PicketBox in AS7 | Developer Conference 2012

Slide 1: PicketBox in AS7
Peter Škopek, Software Engineer, JBoss by Red Hat
Brno, Developer Conference 2012
2
PicketBox in AS7 | Developer Conference 2012 2 Agenda ● PicketBox overview ● Vault
3
PicketBox in AS7 | Developer Conference 2012 3 PicketBox Overview ● PicketBox is a Java Security Framework that provides Java developers the following functionality: ● Authentication Support ● Authorization Support ● Audit Support ● Security Mapping Support ● OASIS XACML v2.0 Support
4
PicketBox in AS7 | Developer Conference 2012 4 Authentication ● It is based on JAAS which is available as part of the Java SE ● PicketBox provides various authentication and authorization modules JAAS modules ● Advanced LDAP based Authentication using LdapExtLoginModule ● LDAP based Authentication using LdapLoginModule ● Database based Authentication using DatabaseServerLoginModule ● File based Authentication using UsersRolesLoginModule
5
PicketBox in AS7 | Developer Conference 2012 5 Authorization ● Coarse Grained ● You can use the PicketBox authorization modules to provide access control to your java application ● Fine Grained ● Standards based Oasis XACML v2 Authorization using JBossXACML ● Access Control Lists (ACLs) using PicketBox ACL
6
PicketBox in AS7 | Developer Conference 2012 6 Authentication/Authorization Annotations ● We can reduce our boiler plate code using PicketBox Annotations on POJOs. ● @SecurityDomain ● @Authentication ● @Authorization ● @SecurityMapping ● @Module ● @ModuleOption ● @SecurityConfig
7
PicketBox in AS7 | Developer Conference 2012 7 Audit ● @SecurityAudit Annotation ● Fully Qualified Name: org.jboss.security.annotation.SecurityMapping ● The annotation indicates that all security events will be audited @SecurityAudit(modules = {@Module(code = SomeAuditProvider.class, Options= {@ModuleOption(key="roles",value="validuser")})}) public class AnnotatedPOJO { }
8
PicketBox in AS7 | Developer Conference 2012 8 Security Mapping ● It is important for any security framework to provide facilities to map principal or roles from one form to another ● Examples include: ● The authentication has been performed using X509 Certificates. Now you want to convert the principal from the certificate to a logical name that is meaningful to your application such as display purposes. ● The authentication process derived a set of roles as part of the security domain. But you want to associate a few more roles with the current subject as part of the deployment archive.
9
PicketBox in AS7 | Developer Conference 2012 9 XACML ● If using JBossXACML engin use version 2.0.7.Final and newer ● Contains fix which make it run as dependency of your JEE application ● Use META-INF/jboss-deployment-structure.xml:
10
PicketBox in AS7 | Developer Conference 2012 10 Vault ● Vault storage for passwords used throughout the system ● Subsystems can load passwords from VaultService ● Configuration file is not revealing passwords to outside world ● But be careful current default Vault implementation is using Password Based Encryption which is security by obscurity ● Paranoid user could store content of Vault on some kind of secure storage and remove after server boot
11
PicketBox in AS7 | Developer Conference 2012 11 Vault – how to ● First create your keystore (yes old good keystore) ● keytool -genkeypair -alias vault -keyalg RSA -keysize 1024 -keystore vault.keystore -keypass secretvault -storepass secretvault -dname "CN=PicketBox Vault,OU=eng,O=jboss.org,L=Brno,C=CZ" ● Then run $JBOSS_HOME/bin/vault.sh ● Start interactive session by pressing 0 ● Supply needed information ● Mark down masked password
12
PicketBox in AS7 | Developer Conference 2012 12 Vault – how to ● Generated information will be used when configuring VaultService in e.g. standalone.xml... <vault-option name="KEYSTORE_URL" value="/home/pskopek/vault/vault.keystore"/> <vault-option name="KEYSTORE_PASSWORD" value="MASK-29p2XuDhbHF3nixK9O5Isu"/>...
13
PicketBox in AS7 | Developer Conference 2012 13 Vault – how to ● Next operation is 0 Store a password ● Attribute value – a.k.a password :-) ● Enter Vault Block – block name in Vault ● Enter Attribute Name – name of attribute to find it later ● Don't forget to write down output of operation
14
PicketBox in AS7 | Developer Conference 2012 14 Vault – how to <datasource jndi-name="java:jboss/datasources/ExampleDS" enabled="true" use-java-context="true" pool-name="H2DS"> jdbc:h2:mem:test;DB_CLOSE_DELAY=-1 h2 sa ${VAULT::ds_ExampleDS::password:: N2RhMDViNzAtZGNkNC00ZTE0LTllZTgtMGFjZGQ3MTk1NjBjTElORV9CUkVBS3ZhdWx0}...
15
PicketBox in AS7 | Developer Conference 2012 15 Vault – how to ● Little different than original: sa
16
PicketBox in AS7 | Developer Conference 2012 16 Using vaulted attributes in own modules ● If you are using the AttributeDefinition classes the vaulted expression will be automatically resolved when calling AttributeDefiniton.resolveModelAttribute(). ● If not, you need to call OperationContext.resolveExpression() yourself
17
PicketBox in AS7 | Developer Conference 2012 17 Vault – how to ● It works even in this situation: @DataSourceDefinition( name = "java:jboss/datasources/LoginDS", user = "sa", password = "VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWI xTElORV9CUkVBS3ZhdWx0", className = "org.h2.jdbcx.JdbcDataSource", url = "jdbc:h2:tcp://localhost/mem:test" ) @WebServlet(name = "MyTestServlet", urlPatterns = { "/my/" }, loadOnStartup = 1) public class MyTestServlet extends HttpServlet { private static final long serialVersionUID = 1L; @Resource(lookup = "java:jboss/datasources/LoginDS") private DataSource ds;
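To show what resolving the vault expressions on slides 14, 16 and 17 amounts to, here is an added Python example (not code from the presentation or from AS7): it parses both the ${VAULT::block::attribute::key} form used in standalone.xml and the bare VAULT::... form used in the annotation, rejects a shared key that does not decode the way the keys on these slides do (base64 of "<uuid>LINE_BREAK<keystore alias>"), and only then looks the secret up. VAULT_STORE, KEYSTORE_ALIAS and the two sample secrets are constructed assumptions.

```python
import base64
import uuid

# Constructed stand-in for the vault's encrypted store, keyed by the vault block and
# attribute name entered in vault.sh (the real store is VAULT.dat next to the keystore).
VAULT_STORE = {
    ("ds_ExampleDS", "password"): "sa",   # sample secret, made up
    ("DS", "thePass"): "sa",              # sample secret, made up
}
KEYSTORE_ALIAS = "vault"  # KEYSTORE_ALIAS vault-option (assumed value)

def parse_vault_expression(value):
    """Return (block, attribute, shared_key) for a vaulted value, else None.
    Accepts both spellings from the slides: ${VAULT::block::attr::key} in
    standalone.xml and a bare VAULT::block::attr::key inside an annotation."""
    text = value.strip()
    if text.startswith("${") and text.endswith("}"):
        text = text[2:-1]
    parts = text.split("::")
    if len(parts) != 4 or parts[0] != "VAULT" or not all(parts[1:]):
        return None
    return parts[1], parts[2], parts[3]

def shared_key_is_well_formed(shared_key, alias=KEYSTORE_ALIAS):
    """Refuse a shared key this vault cannot have issued: the keys on the slides
    are base64 of '<uuid>LINE_BREAK<alias>', so anything that does not decode that
    way, or that names another keystore alias, is rejected before any lookup."""
    try:
        decoded = base64.b64decode(shared_key, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    head, sep, tail = decoded.partition("LINE_BREAK")
    if not sep or tail != alias:
        return False
    try:
        uuid.UUID(head)
    except ValueError:
        return False
    return True

def resolve_attribute(value):
    """Do what resolveModelAttribute()/resolveExpression() do for one value."""
    parsed = parse_vault_expression(value)
    if parsed is None:
        return value  # not a vault expression: the literal passes through unchanged
    block, attribute, shared_key = parsed
    if not shared_key_is_well_formed(shared_key):
        raise ValueError("malformed vault shared key for %s::%s" % (block, attribute))
    return VAULT_STORE[(block, attribute)]  # KeyError: a missing secret fails closed
```

Plain values such as a JDBC URL pass through untouched, so the same function can be applied to every attribute of a model without special-casing.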