2. Authentication Methods
• Storing passwords in your DB (Model)
• Authenticating against LDAP services
• LDAP via your Model and hybrid solutions
• Kerberos/SSO and hybrid redux
• WebAuth and gateway solutions
• Shibboleth and the future
3. Auth in DB
• The default approach
• With little database security, the hash must be secure
• SHA-1 (160) or SHA-2 (256) and friends
• Sample code...
4. SHA-2 in the Database
// Qualifier: match the username and the SHA-256 digest of the supplied
// password against the stored digest (Wonder qualifier API)
qual = UserAccount.USERNAME.eq(username)
        .and(UserAccount.PASSWORD.eq(digestedString(password)));
....
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import com.webobjects.foundation.NSForwardException;

// Returns the Base64-encoded SHA-256 digest of the UTF-8 bytes of aString.
// The original used sun.misc.BASE64Encoder, an internal API removed in Java 9;
// java.util.Base64 yields the same 44-character string for a 32-byte digest.
public String digestedString(String aString) {
    String digestedString;
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.reset();
        digestedString = Base64.getEncoder().encodeToString(md.digest(aString.getBytes("UTF-8")));
    }
    catch (NoSuchAlgorithmException e) {
        throw new NSForwardException(e);
    }
    catch (UnsupportedEncodingException e) {
        throw new NSForwardException(e);
    }
    return digestedString;
}
5. LDAP
• JNDI can be used for EOs, but NOT for passwords!
• Generally restricted by the site's LDAP configuration
• Standard method is to try a “simple bind” against LDAP
• LDAPS:// - Port 636 if possible (SSL), DIGEST otherwise
• StartTLS is not an option
• http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
6. Java LDAP Authentication
if (LDAPAuth.LDAPAuthenticate(username, password))
    ...

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LDAPAuth {
    public static final boolean LDAPAuthenticate(String userid, String password) {
        // An empty password turns a "simple" bind into an anonymous bind, which
        // most servers accept: reject empty credentials before contacting LDAP.
        if (userid == null || userid.length() == 0 || password == null || password.length() == 0) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://172.16.113.129:389/dc=example,dc=com");
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5"); // or "simple"
        // The DN form of the principal is what "simple" expects; with DIGEST-MD5
        // the principal is the SASL authentication id (usually the bare user name).
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + userid + ", ou=People, dc=example, dc=com");
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Create the initial context: the bind happens here
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
        } catch (NamingException e) {
            //e.printStackTrace();
            return false; // Failed to auth
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
        return true;
    }
}
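The slide's principal string splices `userid` straight into a DN, so a user id containing `,` or `\` changes which entry the bind is attempted against. Below is an added example (my code, not from the slides or from any WebObjects project) that escapes the RDN value per RFC 4514 before building the DN, binds over LDAPS on port 636 as slide 5 recommends, rejects empty credentials, and always closes the context. `ldap.example.com`, the base DN and the class name are constructed placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example: simple bind over LDAPS with the user id escaped before it is
// spliced into the bind DN. URL and base DN are constructed placeholders.
public class SafeLdapAuth {
    static final String PROVIDER_URL = "ldaps://ldap.example.com:636/";   // constructed placeholder
    static final String PEOPLE_BASE  = "ou=People,dc=example,dc=com";     // constructed placeholder

    // Escape one RDN attribute value as required by RFC 4514 section 2.4, so
    // that ',' '+' '"' '\' '<' '>' ';' NUL, a leading '#' or space and a
    // trailing space in the user id cannot alter the DN being bound.
    static String escapeRdnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() * 2);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': case ',': case '+': case '"': case '<': case '>': case ';':
                    sb.append('\\').append(c);
                    break;
                case '\0':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(c);
            }
        }
        if (value.length() > 0 && (value.charAt(0) == '#' || value.charAt(0) == ' ')) {
            sb.insert(0, '\\');
        }
        if (value.length() > 1 && value.charAt(value.length() - 1) == ' ') {
            sb.insert(sb.length() - 1, '\\');
        }
        return sb.toString();
    }

    public static boolean authenticate(String userid, String password) {
        // Empty credentials would turn the simple bind into an anonymous bind.
        if (userid == null || userid.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + escapeRdnValue(userid) + "," + PEOPLE_BASE);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
            return true;
        } catch (NamingException e) {
            return false;                       // bad credentials, unknown user or server error
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary id, one with a comma, one with a leading '#'
        System.out.println(escapeRdnValue("jdoe"));
        System.out.println(escapeRdnValue("jdoe,ou=Admins"));
        System.out.println(escapeRdnValue("#jdoe"));
    }
}
```

Escaping only covers the DN you construct; the server still decides whether the bind is meaningful, so the empty-credential check stays in place regardless of what the directory is configured to accept.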
7. LDAP via EOModel
• WebObjects lets you access LDAP via JNDI
• Insecure
• SSL supposedly should work
• Not good for authentication, but other info is there
• Great for the “hybrid” approach to authentication
8. The Hybrid Approach
• Define user attributes in your DB-based EOs
• Authenticate user that is also in LDAP tree
• 1st time auth: use JNDI EO
• Must have matching name between auth and LDAP
• Use JNDI EO in read-only fashion to get user attributes
• Store in your DB user EOs for future use
• Considerations for future JNDI updates
11. All LDAP Hybrid Approach
import java.util.NoSuchElementException;
import com.webobjects.eoaccess.EOUtilities;
import com.webobjects.eocontrol.EOEditingContext;
import com.webobjects.eocontrol.EOQualifier;
import com.webobjects.foundation.NSLog;
import er.extensions.eof.ERXEC;

EOQualifier qual = null;
UserAccount user = null;
if (LDAPAuth.LDAPAuthenticate(username, password)) {
    qual = UserAccount.USERNAME.eq(username);
    NSLog.out.appendln("LDAP authenticated: " + username);
}
if (qual != null) {
    try {
        user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
    } catch (NoSuchElementException e) {
        // First login: make a new user from the LDAP (JNDI) EO, used read-only
        qual = PosixAccount.UID.eq(username);
        EOEditingContext ec = ERXEC.newEditingContext();
        PosixAccount ldapAccount = PosixAccount.fetchPosixAccount(ec, qual);
        if (ldapAccount != null) {   // fetchPosixAccount returns null when absent
            user = UserAccount.createUserAccount(ec, ldapAccount.gecos(), username);
            ec.saveChanges();
        }
    }
}
...
public static UserAccount createUserAccount(EOEditingContext editingContext, String fullName, String username) {
    UserAccount eo = (UserAccount) EOUtilities.createAndInsertInstance(editingContext, _UserAccount.ENTITY_NAME);
    eo.setFullName(fullName);
    eo.setUsername(username);
    return eo;
}
12. SSO: Kerberos
• Many Single Sign-On (SSO) solutions
• Kerberos / Active Directory are most common today
• AD and OpenDirectory marry LDAP w/ Kerberos: hybrid!
• Heavily tied into Java Crypto APIs, so Frustration-By-Design
• Remember to set classes.include.patternset in woproject to have “**/*.conf”
• Best seen by example... (Thanks Mike!)
13. Kerberos Methods
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosAuth {
    // krb5 configuration (realms, KDCs) as stored on Mac OS X
    static final String krbPath = "/Library/Preferences/edu.mit.Kerberos";

    public static final boolean KerberosAuthenticate(String userid, char[] password) {
        System.setProperty("java.security.krb5.conf", krbPath);
        // JAAS configuration bundled with the app (hence the "**/*.conf" include
        // pattern in woproject); it must define the "primaryLoginContext" entry
        System.setProperty("java.security.auth.login.config",
                KerberosAuth.class.getResource("/kerberos.conf").toExternalForm());
        try {
            LoginContext lc = new LoginContext("primaryLoginContext",
                    new UserNamePasswordCallbackHandler(userid, password));
            lc.login();   // AS exchange with the KDC; throws on bad credentials
        }
        catch (LoginException e) {
            // e.printStackTrace();
            return false; // Consider all failures as equal
        }
        return true;
    }
14. Kerberos Method Part 2
    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;

    // Nested in KerberosAuth: answers the name and password callbacks that
    // Krb5LoginModule issues during login()
    public static class UserNamePasswordCallbackHandler implements CallbackHandler {
        private String _userName;
        private char[] _password;

        public UserNamePasswordCallbackHandler(String userName, char[] password) {
            _userName = userName;
            _password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback && _userName != null) {
                    ((NameCallback) callback).setName(_userName);
                }
                else if (callback instanceof PasswordCallback && _password != null) {
                    ((PasswordCallback) callback).setPassword(_password);
                }
            }
        }
    }
}   // end of KerberosAuth (the imports above belong at the top of the file)
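The slides leave the content of `kerberos.conf` to the reader. Below is an added example, not code from the slides, that shows the minimal JAAS entry the `primaryLoginContext` name has to resolve to and supplies the same configuration programmatically, so the `java.security.auth.login.config` property and the classpath lookup are not needed (`java.security.krb5.conf` is still set as on slide 13). It reuses the slides' `UserNamePasswordCallbackHandler`, logs out after the check so the ticket is not kept around, and zeroes the password array, which is the reason the slides pass it as `char[]` in the first place. The class name is mine. One caveat a practitioner should know: a password check that only obtains a ticket-granting ticket trusts whoever answers as the KDC; the usual mitigation is to additionally request a service ticket for a principal whose keytab the application holds and verify it, which this example does not do.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example, not from the slides. Programmatic equivalent of a kerberos.conf
// JAAS file containing:
//
//   primaryLoginContext {
//       com.sun.security.auth.module.Krb5LoginModule required;
//   };
//
// UserNamePasswordCallbackHandler is the handler from the slides (assumed to be
// compiled into the same package as KerberosAuth).
public class KerberosAuthInline {
    private static final Configuration JAAS_CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"primaryLoginContext".equals(name)) {
                return null;   // unknown entry name
            }
            Map<String, String> options = Collections.emptyMap();
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options)
            };
        }
    };

    // Returns true when the KDC issues a TGT for userid/password. The password
    // array is zeroed before returning, whatever the outcome.
    public static boolean authenticate(String userid, char[] password) {
        System.setProperty("java.security.krb5.conf", KerberosAuth.krbPath);
        try {
            LoginContext lc = new LoginContext("primaryLoginContext", new Subject(),
                    new KerberosAuth.UserNamePasswordCallbackHandler(userid, password),
                    JAAS_CONFIG);
            lc.login();
            lc.logout();   // drop the TGT: only the credential check was wanted
            return true;
        } catch (LoginException e) {
            return false;  // all failures treated alike, as on the slides
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```

Supplying the `Configuration` object also avoids a process-wide `System.setProperty` race when several instances or threads authenticate at once, since each `LoginContext` carries its own configuration.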
18. WebAuth
• External authentication handled in Apache
• More involved site setup
• Must trust the Gateway (Apache) for security
• Deceptively simple
• Interesting solutions:
• Multiple authentications
• Trust-to-Set applications
19. Gateway Approach
Considerations
• Does make Developer Mode a bit more interesting
• Mixing up DirectAction logins w/ gateway header request check
• DirectConnect can be good here... (Thanks Chuck!)
• Best practices:
• Put values you want into your session object
• Make sure your session is SSL-enabled!
• useExternalAuth boolean in User-type entity?
20. WebAuth Method
import com.webobjects.appserver.WOContext;

public class WebauthAuth {
    public static final String WebauthAuthenticate(WOContext context) {
        // If unauthenticated, this will be blank.
        // Assumes the web location is WebAuth protected, so that only the
        // gateway (Apache) can set this header.
        return context.request().headerForKey("webauth_user");
    }
}
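Slide 19 points at the weak spot of this method: the header is only meaningful if the request really came through the Apache gateway, and a DirectConnect request (developer mode, or any client that can reach the instance port) carries whatever headers the client chooses. The following is an added example, not the slides' code, that returns the user name only when the request arrived through the web server adaptor, and normalises a blank header to `null`. `WORequest.isUsingWebServer()` and `headerForKey()` are WebObjects API; the class name is mine.

```java
import com.webobjects.appserver.WOContext;
import com.webobjects.appserver.WORequest;

// Added example, not from the slides: trust the webauth_user header only when
// the request came through the web server adaptor, i.e. through the Apache
// gateway that WebAuth protects.
public class WebauthGatewayAuth {
    static final String GATEWAY_HEADER = "webauth_user";   // header name from slide 20

    // Returns the authenticated user name, or null when the request did not
    // come through the gateway or the header is absent or blank. The caller
    // stores the result in the session, as slide 19 recommends.
    public static String authenticatedUser(WOContext context) {
        WORequest request = context.request();
        if (!request.isUsingWebServer()) {
            return null;   // bypassed the gateway: header is client-controlled
        }
        String user = request.headerForKey(GATEWAY_HEADER);
        if (user == null) {
            return null;
        }
        user = user.trim();
        return user.isEmpty() ? null : user;
    }
}
```

The adaptor check is a belt-and-braces measure, not the primary control: the instance ports must only be reachable from the gateway host (firewall or loopback binding), which is what "Must trust the Gateway" on slide 18 amounts to in deployment.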
21. Which brings us to...
“Gilead then cut Ephraim off from the fords of the Jordan, and whenever
Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you
an Ephraimite?' If he said, 'No,' they then said, 'Very well, say
"Shibboleth" (שיבולת).' If anyone said, "Sibboleth" (סיבולת), because he could
not pronounce it, then they would seize him and kill him by the fords of the
Jordan. Forty-two thousand Ephraimites fell on this occasion.”
22. Shibboleth Topics
• Shibboleth Authentication Point of View
• Federated Frameworks
• How is IdP put together
• General Shibboleth Service Provision Scenario
• Classic Computer Security
23. The Shibboleth Point of View
• Stone Age: Application maintains unique credential and identity information for each user.
• Bronze Age: Credentials are centralized but applications maintain all user identity information.
• Iron Age: Credentials and core identity information are centralized and the application maintains only app-specific user data.
24. Fallacies of Distributed Computing
1. The network is reliable
2. Latency is zero
3. Bandwidth is infinite
4. The network is secure
5. Topology doesn't change
6. There is one administrator
7. Transportation cost is zero
8. The network is homogeneous
Peter Deutsch, James Gosling
25. Computer Security Subjects 101
Class diagram:
• Resource: owner: User; permissions: allowedOperations; creationTime; modificationTime; (Boolean) canRead, canUpdate, canDelete
• Subject: operations: Array<Allowed Operations>; name: String
• AllowedOperations: canRead, canUpdate, canDelete: Boolean; entity: Resource
• Subject Allowed Operation: subject: Subject
• General Operations Allowed: no attributes
• User: no attributes
• Group: owner: Subject; members(): Array<Subject>; provider(): Provider
• Local User: givenName, surName, commonName, telephoneNumber, address, organization, jobTitle, password: String
27. Computer Security Subjects 101
Class diagram (same classes as slide 25):
• Resource: owner: User; permissions: allowedOperations; creationTime; modificationTime; (Boolean) canRead, canUpdate, canDelete
• Subject: operations: Array<Allowed Operations>; name: String
• AllowedOperations: canRead, canUpdate, canDelete: Boolean; entity: Resource
• Subject Allowed Operation: subject: Subject
• General Operations Allowed: no attributes
• User: no attributes
• Group: owner: Subject; members(): Array<Subject>; provider(): Provider
• Local User: givenName, surName, commonName, telephoneNumber, address, organization, jobTitle, password: String
Classic Subjects Problems:
• Group Information Compromise
• User info compromise
28. Computer Security Subjects with Shibboleth
Class diagram:
• Resource: owner: User; permissions: allowedOperations; creationTime; modificationTime; (Boolean) canRead, canUpdate, canDelete
• Subject: operations: Array<Allowed Operations>; name: String; ticket: Shibboleth Assertion
• AllowedOperations: canRead, canUpdate, canDelete: Boolean; entity: Resource
• Subject Allowed Operation: subject: Subject
• General Operations Allowed: no attributes
• User: no attributes
• Group: no attributes
32. Commercial Providers
• Test Shibboleth Two (https://www.testshib.org)
• Protect Network (http://www.protectnetwork.org/)
• NJ Trust (http://njtrust.net/)
• SWITCH (http://www.switch.ch/uni/security/) (Switzerland)
• UK Federation (http://www.ukfederation.org.uk/content/Documents/Setup2IdP)
33. Service Provider
Diagram: Apache modules mod_shib, mod_php and mod_jk in front of PHP, cgi-bin and Adaptor applications, with shibd alongside
• Runs on: Mac OS X, FreeBSD, Linux, Solaris, Windows
• Protects Web Applications
• The Shibboleth Daemon processes attributes
  • Can authorize users with
    • Apache directives
    • Shibboleth XML Access rules
• Provides attributes to applications
34. General Play-by-Play Scenario
Parties: User, Service Provider, Discovery Service, Identity Provider
1. Access Service URL (User to Service Provider)
2. SAML2 Discovery Request (Service Provider to Discovery Service); 2.1 Discovery Request
3. Select Home Organization (User at the Discovery Service)
4. SAML2 Authn Request (to the Identity Provider)
5. Authenticate (User at the Identity Provider)
6. Authenticate w/ Assertion (User to Service Provider)
6a. Assertion Confirmation (Service Provider with Identity Provider)
7. Provide Content (Service Provider to User)
35. Installation on Mac OS X
• IdP: Note, do not have the IdP compete with Teams / Podcast Producer
• MacPorts SP Install: Note, install curl +ssl first. (https://spaces.internet2.edu/display/SHIB2/NativeSPMacPortInstallation)
• Do the registry steps with IdP/SP and federation.
• Demo:
38. Mobility Trends
• “Cached Credentials” approach for mobile devices: Browser local storage
• Using your User EO for credential storage and remote wiping
• RESTful interfaces and authentication approaches
• Issues with “gateway” authentication with unknown site authenticators: Split Authentication