Web Service Security

Introduction

The Web Service Security (WSS) functionality that comes with DDF is integrated throughout the system. This document acts as a central point that shows how all of the pieces work together and points out where they live inside the system.

DDF comes with a Security Framework and Security Services. The Security Framework is the set of APIs that define the integration with the DDF framework; the Security Services are the reference implementations of those APIs, built for a realistic end-to-end use case.

Security Framework

The DDF Security Framework uses Apache Shiro (http://shiro.apache.org/) as the underlying security framework. The classes mentioned in this section are listed with their full package names so that it is easy to tell which classes come with the core Shiro framework and which are added by DDF.

Subject

ddf.security.Subject extends org.apache.shiro.subject.Subject

The Subject is the key object in the security framework. Most of the workflow and implementations revolve around creating and using a Subject. The Subject object in DDF is a class that encapsulates all information about the user performing the current operation. The Subject can also be used to perform permission checks to see whether the calling user has sufficient permission to perform a certain action (for example, calling a service or returning a metacard). A DDF-specific class was needed because the plain Shiro interface could not be added to the QueryRequest property map.

Implementations of Subject:

Classname | Description
ddf.security.impl.SubjectImpl | Extends org.apache.shiro.subject.support.DelegatingSubject

Security Manager 

ddf.security.service.SecurityManager

The Security Manager is a service that handles the creation of Subject objects. An endpoint should obtain a proxy to this service to create a Subject and add it to the outgoing QueryRequest. Shiro itself expects the Subject to be obtained from the current thread; because the DDF framework is multi-threaded and stateless, going through the SecurityManager interface makes retrieving Subjects easier and safer.

Implementations of Security Managers:

Classname | Description
ddf.security.service.SecurityManagerImpl | This implementation of the SecurityManager accepts both org.apache.shiro.authc.AuthenticationToken and org.apache.cxf.ws.security.tokenstore.SecurityToken objects.
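The following is an added example (not DDF's own code) of how an endpoint would put the Subject and Security Manager sections above into practice: it asks the injected SecurityManager for a Subject instead of touching Shiro's thread-bound SecurityUtils, performs a service-level permission check, and then carries the Subject in the outgoing QueryRequest property map so that downstream plugins can filter or redact against it. The method name SecurityManager.getSubject(Object), the SecurityConstants.SECURITY_SUBJECT key, the QueryRequestImpl(Query, Map) constructor, the assumption that the Subject implementation is Serializable, and the permission string "catalog:query" are all assumptions made for this example and are not confirmed by this page.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.authc.AuthenticationToken;

import ddf.catalog.operation.Query;
import ddf.catalog.operation.QueryRequest;
import ddf.catalog.operation.impl.QueryRequestImpl;
import ddf.security.SecurityConstants;
import ddf.security.Subject;
import ddf.security.service.SecurityManager;
import ddf.security.service.SecurityServiceException;

/**
 * Illustrative endpoint (not part of DDF) showing the intended flow:
 * token -> SecurityManager -> Subject -> permission check -> QueryRequest.
 */
public class SecuredQueryEndpoint {

    // Proxy to the SecurityManager OSGi service, injected by the container.
    private final SecurityManager securityManager;

    public SecuredQueryEndpoint(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    public QueryRequest buildRequest(Query query, AuthenticationToken token)
            throws SecurityServiceException {
        // 1. Authenticate. The SecurityManager runs the token through the configured
        //    AuthenticatingRealm(s); a bad token surfaces as SecurityServiceException.
        //    (getSubject(Object) is assumed to be the SecurityManager method.)
        Subject subject = securityManager.getSubject(token);

        // 2. Service AuthZ: default deny. Refuse early if the caller may not query at all.
        //    The permission string is a constructed placeholder, not a DDF constant.
        if (!subject.isPermitted("catalog:query")) {
            throw new SecurityServiceException(
                    "subject is not permitted to perform catalog:query");
        }

        // 3. Carry the Subject with the request. Downstream pre/post-query plugins read it
        //    back under the same key to perform filtering and redaction.
        //    (Assumes the Subject implementation is Serializable, as the property map requires.)
        Map<String, Serializable> properties = new HashMap<>();
        properties.put(SecurityConstants.SECURITY_SUBJECT, (Serializable) subject);
        return new QueryRequestImpl(query, properties);
    }

    /** How a downstream component recovers the Subject for its own checks. */
    public static Subject subjectOf(QueryRequest request) {
        Object value = request.getProperties().get(SecurityConstants.SECURITY_SUBJECT);
        if (!(value instanceof Subject)) {
            // Treat a missing Subject as an unauthenticated caller, never as an admin.
            throw new IllegalStateException("request carries no security subject");
        }
        return (Subject) value;
    }
}
```

The important design point is that nothing here consults a thread-local: the Subject travels with the request, which is what makes the check safe in a stateless, multi-threaded pipeline.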

AuthenticationTokens

org.apache.shiro.authc.AuthenticationToken

Authentication Tokens are used to verify the authentication of a user when creating a Subject. A common use case is a user logging in directly to the DDF framework.

Classname | Description
ddf.security.service.impl.cas.CasAuthenticationToken | This Authentication Token is used for authenticating a user that has logged in with CAS. It takes in a proxy ticket which can be validated on the CAS server.

Realms

Authenticating Realms

org.apache.shiro.realm.AuthenticatingRealm

Authenticating Realms are used to authenticate an incoming authentication token and create a Subject on successful authentication.

Implementations of Authenticating Realms that come with DDF:

Classname | Description
ddf.security.realm.sts.StsRealm | This realm delegates authentication to the STS. It creates a RequestSecurityToken message from the incoming AuthenticationToken and converts a successful STS response into a Subject.
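As an added illustration of the Authenticating Realm contract (this is example code, not StsRealm or any other DDF class), the realm below accepts a ticket-style token, hands the ticket to an external validator, and only builds AuthenticationInfo from the identity the validator returns, never from whatever the caller claimed. TicketToken and TicketValidator are hypothetical types constructed for this example; the Shiro classes and the supports/doGetAuthenticationInfo methods are real Shiro API.

```java
import java.util.Map;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.realm.AuthenticatingRealm;

/** Hypothetical token carrying an opaque ticket (constructed for this example). */
class TicketToken implements AuthenticationToken {
    private final String ticket;

    TicketToken(String ticket) {
        this.ticket = ticket;
    }

    // The ticket is opaque: the realm must not trust any principal before validation.
    @Override public Object getPrincipal() { return null; }
    @Override public Object getCredentials() { return ticket; }
}

/** Hypothetical validator, e.g. a call to the issuing server (constructed for this example). */
interface TicketValidator {
    /** Returns the validated principal, or throws if the ticket is bad, expired or reused. */
    String validate(String ticket) throws AuthenticationException;
}

/** Example realm: delegates the authentication decision to the validator. */
public class TicketValidatingRealm extends AuthenticatingRealm {
    private final TicketValidator validator;

    public TicketValidatingRealm(TicketValidator validator) {
        this.validator = validator;
        // Shiro's default SimpleCredentialsMatcher compares the token credentials
        // with the credentials we place in the AuthenticationInfo; they are the same ticket.
    }

    // Only handle our token type so other realms in the chain are left alone.
    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof TicketToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String ticket = (String) token.getCredentials();
        if (ticket == null || ticket.isEmpty()) {
            throw new AuthenticationException("empty ticket");
        }
        // The validator is the authority on who this ticket belongs to.
        String principal = validator.validate(ticket);
        return new SimpleAuthenticationInfo(principal, ticket, getName());
    }

    /** Stand-alone demonstration with a constructed in-memory validator. */
    public static void main(String[] args) {
        Map<String, String> issued = Map.of("ST-constructed-123", "alice");
        TicketValidator inMemory = t -> {
            String who = issued.get(t);
            if (who == null) {
                throw new AuthenticationException("unknown ticket");
            }
            return who;
        };
        TicketValidatingRealm realm = new TicketValidatingRealm(inMemory);
        realm.setName("ticketRealm");

        AuthenticationInfo ok = realm.getAuthenticationInfo(new TicketToken("ST-constructed-123"));
        System.out.println("authenticated as " + ok.getPrincipals().getPrimaryPrincipal());
        try {
            realm.getAuthenticationInfo(new TicketToken("ST-forged"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A realm wired this way fails closed: an unknown or malformed ticket never produces AuthenticationInfo, so no Subject is ever created for it.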

Authorizing Realms

org.apache.shiro.realm.AuthorizingRealm

Authorizing Realms are used to perform authorization on the current Subject. They are used both for Service AuthZ and for Filtering/Redaction. They are passed the AuthorizationInfo of the Subject along with the Permissions of the object being accessed. The response from these realms is true (the Subject has permission to access the object) or false (the Subject does not).

Implementations of Authorizing Realms that come with DDF:

Classname | Description
ddf.security.service.AbstractAuthorizingRealm | This is an abstract Authorizing Realm that takes care of caching and parsing the Subject's AuthorizationInfo; it should be extended so that the implementing realm can focus on making the decision.
ddf.security.pep.realm.XACMLRealm | This realm delegates the authorization decision to a XACML-based Policy Decision Point (PDP) backend. It creates a XACML 3.0 request and looks on the OSGi framework for any service implementing ddf.security.pdp.api.PolicyDecisionPoint.
ddf.security.pdp.realm.SimpleAuthZRealm | This realm performs the authorization decision without delegating to an external service. It uses the incoming permissions to create a decision.
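The following added example (not DDF's AbstractAuthorizingRealm or SimpleAuthZRealm) shows the Authorizing Realm decision described above using plain Shiro: the realm supplies the Subject's AuthorizationInfo from a grants table, and the check against the accessed object's Permission yields true or false, with no grants meaning deny. The grants table, the permission strings such as "metacard:read:unclassified", and the user names are all constructed for this example.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/** Example authorization-only realm: decides from a per-user grants table. */
public class GrantsAuthorizingRealm extends AuthorizingRealm {

    // Constructed sample data: principal -> wildcard permission strings.
    private final Map<String, Collection<String>> grantsByPrincipal;

    public GrantsAuthorizingRealm(Map<String, Collection<String>> grantsByPrincipal) {
        this.grantsByPrincipal = grantsByPrincipal;
        setName("grantsRealm");
    }

    // Build the Subject's AuthorizationInfo. Shiro caches the result per principal
    // when a CacheManager is configured, which is the "caching" role the abstract DDF
    // realm plays for its subclasses.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String principal = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String grant : grantsByPrincipal.getOrDefault(principal, List.of())) {
            info.addStringPermission(grant);
        }
        return info; // an empty info means every check below evaluates to false
    }

    // This realm does not authenticate; AuthorizingRealm still requires these overrides.
    @Override
    public boolean supports(AuthenticationToken token) {
        return false;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null;
    }

    /** The decision: true only if the Subject's grants imply the object's permission. */
    public boolean decide(String principal, Permission objectPermission) {
        PrincipalCollection pc = new SimplePrincipalCollection(principal, getName());
        return isPermitted(pc, objectPermission);
    }

    /** Stand-alone demonstration on constructed data. */
    public static void main(String[] args) {
        GrantsAuthorizingRealm realm = new GrantsAuthorizingRealm(Map.of(
                "analyst", List.of("metacard:read:unclassified", "catalog:query"),
                "admin", List.of("metacard:*")));

        Permission readUnclass = new WildcardPermission("metacard:read:unclassified");
        Permission readSecret = new WildcardPermission("metacard:read:secret");

        System.out.println(realm.decide("analyst", readUnclass)); // true
        System.out.println(realm.decide("analyst", readSecret));  // false: no matching grant
        System.out.println(realm.decide("admin", readSecret));    // true: wildcard covers it
        System.out.println(realm.decide("guest", readUnclass));   // false: unknown principal, default deny
    }
}
```

When this pattern is used for Filtering/Redaction, the same decide() call is made once per metacard with that metacard's permissions, and only the records for which it returns true are released to the caller.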

Related sections

Auditing
  - Auditing

Authentication (AuthN)
  - Central Authentication Server (CAS)
  - CAS SSO Configuration

Authorization (AuthZ)
  - Service Authorization
  - XACML Policy Decision Point (PDP)
  - Resource Authorization
  - Redaction and Filtering

Security Token Service
  - Security Token Service