Web Service Security
Introduction
The Web Service Security (WSS) functionality that comes with DDF is integrated throughout the system. This document serves as a central reference that shows how all of the pieces work together and where they live inside the system.
DDF comes with a Security Framework and Security Services. The Security Framework is the set of APIs that define the integration with the DDF framework and the Security Services are the reference implementations of those APIs built for a realistic end-to-end use case.
Security Framework
The DDF Security Framework utilizes Apache Shiro (http://shiro.apache.org/) as the underlying security framework. The classes mentioned in this section will have their full package name listed so that it is easy to tell which classes come with the core Shiro framework and which are added by DDF.
Subject
ddf.security.Subject <extends> org.apache.shiro.subject.Subject
The Subject is the key object in the security framework. Most of the workflow and implementations revolve around creating and using a Subject. The Subject object in DDF is a class that encapsulates all information about the user performing the current operation. The Subject can also be used to perform permission checks to see if the calling user has acceptable permission to perform a certain action (examples: calling a service or returning a metacard). DDF defines its own Subject class because the Shiro interface could not be added to the Query Request property map.
Implementations of Subject:
Classname | Description |
---|---|
ddf.security.impl.SubjectImpl | Extends org.apache.shiro.subject.support.DelegatingSubject |
Security Manager
ddf.security.service.SecurityManager
The Security Manager is a service that handles the creation of Subject objects. A proxy to this service should be obtained by an endpoint to create a Subject and add it to the outgoing QueryRequest. The Shiro framework relies on creating the subject by obtaining it from the current thread. Due to the multi-threaded and stateless nature of the DDF framework, utilizing the SecurityManager interface makes retrieving Subjects easier and safer.
Implementations of Security Managers:
Classname | Description |
---|---|
ddf.security.service.SecurityManagerImpl | This implementation of the SecurityManager handles taking in both org.apache.shiro.authc.AuthenticationToken and org.apache.cxf.ws.security.tokenstore.SecurityToken objects. |
AuthenticationTokens
org.apache.shiro.authc.AuthenticationToken
Authentication Tokens are used to verify authentication of a user when creating a subject. A common use-case is when a user is logging directly in to the DDF framework.
Classname | Description |
---|---|
ddf.security.service.impl.cas.CasAuthenticationToken | This Authentication Token is used for authenticating a user that has logged in with CAS. It takes in a proxy ticket which can be validated on the CAS server. |
Realms
Authenticating Realms
org.apache.shiro.realm.AuthenticatingRealm
Authenticating Realms are used to authenticate an incoming authentication token and create a Subject on successful authentication.
Implementations of Authenticating Realms that come with DDF:
Classname | Description |
---|---|
ddf.security.realm.sts.StsRealm | This realm delegates authentication to the STS. It creates a RequestSecurityToken message from the incoming AuthenticationToken and converts a successful STS response into a Subject. |
Authorizing Realms
org.apache.shiro.realm.AuthorizingRealm
Authorizing Realms are used to perform authorization on the current Subject. They are used for both Service AuthZ and Filtering/Redaction. Each realm is passed the AuthorizationInfo of the Subject along with the Permissions of the object being accessed. The realm responds with true if the Subject has permission to access the object, or false if it does not.
Implementations of Authorizing Realms that come with DDF:
Classname | Description |
---|---|
ddf.security.service.AbstractAuthorizingRealm | This is an Abstract Authorizing Realm that takes care of caching and parsing the Subject's AuthorizationInfo. It should be extended so that the implementing realm can focus on making the decision. |
ddf.security.pep.realm.XACMLRealm | This realm delegates the authorization decision to a XACML-based Policy Decision Point (PDP) backend. It creates a XACML 3.0 request and looks on the OSGi framework for any service implementing ddf.security.pdp.api.PolicyDecisionPoint. |
ddf.security.pdp.realm.SimpleAuthZRealm | This realm performs the authorization decision without delegating to an external service. It uses the incoming permissions to create a decision. |
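How an authorizing realm reduces the Subject's AuthorizationInfo and an object's Permissions to a true/false answer, shown as an added example built only on Apache Shiro's public API (it is not DDF's own code). AttributePermission, LocalDecisionRealm, the principal name and the attribute values are hypothetical, constructed for illustration.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class RealmDecisionExample {

    /** Hypothetical permission: one attribute name and the values it carries or requires. */
    static final class AttributePermission implements Permission {
        final String key;
        final Set<String> values;
        AttributePermission(String key, String... values) {
            this.key = key;
            this.values = new HashSet<>(Arrays.asList(values));
        }
        /** The Subject's permission implies the object's when it holds every required value. */
        @Override
        public boolean implies(Permission required) {
            if (!(required instanceof AttributePermission)) {
                return false; // unknown permission type: deny by default
            }
            AttributePermission r = (AttributePermission) required;
            return key.equals(r.key) && values.containsAll(r.values);
        }
    }

    /** Hypothetical realm that decides locally, without delegating to an external service. */
    static final class LocalDecisionRealm extends AuthorizingRealm {
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            // Constructed attributes; a real realm would derive them from the Subject.
            info.addObjectPermission(new AttributePermission("role", "analyst", "user"));
            return info;
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            return null; // this realm authorizes only; it never authenticates
        }
    }

    public static void main(String[] args) {
        LocalDecisionRealm realm = new LocalDecisionRealm();
        PrincipalCollection caller = new SimplePrincipalCollection("jdoe", realm.getName());
        // Permissions of the objects being accessed (constructed sample values).
        Permission open = new AttributePermission("role", "user");
        Permission restricted = new AttributePermission("role", "admin");
        System.out.println("open permitted: " + realm.isPermitted(caller, open));
        System.out.println("restricted permitted: " + realm.isPermitted(caller, restricted));
    }
}
```

Running it requires shiro-core and its logging dependency on the classpath. The instanceof check makes any permission type the realm does not understand a denial rather than an accidental grant.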
Auditing
Authentication (AuthN)
Central Authentication Server (CAS)
Authorization (AuthZ)
Service Authorization
XACML Policy Decision Point (PDP)