Wednesday, August 31, 2011

Remarkable IT Event - Great Source of Knowledge - taking place in Sri Lanka

A remarkable IT Conference in the IT history of Sri Lanka is going to happen with in less than two weeks..

Yes.. it is none other than WSO2Con-2011..



Why do I say so? Is it ONLY because I am an employee of WSO2? Not really...

If you have participated in WSO2Con-2010 or if you have viewed the sessions conducted in WSO2Con-2010, which are available to download, you would also second my statement... 
WSO2Con-2011 agenda has been carefully designed to cover a lot more featured sessions that will be delivered by industry experts around the world..

WSO2 has a proven history of delivering valuable, unique and quality stuff  to the community with consistency and maturity, which you might already have witnessed through WSO2 Oxygen Tank library, webinars and summer school sessions.. 

Her grand annual event-WSO2Con is the zenith of all that where she goes beyond the expectations intending to deliver an amazing experience and unique value addition to your knowledge, whether you are an expert in the IT industry, an amateur IT professional or a university student in IT...

I will talk about specialty of WSO2Con-2011 on following four aspects in my future posts:
These are the aspects that I (and anyone) would look for, in general in an international IT conference...
  • Educational value - where I can expand the boundaries of my knowledge in a field of interest..
  • Industrial value - which addresses the industrial aspects focusing the practical usage of that knowledge in new innovations..
  • Speakers - where I can listen to the speakers who are scholars and experts in the field..
  • Place of the conference - additionally if the conference location is in a fascinating environment and if there are interesting events that I could attend after the conference, that will be greater...
Stay tuned...

Related Links:
1. Are you attending WSO2Con 2011
2. The SMALL miracle, ready for her BIGGEST IT event forever
3. WSO2Con 2011 - 10 top reasons to attend
Posted by at No comments:

Thursday, August 18, 2011

Carbon Authentication Framework

Authentication is a key aspect when it comes to security and identity management. As well as any platform should incorporate  a stronger authentication mechanism, it would be good to have it pluggable and extensible so that custom authentication mechanisms can be developed and plugged-in as required.

WSO2 Carbon platform has an extensible authentication framework which supports custom authenticators to be plugged-in as required. 
Carbon middleware platform has two main separations as front-end and back-end. Carbon Authentication framework has two extension points to plugin front-end and back-end authenticators.

BE Authentication
Following is the architecture diagram of extension point for back end authenticators.

                                               Image 1: Extension for Carbon back end authentication
  • To implement a BE authenticator, you need to implement CarbonServerAuthenticator interface.
  • Implementation needs to be registered as an OSGi service.
  • Default carbon BE authenticator implementation is AuthenticationAdmin.
  • Authenticator checks whether the httpsession of the incoming request is authenticated.
  • It is the login() method of an AuthenticationAdmin service, which sets whether a particular session is authenticated or not by validating the credentials provided at login.
  • If we need to customize login() method then our custom authenticator should also be an AdminService exposing the login() method.
  • Hence the login() request is bypassed at the AuthenticationHandler (which is hit at the invocation of any AdminService operation) and sent directly to the corresponding AdminService.
  • AuthenticationHandler picks up the correct authenticator from the AuthenticatorServerRegistry based on the priority and whether a particular authenticator can handle the current request.
FE Authentication
If you want to customize the authentication logic from front-end itself, you can write a corresponding FE authenticator as well.
It is the FE custom authenticator which is associated with the BE custom authenticator that calls the login() method of the relevant BE custom authenticator.
Following is the architecture diagram extension point for front end authenticators.

Image 2: Extension for Carbon front end authentication
  • You need to implement CarbonUIAuthenticator interface for a custom FE Authenticator.
  • DefaultCarbonAuthenticator is the default implementation of FE authenticator.
  • It is the CarbonSecuredHttpContext that looks for FE authenticators in AuthenticatorRegistry and picks up the correct authenticator.
Existing Authenticators
In addition to the default authenticators, there are several custom authenticator implementations in Carbon code base which are used at different occasions. They are:
  1. saml2-sso-authenticator
  2. sso-authenticator
  3. token authenticator
  4. webseal-authenticator
Configuring Custom Authenticators
As I mentioned earlier, one aspect on which the correct authenticator is picked, is the priority. Either we can set the priotity in code level or in configuration. If you later need to change the priority of your custom authenticator in [carbon_home]/reository/conf/advanced/authenticator.xml (in Carbon 3.2.0 or higher) or [carbon_home]/repository/conf/carbon.xml (in earlier versions).

Sample configuration is given below:

        5

Sample
I have attached here a sample back-end authenticator written for Carbon 3.1.0. The implementation will be same for 3.2.0 as well.
It customizes the login method for creating a role per each user at the user log in.
Drop the bundle found in the target (org.wso2.carbon.sample.authenticator) into [carbon_home]/repository/components/dropins folder and start the server. 
Try to log into the management console, you will notice that custom lines are printed on the backend server log which indicates that our custom authenticator has been picked.

You will need to write a FE custom authenticator also in the same way in order to fully customize the authentication logic.


Posted by at 2 comments:

How WSO2 StratosLive meets security challenges in Cloud

WSO2 StratosLive is the public and open platform as a service (PaaS) operated by WSO2. In other words, it is the open source cloud middleware platform developed by WSO2, readily available as a service (PaaS) in the cloud. It includes the whole enterprise middleware products stack developed by WSO2, as different services in cloud.
It provides cloud consumer with comprehensive set of cloud native features such as self provisioning, multi tenancy, elasticity, billing and metering etc. You can read more on Core Features of Stratos.

In this post, I will go through how WSO2 StratosLive meets some of the common security challenges found in the PaaS layer of Cloud computing stack. This is related with my previous blog on "Security Challenges in Cloud". You may refer it to get an understanding about some of the security challenges encountered in the cloud computing stack.

I have extracted out the security challenges that I described in the above post and discuss how StratosLive has overcome them as follows.

Availability: To withstand the load and function with minimum or no downtime in the face of high loads ensuring the availability, StratosLive incorporates load balancers, clustering and auto-scaling.

Data isolation: Data isolation in registry is achieved with the tenant domain id, in a shared schema, shared database pattern, while the registry data storage is hosted in a DMZ. And if a tenant wants to store data related to an application that he has hosted, then he can create his own storage instance in the Data PaaS offerings provided with SLive such as RDS (Relational Databse as a Service) or Apache Cassandra as a service.

Data protection (during transport, processing and storage): Data communication from the browser to back end Admin Services happens over https (encrypted) which provides transport level protection. Custom code deployed by tenants (webapps, web services) does not have access to data processing code  which is protected by java security manager. The data storage is hosted in a DMZ (De Militarized Zone) which ensures that incoming connections from only a set of trusted hosts are granted access to the data storage. Also, the RDS instances that tenants can create are protected with username/password authentication.

Tenant isolation: Each tenant is given a separate security domain such that each domain is isolated and does not have access to other domains. 
For an example, when a tenant is created, a separate realm is created for that tenant which includes its own UserStoreManager, RealmConfiguration and AuthorizationManager so that user management and permission management happens without interfering with other tenants.

Logic/Execution isolation: From architecture, design and code level of all most all the carbon components which are the building blocks of cloud middleware platform, are  developed in a manner that supports multi-tenancy.  (Multi-tenancy is serving multiple client organizations with multiple virtual instances isolated from one another, while there is a single instance of the software running on the server).
Also, different Axis2 contexts are created for each tenant where all the tenant specific states are kept which facilitates execution isolation for each tenant. (Apache Axis2 is the underlying web services engine used in WSO2 Carbon platform).

Protection form malicious code: Since the middleware platform allows tenants to host their own code, privileged actions in the platform are being protected such that those operations can not be invoked by tenants' code deployed in the platform. This is achieved by restricting access to critical code through Java Security Manager. Access is allowed only from code that is signed properly.

Identity Management: This is the most widely discussed topic in cloud security.
  • Authentication : In addition to basic username, password based authentication, number of industry standard authentication mechanisms are supported.
    • XMPP based Multifactor Authentication for stronger authentication
    • Federated authentication mechanisms such as OpenID provider and SAML2.
    • SAML2 based Single Sign On among all the services in SLive.
    • Authentication delegations mechanisms such as OAuth.
    • Cloud users are provided with the ability of securing communication to their services hosted in SLive with WS-Security mechanisms powered by Apache Rampart which is the security module of Axis2.
    • Further, tenants can integrate their custom webapps deployed SLive, with their user store in SLive in order to authenticate users into those webapps.
  • Authorization: Role based permission model as well as powerful, fine grained and flexible Policy Based Access Control with XACML are supported.
  • Auditing: Tenants' logs are isolated and each tenant admin can download logs related to its tenant from the Manager service. Distributed auditing mechanism is under development.
  • Administration: Currently two different user provisioning mechanisms are supported: Bulk User import and provisioning users from google app domain into SLive.
Cloud Service Gateway: This can be introduced as a Private-Public Cloud bridge which facilitates the cloud consumers with a mechanism of securely connecting to public cloud from their internal network/private cloud.

Above are some mechanisms how SLive meets some of the common security challenges found in PaaS space. If you are interested more, you can listen to the following two webinars conducted during WSO2 Summer School 2011.
Posted by at No comments:
Subscribe to: Posts (Atom)