
EP127 Implementing Security in Enterprise Portals

EP127 Implementing Security in Enterprise Portals. Thomas J. Parenty Information Security Consultant tom@parenty.com. Risks and Attack Sources Security Goals and Technologies EP Security Architecture & Functionality User Authentication Access Control Administration Futures.



Presentation Transcript


  1. EP127 Implementing Security in Enterprise Portals • Thomas J. Parenty • Information Security Consultant • tom@parenty.com

  2. Topics
     • Risks and Attack Sources
     • Security Goals and Technologies
     • EP Security Architecture & Functionality
     • User Authentication
     • Access Control
     • Administration
     • Futures

  3. Risks
     • Data Disclosure: Communication-Based; Access Control-Based
     • Data Corruption: Communication-Based; Access Control-Based
     • Impersonation
     • Denial of Service

  4. Attack Sources
     • Outside Hackers
     • Application Developers
     • Legitimate Users

  5. Security Goals
     • Confidentiality of Data
     • Integrity of Data
     • Availability of Service
     • Non-Repudiation

  6. Security Technologies
     • User Authentication: Passwords, Digital Certificates, Tokens, …
     • Single Sign-On
     • Encryption, Digital Signatures, Message Digests
     • Access Controls

  7. EP Security Architecture (diagram)
     • User → Web Server (Servlet) → Application Server (Connection Manager, Secure Business Objects, Components) → Access Control DB
     • Backends behind the application server: Legacy Data, ASE, Oracle, SAP, PeopleSoft, IBM

  8. EP Security Architecture: Major Components
     • Connection Manager
     • Access Control Database
     • Secure Business Objects

  9. Connection Manager
     • Responsible for: Authenticating Portal Users; Maintaining Security-Session State; Making Access Control Decisions
     • Talks to Access Control Database
     • Natively supports: Username/Password Authentication; Digital Certificate-Based Authentication

  10. Connection Manager
     • Two Aspects: Servlet on Web Server; Component in Application Server
     • If Web Browser Client: Servlet is Invoked; Servlet Communicates with Component
     • If Non-Browser Client: Component Invoked directly

  11. Connection Manager & Servlet: User Login (diagram)
     • User → HTTP → Web Server (Servlet) → Portal Application Server (Connection Manager) → Access Control DB
     • The Connection Manager looks up the user's security information in the Access Control DB

  12. The Access Control Database
     • ASE Database Structured as LDAP
     • Security Policy Information
     • Authentication Information: Password; Digital Certificate; Call to Authentication API
     • Authorization Information: Roles; Permissions

  13. A Portal User Record
     • Portal-Wide User ID
     • Portal Authentication Info or API
     • Profile
     • Roles & Organizations
     • Access Permissions
     • Application: Authentication Info or API

  14. Multi-Tier Single Sign-On (diagram)
     • Other portal applications may have their own Username/password
     • 1. Login to Portal: Msmith, portalPwd
     • 2. Msmith, portalPwd → Connection Manager
     • 3. Connection Manager resolves SAP, mary, SAPpwd
     • 4. "mary" "SAPpwd" → SAP Application (Java)
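The multi-tier single sign-on walkthrough above, together with the authorization-service record described later in the deck (service name, backend username/password and data source URL, all stored encrypted), can be modelled end to end. The following is an added example, not code from the presentation or from the Sybase Enterprise Portal product: it assumes an in-memory stand-in for the Access Control Database, a hypothetical master key, and a demonstration HMAC-based keystream cipher with encrypt-then-MAC in place of whatever the product uses for stored fields. The portal password is held only as a salted PBKDF2 hash; the backend credential is decrypted only for the backend connection, never returned to the browser.

```python
import hashlib
import hmac
import secrets

# Constructed sample stores standing in for the Access Control Database (ACDB).
PORTAL_USERS = {}     # portal username -> (salt, PBKDF2 hash of the portal password)
AUTH_SERVICES = {}    # (portal username, service name) -> encrypted authorization-service record
SESSIONS = {}         # session handle -> portal username (security-session state)

# Hypothetical master key; a real deployment keeps this outside the ACDB (HSM/KMS).
MASTER_KEY = b"demo-master-key-not-for-production"
ENC_KEY = hmac.new(MASTER_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(MASTER_KEY, b"mac", hashlib.sha256).digest()


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter keystream. Demonstration cipher only; it stands in
    for the authenticated cipher a real deployment would use for stored fields."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(plaintext: str) -> bytes:
    """Encrypt-then-MAC one stored field: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(blob: bytes) -> str:
    """Verify the tag before decrypting; a tampered record is rejected, not decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("stored field failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()


def add_portal_user(username: str, password: str) -> None:
    """Store only a salted PBKDF2 hash of the portal password (authentication info)."""
    salt = secrets.token_bytes(16)
    PORTAL_USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def add_authorization_service(username, service, backend_user, backend_pwd, url) -> None:
    """Authorization-service record: service name, backend username/password,
    data source URL; every field stored encrypted."""
    AUTH_SERVICES[(username, service)] = {
        "user": encrypt_field(backend_user),
        "password": encrypt_field(backend_pwd),
        "url": encrypt_field(url),
    }


def login(username: str, password: str):
    """Steps 1-2: the Connection Manager authenticates the portal credential and
    opens a security session. Returns the session handle, or None on failure."""
    # Unknown users get a dummy record so the PBKDF2 cost is paid either way.
    salt, stored = PORTAL_USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if username not in PORTAL_USERS or not hmac.compare_digest(candidate, stored):
        return None
    handle = secrets.token_hex(16)
    SESSIONS[handle] = username
    return handle


def resolve_backend_credentials(session_handle: str, service: str):
    """Steps 3-4: map an authenticated portal session to the subject's backend
    credential for one service. The decrypted credential goes to the backend
    connection (e.g. through an SBO), never back to the browser."""
    username = SESSIONS.get(session_handle)
    if username is None:
        return None
    record = AUTH_SERVICES.get((username, service))
    if record is None:
        return None
    return tuple(decrypt_field(record[k]) for k in ("user", "password", "url"))


def stored_record_reveals(username: str, service: str, needle: str) -> bool:
    """True if the plaintext `needle` is visible in the stored (encrypted) record."""
    return any(needle.encode() in blob for blob in AUTH_SERVICES[(username, service)].values())


# Constructed setup mirroring the slide's walkthrough (Msmith/portalPwd -> SAP mary/SAPpwd).
# The SAP URL is a placeholder; the JDBC URL is the deck's own example.
add_portal_user("Msmith", "portalPwd")
add_authorization_service("Msmith", "SAP", "mary", "SAPpwd", "sap://host-placeholder")
add_authorization_service("Msmith", "JDBC", "msmith_db", "dbPwd", "jdbc:sybase:Tds:host1:2638")
```

A wrong portal password, an unknown user, an unknown session handle and a service with no record all yield None, and the stored SAP record does not contain the plaintext backend password.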

  15. Secure Business Object (SBO)
     • Acts as "Guard" for Data Store
     • Interfaces with Connection Manager
     • XML Requests Sent to SBO
     • EJB Component in Application Server

  16. Types of SBOs
     • JDBC: Secures Access to JDBC Data Source
     • PortalSearch: Secures Access to Portal Search Engine and its Databases
     • EJB: Secures Access to EJB Components in Portal Application Server; Includes AI (Application Integration) Components for CORBA Applications

  17. SBOs in Action: Portal Search Services (diagram: User, SBO for PortalSearch, Connection Manager, PortalSearch Component, EJB)
     • 1. Session handle & XML request (User → SBO for PortalSearch)
     • 2. Get profile and check permissions for the requested actions (SBO → Connection Manager)
     • 3. Lookup permissions
     • 4. Translate XML request into correct syntax
     • 5. Connect and Submit search request (SBO → PortalSearch Component)

  18. The System Security Officer (SSO)
     • Defines Portal Security Infrastructure
     • Monitors Portal Security
     • Administers Access Control Database
     • Uses Portal Security Manager Application

  19. Setting Up Enterprise Portal Security
     • Create Organizational Hierarchy
     • Create Subjects and Define Roles
     • Authorization Services
     • Define Permission Objects
     • Define Security Labels (Access Control Entries)

  20. Roles
     • Describes Subject's Function in Organization
     • A Role May be Shared by Multiple Subjects
     • A Subject May Have Multiple Roles

  21. Authorization Services
     • Service Name
     • Subject's Username and Password for Specific Backend Data Source
     • URL for Data Source (Example: jdbc:sybase:Tds:host1:2638)
     • All Fields Stored Encrypted

  22. Authorization Services: Single Sign-On (diagram)
     • Portal Security Manager: Add Subject; Authorization Service
     • Java SSO ↔ Access Control DB
     • Corp DB Usernames & Passwords
     • Legacy Systems (mainframe, CICS, other)

  23. Permission Objects
     • Defines a Set of Access Rights
     • Includes One or More Selected Permissions: Create, Update, Execute, Read, Delete, etc.

  24. Security Label (Access Control Entry)
     • Defines Permitted Operations
     • Includes: Subject; Organization; Role; Permission; Asset
     • Verified at Runtime
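Slides 19 through 24 describe the setup sequence (organizational hierarchy, subjects and roles, permission objects, security labels) and the runtime check an SBO asks the Connection Manager to make (slide 17, steps 2 and 3). The following is an added example, not the product's code: an in-memory model of those objects with a default-deny `check`, plus the authorization step of the SBO flow over a constructed XML request. Two points are assumptions rather than statements from the deck: a label placed on an organization applies to subjects in its descendant organizations, and a label whose role or subject is left unset applies to any role or subject in that organization. The request attribute names (`asset`, `action`) are also assumed.

```python
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

PERMISSIONS = {"create", "read", "update", "delete", "execute"}


@dataclass(frozen=True)
class Subject:
    name: str
    organization: str
    roles: frozenset          # a subject may hold several roles


@dataclass(frozen=True)
class PermissionObject:
    name: str
    permissions: frozenset    # one or more selected permissions


@dataclass(frozen=True)
class SecurityLabel:
    """Access control entry: organization, role, subject, permission object, asset.
    None for role or subject means "any" within the organization (assumption)."""
    organization: str
    role: Optional[str]
    subject: Optional[str]
    permission_object: str
    asset: str


class AccessControlDB:
    def __init__(self):
        self.orgs = {}                 # org -> parent org (None at the root)
        self.subjects = {}
        self.permission_objects = {}
        self.labels = []

    def add_organization(self, name, parent=None):
        if parent is not None and parent not in self.orgs:
            raise ValueError(f"unknown parent organization {parent}")
        self.orgs[name] = parent

    def add_subject(self, name, organization, roles):
        if organization not in self.orgs:
            raise ValueError(f"unknown organization {organization}")
        self.subjects[name] = Subject(name, organization, frozenset(roles))

    def add_permission_object(self, name, permissions):
        unknown = set(permissions) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions {sorted(unknown)}")
        self.permission_objects[name] = PermissionObject(name, frozenset(permissions))

    def add_label(self, organization, role, subject, permission_object, asset):
        if permission_object not in self.permission_objects:
            raise ValueError(f"unknown permission object {permission_object}")
        self.labels.append(SecurityLabel(organization, role, subject, permission_object, asset))

    def _org_chain(self, org):
        """Yield org and its ancestors; labels on an ancestor reach descendants (assumed)."""
        while org is not None:
            yield org
            org = self.orgs.get(org)

    def check(self, subject_name, asset, action) -> bool:
        """Runtime verification of security labels. Default deny."""
        subject = self.subjects.get(subject_name)
        if subject is None or action not in PERMISSIONS:
            return False
        orgs = set(self._org_chain(subject.organization))
        for label in self.labels:
            if label.asset != asset or label.organization not in orgs:
                continue
            if label.subject is not None and label.subject != subject.name:
                continue
            if label.role is not None and label.role not in subject.roles:
                continue
            if action in self.permission_objects[label.permission_object].permissions:
                return True
        return False


def authorize_sbo_request(acdb: AccessControlDB, subject_name: str, xml_request: str) -> bool:
    """SBO flow steps 2-3: take asset and action from the XML request and ask the ACDB.
    For untrusted XML in production, parse with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(xml_request)
    asset, action = root.get("asset"), root.get("action")
    if not asset or not action:
        return False
    return acdb.check(subject_name, asset, action)


def build_sample_acdb() -> AccessControlDB:
    """Constructed sample: Corp with two child organizations, two subjects, two labels."""
    db = AccessControlDB()
    db.add_organization("Corp")
    db.add_organization("Sales", parent="Corp")
    db.add_organization("Engineering", parent="Corp")
    db.add_subject("msmith", "Sales", {"analyst"})
    db.add_subject("jdoe", "Engineering", {"developer"})
    db.add_permission_object("SearchExec", {"read", "execute"})
    db.add_permission_object("ReadOnly", {"read"})
    db.add_label("Corp", "analyst", None, "SearchExec", "PortalSearch")   # any analyst under Corp
    db.add_label("Sales", None, "msmith", "ReadOnly", "SalesDB")          # only msmith, within Sales
    return db
```

With the sample data, the analyst in Sales may execute portal searches (the label sits on the parent organization) and read SalesDB but not delete it; the developer in Engineering gets neither, and a request that omits the action is refused rather than passed through.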

  25. Futures
     • PKI Integration: Stored Data Encryption; Digital Signatures
     • Fine-Grained Access Control
     • LDAP Support
     • Closer Integration: Content Management; Existing User Directories

  26. EP127 Implementing Security in Enterprise Portals • Thomas J. Parenty • Information Security Consultant • tom@parenty.com
