Improving Web Application Security by Using JA-SIG CAS

Scott Battaglia, Rutgers University
Adam Rybicki, Unicon, Inc.
Arlington, Virginia, May 5, 2008

© Copyright Unicon, Inc., 2006-2008. This work is the intellectual property of Unicon, Inc. Permission is granted for this material to be shared for non-commercial purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Unicon, Inc. To disseminate otherwise or to republish requires written permission from Unicon, Inc. Some slides drawn from prior presentations at JA-SIG conferences. http://creativecommons.org/licenses/by-nc/2.5/
Hi. I’m Adam. • V. P. of Technology at Unicon, Inc. • Previously CTO at Interactive Business Solutions, Inc. (IBS)
Hi. I’m Scott. • Application Developer/Architect @ Rutgers • Committer to various open source projects
What is JA-SIG?
• Java Architectures Special Interest Group
• Founded in 1999 to foster collaboration among HE institutions and companies around Java applications for the enterprise
• Regular conferences
• Membership-funded
• Open source projects
  – uPortal
    • Initially funded by the Andrew W. Mellon Foundation
    • Named in 2003 in InfoWorld's top 100 IT projects
    • 2007 Educause Catalyst award winner
  – CAS
    • Initially developed in 1999 at Yale University
    • Became a JA-SIG project in 2004
What is CAS?
• CAS is enterprise single-sign-on for the web.
  – Free
  – Open source
  – Server implemented in Java
  – Clients implemented in a plethora of languages
  – www.ja-sig.org/products/cas/
Some of the people involved as the project has evolved • Shawn Bayern • Susan Bramhall • Marc-Antoine Garrigue • Howard Gilbert • Dmitriy Kopylenko • Arnaud Lesueur • Drew Mazurek • Andrew Petro • Jan Van der Velpen (Velpi)
Many CAS deployers
• Appian Corporation
• La Voz de Galicia, Spain
• Athabasca University
• Memorial University of Newfoundland
• Azusa Pacific University
• Nagoya University
• BCcampus
• NHMCCD
• California Polytechnic Institute
• Northern Arizona University
• California State University, Chico
• Campus Crusade for Christ
• Plymouth State University (used with SunGard HE Luminis)
• Case Western Reserve University
• Roskilde University
• Columbia
• Employers Direct
• Rutgers, The State University of New Jersey
• GET-INT
• SunGard HE Luminis
• Hong Kong University of Science and Technology
• Simon Fraser University (Vancouver, B.C.)
• Indiana
• Suffield Academy
• Karlstad University, Sweden
• Tollpost Globe AS
… and more
• Universita degli Studi di Parma
• University of Crete, Greece
• Universite de Bourgogne, France
• University of Delaware
• Universite de La Rochelle, France
• University of Geneva
• Universite de Pau et des Pays de l'Adour, France
• University of Hawaii
• University of New Mexico
• University of Nancy 1, France
• University of Rennes 1
• Universite Nancy 2, France
• University of Technology, Sydney
• Universite Pantheon Sorbonne
• Uppsala University
• Universiteit van Amsterdam
• Valtech
• University of Bristol, England
• Virginia Tech
• University of California Merced
• Yale University
• University of California, Riverside
• And likely more not well-enumerated…
CAS and Commercial • CAS is embedded in at least two commercial products • CAS support is baked into at least one hardware platform (a wireless Internet vending appliance) • Commercial entities use CAS as their SSO
Multi-sign-on for the Web
At least with one username/password? (Diagram: every web application has its own login form and checks the password against LDAP.)
All applications touch passwords (Diagram: each application handles the primary credential before it reaches LDAP.)
Any compromise leaks primary credentials (Diagram: one compromised application exposes the LDAP password.)
Adversary then can run wild (Diagram: the leaked LDAP password works at every other application.)
What to do about this? • What if there were only one login form, only one application trusted to touch primary credentials?
Delete your login forms.
CAS in a nutshell (Diagram: the Browser authenticates once, with the password, to CAS; the Browser authenticates to the Web application without sending the password; the Web application determines the validity of the user's claimed authentication by asking CAS.)
How CAS works (Diagram: the Web browser logs in to CAS with a NetID and receives a TGC, the ticket-granting cookie; the browser then presents a service ticket ST for service S to the Web application; the Web application validates S and ST with CAS.)
Webapps no longer touch passwords (Diagram: only CAS talks to LDAP.)
Adversary compromises only single apps (Diagram: a compromised application holds no LDAP password; CAS remains the sole holder.)
What about portals? Need to go get interesting content from different systems.
Password replay (Diagram: the Portal and each of its Channels pass the user's password (PW) along to every password-protected service they call.)
Look ma, no password! • Without a password to replay, how am I going to authenticate my portal to other applications?
CAS 2.0: Proxy CAS (Diagram: the Web browser logs in to CAS with a NetID and holds a TGC; the browser presents S and ST to the Web application; the Web application validates S and ST with CAS and supplies a PGTURL; CAS calls the Web application's https listener at the PGTURL with a PGTIOU and the PGT, and returns the same PGTIOU in the validation response.)
CAS 2.0: Proxy CAS (Diagram: the Web application presents its PGT and the back-end service S to CAS and receives a PT; it sends the PT to the Back-end application; the Back-end application validates PT and S with CAS; Data flows back to the Web application.)
Proxiable credentials illustrated (Diagram: the web resource labelled IMP has its ST validated by CAS and receives a PGT, then exchanges the PGT for a PT to the IMAP server; the IMAP server's CAS PAM module validates the PT with CAS, which returns the username and the identity of the web resource that proxied.)
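The basic flow (NetID and TGC at CAS, ST to the application, validation by the application) and the proxy flow (PGTURL, PGTIOU/PGT callback, PT to the back-end) condensed into one runnable toy model. This is an added example, not CAS's own code or client library; the ticket names are the protocol's, while the DIRECTORY credential store, the service URLs, the ten-second ST lifetime and the in-process callback standing in for the PGTURL https listener are constructed for the example. The checks a validating service relies on are the point: a ticket is bound to the service it was minted for, validates exactly once, and expires.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed credential store standing in for LDAP. Only CAS ever reads it;
# no web application in this model ever sees a password.
DIRECTORY = {"alice": "correct horse"}
ST_LIFETIME = 10.0   # seconds; constructed value, real deployments are similarly short


@dataclass
class Ticket:
    user: str
    service: str
    issued: float
    proxies: list          # proxy chain; empty for a plain ST
    consumed: bool = False


class CasServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # TGC -> user (the browser's SSO session)
        self.tickets = {}    # ST or PT id -> Ticket
        self.pgts = {}       # PGT -> (user, proxy chain)

    def login(self, user, password):
        """The only login form: primary credentials stop here; browser gets a TGC."""
        if DIRECTORY.get(user) != password:
            raise PermissionError("bad credentials")
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.sessions[tgc] = user
        return tgc

    def _issue(self, prefix, user, service, proxies):
        tid = prefix + secrets.token_urlsafe(16)
        self.tickets[tid] = Ticket(user, service, self.clock(), list(proxies))
        return tid

    def service_ticket(self, tgc, service):
        """Browser presents its TGC; CAS mints an ST bound to the target service."""
        user = self.sessions.get(tgc)
        if user is None:
            raise PermissionError("no SSO session")
        return self._issue("ST-", user, service, [])

    def validate(self, ticket_id, service, pgt_url=None, deliver_pgt=None):
        """Service presents the ticket it received; None means reject.
        With pgt_url, CAS also mints a PGT, pushes (PGTIOU, PGT) to the
        service's https listener (deliver_pgt) and returns the PGTIOU."""
        t = self.tickets.pop(ticket_id, None)        # pop: a ticket validates once
        if t is None or t.service != service:        # unknown, replayed, or wrong service
            return None
        if self.clock() - t.issued > ST_LIFETIME:    # expired
            return None
        reply = {"user": t.user, "proxies": t.proxies}
        if pgt_url is not None:
            pgt = "PGT-" + secrets.token_urlsafe(16)
            iou = "PGTIOU-" + secrets.token_urlsafe(16)
            self.pgts[pgt] = (t.user, [pgt_url] + t.proxies)
            deliver_pgt(iou, pgt)                    # out-of-band callback to the PGTURL
            reply["pgtiou"] = iou
        return reply

    def proxy_ticket(self, pgt, target):
        """Web app trades its PGT for a PT usable at exactly one back-end service."""
        user, chain = self.pgts[pgt]
        return self._issue("PT-", user, target, chain)


def run_flow():
    """Walk the whole exchange from the slides and return what each party observed."""
    cas = CasServer()
    portal, mail = "https://portal.example/login", "https://imp.example/mail"  # constructed
    listener = {}                                   # the portal's https listener state
    tgc = cas.login("alice", "correct horse")       # one login form, once
    st = cas.service_ticket(tgc, portal)            # browser carries ST to the portal
    resp = cas.validate(st, portal, pgt_url=portal + "/pgtCallback",
                        deliver_pgt=lambda iou, pgt: listener.__setitem__(iou, pgt))
    pgt = listener[resp["pgtiou"]]                  # match the IOU to the delivered PGT
    pt = cas.proxy_ticket(pgt, mail)                # portal obtains a PT for the mail back-end
    mail_view = cas.validate(pt, mail)              # mail back-end validates the PT
    return {
        "user": resp["user"],
        "replay": cas.validate(st, portal),         # second use of the same ST: rejected
        "wrong_service": cas.validate(cas.service_ticket(tgc, portal), mail),
        "proxy_user": mail_view["user"],
        "proxy_chain": mail_view["proxies"],        # who proxied on the user's behalf
    }


def expired_ticket_rejected():
    """An ST older than ST_LIFETIME fails validation even if otherwise correct."""
    now = [1000.0]
    cas = CasServer(clock=lambda: now[0])
    tgc = cas.login("alice", "correct horse")
    st = cas.service_ticket(tgc, "https://app.example/")
    now[0] += ST_LIFETIME + 1
    return cas.validate(st, "https://app.example/") is None


if __name__ == "__main__":
    print(run_flow())
    print("expired ST rejected:", expired_ticket_rejected())
```

The proxy chain returned to the mail back-end is what lets it decide whether it trusts the portal that proxied, which is the "identity of web resource" shown on the PAM-module slide.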
Provided authentication handlers
• LDAP
  – Fast bind
  – Search and bind
• Active Directory
  – LDAP
  – Kerberos (JAAS)
• JAAS
• JDBC
• RADIUS
• SPNEGO
• Trusted
• X.509 certificates
• Writing a custom authentication handler is easy
Today CAS is not only for authentication
• Return attributes of logged on users
• Adding support for standards
  – OpenID
  – SAML
• Single Sign-Out
• Support for clustering
  – Implements distributed ticket registry
  – Requires session replication
  – Must guarantee cross-server ticket uniqueness
• Services management (white listing)
• Remember me
Short Term Goals
• RESTful API
• Service Registration Page
• Service Priority
• InfoCard Support
• LDAP implementation of Service Registry
• Auditing, Logging etc.
• More Internationalization
• Bug Fixes, etc.!
Long Term Goals
• Re-architecture to support emerging use cases
  – Account Management integration
  – Password Expiration Policies/Password Change Integration
  – SAML, OAuth, OpenID 2, etc.
  – Levels of Assurance / Multifactor authentication / second level
• Better online/realtime administration
  – Installer/configurer
  – Information about CAS server (open SSO sessions, etc.)
• Hardening/Anti-phishing
Questions?
Scott Battaglia, scott_battaglia@rutgers.edu, eas.rutgers.edu
Adam Rybicki, arybicki@unicon.net, www.unicon.net