Guarding your applications
The OWASP Foundation, http://www.owasp.org
Koen Vanderloock ([email protected])
Koen Vanderloock?
• 9 years experience as Java developer
• The last 3 years working on security @ Cegeka
• Leader of the Security Competence Center @ Cegeka
• SIMBA founder
User Access Management (UAM)
• Identification
• Authentication
• Authorization
• Manage users & rights

SIMBA = Security Integration Module for Business Applications
Why another UAM tool?
Large Java project
• 5 years of agile development
• 2-week releases
• 4 applications
• 8 big customers
• Secured by Sun Access Manager

Problems with Sun Access Manager
• Configuration nightmare
• No clue what's going on
• Management of users/rights = disaster
Why another UAM tool? Two options: create it ourselves, or another UAM vendor.

Other UAM vendors
• CA SiteMinder
• OpenSSO (= OpenAM)
• JOSSO

Create it ourselves
• Use it for each Java project
• Make it customizable
• See what's going on
• Easy management
What can SIMBA do?
• Authentication
• Single Sign-On
• Role Based Access Control
• Authorization
• Session Management
• User Management
Authentication (diagram)
Your applications run SIMBA enabled, behind the SIMBA filter, and call the SIMBA Authentication Service over RMI/HTTP; the service runs each login through the Authentication Chain. Web service clients come in over WS/HTTP through the Webservices Entry Point, where the SIMBA WS Handler runs the WS Login Chain.
Single Sign-On (diagram)
Each of your applications runs the SIMBA filter and shares one SIMBA Manager; the SSO token is stored in a cookie. (General practitioner note, not a claim about SIMBA: an SSO cookie should be set HttpOnly and, over TLS, Secure, so the token is neither readable by page scripts nor sent in clear.)
Role Based Access Control

RBAC in SIMBA (model)
Role 1..* Policy (Permission) 1..* URL Rule / Resource Rule: a role holds one or more policies, and a policy holds one or more URL rules and resource rules.
Example RBAC

Role          URL rule     Resource rule: View animals   Resource rule: Feeding
Visitor       Access Zoo   READ                          READ
Groundkeeper  Access Zoo   READ                          WRITE
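The zoo example, worked through in code. This is an added illustration of the Role / Policy / URL Rule / Resource Rule model on the slides, not SIMBA's own API: the class names, the `/zoo` path standing in for "Access Zoo", the path-prefix matching of URL rules and the assumption that the Groundkeeper's WRITE on Feeding includes READ are all choices made for this example.

```java
import java.util.*;

// Added illustration of the RBAC model on the slides (Role -> Policy -> URL Rule / Resource Rule).
// This is not SIMBA's own API: class and method names are invented for this example.
public class RbacExample {

    enum Access { READ, WRITE }

    // A URL rule grants access to a path and everything below it (assumed matching semantics;
    // matching on whole path segments, so "/zoo" does not accidentally cover "/zoology").
    static final class UrlRule {
        final String path;
        UrlRule(String path) { this.path = path; }
        boolean matches(String url) { return url.equals(path) || url.startsWith(path + "/"); }
    }

    // A resource rule grants READ and/or WRITE on a named resource.
    static final class ResourceRule {
        final String resource; final EnumSet<Access> granted;
        ResourceRule(String resource, EnumSet<Access> granted) { this.resource = resource; this.granted = granted; }
    }

    // A policy (permission) holds one or more URL rules and resource rules.
    static final class Policy {
        final List<UrlRule> urlRules = new ArrayList<>();
        final List<ResourceRule> resourceRules = new ArrayList<>();
        Policy url(String path) { urlRules.add(new UrlRule(path)); return this; }
        Policy resource(String resource, Access first, Access... more) {
            resourceRules.add(new ResourceRule(resource, EnumSet.of(first, more))); return this;
        }
    }

    // A role holds one or more policies.
    static final class Role {
        final String name; final List<Policy> policies;
        Role(String name, Policy... policies) { this.name = name; this.policies = List.of(policies); }
    }

    // URL rule check: allowed if any policy of any role the user holds has a matching URL rule.
    // No matching rule means deny (default deny).
    static boolean urlAllowed(Collection<Role> roles, String url) {
        for (Role r : roles) for (Policy p : r.policies) for (UrlRule u : p.urlRules)
            if (u.matches(url)) return true;
        return false;
    }

    // Resource rule check: allowed if some rule names the resource and grants the requested access.
    static boolean resourceAllowed(Collection<Role> roles, String resource, Access access) {
        for (Role r : roles) for (Policy p : r.policies) for (ResourceRule rr : p.resourceRules)
            if (rr.resource.equals(resource) && rr.granted.contains(access)) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed data reproducing the zoo example; "Access Zoo" is modelled as the /zoo URL.
        Role visitor = new Role("Visitor", new Policy()
                .url("/zoo")
                .resource("View animals", Access.READ)
                .resource("Feeding", Access.READ));
        Role groundkeeper = new Role("Groundkeeper", new Policy()
                .url("/zoo")
                .resource("View animals", Access.READ)
                .resource("Feeding", Access.READ, Access.WRITE));   // slide shows WRITE; READ assumed included

        for (Role role : List.of(visitor, groundkeeper)) {
            List<Role> held = List.of(role);
            System.out.println(role.name
                    + " /zoo/animals: " + urlAllowed(held, "/zoo/animals")
                    + ", /zoology: " + urlAllowed(held, "/zoology")
                    + ", Feeding READ: " + resourceAllowed(held, "Feeding", Access.READ)
                    + ", Feeding WRITE: " + resourceAllowed(held, "Feeding", Access.WRITE));
        }
    }
}
```

Two points worth checking in any RBAC deployment of this shape: the checks default to deny when no rule matches, and they have to run on the server side (in the filter or the security aspect in front of the service), never only in the page that hides a button.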
Authorization (diagram)
Your application (SIMBA enabled) reaches your service through a security aspect / delegate, which asks the SIMBA Authorization Service over RMI/HTTP for a URL Rule Check and a Resource Rule Check (READ or WRITE access).
Session management
• Overview of user sessions
• Auto-expire sessions
• Manually terminate sessions
User management
• Overview of users, roles, policies
• Relations between concepts
• Creation of users and adding the correct rights
• Set user inactive
• Unblock user
• Reset password to the default
SIMBA advantages
• It's easy
• Chains
• It's lightweight
• Caching
• Audit logging
• User overview
• Centralized / distributed deployment
SIMBA is easy, but …
Three layers: the Simba framework, a Simba-specific module for your project, and your application. SIMBA is customized for your application.
Choose your armor: Command and Chains
Entry points: Webservice entrance, Webpage entrance.

Authentication chain
• Validate Parameters
• User Active
• JAAS Login
• Account Blocked
• Password Expired
• Create Session

Session chain (Enter Application)
• Is Credential?
• Check Session
• Check Client IP
• Logout
• URL Rule Check

An incoming request passes through the chains in three situations: the first request, the login request and the logged-in request.

Webservice chain
• Validate Parameters
• User Active
• JAAS Login
• …
• Your security check

Command = one security check. Chain = a collection of commands, mostly an entry point.
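The chain idea in code: an added example of the structure the slides describe, not SIMBA's own classes. It builds the authentication chain (Validate Parameters, User Active, JAAS Login, Account Blocked, Password Expired, Create Session) and a session chain (Check Session, Check Client IP) from small commands that each return CONTINUE or ERROR. The in-memory user store, the `State`, `Command`, `Chain` and `Context` names, and the constructed accounts and IP addresses are assumptions of this example; the real JAAS login module is replaced by a password comparison against that store.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.function.Function;

// Added illustration of the "Command and Chains" structure described in the deck.
// Class, method and command names are invented for this example; this is not SIMBA's API.
public class ChainExample {

    enum State { CONTINUE, ERROR }

    // Per-request context shared by the commands of one chain run.
    static final class Context {
        final Map<String, String> params;   // request parameters (login form fields)
        final String clientIp;
        final String sessionId;             // from the SSO cookie; null on the login request
        String user, error, newSessionId;
        final List<String> audit = new ArrayList<>();
        Context(Map<String, String> params, String clientIp, String sessionId) {
            this.params = params; this.clientIp = clientIp; this.sessionId = sessionId;
        }
    }

    // A command is one security check; a chain runs its commands in order and stops at the first ERROR.
    static final class Command {
        final String name; final Function<Context, State> check;
        Command(String name, Function<Context, State> check) { this.name = name; this.check = check; }
    }
    static final class Chain {
        final List<Command> commands;
        Chain(Command... commands) { this.commands = List.of(commands); }
        boolean run(Context ctx) {
            for (Command c : commands) {
                State s = c.check.apply(ctx);
                ctx.audit.add(c.name + ": " + s);   // the deck's audit log records each command's success / error
                if (s == State.ERROR) return false;
            }
            return true;
        }
    }

    // Constructed user store standing in for the JAAS login module and the user management DB.
    // Plain-text passwords are for the demo only; a real store holds salted hashes.
    static final class Account {
        final String password; final boolean active, blocked, passwordExpired;
        Account(String password, boolean active, boolean blocked, boolean passwordExpired) {
            this.password = password; this.active = active; this.blocked = blocked; this.passwordExpired = passwordExpired;
        }
    }
    static final Map<String, Account> USERS = Map.of(
            "alice", new Account("s3cret", true, false, false),
            "bob",   new Account("s3cret", true, true,  false));    // blocked account
    static final Map<String, String> SESSIONS = new HashMap<>();    // session id -> client IP seen at login

    // Reasons are written to the context (and so to the audit log); the client should only get a generic message.
    static State fail(Context ctx, String reason) { ctx.error = reason; return State.ERROR; }

    static final Command VALIDATE_PARAMETERS = new Command("ValidateParameters", ctx -> {
        String u = ctx.params.get("username"), p = ctx.params.get("password");
        return (u == null || u.isBlank() || p == null || p.isEmpty()) ? fail(ctx, "missing credentials") : State.CONTINUE;
    });
    static final Command USER_ACTIVE = new Command("UserActive", ctx -> {
        Account a = USERS.get(ctx.params.get("username"));
        return (a == null || !a.active) ? fail(ctx, "unknown or inactive user") : State.CONTINUE;
    });
    static final Command JAAS_LOGIN = new Command("JaasLogin", ctx -> {   // stand-in for the JAAS login module
        Account a = USERS.get(ctx.params.get("username"));
        byte[] given = ctx.params.get("password").getBytes(StandardCharsets.UTF_8);
        if (a == null || !MessageDigest.isEqual(a.password.getBytes(StandardCharsets.UTF_8), given)) return fail(ctx, "bad password");
        ctx.user = ctx.params.get("username");
        return State.CONTINUE;
    });
    static final Command ACCOUNT_BLOCKED = new Command("AccountBlocked", ctx ->
            USERS.get(ctx.user).blocked ? fail(ctx, "account blocked") : State.CONTINUE);
    static final Command PASSWORD_EXPIRED = new Command("PasswordExpired", ctx ->
            USERS.get(ctx.user).passwordExpired ? fail(ctx, "password expired") : State.CONTINUE);
    static final Command CREATE_SESSION = new Command("CreateSession", ctx -> {
        byte[] random = new byte[16];
        new SecureRandom().nextBytes(random);                            // unguessable session id
        ctx.newSessionId = Base64.getUrlEncoder().withoutPadding().encodeToString(random);
        SESSIONS.put(ctx.newSessionId, ctx.clientIp);
        return State.CONTINUE;
    });
    static final Command CHECK_SESSION = new Command("CheckSession", ctx ->
            ctx.sessionId != null && SESSIONS.containsKey(ctx.sessionId) ? State.CONTINUE : fail(ctx, "no valid session"));
    static final Command CHECK_CLIENT_IP = new Command("CheckClientIp", ctx ->
            ctx.clientIp.equals(SESSIONS.get(ctx.sessionId)) ? State.CONTINUE : fail(ctx, "client IP changed"));

    static final Chain AUTHENTICATION_CHAIN = new Chain(VALIDATE_PARAMETERS, USER_ACTIVE, JAAS_LOGIN,
            ACCOUNT_BLOCKED, PASSWORD_EXPIRED, CREATE_SESSION);
    static final Chain SESSION_CHAIN = new Chain(CHECK_SESSION, CHECK_CLIENT_IP);   // the URL rule check would follow

    public static void main(String[] args) {
        Context login = new Context(Map.of("username", "alice", "password", "s3cret"), "10.0.0.5", null);
        System.out.println("login: " + AUTHENTICATION_CHAIN.run(login) + " " + login.audit);
        Context request = new Context(Map.of(), "10.0.0.5", login.newSessionId);
        System.out.println("logged-in request: " + SESSION_CHAIN.run(request) + " " + request.audit);
        // The same session id presented from another address: Check Client IP stops the chain.
        Context hijack = new Context(Map.of(), "192.0.2.7", login.newSessionId);
        System.out.println("replayed cookie: " + SESSION_CHAIN.run(hijack) + " " + hijack.error);
        Context blocked = new Context(Map.of("username", "bob", "password", "s3cret"), "10.0.0.5", null);
        System.out.println("blocked user: " + AUTHENTICATION_CHAIN.run(blocked) + " " + blocked.error);
    }
}
```

Two design points to carry over when building real chains: the order of the commands matters (the blocked and expired checks only make sense after the credential has been verified, otherwise a guessed username reveals account state), and a chain must stop at the first failing command rather than collecting results, so a later command never runs against an unauthenticated context.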
It's lightweight
• Your own chains = only what you need
• Deploy it on your application server
• Extra features such as SAML, E-ID, biometrics, … = extra jars
Caching (diagram)
Server 1 and Server 2 each run a Simba service and a Simba manager, connected through the SIMBA topic. When a manager changes something: 1. it refreshes its own cache, 2. it publishes an event on the SIMBA topic, 3. the subscribed Simba services and managers clean their cache.
Audit logging
• Each command: success / error
• Each authorization request
• Integrity check (HMAC-SHA1)
• Archiving job
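What an HMAC integrity check on an audit log looks like, as an added example; it is not SIMBA's audit code and its record layout, class and method names are invented here. Each record (timestamp, command, outcome, user) carries an HMAC in its last column, computed with the `HmacSHA1` algorithm the slide names. The example goes one step beyond the slide: each MAC also covers the previous record's MAC, so deleting or reordering records is detected as well as editing them. The key and the log lines are constructed for the demo.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

// Added example of an audit log with an HMAC integrity check, as the deck describes for SIMBA.
// Names and record layout are invented for this illustration; this is not SIMBA's own audit code.
public class AuditLogExample {
    private static final String ALGORITHM = "HmacSHA1";   // named on the slide; "HmacSHA256" is a drop-in change
    private final byte[] key;
    private final List<String> lines = new ArrayList<>();
    private byte[] previousMac = new byte[0];             // chaining: each MAC also covers the previous MAC

    AuditLogExample(byte[] key) { this.key = key.clone(); }

    // Append one record: timestamp, command, outcome (success / error), user; tab-separated, MAC last.
    void record(String timestamp, String command, String outcome, String user) throws Exception {
        String body = String.join("\t", clean(timestamp), clean(command), clean(outcome), clean(user));
        byte[] mac = mac(body, previousMac);
        lines.add(body + "\t" + hex(mac));
        previousMac = mac;
    }

    // Re-walk the log; returns the index of the first record whose MAC does not verify, or -1 if intact.
    int firstTamperedLine() throws Exception {
        byte[] prev = new byte[0];
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i);
            int cut = line.lastIndexOf('\t');
            if (cut < 0) return i;
            byte[] expected = mac(line.substring(0, cut), prev);
            byte[] stored = fromHex(line.substring(cut + 1));
            if (!MessageDigest.isEqual(expected, stored)) return i;   // constant-time comparison
            prev = expected;
        }
        return -1;
    }

    List<String> lines() { return lines; }

    private byte[] mac(String body, byte[] prev) throws Exception {
        Mac m = Mac.getInstance(ALGORITHM);
        m.init(new SecretKeySpec(key, ALGORITHM));
        m.update(prev);
        return m.doFinal(body.getBytes(StandardCharsets.UTF_8));
    }

    // Fields must not contain the separators, or a record could be made to parse differently.
    private static String clean(String field) { return field.replace('\t', ' ').replace('\n', ' '); }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    private static byte[] fromHex(String s) {
        try {
            byte[] out = new byte[s.length() / 2];
            for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
            return out;
        } catch (RuntimeException e) { return new byte[0]; }      // malformed MAC column counts as tampered
    }

    public static void main(String[] args) throws Exception {
        // Constructed key and records; in practice the key is kept away from the database the log lives in.
        byte[] key = "demo-audit-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        AuditLogExample log = new AuditLogExample(key);
        log.record("2024-05-01T10:00:00Z", "JaasLogin", "success", "alice");
        log.record("2024-05-01T10:00:01Z", "UrlRuleCheck", "error", "alice");
        log.record("2024-05-01T10:02:00Z", "Logout", "success", "alice");
        System.out.println("intact log, first tampered line: " + log.firstTamperedLine());

        // Tamper: change the outcome of the second record from "error" to "success".
        log.lines().set(1, log.lines().get(1).replace("\terror\t", "\tsuccess\t"));
        System.out.println("after edit, first tampered line: " + log.firstTamperedLine());

        // Tamper: drop the (edited) second record entirely; the chained MAC of the next record no longer verifies.
        log.lines().remove(1);
        System.out.println("after deletion, first tampered line: " + log.firstTamperedLine());
    }
}
```

The check is only as strong as the separation between the key and whoever can write the log: an administrator who can read the HMAC key can re-sign an edited record, so the key belongs in a store the application database administrator cannot read. The archiving job the slide mentions should carry the MAC column (and the last chain value) along with the records, or the archived part loses its integrity evidence.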
Give me an overview!

One big tiger, … (diagram)
One SIMBA Service and Manager on Server 1, next to the Application DB; the applications on Server 1 and Server 2 all use that single instance.

… or a pack? (diagram)
Each server runs its own SIMBA Service and Manager next to its applications, sharing the Application DB.

Distributed deployment: advantages
• Multiple instances of your security
• Security doesn't go down
• You can always access the manager
• You don't lose your security session
Future SIMBAs
• SAML support
• E-ID support
• Advanced RBAC (hierarchy, constraints, …)
• SIMBA Filter (request parameters, request headers, X509 certificates)
• Manager: add/remove roles, policies
• Documentation: SIMBA threat model
• Release about every 6 months
Interested?
More information:
• OWASP SIMBA Project
• simbasecurity.org
• Mail to [email protected]
Questions?

Thanks to: