Comments
Transcript
IBM WebSphere Portal V6.0 Security Overview
WebSphere Portal 6.0 Security, Version 6.0.0 IBM WebSphere Portal V6.0 Security Overview Level: Advanced Dr. Dieter Buehler, WebSphere Portal Security Architect, IBM Stefan Schmitt, WebSphere Portal Security Lead, IBM Holger Waterstrat, WebSphere Portal Security Team, IBM Andreas Zehnpfenning, WebSphere Portal Security Team, IBM Jan-Paul Buchwald, WebSphere Portal Security Team, IBM Richard Jacob, WebSphere Portal WSRP Lead, IBM Thomas Hurek, WebSphere Portal L3 Lead, IBM 01 Nov 2006 © Copyright International Business Machines Corporation 2006. All rights reserved. Abstract Portals provide personalized access to information, applications, processes, and people. They are central access points that authenticate users and control access to various kinds of information and applications. The nature of the content of portals can range from public information that needs no strong protection (such as articles in a news portal) to classified information within enterprises or governments. To accommodate such different levels of security requirements, IBM® WebSphere® Portal must integrate with different security infrastructure components for authentication, authorization, and single sign-on (SSO) so that customers can choose the combination that best matches their security needs. For example, authentication might be as simple as requesting users to provide a user ID and password. Alternatively, it could be as sophisticated as requiring users to authenticate using a smart card, which securely stores a private key and certificate. The card provides WebSphere Portal with cryptographic computations needed to participate in SSL/TLS client authentication to build up an authenticated and secure connection between the client and the portal. Through its modular architecture, WebSphere Portal enables integration with different authentication proxies, authorization systems, and credential vault implementations. WebSphere Portal can work with WebSphere Security, Tivoli Access Manager, and various third-party security products. It lets customers build a secure system that fits well into their particular infrastructure. This article provides portal administrators with an overview of the WebSphere Portal security architecture, and briefly describes some basics of internet security. You see various deployment scenarios for WebSphere Portal through which you learn how it handles authentication, authorization, SSO, secure connections between clients and the portal, and secure connections between the portal and back-end systems. Page 1 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Table of contents 1 Introduction......................................................................................................... 4 1.1 Revisiting basic Internet security ................................................................... 6 1.1.1 Protected communication.................................................................................................. 6 1.1.2 Firewalls............................................................................................................................ 7 2 Portal deployment scenarios............................................................................. 8 2.1 Portals in protected networks.......................................................................... 8 2.2 Internet portals................................................................................................ 8 2.2.1 Portals using WebSphere Application Server authentication............................................. 9 2.2.2 Portals using a separate authentication proxy................................................................... 9 3 Authentication................................................................................................... 11 3.1 Authentication using WebSphere Application Server Security...................... 12 3.2 Authentication using a separate authentication proxy .................................. 13 3.2.1 Trust Association Interceptor........................................................................................... 13 3.3 Requests in a session which is already authenticated.................................. 15 3.4 User registry.................................................................................................. 16 3.5 Portal login.................................................................................................... 17 3.6 JAAS login.................................................................................................... 17 3.7 Logout........................................................................................................... 18 3.8 Customizing the portal login and logout processes....................................... 19 4 Single sign-on (SSO)........................................................................................ 19 4.1 SSO from the client to Web applications....................................................... 20 4.1.1 SSO between Windows workstations and the portal....................................................... 20 4.2 Portal-to-back-end SSO................................................................................ 21 4.2.1 How the Credential Vault works....................................................................................... 21 4.2.2 Passive and active credential objects.............................................................................. 22 5 Securing client-to-portal communication....................................................... 25 5.1 Restricting the protection to sensitive communication only .......................... 28 5.2 Using client certificates................................................................................. 28 6 Securing back-end connections...................................................................... 29 6.1 Using IPSec between the portal and back-end applications......................... 29 7 Controlling access to portal resources.......................................................... 29 7.1 Access control concepts............................................................................... 29 Page 2 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 7.1.1 Sensitive operations........................................................................................................ 29 7.1.2 Protected resources......................................................................................................... 29 7.1.3 Roles and role types........................................................................................................ 30 7.1.4 Role assignment and inheritance..................................................................................... 32 7.1.5 Role blocks...................................................................................................................... 33 7.1.6 Resource ownership........................................................................................................ 33 7.1.7 Private pages................................................................................................................... 33 7.1.8 Resource domains........................................................................................................... 33 7.2 Delegating access control administration...................................................... 35 7.3 Access control in the composite application infrastructure (CAI).................. 35 7.4 Integrating external authorization systems.................................................... 36 7.5 Administering access control........................................................................ 37 7.5.1 Administering access control using the XML Configuration Interface.............................. 38 7.5.2 Administering by using Scripting...................................................................................... 39 7.6 Auditing......................................................................................................... 40 8 Portlet security.................................................................................................. 41 8.1 Supporting Java 2 Platform Security............................................................. 41 8.2 Verifying secure connections........................................................................ 42 8.3 Preventing cross-site scripting attacks.......................................................... 42 8.4 Dangerous URL Protection........................................................................... 42 9 WSRP Security.................................................................................................. 43 9.1 Securing connections to remote portlets....................................................... 43 9.1.1 Securing WSRP services on the Web Service layer........................................................ 43 9.1.2 Securing WSRP services on the transport layer.............................................................. 45 9.2 Enforcing access control with WSRP security.............................................. 45 9.3 WSRP security and the Credential Vault...................................................... 46 9.4 WSRP and Cross Site Scripting.................................................................... 46 10 Summary......................................................................................................... 46 11 Resources....................................................................................................... 47 12 About the authors........................................................................................... 47 13 Glossary.......................................................................................................... 48 14 Product names................................................................................................ 48 15 Acknowledgements........................................................................................ 49 Page 3 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 1 Introduction This document provides an overview of security concepts and the mechanisms in IBM WebSphere Portal V6.0 which secure access to portal resources such as page groups, pages, portlets, and documents. It describes WebSphere Portal options which portal administrators can use to provide user authentication and authorization, and to support single sign-on (SSO). Figure 1 illustrates the most important components in WebSphere Portal [1], which are invoked (from left to right) when handling requests for portal pages. While there could be some public portal pages which are accessible without prior Authentication, all requests for personal pages or group pages must pass through an authentication component, such as IBM WebSphere Application Server Security, Tivoli Access Manager, or third-party security products. After a user is successfully authenticated, the request is analyzed and routed to the appropriate component where it is handled. Page 4 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Figure 1: WebSphere Portal subsystems Incoming HTTP requests that want to obtain a portal page are routed to the Portal Servlet which acts as the central access point to all portal pages. The requests must be authorized. The component receiving the request calls the authorization component to determine whether access can be granted. Authorization information to most portal resources is maintained within the portal so that semantic consistency of access rights is guaranteed. However, for some resources, access control can be externalized to systems such as IBM Tivoli Access Manager or Netegrity SiteMinder. When a request is routed to the portal servlet and access to a page is granted, the valid subset of portlets that are referenced on the page is determined. Only those portlets for which the user has sufficient access rights will be invoked. Next, the servlet selects the appropriate aggregation module based on the request’s user agent information. The aggregation module renders the page by calling the referenced portlets using the Portlet API, enriching the request information with user profile information from the Member Services component and with portlet instance data from the WebSphere Portal data store. Portlets are special servlets which, unlike other servlets, are designed to participate in the portal’s event model and to exploit the portal infrastructure. Therefore, a portlet can invoke any J2EE function such as JCA Connectors, Enterprise Java Beans, Message Beans, and JDBC. A portlet can call Web services and HTTP URLs (just as other servlets can). In addition, it can invoke portalspecific portlet services and tag libraries from within JSPs. Portlets are often used to integrate back-end applications into a portal, providing a Web-based user interface. In such a scenario, Single Sign-On (SSO) is an important requirement. After logging into the portal, users do not want to enter passwords for each application the portlet needs to access from a back-end system. To support SSO to portlets and their associated back-end applications, WebSphere Portal provides a Credential Vault portlet service. Portlets can use the service to obtain and forward credentials to back-end systems to transparently authenticate the user underneath the covers. The credential vault service is backed by a credential vault, which can either be the portal’s built-in vault or IBM Tivoli® Access Manager’s secure vault. Page 5 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 1.1 Revisiting basic Internet security Because the Internet is open to everybody, communication through it is exposed; systems connected to the Internet need to be protected. The IP packets that make up all Internet traffic can be monitored, copied, and modified. This poses various threats, such as eavesdropping, sending of messages or mail with false origin, or alteration of the message content. To prevent those attacks on communication, various encryption techniques are used on different layers of the network protocol stack. The most widely used techniques are IPSec protection of the IP packets in the link layer and the transport layer security protocols (TLS), and its predecessor, secure sockets layer (SSL). 1.1.1 Protected communication The current version of the IP protocol is version 4 (often abbreviated as IPv4). The next version is version IP version 6 (IPv6), which provides new features including an enormously extended space of available addresses. IPv6 will also offer protection of the IP packets by means of encryption and signing. You can get these security enhancements with IPv4, using the extensions called IPSec [2]. Any kind of protected communication requires the use of cryptographic keys at both the sender and receiver. In IPv6, the management of these keys will be flexible enough to allow for easy adding of new communication nodes. In contrast, several of the current IPSec implementations limit the flexibility and complexity by, for example, using shared secret keys instead of private and public keys. When using implementations with such limitations, IPSec is better suited to protect the communication between statically coupled1 network nodes. Transport Layer Security (TLS) and its predecessor Secure Socket Layer (SSL) apply the protection of data confidentiality to a higher layer of the communication [3]. They also unconditionally use private and public keys for authenticating the communication partners. A communication partner uses the private key to prove its authenticity to the other partner, who, in turn, uses the corresponding certificate to verify authenticity. TLS and SSL allow three degrees of authentication: • No authentication - makes the communication immune against eavesdropping, but it cannot prevent one partner from communicating its data to an unintended receiver, thus exposing the data. • Authentication of the server to the client - protects the client from exposing its data to an unintended receiver. • Mutual authentication - protects the server from serving to unauthorized clients. It requires that both the server and the client have a certificate with the associated public and private key. To prevent misuse of the private key (especially to copy it), you must protect the key--ideally by using special-purpose cryptographic hardware. While it is common today to have a valid public key certificate and a secure key storage for servers, this mechanism is still not widely used with clients. For encryption of the transmitted payload, TLS and SSL use symmetric key cryptography, because the symmetrical cryptography algorithms perform much faster than public key cryptography algorithms. To agree on the shared symmetrical key (called the “session key”), both partners employ public key cryptography during the initial session setup. 1 That is, nodes for which the coupling will not change frequently, such as between an authentication proxy and the associated user registry. Page 6 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 1.1.2 Firewalls In the physical world, we protect areas by fences and walls, making it harder for unauthorized persons to intrude. At the same time, it is a bit harder for the authorized persons to enter too. The fences and walls need to be maintained and the distribution of the keys must be controlled. In the world of networks, we protect parts of the network by inserting firewalls between them and the rest of the network. These firewalls filter and monitor the network traffic, making it harder for unauthorized persons and programs to access any node in the protected network area. At the same time this protection restricts flexibility and adds cost for the maintenance of the firewall and its policies (very similar to physical world access control). The basic filter function of standard Internet firewalls operates on IP packets. A packet is forwarded or dropped, depending on its origin and destination. The port of the origin and the destination is included in the decision. This allows basing the filtering also on the service requested, because the services are bound to specific port numbers. The filtering policies can be configured as a set of rules. Basic IP packet filtering is most efficient but provides only limited protection. More sophisticated analysis of the communication is needed to enable better flexibility without compromising security. Packet filtering technology is constantly enhanced to add understanding and analysis of the packets with an understanding of the higher protocol layers they carry. A packet might well be legal in the context of its preceding IP packets, but would need to be rejected just on its own. A firewall capable of “stateful packet filtering” can understand the context of a packet within a larger section of the overall communication. For example, a filter configuration might only allow inbound traffic from the external network if it is a response to an HTTP request, which had passed the filter outbound before. This stateful form of packet filtering is called “dynamic” to distinguish it from the basic “static” packet filtering. Another filtering principle used by firewalls is “circuit filtering”, which can correlate requests and responses. Circuit filters achieve this additional intelligence by acting as proxies on the TCP layer. Filtering at a higher layer is also performed by “application gateways”, which understand and analyze the traffic on the application layer and filter it even more intelligently. For example, an application gateway can reject inbound or outbound mail with certain contents. This firewall technique can provide the tightest protection but takes the highest toll in terms of processing resources and administration. A firewall might perform a Network Address Translation (NAT) from externally published addresses to private internal addresses. This translation protects the inner systems, because outsiders do not know these private addresses. At any rate, they could not use these addresses remotely because they are in a range that a router would not treat as a legal destination. Another level of capability is a firewall’s ability to participate in an intrusion detection scheme. Rather than silently dropping suspicious packets, a more sophisticated firewall can make these events known to the intrusion detection system, which can perform more analysis and generate an alert, if needed. Most companies are using more than a single firewall to shield the inner network from the Internet. Often, an outer firewall separates the Internet from the so-called Demilitarized Zone (DMZ). Only those nodes which need to be visible to the Internet are located in the DMZ. A second firewall separates the DMZ and intranet. This inner firewall is configured to allow inbound traffic only from machines in the DMZ that have been explicitly authorized. Two firewalls and one DMZ is a widely used approach. Often three firewalls and two DMZs are used. You could compare this to a ship’s body which is built in segments to make it less sinkable. Water penetrating the hull might fill one segment, but not the others. Intruders who were able to get into one segment of the network should not be able to easily get into other segments. For excellent advice on the use of firewalls we recommend reading Guidelines on Firewalls and Firewall Policy, Recommendations of the National Institute of Standards and Technology [4]. Page 7 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 2 Portal deployment scenarios When planning a portal system based on WebSphere Portal, you have a variety of possible deployment options, each of which provides different levels of performance, scalability, availability, and security. In this section, you see some typical portal scenarios and learn about the security considerations for the applicable deployment options. 2.1 Portals in protected networks First, take a look at a simple portal setup, which is applicable if the portal and its clients reside in a protected network, under the assumption that no attacks are to be expected from within this network2. Portal and clients are protected by a firewall and are, therefore, not visible to the Internet, as shown in Figure 2. The bold red border depicts a firewall. Figure 2: Deployment of a portal within a protected network Clients can connect to the portal server directly because they are in the same network. In this example configuration, we assume that the Web server and the application server with the portal server code are located on the same physical machine. The portal uses a database on a separate server for storing its data. All user information is in a user registry on a third machine. The portal server, the database server, and the user registry are all in the same network. Also, in the same network are all of the back-end systems which the portal applications might access. 2.2 Internet portals For portals servicing clients in the Internet, the simple firewall protection described in the previous section is not sufficient. At least one node of the portal system must be visible from the Internet. 2 The assumption that no attacks are launched from within an intranet is very rarely valid. Such a setup, although common practice, is not recommended. Page 8 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Two or more firewalls are typically used to segment the server environment into different security zones. We will explore a few variations in the following sections. 2.2.1 Portals using WebSphere Application Server authentication If the portal handles authentication and access control of its resources, the machine running the Web server needs to be visible to the Internet, as shown in Figure 3. In this example, we assume that the Web server and the application server with the portal server code are located on different machines. The Web server is the first node that needs to be accessible for external clients and, therefore, must be visible to the Internet. It is located in a DMZ behind an outer firewall, allowing HTTP requests to the Web server as the only incoming traffic. Figure 3: Portal configuration example serving clients in the Internet A second firewall provides additional protection for the inner network and the back-end systems. It allows only the expected inbound traffic from the Web server to the portal server. In order to penetrate through the second firewall an attacker must first have succeeded in seizing control of the Web server. To allow the portal server to access and aggregate external content, an outbound proxy in the DMZ forwards requests from the intranet, and returns the responses from the Internet. Additional firewalls to segment the intranet might be used but are not shown here. 2.2.2 Portals using a separate authentication proxy For authentication, WebSphere Portal can either use its own authentication mechanism (that is, the authentication mechanisms provided by the security infrastructure of WebSphere Application Server) or rely on a separate authentication proxy server. A separate authentication component can provide a single central authentication point for one or more portals and other web resources. Page 9 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 The authentication proxy server can be implemented as a separate server machine, as a plug-in to the Web server, or as a plug-in to the Edge component in WebSphere Application Server (previously known as the Edge Server). Figure 4 shows an example of a portal deployment with a separate authentication component. In this example, a proxy server handles the authentication. This authentication proxy is the only node visible to clients connecting from the Internet. It is protected by an outer firewall. To decide whether a request can be allowed to pass through, the authentication proxy cooperates with its authorization server, which is behind another firewall. This firewall only allows inbound requests from the authentication proxy and inbound responses from the outbound proxy. The outbound proxy forwards requests from the intranet and returns the responses from the clients in the Internet. The authorization server accesses the user registry, which is in the same network. In this example, the user registry is used by the authorization server, the portal server and by other systems. The portal server functions execute on several machines in a cluster to provide a higher capacity and fault tolerance. Figure 4 shows three server machines that indicate the cluster, which could decompose into a load balancer machine, several caching proxy machines, and several portal server machines. Figure 4: Example of a portal deployment with separate authentication component In the same network − along with the authorization server, user registry, and portal server cluster − are the portal database, content management server, and search server. Another firewall separates this network from the intranet clients. 2.2.2.1Portal clusters with load-balanced authentication proxies The last deployment example we look at is a portal cluster, which uses a separate a load-balanced and fault-tolerant cluster of authentication proxy server machines (Figure 5). The network node visible to the clients in the Internet is the load balancer, which dispatches requests between several authentication proxies. These proxies are located in the DMZ so that only authenticated requests get through the second firewall into the production network. Page 10 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 The portal server cluster is placed in the production zone behind the second firewall, along with the portal database, the search server, and the content management server. A third firewall separates the portal server cluster network and back-end systems from the intranet clients. Figure 5: Portal deployment with clusters of portal servers and authentication proxies In this example, you see a typical network administration setup with a separate administration zone. We assume that the middle firewall has been given a third network adapter to connect the administration network with the outer DMZ and the production network in a secure way using customized filtering. Inside the administration network is the authorization server, the user registry, the network administration system, and the Intrusion Detection System (IDS). 3 Authentication The precondition for access control is to make sure that the person or program requesting access is identified without doubt. This process is called authentication. In its most common form, authentication employs a user identification string (user ID) and a user secret (password) to establish certainty about the requestor. The standard ways to supply the user ID and password to the server are HTTP basic authentication (a Web browser mechanism using a standard login dialog), or HTTP form-based authentication (a mechanism in which the server sends a customized authentication form that is presented to the user). Other authentication mechanisms include SSL/TLS client authentication based on digital signatures and certificates (including secure storage on smart cards), hardware-based one-time passwords such as the RSA SecureID token, and various biometric mechanisms such as finger print verification, iris scanning, or speaker verification. The WebSphere Portal authentication subsystem delegates the task of authentication to underlying mechanisms of WebSphere Application Server [5,6]. It provides support for the following authentication configurations: Page 11 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 • Use of native WebSphere Application Server authentication. A custom login form posts the user’s authentication data to a servlet which requests WebSphere Application Server Security to validate the user’s authentication data. Alternatively, you can set up WebSphere Application Server to accept and validate SSL client certificates. This setup exploits the fact that WebSphere Portal is well integrated with WebSphere Application Server and that the portal can be configured as a secure Web application. • Use of an authentication proxy. WebSphere Application Server provides an interface that allows it to establish trust to authentication proxies; this interface is called the Trust Association Interceptor interface. Let's look at both of these configurations. 3.1 Authentication using WebSphere Application Server Security To use WebSphere Application Server Security, the portal is configured as a secure Web application. When WebSphere Application Server receives a request for this application (the portal), its security component requests the authentication credentials from the client. Depending on which authentication method you configured, one of the following occurs: • An HTTPS client certificate request is sent to the browser, or • The client is redirected to an authentication form that prompts the user to provide the credentials for authentication. In the latter case (which is the portal default configuration), the form posts the credentials to WebSphere Portal’s custom authentication servlet which obtains the posted credentials. The servlet then logs the user in to WebSphere Application Server’s security context using the JAAS (Java Authentication and Authorization Services [7]) Framework, as described in JAAS Login. In the case of HTTPS client certificate authentication, WebSphere Application Server receives the authentication credentials directly. WebSphere Application Server authenticates the user by checking the provided credentials against the user registry, which can either be an LDAP directory or a custom user registry. Figure 6 shows the detailed flow of control when a request for a portal destination is not yet authenticated, and needs to be authenticated by WebSphere Application Server Security. In this example, the configuration was set up to use HTTP form based authentication. The post-login page can be configured as part of the post-login redirection policy. Page 12 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Figure 6: Authentication flow with WebSphere Portal configured to use WebSphere Application Server Security and HTTP form-based authentication 3.2 Authentication using a separate authentication proxy You can use an external authentication proxy to protect the portal by intercepting all requests targeted for portal destinations. An authentication proxy can be implemented as a proxy server such as WebSEAL in IBM Tivoli Access Manager for e-business [8]. Alternatively, it can be implemented as a plug-in to the Web server or to the IBM Edge Server. Examples of HTTP plug-in authentication proxies are the Web Agent in Netegrity SiteMinder, and the authentication plugin within Entrust GetAccess. The IBM Tivoli Access Manager Plugin for Edge Server plugs into Edge Server instead of into the Web server.3 An external authentication component authenticates users by whatever means the external authentication component considers appropriate (for example, using an LDAP BIND call). You can use Trust Association Interceptors, registered with WebSphere Application Server, to establish a trust relation between WebSphere Application Server and the external authentication component. The authentication component passes the authenticated user ID string to WebSphere Application Server (for example, encoded in dedicated HTTP headers) which will accept the user ID based on the established trust. A typical way of establishing this trust is using a shared secret to encrypt and decrypt the user ID when stored and retrieved from the HTTP request (such as the HTTP header fields mentioned earlier). This is a common scenario in production environments. 3.2.1 Trust Association Interceptor A Trust Association Interceptor (TAI) is a mechanism by which WebSphere Application Server enables an external component to authenticate the user and to assert the identity to the WebSphere Application Server Web container. 3 Plugging into the Edge Server has advantages for scalability. Page 13 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 WebSphere Application Server provides functions which the TAI uses to indicate that it is able to handle a request and that the request is already authenticated. You could think of a TAI as an adapter, which communicates with the authentication component in an unspecified way and makes the authentication decisions accessible to WebSphere Application Server through the specified TAI interface. Figure 7: Supported authentication components and Trust Association Interceptors After a request for a portal destination passes the external authentication component, WebSphere Application Server receives it and passes it sequentially to the registered TAIs. If one of the TAIs indicates that it is responsible for authentication, it either accepts or rejects the request. If no TAI can handle the incoming request, WebSphere Application Server falls back to its native authentication, just as if there where no TAIs at all. In the case of WebSphere Portal, the client is redirected to the custom login form. However, this should only occur with requests that bypass the external authentication component. Figure 8 shows the detailed flow of control for a request that passes through an external authentication proxy. The interactions shown are the same for authentication proxies implemented as separate servers, or for proxies implemented as plug-ins for the Web server or the Edge component. Page 14 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Figure 8: Flow of control for a request passing through an external authentication proxy 3.3 Requests in a session which is already authenticated After successful authentication (through either WebSphere Application Server Security or an authentication proxy with a TAI) the user is logged in. Then, the user's authenticated portal session starts and an SSO token is issued to the client as a cookie, along with the HTTP session cookie (usually named JSESSIONID)4. The default implementation used for the SSO cookie is the Lightweight Third Party Authentication (LTPA) scheme supported by the WebSphere components. As proof of authentication, user information is signed and encrypted into an LTPA token, which can be verified by all servers that are part of this LTPA SSO domain. An LTPA token contains the user ID and has an expiry date and time, at which time it expires (even when continuously used). It is possible to use custom SSO tokens to obtain trust between calls from the client. 4 For devices that cannot manage cookies (like WAP phones), proxy gateways take over the handling of cookies. Page 15 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Figure 9: Flow for a request that is already authenticated 3.4 User registry The user registry is a repository that holds information about registered users and groups. WebSphere Application Server and WebSphere Portal support an internal WebSphere Portal database, an LDAP directory, or a custom registry as a user registry. WebSphere Portal shares the authentication registry with WebSphere Application Server and can also (optionally) have a separate look-aside database for user profile data and preferences. Some profile information can also be stored in the same physical store as the authentication registry. For example, an LDAP directory typically contains much more information about each user than just the name and password. In WebSphere Portal, the information about users is centralized in the WebSphere Member Manager (WMM) component. You can configure this WebSphere Portal component for different layouts of data in the user registry and its look-aside database. Also, WebSphere Portal can work with a read-only user registry, in which case, all portal user data that needs to be updated is stored in the internal look-aside database. The WebSphere Member Manager component is also responsible for determining group membership. This information is used by WebSphere Portal’s access control component and administration functions. The lookup is able to evaluate nested groups. Because this lookup has a potential impact on performance, a configurable option lets you stop group membership lookup at the first level. The supported authentication registries and their corresponding Application Server and WebSphere Portal settings are listed in the following table: WebSphere Member Manager configuration WebSphere AppServer authentication registry LDAP + database LDAP or Description The authentication registry is a directory server (LDAP), and profile information is split between custom registry for both LDAP and a database. The degree of this WebSphere Application split is configurable (for example, what attributes Server provided by are stored in LDAP and what in the database). WebSphere Portal This configuration is possible either with the WebSphere Application Server LDAP registry or a custom user registry implementation for an LDAP user registry provided by WebSphere Portal. The custom registry has the advantage of supporting the realms notion required for different user populations with Virtual Portal. Page 16 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Multiple repositories Custom registry for The authentication registry can be a combination WebSphere Application of one or multiple directory servers (LDAP) and a Server provided by database. WebSphere Portal This configuration is only possible with a custom user registry implementation for an LDAP user registry provided by WebSphere Portal. This setup does let you create a horizontal split of the user registry. Database only Custom registry for WebSphere Application Server provided by WebSphere Portal WebSphere Portal provides a custom user registry implementation for the internal database. With this configuration, the authentication registry is part of the Member Manager, and profile information is stored in the same database. Customer provided Custom registry for The customer supplies a custom user registry. WebSphere Application Profile and authentication information is held in Server provided by this custom registry. customer 3.5 Portal login After authentication to WebSphere Application Server, the portal login is performed. The portal login accepts the authenticated user ID string from the WebSphere Application Server security context and initializes the portal’s HTTP session with corresponding user data: 1. The user profile data is populated from the user registry. 2. The user session is resumed from the saved state (if this option was chosen). 3. The browser is redirected to post-login target page. In addition, you can configure your portal to perform a second portal-specific JAAS login to populate the portal user object with additional credentials. (See also JAAS login.) When the user terminates the session, he or she can either explicitly perform a logout action, or the session can time out. For more detail, see Logout. 3.6 JAAS login If you choose form-based login as the authentication mechanism for your portal, a JAAS login triggers the Application Server authentication to build the Security Context. A JAAS login is also triggered for the portal login. JAAS, a Java API for authentication and authorization, specifies three different categories of classes: common, authentication, and authorization. WebSphere Portal mainly uses the common classes (in particular, the JAAS Subject). Some of the functionality of the authentication classes (LoginContext and LoginModule) is used, and none of the authorization classes are used. A JAAS login as defined by the JAAS specification executes a number of login modules and returns the user’s Subject as a result of a successful login. The Subject is a container for the user’s identities (Principals) and Credentials. Each login module can add principals and/or credentials to this Subject. Figure 10 shows an example of a JAAS login flow. Page 17 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 During Application Server authentication, a JAAS configuration executes which contains the Application Server modules performing the authentication against the configured user registry. The JAAS configuration also contains a module which builds the SSO token for authentication of subsequent requests. You can adapt the configuration by adding additional login modules before or after the execution of the Application Server login modules. These additional modules could establish a secured state in the shared State (of the login modules) to disable authentication to the user registry. More information on the WebSphere Application Server login modules can be found here [9]. An individual JAAS login module can get the actual HTTP Request and HTTP Response objects that triggered the JAAS login using corresponding JAAS Callbacks supported by WebSphere Application Server. The JAAS configuration that executes the login is also triggered for authentication of XmlAccess and portal scripting requests. During the optional portal JAAS login, the user does not need to be authenticated because user authentication was previously performed by the authentication component (either Application Server Security using an authentication proxy, or by the first JAAS login). Therefore, the WebSphere Portal JAAS login modules typically only populate the user’s JAAS Subject. This can be used to store single sign-on tokens which can then be used by special active credential objects (see Passive and Active credential objects) to enable portlets to access other applications within the same single sign-on domain. (See SSO for more information on single sign-on). The JAAS configuration used for Application Server Authentication is registered with the name Portal_LTPA; the JAAS configuration used for portal login is registered as Portal_Login. Figure 10: Sample JAAS Login 3.7 Logout The logout can be initiated by a URI that is explicitly selected when the user clicks on the logout button (which has been added by the aggregation engine to every page banner). Alternatively, the Page 18 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 logout can be initiated implicitly through a session timeout that occurs after a specified time of inactivity. The portal logout performs the following actions: 1. Suspend User Session. The user’s portal session (the portal’s navigational state) is persisted. The HTTP session is invalidated. 2. Portlet user logout. The portlets are notified of the event “user logged out” to give them the opportunity to finalize (trans-)actions that need to be terminated. The following steps are performed only when the logout is initiated by an explicit user action. They are not performed when the logout is a consequence of a timeout. 3. WebSphere Application Server logout. The user’s credential token is marked as invalid, and a respective cookie invalidation command is added to the response. 4. Browser redirect (302). The browser is redirected to render the post-logout target. In the case of an authentication proxy, WebSphere Portal needs to be set up to redirect after logout to the authentication proxy’s logout page. This way the authentication proxy is also notified of the logout. If a user does not logout explicitly, the proxy cannot be notified of the portal session timeout and the proxy session will time out eventually as well. 3.8 Customizing the portal login and logout processes WebSphere Portal lets you customize the portal login and logout procedures at various places. The following modifications are possible [10]: • Specifying the post-login and the post-logout redirection policy and targets. • Adding custom JAAS login modules that are used to authenticate a user and/or populate the portals user JAAS Subject with principals or credentials. • Securing the login interactions and/or the personalized portal pages using SSL. • Extending the portal login and logout action classes. 4 Single sign-on (SSO) WebSphere Portal is often used to integrate other enterprise information systems, and to present them through the portal user interface. The recommended approach is that those systems do not relinquish control of their application security, even if they are accessed through WebSphere Portal. Therefore, the back-end systems continue to do their own authentication and authorization. However, most implementations want to avoid requiring the user to repeatedly authenticate. This is where SSO comes into play. The goal of SSO is to provide a secure method of authenticating a user one time within an environment, and to use that single authentication (for the duration of the session) as a basis for access to other applications, systems, and networks. In the context of WebSphere Portal, there are two SSO realms: • • From the client to portal and other Web applications From the portal to the back-end applications. Those two realms are indicated in by loops. Page 19 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Figure 11: Portal single sign-on realms With single sign-on from the client to the Web applications and the portal, a client logs into one Web application (once), and can then access all other Web applications that are part of the same SSO realm, without receiving a second authentication challenge. It makes no difference whether WebSphere Portal, or one of the other trusted Web applications, is the authenticating Web application. Single sign-on from the portal to the back-end applications enables a portal client to log into the portal once, and then to access a number of back-end applications through respective portlets, without having to authenticate at each of these applications. 4.1 SSO from the client to Web applications You can provide SSO from the client to Web applications and the portal through these various mechanisms: 0. LTPA support built into WebSphere Application Server (see Requests in a session which is already authenticated) 1. Authentication proxy SSO support (for example WebSEAL, Netegrity SiteMinder, RSA Cleartrust, or Entrust GetAccess) The functional principle of these single sign-on solutions is essentially the same. Upon successful authentication the client gets a security token that enables it to prove successful authentication and to pass through subsequent requests without repeating the authentication. Important: WebSphere Portal does not use any persistent cookies; it only uses cookies which are deleted when the browser session is terminated. Sometimes persistent cookies are used to achieve the goal of single sign-on. Persistent cookies are stored by the browser on the client in a form, which has very little protection from reading and copying. This security concern is the major reason to completely avoid the use of persistent cookies in WebSphere Portal. 4.1.1 SSO between Windows workstations and the portal With Tivoli Access Manager for e-business Version 4.1 and later, you can implement SSO between a Windows workstation and WebSphere Portal. That is, a user can log on to a local workstation and use Windows® Internet Explorer to access the portal without needing to authenticate at the portal again. This scenario requires that the user have an SPNEGO-enabled Web browser (such as Microsoft Internet Explorer); it also requires Microsoft's IIS as the Web server for the portal along Page 20 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 with the Tivoli Access Manager Web server plug-in for IIS. You would configure it so that an eCommunity is established between the IIS plug-in and WebSEAL. 4.2 Portal-to-back-end SSO Some back-end systems can be accessed using standardized technologies, such as J2EE technologies (for example, Application Server Data Sources or J2C adapters) or Web services. If portlets need to interoperate with one of these back-end systems and do not need any sophisticated principal mapping mechanisms, it is recommended that you use these technologies. For communication with other back-end systems that require proprietary or non-J2EE protocols, WebSphere Portal offers a Credential Vault as a portlet service. This service provides portlets (and the portal, for that matter) with a mechanism for mapping from a user identity (usually a user ID, which is generally called a Principal) to another user identity and (usually) a credential, such as a password, for that user ID. Portlets should not store user credentials as part of their user-specific portlet data. Storing credentials in the portlet data is not a recommended way of achieving single sign-on because portlet data is stored in places that are insecure for storing user credentials; for example, in the database where it could be read by any database administrator. Instead, convert these portlets so that they use the Credential Vault. Figure 12 illustrates the structure of the Credential Vault. Credentials are stored in Credential Slots, through which user secrets are retrieved, created, modified, and deleted. Figure 12: Credential Vault Credential slots are contained in vault segments. A segment can be managed by both users and administrators, or by administrators only. The vault segments map onto a specific vault implementation through corresponding vault adapters. 4.2.1 How the Credential Vault works WebSphere Portal’s Credential Vault works as follows: • The portal administrator can partition the vault into several vault segments. Only portal administrators can create and configure vault segments. Page 21 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 • A vault segment contains one or more credential slots, which are the “drawers” where credentials are stored, and later retrieved, by portlets. Each slot holds one credential if user defined, and one credential per user if defined by the administrator. • A credential slot is linked to a resource in a vault implementation, the place where the credential secrets are actually stored. Examples of vault implementations are WebSphere Portal’s default database vault and IBM Tivoli Access Manager’s repository. A flag for each vault segment indicates if it is to be managed by the administrator or by the user. Only administrators can create credential slots in an administrator-managed vault segment. Portlets (acting on behalf of a portal user) are permitted to create credential slots only in user-managed vault segments, but they can set and retrieve credentials in both types of segments. Therefore, portlets that need a credential to complete their service have two options: 1. Use an existing credential slot that has been defined by the portal administrator in an administrator-managed vault segment. 2. Create a new credential slot in a user-managed vault segment. As a current limitation, WebSphere Portal installs one pre-configured user-managed vault segment and does not permit the definition of any additional user-managed segments. Administratormanaged vault segments can be created without any limitation. WebSphere Portal’s Credential Vault defines four types of credential slots: • Vault Slots in administrator-managed vault segments: o A system slot stores system credentials where the actual secret is shared among all users and portlets. It is a shared slot that belongs to an administrative segment. o An administrative slot allows each user to store a secret for an administrator-defined resource (for example, Lotus Notes). It is an unshared slot that belongs to an administrative segment. • Vault Slots in user-managed vault segments: o A shared user slot stores user credentials that are shared among the user's portlets. It is a shared slot that belongs to the user segment. o A portlet private slot stores user credentials that are not shared among the user's portlets. It is an unshared slot that belongs to the user segment. Details both on the administration of WebSphere Portal's Credential Vault and the corresponding programming model for portlets can be found in [10]. 4.2.2 Passive and active credential objects The Credential Vault Service returns credentials in the form of credential objects. WebSphere Portal differentiates between two basic types: passive and active credential objects. Passive credential objects are simply a container for the credential's secret. Portlets that use passive credentials need to extract the secret out of the credential. With passive credentials the portlets are responsible for the authentication communication with the back-end. Listing 1 shows how a portlet uses a passive credential that carries a user ID and password. Page 22 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Listing 1. Passive credential object use (pseudo code) // 1. Retrieve the credential object from the credential vault UserPasswordPassiveCredential credential = (UserPasswordPassiveCredential) service.getCredential(slotId, "UserPasswordPassive", null, porletRequest); // 2. Extract the actual secret out of the credential object UserPasswordCredentialSecret secret = credential.getUserSecret([…]); // 3. Portlet connects to back-end system authenticates using the user's secret. ... // 4. Portlet uses the connection to communicate with the back-end application. ... // 5. Portlet takes care of logging of at the back-end. ... An active credential object hides the credential's secret from the portlet; there is no method to extract the secret. Instead, active credential objects offer methods that take care of the authentication with the back-end system. They let portlets trigger authentication to remote servers using standard mechanisms such as basic auth, HTTP form-based authentication, or POP3 authentication, without knowing the credential secrets. The portlets can ask the credential to authenticate on their behalf, and then use the authenticated connection. With active credentials the portlets never get in touch with the credential secrets; therefore, there is no risk a portlet could violate any security rules. While there might not always be an appropriate active credential class available, it is the recommended type of credential object to use. In addition, for accessing server side credentials, the active credentials are attractive because they enable use of crypto hardware that does not expose their secrets. Such crypto hardware5 only enables using credentials inside the hardware with the supported authentication algorithms. Listing 2 shows how a portlet uses an active credential; in this case, an active credential for HTTP form-based authentication. The flow is illustrated in Figure 13, where the numbering coincides with the numbering in Listing 2. Listing 2. Active credential object use (pseudo code) // 1. Retrieve the credential object from the credential vault HttpFormBasedAuthCredential credential = (HttpFormBasedAuthCredential) service.getCredential(slotId, "HttpFormBasedAuth", config, request); // 2. Log into the back-end system credential.login(); // 3. Get an authenticated connection to work with URLConnection connection = credential.getAuthenticatedConnection(); // 4. Portlet uses the connection to communicate with the back-end application ... // 5. Log out of back-end system credential.logout(); 5 IBM has a cryptographic coprocessor (IBM 4758PCI) for storing the private key and executing the cryptographic functions. This module meets the FIPS PUB 140-1 level 4 specification. The card can keep the server’s private keys secure (any data tampering will be recognizable) and can execute encryption algorithms. Therefore, the private keys do not need to leave the card, and execution will be faster. Page 23 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 1a. Retrieve Credential Portlet API Figure 13: Portlet using an active credential object for back-end SSO Portlet 4. Send Business Request 2a. login() 3. Get Authenticated Connection Back-end System 2b. Authenticate Active Credential Portal Engine Credential Vault Portlet Service 1b. Retrieve Secret Vault Store All credential types that are available within the portal are registered in a Credential Type Registry. WebSphere Portal provides a small set of credential types “out of the box”, but additional credential objects can easily be registered in this registry. The credential classes that are included with the WebSphere Portal V6.0 are: Passive credential objects: • SimplePassive - Stores secrets in the form of serializable Java™ objects. This can only be done programmatically; the vault administration GUI does not currently support BLOB secrets (which are needed in order to store serialized Java Objects). • UserPasswordPassive - Stores secrets in the form of user ID/password pairs. • JaasSubjectPassive - Stores secrets in the form of javax.security.auth.Subject objects. It provides portlets with the JAAS Subject that the portal has established for the user. • BinaryPassive - Simple standard implementation of PassiveCredential for binary credential secrets. Stores secrets in the form of a byte array. Active credential objects: • HttpBasicAuth - Stores user ID/password secrets and provides support for HTTP basic authentication. • HttpFormBasedAuth - Stores user ID/password secrets and provides support for HTTP formbased authentication. • JavaMail - Stores user ID/password pairs and leverages the authentication functionality of the javax.mail API. • LtpaToken - Supports authentication at a back-end system that is within the same Application Server SSO-Domain as the portal. • SiteMinderToken - Supports accessing back-end systems that are in the same SiteMinder SSO-Domain as the portal. It is typically used when a SiteMinder authentication proxy protects the portal and other resources. Page 24 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 • WebSEALToken - Supports accessing back-end systems that are in the same WebSEAL SSO-Domain as the portal. It is typically used when a WebSEAL authentication proxy protects the portal and other resources. Credential objects do not implement java.io.Serializable and can, therefore, only be stored in the portlet session as a transient value. This implementation is for security reasons; the credential classes store the credential secret as private attributes. If they were serialized into the Application Server session table, then the secret could potentially be read by anyone who has access to this database. 5 Securing client-to-portal communication Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are protocols that leverage a variety of cryptographic algorithms to implement security, for example authentication with certificates, session key exchange algorithms, encryption, and integrity checks. They are common protocols that are often used to provide privacy and trust between communicating applications such as Web clients and Web servers. When HTTP is used over such a secure connection, this is known as HTTPS. SSL and TLS provide connection security with three basic properties: 1. Confidentiality - Encryption is used after an initial handshake to define a secret key. Symmetric cryptography is used for data encryption (for example, DES, RC4) 2. Authentication - The peer's identity can be authenticated using public key cryptography (for example, RSA, DSS). 3. Integrity - Message transport includes a message integrity check using a keyed Message Authentication Code (MAC). Secure hash functions (for example, SHA, MD5) are used for MAC computations. While TLS is the standard implementation, SSL still is more widely distributed. In this description, we refer to SSL, but also imply TLS. WebSphere Portal is tested and supported to run with the FIPS 140-2 compliant TLS providers available in WebSphere Application Server. IPSec is a technology that can be used as an alternative to SSL (see Protected communication). It works on a lower layer of the OSI reference model than SSL and is usually configured and handled on the operating system level. Although the operating systems of most clients support IPSec today, only a few have it already configured. Therefore, we do not recommend using it for the communication between clients and the server complex. When the communication between servers needs to be protected however, it is a question of design whether to use SSL or IPSec. Both technologies offer advantages: IPSec is on the network level and is, therefore, transparent to applications; they do not have to do anything to support it. In addition, it might perform faster if the OS makes use of available crypto hardware6. SSL, on the other hand, is widely supported and administrators have gained a lot of experience and confidence with this technology over the years. WebSphere Portal can be configured to support SSL [11]. For example, it can generate respective URLs if needed; you can specify the protocol as well as the port. The main questions with using transport or network layer security are where to terminate the protected connections and which communication to protect. If a higher level of security is desired, it is necessary not only to protect the communication across unprotected networks (such as the Internet), but also the communication within the corporate networks. The threats of human errors that might open up holes in the network protection as well as the threats of internal attackers (such as disgruntled or dishonest employees) are not to be underestimated. In fact it is estimated that in about half of the cases, these are the causes of security incidents. 6 SSL could exploit crypto hardware as well, but each application would have to support this. Page 25 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Figure 14 shows how transport layer security would be implemented in the simplest of our deployment scenarios (see Figure 2). The clients connect directly to the portal server; therefore, the connection is secured with SSL. Page 26 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Figure 14: Communication security for portal installations within a protected network The second of our deployment scenarios (Figure 3) separates the Web server from the portal server with firewalls between the client and Web server, and between the Web server and portal server. Figure 15 shows one SSL connection between the client and Web server, and a second one from the Web server through the firewall to the portal server. Figure 15: Communication security for a portal installation in a trusted intranet The third of the deployment scenarios (Figure 4) places a reverse proxy for authentication in the DMZ and, behind another firewall, a cluster of portal servers that are fed by a load balancer7. A possible secure communication implementation for this case could use SSL from client to reverse proxy, and IPSec for the remaining path between the servers: one IPSec connection from authentication proxy to the load balancer, and another one from load balancer to the portal cluster as shown in Figure 16. Figure 16: Communication security for a straightforward Internet portal cluster In a fully clustered portal environment, with full transport layer security, the client’s SSL connection is tunneled through the first load balancer and terminated at the authentication proxy cluster. The 7 When the authentication proxy is Tivoli Access Manager for e-business, no extra load balancer is needed because load balancing capabilities are already built into this authentication proxy. The same applies if IBM Edge Server is used together with Tivoli Access Manager Plugin for Edge Server. Page 27 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 tunneling can be done because the first load balancer does not need to read the request’s content for its load balancing strategy. That is only needed for more sophisticated strategies such as session affinity, for example, when all requests by the same user are always routed to the same cluster machine. The second load balancer will usually use such a strategy; therefore, the next SSL connection needs to be terminated at this server. Finally, there is a third SSL connection between load balancer and portal cluster. For this scenario, we have shown how to connect to an LDAP directory. The communication between application server and LDAP server is protected as well because the LDAP queries and responses might contain confidential data. You can configure WebSphere Application Server’s security component to use LDAPS (LDAP over SSL) Figure 17: Communication security implementation in a fully clustered portal setup 5.1 Restricting the protection to sensitive communication only Using SSL is not cheap; it costs a considerable amount of computing power. The most expensive SSL operation is the initial handshake, but the symmetric encryption of the bulk data produces additional load. Therefore, limit the SSL protection to the necessary minimum. WebSphere Portal can switch between SSL and non-SSL connections during a session. You can set up SSL for the portal with these configurations: • For the user login interaction only • For login and the part of the portal that is restricted to authenticated users • For the whole portal The final decision to whether a portal should protect none, all, or only parts of its communication with SSL should be based on the sensitivity of the data. 5.2 Using client certificates The SSL and TLS protocols specify the authentication of the communication partners through the use of X.509 certificates. The client can use a certificate to authenticate to the server. This authentication through the client certificate is more convenient than typing a password and also avoids the known security drawbacks of passwords. In addition, if the private key that is associated with the client certificate is stored on a smart card, then this form of authentication can establish particularly strong trust. The decision to enforce certificate-based client authentication is a configuration option with WebSphere Application Server. If an authentication proxy such as Tivoli Access Manager’s WebSEAL is used, then select this setting in the WebSEAL configuration. Page 28 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 6 Securing back-end connections Some portlets are designed to access back-end applications that house important enterprise data. You have these two options to secure back-end data: 1. Selected portlets can use SSL connections to exchange data with a corresponding back-end application. Depending on the back-end application, an SSL handshake with client authentication can be required. 2. The portal and the back-end applications can establish a virtual private network, for example, using IPSec. 6.1 Using IPSec between the portal and back-end applications Using IPSec for back-end connections is an alternative to using SSL (see Securing client-to-portal communication for a more detailed explanation of these two technologies). The fact that IPSec is efficiently operating on the network layer and that it is easy to configure in most current operating systems makes it worth considering in this context. 7 Controlling access to portal resources Authorization is based on authentication. In order to enforce that only authorized subjects (users) are allowed access to the portal, it must be assured who the subject is. Authentication is, therefore, the first step performed on each request coming into the portal server. Portal Access Control (PAC) defines the set of sensitive operations a specific user is allowed to execute within the portal resource space. This set of operations is defined by the set of permissions granted to the user. WebSphere Portal uses the role concept to enable convenient management of permissions based on the job responsibilities of individual users. A role can be considered a container of permissions that comprises all authorizations necessary to act in a specific role on a specific part of the protected resource hierarchy. Assigning a role to a user grants all the contained permissions in the role to the user. Access control administration can be performed using the portal administration portlets, XmlAccess, or the portal scripting interface. 7.1 Access control concepts First, we define key terminology and concepts involved in WebSphere Portal's access control capabilities. 7.1.1 Sensitive operations Users (or more general clients) interact with the portal in a multitude of ways ranging from simple page view requests to complex update operations like cloning an installed portlet. Access to almost all of those operations has to be restricted to a set of authorized users. Therefore, all sensitive operations are protected by the portal access control component. A well defined WebSphere Portal access control policy (see InfoCenter [12]) maps each sensitive operation to a specific set of permissions that are required to be allowed this operation. Access control administration then defines each user’s permissions by creating and deleting the corresponding roles and role assignments. 7.1.2 Protected resources Those resources within the portal object model that require access control protection are referred to as protected resources. All protected resources are linked into tree structures that reflect their internal topology. For example, while individual sub pages are linked as child resources of their Page 29 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 containing parent pages, individual portlet definitions are linked as child resources of their enclosing portlet applications. Figure 18 depicts a schematic overview of these resources within the portal release data domain. Figure 18: Protected resource hierarchy within the portal release database domain The vast majority of the resources within this hierarchy represent portal resource instances that require access control protection (such as individual portal pages or portlets); but some of them are special virtual resources. Figure 18 shows the fixed set of supported virtual resources as grey boxes and the resource instances as blue boxes. Virtual resources are used in two ways: 1. They guard sensitive operations that do not affect specific resource instances as such but the whole portal or a whole portal concept. For example, the virtual resource XmlAccess is used to protect the ability to use the XmlAccess configuration tool. 2. They group resources of the same or related resource types. For example, the virtual resource Content Nodes is the root node of all pages (resource instances of resource type Content Node) within the portal page hierarchy. 7.1.3 Roles and role types A role is a set of permissions on individual protected resources. If a user shall be allowed to execute a specific sensitive operation, she needs to have corresponding role assignments Page 30 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 providing the required permissions on the affected resources. Role assignments can be either explicit (a user or user group is directly assigned to a role) or implicit (the user or user group is a member of a user group that has a corresponding explicit role assignment). The set of permissions granted to a specific user is defined by the union of all permissions contained in all explicitly and implicitly assigned roles of this user. Roles within WebSphere portal are typed, such that each role instance is of a specific role type. WebSphere Portal supports the role types Administrator, Security Administrator, Delegator, Manager, Editor, Contributor, Privileged User, and User. Role types model the different ways people interact with the system depending on their job responsibility. Role Type Allows… User Viewing portal content (for example, viewing a specific page). Privileged User Viewing portal content, personalizing portlets and pages, and creating new private pages. Contributor Viewing portal content and creating new resources. The Contributor role type does not include the permission to edit resources. It only allows you to create new resources. Editor Creating new shared resources and configuring existing resources that are used by multiple users. Manager Creating new shared resources as well as configuring and deleting existing resources that are used by multiple users. Security Administrator Creating and deleting role assignments for roles tied to specific resources. Administrator Unrestricted access to resources. This includes creation, configuration, and deletion of shared resources. Administrators can also decide who shall have access to the resources by creating and deleting corresponding role assignments. Delegator Assigning specific users or user groups to those roles which the delegator holds himself. As illustrates, role types are organized in a hierarchy. Each role type extends the privileges contained in the role types directly beneath it in the hierarchy. For example, Privileged Users and Contributors can do everything that Users can do. Managers can do everything that Editors, Contributors, and Users can do. Page 31 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Figure 19: Role type hierarchy 7.1.4 Role assignment and inheritance In addition to the role type, an individual role instance is also characterized by an additional attribute called the domain root resource, which identifies the set of protected resources that are affected by the given role instance. By default, the role affects all resources contained in the subtree of protected resources rooted at the domain root resource. As a convention, a given role is referred to by concatenating the role’s type and the name of the domain root resource, separated by the “@” sign (that is, <role type>@<domain root resource>). For example, the role Editor@Market News Page refers to a role of type Editor tied to a specific page in the portal page hierarchy named Market News Page (see ). The permissions in such a role allow executing sensitive operations on the Market News Page that correspond to the job responsibility of an Editor or any other less privileged role in the role type hierarchy (see ). Through inheritance, a specific role contains permissions for accessing the domain root resource, and it also contains corresponding permissions on all resources in the subtree rooted at the domain root resource. In the previous example, users having a role assignment to the Editor@Market News Page role are also allowed to act in the Editor role on the USA Market News Page (see ). Figure 20: Page hierarchy example If inheritance is not intended, the inheritance can be blocked as described in the next section. Page 32 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 7.1.5 Role blocks You might want to prevent a specific role from affecting all resources below the role’s root resource in the resource hierarchy. In this case, you can control the inheritance behavior of some or all of those resources and prevent them from being affected by this role. For example, in , there is a role block for roles of type Editor inserted above the Europe Market News Page. This prevents the Europe Market News Page from being affected by other roles of type Editor that may exist at resources above this page. This example illustrates that a role block is role type-specific and is tied to a specific resource. A specific role block disables inheritance on the corresponding resource for all roles of the corresponding role type. The block for roles of type Editor above the Europe Market News Page does not block roles of types different from Editor (such as Manager or User roles). You could block these roles separately using corresponding role blocks, if desired. Roles of type Administrator or Security Administrator can only be blocked using XmlAccess. If Administrator and/or Security Administrator role are blocked, XmlAccess will block all other role types as well. Access control supports two kinds of role blocks called inheritance blocks and propagation blocks. While inheritance blocks shield a resource from inheriting from their parent resources (like the one depicted in ), propagation blocks inhibit inheritance from the resource to its child resources. You could think of this as blocking above the resource (inheritance block) or blocking below a resource (propagation block). 7.1.6 Resource ownership Each resource protected by portal access control can (but need not) have a dedicated owner. When a user creates a new portal resource (for example, a new page) the executing user automatically becomes the initial owner of that resource. Being owner of a resource provides specific permissions on that resource including the right to delete the resource. Ownership provides the same permissions on the owned resource as being in the Manager role on the resource. The ownership property of a resource is not subject to inheritance. Ownership can be changed, so it is possible to assign a specific resource a new owner, giving this user the corresponding privileges on that resource. For non-private resources, the ownership can also be removed. 7.1.7 Private pages Portal access control supports the notion of private pages. A private page can be accessed only by the owner of the page. Privileged Users on a non-private page (users having a Privileged User role assignment for that page) are allowed to personalize this page. Personalizing a non-private portal page results in the creation of a private personalized copy of the corresponding page (by implicit page derivation). All modifications the Privileged User does to this page are only accessible to this user because it is now a private version of the page. 7.1.8 Resource domains WebSphere Portal Version 6 introduced the notion of four distinct database domains called Release, Community, Customization, and JCR domain. Those database domains can be represented by individual database schema within the same database instance or by separate, distinct database instances. The four domains contain different kinds of data: • The Release database domain contains all portal configuration data that make up a portal installation in a specific version (or release) such as the portal page topology and the configuration data for individual portlets. • The Customization domain contains private user customization data such as implicitly derived pages or user specific portlet preferences. • The Community domain contains those pages and portlets that are used in the Composite Application Infrastructure (introduced with WebSphere Portal V6.0). Page 33 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 • The JCR domain contains those portal resources that are stored within the Java Content Repository (JCR) such as documents, folders, policies, and templates Resources in any of these database domains may require access control protection and are, therefore, considered protected resources. The access control configuration data for any protected resource is stored in the same database domain as the resource itself. This allows maintaining a consistent access control configuration when you backup individual database domains. The subset of the protected object space that is stored within the Release domain is depicted by Figure 18. Figure 21 depicts the protected object space as it exists in the Java Content Repository (JCR) domain in WebSphere Portal. Figure 21: The protected resource hierarchy of the JCR domain Portal access control protects the following types of resources stored in the Release domain: • Web modules • Portlet applications • Portlets • Content nodes (this type includes pages, labels, and externals URLs) • URL mapping contexts • WSRP producers • PSE sources • User groups • Users (not protected individually, but through the groups to which they belong) Portal access control protects the following types of resources stored in the JCR domain: • Document Libraries • Documents and folders • Template root, template categories, and templates • Policy root and policies • Personalization rules Page 34 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 7.2 Delegating access control administration Portal access control supports the concept of delegated administration. In the context of access control, the term administrator is generally applied to users that are allowed to change access control configuration (for example, create role assignments). Delegated administration means that an administrator can delegate specific subsets of his or her administrative privileges to other users or user groups. The receivers of these privileges become sub-administrators, which, in turn, can delegate subsets of their privileges to some sub-sub-administrators and so on. Portal access defines a delegated administration policy (a subset of the WebSphere Portal access control policy described in the InfoCenter [12]) that controls which permissions are necessary to be allowed to do a specific change to the access control configuration (for example, to create a specific role assignment). This policy allows restricting administrative privileges to specific parts of the protected resource hierarchy and to specific user groups. Therefore, you can establish subadministrators that control role assignments for a specific subtree of the resource hierarchy (for example, nested pages) and a specific set of user groups. The administrative user and group that are created or identified during portal installation are initially set as the domain administrative user or group for each resource domain. These users and groups are implicitly assigned the Administrator role at the root resource of the protected resource hierarchy in the corresponding resource domain. This role implies full access to all shared resources in the domain. You can define the administrative users and groups separately for each domain by changing settings of a Portal Service (see the WebSphere Portal InfoCenter [12] for details); therefore, you could set different administrative users or groups for each resource domain. 7.3 Access control in the composite application infrastructure (CAI) The concept of composite applications is a key element within the IBM's SOA strategy. A composite application aggregates one or more business components into a single, coherent entity. The individual business components and the interactions among them can implement sophisticated business logic to serve a meaningful purpose for business users. WebSphere Portal V6.0 introduced the composite application infrastructure (CAI) that provides the runtime environment and the programming model for such applications. You can plug existing software components (for example, EJBs, J2C Connectors, or other software services) into this infrastructure by implementing corresponding adapter code to mediate between the CAI and the business logic contained in the components. In WebSphere Portal, you can define composite applications in a declarative fashion using application templates. A template defines the internal structure of the application including references to the business components it contains, meta-data associated with those components, and the user interface which is composed of portal artifacts such as portlets and pages. The template also defines the access control structure for the application by defining the set of application roles that are exposed by the application. An individual application role represents a set of application-specific privileges on the business logic level (that is, independent of the access control details that may exist on the business component level). For example, a banking application may expose application roles such as Customer, Teller, and Supervisor. A team room application may expose roles such as Guest and Contributor. The individual application roles are than mapped to individual roles exposed by the business components inside the application (see Figure 22). If the application contains portal artifacts such as portlets and pages, you can map individual application roles to portal roles to affect those resources using the portal role types introduced in Section 7.1.3, Roles and role types. As depicted in Figure 22, the Teller role in a Banking example could map to some Operator role defined by an ACMEBanking business component, and, at the same time, to a portal role of type Privileged User on the Teller portlet. If a user is assigned to this application role, the CAI Page 35 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 propagates this update information to the ACMEBanking component through a corresponding life cycle interface (the Membership interface in this case The CAI also insures that this user automatically has Privileged User permissions on the Teller portlet. Figure 22: Application roles and membership As discussed in Section 7.1.8 Resource domains, all resources that belong to the CAI are stored exclusively within the Community database domain and are managed through the corresponding administration portlets. • The Membership portlet lets you manage membership information; that is, the mapping between users and application roles. • The Roles portlet lets you manage the role mapping information; that is, the mapping between application roles and component roles (see Figure 22) For a comprehensive introduction to the portal composite application infrastructure can be found see [13]. 7.4 Integrating external authorization systems There are a number of systems in the market that are dedicated to controlling access to IT resources and applications. Sometimes these dedicated systems are called “3A systems”, because they offer centralized Authentication, Authorization and Administration. Examples are Tivoli Access Manager for e-Business, Netegrity’s SiteMinder, and Entrust’s GetAccess. You can set up the access control system of WebSphere Portal to let external 3A systems control portal resources. WebSphere Portal ships with authorization adapters for Tivoli Access Manager for e-Business and for Netegrity SiteMinder. Portal access control lets you put individual subtrees of the protected resource hierarchy under external protection. For example, using the Resource Permissions portlet, you can select a resource and change its externalization state. As a result, the selected resource and all resources contained in the subtree rooted at this resource are either put under external access control or brought back in to be protected by portal internal access control depending on the specific externalization state chosen. Inheritance always stops between resources that have different externalization state (this also applies to Administrator and Security Administrator roles). This Page 36 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 guarantees that each resource is either exclusively protected by portal access control or by the external system. Putting resources under external protection does not mean that the resource information as such is added to the protected object space of the external system. Only the roles that exist on those resources are registered there. An administrator of the external system can create role mappings for these roles, typically by assigning corresponding access control lists to the roles. The roles and role blocks are exclusively controlled by the portal. Only the mapping between roles and users/groups is managed through the external authorization system. Changing the externalization status of resources is considered a sensitive operation and requires at least Security Administrator@Portal and Security Administrator@External Access Control authority. External Access Control is a virtual resource that guards the concept of externalizing and internalizing resources. This resource is put under external protection during portal installation and cannot be internalized. This approach guarantees that the external security administrator cannot be overruled by a portal security administrator. 7.5 Administering access control You can administer access control for resources stored in the Release or JCR domain using the Resource Permissions and User and Groups Permissions portlets. • The Resource Permissions Portlet lets the administrator navigate through the protected resource hierarchy, and provides a resource centric view of the configuration. For example, "Are there role blocks defined on the selected resource?", "Which user groups are considered to be the Editor of this resource?" It also allows updating the configuration, so it let’s you create/delete role assignments, create/delete role blocks, change the ownership of the resource and change the externalization status of the resource if an external authorization provider is installed. In the case of managing access control on folders and documents, the navigation part is done using dedicated UIs, for example, the PDM portlet. • The User and Groups Permissions Portlet lets the administrator first select a specific user or user groups, and provides a user/groups centric view on the access control configuration. It supports the same set of actions as the Resource Permissions Portlet. Resources from the Community domain are exclusively administered through the new Roles and Membership portlets of the CAI. • The Membership Portlet is used in the context of a specific application. A user with membership management privileges within the given application can assign individual application roles exposed by that application to individual users and groups. • Like the Membership Portlet, the Roles Portlet is used within the context of a specific application. A user with application manager privileges within the current application can map individual application roles exposed by the current application to individual roles exposed by the individual business components that are comprised within the application. In addition to these portlets, the XmlAccess configuration tool and portal scripting can be used to administer access control for resources stored within the release domain. There are no access control administration facilities for resources stored in the customization domain because this domain contains only private resources that can only be accessed by the corresponding resource owner. Page 37 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 7.5.1 Administering access control using the XML Configuration Interface The XML Configuration Interface (also referred to as just XmlAccess) supports all aspects of Portal Access Control; that is, role assignments, role blocks, ownership, and externalization state. The access control information of individual resources modeled in XmlAccess is contained in the <access-control> sub-element. You can use this element to define the initial access control configuration for resources that are created using XmlAccess, or you can update the access control information for existing resources (for example, by exporting the configuration of a page, manipulating the access-control sub-element, and re-importing the configuration of the page into the portal). The access-control element only contains the explicitly defined access control data; that is, it does not contain implicitly assigned roles or inherited roles. For example, in the little scenario depicted in the access-control element of the Market News Page would contain the role assignment information for Bob; the one for the Europe Market News Page would contain the inheritance block of type Editor; and the access-control element of the USA Market News Page would be empty. In other words, Bob’s inherited role assignment on the USA Market News Page is not visible in the access-control element of that page. Instead, it is implicitly given by the fact that Bob has a noninherited role assignment to parent page and the lack of role blocks between those two pages. The following sample shows you how to block inheritance on a specific page by inserting role blocks and than explicitly assign rights to this page. The XML fragment given below first identifies the page to be updated via its unique name ibm.portal.SamplePage.2. It then adds two inheritance blocks on this page for role types Manager and Editor. As a result, this page is no longer affected by roles of this type that may exist at parent resources of the ibm.portal.SamplePage.2 page. The new Manager and User role assignments that take effect starting with this page are created with the succeeding role and mapping elements. <content-node action="update" uniquename="ibm.portal.SamplePage.2"> <access-control> <!-- The manager role should not be inherited automatically from parents of this page. --> <role-block type="inheritance" actionset="Manager"/> <role-block type="inheritance" actionset="User"/> <!-- The manager role is set explicitly on this page. --> <role actionset="Manager" update="set"> <mapping subjectid="wpsadmin" subjecttype="USER" update="set"/> </role> <role actionset="User" update="set"> <mapping subjectid="yourusername" subjecttype="USER" update="set"/> </role> </access-control> </content-node> Role propagation blocks (see Section 7.1.5 Role blocks) can be inserted in the same way using a type attribute of value 'propagation'. The type attribute can also be set to the value 'none' if there shall be neither an inheritance nor propagation block on the resource (as shown in the following example for roles of type User). <role-block type="none" actionset="User"/> XmlAccess can not only be used for managing access control for pages, it is also applicable for web modules, portlet applications, portlets, user groups, URL mappings, WSRP producers, and virtual resources like shown in the sample below. Page 38 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 <virtual-resource name="USER_GROUPS" action="update"> <access-control> <role actionset="Administrator" update="set"> <mapping subjectid="wpsadmin" subjecttype="USER" update="set"/> </role> </access-control </virtual-resource> 7.5.2 Administering by using Scripting In addition to the XmlAccess framework, WebSphere Portal Server supports a second configuration framework, the Portal Scripting interface. Portal Scripting differs from XmlAccess in the following aspects: • Portal Scripting supports access control management only for pages, portlets, portlet applications, and web modules. • Portal Scripting allows to write reusable scripts to modify access control configuration As XmlAccess, the Scripting interface shows only explicit role assignments to the resources, so neither implicit nor inherited role assignments can be queried using the Portal Scripting interface. Portal Scripting uses the same model as the scripting interface supported by WebSphere Application server. Thus, access to access control configuration data is done via MBeans. Two beans are defined in the area of access control: • $Access – provides function to get and set Access Control objects and lists all available role types • $PacList – keeps Access Control objects of the queried resource as well as information on blocks and is used to store the targeted modifications Let’s again take the ibm.portal.SamplePage.2 as an example. If we want to create the same Access Control settings as shown in the XmlAccess sample, we will end up in a script similar to the following: #General part. Need to authenticate first if { $argc != 2 } { #UserId and Password are passed as cmd line parameter. puts "invocation syntax: wpscript -f testme.jacl -profile mylogin.jacl <user> <pwd>" exit } set user [lindex $argv 0] set pwd [lindex $argv 1] $Portal login $user $pwd #Get the PacList of the Content Node you want to change $Content find page uniquename ibm.portal.SamplePage.2 select $PacList edit [$Access getacl Content [$Content current]] #Now modify the AccessControl setting $PacList grant User name "uid=youruser,dc=users,o=myorg" $PacList grant Manager name "uid=wpsadmin,dc=users,o=myorg" $PacList block User inheritance $PacList block Manager inheritance Page 39 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 #check if the List has been changed and write back if needed if [$PacList modified numeric] { $Access setacl [$PacList done] } #show the new active settings $PacList view [$Access getacl Content [$Content current]] #list all principals in all lists foreach as [$Access listall actionsets] { puts "\nPrincipals for $as:" puts [$PacList list $as all] } The sample can be executed using the wpscript command line tool which is located at wp_home/bin like the following: wpscript.[sh|bat] -port port_number -f script_file_name.jacl <userid> <password> Let’s have more detailed look into the script shown above. First of all we have to authenticate at the Portal Server instance to get the necessary right to perform those actions. Then the $PacList object is filled with information from this call. Before that call accessing the $PacList object would lead to an exception. $PacList edit [$Access getacl Content [$Content current]] Now modify the Access Control setting by either setting a block, removing a block, grant or revoke access and in the end save and close the $PacList object by using $Access setacl [$PacList done] Another useful command, not shown in the sample, is to check if a block is set or not: $PacList show <actionset> <flag> numeric where actionset can be any of the defined Access Control role types in the system, flag can be inheritance or propagation and the key word numeric lets you use this command within a conditional statement. Note that the numeric value for 0 indicates a blocked and 1 stands for not blocked. 7.6 Auditing WebSphere Portal has a built-in auditing function that can be used to log certain events and their originators into a separate log file. This file can then be used to track administrative activities. For each event the timestamp, an optional transaction ID, the user performing the action, and individual event details are logged. Per default, the auditing function is completely disabled and can be enabled individually for each of the following events by configuring the Audit Service [14]: • • • • • • • • • • • • Creating, modifying and deleting users and groups Creating, modifying and deleting portlet applications Assigning and revoking roles to and from users Modifying role blocks Modifying resource ownership Creating, modifying and deleting protected resources Externalizing and internalizing resources Installing and uninstalling web modules Creating and deleting application roles Assigning and revoking application roles to and from users Adding and deleting roles to application roles Initializing a database domain Page 40 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 8 Portlet security 8.1 Supporting Java 2 Platform Security Java 2 Platform Security is a security feature that was newly introduced by WebSphere Application Server Version 5. This feature enables protection of individual sensitive operations (such as file I/O or network access) such that code must be granted certain permissions in order to be allowed to execute those operations. For example, if Java 2 Platform Security is enabled on the JVM, code that wants to open a java.io.FileInputStream() object on a file, must be assigned a corresponding java.io.FilePermission. Otherwise, the call will fail with a corresponding security exception being thrown by the Access Controller built into the Java runtime system. A detailed discussion of the Java 2 Platform Security model can be found in the Java2 Platform Security Architecture document [15]. The assignment of individual permissions to individual code sources is done using policy files. The syntax and semantics of those files is defined by the Java Language Specification. WebSphere Application Server uses a specific set of policy files to set up Java 2 Platform Security for code running on the JVM of a WebSphere server instance. The installation procedure of WebSphere Portal updates those policy files, granting all code shipping with WebSphere Portal full access to system resources. Specifically, this is achieved by granting the javax.security.AllPermission to the shared libraries used by portal using the server.policy file, and to the individual portlets using corresponding was.policy files (see the WebSphere Application Server InfoCenter for a complete discussion of all policy files used by WebSphere Application Server). All other code running within the WebSphere Portal environment runs with permissions granted according to the WebSphere Java 2 Platform Security setup. By default, this matches the default permission set for Web containers, as defined by the J2EE specification. If a portlet needs additional permissions in order to operate correctly (for example, to write report data to the file system), you can insert a was.policy file into the corresponding WAR archive file. You need to place the was.policy file in the portletname.war/META-INF directory prior to packaging the portlet. In order to make WebSphere Application Server pick up the information contained in the was.policy file, the was.policy file is automatically moved from the war/META-INF directory to the ear/META-INF directory during portlet deployment. Therefore, in order to modify the permissions of an installed portlet after it has been deployed, you must modify the was.policy file within the ear/META-INF directory of the corresponding WebSphere nodes. Portlets can use the public portlet API exposed by WebSphere portal including the portlet services and the portal JSP Tag Library, without being granted additional permissions. Java 2 Platform Security support is intended to provide an administrative means of controlling access to system resources (for example, access to files or network facilities). However, enabling Java 2 Platform Security does not completely prevent malicious portlet code from damaging the portal or reading sensitive data available to the portal runtime (for example, by maliciously calling internal portal APIs). Therefore, at this point in time, portlet developers are still responsible for making sure that portlets keep sensitive data secure, and that they do not open up exposures that undermine the overall portal security. The portal administrator is still responsible for only installing portlets that are trusted enough. Java 2 Platform Security can be enabled and disabled using the WebSphere administration facilities. Java 2 Platform Security is orthogonal to J2EE security, so you can enable Java 2 Platform Security independently from enabling WebSphere Global Security. Page 41 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 8.2 Verifying secure connections Some portlets will require secure connections; that is, they need the guarantee that the data that they send is kept confidential. If the portal is enabled to serve pages via SSL, portlets can initiate an SSL connection with a “start transaction” link. However, the portlet needs to check for each request, whether the connection is still secure. This can be done with the request.isSecure() method. If a request did not come over a secure connection, the portlet must not write confidential data to the output stream (see also Restricting the protection to sensitive communication only)8. 8.3 Preventing cross-site scripting attacks Because portlets can directly access the markup stream, they are exposed to Cross Site Scripting attacks like any other Web application. Therefore, the portlet developer is responsible for properly encoding all data prior to writing it to the markup stream. This is typically done using the JSTL out tag from within JSPs or using the ResponseUtils class supported by WebSphere Application when plain Java code is writing to the markup stream. Otherwise, if user provided data (such as a URL parameters) are directly written to the markup stream, the receiver of that markup (the Web browser) may parse this data as active content (JavaScript) and execute code on the client's computer (for example, steal browser cookies). In order to reduce the risk for such attacks, the portal engine can be configured to do some basic filtering of portlet input, and converts the characters “less-than” and “greater-than” to the respective HTML escape sequences; however, this filtering addresses only a subset of potential vulnerabilities. Because it is a common problem, there is plenty of information on Cross Site Scripting on the Web; for example, see [16]. A similar kind of problem arises when a portlet aggregates markup from a third-party server, for example with a clipping portlet or by integrating remote portlets via WSRP. 8.4 Dangerous URL Protection WebSphere Portal uses two basic types of URLs: • URLs that are purely navigational: so-called render URLs or render requests. They do not cause changes to the persistently stored data, with the possible exception information about the navigational state, if this is to be persisted for session failover. Examples include links to pages in WebSphere Portal's navigation bar. • URLs that cause an action that might change persistent data: so-called action URLs or action requests. Examples are URLs used to create a new page or to delete a user. They are not dangerous per se, but they should not be executed accidentally, without the user's knowledge. The threat to be addressed is as follows: An attacker figures out the URL that causes a specific change to the persisted portal configuration, for example to delete the portal root page. He can do this, for example, by examining the corresponding page's HTML markup in his own portal installation where he would be allowed actually allowed to delete the root page. He then sends this URL to a high number of users of the target portal (he must first adjust the server part of the URL accordingly), and use phishing techniques to make them follow the link (for example, by hiding the link behind some faked “urgent update of you personal data required” message). If one user that has been granted enough permissions in the target portal clicks on the link, the unintended operation would be executed. 8 There remains one problem however: In a complex portal setup, the SSL connection will usually be terminated at an earlier node, for example at the authentication proxy. In such a case, the isSecure() method can not return the correct state (always “false”). The Web Container of the WebSphere Application Server offers some special HTTP header field that can be used by an SSL offloader to indicate that the incoming connection has been through SSL – the HttpsIndicatorHeader field. See the Web Container custom properties section in the WebSpehre Application Info Center for detailed information on this field. Page 42 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 WebSphere Portal has a built-in functionality to avoid such a malicious execution of action URLs. Each action URL is valid for one user only; namely, for the one who requested the page on which the link is rendered. This is achieved by calculating specific hash values that are encoded into the URL when the URL is created, and validated when URLs are to be executed. If the validation fails, the action will not be executed. The hash value is based on both the action to be executed and the user ID of the executing user. 9 WSRP Security WebSphere Portal lets a portal consume portlets from remote Producer portals as Web services which are based on the Web Services for Remote Portlets (WSRP) protocol [17]. These remote portlets can be used like local portlets with some restrictions. This section describes several security aspects that are important when using WSRP. 9.1 Securing connections to remote portlets In the default mode, WSRP connections are not secured, and there is no reliable user identity propagated from the Consumer portal to the Producer portal. Therefore, the portlet cannot rely on having a user object with correct user information and/or credentials. Propagated user meta data can be used to establish a personalized user experience (for example, to display weather information based on the ZIP code in the user profile). However, this information should be considered little more than a "hint" at the user's real identity and not an authenticated user identity. WebSphere Portal's support for WSRP permits propagating authenticated user identity by leveraging the Web Services Security runtime available in WebSphere Application Server. WSRP connections can also leverage SSL to establish confidential communication channels and to prevent man-in-the-middle attacks. 9.1.1 Securing WSRP services on the Web Service layer 9.1.1.1 WS-Security WSRP is a Web Services standard on the top of the Web Services stack, whereas security aspects are handled by lower layers, defined by the Web Services Security (WS-Security) specification [18]. WS-Security is an OASIS standard that forms the base for securing Web Services at the message level. It provides a general-purpose mechanism for associating security tokens with messages; it does not require any specific type of security token. The WebSphere Portal WSRP implementation on both the Producer and Consumer sides runs in the JSR 109 compliant Web container of WebSphere Application Server. It relies on the WSSecurity support available in the WebSphere Application Server Web Services runtime, including the corresponding extension points, to establish the security context. WebSphere Portal always bases reliable user identification (that is, the user identity that is used for access control enforcement) on the security context established and managed by WebSphere. For this, a variety of tokens are supported by WebSphere Application Server, including the LTPA token. In addition, you can use extension points to integrate custom token formats. Because WebSphere Portal WSRP is based on the WS-Security runtime of WebSphere Application Server, future extensions to the WS-Security support in WebSphere Application Server will automatically be available to WSRP as well. See the WebSphere Application Server Information Center [19] for more details on the WSSecurity support. There is a limitation regarding the compatibility of WS-Security support in WSRP when using both WebSphere Portal Version 5.x and Version 6.x in a mixed environment. The limitation relates to the fact that assembly tools (which you use to import the portal EAR file in order to perform the WSSecurity configuration for WSRP) generate different WS-Security extensions and binding configuration files based on the J2EE version. Because WebSphere Portal 5.x is a J2EE 1.3 application, the assembly tools create configuration files using WS-Security 1.0 draft 13. However, WebSphere Portal version 6.x is a J2EE 1.4 application, so the files are created using the final WS-Security 1.0 standard. After the configuration files are created, the corresponding Page 43 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 format is used independently of the WebSphere Application Server version on which the portals run. Therefore, using WebSphere Portal V5.x and V6.x as mixed Producer and Consumer portals will fail because the message formats are incompatible. There are two potential solutions to overcome this limitation: 1. You could migrate the 5.x portal EAR to J2EE 1.4, and generate the configuration files again. Copying the J2EE 1.4 configuration from a 6.x portal configuration will not work. 2. Or, you could manually copy the J2EE 1.3 configuration files to a 6.x portal (this solution has been successfully tested). However, this solution implies that generally WS-Security 1.0 draft 13 messages are used in the environment. Important: These are only possible solutions to work around the problem, and they are not officially supported by IBM. Therefore, the recommendation is to use the same version of WebSphere Portal for both the Producer and Consumer side. 9.1.1.2 Using the LTPA token for user identity propagation When using the LTPA token for single-sign-on in your environment, a common setup is to propagate the LTPA token also on the Web Service message level, allowing the Producer to assert the user identity. Such a setup requires that both the Producer and the Consumer portal share the same user registry and single-sign-on realm (that is, they use the same LTPA keys for token encryption). The LTPA token containing the user id is wrapped inside the SOAP header of each WSRP request. The token is extracted from the SOAP request at the Producer portal, and the corresponding security context is created. The resulting request processing on the Producer runs under the same user identity as the initial request on the Consumer portal. Figure 23 depicts the LTPA token-based user identity propagation mechanism. Figure 23: WSRP LTPA token- based user identity propagation Page 44 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 9.1.1.3 Using different WS-Security configurations for Producers Beginning with WebSphere Portal V.0, the Consumer portal can specify different WS-Security configurations for different Producers, enabling the Consumer portal to communicate securely with a set of Producers, each requiring a distinct security setup. This is done by creating the necessary Web Service security configuration files with an assembly tool and associating them to a representation of a particular Producer on the Consumer portal. To simplify this manual process, you could define several security configuration templates and then associate them to particular Producers. 9.1.2 Securing WSRP services on the transport layer In addition to securing WSRP services on the Web Service layer, you can use SSL to provide message-level integrity, confidentiality, and mutual authentication by client certificates. To provide message-level integrity and confidentiality, you can configure the connections from Producers to Consumers to be secured by SSL. You configure the WSRP Web Services in the WebSphere Portal EAR file for SSL using the WebSphere Application Server Administrative Console. Additionally, you can use SSL for client certificate based authentication from Consumer to Producer. This can be used alone or combined with the previously described WS-Security identity propagation. If you use SSL for client certificate based authentication alone, you can provide limited user identity propagation based on the client certificate installed at the WSRP Consumer. In such a setup, Consumer and Producer portals can each have different user registries. However, you must define either a shared user ID or a corresponding certificate mapping for the mutually authenticated SSL connection. The user ID representing the Consumer portal is pulled from the client certificate installed at the Consumer portal and sent with all WSRP requests, independent of the identity of the user that was authenticated against the Consumer portal. Therefore, this user ID is shared by all users of the client portal when connecting to a Producer portal. In this configuration, personalization information for the end user identity is added to the SOAP request as meta-data. As mentioned at the beginning of this section, this personalization information is not reliable information from a security point of view. So the Producer portlet should only use this identity for displaying personalized data; all access control decisions on the Producer portal are made based on the reliable shared user identity coming from the Consumer certificate. When using both SSL client certificate and WS-Security for identity propagation, the SSL mutual authentication is done first to establish trust in the caller. Only if the client certificate is verified correctly, is the request forwarded to the Web Service Engine that establishes a security context based on the WS-Security token. The WS-Security identity information then supersedes the one from the client certificate, which means the user identity on the Producer will be taken from the SOAP security header and not from the SSL client certificate. 9.2 Enforcing access control with WSRP security Access control for WSRP connections can be enforced at both the Producer and Consumer sides. On the Consumer, the registration of WSRP Producers and the integration of portlets from the Producer side are controlled by Portal Access Control. On the Producer, the enforcement of the access control decision can be enabled or suppressed by setting the configuration property, wsrp.security.enabled, in the properties of the Portal Configuration Service. • If wsrp.security.enabled is set to true, then all access control decisions in the producing portal are based on the authenticated principal. Page 45 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 • If wsrp.security.enabled is set to false, then the producing portal does not enforce any access control on incoming client portal WSRP requests. All access control decisions are based exclusively on the security context established by WebSphere Application Server. When using identity propagation with WS-Security, the user authenticated on the client portal is taken for access control checks. If no identity propagation is configured, but SSL client certificate authentication is enabled, then the ID of the certificate is used for all access control checks. If none of the previously mentioned authentication methods is used, then the request is treated as un-authenticated, taking the anonymous Portal user for access control checks. 9.3 WSRP security and the Credential Vault WSRP portlets running in a Consumer portal can make use of the Credential Vault without restrictions, if identity propagation is being used. They can access both system-managed slots and any user-managed slot for the respective user ID. The credentials are stored in the Credential Vault located at the Producer portal, in this case. If there is no identity propagation and there is only a shared user ID based on the Consumer portal SSL client certificate, then the Credential Vault access is limited; only system-managed slots can be used. User-managed slots in the user segment must not be used because the end user identity is not available and is mapped to the shared user identity of the client portal. 9.4 WSRP and Cross Site Scripting Putting a WSRP-provided portlet on a portal page results in the markup produced by the remote portlet being added to the markup of the local page. As a result, if this markup contains active content, it can access the markup provided by other (local) portlets on that page and other browser properties such as cookies. In other words, importing a malicious portlet using WSRP can result in this portlet stealing document cookies and other information rendered by other portlets on the consumer side. Therefore, only trusted portlets must be integrated into a portal to prevent this kind of information leakage at the consumer side. 10 Summary WebSphere Portal offers state-of-the-art protection through industry standard security protocols and crypto algorithms. A single sign-on concept for the portal front-end and for back-end applications provides a superior user experience. WebSphere Portal can be flexibly integrated with existing corporate user directories and with products for authentication, authorization, and administration. In addition to password-based authentication, stronger methods such as X.509 certificates or one-time passwords (with WebSEAL) are supported. Secure communication can be used wherever the transmitted information is sensitive. Page 46 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 11 Resources 12 About the authors Dr. Dieter Buehler, WebSphere Portal Security Architect, joined IBM in 2002 and has worked in the WebSphere Portal development team since the WebSphere Portal 4.1 release. Prior to IBM, Dieter worked three years in research at the University of Tuebingen in Germany exploring concepts and technologies for integrating industrial automation systems into web-based portal solutions. Beyond the core WebSphere Portal security architecture, Dieter is especially interested in Java-based client-server system design and information retrieval concepts. You can reach Dr. Buehler at [email protected]. Stefan Schmitt joined IBM in 2000 and has worked in the WebSphere Portal development team since the WebSphere Portal 1.0 release. He leads the security team of IBM WebSphere Portal, works as the IBM WebSphere Portal Vulnerability contact and is responsible for the architecture and design of the user management functions available in IBM WebSphere Portal. Prior to his work at IBM, Stefan studied Information Technology at the University of Cooperative Education Stuttgart. Holger Waterstrat joined IBM in 2001 and worked in the pervasive computing development area. He joined the WebSphere Portal development team in the same year and is currently working in the security team. Holger received a Diploma of Computer Science from the Technical University of Berlin. Andreas Zehnpfenning received his Diploma of Computer Science from the University of Stuttgart. After completing his diploma thesis on speech synthesis at IBM’s voice team in 2005, he joined the WebSphere Portal security team. Jan-Paul Buchwald studied Computer Science at the Albert Einstein University of Ulm. With the experience gained in a WebSphere Portal Speed Team internship project in summer 2004, he joined the WebSphere Portal security team after finishing his studies in 2005. Richard Jacob joined the IBM WebSphere Portal development team in 2002. He is responsible for the WSRP architecture in WebSphere Portal and for the WSRP standardization and specification. He represents the IBM development team at the OASIS Web Services for Remote Portlets technical committee, where he is a core member. Prior to his work in the Portal team, Richard graduated from University of Stuttgart, Germany and received a Diploma of Computer Science in 2000. He worked for a German telecommunications company where he gained experience in networking, distributed systems, systems management and security. Page 47 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 Thomas Hurek is a software architect at the German IBM development lab. He has technical responsibility for fixpacks and Level 3 maintenance in the WebSphere Portal development team. You can contact Thomas at [email protected]. 13 Glossary Credential Vault Service Portlet service for accessing credentials. This service supports single sign-on. Credential Vault Portal component for storing credentials. Portlets access the credential vault through the credential service. CAI Collaborative Application Infrastructure DMZ De-Militarized Zone HTTPS HTTP over SSL IDS Intrusion Detection System, monitoring network and machines for break-ins IPSec Secure IP, the security functions of IP version 6 ported into IP version 4 JAAS Java Authentication and Authorization Service JCR Java Content Repository LTPA Lightweight Third Party Authentication MAC Message Authentication Code POS Protected Object Space, the set of objects protected by an access control system SSL Secure Sockets Layer SSO Single Sign-On TAI Trust Association Interceptor TLS Transport Layer Security, an IETF Standard version of SSL VPN Virtual Private Network 14 Product names Company Product Name Entrust GetAccess IBM Edge Server Tivoli Access Manager for e-business WebSEAL and Tivoli Access Manager Plugin for Edge Server WebSphere Portal WebSphere Application Server Microsoft IIS (Internet Information Server) Windows Netegrity SiteMinder and SiteMinder Web Agent Page 48 of 50 WebSphere Portal 6.0 Security, Version 6.0.0 RSA Cleartrust 15 Acknowledgements The authors would like to acknowledge the valuable information or feedback we received from our colleagues: Carol Jones, Don Jones, Jochen Burkhardt, Jeff Crume, Christian Karpp, Uwe Hansmann, Karl Bishop, Keys Botzum, Stephan Laertz, Andreas Seidel, and Ralph Klaassen. Trademarks • • • • DB2, IBM, Lotus, Tivoli, Rational, and WebSphere are trademarks or registered trademarks of IBM Corporation in the United States, other countries, or both. Windows and Windows NT are registered trademarks of Microsoft Corporation in the United States, other countries, or both. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, and service names can be trademarks or service marks of others. IBM copyright and trademark information: http://www.ibm.com/legal/copytrade.phtml Page 49 of 50 1 [] WebSphere Portal Family http://www.ibm.com/software/genservers/portal/ 2 [] IETF RFC 2401 http://www.ietf.org/rfc/rfc2401.txt 3 [] IETF RFC 2246 http://www.ietf.org/rfc/rfc2246.txt 4 [] Guidelines on Firewalls and Firewall Policy – Recommendations of the National Institute of Standards and Technology, by John Wack, Computer Security Division Information Technology Laboratory National Institute of Standards and Technology http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf 5 [] IBM WebSphere Application Server, Version 6 Security http://www.ibm.com/software/webservers/appserv/was/library/library60.html 6 [] WebSphere Application Server V6 Security Handbook Series, SG24-6316-00 http://www.redbooks.ibm.com/redbooks/pdfs/sg246316.pdf 7 [] JAAS Documentation and Specification http://java.sun.com/products/jaas/ 8 [] Tivoli Access Manager for e-Business http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/ 9 [] Advanced authentication in WebSphere Application Server http://www-128.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html 10 [] Exploiting the WebSphere Portal V5.1.0.1 programming model: Part 3: Integrating WebSphere Portal into your security environment and user management system http://www.ibm.com/developerworks/websphere/library/techarticles/0606_buehler/0606_buehler.html 11 [] Secure Socket Layer overview in the WebSphere Portal InfoCenter http://publib.boulder.ibm.com/infocenter/wpdoc/v6r0/topic/com.ibm.wp.ent.doc/wpf/ssloverview.html 12 [] WebSphere Portal 6.0 product documentation, including the InfoCenter http://www.ibm.com/developerworks/websphere/zones/portal/proddoc.html 13 [] Building composite applications and templates in WebSphere Portal V6 http://www.ibm.com/developerworks/websphere/library/techarticles/0608_stober/0608_stober.html 14 [] Enable the audit service in the WebSphere Portal InfoCenter http://publib.boulder.ibm.com/infocenter/wpdoc/v6r0/topic/com.ibm.wp.ent.doc/wpf/sec_audit.html 15 [] Java 2 Platform Security Architecture, by Li Gong http://java.sun.com/j2se/1.4.2/docs/guide/security/spec/security-spec.doc.html 16 [] Prevent a cross-site scripting attack http://www.ibm.com/developerworks/web/library/wa-secxss/?ca=dnt-55 17 [] Web Services for Remote Portlets Specification Version 1.0, by OASIS http://www.oasis-open.org/committees/download.php/3343/oasis-200304-wsrp-specification-1.0.pdf 18 [] Web Services Security: SOAP Message Security 1.0, by OASIS http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf 19 [] WebSphere Application Server zone, including access to the InfoCenter http://www.ibm.com/developerworks/websphere/zones/was/ [20] WebSphere Portal zone http://www.ibm.com/developerworks/websphere/zones/portal/