

Thursday, November 25, 2010

Response: Glassfish versus JBoss Community Patches

Please refer to my earlier blog post:  Community JBoss AS versus JBoss EAP  (April 2010) for further information.

Ok, I had to respond to a blog post titled "Glassfish vs JBoss Community Patches" because it made liberal use of the words security, PCI and patches.

Chris Mahns is responding to Rich Sharples' blog post but brought in the terms "security" and "PCI". This has prompted me to respond.

Let me tell you a story.  A friend of mine runs a non-profit public forum using Joomla/PHP etc. One day, he gave me a call to tell me that his site had been serving malware and to ask whether I knew of any easy means of preventing that in the future.  I told him that I would look into it.  He came back to me in less than a week to tell me that attackers had exploited the fact that he had not applied the latest patches for Joomla. My friend had missed one patch and his users were all served malware. (It can happen to credible web sites such as the New York Times. Read Here).

Thinking further, I realized that it is becoming extremely critical for general users to stay on top of the patch process, because someone has to triage security vulnerabilities, coordinate across components, collate patches, write patch reports and maintain relationships with organizations such as Mitre/NIST (CVE and NVD), which the general public cannot really do.

I strongly stress to users (whenever asked) that they should adopt OSS that is delivered by JBoss or Apache or any organization with a strong "Security Response Team".  For JBoss (Red Hat), we utilize the Red Hat Security Response Team, which does an amazing job of triaging and generating patches and errata for customers. They have relationships with software foundations such as the ASF and also with the reporting agencies (Mitre/NIST etc).

Now as a user, if you are interested in "Security" and "PCI" compliance, then YOU SHOULD NOT be using the community version of the JBoss Application Server but an Enterprise Platform from Red Hat such as EAP or the SOA-P, because the components are not only stable but tightly monitored by the security response team.  The team releases patches frequently, based on the criticality.

I will tell you from experience that it is not easy to stay on top of security vulnerabilities and patches if there are multiple open source projects involved.  A typical middleware server such as JBoss Application Server contains a large number of OSS projects (developed on JBoss community and other places such as the Apache Software Foundation).

Coming back to community version of JBoss, when we identify vulnerabilities, we typically fix and release as part of the next iteration of the community AS.  I even have a wiki article on JBoss community about this.  Look at Security Vulnerabilities Notification to Community.

We CANNOT spend resources on patching JBoss AS 4.0.1 or releasing a patch for AS 3.2.3 whenever a vulnerability is identified in a component such as Tomcat. For heaven's sake: you chose cutting-edge innovation and wanted the latest and greatest.  If so, then you should be moving forward with the latest community version of JBoss AS. Adopt the JBoss AS6 CR releases as they happen. Once AS6 comes out, get on it right away.

As users, you make conscious choices about whether you want flexibility, cost savings, reliability or security. If you want to be on the latest and greatest, cutting-edge stuff, then adopt the JBoss Application Server (Community Version).  If you are going to run banking software, financial software or a defense establishment on JBoss middleware, then PLEASE adopt EAP or other Red Hat middleware products. You save yourself and us a lot of trouble.

Please refer to my blog post wherein I notify the community of vulnerabilities existing in JBoss community projects. It is not as if we totally ignore the community (which has made us powerful).

Also refer to my 2008 blog post where I assert that we take security seriously at JBoss.

I spend a portion of my time talking to security evaluators who are currently evaluating JBoss EAP 5.1 for Common Criteria at EAL4+.  We certified JBoss EAP 4.3 at EAL2+.  The Common Criteria evaluation is a very intense exercise that can be daunting at times, because the evaluators look at the entire laundry and pinpoint which pieces are dirty and need to be washed.

To summarize, if you are worried about security, PCI compliance, FIPS, Common Criteria and any other security certification/jargon etc, then please adopt a middleware platform from JBoss. You should not be fiddling with a community middleware stack.

My development environment is on Fedora Linux.  When I need the latest patches, bug fixes, I update to the next version of Fedora rather than just cry over not having patches over an older version of Fedora.  This is a choice I made.  If I needed stability, I would probably develop on RHEL.

And I would like to wish my US colleagues/friends at Oracle/Glassfish a very Happy Thanksgiving. "May the break and family time raise your morale". Let's say Amen to that.


Monday, November 22, 2010

Kerberos support in JBoss Application Server

If you have ever wondered about Kerberos/SPNego support in JBoss Application Server, then you should definitely look at the Kerberos Dashboard Article.

Thanks to Marcus for adding a new article on EJB3 Authentication with SPNego.

Tuesday, October 12, 2010

XACML Policy Editors - Domain driven or language driven

The authorization process is extremely cumbersome and prone to errors. Typically it is rules based. Decisions based on combinations of rules can lead to errors or holes. If an error results in the access check returning a "denial", then the damage is minimal: someone can verify why that particular access check got turned down.  On the contrary, if the errors lead to a successful unauthorized access, then you know the answer. :)

One of the challenges associated with configuring security is not contempt towards the field of security but the perception of complexity. Administrators/architects/developers are put off by the number of possible combinations involved in configuring ACLs/rules.

In the Java EE world, web.xml acts as the bedrock of container driven security for web applications.  Long ago, I wrote an article on this that highlighted the permutations and combinations available to admins/devs. Ok, I am a big supporter of container based security because the opposite (custom security) is prone to errors and unmaintainable over the long run.

Coming back to configuring rules, probably 10% of devs/architects/admins are fully versed in the XACML language. For them a pure XACML policy editor makes sense.  The rest of the crowd just wants to configure their access control system in plain language, as follows:
  • This web application can be accessed by an user in the group "employee".
  • This part of the web application is restricted to managers alone.
  • This part of the web application is accessible under normal business hours.
Now the domain based editor for the web applications needs to have UI elements that are simple to understand. The person configuring the system will be able to look at the requirements and check/select the appropriate boxes.

While I am not denying the usefulness of a full-fledged XACML policy editor, I seriously disagree that such editors should be the norm. If XACML is to see ubiquitous adoption, there is a need for configurable domain-based editors. The infrastructure for access control can be driven by XACML policies and evaluation, but the policy configuration has to be driven by simple domain-based editors.

References to Read:

Friday, September 17, 2010

PicketLink Released

Official Wiki Page:

New Stuff:
Documentation Update:

Tuesday, August 31, 2010

PicketBox XACML from JBoss released

It took some extra time (other priorities took precedence). In the end, it all worked out fine.

PicketBox, an LGPL-licensed free and open source project, has released its XACML component. Please download it from PicketBox downloads.

Main Wiki Page

PicketBox XACML Dashboard Wiki Page

Main Features Added (compared to v2.0.4)

PicketBox JIRA

JBoss Integration

PicketBox XACML is integrated into JBoss Application Server v5.0 and beyond.  Additionally, it is available as part of the JBoss Enterprise Application Platform (EAP) v5.0 and beyond and JBoss SOA Platform v5.0 and beyond.

Release Notes

** Bug
  • [SECURITY-452] - Don't use Xalan classes directly. Use Java API instead
  • [SECURITY-461] - AttributeFinder:findAttribute method can throw an NPE if any of the attribute finder modules return null
  • [SECURITY-462] - JBossRequestContext should throw IllegalArgumentException for null inputstream
  • [SECURITY-507] - JBossXACML: anyURI mismatch
  • [SECURITY-518] - JBossPDP should be serializable

** Feature Request
  • [SECURITY-454] - Database Attribute Locator
  • [SECURITY-455] - LDAP based attribute locator
  • [SECURITY-456] - File based Attribute Locator
  • [SECURITY-463] - AttributeValue.getValue abstract method
  • [SECURITY-492] - JBossPolicySetLocator should gracefully handle policies
  • [SECURITY-516] - Create a LDAP policy provider for JBoss XACML
  • [SECURITY-521] - Decision Cache for constant XACML Requests
  • [SECURITY-522] - XACML add hashcode and equals to RequestCtx, Attribute
  • [SECURITY-525] - XACML Attribute Locator should support comma separated list of attributeSupportedIds

Monday, August 30, 2010

XACML Design Considerations and Pointers

One of the challenges with XACML has been the deep knowledge/expertise required in understanding the XACML vocabulary. It can send shivers down anybody's spine when they come across a bunch of XACML policies. While the language is extremely powerful, lack of editors has been the bane.

While it is difficult to design a general purpose xacml editor without requiring the user to have extensive xacml knowledge, it should definitely be possible to create context based editors for XACML rules.  Suppose you are creating XACML policies for your web application, then you can have an editor that is specific to the web application domain.  This domain based editor approach will avoid the requirement of xacml knowledge. The policies can be designed in the domain semantics.

If you have some free time to kill and want to understand XACML better, I certainly recommend taking a peek at the Fedora XACML document (I neither wrote it nor was associated with the project).

Design Consideration

One of the favorite topics broached by XACML designers is the concept of date/time as part of the environment attributes.

You should be able to create XACML policies with rules such as:
  • Deny requests to web applications between 5pm and 8am CDT.
One point you need to note here is that if you are setting up automated tests to validate your policies, then the time at which the PDP is running your tests, can affect the outcome of the test result.

You should embed the current time as part of your XACML request during tests such that they simulate a request occurring at a particular time - rather than when the test is run. :)

You should definitely take a look at the XML Date and Time functions including Timezone configuration as listed here.
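As an added example (my own, not from the PicketBox project or from either post), here is what two of the plain-language rules from the policy editor post above ("this part of the web application is restricted to managers alone", "accessible under normal business hours") look like in XACML 2.0, together with a test request that pins current-time the way the paragraph above recommends. The resource URI, the subject role attribute id and the 08:00 to 17:00 CDT window are assumptions made for the illustration.

```xml
<!-- policy.xml (XACML 2.0): the "manager area" of a web application. Assumed, illustrative values throughout. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:webapp:manager-area"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://example.com/app/manager/</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>

  <!-- "restricted to managers alone": deny unless the subject's role bag contains "manager" -->
  <Rule RuleId="urn:example:rule:managers-only" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- "accessible under normal business hours": deny before 08:00 or after 17:00 CDT.
       The literals carry an explicit -05:00 offset so the comparison does not depend on the PDP host's zone. -->
  <Rule RuleId="urn:example:rule:hours-of-operation" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                                            DataType="http://www.w3.org/2001/XMLSchema#time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">08:00:00-05:00</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                                            DataType="http://www.w3.org/2001/XMLSchema#time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00-05:00</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- neither deny rule fired: permit -->
  <Rule RuleId="urn:example:rule:permit-otherwise" Effect="Permit"/>
</Policy>

<!-- request.xml (constructed test input): a manager hitting the manager area at 19:30 CDT.
     current-time is supplied in the request so the decision does not depend on when the test suite runs. -->
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>manager</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://example.com/app/manager/</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>GET</AttributeValue>
    </Attribute>
  </Action>
  <Environment>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
               DataType="http://www.w3.org/2001/XMLSchema#time">
      <AttributeValue>19:30:00-05:00</AttributeValue>
    </Attribute>
  </Environment>
</Request>
```

With deny-overrides, whichever Deny rule fires wins over the final Permit rule, so this request (a manager at 19:30 CDT) evaluates to Deny; change the request's current-time to 10:30:00-05:00 and it evaluates to Permit, and it keeps doing so at 3 a.m. in the CI system, because the PDP takes current-time from the request's Environment when it is present and only falls back to the wall clock when it is not. Keep an explicit UTC offset on both the policy literals and the request value: a time without a zone is compared in the PDP's default zone, which is exactly the run-time dependency the pinned value was meant to remove.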

Sunday, July 25, 2010

Cloud Identity Summit experience

From Tuesday to Thursday, I had the privilege of attending the Cloud Identity Summit (managed by Ping Identity). My presentation on the Oasis IDCloud Technical Committee was on Thursday.

There were many excellent presentations from other industry experts from companies such as PayPal, Salesforce, Google and Microsoft.

Chuck Mortimore of Salesforce gave an excellent presentation in which he stressed the need for standards to be simple, short and ready to implement.
His presentation is here.

Hopefully, the CIS site should soon host the presentation slides.

I am hoping for more standards in auditing and provisioning to help migration to the cloud.

Kudos to Andre Durand, Patrick Harding and the Ping family for an excellent conference at Keystone, CO.


Friday, June 4, 2010

PicketLink Released

With great pleasure, I announce the availability of PicketLink

More information is available in this article.

Some of the new features included:
  • The STS has failover capabilities in the client code.
  • The STS stores the canceled ids in a database (useful in a clustered environment).
  • Password masking capabilities for the configuration files.
Bug fixes: the regular lot. :)

Visit the project page at: Project PicketLink.

Monday, May 24, 2010

US Public Sector Cloud Computing

Last week, I had the privilege of listening to a presentation by Vivek Kundra, US Federal CIO at the US Department of Commerce in Washington DC. I was attending the NIST Cloud Workshop and Forum.

Vivek talked about how the US government tech was 10 years behind the curve and his initial days as the CIO. He basically called for action from NIST and the community to define standards for cloud computing to increase the adoption.

His presentation is available as a CIO report at State of Public Sector Cloud Computing.

The foremost requirement for cloud adoption aired at the workshop was "security". No surprises there.

During his 12+ months as CIO, Vivek has done two things:
a) Jumpstarted Cloud Computing as a paradigm for the government sector. This in turn has energized cloud computing adoption.
b) Placed the emphasis on Identity Management, which rejuvenated the ailing OpenID community. (Yeah, the regular LOA1 type work).

I did not have the privilege of meeting Vivek in person.

Thursday, May 13, 2010

Is Facebook - example of IDM in the Cloud?

I remember Giles Hogben of ENISA (during his keynote presentation at the Oasis Security Forum in London in 2008) declaring social networks to be Identity Management systems. Look at slide 9.

Given this, since Facebook is the most popular social networking site in the world with about 400 million registered users and it provides a platform for applications to be hosted, I wonder whether Facebook is a good example of Identity Management in the cloud?

"It's like the 'Hotel California,' " said Nipon Das, 34, a director at a biotechnology consulting firm in New York who tried, unsuccessfully, to delete his account this fall. "You can check out any time you like, but you can never leave."

With the latest controversy with Facebook where users are opted into sharing information with partner sites, we clearly  have an example of "identity federation" with attribute sharing. :)

What do you think?

Monday, May 10, 2010

Tip: Debugging JBossXACML/PicketBox XACML

JBossXACML Debugging

If you are looking at getting debug information for the rule evaluation:

JBoss AS Environment :

Add a TRACE level logging category in conf/jboss-log4j.xml (AS5+) or deploy/jboss-logging.xml (AS6+). The category name is the package of the XACML classes whose rule evaluation you want traced:

<category name="">
  <priority value="TRACE"/>
</category>

Non-JBoss AS Environment such as Apache Tomcat :

Create a java.util.logging properties file with the following content:

# Specify the handlers to create in the root logger
# (all loggers are children of the root logger)
# The following creates two handlers
handlers = java.util.logging.ConsoleHandler, java.util.logging.FileHandler

# Set the default logging level for the root logger
.level = ALL

# Set the default logging level for new ConsoleHandler instances
java.util.logging.ConsoleHandler.level = ALL

# Set the default logging level for new FileHandler instances
java.util.logging.FileHandler.level = ALL

# Set the default formatter for new ConsoleHandler instances
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

# Set the logging level for the logger named org.jboss to FINEST
org.jboss.level = FINEST

# Silence the JAXB logger so the XACML trace stays readable
com.sun.xml.bind.level = OFF

Now pass the location of this file to the JVM in the java.util.logging.config.file system property.

Then you should see something like:
Mar 30, 2009 3:38:25 PM initAlgorithms
CONFIG: Initializing standard combining algorithms
Mar 30, 2009 3:38:25 PM initGeneralFunctions
CONFIG: Initializing standard General functions
Mar 30, 2009 3:38:25 PM initConditionFunctions
CONFIG: Initializing standard Condition functions
Mar 30, 2009 3:38:25 PM initTargetFunctions
CONFIG: Initializing standard Target functions
Mar 30, 2009 3:38:25 PM
FINE: creating a PDP
Mar 30, 2009 3:38:25 PM init
FINER: Initializing PolicyFinder
Resource must contain resource-id attr
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-bag-size:
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:integer-equal:
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:


Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-subset:
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:

Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:and:



Mar 30, 2009 3:38:25 PM combine
FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:allowed:organizations:deny:result=3
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal:
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:

Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:
Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal:


Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:

Mar 30, 2009 3:38:25 PM evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:or:


Mar 30, 2009 3:38:25 PM combine
FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:hoursofoperation:deny:result=1

This is very good debug information.

Summary :: Cloud Identity: Past, Present and Future

This is related to my earlier blog post on "Cloudy With A Chance Of Identity".

Basically, the panel discussion hosted by BrightTalk is available at: Panel Discussion (Requires Registration).

Currently, the feedback has been positive (4 out of 5 stars).

The panel discussion was very interesting. The panelists (Russell Dietz, SafeNet; Ravi Srinivasan, IBM; Darren Platz, Simplified) had very interesting experiences from the field to share.

Topics Discussed:-

1. How has the concept of Identity progressed as the industry has progressed from an enterprise architecture to a cloud based environment?

Background: Traditionally, we had enterprise environments servicing customers. Cloud computing has moved from being a buzz word to a mainstream reality. The concept of identity does have a progression associated with this industry transition.

* Identities have progressed very well with the availability of standards.
* Identity Management standards have matured and available in the industry.
* SAML has been popular in enabling B2B type infrastructure. Has been very useful in private and hybrid type environment. OpenID/OAuth/WRAP are quickly enabling public cloud infrastructure.
* User management/Identity Management are increasingly being decoupled from applications. Previously user management was part of individual applications. With the availability of federated SSO, applications rely on authentication services from 3rd party sources.
* Federation and claims based systems have moved identity stores away from applications.

2. What significant challenges exist in the 3 types of Cloud Architectures (Public, Private and Hybrid)?

* Typically private clouds constitute widely deployed SOA applications in a virtualized environment, outsourced to a private cloud environment. Challenges include federation and user centric identity. With hybrid clouds, this gets compounded as we have now added some elements of public cloud infrastructure. Challenges in hybrid clouds include increased federation points and synchronization of user identities. With public clouds, it is a challenge to figure out who owns the user's identity, what is the origin of the identity etc.
* There is a need for Trusted Identities. Is there a notion of "reputation" that can go along with identities?
* Identities not just for people but also for services.
* In public/hybrid clouds, the service level identities need to be propagated from end to end.
* Lot of short cuts (mashups) being used which should be avoided.

3. Standards Development for Identity.

* SAML, WS-Trust and other associated Identity Management standards have existed more from an enterprise environment perspective. Increasingly, OpenID and OAuth are being utilized/developed by the public, Internet-scale clouds.
* The emphasis has always been on federated SSO but we need to also look at authorization and provisioning. Standards for authorization and provisioning exist but not widely deployed.
* Blogs and forums have had OpenID adoption. This has also included the US Federal Government. But with increased needs for levels of assurance, then you will need to look at SAML and WS-Trust. If there is money riding on transactions, then OpenId will not come into play.
* Increasingly customers in the field are demanding profiles for cloud computing along with standards. Standards are useful to customers but they feel the need for profiles. Profiles can be either industry based or use case based.
* There is a new technical committee at the Oasis standards consortium called the Oasis Identity In The Cloud TC. One of the deliverables out of this TC is the profiles needed for cloud computing.

4. Provisioning

Some questions to ask are:
- If resources in the cloud are tied to identities, how do these resources transition when the identities get de-provisioned or decommissioned?
- CRUD of Identities/ Attributes in a single cloud environment or in a trusted partner cloud system.

* Identities for people including roles and identities for services (attributes and claims). With this separation, provisioning/deprovisioning of people and services is disconnected. This is kept in the environment itself. Then deprovisioning just involves removing an attribute or claim.
* It depends on the data model of the application to show flexibility in permissions.
* With CRUD, organizations are extending internal organizational processes to the cloud.
* Oasis SPML when adopted along with SSO can help in plugging the holes.
* Authorization systems in a newly extended system need to be robust enough to handle the provisioning of identities.

5. Enterprise Cloud vs Internet Scale Cloud

* Social media (classic public cloud) need reduced SSO and lower levels of assurance.
* Lots of customers are discussing private and hybrid deployments - abilities to abstract security services as a service ( Authentication as a service, authorization as a service, auditing as a service) to provide higher levels of assurance.
* Highly trusted identity systems or loosely coupled systems of today.
* Password policies at one web site may be different from the other web site.
* There is a need for brokering or resolving differences. Trust brokers between IDPs and SPs to negotiate or mediate in the eco system.
* Move away from communities of users to vetted identities system. Proofing/claim assurance is needed.

6. Access Management

Enterprise (XACML) versus Internet (OAuth); heavyweight versus lightweight.

* If there is a need for higher levels of assurance and non-repudiation, use the digital signatures used with XACML.
* Both XACML and OAuth are being used at customer sites.

7. Regulations

Privacy based regulations, Verticals based regulations and Location based regulations.

* There will be a move towards user-centric identity. If a user identity moves location, then there may be different access control/regulations that need to be applied.

Questions and Answers Session:

1) Intrusion Detection Systems and Intrusion Prevention Systems in Cloud Computing Infrastructure.
2) Fraud Prevention and Risk Mitigation.

* Traditional layer of perimeter security is not sufficient. There is a need for Virtualization security.
* IDS/IPS at Perimeter are different from Virtualization security.
* How well do you vet and proof your identities?
* What authentication mechanisms you use for identities? Authorization systems may demand particular authentication mechanisms, to mitigate fraud prevention. Banking systems are currently driving this via multi-factor authentication demands.
* Shared accounts are being used a lot in the industry. This is a big security hole. This is the short cut approach being prevalent in the enterprise, which when applied to cloud computing can be dangerous.

3) Will Trusted Brokers mitigate the problem of proliferation of trusted Identity Providers?

* In the near and mid-term, the brokers are going to help. Since Identity Providers use different protocols etc, brokering can help and mitigate.

Moderated by: Anil Saldhana, Co-Chair, Oasis Identity In The Cloud Technical Committee.

If you are on LinkedIn and you are a security expert or interested in Identity Management, I do suggest joining the free linkedin group  "Identity In The Cloud".


Wednesday, May 5, 2010

Cloudy with a chance of Identity

I have the privilege of moderating and driving an industry round table on the concept of Identity as applied to Cloud Computing. It is being hosted by BrightTalk.

More details about the time, registration, panelists etc are available from:

OASIS IDCloud Co-chair and Members to Participate in Complimentary Cloud Identity Webinar - TOMORROW, 6 May 2010

Some of the topics we will cover:
a) Identity progression as the industry has moved from an enterprise to Cloud environments.
b) Enterprise versus Internet Scale Identity.
c) Access Management in the enterprise cloud to internet clouds (preferring lightweight mechanism).
d) Standards Development
e) Effect of Regulations on Cloud Identity.
f) Provisioning

Monday, May 3, 2010

JUDCon: Community Can Vote on Topics

PicketLink is among the topics that the community can vote to hear at the next JUDCON.

If you want to hear about SSO, SAML etc, then please vote for the PicketLink SSO presentation.

Wednesday, April 28, 2010

Security Issue: JBoss and CVE-2010-0738

This is a community courtesy notification for a severe security issue affecting some of the JBoss projects and products. Please refer to the following Red Hat KBase article for more information:

JBoss Products & CVE-2010-0738

As a Red Hat/JBoss enterprise customer (paying), you are already notified via the official channels: RHN, CSP etc. Patches/updated products are available to you.

If you are a user of the community project JBoss Application Server, then you may be affected. Please refer to the kbase article for possible solutions.

Reference: Wiki Page for Community Notification

Saturday, April 17, 2010

Social Media increases our connection to the Internet

Most of us use Social Media in one form or the other. Be it Twitter, Facebook, LinkedIn, Four Square, blogger etc. It is a means by which we stay connected to this planet. Your old friend lives thousands of miles away on the other side of the planet, well, you can reach out to him on a daily basis via the social media. You have not met this classmate since kindergarten and now you get connected to him by Facebook or Myspace.

Each time you use social media, you are giving out your privacy, a bit at a time. I am sure one day avid users of the Social media can attest to Scott McNealy's famous saying on privacy. Before getting there, let us look at one phenomenon of human relationships that is getting to be the toughest for individuals - young and older. The social phenomenon of breakups. Breakups are normal psychological phases that individuals go through, in this world.

Scott Bolohan of Chicago's Red Eye has this interesting article on how the Internet is making it harder for him to breakup. I know. I know. The article is funny (at least all that Scott does to trace his old flame). But a deeper introspection of what Scott is trying to communicate will make you understand the grand scheme of things associated with social media.

Since it is a small world and we are connected to one another via mutual friends, it is going to be increasingly difficult not only to breakup but also to find suitable dates. Gena Grish talks about it in the Huffington Post. She has trouble with potential dates googling about her.

What are the alternatives? Stop using the social media? Do not divulge any information on the web? The jury is out. We certainly are entering or entered a Brave New World. Either we embrace it or live in our own shell.

Friday, April 16, 2010

Security :: Community JBoss AS versus JBoss EAP

JBoss Application Server has been a popular (let us call it premiere) open source Java EE compliant application server for a long long time. Naturally, there are tons of users.

Over the years, the developers (the guys writing JBAS) of the community JBoss AS have debated about enabling security in JBAS. We have had heated debates on whether we ship the community version of JBoss AS in secure mode (everything - jmx console, twiddle, invokers secure secure secure secure secure) or in a development mode.

We have over the years had the understanding that JBoss AS will be primarily used by Java EE developers on their desktop to develop business applications. When they are ready to deploy those applications in production, they will have the practical sense to follow guidelines on securing jboss (which has been available in multiple forms in our wiki).

There are no reasonable defaults in security to secure the shipped community version of JBoss AS.

Now, let us talk about the product JBoss Enterprise Application Platform (EAP) that is shipped by Red Hat. Everything in the platform is secured by default. This is the version that customers (including Governments, Financial institutions, Universities, Companies of varying size) use to develop and deploy business applications. The system administrators have to configure the security of EAP to get it working. You cannot just unzip and run your applications.

Why am I writing this blog post?

The reason I am writing this blog post is that increasingly we are seeing multiple security companies that want a foothold in the industry using the community version of JBoss AS to spread FUD. An example is the presentation by Christian Papathanasiou of Trust Wave called Abusing JBoss. Honestly, I find the title offensive. JBoss is a brand. You cannot abuse it.

Let us talk about ethics now. If you are a security researcher or vendor, it is ethical to first contact the company or project whose exploits you are going to make public. Before this presentation, neither Christian nor Trust Wave had contacted the JBoss Security Response Team or the Red Hat Security Response Team.

At JBoss, what do we do?
Every time we find someone with an unsecured JMX Console on the web, our response team folks try to contact the owner of that site to educate them about securing the console. But this is a daunting task. Every developer who wants to have his own website just uses the community version of JBAS without applying the proper security fixes.

Additionally, the fans of JBoss also try to contact the website owners. We do have a fan following over the years. At JBoss World, they tell us about the same.

I seriously doubt any high-profile company has a JMX console that is open to the world. There may be a few, but we are actively locating them and telling them about security. If you find one, inform the owner about securing the community version of JBoss AS.

Additionally US-CERT has an advisory on this here.

Which JBoss AS should I choose: Community JBoss AS or JBoss EAP?

* JBoss EAP is a product that is officially supported by Red Hat. You get patches, updates, security fixes etc. It is shipped secure.
* If you are using the community version of JBAS, then please, please follow the security steps for your instance. If not, you are just giving fodder to the millions of new security companies popping up on the block.

If I find a vulnerability in any of JBoss projects and products, where do I report?

Please pass that information to the Red Hat Security Response Team in any way you choose. The methods are listed at Quick, confidential treatment of your queries and reports will be provided.

Wednesday, April 14, 2010

When will we see the end of the Password era?

I know. I know. Passwords are the simplest means of providing security to applications. They are the simplest piece of knowledge that a subject/user can carry, compared with smart cards, certificates, fingerprints, retina scans or whatever stronger forms of security the world desires.

With the increasing processing power of cheap, low-cost computers, it will get increasingly easier to crack passwords.

So what is the solution?
* Make passwords as strong as possible? How will I remember all the passwords? I can just write them in my notebook.
* Ensure that the user changes passwords often and do not allow reuse of the last 10-20 passwords? Ok, back to the notebook to keep track of all the accounts and their passwords.

Given the complexity of passwords and the proliferation of accounts that an individual manages in this socially connected, increasingly online world, I would say that the user will probably (wait, will definitely) use the same password in multiple accounts.

So what happens when the Apache infrastructure gets compromised and the attacker steals all the passwords? I will have to refer to my notebook to see what my Apache password was and which other accounts have the same password. I will then do due diligence in changing the password and then feed that information back into the notebook. Let's save paper. We will just maintain the password information in a simple file on my laptop.

I am sorry. I do not have any such notebooks. But my brain is operating at its threshold right now in trying to remember all the accounts and their common passwords.

What are the solutions?

Thursday, March 25, 2010

XACML with ExistDB Integration

I was recently asked about Exist DB support for PicketBox XACML (formerly JBossXACML) mainly to retrieve missing XACML attributes during policy evaluation. The question was asked by one of our beta testers of PicketLink (

We now have ExistDB integration support for our XACML Engine. You can read about it here:
PicketBox XACML Integration with Exist DB

I think storing XML files (policies) in an XML-native database is a fine idea as long as the set is small.

Wednesday, March 17, 2010

Enabling EJB Applications using PicketLink STS

Stefan Guilhen has worked on the integration of PicketLink STS with EJB Applications. He has written this great article on
"SAML EJB Integration with PicketLink STS"

Don't forget to check it out.

If you have questions/comments/concerns, use this forum thread here.

Friday, March 12, 2010

Internet is Freedom

An absolutely brilliant presentation by Lawrence Lessig on the topic of "Internet is Freedom" to the Parliament of Italy.

The "Internet is Here". It is not going away. Whatever we need to do to make it safe, we have to do.

Please do not forget to watch the entire episode. About 30 mins.

Wednesday, March 10, 2010

Oasis Identity In The Cloud Technical Committee

I am pleased to have ignited the establishment of a new Technical Committee called "Oasis Identity In The Cloud" at the Oasis standards consortium. Prominent security experts in the industry were gracious enough to participate in the initial brainstorming group I created.

You can read more on the charter here: IDCloud Charter

Apart from Red Hat, the proposers of the TC include Microsoft, IBM, CA, Novell, Rackspace, SafeNet, Yaana Technologies along with a few prominent individuals in the security/identity space. I am sure the proposer list will grow in a few days.

If you are an Oasis member or your company is an Oasis member, you should definitely look at joining this effort.

More details and a call for participation will be announced by the Oasis consortium in a few days.

Keywords: Oasis Cloud Security.

UPDATE: The Oasis Call For Participation is here.

Monday, March 8, 2010

Is OpenSSO alive?

Reading Rich Sharples' post and also this post saying Oracle kills OpenSSO Express, I am left to wonder whether OpenSSO as an open source project is still alive. Let me ping Pat Patterson and see if he knows anything.

It is always sad to see any open source project unplugged from the community.

I do hope the majority of the migrations from OpenSSO adopt our open source project called PicketLink, rather than some commercial solution. At PicketLink, we have strived hard (yeah, really really hard) to keep things as simple and nimble as possible.

Info on PicketLink v1.0.2.

Friday, March 5, 2010

Project PicketBox (Security for Java Applications)

I would like to introduce you to Project PicketBox, a security framework for Java Application developers.

Project Page: PicketBox

What does it provide?

An API that can provide the following security features:
* Authentication using JAAS.
* Authorization (Coarse Grained and Fine Grained).
* Audit
* Security Mapping.

What is the latest version?

Latest version for download is 3.0.0.Final ( )
Since PicketBox is derived out of "JBoss Security" v2.0 code base, we have chosen to start with v3.

Where can I read the documentation?

You can read it here: PicketBox Overview

Does it provide annotations?

Yes, it does provide Security annotations. (PicketBoxSecurityAnnotations)

Who is planning to use PicketBox?

* The Seam Development team has immediate plans to use PicketBox for Seam v3.
* PicketBox will be available in JBoss Application Server v6.0 M3 and beyond.

Wednesday, February 10, 2010

Picketlink v1.0.2 is released

Project Page: PicketLink

If you are looking for SAMLv2, WS-Trust and OpenID support for your web applications, then PicketLink is the destination. PicketLink has deeper bindings with JBoss Application Server and Apache Tomcat. But we do offer support for any generic web container.

PicketLink is also the ideal choice for Single Sign On for Seam Applications.

Get it here.

Please stay tuned for more information on this release.


Release Notes for PicketLink Federated Identity
Includes versions: PLFED_1.0.2

** Feature Request
* [ PLFED-5 ] Seam authentication filter: add OpenID support

** Bug
* [ PLFED-19 ] FileBasedMetadataConfigurationStore.loadTrustedProviders keeps trustedFile locked for some indeterminate period
* [ PLFED-25 ] FileBasedMetadataConfigurationStore trusted providers file has improper extension
* [ PLFED-13 ] HTTP_Redirect binding: query string parameter SigAlg is not filled properly

** Task
* [ PLFED-7 ] PicketLink STS - parse the OnBehalfOf contents of WS-Trust request

** Release
* [ PLFED-44 ] Release PL Fed 1.0,2

Some new exciting features for Seam and PicketLink integration from Marcel:

PicketLink's Seam Module V1.0.2: many new features!

Note from Marcel: It's a big leap forward. The sample app is now a proof that the Seam module of PicketLink integrates well with external SAML and OpenID identity providers. And installing it in a JBoss AS 5.1 server is as simple as deploying the war file. I'm looking forward to the experiences of the community when using it.


If you are looking for a cheat sheet to run SAML on JBoss AS5.1, take this cheatsheet.

1. All software has bugs. Anyone who claims otherwise is lying.
2. Feedback is greatly appreciated.

Monday, February 8, 2010

Tip: Interpretation of missing EJB Method Permissions in JBoss

The EJB 2.1 specification says of this case:

"It is possible that some methods are not assigned to any security roles nor contained in the exclude-list element. In this case, it is the responsibility of the Deployer to assign method permissions for all of the unspecified methods, either by assigning them to security roles, or by marking them as unchecked."

What this basically means is that if you have not specifically assigned method permissions to a method or marked it "unchecked", then its treatment is left to the vendor's interpretation.

Default interpretation of missing method permissions in JBoss is "excluded" mode.

Based on JBAS-2471, we have incorporated a jboss.xml setting that will provide the appropriate interpretation of missing method permissions - whether to interpret them as "exclude" or "unchecked".


<!-- The missing-method-permissions-excluded-mode determines the treatment
of missing method-permission mappings in the ejb-jar descriptor. The ejb 2.1
spec states: "It is possible that some methods are not assigned to any security
roles nor contained in the exclude-list element. In this case, it is the
responsibility of the Deployer to assign method permissions for all of the
unspecified methods, either by assigning them to security roles, or by marking
them as unchecked." The missing-method-permissions-excluded-mode is a boolean
that allows the deployer to globally indicate that all methods without a
method-permission element should be treated as excluded(= true and the default),
or that methods without a method-permission element should be treated as
unchecked(= false)
-->
<!ELEMENT missing-method-permissions-excluded-mode (#PCDATA)>

First Case:
In the first case, if you specify:

in your jboss.xml, then all methods that do not have an associated method-permission are excluded from the deployment.

Second Case:
In the second case, if you specify:

in your jboss.xml, then all methods that do not have an associated method-permission operate in unchecked mode.
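To make the two cases concrete, here is an added example (constructed for this post, not taken from it or from the JBoss distribution) showing an ejb-jar.xml assembly descriptor in which one method is deliberately left without a verdict, followed by the two jboss.xml variants. The bean name AccountBean, the role Customer and the method names are assumptions; the element missing-method-permissions-excluded-mode and its true/false semantics are those of the DTD comment quoted above.

```xml
<!-- META-INF/ejb-jar.xml (excerpt, constructed sample). Three business methods
     exist on AccountBean but only two are given an explicit verdict. -->
<assembly-descriptor>
  <security-role>
    <role-name>Customer</role-name>
  </security-role>
  <method-permission>
    <role-name>Customer</role-name>
    <method>
      <ejb-name>AccountBean</ejb-name>
      <method-name>getBalance</method-name>
    </method>
  </method-permission>
  <exclude-list>
    <method>
      <ejb-name>AccountBean</ejb-name>
      <method-name>resetAll</method-name>
    </method>
  </exclude-list>
  <!-- AccountBean.transfer(...) appears in neither method-permission nor
       exclude-list: its treatment is what the JBoss flag below decides. -->
</assembly-descriptor>

<!-- META-INF/jboss.xml, first case (the default, written out explicitly):
     every method without a method-permission, here transfer, is treated as
     excluded, so the container rejects calls to it just as it rejects resetAll.
     getBalance remains callable only by callers in the Customer role. -->
<jboss>
  <missing-method-permissions-excluded-mode>true</missing-method-permissions-excluded-mode>
</jboss>

<!-- META-INF/jboss.xml, second case: transfer becomes unchecked, i.e. the
     container performs no role check on it. getBalance is still limited to
     Customer and resetAll stays excluded; only the unmapped method changes. -->
<jboss>
  <missing-method-permissions-excluded-mode>false</missing-method-permissions-excluded-mode>
</jboss>
```

The fail-closed default is the one to keep in production: with the flag at false, any business method a developer forgets to map becomes reachable without a role check, and that omission is silent at deploy time.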

1. Discussion on ejb3 interpretation of this flag. (Under investigation)
2. Default setting in standardjboss.xml

Tip: Role Mapping in JBoss Application Server v5.x

If you are interested in mapping roles at the deployment level (such as EARs, WARs, EJB Jars) to the roles deduced at the security domain level, then you should read this article:

Note the use of

Note: This is an additional, forced interpretation of role mapping for the containers; our normal interpretation is that deployment roles are added to a RunAs identity.

Thursday, February 4, 2010

Growing Menace of Identity Theft

The latest article in the Washington Post titled "Identity thieves use sophisticated techniques to steal money" is proof of the growing menace of identity theft that is plaguing the developed free world.

Once your identity is stolen, it is very, very difficult to recover from the trauma. Based on the victims' experiences (and the other experiences in the comments section), we have to admit that identity theft is a menace and a growing reality.

You have to know that your kids/toddlers are not safe either. Check this report on "Child Identity Theft".

Stay Safe.

Wednesday, January 13, 2010

Tip: Use of "java:/jaas" prefix in security-domain element

As of JBoss AS 5.0.0, the security domain configuration in jboss.xml and jboss-web.xml can just be the name of the security domain and the "java:/jaas" prefix is optional.

So the following:

can be simplified as:

If there are issues, tell us via user forums.
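The descriptor snippets this tip compares did not survive extraction, so here is an added example (constructed for this post, not taken from it) of the two forms side by side. The policy name myapp is an assumption; it stands for an application-policy name defined in conf/login-config.xml.

```xml
<!-- WEB-INF/jboss-web.xml, the form used before JBoss AS 5.0.0:
     the security domain is given as its full JNDI name. -->
<jboss-web>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss-web>

<!-- The same binding as of JBoss AS 5.0.0: the bare policy name suffices,
     the server supplies the java:/jaas/ prefix itself. The prefixed form
     above keeps working, so existing deployments need no change. -->
<jboss-web>
  <security-domain>myapp</security-domain>
</jboss-web>

<!-- META-INF/jboss.xml for an EJB jar accepts the same short form. -->
<jboss>
  <security-domain>myapp</security-domain>
</jboss>
```

Whichever form you use, the name after the optional prefix must match an application-policy in login-config.xml exactly; a mismatch does not fail loudly but leaves the deployment on whatever fallback policy the server applies, so check the server log for the resolved domain after deploying.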

US Health Care : Patient Identity Identifier related White Paper

Over a decade ago, the US Congress voted against establishing a unique patient identifier for every individual using health care in the US.

The Healthcare Information and Management Systems Society (HIMSS) is the healthcare industry’s membership organization exclusively focused on providing global leadership for the optimal use of healthcare information technology (IT) and management systems for the betterment of healthcare.

Developed by the HIMSS Patient Identity Integrity Work Group, the purpose of the Patient Identity Integrity White Paper is to identify the complex issues relating to the accuracy and completeness of electronic health data attached to or associated with an individual patient and the linking of all such data within and across systems. The paper discusses the critical business processes that must be in place to support and maintain the integrity of the data for quality of care, patient safety and cost management.

Download the White Paper here.

I was fortunate to be invited to this working group long ago and had provided some initial feedback on pseudonyms as the torch bearers of privacy.

Monday, January 4, 2010

Key Management: NIST Special Publication 800-57

I got the following notice from NIST.

NIST is proud to announce the publication of NIST Special Publication (SP) 800-57, RECOMMENDATION FOR KEY MANAGEMENT, Part 3: Application-Specific Key Management Guidance. This SP is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. The guide also provides information for end users regarding application options left under their control in normal use of the application. Recommendations are given for a select set of applications, namely: Public Key Infrastructures (PKI), Internet Protocol Security (IPsec), Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME), Kerberos, Over-the-Air Rekeying of Digital Radios (OTAR), Domain Name System Security Extensions (DNSSEC) and Encrypted File Systems (EFS).

The document is available at