Re: ServiceMix and security

[Guillaume Nodet]

I do agree that we really need to separate 3 different security issues:
  * authentication / authorization
  * secure transport
  * integrity of the message

In my previous mail, I was mainly talking about authentication / authorization.
Such authorizations could be configured on the ServiceMix container
using a static xml configuration file or dynamically using a JMX
mbean.  Using some simple rules for granting access to a given
interface, service or endpoint should be feasible.  ActiveMQ already
has such a feature to grant access to jms destinations using a simple
configuration mechanism.
When an exchange is sent by a component, the container could check the
given subject for an authorization (and even use the authorizations to
select a valid jbi endpoint when targeting an interface or service
name).  Some components may also need to use the given subject to
access resources (http with authentication, acessing JEE resources),
but this is a problem specific to such a component.
I hope that such a mechanism (on the container side) could be
pluggable and integrated with the authentication mechanism provided by
the hosting JEE container.

A binding component will of course be responsible for securing its own
transport when possible: using https for the HTTP BC, ssl on tcp for
ActiveMQ (do not know of other JMS providers...).   When using a
clustered flow, the underlying ActiveMQ broker can already be
configured to use SSL on the tcp transport.

The only way I am aware of to ensure integrity of the message is to
use ws-sec for soap messages, or the underlying xmldsig
(http://www.w3.org/TR/xmldsig-core/) for non-soap messages (problems
may arise on how to carry the needed informations).  I still need to
read these specs...
This may be needed by binding components acting as consumers or
providers or clustered flows, as I do not really see the need of
securing informations that are not sent on the network.  Such a
service may be implemented as a JBI component so that it can be used
by all components, but I do not see the real need for that yet.  I
even doubt that there is a real need for using xmldsig without ws-sec:
using soap may be an acceptable limitation when you want to secure
messages and afaik this is the only way to be interoperable.
Clustered flows could be configured to use wsdsig directly, as they do
not need to interoperate with other components.

Cheers,
Guillaume Nodet



On 4/25/06, Hossam Karim <[EMAIL PROTECTED]> wrote:
> Please find my comments inline.
>
> -Original Message-
> From: Guillaume Nodet [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 25, 2006 10:45 AM
> To: servicemix-dev@geronimo.apache.org
> Subject: Re: ServiceMix and security
>
> The main problem of using a JBI component to provide security is that
> when you use a clustered ServiceMix, JBI exchanges may go to the
> security component using a clustered flow.  In such a case, the
> exchange will be sent on the wire in an unsecured / unauthenticated
> way.
>
> Yes, this is true, but I believe this is not just a problem for ServiceMix
> only, any clustered application should provide the option of securing the
> network communication, like enabling SSL for example. I think ActiveMQ
> already supports that.
>
> I have always thought that security should be provided by the
> container.  I would compare it to a web server which has built-in
> security to secure web applications.  The application can always use a
> custom login / authentication scheme, but the prefered way is to
> delegate to the container (and implement a specific realm if needed),
> which is the only way to provide SSO afaik.
>
> Besides this, if security is handled by the container, it will be able
> to detect authorization failures earlier and even use them when
> implicit endpoint selection is used: if the jbi exchange target is an
> interface QName, the container could check matching endpoints for
> authorization instead of selecting one and having an authorization
> failure.
>
> There are two points here, we need to answer the question: What do we want
> to secure and who should be responsible for the security?
>
> - If we are concerned about providing a global security mechanism for
> accessing any of the ServiceMix bus services, then I think what you are
> proposing is exactly what is needed. I hope the specification would address
> this in its next version. Integrating with application servers' security
> would be a great selling point for ServiceMix here. But still, how would you
> do that? How would force all secured services with all their different
> protocols to follow your security model?
> Can you please illustrate more about the technical details you have in mind
> that can lead to implementing such feature?
>
> - If we are talking about securing the transport protocols and messag

Re: ServiceMix and security

[Antoni Reus]

I think that you are right with your example of a web container.

JBI defines a container, just like a web container or a ejb container.




En/na Guillaume Nodet ha escrit:


The main problem of using a JBI component to provide security is that
when you use a clustered ServiceMix, JBI exchanges may go to the
security component using a clustered flow.  In such a case, the
exchange will be sent on the wire in an unsecured / unauthenticated
way.

I have always thought that security should be provided by the
container.  I would compare it to a web server which has built-in
security to secure web applications.  The application can always use a
custom login / authentication scheme, but the prefered way is to
delegate to the container (and implement a specific realm if needed),
which is the only way to provide SSO afaik.

Besides this, if security is handled by the container, it will be able
to detect authorization failures earlier and even use them when
implicit endpoint selection is used: if the jbi exchange target is an
interface QName, the container could check matching endpoints for
authorization instead of selecting one and having an authorization
failure.

Last point, if security is provided by a component, all components
will have to be rewritten so that they can leverage this feature.  It
seems much more interesting that security is provided transparently by
the container...

I really think that container security is the most flexible and
pluggable way to handle security as it is centralized.

Any thoughts ?

Cheers,
Guillaume Nodet

On 4/19/06, Hossam Karim <[EMAIL PROTECTED]> wrote:
 


Just thinking:
- Security is a service
- A component installed inside SM can support a SM specific security
contract, in which a security provider implementing this contract can be
bound to one or more installed components. This provider can provide
authentication, digital signature verification, XML encryption and
decryption, integration with LDAP, etc.
- A component that has a security provider installed should delegate all
security operations to its provider.
- A component that has a security provider should provide additional
management operations through JMX to secure its lifecycle management.

Hossam


-Original Message-
From: Guillaume Nodet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 2:57 AM
To: servicemix-dev@geronimo.apache.org
Subject: ServiceMix and security

One of the important feature ServiceMix does not address yet is security.
I' m not really familiar with this aspect so please forgive my
ignorance and speak if you have any idea / corrections.

Security can be applied in different areas:
 * secure transports
 * secure messages
 * secure services

Securing transports can be done using SSL on JMS or HTTP.  Securing
the JMS broker is beyond ServiceMix scope, but ActiveMQ supports SSL
on tcp transport.  So this works fine for both the JMS binding
component and any clustered flow.  Securing HTTP will be done asap (we
already have a patch, see
http://issues.apache.org/activemq/browse/SM-372).

Securing messages is not handled yet, but can be done using
WS-Security on soap enabled transports (servicemix-jms and
servicemix-http binding components).  Is there a need to secure
messages within the bus ?

Securing services seems to be the most difficult part.  The JMS specs
only mention the use of the subject property on a NormalizedMessage
http://java.sun.com/integration/1.0/docs/sdk/api/javax/jbi/messaging/Normali
zedMessage.html#setSecuritySubject(javax.security.auth.Subject).
The main problem is how to set / use this information and how
informations about service authorizations.
Such security informations may be embedded in the service unit /
service assemblies deployment, or may be configured separately on the
container.  When a component sends a jbi exchange, the  container
could check the authorizations for the destination endpoint (or
service, interface ?).
However, I do not have any clue on how this information will be
provided by binding components when an external message comes in. HTTP
transport could leverage HTTP authentication, but what about the other
transports ?

All this security has also to be integrated with J2EE containers
security when ServiceMix is deployed into such a container.

Cheers,
Guillaume Nodet


   




 



--

Antoni Reus Darder
Cap de Projecte
Administració Digital, Negoci Electrònic i Sanitat

F u n d a c i ó   I B I T
Illes Balears Innovació Tecnològica
http://www.ibit.org
Tel. +34 971 17 72 70/71
Fax. +34 971 17 72 79

Re: ServiceMix and security

[Dan Diephouse]

Hiya Guillaume,

Some thoughts inlined...

Guillaume Nodet wrote:

Securing messages is not handled yet, but can be done using
WS-Security on soap enabled transports (servicemix-jms and
servicemix-http binding components).  Is there a need to secure
messages within the bus ?

  
Could there be a situation where multiple users are using the bus and 
they all have different levels of access? And also in that situation 
could there be a message broadcast where only certain users have access 
to the information? If so I think there may be some need for encrypted 
messages.

Securing services seems to be the most difficult part.  The JMS specs
only mention the use of the subject property on a NormalizedMessage
http://java.sun.com/integration/1.0/docs/sdk/api/javax/jbi/messaging/NormalizedMessage.html#setSecuritySubject(javax.security.auth.Subject).
The main problem is how to set / use this information and how
informations about service authorizations.
Such security informations may be embedded in the service unit /
service assemblies deployment, or may be configured separately on the
container.  When a component sends a jbi exchange, the  container
could check the authorizations for the destination endpoint (or
service, interface ?).
However, I do not have any clue on how this information will be
provided by binding components when an external message comes in. HTTP
transport could leverage HTTP authentication, but what about the other
transports ?

  

I think I see two ways we could set the SecuritySubject:
- At the configuration level, i.e. configuring the username/password in 
the BC configuration
- The API of the Binding Component - say we have a BC which access a 
service on the bus that needs the SecuritySubject. When the user 
interacts with the API of the BC, they would need to provide their 
security information. The BC would then be responsible for setting the 
Subject on the NormalizedMessage
- Another option would be to do some sort of ThreadLocal type thing. If 
a BC doesn't have a way to set the security info, we could always create 
a custom API along the likes of 
"SecurityContext.setCurrentSubject(subject)".


I also have been doing some thinking about WS-Security/Policy 
integration. WS-Security is easy enough to hook in, we just need to wire 
in XFire to listen for requests then pass on the messages to the bus. 
I'm guess we can use the ws-sec security tokens and put those on the bus 
as well? XFire But there is the whole problem that ws-sec just sucks and 
is too damn slow, so I don't really like pushing it as a good option.


Also, it'd be really cool to just to write the policy or policy 
fragments and have the endpoint in servicemix enforce that. So we can 
require security or RM or whatever else real easily. Guess I need to get 
off my arse and do some WS-Policy integration with XFire.


- Dan

--
Dan Diephouse
Envoi Solutions
http://envoisolutions.com
http://netzooid.com/blog

Re: ServiceMix and security

[Dain Sundstrom]

On Apr 19, 2006, at 10:40 AM, Bruce Snyder wrote:


On 4/18/06, Hossam Karim <[EMAIL PROTECTED]> wrote:

Just thinking:
- Security is a service
- A component installed inside SM can support a SM specific security
contract, in which a security provider implementing this contract  
can be

bound to one or more installed components. This provider can provide
authentication, digital signature verification, XML encryption and
decryption, integration with LDAP, etc.
- A component that has a security provider installed should  
delegate all

security operations to its provider.
- A component that has a security provider should provide additional
management operations through JMX to secure its lifecycle management.


Actually I agree with Hossam here. I've always considered that
security would be delegated to other components, not built into the
core of each component. This will allow a wider variation of security
models to be addressed and will also allow custom security components
to be created to address custom security models on a per enterprise
basis.


When coding Geronimo, I have found that as soon as I say, "no one  
will ever do X" someone shows me a service doing just that, so my  
question is, how will ServiceMix handle components that have security  
"built into the core"?


-dain

Re: ServiceMix and security

[Bruce Snyder]

On 4/18/06, Hossam Karim <[EMAIL PROTECTED]> wrote:
> Just thinking:
> - Security is a service
> - A component installed inside SM can support a SM specific security
> contract, in which a security provider implementing this contract can be
> bound to one or more installed components. This provider can provide
> authentication, digital signature verification, XML encryption and
> decryption, integration with LDAP, etc.
> - A component that has a security provider installed should delegate all
> security operations to its provider.
> - A component that has a security provider should provide additional
> management operations through JMX to secure its lifecycle management.

Actually I agree with Hossam here. I've always considered that
security would be delegated to other components, not built into the
core of each component. This will allow a wider variation of security
models to be addressed and will also allow custom security components
to be created to address custom security models on a per enterprise
basis.

Bruce
--
perl -e 'print unpack("u30","D0G)[EMAIL 
PROTECTED]&5R\"F)R=6-E+G-N>61Ehttp://geronimo.apache.org/
Apache ActiveMQ - http://incubator.apache.org/activemq/
Apache ServiceMix - http://incubator.apache.org/servicemix/
Castor - http://castor.org/

ServiceMix and security

[Guillaume Nodet]

One of the important feature ServiceMix does not address yet is security.
I' m not really familiar with this aspect so please forgive my
ignorance and speak if you have any idea / corrections.

Security can be applied in different areas:
  * secure transports
  * secure messages
  * secure services

Securing transports can be done using SSL on JMS or HTTP.  Securing
the JMS broker is beyond ServiceMix scope, but ActiveMQ supports SSL
on tcp transport.  So this works fine for both the JMS binding
component and any clustered flow.  Securing HTTP will be done asap (we
already have a patch, see
http://issues.apache.org/activemq/browse/SM-372).

Securing messages is not handled yet, but can be done using
WS-Security on soap enabled transports (servicemix-jms and
servicemix-http binding components).  Is there a need to secure
messages within the bus ?

Securing services seems to be the most difficult part.  The JMS specs
only mention the use of the subject property on a NormalizedMessage
http://java.sun.com/integration/1.0/docs/sdk/api/javax/jbi/messaging/NormalizedMessage.html#setSecuritySubject(javax.security.auth.Subject).
The main problem is how to set / use this information and how
informations about service authorizations.
Such security informations may be embedded in the service unit /
service assemblies deployment, or may be configured separately on the
container.  When a component sends a jbi exchange, the  container
could check the authorizations for the destination endpoint (or
service, interface ?).
However, I do not have any clue on how this information will be
provided by binding components when an external message comes in. HTTP
transport could leverage HTTP authentication, but what about the other
transports ?

All this security has also to be integrated with J2EE containers
security when ServiceMix is deployed into such a container.

Cheers,
Guillaume Nodet