Sunday, July 7, 13
SECURING APPLICATIONS
WITH PICKETLINK
Anil Saldhana, Red Hat
Pete Muir, Red Hat
June 2013
What is it?
Security framework for Java EE
● Apache License V2
● First class support for CDI
● Secures your beans, bean methods, view layer,
RESTful endpoints, servlets and more
● Simple API for managing Users, Groups and Roles
● Authenticate any way you want
● Federation (SAML, WS-Trust, OpenID)
Overview
Identity Management
Manage users, groups, roles and more
● Built in support for storing your identities in:
● File system
● A relational database (using JPA)
● LDAP
● Well defined SPI for creating custom identity stores
● Powerful query API for querying identities
● All operations done through IdentityManager,
which can be simply @Injected into your beans
BYO Identity Model
● We provide you with optional User, Group, Role
classes
● We also provide a few default relationships – group
membership, group role and application role
● But custom relationships (between two or more
participating identities) are also easy to define
● Provides the flexibility you need to meet the
requirements of your business or project
Authentication
Authentication is initiated with Identity.login()
● Identity bean is a session-scoped bean that tracks
the current user
Authenticator can be configured per application or per
request
● Supports multiple authentication methods in a single
application (e.g. Username/password and OpenID)
● We provide some default (optional) support for some
credential types
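As an added example (not code from the slides or from the TicketMonster quickstart), here is how the two options above look in practice: Identity.login() hands control to whichever Authenticator is exposed with the @PicketLink qualifier, and a producer can choose that Authenticator per request, so a username/password login and an API-token login coexist in one application. Package and method names (org.picketlink.authentication.BaseAuthenticator, org.picketlink.annotations.PicketLink, IdentityManager.validateCredentials(), BaseAuthenticator.setUser()) follow the 2.5 beta-era API as recalled here and should be checked against the javadoc of your release; later 2.5 builds renamed setUser() to setAccount(). The ApiToken class, the token table and the package are constructed for the example.

```java
package org.example.security; // hypothetical package; one type per file in a real project

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;

import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.Authenticator;
import org.picketlink.authentication.BaseAuthenticator;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.User;

/** Credential type for API clients; constructed for this example. */
class ApiToken {
    private final String value;
    ApiToken(String value) { this.value = value; }
    String getValue() { return value; }
}

/** Username/password path: the check itself is delegated to Identity Management. */
@RequestScoped
class PasswordAuthenticator extends BaseAuthenticator {
    @Inject private DefaultLoginCredentials credentials;
    @Inject private IdentityManager identityManager;

    @Override
    public void authenticate() {
        setStatus(AuthenticationStatus.FAILURE);
        String userId = credentials.getUserId();
        Object credential = credentials.getCredential();
        if (userId == null || !(credential instanceof Password)) {
            return;
        }
        UsernamePasswordCredentials check = new UsernamePasswordCredentials(userId, (Password) credential);
        identityManager.validateCredentials(check); // compared against the stored (salted, hashed) password
        if (check.getStatus() == Credentials.Status.VALID) { // anything else (INVALID, EXPIRED) stays a failure
            setUser(identityManager.getUser(userId));
            setStatus(AuthenticationStatus.SUCCESS);
        }
    }
}

/** API-token path: a credential type Identity Management knows nothing about. */
@RequestScoped
class ApiTokenAuthenticator extends BaseAuthenticator {
    // Constructed stand-in for a token store (token -> login name); store hashes, not tokens, in real code.
    private static final Map<String, String> TOKENS = new HashMap<String, String>();
    static { TOKENS.put("example-token-for-alice", "alice"); }

    @Inject private DefaultLoginCredentials credentials;
    @Inject private IdentityManager identityManager;

    @Override
    public void authenticate() {
        setStatus(AuthenticationStatus.FAILURE);
        Object credential = credentials.getCredential();
        if (!(credential instanceof ApiToken)) {
            return;
        }
        byte[] presented = ((ApiToken) credential).getValue().getBytes(StandardCharsets.UTF_8);
        String login = null;
        for (Map.Entry<String, String> entry : TOKENS.entrySet()) {
            // Constant-time compare and no early exit, so response time says nothing about the token.
            if (MessageDigest.isEqual(entry.getKey().getBytes(StandardCharsets.UTF_8), presented)) {
                login = entry.getValue();
            }
        }
        User user = (login == null) ? null : identityManager.getUser(login);
        if (user != null && user.isEnabled()) {
            setUser(user);
            setStatus(AuthenticationStatus.SUCCESS);
        }
    }
}

/**
 * Per-request selection, the second of the slide's two options. Only this producer
 * carries @PicketLink; if the Authenticator classes carried it as well, CDI would
 * report an ambiguous dependency.
 */
@RequestScoped
public class AuthenticatorSelector {
    @Inject private DefaultLoginCredentials credentials;
    @Inject private PasswordAuthenticator passwordAuthenticator;
    @Inject private ApiTokenAuthenticator tokenAuthenticator;

    @Produces
    @PicketLink
    public Authenticator selectAuthenticator() {
        return (credentials.getCredential() instanceof ApiToken) ? tokenAuthenticator : passwordAuthenticator;
    }
}
```

For the per-application variant, drop the selector and put @PicketLink on the single Authenticator class instead; PicketLink then uses it for every Identity.login().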
RESTful Authentication Endpoint
org.jboss.jdf.example.ticketmonster.security.rest.LoginService
● Username/password passed in via the credential param
● Identity.login() invoked
● If authentication successful, the User object is read from
the Identity bean and passed back in the REST response
● We haven't configured an Authenticator for this application,
so by default Identity Management is used to authenticate
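An added example of the endpoint described above, written for this page rather than taken from the quickstart (whose code is not reproduced in the slides). It assumes the 2.5 beta-era names Identity, DefaultLoginCredentials, Password and Identity.getUser() (renamed getAccount() in later 2.5 builds); the LoginRequest body type and the package are constructed. Two things the slide does not say and a reviewer would ask for: one generic failure message whatever the cause, and a response built from selected fields rather than the serialised User.

```java
package org.example.security.rest; // hypothetical package

import java.util.HashMap;
import java.util.Map;

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.picketlink.Identity;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.model.User;

@RequestScoped
@Path("/login")
public class LoginService {

    /** JSON request body; constructed for this example. Serve this endpoint over TLS only. */
    public static class LoginRequest {
        private String userId, password;
        public String getUserId() { return userId; }
        public void setUserId(String v) { userId = v; }
        public String getPassword() { return password; }
        public void setPassword(String v) { password = v; }
    }

    @Inject
    private Identity identity;                   // session-scoped: remembers the caller across requests

    @Inject
    private DefaultLoginCredentials credentials; // request-scoped: what Identity.login() reads

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Response login(LoginRequest request) {
        if (request == null || request.getUserId() == null || request.getPassword() == null) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        if (identity.isLoggedIn()) {
            // Don't quietly re-bind an existing session to another user; require an explicit logout first.
            return Response.status(Response.Status.CONFLICT).entity(message("already logged in")).build();
        }

        credentials.setUserId(request.getUserId());
        credentials.setCredential(new Password(request.getPassword()));
        identity.login(); // runs the configured Authenticator, or IDM credential validation when none is set

        if (!identity.isLoggedIn()) {
            // One message for "no such user" and "wrong password": the endpoint must not enumerate accounts.
            return Response.status(Response.Status.UNAUTHORIZED).entity(message("invalid credentials")).build();
        }
        return Response.ok(publicView(identity.getUser())).build();
    }

    /** Only the fields the client needs; serialising the User itself would expose every attribute on it. */
    static Map<String, Object> publicView(User user) {
        Map<String, Object> view = new HashMap<String, Object>();
        view.put("loginName", user.getLoginName());
        view.put("firstName", user.getFirstName());
        view.put("lastName", user.getLastName());
        return view;
    }

    private static Map<String, String> message(String text) {
        Map<String, String> body = new HashMap<String, String>();
        body.put("message", text);
        return body;
    }
}
```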
Where are our users defined?
org.jboss.jdf.example.ticketmonster.security.IdentityManagementInitializer
● @Startup bean is instantiated during app startup
● IdentityManager is @Injected
● initialize() is a @PostConstruct method
● Is executed automatically
● Creates the users, roles and default passwords for our
application
● Sensible IDM configuration defaults make this possible
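An added example of a startup initializer in the style the slide describes; this is not the quickstart's class. It assumes the 2.5 beta-era IDM API (SimpleUser, SimpleRole, SimpleGroup, Password, IdentityManager.getUser()/getRole()/getGroup()/grantRole()/addToGroup()), which later releases reworked around org.picketlink.idm.model.basic; the package and the property name are constructed. It departs from the slide in one deliberate way: the administrator's password comes from a system property rather than a default baked into the code, and the bean refuses to start without an acceptable one, because with a JPA or LDAP store the seeded accounts outlive the demo. It also looks before creating, so a restart against a persistent store does not fail.

```java
package org.example.security; // hypothetical package

import javax.annotation.PostConstruct;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.inject.Inject;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.model.Group;
import org.picketlink.idm.model.Role;
import org.picketlink.idm.model.SimpleGroup;
import org.picketlink.idm.model.SimpleRole;
import org.picketlink.idm.model.SimpleUser;
import org.picketlink.idm.model.User;

@Singleton
@Startup
public class IdentityManagementInitializer {

    /** System property carrying the bootstrap administrator password; a constructed name. */
    static final String ADMIN_PASSWORD_PROPERTY = "app.admin.password";
    static final int MIN_PASSWORD_LENGTH = 12;

    @Inject
    private IdentityManager identityManager;

    /** Runs once at deployment. Throwing here aborts the deployment, which is the intended fail-closed behaviour. */
    @PostConstruct
    public void initialize() {
        Role administrator = roleNamed("Administrator");
        Role user = roleNamed("User");
        Group users = groupNamed("Users");

        // Look before creating: with a JPA or LDAP store the identities outlive the JVM,
        // and adding one that already exists fails on the next restart.
        if (identityManager.getUser("admin") == null) {
            User admin = new SimpleUser("admin");
            admin.setFirstName("Site");
            admin.setLastName("Administrator");
            identityManager.add(admin);
            identityManager.updateCredential(admin, new Password(bootstrapPassword())); // stored as a salted hash
            identityManager.grantRole(admin, administrator);
            identityManager.grantRole(admin, user);
            identityManager.addToGroup(admin, users);
        }
    }

    /** The demo's default password is replaced by one supplied at deployment time, and a weak one is refused. */
    static String bootstrapPassword() {
        String password = System.getProperty(ADMIN_PASSWORD_PROPERTY);
        if (password == null || password.length() < MIN_PASSWORD_LENGTH) {
            throw new IllegalStateException("set -D" + ADMIN_PASSWORD_PROPERTY
                    + " to a password of at least " + MIN_PASSWORD_LENGTH + " characters");
        }
        return password;
    }

    private Role roleNamed(String name) {
        Role role = identityManager.getRole(name);
        if (role == null) {
            role = new SimpleRole(name);
            identityManager.add(role);
        }
        return role;
    }

    private Group groupNamed(String name) {
        Group group = identityManager.getGroup(name);
        if (group == null) {
            group = new SimpleGroup(name);
            identityManager.add(group);
        }
        return group;
    }
}
```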
Securing application methods
org.jboss.jdf.example.ticketmonster.rest.BookingService
● We want to restrict the createBooking() method to
only logged-in users
● @UserLoggedIn is a Security Binding Type, an
annotation used to restrict access to beans and bean
methods
● This feature is provided by Apache DeltaSpike
● A Security Binding Type requires an Authorizer method,
annotated with @Secures in addition to the binding
annotation
Implementing the Authorizer method
org.jboss.jdf.example.ticketmonster.security.AuthorizationManager
● The isUserLoggedIn() method controls access to
methods annotated with @UserLoggedIn
● Is annotated with both @Secures and @UserLoggedIn
● Parameters of an authorizer method are treated as
injection points
● Must return a boolean to indicate whether the
authorization was successful – a result of true means
the restricted method may be invoked by the current user
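The steps on these two slides as one added listing (not the quickstart's code): the binding type, the authorizer, the secured method, plus an exception mapper the slides do not mention but a REST API needs. DeltaSpike's annotations are org.apache.deltaspike.security.api.authorization.SecurityBindingType, Secures and AccessDeniedException; PicketLink's org.picketlink.Identity is assumed under the 2.5 API. The package, the request payload and the file markers are constructed; each type goes in its own file.

```java
// ---- file: UserLoggedIn.java ----
package org.example.security; // hypothetical package

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.apache.deltaspike.security.api.authorization.SecurityBindingType;

/** The binding type itself: an ordinary annotation marked with DeltaSpike's @SecurityBindingType. */
@SecurityBindingType
@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.TYPE, ElementType.METHOD })
public @interface UserLoggedIn {
}

// ---- file: AuthorizationManager.java ----
package org.example.security;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.interceptor.InvocationContext;

import org.apache.deltaspike.security.api.authorization.Secures;
import org.picketlink.Identity;

/** Authorizers: one method per binding type, annotated with @Secures plus the binding. */
@ApplicationScoped
public class AuthorizationManager {

    @Inject
    private Identity identity;

    // Parameters are injection points; InvocationContext is the intercepted call, so an
    // authorizer can also inspect the target method or its arguments when the rule needs them.
    @Secures
    @UserLoggedIn
    public boolean isUserLoggedIn(InvocationContext invocationContext) {
        return identity.isLoggedIn();
    }
}

// ---- file: BookingService.java ----
package org.example.security;

import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

/**
 * The secured bean. DeltaSpike's interceptor runs the authorizer before createBooking();
 * it must be enabled in beans.xml:
 *   <interceptors><class>org.apache.deltaspike.security.impl.extension.SecurityInterceptor</class></interceptors>
 */
@Path("/bookings")
public class BookingService {

    @POST
    @UserLoggedIn
    public Response createBooking(String bookingJson) {
        // Reached only after isUserLoggedIn() returned true; an anonymous caller never gets here.
        return Response.status(Response.Status.CREATED).build();
    }
}

// ---- file: AccessDeniedMapper.java ----
package org.example.security;

import javax.inject.Inject;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.deltaspike.security.api.authorization.AccessDeniedException;
import org.picketlink.Identity;

/**
 * A false result makes DeltaSpike throw AccessDeniedException. Without a mapper JAX-RS
 * reports that as a 500; map it to 401 (not logged in) or 403 (logged in, not allowed).
 */
@Provider
public class AccessDeniedMapper implements ExceptionMapper<AccessDeniedException> {

    @Inject
    private Identity identity;

    @Override
    public Response toResponse(AccessDeniedException exception) {
        Response.Status status = identity.isLoggedIn() ? Response.Status.FORBIDDEN : Response.Status.UNAUTHORIZED;
        return Response.status(status).build();
    }
}
```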
Servlet security
org.jboss.jdf.example.ticketmonster.security.RoleBasedAuthorizationFilter
● Standard servlet filter, active for all requests
● Delegates authorization check to
AuthorizationManager.isAllowed()
● Only allows requests to /admin/* URLs if user has the
Administrator role
● IdentityManager.hasRole() method used to
check if the current user has the required role
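An added example of such a filter (not the quickstart's class). It assumes IdentityManager.getRole() and IdentityManager.hasRole(IdentityType, Role) from the 2.5 beta-era API, which later releases moved to RelationshipManager/BasicModel helpers, and Identity.getUser(); the package is constructed. The detail worth copying is which path the prefix test runs on: the container-decoded servlet path plus path info, which is what the container actually dispatches, not the raw request URI.

```java
package org.example.security; // hypothetical package

import java.io.IOException;

import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.picketlink.Identity;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.model.Role;

@WebFilter(urlPatterns = "/*")
public class RoleBasedAuthorizationFilter implements Filter {

    static final String PROTECTED_PREFIX = "/admin";
    static final String REQUIRED_ROLE = "Administrator";

    @Inject private Identity identity;
    @Inject private IdentityManager identityManager;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isProtected(requestPath(request))) {
            if (!identity.isLoggedIn()) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!isAllowed()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Container-decoded path relative to the context root. Do not match on getRequestURI():
     * it is still percent-encoded and still carries path parameters (/admin;jsessionid=...),
     * so a prefix test on it can disagree with where the container routes the request.
     */
    static String requestPath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path;
    }

    /** Matches /admin and anything under /admin/, but not /administrators. */
    static boolean isProtected(String path) {
        return path.equals(PROTECTED_PREFIX) || path.startsWith(PROTECTED_PREFIX + "/");
    }

    private boolean isAllowed() {
        Role required = identityManager.getRole(REQUIRED_ROLE);
        // A missing role means nobody is allowed, not everybody: fail closed.
        return required != null && identityManager.hasRole(identity.getUser(), required);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```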
View layer security
We can also tailor the user experience based on the
current user's privileges
● JSF <ui:fragment> control can be used to show or
hide parts of the page based on roles
● Can access the Identity bean directly via EL, e.g.
#{identity.loggedIn}
● Can also use application-specific checks, e.g.
AuthorizationManager.isAdmin()
User Registration
IDM makes it easy to implement user self-registration
● org.jboss.jdf.example.ticketmonster.security.rest.RegistrationService
● The register() method receives a user registration
request
● The performRegistration() method creates a new
User, assigns them the User role, and adds them to the
Users group.
● The registering user is even automatically logged in by
the performSilentAuthentication() method
● An alternative would be to send a confirmation e-mail
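An added example of a self-registration service along the lines the slide describes (not the quickstart's RegistrationService). It assumes the 2.5 beta-era API (SimpleUser, Password, IdentityManager.getUser()/getRole()/getGroup()/grantRole()/addToGroup()/updateCredential(), DefaultLoginCredentials, Identity.login()); the RegistrationRequest body, the validation rules, the confirmation switch and the package are constructed. It covers both strategies the slide mentions: silent login straight after registration, or an account created disabled until an e-mail confirmation enables it.

```java
package org.example.security.rest; // hypothetical package

import java.util.regex.Pattern;

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.picketlink.Identity;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.model.Group;
import org.picketlink.idm.model.Role;
import org.picketlink.idm.model.SimpleUser;
import org.picketlink.idm.model.User;

@RequestScoped
@Path("/register")
public class RegistrationService {

    /** JSON request body; constructed for this example. */
    public static class RegistrationRequest {
        private String loginName, email, password, passwordConfirmation;
        public String getLoginName() { return loginName; }
        public void setLoginName(String v) { loginName = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public String getPassword() { return password; }
        public void setPassword(String v) { password = v; }
        public String getPasswordConfirmation() { return passwordConfirmation; }
        public void setPasswordConfirmation(String v) { passwordConfirmation = v; }
    }

    /** false = silent login right away; true = account disabled until an e-mail link enables it. */
    static final boolean REQUIRE_EMAIL_CONFIRMATION = false;
    static final Pattern LOGIN_NAME = Pattern.compile("[a-z0-9._-]{3,32}");
    static final int MIN_PASSWORD_LENGTH = 10;

    @Inject private IdentityManager identityManager;
    @Inject private Identity identity;
    @Inject private DefaultLoginCredentials credentials;

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    public Response register(RegistrationRequest request) {
        String problem = validate(request);
        if (problem != null) {
            return Response.status(Response.Status.BAD_REQUEST).entity(problem).build();
        }
        // This reply reveals whether a login name exists. Fine for most sign-up forms; if it is
        // not for yours, key accounts on e-mail and answer identically either way.
        if (identityManager.getUser(request.getLoginName()) != null) {
            return Response.status(Response.Status.CONFLICT).entity("login name already taken").build();
        }
        performRegistration(request);
        if (REQUIRE_EMAIL_CONFIRMATION) {
            return Response.status(Response.Status.ACCEPTED).build(); // the confirmation mail goes out here
        }
        performSilentAuthentication(request);
        return Response.status(Response.Status.CREATED).build();
    }

    /** Returns null when the request is acceptable, otherwise the reason it is not. */
    static String validate(RegistrationRequest r) {
        if (r == null || r.getLoginName() == null || r.getPassword() == null) {
            return "loginName and password are required";
        }
        if (!LOGIN_NAME.matcher(r.getLoginName()).matches()) {
            return "loginName must be 3-32 characters from [a-z0-9._-]";
        }
        if (r.getPassword().length() < MIN_PASSWORD_LENGTH) {
            return "password must have at least " + MIN_PASSWORD_LENGTH + " characters";
        }
        if (!r.getPassword().equals(r.getPasswordConfirmation())) {
            return "password and confirmation differ";
        }
        return null;
    }

    private User performRegistration(RegistrationRequest request) {
        User user = new SimpleUser(request.getLoginName());
        user.setEmail(request.getEmail());
        user.setEnabled(!REQUIRE_EMAIL_CONFIRMATION); // created disabled; the login path must also refuse !isEnabled()
        identityManager.add(user);
        identityManager.updateCredential(user, new Password(request.getPassword())); // stored as a salted hash by IDM
        // Look the role and group up; self-registration must never be able to create new privileges.
        Role userRole = identityManager.getRole("User");
        Group usersGroup = identityManager.getGroup("Users");
        if (userRole == null || usersGroup == null) {
            throw new IllegalStateException("IDM not initialised: 'User' role or 'Users' group missing");
        }
        identityManager.grantRole(user, userRole);
        identityManager.addToGroup(user, usersGroup);
        return user;
    }

    private void performSilentAuthentication(RegistrationRequest request) {
        credentials.setUserId(request.getLoginName());
        credentials.setCredential(new Password(request.getPassword()));
        identity.login();
    }
}
```

The check-then-add on the login name is racy under concurrent sign-ups; the identity store's uniqueness constraint is the real guard, so treat a failed add() as a conflict as well.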
Other IDM Features
Built-in authentication support for
● Form-based, BASIC, DIGEST, X509 Certificate,
Username/Password
Password encoding
● Defaults to a salted hash, or BYO
Mix and match identity stores
● Store your users in LDAP, roles and groups in DB
Other Features of PicketLink
PicketLink Federation (SSO and Trust)
● SAML 2.0
● SAML 1.1
● WS-Trust 1.3
Other Features of PicketLink
PicketLink Social Login
● Login using Facebook
● Login using Twitter
● Login using Google
● Login using OpenID
PicketLink RoadMap
PicketLink v2.5.0 is the target
● Currently in frequent beta releases (Last Beta4)
● CR cycles to start soon
● Current emphasis on QE, Quickstarts and Demos
● Final planned for mid-July (+/- 2 weeks)
PicketLink Resources
PicketLink has a one-stop resource
● http://www.picketlink.org
● JDF Quickstarts
Questions?
