|
|
This section describes the Web Server Security Service Module, including tasks that you must perform after installing and completing the post-installation tasks. See Installing Security Service Modules for information about how to install the Web Server Security Service Module for Microsoft IIS or the Apache Web Server. The following topics are covered in this section:
This section includes the following topics describing the Web Server SSMs:
An ALES Web Server SSM provides the environmental bindings between the ALES and a web server. It can provide six distinct services: Registry, Authentication, Authorization, Auditing, Role Mapping, and Credential Mapping.
A Web Server SSM makes access decisions for the web server to which it is bound. The security configuration on which the access control decisions are based is defined and deployed by the Administration Server via the Security Control Module.
A Web Server SSM can be tailored to specific needs. Using templates provided as part of the product, security developers can customize the look and feel of authentication pages and configure parameters that allow fine tuning for a particular installation. Web applications can have information added to the HTTP request by the security framework, such as roles and response attributes.
ALES provides three Web Server SSMs: IIS Web Server SSM (SSM), Apache Web Server SSM, and Web Services SSM (see Figure 5-2).
The environmental binding is used to bind to and interact with web servers. Binding a Web Server SSM to the server projects the ALES subsystem into the web server environment. The SSM accepts HTTPS requests from the web server and presents them to the ALES security framework.
Bindings are provided for two types of web servers: ASF Apache and Microsoft IIS. The second function is ultimately for enforcing access control and providing a means of implementing the SAML Browser/POST profile. Additionally, the Web Server SSM implements the server-side includes (SSIs) that process SAML Browser/POST profile.
This section describes the Web Server SSM features in the following sections
This section covers the following topics:
Web single sign-on enables users to log on to one web server and gain access to other web servers in the same domain without supplying login credentials again, even if the other web servers have different authentication schemes or requirements. Figure 5-3 shows the basic components of a web single sign-on service.
While web single sign-on facilitates access and ease of use, it does not improve security. In fact, security requirements should be considered when implementing a web single sign-on solution.
The Web Server SSM supports the following single sign-on (SSO) use cases.
The Web Server and WebLogic Server SSMs support single sign-on using the ALES Identity Assertion provider. For instructions on how to implement Single Sign-On, see Enabling SPNEGO-based Single Sign-on.
The authentication service supports the following features:
| Note: | If a new callback type is encountered during authentication, the Web Server SSM ignores it. |
The authorization service supports the following features:
.." and decodes URL encoding. The resource is presented as the path element of a URL and the file or application name. For example, http://www.example.com/framework.jsp?CNT=index.htm&FP=/products/aqualogic/ is presented as /framework.jsp. The query arguments CNT and FP and associated values are made available in the application context.isAuthenticationRequired() method to check if a resource is protected by a security system. This feature is important because you may want to leave some web server resources unprotected.The auditing service has the following capabilities:
The role mapping service supports hard-coded roles in applications. Generally hard-coding behavior into an application based on roles is not recommended. It is possible, however, that some customers may need to replace an existing system that uses this mechanism or may want to use roles for user interface personalization. Support for this feature requires that a list of mapped roles available from a security provider for a particular request be provided in a usable form by applications running within the web server.
| Note: | It is important to note that roles are not global in ALES but can change depending upon the resource and various elements of the context. |
ALES defines two types of credential objects: username/password credentials and generic credentials; however, there is no limitation as to the format of objects that can be used. Credentials can be mapped and associated with a resource and identity or an alias.
The credential mapping service has the following features:
Administering the security configuration involves writing policies for users, groups, roles, and the web application resources that the SSM protects. The Web Server SSM has the following features:
To manage session behavior, the Web Server SSM supports the following capabilities:
The web server is configured to use the filter component of the Web Server SSM. Local configuration of the web server should only be necessary once and should be static. The Web Server SSM has the following configuration capabilities:
The Web Server SSM has the following constraints and limitations:
This section provides an overview of integration tasks. Integration tasks center on managing SSM configurations (including the security providers) and configuring the web server to use the web filters. For additional information, see Installing Security Service Modules.
The major tasks performed are:
During the instance creation process, the default.properties configuration file is created. This file contains the connection information for the ALES services.
Developing a policy for a web application typically begins by determining which resources you want to protect. You then create authorization mapping policies to define access privileges and roles for each resource, and under what specific conditions. Next, you create role mapping policies that control which users and groups have membership in the defined roles, and under what conditions.
This section describes how to create resources and define authorization and role mapping policies to protect a sample Web server application. This section also describes how to deploy this policy to the Web Services SSM that you will use to control access to sample Web server application resources.
AquaLogic Enterprise Security provides three tools for configuring application policy: the Administration Console, the Policy Import Tool, and Business Logic Manager (BLM) API. In this section you are directed to use the Administration Console to configure policy.
For more information on how to use the Administration Console to configure policy, see the Policy Managers Guide and Console Help.
For instructions on how to use the Policy Import Tool to import policy files, see the Importing Policy section in the Policy Managers Guide.
For information on the BLM, see the BLM API Javadocs.
To configure and deploy policy for the Web Server SSM, perform the following tasks:
This section describes how to use the Administration Console to create resources for the sample web server application resource.
Figure 5-6 shows the resources that you must create for the sample IIS Web Server configuration. You create the same resources for the Apache Web Server, except that you assign the NamePasswordForm a file extension of .html, instead of .acc.
To create these resources, perform the following steps:
ssmws, select Binding from the Type drop-down list box, and click Ok. The ssmws resource appears under the Policy node.ssmws resource and click Configure. The Configure Resource dialog box appears.ssmws resource and click New. The Create Resource dialog box appears.favicon.ico, and click Ok. The resource appears under ssmws.| Note: | The favicon.ico file is an icon requested by the Internet Explorer and Mozilla browsers for bookmarking a URL. |
ssmws resource and click New. The Create Resource dialog box appears.test, and click Ok. The resource appears under ssmws.test resource and click New. The Create Resource dialog box appears.foo.html and click Ok. The foo.html resource appears under the test resource.test resource and click New. The Create Resource dialog box appears.NamePasswordForm.acc for IIS (or NamePasswordForm.html for Apache), and click Ok. The resource appears under test.This section describes how to use the Administration Console to create authorization and role mapping policies to protect the sample Web server application resources. It includes authorization policies for the HTML files and role mapping policies to assign membership to those roles.
Table 5-1 lists and describes the authorization policies that you will create to protect the sample Web server application resources. These authorization policies allow users who are members of the Everyone role the Get access privilege to the favicon.ico and GET and POST access privileges to NamePasswordForm.acc (so users who have membership in the Everyone role can access the username/password form when authentication for a protected resource is needed). The policy also restricts access to foo.html to users in the Admin role.
To create the authorization polices listed in Table 5-1, perform the following steps:
GET privilege from the Select Privileges from Group list box and add it to the Selected Privileges box. favicon.ico resource from the Child Resource box and add it to the Selected Resources box. Everyone role from the Roles List box, add it to the Selected Policy Subjects box, and click Ok. Admin role is assigned to the foo.html resource.This section describes how to use the Administration Console to modify the role mapping policies that will be used to control access to the sample Web Server application resources.
To modify the Admin and Everyone role mapping policies, perform the following steps:
Admin role for ASI, and click Edit. The Edit Role Policy dialog appears.ssmws resource, and click Ok.Everyone role to add ssmws to the Everyone role.
For the sample Web server application, the Application Deployment Parent setting on the ASI Authorization provider and the ASI Role Mapping provider must be set to //app/policy/ssmws and must be bound to the provider.
To configure these providers, perform the following steps:
//app/policy/ssmws, and click Apply.//app/policy/ssmws to this provider.To configure the ALES Identity Assertion and ALES Credential Mapping providers, perform the following steps:
| Note: | The ALES Identity Assertion provider and the ALES Credential Mapping provider work with one another; therefore, it is important that you ensure that their configuration settings match. |
Distribute the policy and security configuration to the Web Server SSM.
For information on how to distribute policy and security configuration, see the Console Help. Be sure to verify the results of your distribution.
The Web Server Environmental Binding configuration procedures vary depending on the type of Web Server SSM you are configuring. AquaLogic Enterprise Security supports two Web server SSMs that require configuration of the Web Server Environmental Binding: the Microsoft IIS Web Server SSM and the Apache Web Server SSM. For configuration instructions, see the appropriate topic below:
To configure the environmental binding for Microsoft IIS Web Server, perform the following tasks:
| Note: | This task assumes you have created an instance of the IIS Web Server SSM according instructions provided in Creating an Instance of a Security Service Module in Installing Security Service Modules. |
The IIS Web Server Binding plug-in file is named wles_isapi.dll. This file is located in the BEA_HOME\ales25-ssm\iis-ssm\lib directory.
To configure the Microsoft IIS Web Binding plug-in, perform the following steps:
wles_isapi.dll file (which is located in BEA_HOME\ales25-ssm\iis-ssm\lib directory), and click OK. 
Read and Read/Execute permissions on the following directories:BEA_HOME\ales25-ssm\iis-ssm\libBEA_HOME\ales25-ssm\iis-ssm\instance\iisssmdemo\sslBEA_HOME\ales25-ssm\iis-ssm\instance\iisssmdemo\config
NamePasswordForm.acc file in a virtual directory, repeat the previous step for the virtual directory as well.
wles_isapi.dll file to the Executable field, fill in the other fields as shown in Figure 5-11, and click OK.wles_isapi.dll file again and start the IIS Web Server.| Note: | Be sure to start the IIS Web server with IIS SSM after you have started the Web Services SSM and ARME. |
Configure the NamePasswordForm.acc file for the IIS Web Server as follows:
<FORM METHOD=POST ACTION="test/NamePasswordForm.acc">
To set up the sample web application, perform the following steps:
| Note: | The Web Services SSM must be started before you perform this task because the filter and extension attempt to connect to the Web Services SSM when they are loaded by the Web server. |
IIS Server/wwwroot/test directory as shown in Figure 5-12 and copy the following files to the test directory:NamePasswordForm.acc foo.htmlatnfailure.htmlatzfailure.html| Note: | The NamePasswordForm.acc file is provided in the BEA_HOME\ales25-ssm\iis-ssm\instance\<instancename>\templates directory. The foo.html, atnfailure.html and atzfailure.html files are not provided in the product installation kit. You should use your own versions of these files. |
http://<machine_name_with DNS_suffix>:80/test/foo.html. NamePasswordForm.acc. foo.html.To configure the Apache Web Server, perform the following tasks:
To download and install the Apache Web Server software, perform the following steps:
ServerRoot/modules/mod_include.soServerRoot/modules/mod_ssl.so
where ServerRoot is the Apache installation directory.
| Note: | The Apache Web Server Security Service Module (SSM) requires that the above two modules be included in the Apache installation; otherwise the Secure Sockets Layer (SSL) and the Security Assertion Markup Language (SAML) server-server include (SSI) related functions will not work. |
| Note: | You may build your own 2.0.x version of the Apache Web Server with the above mentioned modules. If the modules are built into Apache, there may be no such files. |
| Note: | This task assumes you have created an instance of the Apache Web Server SSM according instructions provided in Creating an Instance of a Security Service Module in Installing Security Service Modules. |
The ALES module contains only one file. For Windows, the file name is mod_wles.dll. For Sun Solaris and Linux, the file name is mod_wles.so.
To install and configure the ALES module:
ServerRoot/conf/httpd.conf file and add a LoadModule directive. There are several LoadModule directives in the LoadModule section of the httpd.conf file. Add the following line to the end of the LoadModule section:LoadModule wles_module <APACHE_SSM_HOME>/lib/mod_wles.so
where <APACHE_SSM_HOME> is the Apache Web Server SSM installation directory.
LoadModule wles_module c:\bea\ales25-ssm\apache-ssm\lib\mod_wles.dll
LoadModule wles_module /home/tiger/bea/ales25-ssm/apache-ssm/lib/mod_wles.so
WLESConfigDir directive right after the above LoadModule directive as follows:<IfModule mod_wles.cpp>
WLESConfigDir <APACHE_SSM_HOME>/instance/<instance_name>/config
</IfModule>
where the config directory is the directory that contains the default.properties file.
| Note: | In the IfModule condition, be sure to specify mod_wles.cpp, not mod_wles.c. |
ServerName. For example:ServerName www.yourservername.com:8080
asiusers group so it can read the mod_wles file and other required files: Group asiusersenvvars file in the ServerRoot/bin directory, appending the directory where mod_wles.so resides to the default LD_LIBRARY_PATH, so that the file looks like this: LD_LIBRARY_PATH="/www/apache/lib:$LD_LIBRARY_PATH:<APACHE_SSM_HOME>/lib"| Note: | This step ensures that the Apache Web Server can load the dependency libraries for the mod_wles file. |
ctl script to start or restart Apache Web Server in the ServerRoot/bin directory.
Configure the NamePasswordForm.html file for the Apache Web Server as follows:
<FORM METHOD=POST ACTION="/test/NamePasswordForm.html">
To set up the sample web application, perform the following steps:
Apache Server/wwwroot/test directory as shown in Figure 5-13 and copy the following files to the test directory:NamePasswordForm.htmlfoo.htmlatnfailure.htmlatzfailure.html| Note: | The NamePasswordForm.html file is provided in the BEA_HOME\ales25-ssm\apache-ssm\instance\<instancename>\templates directory. The foo.html, atnfailure.html and atzfailure.html files are not provided in the product installation kit. You should use your own versions of these files. |
http://<hostmachine.cookiedomain>:8088/test/foo.html. NamePasswordForm.html foo.html.
You can configure web single sign-on (SSO) for the following use cases:
With SSO configured, any user that authenticates to one Web Server SSM can access any other Web Server SSM in the cookie domain without having to re-authenticate.
With SSO configured, any user that authenticates to one Web Server SSM can access any other WebLogic Server SSM in the cookie domain without having to re-authenticate. However, a user that authenticates to a WebLogic Server SSM cannot access another WebLogic Server SSM or another Web Server SSM without re-authenticating.
For configuration instructions, see the following topics:
To configure Web Server SSM to Web Server SSM to support web single sign-on, perform the following steps:
For instructions on how to perform the above steps, see the Console Help for the Administration Console.
To configure Web Server SSM to WebLogic Server SSM to support web single sign-on, perform the following steps:
For instructions on how to perform the above steps, see the Console Help.
The Web Server SSM has a configuration file named default.properties. All configuration settings for the Web Server SSM instance are defined in this file. This file is pre-configured and placed in the proper location for you.
If you want to edit the default.properties file for your particular environment, refer to the parameters descriptions in the following sections:
The AquaLogic Enterprise Security services are stateless services; it is the calling Web Services client that is responsible for determining session related information. In addition, in a web environment, a session does not necessarily end with an explicit logout, so session termination must be inferred from a lack of activity.
Table 5-4 describes the settings used to manage session behavior. You use these settings to configure the Web server session related behavior for the security configuration to which it applies.
Table 5-5 describes the settings that you use to configure the Web server authentication behavior for the security configuration to which it applies. Also, for information on mapping JAAS Callbacks, see Mapping JAAS Callback Type to Form and Form Fields.
Given a question, this setting specifies what field on what form will answer that question. Notice that the <prompt> is shown as optional. However, the prompt is required if there are multiple callbacks of the same type, because there is no other way for the SSM to distinguish identical callback types. The prompt is obtained from the callback by calling the
getPrompt() method, but it is not used in the display of the form. If the prompt setting is missing, then the Web Server SSM attempts to answer the callbacks in the order of the settings. If the order does not match the order of the providers, then authentication fails. For more information on using this setting, see Mapping JAAS Callback Type to Form and Form Fields.
|
|
Table 5-6 describes the different types of authentication callbacks that are supported by the Web Server SSM.
There are two required and one optional configuration setting that specify what form and what field contain the information required to satisfy the authentication callbacks. The credential gathering form must use an HTTP POST method to specify this information. Listing 5-1 shows an example of how to use the POST method in the credential gathering form.
<FORM METHOD=POST ACTION="LoginNamePwdTextIn.html">
<!--#AUTHSTATE -->
<TABLE BGCOLOR="C0C0C0"><TR><TD>
<TABLE BGCOLOR="#FFFFFF">
<TR><TD COLSPAN="2" BGCOLOR="#C0C0C0">Please Login</TD></TR>
<TR><TD COLSPAN="2">User Name </TD><TR>
<TR><TD><!--#PROMPT --></TD><TD><INPUT NAME="username"></TD></TR>
<TR><TD COLSPAN="2">Password </TD><TR>
<TR><TD><!--#PROMPT.1--></TD><TD><INPUT TYPE=
PASSWORD NAME="password"></TD></TR>
<TR><TD COLSPAN="2">Input Text </TD><TR>
<TR><TD><!--#PROMPT --></TD><TD><INPUT NAME="textinput"></TD></TR>
<TR><TD COLSPAN="2"> </TD><TR>
<TR><TD COLSPAN="2" ALIGN="CENTER"><INPUT TYPE="SUBMIT" VALUE="OK"></TD><TR>
</TABLE>
</TD></TR></TABLE>
</FORM>
The form field defines the HTTP POST data name that results from a submitted form.
The settings have the following format:
authentication.<callback type>[<prompt>] = <field>:<form URL>
Given a question, this setting specifies what field on what form will answer that question. Notice that the <prompt> is shown as optional. However, if there are multiple callbacks of the same type, the <prompt> is required because there is no other way for the Web Server SSM to distinguish identical callback types. The <prompt> is obtained from the callback by calling the getPrompt() method, but it is not used in the display of the form. If the <prompt> setting is missing, then the Web Server SSM attempts to answer the callbacks in the order of the settings. If the order does not match the order of the authentication providers, then authentication fails.
The supported callback types are: nameCallback, passwordCallback, textInputCallback, textOutputCallback.
Table 5-7 provides examples of callback usage and more information on each supported callback type.
|
|||
authentication.initialForm=/test/NamePasswordForm.html # username/password/textInput
In this example the user will be prompted for username/password. The authentication provider then prompts for the user's mother's maiden name. The Web Server SSM redirects to |
|||
In this example two providers require username/password callbacks, a third provider requires a textInputCallback for mother's maiden name, and a fourth provider requires a textInputCallback for a Social Security number: The prompts distinguish between the two textInputCallbacks.
|
|||
The
textOutputCallback is used to display a message to the user. Because the Web Server SSM does not create or update forms, if it gets a textOutputCallback, it redirects it to the form URL and adds the field as a query string argument and the message value. The application that processes the URL is responsible for parsing the query string and displaying the message.
|
|||
Language callbacks are handled internally by the Web server; the user is never prompted, so no configuration is needed. The user's browser Accept-Language header is checked for the preferred language it supports and that locale is returned to the authentication provider. If the user's browser has no Accept-Language header, the system default locale is used. |
Table 5-8 describes the settings that you use to configure the Web server role mapping behavior for the policy domain to which it applies.
Table 5-9 describes the settings that you use to configure the Web server credential mapping behavior for the policy domain to which it applies.
If set to |
|||
List of credential types to ask for in this policy domain. Only credentials that are mapped and that are supported by configured Credential Mapping provider are returned for a specific request. Therefore, asking for a credential does not guarantee that it is there. For example, to configure credential mapping to support the password for the database server, perform the following steps:
|
|||
Table 5-10 describes the settings that you use to configure the Web Server SSM naming authority.
Specifies the naming authority for the resource. The naming authority is configured in the Web Services SSM. |
|
Specifies the URL of the Web Services Registry Service. For example: |
Table 5-11 describes the settings that you use to configure the Web Server SSM naming authority.
The Web Server Security Service Module (SSM) tool kit enables you to access user environment variables using Common Gateway Interface (CGI).
Although security is embedded within the web server itself, requiring no special programming (if the user does not have access, your code will never run), a security administrator may want to use CGI to access and modify environment variables passed in by the Web Server Security Service Module. In order to customize the application according to the details of the security being enforced, a web application may access several environmental values in order to provide a more integrated user experience.
You can use CGI to access the following environment variables:
ALES_IDENTITY—An authentication environment variable. It is available to a CGI programmer after a user successfully authenticates. This variable contains the username of the user, if available. It specifies the name of the HTTP header that will be added. The value of the variable is a list of the identity principals, including username and groups.ALES_DECISIONTIME—An authorization environment variable. It is available to a CGI programmer after a user is authorized to access a secure resource. It contains the date and time this authorization decision was rendered and has this format: "Monday June 23 15:14:21 EDT 2003"ALES_ROLES—A role environment variable that stores a list of roles calculated for the user.CRED is the default. Different credential types are handled differently, but the general format of the variable is: CRED_{NAME}={VALUE}
Password credentials conform to the format
javax.resource.spi.security.PasswordCredential. The ManagedConnectionFactory element of this class is ignored. This credential type is rendered in the CGI environment as:
|
|