Welcome to:
Introduction to Security
Objectives
• Discuss what resources should be secured in an enterprise environment
• Discuss authentication and how it is supported in WebSphere Application Server
• Discuss authorization
• Discuss delegation options
• Discuss the role of certificates
• Discuss the implications of using SSL
• Discuss the concepts of principals and roles
Basic "No Security" End-to-End Model
[Diagram: Client (Internet) -> I-Router -> Router -> Web -> Apps -> Data]
Client: This is the customer. The client can be either a single user PC or a whole company. The devices will be specified when necessary.
I-Router: This is the router to the Internet. This is typically provided by an ISP (Internet Service Provider). This model, however, can apply to a corporate Intranet. This router separates the internal network from the outside network.
Web: This is the company's Web server. This provides the universal access to the company's business logic. This allows the browser access to the company's corporation. Above the Web server is the organization's router/access device.
Apps: This is the business logic. These applications have access to the databases. These "applications" provide the company business rules.
Data: This is the company's data. Ultimately this is the information the company wishes to share with the customer. This data can be centralized or distributed. For this example, the data is accessed through company business logic.
Basic Concepts
• Authentication
– Who are you?
• Authorization
– What are you allowed to do?
The Basic Steps
[Diagram: Client, Server and User Registry connected by steps numbered 1 to 5]
Authentication
• Authentication: Tell a server who you are, or simply log in
– Challenge Mechanism (how to obtain authentication data)
– Authentication Mechanism (LTPA, Native OS or Pluggable Registry)
– User Registry (associates Credentials with Principal)
[Diagram: the Challenge Mechanism challenges the user and collects Authentication Data (uid/pw, cert, token); the Authentication Mechanism checks the Authentication Data against the User Registry and returns Authenticated Credentials]
Authentication in WebSphere Application Server
Basic Authentication
[Diagram: Admin, Authentication DB, Web Browser and Web Server]
1. Register user (Admin -> Authentication DB): userid = peter, password = pumpkin
2. Tell user: userid = peter, password = pumpkin
3. Request Web Page (Web Browser -> Web Server)
4. 401 and server certificate (Web Server -> Web Browser)
5. userid = peter, password = pumpkin (Web Browser -> Web Server)
6. Check Password (Web Server -> Authentication DB)
• Password transmitted over SSL
• Man-in-the-middle attack (can be detected)
• Authentication stored at server
• Web Browser authenticates server certificate
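The Basic Authentication exchange above, as an added Python example (not code from the page or from WebSphere): a constructed Authentication DB that stores only salted hashes, the 401 challenge, and the password check. Function names, the realm and the PBKDF2 work factor are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor (assumption for this example)

def register_user(registry, userid, password):
    """Step 1, 'Register user': the Authentication DB stores only a salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    registry[userid] = (salt, digest)

def check_password(registry, userid, password):
    """Step 6, 'Check Password': recompute the hash and compare in constant time."""
    entry = registry.get(userid)
    if entry is None:
        return False          # unknown user gets the same answer as a wrong password
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def basic_header(userid, password):
    """Step 5, browser side: Basic credentials are only base64-encoded, not
    encrypted, which is why the slide requires the password to travel over SSL."""
    return "Basic " + base64.b64encode(f"{userid}:{password}".encode()).decode()

def challenge():
    """Step 4: an unauthenticated request is answered with 401 and a challenge."""
    return 401, {"WWW-Authenticate": 'Basic realm="WebSphere"'}

def handle_request(registry, headers):
    """Steps 3-6 on the Web Server: parse the Authorization header and decide."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return challenge()
    try:
        userid, sep, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return challenge()    # malformed credentials are treated as absent
    if sep and check_password(registry, userid, password):
        return 200, {"X-Authenticated-User": userid}
    return challenge()
```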
Certificate Authentication
[Diagram: Admin, Authentication DB, Web Browser and Web Server]
1. Request and receive server certificate (Web Server <-> Admin)
2. Request and receive certificate (Web Browser <-> Admin)
3. Request Web Page (Web Browser -> Web Server)
4. Server certificate and request for client certificate (Web Server -> Web Browser)
5. Send client certificate (Web Browser -> Web Server)
User Registry Support
User Registries Supported by WebSphere Application Server
Native OS:
– NT Domain, NT WorkGroup, Windows 2000
– AIX (etc/passwd)
– Solaris (etc/passwd)
– HP-UX
– Linux
– OS/400
LDAP:
– IBM SecureWay Directory
– Domino
– Windows 2000 Active Directory
– Netscape Enterprise Server
– Novell Directory Service
– Others (using custom config) not "supported"
Lightweight Third-Party Authentication (LTPA)
• IBM service that provides single sign-on and delegation.
• Authentication information is carried in LTPA tokens.
• For interoperability with other products, a single sign-on token that contains a user ID and password can be issued.
• LDAP directory service or custom registry required for the LTPA authentication mechanism
– Local Operating System user registry not supported
Lightweight Directory Access Protocol (LDAP)
[Diagram: LDAP directory tree]
"root"
  objectClass=country: c=US, c=UK
    objectClass=organization: o=IBM, o=CompanyA, o=CompanyB
      objectClass=person: cn=Joe Smith, mail=jsmith@[Link], telephoneNumber=555-555-5555
LTPA and LDAP
• Allows a user's identity to be passed around the distributed network
[Diagram: client, WebSphere Application Server, Security Server (Authentication Token Server) with Stored User Information, LDAP user registry, and two Enterprise JavaBeans Servers]
1. Request
2. Challenge User for Authentication
3. User Authenticates
4. Authenticate (authenticationData)
[Link] userid/password using LDAP user registry
6. Issue Authentication Token that contains the Stored User Information (Security Server)
7. Create authToken cookie; serve the request
8. Pass User Credentials (token) to EJS when invoking methods on EJBs
9. Pass token over Secure Association (Enterprise JavaBeans Server -> Enterprise JavaBeans Server)
Single Sign On (SSO)
• Works in conjunction with LTPA
• Issues cookies to Web browser to track user authentication information
• Provides for SSO within or even between WAS domains
• Required for practical use of custom login
[Diagram: Systems Management (Cookie Key Generation, Key Distribution, Key Export) -> LTPA Security Server; client <-> Web server (Security Plug-in) over HTTP or HTTPS; LTPA Server: Create Token, Validate Token; the TOKEN is carried in the cookie]
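A simplified token of the kind the LTPA and SSO slides describe, as an added Python illustration (not the real LTPA token format and not WebSphere code): the security server creates a token under a key that Systems Management has distributed, and any server holding that key validates it locally, so the token can be passed between servers without a round trip to the issuer. The key value, claim names and lifetime are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the key that Systems Management generates and
# distributes to every server in the domain (Key Generation / Key Distribution).
SHARED_KEY = b"constructed-shared-key-distributed-to-all-servers"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def create_token(userid, realm, lifetime_s, key=SHARED_KEY, now=None):
    """Security server side ('Create Token'): bind identity, realm and expiry
    under an HMAC so no server can alter or forge them without the key."""
    now = time.time() if now is None else now
    claims = {"uid": userid, "realm": realm, "exp": int(now + lifetime_s)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)

def validate_token(token, key=SHARED_KEY, now=None):
    """Any server holding the distributed key ('Validate Token'), for example the
    second EJB server in step 9. Returns the userid, or None when the token is
    malformed, forged, issued under another key, or expired."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None            # tampered, forged, or a different key domain
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None            # expired: the user must log in again
    return claims["uid"]
```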
Authorization
• Authorization involves granting trusted Principals permission to perform actions on resources (that is, Web Pages, Servlets, JSPs and EJBs).
• Control access to resources.
– Security Lookup (by server)
• Determine security privileges for principal.
• Information stored in registry.
– Rule Enforcement (by server)
• Obtain rules from registry.
• Given privileges and rules, determine access.
[Diagram: the client sends "userX, opY" to the server; the server asks the User Registry "userX??" and, using the Rules, decides "opY???"]
Authorization in WebSphere Application Server
Delegation
[Diagram: client (id = client) -> server 1 -> server 2 (id = X)]
X can run as:
Option 1. Client
Option 2. Server 1
Option 3. "Specified identity"
Secure Sockets Layer (SSL)
What is SSL?
• Provides connection security through:
– Communication privacy - the data on the connection can be encrypted.
– Communication integrity - the protocol includes a built-in integrity check.
– Authentication - the server can authenticate to the client through the passing of a digital certificate.
Secure Sockets Layer (SSL)
[Diagram: Web Browser <-> Internet <-> Web Server; HTTP on port 80, HTTPS (encrypted) on port 443]
[Diagram: protocol stack - Application Layer: HTTP; Secure Sockets Layer; Network Layer: TCP/IP]
• SSL runs above TCP/IP and below high-level application protocols.
Certificates and Certificate Authority (CA)
[Diagram: Client C trusts Server A based on its certificate; Server A and Server B have mutual trust based on certificates; the Certificate Authority issues the Server A Certificate and the Server B Certificate]
• Verifies identities of Object A and Object B
• Issues a certificate vouching for Object A and Object B
Principals and Roles
• Principals
– Things that can be authenticated: users, servers, and so forth.
– Example: managers, server1, and so forth.
• Roles
– An abstraction that represents the ability to do something. Just string names.
– Example: Manager role
• Role Mapping
– The act of defining the registry entities (users and groups) in the run-time environment corresponding to those roles.
– Example: Mapping the Manager role to the user ID manager.
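An added Python illustration (not WebSphere code) that ties together the Authorization, Delegation and Principals and Roles slides: a constructed user registry, a role mapping that maps the Manager role to the user ID manager, rules per protected method, and the three run-as options for the identity that server 1 presents to server 2. All user, group, role and method names are assumptions.

```python
# Constructed user registry: userid -> groups (the "Information stored in registry").
REGISTRY = {
    "manager": {"managers"},
    "peter": {"staff"},
    "server1": set(),
}

# Role Mapping: a role is just a string name, mapped to registry users and groups.
ROLE_MAPPING = {
    "Manager": {"users": {"manager"}, "groups": {"managers"}},
    "Employee": {"users": set(), "groups": {"staff", "managers"}},
}

# Rules obtained from the registry: protected EJB method -> roles allowed to call it.
RULES = {
    "Payroll.approve": {"Manager"},
    "Payroll.view": {"Manager", "Employee"},
}

def security_lookup(principal):
    """Security Lookup (by server): the roles a principal holds through role mapping."""
    groups = REGISTRY.get(principal)
    if groups is None:
        return set()                      # unknown principal holds no roles
    return {role for role, m in ROLE_MAPPING.items()
            if principal in m["users"] or groups & m["groups"]}

def decide(principal, op):
    """Rule Enforcement (by server): given privileges and rules, determine access.
    An operation with no rule is denied (fail closed)."""
    return bool(security_lookup(principal) & RULES.get(op, set()))

def run_as_identity(mode, client_id, server_id, specified=None):
    """Delegation: the identity server 1 runs as when it calls server 2."""
    if mode == "CLIENT":                  # Option 1: the client's own identity
        return client_id
    if mode == "SERVER":                  # Option 2: server 1's identity
        return server_id
    if mode == "SPECIFIED" and specified is not None:   # Option 3
        return specified
    raise ValueError("unknown run-as mode or missing specified identity")

def call_chain(mode, client_id, op, specified=None):
    """client -> server 1 -> server 2: server 2 authorizes whichever identity arrives."""
    delegated = run_as_identity(mode, client_id, "server1", specified)
    return delegated, decide(delegated, op)
```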
Unit Summary
• Authentication
– Basic
– Certificate based
• Authentication mechanisms in WebSphere Application Server
– Simple WebSphere Authentication mechanism
– LTPA
• User Registries
– Local OS
– LDAP
– Custom Pluggable Registry
• Authorization
• Delegation options:
– RunAsMode
– RunAsIdentity
• Certificates and certificate authorities
• SSL
• Principals and roles