This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
Agenda

- Declarative Security
- Real World Financials Application
- Implementation/Demo
- Benefits of Declarative Security
- Q&A
- References
Declarative Security

Real World Application Examples

The slide lists, per user, the role, the privileges, the resources and the runtime context that the access policy has to capture.

Users and roles:
- Jane West
- Ellen Stewart, Equity Analyst
- Steve Jackson, Fund Manager

Privileges:
- Equity Trades: by geography, by trade limit
- Accounts: transfers, credit
- Equity Research: by vertical industry, by line of business

Resources:
- Savings Account
- Municipal Equity Fund

Context (conditions attached to the access):
- Jane West: restrict access from an untrusted network; restrict trade sizes to < $100K; daily trading limit of $5M
- Ellen Stewart: unauthorized for trading; authorized for review of Energy companies listed on NYSE; authorized for access to research reports
- Steve Jackson: authorized for 24x7 trading and rebalancing of Small-Cap Funds; daily trading limit of $1B
Declarative Security

Real World Examples (contd.)

These examples need the following sample declarative APIs (pseudocode):

    isAccessAllowed(subject, ApplicationContext, UserSessionClaims)
    getAllowedMenuItems(subject)
    get(dataSecurityFilter)    // data security

Due to a lack of standards, application developers are forced to build custom security logic, which causes the following issues:
- Security breaches (many of them happening nowadays)
- Hard coding of the security policy in the application
- Security requirements change, hence maintenance overhead
- Not compliant with corporate policies, hence possibly not ready for private and public cloud deployment

Security must be built into your application:
- Rely on existing security standards (JAAS, J2EE, RBAC, ABAC, XACML) for designing the security model
- Rely on security frameworks and tooling that provide:
  - APIs and tools to secure application resources declaratively
  - Support for interoperability with identity management systems
  - APIs and tools for managing application security life-cycle events (design, deployment, and administration of security data)

Next: let's walk through an implementation of a real-world Financials application built using this approach.
Architecture (diagram): Users call the application services (Account Services, Trading Services, Data Access, ...); each service performs an Access Check* against the PDP**, which answers Grant or Deny.

* The application enforces the access check using APIs; the security decision process is externalized to the PDP.
** The PDP (Policy Decision Point) can be configured in embedded or out-of-process centralized modes.
Design/Implementation Concepts

Securable Resources: UI items (menu, region, etc.), web services, portlets, data filters. Developers define resources at application design time.

Entitlements: an administration-usable concept; a collection of resources managed as a single unit.

Application Role: a bundle of privileges, role hierarchies and a role catalog, mapped to users/groups. Both developers and administrators can define application roles.

Policy: a declarative access control policy that binds together resources, roles and entitlements. A policy can be made powerful and dynamic by including conditions/rules and obligations. Administrators define and manage policies. The application is unaware of the details of the policy but enforces it at runtime.
GoldAccountTransactionsEntitlementPolicy

The following code implements this use case. The PDP's obligation carries the WHERE clause (a data-security filter) that the application appends to its SELECT query:

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
// OES PEP API (OpenAz AzApi binding); check the package names against the OES Javadoc on your classpath
import oracle.security.jps.openaz.pep.PepRequestFactoryImpl;
import org.openliberty.openaz.azapi.pep.Obligation;
import org.openliberty.openaz.azapi.pep.PepResponse;

// Resource protected by GoldAccountTransactionsEntitlementPolicy
String resName = "AzUnionBank/DataSetResType/AccountTxns";

// Authorization runtime: authenticate first so the Subject carries the caller's principals.
// loginService is the OPSS LoginService; cbh is the CallbackHandler that supplies the credentials.
LoginContext ctx = loginService.getLoginContext(new Subject(), cbh);
ctx.login();
Subject ident = ctx.getSubject();

String rtAction = "view";                                        // action requested on the resource
Map<String, String> appContext = new HashMap<String, String>();  // runtime attributes used by policy conditions

PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
        .newPepRequest(ident, rtAction, resName, appContext)
        .decide();

if (response.isAllowed()) {
    Map<String, Obligation> obligations = response.getObligations();
    if (obligations != null) {
        for (String name : obligations.keySet()) {
            System.out.print("obligation: name = " + name
                    + ", values = " + obligations.get(name).getStringValues());
        }
        // Get the WHERE clause that is returned as the obligation and add it to the SELECT query
        ....
    }
} else {
    System.out.println("DENY");
}
```
All run-time access to resources is audited by the PDP implicitly, so administrators have full visibility into the application's access policies and its runtime activity.
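As an added illustration of the PEP/PDP flow behind the Java snippet and of the implicit audit trail described above (this is example code written for this page, not code from the deck or from Oracle Entitlements Server), the following Python models a minimal embedded PDP: the PEP passes (subject, action, resource, context), the PDP evaluates declarative policies whose conditions mirror the bank scenario from the earlier slide (trusted network only, trade size under $100K, $5M and $1B daily limits), returns an obligation carrying a WHERE clause for the data query, and records every decision. Policy names other than GoldAccountTransactionsEntitlementPolicy, the EquityTrades and Reports resource strings, the role names, the users' role assignments and the WHERE-clause text are assumptions.

```python
"""Minimal externalized-authorization model: a PEP asks an embedded PDP for a decision.

Added example for this page, not Oracle Entitlements Server code.  Policy names other
than GoldAccountTransactionsEntitlementPolicy, the EquityTrades/Reports resource strings,
role names, role assignments and the WHERE-clause text are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

ACCOUNT_TXNS = "AzUnionBank/DataSetResType/AccountTxns"    # resource string from the deck
EQUITY_TRADES = "AzUnionBank/TradingResType/EquityTrades"  # assumed resource string


@dataclass
class Policy:
    """Declarative rule: which roles may perform which actions on a resource,
    under which runtime condition, and which obligations the PEP must honour."""
    name: str
    resource: str
    actions: Set[str]
    roles: Set[str]
    condition: Callable[[dict], bool] = lambda ctx: True
    obligations: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    policy: Optional[str]          # name of the granting policy, None on deny
    obligations: Dict[str, str]


class PolicyDecisionPoint:
    """Embedded PDP: default-deny, first matching policy wins, every decision audited."""

    def __init__(self, policies: List[Policy], role_map: Dict[str, Set[str]]):
        self.policies = policies
        self.role_map = role_map      # subject -> application roles (the role catalog)
        self.audit: List[dict] = []   # the implicit audit trail the slide refers to

    def decide(self, subject: str, action: str, resource: str, ctx: dict) -> Decision:
        roles = self.role_map.get(subject, set())
        decision = Decision(False, None, {})
        for p in self.policies:
            if p.resource != resource or action not in p.actions or not (roles & p.roles):
                continue
            if p.condition(ctx):      # context rule lives in the policy, not in the application
                decision = Decision(True, p.name, dict(p.obligations))
                break
        self.audit.append({"subject": subject, "action": action, "resource": resource,
                           "context": dict(ctx), "allowed": decision.allowed,
                           "policy": decision.policy})
        return decision


def trader_limits(ctx: dict) -> bool:
    """Context rules from the deck: trusted network, trade < $100K, $5M per day."""
    return (ctx.get("network") == "trusted"
            and ctx["tradeSize"] < 100_000
            and ctx["dailyTraded"] + ctx["tradeSize"] <= 5_000_000)


POLICIES = [
    Policy("GoldAccountTransactionsEntitlementPolicy", ACCOUNT_TXNS, {"view"},
           {"GoldAccountHolder"},
           # obligation: a data-security filter the PEP appends to its query (assumed text)
           obligations={"whereClause": "account_tier = 'GOLD' AND owner = :subject"}),
    Policy("TraderEquityTradesPolicy", EQUITY_TRADES, {"execute"}, {"Trader"}, trader_limits),
    Policy("FundManagerTradingPolicy", EQUITY_TRADES, {"execute"}, {"FundManager"},
           lambda ctx: ctx["dailyTraded"] + ctx["tradeSize"] <= 1_000_000_000),  # 24x7, $1B/day
    Policy("AnalystResearchPolicy", "AzUnionBank/ResearchResType/Reports", {"view"},
           {"EquityAnalyst"}),
]

ROLES = {                                   # role assignments are assumed
    "jane.west": {"Trader"},
    "ellen.stewart": {"EquityAnalyst"},     # no trading role, so trades are denied
    "steve.jackson": {"FundManager"},
    "gold.customer": {"GoldAccountHolder"},
}

UNDERSTOOD_OBLIGATIONS = {"whereClause"}


def account_transactions_query(pdp: PolicyDecisionPoint, subject: str) -> Optional[str]:
    """PEP side of the deck's Java snippet.  Returns the SQL to run, or None on deny.
    An obligation the PEP cannot honour turns the grant into a deny, as XACML requires."""
    d = pdp.decide(subject, "view", ACCOUNT_TXNS, {})
    if not d.allowed or not set(d.obligations) <= UNDERSTOOD_OBLIGATIONS:
        return None
    sql = "SELECT txn_id, amount FROM account_txns"
    where = d.obligations.get("whereClause")   # PDP output, not user input; :subject is a bind variable
    return f"{sql} WHERE {where}" if where else sql


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(POLICIES, ROLES)
    print(account_transactions_query(pdp, "gold.customer"))
    print(pdp.decide("jane.west", "execute", EQUITY_TRADES,
                     {"network": "untrusted", "tradeSize": 1_000, "dailyTraded": 0}))
    for entry in pdp.audit:
        print("audit:", entry)
```

The point to take from the model is the split of responsibilities: the application only supplies the request and the runtime context and honours the obligations it receives, while the trade-size, daily-limit and network conditions are data in the policy that an administrator can change without redeploying code. The PEP also refuses a grant whose obligations it does not understand, since silently ignoring an obligation would bypass the data filter the policy relies on.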
Learn More

- Aug 25, 9a PT: Webcast: Declarative Security for Mobile Apps http://bit.ly/is3XAQ
- Sep 7, 9a PT
Useful Resources

- Download Financials Application
- Oracle Entitlements Server
- Whitepapers
- Product downloads, Javadocs
Questions
References

- OpenAz
- Java Identity API (JSR proposal)
- CARML/ArisID
- SAML Session Token (WAM token)
OpenAz Goals

- Provide a consistent model for applications and middleware to invoke access control
  - Based upon the PEP definition given in the XACML specification
  - Encourage creation of other language/framework bindings
- Explain how the AzApi interface can be mated with third-party policy engines
  - Existing policy engines can implement this interface
  - Support efficient processing, as providers can implement caching and other proprietary magic
  - Details of local vs. remote processing are hidden by the interface
- Java packages or frameworks may request authorization decisions using native objects
  - E.g., Decide(user object, resource object, action object)
  - Mapping of these native representations into lower-level AzApi forms is modeled separately
PEP - Policy Enforcement Point
PAP - Policy Administration Point
PDP - Policy Decision Point
Download information

- Javadoc only
- http://www.openliberty.org/wiki/index.php/Main_Page#OpenAz
Java Identity API

Diverse sources of identity data impose new requirements on how applications obtain identity data:
- Goes beyond a model based on a single IT directory
- Driven by new identity models: identity federation, Facebook, virtual directory
- Concerns about user consent, privacy and accountability
- Characteristic representation for identity attributes and meta-data such as issuer, TTL, UseConstraints
- Programming model for applications to interact with and provide attributes (with meta-data)
- Programming model for applications to provide fine-grained context in access control
- Integration of the enhancements with the existing Java security model
CARML/ArisID

- Declarative approach to obtaining identity attributes in applications
  - Improves on lower-level approaches based on LDAP or JNDI
  - Includes support for privacy assertions
- Available in Oracle Virtual Directory 11g and also used in Oracle Fusion Middleware
SAML Session Token (WAM token)

- First within Oracle products, then externally
- Lower costs and improve security for Oracle products
- Demonstrate industry leadership
- Foundation for interoperability with other vendors

Benefits

- Provides a standard for session management
- More efficient; enables features like idle timeout
Project Summary

- Define a common WAM SSO token format and interface
- Implement the "pre-standard" across the AM suite
- Work with the community to standardize the token
- Converge to the final standard

Status

- Design based on existing product requirements
- Token library implemented in Oracle Access Manager 11g
- OASIS SAML Session Token Profile awaiting final public review before reaching Committee Specification status
- Latest OASIS draft: http://www.oasis-open.org/committees/download.php/41975/saml-session-tokenv1.0-wd07.pdf
Oracle Platform Security Services

Architecture (diagram): OPSS provides AuthN, AuthZ, Credentials & Keys, Audit, ID Profile, Trust and IdM Integration services, together with XML Security (Crypto, SSL) and Identity Provisioning, over identity stores held in LDAP, a database or a file.
Benefits of OPSS

- Suite of Security Services: application enablement with a rich, secure, and compliant security platform
  - Provides an abstraction layer to identity systems
  - Rich set of APIs for the most common design patterns
  - Works in conjunction with the Java2, J2EE, SOA, HTTP and JCE security standards
  - Interoperates with identity management systems
- Reduce costs and rapidly respond to business demands
  - Declarative security increases developer productivity by 50%
  - All Fusion Middleware and Fusion Applications products build on top of OPSS
39
Application
Application
Application
App
Application
App
App
40
App
XML Gateways
Middleware
Data Sources
41
41
Increased IT Efficiency
Useful Resources

- Oracle Platform Security Services
- Fusion Middleware and Fusion Applications Security Framework: samples, presentations