
Wednesday, December 23, 2009

Howard Schmidt: US Cyber Security Czar

It's official now.

Howard A. Schmidt is the newly appointed US Cyber Security Czar in the Obama administration. The White House Blog entry, "Introducing the New Cybersecurity Coordinator", and an email from Mr. John Brennan, Assistant to the President for Homeland Security and Counterterrorism, to the WhiteHouse.gov registered email addresses provide a good introduction to Howard.

My guess over the last few months was that either Bruce Schneier or Howard Schmidt would be chosen for the role. So my educated guess has been right.

In an illustrious career that has included being an advisor to a former President, Howard was also the president of the ISSA. He was an invited expert to the European Network and Information Security Agency (ENISA). His Wikipedia entry will provide more justification of his stature than this blog post. :)

I do hope Howard will increase his confidence in Open Source Software after "Open source software a security risk, study claims". He gave a generally negative gesture toward Open Source software. :( In spite of this study, adoption of OSS has only increased.

Cyber Security Supply Chain Assurance

Reading the latest Information Week article by J. Nicholas Hoover, titled "Securing The Cyber Supply Chain", I am wondering whether a trusted supply chain model for cyber security can give an advantage to large enterprises that handle the entire supply chain for their products.

While the reference assurance model designed by SAIC and the Robert H. Smith School of Business (University of Maryland) is commendable, I still have this lingering doubt about the undue advantage that well-established, vertically-integrated companies (or a partnership/alliance) have.

On the flip side, though, the threat is big. Ensuring a trusted ecosystem for critical systems in Government, Financial Institutions and National Security is a herculean task. So the reference model is certainly a good, positive step. But will it be harsh on smaller players? Maybe I am missing something.

SAML and XACML standards in US Healthcare

I was fortunate to utilize PicketLink (http://jboss.org/picketlink) in a Technology Demonstration (interoperability exercise) at HIMSS 2009 in Chicago, April 2009. The other participants were Sun Microsystems, Jericho Systems, the US Department of Veterans Affairs and the US Department of Defense. I have reported on this in the past. We used PicketLink mainly for its SAML and XACML capabilities. The associated OASIS press release is "OASIS and HITSP Collaborate on Interoperability Demo of Healthcare Privacy Standards at HIMSS09".

While we are on the topic, I am extremely glad to read the latest news item from the Oasis Consortium related to the use of XACML and SAML standards in the US Healthcare infrastructure. The news is OASIS Members Approve Security and Privacy Authorization Standards for Healthcare.

As co-chair of the Oasis XSPA Technical Committee that was the driver of the two profiles (one on SAML and one on XACML) that became Oasis standards recently, I was able to contribute and support these two profiles. I am pleased that Oasis XACML and Oasis SAML standards have made headway into being mandated for use in the US Federal Agencies. Hopefully, these two standards should play a pivotal role in the widespread usage of the National Health Information Network (NHIN), whose open source based initiative is CONNECT.

Monday, December 21, 2009

PicketLink:: Identity Management and JBoss

It gives me pleasure to announce v1.0.0 of Project PicketLink (formerly JBoss Identity).

Website: http://jboss.org/picketlink

What does the project do?
PicketLink addresses the various facets of Identity Management and other
areas of security at JBoss.

What does v1.0 provide?
* Federated Identity: Support for SAML v2.0, WS-Trust v1.3 and OpenID.
* IDM: An Identity Model for managing identities and associated behavior.

Which Servers are supported?
For Federated Identity support, we support servlet containers, but
provide deeper integration with JBoss Application Server and Apache Tomcat.

What Projects have integrated?
* JBoss Seam has SAML support [From community volunteer Marcel Kolsteren].
* JBoss ESB has WS-Trust STS with SAML Token Support.
* RestEASY wants the OpenID integration.


Looking forward to v1.1:
* AuthZ, a developer friendly access control API, led by Sohil. Built on
top of our XACML offering.
* Negotiation, led by Darran, with integration in EPP as well as WS-T
Kerberos support.
* OAuth Support.

I know there will be gaps and bugs which we will fix as we go forward.

Thursday, December 17, 2009

The Changing Terrain of the Internet

This week, I have seen two interesting bits of information on the internet that at least force you to think a bit.

Although the overall value of the Internet as a global information highway and enabler of international eCommerce cannot be denied, there certainly have been some alarming trends on the internet that would not have materialized otherwise (refer to item 1).

Information Item 1:
One interesting view is in Mint, an Indian newspaper affiliated with the WSJ: "THE NEW FRONTIER OF TERROR—CYBERSPACE". Mr. Raghu Raman raises some very important questions about the usage of the Internet for reasons not in line with its original intent (the intent with which Sir Tim Berners-Lee created the WWW).


Information Item 2:
On the lighter side, we have the Israeli Rabbis issuing an ultimatum for a ban on the internet:
Ultra-Orthodox Israeli Rabbis Rage Against The Internet

Is the Internet Evil? ;)

Thursday, December 10, 2009

TIP:: Source code for JBoss AS Security

If you are wondering where the source code for the security subsystem in JBoss AS 5.x (and also EAP 5.x) is, then you will need to look at the following locations:

Security Integration Code:
1. security module of the JBoss AS workspace.
2. Security SPI
3. JBossSX

The location of the source can be found from:
JBoss AS workspace:
http://anonsvn.jboss.org/repos/jbossas/

Security SPI:
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-spi/tags/2.0.4.SP3/

JBossSX:

http://anonsvn.jboss.org/repos/jbossas/projects/security/security-jboss-sx/tags/2.0.4.SP3/



Additional Note:
There are two security projects integrated into JBAS5/EAP5.x, namely JBossXACML and JBoss Negotiation.

You can get their source from here:
JBossXACML: http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.4/
JBoss Negotiation: http://anonsvn.jboss.org/repos/jbossas/projects/security/security-negotiation/tags/security-negotiation-2.0.3.SP1/

Wednesday, December 9, 2009

Subversion caches clear text passwords

If you are a subversion/svn user, then you may not be aware of this. By default, subversion caches your password to the repositories under the $HOME/.subversion/auth/svn.simple directory in one or more files with names that match some arbitrary strings.

You need to do the following:
1) Delete all the files under $HOME/.subversion/auth/svn.simple
2) In the $HOME/.subversion/config file, uncomment the line:
store-passwords = no

The documentation says:
### Set store-passwords to 'no' to avoid storing passwords in the
### auth/ area of your config directory. It defaults to 'yes'.
### Note that this option only prevents saving of *new* passwords;
### it doesn't invalidate existing passwords. (To do that, remove
### the cache files by hand as described in the Subversion book.)


Have a safe source control system.


Disadvantage of not caching:
You will have to enter the password more frequently.

Related Issues:
There are similar issues with Maven. You need to provide clear text passwords to your repositories in the settings.xml file.



Additional Notes from Colleagues:

----------------------------------------------------------------------------
If you are using Fedora and have the subversion-gnome package installed,
subversion will store passwords in the GNOME keyring. The equivalent
package for storing passwords in the KDE wallet is subversion-kde.

Only if you do not have these packages will subversion store clear text
passwords, but it will warn you about it and recommend installing the
keyring support. Fedora users might want to double check whether they
have the aforementioned package installed. I'm sure distros other than
Fedora provide this feature as well.

-Alejandro
---------------------------------------------------------------------------
It does not seem to be the case with Mac OS; it seems to be linked to the keychain somehow.
That being said, if someone has root access to my machine, it shouldn't be too much of a problem to open keychain.

- Emmanuel
---------------------------------------------------------------------------

Tuesday, December 8, 2009

TIP::JBossXACML Logging

If you are interested in seeing the trace messages of the PDP engine in JBossXACML, you will need to add the following line to the logging.properties file in use for your setup.

# Set the logging level for the JBossXACML PDP engine logger (org.jboss.security.xacml.sunxacml)
org.jboss.security.xacml.sunxacml.level = FINEST



If you are running it in Apache Tomcat, then the file is in the conf directory.
In JBoss Application Server, you should just add a trace category in conf/jboss-log4j.xml.


The trace messages will be found in the logs of your server.

Wednesday, November 25, 2009

IIW 2009: Identity And Cloud Computing Session

I had the privilege of attending the Internet Identity Workshop (2009) at the Computer History Museum in Mountain View, CA at the beginning of November.

I conducted a session called "Identity and Cloud Computing" at IIW.

The session notes are here:

=========================
Session: Identity And Cloud Computing

* General Concerns around identity Management get compounded in the Cloud.
* There is potential proliferation of Identities.
* Data and artifacts of a company can be tied to identities which is a threat during decommission of identity. It can be lost.
* SLA of Identity As A Service.
* Transfer of Passwords or Password Hashes from Local Data Centers to Cloud environments for migrated applications.
* Users' resistance to change with new cloud usage.
* Identity Assurance.
==================

Thursday, October 22, 2009

HTTPOnly Cookies in Tomcat/JBoss

There are concerns that client-side scripts should not be able to access the cookies sent by the server. Toward this, the HttpOnly cookie attribute was invented by Microsoft for Internet Explorer and has been reasonably adopted by other browsers and the public.

Read more about it at the OWASP site: http://www.owasp.org/index.php/HTTPOnly

Tomcat has a flag on the Context element, which you can place either in WEB-INF/context.xml (JBoss) or META-INF/context.xml (Tomcat), to utilize this feature.

Reference: http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

So look for examples of context.xml via a Google search and then add useHttpOnly="true" to the Context element.
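After enabling the flag, it is worth verifying that the session cookie really leaves the server with the attribute. The following is an added example (not code from this blog or from Tomcat) that parses Set-Cookie headers and reports cookies lacking HttpOnly; the sample headers are constructed, and the optional URL argument fetches a live response with HttpURLConnection.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/** Reports cookies a server sets without the HttpOnly attribute. */
public class HttpOnlyCheck {

    /**
     * Returns the names of the cookies in the given Set-Cookie header values
     * that carry no HttpOnly attribute. Attribute names are compared
     * case-insensitively, as browsers do.
     */
    public static List<String> cookiesMissingHttpOnly(List<String> setCookieHeaders) {
        List<String> missing = new ArrayList<String>();
        for (String header : setCookieHeaders) {
            if (header == null || header.trim().isEmpty()) {
                continue;
            }
            String[] parts = header.split(";");
            String name = parts[0].split("=", 2)[0].trim();   // first segment is name=value
            boolean httpOnly = false;
            for (int i = 1; i < parts.length; i++) {
                if ("httponly".equals(parts[i].trim().toLowerCase(Locale.ROOT))) {
                    httpOnly = true;
                    break;
                }
            }
            if (!httpOnly) {
                missing.add(name);
            }
        }
        return missing;
    }

    /** Collects the Set-Cookie headers of a single response from the given URL. */
    public static List<String> fetchSetCookieHeaders(String url) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setInstanceFollowRedirects(false);   // inspect the first response only
        conn.connect();
        List<String> headers = new ArrayList<String>();
        for (Map.Entry<String, List<String>> e : conn.getHeaderFields().entrySet()) {
            if (e.getKey() != null && "set-cookie".equalsIgnoreCase(e.getKey())) {
                headers.addAll(e.getValue());
            }
        }
        conn.disconnect();
        return headers;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample headers: Tomcat's session cookie without and with useHttpOnly="true"
        List<String> sample = new ArrayList<String>();
        sample.add("JSESSIONID=0123ABCD; Path=/app");
        sample.add("JSESSIONID=0123ABCD; Path=/app; HttpOnly");
        System.out.println("Sample: cookies missing HttpOnly: " + cookiesMissingHttpOnly(sample));

        // Optional: check a real server, e.g. java HttpOnlyCheck http://localhost:8080/app/
        if (args.length == 1) {
            System.out.println(args[0] + ": cookies missing HttpOnly: "
                    + cookiesMissingHttpOnly(fetchSetCookieHeaders(args[0])));
        }
    }
}
```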

Wednesday, August 12, 2009

JBossXACML v2.0.4 Released

You can get JBossXACML v2.0.4 with minor performance improvements from
http://jboss.org/jbosssecurity/downloads/JBoss%20XACML/?action=a&windowstate=maximized

==================
** Feature Request
* [ SECURITY-423 ] RequestAttributeFactory should have method for multi valued attributes
* [ SECURITY-424 ] Schema Entity Resolver to resolve to local XACML schemas
* [ SECURITY-425 ] Ability to disable JBossXACML Schema Validation
* [ SECURITY-431 ] JAXBContext should be cached in JBossPDP

** Release
* [ SECURITY-432 ] Release JBossXACML 2.0.4
=====================

FAQ:
1) I want to use the latest JBossXACML jar in JBoss AS 5.x
- Replace the jbossxacml.jar in the lib directory of your JBoss AS instance with the one from this release. Note: if you also have a jboss-sunxacml.jar in the lib directory, discard it.

Thursday, July 16, 2009

JBoss Identity has OpenID Integration

I am pleased to announce the availability of JBoss Identity 1.0.0.alpha4 at http://jboss.org/jbossidentity/downloads/.

The significant feature addition is OpenID. More details are available at the OpenID Integration Wiki.

To become an OpenID Consumer (Relying Party), all you have to do is download the openid-consumer.war archive and deploy it.

Monday, July 6, 2009

JBoss EAP 4.3 is Common Criteria Certified



I had the privilege of leading the Common Criteria evaluation process of JBoss Enterprise Application Platform (EAP) 4.3 from inception to completion. It gives me immense pleasure to join the other announcements (Rich Sharples' Blog) in declaring that JBoss EAP 4.3 is Common Criteria certified for EAL2+.


Press Release: Red Hat Press
Agency (BSI) Page: BSI

What does it really mean to customers?
Customers can be assured that EAP 4.3 has gone through strict evaluation by Security Evaluators/Auditors (atsec) for adherence to the security principles set down by Common Criteria. If security is a priority for you, then it makes sense to configure EAP 4.3 according to the "Common Criteria Configuration Guide".

Do I need to pay more for the common criteria evaluated version of JBoss EAP 4.3?
As a customer, you do not have to.

NOTE: We are NOT talking about JBoss Application Server available in the community, but the enterprise version available from Red Hat.

Tuesday, June 23, 2009

SAML2/XACMLv2 Out of the Box

Suppose you have the following needs:
a) Need to have XACMLv2 evaluation of access control requests.
b) Do not want to implement either the XACML PDP (Policy Decision Points) or PEP (Policy Enforcement Points).
c) Use SAMLv2 payload to transport the XACMLv2 request and response.
d) Use SOAP 1.1 messages to carry the SAMLv2 payload (which internally carries the XACMLv2 request/response messages).

As described in SAMLv2/XACMLv2 integration, there is a servlet provided as part of the JBossIdentity stack.

All you need to do is create the XACML policies and package it as part of a web application and configure the SOAPSAMLXACMLServlet in the web.xml as defined in the wiki article.

You get out of the box functionality without a need to write PDP or PEP. The servlet acts as the PEP/PDP combo.

Jazoon09: Secure Middleware with JBossAS5.x

I have had the privilege of presenting at Jazoon 2009 in Zurich. My presentation ended a couple of hours ago.

My presentation slides are here.

Please refer to the reference urls in the slides to get more details.

At this moment, I am sitting in the presentation by Dimitris on "JBoss AS5 and Beyond". I am sure you can get more information from his blog.

Wednesday, June 10, 2009

SAMLv2 Web Browser SSO With JBoss

If you are interested in checking out Web Browser SSO using SAMLv2.0 on JBoss or Tomcat, try JBoss Identity 1.0.0.alpha3 from:
JBoss Identity Project

The documentation is available from the wiki and guides.

You can also try Oasis WS-Trust v1.3 SAML Token Profile support using the JBoss Security Token Service.

We are very eager to get your feedback in the user forum.

Monday, June 1, 2009

JBoss AS 5.1 Security Features

Now that the JBoss AS 5.1 has been released to the community, it is time to talk more about the exciting new Security features available. Toward this end, I have written the following DZone Articles that will be published over the month of June.



1. Security Features of JBoss AS 5.1.0 - Part 1 - Simplified Security Domain Configuration
2. Security Features of JBoss AS 5.1.0 - Part 2 - Masking Passwords in the Configuration File
3. Security Features of JBoss AS 5.1.0 - Part 3 - XACML Authorization for EJB Applications
4. Security Features of JBoss AS 5.1.0 - Part 4 - XACML Authorization for WEB Applications
5. Security Features of JBoss AS 5.1.0 - Part 5 - Instance Based Authorization

So if you are interested in XACML, Instance Based Security with JBoss or want to mask passwords in the xml configuration files, read these articles.

The Security Auditing feature in AS5 is covered here:
http://server.dzone.com/articles/security-auditing-jboss

Friday, May 15, 2009

AS5: Specifying Security Domain Configuration

Historically, JBoss AS has provided the DynamicLoginConfig service to specify your security domain configuration (JAAS login modules). Starting with JBoss AS 5.0, we provide a simplified XML version of that, as follows:

You will need to create an xxx-jboss-beans.xml file, in which you can define your login modules as follows:
===================================
<?xml version="1.0" encoding="UTF-8"?>

<deployment xmlns="urn:jboss:bean-deployer:2.0">

   <application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                       flag="required">
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
            <module-option name="usersProperties">u.properties</module-option>
            <module-option name="rolesProperties">r.properties</module-option>
         </login-module>
      </authentication>
   </application-policy>

   <application-policy xmlns="urn:jboss:security-beans:1.0" name="ejb-test">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                       flag="required">
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
            <module-option name="usersProperties">u.properties</module-option>
            <module-option name="rolesProperties">r.properties</module-option>
         </login-module>
      </authentication>
   </application-policy>

</deployment>
==================================

We still support the DynamicLoginConfig mbean definition approach as well, but the aforementioned approach is simpler.

DZone Article: http://server.dzone.com/articles/security-features-jboss-510

Frequently Asked Questions:
1. Where do I place the xxx.properties files for the UsersRolesLoginModule?
You can place them under the conf directory.

AS5.1: Specifying custom call back handler

In JBoss Application Server v5.1, you can specify a custom callback handler to be used in authentication in any of the following 3 ways:

1) Specify an attribute "CallbackHandlerClassName" in the JaasSecurityManagerService mbean definition in conf/jboss-service.xml

http://www.jboss.org/community/wiki/JaasSecurityManagerService


2) Specify a system property with the fully qualified class name of the call back handler

-Dorg.jboss.security.callbackhandler=org.somefqn

3) Inject an instance of the callback handler into the JNDISecurityManagement bean in the deploy/security/security-jboss-beans.xml

=================================================================================
<bean name="MyCustomCBH" class="fqn of your class" />

<bean name="JNDIBasedSecurityManagement"
      class="org.jboss.security.integration.JNDIBasedSecurityManagement">
   <property name="callBackHandler"><inject bean="MyCustomCBH"/></property>
</bean>
=================================================================================

Unfortunately, the custom callback handler feature was broken in JBoss AS 5.0 and 5.0.1; the fix was tracked as JBAS-6747, which is now resolved.

Tuesday, May 5, 2009

JBoss AS/JBossMC: Adding secure behavior to POJOs

Let us take a look at a particular use case in which I had to inject passwords from an out-of-band password management scheme into POJOs. The use case was to eliminate clear text passwords from XML files in JBoss Application Server v5.1 and beyond. Since POJOs are the norm in JBAS5.x, it was important to figure out a mechanism to inject the passwords into POJO properties in a generic, non-intrusive way. The AOP Lifecycle Callback mechanism described in the JBoss Microcontainer documentation (http://www.jboss.org/file-access/default/members/jbossmc/freezone/docs/2.0.x/userGuide/ch05.html) empowered me to achieve my use case.

The reason I used lifecycle callbacks rather than aspects is that I needed a generic way to specify the properties where the password needed to get injected and all I cared for was the password was injected when the bean was created/started and ready for use. Hence the lifecycle callbacks fitted perfectly.

A very good use case for the aspects would be if I wanted to store values in POJO properties in an encrypted manner - hence a setter would probably encrypt the data. That use case is for another day to implement.

Let us walk through my use case implementation:

Step 1: Annotation

Let us look at a POJO definition in the JBoss AS. I can take the example of the JBoss Messaging SecurityStore bean. It has a property called "suckerPassword" that needs a password value.

==========
<bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
   <!-- default security configuration -->
   <property name="defaultSecurityConfig">
      <![CDATA[
      <security>
         <role name="guest" read="true" write="true" create="true"/>
      </security>
      ]]>
   </property>
   <property name="suckerPassword">CHANGE ME!!</property>
   <property name="securityDomain">messaging</property>
   <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
</bean>
============

Given this, I can apply an annotation in the bean definition file (messaging-jboss-beans.xml) as follows:

=================
<bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
   <!-- default security configuration -->
   <property name="defaultSecurityConfig">
      <![CDATA[
      <security>
         <role name="guest" read="true" write="true" create="true"/>
      </security>
      ]]>
   </property>
   <property name="securityDomain">messaging</property>
   <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
   <!-- Password Annotation to inject the password from the common password utility -->
   <annotation>@org.jboss.security.integration.password.Password(securityDomain=messaging, methodName=setSuckerPassword)</annotation>
</bean>
==================

As you can see, I just used the annotation definition in the xml file. I have also removed the definition of "suckerPassword" in the bean definition.

The annotation is just a regular Java annotation as follows:

====================
package org.jboss.security.integration.password;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks a bean whose password should be injected from the password
 * management system instead of being written into the bean definition.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD, ElementType.FIELD})
public @interface Password
{
   /**
    * Security Domain whose password is injected.
    * Defaults to "other".
    * @return the security domain name
    */
   String securityDomain() default "other";

   /**
    * Name of the setter method that receives the password.
    * @return the method name
    */
   String methodName();
}
=================================

It is not a magical annotation.

The annotation in the bean definition basically lets the microcontainer apply the annotation to the bean.

Step 2: AOP Lifecycle callbacks

First, I needed to add the lifecycle elements into the security-jboss-beans.xml file since these were
security callbacks. In my use case, the PasswordMaskManagement bean is the one that interacts with the
out of band password management system. I declare the lifecycle callback advices and then inject the
password mask management bean into them.

========================
<!-- Password Mask Management Bean -->
<bean name="JBossSecurityPasswordMaskManagement"
      class="org.jboss.security.integration.password.PasswordMaskManagement">
   <property name="keyStoreLocation">password/password.keystore</property>
</bean>

<!-- Support for @Password -->
<lifecycle-configure xmlns="urn:jboss:aop-beans:1.0"
                     name="PasswordRegistrationAdvice"
                     class="org.jboss.security.integration.password.PasswordLifecycleCallback"
                     classes="@org.jboss.security.integration.password.Password"
                     manager-bean="AspectManager"
                     manager-property="aspectManager">
   <property name="passwordManagement"><inject bean="JBossSecurityPasswordMaskManagement"/></property>
</lifecycle-configure>

<lifecycle-create xmlns="urn:jboss:aop-beans:1.0"
                  name="PasswordCreateDestroyAdvice"
                  class="org.jboss.security.integration.password.PasswordLifecycleCallback"
                  classes="@org.jboss.security.integration.password.Password"
                  manager-bean="AspectManager"
                  manager-property="aspectManager">
   <property name="passwordManagement"><inject bean="JBossSecurityPasswordMaskManagement"/></property>
</lifecycle-create>

<lifecycle-install xmlns="urn:jboss:aop-beans:1.0"
                   name="PasswordStartStopAdvice"
                   class="org.jboss.security.integration.password.PasswordLifecycleCallback"
                   classes="@org.jboss.security.integration.password.Password"
                   manager-bean="AspectManager"
                   manager-property="aspectManager">
   <property name="passwordManagement"><inject bean="JBossSecurityPasswordMaskManagement"/></property>
</lifecycle-install>
=============================
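The PasswordMaskManagement bean is the bridge to the out-of-band password store, which is what lets the clear text value disappear from the bean definition. As an added illustration (an assumed design, not JBoss's PasswordMaskManagement implementation), the class below keeps one password per security domain as a secret-key entry in a JCEKS keystore, with the domain name as the alias, and exposes the getPassword(securityDomain) lookup the advice relies on. The keystore path, store password and sample domain value are constructed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative keystore-backed password store (assumed design, not JBoss's
 * PasswordMaskManagement): each security domain's password is kept as a
 * secret-key entry in a JCEKS keystore under the domain name as alias, so the
 * bean definition files never carry it in clear text.
 */
public class KeyStorePasswordStore {
    private static final String STORE_TYPE = "JCEKS";       // JKS cannot hold secret-key entries
    private static final String ENTRY_ALGORITHM = "PASSWORD"; // label only; SecretKeySpec does not validate it

    private final File keyStoreLocation;
    private final char[] storePassword;

    public KeyStorePasswordStore(File keyStoreLocation, char[] storePassword) {
        this.keyStoreLocation = keyStoreLocation;
        this.storePassword = storePassword.clone();
    }

    /** Stores (or replaces) the password for a security domain. */
    public void storePassword(String securityDomain, char[] password) throws Exception {
        // Encode the chars directly; avoids creating an immutable String copy of the secret
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] raw = new byte[encoded.remaining()];
        encoded.get(raw);
        SecretKey key = new SecretKeySpec(raw, ENTRY_ALGORITHM);
        Arrays.fill(raw, (byte) 0);                 // SecretKeySpec copied the bytes; wipe ours

        KeyStore ks = load();
        ks.setEntry(securityDomain, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(storePassword));
        OutputStream out = new FileOutputStream(keyStoreLocation);
        try {
            ks.store(out, storePassword);
        } finally {
            out.close();
        }
    }

    /** Returns the password for a security domain, or null when none is stored. */
    public char[] getPassword(String securityDomain) throws Exception {
        KeyStore ks = load();
        KeyStore.Entry entry = ks.getEntry(securityDomain,
                                           new KeyStore.PasswordProtection(storePassword));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            return null;                            // unknown domain: getEntry returned null
        }
        byte[] raw = ((KeyStore.SecretKeyEntry) entry).getSecretKey().getEncoded();
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        char[] password = new char[decoded.remaining()];
        decoded.get(password);
        Arrays.fill(raw, (byte) 0);                 // caller owns the char[] and wipes it after use
        return password;
    }

    private KeyStore load() throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        if (keyStoreLocation.exists()) {
            InputStream in = new FileInputStream(keyStoreLocation);
            try {
                ks.load(in, storePassword);
            } finally {
                in.close();
            }
        } else {
            ks.load(null, storePassword);           // fresh, empty keystore
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        File location = File.createTempFile("password", ".keystore");
        location.delete();                          // let load() create a fresh keystore
        KeyStorePasswordStore store = new KeyStorePasswordStore(location, "storepass".toCharArray());
        store.storePassword("messaging", "s3cret-sample".toCharArray()); // constructed sample value
        char[] pw = store.getPassword("messaging");
        System.out.println("messaging -> " + (pw == null ? "<none>" : new String(pw)));
        System.out.println("other     -> " + (store.getPassword("other") == null ? "<none>" : "set"));
        Arrays.fill(pw, '\0');
    }
}
```

Whoever can read the keystore file and its store password can recover every domain's password, so the file needs the same filesystem protection as the clear text it replaces.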

Let us take a look at the advice.

===============================================
package org.jboss.security.integration.password;

import java.lang.reflect.Method;

import org.jboss.aop.joinpoint.Invocation;
import org.jboss.aop.joinpoint.MethodInvocation;
import org.jboss.dependency.spi.ControllerContext;
import org.jboss.kernel.spi.dependency.KernelControllerContext;
import org.jboss.logging.Logger;
import org.jboss.metadata.spi.MetaData;

/**
 * Lifecycle callback that injects the password of a bean's security domain
 * (obtained from the PasswordMaskManagement bean) into the setter named by
 * the bean's @Password annotation.
 */
public class PasswordLifecycleCallback
{
   private static final Logger log = Logger.getLogger(PasswordLifecycleCallback.class);

   private PasswordMaskManagement passwordManagement = null;

   /**
    * Set the Password Mask Management bean
    * @param passwordManagement the bean that talks to the out-of-band password store
    */
   public void setPasswordManagement(PasswordMaskManagement passwordManagement)
   {
      this.passwordManagement = passwordManagement;
   }

   /**
    * Inject the password on the setKernelControllerContext callback, provided the
    * invocation carries a Password annotation; other callbacks are ignored.
    *
    * @param invocation the invocation
    * @return the result (always null)
    * @throws Throwable for any error
    */
   public Object invoke(Invocation invocation) throws Throwable
   {
      MethodInvocation mi = (MethodInvocation) invocation;
      KernelControllerContext context = (KernelControllerContext) mi.getArguments()[0];

      boolean trace = log.isTraceEnabled();
      Password passwordAnnotation = (Password) invocation.resolveClassAnnotation(Password.class);
      if (trace)
         log.trace("Checking method: " + mi.getMethod() + ", bindingInfo: " + passwordAnnotation);

      // If this is the setKernelControllerContext callback, set the password
      if ("setKernelControllerContext".equals(mi.getMethod().getName()) && passwordAnnotation != null)
      {
         // Get the password for the bean's security domain
         String securityDomain = passwordAnnotation.securityDomain();
         char[] passwd = this.passwordManagement.getPassword(securityDomain);

         Object target = context.getTarget();
         this.setPassword(target, passwordAnnotation, passwd);
      }
      // The unsetKernelControllerContext callback needs no action: nothing to undo
      else if (passwordAnnotation != null)
      {
         if (trace)
            log.trace("Ignoring unsetKernelControllerContext callback");
      }
      else if (trace)
      {
         log.trace("Ignoring null password info");
      }

      return null;
   }

   public void install(ControllerContext context) throws Exception
   {
      // Read the @Password annotation from the bean's metadata
      Password passwordAnnotation = readPasswordAnnotation(context);
      boolean trace = log.isTraceEnabled();
      if (trace)
         log.trace("Installing: " + context.getName() + ", passwordInfo: " + passwordAnnotation);

      if (passwordAnnotation == null)
         return; // nothing to inject for beans without the annotation

      String securityDomain = passwordAnnotation.securityDomain();

      char[] passwd = this.passwordManagement.getPassword(securityDomain);

      if (passwd == null)
         log.trace("Password does not exist for security domain=" + securityDomain);
      // The bean in question is the target
      String methodName = passwordAnnotation.methodName();
      Object target = context.getTarget();
      if (trace)
      {
         log.trace("Trying to set password on " + target + " with method :" + methodName);
      }
      this.setPassword(target, passwordAnnotation, passwd);
   }

   public void uninstall(ControllerContext context) throws Exception
   {
      // ignore: there is nothing to undo
   }

   private Password readPasswordAnnotation(ControllerContext context) throws Exception
   {
      MetaData metaData = context.getScopeInfo().getMetaData();
      if (metaData != null)
         return metaData.getAnnotation(Password.class);
      return null;
   }

   /**
    * Invoke the configured setter reflectively, first with the char[] password and,
    * if that fails, with a String version for setters declared as setXXX(String).
    */
   private void setPassword(Object target, Password passwordAnnotation, char[] passwd) throws Exception
   {
      Class<?> clazz = target.getClass();
      String methodName = passwordAnnotation.methodName();
      if (methodName == null)
         throw new IllegalStateException("methodName not configured on the Password annotation for target:" + clazz);
      // SecurityActions is a privileged-action helper in the same package (not shown here)
      Method m = SecurityActions.getMethod(clazz, methodName);

      try
      {
         m.invoke(target, new Object[] {passwd});
      }
      catch (Exception e)
      {
         log.trace("Error setting password on " + clazz + ". Will try the string version.");
         m.invoke(target, new Object[] {new String(passwd)});
      }
   }
}
===========================================================================

Now as beans go through the MC lifecycle, the advice is applied. If the beans contain the @Password annotation, then
as you can see, we inject the password (by getting it from the PasswordMaskManagement bean).

Conclusion
Here we have seen injection of passwords into beans using AOP lifecycle callbacks. JBoss AS 5.x ships with a @JndiBinding annotation that can similarly bind a POJO to JNDI. A user/developer can always inject similar behavior into beans.

To summarize, if you want to leverage the AOP lifecycles in a non-intrusive manner, you can use an annotation and an advice. Then just define them in the bean definition file xxx-jboss-beans.xml.

Tuesday, April 28, 2009

NIST guidelines on Enterprise Password Management

GCN Writer William Jackson writes on NIST special publication 800-118 that offers guidelines for password management in the enterprise. The article can be accessed here.

Let's take a peek at the special publication draft.

The publication defines Password management as the process of defining, implementing, and maintaining password policies throughout an enterprise.

NIST recommends protecting the confidentiality of passwords:
1. Create a password policy that specifies all of the organization’s password management-related requirements, including FISMA and other regulatory requirements. “An organization’s password policy should be flexible enough to accommodate the differing password capabilities provided by various operating systems and applications.”
2. Protect passwords from attacks that capture passwords. “Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers and shoulder surfing, and how they should respond when they suspect an attack may be occurring. Organizations also need to ensure that they verify the identity of users who are attempting to recover a forgotten password or reset a password, so that a password is not inadvertently provided to an attacker.”
3. Configure password mechanisms to reduce the likelihood of successful password guessing and cracking. “Password guessing attacks can be mitigated rather easily by ensuring that passwords are sufficiently complex and by limiting the frequency of authentication attempts, such as having a brief delay after each failed authentication attempt or locking out an account after many consecutive failed attempts. Password-cracking attacks can be mitigated by using strong passwords, choosing strong cryptographic algorithms and implementations for password hashing, and protecting the confidentiality of password hashes. Changing passwords periodically also slightly reduces the risk posed by cracking.”
4. Determine requirements for password expiration based on balancing security needs and usability. Regularly changing passwords “is beneficial in some cases but ineffective in others, such as when the attacker can compromise the new password through the same keylogger that was used to capture the old password. Password expiration is also a source of frustration to users, who are often required to create and remember new passwords every few months for dozens of accounts, and thus tend to choose weak passwords and use the same few passwords for many accounts.”

These are practical guidelines that will help enterprises deal with issues surrounding passwords. Alternative mechanisms such as smart cards augmented by knowledge based authentication mechanisms probably need to be explored. There is no alternative for strong PKI. This sentiment is aired by the publication with "Therefore, organizations should make long-term plans for replacing password-based authentication with stronger forms of authentication for resources with higher security needs."

Wednesday, April 22, 2009

Red Hat CTO Brian Stevens on Cloud Computing

The Laurel Group has released an excellent White Paper on Cloud Computing that includes a Q&A session with Brian Stevens, Red Hat CTO. The paper can be accessed here. The paper also has Q&A sessions with visionaries/thought leaders from companies such as IBM, Cisco and Citrix. It is an excellent read.

Brian talks about Cloud 2.0. I agree with him: there is a need for research and standards around security to usher in an era of Cloud 2.0. Brian also makes an important point about the SLA language needing to be updated to include the value of data rather than just the value of the service (uptime, response times etc.). In my opinion, the SLA should also incorporate encryption policies for data, as data security is going to be of the utmost importance in the public/outsourced cloud environment.

Currently, the cloud is relevant to private clouds and to outsourcing IT duties for SMEs, which do not have the capital to host their own compute infrastructure.

I think that rather than dismissing the cloud as just hype, it is prudent to watch the developments and adopt it over time. Incorporating private clouds is certainly going to benefit companies, irrespective of size.

Let's see how long it takes to see successful, ubiquitous 'IT as a service'. It is probably only a few years away. Use cases such as Eli Lilly's use of AWS to get results for $89 (private investment would have been a billion) cannot be ignored. :)

Let's look at the current state of security in the cloud. Amazon CTO Werner Vogels talks about three-tiered security in AWS (Physical, Operational and Programmatic Security). Only a select set of Amazon employees have access to the data centres and infrastructure.

Do not forget to take a peek at the Red Hat Open Source Cloud Computing Forum.

Sunday, April 19, 2009

Whitehurst talks about Open Source Government

Jim Whitehurst's opinion on an Open Source Government that is transparent:
Red Hat is excited that the Obama administration recognizes the value of open source beyond software. Open source principles are changing how we learn, how we share information, how developers create, and how companies do business. Now it has the opportunity to change our government.


Read Jim's post here.

Thursday, April 16, 2009

Is PCI-DSS the panacea to Data Protection woes?

Looking at the battering that PCI-DSS has gone through at a recent US Government Congressional hearing, one might assume that PCI-DSS is just not sufficient for protecting customer data. The congressional hearing is discussed here.

The question should not be WHETHER it is sufficient for protecting customer data; the real issue is whether there are any other efforts in the industry to define something along the lines of PCI.

PCI is the first standard drawn up by a council that includes banks and the credit card companies, and it is a strict requirement for any entity processing credit card transactions at large scale. Now, the standard has some rules and requires the expertise of security auditors to evaluate the state of any entity.

Again, the quality of auditors is also critical to the success of the standard. There is a need to work further on the standard to figure out the loopholes and opportunities for improvement, based on real-world experience from the credit card breaches that have happened since the standard was introduced.

There is no second chance for any vendor who loses customer data. It is not just reputation that is at stake; it costs MONEY. :(

"Advances in Browser Security" Presentation

As an elected member of the Oasis IDTrust Steering Committee, I had an opportunity to participate at the NIST IDTrust 2009 symposium held at NIST.

I moderated a special session on "Browser Security" where the speakers included Prof. Chadwick from the University of Kent.

The complete program is here.

My presentation slides are here.

Enjoy.

Presentation Notes

* The CA goes through an extensive review process before issuing an EV Certificate. Annually, the CA has to go through an audit process.
* Firefox 2 and Opera display a yellow bar for https. Firefox 3 dropped the yellow bar; the user has to use the Tools menu and Page Info to get information on the certificate.
* Google Chrome uses a secure architecture that separates the web domain from the user domain. This separation of domains accounts for about 70% of web vulnerabilities; the remaining 30% are not under the control of browsers.
* Private browsing has long been one of the features most sought after by users. Apple Safari has had private browsing for a long time.
* Many of the plugins operate with root privileges. Hence it is important to use trustworthy plugins.

Tuesday, April 14, 2009

InternetEvolution: Google losing money on YouTube

An interesting analysis on the Internet Evolution site on how Google is losing money with YouTube on a daily basis. The information is here.

This analysis looks similar to the eBay acquisition of Skype gone wrong.

Of course, we all use YouTube, Skype, Facebook etc.

But sometimes the companies that you are planning to acquire may be overvalued. :)

Read here.

Friday, April 10, 2009

Bruce Schneier on Cloud Security

Bruce Schneier calls the cloud marketing hype and cautions companies to watch out in his interview.

http://www.schneier.com/news-083.html


Anil's opinion is:

Cloud has some interesting uses, mainly for data-intensive verticals such as the drug industry. The following article (requires free registration) in Information Security Magazine talks of one such use case, where a drug researcher at Eli Lilly got his research done for a sum of $89 (using Amazon EC2); his own private data centre would have cost a billion and taken months to set up.


http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1349671,00.html


In my opinion, the industry needs to address security in the cloud (via groups such as the Cloud Security Alliance). We cannot just write off the cloud as hype given useful use cases such as the Eli Lilly case.

Since sensitive data is going to flow around unknown corners of the cloud, it is imperative that encryption (and hence key management) becomes a hot topic of the day in the cloud. Apart from that, the establishment of trust models is necessary to gain confidence. You may trust the prominent cloud vendors, but what about those entities these vendors rely on to provide their services?



Sunil Madhu, Chief Security Architect, Cisco Policy Unit, has the following response to Bruce's interview:
"I agree with Bruce that the word "cloud" is a buzzword. Essentially the cloud is nothing more than a virtual, dynamic -- what I have termed, "commoditized" -- data-center. However, let's not confuse the cloud with the traditional data-center. The cloud has aspects of the traditional data-center and dare I say it -- the mainframe computing environment.

Elastic compute/storage capacity, dynamic machine on-boarding/off-boarding, template-based machine composition are all features specific to the cloud environment and not the traditional data-center. With the elastic compute/storage capacity comes additional savings through new subscription/licensing models and pay-as-you-go computing.

Think about this: if you run a service in the traditional data-center, you are forced to buy/lease sufficient infrastructure to meet your peak load scenarios -- such as during the start of the day, intra-day or during a fail-over scenario. You would have to plan for this capacity in advance and spend $$$ on redundant infrastructure accordingly. With the cloud, your compute/storage capacity is elastic -- so you don't have to buy/lease the infrastructure you don't need since the environment itself will expand and contract to meet your load demands. This is a feature that the mainframe-folks will be quite familiar with. Your compute resources go to the parts of your applications and services that need that capacity, on-demand, but at a lower TCO than the mainframe environment.

As for the whole debate about security -- common sense should dictate that just because you are moving from one type of data-center to the next does not mean that you should abandon the security best-practices developed over the last decade. The cloud does pose some new challenges, but then innovation always comes to the rescue. Good architecture and design teaches you to look at attack-vectors as a way of constraining aspects of the design. I have heard the argument that "...if you use a proprietary program or somebody else's web server, you're defenseless..." all too often before. In the past 10 years, how many operating systems did you write yourself? How many IT/IS solutions did you opt to buy COTS vs. build yourself? If your own developers were to build your very own OS and your web-server, does that make your software more trust-worthy than something off the shelf? Ever heard of the term "back-door"? This is fear-mongering and I don't at all agree with it. A key take-away from the open-source community is that transparent software can be made secure and trustworthy more easily than opaque, proprietary software.

Not all applications are suitable to the dynamics of the cloud and not all cloud-providers in themselves are suitable to help you meet 5-nines SLA, although most cloud providers promise at least 4-nines of availability. As you re-engineer/tweak your applications and services to migrate them to the cloud entirely or opt to utilize a hybrid model, make sure that you are following the same security best-practices you would do normally. There are plenty of reputable service providers for the cloud, some with innovative solutions. Indeed, the security vendors of old are slowly moving their wares to support the cloud albeit slowly.

It is a brave new world, but one that will emerge out of the hype-cycle as the operational model of choice for today's economy and tomorrow's services IMO.
"

Yes, it is a brave new world.

Wednesday, April 8, 2009

JBossXACML v2.0.3 Released

Since we had a very successful interoperability experience as part of the Oasis-HITSP Technology Demonstration at HIMSS2009 in Chicago, we are ready to roll the next version of JBossXACML.

JBossXACML v2.0.3 should be available from here.


Release Notes:
==========================
Release Notes for JBoss Security and Identity Management
Includes versions: JBossXACML_2.0.3.alpha JBossXACML_2.0.3.CR1 JBossXACML_2.0.3.CR2 JBossXACML_2.0.3.CR3 JBossXACML_2.0.3.CR4 JBossXACML_2.0.3 JBossXACML_2.0.3.CR5

** Sub-task
* [ SECURITY-390 ] JBossXACML: ResourceLocator
* [ SECURITY-396 ] Rule:: NPE if description of a rule is empty
* [ SECURITY-400 ] XACML Conformance Tests: Mandatory - attribute references, functions, combination algos
* [ SECURITY-401 ] XACML Conformance Tests: Mandatory - schema components

** Feature Request
* [ SECURITY-257 ] AttributeDesignator should throw RuntimeException when a particular attribute that was expected is missing
* [ SECURITY-275 ] JBossSAMLRequest: buildRequest method
* [ SECURITY-382 ] JBossPDP ctr to take Configuration Metadata also
* [ SECURITY-388 ] JBossXACML: AttributeLocator
* [ SECURITY-407 ] XACML: Configuration should allow specifying just the locators (and no policies)

** Bug
* [ SECURITY-206 ] Attribute type not set in constructor
* [ SECURITY-295 ] NPE in JBossPDP -> createValidatingUnMarshaller when schema is missing
* [ SECURITY-351 ] JBossResponseContext->getResult has missing values
* [ SECURITY-391 ] JBossXACML: PDP construction should be one time
* [ SECURITY-394 ] FunctionBase: bag-size throws an IllegalArgumentException
* [ SECURITY-395 ] AbstractPolicy: Empty Description element throws NPE
* [ SECURITY-397 ] XACML: HigherOrderFunction checkInputs needs to relax type checking on evaluations
* [ SECURITY-399 ] XACML: Apply->evaluate method tries to encode an attributeValue that can be a bag
* [ SECURITY-403 ] XACML: Resource can have multiple attributes with resource-id
* [ SECURITY-405 ] XACML:: TimeAttribute computes GMT milliseconds incorrectly when the date is 1 day after Jan 1, 1970

** Task
* [ SECURITY-335 ] Sync up sunxacml bug fixes
* [ SECURITY-337 ] Validate the Oasis XACMLv2 conformance tests
* [ SECURITY-359 ] Retire jboss-xacml-saml module
* [ SECURITY-360 ] Assembly for jbossxacml
* [ SECURITY-409 ] Release JBossXACML 2.0.3
==============================================================

What is new?
* Some performance improvements in the PDP evaluation. Previously we were creating a PDP per evaluation. Now we instantiate a PDP and then use it for each evaluation. (Call this an oversight. We are human!).
* You can specify just locators (policy, attribute or resource) in the configuration file without needing to specify the policies/policy sets. This is useful when you need to write a locator that fetches a policy or attribute from a different location.
* The Oasis v2 Conformance Tests are now part of the JBossXACML test suite. So every release will ensure that we have conformance.

User Guide: http://www.jboss.org/auth/jbosssecurity/docs/jbossxacml/html/jbossxacml.html

Tuesday, March 31, 2009

JBossXACML 2.0.3.CR5 released

http://www.jboss.org/jbosssecurity/downloads/JBoss%20XACML

Pick the JBossXACML CR5 version from the xacml downloads section (Ignore the download counter as it is not working).

Bugs Fixed:
SECURITY-403 XACML: Resource can have multiple attributes with resource-id
SECURITY-405 XACML:: TimeAttribute computes GMT milliseconds incorrectly when the date is 1 day after Jan 1, 1970

If you are interested in adding this to JBossAS 5.0.x, then from the common/lib directory remove jboss-xacml.jar and jboss-sunxacml.jar and place jbossxacml.jar there.


User Guide: http://www.jboss.org/auth/jbosssecurity/docs/jbossxacml/html/jbossxacml.html

Wednesday, March 25, 2009

JBossXACML 2.0.3.CR4 released

Please pick up the CR4 release of JBossXACML in the 2.0.3 cycle at:
http://www.jboss.org/jbosssecurity/downloads/JBoss%20XACML/

(NOTE: Ignore the download counter which is showing 0. It is broken).

Release Notes for JBoss Security and Identity Management
Includes versions: JBossXACML_2.0.3.CR4

** Sub-task
* [ SECURITY-396 ] Rule:: NPE if description of a rule is empty
* [ SECURITY-400 ] XACML Conformance Tests: Mandatory - attribute references, functions, combination algos
* [ SECURITY-401 ] XACML Conformance Tests: Mandatory - schema components

** Bug
* [ SECURITY-394 ] FunctionBase: bag-size throws an IllegalArgumentException
* [ SECURITY-395 ] AbstractPolicy: Empty Description element throws NPE
* [ SECURITY-397 ] XACML: HigherOrderFunction checkInputs needs to relax type checking on evaluations
* [ SECURITY-399 ] XACML: Apply->evaluate method tries to encode an attributeValue that can be a bag

** Task
* [ SECURITY-337 ] Validate the Oasis XACMLv2 conformance tests
* [ SECURITY-402 ] Release JBossXACML 2.0.3.CR4

References:
JBossXACML Announcements: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=152989

Additional Note: JBossXACML Debugging:
If you want debug information for the rule evaluation, create a logging.properties file like this:
============================
# Specify the handlers to create in the root logger
# (all loggers are children of the root logger)
# The following creates two handlers
handlers = java.util.logging.ConsoleHandler, java.util.logging.FileHandler

# Set the default logging level for the root logger
.level = ALL

# Set the default logging level for new ConsoleHandler instances
java.util.logging.ConsoleHandler.level = ALL

# Set the default logging level for new FileHandler instances
java.util.logging.FileHandler.level = ALL

# Set the default formatter for new ConsoleHandler instances
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter

# Log the JBossXACML (sunxacml) evaluation engine at FINEST and silence JAXB output
org.jboss.security.xacml.sunxacml.level = FINEST
com.sun.xml.bind.level = OFF
=====================================================

Now pass the system property pointing at the location of this file, for example:
-Djava.util.logging.config.file=src/test/resources/logging.properties

Then you should see something like:
=========================================
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.StandardCombiningAlgFactory initAlgorithms
CONFIG: Initializing standard combining algorithms
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory initGeneralFunctions
CONFIG: Initializing standard General functions
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory initConditionFunctions
CONFIG: Initializing standard Condition functions
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory initTargetFunctions
CONFIG: Initializing standard Target functions
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.PDP <init>
FINE: creating a PDP
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.finder.PolicyFinder init
FINER: Initializing PolicyFinder
Resource must contain resource-id attr
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-bag-size:<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
:::result=2
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:integer-equal:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
::org.jboss.security.xacml.sunxacml.attr.IntegerAttribute@0:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
</Apply>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-subset:<SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string"/>
::<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
<SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string"/>
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:and:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
</Apply>
</Apply>
::<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
<SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string"/>
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine
FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:allowed:organizations:deny:result=3
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
:::result=15:38:25.553000000-05:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time"/>
:::result=00:00:00-08:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
::<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
</Apply>
:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
:::result=15:38:25.553000000-05:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time"/>
:::result=23:59:00-08:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
::<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
</Apply>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:or:<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
</Apply>
</Apply>
::<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time"/>
</Apply>
</Apply>
</Apply>
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine
FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:hoursofoperation:deny:result=1
=============================

This is very good debug information.
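At FINEST the trace grows quickly, so it helps to condense it into one line per Rule. The following helper is an added example (not part of JBossXACML; class name constructed) that does this; it assumes the line formats shown above and that the numeric code in "Rule id:...:result=N" is sunxacml's Result.DECISION_* value.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Condenses the java.util.logging trace produced with the logging.properties above into
// one entry per Rule: the "function=result" steps the PDP logged while evaluating it and
// the decision that DenyOverridesRuleAlg recorded for it.
public class XacmlTraceSummary
{
   // "Rule id:...:result=N" carries sunxacml's Result.DECISION_* code:
   // 0 = Permit, 1 = Deny, 2 = Indeterminate, 3 = NotApplicable.
   private static final String[] DECISIONS = {"Permit", "Deny", "Indeterminate", "NotApplicable"};
   private static final Pattern FUNCTION = Pattern.compile("^FINE: Function:([^<]+?):<");
   private static final Pattern RESULT = Pattern.compile(":::result=(.*)$");
   private static final Pattern RULE = Pattern.compile("^FINE: Rule id:(.+):result=(\\d+)$");

   // One rule's decision plus the "function=result" steps logged before it.
   public static final class RuleTrace
   {
      public final String ruleId, decision;
      public final List<String> steps;

      RuleTrace(String ruleId, String decision, List<String> steps)
      {
         this.ruleId = ruleId;
         this.decision = decision;
         this.steps = steps;
      }
   }

   public static List<RuleTrace> parse(String trace)
   {
      List<RuleTrace> rules = new ArrayList<RuleTrace>();
      List<String> pending = new ArrayList<String>();
      String currentFunction = null;
      for (String line : trace.split("\\r?\\n"))
      {
         Matcher fn = FUNCTION.matcher(line);
         if (fn.find())
         {
            // Keep the short name ("string-bag-size"); argument XML is skipped until ":::result=".
            String id = fn.group(1);
            currentFunction = id.substring(id.lastIndexOf(':') + 1);
         }
         Matcher res = RESULT.matcher(line);
         if (res.find() && currentFunction != null)
         {
            pending.add(currentFunction + "=" + res.group(1));
            currentFunction = null;
            continue;
         }
         Matcher rule = RULE.matcher(line);
         if (rule.find())
         {
            int code = Integer.parseInt(rule.group(2));
            String decision = (code >= 0 && code < DECISIONS.length) ? DECISIONS[code] : "Unknown(" + code + ")";
            rules.add(new RuleTrace(rule.group(1), decision, pending));
            pending = new ArrayList<String>();
         }
      }
      return rules;
   }

   // Deny-overrides rule combining as DenyOverridesRuleAlg applies it. The trace does not
   // show each rule's Effect, so an Indeterminate rule is handled as the spec's "potential
   // deny" case and the combined result becomes Indeterminate.
   public static String denyOverrides(List<RuleTrace> rules)
   {
      boolean indeterminate = false, permit = false;
      for (RuleTrace r : rules)
      {
         if ("Deny".equals(r.decision)) return "Deny";
         indeterminate |= "Indeterminate".equals(r.decision);
         permit |= "Permit".equals(r.decision);
      }
      return indeterminate ? "Indeterminate" : permit ? "Permit" : "NotApplicable";
   }

   // Constructed sample modelled on the trace above (designator XML abbreviated).
   public static final String SAMPLE_TRACE =
         "Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate\n"
       + "FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-bag-size:<ResourceAttributeDesignator/>\n"
       + ":::result=2\n"
       + "Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate\n"
       + "FINE: Function:urn:oasis:names:tc:xacml:1.0:function:integer-equal:<Apply FunctionId=\"...string-bag-size\">\n"
       + "<ResourceAttributeDesignator/>\n"
       + "</Apply>\n"
       + "::org.jboss.security.xacml.sunxacml.attr.IntegerAttribute@0:::result=false\n"
       + "Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine\n"
       + "FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:allowed:organizations:deny:result=3\n"
       + "Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine\n"
       + "FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:hoursofoperation:deny:result=1\n";

   public static void main(String[] args)
   {
      List<RuleTrace> rules = parse(SAMPLE_TRACE);
      for (RuleTrace r : rules)
         System.out.println(r.ruleId + " -> " + r.decision + " " + r.steps);
      System.out.println("deny-overrides => " + denyOverrides(rules));
   }
}
```

Run against the real trace above, the first rule shows as NotApplicable with its string-bag-size/integer-equal/not/string-subset/and steps and the hours-of-operation rule as Deny, which is what deny-overrides then returns.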


User Guide: http://www.jboss.org/auth/jbosssecurity/docs/jbossxacml/html/jbossxacml.html

Friday, March 20, 2009

JBossXACML 2.0.3.CR3 released

The next iteration of JBossXACML in the 2.0.3 cycle is available now. It can be downloaded from the downloads page here:
http://www.jboss.org/jbosssecurity/downloads/JBoss%20XACML


====================
Release Notes for JBoss Security and Identity Management
Includes versions: JBossXACML_2.0.3.CR3

** Sub-task
* [ SECURITY-390 ] JBossXACML: ResourceLocator

** Feature Request
* [ SECURITY-388 ] JBossXACML: AttributeLocator

** Bug
* [ SECURITY-391 ] JBossXACML: PDP construction should be one time

** Task
* [ SECURITY-392 ] Release JBossXACML 2.0.3.CR3
=========================================

Those are the release notes.

Improvements in 2.0.3.CR3:
* Support for specifying Attribute Locators and Resource Locators.
* Minor performance improvement: the internal PDP is constructed one time rather than at each request evaluation.

What are Attribute Locators?
Attribute Locators are consulted when the policy specifies certain attributes as necessary for evaluation and the request comes without the required attribute. In that case, the PDP asks the attribute locator for a value for the attribute in order to make an evaluation. Again, remember the attribute locator is driven by the POLICY and not the REQUEST.

Procedure for Attribute Locators:
* Write a subclass of org.jboss.security.xacml.locators.AttributeLocator
* Override the following methods in your attribute locator:
  - AttributeFinderModule#findAttribute(String, org.w3c.dom.Node, URI, org.jboss.security.xacml.sunxacml.EvaluationCtx, String)
  - AttributeFinderModule#findAttribute(URI, URI, URI, URI, org.jboss.security.xacml.sunxacml.EvaluationCtx, int)
* Then specify the attribute locator in your configuration file as shown in the example below.

Resource Locators
These are used in the Hierarchical Profile if you decide to use it.

Configuration File

=================================
<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
  <ns:Policies>
    <ns:PolicySet>
      <ns:Location>test/policies/interop/xacml-policySet.xml</ns:Location>
      <ns:Policy>
        <ns:Location>test/policies/interop/xacml-policy2.xml</ns:Location>
      </ns:Policy>
      <ns:Policy>
        <ns:Location>test/policies/interop/xacml-policy3.xml</ns:Location>
      </ns:Policy>
      <ns:Policy>
        <ns:Location>test/policies/interop/xacml-policy4.xml</ns:Location>
      </ns:Policy>
      <ns:Policy>
        <ns:Location>test/policies/interop/xacml-policy5.xml</ns:Location>
      </ns:Policy>
    </ns:PolicySet>
  </ns:Policies>
  <ns:Locators>
    <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator"/>
    <ns:Locator Name="org.jboss.test.security.xacml.locators.TestAttributeLocator">
      <ns:Option Name="identifier">test-attrib</ns:Option>
      <ns:Option Name="attributeDesignatorSupport">true</ns:Option>
      <ns:Option Name="attributeSelectorSupport">true</ns:Option>
      <ns:Option Name="attributeDesignatorInt">0</ns:Option>
      <ns:Option Name="attributeDesignatorInt">1</ns:Option>
      <ns:Option Name="attributeDesignatorInt">2</ns:Option>
      <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:action:action-id</ns:Option>
      <ns:Option Name="attributeSupportedId">http://www.w3.org/2001/XMLSchema#string</ns:Option>
      <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:subject:buy-offer-price</ns:Option>
      <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
    </ns:Locator>
    <ns:Locator Name="org.jboss.test.security.xacml.locators.TestResourceLocator">
      <ns:Option Name="identifier">test-resource</ns:Option>
      <ns:Option Name="resourceChildSupport">true</ns:Option>
      <ns:Option Name="resourceDescendantSupport">true</ns:Option>
    </ns:Locator>
  </ns:Locators>
</ns:jbosspdp>
=================================

The "Option" element names come from the AbstractLocator interface:
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.3.CR3/jboss-xacml/src/main/java/org/jboss/security/xacml/interfaces/AbstractLocator.java


================================
String IDENTIFIER_TAG = "identifier";
String ATTRIBUTE_DESIGNATOR_SUPPORT_TAG = "attributeDesignatorSupport";
String ATTRIBUTE_SELECTOR_SUPPORT_TAG = "attributeSelectorSupport";
String ATTRIBUTE_SUPPORTED_ID_TAG = "attributeSupportedId";
String ATTRIBUTE_DESIGNATOR_INTEGER_TAG = "attributeDesignatorInt";
String RESOURCE_CHILD_SUPPORTED_TAG = "resourceChildSupport";
String RESOURCE_DESCENDANT_SUPPORTED_TAG = "resourceDescendantSupport";
================================


User Forum: http://www.jboss.org/index.html?module=bb&op=viewforum&f=49

Thursday, March 5, 2009

Vivek Kundra is the US Federal CIO

I had broached this topic in my previous blog post here.
http://anil-identity.blogspot.com/2009/01/us-cto-candidate-and-open-source.html


US President Obama has chosen 34 year old Vivek Kundra, a proponent of Open Government and use of Open Source/Web 2.0 technologies, as the US CIO.

White House Names First Chief Information Officer


Congrats to Vivek and please continue the use of Open Source software for eGovernance.

Wednesday, March 4, 2009

JBossXACML 2.0.3.CR1 released

I would like to announce the availability of the JBossXACML v2.0.3.CR1 release. You can get it from the downloads page here:
JBossXACML Download

What does this have over the last v2.0.2.SP1 release?
* Bug fixes.
* Consolidation of jboss-xacml.jar and jboss-sunxacml.jar into one jar - jbossxacml.jar
* Discontinuation of the jboss-xacml-saml.jar as this functionality is currently provided by JBossIdentity.

As always, please provide feedback at the user forum.

FAQ:
1) How do I use this CR1 jar in AS5.x?
AS5.0.0.GA and 5.0.1.GA contain the v2.0.2.SP1 release of JBossXACML. Just replace jboss-xacml.jar and jboss-sunxacml.jar in the common/lib directory with jbossxacml.jar.

2) Are there any tutorials?
http://java.dzone.com/articles/fine-grained-web-authorization

Friday, February 27, 2009

JBoss Identity 1.0.0.alpha2 released

NOTE: Please refer to http://jboss.org/picketlink


==================================OUTDATED===========================

Please check: http://www.jboss.org/community/wiki/JBossIdentityFederation
for the most recent updates.

It gives me pleasure to announce the next iteration of JBoss Identity. The new version is 1.0.0.alpha2.

You can download the binary in zip format for either JBoss Application Server or Apache Tomcat from here:
http://www.jboss.org/jbossidentity/downloads/


The documentation in zip format contains a User Guide as well as a Developer Guide.

What does this contain?
a) An IDM component (1.0.0.Alpha2), driven by Bolek of JBoss Portal, that provides an API/model for the identity needs of your applications.
b) Identity Federation component (v1.0.0.alpha2) that has the following:
- SAMLv2 based Web Browser SSO. (HTTP/Redirect Binding)
- SAMLv2 based Web Browser SSO with XML Signature Support.
- SAMLv2 based Web Browser SSO with XML Encryption Support.
c) Latest version of JBoss XACML component for Oasis XACML v2 support. (v2.0.3.CR1)

Developers who are interested in adding SAML support to their applications can use the API mentioned in the Developer guide.

All you need to do is unzip the distribution in JBAS or Tomcat. Please follow the User Guide for more information.

If you have any questions, please use the User Forum.

Please watch for more information on this wiki: http://www.jboss.org/community/docs/DOC-13254 (we will certainly provide more information here based on feedback).

Wednesday, February 25, 2009

IDTrust: Security in Java Applications

I have heard from folks whom I have met face to face in the last few months that they need authentication, authorization and audit capabilities for their Java applications when these are not running in a container such as JBoss AS. It should also be easy to port these applications to JBoss AS.

In this vein, I created a project some time ago called IDTrust, but only recently released a jar. You can use it in your stand-alone applications (provided you download the dependent jars as mentioned in the wiki below).

You can get more info at this wiki page:
https://www.jboss.org/community/docs/DOC-13374

Please use the User Forum to discuss or critique it.

I know there is still work to be done from my end. Your feedback/questions will make the road smoother. :)

Wednesday, February 4, 2009

Kerberizing Web Identity and Services

Jeff Hodges blogs about some new work from MIT Kerberos Consortium.
You can look here.

In my view, the trust span of Kerberos is limited to the footprint of the KDC. But this new proposal, highlighted in this picture, uses various other forms of trust identifiers alongside Kerberos.

Monday, February 2, 2009

JBoss Identity Community Platform 1.0.0.alpha1 released

NOTE: please refer to http://jboss.org/picketlink


I am pleased to announce the 1.0.0.alpha1 release of the "JBoss Identity Community Platform" for your Identity Management needs.

The project URL is:
http://www.jboss.org/jbossidentity

The JBoss Identity Community Platform contains the following:
a) An Identity Management Framework under the IDM subcomponent. Description is available from Bolek's thread:
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=149355


IDM provides management of identities (Identity, Attributes, Roles, etc.) with plug-and-play Identity Stores.

b) An Identity Federation project that provides federated identity capabilities including SAML v2 based Web SSO.
UserGuide: http://www.jboss.org/file-access/default/members/jbossidentity/freezone/guides/identity-fed/UserGuide/pdf/UserGuide.pdf
DeveloperGuide: http://www.jboss.org/file-access/default/members/jbossidentity/freezone/guides/identity-fed/DeveloperGuide/pdf/DeveloperGuide.pdf

Apart from Web SSO, advanced support includes XML Signature support for trust management and an object model for SAMLv2 and WS-Trust to develop federated identity based applications/services.

c) XMLKey project that provides key management capabilities based on W3C XKMS v2 and Oasis Symmetric Key Management. This project currently provides an object model and unit tests displaying the use of the object model for key management. Some additional work is pending for this project.

The community platform can be enhanced with functionality from:
1) JBoss XACML project that provides fine grained authorization using Oasis XACML v2.0 standards. Remember that for alpha1 you will need the 2.0.3.alpha release of JBossXACML (pick the jars from http://repository.jboss.org/maven2/org/jboss/security/jboss-xacml/2.0.3.alpha/jboss-xacml-2.0.3.alpha.jar and http://repository.jboss.org/maven2/org/jboss/security/jboss-sunxacml/2.0.3.alpha/jboss-sunxacml-2.0.3.alpha.jar ).


2) JBoss Negotiation project that provides desktop SSO using SPNego/Kerberos for your web applications. (http://anil-identity.blogspot.com/2009/01/jboss-kerberosspnego-support.html)

Even though this is an announcement for an alpha version of the community platform, we are working aggressively on this project and solicit and welcome questions/feedback/contributions from the community. Please stay tuned for frequent release announcements for this project.

Acknowledgements :
I would like to acknowledge Bolek from the JBoss Portal project for the excellent work on the IDM framework. I also thank Darran for the work on JBoss Negotiation. I also thank Mark Little, Sohil, ThomasH, Stefan, Jeff, TomB, Marcus, MikeBrock, Mark Proctor, Greg Hinkle, Charles and others for the support/feedback.

Reference:
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4206426


FAQ:
1) Why the name "Community Platform"?
It is a selected set of projects/technologies/standards that will cater to the community's identity management needs.

2) What about the other profiles of SAMLv2?
We wish to have a feedback cycle with the community to understand the needs and use cases. You can certainly vote on the profiles with your use case information here:
https://jira.jboss.org/jira/secure/IssueNavigator.jspa?reset=true&pid=12310640&status=1


3) How can I get in touch with the developers of this project?
Register on the jboss-security-beta mailing list at
https://www.redhat.com/mailman/listinfo
or use the forum at http://www.jboss.com/index.html?module=bb&op=main&c=32

Survey: JBoss with Kerberos/SPNego.

My earlier post, http://anil-identity.blogspot.com/2009/01/jboss-kerberosspnego-support.html,
announced the release of 2.0.3.GA of JBoss Negotiation, which allows desktop SSO for web applications deployed on JBoss Application Server.

I have created a survey at http://anil-identity.blogspot.com (look at the left hand column) to get a sense of what your usage/requirements are. As always, keep the comments/questions flowing in.

Call for Papers: RH Summit/JBoss World 2009

What are you waiting for?


===============================================================
http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20090202005170&newsLang=en

Red Hat Opens Call For Papers For Red Hat Summit And JBoss World 2009

RALEIGH, N.C.--(BUSINESS WIRE)--Red Hat, Inc. (NYSE: RHT), the world's leading provider of open source solutions, today announced that the call for papers is now open for the fifth-annual Red Hat Summit and the fourth-annual JBoss World. Both events are co-located at the Chicago Hilton, and will take place Sept. 1-4, 2009.

The 2009 Red Hat Summit and JBoss World will provide business decision makers, engineers, developers and community enthusiasts insight into the latest open source advancements in Red Hat solutions and JBoss Enterprise Middleware technologies. A comprehensive agenda allows attendees the unique opportunity to move between both conferences, and experience technical and business seminars, hands-on labs and demos, customer case studies, networking opportunities, partner displays and visionary keynotes.

Submissions are being accepted for the 2009 Red Hat Summit in the following categories:

  • Red Hat Enterprise Linux and Infrastructure: Tell us how the Red Hat Enterprise Linux platform and related infrastructure solutions, including applications, and virtualization helped to improve security, performance and generally helped with optimization.
  • Open Source: Present topics meant for building on the discussion of the current issues and future opportunities facing open source advocates -- the meaning of open source, how it's changing the software world and its effect on businesses, governments and society. Topics may include intellectual property, collaboration, best practices, Creative Commons and licensing.
  • Emerging Technologies: Present your views and information about projects and technologies focused on the future of open source and Linux, where the Linux platform is being extended today and discussions on Linux and related open source technologies and projects from a long-term perspective.
  • Business Perspectives: Share knowledge with others who will discuss the value that Linux and open source bring to organizations, business trends, Red Hat partner programs and ways open source technology can help solve business problems.
  • Carving out Costs: Pass on experiences of ways to reduce overall IT costs through deployment of open source and Linux technologies, extracting more value out of existing systems and increasing competitive advantage.

Submissions are being accepted for the 2009 JBoss World in the following categories:

  • Emerging and Next-generation Technology: Tell us how you are using and/or extending JBoss technologies to solve real business-IT problems today. Suggested topics include how you are leveraging existing JBoss runtimes and frameworks in conjunction with other development frameworks, emerging APIs, new standards, cloud computing paradigms, etc. to create the rich Internet applications and services that deliver new heights of functionality.
  • SOA & BPM: Tell us how you are using JBoss runtimes and frameworks along with other technologies, standards, and best practices to reduce business process friction and shift your organization to a service-oriented architecture. Suggested topics include how you got started on the path to SOA, solutions that increased the efficiency of business processes, and/or solutions that increased your ability to rapidly reuse and update services.
  • Optimize, Secure, & Manage: Tell us how you optimize performance, meet service level agreements, and ensure a secure, stable production environment for your JBoss applications. Share with us the best practices and technologies your IT administrators use to consistently meet and exceed line of business and end user expectations.
  • Migration: Tell us how and why you successfully migrated applications to JBoss Enterprise Platforms. Include your porting strategies and best practices, as well as the business impact of switching to JBoss Enterprise Platforms throughout your middleware architecture.
  • Enterprise Insights: As a Senior IT Leader, you are tasked with navigating business trends and IT industry developments to lead your IT organization to meet and exceed its goals. Tell us how the emergence and continued maturation of open source software have shaped the way you think about enterprise IT and computing, and what role JBoss Enterprise Middleware plays in helping you meet your goals.
  • Carving out Costs: Tell us how you are leveraging JBoss Enterprise Middleware to reduce overall IT costs, extract more value out of existing systems, and increase your competitive advantage.

"By combining the Red Hat Summit and JBoss World in 2009, our customers, partners, and community activists will have a broader opportunity to share, network, and further explore open source technologies," said Paul Cormier, executive vice president and president, Products and Technologies at Red Hat. "Presenters will have a distinct opportunity to share innovative topics with both the infrastructure and middleware communities that will provide exceptional value to all attendees."

The 2009 Red Hat Summit and JBoss World call for papers closes on March 9, 2009. For more information on the call for papers, to make a submission, or for sponsorship activities, visit either www.jbossworld.com or www.redhat.com/promo/summit/2009/.

About Red Hat, Inc.

Red Hat, the world's leading open source solutions provider, is headquartered in Raleigh, NC with over 65 offices spanning the globe. CIOs ranked Red Hat as one of the top vendors delivering value in Enterprise Software for five consecutive years in the CIO Insight Magazine Vendor Value survey. Red Hat provides high-quality, affordable technology with its operating system platform, Red Hat Enterprise Linux, together with applications, management and Services Oriented Architecture (SOA) solutions, including JBoss Enterprise Middleware. Red Hat also offers support, training and consulting services to its customers worldwide. Learn more: http://www.redhat.com.
