Third Party Auth in WO
Joe Little and Daniel Beatty
Authentication Methods
•   Storing passwords in your DB (Model)
•   Authenticating against LDAP services
•   LDAP via your Model and hybrid solutions
•   Kerberos/SSO and hybrid redux
•   WebAuth and gateway solutions
•   Shibboleth and the future
Auth in DB

•   The default approach
•   With little database security, the hash must be secure
•   SHA-1 (160) or SHA-2 (256) and friends
•   Sample code...
SHA-2 in the Database
qual = UserAccount.USERNAME.eq(username).and(UserAccount.PASSWORD.eq(digestedString(password)));

....

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import com.webobjects.foundation.NSForwardException;

// Hash the password with SHA-256 and Base64-encode the digest for storage and comparison.
// The digest is unsalted, so equal passwords always produce equal stored values.
public String digestedString(String aString) {
    String digestedString;

    try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.reset();
        // java.util.Base64 replaces the internal sun.misc.BASE64Encoder, which is gone on Java 9+
        digestedString = Base64.getEncoder().encodeToString(md.digest(aString.getBytes("UTF-8")));
    }
    catch (NoSuchAlgorithmException e) {
        throw new NSForwardException(e);
    }
    catch (UnsupportedEncodingException e) {
        throw new NSForwardException(e);
    }
    return digestedString;
}
LDAP
•   JNDI can be used for EOs, but NOT for passwords!
•   Generally restricted by the site's LDAP configuration
•   Standard method is to try a “simple bind” against LDAP
    •   LDAPS:// - Port 636 if possible (SSL), DIGEST otherwise
    •   StartTLS is not an option
    •   http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
Java LDAP Authentication
if (LDAPAuth.LDAPAuthenticate(username, password))

...

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

public class LDAPAuth {
    public static final boolean LDAPAuthenticate (String userid, String password)
    {
        // An empty password turns a "simple" bind into an anonymous bind, which many servers
        // accept; treat missing input as a failed login before talking to the directory.
        if (userid == null || userid.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://172.16.113.129:389/dc=example,dc=com");

        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5"); // or "simple"
        // Escape the user id so it cannot change the shape of the DN it is spliced into
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + Rdn.escapeValue(userid) + ", ou=People, dc=example, dc=com");
        env.put(Context.SECURITY_CREDENTIALS, password);

        // Create the initial context; the bind itself is the authentication
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
        } catch (NamingException e) {
            return false; // Failed to auth
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }

        return true;
    }
}
LDAP via EOModel

•   WebObjects lets you access LDAP via JNDI
•   Insecure
    •   SSL supposedly should work

•   Not good for authentication, but other info is there
•   Great for the “hybrid” approach to authentication
The Hybrid Approach
•   Define user attributes in your DB-based EOs

•   Authenticate user that is also in LDAP tree

•   1st time auth: use JNDI EO

    •   Must have matching name between auth and LDAP

    •   Use JNDI EO in read-only fashion to get user attributes

    •   Store in your DB user EOs for future use

•   Considerations for future JNDI updates
LDAP EOModel
LDAP Connection Dictionary
All LDAP Hybrid Approach
if (LDAPAuth.LDAPAuthenticate(username, password))
{
    qual = UserAccount.USERNAME.eq(username);
    NSLog.out.appendln("LDAP authenticated: " + username);
}
if (qual != null) {
    try {
        user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
    } catch (NoSuchElementException e) {
        // First login: make a new local user from the LDAP (JNDI) EO
        qual = PosixAccount.UID.eq(username);
        EOEditingContext ec = ERXEC.newEditingContext();
        PosixAccount ldapAccount = PosixAccount.fetchPosixAccount(ec, qual);
        if (ldapAccount != null) { // fetchPosixAccount returns null when no entry matches
            user = UserAccount.createUserAccount(ec, ldapAccount.gecos(), username);
            ec.saveChanges();
        }
    }
}

...

public static UserAccount createUserAccount(EOEditingContext editingContext, String fullName, String username) {
    UserAccount eo = (UserAccount) EOUtilities.createAndInsertInstance(editingContext, _UserAccount.ENTITY_NAME);
    eo.setFullName(fullName);
    eo.setUsername(username);
    return eo;
}
SSO: Kerberos

•   Many Single-Sign On (SSO) solutions

•   Kerberos / Active Directory are most common today

•   AD and OpenDirectory marry LDAP w/ Kerberos: hybrid!

•   Heavily tied into Java Crypto APIs, so Frustration-By-Design

•   Remember to set classes.include.patternset in woproject to have “**/*.conf”

•   Best seen by example... (Thanks Mike!)
Kerberos Methods

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosAuth {

    static final String krbPath = "/Library/Preferences/edu.mit.Kerberos";

    public static final boolean KerberosAuthenticate (String userid, char[] password)
    {
        // Point JAAS at the realm configuration and at the login-module configuration (kerberos.conf in Sources)
        System.setProperty("java.security.krb5.conf", krbPath);
        System.setProperty("java.security.auth.login.config", KerberosAuth.class.getResource("/kerberos.conf").toExternalForm());
        try {
            LoginContext lc = new LoginContext("primaryLoginContext", new UserNamePasswordCallbackHandler(userid, password));
            lc.login(); // asks the KDC for a TGT; failure means bad credentials or an unreachable KDC
        }
        catch (LoginException e) {
            return false; // Consider all failures as equal
        }
        return true;
    }

Kerberos Method Part 2

    // Hands the user name and password to Krb5LoginModule when it asks for them
    public static class UserNamePasswordCallbackHandler implements CallbackHandler {

        private String _userName;
        private char[] _password;

        public UserNamePasswordCallbackHandler(String userName, char[] password) {
            _userName = userName;
            _password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback && _userName != null) {
                    ((NameCallback) callback).setName(_userName);
                }
                else if (callback instanceof PasswordCallback && _password != null) {
                    ((PasswordCallback) callback).setPassword(_password);
                }
            }
        }
    }
}
kerberos.conf in Sources folder
primaryLoginContext {
    com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=false;
};
Kerberos Authentication
if (KerberosAuth.KerberosAuthenticate(username, password.toCharArray()))
{
    qual = UserAccount.USERNAME.eq(username);
    NSLog.out.appendln("Kerberos authenticated: " + username);
}

...

UserAccount user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
((Session)session()).setCurrentUser(user);
if (((Session)session()).currentUser() != null)
{
    nextPage = D2W.factory().defaultPage(session());
}
Demo and Review
WebAuth
•   External authentication handled in Apache

•   More involved site setup

•   Must trust the Gateway (Apache) for security

•   Deceptively simple

•   Interesting solutions:

    •   Multiple authentications

    •   Trust-to-Set applications
Gateway Approach
Considerations
•   Does make Developer Mode a bit more interesting

•   Mixing up DirectAction logins w/ gateway header request check

•   DirectConnect can be good here... (Thanks Chuck!)

•   Best practices:

    •   Put values you want into your session object

    •   make sure your session is SSL-enabled!

    •   useExternalAuth boolean in User-type entity?
WebAuth Method
import com.webobjects.appserver.WOContext;

public class WebauthAuth {
    public static final String WebauthAuthenticate (WOContext context)
    {
        // If unauthenticated, this will be blank (null or empty)
        // Assumes the web location is WebAuth-protected, so only the gateway can set this header
        return context.request().headerForKey("webauth_user");
    }
}
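Added example, not from the slides: the "must trust the gateway" and "DirectConnect" considerations above turned into a check. A gateway-asserted user is accepted only when the request actually arrived from a trusted Apache host and the header is present, non-blank and well-formed; otherwise the request is treated as anonymous. `GatewayUser`, the gateway addresses and the username pattern are assumptions; in WO you would feed it `context.request().headerForKey("webauth_user")` and the remote address your adaptor exposes.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Decides whether a gateway-supplied user header may be trusted (framework-independent). */
public final class GatewayUser {
    // Header name from the deck; Apache sets it only on WebAuth-protected locations
    static final String USER_HEADER = "webauth_user";
    // Constructed deployment values: the Apache gateway hosts allowed to assert identities
    static final Set<String> TRUSTED_GATEWAYS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("10.0.0.5", "10.0.0.6")));
    // Accept plain account names only, so a forged header cannot carry DN or filter syntax downstream
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z][A-Za-z0-9._-]{0,63}");

    private GatewayUser() {}

    /**
     * Returns the authenticated user name, or null when the request must be treated as anonymous:
     * the request did not come through a trusted gateway (e.g. a DirectConnect request that bypassed
     * Apache and carried a hand-made header), or the header is missing, blank or malformed.
     */
    public static String authenticatedUser(Map<String, String> headers, String remoteAddress) {
        if (remoteAddress == null || !TRUSTED_GATEWAYS.contains(remoteAddress)) {
            return null;                               // nobody we trust vouched for this header
        }
        String raw = headers == null ? null : headers.get(USER_HEADER);
        if (raw == null) {
            return null;                               // WebAuth did not set the header: unauthenticated
        }
        String user = raw.trim();
        if (user.isEmpty() || !USERNAME.matcher(user).matches()) {
            return null;
        }
        return user;
    }

    public static void main(String[] args) {
        // Constructed requests: the same header relayed by Apache, and arriving directly at the app
        Map<String, String> headers = new HashMap<String, String>();
        headers.put(USER_HEADER, "alice");
        System.out.println(authenticatedUser(headers, "10.0.0.5"));          // relayed by a trusted gateway
        System.out.println(authenticatedUser(headers, "192.168.1.77"));      // reached the app directly: ignored
        System.out.println(authenticatedUser(new HashMap<String, String>(), "10.0.0.5")); // no header: anonymous
    }
}
```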
Which brings us to...

“Gilead then cut Ephraim off from the fords of the Jordan, and whenever
Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you
an Ephraimite?' If he said, 'No,' they then said, 'Very well, say
"Shibboleth" (שיבולת).' If anyone said, "Sibboleth" (סיבולת), because he could
not pronounce it, then they would seize him and kill him by the fords of the
Jordan. Forty-two thousand Ephraimites fell on this occasion.”
Shibboleth Topics

•   Shibboleth Authentication Point of View

•   Federated Frameworks

•   How an IdP is put together

•   General Shibboleth Service Provision Scenario

•   Classic Computer Security
The Shibboleth Point of View

•   Stone Age: Application maintains unique credential and identity
    information for each user.

•   Bronze Age: Credentials are centralized but applications maintain
    all user identity information

•   Iron Age: Credentials and core identity information are
    centralized and application maintains only app-specific user data.
Fallacies of Distributed Computing

1. The network is reliable
2. Latency is zero
3. Bandwidth is infinite
4. The network is secure
5. Topology doesn’t change
6. There is one administrator
7. Transportation cost is zero
8. The network is homogeneous

Peter Deutsch, James Gosling
Computer Security Subjects 101

Class diagram, rendered as text:

AllowedOperations
    canRead: Boolean
    canUpdate: Boolean
    canDelete: Boolean
    entity: Resource

Resource
    owner: User
    permissions: allowedOperations
    creationTime
    modificationTime
    (Boolean) canRead
    (Boolean) canUpdate
    (Boolean) canDelete

Subject
    operations: Array<Allowed Operations>
    name: String

Subject Allowed Operation
    subject: Subject

General Operations Allowed
    No attributes

User
    no attributes
    members(): Array<Subject>
    provider(): Provider

Group
    owner: Subject
    members(): Array<Subject>

Local User
    givenName: String
    surName: String
    commonName: String
    telephoneNumber: String
    address: String
    organization: String
    jobTitle: String
    password: String
Computer Security Subjects 101

Classic Subjects Problems:

•   Group information compromise

•   User info compromise
Computer Security Subjects with Shibboleth

Class diagram, rendered as text (compared with the classic model, the Subject now carries a Shibboleth assertion, User and Group carry no local attributes, and there is no Local User):

AllowedOperations
    canRead: Boolean
    canUpdate: Boolean
    canDelete: Boolean
    entity: Resource

Resource
    owner: User
    permissions: allowedOperations
    creationTime
    modificationTime
    (Boolean) canRead
    (Boolean) canUpdate
    (Boolean) canDelete

Subject
    operations: Array<Allowed Operations>
    name: String
    ticket: Shibboleth Assertion

Subject Allowed Operation
    subject: Subject

General Operations Allowed
    No attributes

User
    no attributes

Group
    no attribute
Federated Identity Frameworks


•   Shibboleth (http://shibboleth.internet2.edu/)

•   OpenID (http://openid.net)
Concept of a Shibboleth Type Federation

Diagram: Service Provider, Identity Provider, Discovery Service and User.
Shibboleth Identity Provider Architecture

Diagram: Shibboleth IdP with CAS SSO.
Commercial Providers

•   Test Shibboleth Two (https://www.testshib.org)

•   Protect Network (http://www.protectnetwork.org/)

•   NJ Trust (http://njtrust.net/)

•   SWITCH (http://www.switch.ch/uni/security/) (Switzerland)

•   UK Federation (http://www.ukfederation.org.uk/content/Documents/Setup2IdP)
Service Provider

Diagram: Apache modules mod_shib, mod_php and mod_jk, the shibd daemon, PHP applications and a cgi-bin adaptor.

•   Runs on: Mac OS X, FreeBSD, Linux, Solaris, Windows

•   Protects web applications

•   The Shibboleth daemon processes attributes

•   Can authorize users with
    •   Apache directives
    •   Shibboleth XML access rules

•   Provides attributes to applications
General Play-by-Play Scenario

Diagram with four parties: User, Service Provider, Discovery Service and Identity Provider. Steps as labelled:

1. Access Service URL
2. SAML2 Discovery Request
2.1 Discovery Request
3. Select Home Organization
4. SAML2 Authn Request
5. Authenticate
6. Authenticate w/ Assertion
6a. Assertion Confirmation
7. Provide Content
Installation on Mac OS X

•   IdP: Note, do not have the IdP compete with Teams / Podcast Producer

•   MacPorts SP install: Note, install curl +ssl first. (https://spaces.internet2.edu/display/SHIB2/NativeSPMacPortInstallation)

•   Do the registration steps with IdP/SP and federation.

•   Demo:
Q&A
Shibboleth in Production

Stanford Shibboleth Example
Mobility Trends

•   “Cached Credentials” approach for mobile devices: Browser local storage

•   Using your User EO for credential storage and remote wiping

•   RESTful interfaces and authentication approaches

•   Issues with “gateway” authentication with unknown site authenticators: Split Authentication

Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Último (20)

Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

Third Party Auth Methods in WO: DB, LDAP, Kerberos, WebAuth & Shibboleth

1. Third Party Auth in WO
Joe Little and Daniel Beatty

2. Authentication Methods
•   Storing passwords in your DB (Model)
•   Authenticating against LDAP services
•   LDAP via your Model and hybrid solutions
•   Kerberos/SSO and hybrid redux
•   WebAuth and gateway solutions
•   Shibboleth and the future

3. Auth in DB
•   The default approach
•   With little database security, the hash must be secure
•   SHA-1 (160) or SHA-2 (256) and friends
•   Sample code...

4. SHA-2 in the Database
qual = UserAccount.USERNAME.eq(username).and(UserAccount.PASSWORD.eq(digestedString(password)));
....

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import com.webobjects.foundation.NSForwardException;

// Unsalted SHA-256 of the password, Base64-encoded; this is the value kept in the PASSWORD column
public String digestedString(String aString) {
    String digestedString;
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.reset();
        // sun.misc.BASE64Encoder is a JDK-internal class; java.util.Base64 is the public replacement (Java 8+)
        digestedString = new sun.misc.BASE64Encoder().encode(md.digest(aString.getBytes("UTF-8")));
    }
    catch (NoSuchAlgorithmException e) {
        throw new NSForwardException(e);
    }
    catch (UnsupportedEncodingException e) {
        throw new NSForwardException(e);
    }
    return digestedString;
}
5. LDAP
•   JNDI can be used for EOs, but NOT for passwords!
•   Generally restricted by the site's LDAP configuration
•   Standard method is to try a “simple bind” against LDAP
    •   LDAPS:// - Port 636 if possible (SSL), DIGEST otherwise
    •   StartTLS is not an option
    •   http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html

6. Java LDAP Authentication
if (LDAPAuth.LDAPAuthenticate(username, password))
...

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LDAPAuth {
    // Authenticates by binding to the directory as the user's own DN with the supplied password.
    // Note: with an empty password a simple bind becomes an anonymous bind, which many directories
    // accept, so callers must reject an empty password before calling this.
    public static final boolean LDAPAuthenticate(String userid, String password)
    {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://172.16.113.129:389/dc=example,dc=com");
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5"); // or “simple”
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + userid + ", ou=People, dc=example, dc=com");
        env.put(Context.SECURITY_CREDENTIALS, password);

        // Create the initial context; the bind (and thus the credential check) happens here
        try {
            DirContext ctx = new InitialDirContext(env);
        }
        catch (NamingException e) {
            return false; // Failed to auth
            //e.printStackTrace();
        }
        return true;
    }
}
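Added example, not the authors' LDAPAuth: the same simple bind over ldaps://, but refusing an empty password (a simple bind with empty credentials is an anonymous bind that many directories accept and JNDI reports as success), RFC 4514-escaping the userid before it goes into the DN, closing the context, and failing closed on any directory error. The class name SafeLdapAuth, the host ldap.example.com and the people branch are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Hypothetical replacement for the slides' LDAPAuth; not the authors' code.
public final class SafeLdapAuth {
    // Assumed values: substitute your own directory host and people branch.
    private static final String PROVIDER_URL = "ldaps://ldap.example.com:636/";
    private static final String PEOPLE_BASE = "ou=People,dc=example,dc=com";

    private SafeLdapAuth() {}

    public static boolean authenticate(String userid, char[] password) {
        // A simple bind with an empty password is an anonymous/unauthenticated bind.
        // Many directories accept it and JNDI reports success, so the slide's version
        // would return true for any username. Refuse it before touching the network.
        if (userid == null || userid.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        String dn = "uid=" + escapeDnValue(userid) + "," + PEOPLE_BASE;

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);            // TLS from the first byte
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");   // fail fast if the directory hangs
        env.put("com.sun.jndi.ldap.read.timeout", "5000");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                   // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                                       // wrong DN or password
        } catch (NamingException e) {
            return false;                                       // unreachable, TLS failure: fail closed
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    // RFC 4514 escaping so a crafted userid cannot change the shape of the DN.
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',': case '+': case '"': case '\\': case '<': case '>': case ';': case '=':
                    sb.append('\\').append(c);
                    break;
                case '\0':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(c);
            }
        }
        if (value.startsWith(" ") || value.startsWith("#")) {
            sb.insert(0, '\\');                                 // leading space or '#' must be escaped
        }
        if (value.length() > 1 && value.endsWith(" ")) {
            sb.insert(sb.length() - 1, '\\');                   // so must a trailing space
        }
        return sb.toString();
    }
}
```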
7. LDAP via EOModel
•   WebObjects lets you access LDAP via JNDI
•   Insecure
•   SSL supposedly should work
•   Not good for authentication, but other info is there
•   Great for the “hybrid” approach to authentication

8. The Hybrid Approach
•   Define user attributes in your DB-based EOs
•   Authenticate user that is also in LDAP tree
•   1st time auth: use JNDI EO
    •   Must have matching name between auth and LDAP
    •   Use JNDI EO in read-only fashion to get user attributes
    •   Store in your DB user EOs for future use
•   Considerations for future JNDI updates

11. All LDAP Hybrid Approach
// Bind against LDAP first; only on success look the user up in the local DB
if (LDAPAuth.LDAPAuthenticate(username, password)) {
    qual = UserAccount.USERNAME.eq(username);
    NSLog.out.appendln("LDAP authenticated: " + username);
}
if (qual != null)
    try {
        user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
    }
    catch (NoSuchElementException e) {
        // Make a new user from LDAP: first login, so copy the attributes out of the JNDI EO
        qual = PosixAccount.UID.eq(username);
        EOEditingContext ec = ERXEC.newEditingContext();
        PosixAccount ldapAccount = PosixAccount.fetchPosixAccount(ec, qual);
        user = UserAccount.createUserAccount(ec, ldapAccount.gecos(), username);
        ec.saveChanges();
    }
...

public static UserAccount createUserAccount(EOEditingContext editingContext, String fullName, String username) {
    UserAccount eo = (UserAccount) EOUtilities.createAndInsertInstance(editingContext, _UserAccount.ENTITY_NAME);
    eo.setFullName(fullName);
    eo.setUsername(username);
    return eo;
}
12. SSO: Kerberos
•   Many Single-Sign On (SSO) solutions
•   Kerberos / Active Directory are most common today
•   AD and OpenDirectory marry LDAP w/ Kerberos: hybrid!
•   Heavily tied into Java Crypto APIs, so Frustration-By-Design
•   Remember to set classes.include.patternset in woproject to have “**/*.conf”
•   Best seen by example... (Thanks Mike!)

13. Kerberos Methods
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosAuth {
    static final String krbPath = "/Library/Preferences/edu.mit.Kerberos";

    public static final boolean KerberosAuthenticate(String userid, char[] password) {
        // Point JAAS at the realm/KDC configuration and at the login-module configuration (slide 15)
        System.setProperty("java.security.krb5.conf", krbPath);
        System.setProperty("java.security.auth.login.config",
                           KerberosAuth.class.getResource("/kerberos.conf").toExternalForm());
        try {
            LoginContext lc = new LoginContext("primaryLoginContext",
                                               new UserNamePasswordCallbackHandler(userid, password));
            lc.login(); // obtains a TGT with the supplied password; throws on failure
        }
        catch (LoginException e) {
            // e.printStackTrace();
            return false; // Consider all failures as equal
        }
        return true;
    }

14. Kerberos Method Part 2
(continues the KerberosAuth class from slide 13)

    // Hands the username and password to Krb5LoginModule when it asks for them
    public static class UserNamePasswordCallbackHandler implements CallbackHandler {
        private String _userName;
        private char[] _password;

        public UserNamePasswordCallbackHandler(String userName, char[] password) {
            _userName = userName;
            _password = password;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback && _userName != null) {
                    ((NameCallback) callback).setName(_userName);
                }
                else if (callback instanceof PasswordCallback && _password != null) {
                    ((PasswordCallback) callback).setPassword(_password);
                }
            }
        }
    }
} // end of KerberosAuth

15. Kerberos.conf in Sources folder
primaryLoginContext {
    com.sun.security.auth.module.Krb5LoginModule required
        client=true
        useTicketCache=false;
};

16. Kerberos Authentication
if (KerberosAuth.KerberosAuthenticate(username, password.toCharArray())) {
    qual = UserAccount.USERNAME.eq(username);
    NSLog.out.appendln("Kerberos authenticated: " + username);
}
...
UserAccount user = UserAccount.fetchRequiredUserAccount(ERXEC.newEditingContext(), qual);
((Session) session()).setCurrentUser(user);
if (((Session) session()).currentUser() != null) {
    nextPage = D2W.factory().defaultPage(session());
}
18. WebAuth
•   External authentication handled in Apache
•   More involved site setup
•   Must trust the Gateway (Apache) for security
•   Deceptively simple
•   Interesting solutions:
    •   Multiple authentications
    •   Trust-to-Set applications

19. Gateway Approach Considerations
•   Does make Developer Mode a bit more interesting
•   Mixing up DirectAction logins w/ gateway header request check
•   DirectConnect can be good here.. (Thanks Chuck!)
•   Best practices:
    •   Put values you want into your session object
    •   Make sure your session is SSL-enabled!
    •   useExternalAuth boolean in User-type entity?

20. WebAuth Method
import com.webobjects.appserver.WOContext;

public class WebauthAuth {
    public static final String WebauthAuthenticate(WOContext context) {
        // If unauthenticated, this will be blank
        // Assumes that the web location is WebAuth protected to restrict this setting,
        // i.e. that only the Apache gateway can set this header
        return context.request().headerForKey("webauth_user");
    }
}
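Added example, not the slides' WebauthAuth: what "must trust the gateway" has to mean in code, namely accepting webauth_user only when the request also carries a secret header that the gateway's Apache sets, so a request that reaches the application by any other path cannot assert a user. The header name x-gateway-secret and the gateway.secret system property are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import com.webobjects.appserver.WOContext;
import com.webobjects.appserver.WORequest;

// Hypothetical hardening of the slides' WebauthAuth; not the authors' code.
public final class GatewayAuth {
    private static final String USER_HEADER = "webauth_user";   // set by the WebAuth gateway (slide 20)
    // Assumed: the gateway's Apache config adds this header with a long random value, e.g.
    //   RequestHeader set x-gateway-secret "<value>"
    // "RequestHeader set" replaces any copy the client sent, so only the gateway can supply it.
    private static final String SECRET_HEADER = "x-gateway-secret";
    // Assumed: the same value is handed to the application as a system property.
    private static final String EXPECTED_SECRET = System.getProperty("gateway.secret", "");

    private GatewayAuth() {}

    // Returns the user asserted by the gateway, or null when the request must not be trusted
    // (it did not pass through the gateway, or WebAuth did not authenticate it).
    public static String authenticatedUser(WOContext context) {
        WORequest request = context.request();
        if (!secretMatches(request.headerForKey(SECRET_HEADER))) {
            return null;
        }
        String user = request.headerForKey(USER_HEADER);
        if (user == null || user.trim().isEmpty()) {
            return null;
        }
        return user.trim();
    }

    static boolean secretMatches(String presented) {
        if (EXPECTED_SECRET.isEmpty() || presented == null) {
            return false;   // fail closed when the secret is unset or the header is missing
        }
        // Constant-time comparison so response timing does not leak the secret byte by byte
        return MessageDigest.isEqual(
                EXPECTED_SECRET.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

A DirectAction login path that bypasses the gateway (slide 19) should never read webauth_user at all; only this gateway-checked path should.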
21. Which brings us to...
“Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say "Shibboleth" (שיבולת).' If anyone said, "Sibboleth" (סיבולת), because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion.”

22. Shibboleth Topics
•   Shibboleth Authentication Point of View
•   Federated Frameworks
•   How is IdP put together
•   General Shibboleth Service Provision Scenario
•   Classic Computer Security

23. The Shibboleth Point of View
•   Stone Age: Application maintains unique credential and identity information for each user.
•   Bronze Age: Credentials are centralized but applications maintain all user identity information.
•   Iron Age: Credentials and core identity information are centralized and the application maintains only app-specific user data.

24. Fallacies of Distributed Computing
1. The network is reliable
2. Latency is zero
3. Bandwidth is infinite
4. The network is secure
5. Topology doesn’t change
6. There is one administrator
7. Transportation cost is zero
8. The network is homogeneous
Peter Deutsch, James Gosling
25. Computer Security Subjects 101
[Class diagram; only the labels could be recovered]
•   Resource: owner: User; name: String; permissions: allowedOperations; creationTime; modificationTime
•   Subject: operations: Array<Allowed Operations>
•   AllowedOperations: canRead: Boolean; canUpdate: Boolean; canDelete: Boolean; entity: Resource
•   Allowed Operation: subject: Subject
•   General Operations Allowed: no attributes
•   User: no attributes; provider(): Provider
•   Group: owner: Subject; members(): Array<Subject>
•   Local User: givenName, surName, commonName, telephoneNumber, address, organization, jobTitle, password (all String)

26. Fallacies of Distributed Computing
(the same eight fallacies as slide 24)

27. Computer Security Subjects 101
[Same class diagram as slide 25]
Classic Subjects Problems:
•   Group information compromise
•   User info compromise

28. Computer Security Subjects with Shibboleth
[Class diagram as on slide 25, with these differences]
•   Subject gains ticket: Shibboleth Assertion
•   User and Group have no attributes, and no Local User class (with its password and personal attributes) appears
29. Federated Identity Frameworks
•   Shibboleth (http://shibboleth.internet2.edu/)
•   OpenID (http://openid.net)

30. Concept of a Shibboleth Type Federation
[Diagram: Identity Provider, Service Provider, Discovery Service, User]

31. Shibboleth Identity Provider Architecture
[Diagram: Shibboleth IdP with CAS SSO]

32. Commercial Providers
•   Test Shibboleth Two (https://www.testshib.org)
•   Protect Network (http://www.protectnetwork.org/)
•   NJ Trust (http://njtrust.net/)
•   SWITCH (http://www.switch.ch/uni/security/) (Switzerland)
•   UK Federation (http://www.ukfederation.org.uk/content/Documents/Setup2IdP)

33. Service Provider
[Diagram: mod_shib, mod_php, mod_jk, PHP, shibd, Applications, cgi-bin Adaptor]
•   Runs on: Mac OS X, FreeBSD, Linux, Solaris, Windows
•   Protects Web Applications
•   The Shibboleth Daemon processes attributes
•   Can authorize users with
    •   Apache directives
    •   Shibboleth XML Access rules
•   Provides attributes to applications

34. General Play-by-Play Scenario
Parties: User, Service Provider, Discovery Service, Identity Provider
1. Access Service URL
2. SAML2 Discovery Request
2.1 Discovery Request
3. Select Home Organization
4. SAML2 Authn Request
5. Authenticate
6. Authenticate w/ Assertion
6a. Assertion Confirmation
7. Provide Content

35. Installation on Mac OS X
•   IdP: Note, do not have IdP compete with Teams/Podcast Producer
•   MacPorts SP Install: Note, install curl +ssl first. (https://spaces.internet2.edu/display/SHIB2/NativeSPMacPortInstallation)
•   Do the registry steps with IdP/SP and federation.
•   Demo:

36. Q&A

37. Shibboleth in Production
Stanford Shibboleth Example

38. Mobility Trends
•   “Cached Credentials” approach for mobile devices: Browser local storage
•   Using your User EO for credential storage and remote wiping
•   RESTful interfaces and authentication approaches
•   Issues with “gateway” authentication with unknown site authenticators: Split Authentication