![Page 1: WildFly in Oracle okolje - · PDF fileWildFly in Oracle okolje Integracija aplikacij z obstoječo infrastrukturo Predavatelj: Urh Srečnik ... picketlink.xml](https://reader034.vdocuments.site/reader034/viewer/2022052319/5a9e2f697f8b9a75458bc089/html5/thumbnails/1.jpg)
WildFly in an Oracle Environment
Integrating applications with existing infrastructure
Speaker:
Urh Srečnik <[email protected]>
Software Architect @ Abakus Plus d.o.o.
Abakus Plus d.o.o.
● Applications
  – DB – Newspaper Distribution
  – FIS – Flight Information System
  – DMS – Document Management System
● Special
  ● ARBITER – the ultimate tool in audit trailing
  ● APPM – Abakus Plus Performance and Monitoring Tool
  ● Backup Server
● Services
  ● DBA, OS administration, programming (MediaWiki, Oracle)
  ● networks (services, VPN, QoS, security)
  ● open source, monitoring (Nagios, OCS, Wiki)
● Hardware
  ● servers, backup server, SAN storage, firewalls
DBA_USERS and application users
(diagram: Users → Application server → Database server)
  Application server: user="John Doe"  (javax.security.Principal)
  Database server:    user="MYAPP"     (Oracle schema)
Container Managed Authentication
(diagram) WildFly hosts App 1 and App 2. Both applications log in through a JAAS Security Domain; its Login Module validates the users against DBA_USERS in the Oracle Database.
WildFly Login Module Implementation
(class diagram)
  <<interface>> javax.security.auth.spi.LoginModule
      ^
  <<abstract>> AbstractServerLoginModule
      + initialize()
      + login()
      # getIdentity()
      # getRoleSets()
      ^
  DemoLoginModule
Maven coordinates: org.picketbox:picketbox
WildFly Module Deployment
$WILDFLY_HOME/
└── modules/
    └── system/
        └── layers/
            └── base/
                └── mycompany/
                    └── mymodule/
                        └── main/
                            ├── mymodule.jar
                            └── mymodule.xml

$ ./jboss-cli.sh --connect
[standalone@localhost:9990 /] module add \
    --name=mycompany.mymodule \
    --resources=mymodule.jar \
    --dependencies=org.picketbox
WildFly Create Security Domain
./subsystem=security/security-domain=demosecuritydomain:add(cache-type="default")
cd ./subsystem=security/security-domain=demosecuritydomain
./authentication=classic:add( \
    login-modules=[ { \
        code="com.mypackage.MyDemoModule", \
        flag="required", \
        module-options={ \
            option="value" \
        } \
    }])
Login Logic
(flowchart)
  Login credentials
    → Open JDBC connection
    → Query DBA_ROLE_PRIVS
    → Close JDBC connection
        success → Authenticated
        failure → Not authenticated
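The login module sketched on the two slides above (class diagram plus "Login Logic" flow), written out as an added example; this is not the presenter's DemoLoginModule, and the class name MyDemoModule, the module option "jdbcUrl" and the JDK 8-era java.security.acl.Group API that PicketBox builds on are assumptions. The module lets Oracle do the password check by opening a JDBC connection with the user's own credentials, so the application server never stores or compares password hashes, and then turns the user's role grants into JAAS roles.

```java
// Added example, not code from the presentation. Assumes PicketBox
// (org.picketbox:picketbox) on the module path and an Oracle JDBC driver.
package com.mypackage;

import java.security.Principal;
import java.security.acl.Group;            // PicketBox API (JDK 8 era)
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class MyDemoModule extends AbstractServerLoginModule {

    private String jdbcUrl;                       // module option "jdbcUrl" (assumed name)
    private String username;
    private final List<String> roles = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        jdbcUrl = (String) options.get("jdbcUrl");
    }

    @Override
    public boolean login() throws LoginException {
        // 1. Login credentials: ask the container for user name and password.
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("Could not obtain credentials: " + e.getMessage());
        }
        username = nc.getName();
        char[] password = pc.getPassword() == null ? new char[0] : pc.getPassword();
        try {
            if (username == null || username.isEmpty() || password.length == 0) {
                throw new LoginException("Empty user name or password");
            }
            // 2. Open JDBC connection AS THE USER: Oracle verifies the password,
            //    honours account lock / expiry, and writes its own audit record.
            try (Connection conn = DriverManager.getConnection(jdbcUrl, username,
                                                               new String(password));
                 // 3. Query DBA_ROLE_PRIVS: roles granted directly to this user.
                 PreparedStatement ps = conn.prepareStatement(
                     "select granted_role from dba_role_privs where grantee = ?")) {
                ps.setString(1, username.toUpperCase());
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        roles.add(rs.getString(1));
                    }
                }
            } // 4. Close JDBC connection (try-with-resources), on success or failure.
        } catch (SQLException e) {
            // Wrong password, locked account, no CREATE SESSION, ... => failure.
            loginOk = false;
            throw new LoginException("Authentication failed for " + username);
        } finally {
            Arrays.fill(password, '\0');           // do not keep the secret in memory
        }
        loginOk = true;
        return true;
    }

    @Override
    protected Principal getIdentity() {
        return new SimplePrincipal(username);
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        // PicketBox maps the group named "Roles" to the container's security roles.
        SimpleGroup group = new SimpleGroup("Roles");
        for (String role : roles) {
            group.addMember(new SimplePrincipal(role));
        }
        return new Group[] { group };
    }
}
```

Two checks worth doing before deploying something like this: the logging-in user must be allowed to read DBA_ROLE_PRIVS (SELECT ANY DICTIONARY or an explicit grant); if that is undesirable, USER_ROLE_PRIVS returns the same rows for the current user without extra privileges. Also, DBA_ROLE_PRIVS lists direct grants only, so with the slide's nesting (apr$user granted to apr$admin) a user holding apr$admin would not get apr$user from this query; SESSION_ROLES shows the effective, enabled set.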
Oracle Users and Roles (example)
create user app_schema identified by app_schema account lock;
create user app$proxy identified by app$proxy;
create user app$user_a identified by user_a;
create user app$user_b identified by user_b;
create user app$user_c identified by user_c;
create role apr$admin;
create role apr$user;
Oracle Proxy Users (grants)
grant create session to app$proxy;
grant create session to apr$user;
alter user app$user_a grant connect through app$proxy;
alter user app$user_b grant connect through app$proxy;
alter user app$user_c grant connect through app$proxy;
Oracle Role Grants
grant apr$user to apr$admin;
grant apr$admin to app$user_a;
grant apr$user to app$user_b;
grant apr$user to app$user_c;
Oracle Setup Overview
(diagram) APP$USER_A, APP$USER_B and APP$USER_C connect through APP$PROXY and work in APP_SCHEMA

$ sqlplus app$proxy[app$user_a]/app$proxy
SQL> alter session set current_schema=app_schema;
JDBC Connection Listener Implementation
(class diagram)
  <<interface>> ConnectionListener
      + initialize()
      + activated()
      + passivated()
      ^
  <<class>> DemoConnectionListener
Maven coordinates: org.jboss.ironjacamar:ironjacamar-jdbc
JDBC Connection Listener Deployment
data-source add \
    --name=MyDemoDataSource \
    --jndi-name=java:jboss/datasources/MyDemoDataSource \
    --driver-name=oracle \
    --connection-url=jdbc:oracle:thin:@//your.host.com/service \
    --user-name=app\$proxy \
    --password=my_proxy_pass \
    --connection-listener-class=com.abakus.lib.oraproxy.OraProxyConnectionListener \
    --connection-listener-property={"currentSchema"=>"MY_APP"}
JDBC: Oracle Proxy Sessions
oracle.jdbc.OracleConnection conn;
// props holds OracleConnection.PROXY_USER_NAME => the end user's Oracle name
conn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, props);
conn.close(OracleConnection.PROXY_SESSION);
Security Context
● Sure:
  ● @WebFilter
  ● @AroundInvoke
● Uhm.. what about:
  ● @Asynchronous
  ● @Timeout
  ● ...
● How to obtain javax.security.Principal in a JDBC Connection Listener?!
● ThreadLocal<Principal>
  Does that really work?
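The connection listener, the proxy-session calls and the ThreadLocal<Principal> idea from the last four slides, combined into one added example. This is not the presenter's com.abakus.lib.oraproxy.OraProxyConnectionListener; the class name, the ThreadLocal holder CURRENT_PRINCIPAL, the assumption that the web filter or interceptor fills it before the data source is used, and the bean-style setter through which IronJacamar injects the "currentSchema" property are all assumptions. The listener switches a pooled connection to a proxy session for the caller when the pool hands it out, and drops the proxy session when the connection comes back, so the pool only ever holds the app$proxy password while the database sees and audits the real user.

```java
// Added example, not the presentation's code. Assumes the Oracle JDBC driver
// and org.jboss.ironjacamar:ironjacamar-jdbc on the module path.
package com.example.oraproxy;

import java.security.Principal;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

import oracle.jdbc.OracleConnection;
import org.jboss.jca.adapters.jdbc.spi.listener.ConnectionListener;

public class DemoConnectionListener implements ConnectionListener {

    // Assumed contract: a @WebFilter / @AroundInvoke interceptor sets this before
    // the request touches the data source and clears it in a finally block.
    public static final ThreadLocal<Principal> CURRENT_PRINCIPAL = new ThreadLocal<>();

    // Filled from --connection-listener-property={"currentSchema"=>"..."}
    // (assumed to be injected through this setter).
    private String currentSchema;

    public void setCurrentSchema(String currentSchema) {
        this.currentSchema = currentSchema;
    }

    @Override
    public void initialize(ClassLoader cl) throws SQLException {
        // nothing to prepare
    }

    @Override
    public void activated(Connection c) throws SQLException {
        Principal p = CURRENT_PRINCIPAL.get();
        if (p == null) {
            // Fail closed: on a thread without a principal (@Asynchronous, @Timeout, ...)
            // refuse the connection rather than silently running as the pool user.
            throw new SQLException("No authenticated principal on this thread");
        }
        OracleConnection oc = c.unwrap(OracleConnection.class);
        Properties props = new Properties();
        props.put(OracleConnection.PROXY_USER_NAME, p.getName());
        // Equivalent of "sqlplus app$proxy[app$user_a]/app$proxy": no end-user
        // password is needed because of "grant connect through app$proxy".
        oc.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, props);
        if (currentSchema != null) {
            // A schema name is an identifier, not a bind variable, so validate it
            // before concatenating it into the statement.
            validateIdentifier(currentSchema);
            try (Statement st = oc.createStatement()) {
                st.execute("alter session set current_schema=" + currentSchema);
            }
        }
    }

    @Override
    public void passivated(Connection c) throws SQLException {
        // Close only the proxy session; the physical connection returns to the pool.
        OracleConnection oc = c.unwrap(OracleConnection.class);
        if (oc.isProxySession()) {
            oc.close(OracleConnection.PROXY_SESSION);
        }
    }

    static void validateIdentifier(String name) throws SQLException {
        if (!name.matches("[A-Za-z][A-Za-z0-9_$#]*")) {
            throw new SQLException("Refusing unsafe schema name: " + name);
        }
    }
}
```

The answer to the slide's "Does that really work?" is built into activated(): a ThreadLocal is only as good as the thread it was set on, so the listener throws when no principal is present instead of degrading to the shared proxy identity. Whatever sets CURRENT_PRINCIPAL must also remove() it when the request ends, otherwise a pooled worker thread carries the previous user's identity into the next request.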
What About “AUTHENTICATION REQUIRED” ?
● Wrap javax.security.Principal to include password.
Single Sign On
(diagram) APP1, APP2 and APP3 authenticate against LDAP AUTH and connect to DB1 and DB2
LDAP schema should contain:
  * Username
  * Per-database username
SAML? OAuth? CAS? OpenID? AD? …?
● SSO vs “WebSSO”
PicketLink Overview
● PicketLink is an umbrella project for security and identity management for Java applications.
  ● Java EE Application Security
  ● Identity Management
  ● Federation (SAML, OAuth, OpenID, ...)
  ● Social Login (Facebook, Twitter, Google)
  ● Mobile Applications Security
  ● REST Applications Security
● Quickstart examples! =)
Identity Provider
● Create security-domain
● Create new web-app
  ● pom.xml - manifest deps: org.picketlink
  ● web.xml
    – Configure container managed authentication
    – IDPHttpSessionListener
    – IDPFilter
  ● picketlink.xml
    – SAML specific configuration
    – idp url, trusted domains, ...
Service Provider
● Create security-domain
  ● SAML2LoginModule
● picketlink.xml
  ● IDP URL, SP URL
  ● Keystore parameters
?