To the author: Portlet Security

Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
I would like to ask, in order to cater for security requirements, what technology should be used in Portlet?

Traditional ways like SSL, PKI? Or we might use SAML? How will you compare these options?

Nick


SCJP 1.2, OCP 9i DBA, SCWCD 1.3, SCJP 1.4 (SAI), SCJD 1.4, SCWCD 1.4 (Beta), ICED (IBM 287, IBM 484, IBM 486), SCMAD 1.0 (Beta), SCBCD 1.3, ICSD (IBM 288), ICDBA (IBM 700, IBM 701), SCDJWS, ICSD (IBM 348), OCP 10g DBA (Beta), SCJP 5.0 (Beta), SCJA 1.0 (Beta), MCP(70-270), SCBCD 5.0 (Beta), SCJP 6.0, SCEA for JEE5 (in progress)
David Ulicny
Ranch Hand

Joined: Aug 04, 2004
Posts: 724
Is there a web server in front of the Portal server?
Why not use HTTPS?


SCJP | SCWCD | ICSD(286) | MCP 70-216
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
HTTPS might be useful for confidentiality; however, it can't help in other areas, like authorization and authentication.

Nick
Dave Minter
Author
Greenhorn

Joined: Nov 11, 2004
Posts: 17
Originally posted by Nicholas Cheung:
I would like to ask, in order to cater for security requirements, what technology should be used in Portlet?

Traditional ways like SSL, PKI? Or we might use SAML? How will you compare these options?

Nick


David above is correct - you are essentially communicating with a web server, so the use of HTTPS as with any other website is the natural way to go here.

The possible exception to this is the use of WSRP, where you might want to secure the communications between the WSRP host and the portlet container in some manner, but as WSRP is a web service, the usual approaches to security for web services are entirely applicable.

In short, portlets are not a special case from this perspective - generally speaking, arguments which apply to servlets are equally applicable to portlets, and they are likely to have access to similar, if not identical, resources.

Dave.
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
Thanks David.

However, what I need is not just confidentiality. For example, a user goes to my page, which might forward him to a page that contains stock codes, a buy-sell screen, a/c balance, etc. However, the remote portlet requires an authorization check to see whether the user can do certain actions (query or update), so SSL does not help in this case.

As we might need to use WSRP, we are also thinking of using SAML as the security checking means. So far, I just want to know whether there are other *natural* means to evaluate.

Nick
Dave Minter
Author
Greenhorn

Joined: Nov 11, 2004
Posts: 17
Originally posted by Nicholas Cheung:
Thanks David.

However, what I need is not just confidentiality. For example, a user goes to my page, which might forward him to a page that contains stock codes, a buy-sell screen, a/c balance, etc. However, the remote portlet requires an authorization check to see whether the user can do certain actions (query or update), so SSL does not help in this case.

As we might need to use WSRP, we are also thinking of using SAML as the security checking means. So far, I just want to know whether there are other *natural* means to evaluate.

Nick


This is the sort of scenario where SSO comes into play. I would be inclined to do this with Kerberos if presented with a clean slate, but in practice you will usually have to work with whatever the existing infrastructure dictates as the "standard" authentication environment.

Working with Kerberos, you login to the web server, which in turn authenticates you and presents your credentials to the portlet. The portlet then has everything it needs to establish a secure context on the remote system (assuming they both have access to the Kerberos domain).

Chapter 13 includes a detailed example of using JAAS and JGSS-API to do exactly that.

In the end portlets don't present you with any new security problems or solutions over and above servlets - but they make some of the existing problems such as SSO rather more prominent.

Dave.
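As an added illustration of the two points made above (HTTPS protects the wire but does not decide who may trade, and the portlet then uses a Kerberos credential it already holds to reach the remote system), here is a small hypothetical trading portlet in Java. It is example code written for this thread, not code from Dave's book or from any portal product; the role name `trader`, the JAAS login entry `PortletKerberos` and the service name `host@quotes.example.com` are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.portlet.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.*;

// Hypothetical trading portlet. The role, JAAS entry and service names are
// assumptions for this example, not values from the thread or the book.
public class TradingPortlet extends GenericPortlet {

    private static final String TRADER_ROLE = "trader";
    private static final String JAAS_ENTRY = "PortletKerberos";
    private static final String REMOTE_SERVICE = "host@quotes.example.com";

    // Render path: TLS keeps the bytes confidential, but who gets to see the
    // buy/sell form is decided here, exactly as a servlet would decide it
    // with HttpServletRequest.isUserInRole().
    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        if (request.getRemoteUser() == null) {
            out.println("<p>Please log in to see your account.</p>");
            return;
        }
        out.println("<p>Account balance view for " + request.getRemoteUser() + "</p>");
        // Only users the portal has placed in the trader role get the order
        // form; everyone else sees read-only quotes.
        if (request.isUserInRole(TRADER_ROLE)) {
            PortletURL action = response.createActionURL();
            action.setParameter("op", "order");
            out.println("<form method=\"post\" action=\"" + action + "\">...</form>");
        }
    }

    // Action path: the role is checked again on the update operation. Hiding
    // the form is not authorization; the action request must be gated too.
    @Override
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        if (!"order".equals(request.getParameter("op"))) {
            return;
        }
        if (!request.isUserInRole(TRADER_ROLE)) {
            throw new PortletSecurityException("user " + request.getRemoteUser()
                    + " is not permitted to place orders");
        }
        byte[] token = initialKerberosToken();
        // The token would travel to the remote order service (for example in
        // a WSRP or web-service request header); that transport is out of
        // scope for this example.
        response.setRenderParameter("orderStatus", token.length > 0 ? "submitted" : "failed");
    }

    // The flow described in the post: the portlet obtains a Kerberos
    // credential through JAAS and uses JGSS to build a security context for
    // the remote system. Assumes a JAAS configuration entry named
    // PortletKerberos that uses Krb5LoginModule with useTicketCache=true.
    private byte[] initialKerberosToken() throws PortletException {
        try {
            LoginContext lc = new LoginContext(JAAS_ENTRY);
            lc.login();
            Subject subject = lc.getSubject();
            return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSManager manager = GSSManager.getInstance();
                Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
                GSSName service = manager.createName(REMOTE_SERVICE, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = manager.createContext(service, krb5, null, GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);   // the remote side must prove its identity too
                ctx.requestInteg(true);        // integrity protection on later messages
                // First leg of the handshake; the peer's reply must be fed back
                // into initSecContext until ctx.isEstablished() returns true.
                return ctx.initSecContext(new byte[0], 0, 0);
            });
        } catch (LoginException | PrivilegedActionException e) {
            throw new PortletException("Kerberos context setup failed", e);
        }
    }
}
```

The point to take from it is the split of responsibilities: the container authenticates the user and maps them to roles (so `isUserInRole` works the same way it does for servlets), the portlet enforces authorization on both the render and the action path, and the Kerberos credential established at login is what lets the portlet speak to the back end without ever handling the user's password itself.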
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
We have thought of SSO before; however, due to the *features* of WAS portal server, we have some difficulties with that.

As you might know, there is a built-in DB for portal server that *caches* the user name and password after the 1st login of the users, and it does NOT allow us to change it once saved, unless we use IBM's APIs to reset it. Thus, we have to think of another way to *by-pass* this feature.

One solution that comes to our mind is SAML, but we are not sure whether it is really suitable for performing authentication and authorization. Any ideas on this issue?

Nick
Eusebio Floriano
Ranch Hand

Joined: Mar 07, 2004
Posts: 237
Originally posted by Dave Minter:
Chapter 13 includes a detailed example of using JAAS and JGSS-API to do exactly that.

Hi Dave,
Is there any chapter of your book available?

Regards,


SCJP 1.4 / 5.0 - SCBCD 1.3 - SCWCD 1.4 - IBM 484
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
Yes. There is a sample chapter:
http://www.apress.com/book/supplementDownload.html?bID=362&sID=2054

However, it is not chapter 13, but chapter 3.

You can also get some more info of the book from here:
http://www.apress.com/book/bookDisplay.html?bID=362

Nick