JAAS AuthN Tokens in uPortal and Beyond


1 JAAS AuthN Tokens in uPortal and Beyond
or “The JAAS Singer”

- An aging webISO that departments were abandoning.
- Everyone was beginning to use AD LDAP AuthN.
- AD used a different principal/password than the webISO, causing issues with portal logins and portal integrations.
- The university was slow on the uptake with an alternative (CAS/Shib); we needed something to bridge the gap.
- LDAP AuthN was against central IT policies (security of the protocol).
- The Kerberos protocol was the recommended way, but no one was doing it.
- After a little research the challenge seemed worth undertaking.

2 Our Environment
- 3 campuses / 2 environments
- Tomcat 6.0.20
- uPortal 3.1.1
- Active Directory
- Kerberos authentication via JAAS

3 Why Active Directory?
- AD offers authentication and group management
- Many campus services use it for authentication
- Its Kerberos implementation is widely used

4 Why JAAS?
- Already part of Java
- Kerberos implementation is solid
- Works with our AD/Kerberos
- uPortal has some JAAS support

5 EWS / uPortal
Exchange Web Services (EWS) is a SOAP interface to Microsoft Exchange. We were tasked with building a portlet to retrieve a summary of and Calendar items. Each item should be a link that takes the user directly to its detailed view in Outlook Web Access.

6 Parameters
- Utilize existing infrastructure
- Secure and easily managed authentication
- No admin user

7 #1 Utilize Existing Infrastructure
- Both EWS and our uPortal instance authenticate against AD.
- EWS has a SOAP interface; Java supports SOAP web services via JAX-WS.
- Some work was already started via imap2exchange:
  - helped with the JAX-WS bindings
  - utilizes BASIC authentication

8 #2 Secure, Easily Managed AuthN
Options considered:
- BASIC authN
- Admin user on the Exchange server
- Secret keys between the portal and the EWS server
- Kerberos tickets?

- BASIC authN would require the user's credentials to be cached (not happening) or the user to enter their AD creds into another form prior to each request for a summary (again not happening).
- An admin user would have to be able to access all users' folders, which is not desirable from a security standpoint nor easy from an admin standpoint.
- We use shared secrets for authenticating to other campus/university webISOs, but that is not easily managed, since there is a 1-1 relationship between each service/environment and the portal.

9 Kerberos Tickets and SPNego!
- Kerberos tickets are generated by Active Directory
- Opaque and unique
- SPNego (Simple and Protected GSSAPI Negotiation Mechanism): carries Kerberos authentication over HTTP (the Negotiate scheme)
- Built in to EWS' DNA
- Supported by all major browsers
- Best of all, it's easy to manage!

10 uPortal and SPNego via JAAS/GSSAPI
- The OOB JAASSecurityContext allows authN via JAAS but does not hold on to the Kerberos ticket.
- Thanks to uPortal being open source, we saw why it didn't, and more importantly what had to happen to make it hold on to it.
- Implemented our own JAASSecurityContext: our impl stores the JAAS Subject (which carries the Kerberos ticket) as an IAdditionalDescriptor in an IPerson attribute whose name we chose. This is a key factor for later in the presentation.

11 uPortal and SPNego via JAAS/GSSAPI
- Portlets need to be able to access this attribute through the portlet API (PortletRequest.getAttribute).
- We developed our own RequestAttributeService and used the portlet container's Spring context file to inject it into uPortal.
- Now IPerson attributes are available to portlets without needing any additional API.
- All of this code was implemented using existing interfaces exposed by uPortal and Pluto; uPortal's Spring configuration allowed us to fit this into our implementation easily and gave us access to the token.

12 Using the Kerberos Ticket
Still faced a couple of challenges:
- Generate a SPNego token
- Put it on the HTTP header of the SOAP request the right way

13 Enter JAASmine
JAASmine was built out of frustration:
- There are FEW good resources on GSSAPI/SPNego usage in Java
- The API is under-documented and tutorials are too basic
- JAASmine takes what we learned and makes it easy

14 JAASmine
Lightweight "wrapper" for JAAS/GSSAPI:
- Client code for web services that want to authenticate using SPNego tokens
- Server code for handling verification and validation of SPNego tokens

15 Success!

16 JAASmine and EWS authN
- From our portlet, we could get the Kerberos ticket
- Pass it to the JAASmine client to generate a SPNego token
- Next, put it on the header of the HTTP SOAP request: the client sends it as Authorization: Negotiate <token> (WWW-Authenticate: Negotiate is the server's 401 challenge header, not something the client sets)
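The three steps from slides 10, 12 and 16 (keep the JAAS Subject from the portal login, mint a SPNEGO token from it, put the token on the request) as one added example written for this page. It is not code from the presentation, from uPortal or from JAASmine; it uses only the JDK's JAAS and GSS-API classes plus JAX-WS (Java 8+, JAX-WS on the classpath). The JAAS entry name PortalLogin and its configuration in the leading comment, the EWS host name and the SPN form HTTP@host are assumptions. One caveat worth stating: keeping the Subject means the portal holds the user's TGT for the life of the session, so the session store and the heap it lives in become as sensitive as the user's password.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;

import org.ietf.jgss.*;

/*
 * Assumed JAAS login configuration entry for the portal login (step 1):
 *
 *   PortalLogin {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useTicketCache=false doNotPrompt=false;
 *   };
 *
 * krb5.conf points default_realm at the AD domain. Krb5LoginModule obtains a
 * TGT with the supplied password and stores it in the Subject's private credentials.
 */
public final class SpnegoEwsClient {

    private static final Oid SPNEGO_OID = spnegoOid();

    /**
     * Step 1 (what a custom JAASSecurityContext does at portal login): log in with
     * the user's AD principal and password and return the Subject itself. Keeping
     * only the boolean login result leaves nothing to build a token from later.
     */
    public static Subject login(String principal, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("PortalLogin", handler);
        lc.login();
        return lc.getSubject();
    }

    /** Check before each EWS call: does the Subject still hold an unexpired Kerberos ticket? */
    public static boolean hasCurrentTicket(Subject subject) {
        return subject.getPrivateCredentials(KerberosTicket.class).stream()
                .anyMatch(KerberosTicket::isCurrent);
    }

    /**
     * Step 2: under the user's Subject, open a GSS context to HTTP/<ewsHost> with the
     * SPNEGO mechanism. The first initSecContext() call uses the TGT to obtain a
     * service ticket for the EWS SPN and wraps it in the SPNEGO initial token.
     * Delegation is not requested; EWS only needs to know who the user is.
     */
    public static String spnegoToken(Subject subject, String ewsHost) throws Exception {
        PrivilegedExceptionAction<String> action = () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName service = manager.createName("HTTP@" + ewsHost, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(service, SPNEGO_OID, null, GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestMutualAuth(false); // one-leg HTTP Negotiate; the server's reply token is not consumed
                ctx.requestCredDeleg(false);
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                return Base64.getEncoder().encodeToString(token);
            } finally {
                ctx.dispose();
            }
        };
        return Subject.doAs(subject, action);
    }

    /**
     * Step 3: the client sends the token as "Authorization: Negotiate <base64>"
     * (RFC 4559). WWW-Authenticate is the server's 401 challenge header.
     */
    public static void attachToken(BindingProvider ewsPort, String token) {
        Map<String, List<String>> headers = Collections.singletonMap(
                "Authorization", Collections.singletonList("Negotiate " + token));
        ewsPort.getRequestContext().put(MessageContext.HTTP_REQUEST_HEADERS, headers);
    }

    private static Oid spnegoOid() {
        try {
            return new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID, RFC 4178
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

spnegoToken() has to run inside Subject.doAs (or the JAAS login must have populated a ticket cache), otherwise the Kerberos GSS provider finds no credentials and initSecContext fails with "No valid credentials provided". hasCurrentTicket() is the check to make before calling EWS: once the TGT expires the user has to log in to the portal again, because the password was never cached, which is exactly the property slide 8 asked for.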

17 Beyond uPortal
JAASmine server components are used for authenticating to our Kuali Rice instances (both the web app and soon the SOAP services). Set up is low impact:
- configure JAAS
- configure Kerberos
- configure a servlet filter
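The three configuration pieces on this slide as one added example; this is not JAASmine's code. It is a servlet filter doing the server side of RFC 4559 (challenge with WWW-Authenticate: Negotiate, accept the token with the JDK GSS-API under the service principal's keytab, expose the authenticated principal to the application), with the JAAS and Kerberos configuration it assumes in the leading comment. The entry name ServiceLogin, the keytab path, the principal HTTP/app.example.edu@EXAMPLE.EDU and the request attribute name spnego.principal are assumptions.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.ietf.jgss.*;

/*
 * Assumed JAAS entry (java.security.auth.login.config), keytab path and SPN:
 *   ServiceLogin {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true storeKey=true doNotPrompt=true isInitiator=false
 *       keyTab="/etc/krb5/http-app.keytab"
 *       principal="HTTP/app.example.edu@EXAMPLE.EDU";
 *   };
 * Assumed krb5.conf (java.security.krb5.conf): default_realm = EXAMPLE.EDU with the
 * AD domain controllers as KDCs. The keytab must hold the key of the SPN browsers
 * ask a ticket for, i.e. HTTP/<host name as the users address it>.
 */
public final class SpnegoFilter implements Filter {

    public static final String PRINCIPAL_ATTR = "spnego.principal"; // assumed attribute name
    private Subject serviceSubject;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            LoginContext lc = new LoginContext("ServiceLogin"); // keytab login, no callbacks needed
            lc.login();
            serviceSubject = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("service principal login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            challenge(response); // first leg of RFC 4559: 401 + WWW-Authenticate: Negotiate
            return;
        }
        String principal;
        try {
            String b64 = auth.substring(10).trim();
            if (b64.startsWith("TlRMTVNT")) { // base64 of "NTLMSS": a browser with no ticket fell back to NTLM
                throw new GSSException(GSSException.BAD_MECH); // the JDK acceptor cannot validate NTLM
            }
            principal = validate(Base64.getDecoder().decode(b64));
        } catch (Exception e) {
            challenge(response); // bad base64, NTLM, wrong SPN, expired/replayed ticket, clock skew
            return;
        }
        request.setAttribute(PRINCIPAL_ATTR, principal);
        chain.doFilter(request, response);
    }

    /**
     * Accept the token under the service Subject (so the keytab key is available) and
     * return the client principal. HTTP Negotiate as used here is a single token, so a
     * context that is not established afterwards is a failure, not a further leg.
     */
    String validate(byte[] token) throws Exception {
        PrivilegedExceptionAction<String> action = () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID, RFC 4178
            GSSCredential serverCred = manager.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(serverCred);
            try {
                ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                }
                return ctx.getSrcName().toString(); // e.g. "alice@EXAMPLE.EDU"
            } finally {
                ctx.dispose();
                serverCred.dispose();
            }
        };
        return Subject.doAs(serviceSubject, action);
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Negotiate");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    public void destroy() {}
}
```

Map the filter in web.xml ahead of the application's own security and have the application map the returned principal to its user record; the filter deliberately re-challenges rather than erroring on a failed token, since the common causes (a non-domain-joined browser sending NTLM, a host name missing from the browser's Negotiate whitelist, clock skew) are client-side and the next request may carry a valid ticket.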

18 Beyond uPortal
- More web services
- Kerberos/browser to server? It's possible (and ideal). Kerberos from browser to server would enable proper click-through from items in the summary directly into Outlook Web Access (if Kerberos were turned on for it).
- Other JAAS authentication implementations need to be added to JAASmine (LDAP, etc.).

19 References
- SPNego - http://goo.gl/ECVHs
- GSSAPI - http://goo.gl/XPLJF
- JAASmine -
- imap2exchange -

20 Thank You!
Tim Carroll
Andy Gherna

