
July/2011

Developing Applications With Declarative Security


Java User Group Presentation, Los Angeles and Phoenix
Ganesh Kirti, Sr. Director, Platform Security, Fusion Middleware

This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

Agenda
- Declarative Security
- Real World Financials Application
- Implementation/Demo
- Benefits of Declarative Security
- Q&A
- References

Declarative Security Today


The declarative security approach is a proven security model:
- It keeps business logic separated from security decision logic
- Security role policies (mappings) are externalized in deployment descriptors (DDs) or policy files

Available Java standards:
- J2EE container security
- Java 2 security

Very easy-to-use APIs exist for applications:
- isUserInRole
- getCallerPrincipal
- checkPermission

Declarative Security Today


What is the limitation?
Current standards are proven, but are very limited:
- Too coarse grained to support business rules
- Access control enforcement stops at the application perimeter
- No contextual support for making access control decisions
- Securing data access within the application requires a custom implementation
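The servlet below, an added example and not code from the presentation, shows exactly where the standard APIs stop. The "trader" role check is declared on the servlet and enforced by the container; the trade-size rule from the example table on the next slide has nowhere to go but application code. It assumes a Servlet 3.0 container with the role "trader" mapped to a group in the container's realm; the /trade path, the "amount" parameter and the limit are illustrative.

```java
import java.io.IOException;
import java.math.BigDecimal;
import java.security.Principal;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: J2EE container security on a trade endpoint (hypothetical path and names).
 * The role constraint is declarative; the business rule below is not, which is the
 * limitation the slide describes.
 */
@WebServlet("/trade")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"trader"}))   // perimeter check done by the container
public class TradeServlet extends HttpServlet {

    // Business rule from the example table ("Restrict Trade Sizes to < $100K"). No standard
    // deployment descriptor can express it, so it is hard-coded here and changes need a redeploy.
    private static final BigDecimal MAX_TRADE_USD = new BigDecimal("100000");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Servlet equivalents of the EJB getCallerPrincipal / isCallerInRole APIs.
        Principal caller = req.getUserPrincipal();
        if (caller == null || !req.isUserInRole("trader")) {
            // Unreachable when the @HttpConstraint is honoured; kept as defence in depth.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        BigDecimal size = parseAmount(req.getParameter("amount"));
        if (size == null || size.signum() <= 0 || size.compareTo(MAX_TRADE_USD) >= 0) {
            // The container had no say in this decision: the declarative model carries no
            // context (network, daily limit, geography), only "is the caller in a role".
            getServletContext().log("DENY trade for " + caller.getName() + ": size " + size);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "trade size not permitted");
            return;
        }

        getServletContext().log("GRANT trade for " + caller.getName() + ": size " + size);
        // ... place the order ...
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Parses a decimal amount; returns null on missing or malformed input rather than throwing. */
    static BigDecimal parseAmount(String raw) {
        if (raw == null) {
            return null;
        }
        try {
            return new BigDecimal(raw.trim());
        } catch (NumberFormatException e) {
            return null;
        }
    }
}
```

With @ServletSecurity no security-constraint element is needed in web.xml, but the container still needs "trader" mapped to a real group (for example in weblogic.xml or the realm configuration). Moving the limit out of the code and into an externally administered policy is what the rest of the presentation is about.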

Let's review a real-world application example (next slide)

Declarative Security
Real World Application Examples

User: Jane West
  Roles: Account Owners, Traders
  Privileges: Equity Trades (By Geography, By Trade limit); Accounts Transfers; Credit
  Resource: Savings Account; Municipal Equity Fund
  Context: Restrict access from an un-trusted network; Restrict trade sizes to < $100K; Daily trading limit of $5M

User: Ellen Stewart
  Roles: Equity Analyst
  Privileges: Equity Research (By Vertical industry, By Line of Business)
  Resource: Oil & Gas; Semiconductors
  Context: Unauthorized for trading; Authorized for review of Energy companies listed on NYSE; Authorized for access to research reports

User: Steve Jackson
  Roles: Fund Manager
  Privileges: Equity Trades; Rebalance Funds
  Resource: Mortgage Equity Fund; Municipal Equity Fund
  Context: Authorized for 24x7 trading; Rebalancing of Small-Cap Funds; Daily trading limit of $1B

Declarative Security
Real World Examples (contd.)
These examples need the following sample declarative APIs:
- isAccessAllowed(subject, ApplicationContext, UserSessionClaims)
- getAllowedMenuItems(subject)
- get(dataSecurityFilter)   // data security

Due to the lack of standards, application developers are forced to build custom security logic, causing the following issues:
- Security breaches (lots of them are happening nowadays ;-))
- Hard-coding of security policy in the application
- Security requirements change; hence maintenance overhead
- Not compliant with corporate policies; hence may not be ready for private and public cloud deployments

APPROACH TO DESIGNING APPLICATION SECURITY



Approach to Designing Application Security


Continue to use the declarative security pattern, i.e. externalize the security decision process

- Security must be built into your application
- Rely on existing security standards (JAAS, J2EE, RBAC, ABAC, XACML) for designing the security model
- Rely on security frameworks and tooling that provide:
  - APIs and tools to secure application resources declaratively
  - Support for interoperability with identity management systems
  - APIs and tools for managing application security life-cycle events (design, deployment, and administration of security data)

Next - let's walk through an implementation of a real-world Financials application built using this approach

Real World Financials Application


High-level requirements
- Application with users: account owners, stock brokers, and administrators
- Multiple security roles: brokers, bronze/gold users, administrators
- Context-aware security to meet business rules
- Meet corporate security compliance requirements (audit, central administration, and governance)
- Standards compliant (JAAS, J2EE security, ABAC, RBAC, OpenAZ/PEP, OPSS)
- Scalability and performance

Application Security Architecture


[Architecture diagram, reconstructed from the slide]

Financials Application (menu UIs, Account Services, Trading Services, Data Access, ...)
  --> Users send requests to the application
  --> The application performs an access check* and forwards the decision request to the PDP**
  <-- The PDP returns Grant or Deny

PDP**: policy cache, policy evaluation, role hierarchy, data security filters
  - Identity Store: user identities
  - Policy Store: roles and entitlements

Policy Admin Server: used by administrators and business application owners to manage the Policy Store

* The application enforces the access check using APIs; the security decision process is externalized to the PDP.
** The PDP (Policy Decision Point) can be configured in embedded or out-of-process centralized modes.

Design/Implementation Concepts
Securable Resources
- A securable resource is a UI item (menu, region etc.), web service, portlet, or data filter
- Developers define resources during application design time

Entitlements
- Administration-usable concept: a collection of resources managed as a single unit

Application Role
- Bundle of privileges, role hierarchies, role catalog, mapped to users/groups
- Developers and administrators can define application roles

Policy
- An access control declarative policy that binds together resource(s), role(s), and entitlements
- A policy can be made powerful and dynamic by including conditions/rules and obligations
- Administrators define and manage policies
- The application is unaware of the details of the policy, but enforces it at runtime

Scenario 1: Default view upon logon

Bronze user (jane.west) can log in and see only allowed resources (account, transfers, customer service); not allowed to access investments, transfers.
Administrator configures the declarative security policy: BronzeAccountsNavEntitlement, GoldAccountsNavEntitlement

The following sample code implements a subset of this use case:

    String resName = "AzUnionBank/UINavigationResource/AccountsNavItem";

    // authorization runtime
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
    ctx.login();
    Subject ident = ctx.getSubject();
    String rtAction = "view";
    Map<String, String> appContext = new HashMap<String, String>();
    appContext.put("myAttr", "Hello");   // application context attribute passed to the PDP
    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
            .newPepRequest(ident, rtAction, resName, appContext).decide();
    if (response.allowed()) {
        System.out.println("GRANT");
        // Do whatever ...
    } else {
        System.out.println("DENY");
    }

Scenario 2: Deny access to accounts from an untrusted network

Jane logs in from an un-trusted network; access to some resources will be blocked.
Administrator configures the declarative security policy: CredScoreWidgetDenyEntitlements, DenyAccountInfoEntitlement, DenyBalanceSummaryWidgetEntitlement

The following code implements this use case:

    String resName = "AzUnionBank/UIWidget/CreditScoreWidget";

    // authorization runtime
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
    ctx.login();
    Subject ident = ctx.getSubject();
    String rtAction = "view";
    Map<String, String> appContext = new HashMap<String, String>();
    appContext.put("FromInternet", "true");   // environment attribute the policy conditions on
    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
            .newPepRequest(ident, rtAction, resName, appContext).decide();
    if (response.allowed()) {
        System.out.println("GRANT");
        // Do whatever ...
    } else {
        System.out.println("DENY");
    }

Scenario 3: Data security using an obligation

Bronze customer can only see two years of transactions; Gold customer can see five years of data.
Administrator configures the declarative security policy: BronzeAccountTransactionsEntitlementPolicy, GoldAccountTransactionsEntitlementPolicy

The following code implements this use case:

    String resName = "AzUnionBank/DataSetResType/AccountTxns";

    // authorization runtime
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
    ctx.login();
    Subject ident = ctx.getSubject();
    String rtAction = "view";
    Map<String, String> appContext = new HashMap<String, String>();
    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
            .newPepRequest(ident, rtAction, resName, appContext).decide();
    if (response.allowed()) {
        Map<String, Obligation> obligations = response.getObligations();
        if (obligations != null) {
            for (String name : obligations.keySet()) {
                System.out.print("obligation: name = " + name
                        + ", values = " + obligations.get(name).getStringValues());
            }
            // Get the WHERE clause returned as the obligation and add it to the select query.
            // The clause comes from the policy store; never concatenate user input into it.
            ....
        }
    } else {
        System.out.println("DENY");
    }
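The three scenarios above share one pattern: authenticate, ask the PDP, and act on the decision plus its obligations. The class below, an added example rather than code from the presentation or from the OpenAZ project, puts that pattern behind a single choke point and adds the checks a production PEP needs: a failed or missing decision is a DENY, the FromInternet attribute is derived from the socket peer rather than from a client-supplied header, and the scenario 3 retention window is bound as a JDBC parameter instead of splicing a returned WHERE clause into SQL. It uses only the OpenAZ calls the scenarios show (newPepRequest(...).decide(), allowed(), getObligations(), getStringValues()); the import package names, the assumption that getStringValues() returns a Map of attribute names to values, the historyYears obligation attribute, the table and column names, and the internal-network test are all assumptions.

```java
import java.net.InetAddress;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.Subject;
// OpenAZ PEP types as used in the scenarios; package names assumed from the OpenAZ source tree.
import org.openliberty.openaz.azapi.pep.Obligation;
import org.openliberty.openaz.azapi.pep.PepResponse;
import org.openliberty.openaz.pep.PepRequestFactoryImpl;

/** Added example: one enforcement point for the Financials application. Not OpenAZ or OPSS code. */
public final class EntitlementGuard {
    private static final String APP_PREFIX = "AzUnionBank/";
    private static final String VIEW = "view";
    // Hypothetical obligation attribute: the policy returns how many years of history to expose.
    private static final String HISTORY_YEARS = "historyYears";

    private final Subject subject;   // from LoginContext.getSubject() after ctx.login()

    public EntitlementGuard(Subject authenticatedSubject) {
        this.subject = authenticatedSubject;
    }

    /** Scenarios 1 and 2: ask the PDP; anything short of an explicit permit is a DENY. */
    public boolean allowed(String action, String resource, Map<String, String> appContext) {
        try {
            PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
                    .newPepRequest(subject, action, APP_PREFIX + resource, appContext).decide();
            return response != null && response.allowed();
        } catch (Exception e) {      // PDP down, policy store unreachable, malformed response ...
            // Fail closed: record it for the audit trail, but never let an outage become a GRANT.
            return false;
        }
    }

    /** Scenario 2 context. Uses the socket peer, not X-Forwarded-For, which any client can set
     *  unless a trusted reverse proxy overwrites it. Internal = RFC 1918 or loopback (assumption). */
    public static Map<String, String> networkContext(InetAddress peer) {
        Map<String, String> appContext = new HashMap<>();
        boolean internal = peer.isSiteLocalAddress() || peer.isLoopbackAddress();
        appContext.put("FromInternet", Boolean.toString(!internal));
        return appContext;
    }

    /** Scenario 3: the permitted history window carried as an obligation. Empty means DENY,
     *  including the case where the PDP permits but returns no usable obligation. */
    public Optional<Integer> transactionHistoryYears(Map<String, String> appContext) {
        try {
            PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
                    .newPepRequest(subject, VIEW, APP_PREFIX + "DataSetResType/AccountTxns", appContext)
                    .decide();
            if (response == null || !response.allowed()) {
                return Optional.empty();
            }
            Map<String, Obligation> obligations = response.getObligations();
            if (obligations == null) {
                return Optional.empty();
            }
            for (Obligation obligation : obligations.values()) {
                Map<String, String> values = obligation.getStringValues();
                if (values != null && values.containsKey(HISTORY_YEARS)) {
                    int years = Integer.parseInt(values.get(HISTORY_YEARS));
                    return years > 0 ? Optional.of(years) : Optional.empty();
                }
            }
            return Optional.empty();
        } catch (Exception e) {      // includes NumberFormatException from a malformed obligation
            return Optional.empty();
        }
    }

    /** Applies the window as a bound parameter. The obligation value never reaches the SQL text,
     *  so a policy mistake cannot change the query shape or inject SQL into the application. */
    public static PreparedStatement transactionsQuery(Connection db, String accountId, int years)
            throws SQLException {
        PreparedStatement query = db.prepareStatement(
                "SELECT txn_id, txn_date, amount FROM account_txns "
              + "WHERE account_id = ? AND txn_date >= ? ORDER BY txn_date DESC");
        query.setString(1, accountId);
        Timestamp since = Timestamp.from(
                ZonedDateTime.now(ZoneOffset.UTC).minusYears(years).toInstant());
        query.setTimestamp(2, since);
        return query;
    }
}
```

Typical call order: after ctx.login(), construct new EntitlementGuard(ctx.getSubject()); call allowed("view", "UINavigationResource/AccountsNavItem", new HashMap<String, String>()) for scenario 1, allowed("view", "UIWidget/CreditScoreWidget", networkContext(peer)) for scenario 2, and feed the result of transactionHistoryYears(...) into transactionsQuery(...) for scenario 3. If your policy really returns a raw WHERE clause, as the scenario 3 slide describes, treat it as code from the policy store and review it with the same care as application SQL; a bounded value such as a year count is the safer obligation to design for.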


Financials Application Implementation Summary


- All securable resources are declaratively secured in an external central policy store
- Administrators secure resources using declarative policies and rules
- Simple pass-through OpenAZ APIs enforce the security within the application; decisions are externalized
  - Oracle proposed standard APIs, OpenAZ, which provide XACML Java binding APIs
- All run-time access to resources is audited by the PDP implicitly
- Administrators have full visibility into the application access policies and runtime activity

Benefits to Application Developers


- Well-proven design pattern
- Developers rely on frameworks and tools to secure resources; hence security development cost is reduced
- Developers can focus on business logic
- Security logic is externalized and managed by administrators
- Application ready for cloud deployments, as the application meets CSA and audit requirements
- Interoperates with identity management systems
- Developers not responsible for security breaches

Benefits to CSOs and IT Managers


- Administrators have full visibility into application security policies from a central dashboard
- Full control of who is allowed access to what resources within an application
- Make security policy changes as business rules change and make them effective immediately in the application runtime
- Application can integrate with already existing identity management services
- Can centrally manage the security controls of 1000s of applications
- Can see a full audit of the runtime system
- Satisfaction that application security is in good hands; hence, job security

Learn More


Register for Related Events

- Webcast: Introducing Oracle Entitlements Server, http://bit.ly/oes11g-webcast, July 14 10a PT
- Webcast: Declarative Security for Mobile Apps, http://bit.ly/mnKoX7, Aug 25 9a PT
- Webcast: Declarative Security for Mobile Apps, http://bit.ly/is3XAQ, Sep 7 9a PT

Useful Resources
- Download Financials Application
- Oracle Entitlements Server: whitepapers, product downloads, Javadocs
- Oracle Platform Security Services: Fusion Middleware and Fusion Applications Security Framework; samples, presentations
- Identity Management Resource Library

Questions

You may contact me at: ganesh.kirti@oracle.com


Java Security Standards


Java Security Standards Initiatives


- OpenAz
- Java Identity API (JSR proposal)
- CARML/ArisID
- SAML Session Token (WAM token)

OpenAz Goals
Provide a consistent model for applications and middleware to invoke access control
- Based upon the PEP definition given in the XACML specification
- Encourage creation of other language/framework bindings

Reference implementation for the Java AzApi interface
- Java interface based on the XACML request-response model

Explain how the AzApi interface can be mated with third-party policy engines
- Existing policy engines can implement this interface
- Supports efficient processing, as providers can implement caching and other proprietary magic
- Details of local vs. remote processing are hidden by the interface

PEP API: Java Construct Layer


Responds to the concern that AzApi requires some knowledge of XACML specifics
- Data types, attribute categories and names

Java packages or frameworks may request authorization decisions using native objects
- E.g., Decide(user object, resource object, action object)
- Mapping of these native representations into lower-level AzApi forms is modeled separately

Externalized Attribute-based Access Control


[ABAC diagram, reconstructed from the slide]

Rules combine:
- Groups and roles (manager, customer, ...)
- User attributes (zip code, citizenship, ...)
- Resource attributes (creator, classification, ...)
- Environment attributes (authN strength, ...)

PEPs in the Application, Middleware, Service and Gateway tiers call a central Policy Engine (PDP); policies are authored at the PAP.

PEP - Policy Enforcement Point; PAP - Policy Administration Point; PDP - Policy Decision Point

Available OpenAz Components

Definition of the Java AzApi interface
- Includes the PEP API layer
- Submitted to the XACML TC for standardization
- Joint work with Cisco and others (RSA)

Implementation of AzApi with the SUN XACML library
- Available for use today

XACML policy-creation tool
- Simplifies creation of XACML policy

Download information

Complete project (AzApi interface, reference implementation, Policy Tool, Javadoc):
  http://openaz.svn.sourceforge.net/viewvc/openaz/ (download the GNU tarball)

Javadoc only:
  http://openaz.svn.sourceforge.net/viewvc/openaz/azapi/doc/

Apache 2.0 license. Join the project!
  http://www.openliberty.org/wiki/index.php/Main_Page#OpenAz
  Mailing list and bi-weekly conference call

Java Identity API

Ongoing work to create a Java standard (JSR) within the JCP
- www.jcp.org
- Please join us to take the work forward!

Diverse sources of identity data impose new requirements for identity data:
- Goes beyond the model based on a single IT directory
- Driven by new identity models: identity federation, Facebook, virtual directory
- Concerns about user consent, privacy and accountability

Java Identity API - Enhance Java to include

- Characteristic representation for identity attributes and meta-data such as issuer, TTL, UseConstraints
- Uniform representation independent of source
- Programming model for applications to interact with and provide attributes (with meta-data)
- Programming model for applications to provide fine-grained context in access control
- Integration of enhancements with the existing Java security model

CARML/ArisID
Declarative approach to obtaining identity attributes in applications
- Improves on lower-level approaches based on LDAP or JNDI
- Includes support for privacy assertions

Based upon use of CARML (Client Attributes Markup Language)
- A manifest describes the identity needs of an application or group of applications
- Tools and services can use the manifest to provide attributes to the application

Part of a broader standard called Identity Governance Framework
  http://www.projectliberty.org/strategic_initiatives/identity_governance/?f=strategic_initiatives/identity_governance

ArisID open source project


Open source implementation of CARML
- ArisID is a Java API suitable for Java application developers
- Complete open source stack now available
- Apache 2.0 license: http://www.openliberty.org/wiki/index.php/ProjectAris

Available in Oracle Virtual Directory 11g and also used in Oracle Fusion Middleware

Session Token Overview

Standardized scheme for managing web server security session state
- First within Oracle products, then externally
- Lower costs/improve security for Oracle products
- Demonstrate industry leadership
- Foundation for interop with other vendors

Benefits
- Provides a standard for session management
- More efficient; enables features like idle timeout

Project Summary

- Define a common WAM SSO token format and interface
- Implement a "pre-standard" across the AM suite
- Work with the community to standardize the token
- Converge to the final standard
- Design based on existing product requirements

Status
- Token library implemented in Oracle Access Manager 11g
- OASIS SAML Session Token Profile awaiting final public review before reaching Committee Specification status
- Latest OASIS draft: http://www.oasis-open.org/committees/download.php/41975/saml-session-tokenv1.0-wd07.pdf

Appendix: Proven Practices, Solutions, and Tools


Proven Practice: Oracle Platform Security Services (OPSS)


[OPSS layering diagram, reconstructed from the slide]

Consumers: Java applications, SOAP/REST applications, cloud applications

Oracle Platform Security Services: AuthN, AuthZ, Creds & Keys, Audit, ID Profile, Trust, IdM Integration, XML Security, Crypto, SSL

Security Service Providers: SSO/Tokens, Entitlements Server, LDAP & Virtualization, Identity Provisioning

Identity, Policy, Credential Store Providers: LDAP, Database, File

Oracle Confidential
Copyright 2010, Oracle. All rights reserved

Key Design Patterns Supported in OPSS


- Externalize identities
- Rely on a central audit framework
- Audit system identities usage and runtime access of resources
- Externalize user and role provisioning
- Standardize on identity propagation across SOA, REST, J2EE services
- Follow compliant encryption for credentials/keys
- Externalize token processing and creation
- Rely on web services security/token interceptors
- Follow standard LDAP and SSO integration frameworks across your applications

Benefits of OPSS
Suite of security services - application enablement with a rich, secure, and compliant security platform
- Provides an abstraction layer to identity systems
- Rich set of APIs for the most common design patterns
- Works in conjunction with Java 2, J2EE, SOA, HTTP, JCE security standards
- Interoperates with identity management systems

Reduce costs & rapidly respond to business demands
- Declarative security increases developer productivity by 50%
- The entire Fusion Middleware and Fusion Applications product line builds on top of OPSS

Oracle Entitlements Server (OES)


[Diagram, reconstructed from the slide]

Without OES: each application carries its own policy
- Hard-coded security policies
- Brittle policy management
- Application policy silos

With OES: applications share one entitlements server
- Externalized entitlements
- Agile business policies
- Centralized policy management

Native & Custom Integrations with OES


- Portals and Content Management
- Identity Management
- App Servers & Dev Frameworks
- XML Gateways
- Middleware
- Data Sources

Benefits of OES to Developers and Administrators


- An adaptable security service infrastructure that more closely models your business
- Respond faster to changing corporate, regulatory, market requirements
- Reduce time-to-market
- Manage security from a single place
- Provides finer control over the protection of all resources
- Separates security decisions from application logic
- Offers robust auditing of events
- Centralizes security policy management
- Enables reuse and sharing of security services
- Frees developers up to focus on value-added business logic
- Integrates easily with identity and access management

Themes: Better Business Agility; Enhanced Security and Compliance; Increased IT Efficiency

