5. Fortress Introduction (continued)
• Policy Enforcement Points
  • Sentry Java EE Platform Security
  • Sentry Other Platforms (in development)
• Audit Trail
  • Authentication – tracks who is accessing the system
  • Authorization – tracks who did what, when and where
  • Administration – tracks historical changes to the data
6. Fortress System Architecture
[Architecture diagram. Legend: Fortress components, LDAP, HTTP. Either LDAP server works: Apache DS or OpenLDAP, reached over LDAPv3. Java applications (e.g. Java App #2, in its own Java VM) call the Fortress Core APIs; RBAC policy administration and interrogation use standard LDAPv3 protocols. RBAC policy enforcement on any platform can use the RBAC Accelerator, reached via LDAPv3 extended operations; the Fortress RBAC enforcement APIs will also call the accelerator. Other applications on any platform reach Fortress over LDAPv3 or HTTP/S.]
8. Dynamic Separation of Duties Demo
[Diagram: three role assignments for one user (Role 1 Assignment, Role 2 Assignment, Role 3 Assignment, numbered 1, 2, 3) under the constraint that one and only one may be active.]
9. Dynamic Separation of Duties Demo
Users:
• User1 is assigned to ROLE_TEST1, ROLE_TEST2, and ROLE_TEST3
• User2 is assigned to ROLE_TEST2
• User3 is assigned to ROLE_TEST3
Permissions:
• Page1.Button1 is granted to ROLE_TEST1
• Page1.Button2 is granted to ROLE_TEST1
• Page1.Button3 is granted to ROLE_TEST1
• Page2.Button1 is granted to ROLE_TEST2
• Page2.Button2 is granted to ROLE_TEST2
• Page2.Button3 is granted to ROLE_TEST2
• Page3.Button1 is granted to ROLE_TEST3
• Page3.Button2 is granted to ROLE_TEST3
• Page3.Button3 is granted to ROLE_TEST3
Dynamic Separation of Duties:
• Set of roles is [ROLE_TEST1, ROLE_TEST2, ROLE_TEST3]
• DSD Set Cardinality is 1
• Only one Role can be active in Session
[Diagram: authorization granularity from fine to coarse. Fine: Wicket Buttons, Wicket Links and Wicket Pages guarded by the Fortress RBAC PEP inside Apache Wicket, then Spring page-level security. Coarse: Java EE coarse-grained security via the Fortress RBAC Proxy in Tomcat. All run in the Java Virtual Machine and consult the Fortress RBAC PDP.]
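The demo policy above, exercised through the Fortress Core Java API as an added example; this is not code from the slide deck or from the fortressdemo1 project. It assumes Fortress Core on the classpath under its current package name org.apache.directory.fortress.core (the deck predates the project's move to Apache, when the package was named differently), a fortress.properties pointing at a directory already loaded with the users, roles and permissions listed above, and a DSD set name (DemoDsd1) that is made up. The cardinality semantics follow the slide: at most one member of the set may be active in a session.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;

import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.SDSet;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/**
 * Added example: walks through the DSD demo policy with the Fortress Core API.
 * Assumes fortress.properties points at a directory already loaded with the
 * users, roles and permissions from the slide. The DSD set name is made up.
 */
public class DsdDemo {

    static boolean can(AccessMgr mgr, Session s, String page, String button) throws SecurityException {
        // Permission(objName, opName): the demo's "Page1.Button1" is object Page1, operation Button1.
        return mgr.checkAccess(s, new Permission(page, button));
    }

    public static void main(String[] args) throws SecurityException {
        AdminMgr adminMgr = AdminMgrFactory.createInstance();   // default tenant
        AccessMgr accessMgr = AccessMgrFactory.createInstance();

        // The constraint from the slide. Cardinality follows the slide's reading:
        // at most one member of the set may be active in a session. Skip this
        // block if the demo's load script has already created the set.
        SDSet dsd = new SDSet();
        dsd.setName("DemoDsd1");                                 // assumed name
        dsd.setType(SDSet.SDType.DYNAMIC);
        dsd.setCardinality(1);
        dsd.setMembers(new HashSet<>(Arrays.asList("ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3")));
        adminMgr.createDsdSet(dsd);

        // User1 is assigned all three roles. isTrusted=true skips the password
        // check (only acceptable once the container has authenticated the user);
        // Fortress still applies DSD while activating roles into the session.
        Session session = accessMgr.createSession(new User("User1"), true);
        List<UserRole> active = accessMgr.sessionRoles(session);
        System.out.println("active roles after login: " + active);   // DSD leaves at most one member active

        // Fine-grained checks: only the page owned by the active role is reachable.
        System.out.println("Page1.Button1 -> " + can(accessMgr, session, "Page1", "Button1"));
        System.out.println("Page2.Button1 -> " + can(accessMgr, session, "Page2", "Button1"));

        // Activating a second member while one is active is a DSD violation.
        try {
            accessMgr.addActiveRole(session, new UserRole("User1", "ROLE_TEST2"));
            System.out.println("unexpected: second DSD member activated");
        } catch (SecurityException e) {
            System.out.println("DSD refused ROLE_TEST2, error id " + e.getErrorId());
        }

        // Switching roles is allowed: deactivate first, then activate the other.
        // Copy the list, since dropActiveRole mutates the session's role list.
        for (UserRole r : new ArrayList<>(accessMgr.sessionRoles(session))) {
            accessMgr.dropActiveRole(session, r);
        }
        accessMgr.addActiveRole(session, new UserRole("User1", "ROLE_TEST2"));
        System.out.println("Page2.Button1 after switch -> " + can(accessMgr, session, "Page2", "Button1"));
    }
}
```

Two points worth checking in a real deployment: createDsdSet throws if the set already exists, so run it only when loading policy fresh; and the trusted session flag bypasses password verification, so it belongs only behind an authentication step the container has already performed (pass false, with the password set on the User, to have Fortress verify credentials itself).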
10. Where to get RBAC Demo
• Source
  • https://github.com/shawnmckinney/fortressdemo1
• Tutorial & other ANSI RBAC write-ups
  • http://symas.com/ansi-rbac-intro/
  • http://symas.com/rbac-security-enforcementinside-wicket/
  • https://github.com/shawnmckinney/fortressdemo1/blob/master/README.txt
11. Commander Introduction
• RBAC Web Administration
• Uses the Fortress Core APIs
• Communicates via HTTP or LDAPv3 protocols
• Secured by Fortress, Java EE and Spring
• Full audit trail
• Extensible – add new pages quickly
• Uses Apache Wicket UI framework
12. Commander System Architecture
[Architecture diagram. Legend: Fortress, LDAP, HTTP. Either LDAP server works: Apache DS or OpenLDAP, reached over LDAPv3. Commander (in its own Java VM) is built on the Fortress Core APIs and can use either HTTP or LDAPv3 protocol: it talks to the LDAP server directly over LDAPv3, or over HTTP/S to EnMasse (also built on the Fortress Core APIs, in its own Java VM), which in turn speaks LDAPv3 to the directory. The HTTP protocol aids in firewall traversals.]
13. Commander Demo
• View RBAC demo audit trail
• View RBAC management capabilities
• Enable REST communication with En Masse
• Run Commander Selenium automated test
• View wireshark trace
14. Where to get Commander
• Source
  • http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortresscommander.git;a=summary
• Quickstart
  • http://iamfortress.org/download
• Maven
  • http://search.maven.org/#search%7Cga%7C1%7Ccommander
15. En Masse Introduction
• RBAC Policy Server
• Firewall Friendly
• 120+ RESTful services
• Multitenant process and services
• Secured using Fortress RBAC enforcement
• Binds directly to the Fortress entity model
• Uses Fortress Core to communicate over LDAPv3
• Uses Apache CXF for RESTful processing
16. En Masse System Architecture
[Architecture diagram. Legend: Fortress, LDAP, HTTP. Either LDAP server works: Apache DS or OpenLDAP, reached over LDAPv3. EnMasse (in its own Java VM) is built on the Fortress Core APIs and speaks LDAPv3 to the directory. Applications reach EnMasse over HTTP/S: a Java App (in its own Java VM) through the Fortress Core APIs, an Other App on any platform through REST. Apps may use any REST lib or the Fortress APIs to connect with En Masse. The HTTP protocol is less efficient than LDAP but aids in firewall traversals.]
17. Where to get En Masse
• Source
  • http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-enmasse.git;a=summary
• Quickstart
  • http://iamfortress.org/download
• Maven
  • http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22enmasse%22
19. Multitenant LDAP Data Structure
• Leverages LDAP's natural affinity to partition data by client organization.
• Each tenant has its own complete copy of the DIT, segregated by organizational unit.
• Reduced cost due to fewer servers to maintain.
20. Multitenant Programming Model
• Client's id is passed to Fortress in factory initialization
• Lifecycle of 'Manager' object processes data on behalf of the client id passed during initialization
• AnyMgr: createInstance(tenantId);

  // Instantiate the AccessMgr implementation.
  AccessMgr accessMgr = AccessMgrFactory.createInstance( "Client123" );
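The programming model above carried into a small tenant-aware authorization component, as an added example; it is not code from the slide deck or from the Fortress project. It assumes Fortress Core under its current package name org.apache.directory.fortress.core (the deck predates the project's move to Apache), a configured fortress.properties, and tenant ids (Client123, Client456, Client789), a user id (alice) and the Page1.Button1 permission that are all made up, with the first two tenants' DIT copies already holding that user and permission.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;

/**
 * Added example: one AccessMgr per tenant, keyed by the tenant id bound at
 * factory time. Tenant and user ids are made up; the Client123 and Client456
 * DIT copies are assumed to already hold the user and the Page1.Button1 permission.
 */
public class TenantScopedAccess {

    // Managers are thread-safe, so one instance per tenant can be shared.
    private final Map<String, AccessMgr> managers = new ConcurrentHashMap<>();

    private AccessMgr forTenant(String tenantId) throws SecurityException {
        AccessMgr mgr = managers.get(tenantId);
        if (mgr == null) {
            // The only place the tenant is chosen: every call through this manager
            // reads and writes the DIT copy under that tenant's organizational unit.
            AccessMgr created = AccessMgrFactory.createInstance(tenantId);
            AccessMgr existing = managers.putIfAbsent(tenantId, created);
            mgr = existing != null ? existing : created;
        }
        return mgr;
    }

    /**
     * tenantId must come from a trusted source (the authenticated virtual host,
     * a verified token claim), never from a request parameter, because it
     * selects which policy copy answers the question.
     */
    boolean allowed(String tenantId, String userId, String objName, String opName) throws SecurityException {
        AccessMgr mgr = forTenant(tenantId);
        // isTrusted=true: the container already authenticated the user. Passing
        // false would make Fortress verify the password set on the User instead.
        Session session = mgr.createSession(new User(userId), true);
        return mgr.checkAccess(session, new Permission(objName, opName));
    }

    public static void main(String[] args) {
        TenantScopedAccess access = new TenantScopedAccess();
        try {
            // The same userId in two tenants resolves against two separate DIT
            // copies, so role assignments in one tenant never leak into the other.
            System.out.println("Client123/alice Page1.Button1: "
                + access.allowed("Client123", "alice", "Page1", "Button1"));
            System.out.println("Client456/alice Page1.Button1: "
                + access.allowed("Client456", "alice", "Page1", "Button1"));
            // A user missing from the named tenant's DIT fails closed: createSession
            // throws rather than falling back to another tenant's data.
            access.allowed("Client789", "alice", "Page1", "Button1");
        } catch (SecurityException e) {
            System.out.println("denied: error id " + e.getErrorId() + ", " + e.getMessage());
        }
    }
}
```

The same factory pattern applies to the administrative side (AdminMgrFactory.createInstance(tenantId), ReviewMgrFactory.createInstance(tenantId)), so a tenant's administrators can only read and change their own copy of the policy.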