TRANSCRIPT
©2004 BLACKBOARD, INC. ALL RIGHTS RESERVED.
Security and Authentication
Friday, April 21, 2023

Legal Information
Any statements in this presentation about future expectations, plans and prospects for the Company, including statements about the Company, the Building Blocks Program and other statements containing the words “believes,” “anticipates,” “plans,” “expects,” “will,” and similar expressions, constitute forward-looking statements within the meaning of The Private Securities Litigation Reform Act of 1995. Actual results may differ materially from those indicated by such forward-looking statements as a result of various important factors, including: product development, and other factors discussed in our Registration Statement filed on Form S-1 with the SEC. In addition, the forward-looking statements included in this press release represent the Company’s views as of July 26, 2004. The Company anticipates that subsequent events and developments will cause the Company’s views to change. However, while the Company may elect to update these forward-looking statements at some point in the future, the Company specifically disclaims any obligation to do so. These forward-looking statements should not be relied upon as representing the Company’s views as of any date subsequent to July 26, 2004.

Security – High Level View
Authentication: Who is using the system?
Authorization: Can that user do what they’re trying to do?
Privacy: Is the users’ data kept private?
Integrity: Has the data been tampered with?
Can the code do what it is trying to do?

Topics for Extension Developers
Common security tasks: authentication, authorization
Declaring permissions: often a trial-and-error iteration… add a permission, get stopped by another one

Overview – Java Security
All part of JDK 1.4:
JSSE – Java Secure Sockets Extension: SSL support, etc.; TLS, RFC-2246
JCE – Java Cryptography Extensions: pluggable crypto provider framework
Java GSS-API: Java bindings for the Generic Security Services API (RFC-2853)
CertPath API: API for examining certificate chains

Overview – Java Security
JAAS – Java Authentication and Authorization Service: pluggable authentication; authorization for code and principals
Code security model: who can do what; what code can do what

Language Features
Type safety: compile-time and run-time
Byte code verification: well-formed class files; no illegal sequences – e.g., check for stack underflow, etc.

Authentication for Extensions
Simple, let the platform worry about it…
    // Imports added for completeness (Building Blocks API packages):
    import blackboard.platform.BbServiceManager;
    import blackboard.platform.security.AccessManagerService;
    import blackboard.platform.session.BbSession;
    import blackboard.platform.session.BbSessionManagerService;

    // Resolve the platform services: the session manager has a dedicated accessor,
    // the access manager is looked up by its interface.
    BbSessionManagerService sessionService = BbServiceManager.getSessionManagerService();
    BbSession bbSession = sessionService.getSession( request );
    AccessManagerService accessManager =
        (AccessManagerService) BbServiceManager.lookupService( AccessManagerService.class );

    // Not logged in: hand off to the configured authentication provider and stop processing.
    if ( ! bbSession.isAuthenticated() ) {
        accessManager.sendLoginRedirect( request, response );
        return;
    }

Authentication for Extensions
Access Manager coordinates with authentication providers to do the right thing
Default providers: RDBMS, LDAP, Web Server
Custom providers

Authorization in Blackboard
Role-based assignment: system role attached to the user object; course role attached to the enrollment record
Privileges attached to roles (editable)
Check relies on the union of all relevant entitlements
Class diagram (recovered from the slide): User has one SystemRole; Membership (the enrollment record) has one CourseRole; SystemRole and CourseRole each carry many Entitlements.

Customizing Privileges

It All Comes Back To…
Context! You have the user, and thus the system role…
You have the course, and thus the course role…
Access control works against the full entitlements mask

Authorization for Extensions
Authorization: role-based checks – deprecated…
Entitlement-based checks – not finalized…
PlugInUtil.authorizeForXXX(): authorizeForCourseControlPanel(), authorizeForSystemAdminPanel(), authorizeForCourse(), authorizeForContent()

Code Security Framework
Leverage security inherent in the Java 2 Standard Edition framework
Enforce certain API restrictions
Enforce API usage disclosure: manifest must declare required permissions

Code Security – Historical
“Sandbox” model – JDK 1.0: applets just couldn’t do certain things; hard to manage/understand
“Trusted” model – JDK 1.1: permissions assignable to trusted code; code (applets) could be signed
“Domain” model – JDK 1.2: policy; domains

Basic Class Hierarchy
(UML diagram on the slide; the classes, methods and relationships recoverable from it are listed here)
Permission (abstract): implies(), getName(), getActions()
  BasicPermission, AllPermission, PersistPermission: subclasses of Permission
PermissionCollection (abstract): add(), implies(), elements()
  Permissions: concrete collection; contains 0..* Permission
SecurityManager: checkPermission(); “checks” association to CodeSource
Class: getProtectionDomain(); has 1 ProtectionDomain
ProtectionDomain: getCodeSource(), getPermissions(); has 1 CodeSource and 1 PermissionCollection
CodeSource: getCertificates(), implies( CodeSource )
Principal: getName(); 0..* Principals

Permission Class
Permission: abstract base class for all permissions
All Permission objects define a name and actions
Relationships can be created via implies( Permission )
BasicPermission: concrete base class for most permissions

Classes
Security information available through the Class object: Object.getClass()
ProtectionDomain: encapsulates information about the class’s physical source and associated permissions; Class.getProtectionDomain()

Classes
PermissionCollection: ProtectionDomain.getPermissions(); list of permissions – PermissionCollection.implies( Permission )
CodeSource: ProtectionDomain.getCodeSource(); physical location of the class (URL) – hierarchical: CodeSource.implies( CodeSource ); certificates
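The Permission Class and Classes slides describe implies( Permission ) and PermissionCollection.implies( Permission ) abstractly. The following is an added example, not code from the slides or from Blackboard: a hypothetical DataObjectPermission written in the style the later PersistPermission slide describes (name = the data object, actions drawn from read,create,modify,delete; "*" as a wildcard name is this example's own convention). It shows what a Permission subclass must implement for the stack walk to work, and how a java.security.Permissions collection delegates to each entry's implies(). The grants and requests in main() are constructed for the demo.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

/** Hypothetical named-resource permission (example code, not Blackboard's PersistPermission). */
public final class DataObjectPermission extends Permission {
    private static final String[] ACTIONS = { "read", "create", "modify", "delete" };
    private final int mask;   // one bit per action, in ACTIONS order

    public DataObjectPermission(String name, String actions) {
        super(name);
        if (name == null || name.length() == 0) {
            throw new IllegalArgumentException("name required");
        }
        this.mask = parse(actions);
    }

    /** Rejects unknown actions instead of silently ignoring them. */
    private static int parse(String actions) {
        int m = 0;
        if (actions == null) return 0;
        for (String a : actions.split(",")) {
            String t = a.trim().toLowerCase();
            if (t.length() == 0) continue;
            int bit = -1;
            for (int i = 0; i < ACTIONS.length; i++) if (ACTIONS[i].equals(t)) bit = i;
            if (bit < 0) throw new IllegalArgumentException("unknown action: " + t);
            m |= 1 << bit;
        }
        return m;
    }

    /** Granted name must equal the requested name (or be the wildcard "*") and cover every requested action. */
    @Override public boolean implies(Permission p) {
        if (!(p instanceof DataObjectPermission)) return false;
        DataObjectPermission that = (DataObjectPermission) p;
        boolean nameOk = "*".equals(getName()) || getName().equals(that.getName());
        return nameOk && (this.mask & that.mask) == that.mask;
    }

    @Override public String getActions() {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < ACTIONS.length; i++) {
            if ((mask & (1 << i)) != 0) {
                if (sb.length() > 0) sb.append(',');
                sb.append(ACTIONS[i]);
            }
        }
        return sb.toString();
    }

    // equals/hashCode are abstract in Permission and are used by the collection's lookup map.
    @Override public boolean equals(Object o) {
        return o instanceof DataObjectPermission
            && ((DataObjectPermission) o).getName().equals(getName())
            && ((DataObjectPermission) o).mask == mask;
    }
    @Override public int hashCode() { return getName().hashCode() * 31 + mask; }

    /** Builds the collection a policy would attach to a code source, then checks requests against it. */
    public static void main(String[] args) {
        PermissionCollection granted = new Permissions();   // heterogeneous collection, delegates to each entry's implies()
        granted.add(new DataObjectPermission("Content", "create,modify,delete"));
        granted.add(new DataObjectPermission("User", "read"));
        granted.add(new DataObjectPermission("*", "read"));   // constructed grant: read on every data object

        Permission[] requests = {
            new DataObjectPermission("Content", "modify"),  // true: subset of the Content grant
            new DataObjectPermission("Content", "read"),    // true: via the "*" read grant
            new DataObjectPermission("User", "delete"),     // false: only read was granted on User
            new DataObjectPermission("Course", "read"),     // true: via the "*" read grant
            new DataObjectPermission("Course", "delete"),   // false: no grant covers it
        };
        for (Permission req : requests) {
            System.out.println(req.getName() + " " + req.getActions() + " -> " + granted.implies(req));
        }
    }
}
```

The asymmetry matters for review: implies() is evaluated on the granted object with the requested object as argument, so a too-generous grant (here the wildcard name) silently widens what every request passes.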

Security Checks
SecurityManager.checkPermission( Permission ): other checkXXX() methods ultimately delegate to this method
This method, in fact, delegates to AccessControlManager
For each frame in the call stack: get the code source; get the permissions for the code source; is the requested permission implied by the permissions collection?
SecurityException thrown if the check fails

Checking Permissions
    // Guarded because the permission field may be unset; note that System.getSecurityManager()
    // itself returns null when no SecurityManager is installed.
    if ( _modifyPermission != null ) {
        System.getSecurityManager().checkPermission( _modifyPermission );
    }

Privileged Blocks
Short-circuit stack walk: if the current frame has permission, allow access
Allows trusted code to perform actions that may not be granted to the caller – e.g., untrusted code may not have network permission, but the database driver does

Examples
We do not allow System Extensions to get raw database connections
Our own code, which may be called by a System Extension, needs to get a database connection
Solution: privileged block – code executing with more privileges can accomplish what it needs to

Example
    // Wraps the query execution so it can run inside AccessController.doPrivileged()
    private class DbConnectivityPrivilege implements PrivilegedExceptionAction {
        private Query _query;
        private Connection _con;

        private DbConnectivityPrivilege( Query query, Connection con ) {
            _query = query;
            _con = con;
        }

        // Runs with the privileges of the enclosing (platform) code, not the caller's
        public Object run() throws Exception {
            _query.executeQuery( _con );
            return null;
        }
    }

Example
    try {
        AccessController.doPrivileged( new DbConnectivityPrivilege( query, con ) );
    } catch ( PrivilegedActionException pae ) {
        // doPrivileged wraps any checked exception thrown by run(); unwrap it here
        castException( pae );
    }
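The two Example slides show the privileged action and its invocation separately. The following is an added example, not Blackboard's NewBaseDbLoader or any other platform code: the same pattern in the generic PrivilegedExceptionAction<T> form (Java 5+) of the raw-typed JDK 1.4 code above, with the two points a reviewer looks for made explicit. The loader checks the caller's own (narrower) permission on the full stack before raising privilege, so an extension cannot use the trusted method to reach data it was never granted, and the privileged block covers only the connection handling. ConnectionManager and Query are stand-ins defined here, the stub in main() hands out no real JDBC connection, and the RuntimePermission passed to loadWithPrivilege() is a placeholder for the persist permission a real loader would check.

```java
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.SQLException;

/** Hypothetical platform-side loader callable from extension code that holds no database permission. */
public final class PrivilegedLoaderExample {

    /** Stand-in for the platform's connection manager; a real one performs the
     *  SecurityManager.checkPermission that the extension's frame would fail. */
    public interface ConnectionManager {
        Connection getConnection() throws SQLException;
        void releaseConnection(Connection con);
    }

    /** Stand-in for the platform's Query abstraction. */
    public interface Query {
        Object execute(Connection con) throws SQLException;
    }

    private final ConnectionManager manager;

    public PrivilegedLoaderExample(ConnectionManager manager) {
        this.manager = manager;
    }

    /**
     * Runs one query with elevated privilege.
     * @param required permission the CALLER must hold (e.g. a persist "read" on the data object);
     *                 checked on the full stack BEFORE privilege is raised.
     */
    public Object loadWithPrivilege(Permission required, final Query query) throws SQLException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(required);   // walks every frame, including the extension's
        }
        try {
            // Only the connection handling is privileged; keep this block as small as possible.
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                public Object run() throws SQLException {
                    Connection con = manager.getConnection();
                    try {
                        return query.execute(con);
                    } finally {
                        manager.releaseConnection(con);   // released even when the query fails
                    }
                }
            });
        } catch (PrivilegedActionException pae) {
            // doPrivileged wraps the checked exception thrown by run(); unwrap to the declared type.
            Throwable cause = pae.getException();
            if (cause instanceof SQLException) {
                throw (SQLException) cause;
            }
            throw new IllegalStateException("unexpected failure in privileged action", cause);
        }
    }

    /** Stand-alone demo with a constructed manager that only counts check-outs. */
    public static void main(String[] args) throws SQLException {
        final int[] open = { 0 };
        ConnectionManager stub = new ConnectionManager() {
            public Connection getConnection() { open[0]++; return null; }   // constructed stand-in, no JDBC driver
            public void releaseConnection(Connection con) { open[0]--; }
        };
        PrivilegedLoaderExample loader = new PrivilegedLoaderExample(stub);
        Object result = loader.loadWithPrivilege(
            new RuntimePermission("exampleLoad"),   // placeholder for the caller's persist permission
            new Query() { public Object execute(Connection con) { return "3 rows"; } });
        System.out.println(result + ", connections still open: " + open[0]);   // "3 rows, connections still open: 0"
    }
}
```

Run as-is (no SecurityManager) the pre-check is skipped and the output is as noted in the comment; under -Djava.security.manager with a policy that grants the placeholder permission to the loader's code source but not to the caller's, the pre-check is where an extension's request is refused, before any privileged frame exists.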

Example
Call sequence (first call at the top) and the stack walk it triggers:
  ExtensionServlet.service()
  ExtensionClass.foo()
  AnnouncementDbLoaderImpl.loadById()
  NewBaseDbLoader.loadObject()
  DbConnectivityPrivilege.run()        – terminates the stack walk (privileged frame)
  Query.executeQuery()
  ConnectionManager.getConnection()
  SecurityManager.checkPermission()    – initiates the stack walk

Policies
Policies define the permissions associated with code bases
Default implementation uses a policy file
Grant/deny permissions to code bases
Grant/deny permissions to Subjects (person or service) – new in JDK 1.4 with the addition of JAAS

Example Policy File Entries (tomcat.policy)
    // Tomcat gets all permissions
    grant codeBase "file:${tomcat.home}${/}lib${/}-" {
        permission java.security.AllPermission;
    };

    // Everything else gets only these two read-only property permissions
    grant {
        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
    };

Activating Security
Run-time properties on the command line: -Djava.security.manager, -Djava.security.policy
java.security – configuration file for setting security providers
policy.provider – class that is responsible for implementing the policy; default is sun.security.provider.PolicyFile

Blackboard Implementation
wrapper.properties/tomcat.sh: points to tomcat.policy
service-config.properties: code-level-access-control=true; can disable the SecurityManager regardless of command line options
Custom Policy implementation

Blackboard Implementation
SecurityUtil.checkPermission(): hides the check for a SecurityManager; propagates security exceptions
BbPolicy: wraps code sources for System Extensions; attempts to prevent “over-riding” – you can’t just put permissions in the policy file

Blackboard Permissions
blackboard.persist.PersistPermission: name is the data object, actions are “read,create,modify,delete”
Base persister and loader classes check for permission

Blackboard Permissions
blackboard.data.AttributePermission: controls access to attributes on a data object
Naming convention allows single attributes or groups to be protected
E.g., untrusted code can load a user, but can’t get the (hashed) password

Blackboard Permissions
    <permission type="persist" name="Content" actions="create,modify,delete"/>
    <permission type="attribute" name="user.authinfo" actions="read,write"/>

System Extensions
Deployed as a web application with a unique code source: the code source is attached to the /plugin directory, so it encompasses the /webapp and /config directories
Manifest includes a permissions block; some filtering to restrict certain permissions
Manifest is the equivalent of the policy file

System Extensions
Enabling an extension at startup: read permissions from the database; associate them with the web app code source; register the servlet context with Tomcat
Registration of the servlet context only occurs if the extension is “Available” or “Unavailable”. Otherwise, no code may be executed

System Extensions
Permissions block contains 0 or more permission elements
Same semantics as “grant” entries in the standard Java policy file: no explicit deny
Simple mnemonics for common types: Runtime, Socket, Persist, Attribute
Type attribute can be any fully qualified Java classname: must be a Permission sub-class with a two-argument constructor (String, String)
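An added example, not the platform's own manifest loader, of how a permissions block with the semantics on this slide can be turned into java.security.Permission objects: a mnemonic maps to a class name, anything else is taken as a fully qualified class name that must subclass Permission and expose the (String, String) constructor, and there is no deny, only accumulated grants. The runtime and socket mappings to java.lang.RuntimePermission and java.net.SocketPermission are standard Java; mapping persist and attribute to the two Blackboard classes named on the Blackboard Permissions slides is my assumption (those two need the platform jar on the classpath). The manifest string in main() is constructed and uses only JDK permission types, so the example runs stand-alone.

```java
import java.io.StringReader;
import java.lang.reflect.Constructor;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Hypothetical loader turning a manifest <permissions> block into a PermissionCollection. */
public final class ManifestPermissionLoader {

    /** Mnemonic -> class. The two Blackboard entries are an assumption about which class each mnemonic names. */
    private static final Map<String, String> MNEMONICS = new HashMap<String, String>();
    static {
        MNEMONICS.put("runtime", "java.lang.RuntimePermission");
        MNEMONICS.put("socket", "java.net.SocketPermission");
        MNEMONICS.put("persist", "blackboard.persist.PersistPermission");
        MNEMONICS.put("attribute", "blackboard.data.AttributePermission");
    }

    public static PermissionCollection load(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The manifest ships inside the extension package, i.e. it is untrusted input: no DTDs, no entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(manifestXml)));

        Permissions granted = new Permissions();   // grant-only, exactly like policy-file grant entries
        NodeList nodes = doc.getElementsByTagName("permission");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            granted.add(toPermission(e.getAttribute("type"), e.getAttribute("name"), e.getAttribute("actions")));
        }
        return granted;
    }

    /** Resolves the type attribute and instantiates it through the required (String, String) constructor. */
    static Permission toPermission(String type, String name, String actions) throws Exception {
        String lower = type.toLowerCase();
        String className = MNEMONICS.containsKey(lower) ? MNEMONICS.get(lower) : type;
        Class<?> cls = Class.forName(className);
        if (!Permission.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " is not a java.security.Permission");
        }
        Constructor<?> ctor = cls.getConstructor(String.class, String.class);
        return (Permission) ctor.newInstance(name, actions);
    }

    public static void main(String[] args) throws Exception {
        // Constructed manifest fragment mirroring the Example Permissions slide.
        String manifest =
            "<permissions>"
          + "  <permission type=\"socket\" name=\"api.google.com\" actions=\"connect\"/>"
          + "  <permission type=\"runtime\" name=\"accessDeclaredMembers\" actions=\"\"/>"
          + "  <permission type=\"java.util.PropertyPermission\" name=\"java.protocol.handler.pkgs\" actions=\"write\"/>"
          + "</permissions>";
        PermissionCollection granted = load(manifest);
        System.out.println(granted.implies(new RuntimePermission("accessDeclaredMembers")));                       // true
        System.out.println(granted.implies(new java.util.PropertyPermission("java.protocol.handler.pkgs", "write"))); // true
        System.out.println(granted.implies(new java.util.PropertyPermission("java.protocol.handler.pkgs", "read")));  // false
        System.out.println(granted.implies(new java.net.SocketPermission("api.google.com", "connect")));            // true
    }
}
```

The isAssignableFrom check is the point of the "must be a Permission sub-class" rule: without it, a type attribute naming any class with a (String, String) constructor would be instantiated by reflection inside the platform's trusted code. The slides also mention filtering of certain permissions; a real loader would apply that filter before granted.add().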

Default Permissions
Read/write access to the extension’s home directory
Read access to the Blackboard root
Read access to data (via APIs)
Read access to system properties
Everything else must be explicitly declared…

Example Permissions
    <permissions>
        <permission type="socket" name="api.google.com" actions="connect"/>
        <permission type="runtime" name="accessDeclaredMembers" actions=""/>
        <permission type="java.util.PropertyPermission" name="java.protocol.handler.pkgs" actions="write"/>
    </permissions>

Manifest Limitations
No escape syntax: properties that require user input, or information from the local system, cannot be encoded in the permission block

Tips
Read the Javadoc for any third party libraries you are using: many developers don’t test their code with a security manager, so they don’t know what they’re touching – e.g., Axis configuration routines will throw SecurityException if run with a SecurityManager
Think security… What would you as an administrator want to see disclosed?

Tips – Common Restrictions
System.getProperties() returns a mutable copy of the system properties; thus you need <permission type="java.util.PropertyPermission" name="*" actions="read,write"/>
Reflection requires a runtime permission
Spawning a process requires a runtime permission
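The Tips slides describe a trial-and-error loop: add a permission, run, hit the next SecurityException. The following is an added developer aid, not part of the Blackboard API, that an extension author can run from inside their own code under -Djava.security.manager: it probes a list of permissions with AccessController.checkPermission (the same stack walk SecurityManager.checkPermission delegates to), collects the ones the calling code's protection domain lacks, and prints each as a manifest permission element using the fully qualified class name form the System Extensions slide allows. It also contrasts System.getProperty with System.getProperties() for the common-restriction case above. Without a SecurityManager installed every probe passes, so the missing list is empty. (SecurityManager and AccessController are deprecated for removal from Java 17 on; this targets the JDK 1.4-era model the slides describe.)

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

/** Hypothetical helper: report which of a set of permissions the calling code does NOT hold. */
public final class PermissionProbe {

    /** Returns the subset of wanted that the current protection domain lacks. Empty when no SecurityManager is installed. */
    public static List<Permission> missing(List<Permission> wanted) {
        List<Permission> denied = new ArrayList<Permission>();
        for (Permission p : wanted) {
            try {
                AccessController.checkPermission(p);   // full stack walk from this frame
            } catch (AccessControlException e) {
                denied.add(p);
            }
        }
        return denied;
    }

    /** Least-privilege read: needs only PropertyPermission "<key>", "read". */
    public static String readProperty(String key) {
        return System.getProperty(key);
    }

    /** Same value through the mutable snapshot: needs PropertyPermission "*", "read,write". Shown for contrast only. */
    public static String readPropertyViaSnapshot(String key) {
        return System.getProperties().getProperty(key);
    }

    /** Renders a denied permission as the manifest element that would declare it. */
    public static String toManifestElement(Permission p) {
        return "<permission type=\"" + p.getClass().getName()
             + "\" name=\"" + p.getName()
             + "\" actions=\"" + p.getActions() + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed probe list covering the restrictions mentioned on the Tips slides.
        List<Permission> wanted = new ArrayList<Permission>();
        wanted.add(new PropertyPermission("java.version", "read"));        // granted by default per the slides
        wanted.add(new PropertyPermission("*", "read,write"));             // what System.getProperties() needs
        wanted.add(new RuntimePermission("accessDeclaredMembers"));       // reflection
        wanted.add(new java.net.SocketPermission("api.google.com", "connect"));

        List<Permission> denied = missing(wanted);
        if (denied.isEmpty()) {
            System.out.println("all probed permissions granted (or no SecurityManager installed)");
        }
        for (Permission p : denied) {
            System.out.println(toManifestElement(p));   // paste into the manifest's <permissions> block
        }
        System.out.println("java.version = " + readProperty("java.version"));
    }
}
```

Running the probe from the extension's own servlet or startup code is what makes the result meaningful: the stack walk evaluates the extension's code source, so the same list run from a plain main() on the command line reports the command-line policy, not the manifest.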

Conclusion
System Extensions have access to verify both authentication and authorization
Administrators have an additional level of disclosure about what extensions will access

Thank You!
Tom Joyce, Blackboard Product Development
Concluding presentation is at 2PM: Building Blocks and Blackboard—A Look Ahead, Salon H (where the keynote was held)