
Understanding JAAS/Web app SSO

Brett Sanger
Greenhorn

Joined: Jul 26, 2006
Posts: 7
My brain is full and I'm buried in buzzwords. Help would be greatly appreciated.

My workplace has a number of web apps deployed under Websphere that each have their own Security filter that forces them to login and checks their credentials against the LDAP server. All the authentication and authorization code is at the app level.

We want to migrate to a single sign-on model, so that a user off one app is recognized on others without having to re-login. I'm trying to understand what all is involved. My instructions are to stay standard and vendor-neutral. (IBM seems to have LTPA - but that's IBM only)

I've discovered that JAAS can have a common authentication module that will check against our LDAP server. What I've not been able to puzzle out is how the apps become aware of the existing authentication. (I.e. on a visit the app checks (something) to determine if the user is already authenticated, and if not, they fail the authentication and get bounced to a login screen of some variety. Currently we do that per-app in a security filter. All of the JAAS examples are single action console based things that don't cover that. )

Likewise, I'm unclear on how authorization is handled. JAAS seems to cover authorization to certain programmatic resources based on the Subject and the policy, but we're interested in having authorization info about the user to determine how (and if) our code performs.

Finally, this will have to be implemented over time as apps are converted to use it. A solution that cripples the access of any app on the server not using JAAS will cause problems.

Can someone help me fill in the missing pieces? I feel like I'm barking up the wrong tree, but clear examples are sorely missing.
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Sounds like you are missing a common Business tier. Code in the "web apps" should not be checking credentials against a common LDAP server directly. An "authorized user" is tracked in the Business tier and once authorized, they do not need to login again for the other "web apps." Subsequent "web apps" recognize the "authentication" in the common Business tier.

Individual security modules coded within each "web app" will prevent your attempts at SSO from working.

The business application on the common Business tier can use a JAAS module to authenticate with the common LDAP server.

You will need to redesign the "web apps" to implement a SSO solution.
[ July 29, 2008: Message edited by: James Clark ]
Brett Sanger
Greenhorn

Joined: Jul 26, 2006
Posts: 7
Sounds like you are missing a common Business tier

Well yes, that's the general idea of what we're trying to fix.

An "authorized user" is tracked in the Business tier and once authorized, they do not need to login again for the other "web apps."

Yes...What code/server changes are involved in making this happen? As I said, all the examples I've seen are single-action command line things, nothing saying HOW an app learns that a user is already authorized, nor how to determine their authorized role.

Individual security modules coded within each "web app" will prevent your attempts at SSO from working.

Again, we're trying to fix this, but we want to do it piecemeal. Convert apps A and B to use the common auth system while C and D don't (yet).

Your answer is exactly the sort of thing I've been finding: high on theory, low on implementation details. I'm sold on the theory, but I can't find any example of how to implement it (aside from the previously mentioned command-line examples) I'm sorry if I explained it poorly the first time around, but I've been googling and reading buzzword-laden papers for 2 days and I'm not much closer to an implementation.
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Your answer is exactly the sort of thing I've been finding: high on theory, low on implementation details. I'm sold on the theory, but I can't find any example of how to implement it (aside from the previously mentioned command-line examples) I'm sorry if I explained it poorly the first time around, but I've been googling and reading buzzword-laden papers for 2 days and I'm not much closer to an implementation.


I'm not sure what you really expect from an Internet forum or Internet web articles. I don't think you should expect more. Consulting companies are paid pretty well for designing solutions such as the one you need.

If this design is your responsibility, then it is your responsibility. If you are unable to create a design, oh well...you can keep searching Google and posting questions, but I doubt you will find what you seek.

Good luck!
Brett Sanger
Greenhorn

Joined: Jul 26, 2006
Posts: 7
I'm not seeking a full working solution, but a how-to along the lines of:

"turn on JAAS authentication in the foo.config file, and in each web application send the FooSec cookie to your LoginContext. The authorization policy only applies to programmatic resources, so you're better off getting the subject's role (via the Subject.getRoles() call) and using that information for any app-based authorization decisions."

Such is the level of support I've come to expect from OTHER languages and frameworks. I assumed I was simply missing the right search terms this time. You seem to be saying "no, you have to guess the framework interfaces, write your own tier from scratch, or hire a consultant."
Brett Sanger
Greenhorn

Joined: Jul 26, 2006
Posts: 7
Perhaps I have phrased it badly so I'll try again.

JAAS is a standard. The code for the tier is written (except for local details).

My questions basically are:

1) Does JAAS do what I've described?

2) Assuming so, how does a web app talk to the JAAS layer and gain/pass auth info?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42639
JAAS by itself is not the answer. As James said, it can perform the authentication/authorization, but it doesn't have SSO functionality, so you need to get that elsewhere. Either implement a separate code layer yourself, or have a look at one of the existing SSO frameworks (the http://faq.javaranch.com/java/SecurityFaq lists several). I'm not sure how those support the A/B vs. C/D scenario, but I don't see why A and B shouldn't be able to do their own thing while C and D use SSO.

As to how JAAS interacts with web apps, the answer is: not really. For starters, the process of how web app security is hooked into user data is not standardized. So -as you've found out- WebSphere works differently than Tomcat, which works differently than ... - you get the picture.
Furthermore, JAAS is a generalized authentication/authorization framework; it has nothing web app specific to it. If you want to use it, and you're not supposed to use the builtin server integration, you'll have to roll your own. Not many people do that, by the way - JAAS isn't used much in web apps. You might want to read this article for a deeper understanding of some of the issues involved.
[ July 29, 2008: Message edited by: Ulf Dittmer ]

Ping & DNS - my free Android networking tools app
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Brett - You seemed to have missed the point about a Business tier. Three-tier programming is a bit different than the traditional programming models. The "web app" is on the Presentation tier. There is no business logic in the "web app". The purpose of the "web app" is to provide a GUI to a human. The Business tier contains the business logic code. And the Integration tier contains your LDAP server.

If you had a Business tier application, these objects would use a JAAS-based login module to authenticate the user. These objects would also maintain the "state" of the user. These objects will handle your SSO requirements.

It will be difficult for you to skip the Business tier and try to stick everything in the "web apps." This style of application design conflicts with the J2EE programming model.

JAAS is a very good API for handling security. It is best applied to standard Java objects, not web-based API objects. Look up the Business Delegate design pattern to start to get an understanding of what I mention above.
[ July 29, 2008: Message edited by: James Clark ]
Manish Shah
Greenhorn

Joined: Jun 09, 2002
Posts: 22
Hi James

I am also doing a POC in JAAS and configuring it in JBoss. I would like to know what you mean by web-based API.

'JAAS is a very good API for handling security. It is best applied to standard Java objects, not web-based API objects.'

Aren't web-based APIs Java objects? Please explain.

Thanks


SCBCD5, SCWCD, SCJP, MCP
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42639
What James is alluding to is that there's nothing web app-specific in JAAS, and the servlet spec does not define how web app security might interface with JAAS. See my previous post for more detail.
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Aren't web-based APIs Java objects? Please explain.


To augment what Ulf mentions above, I am using the term "web-based" objects to refer to any Java-based object that deals with "web" or "internet" functionality. For example, the objects from the packages below are all "web-based".

org.apache.struts
javax.faces
javax.servlet
javax.servlet.http
javax.servlet.jsp
javax.servlet.jsp.tagext

Objects of the classes below would not be "web based"


[ July 30, 2008: Message edited by: James Clark ]
Brett Sanger
Greenhorn

Joined: Jul 26, 2006
Posts: 7
The "web app" is on the Presentation tier. There is no business logic in the "web app". The purpose of the "web app" is to provide a GUI to a human.

I've got that:

User
Browser
App Server
Servlet (Controller of presentation layer)
(Model - Business Delegate to services, etc.)
(other innards here)

My issue is that when the user connects to the App Server, the app server has to identify who that user is to determine if they get sent to a login action. Presumably an SSO solution would remove such logic from the application entirely and handle it before the presentation controller is defined...but I can find no documentation about that part. (Ulf says that JAAS doesn't handle that part, which says a lot in one sentence that I've had problems locating otherwise)

Further, when the business layer attempts to perform an action, it needs to have a JAAS subject and I have no idea where I'm supposed to mystically gain that info. (Probably because I don't have the step above)

It will be difficult for you to skip the Business tier and try to stick everything in the "web apps." This style of application design conflicts with the J2EE programming model.

Part of why we're trying to convert. I _think_ the simple version of what you're saying is "Because your app server will pipe all new sessions to a JAAS-based login system (which will either be a third party package or a custom connector), mixing the authentication systems as you convert will be hard", but you didn't actually say how gaining credentials is handled, so I'm still guessing.
Brett Sanger
Greenhorn

Joined: Jul 26, 2006
Posts: 7
Originally posted by Ulf Dittmer:
JAAS by itself is not the answer.
...


Thank you. Very informative, and I'll plow through the links you provided. A simple "this is not the complete answer" does quite a bit for resolving my confusion. (I also have evidence that it's difficult to get that answer even when explicit, so thank you again.)
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
JAAS is a security API. There are different ways to implement a solution using JAAS. Not all of them require a Subject or Policy. You can write a simple JAAS-based security login module. Or, you can write a very complex JAAS-based security login module. Before anything, you need to learn the API and how to code with it. Once you do this, you might be closer to designing a solution.

To implement a SSO solution, you need to remove the authentication from the "web app" code (from all the web apps) and call a security module which will manage the authentication and authorization. Build a security module and then have the "web apps" use this module when a user attempts to log in to a "web app."

You can have "web apps" that don't use the security module and you can have "web apps" that do. Over time, you can migrate all of them eventually to use the security module.

I think, a good first step for you would be to study the JAAS API and create a simple login module. Don't try to put it in any "web app". Just design a simple login module that connects to your LDAP server. Create a simple Java class with a main method and call the security module from this class. You can pass credentials on the command line. Have it return a "1" for a good login and a "0" for a bad login.
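The "simple login module that connects to your LDAP server" described in the post above, written out as an added example; this is not code from the thread, from JavaRanch or from IBM/WebSphere. The class names, the `url` and `baseDn` options, the `Demo` configuration entry and the `uid=<user>,<baseDn>` DN layout are assumptions, and it needs a reachable directory plus Java 9 or later. It goes through the full JAAS two-phase lifecycle (login, then commit/abort) and prints 1 for a good login and 0 for a bad one, as suggested:

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import java.util.regex.Pattern;
import javax.naming.*;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** JAAS LoginModule that authenticates a user by binding to LDAP with the user's own credentials. (Added example.) */
public class LdapLoginModule implements LoginModule {
    /** Principal placed in the Subject on success (our own class, not a JAAS built-in). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // Only accept usernames that cannot change the shape of the DN built below (blocks DN injection).
    private static final Pattern SAFE_UID = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;          // from the Configuration entry: url, baseDn (assumed option names)
    private String user;
    private boolean succeeded;
    private final Set<Principal> added = new HashSet<>();

    @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.options = options;
    }

    /** Phase 1: obtain credentials through the CallbackHandler and verify them; the Subject is not touched yet. */
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[]{nc, pc}); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback handler failed: " + e); }
        user = nc.getName();
        char[] pw = pc.getPassword();        // getPassword() returns a copy; wipe both
        pc.clearPassword();
        // An empty password turns a simple bind into an anonymous bind on many directories, and the bind "succeeds".
        if (user == null || !SAFE_UID.matcher(user).matches() || pw == null || pw.length == 0) {
            throw new FailedLoginException("bad credentials");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, String.valueOf(options.get("url")));    // use ldaps:// so the password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + user + "," + options.get("baseDn"));
        env.put(Context.SECURITY_CREDENTIALS, pw);
        try {
            new InitialDirContext(env).close();                               // bind accepted => the password is correct
        } catch (AuthenticationException e) {
            throw new FailedLoginException("directory rejected credentials for " + user);
        } catch (NamingException e) {
            throw new LoginException("directory unavailable: " + e.getMessage()); // outage, not a wrong password
        } finally {
            Arrays.fill(pw, '\0');
        }
        succeeded = true;
        return true;
    }

    /** Phase 2: populate the Subject only once every module in the stack has passed login(). */
    @Override public boolean commit() {
        if (!succeeded) return false;
        added.add(new UserPrincipal(user));
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { succeeded = false; user = null; return true; }

    @Override public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }

    /** java LdapLoginModule ldaps://host:636 "ou=people,dc=example,dc=com" jdoe secret   -> prints 1 (ok) or 0 (fail) */
    public static void main(String[] args) throws Exception {
        Map<String, String> opts = Map.of("url", args[0], "baseDn", args[1]);
        // Programmatic equivalent of a jaas.config entry:  Demo { LdapLoginModule required url="..." baseDn="..."; };
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{ new AppConfigurationEntry(LdapLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        });
        // In a web app this handler would read the login form instead of argv.
        CallbackHandler fromArgs = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(args[2]);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(args[3].toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("Demo", fromArgs);
        try {
            lc.login();
            System.out.println("1 " + lc.getSubject().getPrincipals()); // this Subject is what a web app would keep in its session
        } catch (LoginException e) {
            System.out.println("0 " + e.getMessage());
        }
    }
}
```

Two checks are in the code that the sketch above does not mention, and both matter in practice: a simple bind with an empty password is treated as an anonymous bind by many directories and therefore "succeeds", so the module refuses empty passwords before binding; and because the module concatenates the username into a DN, it only accepts a narrow character class so that a name like `jdoe,ou=admins` cannot rewrite the DN. The module also distinguishes a rejected password (`FailedLoginException`) from a directory outage (plain `LoginException`), so the caller can tell a bad login from a broken server.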
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
With single-sign on functionality for a set of applications, even though the user does not have to enter username and password more than once, each application still needs to check this. Something that signifies that a user is authenticated and authorized needs to be propagated from one "web app" to another.

When the user goes to a second application after logging in, the second application validates this "something" with the security module. The security module then maintains information about all of the current users. Once the module confirms that the user is authenticated and authorized, it sends a signal back to the "web app" that everything is ok. The user never has to enter a name and password until the security module expires the authorization for that user, e.g. based on time, log out, actions, etc.

Hope this helps!
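The "something" propagated between web apps and the module that issues, validates and expires it, as an added example that is not code from the thread or from any vendor. `SsoTokenService`, the token layout (random session id plus an HMAC over it), the demo user and role names and the fixed demo clock are assumptions; it needs Java 9 or later. Two "web apps" are simulated in `main`: app A performs the login (the LDAP check itself happens elsewhere) and receives a token for its cookie, and app B only presents that token and learns who the user is and which roles they hold:

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** The security module shared by every converted web app: issues, validates and expires SSO tokens. (Added example.) */
public class SsoTokenService {
    /** What a web app gets back for a valid token: who the user is and which roles they hold. */
    public static final class Session {
        public final String user; public final Set<String> roles; final Instant expires;
        Session(String user, Set<String> roles, Instant expires) { this.user = user; this.roles = Set.copyOf(roles); this.expires = expires; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    private final byte[] key;                 // HMAC key held only by the module, never handed to the web apps
    private final Duration ttl;
    private final Clock clock;
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Session> live = new ConcurrentHashMap<>();  // session id -> state: "information about all current users"

    public SsoTokenService(byte[] key, Duration ttl, Clock clock) { this.key = key.clone(); this.ttl = ttl; this.clock = clock; }

    /** Called by the app where the user actually typed a password, after that check passed. Returns the cookie value. */
    public String login(String user, Set<String> roles) {
        byte[] id = new byte[16];
        rng.nextBytes(id);                    // 128 random bits: unguessable session id
        String sid = Base64.getUrlEncoder().withoutPadding().encodeToString(id);
        live.put(sid, new Session(user, roles, clock.instant().plus(ttl)));
        return sid + "." + mac(sid);          // token = id.HMAC(id); put it in a Secure, HttpOnly cookie on the shared domain
    }

    /** Called by any other app on each request: is this a live, unexpired, untampered session? */
    public Optional<Session> validate(String token) {
        int dot = token == null ? -1 : token.indexOf('.');
        if (dot < 0) return Optional.empty();
        String sid = token.substring(0, dot);
        byte[] expected = mac(sid).getBytes(StandardCharsets.US_ASCII);
        byte[] given = token.substring(dot + 1).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, given)) return Optional.empty(); // constant-time; rejects forged tokens before any lookup
        Session s = live.get(sid);
        if (s == null) return Optional.empty();                                // logged out, or never issued by this module
        if (!clock.instant().isBefore(s.expires)) { live.remove(sid); return Optional.empty(); } // expired: drop it
        return Optional.of(s);
    }

    /** Logging out in one app ends the session everywhere, because the apps hold only the token, not the state. */
    public void logout(String token) {
        int dot = token == null ? -1 : token.indexOf('.');
        if (dot > 0) live.remove(token.substring(0, dot));
    }

    private String mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(m.doFinal(data.getBytes(StandardCharsets.US_ASCII)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** Settable clock so the walk-through can show expiry without sleeping. */
    static final class TestClock extends Clock {
        Instant now;
        TestClock(Instant start) { now = start; }
        @Override public Instant instant() { return now; }
        @Override public ZoneId getZone() { return ZoneOffset.UTC; }
        @Override public Clock withZone(ZoneId zone) { return this; }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        TestClock clock = new TestClock(Instant.parse("2008-07-30T12:00:00Z"));   // constructed demo time
        SsoTokenService sso = new SsoTokenService(key, Duration.ofMinutes(30), clock);

        // App A: user authenticated (e.g. LDAP bind), roles looked up; the token goes into the cookie.
        String cookie = sso.login("bsanger", Set.of("payroll-viewer"));          // constructed demo user and role
        // App B: reads the cookie and asks the module. No second login.
        Session s = sso.validate(cookie).orElseThrow(IllegalStateException::new);
        System.out.println("B sees " + s.user + ", payroll-viewer=" + s.hasRole("payroll-viewer") + ", admin=" + s.hasRole("admin"));
        // Tampering: a different id with the original MAC is rejected by the HMAC check.
        System.out.println("forged valid? " + sso.validate("AAAAAAAAAAAAAAAAAAAAAA." + cookie.split("\\.")[1]).isPresent());
        // Expiry: 31 minutes later the same cookie is dead.
        clock.now = clock.now.plus(Duration.ofMinutes(31));
        System.out.println("after ttl valid? " + sso.validate(cookie).isPresent());
        // Logout from any app invalidates the session for all of them.
        String second = sso.login("bsanger", Set.of("payroll-viewer"));
        sso.logout(second);
        System.out.println("after logout valid? " + sso.validate(second).isPresent());
    }
}
```

The state lives in the module rather than in the token, so a logout or an administrative revocation takes effect in every app at once, and the roles an app sees are whatever the module currently holds for that user. The cookie carrying the token has to be set on a parent domain the cooperating apps share and marked Secure and HttpOnly; apps that have not yet been converted simply never read that cookie and keep their own login filters, which is what makes converting A and B while C and D stay as they are workable. The HMAC is not what makes the session id hard to guess (the 128 random bits do that); it lets the module reject garbage and tokens it never issued in constant time before touching the session table.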
abhishek khandelwal
Greenhorn

Joined: Apr 17, 2007
Posts: 11
Hi Guys, Is the problem resolved or you still need some help?


Abhishek Khandelwal
SCPJ1.4, SCWCD1.4