ManTech Proprietary Information

Successful SOA Security Integration
Air Force SOA Developer’s Conference
Kevin T. Smith, Senior Technical Director
May 21, 2009

Slide 2

About the Presenter

• Architect and Software Developer: of SOA Security Solutions for many government customers
• Killer of Trees: Books and articles focusing on SW Engineering, Web Services, XML, Enterprise Architecture, and SOA Security
• Recent Book: Applied SOA: Service-Oriented Architecture and Design Strategies
• Speaker: SOA Security Workshop Presenter at many conferences, such as: RSA Security Conference, JavaOne, ApacheCon, Net-Centric Warfare, AFEI, AFCEA, SemTech, Object Management Group conferences, etc.

Contributing Author

Slide 3

Loose Coupling is Key To SOA

Historically, we have built monolithic applications and stovepiped systems, where data, functionality, and business rules could not be reused in other applications.

We can now distribute functionality to the network and expose it as services so that many other applications can reuse that functionality.

[Diagram labels: Application, Application, Services]

(Animated Slide – Hard Copy of this Slide will make no sense!)

Slide 4

Loose Security Coupling is Key To SOA Integration

Decouple Security Processing from Business Processing!

*From Rosen, Lublinsky, Smith, Balcer, Applied SOA: Service-Oriented Architecture & Design Strategies, Wiley, 2008.

Slide 5

Why is Decoupling of Security Processes Important?

(1) You don’t want business code & security code tangled up
(2) You should reuse security logic for all services & clients
(3) Exposing Functionality into Reusable Components is what SOA is all About!

*From Rosen, Lublinsky, Smith, Balcer, Applied SOA: Service-Oriented Architecture & Design Strategies, Wiley, 2008.

Slide 6

High-Level Interceptor Design

This is an Implementation-Agnostic Design: Use it In The Framework of Your Choice

Slide 7

Interceptor Code for You To Inspect

Back in the Day, I wrote DIA’s NCES SOA Security Toolkit - Interceptor Code for Horizontal Fusion (HF)
• Used Apache Axis 1.4.x – a little dated, but still works
• Provides secure messaging, validation, access control using NCES Specification
• WS-Security SAML Token Profile-ish: WS-Security Messaging with SAML, WS-Addressing MessageID, Timestamp, with digitally signed components
• Customizable Access Control Methods
• Can use Local PDP/PEP - Recommended (old NCES PDS no longer supported)
• Can turn off CVS Checking – Recommended (Now, NCES uses RCVS)
• Client handlers & server handlers for NCES integration
• For other customers, I have
  • Used different frameworks (same concept) – Axis2, JAX-WS, JAX-RPC, proprietary security components (choose the web service container of your choice)
• My Code Online with Documentation & Examples
  http://horizontalfusion.dtic.mil/docs/specs/20040417_nces_dia_security.zip

This is just an example – you can also use higher-level frameworks (Spring Security, Apache Rampart, etc.)

But The Design on PREVIOUS SLIDE is more important than what you use

Slide 8

Are Your Clients Tightly Coupled to Security Policy?

Will changes in your service’s connection policy require client integration?

• If a service changes its messaging security policies, will all of your service clients break?
• Will your clients have to re-write client handlers, etc.?
• If so, your clients are tightly coupled to security messaging.

[Diagram labels: Service, A, B, C, D, E]

Slide 9

High-Level Design of Dynamic Policy Processing

Don’t hard code security rules in security interceptors!

*From K. Smith, “Flexibility by Design: Adapting to Changes at Run-Time in SOA Implementations”, SOAInstitute.org, Sept 2008.

Slide 10

Don’t Forget to Secure and Filter Your Data

[Diagram labels: Secret User, Portal, Service, A, B, C, D, (S), TS, “OOPS!”]

• Some focus so much on access control to services, that they forget to control access to the data
• Data must be marked with access control (releasability) markings & filtered on the way back to the user – CAPCO standards such as IC-ISM
• Header- vs. Element-Level Marking Solutions:
  • Header-Level separates security data from business data, placing the roll-up in header of message
  • Element-Level Marking allows you to do TRUE filtering of the message, whereas filtering header-level marked messages results in a “keep” or “drop.”

Slide 11

Example Filtering Solutions with Marked Data

Get your Security Interceptors to filter responses

*From Rosen, Lublinsky, Smith, Balcer, Applied SOA: Service-Oriented Architecture & Design Strategies, Wiley, 2008.
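Added example, not from the original slides or the Applied SOA book: a response filter in Java contrasting header-level and element-level marking as described on the previous slide. The `rollup` and `classification` attributes, the U < C < S < TS ordering, the class name and the sample message are assumptions made for illustration; real IC-ISM markings carry more than a single level.

```java
import java.io.StringReader;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

/** Added example (hypothetical names): response filter for marked data. */
public class MarkingFilter {
    // Simplified linear ordering; attribute names are stand-ins, not the IC-ISM schema.
    private static final List<String> LEVELS = List.of("U", "C", "S", "TS");

    /** Fail closed: a missing or unknown marking or clearance is never releasable. */
    static boolean releasable(String marking, String clearance) {
        int m = LEVELS.indexOf(marking), c = LEVELS.indexOf(clearance);
        return m >= 0 && c >= 0 && m <= c;
    }

    /** Element-level filtering: prune every element the caller is not cleared for. */
    static void filter(Element parent, String clearance) {
        NodeList kids = parent.getChildNodes();
        for (int i = kids.getLength() - 1; i >= 0; i--) { // backwards: the list is live
            if (!(kids.item(i) instanceof Element)) continue;
            Element el = (Element) kids.item(i);
            if (releasable(el.getAttribute("classification"), clearance)) filter(el, clearance);
            else parent.removeChild(el);
        }
    }

    public static void main(String[] args) throws Exception {
        String xml = "<report rollup='TS'>"              // constructed sample response
            + "<summary classification='U'>Exercise schedule</summary>"
            + "<detail classification='S'>Unit locations</detail>"
            + "<detail classification='TS'>Source reporting</detail>"
            + "</report>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Element root = f.newDocumentBuilder()
            .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        String clearance = "S"; // the Secret user from the slide
        // Header-level marking: only the roll-up is checked, so the message is kept or dropped whole.
        System.out.println("header-level: "
            + (releasable(root.getAttribute("rollup"), clearance) ? "keep" : "drop"));
        // Element-level marking: the same user still receives the elements marked U and S.
        filter(root, clearance);
        NodeList left = root.getChildNodes();
        for (int i = 0; i < left.getLength(); i++)
            System.out.println("element-level: " + left.item(i).getTextContent());
    }
}
```

Because unmarked elements are treated as not releasable, a service that forgets to mark an element loses it from the response instead of leaking it.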

Slide 12

Integrating with Attribute Services

All Components of your Solutions must have assurance of:
• Authentication (AuthN) - What is the Subject’s Identity?
• Authorization (AuthZ) – What does the Subject Have Permission to do?

Attribute Services Gaining Popularity for AuthZ

Many organizations in DoD & IC are using attribute services and building ABAC policies for clearance, compartment, citizenship, etc, and using “role” as another attribute

Typical Integration Issue for Web Servers/App Servers – RBAC vs. ABAC
• RBAC - Java Servlet API uses isUserInRole() and most app servers use roles for permission management; We need to have a way to map ABAC->RBAC
• Need a way to map ABAC Attributes into J2EE Roles for Web Applications

EFFECTIVE ABAC->RBAC MAPPING MODEL

ATTRIBUTES                      ROLES
Clearance = TS                  CLEARANCE.TS
Compartments = MILES,MINGUS     COMPARTMENT.MILES, COMPARTMENT.MINGUS
Citizenship = USA               CITIZENSHIP.USA
Role = Producer                 ROLE.PRODUCER

Typically, if Attribute Services are Specific to Government (ex: web services) & not LDAP, You May Need to Write Custom Code
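Added example, not the AFRealm code: one way the ABAC->RBAC mapping on this slide could be written in Java. The class name, the attribute-to-prefix table and the token rule are assumptions; the role names follow the slide (CLEARANCE.TS, COMPARTMENT.MILES, ...).

```java
import java.util.*;
import java.util.regex.Pattern;

/** Added example: hypothetical mapper, not the AFRealm AttributeServiceBase code. */
public class AbacToRoleMapper {
    // Attribute name -> role prefix, following the naming on the slide.
    private static final Map<String, String> PREFIXES = Map.of(
        "Clearance", "CLEARANCE",
        "Compartments", "COMPARTMENT",
        "Citizenship", "CITIZENSHIP",
        "Role", "ROLE");
    // Assumed rule: only short, simple tokens may become part of a role name.
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    /** Maps attribute name/value pairs to J2EE role names; multi-valued attributes are comma-separated. */
    public static SortedSet<String> toRoles(Map<String, String> attributes) {
        SortedSet<String> roles = new TreeSet<>();
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            String prefix = PREFIXES.get(e.getKey());
            if (prefix == null || e.getValue() == null) continue; // unknown attribute grants nothing
            for (String raw : e.getValue().split(",")) {
                String value = raw.trim();
                if (!TOKEN.matcher(value).matches()) {
                    // Fail closed: a malformed value rejects the login instead of yielding an odd role.
                    throw new IllegalArgumentException("Malformed value for " + e.getKey());
                }
                roles.add(prefix + "." + value.toUpperCase(Locale.ROOT));
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        Map<String, String> attrs = new LinkedHashMap<>(); // attribute values from the slide
        attrs.put("Clearance", "TS");
        attrs.put("Compartments", "MILES,MINGUS");
        attrs.put("Citizenship", "USA");
        attrs.put("Role", "Producer");
        System.out.println(toRoles(attrs));
    }
}
```

The resulting names are what a web application would test with isUserInRole() or list in its container-level security constraints.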

Slide 13

Code For You: Custom J2EE Security Realm for Attribute Service Integration

Custom Tomcat 6.0.16+ Security Realm
• Installation ANT build configures Tomcat for Digital Certificate Authentication & Configures Realm based on Current Security Infrastructure
• Performs Cached CRL Checking (via a directory)
• Retrieves attributes, mapping them to J2EE Roles
• Example Webapp (SecurityTest) Performs RBAC Authorization at Web Container Level

Contains ANT build that prompts user for values, + configures all

What You Need to Do: Extend an Included Class that Accesses Your Attribute Service.

Slide 14

Reusable Realm Code – Class Diagram

[Class diagram; callouts follow]

• The AFRealm class is configured in <TOMCAT_HOME>/server.xml. Properties:
  - crlCheckingEnabled
  - attributeServiceClassName
• This is simply example code -- a concrete implementation of AttributeServiceIF. Write your own code HERE to integrate with the attribute service of your choice! After you do, configure the *className* property of the Realm in server.xml
• CRL Properties configured in <TOMCAT_HOME>/conf/afRealm.properties

Slide 15

Skeleton Implementation of your AttributeService accessor class

    package mil.dod.af.security.tomcat;

    import java.util.*;
    import org.apache.log4j.Logger;

    /***************************************************************************
     * This class is an example instance. Your instance will actually call
     * an attribute service
     *
     * @author Kevin T. Smith
     * @date 2/28/09
     ***************************************************************************/
    public class ExampleAttributeServiceImpl extends AttributeServiceBase {

        private static final Logger log = Logger.getLogger("ExampleAttributeService.class");

        public ExampleAttributeServiceImpl()
        {
            //Here is where you would create a stub for the service
        }

        public ArrayList getRolesForUser(String dn)
        {
            ArrayList roles = new ArrayList();
            //Here is where you would call various methods on your attribute service to get attributes
            Hashtable hashtable = getAttributes(dn);
            Enumeration e = hashtable.keys();
            //Map each attribute name and its value to role names
            while( e.hasMoreElements() )
            {
                String attribute = (String)e.nextElement();
                super.addToRoles(roles, attribute, hashtable.get(attribute));
            }
            return (roles);
        }
    }

getRolesForUser() is the required method. In this method, query your attribute service for credentials.

The loop calls addToRoles() from the superclass AttributeServiceBase, which contains convenience methods to map attributes to roles.

Slide 16

Configurable Logging on Security Events -> AFSecurity.log

2009-05-12 11:20:57,059 INFO mil.dod.af.security.tomcat.CRLDownloader - ****** U ******
System ID = AF Portal (Security Realm)
User ID = <SYSTEM>
Workstation ID = 192.168.0.126, host = kevin-smiths-macbook-pro.local)
Message = SUCCESSFUL CRL DOWNLOAD: ldap://ldap.digsigtrust.com:389
Successful? = TRUE

May 12, 2009 11:20:58 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
May 12, 2009 11:20:58 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2795 ms

2009-05-12 11:21:12,055 INFO mil.dod.af.security.tomcat.CRLChecker - ****** U ******
System ID = AF Portal (Security Realm)
User ID = C=US,O=U.S. Government,OU=MMBI,OU=OPTIC,OU=People,CN=Franco Harris
Workstation ID = 192.168.0.126, host = kevin-smiths-macbook-pro.local)
Message = SUCCESSFUL CRL CHECK - AUTHENTICATED USER NOT REVOKED
Successful? = TRUE

2009-05-12 11:21:12,055 INFO AFRealm.class - ****** U ******
System ID = AF Portal (Security Realm)
User ID = C=US, O=U.S. Government, OU=MMBI, OU=OPTIC, OU=People, CN=Franco Harris
Workstation ID = 192.168.0.126, host = kevin-smiths-macbook-pro.local)
Message = SUCCESSFUL DIGITAL CERTIFICATE AUTHENTICATION
Successful? = TRUE

2009-05-12 11:21:12,058 INFO AFRealm.class - ****** U ******
System ID = AF Portal (Security Realm)
User ID = C=US, O=U.S. Government, OU=MMBI, OU=OPTIC, OU=People, CN=Franco Harris
Workstation ID = 192.168.0.126, host = kevin-smiths-macbook-pro.local)
Message = SUCCESSFUL CREDENTIAL RETRIEVAL. AUTHENTICATED USER's CREDENTIALS ARE:
[CITIZENSHIP.USA, COMPARTMENTS.DIZ, COMPARTMENTS.MONK, COMPARTMENTS.TRANE, COMPARTMENTS.MILES, COMPARTMENTS.BIRD, CLEARANCE.TS]
Successful? = TRUE

[Slide callouts: CRL Checking Audit Event, Authentication Audit Event, Attribute Credential Retrieval]

Slide 17

Further Exercise

Extend the Realm to use a Client Interceptor to:
• Propagate Identity & Attributes to Service Tier using WS-Security SAML Token Profile (requires no attribute service lookup by service; trust of user dependent on trust of the service client)
• Propagate Identity Only using various mechanisms (WS-Security Username Token Profile, etc.) – requires service to do Attribute Service Lookup, trust of propagated user dependent on trust of Client Interceptor

[Diagram label: Service]

Slide 18

Final Thoughts

Key Tips for Successful SOA Security Integration
• Decouple business logic & security logic into interceptors/security components (slide 6)
• Decouple security policy logic using dynamic policy design (slide 9)
• Label & filter your messages (slides 10 & 11)

Enjoy the Custom Realm Code: http://www.mantech.com/afrealm/register.aspx

More SOA Security Blueprints & Best Practices are available in the “SOA Security” chapter of: Applied SOA: Service Oriented Architecture and Design Strategies

Questions? Email Me – [email protected]