Saturday, April 28, 2007

SSO using Kerberos/AD

I guess way too many apps rely on SSO using Kerberos on Windows with AD.

Here is a link for my future reference:
How to single sign-on with Windows XP, JNDI and AD just like VB.NET and ADSI

Thursday, April 26, 2007

Tip 5: Encrypt the Keystore password in Tomcat server.xml

If you are using JBoss, then you can encrypt the keystore password as described here:
http://wiki.jboss.org/wiki/Wiki.jsp?page=EncryptKeystorePasswordInTomcatConnector

Wednesday, April 25, 2007

Internet Security

How secure is the Internet now?

The following quote by Charlie Kaufman sums it up:
Until a few years ago, you could connect to the Internet and be in contact with hundreds of millions of other nodes, without giving even a thought to security. The Internet in the ’90’s was like sex in the ’60’s. It was great while it lasted, but it was inherently unhealthy and was destined to end badly. I’m just really glad I didn’t miss out again this time. —Charlie Kaufman


I have picked up the quote from the presentation by Radia Perlman of Sun located at:
http://sec.ietf.org/ietfsectut0304a.ppt

Another important aspect of Internet security is where the responsibility for security lies in web usage.
* Should the users be blamed for falling prey to Phishing attempts?
* Should the browsers be blamed for not being smart enough to detect suspicious web sites?

Here is a workshop at the W3C where there are some position papers that talk about these aspects:
W3C Workshop on Transparency and Usability of Web Authentication

Tuesday, April 24, 2007

Tip 4: Ciphers for SSLv2 and SSLv3

If you want a list of the ciphers that pertain to either SSLv2 or SSLv3, you can use openssl as follows:


$>openssl ciphers -v -ssl3

DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export


$>openssl ciphers -v -ssl2
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
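Listing the ciphers is only half the job; the useful follow-up is to see which of them you would not want a server to negotiate. The script below is an added example (not from the original post or from OpenSSL) that parses the `openssl ciphers -v` output format shown above and flags the entries a reviewer would object to: export-grade key exchange, SSLv2, RC4/DES/RC2, encryption keys shorter than 128 bits, and MD5 MACs. The sample input embedded in the script is a constructed subset of the lines above.

```python
import re

# Constructed sample: a subset of the lines printed by "openssl ciphers -v".
SAMPLE_OUTPUT = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
"""

# Symmetric algorithms with known practical weaknesses.
WEAK_ALGORITHMS = {"RC4", "DES", "RC2"}


def parse_cipher_line(line):
    """Turn one 'openssl ciphers -v' line into a dict of its fields, or None."""
    fields = line.split()
    if len(fields) < 6:
        return None
    entry = {
        "name": fields[0],
        "protocol": fields[1],
        # A trailing bare "export" word marks export-grade suites.
        "export": "export" in fields[2:],
    }
    for field in fields[2:]:
        if "=" in field:
            key, value = field.split("=", 1)
            entry[key] = value
    # "Enc=AES(256)" -> algorithm "AES", 256 bits.
    match = re.match(r"([A-Za-z0-9]+)\((\d+)\)", entry.get("Enc", ""))
    entry["enc_alg"] = match.group(1) if match else entry.get("Enc", "")
    entry["enc_bits"] = int(match.group(2)) if match else 0
    return entry


def weaknesses(entry):
    """Return the list of reasons a parsed suite should not be enabled."""
    reasons = []
    if entry["export"]:
        reasons.append("export-grade key exchange")
    if entry["protocol"] == "SSLv2":
        reasons.append("SSLv2 protocol")
    if entry["enc_alg"] in WEAK_ALGORITHMS:
        reasons.append(f"{entry['enc_alg']} cipher")
    if entry["enc_bits"] < 128:
        reasons.append(f"only {entry['enc_bits']}-bit encryption")
    if entry.get("Mac") == "MD5":
        reasons.append("MD5 MAC")
    return reasons


def audit(output):
    """Map (suite name, protocol) -> list of weaknesses for every parsed line."""
    report = {}
    for line in output.splitlines():
        entry = parse_cipher_line(line)
        if entry:
            report[(entry["name"], entry["protocol"])] = weaknesses(entry)
    return report


if __name__ == "__main__":
    for (name, proto), reasons in audit(SAMPLE_OUTPUT).items():
        verdict = "; ".join(reasons) if reasons else "ok"
        print(f"{name:<24}{proto:<7}{verdict}")
```

Suites are keyed by name and protocol because the same name (RC4-MD5, for instance) appears in both the SSLv3 and SSLv2 lists with different protocol semantics. To run it against a live listing, replace `SAMPLE_OUTPUT` with the text read from standard input and pipe `openssl ciphers -v 'ALL'` into it.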

Thursday, April 19, 2007

Tip 3: Token based Perimeter Authentication

If you are faced with the challenge of integrating a third party security system with JBoss, then the following wiki may be useful to you:
Generic HeaderAuthenticator

In theory, an external system does the authentication and then passes the authorization request back to JBoss/Tomcat. The token is usually passed through a request header.
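The part that deserves care in such a setup is that the application must be able to tell a header written by the perimeter system from one written by whoever else can reach the application. The following added example (not code from the original post, the JBoss wiki, or the HeaderAuthenticator) shows one way to do that in Python: the perimeter issues a token carrying the user name, an expiry and an HMAC over both, and the application accepts the header only if the HMAC verifies under the shared secret and the token has not expired. The header name `X-Auth-Token` and the shared secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed for the example: the secret shared between the perimeter
# authenticator and the application, and the header the token travels in.
SHARED_SECRET = b"constructed-demo-secret-rotate-me"
HEADER_NAME = "X-Auth-Token"


def issue_token(username, ttl_seconds=300, now=None, secret=SHARED_SECRET):
    """Perimeter side: build base64(username|expiry|hmac_sha256_hex)."""
    current = int(now if now is not None else time.time())
    expiry = current + ttl_seconds
    payload = f"{username}|{expiry}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode()


def verify_token(token, now=None, secret=SHARED_SECRET):
    """Application side: return the user name, or None if the token is bad."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        username, expiry_text, tag = raw.rsplit("|", 2)
        expiry = int(expiry_text)
    except (ValueError, TypeError):
        # Malformed base64, wrong field count, non-numeric expiry: reject.
        return None
    payload = f"{username}|{expiry}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checks do not leak timing information.
    if not hmac.compare_digest(expected, tag):
        return None
    current = now if now is not None else time.time()
    if current >= expiry:
        return None
    return username


def authenticate_request(headers, now=None):
    """What a header authenticator would do: read the header, verify, return user."""
    token = headers.get(HEADER_NAME)
    if not token:
        return None
    return verify_token(token, now=now)


if __name__ == "__main__":
    token = issue_token("alice", ttl_seconds=60)
    print("valid header   ->", authenticate_request({HEADER_NAME: token}))
    print("forged header  ->", authenticate_request({HEADER_NAME: "alice"}))
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in production the perimeter and the application should simply agree on wall-clock time within the token lifetime. A bare user name in the header, which is what an unauthenticated client could write, fails the HMAC check and is rejected.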

Tip 2: Configure security domain for web/ejb

If you need to configure security domains for web applications (in jboss-web.xml) and EJB applications (in jboss.xml), it may be easier to package them together into a single EAR, provide a jboss-app.xml alongside application.xml, and specify the security domain there. This way, you do not need to configure the security domain in jboss-web.xml or jboss.xml.

Tip 1: If security does not work in JBoss Application Server

Do not panic. Most probably you have made a mistake in configuration. Read the FAQ here:
JBoss Security FAQ

Note Q.4 which shows you how to debug the security layer.

Monday, April 9, 2007

SAML and XACML are ITU-T Recommendations

This may be old news. SAML (X.1141) and XACML (X.1142) are recommendations of the ITU-T.

Friday, April 6, 2007

XACML Obligations

I have been mulling over the concept of Obligations in the XACML specification. Basically the PDP can send authorization results back to the PEP with a list of obligations that the PEP has to fulfill as part of the authorization request. If the PEP is unable to fulfill an obligation, then it should throw an error.

I thought that when a legitimate authorization request came to a PEP, the PEP would ask the PDP, get a "PERMIT" with some obligations, and, if it was unable to perform any obligation, flag an error and deny the access. I was WRONG. Anne Anderson from Sun corrected me on this. She basically told me that there is a semantic relationship between the PEP and the PAP, who decide on the semantics of obligations. So the PEP makes a best-effort attempt at an obligation. If it is not able to perform an obligation, that does not mean the access is denied.

UPDATE 1:
Let us think about situations where a PEP may refuse to perform any of the obligations. Let us take the example of logging. Security and performance do not always go together well. In a high-performance system, fine-grained authorization checks may be overkill. The administrators may have turned off logging at the PEP level. In this case, the PEP cannot meet an obligation that asks for logging.
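To make the two readings concrete, here is an added example (a simplified model written for this post, not the XACML specification's own data model or any PDP/PEP implementation) of a PEP that receives a Permit decision with obligations. Each obligation is handed to a handler; an obligation whose handler is missing or reports failure is recorded as unmet. By default the PEP behaves as described above: it grants access anyway. The `mandatory` set stands in for the PEP/PAP agreement the post mentions, listing the obligation ids that the two sides have decided must be discharged for access to be granted. The logging handler models the UPDATE 1 scenario where administrators have switched logging off.

```python
from dataclasses import dataclass, field


@dataclass
class Decision:
    """A PDP response: the result plus a list of (obligation id, arguments)."""
    result: str                       # "Permit" or "Deny"
    obligations: list = field(default_factory=list)


def make_log_handler(enabled, sink=None):
    """Return an obligation handler that writes to `sink` only when logging is on."""
    sink = [] if sink is None else sink

    def handler(args):
        if not enabled:
            return False              # cannot fulfil: logging is switched off
        sink.append(args.get("message", ""))
        return True

    handler.sink = sink
    return handler


class PEP:
    def __init__(self, handlers, mandatory=()):
        self.handlers = handlers              # obligation id -> callable(args) -> bool
        self.mandatory = set(mandatory)       # ids agreed with the PAP as non-negotiable

    def enforce(self, decision):
        """Return (access_granted, unmet_obligation_ids)."""
        if decision.result != "Permit":
            return False, []
        unmet = []
        for obligation_id, args in decision.obligations:
            handler = self.handlers.get(obligation_id)
            # Best effort: try the handler; a missing handler counts as unmet.
            if handler is None or not handler(args):
                unmet.append(obligation_id)
        # Deny only for unmet obligations the PEP/PAP agreement marks mandatory.
        if any(obligation_id in self.mandatory for obligation_id in unmet):
            return False, unmet
        return True, unmet


if __name__ == "__main__":
    permit = Decision("Permit", [("log", {"message": "alice read /report"})])
    lenient = PEP({"log": make_log_handler(enabled=False)})
    strict = PEP({"log": make_log_handler(enabled=False)}, mandatory={"log"})
    print("best-effort PEP, logging off:", lenient.enforce(permit))
    print("mandatory log, logging off:  ", strict.enforce(permit))
```

The unmet list is returned rather than discarded so that a PEP can still report which obligations were skipped, which is the information an auditor would want even when the agreed semantics say the access goes ahead.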