Posted on 20-Jan-2016


Page 1: AquaLogic User Interaction Security

ALUI Technique Document

AquaLogic User Interaction Security

LiJie, Senior SE

Page 2: AquaLogic User Interaction Security

BEA Confidential | 2 | BEA ALUI Technique Document, BID China

Module Roadmap

Users, Groups and Object Access

Knowledge Directory Security

Community Security

Admin Folder Security

Single Sign-On

Page 3: AquaLogic User Interaction Security

Portal Users

The Portal administrator creates users in the Portal, or syncs users into the Portal

The user can then log in

Each user is defined by an object in the Portal

George

Keith

Helen

Erica

Ben

Page 4: AquaLogic User Interaction Security

Portal Groups

The Portal administrator creates and manages groups

A group has one or more members*

A user belongs to one or more groups

Executive Community Members

Executive Community Managers

1. George
2. Helen
3. Christine
4. Jack
5. Jim

– All these users are in the Executive Community Members group

– Helen is a member of two groups

Page 5: AquaLogic User Interaction Security

Portal Objects

Almost everything in the Portal is considered an object

Communities

Subcommunities

Portlets

Administrative folders

Document folders

Documents

Users

Groups …

Every object in the Portal has a list describing who can access that object – it is called an Access Control List (ACL)

Page 6: AquaLogic User Interaction Security

Access Control List

An Access Control List specifies which users and groups have access to an object (and what kind of access privileges they have… see next page)

Executive Community

Administrators Group

Executive Community Members

Executive Community Managers

Administrator

Page 7: AquaLogic User Interaction Security

Access Privileges

ACLs carry privileges that specify what a user/group can do with an object

READ: View the object only

SELECT: Add this object to other objects (e.g., add a portlet to a My Page)

EDIT: Create and modify objects

ADMIN: All rights, including deleting objects and changing object ACLs

If users are not listed on an ACL (access of NONE), they do not know the object exists

Page 8: AquaLogic User Interaction Security

Example: ACL for a Community

Diagram: a Community (the Object), the Groups and the User listed on its ACL, and the Access Privileges granted to each

Page 9: AquaLogic User Interaction Security

Module Roadmap

Users, Groups and Object Access

Knowledge Directory Security

Community Security

Admin Folder Security

Single Sign-On

Page 10: AquaLogic User Interaction Security

Security Scenario #1

The Knowledge Directory contains folders and objects (i.e., links to documents) within those folders

A user may be able to see some folders and not see others

If a user cannot see a folder, he cannot see or search for objects within that folder

Both folders and the objects within them are secured with ACLs

Page 11: AquaLogic User Interaction Security

Steps: View Document Folder Security

Steps to witness Knowledge Directory security

1. Log in as George, a member of the Executive team, and browse the Knowledge Directory

2. Log in as Keith, a member of Marketing, and view the Knowledge Directory

3. View security on the Document folder and explain what is happening

See next slides for details…

Page 12: AquaLogic User Interaction Security

Step 1: Log in as George

Log in as George, who is in the Executive Community Members group

Page 13: AquaLogic User Interaction Security

Step 1: Browse the Directory

Choose Directory -> Browse Directory

Click on the Financials subfolder, inside the Executive folder

Page 14: AquaLogic User Interaction Security

Step 1: Click a Link to a Document

The contents of the Financials subfolder display

Click on a link to see the underlying content

Click Back

Note that George can Submit links to this folder

Page 15: AquaLogic User Interaction Security

Step 2: Log in as Keith

Log in as Keith, who is in the Marketing Community Members group

Page 16: AquaLogic User Interaction Security

Step 2: Browse the Directory

Choose Directory -> Browse Directory

The Financials subfolder does NOT appear to Keith

Page 17: AquaLogic User Interaction Security

Step 3: View Document Folder ACL

Access Control List for the Financials folder

Conclusion: The group that Keith is in (Marketing Community Members group) is not listed on the ACL; therefore, he cannot see the Financials folder or any documents inside of it. George is in Executive Community Members; he can access, view and submit documents to the Financials folder

Callout on the ACL: George is in this group (Executive Community Members)

Page 18: AquaLogic User Interaction Security

Access Levels: Folders, Objects in Folders

What ACLs mean to document folders

NONE: Cannot see folder

READ or SELECT: Can view the folder

EDIT: Can submit or crawl content into folder

ADMIN: Can approve documents for this folder

What ACLs mean on objects in folders

NONE: Cannot see object (search or browse)

READ or SELECT: Can view object

EDIT: Can overwrite object’s properties

ADMIN: Can edit the object’s ACL and delete object

Note: You cannot update the content of a document in the Knowledge Directory
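The ACL rules laid out on pages 5 to 18 (the privilege ladder, "not on the ACL means the object does not exist for you", and a folder that is hidden hides everything inside it from both browse and search) are easiest to check by running them. The following Python model is an added illustration written for this page, not code from the ALUI product; the privilege names and the folder/object semantics come from the slides, while every user, group, folder and document name in it is constructed sample data chosen to mirror the George/Keith scenario.

```python
"""ACL evaluation over a Knowledge Directory, modelled on pages 5 to 18.

Added illustration, not ALUI code: the privilege ladder, the rule that a
principal absent from the ACL (NONE) cannot see the object at all, and the
rule that an invisible folder hides its contents follow the slides; every
user, group, folder and document below is constructed sample data.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Privilege(IntEnum):
    NONE = 0    # not on the ACL: cannot see the object, in browse or in search
    READ = 1    # view only
    SELECT = 2  # view, and add the object to other objects
    EDIT = 3    # on a folder: submit or crawl content into it
    ADMIN = 4   # everything, including changing the ACL and deleting


@dataclass
class Folder:
    name: str
    acl: Dict[str, Privilege]               # principal (user or group) -> privilege
    parent: Optional["Folder"] = None
    documents: Dict[str, Dict[str, Privilege]] = field(default_factory=dict)  # doc -> own ACL


def effective_privilege(user: str, groups: Dict[str, Set[str]],
                        acl: Dict[str, Privilege]) -> Privilege:
    """Highest privilege the ACL grants to the user directly or to any of their groups."""
    principals = {user} | groups.get(user, set())
    return max((acl.get(p, Privilege.NONE) for p in principals), default=Privilege.NONE)


def can_see_folder(user: str, groups: Dict[str, Set[str]], folder: Optional[Folder]) -> bool:
    """Visible only with more than NONE on the folder and on every ancestor: an
    invisible parent hides the whole subtree, whatever the children's ACLs say."""
    while folder is not None:
        if effective_privilege(user, groups, folder.acl) == Privilege.NONE:
            return False
        folder = folder.parent
    return True


def can_submit(user: str, groups: Dict[str, Set[str]], folder: Folder) -> bool:
    """Submitting a link into a folder needs EDIT on that folder (page 18)."""
    return (can_see_folder(user, groups, folder)
            and effective_privilege(user, groups, folder.acl) >= Privilege.EDIT)


def search(user: str, groups: Dict[str, Set[str]], folders: List[Folder], term: str) -> List[str]:
    """Security-trimmed search: nothing inside an invisible folder is returned, and a
    visible folder still withholds documents whose own ACL gives the user NONE."""
    hits = []
    for folder in folders:
        if not can_see_folder(user, groups, folder):
            continue
        for doc, doc_acl in folder.documents.items():
            if (term.lower() in doc.lower()
                    and effective_privilege(user, groups, doc_acl) > Privilege.NONE):
                hits.append(f"{folder.name}/{doc}")
    return hits


# Constructed sample data mirroring the scenario's cast.
GROUPS: Dict[str, Set[str]] = {
    "George": {"Executive Community Members"},
    "Keith": {"Marketing Community Members"},
    "Helen": {"Executive Community Members", "Executive Community Managers"},
}
EXECUTIVE = Folder("Executive", {
    "Administrators Group": Privilege.ADMIN,
    "Executive Community Members": Privilege.READ,
    "Marketing Community Members": Privilege.READ,    # Keith can browse the parent folder...
})
FINANCIALS = Folder("Financials", {
    "Administrators Group": Privilege.ADMIN,
    "Executive Community Members": Privilege.EDIT,    # ...but Marketing is absent here (NONE)
    "Executive Community Managers": Privilege.ADMIN,
}, parent=EXECUTIVE)
FINANCIALS.documents["Q3 Financials.pdf"] = {"Executive Community Members": Privilege.READ}
FOLDERS = [EXECUTIVE, FINANCIALS]


def demo() -> Dict[str, object]:
    """The two logins of pages 12 to 17, run against the model."""
    return {
        "George sees Financials": can_see_folder("George", GROUPS, FINANCIALS),
        "Keith sees Financials": can_see_folder("Keith", GROUPS, FINANCIALS),
        "George can submit": can_submit("George", GROUPS, FINANCIALS),
        "Keith search": search("Keith", GROUPS, FOLDERS, "financials"),
        "George search": search("George", GROUPS, FOLDERS, "financials"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Two points the model makes visible that the screenshots only imply: the effective privilege is the maximum over all of a user's principals, so Helen's ADMIN on Financials comes from her second group, not her first; and the folder check walks up to the root, so an omission on a parent folder's ACL overrides anything granted below it. When reviewing a Knowledge Directory, audit ACLs top-down for that reason.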

Page 19: AquaLogic User Interaction Security

Module Roadmap

Users, Groups and Object Access

Knowledge Directory Security

Community Security

Admin Folder Security

Single Sign-On

Page 20: AquaLogic User Interaction Security

Security Scenario #2

Users can access a Community at various levels

Cannot see it at all (don’t know it exists)

Can browse the Community without joining it

Can join the Community and become a “member”

Can edit the Community

Can change the security settings

In scenario #2, you will see the difference between users with NONE, SELECT, EDIT and ADMIN access to a Community

Based on what you know about Access Control List privileges, which privileges do you think correspond to each level above? READ, EDIT, SELECT, ADMIN, NONE

Page 21: AquaLogic User Interaction Security

Steps: Observe Community Security

Steps to experience Community security

1. Log in as George, and go to the Executive Community

2. Log in as Keith and (try to) join the Executive Community

3. Log in as Helen and join the Executive Community

4. Log in as Erica

5. View security on the Admin folders and explain what is happening

See next slides for details…

Page 22: AquaLogic User Interaction Security

Step 1: Log in as George

Log in as George, who is in the Executive Community Members group

Go to the Executive Community (George is already a member)

Page 23: AquaLogic User Interaction Security

Step 1: View the Community

Page 24: AquaLogic User Interaction Security

Step 2: Log in as Keith

Log in as Keith, who is in the Marketing Community Members group

Page 25: AquaLogic User Interaction Security

Step 2: Join Executive Community

Attempt to join the Executive Community

Choose My Communities -> Join Communities

Since it is not listed, search for Executive Community, then click

Page 26: AquaLogic User Interaction Security

Step 2: Join Executive Community

Result: Nothing is returned from Keith’s search because he does not have access to the Executive Community

Click Cancel

Page 27: AquaLogic User Interaction Security

Step 3: Log in as Helen

Log in as Helen, who is in the Executive Community Managers group

Go to the Executive Community (Helen is already a member)

Page 28: AquaLogic User Interaction Security

Step 3: View the Community

Result: Helen sees the Community and also has the option, Edit This Community; click on this link

Page 29: AquaLogic User Interaction Security

Step 3: View Community Security

The Community editor appears … Helen can edit the Community

Click Security

Page 30: AquaLogic User Interaction Security

Step 3: View Community Security

Result: Helen can view the security settings of the Community but she cannot change any security settings

Click Cancel

Page 31: AquaLogic User Interaction Security

Step 4: Log in as Erica

Log in as Erica, who is in the Portal Managers group

Go to the Executive Community (Erica is already a member)

Page 32: AquaLogic User Interaction Security

Step 4: Edit the Community

Result: Like Helen, Erica sees the Community and also has the option, Edit This Community; click on the link

Page 33: AquaLogic User Interaction Security

Step 4: Edit the Community

The Community editor appears … Erica can edit the Community

Click Security

Page 34: AquaLogic User Interaction Security

Step 4: Edit Community Security

Result: Erica can CHANGE the security settings for this Community -- add and delete users and groups on the ACL, change the privileges

Click Cancel (please do not change any settings!)

Callouts on the ACL: Erica is in this group (Portal Managers); George is in this group (Executive Community Members); Helen is in this group (Executive Community Managers)

The group that Keith is in (Marketing Community Members group) is not on the ACL … therefore, he cannot view or join the Executive Community

Page 35: AquaLogic User Interaction Security

Security Scenario #3

There may be reasons to allow a user to view a Community without joining it

Differences to end user

Does not have to join and become a member

Community does not appear on My Communities tab

In the next example, Keith is in a group that has READ access to the Evergreen Community … see what happens!

Page 36: AquaLogic User Interaction Security

Log in as Keith

Log in as Keith, who is in the Marketing Community Members group

Try to join the Evergreen Community

Page 37: AquaLogic User Interaction Security

Try to Join Evergreen Community

Search for Evergreen Community

Keith cannot JOIN the Community … but he knows it exists and that he should be able to see it!

Click Cancel

Page 38: AquaLogic User Interaction Security

Try to View Evergreen Community

Submit a Portal search … search for Evergreen Community

The Portal returns the Evergreen Community this time…

Click on it

Page 39: AquaLogic User Interaction Security

View the Evergreen Community

Result: Keith is allowed to VIEW but not JOIN the Community

Page 40: AquaLogic User Interaction Security

Module Roadmap

Users, Groups and Object Access

Knowledge Directory Security

Community Security

Admin Folder Security

Single Sign-On

Page 41: AquaLogic User Interaction Security

Access Levels: Administrative Folders

Like Document folders, Administrative folders are secured

What ACLs mean to Administrative folders

NONE: User cannot see the folder

READ or SELECT: User can see the folder

EDIT: User can create objects in the folder

ADMIN: User can delete the folder and change folder security

Page 42: AquaLogic User Interaction Security

Steps: View Admin Folder Security

Steps to experience administrative folder security

1. Log in as StudentN and go to the Administration page; make a note of the folders you can see

2. Log in as Ben and go to the Administration page; make a note of the folders you can see

3. Log in as Erica and go to the Administration page; make a note of the folders you can see

4. View security on the Admin folders and explain what is happening

5. As StudentN, try to create an object in an administrative folder

See next slides for details…

Page 43: AquaLogic User Interaction Security

Step 1: Log in as StudentN

Log in as StudentN (where N is your student number), who is a member of a group called Students

Go to the Administration page

Page 44: AquaLogic User Interaction Security

Step 1: Observe What StudentN Can See

Note that you can see a folder called Community Lab and one subfolder … StudentN, where N is your student number

Page 45: AquaLogic User Interaction Security

Step 2: Log in as Ben

Log in as Ben, who is in the Sales Community Managers group

Go to the Administration page

Page 46: AquaLogic User Interaction Security

Step 2: Observe What Ben Can See

Note that Ben cannot see the Community Lab or any of its subfolders

Page 47: AquaLogic User Interaction Security

Step 3: Log in as Erica

Log in as Erica, who is in the Portal Managers group

Go to the Administration page

Page 48: AquaLogic User Interaction Security

Step 3: Observe What Erica Can See

Note that Erica can see the Community Lab folder and many subfolders…

Page 49: AquaLogic User Interaction Security

Step 4: View Folder Security

Security for the Community Lab folder

Do you think StudentN or Erica can create anything in this folder? Why or why not?

Callouts on the ACL: StudentN is in this group (Students); Erica is in this group (Portal Managers)

Folder tree shown: Community Lab > StudentN

Page 50: AquaLogic User Interaction Security

Step 4: View Folder Security

Security for the StudentN Folder

Can StudentN create anything in the StudentN folder? Why or why not?

Callout on the ACL: StudentN is this user (where N is your student number)

Folder tree shown: Community Lab > StudentN

Page 51: AquaLogic User Interaction Security

Step 5: Log in as StudentN

Log in as StudentN (where N is your student number)

Page 52: AquaLogic User Interaction Security

Step 5: Go to the StudentN Folder

Go to the Administration page

Click on the subfolder in the Community Lab folder that StudentN can see

Page 53: AquaLogic User Interaction Security

Step 5: Create an Object

Advanced Security note: In order to create anything, StudentN also needs activity rights (which you have)! All students have the activity rights Access Administration, Create Community and Create Administrative Folder

Choose Create Object… then Administrative Folder

Name it Test Folder, then click OK

Result: Folder created
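Scenarios #2 and #3 (pages 20 to 39) show that one privilege ladder produces four different Community experiences, and that the Join Communities search and the Portal search apply different thresholds; the Admin Folder module (pages 41 to 53) adds a second, independent gate, the activity right, to creating objects. The Python below puts both rules in one place as an added illustration written for this page, not ALUI code. The view/join/edit/change-security mapping and the "EDIT on the folder plus the Create activity right" rule are taken from the slides; the users, groups, Communities, folders and ACL entries are constructed sample data, and which search lists what is modelled as the slides describe it for Keith and the Evergreen Community.

```python
"""Community access levels and administrative-folder creation, after pages 20 to 53.

Added illustration, not ALUI code. Mapping per the slides: READ views a Community
without joining it, SELECT may join, EDIT opens the Community editor, ADMIN may
change its security. Creating an object in an administrative folder needs EDIT
on the folder AND the matching activity right (page 53). All names are constructed.
"""
from enum import IntEnum
from typing import Dict, List, Set


class Privilege(IntEnum):
    NONE = 0
    READ = 1
    SELECT = 2
    EDIT = 3
    ADMIN = 4


def effective_privilege(user: str, groups: Dict[str, Set[str]],
                        acl: Dict[str, Privilege]) -> Privilege:
    """Highest privilege granted to the user directly or via any of their groups."""
    principals = {user} | groups.get(user, set())
    return max((acl.get(p, Privilege.NONE) for p in principals), default=Privilege.NONE)


# Cumulative actions each level unlocks on a Community (pages 20 and 34).
COMMUNITY_ACTIONS = {
    Privilege.READ: {"view"},
    Privilege.SELECT: {"view", "join"},
    Privilege.EDIT: {"view", "join", "edit"},
    Privilege.ADMIN: {"view", "join", "edit", "change_security"},
}


def community_actions(user: str, groups: Dict[str, Set[str]],
                      community_acl: Dict[str, Privilege]) -> Set[str]:
    level = effective_privilege(user, groups, community_acl)
    return set(COMMUNITY_ACTIONS.get(level, set()))


def join_communities_search(user: str, groups: Dict[str, Set[str]],
                            communities: Dict[str, Dict[str, Privilege]], term: str) -> List[str]:
    """'My Communities -> Join Communities' lists only Communities the user may join (page 37)."""
    return sorted(name for name, acl in communities.items()
                  if term.lower() in name.lower()
                  and "join" in community_actions(user, groups, acl))


def portal_search(user: str, groups: Dict[str, Set[str]],
                  communities: Dict[str, Dict[str, Privilege]], term: str) -> List[str]:
    """Portal-wide search returns any Community the user may at least view (page 38)."""
    return sorted(name for name, acl in communities.items()
                  if term.lower() in name.lower()
                  and "view" in community_actions(user, groups, acl))


def can_create_in_admin_folder(user: str, groups: Dict[str, Set[str]], folder_acl: Dict[str, Privilege],
                               activity_rights: Dict[str, Set[str]], object_type: str) -> bool:
    """Two independent gates: EDIT on the folder ACL and a 'Create <object type>' activity right."""
    has_edit = effective_privilege(user, groups, folder_acl) >= Privilege.EDIT
    rights: Set[str] = set()
    for principal in {user} | groups.get(user, set()):
        rights |= activity_rights.get(principal, set())
    return has_edit and f"Create {object_type}" in rights


# Constructed sample data following the scenario's cast ("Student7" stands in for StudentN).
GROUPS: Dict[str, Set[str]] = {
    "George": {"Executive Community Members"}, "Keith": {"Marketing Community Members"},
    "Helen": {"Executive Community Members", "Executive Community Managers"},
    "Erica": {"Portal Managers"}, "Ben": {"Sales Community Managers"}, "Student7": {"Students"},
}
COMMUNITIES = {
    "Executive Community": {"Executive Community Members": Privilege.SELECT,
                            "Executive Community Managers": Privilege.EDIT,
                            "Portal Managers": Privilege.ADMIN},
    "Evergreen Community": {"Marketing Community Members": Privilege.READ,   # view, not join
                            "Portal Managers": Privilege.ADMIN},
}
ADMIN_FOLDERS = {
    "Community Lab": {"Students": Privilege.READ, "Portal Managers": Privilege.ADMIN},
    "Community Lab/Student7": {"Student7": Privilege.EDIT, "Portal Managers": Privilege.ADMIN},
    "Sales": {"Sales Community Managers": Privilege.EDIT},   # EDIT, but Ben holds no activity right
}
ACTIVITY_RIGHTS = {  # page 53: students hold these three rights
    "Students": {"Access Administration", "Create Community", "Create Administrative Folder"},
    "Portal Managers": {"Access Administration", "Create Administrative Folder"},
}

if __name__ == "__main__":
    for who in ("Keith", "George", "Helen", "Erica"):
        print(who, sorted(community_actions(who, GROUPS, COMMUNITIES["Executive Community"])))
    print("Keith, Join Communities search:", join_communities_search("Keith", GROUPS, COMMUNITIES, "evergreen"))
    print("Keith, Portal search:", portal_search("Keith", GROUPS, COMMUNITIES, "evergreen"))
    print("Student7 creates in own folder:", can_create_in_admin_folder(
        "Student7", GROUPS, ADMIN_FOLDERS["Community Lab/Student7"], ACTIVITY_RIGHTS, "Administrative Folder"))
```

The `Sales` folder entry is there to show the failure mode page 53 warns about: an EDIT entry on the ACL is necessary but not sufficient, and a user with no Create activity right still cannot create anything. When troubleshooting "I can see the folder but cannot create", check both gates rather than only the ACL.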

Page 54: AquaLogic User Interaction Security

Module Roadmap

Users, Groups and Object Access

Knowledge Directory Security

Community Security

Admin Folder Security

Single Sign-On

Page 55: AquaLogic User Interaction Security

Single Sign-On (SSO)

What is SSO and what is it not?

How do SSO products work?

How does ALUI integrate with SSO Solutions?

Working around SSO limitations

Lab Info

Page 56: AquaLogic User Interaction Security

SSO – What is it?

What problem is Single Sign-On trying to address?

Enterprises have many Web applications

Separate Web applications require separate login credentials

Managing identity within a topology of many applications is inefficient

What do Single Sign-On vendors sell?

Users log in once to access all enterprise resources

Centralized location for authentication and authorization

Authentication: whether or not a user’s name and password are correct

Authorization: whether or not said user has access to a network resource

Streamlined user experience and global security administration

Page 57: AquaLogic User Interaction Security

SSO – The Reality

What does SSO actually provide out-of-the-box?

Virtual directory level authentication and authorization to Web sites

A single place to manage authorization for Web sites

What does SSO NOT provide out-of-the-box?

A way to login to arbitrary vendors’ backend servers

A way to pass login information to a server API

We’ll call it the “Backend Problem”

This is a difficult problem

SSO products do not provide an out-of-the-box solution

Customizations can often provide a solution

Page 58: AquaLogic User Interaction Security

SSO – How Do SSO Products Work?

Three main components

Directory Server (LDAP / AD)

“Access Server”

“SSO Gate”

The “Access Server” is synchronized with the Directory Server

User authorization is managed on the “Access Server”

The “SSO Gate” intercepts HTTP requests to Web applications

Diagram: LDAP; Access Server (Oblix, Netegrity); SSO Gate in front of the Application Server hosting the ALUI Portal and Other Web App

Page 59: AquaLogic User Interaction Security

SSO – How Do SSO Products Work?

1. The user accesses the ALUI Portal through the browser; the SSO Gate intercepts the request.

2. The Access Server presents its authentication form to the user through the browser; the SSO Gate requires the user to enter credentials.

3. The credentials are transmitted to the Access Server, which matches them against the user information stored in LDAP / AD.

4. If authentication succeeds, the user is authorized to access the ALUI Portal, and the SSO token persists for the whole user session.

5. Once inside the ALUI Portal, the user is not prompted for credentials again; the system authenticates automatically with the SSO token held in the user session.

Diagram: LDAP; Access Server; SSO Gate in front of the Application Server hosting the ALUI Portal and Other Web App, with steps 1 to 5 marked on the arrows

Page 60: AquaLogic User Interaction Security

SSO – ALUI Integration

When ALUI detects that the user arrived through single sign-on:

It assumes the user has already been authenticated by the SSO system

It redirects the browser to ALUI's dedicated SSO login page

It checks the user name carried in the HTTP header; if the user name and authentication information are correct, ALUI accepts the SSO token issued by the Access Server

During authentication ALUI tries to match the user against several user data sources; if no matching user is found, ALUI redirects the user to My Page

Diagram: SSO -> ALUI SSO Page -> ALUI Portal (Request, Redirect, Authenticate, Forward, Logged In)

Page 61: AquaLogic User Interaction Security

SSO – ALUI Integration

Integration with the login process is complex

When SSO is enabled, Guest access still works if the user clicks Logout

KB Article DA_218443

You protect /portal/SSOServlet

Diagram at the left shows what happens after SSO authenticates and authorizes the user
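Pages 59 to 61 describe the exchange only as a diagram, so here it is as a runnable simulation with both sides' messages: the SSO Gate intercepting requests, the Access Server challenging for credentials and checking them against the directory, the token that rides the session so the user is not prompted again, and the portal's SSO servlet trusting the identity the gate forwards and matching it against several user sources. This is an added illustration written for this page, not ALUI, Oblix or Netegrity code. The message texts, the cookie name `SSOTOKEN`, the header `X-SSO-User` and the HMAC-signed token format are assumptions chosen for the simulation; the directory entries and portal user sources are constructed sample data.

```python
"""SSO Gate / Access Server / ALUI portal exchange, after pages 59 to 61.

Added simulation, not ALUI, Oblix or Netegrity code. The cookie name SSOTOKEN,
the header X-SSO-User and the HMAC token format are assumptions; directory
entries and portal user sources are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

DIRECTORY = {"keith": "marketing-pass", "erica": "managers-pass", "vendor": "vendor-pass"}  # constructed LDAP/AD
USER_SOURCES = {"Corporate LDAP": {"keith", "george", "helen"}, "Portal DB": {"erica"}}   # constructed


@dataclass
class Response:
    status: int
    body: str
    set_token: Optional[str] = None   # token the gate places in the session cookie


class AccessServer:
    """Checks credentials against the directory and mints HMAC-signed session tokens."""

    def __init__(self, directory: Dict[str, str]):
        self.directory = directory
        self.key = secrets.token_bytes(32)   # assumption: per-deployment signing key

    def _sign(self, user: str) -> str:
        return hmac.new(self.key, user.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, user: str, password: str) -> Optional[str]:
        expected = self.directory.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        return f"{user}.{self._sign(user)}"

    def validate(self, token: str) -> Optional[str]:
        """Returns the user named in a token only if its signature verifies."""
        user, _, mac = token.rpartition(".")
        return user if user and hmac.compare_digest(self._sign(user), mac) else None


class AluiPortal:
    """Portal side: it never sees a password, only the identity the gate forwards."""

    def __init__(self, user_sources: Dict[str, Set[str]]):
        self.user_sources = user_sources

    def sso_servlet(self, headers: Dict[str, str]) -> Response:
        user = headers.get("X-SSO-User")
        if not user:
            return Response(401, "no SSO identity in request")
        for source, members in self.user_sources.items():
            if user in members:                 # page 60: match against several user sources
                return Response(200, f"Logged In as {user} via {source}")
        return Response(302, "Redirect: My Page")   # page 60: no matching user


class SsoGate:
    """Sits in front of /portal/SSOServlet and every other protected path (page 61)."""

    def __init__(self, access_server: AccessServer, portal: AluiPortal):
        self.access_server, self.portal = access_server, portal

    def handle(self, path: str, cookies: Dict[str, str],
               credentials: Optional[Tuple[str, str]] = None) -> Response:
        token = cookies.get("SSOTOKEN")
        user = self.access_server.validate(token) if token else None
        if user is None:                        # no valid session yet: steps 2 to 4 of page 59
            if credentials is None:
                return Response(401, "Access Server login form")
            token = self.access_server.authenticate(*credentials)
            if token is None:
                return Response(401, "Access Server login form (invalid credentials)")
            user = credentials[0]
        # Step 5: the gate, not the client, sets the identity header the portal trusts.
        if path == "/portal/SSOServlet":
            resp = self.portal.sso_servlet({"X-SSO-User": user})
        else:
            resp = Response(200, f"{path} served for {user}")
        resp.set_token = token
        return resp


def build_gate() -> SsoGate:
    return SsoGate(AccessServer(DIRECTORY), AluiPortal(USER_SOURCES))


if __name__ == "__main__":
    gate = build_gate()
    first = gate.handle("/portal/SSOServlet", {})
    login = gate.handle("/portal/SSOServlet", {}, ("keith", "marketing-pass"))
    again = gate.handle("/portal/MyPage", {"SSOTOKEN": login.set_token})
    for r in (first, login, again):
        print(r.status, r.body)
```

The design point the simulation makes concrete is the trust boundary on page 61: the portal's SSO servlet accepts whatever user name arrives in the header, which is only safe because the gate is the sole path to that servlet and strips or overwrites the header on every request. That is why the slide tells you to protect `/portal/SSOServlet`; a deployment that leaves the servlet reachable without passing through the gate has removed the only check on that header.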

Page 62: AquaLogic User Interaction Security

SSO – Supported Vendors

5.0J supports three SSO vendors out of the box:

1. Oblix NetPoint

2. Netegrity SiteMinder

• SiteMinder Terminology

WebAgent – Intercepts calls to protected resources and authenticates the user. Sits on the Portal Server.

Policy Server – Authorizes the given user to access the given resource. Other restrictions, like time, can be applied to Policy Server rules.

Directory Server – the user repository

Page 63: AquaLogic User Interaction Security

Summary

Portal security works the same for ALL Portal objects (except users) – each has an Access Control List, indicating

who can interact with that object

and at what level

This module is intended to give you a primer on Portal Security from an end-user perspective

For full coverage of Portal Security, please refer to the Portal Administration 5.0 course or to the E-learning Administration learning modules

Page 64: AquaLogic User Interaction Security

ALUI Technique Document

Q&A