Improving Web Application Security by Using JA-SIG CAS (presentation transcript)


1 Improving Web Application Security by Using JA-SIG CAS
Adam Rybicki, Unicon, Inc.
Scott Battaglia, Rutgers University
Arlington, Virginia, May 5, 2008
© Copyright Unicon, Inc., 2006-2008. This work is the intellectual property of Unicon, Inc. Permission is granted for this material to be shared for non-commercial purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Unicon, Inc. To disseminate otherwise or to republish requires written permission from Unicon, Inc. Some slides drawn from prior presentations at JA-SIG conferences. http://creativecommons.org/licenses/by-nc/2.5/

2 Hi. I’m Adam. V.P. of Technology at Unicon, Inc. Previously CTO at Interactive Business Solutions, Inc. (IBS)

3 Hi. I’m Scott. Application Developer/Architect @ Rutgers. Committer to various open source projects.

4 What is JA-SIG? Java Architectures Special Interest Group
Founded in 1999 to foster collaboration among HE institutions and companies around Java applications for the enterprise
Regular conferences
Membership-funded
Open source projects
–uPortal: initially funded by the Andrew W. Mellon Foundation; named in 2003 in InfoWorld’s top 100 IT projects; 2007 Educause Catalyst award winner
–CAS: initially developed in 1999 at Yale University; became a JA-SIG project in 2004

5 What is CAS? CAS is enterprise single-sign-on for the web.
–Free
–Open source
–Server implemented in Java
–Clients implemented in a plethora of languages
–www.ja-sig.org/products/cas/

6 Some of the people involved as the project has evolved Shawn Bayern Susan Bramhall Marc-Antoine Garrigue Howard Gilbert Dmitriy Kopylenko Arnaud Lesueur Drew Mazurek Andrew Petro Jan Van der Velpen (Velpi)

7 Many CAS deployers Appian Corporation Athabasca University Azusa Pacific University BCcampus California Polytechnic Institute California State University, Chico Campus Crusade for Christ Case Western Reserve University Columbia Employers Direct GET-INT Hong Kong University of Science and Technology Indiana Karlstad University, Sweden La Voz de Galicia, Spain Memorial University of Newfoundland Nagoya University NHMCCD Northern Arizona University Plymouth State University (used with SunGardHE Luminis) Roskilde University Rutgers, The State University of New Jersey SunGard HE Luminis Simon Fraser University (Vancouver, B.C.) Suffield Academy Tollpost Globe AS

8 … and more Universita degli Studi di Parma Universite de Bourgogne - France Universite de La Rochelle, France Universite de Pau et des Pays de l'Adour, France University of Nancy 1, France Universite Nancy 2, France Universite Pantheon Sorbonne Universiteit van Amsterdam University of Bristol, England University of California Merced University of California, Riverside University of Crete, Greece University of Delaware University of Geneva University of Hawaii University of New Mexico University of Rennes1 University of Technology, Sydney Uppsala University Valtech Virginia Tech Yale University And likely more not well-enumerated…

9 CAS and Commercial
CAS is embedded in at least two commercial products
CAS support is baked into at least one hardware platform (a wireless Internet vending appliance)
Commercial entities use CAS as their SSO

10 Multi-sign-on for the Web

11 At least with one username/password? [diagram: each application authenticating against LDAP]

12 All applications touch passwords [diagram: each application authenticating against LDAP]

13 Any compromise leaks primary credentials [diagram: each application authenticating against LDAP]

14 Adversary then can run wild [diagram: each application authenticating against LDAP]

15 What to do about this? What if there were only one login form, only one application trusted to touch primary credentials?

16 Delete your login forms.

17 CAS in a nutshell [diagram: browser, CAS, web application]
–Browser authenticates to CAS via password (once)
–Browser authenticates to the web application without sending the password
–Web application determines the validity of the user’s claimed authentication by checking with CAS

18 How CAS works [diagram: web browser, CAS, web application; labels: S (service), TGC (ticket-granting cookie), ST (service ticket), NetID]

19 Webapps no longer touch passwords [diagram: applications trust CAS; only CAS authenticates against LDAP]

20 Adversary compromises only single apps [diagram: applications trust CAS; only CAS authenticates against LDAP]

21 What about portals? Need to go get interesting content from different systems.

22 Password replay [diagram: portal channels replaying the user’s password (PW) to each password-protected service]

23 Look ma, no password! Without a password to replay, how am I going to authenticate my portal to other applications?

24 CAS 2.0: Proxy CAS [diagram: web browser, CAS, web application with an https listener; labels: S, TGC, ST, NetID, PGTURL, PGTIOU, PGT]

25 CAS 2.0: Proxy CAS [diagram: web browser, CAS, web application, back-end application; labels: S, NetID, PGTURL, PGT, PT, Data]

26 Proxiable credentials illustrated [diagram: IMP web client, CAS, S/ST, IMAP server with CAS PAM module; labels: PGT, PT]
The proxy ticket conveys to the back end:
–Username
–Identity of web resource
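The ticket flows diagrammed in slides 17-18 and 24-26, modelled end to end as an added example (this is not code from the presentation, from Unicon or from the JA-SIG CAS project): the browser gives its password to CAS once and receives a ticket-granting cookie (TGC); the portal receives a service ticket (ST) and validates it with CAS, learning the NetID but never the password; with a proxy-granting ticket (PGT) the portal obtains a proxy ticket (PT) for the IMAP back end instead of replaying a password as in slide 22. The credential store, service URLs, ticket formats and the PGT delivery are constructed for illustration; in a real deployment these are HTTPS calls to the CAS server's /login, /serviceValidate, /proxy and /proxyValidate endpoints, and the PGT arrives at the service's pgtUrl by an HTTPS callback, with only the PGTIOU correlation handle returned in the validation response.

```python
import hmac
import secrets


class CasServer:
    """Toy CAS server: the only component that ever holds primary credentials."""

    def __init__(self, credentials, allowed_services):
        self._credentials = dict(credentials)  # NetID -> password (constructed store)
        self._allowed = set(allowed_services)  # services management white list
        self._tgc = {}        # ticket-granting cookie -> NetID (browser's SSO session)
        self._tickets = {}    # ST or PT -> (NetID, bound service, proxy chain); single use
        self._pgt = {}        # proxy-granting ticket -> (NetID, proxy chain)
        self.callbacks = []   # (pgtUrl, PGTIOU, PGT) delivered out of band to services

    @staticmethod
    def _new(prefix):
        return prefix + "-" + secrets.token_urlsafe(12)

    def login(self, netid, password):
        """Browser authenticates with the password once and receives a TGC."""
        expected = self._credentials.get(netid)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("authentication failed")
        tgc = self._new("TGC")
        self._tgc[tgc] = netid
        return tgc

    def service_ticket(self, tgc, service):
        """Browser presents its TGC and gets an ST bound to one service; no password involved."""
        if service not in self._allowed:
            raise PermissionError("service not registered")
        st = self._new("ST")
        self._tickets[st] = (self._tgc[tgc], service, [])
        return st

    def validate(self, ticket, service, pgt_url=None):
        """/serviceValidate or /proxyValidate: the application asks CAS who the ticket is for."""
        record = self._tickets.pop(ticket, None)    # tickets are single use...
        if record is None or record[1] != service:  # ...and bound to the validating service
            return None
        netid, _, chain = record
        response = {"user": netid, "proxies": chain}
        if pgt_url is not None:
            pgt, pgtiou = self._new("PGT"), self._new("PGTIOU")
            self._pgt[pgt] = (netid, [pgt_url] + chain)
            self.callbacks.append((pgt_url, pgtiou, pgt))  # real CAS: HTTPS POST to pgtUrl
            response["pgtiou"] = pgtiou                    # only the correlation handle in-band
        return response

    def proxy(self, pgt, target_service):
        """/proxy: the PGT holder obtains a PT for a registered back-end service."""
        if target_service not in self._allowed:
            raise PermissionError("service not registered")
        netid, chain = self._pgt[pgt]
        pt = self._new("PT")
        self._tickets[pt] = (netid, target_service, chain)
        return pt


def portal_flow():
    """Slides 17-18 and 24-26 end to end: SSO login, ST validation, PGT, PT to a back end."""
    portal, backend = "https://portal.example/", "https://imap.example/"  # constructed URLs
    cas = CasServer({"jdoe": "correct horse battery"}, [portal, backend])
    tgc = cas.login("jdoe", "correct horse battery")   # the only place the password goes
    st = cas.service_ticket(tgc, portal)                # browser carries the ST to the portal
    pgt_url = portal + "pgtCallback"
    result = cas.validate(st, portal, pgt_url=pgt_url)  # portal learns the NetID, not the password
    # The portal matches the PGTIOU in the validation response to the PGT delivered at pgtUrl.
    pgt = next(p for url, iou, p in cas.callbacks if url == pgt_url and iou == result["pgtiou"])
    pt = cas.proxy(pgt, backend)                        # proxy ticket instead of a replayed password
    backend_view = cas.validate(pt, backend)            # back end sees the user and the proxy chain
    return result["user"], backend_view["user"], backend_view["proxies"]


def replay_is_rejected():
    """A captured ST cannot be validated twice, nor against a different service."""
    app, other = "https://app.example/", "https://other.example/"  # constructed URLs
    cas = CasServer({"jdoe": "pw"}, [app, other])
    tgc = cas.login("jdoe", "pw")
    st = cas.service_ticket(tgc, app)
    first = cas.validate(st, app)
    second = cas.validate(st, app)                             # replay of the same ST
    wrong = cas.validate(cas.service_ticket(tgc, app), other)  # ST for app presented to other
    return first is not None and second is None and wrong is None


if __name__ == "__main__":
    print(portal_flow())
    print(replay_is_rejected())
```

The back end's view of the PT carries the proxy chain (here the portal's pgtUrl), which is what lets a service such as the IMAP server in slide 26 decide whether it trusts the intermediary that is acting for the user; tickets being single use and bound to one service is what limits the damage when a single application is compromised (slide 20).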

27 Provided authentication handlers
LDAP
–Fast bind
–Search and bind
Active Directory
–LDAP
–Kerberos (JAAS)
JAAS
JDBC
RADIUS
SPNEGO
Trusted
X.509 certificates
Writing a custom authentication handler is easy

28 Today CAS is not only for authentication
Return attributes of logged on users
Adding support for standards
–OpenID
–SAML
Single Sign-Out
Support for clustering
–Implements distributed ticket registry
–Requires session replication
–Must guarantee cross-server ticket uniqueness
Services management (white listing)
Remember me

29 Short Term Goals
RESTful API
Service Registration Page
Service Priority
InfoCard Support
LDAP implementation of Service Registry
Auditing, Logging etc.
More Internationalization
Bug Fixes, etc.!

30 Long Term Goals
Re-architecture to support emerging use cases
–Account Management integration
–Password Expiration Policies/Password Change Integration
–SAML, OAuth, OpenID2, etc.
–Levels of Assurance / Multifactor authentication / second-level
Better online/realtime administration
–Installer/configurer
–Information about CAS server (open SSO sessions, etc.)
Hardening/Anti-phishing

31 Questions?
Adam Rybicki, arybicki@unicon.net, www.unicon.net
Scott Battaglia, scott_battaglia@rutgers.edu, eas.rutgers.edu
