Wednesday, May 31, 2006

User Centric Security Model

Java Security Series Part 5

So far we have looked at the security model from the code perspective: the focus was to prevent malicious code from harming a secure system. In a distributed system, however, it is not enough to run trusted code; we also need to trust the user running that code, and that is the focus of the user-centric security model.

In Java 1.3 this model was introduced as an optional package, the JAAS framework (Java Authentication and Authorization Service). With 1.4 it was merged into core Java.

Authentication

To protect a resource against unauthorized users, the system must first be able to "authenticate" the user: verify, in a secure fashion, that the party trying to access the protected resource is a known entity which it trusts. This process of verification is called authentication.

The user first tells the system that he/she is a particular "somebody" - a name the system recognizes - and based on this recognition the system may go on to grant access to the protected resource. The "somebody" could be any identifier the system recognizes: a user name, an employee id, a certificate or some other token. The verification process then requires the user to give the system enough proof that he/she really is that "somebody".

On successful authentication the user is represented as a Subject, and each name by which he/she is identified as a Principal. Implicit here is that one subject can carry several principals, one per authentication it has gone through: a system made up of several sub-systems may recognize the same subject under a different identity in each of them.

Authentication Model

The JAAS authentication model is based on the Pluggable Authentication Module (PAM) framework. This architecture decouples the actual authentication logic from the application, so the application can later be adapted to new security requirements simply by plugging in a different authentication mechanism; the application itself does not have to change. The model also supports several authentication mechanisms at the same time by stacking them. Each mechanism in the stack is given a stack attribute (control flag) in the configuration which, together with the stack ordering, determines the overall authentication result. The values of the stack attributes are -

  • Required - An authentication mechanism with this value must succeed for the overall authentication to succeed. The next mechanism in the list is evaluated by the login process in any case.
  • Requisite - An authentication mechanism with this value must succeed for the overall authentication to succeed. The next mechanism in the list is evaluated only if this one succeeds. Otherwise the overall authentication result is failure and control returns to the application immediately.
  • Sufficient - An authentication mechanism with this value is not required for the overall authentication to succeed. The next mechanism in the list is evaluated only if this one fails. Otherwise (provided no Required or Requisite mechanism earlier in the list has failed) the overall authentication result is success and control returns to the application immediately.
  • Optional - An authentication mechanism with this value is not required for the overall authentication to succeed. The next mechanism in the list is evaluated by the login process in any case.
The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed. Note that the ordering therefore matters: a Sufficient module placed before a Required one bypasses the Required one entirely whenever it succeeds, so a weak mechanism must never be listed as Sufficient ahead of the mechanism that is meant to be mandatory.
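As an added illustration (not code from the original post or from the JDK), the following Java model encodes the stacking rules above and walks a few stacks in configuration order. The names StackFlagModel, Module and overallLoginSucceeds are the example's own; the flag constants are the real ones from javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag. The third case in main is the ordering pitfall described above: a Sufficient module that succeeds ahead of a Required one means the Required check is never reached. Requires Java 16 or later (it uses a record).

```java
import java.util.List;
import static javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

/** Model of the documented LoginContext stacking rules; for illustration, not the JDK's own code. */
public final class StackFlagModel {

    /** One configured module: its control flag and whether its login() would succeed for this user. */
    public record Module(LoginModuleControlFlag flag, boolean succeeds) {}

    /** Walks the stack in configuration order and reports whether the overall login succeeds. */
    public static boolean overallLoginSucceeds(List<Module> stack) {
        boolean requiredFailed = false;        // an earlier Required module failed
        boolean mandatoryPresent = false;      // at least one Required or Requisite is configured
        boolean nonMandatorySucceeded = false; // some Sufficient or Optional module succeeded
        for (Module m : stack) {
            if (m.flag() == REQUISITE) {
                mandatoryPresent = true;
                if (!m.succeeds()) return false;          // stop at once, control returns to the application
            } else if (m.flag() == REQUIRED) {
                mandatoryPresent = true;
                if (!m.succeeds()) requiredFailed = true;  // remember the failure but keep walking the stack
            } else {                                       // SUFFICIENT or OPTIONAL
                if (m.succeeds()) nonMandatorySucceeded = true;
                if (m.flag() == SUFFICIENT && m.succeeds() && !requiredFailed)
                    return true;                           // short-circuit: later modules are never consulted
            }
        }
        return mandatoryPresent ? !requiredFailed : nonMandatorySucceeded;
    }

    public static void main(String[] args) {
        // Intended deployment: the directory is mandatory, a local module adds a principal if it can.
        System.out.println(overallLoginSucceeds(List.of(new Module(REQUIRED, true), new Module(OPTIONAL, false))));   // true
        // A Sufficient success cannot rescue a Required module that already failed ...
        System.out.println(overallLoginSucceeds(List.of(new Module(REQUIRED, false), new Module(SUFFICIENT, true)))); // false
        // ... but placed BEFORE the Required module it skips that check entirely: the ordering pitfall.
        System.out.println(overallLoginSucceeds(List.of(new Module(SUFFICIENT, true), new Module(REQUIRED, false)))); // true
        // A Requisite failure ends the walk; the Optional module behind it never sees the credentials.
        System.out.println(overallLoginSucceeds(List.of(new Module(REQUISITE, false), new Module(OPTIONAL, true))));  // false
        // No mandatory modules at all: at least one of the others has to succeed.
        System.out.println(overallLoginSucceeds(List.of(new Module(OPTIONAL, false), new Module(OPTIONAL, false))));  // false
    }
}
```

When reviewing a login configuration, feed its entries through overallLoginSucceeds with the failure pattern an attacker can produce (typically "everything fails except the weakest module") and check that the answer is false.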

Authentication using LoginContext and LoginModule

javax.security.auth.login.LoginContext abstracts the PAM framework for authentication. When an application needs to authenticate a user it uses this class to start the authentication process. An instance is created by passing the name of the "authentication realm" (in JAAS terms, the application or entry name) for which login is required. That name selects one entry in the login configuration, abstracted by javax.security.auth.login.Configuration, which lists the authentication mechanisms to use. Each entry is a collection of authentication mechanism configurations, and each of those contains -

  • Authentication mechanism class name
  • Authentication mechanism specific configuration details in name-value pairs
  • Stack config property - Required Requisite Sufficient Optional
These sets of configuration information are indexed by a string, the authentication realm name. The sample below shows a typical configuration for a realm called MyLogin -

MyLogin {
    com.sun.security.auth.module.UnixLoginModule required;
    com.sun.security.auth.module.Krb5LoginModule optional
        useTicketCache="true"
        ticketCache="${user.home}${/}tickets";
};
After creating the LoginContext object, the application calls its login method. The relevant parts of LoginContext are shown below -

public final class LoginContext {
    // constructors: the name selects the entry in the login Configuration;
    // an existing Subject and/or a CallbackHandler may be supplied as well
    public LoginContext(String name) throws LoginException {...}
    public LoginContext(String name, CallbackHandler h) throws LoginException {...}
    public LoginContext(String name, Subject s) throws LoginException {...}
    public LoginContext(String name, Subject s, CallbackHandler h) throws LoginException {...}
    // two-phase authentication process
    public void login() throws LoginException {...}
    public void logout() throws LoginException {...}
    // get the authenticated Subject (null before login unless one was passed in)
    public Subject getSubject() {...}
}
The login method kicks off the two-phase authentication process (detailed in the next section). It calls login() and then commit() on each of the configured login mechanism objects. These login mechanism objects must implement the interface javax.security.auth.spi.LoginModule, shown below -

public interface LoginModule {
    // called first, with the Subject being authenticated, the application's
    // CallbackHandler, state shared between the stacked modules, and this
    // module's own name-value options from the configuration entry
    void initialize(Subject subject, CallbackHandler callbackHandler,
                    Map<String, ?> sharedState, Map<String, ?> options);
    // 1st authentication phase
    boolean login() throws LoginException;
    // 2nd authentication phase
    boolean commit() throws LoginException;
    boolean abort() throws LoginException;
    boolean logout() throws LoginException;
}

The LoginContext object instantiates each configured LoginModule through its public no-argument constructor and then calls its initialize method, passing the Subject, the CallbackHandler, a Map of state shared between the stacked modules, and the module's own configuration settings as a Map of name-value pairs. The LoginModule uses these settings for the actual authentication, for example to locate the database it validates passwords against. Sometimes an individual LoginModule needs to communicate with the user to obtain details for the authentication, for example to prompt for a user name and password. This communication is achieved through a javax.security.auth.callback.CallbackHandler object. The application implements this interface and passes an instance to the LoginContext, which hands it to every LoginModule in initialize (not through a constructor). The LoginModule then requests whatever it needs by calling the handler's handle method with an array of Callback objects describing those needs. A typical callback handler implementation could be as shown below -

import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Application-side handler that answers a LoginModule's callbacks from the console.
public class ConsoleCallbackHandler implements CallbackHandler {
    private final BufferedReader in = new BufferedReader(new InputStreamReader(System.in));

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                // prompt the user for a username
                NameCallback nc = (NameCallback) callbacks[i];
                // ignore the provided defaultName
                System.err.print(nc.getPrompt());
                System.err.flush();
                nc.setName(in.readLine());
            } else if (callbacks[i] instanceof PasswordCallback) {
                // prompt the user for sensitive information
                PasswordCallback pc = (PasswordCallback) callbacks[i];
                System.err.print(pc.getPrompt());
                System.err.flush();
                char[] password = readPassword();
                pc.setPassword(password);     // the callback keeps its own copy ...
                Arrays.fill(password, '\0');  // ... so ours can be wiped right away
            } else {
                throw new UnsupportedCallbackException(
                        callbacks[i], "Unrecognized Callback");
            }
        }
    }

    // Read the password without echo when a console is attached (java.io.Console);
    // fall back to an echoed line from stdin otherwise, e.g. when run under an IDE.
    private char[] readPassword() throws IOException {
        Console console = System.console();
        if (console != null) {
            char[] pw = console.readPassword();
            return pw == null ? new char[0] : pw;
        }
        String line = in.readLine();
        return line == null ? new char[0] : line.toCharArray();
    }
}

2-Phase authentication

The 2-phase authentication involves -
  • login() call on all LoginModules
  • On successful overall authentication (see above), commit() call on all LoginModules
  • On unsuccessful overall authentication, abort() call on all LoginModules
LoginContext calls login() on each of the configured LoginModule objects. A LoginModule is expected to perform its authentication here but not yet update the Subject with a Principal; it stores its result privately. After authenticating, a LoginModule either returns true, indicating success, or throws a LoginException, indicating failure. A false return indicates that the LoginModule should be ignored: it does not take part in this login (for example because the configured mechanism does not apply to this user).

A point to note here is that if a LoginModule has stack flag Requisite and its login() fails, or has stack flag Sufficient and its login() succeeds (with no earlier Required or Requisite failure), login() is not called on the subsequent LoginModules; this is as required by the stack flag meaning (see above). For a Required or Optional module, on the other hand, a LoginException thrown from login() is only recorded by LoginContext: the remaining modules still have their login() called, and the recorded exception is thrown back after the abort phase. In practice this means a failure in one Required module neither hides nor skips the prompts of the modules behind it. If the JDK release you run on stops the walk as soon as any module throws, that is a deviation from the documented control-flag semantics and is worth verifying with a test before relying on the stack ordering.

If overall authentication is successful, the authentication process proceeds to call commit() on all LoginModules. They are now expected to update the Subject with their module-specific principals (and, where applicable, credentials). On successful completion of this step the application can obtain the authenticated Subject from LoginContext.getSubject() and the login process is considered complete.

On the other hand, if overall authentication is not successful, abort() is called on each of the LoginModules; each is expected to clean up any state it holds. abort() is also called on each LoginModule if the commit() phase fails after a successful login() phase, in which case a module that has already added principals in commit() must remove them again. After abort() has run, the original LoginException is thrown back to the application.
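Putting the pieces together, here is an added, complete example (not code from the original post or from the JDK) of the two-phase protocol described in this section: a LoginModule that keeps its phase-1 result private, touches the Subject only in commit(), and undoes that in abort() and logout(); a programmatic Configuration entry equivalent to a `required` line in a login configuration file; a non-interactive CallbackHandler; and a driver that runs one successful and one failed login. Everything is an assumption of the example: the class names, the constructed in-memory user table with the credentials "alice" / "correct horse" (a real module would store salted password hashes and compare fixed-length digests), and the use of the JDK's javax.security.auth.x500.X500Principal as the principal type. Requires Java 11 or later; compile and run with `javac JaasTwoPhaseDemo.java && java JaasTwoPhaseDemo`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class JaasTwoPhaseDemo {

    /** Hypothetical module over a constructed in-memory table; a real one would hold salted password hashes. */
    public static final class MapLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = Map.of("alice", "correct horse".toCharArray());
        private Subject subject;
        private CallbackHandler handler;
        private String authenticatedUser;   // phase-1 result, kept private until commit()
        private X500Principal principal;    // what we added to the Subject, so abort()/logout() can take it back

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;          // handed over by LoginContext, not through a constructor
        }

        @Override public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler available");
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            String user = nc.getName() == null ? "" : nc.getName();
            char[] supplied = pc.getPassword() == null ? new char[0] : pc.getPassword();
            pc.clearPassword();
            try {
                // compare even for unknown users, so response time does not reveal which names exist
                char[] expected = USERS.getOrDefault(user, "no such user".toCharArray());
                if (!(USERS.containsKey(user) & constantTimeEquals(expected, supplied)))
                    throw new FailedLoginException("bad user name or password");
                authenticatedUser = user;
                return true;
            } finally { Arrays.fill(supplied, '\0'); }   // never leave password material lying around
        }

        @Override public boolean commit() throws LoginException {
            if (authenticatedUser == null) return false;   // our login() did not succeed: nothing to commit
            if (subject.isReadOnly()) throw new LoginException("Subject is read-only");
            principal = new X500Principal("CN=" + authenticatedUser);
            subject.getPrincipals().add(principal);        // the Subject is modified only here
            return true;
        }

        @Override public boolean abort() { return clear(); }   // overall login failed, or a later commit() did
        @Override public boolean logout() { return clear(); }  // undo a committed login

        private boolean clear() {
            if (principal != null) subject.getPrincipals().remove(principal);
            authenticatedUser = null; principal = null;
            return true;
        }

        // Runs in time that depends only on the shorter length, not on where the arrays first differ.
        private static boolean constantTimeEquals(char[] a, char[] b) {
            int diff = a.length ^ b.length;
            for (int i = 0; i < Math.min(a.length, b.length); i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }

    /** Programmatic equivalent of the file entry:  Demo { JaasTwoPhaseDemo$MapLoginModule required; }; */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return "Demo".equals(name) ? new AppConfigurationEntry[] { new AppConfigurationEntry(
                MapLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) } : null;
        }
    };

    /** Non-interactive CallbackHandler with fixed (constructed) credentials, so the demo needs no console. */
    static CallbackHandler fixed(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        };
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        LoginContext lc = new LoginContext("Demo", subject, fixed("alice", "correct horse"), CONFIG);
        lc.login();                                                     // phase 1 login(), then phase 2 commit()
        System.out.println("after login:  " + subject.getPrincipals()); // [CN=alice]
        lc.logout();
        System.out.println("after logout: " + subject.getPrincipals()); // []
        Subject untouched = new Subject();
        try {
            new LoginContext("Demo", untouched, fixed("alice", "wrong"), CONFIG).login();
        } catch (LoginException e) {                                    // login() threw, abort() ran, Subject still empty
            System.out.println("failed as expected: " + e.getMessage() + ", principals=" + untouched.getPrincipals());
        }
    }
}
```

Two design points are worth noticing. The module never keeps the supplied password beyond login(): the char[] is wiped in a finally block, which is the reason JAAS hands passwords around as char[] rather than String. And because the Subject is only modified in commit(), a failure anywhere in the stack leaves the Subject exactly as the application created it, so the application can safely reuse it for another attempt.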
