Authenticating REST/Mobile clients using LDAP and OERealm


1 Authenticating REST/Mobile clients using LDAP and OERealm
PUG Challenge Americas. Michael Jacobs, Senior Software Architect

2 Agenda
Configurable REST application authentication process
LDAP authentication
OERealm authentication
When things don’t work as you expect

3 Configurable REST application authentication process

4 Configurable REST Authentication Process
Which authentication model (i.e. process) is used is configured in WEB-INF/web.xml
Common authentication model template policies are in WEB-INF/appSecurity…
Plug-in user account system modules
Each template allows configuration of:
  User account system connection
  User [HTTP] session control
  URI access controls (role-based authorization)
  CORS configuration for JavaScript clients
  AppServer [Client-Principal] SSO (for AppServers)

5 LDAP Authentication

6 LDAP Essentials
[LDAP] Directory Services are widely used as a single point of administration
LDAP (Lightweight Directory Access Protocol) is a wire protocol and client API
Most commonly recognized as a Single Point of Authentication (SPA)
A Directory Service (examples: OpenLDAP, Windows Active Directory, Apache DS) is a hierarchical store of schema-defined objects and object attributes
No two production sites will have the same hierarchy (of users & groups)

7 Key Directory Service Terms and Concepts
Distinguished Name (DN): the path to a specific data object
Root DN: the name of the object hierarchy's root data object. Example: dc=acme,dc=com
Fully qualified DN: the full path to the object, from the root DN down to the object. Example: dn=ldapserver1,ou=IT,dc=acme,dc=com
Relative DN: the object's name relative to its parent. Example: dn=ldapserver (child object of ou=IT,dc=acme,dc=com)
Search root: the fully qualified DN of the data object at which to begin a descending search for one or more data objects
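As an added illustration of these DN terms (this is not code from the presentation), the following Python splits a DN string into its RDN components per RFC 4514, tests whether an entry lies beneath a search root, and computes the relative DN of an entry against a base. The sample DNs reuse the slide's acme.com hierarchy; the leaf entry is written with cn= here, and that choice is the example's own.

```python
import re

# Attribute values inside an RDN may escape ',' with a backslash (RFC 4514),
# so a DN cannot simply be split on every comma: split only on unescaped ones.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def split_dn(dn):
    """Split a DN string into its RDN components, leaf first, tolerating the
    whitespace after commas that admins often write ("dc=acme, dc=com")."""
    parts = [p.strip() for p in _RDN_SPLIT.split(dn)]
    return [p for p in parts if p]


def normalise(rdn):
    """Case-fold an RDN for comparison: attribute types and the usual
    string-valued attributes (dc, ou, cn, uid) match case-insensitively."""
    return rdn.lower()


def is_under(dn, search_root):
    """True if `dn` is `search_root` itself or an entry beneath it, i.e. a
    descending search that starts at `search_root` can reach it."""
    target = [normalise(r) for r in split_dn(dn)]
    root = [normalise(r) for r in split_dn(search_root)]
    return len(root) <= len(target) and target[len(target) - len(root):] == root


def relative_dn(dn, base):
    """Return the part of `dn` that is relative to `base`; raise ValueError
    when the entry is not located beneath `base` at all."""
    if not is_under(dn, base):
        raise ValueError('%r is not under %r' % (dn, base))
    parts = split_dn(dn)
    return ','.join(parts[:len(parts) - len(split_dn(base))])
```

With the slide's values, `relative_dn("cn=ldapserver1,ou=IT,dc=acme,dc=com", "ou=IT,dc=acme,dc=com")` yields the single RDN `cn=ldapserver1`, while the same entry relative to the root DN `dc=acme,dc=com` yields `cn=ldapserver1,ou=IT`.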

8 Key Directory Service Terms and Concepts (cont)
Directory Services require logging in to search for information
Security policies prevent read/write of another user’s password attribute
Passwords are stored as salted one-way hashes
To test a user account’s password for login:
  1. Log in with a fully qualified DN that has search privileges
  2. Search to find the user’s account and retrieve its fully qualified DN
  3. Log out
  4. Log in using the user account’s fully qualified DN and password
  5. Retrieve user attributes, primarily the groups (i.e. roles) they are a member of

9 Required Information From Directory Service Admin
The network address and port(s) of the Directory Service: “foo.com” 389
The root DN of the directory service: “dc=foo, dc=com”
The DN & password of an account with ‘query’ privilege: “uid=admin, ou=ds admins, ou=IT, dc=foo, dc=com”
The LDAP DN of the object where the user object search will start: “ou=users, ou=employees, dc=foo, dc=com”

10 Required Information From Directory Service Admin
The LDAP user account object’s attribute name that holds the user’s login ID: “uid” (or that non-standard Active Directory thing…)
The LDAP DN of the object where the search for LDAP user groups (roles) will start: “ou=groups,dc=foo,dc=com”
The LDAP group object’s attribute name whose value will be the role name inserted into the user’s login token: “uniqueMember”
The LDAP group attribute holding the Role/Group name: “cn”

11 You Configure the Spring Security LDAP Server
<ldap-server id="PrimayLDAP"
             url="ldap://localhost:389/dc=acwd45,dc=com"
             manager-dn="uid=dsclient,ou=users,dc=acwd45,dc=com"
             manager-password="password" />
#1 host & port: LDAP Directory access (url)
#2 directory root (the base DN in url)
#3 user DN used for queries (manager-dn)

12 You Configure Spring Security LDAP Authentication Manager
Authentication Provider
<authentication-manager id="RestApplicationtAuth">
  <ldap-authentication-provider server-ref="PrimayLDAP"
      group-role-attribute="cn"
      role-prefix="ROLE_"
      group-search-filter="(member={0})"
      group-search-base=""
      user-search-base=""
      user-search-filter="(uid={0})" />
</authentication-manager>
#4 user search RDN (user-search-base)
#5 user login-id attribute (user-search-filter)
#6 group search RDN (group-search-base)
#7 group attribute of user DN (group-search-filter)
#8 group attribute used as ROLE name (group-role-attribute)
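The following Python is an added example, not code from the presentation or from Spring Security, that ties slide 8's login sequence (bind as the query account, search for the user, log out, bind as the user, collect groups) to the attribute values configured on slides 10 to 12. Spring Security's LDAP provider performs this flow itself; the point of spelling it out is to show what the `{0}` placeholders become at runtime and why a client that builds such filters by hand must escape the substituted value. The `Directory` class is a constructed in-memory stand-in for a directory server, not an LDAP client; the acme.com DNs, the `CONFIG` values and the passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import re


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so that
    a login id containing '*', '(', ')' or '\\' is matched literally."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def build_filter(template, value):
    """Fill the {0} placeholder of a Spring-style filter template such as '(uid={0})'."""
    return template.replace('{0}', escape_filter_value(value))

_EQUALITY = re.compile(r'\(([A-Za-z][\w-]*)=(.*)\)')

def parse_equality_filter(flt):
    """Parse the one filter form this example supports, '(attr=value)',
    decoding the hex escapes produced by escape_filter_value."""
    m = _EQUALITY.fullmatch(flt)
    if m is None:
        raise ValueError('unsupported filter: %r' % flt)
    attr, raw = m.groups()
    return attr.lower(), re.sub(r'\\([0-9a-fA-F]{2})', lambda h: chr(int(h.group(1), 16)), raw)


class Directory:
    """Constructed in-memory stand-in for a directory server: passwords are kept as
    salted one-way hashes and searching requires a bound (authenticated) connection."""

    def __init__(self):
        self.entries = {}       # lowercase DN -> {attribute: [values]}
        self.bound_as = None

    def add(self, dn, password=None, **attrs):
        entry = {k.lower(): (list(v) if isinstance(v, list) else [v]) for k, v in attrs.items()}
        if password is not None:
            salt = os.urandom(16)
            entry['userpassword'] = [(salt, hashlib.sha256(salt + password.encode()).digest())]
        self.entries[dn.lower()] = entry

    def bind(self, dn, password):
        """Simple bind: succeeds only if the entry exists and the salted hash matches."""
        self.bound_as = None
        entry = self.entries.get(dn.lower())
        if entry is None or 'userpassword' not in entry:
            return False
        salt, digest = entry['userpassword'][0]
        if not hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest):
            return False
        self.bound_as = dn.lower()
        return True

    def unbind(self):
        self.bound_as = None

    def search(self, base, flt):
        """Return [(dn, entry)] for entries below `base` whose attribute matches the filter."""
        if self.bound_as is None:
            raise PermissionError('search requires an authenticated connection')
        attr, value = parse_equality_filter(flt)
        suffix = ',' + base.lower()
        return [(dn, e) for dn, e in self.entries.items() if dn.endswith(suffix)
                and value.lower() in [v.lower() for v in e.get(attr, []) if isinstance(v, str)]]


# Mirrors the slide's Spring attribute names; the acme.com DNs and passwords are constructed.
CONFIG = {
    'manager_dn': 'uid=dsclient,ou=users,dc=acme,dc=com', 'manager_password': 'service-secret',
    'user_search_base': 'ou=users,dc=acme,dc=com', 'user_search_filter': '(uid={0})',
    'group_search_base': 'ou=groups,dc=acme,dc=com', 'group_search_filter': '(member={0})',
    'group_role_attribute': 'cn', 'role_prefix': 'ROLE_',
}

def authenticate(directory, cfg, login, password):
    """Search-then-bind login: bind as the query account, find the user's DN, unbind,
    bind as the user, then turn group names into prefixed roles. Raises ValueError."""
    if not directory.bind(cfg['manager_dn'], cfg['manager_password']):
        raise ValueError('query account bind failed')
    try:
        hits = directory.search(cfg['user_search_base'], build_filter(cfg['user_search_filter'], login))
    finally:
        directory.unbind()
    if len(hits) != 1:          # no match, or an ambiguous one: refuse rather than guess
        raise ValueError('user lookup returned %d entries' % len(hits))
    user_dn = hits[0][0]
    if not directory.bind(user_dn, password):
        raise ValueError('invalid credentials')
    try:
        groups = directory.search(cfg['group_search_base'], build_filter(cfg['group_search_filter'], user_dn))
    finally:
        directory.unbind()
    attr = cfg['group_role_attribute'].lower()
    return user_dn, sorted(cfg['role_prefix'] + g[attr][0] for _, g in groups)

def demo_directory():
    d = Directory()   # constructed sample data: one query account, one user, two groups
    d.add('uid=dsclient,ou=users,dc=acme,dc=com', password='service-secret', uid='dsclient')
    d.add('uid=alice,ou=users,dc=acme,dc=com', password='alice-pw', uid='alice')
    d.add('cn=developers,ou=groups,dc=acme,dc=com', cn='developers', member=['uid=alice,ou=users,dc=acme,dc=com'])
    d.add('cn=admins,ou=groups,dc=acme,dc=com', cn='admins', member=['uid=alice,ou=users,dc=acme,dc=com'])
    return d
```

`authenticate(demo_directory(), CONFIG, 'alice', 'alice-pw')` returns the user's fully qualified DN together with `['ROLE_admins', 'ROLE_developers']`, which is the shape of the role list a login token carries. Two behaviours are worth noting for troubleshooting: a lookup that returns zero or more than one entry is rejected outright (a user-search-base that is too broad, or a duplicated uid, shows up here), and a login id that contains filter metacharacters is escaped before substitution, so it simply fails to match rather than altering the filter.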

13 Now, The Live Stuff…

14 OERealm Authentication

15 OERealm Overview
A write-your-own user account system running in a state-free AppServer
OERealm [client] user account system plug-in
Current OERealm clients: OEBPM, REST service, (Rollbase under construction)
Current OpenEdge client support: Java & .NET OpenClient
[Architecture diagram; labels: AppServer client, AppServer authn process, client application code, Business Logic, Service Interface, app data, Developer written, Service Interface, OE written, Identity Management System, account data, OERealm local accounts, LDAP, OERealm client configuration]

16 OERealm OOABL Interface Overview
Get a list of user accounts
Get a list of user account attribute (i.e. field) names
Query a list of user account names
Look up a user account *
Get user account properties (such as roles, expiration, …) *
Remove a user account’s attribute value
Set a user account’s attribute value
Verify a single user account’s password *
* Required

17 Development Process Overview
Design for extensibility; focus on security
Implement the OERealm interface (there are now requirements…)
Provision user accounts (if not already in your application)
Code the minimum OERealm class methods
Code the optional OERealm SSO Client-Principal validation
Consider whether multi-tenancy (i.e. multiple domains) will be required
Optional: create a sealed Client-Principal for SSO to the AppServer OERealm class
Optional: create a new OERealm keystore with the OE Domain(s) access code
Deploy the OERealm class(es) to the AppServer
Configure OERealm in the remote authentication process
Test and debug

18 Now, The Live Stuff…

19 Deployment Site Considerations
Supply AppServer SSO defaults:
  REST security templates (appSecurity-xxxx) configuration
  Default OE Domain and access code (can be the blank domain)
  AppServer-defined default OE Domain and access code for AppServer SSO validation
Supply OERealm class SSO defaults:
  Sealed Client-Principal for SSO to the OERealm AppServer class
  AppServer-defined OE Domain and access code
Instructions for changing the AppServer SSO Domain and access code
Instructions for changing the OERealm class SSO Client-Principal

20 When Things Don’t Work as You Expect

21 Service Logging Will Be Your Friend
The REST service logging configuration is found in: <web-app-name>/WEB-INF/classes/log4j.properties
The REST service’s log file is found in: <web-app-name>/WEB-INF/adapters/log/xxxx.log
Change the security (Java class) logging level to DEBUG
LOTS of logging will be produced; log file size will be an issue
