
Thursday, February 28, 2008

Should you disable saving passwords in your browser?

The majority of free as well as commercial browsers have a password-saving feature. Of course, without it our lives would not be nearly as much fun: we would be scrambling to remember passwords, or using one of our notebooks to jot down all the user ids and passwords for the one thousand and counting web sites we visit on a regular basis.

One of MIT's online articles here talks about when one should never store passwords in the browser (right, I am talking about the auto-fill feature that is your favorite).

Information Services and Technology recommends that you do not save passwords with your browser for sites which have:

* private information about you or someone else (e.g., medical records)
* private financial information (e.g., credit card numbers)
* private correspondence (e.g., e-mail)

For example, you should never save the passwords for your accounts with:

* Fidelity NetBenefits
* MIT Federal Credit Union, or your bank
* MIT WebMail

If you do save passwords for these types of sites, you put yourself at risk.


There is a non-standard attribute that hints to the browser not to auto-complete certain fields, as in:

<input type="text" name="Credit Card Number" autocomplete="off" />


Browsers like IE, Firefox (and probably Opera also) honor this.

Disadvantages:
* Using this attribute breaks the XHTML rules, so your page will not be XHTML compliant.

One of the security developers at Mozilla has basically said the following:
We respect it sufficiently that there are several popular bookmarklets/greasemonkey scripts out there that remove this attribute from sites when they find it. People really like their password fillers.


I do hope that this attribute gets into the HTML5 specification and becomes a standard web authoring practice for Banks, Financial Institutions and other secure online sites. Oh, wait. Also Paypal....

UPDATE: If you look at the comments on this post, I have been told that "autocomplete=off" is a valid attribute in HTML5. So that is good. But it remains to be seen how soon banks, financial institutions and health care services will adopt HTML5 or start using this attribute (shouldn't they already be doing this?).

Wednesday, February 27, 2008

Security Toolbars to prevent Phishing Attacks.....

I came across this toolbar from Netcraft that tells me whether a particular website I am visiting is legitimate or not (something like a thermometer view)....

The toolbar can be obtained here.

Since I have started using it today, I cannot tell you how good or bad it will be.

Here is a research paper that talks about how effective security toolbars are....

From the abstract,
We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars' warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be.


There is nothing new here. People are not really looking at the trust indicators provided by the browser. Only after you have had a bad experience will you start looking for such indications.... Isn't that human nature?

Tuesday, February 26, 2008

Extended Validation Certificates are close to 1 year now

The CA/Browser Forum defines EV Certificates as:
The Extended Validation (EV) SSL Certificate standard is intended to provide an improved level of authentication of entities that request digital certificates for securing transactions on their Web sites. The next generation of Internet browsers will display EV SSL-secured Web sites in a way that allows visitors to instantly ascertain that a given site is indeed secure and can be trusted. A new vetting format, which all issuing Certification Authorities (CAs) must comply with, ensures a uniform standard for certificate issuance. This means that all CAs must adhere to the same high security standards when processing certificate requests. Consequently, visitors to EV SSL-secured Web sites can trust that the organization that operates the site has undergone and passed the rigorous EV SSL authentication process as defined by the CA/Browser Forum. Internet users thus will be able to trust that particular Web sites are what they claim to be, rather than fraudulent mirror sites operated by perpetrators of phishing schemes.


You can get a reasonable look at how EV Certificates have progressed since their birth at the following Netcraft article:
Extended Validation SSL Certificates now 1 Year Old


Some interesting points from the article are:
Absolute growth of EV SSL certificates has remained largely constant for several months, and the total (around 4000 sites) is dwarfed by the 809,000 sites that use traditional SSL certificates.


You can take a look at how IE7 will display EV Certificates by clicking the following image:
Paypal website in IE7

EV Certificates are certainly a welcome change, but they are not the solution to all the problems. Here is a report on a vulnerability in which EV Certificate sites can still be used as backdoors for installing XSS.

Monday, February 25, 2008

Contextual Security - a need or a luxury?

Reading Mary Ann Davidson's article in the latest issue of Oracle Magazine (yes, the free one they send home), titled "Context Is Everything", I have got to wonder whether everyone is aware of a need to attach a context to the security in their enterprise.

Contextual security is where I got a little too excited about XACML when I could easily attach context to my authorization decisions. Of course, this was way before I read Mary's article. Remember, we did do a successful interop at the Burton Catalyst Conference in June 2007 under the auspices of OASIS......

As Mary said, an "All or Nothing" type of security only takes you so far.

In JBoss Application Server 4 and earlier, we had the concept of Security Proxies that were mainly introduced to provide context based security. Things like "Junior Traders can make trades only if it is under $1million", "Stop all four-letter words in the arguments" etc....

Well, to answer the question of whether contextual security is a need or a luxury: I am sure you agree that it is a critical need of the hour....

I would like to make authorization decisions such as:
"This web page is accessible by users who are 18 years or older"
"This web resource is accessible by employees whose status is active and are accessing from the following sub-net and during regular business hours".

Externalized security policies allow you to change the requirements without changing the middleware. This is where specifications like xacml hold a lot of strength. Yes, I hear you. Lots of xml - lots of xml. Well, this is where tools will arrive (hopefully) to mitigate.

Saturday, February 23, 2008

How is Privacy related to the decline in Golf in the US?

Reading the latest news article in NYT, titled "More Americans Are Giving Up Golf", my mind has started racing to tie Security, Privacy with this phenomenon of decline in outdoor sports namely Golf and Tennis. If you are wondering, read on:

The disappearance of golfers over the past several years is part of a broader decline in outdoor activities — including tennis, swimming, hiking, biking and downhill skiing — according to a number of academic and recreation industry studies.

A 2006 study by the United States Tennis Association, which has battled the trend somewhat successfully with a forceful campaign to recruit young players, found that punishing hurricane seasons factored into the decline of play in the South, while the soaring popularity of electronic games and newer sports like skateboarding was diminishing the number of new tennis players everywhere.

Rodney B. Warnick, a professor of recreation studies and tourism at the University of Massachusetts, said that the aging population of the United States was probably a part of the problem, too, and that “there is a younger generation that is just not as active.”


Wow, the younger generation is not at all active anymore. Strong statement. What does that mean? They are indoors. They are hooked to their electronic games and their computer. When I said computer, probably they are online. If they are online, they are probably socializing on the web - maybe in one of the umpteen online social networks (no need for names, you probably know the prominent ones and yes, those are the sites frequented by the teenagers, pre-teens and early youth).

Now, why would the pattern of increasing number of youngsters hooked on to the online world be a cause for concern? Well, certainly they are not playing outdoor sports, implying not doing anything good for their health. The pattern I am driving at is the potential increase in the youth being the targets of Cyber-bullying and the loss of privacy with the social networks. In addition, all the horrors mentioned in my earlier blog posts:
http://anil-identity.blogspot.com/2007/11/online-social-networkstubingphishing.html

Tips to keep your children safe on the internet

In a nutshell, if you have scowled at my argument, well here is the link that you should be reading.
http://news.bbc.co.uk/2/hi/technology/7108627.stm


If you tell me that everyone has no privacy, then hmmmmm....

Friday, February 22, 2008

Create a XACML Policy using the JBossXACML API

Here is sample code that shows you how I create an XACML policy for the web layer using the JBossXACML API (which is basically a JAXB2 object model).


package org.jboss.test.security.xacml.bindings.web;

import java.net.URI;
import java.security.Principal;
import java.security.acl.Group;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.JAXBElement;

import junit.framework.TestCase;

import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.core.model.policy.ActionMatchType;
import org.jboss.security.xacml.core.model.policy.ActionType;
import org.jboss.security.xacml.core.model.policy.ActionsType;
import org.jboss.security.xacml.core.model.policy.ApplyType;
import org.jboss.security.xacml.core.model.policy.AttributeValueType;
import org.jboss.security.xacml.core.model.policy.ConditionType;
import org.jboss.security.xacml.core.model.policy.EffectType;
import org.jboss.security.xacml.core.model.policy.ObjectFactory;
import org.jboss.security.xacml.core.model.policy.PolicyType;
import org.jboss.security.xacml.core.model.policy.ResourceMatchType;
import org.jboss.security.xacml.core.model.policy.ResourceType;
import org.jboss.security.xacml.core.model.policy.ResourcesType;
import org.jboss.security.xacml.core.model.policy.RuleType;
import org.jboss.security.xacml.core.model.policy.SubjectAttributeDesignatorType;
import org.jboss.security.xacml.core.model.policy.TargetType;
import org.jboss.security.xacml.factories.PolicyAttributeFactory;
import org.jboss.security.xacml.factories.PolicyFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.PolicyLocator;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.security.xacml.interfaces.XACMLPolicy;
import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
import org.jboss.security.xacml.locators.JBossPolicyLocator;
import org.jboss.test.security.xacml.factories.util.XACMLTestUtil;

/**
 * Test Case that constructs the policy dynamically
 * and then applies the web access rules
 * @author Anil.Saldhana
 */
public class WebLayerDynamicPolicyUnitTestCase extends TestCase
{
   //Enable for request trace
   private boolean debug = "true".equals(System.getProperty("debug","false"));

   public void testWebBinding() throws Exception
   {
      PolicyDecisionPoint pdp = createPDP();
      assertNotNull("JBossPDP is != null", pdp);

      Principal p = new Principal()
      {
         public String getName()
         {
            return "testuser";
         }
      };

      //Create Role Group
      Group grp = XACMLTestUtil.getRoleGroup("developer");

      String requestURI = "http://test/developer-guide.html";
      HttpRequestUtil util = new HttpRequestUtil();
      HttpServletRequest req = util.createRequest(p, requestURI);

      //Check PERMIT condition
      WebPEP pep = new WebPEP();
      RequestContext request = pep.createXACMLRequest(req, p, grp);
      if(debug)
         request.marshall(System.out);

      assertEquals("Access Allowed?", XACMLConstants.DECISION_PERMIT,
            XACMLTestUtil.getDecision(pdp,request));
   }

   public void testNegativeAccessWebBinding() throws Exception
   {
      PolicyDecisionPoint pdp = createPDP();
      assertNotNull("JBossPDP is != null", pdp);

      Principal p = new Principal()
      {
         public String getName()
         {
            return "testuser";
         }
      };

      //Create Role Group: "imposter" is not the role the permit rule looks for
      Group grp = XACMLTestUtil.getRoleGroup("imposter");
      String requestURI = "http://test/developer-guide.html";
      HttpRequestUtil util = new HttpRequestUtil();
      HttpServletRequest req = util.createRequest(p, requestURI);

      //Check DENY condition
      WebPEP pep = new WebPEP();
      RequestContext request = pep.createXACMLRequest(req, p, grp);
      if(debug)
         request.marshall(System.out);

      assertEquals("Access Disallowed?", XACMLConstants.DECISION_DENY,
            XACMLTestUtil.getDecision(pdp,request));
   }

   /**
    * Build a PDP loaded with the dynamically constructed policy
    * (shared by both tests)
    */
   private PolicyDecisionPoint createPDP() throws Exception
   {
      PolicyType policyType = constructPolicy();
      PolicyDecisionPoint pdp = new JBossPDP();

      XACMLPolicy policy = PolicyFactory.createPolicy(policyType);
      Set policies = new HashSet();
      policies.add(policy);

      pdp.setPolicies(policies);

      //Add the basic locators also
      PolicyLocator policyLocator = new JBossPolicyLocator();
      policyLocator.setPolicies(policies); //Locators need to be given the policies

      Set locators = new HashSet();
      locators.add(policyLocator);
      pdp.setLocators(locators);
      return pdp;
   }

   private PolicyType constructPolicy() throws Exception
   {
      ObjectFactory objectFactory = new ObjectFactory();

      String PERMIT_OVERRIDES="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides";
      PolicyType policyType = new PolicyType();
      policyType.setPolicyId("ExamplePolicy");
      policyType.setVersion("2.0");
      policyType.setRuleCombiningAlgId(PERMIT_OVERRIDES);

      //Create a target: the policy applies only to the developer guide URI
      TargetType targetType = new TargetType();

      ResourcesType resourcesType = new ResourcesType();
      ResourceType resourceType = new ResourceType();
      ResourceMatchType rmt = new ResourceMatchType();
      rmt.setMatchId(XACMLConstants.FUNCTION_ANYURI_EQUALS);
      rmt.setResourceAttributeDesignator(PolicyAttributeFactory.createAttributeDesignatorType(
            XACMLConstants.RESOURCE_IDENTIFIER,XMLSchemaConstants.DATATYPE_ANYURI));
      rmt.setAttributeValue(PolicyAttributeFactory.createAnyURIAttributeType(
            new URI("http://test/developer-guide.html")));
      resourceType.getResourceMatch().add(rmt);
      resourcesType.getResource().add(resourceType);

      targetType.setResources(resourcesType);

      policyType.setTarget(targetType);

      //Create a Rule that permits the "read" action...
      RuleType permitRule = new RuleType();
      permitRule.setRuleId("ReadRule");
      permitRule.setEffect(EffectType.PERMIT);

      ActionsType permitRuleActionsType = new ActionsType();
      ActionType permitRuleActionType = new ActionType();

      ActionMatchType amct = new ActionMatchType();
      amct.setMatchId("urn:oasis:names:tc:xacml:1.0:function:string-equal");
      amct.setAttributeValue(PolicyAttributeFactory.createStringAttributeType("read"));
      amct.setActionAttributeDesignator(PolicyAttributeFactory.createAttributeDesignatorType(
            XACMLConstants.ACTION_IDENTIFIER, XMLSchemaConstants.DATATYPE_STRING));
      permitRuleActionType.getActionMatch().add(amct);
      TargetType permitRuleTargetType = new TargetType();
      permitRuleActionsType.getAction().add(permitRuleActionType);
      permitRuleTargetType.setActions(permitRuleActionsType);
      permitRule.setTarget(permitRuleTargetType);

      //...on the condition that "developer" is in the subject's bag of roles:
      //string-is-in(string, bag-of-strings)
      ConditionType permitRuleConditionType = new ConditionType();

      ApplyType permitRuleApplyType = new ApplyType();
      permitRuleApplyType.setFunctionId(XACMLConstants.FUNCTION_STRING_IS_IN);

      SubjectAttributeDesignatorType sadt = PolicyAttributeFactory.createSubjectAttributeDesignatorType(
            XACMLConstants.SUBJECT_ROLE_IDENTIFIER, XMLSchemaConstants.DATATYPE_STRING);
      JAXBElement sadtElement = objectFactory.createSubjectAttributeDesignator(sadt);
      AttributeValueType avt = PolicyAttributeFactory.createStringAttributeType("developer");
      JAXBElement jaxbAVT = objectFactory.createAttributeValue(avt);
      permitRuleApplyType.getExpression().add(jaxbAVT);
      permitRuleApplyType.getExpression().add(sadtElement);

      permitRuleConditionType.setExpression(objectFactory.createApply(permitRuleApplyType));

      permitRule.setCondition(permitRuleConditionType);

      policyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(permitRule);

      //Create a Deny Rule with no target or condition: it applies to every
      //request, so anything the permit rule does not catch is denied
      RuleType denyRule = new RuleType();
      denyRule.setRuleId("DenyRule");
      denyRule.setEffect(EffectType.DENY);
      policyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(denyRule);

      return policyType;
   }
}


Note the XACMLTestUtil class is provided in my previous blog post on Web Enforcement.

The policy construction is cumbersome? You prefer xml?

Well, what I show above is how a program (eg. a console) may create a xacml policy.
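For comparison, this is the XACML 2.0 policy document that the constructPolicy() code above corresponds to, written out by hand here as an added illustration (it is not output captured from JBossXACML). The resource target, the ReadRule with its string-is-in condition on the role attribute, the catch-all DenyRule and the permit-overrides combining algorithm are the ones the code sets up:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hand-written equivalent of the JAXB-built "ExamplePolicy" -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="ExamplePolicy"
        Version="2.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">

  <!-- Policy target: only requests for the developer guide reach the rules -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://test/developer-guide.html</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>

  <!-- ReadRule: permit "read" when "developer" is among the subject's roles -->
  <Rule RuleId="ReadRule" Effect="Permit">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <!-- string-is-in(string, bag): the designator yields the bag of role values -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">developer</AttributeValue>
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>

  <!-- DenyRule: no Target and no Condition, so it matches every request -->
  <Rule RuleId="DenyRule" Effect="Deny"/>
</Policy>
```

Because DenyRule has no Target and no Condition it applies to every request that reaches the policy, so the "imposter" role yields Deny rather than NotApplicable, while the "developer" role still gets Permit because permit-overrides lets the ReadRule win.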

Web layer enforcement using JBossXACML

Ok, here are examples of implementing a Web PEP using JBossXACML.

Tell me if you find this code useful. If you have any other requirements, do tell me.

package org.jboss.test.security.xacml.bindings.web;

import java.net.URI;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;

import org.jboss.security.xacml.core.model.context.ActionType;
import org.jboss.security.xacml.core.model.context.AttributeType;
import org.jboss.security.xacml.core.model.context.EnvironmentType;
import org.jboss.security.xacml.core.model.context.RequestType;
import org.jboss.security.xacml.core.model.context.ResourceType;
import org.jboss.security.xacml.core.model.context.SubjectType;
import org.jboss.security.xacml.factories.RequestAttributeFactory;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.RequestContext;

/**
 * PEP for the web layer
 * @author Anil.Saldhana
 */
public class WebPEP
{
   String ACTION_IDENTIFIER = "urn:oasis:names:tc:xacml:1.0:action:action-id";
   String CURRENT_TIME_IDENTIFIER = "urn:oasis:names:tc:xacml:1.0:environment:current-time";
   String RESOURCE_IDENTIFIER = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
   String SUBJECT_IDENTIFIER = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
   String SUBJECT_ROLE_IDENTIFIER = "urn:oasis:names:tc:xacml:2.0:subject:role";

   public RequestContext createXACMLRequest(HttpServletRequest request,
         Principal principal, Group roleGroup) throws Exception
   {
      RequestContext requestCtx = RequestResponseContextFactory.createRequestCtx();

      //Create a subject type: subject-id plus one role attribute per group member
      SubjectType subject = new SubjectType();
      subject.getAttribute().add(RequestAttributeFactory.createStringAttributeType(
            SUBJECT_IDENTIFIER, "jboss.org", principal.getName()));
      //Group.members() is declared as Enumeration<? extends Principal>; a raw
      //Enumeration would make nextElement() return Object and not compile here
      Enumeration<? extends Principal> roles = roleGroup.members();
      while(roles.hasMoreElements())
      {
         Principal rolePrincipal = roles.nextElement();
         AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
               SUBJECT_ROLE_IDENTIFIER, "jboss.org", rolePrincipal.getName());
         subject.getAttribute().add(attSubjectID);
      }

      //Create a resource type: the requested URI is the resource-id
      ResourceType resourceType = new ResourceType();
      resourceType.getAttribute().add(RequestAttributeFactory.createAnyURIAttributeType(
            RESOURCE_IDENTIFIER, null, new URI(request.getRequestURI())));

      //Create an action type: the web layer always asks for "read"
      ActionType actionType = new ActionType();
      actionType.getAttribute().add(RequestAttributeFactory.createStringAttributeType(
            ACTION_IDENTIFIER, "jboss.org", "read"));

      //Create an Environment Type (Optional): current time for time-based policies
      EnvironmentType environmentType = new EnvironmentType();
      environmentType.getAttribute().add(RequestAttributeFactory.createDateTimeAttributeType(
            CURRENT_TIME_IDENTIFIER, null));

      //Create a Request Type
      RequestType requestType = new RequestType();
      requestType.getSubject().add(subject);
      requestType.getResource().add(resourceType);
      requestType.setAction(actionType);
      requestType.setEnvironment(environmentType);

      requestCtx.setRequest(requestType);

      return requestCtx;
   }
}

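As an added illustration (not output captured from the project), this is the XACML 2.0 request context that createXACMLRequest() above assembles for testuser in the developer role asking to read the developer guide; it is what request.marshall(System.out) would show in the debug trace, except that the dateTime value below is a constructed sample, since the PEP fills in the actual current time:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hand-written request context matching what WebPEP builds -->
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject>
    <!-- subject-id comes from the HttpServletRequest principal -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"
               Issuer="jboss.org">
      <AttributeValue>testuser</AttributeValue>
    </Attribute>
    <!-- one role attribute per member of the role Group -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
               DataType="http://www.w3.org/2001/XMLSchema#string"
               Issuer="jboss.org">
      <AttributeValue>developer</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <!-- resource-id is the request URI; no Issuer since the PEP passes null -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://test/developer-guide.html</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string"
               Issuer="jboss.org">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment>
    <!-- constructed sample timestamp; the PEP inserts the real current time -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
               DataType="http://www.w3.org/2001/XMLSchema#dateTime">
      <AttributeValue>2008-02-22T10:30:00-06:00</AttributeValue>
    </Attribute>
  </Environment>
</Request>
```

Swapping the role value for "imposter" gives the request that the negative test sends; the policy's ReadRule condition then evaluates to false and only the catch-all deny rule applies.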

The test case for the web layer would be as follows:

package org.jboss.test.security.xacml.bindings.web;

import java.io.InputStream;
import java.security.Principal;
import java.security.acl.Group;

import javax.servlet.http.HttpServletRequest;

import junit.framework.TestCase;

import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.test.security.xacml.factories.util.XACMLTestUtil;

/**
 * Unit Tests for the Web bindings
 * @author Anil.Saldhana
 */
public class WebLayerUnitTestCase extends TestCase
{
   //Enable for request trace (was referenced below but not declared)
   private boolean debug = "true".equals(System.getProperty("debug","false"));

   public void testWebBinding() throws Exception
   {
      PolicyDecisionPoint pdp = getPDP();
      assertNotNull("JBossPDP is != null", pdp);

      Principal p = new Principal()
      {
         public String getName()
         {
            return "testuser";
         }
      };

      //Create Role Group
      Group grp = XACMLTestUtil.getRoleGroup("developer");

      String requestURI = "http://test/developer-guide.html";
      HttpRequestUtil util = new HttpRequestUtil();
      HttpServletRequest req = util.createRequest(p, requestURI);

      //Check PERMIT condition
      WebPEP pep = new WebPEP();
      RequestContext request = pep.createXACMLRequest(req, p, grp);
      if(debug)
         request.marshall(System.out);

      assertEquals("Access Allowed?", XACMLConstants.DECISION_PERMIT,
            XACMLTestUtil.getDecision(pdp,request));
   }

   public void testNegativeAccessWebBinding() throws Exception
   {
      PolicyDecisionPoint pdp = getPDP();
      assertNotNull("JBossPDP is != null", pdp);
      Principal p = new Principal()
      {
         public String getName()
         {
            return "testuser";
         }
      };

      //Create Role Group
      Group grp = XACMLTestUtil.getRoleGroup("imposter");
      String requestURI = "http://test/developer-guide.html";
      HttpRequestUtil util = new HttpRequestUtil();
      HttpServletRequest req = util.createRequest(p, requestURI);

      //Check DENY condition
      WebPEP pep = new WebPEP();
      RequestContext request = pep.createXACMLRequest(req, p, grp);
      if(debug)
         request.marshall(System.out);

      assertEquals("Access Disallowed?", XACMLConstants.DECISION_DENY,
            XACMLTestUtil.getDecision(pdp,request));
   }

   /**
    * Build the PDP from the XML configuration on the test classpath
    */
   private PolicyDecisionPoint getPDP()
   {
      ClassLoader tcl = Thread.currentThread().getContextClassLoader();
      InputStream is = tcl.getResourceAsStream("test/config/webConfig.xml");
      assertNotNull("InputStream != null", is);

      return new JBossPDP(is);
   }
}


Now here is the util class that creates a test HttpServletRequest:


package org.jboss.test.security.xacml.bindings.web;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.Principal;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletInputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Utility class for the web binding.
 * Only getRequestURI() and getUserPrincipal() carry real values, since those
 * are all the WebPEP reads; every other method of the interface is a stub.
 * @author Anil.Saldhana
 */
public class HttpRequestUtil
{
   public HttpServletRequest createRequest(final Principal gp, final String uri)
   {
      return new HttpServletRequest()
      {
         //Values the PEP actually uses
         public String getRequestURI() { return uri; }
         public Principal getUserPrincipal() { return gp; }
         public String getMethod() { return "GET"; }

         //HttpServletRequest stubs
         public String getAuthType() { return null; }
         public String getContextPath() { return null; }
         public Cookie[] getCookies() { return null; }
         public long getDateHeader(String arg0) { return 0; }
         public String getHeader(String arg0) { return null; }
         @SuppressWarnings("unchecked")
         public Enumeration getHeaderNames() { return null; }
         @SuppressWarnings("unchecked")
         public Enumeration getHeaders(String arg0) { return null; }
         public int getIntHeader(String arg0) { return 0; }
         public String getPathInfo() { return null; }
         public String getPathTranslated() { return null; }
         public String getQueryString() { return null; }
         public String getRemoteUser() { return null; }
         public StringBuffer getRequestURL() { return null; }
         public String getRequestedSessionId() { return null; }
         public String getServletPath() { return null; }
         public HttpSession getSession() { return null; }
         public HttpSession getSession(boolean arg0) { return null; }
         public boolean isRequestedSessionIdFromCookie() { return false; }
         public boolean isRequestedSessionIdFromURL() { return false; }
         public boolean isRequestedSessionIdFromUrl() { return false; }
         public boolean isRequestedSessionIdValid() { return false; }
         public boolean isUserInRole(String arg0) { return false; }

         //ServletRequest stubs
         public Object getAttribute(String arg0) { return null; }
         @SuppressWarnings("unchecked")
         public Enumeration getAttributeNames() { return null; }
         public String getCharacterEncoding() { return null; }
         public int getContentLength() { return 0; }
         public String getContentType() { return null; }
         public ServletInputStream getInputStream() throws IOException { return null; }
         public String getLocalAddr() { return null; }
         public String getLocalName() { return null; }
         public int getLocalPort() { return 0; }
         public Locale getLocale() { return null; }
         @SuppressWarnings("unchecked")
         public Enumeration getLocales() { return null; }
         public String getParameter(String arg0) { return null; }
         @SuppressWarnings("unchecked")
         public Map getParameterMap() { return null; }
         @SuppressWarnings("unchecked")
         public Enumeration getParameterNames() { return null; }
         public String[] getParameterValues(String arg0) { return null; }
         public String getProtocol() { return null; }
         public BufferedReader getReader() throws IOException { return null; }
         public String getRealPath(String arg0) { return null; }
         public String getRemoteAddr() { return null; }
         public String getRemoteHost() { return null; }
         public int getRemotePort() { return 0; }
         public RequestDispatcher getRequestDispatcher(String arg0) { return null; }
         public String getScheme() { return null; }
         public String getServerName() { return null; }
         public int getServerPort() { return 0; }
         public boolean isSecure() { return false; }
         public void removeAttribute(String arg0) { }
         public void setAttribute(String arg0, Object arg1) { }
         public void setCharacterEncoding(String arg0) throws UnsupportedEncodingException { }
      };
   }
}


Here is the XACMLTestUtil class:

package org.jboss.test.security.xacml.factories.util;

import java.io.InputStream;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.Vector;

import junit.framework.TestCase;

import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

/**
 * Utility class for the JBossXACML Tests
 * @author Anil.Saldhana
 */
public class XACMLTestUtil
{
   //Enable for request trace
   private static boolean debug = "true".equals(System.getProperty("debug","false"));

   /**
    * Get the decision from the PDP
    * @param pdp
    * @param requestFileLoc a classpath location where the xacml request is stored
    * @return one of the XACMLConstants.DECISION_* values
    * @throws Exception
    */
   public static int getDecision(PolicyDecisionPoint pdp,
         String requestFileLoc) throws Exception
   {
      ClassLoader tcl = Thread.currentThread().getContextClassLoader();
      InputStream is = tcl.getResourceAsStream(requestFileLoc);
      TestCase.assertNotNull("Request file not found: " + requestFileLoc, is);
      RequestContext request = RequestResponseContextFactory.createRequestCtx();
      request.readRequest(is);
      ResponseContext response = pdp.evaluate(request);
      if(response == null)
         throw new RuntimeException("Response is null");
      return response.getDecision();
   }

   /**
    * Get the decision from the PDP
    * @param pdp
    * @param request RequestContext containing the request
    * @return one of the XACMLConstants.DECISION_* values
    * @throws Exception
    */
   public static int getDecision(PolicyDecisionPoint pdp, RequestContext request)
         throws Exception
   {
      ResponseContext response = pdp.evaluate(request);
      TestCase.assertNotNull("Response is not null", response);
      if(debug)
         response.marshall(System.out);
      return response.getDecision();
   }

   /**
    * Get a Group with the passed rolename
    * @param roleName rolename which will be placed as a principal
    * @return a Group named "ROLES" containing one principal for the role
    */
   public static Group getRoleGroup(final String roleName)
   {
      return new Group()
      {
         private Vector<Principal> vect = new Vector<Principal>();

         //Seed the group with the role principal once, in an instance
         //initializer, rather than adding a copy on every members() call
         {
            vect.add(new Principal()
            {
               public String getName()
               {
                  return roleName;
               }
            });
         }

         public boolean addMember(final Principal principal)
         {
            return vect.add(principal);
         }

         public boolean isMember(Principal principal)
         {
            return vect.contains(principal);
         }

         public Enumeration<? extends Principal> members()
         {
            return vect.elements();
         }

         public boolean removeMember(Principal principal)
         {
            return vect.remove(principal);
         }

         public String getName()
         {
            return "ROLES";
         }
      };
   }
}

Tuesday, February 19, 2008

NIST: Participating in a panel on Oasis Security Standards

I will be participating on a panel at the forthcoming "7th Symposium on Identity and Trust on the Internet" or IDTrust08 at the prestigious NIST campus. You can find details on the program here.

Basically, I will be highlighting the need for incorporating SAML (and any other federated identity aspects) and xacml aspects into the Java EE environment (and the specifications of course). The panel will also talk about the upcoming XACML Interoperability event at the RSA Conference 2008 in April at San Francisco.

An excellent opportunity for me to not only participate in a prestigious panel but also meet/interact-with industry thought leaders such as Arshad Noor (Enterprise Key Management), Stephen Wilson (PKI) and of course Hal Lockhart and Tony Nadalin.

If you are going to be present at the workshop, I am sure our paths will cross. ;)

Programmatic Web Login finds use with a user

I was pointed to the following blog entry by a JBoss user that talks about the painful journey experienced by the user with various versions of JBoss until we added the very useful feature of Programmatic Web Login.

The blog entry from the user is:
Perform a JAAS programmatic login in Jboss - try to solve the “empty” remote user problem

I am all for having an active dialog with JBoss users in the blogosphere.

I invite users to subscribe to the "JBoss Security Beta Program" mailing list which is accessible at the Red Hat mailing lists here. This is a moderated no-spam mailing list, which provides an excellent communication platform between JBoss and its users (as far as security is concerned).

Sunday, February 10, 2008

Oasis SSTC (SAML) Secretary

I have always been fascinated by the concept of Federated Identity and the need for SSO across domains (not just intra-company but also inter-company, inter-partners). The specification that brought this into the forefront is the Oasis SAML specification.

I have been elected (basically with unanimous consent) as a secretary of the Oasis Security Services Technical Committee (SSTC) which is the driver behind the SAML specifications.

Take a look here: Oasis SSTC Home Page.

Still learning to be a secretary of a prominent specification body. :)

Oasis XACML Interoperability Event at the RSA Conference 2008

Ok, after the successful interoperability event at the Burton Conference in 2007, it is time for the next Oasis XACML Interoperability Event. This time, it is at the RSA Conference in April 2008 in San Francisco.

What will be different this time?

This time the interoperability will target the health care industry. It is more like an effort from the experts from Oasis, HL7, ANSI and other standard bodies.

DETAILS:
The eXtensible Access Control Markup Language (XACML) 2.0 OASIS Standard has emerged as a front runner in solving complex access control problems in the enterprise. Unlike the approach taken by proprietary access control lists (ACL), XACML is an industry accepted standard that provides a well defined structure to create rules and policy sets to make complex authorization decisions. Enterprise practitioners have wished for greater interoperability between products that support the XACML OASIS Standard.

At the RSA Conference 2008 in San Francisco, April 7-11, nine organizations will come together to demonstrate interoperability of the eXtensible Access Control Markup Language (XACML) 2.0 OASIS Standard. Simulating a real world scenario provided by the U.S. Department of Veterans Affairs, the demo will show how XACML ensures successful authorization decision requests and the exchange of authorization policies. Participants include:

* Axiomatics
* BEA Systems
* IBM
* Oracle
* Red Hat
* Cisco
* Sun Microsystems
* U.S. Department of Veterans Affairs

The Interoperability Demonstration will utilize the requirements drawn in the Healthcare industry based on work done at the U.S. Department of Veterans Affairs, HL7, ASTM and ANSI. The requirements include Role-Based Access Control (RBAC), Privacy Protections, Structured and Functional Roles, Consent Codes, Emergency Overrides and Filtering of Sensitive Data. The demonstration will highlight how XACML Obligations can provide additional capabilities in the policy decision making process, while taking the health care scenarios as example. Technical details of the demonstration, including Interoperability Configuration, Policy Decision Request and Policy Interoperability, Roles and Privileges Modeling, Usage of XACML Obligations and SAML Identity Providers will be highlighted.

The demonstration will occur in Booths 132-136 beginning April 7, 2008 during Expo hours. There will be an opportunity for the RSA 2008 attendees to interact with the participating technologists.