of the procedure
- Provides access control and attribute access to individual pages
- Configured through a typical PHP ini file
  - Unique for all the phpPoAs running in the server
- Easy to use for those who are PHP-aware

    [admin]
    Location = /admin
    LKEY_File = /usr/local/papi/etc/KEYS/lkey
    GPoA_Pub_Key = /usr/local/papi/etc/KEYS/_GPoA_pubkey.pem
    GPoA_URL =
    PAPI_Filter_accept = "group=tecniris,.*?uid=david"
    PAPI_Filter_reject = ".*"

The phpPoA Interface
- A simple method call

    $poa = new PoA('admin'); // Stanza in phpPoA.ini
    $attr = $poa->check_Access();

- Returns an associative array with the authorization results and the received attributes

    PAPIAuthZValue => 1
    PAPIASName => myAuthNServer
    PAPIAssertion =>
    uid => myUserID
    group => myGroupID
    role => admin

es.rediris.papi.filter
- A Tomcat filter based on the same principles as phpPoA
- Configured through an XML properties file
  - Configurable for each PAPI filter in the system
- Easy to use for those who are Tomcat-aware...

  Values from the slide's XML configuration example (the element names were not preserved in the transcript):

    /home/tomcat/conf/PAPI/lkey
    /servlets-examples/
    cookies.txt
    manual
    any => accept, =...

The es.rediris.papi.filter Interface. Configuration
- Define it in the web.xml Tomcat configuration file

    <filter>
      <filter-name>PAPI Filter</filter-name>
      <filter-class>es.rediris.papi.filter.PAPIFilter</filter-class>
      <init-param>
        <param-name>PAPI.configFile</param-name>
        <param-value>/home/tomcat/conf/PoAconf.xml</param-value>
      </init-param>
    </filter>
    ...
    <filter-mapping>
      <filter-name>PAPI Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

The es.rediris.papi.filter Interface. Runtime
- Implementation of the javax.servlet.Filter interface
  - Constructor plus init() and doFilter() methods
- If authorization succeeds, attributes are made available as attributes in the user session maintained by the application context

    es.rediris.papi.filter.PAPIHcookValue =>
    es.rediris.papi.filter.PAPIAuthServer => myAuthNServer
    es.rediris.papi.filter.uid => myUserID
    es.rediris.papi.filter.group => myGroupID
    es.rediris.papi.filter.role => admin

  - Available to any servlet accessed in the same application context
- A full implementation of JAAS to be directly referenced by servlets is under way

Going Beyond: JNLP/Java Web Start
- A small JNLP application must be loaded
  - Living in a PAPI-protected location
  - Fresh cryptographic material is passed as a parameter
  - Establishes the PAPI tokens through a shared cookie repository
    - Using the standard class HTTPClient
- Any data access from JNLP applications can then be protected by PAPI
  - Referencing URLs behind a PAPI PoA
  - Just by using the HTTPClient class for network connections
- And this is orthogonal to protecting access to the application itself
  - Putting the XML definition at a URL behind a PAPI PoA

If Anything Else Fails: RewritingProxy
- A proxy with rewriting capabilities
- Supporting several access methods
  - IP address
  - HTTP (basic and digest) authentication
  - Forms
- Able to:
  - Proxy sites or entire domains
  - Be seen as a virtual host or a location
  - Integrate with a cache to enhance response times
  - Include user attributes to fulfill access methods
    - Usernames, passwords, source IP addresses, ...

The RewritingProxy Engine
- The rewriting engine can be applied to:
  - HTML tags plus embedded scripts (JavaScript, CSS) (always)
  - Specific content types
  - URL patterns (even bypassing PAPI access control)
- The rewriting engine is based on:
  - Perl regular expressions
  - Derived from the remote site or domain being accessed
  - Specific, applicable to
    - The whole proxied site/domain
    - URLs matching certain patterns
- Attributes can be used inside the engine

RewritingProxy At Work: From Simple...
- Remote site

    # REL 1,
    Remote_URL

- Remote domain

    # REL 1, Requires PAPI >=
    Remote_Domain ebsco.com
    PAPI_Redirect ([\w-]+).ebsco.com PROXYNAME/$1/

RewritingProxy At Work: ...To More Sophisticated...
- A little bit

    # REL 2, Requires PAPI >=
    Remote_Domain iop.org
    PAPI_Redirect ([\w]+).iop.org PROXYNAME/$1
    PAPI_Redirect "/images "/$name_dest/images
    Rewrite_MIME_Types application/x-javascript

- And more

    # REL 2, Requires PAPI >=
    Remote_Domain aip.org
    PAPI_Redirect ([\w]+).aip.org PROXYNAME/$1/
    PAPI_Redirect PROXYNAME/([\w]+):([\d]+) PROXYNAME:$2/$1
    PAPI_Redirect \"/jimages/ \"/$name_dest/jimages/
    PAPI_Redirect \"/vsearch/ \"/$name_dest/vsearch/
    PAPI_Redirect \"/journal_cgi/ \"/$name_dest/journal_cgi/
    PAPI_Redirect SRC='/journals/ SRC='/$name_dest/journals/
    Rewrite_MIME_Types application/x-javascript

RewritingProxy At Work: ...To Really Complicated

    # REL 5, Requires PAPI >=
    Remote_Domain isiknowledge.com
    No_XML 1
    # Mark URI-escaped characters
    PAPI_Redirect %(25)?([0-9a-fA-F]{2}) *$1$2*
    ...
    # URLs with port spec
    PAPI_Redirect PROXYNAME/([\w]+)(/|\*2F\*)?(:|\*3A\*)(8080)(/|\*2F\*) $1.isiknowledge.com$3$4$5
    ...
    # Rewrite back "product references" into URL params
    PAPI_Redirect product_st_thomas=(.*?)PROXYNAME(:|\*3A\*)?([\d]+)?(/|\*2F\*)(.*?)(/|\*2F\*) product_st_thomas=$1$5.isiknowledge.com$2$3$4
    ...
    # Unmark URI-escaped characters
    PAPI_Redirect \*(25)?([0-9a-fA-F]{2})\* %$1$2
    ...
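To show how an ordered list of PAPI_Redirect rules rewrites content in both directions, here is an added example (my own code, not part of RewritingProxy) that applies the ebsco.com rule to a response and the isiknowledge.com mark/rewrite/unmark sequence to a URI-escaped request parameter. It assumes that PROXYNAME stands for the proxy's own host name (here the made-up proxy.example.org), that each rule is a Perl-style regex plus a replacement using $n back-references, and that rules are applied in file order, each over the output of the previous one.

```python
import re

# Assumed proxy host name; the slides use the placeholder PROXYNAME inside the rules.
PROXYNAME = "proxy.example.org"


def compile_rule(pattern, replacement):
    """Translate one PAPI_Redirect line (Perl-style regex, $n back-references,
    PROXYNAME placeholder) into a compiled Python pattern and replacement."""
    pat = pattern.replace("PROXYNAME", re.escape(PROXYNAME))
    repl = re.sub(r"\$(\d+)", r"\\g<\1>", replacement.replace("PROXYNAME", PROXYNAME))
    return re.compile(pat), repl


def apply_rules(text, rules):
    """Apply the rules in order, each one over the output of the previous one."""
    for pat, repl in rules:
        text = pat.sub(repl, text)
    return text


# Response direction (remote site -> proxied URLs), taken from the ebsco.com definition.
RESPONSE_RULES = [compile_rule(r"([\w-]+).ebsco.com", "PROXYNAME/$1/")]

# Request direction (proxied URL inside a URI-escaped parameter -> remote site), taken
# from the isiknowledge.com definition: mark %XX escapes so they can be matched like
# plain "/" and ":", rewrite the host back, then unmark.
REQUEST_RULES = [
    compile_rule(r"%(25)?([0-9a-fA-F]{2})", "*$1$2*"),
    compile_rule(r"product_st_thomas=(.*?)PROXYNAME(:|\*3A\*)?([\d]+)?(/|\*2F\*)(.*?)(/|\*2F\*)",
                 "product_st_thomas=$1$5.isiknowledge.com$2$3$4"),
    compile_rule(r"\*(25)?([0-9a-fA-F]{2})\*", "%$1$2"),
]


def proxify_response(html):
    """Rewrite remote-site links in a response body into links through the proxy."""
    return apply_rules(html, RESPONSE_RULES)


def unproxify_request(query):
    """Rewrite a proxied host inside a URI-escaped parameter back to the remote site."""
    return apply_rules(query, REQUEST_RULES)


if __name__ == "__main__":
    # Constructed sample inputs
    print(proxify_response('<a href="http://search.ebsco.com">'))
    print(unproxify_request("product_st_thomas=http%3A%2F%2Fproxy.example.org%2Fwos%2FSearch"))
```

The marking step is what lets one rule handle both "/" and "%2F" forms of a delimiter; the unmarking step restores the escapes so the remote site receives a valid URL.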

RewritingProxy In the Run
- The need for proxying is going to stay for (at least) some years
  - So we'd better prepare for it
- Community support for proxy definitions
  - All the examples previously shown are available at
- Ongoing enhancements
  - Proxy auto-configuration from definitions held at the PAPI site
  - Applet proxy