Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

2 Idea (Nov. 3, 2006, http://myproxy.ncsa.uiuc.edu/sessions/)
Goal: enable “web” single sign-on (SSO) for non-web applications
Restriction: utilize the available authentication protocols for all applications involved
Requirement: minimize exposure of a user’s long-term authentication credentials (e.g. private password)

3 Related SSO Solutions
Kerberos
– Issues cryptographic software tokens
– Can integrate with Java via GSS-API
– But the underlying application must be modified to understand the Kerberos protocol
Session cookies
– JSESSIONID allows a JWS application to “inherit” the browser’s security context
– But the security context is only valid with the web server initially contacted
Browser-based SSO
– Examples: Microsoft’s Passport, Pubcookie, and Shibboleth
– But not useful in non-browser applications such as JWS

4 Motivation
Real-world development effort: MAEviz
Three main components
– Web portal / application server
– Data server
– Java Web Start visualization application
Web portal and data server use password-based authentication
Portal and JWS application do not share a session context

5 Scenario
User connects to grid portal
– Username/password authentication
Portal connects to data server for listing
– Also username/password authentication
Web portal launches JWS application
– JWS application authenticates to data server
Desire: user authenticates only once
– The goal of Single Sign-On (SSO)

6 Portal + Java Web Start (diagram)
Steps: (1) Login, (2) Data Request, (3) Data, (4) JNLP, (5) Data Request, (6) Render Data

7 MAE Center Portal (screenshot)

8 MAEviz JWS Application (screenshot)

9 Multiple Protocols
Portal server is Sakai
– Web browser front-end
– Web services (Axis), JSP, Java back-end
Data server is SAM
– WebDAV server
– Metadata Management and Notebook Services
MAEviz application is JWS
– Launched via JNLP file
– Distinct from web browser session
How to effect a shared security session?

10 Password Authentication
Good news – all components understand username/password authentication
Obvious solution – pass around the user’s name and password
Bad news – don’t want to expose the user’s long-lived password
Solution – use short-lived “session passwords” instead

11 Session Passwords
Associate multiple short-lived “session” passwords with a given username
Can be used in lieu of a user’s long-lived password
Expire after a few hours
Use an external authentication service
Allow for a “password based” SSO solution

12 Solution: MyProxy
Originally used for X.509 credential storage and retrieval
Can also be configured as a Certificate Authority (CA) to issue credentials
Server configuration option allows for storage and retrieval of any number of session passwords for a user
Multiple external authentication methods
– PAM and SASL

13 Creating Session Password (diagram)
Steps: (1) Username & Password, (2) Authn U/P, (3) Credential, (4) Generate P′, (5) Put(Cred,U,P′), (5) Cred

14 Using Session Password (diagram)
Steps: (1) Username & Session Password (P′), (2) Authn U/P′, (3) Cred / Authn OK, (2) Cred

15 MyProxy Configuration
Checks all stored credentials
– When authenticating a password, ALL credentials for a given username on the MyProxy server are checked for a match
Falls back to external authentication
– If no password matches the stored credentials, MyProxy falls back to external authentication methods (e.g. PAM)
Result: MyProxy authenticates a user’s original long-lived password AND any session passwords

16 MyProxy Single Sign-On (diagram)
Steps: (1) U/P, (2) U/P, (3) U/P Authn, (4) Cred, (5) Generate P′, (6) Put(Cred,U,P′), (6) Cred, (7) U/P′, (8) U/P′ Authn, (8) Cred / Authn OK, (9) Data, (10) JNLP w/ U/P′, (11) U/P′, (12) U/P′ Authn, (12) Cred / Authn OK, (13) Render Data

17 Security Concerns
JNLP file on multi-user systems
– Downloaded to user’s local file system
– Not deleted upon session exit
– Might have permissive umask setting
– Only solution is “user education”
Session passwords have a finite lifetime
– Client can also explicitly destroy a session password before it expires
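Added example (not from the presentation and not MyProxy’s own code): a small Python model of the server-side behaviour on slides 13–15 and 17. It keeps a per-username list of credentials protected by session passwords, authenticates by checking every stored credential before falling back to an external PAM-like check, issues a new session password P′ only after successful authentication, expires it after a lifetime, and lets the client destroy it early. The ExternalAuth stand-in, the 4-hour lifetime, the password hashing and the credential strings are assumptions.

```python
# Added toy model of the MyProxy session-password flow (slides 13-15, 17);
# not MyProxy's own code. The PAM stand-in, hashing and lifetime are assumptions.
import hashlib, os, secrets, time
SESSION_LIFETIME = 4 * 3600   # "a few hours" (assumed 4h)

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)  # low count for a toy

def _new_record(pw):
    salt = os.urandom(16)
    return salt, _hash(pw, salt)

class ExternalAuth:
    """Stand-in for PAM/SASL: verifies the user's long-lived password."""
    def __init__(self, users):
        self.users = {u: _new_record(p) for u, p in users.items()}
    def check(self, user, pw):
        rec = self.users.get(user)
        return rec is not None and secrets.compare_digest(_hash(pw, rec[0]), rec[1])

class MyProxyStore:
    def __init__(self, external, now=time.time):
        self.external, self.now = external, now
        self.creds = {}   # username -> list of (salt, hash, expiry, credential)

    def authenticate(self, user, pw):
        """Slide 15: check ALL stored credentials for the username; if none matches,
        fall back to external authn. Returns the credential, "authn-ok", or None."""
        for salt, h, expiry, cred in self.creds.get(user, []):
            if expiry > self.now() and secrets.compare_digest(_hash(pw, salt), h):
                return cred
        return "authn-ok" if self.external.check(user, pw) else None

    def create_session_password(self, user, password):
        """Slide 13: authn with U/P, generate P', Put(Cred, U, P'); return P'."""
        if self.authenticate(user, password) is None:
            raise PermissionError("authentication failed")
        p_prime = secrets.token_urlsafe(24)           # short-lived session password
        salt, h = _new_record(p_prime)
        cred = f"cred-{user}-{secrets.token_hex(4)}"  # constructed stand-in for a credential
        self.creds.setdefault(user, []).append((salt, h, self.now() + SESSION_LIFETIME, cred))
        return p_prime

    def destroy_session_password(self, user, p_prime):
        """Slide 17: client explicitly destroys a session password before it expires."""
        recs = self.creds.get(user, [])
        kept = [c for c in recs if not secrets.compare_digest(_hash(p_prime, c[0]), c[1])]
        self.creds[user] = kept
        return len(recs) - len(kept)
```

Note that the long-lived password never has to be handed to the data server or the JWS application: once P′ exists, every later hop on slide 16 authenticates with U/P′ only.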

18 Conclusion
Enable SSO for legacy applications
Client creates any number of “session passwords” for a username stored on a MyProxy server
Session passwords are passed among clients/programs
Clients need only understand username/password authentication

19 Acknowledgements
National Center for Supercomputing Applications (NCSA)
– Funded by the NSF (National Science Foundation) under Grant No. SCI-0438712
Mid-America Earthquake (MAE) Center
– Funded by the NSF (National Science Foundation) under Grant No. EEC-9701785
Additional thanks to
– Jim Myers and Kevin Price, at NCSA

