Anil's Security & Identity Management Blog

Java Identity JSR: A positive step

2011-12-12T03:31:00.001-06:00

The latest JSR on Java Identity is a very positive step in fostering security in Java applications. Since the JSR targets Java SE (as well as Java EE), it will have a very beneficial impact on Java applications running within the VM. You do not require a Java EE application server to avail the Identity services. A presentation on the JSR, given by the spec lead, Ron Monzillo is available at https://oracleus.wingateweb.com/published/oracleus2011/sessions/25171/S25171_139221.pdf A complaint I often hear from Java developers is the lack of consistent, standard API/annotations that they can use for securing their applications. JSR 351 aims to provide the necessary API as well as annotations. This should have happened long ago, but at least now, there is a positive attempt in the direction. I fervently hope that all the framework developers pay attention to this JSR (and not fall prey to the NIH syndrome). With the proliferation of Identity standards and the lack of coherence among them, it has become very hard for application writers to grasp the concepts of security. They usually take the easy way out (a simple password based system). I wish the JSR committee all the success. I am planning to be on the committee. You are welcome to participate. The proposed reference implementation is going to under the Apache 2.0 license and the tck will be free of charge. [Slide 10]

JavaOne11 Experiences :: JBoss AS7/PicketLink/SAML/OpenShift

2011-10-14T09:25:00.004-05:00

I had the privilege of attending Java One in San Francisco this month. I had two talks this year.

Talks:
1) Venue: JBoss Booth. Title: Trusted Security with PicketBox and PicketLink
2) Venue: Regular Session. Title: Experiences with Java EE Paas

In my view, this was a great conference for me. I had the opportunities to show case the SAML based SSO on web applications running on top of JBoss AS7 in the Red Hat's OpenShift Paas environment.

I also showcased Facebook/Google login to web apps running on JBoss AS7 deployed in OpenShift environment.

As part of my sessions, I created the following cheatsheet.

http://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift/

You should definitely give OpenShift a try. :)

Tribute to Steve Jobs:
Scott Stark and I had just finished making our presentation at Java One. I got an alert from Associated Press on my iPhone: "According to Apple, Steve Jobs has died". It was a shock to me. I showed the alert to Scott who was in the middle of answering offline questions from attendees and he was shocked too. Around 5:40pm. :(

Deploy Java Applications In The Cloud

2011-08-30T10:42:00.001-05:00

A couple of years ago, I had played with Google App Engine. I liked the ease of deployment via eclipse and the fact that I could code in Java and deploy a web app. Then it hit me. All the restrictions and JVM API blacklist was tiring. You had to modify your libraries or applications to tailor to GAE restrictions.

Another potential solution is Heroku. It is popular. But the latest post from Adam announcing Java support is filled with hatred for Java EE. I am unsure how they are going to provide support for Transactions, Security etc (without custom coding) as that is provided by Java EE. Rich Sharples does a good job at dissecting the post.

Coming back to my topic of deploying Java Applications in the cloud, I have been quite excited to try out Red Hat's PAAS offering, the OpenShift. A user can now deploy Java EE 6 applications in the cloud. OpenShift will only get better over time. The dream of running your Java EE applications in the cloud is a reality. Hopefully Java developers will embrace OpenShift. They get access to JBoss AS7 instance to host their apps. Now that's progress in the cloud.

Thank you OpenShift.

Reference:

How to videos for OpenShift.

JBoss AS 7 is Lightning and is now SAML enabled

2011-08-29T21:45:00.001-05:00

If you have been impressed with JBoss Application Server v7.0 aka "Lightning", then I have a good news for you. You can now enabled SAML based SSO for your web applications using PicketLink.

A cheatsheet : JBoss Application Server v7.0 and SAML SSO.

The one stop cheatsheet page for various versions of JBoss AS is here.

Please do not hesitate to ask questions at the PicketLink user forum.

When SSL Certificate is the culprit

2011-08-29T21:28:00.003-05:00

you may have heard of practitioners preaching SSL to mitigate man-in-the-middle attacks. For more information on MITM, read here.

SSL Certificates are issued by a Certificate Authority (CA). There are a large number of CAs around the world and most of the prominent browsers trust a set of CAs by default.

The latest news about a hacker getting SSL certificates issued under the Google name from a Dutch CA, is very alarming.

If the browser trusts a particular CA and that CA has issued a fradulent certificate, then it is very difficult for the browser to figure out the fraud unless they follow OCSP or remove that CA.

Update from Mozilla Firefox:
http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/

Mitigation in Mozilla Firefox:

http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

Mozilla will be releasing an update to Firefox to further protect you
from this. Until the update is released you can manually delete this
certificate with these steps:

At the top of the Firefox window, click on the Edit menu and select Preferences.

Click on the Advanced panel
Select the Encryption tab
Click View Certificates
In the Certificate Manager window, select the Authorities tab
Scroll down to DigiNotar and select the DigiNotar Root CA
Click Delete or Distrust...
Click OK to confirm the deletion

Apparently DigiNotar Certificate shows up in Internet Explorer too.
Here is Microsoft Advisory.

Google Chrome is covered by its security features.

A Google spokesman provided CNET with this statement: "A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker's site. We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."

(Thanks to CNET)

If your favorite bank has a website with the URL starting with https, try to demand Extended Validation Certificates. CAs go through extended audits before issuing EV Certs and the address bar displays a green bar in the browser.

References:
Diginotar and Hackers

HTML5 Security Vulnerabilities by ENISA

2011-08-25T10:43:00.000-05:00

ENISA (European Network and information Security Agency) has released an analysis report on the vulnerabilities that exist in the draft of HTML5. The full report is available at http://www.enisa.europa.eu/act/application-security/web-security/a-security-analysis-of-next-generation-web-standards/at_download/fullReport

You can read the press release at Web security: EU cyber-security Agency ENISA flags security fixes for new web standards/HTML5

If you just want the summary of the report, then look at pages 2 and 3.

Dr.Giles Hogben has been very impressive over the years with his research on Social Media, Cloud Computing and now Web Standards.

JavaEE enabled PAAS and Security

2011-08-15T11:24:00.003-05:00

I am sure you have seen all the news reports on the JavaEE6 Enabled Cloud Platform called OpenShift. I am also pleased to share that Scott Stark and I are presenting a session at Java One 2011 with the following details:

Session ID: 26120
Session Title: Experiences with Java EE-Enabled PaaS
Venue / Room: Hilton San Francisco - Imperial Ballroom B
Date and Time: 10/5/11, 16:30 - 17:30
Track Enterprise Service Architectures and the Cloud
Optional Track: Java EE Web Profile and Platform Technologies

The session will delve into our experiences with Java EE6 in the Cloud. What we learned and what we missed, in providing EE6 support in the OpenShift platform. At the end, we will talk about the various strategies we are employing to provide Identity Management support to the OpenShift users.

I am quite surprised that I did not see any other session at J1 that broached EE and PaaS together with experiences, given the growing significance of Cloud Computing.

PicketLink v2.0.0.final Released

2011-08-11T09:50:00.002-05:00

It gives us immense pleasure in announcing the release of PicketLink v2.0.0.final from JBoss Community. This is an important step forward for the JBoss ecosystem.

Details can be found here.

As always, a cheat sheet for JBoss Application Server is at.

Java Keystore Tips

2011-07-15T14:51:00.000-05:00

1. What are the two common types for Keystore?
The common ones are JKS (Default) and JCEKS (when you want to store symmetric keys).

2. Common Errors
java.security.UnrecoverableKeyException: Given final block not properly padded

Cause: The Keystore password and the KeyPair password are not the same.

JBoss Application Server v7 is a lightning strike

2011-07-12T08:28:00.001-05:00

An excellent blog post by Rich Sharples on a new lightning strike called as JBoss AS7 in the Java EE space. Please read it at Lightning Strikes !

Get JBoss AS7 from http://www.jboss.org/as7

PicketLink and SAML v1.1 Support

2011-07-08T10:13:00.001-05:00

Even though SAML v1.1 has been deprecated in favor of SAML v2.0, there may be installations at users end, that require support for SAML v1.1

For this reason, PicketLink v2 now has SAMLv1.1 support.
It is documented here:

http://community.jboss.org/wiki/PicketLinkSAMLV11Support

This article should form the dashboard for PicketLink-SAMLv1.1 support.

Note that both the PicketLink Identity Provider and the Security Token Server (STS) support both SAML v2 and v1.1

As always, pick the latest PicketLink v2 build from
http://community.jboss.org/message/584988

Facebook over SSL only

2011-07-08T10:08:00.000-05:00

If you use Facebook for your social networking needs, then do not forget to perform the following step to ensure FB is accessed over https/ssl only.

Go to:
Account -> Account Settings -> Account Security

Click "Change"
Check the "Browse Facebook on a secure connection (https) whenever possible" under "Secure Browsing (https)" section.

Click "Save"

PicketBox XACML v2.0.6.Final Released

2011-04-01T12:27:00.000-05:00

I am pleased to announced the community release of PicketBox XACML v2.0.6.Final.

More details are available at:
http://community.jboss.org/wiki/PicketBoxXACMLJBossXACML

What is new?
1. Core RBAC Profile of XACML v2.0
2. Reading policies by just specifying the directory location in the config file.
3. Bug fixes.

Enjoy.

Does OAuth need more legs?

2011-03-21T09:05:00.000-05:00

OAuth is currently being worked out at the IETF. One of the concepts that is prevalent right now in OAuth is the concept of "legs". I am glad that I am not the only one who thinks that "legs" is a bad choice for describing the number of parties involved in an exchange.

Refer to http://www.ietf.org/mail-archive/web/oauth/current/msg05717.html

Basically, a "leg" involves one party.

So, "two legged oauth" involves two parties. As an example, if two end points (without user intervention) agree on an exchange, then it is two legged. If the endpoints are trusted, from the same entity or within corporate firewall, then 2-legged oauth makes sense.

Now, if we bring in the "user" to the mix, then we increase a "leg". That is, we have a 3-legged oauth. An user approves another service such as twitter client (leg) to get/set/operate his account in a 3rd service such as twitter (leg).

In my view, "party" is the right choice as it is very intuitive to have "2 party oauth", "3 party oauth".

I definitely want to hear your opinion or any corrections in my understanding of OAuth.

Book Review: OpenAM by Indira Thangaswamy

2011-03-18T09:39:00.001-05:00

Title: OpenAM
Author: Indira Thangaswamy
Publisher: Packt Publishing (January 25, 2011)
ISBN-10: 1849510229
ISBN-13: 978-1849510226

Link on Amazon: http://www.amazon.com/OpenAM-Indira-Thangasamy/dp/1849510229

My Rating: Buy

General Comments
Books on security projects are quite rare. It is also quite difficult to fully document the breadth of possibilities with Open Source Software. Toward this, I commend Indira’s efforts at writing a book on an open source product, OpenAM. Over the years, I have seen Indira answer user questions on the openam/opensso user forums. So he does know a lot about it. Writing books is not a joke. In the preface, Indira just hint at the pain he took in writing the book. Books take away quality family time. Kudos to Indira.

Detailed Review
Indira has done a fine job with the book. He has clearly divided the content into 3 areas. The first area that occupies the first few chapters are completely devoted to what OpenAM is, what problems that it solve and where do you get it from. Then the next few chapters that occupy the bulk of the book are devoted to HOW YOU do things with OpenAM. Finally, he closes the book with Troubleshooting and Diagnostics.

The first chapter begins quite well with a description of why Identity and Access Management (IAM) is required in the industry. The short example of the FBI breach in the early 2001 highlights the need for proper entitlement management. After an introduction of benefits of IAM, Indira moves on to the history of OpenAM starting its roots at Sun Microsystems in 2000. This is good for obtaining an historic perspective on OpenAM. The OpenSSO architecture diagram is valuable to users who want to grasp the elements of the software packaged in OpenAM.
The section on “what kind of problems does OpenSSO solve?” describes at an high level the features OpenSSO provides: Access Management, Federation, Securing Web Services and Entitlements. I particularly liked the table at the end of this section that gives a graphical description.

In the second chapter, Indira talks about configuring opensso on Tomcat. He also shows how to configure OpenSSO using the console.

The third chapter is all about administration. We see snapshots of the console as well as some CLI interactions to configure. I think the section on customizing the console with user schema needs some additional work (with examples of course).

I liked the fourth chapter that describes the various types of authentication as well as session services. The authentication types (Module, Level, Service etc) have been sufficiently described. If the reader is interested further, hopefully he can get additional information from the project guides.

Chapter 7 was decent with integration with salesforce and google apps. This chapter basically empowers the user to use SAAS based apps with OpenAM as the IDP. The console snapshots should be sufficient for the reader to get it to work. Since I did not try it out, I am not 100% whether this chapter needs additional work.

Suggestions for improvement
* Indira shows how to configure things with the console as well as the command line interface. You should try to add warning boxes in the book stating which settings need the CLI.
* I am not sure if the reader is able to obtain the ldap schema for various ldap servers. Or the openam console does it for you automatically. Please clarify in the book.
* In the administration of OpenAM, things can go wrong. There is very little information on what things need to be watched out, while administering the product. Showing console snapshots or CLI is not sufficient to administer. Please describe what the CLI parameters are.

Disclaimer: I am not endorsing the product OpenAM. All I am doing is reviewing a book on an open source project. I need to play around with OpenAM/OpenSSO such that Project PicketLink is interoperable with it.

JBoss users upgrade to Oracle/Sun JVM JDK 1.6 Update 24

2011-02-21T12:31:00.000-06:00

This is a general alert for all Java applications. Hence affects the JBoss ecosystem users also.

Oracle has released update 24 of the JDK 1.6 to resolve the Security vulnerability as outlined in http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

So, please upgrade to Oracle JVM 1.6u24 asap.

As always, please refer to the community notification page at JBoss.
http://community.jboss.org/wiki/SecurityVulnerabilitiesNotificationtoCommunity

JBoss users upgrade to Oracle/Sun JVM JDK 1.6 Update 23 and apply FP Updater Tool

2011-02-09T08:52:00.007-06:00

A serious vulnerability in the JVM was identified via CVE and has been handled by Oracle/Sun. Please see the following article for more details:

http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

This is an issue that affects all Java applications that may be performing Double-String operations.

In summary, JBoss AS users should try to upgrade to JDK 1.6 Update 23 and use the Floating Point Updater Tool from here.

JDK/JRE6 Update 24 (forthcoming) will fix the issue. Until then please run the updater tool.

Reference Page for JBoss AS Security Vulnerabilities: http://community.jboss.org/wiki/SecurityVulnerabilitiesNotificationtoCommunity

Additional information is available from Oracle Blog Post.

======================================================

Usage:JBoss XACML

2011-02-01T15:52:00.003-06:00

Project PicketBox from JBoss has an XACML engine that can be used in a Java environment.

Assuming that your configuration file is available, something like the following should work for you:

import org.jboss.security.xacml.core.JBossPDP;

import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;

import org.jboss.security.xacml.interfaces.XACMLConstants;

//Get hold of an InputStream to the config file

ClassLoader tcl = Thread.currentThread().getContextClassLoader();

InputStream is = tcl.getResourceAsStream( MY_CONFIG_FILE );

PolicyDecisionPoint pdp = new JBossPDP(is);

//Form your RequestContext by some means

ResponseContext response = pdp.evaluate(request);

int decision = response.getDecision();
//Decision can be one of XACMLConstants.DECISION_DENY

//XACMLConstants.DECISION_PERMIT

RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();

//Read the xacml request from input stream

requestContext.readRequest( is );

requestContext.readRequest( node );  //Parse xacml request as DOM node

============================

If you need to look at code examples: http://community.jboss.org/wiki/XACMLPDPSOAPService

Get JBoss AS6 right away

2011-01-06T11:50:00.002-06:00

If you are an user of JBoss AS 5.1, then you should upgrade to the latest JBoss AS6 which was released recently. Apart from the regular bug fixes, you also get the Java EE 6 certified Web Profile...

More information is in Rich Sharples's blog post. JBoss AS 6 Released !

Happy EE coding!

If you need more info on EE6 development, do sign up for Pete Muir's Jan 19th webinar. http://www.jboss.org/webinars

Also additional info is given by Dimitris. http://dandreadis.blogspot.com/2011/01/introducing-brand-new-jboss-as-60.html

Response: JBoss AS6 vs Glassfish 3.x

2011-01-06T09:26:00.008-06:00

Disclaimers:
* Sorry, this post is not anywhere related to security and identity mgmt. :)
* Arun Gupta (Oracle) is a great guy. I am just giving a personal view as response to his blog post.
* Please use the latest version of JBoss AS ie. AS 7 http://www.jboss.org/as7

Response To: Which Java EE 6 App Server ? - JBoss 6.0 or GlassFish 3.x

My Credentials:

There are Java source files written by me in JBoss Application Server since JBoss 3.x which means I have a right to give my personal opinion. In a nutshell, there are features that are part and parcel of JBoss AS users, that have been created by me.

General Response:

While Arun gives a fair assessment of Glassfish 3.x against the newly released JBoss AS 6.0, he makes some incorrect or subjective statements/assumptions. Let us get to them right away.

I would like to state that I appreciate all that Arun has done for the evangelization of Java, EE, WS, Open Source etc over the years. He is the zone leader on Java DZone. He has been good to the technical community in general and I request him to continue doing that.

Problem Statement 1 from Arun:

The articles like "New JBoss puts Java EE 6 to Work" by PC World and others with similar heading are misleading when they say "one of the first enterprise-grade application servers to fully support Java EE 6". How can an App Server be enterprise-grade and yet not offer commercial support and minimal documentation ? And also Java EE 6 is already put to work in multiple GlassFish deployments so not sure what it means "puts to work".

Response:
Apache HTTP server (from the Apache Software Foundation) has over 60% usage among web servers in the world. Does that mean it is not enterprise grade because there is no commercial support from ASF?

Many commercial companies provide support for httpd via their products or direct support. But overall, the community just relies on the trust they place in the apache httpd developers and do not buy any commercial support.

JBoss AS including v6.0 has basically relied on technology that has been developed over the years, starting lets say JBoss AS 3.2.x. Most of the older features remain the same. Hence there is no real need to create new documentation for these features in JBoss AS 6.0. With each new major new release of JBoss AS, we add some simplification or new features that gets documented but overall we try (I am saying, we try) to maintain backward compatibility with the features that JBoss AS community has loved, adopted and used over the years.

There are many companies that offer commercial support for the community version of JBoss AS (just google them). I am bringing this up with direct reference to the Apache httpd analogy above. If you are a serious user (who wants commercial support), just adopt the JBoss EAP just like you adopt RHEL.

Problem Statement 2 from Arun:

Clustering support in Glassfish coming in 3.1

Response:

Arun, I am not sure how long you have actually looked at the enterprise market (ok, Java EE enterprise market). We at JBoss have been dealing with the enterprise market almost since the beginning of the new millennium.

From an JavaEE Application Server perspective, no enterprise adoption will happen unless there is robust clustering support provided. JBoss AS has built-in, robust/kick-ass clustering capabilities that is simple enough for beginners. Just look for awesome videos of Bela Ban presenting the latest and greatest in JBoss clustering.

So, my statement is "Glassfish 3.x is not enterprise ready until they have clustering". He He!!!

(Update: From comments, I have learned that GF has had clustering but not in 3.x)

Does GF have JTS (Transaction Services)? Just checking.

General Discussion:

The key parameter for adoption of any large product/project such as JBoss AS, Apache httpd etc is the long term sustainability of the project. JBoss AS has been the flagship work of JBoss Inc and since the acquisition in 2006, has been an integral part of Red Hat Inc. Given Red Hat's commitment to Linux community via Fedora, I am confident that the JBoss AS community will continue to be strong.

The startup time of JBoss AS has been quoted as a deterrent in adoption in the media. We are working on that with each iteration. Look for JBoss AS7 in 2011 with great new features and startup.(Arun, you should definitely run the benchmark on non-mac VM. I think the mac vm is a shade slower than the win/linux vm).

Important Note: JBoss AS6 is certified for Java EE 6 Web Profile only. But the AS contains the full feature set. We have not certified the features outside the web profile. Most of these non-certified features have existed in JBoss AS for years and baked by the JBoss community to give them robust status. Also these features may have had certification under EE4 or 5.

(Ref: http://dandreadis.blogspot.com/2011/01/introducing-brand-new-jboss-as-60.html)

Given that, Oracle has won the 2010 Open Source Enemies Prize, I will be extremely apprehensive of adopting Glassfish, if I were an user. (Other Reference is to the current Hudson Project Mess).

I wish Arun and all the readers of this blog post (including Oracle employees) a very Happy New Year 2011.

Java EE 6 has been a great step forward and I think the availability of multiple OSS AS such as JBoss AS6 and Glassfish is a good thing for the community. Kudos to the JCP (and EE members) for the continued support of this paradigm.

Response: Glassfish versus JBoss Community Patches

2010-11-25T12:16:00.001-06:00

Please refer to my earlier blog post: Community JBoss AS versus JBoss EAP (April 2010) for further information.

Ok, I had to respond to a blog post titled "Glassfish vs JBoss Community Patches" because there was liberal usage of the following words : security, pci and patches.

Chris Mahns is responding to Rich Sharples blog post but brought in the terms "security" and "pci". This has prompted me to respond.

Let me tell you a story. A friend of mine runs a non-profit public forum using Joomla/PHP etc. One day, he gave me a call to tell me that his site has been serving malware and if I knew of any easy means of preventing that in the future. I told him that I would look into it. He came back to me in less than a week to tell me that attackers had utilized the fact that he had not updated the latest patches for Joomla. My friend had missed one patch and his users were all served malware. (It can happen to credible web sites such as the New York Times. Read Here).

Thinking further, I realized that it is getting extremely critical for general users to stay on top of the patch process because someone has to triage security vulnerabilities, coordinate across components, collate patches, write patch reports, maintain relationship with organizations such as Mitre/NIST (CVE and NVD) etc which the general public cannot really do.

I strongly stress (whenever asked) by users that they should adopt OSS that is delievered by JBoss or Apache or any organization with a strong strong "Security Response Team". For JBoss (Red Hat), we utilize the Red Hat Security Response Team which does an amazing job of triaging, generating patches and erratas for customers. They have relationship with software foundations such as ASF and also with the reporting agencies (Mitre/NIST etc).

Now as an user, if you are interested in "Security" and "PCI" compliance, then YOU SHOULD NOT be using the community version of the JBoss Application Server but using a Enterprise Platform from Red Hat such as EAP or the SOA-P because the components are not only stable but tightly monitored by the security response team. The team releases frequent patches based on the criticality.

I will tell you from experience that it is not easy to stay on top of security vulnerabilities and patches if there are multiple open source projects involved. A typical middleware server such as JBoss Application Server contains a large number of OSS projects (developed on JBoss community and other places such as the Apache Software Foundation).

Coming back to community version of JBoss, when we identify vulnerabilities, we typically fix and release as part of the next iteration of the community AS. I even have a wiki article on JBoss community about this. Look at Security Vulnerabilities Notification to Community.

We CANNOT spend resources on patching JBoss AS 4.0.1 or releasing a patch for AS 3.2.3, whenever a vulnerability is identified in a component such as Tomcat. Please for heavens sake, you chose cutting edge innovation and wanted the latest and greatest. If yes, then you should be moving forward with the latest community version of JBoss AS. Adopt JBoss AS6 CR release as they happen. Once AS6 comes out, get on it right away.

As users, you make conscious choices whether you want flexibility, cost savings, reliability and security. If you want to be on the latest and greatest, cutting edge stuff then adopt the JBoss Application Server (Community Version). If you are going to run banking software or financial software or defense establishment using JBoss middleware, then PLEASE adopt EAP or other Red Hat middleware products. You save yourself and us a lot of trouble.

Please refer to my blog post where in I notify the community of vulnerabilities existing in JBoss community projects. It is not like we totally ignore the community (that has made us powerful).

Also refer to my 2008 blog post where I assert that we take security seriously at JBoss.

I spend a portion of my time talking to security evaluators who are currently evaluating JBoss EAP 5.1 for common criteria at EAL4+. We certified JBoss EAP 4.3 at EAL2+. The CCE is a very intense exercise that can be daunting at times because the evaluators look at the entire laundry and pinpoint which of them is dirty and needs to be washed.

To summarize, if you are worried about security, PCI compliance, FIPS, Common Criteria and any other security certification/jargon etc, then please adopt a middleware platform from JBoss. You should not be fiddling with a community middleware stack.

My development environment is on Fedora Linux. When I need the latest patches, bug fixes, I update to the next version of Fedora rather than just cry over not having patches over an older version of Fedora. This is a choice I made. If I needed stability, I would probably develop on RHEL.

And I would like to wish my US colleagues/friends at Oracle /Glassfish, a very Happy Thanksgiving. "May the break and family time raise your morale". Lets say Amen to that.

=============

Kerberos support in JBoss Application Server

2010-11-22T12:32:00.000-06:00

If you have ever wondered about Kerberos/SPNego support in JBoss Application Server, then you should definitely look at the Kerberos Dashboard Article.

Thanks to Marcus for adding a new article on EJB3 Authentication with SPNego.

XACML Policy Editors - Domain driven or language driven

2010-10-12T09:07:00.000-05:00

The Authorization process is extremely cumbersome and prone to errors. Typically it is rules based. Decisions based on combination of rules can lead to errors or holes. Because of errors, if the access check returns in a "denial", then the damage is minimal. Someone can verify why that particular access check got turned down. On the contrary, if the errors lead to a successful unauthorized access, then you know the answer. :)

One of the challenges associated with configuring security is not contempt towards the field of security but the perception of complexity. Administrators/architects/developers are turned down by the number of possible combination associated in configuring ACLs/Rules.

In the Java EE world, web.xml acts as the bedrock of container driven security for web applications. Long ago, I wrote an article on this that highlighted the permutations and combinations available to admins/devs. Ok, I am a big supporter of container based security because the opposite (custom security) is prone to errors and unmaintainable over the long run.

Coming back to configuring rules, probably 10% of devs/architects/admins are fully versed in the XACML language and clearly understand the language. So for them a pure XACML policy editor makes sense. The rest of the crowd just wants to configure their access control system using plain language as follows:

This web application can be accessed by an user in the group "employee".
This part of the web application is restricted to managers alone.
This part of the web application is accessible under normal business hours.

Now the domain based editor for the web applications needs to have UI elements that are simple to understand. The person configuring the system will be able to look at the requirements and check/select the appropriate boxes.

While I am not denying the usefulness of a full fledged XACML policy editor, I am seriously not in agreement that they are the norm. If XACML is to see ubiquitous adoption, there is a need for configurable domain based editors. The infrastructure for access control can be driven by XACML policies and evaluation, but the policy configuration has to be driven by simple domain based editors.

References to Read:

PicketLink 1.0.4.final Released

2010-09-17T14:59:00.002-05:00

Official Wiki Page: http://community.jboss.org/wiki/PicketLink104final

New Stuff:

Changes made to support PicketLink with Microsoft ADFSv2. ( Forum Thread Discussion. ) (Wiki Link To Document)
PicketLink STS - Batch Requests.
PicketLink STS SAML Token bindings with JBoss Application Server Containers. (EJB Container Binding Link, Web Container Binding Link )
PicketLink STS Configuration Handlers are Pluggable (Documentation for Pluggable Handlers)
Seam Integration : Serve XRDS file for validating RP for OpenID Providers.
PicketLink STS validated to work on JBoss AS - Apache CXF Stack.
PicketLink STS SAML EJB Integration with WebLogic Server.

Documentation Update:

STS SAML Profile Document: OnBehalfOf, Sender Vouches and Holder of Key.
STS Pluggable Configuration Handler.

PicketBox XACML v2.0.5.final from JBoss released

2010-08-31T14:01:00.001-05:00

It took some extra time (other priorities took precedence). In the end, it all worked out fine.

LGPL licensed free open source project, PicketBox has released the XACML component v2.0.5.final. Please download it from PicketBox downloads.

Main Wiki Page

PicketBox XACML Dashboard Wiki Page

Main Features Added (compared to v2.0.4)

JIRA
PicketBox JIRA

JBoss Integration

PicketBox XACML is integrated into JBoss Application Server v5.0 and beyond. Additionally, it is available as part of the JBoss Enterprise Application Platform (EAP) v5.0 and beyond and JBoss SOA Platform v5.0 and beyond.

Release Notes

** Bug

* [SECURITY-452] - Don't use Xalan classes directly. Use Java API instead
* [SECURITY-461] - AttributeFinder:findAttribute method can throw an NPE if any of the attribute finder modules return null
* [SECURITY-462] - JBossRequestContext should throw IllegalArgumentException for null inputstream
* [SECURITY-507] - JBossXACML: anyURI mismatch
* [SECURITY-518] - JBossPDP should be serializable

** Feature Request

* [SECURITY-454] - Database Attribute Locator
* [SECURITY-463] - AttributeValue.getValue abstract method * [SECURITY-455] - LDAP based attribute locator
* [SECURITY-456] - File based Attribute Locator
* [SECURITY-492] - JBossPolicySetLocator should gracefully handle policies
* [SECURITY-516] - Create a LDAP policy provider for JBoss XACML
* [SECURITY-521] - Decision Cache for constant XACML Requests
* [SECURITY-522] - XACML add hashcode and equals to RequestCtx, Attribute
* [SECURITY-525] - XACML Attribute Locator should support comma separated list of attributeSupportedIds