University of Milan
Department of Information Technology
The first International Conference on Open Source Systems

Using Open Source Middleware for Securing e-Gov Applications

Authors: Claudio Agostino Ardagna, Ernesto Damiani, Fulvio Frati and Martin Montel

Genova, 11th - 15th July 2005

Outline

●   e-Gov: state of the art
●   Open Source e-Gov Environment
●   Implementing JBoss security environment
●   Advanced security implementation

e-Gov state of the art - 1

●   Fundamental role of e-Services in the modern economy
●   Increasing interest in e-Gov services
●   Definition of the layered structure of e-Gov services

e-Gov state of the art - 2

[Figure: layered structure of an e-Gov system, from top to bottom: e-Government Components, Application Server, Operating System Platform]

e-Gov state of the art - 3

●   Problems
    –   budget limitations
    –   hybrid implementations rely on proprietary middleware for horizontal functionalities
●   Solution
    –   provide a complete Open Source e-Gov Environment

Open Source e-Gov environment

●   Open Source service components
●   Open Source Application Servers
    –   JBoss
    –   JOnAS
●   Open Source Operating System
    –   Linux

Open Source Application Server - Characteristics

●   Provide an environment on which applications are deployed
●   Avoid proprietary lock-in at the middleware layer
●   Let developers focus on business activities

Open Source Application Server - Functionalities

●   Web Server support
●   Transaction Manager
●   Security Manager
●   Cache Manager
●   Persistence Manager
●   Clustering Manager

JBoss/JOnAS

●   Open Source Application Servers
●   Fully compliant with the J2EE specifications
●   EJB/Web Container
●   Web Services support through AXIS integration

Application Server Security – JBoss

●   Access Control Management
    –   JBossSX: the component that handles (role-based) security
    –   JAAS (Java Authentication and Authorization Service): standard modules for file-, DB- and LDAP-based security information

Application Server Security – JOnAS

●   Based on security environments (realms)
    –   Memory realm
    –   Datasource realm
    –   LDAP realm

Implementing JBoss security environment

●   Security Domain Configuration (jboss-web.xml, jboss.xml)
●   Authentication process configuration (login-config.xml)
●   Authorization process configuration (ejb-jar.xml)

Implementing JBoss security environment

●   Security Domain Configuration (jboss-web.xml, jboss.xml):

    <security-domain>java:/jaas/MySecurity</security-domain>

Implementing JBoss security environment

●   Authentication process configuration (login-config.xml):

    <application-policy name="MySecurity">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag="required">
          <module-option name="dsJndiName">java:/UserDS</module-option>
          <module-option name="principalsQuery">
            SELECT Password FROM Operators WHERE OperatorID=?
          </module-option>
          <module-option name="rolesQuery">
            SELECT Role, 'Roles' FROM OperatorRoles WHERE OperatorID=?
          </module-option>
        </login-module>
      </authentication>
    </application-policy>

Implementing JBoss security environment

●   Authorization process configuration (ejb-jar.xml):

    <ejb-jar>
      <assembly-descriptor>
        <security-role>
          <role-name>Standard</role-name>
        </security-role>
        <security-role>
          <role-name>Admin</role-name>
        </security-role>
        <method-permission>
          <role-name>Admin</role-name>
          <method>
            <ejb-name>Operator</ejb-name>
            <method-name>*</method-name>
          </method>
        </method-permission>
        <method-permission>
          <role-name>Standard</role-name>
          <method>
            <ejb-name>OperatorSession</ejb-name>
            <method-name>getOperator</method-name>
          </method>
        </method-permission>
      </assembly-descriptor>
    </ejb-jar>
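To show what this descriptor actually grants, here is an added Python example (not code from the deck or from JBoss) that parses the ejb-jar.xml above and evaluates its method-permission entries the way a container's role check does, then runs two deployer sanity checks on the role table. The denial of methods that appear in no method-permission and the sample callers are assumptions of the example.

```python
"""Added example (not from the deck or from JBoss): read the ejb-jar.xml
assembly-descriptor shown on the slide and answer "may a caller holding these
roles invoke this bean method?", plus two deployer checks on the role table."""
import xml.etree.ElementTree as ET

# The slide's descriptor, embedded here as the sample input.
EJB_JAR_XML = """<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>Standard</role-name></security-role>
    <security-role><role-name>Admin</role-name></security-role>
    <method-permission>
      <role-name>Admin</role-name>
      <method>
        <ejb-name>Operator</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>Standard</role-name>
      <method>
        <ejb-name>OperatorSession</ejb-name>
        <method-name>getOperator</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""


def parse_permissions(xml_text):
    """Return (declared_roles, grants): the set of <security-role> names and a
    list of (role, ejb_name, method_name) triples, one per role/method pair
    found in every <method-permission>."""
    asm = ET.fromstring(xml_text).find("assembly-descriptor")
    declared = {r.text.strip() for r in asm.iterfind("security-role/role-name")}
    grants = []
    for mp in asm.iterfind("method-permission"):
        roles = [r.text.strip() for r in mp.iterfind("role-name")]
        for m in mp.iterfind("method"):
            ejb = m.findtext("ejb-name").strip()
            meth = m.findtext("method-name").strip()
            grants.extend((role, ejb, meth) for role in roles)
    return declared, grants


def is_allowed(grants, caller_roles, ejb_name, method_name):
    """Container-style decision.  The call is permitted if any caller role is
    granted the method; a <method-name> of '*' covers every method of that
    bean.  Roles are flat, so Admin does not inherit what Standard may do.
    A method named in no <method-permission> is denied here; that is a
    conservative assumption of this example, since the container's treatment
    of unassigned methods depends on its configuration."""
    return any(
        role in caller_roles and ejb == ejb_name and meth in ("*", method_name)
        for role, ejb, meth in grants
    )


def audit(declared, grants):
    """Deployer checks: roles granted methods but never declared in a
    <security-role>, and declared roles that grant nothing at all."""
    used = {role for role, _, _ in grants}
    return {
        "undeclared_roles": sorted(used - declared),
        "unused_roles": sorted(declared - used),
    }


if __name__ == "__main__":
    declared, grants = parse_permissions(EJB_JAR_XML)
    for roles, bean, method in [({"Admin"}, "Operator", "removeOperator"),
                                ({"Standard"}, "OperatorSession", "getOperator"),
                                ({"Admin"}, "OperatorSession", "getOperator"),
                                ({"Standard"}, "OperatorSession", "removeOperator")]:
        verdict = "ALLOW" if is_allowed(grants, roles, bean, method) else "DENY"
        print(f"{verdict:5} {sorted(roles)} -> {bean}.{method}")
    print("audit:", audit(declared, grants))
```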

Advanced Security Implementation
JBoss and Single Sign-On

Single Sign-On (SSO)

●   Provides centralized authentication to a single server
●   Advantages of an SSO solution
    –   Reduction of authentication time to secondary domains
    –   Security improvement
    –   Reduction of user profile management costs and time
    –   Usability improvement: single login interface

Central Authentication Service (CAS)

●   SSO Open Source framework
●   Developed by Yale University
●   Runs on any servlet engine
●   Secure, flexible, reliable

Central Authentication Service (CAS) - Security

●   Passwords are used only during the authentication process, and only over encrypted channels
●   Transparent re-authentication
●   Applications learn user identities through opaque cookies
    –   User identities are shared only between the CAS server and the services

CAS Flow

●   TGC (Ticket Grant Cookie):
    –   identifies the user
    –   usable by CAS only
●   ST (Service Ticket):
    –   limited time validity
    –   authorizes web browser access to the service

[Figure: web browser, CAS server and service; the browser exchanges the TGC and ST with the CAS server over HTTPS, presents the ST to the service, and the service exchanges the ST with the CAS server for the user ID]
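The TGC/ST exchange on this slide, together with the security properties on the previous slide (passwords seen only by the CAS server, services learning the identity only through an opaque ticket), as an added Python model that is not part of the deck or of the CAS project. Ticket formats, the ST lifetime, the service URLs and the credential store are constructed for the example and are not CAS's real ones.

```python
"""Added example (not from the deck or from the CAS project): a toy model of
the ticket flow on the slide.  The browser's TGC (Ticket Grant Cookie) is only
ever presented to the CAS server; the service only ever sees a Service Ticket
(ST), which it hands back to CAS to learn the user ID.  Ticket formats, the
ST lifetime and the in-memory stores are assumptions, not CAS's real ones."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

ST_LIFETIME_SECONDS = 10.0   # assumed "limited time validity" of an ST


@dataclass
class ServiceTicket:
    user_id: str
    service_url: str   # the ST is bound to the service it was issued for
    issued_at: float


@dataclass
class CasServer:
    # Constructed credential store; a deployment would back this with one of
    # the file, DB or LDAP sources mentioned earlier in the deck.
    passwords: Dict[str, str]
    clock: Callable[[], float] = time.time
    tgcs: Dict[str, str] = field(default_factory=dict)           # TGC -> user
    sts: Dict[str, ServiceTicket] = field(default_factory=dict)  # ST -> ticket

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Primary authentication: the password is checked here and nowhere
        else.  Returns the TGC the browser keeps as a cookie, or None."""
        if not secrets.compare_digest(self.passwords.get(user_id, ""), password):
            return None
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgcs[tgc] = user_id
        return tgc

    def issue_st(self, tgc: Optional[str], service_url: str) -> Optional[str]:
        """Transparent re-authentication: a valid TGC yields a fresh ST bound
        to the requested service, with no password prompt."""
        user_id = self.tgcs.get(tgc)
        if user_id is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = ServiceTicket(user_id, service_url, self.clock())
        return st

    def validate_st(self, st: str, service_url: str) -> Optional[str]:
        """Called by the service, not the browser.  CAS maps the opaque ST to
        a user ID, enforces lifetime and service binding, and consumes the
        ticket so a replayed ST is refused."""
        ticket = self.sts.pop(st, None)
        if ticket is None or ticket.service_url != service_url:
            return None
        if self.clock() - ticket.issued_at > ST_LIFETIME_SECONDS:
            return None
        return ticket.user_id


def service_access(cas, service_url, browser_cookies) -> Optional[str]:
    """Service side of the flow: the browser is sent to CAS with its TGC,
    comes back carrying an ST, and the service validates that ST with CAS.
    Returns the user ID the service learns, or None if access is refused."""
    st = cas.issue_st(browser_cookies.get("TGC"), service_url)  # browser <-> CAS
    if st is None:
        return None
    return cas.validate_st(st, service_url)                     # service <-> CAS


def expired_st_is_rejected() -> bool:
    """Issue an ST, move a settable clock past its lifetime, show CAS refuses it."""
    now = [1_000_000.0]   # mutable so the model can advance time
    cas = CasServer({"alice": "correct horse battery"}, clock=lambda: now[0])
    st = cas.issue_st(cas.login("alice", "correct horse battery"), "https://svc.example/")
    now[0] += ST_LIFETIME_SECONDS + 1
    return cas.validate_st(st, "https://svc.example/") is None


if __name__ == "__main__":
    cas = CasServer({"alice": "correct horse battery"})
    cookies = {"TGC": cas.login("alice", "correct horse battery")}
    print("service a:", service_access(cas, "https://a.example/", cookies))
    print("expired ST rejected:", expired_st_is_rejected())
```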

Advanced Security Implementation (CAS++)

●   SSO based on certificates
    –   Improvement to the CAS architecture (CAS++)
●   Integration with Public Key Infrastructure (PKI)
●   Integration with strong authentication mechanisms based on
    –   smart card, and
    –   fingerprint reader

Advanced Security Implementation - Flow

[Figure: flow diagram]

Thanks to

●   Ernesto Damiani
●   Fulvio Frati
●   Martin Montel
●   Software Engineering and Advanced Architectures Lab. (University of Milan)

Reference

●   CAS
    http://tp.its.yale.edu/tiki/tiki-index.php?page=CentralAuthenticationService
●   Italian Project PEOPLE
    http://www.progettopeople.it

Questions???

				