3rd EuroCAMP, Ljubljana. Mind the Gap (And Try To Fill It with Any Tool at Hand): Bridging PAPI and Applications. Diego R. Lopez. Presentation transcript.

Slide 1: Mind the Gap (And Try To Fill It with Any Tool at Hand)
- Bridging PAPI and Applications
- Diego R. Lopez
- 3rd EuroCAMP, Ljubljana

Slide 2: The Goals
- Web SSO does not stay at its bare bones
  - Control the access to restricted areas
  - Pass identity data to Web-based applications
    - From CGI to servlet
    - And beyond
- Web-enabled applications
  - Use the browser to establish the initial identity context
- Current technology makes it perfectly possible
  - Albeit there is a gap with application developers

Slide 3: The Gap
- Web SSO and application developers seem to think in different ways
  - Middleware and server on one side
    - Matching server procedures and identity sources
    - An end in itself
  - Business rules on the other side
    - Databases and tiers
    - A means to an end
- So they expect us to come to their side of the gap
- Here is the true story of PAPI's travel to application-land

Slide 4: The Starting Point
- PAPI runs as an Apache module
- Traditional Apache methods were used to pass data through other modules up to the application
  - Notes: shared-memory inter-module communication
  - Headers: as if they were coming in the original request
  - Authentication parameters: as if they were established by HTTP Auth procedures
- In any possible flavor
  - The whole, unprocessed assertion
  - Individual attribute values

Slide 5: The Starting Point: Some Details
- Notes and headers
  - The whole PAPI assertion is available through
    - Note PAPIHcook
    - Header X-PAPI-Hcook
  - Individual attributes as PAPIAttr-<attribute> in notes (e.g. PAPIAttr-schacMotherTongue)
  - Individual attributes as X-PAPIAttr-<attribute> in headers (e.g. X-PAPIAttr-schacMotherTongue)
- HTTP Auth values
  - New to PAPI 1.5
  - Using the directive MapAuthUser to apply the appropriate attribute value

Slide 6: Going a Little Beyond
- Less HTTP-ish detail
  - Avoid header processing
  - Do not require tweaking the server configuration
    - Configuration independence for each instance
- Provide an abstraction layer
  - General interface to access attributes, independently of the source
  - Avoid future protocol changes affecting application code
- Finer control
  - Apply to other units than those supported by the Apache module
- And available in many flavors
  - Do not mandate a particular implementation language

Slide 7: The PAPI Model at Play
- (Diagram) Elements: AuthN Data (uid: drlopez, pass: ******); Directory Server; AuthServer; Assertion Formats; GPoA; RedIRIS PoA; Intranet PoA; Admin. Assertions flowing through the PoAs: uid=drlopez role=admin.

Slide 8: Applying the PAPI Model
- The Authentication Server (AS) => IdP
  - Provides users with a (local) single authentication point
  - Source for user attribute data
- The Point of Access (PoA) => inner SP
  - Performs actual access control by means of temporary cryptographic tokens, encoded as HTTP cookies
- The Group-wide Point of Access (GPoA) => outer SP
  - Combines a group of PoAs with similar access policies
  - Intended to simplify AS-PoA interactions and PoA operation
  - PoAs relying on a GPoA can be built using different language bindings with relatively low effort
  - And a standalone GPoA based on AA-RR is also available

Slide 9: phpPoA
- Requires a parent GPoA
- Implemented as a PHP (4/5) object
  - Takes care of the HTTP redirections mandated by the PAPI protocol
  - Must be instantiated and called at the start of the procedure
  - Provides access control and attribute access to individual pages
- Configured through a typical PHP ini file
  - Unique for all the phpPoAs running in the server
- Easy to use for those who are PHP-aware

  [admin]
  Location = /admin
  LKEY_File = /usr/local/papi/etc/KEYS/lkey
  GPoA_Pub_Key = /usr/local/papi/etc/KEYS/_GPoA_pubkey.pem
  GPoA_URL = http://www.rediris.es/papiGPoA/papiPoA
  PAPI_Filter_accept = "group=tecniris,.*?uid=david"
  PAPI_Filter_reject = ".*"

Slide 10: The phpPoA Interface
- A simple method call:

  $poa = new PoA('admin'); // Stanza in phpPoA.ini
  $attr = $poa->check_Access();

- Returns an associative array with the authorization results and the received attributes:

  PAPIAuthZValue => 1
  PAPIASName => myAuthNServer
  PAPIAssertion => uid=myUID,group=myGID,role=admin@myAuthNServer
  uid => myUserID
  group => myGroupID
  role => admin

Slide 11: es.rediris.papi.filter
- A Tomcat filter based on the same principles as phpPoA
- Configured through an XML properties file
  - Configurable for each PAPI filter in the system
- Easy to use for those who are Tomcat-aware...
- Configuration excerpt: /home/tomcat/conf/PAPI/lkey /servlets-examples/ cookies.txt manual any => accept, =...

Slide 12: The es.rediris.papi.filter Interface: Configuration
- Define it in the web.xml Tomcat configuration file:

  <filter>
    <filter-name>PAPI Filter</filter-name>
    <filter-class>es.rediris.papi.filter.PAPIFilter</filter-class>
    <init-param>
      <param-name>PAPI.configFile</param-name>
      <param-value>/home/tomcat/conf/PoAconf.xml</param-value>
    </init-param>
  </filter>
  ...
  <filter-mapping>
    <filter-name>PAPI Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Slide 13: The es.rediris.papi.filter Interface: Runtime
- Implementation of the javax.servlet.Filter interface
  - Constructor plus init() and doFilter() methods
- If authorization succeeds, attributes are made available through attributes in the user session maintained by the application context:

  es.rediris.papi.filter.PAPIHcookValue => 1143987915:uid=myUID,group=myGID,role=admin@myAuthNServer
  es.rediris.papi.filter.PAPIAuthServer => myAuthNServer
  es.rediris.papi.filter.uid => myUserID
  es.rediris.papi.filter.group => myGroupID
  es.rediris.papi.filter.role => admin

- Available to any servlet accessed in the same application context
- A full implementation of JAAS to be directly referenced by servlets is under way
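The assertion format shown on slides 10 and 13 (attribute pairs, the "@" AS-name suffix, and the timestamp prefix of the Hcook form) and the PAPI_Filter_accept / PAPI_Filter_reject patterns of slide 9 can be exercised with the Python below. It is an illustration added to this transcript, not code from phpPoA or es.rediris.papi.filter (which are PHP and Java). It assumes that the filters are regular expressions searched over the comma-separated attribute part of the assertion, that an accept match grants, a reject match denies, and an assertion matching neither list is granted (the reading under which the catch-all reject ".*" on slide 9 is needed), that attribute names are unique within one assertion, and that the AS name contains no "@". The names parse_assertion, authorized and check_access are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Assertion:
    attributes: dict          # attribute name -> value, in assertion order
    as_name: str              # the "@..." suffix: the Authentication Server
    issued: Optional[int] = None   # timestamp prefix, present in the Hcook form


def parse_assertion(text):
    """Parse 'uid=X,group=Y@AS' or the Hcook form 'TIMESTAMP:uid=X,group=Y@AS'."""
    issued = None
    m = re.match(r"(\d+):(.*)$", text, re.S)   # attribute names never start with digits
    if m:
        issued = int(m.group(1))
        text = m.group(2)
    # Assumption: the AS name follows the last '@' and contains no '@' itself
    body, sep, as_name = text.rpartition("@")
    if not sep or not as_name:
        raise ValueError("assertion carries no AS name")
    attributes = {}
    for pair in body.split(","):
        name, eq, value = pair.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute: {pair!r}")
        attributes[name] = value        # assumption: one value per attribute name
    return Assertion(attributes, as_name, issued)


def attribute_string(assertion):
    """The comma-separated attribute list the PAPI_Filter_* patterns are matched against."""
    return ",".join(f"{k}={v}" for k, v in assertion.attributes.items())


def authorized(assertion, accept, reject):
    """Assumed filter semantics: accept patterns are tried first and grant on a
    match; reject patterns are tried next and deny on a match; an assertion
    matching neither list is granted, so a catch-all reject closes the policy."""
    attrs = attribute_string(assertion)
    if any(re.search(p, attrs) for p in accept):
        return True
    if any(re.search(p, attrs) for p in reject):
        return False
    return True


def check_access(assertion_text, accept, reject):
    """Mimic the associative array phpPoA's check_Access() returns (slide 10)."""
    assertion = parse_assertion(assertion_text)
    result = {
        "PAPIAuthZValue": 1 if authorized(assertion, accept, reject) else 0,
        "PAPIASName": assertion.as_name,
        "PAPIAssertion": assertion_text,
    }
    if result["PAPIAuthZValue"] == 1:
        # Attributes reach the application only once access has been granted
        result.update(assertion.attributes)
    return result


if __name__ == "__main__":
    # Constructed assertions; the accept filter is the one from slide 9
    accept, reject = ["group=tecniris,.*?uid=david"], [".*"]
    for a in ("group=tecniris,role=admin,uid=david@myAuthNServer",
              "group=tecniris,role=admin,uid=carol@myAuthNServer",
              "group=tecniris,uid=davidson@myAuthNServer"):
        print(a, "->", check_access(a, accept, reject))
    print(parse_assertion("1143987915:uid=myUID,group=myGID,role=admin@myAuthNServer"))
```

Two details are worth checking in any deployment of such filters. The pattern is searched as a substring of the serialized attribute list, so "uid=david" also matches "uid=davidson"; terminating the value with "(,|$)" closes that. And because the filters match the serialized assertion, the order in which the AS emits attributes matters ("group=tecniris,.*?uid=david" requires the group before the uid). Whatever the real default for an assertion matching neither list, keeping the catch-all reject makes the policy independent of it.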

Slide 14: Going Beyond: JNLP/Java Web Start
- A small JNLP application must be loaded
  - Living in a PAPI-protected location
  - Fresh cryptographic material is passed as a parameter
  - Establishes the PAPI tokens through a shared cookie repository
    - Using the standard class HTTPClient
- Any data access from JNLP applications can then be protected by PAPI
  - Referencing URLs behind a PAPI PoA
  - Just by using the HTTPClient class for network connections
- And this is orthogonal to protecting the access to the application itself
  - Putting the XML definition in a URL behind a PAPI PoA

Slide 15: If Anything Else Fails: RewritingProxy
- A proxy with rewriting capabilities
- Supporting several access methods
  - IP address
  - HTTP (basic and digest) authentication
  - Forms
- Able to:
  - Proxy sites or entire domains
  - Be seen as a virtual host or a location
  - Integrate with a cache to enhance response times
  - Include user attributes to fulfill access methods
    - Usernames, passwords, source IP addresses, ...

Slide 16: The RewritingProxy Engine
- The rewriting engine can be applied to:
  - HTML tags plus embedded scripts (JavaScript, CSS) (always)
  - Specific content types
  - URL patterns (even bypassing PAPI access control)
- The rewriting engine is based on Perl regular expressions
  - Derived from the remote site or domain being accessed
  - Specific, applicable to
    - The whole proxied site/domain
    - URLs matching certain patterns
- Attributes can be used inside the engine

Slide 17: RewritingProxy At Work: From Simple...
- Remote site:

  # REL 1, 20030101
  Remote_URL http://portal.acm.org

- Remote domain:

  # REL 1, 20030101 - Requires PAPI >= 1.2.0
  Remote_Domain ebsco.com
  PAPI_Redirect ([\w-]+).ebsco.com PROXYNAME/$1/

Slide 18: RewritingProxy At Work: ...To More Sophisticated...
- A little bit:

  # REL 2, 20050627 - Requires PAPI >= 1.3.0
  Remote_Domain iop.org
  PAPI_Redirect ([\w]+).iop.org PROXYNAME/$1
  PAPI_Redirect "/images "/$name_dest/images
  Rewrite_MIME_Types application/x-javascript

- And more:

  # REL 2, 20040602 - Requires PAPI >= 1.3.0
  Remote_Domain aip.org
  PAPI_Redirect ([\w]+).aip.org PROXYNAME/$1/
  PAPI_Redirect PROXYNAME/([\w]+):([\d]+) PROXYNAME:$2/$1
  PAPI_Redirect \"/jimages/ \"/$name_dest/jimages/
  PAPI_Redirect \"/vsearch/ \"/$name_dest/vsearch/
  PAPI_Redirect \"/journal_cgi/ \"/$name_dest/journal_cgi/
  PAPI_Redirect SRC='/journals/ SRC='/$name_dest/journals/
  Rewrite_MIME_Types application/x-javascript

Slide 19: RewritingProxy At Work: ...To Really Complicated

  # REL 5, 20050627 - Requires PAPI >= 1.4.0
  Remote_Domain isiknowledge.com
  No_XML 1
  # Mark URI-escaped characters
  PAPI_Redirect %(25)?([0-9a-fA-F]{2}) *$1$2*
  ...
  # URLs with port spec
  PAPI_Redirect PROXYNAME/([\w]+)(/|\*2F\*)?(:|\*3A\*)(8080)(/|\*2F\*) $1.isiknowledge.com$3$4$5
  ...
  # Rewrite back "product references" into URL params
  PAPI_Redirect product_st_thomas=(.*?)PROXYNAME(:|\*3A\*)?([\d]+)?(/|\*2F\*)(.*?)(/|\*2F\*) product_st_thomas=$1$5.isiknowledge.com$2$3$4
  ...
  # Unmark URI-escaped characters
  PAPI_Redirect \*(25)?([0-9a-fA-F]{2})\* %$1$2
  ...
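To make visible what the mark/unmark pair of slide 19 and the PROXYNAME / $name_dest substitutions of slides 17 and 18 achieve, here is a small rule engine in Python. It is added for this transcript and is not PAPI's own RewritingProxy (which is Perl); it reads PAPI_Redirect lines in the syntax the slides use, applies them in order to a response body, and translates Perl-style $N back-references into Python templates. The remote domain, the two rule sets, the page fragment and the variable values are constructed for the example; PROXYNAME is taken to be the proxy's host name and $name_dest the path segment under which the current remote host is served (an assumption about their meaning). Remote_Domain, Rewrite_MIME_Types and No_XML are recognised but not modelled, and the unescaped dots in the host patterns are kept as the slides write them.

```python
import re

# Constructed proxy definition in the PAPI_Redirect syntax shown on the slides.
# example-journal.org, PROXYNAME and $name_dest values are placeholders, not a
# published RedIRIS proxy definition.
PROXY_RULES = r"""
# REL 1 - constructed example
Remote_Domain example-journal.org
# Mark URI-escaped characters so later rules cannot split or swallow them
PAPI_Redirect %(25)?([0-9a-fA-F]{2}) *$1$2*
# Map any host label of the remote domain to a path under the proxy
PAPI_Redirect ([\w-]+).example-journal.org PROXYNAME/$1
# Site-absolute paths must also be routed back through the proxy
PAPI_Redirect "/images "/$name_dest/images
# Unmark URI-escaped characters
PAPI_Redirect \*(25)?([0-9a-fA-F]{2})\* %$1$2
"""

# The same definition without the mark/unmark pair, to show why it is needed.
NAIVE_RULES = r"""
Remote_Domain example-journal.org
PAPI_Redirect ([\w-]+).example-journal.org PROXYNAME/$1
PAPI_Redirect "/images "/$name_dest/images
"""

# Tokens substituted before the patterns are compiled (assumed meaning: the
# proxy's host name, and the path segment the current remote host is served under).
VARIABLES = {"PROXYNAME": "proxy.example.org", "$name_dest": "www"}

# Constructed page fragment as the remote site might serve it.
SAMPLE_HTML = (
    '<a href="http://www.example-journal.org/abs?q=a%2Fb">Abstract</a>\n'
    '<a href="/login?next=http%3A%2F%2Fwww.example-journal.org%2Fabs">Login</a>\n'
    '<img src="/images/logo.png">'
)


def to_python_repl(text):
    """Turn a Perl-style replacement ($1, $2, ...) into a Python re.sub template."""
    text = text.replace("\\", "\\\\")          # keep literal backslashes literal
    return re.sub(r"\$(\d+)", r"\\g<\1>", text)


def expand(text, variables, in_pattern):
    """Substitute PROXYNAME / $name_dest; inside a pattern the value is regex-escaped."""
    for token, value in variables.items():
        text = text.replace(token, re.escape(value) if in_pattern else value)
    return text


def parse_rules(rule_text, variables):
    """Collect the PAPI_Redirect lines, in file order, as (compiled pattern, template)."""
    rules = []
    for raw in rule_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] != "PAPI_Redirect":
            continue    # Remote_Domain, Rewrite_MIME_Types, No_XML ... not modelled here
        if len(parts) != 3:
            raise ValueError(f"malformed rule: {line}")
        pattern = re.compile(expand(parts[1], variables, in_pattern=True))
        template = to_python_repl(expand(parts[2], variables, in_pattern=False))
        rules.append((pattern, template))
    return rules


def rewrite(content, rule_text, variables=VARIABLES):
    """Apply every rule to the whole body, in order, as the proxy does on a response."""
    for pattern, template in parse_rules(rule_text, variables):
        content = pattern.sub(template, content)
    return content


if __name__ == "__main__":
    print(rewrite(SAMPLE_HTML, PROXY_RULES))
    print("--- without the mark/unmark pair ---")
    print(rewrite(SAMPLE_HTML, NAIVE_RULES))
```

Running it shows the point of the bracketing rules: with NAIVE_RULES the host rule's [\w-]+ also consumes the "2F" of the %2F that precedes the host name inside the login link's "next" parameter, and the output contains "%proxy.example.org/2Fwww", a link that no longer resolves. With the escaped characters marked as *2F* first, the host rule can only match at "www", and the unmark rule restores %2F afterwards, so %2F, %3A and a double-encoded %252F all survive the round trip. Rule order is the whole design here, which is why slide 19's definition reads top to bottom as mark, rewrite, unmark.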

Slide 20: RewritingProxy In the Run
- The need for proxying is going to stay for (at least) some years
  - So we'd better prepare for it
- Community support for proxy definitions
  - All the examples previously shown are available at http://papi.rediris.es/comu/proxies/
- Ongoing enhancements
  - Proxy auto-configuration from definitions held at the PAPI site
  - Applet proxy

