

Wednesday, October 31, 2007

Why is WS-Federation necessary when we have SAML v2.0?

This is a commonly asked question in the industry whenever there is any mention of "Federated Identity and related standards".

I have always been an avid supporter of the SAML specifications and was greatly thrilled to see Liberty, Shibboleth and SAML v1.1 find some common ground to beget SAML v2.0.

Now to the original question: who better to answer it than Don Schmidt, a highly respected expert in Federated Identity (Don is a key figure in Microsoft's Federated Identity story).

Here is the link to Don's blog entry:
WS-Federation 1.1 and SAML 2.0 have different goals

WS-Trust is an extremely important specification in the WS-* world. WS-Federation, which extends the WS-Trust token issuance and exchange semantics across security realms, is the natural and necessary next step.

I do hope that all these federated identity and trust related specifications can converge in the near future. It is encouraging to see Kim Cameron preaching the concept of an "Identity Metasystem" that tries to provide a unified view irrespective of the underlying protocols/mechanisms.

Friday, October 26, 2007

Tip10: Generate GUID or UUID

Stefan and I have been discussing the use of java.util.UUID to generate an SSO identifier, similar to what Tomcat's AuthenticatorBase does. Since we wanted to avoid overlap with the random id generated by AuthenticatorBase, I suggested using a UUID.

So we decided to explore the version 1 (time-based) UUID.

After some time, Stefan gave up trying to figure out how to instantiate a version 1 UUID.

We found this mini-FAQ on UUID.

Java UUID Mini FAQ

A version 4 (random) UUID should be sufficient.

An example of UUID usage is here >>>
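As an added example (my own code, not code from the original post or from Tomcat), the following shows what java.util.UUID can and cannot do for this use case. The class has no factory method for version 1 (time-based) UUIDs; it can only parse and inspect them via version(), timestamp() and node(). UUID.randomUUID() returns a version 4 UUID drawn from a cryptographically strong PRNG, which is the property an SSO identifier actually needs: a time-based UUID embeds the clock and the node's MAC address and is therefore guessable. The second method builds a version 4 UUID by hand from a SecureRandom to make the version and variant bit layout visible. Class and method names are mine; the version 1 value parsed in main() is the well-known DNS namespace UUID from RFC 4122, used here only as sample input.

```java
import java.security.SecureRandom;
import java.util.UUID;

/** Added example: generating an unguessable SSO identifier with java.util.UUID. */
public class SsoIdGenerator {

    private static final SecureRandom RNG = new SecureRandom();

    /** Version 4 UUID straight from the JDK (122 random bits, SecureRandom-backed). */
    public static String randomSsoId() {
        return UUID.randomUUID().toString();
    }

    /**
     * The same construction done by hand from two random longs, to show where the
     * version bits (bits 12-15 of the high word = 0100) and the variant bits
     * (top two bits of the low word = 10) live. Use this only when you must feed
     * in your own CSPRNG output; otherwise randomUUID() is the right call.
     */
    public static UUID randomV4FromLongs() {
        long msb = RNG.nextLong();
        long lsb = RNG.nextLong();
        msb = (msb & 0xFFFFFFFFFFFF0FFFL) | 0x0000000000004000L; // set version = 4
        lsb = (lsb & 0x3FFFFFFFFFFFFFFFL) | 0x8000000000000000L; // set IETF variant (10xx...)
        return new UUID(msb, lsb);
    }

    /** java.util.UUID can read a version 1 UUID, but it cannot mint one. */
    public static String describe(UUID u) {
        StringBuilder sb = new StringBuilder(u.toString())
            .append(" version=").append(u.version())
            .append(" variant=").append(u.variant());
        if (u.version() == 1) {
            // timestamp() and node() are only defined for version 1 and throw
            // UnsupportedOperationException for any other version.
            sb.append(" timestamp=").append(u.timestamp())
              .append(" node=").append(Long.toHexString(u.node()));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(describe(UUID.randomUUID()));
        System.out.println(describe(randomV4FromLongs()));
        // Sample version 1 UUID (RFC 4122 DNS namespace): the 60-bit timestamp and
        // the 48-bit MAC address are readable straight out of the identifier,
        // which is why a version 1 value is a poor choice for a session token.
        System.out.println(describe(UUID.fromString("6ba7b810-9dad-11d1-80b4-00c04fd430c8")));
    }
}
```

If a time-based identifier is really required (for ordering, say), generate it with an external library and still append or wrap it with random bits; the ordering property and the unguessability property come from different parts of the value.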

Tip 9: Change SSL Implementation in JBoss/Tomcat

Sometimes you may get errors such as:

java.lang.ClassNotFoundException: Error loading SSL Implementation
:java.lang.ClassNotFoundException: No ClassLoaders found for:

The class named after "No ClassLoaders found for:" is the one given in the connector's SSLImplementation attribute, so the first things to check are that attribute's spelling and that the jar containing the class is on the server's classpath.

If you want to change the SSL implementation to the JBoss SSL implementation (which is not really that big a difference), then take a look at Tip 5.

More specifically at:

<!-- SSL/TLS Connector with encrypted keystore password configuration -->
<Connector port="9943"
    scheme="https" secure="true"
    sslProtocol="TLS"
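As an added example, not the text of Tip 5, here are the two connector forms side by side, together with the JaasSecurityDomain MBean that the JBoss implementation reads the keystore password from. The file locations follow the JBoss AS 4.2 layout (deploy/jboss-web.deployer/server.xml and a -service.xml in deploy/), which is an assumption; the port, keystore path, security domain name, salt and iteration count are placeholders of mine. Verify the attribute names against your release.

```xml
<!-- server.xml: default connector, Tomcat's JSSE implementation.
     The keystore password sits in clear text in the file. -->
<Connector port="8443" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="changeit" />

<!-- server.xml: same connector using the JBoss SSL implementation.
     SSLImplementation is the class the ClassNotFoundException above names
     when it cannot be loaded. keystoreFile/keystorePass move out of server.xml
     into the security domain referenced by securityDomain. -->
<Connector port="8443" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           SSLImplementation="org.jboss.net.ssl.JBossImplementation"
           securityDomain="java:/jaas/encrypt-keystore-password" />

<!-- deploy/keystore-service.xml (name is mine): the JaasSecurityDomain that
     owns the keystore. KeyStorePass does not hold the password itself but points
     at a FilePassword-encrypted file created with:
       java -cp jbosssx.jar org.jboss.security.plugins.FilePassword \
            <salt> <iterations> <password> conf/keystore.password
     Salt and IterationCount here must match the values used for that command. -->
<server>
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
         name="jboss.security:service=PBESecurityDomain">
    <constructor>
      <arg type="java.lang.String" value="encrypt-keystore-password"/>
    </constructor>
    <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/server.keystore</attribute>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/keystore.password</attribute>
    <attribute name="Salt">abcdefgh</attribute>
    <attribute name="IterationCount">13</attribute>
  </mbean>
</server>
```

The gain is modest, as the post says: the password is no longer in server.xml, but the salt and iteration count that unlock it are in the MBean descriptor, so this is obfuscation against casual reading of config files rather than protection against someone with file system access. Lock down the permissions on conf/keystore.password and the keystore itself either way.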

Friday, October 19, 2007

Tip 8: Securing JMX in JBossAS

Some time ago, I wrote a technical white paper on "Securing JMX", basically on how to secure the JMX Console, the Web Console and the invokers.

The JIRA issue for this is: White Paper on JMX Security

Now for the attachments:
Single HTML Page- Technical White Paper on Securing JMX

Monday, October 15, 2007

Instance Based Security

I am getting some requests to produce code to handle Instance Based Security for code that is not tied to the application server, a.k.a. business code. The projects directly affected are JBoss Rules (Drools), jBPM, JBoss Portal and JBoss Seam.

The idea is to provide CRUD-level (create, read, update, delete) access control on individual data objects in data-driven applications, rather than only on types or operations.

In the past, OSAccess from OpenSymphony tried to address this space. Acegi Security for Spring has some support for instance-based ACLs.

Authorization concepts and solutions for J2EE applications is a nice technical article that discusses Role Based Access Control and Instance Based Access Control.

An ACL implementation, which is essentially a lookup keyed by object identity and principal, will be simpler and more performant than an XACML-based implementation, which evaluates policies at request time and also carries a learning curve.
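As an added illustration (my own code, not the API of OSAccess, Acegi or any JBoss project), this shows the two models applied to one data set: the role check answers "may customers update orders at all?", the instance ACL answers "may alice update order 1001 in particular?". The permission bits, the deny-by-default lookup and the sample grants are my design choices and constructed data.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Added example: a role check layered with an instance-level ACL for CRUD on data objects. */
public final class InstanceAcl {

    public static final int CREATE = 1, READ = 2, UPDATE = 4, DELETE = 8;

    /** Role-based part: role -> (object type -> permission mask). */
    private final Map<String, Map<String, Integer>> rolePerms = new HashMap<>();

    /** Instance-based part: "type:id" -> (principal name -> permission mask). */
    private final Map<String, Map<String, Integer>> instancePerms = new HashMap<>();

    private static String objectKey(String type, String id) {
        return type + ":" + id;
    }

    public void grantRole(String role, String type, int mask) {
        rolePerms.computeIfAbsent(role, r -> new HashMap<>())
                 .merge(type, mask, (a, b) -> a | b);
    }

    public void grantInstance(String type, String id, String principal, int mask) {
        instancePerms.computeIfAbsent(objectKey(type, id), k -> new HashMap<>())
                     .merge(principal, mask, (a, b) -> a | b);
    }

    /** RBAC question: does any of the caller's roles allow this operation on the type? */
    public boolean roleAllows(Set<String> roles, String type, int required) {
        for (String role : roles) {
            Map<String, Integer> byType = rolePerms.getOrDefault(role, Collections.emptyMap());
            int mask = byType.getOrDefault(type, 0);
            if ((mask & required) == required) {
                return true;
            }
        }
        return false;
    }

    /**
     * Instance question, asked only after the role check passes: has this principal
     * been granted the bits on this particular object? An object with no ACL entry
     * is denied, so forgetting to register an object fails closed.
     */
    public boolean isGranted(String principal, Set<String> roles,
                             String type, String id, int required) {
        if (!roleAllows(roles, type, required)) {
            return false;
        }
        Map<String, Integer> acl = instancePerms.get(objectKey(type, id));
        if (acl == null) {
            return false;
        }
        int mask = acl.getOrDefault(principal, 0);
        return (mask & required) == required;
    }

    public static void main(String[] args) {
        InstanceAcl acl = new InstanceAcl();
        // Constructed sample policy: customers may read and update orders as a type,
        // auditors may only read them.
        acl.grantRole("customer", "Order", READ | UPDATE);
        acl.grantRole("auditor", "Order", READ);
        // Constructed sample data: alice owns order 1001, bob owns order 1002.
        acl.grantInstance("Order", "1001", "alice", READ | UPDATE | DELETE);
        acl.grantInstance("Order", "1002", "bob", READ | UPDATE | DELETE);

        Set<String> customer = Collections.singleton("customer");
        System.out.println("alice updates her own order 1001: "
            + acl.isGranted("alice", customer, "Order", "1001", UPDATE));
        System.out.println("alice reads bob's order 1002: "
            + acl.isGranted("alice", customer, "Order", "1002", READ));
        System.out.println("alice deletes order 1001 (instance grants it, role does not): "
            + acl.isGranted("alice", customer, "Order", "1001", DELETE));
    }
}
```

The third check is the one worth noticing: an instance grant never widens what the role allows, so the per-object table can be edited by application code (an owner sharing a record, say) without being able to escalate past the role policy the administrator set.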

Wednesday, October 10, 2007

Tip 7: SSO between Web Applications

If you need SSO between web applications deployed to the same host (one Tomcat/JBoss instance), you can use the Apache Tomcat SingleSignOn valve. If you need SSO across a JBoss cluster, you will need the ClusteredSingleSignOn valve. Take a look at the clustered single sign on white paper here.

More details are here: Single Sign On in JBoss

Additional reference:
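As an added example of where the two valves go (my own fragment, not from the post or the white paper), here is the Host element of server.xml with the Tomcat valve enabled and the clustered one left commented out. The file location assumes the JBoss AS 4.2 layout (deploy/jboss-web.deployer/server.xml) and the clustered valve's package is the 4.2 one; earlier releases used a different package, so check your own server.xml, which ships with the correct line commented out.

```xml
<!-- deploy/jboss-web.deployer/server.xml (JBoss AS 4.2 layout, assumed) -->
<Host name="localhost">

  <!-- Single node: Tomcat's own SSO valve. A login to any web application under
       this Host is reused by the others via the JSESSIONIDSSO cookie. All of the
       applications must authenticate against the same Realm (security domain)
       for the shared principal to be meaningful. -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

  <!-- Across a JBoss cluster, use the clustered valve instead of, never in
       addition to, the Tomcat one. -->
  <!--
  <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
  -->

</Host>
```

The valve is scoped to the Host, so SSO does not cross virtual hosts, and it shares the authenticated principal only: an application that needs its own roles still gets them from its own security domain lookup. Logging out of one application ends the SSO session for all of them, which is usually what users expect but surprises the occasional portal integrator.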

Tip 6: Want Custom Principal Implementation

Occasionally, JBoss users would like to use their own Principal implementation in the web/EJB containers. To do this, follow:

Custom Principals in JBoss

You can verify by checking the runtime class of the object returned by ejbContext.getCallerPrincipal().

Tuesday, October 9, 2007

eCrime: How do we deal with it?

I mentioned in my earlier blog post that APWG recently conducted an eCrime summit in Pittsburgh. So eCrime is a menace that affects all facets of our democratic societies.

Have a look at Dr. Philip Hallam-Baker's presentation from Google Tech Talks, January 2006. I know Dr. Hallam-Baker from various working groups at the W3C and other standards bodies. He is a Principal Scientist/Evangelist at VeriSign.

Crime: The Real Internet Security Problem

Dr Hallam-Baker is a leading designer of Internet security protocols and has made substantial contributions to the HTTP Digest Authentication mechanism, XKMS, SAML and WS-Security. He is currently working on the DKIM email signing protocol, federated identity systems and completing his first book, The dotCrime Manifesto, which sets out a comprehensive strategy for defeating Internet crime.

Dr Hallam-Baker has a degree in Electronic Engineering from Southampton University and a doctorate in Computer Science from the Nuclear Physics Laboratory at Oxford University.

ABSTRACT: Internet crime is a serious and growing problem. Phishing, advance-fee and consumer fraud continue to grow at alarming rates. Internet crime is a business that makes huge profits for some. But despite the fact that security has regularly polled as almost every type of Internet user's top priority over the past ten years, almost none of the security mechanisms developed in response are effectively controlling Internet crime.

How To Break Web Software - A look at security vulnerabilities in web software

From Google Tech Talks.

The presenter is Mike Andrews, Senior Consultant.

A long presentation that cites various statistics.

Browser Help Me. I want you to be Secure....

Wikipedia defines Phishing as:
In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay, PayPal and online banks are common targets. Phishing is typically carried out by email or instant messaging.

Get the entire scoop here:

Some of the blame for the widespread proliferation of online scams and phishing rests with the victims. They fall prey easily and do not pay attention to the security indicators in their user agents (a.k.a. browsers).

It is nice to know that organizations such as the CA/Browser Forum (CAB Forum) are actively working on making browsing more secure, via the new concept of Extended Validation (EV) certificates.
CAB Forum -

This is how it looks in Opera, as shown by Yngve Pettersen, Opera Security Czar.
EV in Opera

Recently, on the personal insistence of Yngve, I downloaded Opera. I was quite impressed by the security indicators displayed for sites with SSL enabled. It even read my Firefox bookmarks.

Yngve has also disabled SSL v2.0 entirely in Opera from version 9.0 onwards.
SSL v2 Disabled

The Anti-Phishing Working Group (APWG) recently held an eCrime summit in Pittsburgh.

Why am I talking about all this? Because I am one of the editors of a W3C Security Recommendation (in progress).
W3C Security Context

As the citizens of the online world, it is our responsibility to take precautions as well as force companies to be more secure in their offerings.

I have learned my lessons. I hope that you do not have to. :)

Take care when you get those emails or see lousy pop up windows on web sites.

If you are looking for a free browser that is high on security, there is no better place to look than Mozilla Firefox.

1) R. Dhamija et al.
2) Do Security Toolbars Actually Prevent Phishing Attacks?
3) Evaluation of EV and PIP attacks