<Insert Picture Here> Hudson Security Architecture. Winston Prakash. Click to edit Master subtitle style



Similar documents
Spring Security 3.

Remote Authentication and Single Sign-on Support in Tk20

Using weblock s Servlet Filters for Application-Level Security

Advanced OpenEdge REST/Mobile Security

Application Security

Configuration Guide - OneDesk to SalesForce Connector

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Portal User Guide. Customers. Version 1.1. May of 5

Sun Access Manager CAC Authentication Deployment Configuration Guide

Spring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious

Setup Guide for Magento and BlueSnap

More about Continuous Integration:

CA Performance Center

Windows XP Exchange Client Installation Instructions

WWPass External Authentication Solution for IBM Security Access Manager 8.0

OpenLDAP Oracle Enterprise Gateway Integration Guide

Lucid Key Server v2 Installation Documentation.

Secure Messaging Server Console... 2

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Crawl Proxy Installation and Configuration Guide

Unlocking the Secrets of Alfresco Authentication. Mehdi BELMEKKI,! Consultancy Team! Alfresco!

In a browser window, enter the Canvas registration URL: silverlakemustangs.instructure.com

Securing Fusion Web Applications

NETASQ ACTIVE DIRECTORY INTEGRATION

WebNow Single Sign-On Solutions

How To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net (Net 2) On A Gmaalto.Com Web Server

WatchGuard QMS End User Guide

SETTING UP REMOTE ACCESS ON EYEMAX PC BASED DVR.

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Configuring BEA WebLogic Server for Web Authentication with SAS 9.2 Web Applications

Oracle Managed File Getting Started - Transfer FTP Server to File Table of Contents

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

Virtual Code Authentication User Guide for Administrators

Progress OpenEdge REST

Recommended readings. Lecture 11 - Securing Web. Applications. Security. Declarative Security

Using jlock s Java Authentication and Authorization Service (JAAS) for Application-Level Security

CMDBuild Authentication (file auth.conf)

Delegated Administration Quick Start

<Insert Picture Here> Introducing Hudson. Winston Prakash. Click to edit Master subtitle style

Expresso Quick Install

Workshop for WebLogic introduces new tools in support of Java EE 5.0 standards. The support for Java EE5 includes the following technologies:

Plugin Integration Guide

Pierce County IT Department GIS Division Xuejin Ruan Dan King

LDAP User Service Guide 30 June 2006

CA Nimsoft Service Desk

Eylean server deployment guide

Configure Single Sign on Between Domino and WPS

Adobe Connect LMS Integration for Blackboard Learn 9

Safewhere*Identify 3.4. Release Notes

Configuration Worksheets for Oracle WebCenter Ensemble 10.3

Configuring IBM WebSphere Application Server 7.0 for Web Authentication with SAS 9.3 Web Applications

Instant Chime for IBM Sametime Installation Guide for Apache Tomcat and Microsoft SQL

Integrating EJBCA and OpenSSO

SSO Plugin. Installation for BMC AR System and WUT. J System Solutions. Version 3.4

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Copyright

Xerox DocuShare Security Features. Security White Paper

FortyCloud Installation Guide. Installing FortyCloud Gateways Using AMIs (AWS Billing)

A (re)introduction to Spring Security

Spring Security SAML module

GlassFish Security. open source community experience distilled. security measures. Secure your GlassFish installation, Web applications,

IIS, FTP Server and Windows

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

ADMINISTERING ADOBE LIVECYCLE MOSAIC 9.5

Creating a User Profile for Outlook 2013

WebSphere Business Monitor V7.0: Clustering Single cluster deployment environment pattern

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

SOA Software API Gateway Appliance 7.1.x Administration Guide

SecureAware on IIS8 on Windows Server 2008/- 12 R2-64bit

How To - Implement Single Sign On Authentication with Active Directory

SelectSurvey.NET User Manual

Administering User Security

Deploying RSA ClearTrust with the FirePass controller

docs.hortonworks.com

User Replicator USER S GUIDE

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

VERALAB LDAP Configuration Guide

Active Directory Requirements and Setup

AUTHENTICATION... 2 Step 1:Set up your LDAP server... 2 Step 2: Set up your username... 4 WRITEBACK REPORT... 8 Step 1: Table structures...

Q&A Session for Understanding Atrium SSO Date: Thursday, February 14, 2013, 8:00am Pacific

TypingMaster Intra. LDAP / Active Directory Installation. Technical White Paper (2009-9)

Instant Chime for IBM Sametime For IBM Websphere and IBM DB2 Installation Guide

Getting Started with Clearlogin A Guide for Administrators V1.01

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

LDAP User Guide PowerSchool Premier 5.1 Student Information System

Running and Testing Java EE Applications in Embedded Mode with JupEEter Framework

Configuring Nex-Gen Web Load Balancer

Complete Java Web Development

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Windows Clients and GoPrint Print Queues

2/24/2010 ClassApps.com

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

OpenAM. 1 open source 1 community experience distilled. Single Sign-On (SSO) tool for securing your web. applications in a fast and easy way

Working with Indicee Elements

This is a training module for Maximo Asset Management V7.1. It demonstrates how to use the E-Audit function.

Sonian Getting Started Guide October 2008

Building Secure Applications. James Tedrick

Oracle9i Application Server: Options for Running Active Server Pages. An Oracle White Paper July 2001

How To Use Saml 2.0 Single Sign On With Qualysguard

Transcription:

<Insert Picture Here> Hudson Security Architecture Click to edit Master subtitle style Winston Prakash

Hudson Security Architecture Hudson provides a security mechanism which allows Hudson Administrators to control areas of access to users or group of users. The key definitions are: Authentication - Determines the identity of a user or roles and represents the Authenticated mode of the user o roles. Authorization/Permission - Determines what resources can be accessed or what actions can be executed by an authenticated user or process. Role - Represents a set of functional responsibilities and specific permissions. Users and groups are assigned to roles to authorize these permissions. AccessControlled An object that has constraints defined by Permission object. ACL a list of Permissions attached to an AccessControlled Object. SecurityRealm represents the scope of the security data from which the users are authenticated. AuthorizationStrategy a strategy with which the Hudson security is enabled.

Authorization Strategy Authorization strategy dictates how Hudson areas are granted access. Unsecured In this default mode, no security imposed, any one can do anything Legacy This strategy grants read access to every one, except a username admin who gets full administrator privilege. Full Control Once Login This strategy grants full Administrator privilege to any who logs in, rest all gets read only privilege. Global Matrix A matrix of privileges are retained by this strategy to grant access Privileged areas are granted access based on the strategy defined in this matrix. Project Matrix Each project can include its own subset of matrix based privileges.

Security Realm A Realm provides a collection of users and groups (user database) that are controlled by the same authentication policy. Legacy Uses Container based Authentication. Assumes the user is already authenticated by container. Password Based Uses Username/Password based authentication. Two implementations are Hudson Private Uses internal database to store username & password LDAP based authentication PAM Uses Unix Pluggable Authentication Module for authentication. Security Realm contributes to view via two files LoginLink.jelly Adds the login/logout link to the dashboard Config.jelly Provides UI to configure the page

Access Control List When a user requests an operation on a Model object, if it is a access controlled, the Access Control List (ACL) is checked for an applicable entry to decide whether the requested operation is authorized. Hudson uses a Security identifier (Sid) as a key to map the Permissions. The Authorization Strategy adds Map Entry with a mapping between Sid and Permission to ACL. Authorization Strategy like Matrix Provides UI for users to add the Role based Permission Mapping. Full Control Once LoggedIn Authorization Strategy adds the Entries as (EveryOne, Administrator, true) (Anonymous, Administrator, false) (Anonymous, Read, true) Legacy Authorization Strategy adds as (Anonymous, Read, true) ( admin, Administrator, true)

Authorization When Security is enabled, with out proper authorization, certain areas of hudson can not be accessed. The authorization is governed by authorization Strategy. There are three entities that are governed by authorization Hudson Model Objects Some portion or all of the model Object can not be executed, with out proper authorization. Hudson View elements Some portion of the view will show only when the logged in user has appropriate access. Hudson Web pages In this case the page itself can not be viewed by unauthorized user Ex. hudson configuration page

Authorizing access to Hudson Objects When Security is enabled, certain Operations on Hudson Model Objects and Extension Points are given access based on the authorization strategy. When a method or block of statement is executed, haspermission(permission) is invoked. For example, in the project Object public void configure() thows NoPrevilegeException{ haspermission(hudson.administrator) // Do the configuration } The permission is checked against the current principal. haspermission() method depends on AuthorizationStrategy. The entry map (sid, Permission) of the ACL object is iterated to see if the current sid has the requested Permission. The sid itself is checked for authentication before checking for authorization.

Authorizing access to Hudson Pages When Security is enabled, Hudson web pages are given access based on the authorization strategy that is in effect. The Page filtering is done via Java EE Filter mechanism. A servlet Filter called HudsonFilter specified in the web.xml to do the job. If a security realm is specified then get the Filter Chain from it. Invoke the filter chain with the specific Servlet Context. If Security Realm is not set, then simply redirect to the Filter chain supplied by the container itself.

Filter Chain The Web pages are filtered in the following order in the chain of filters. HTTP Session Context Integration Filter Responsible for handling the authentication with in a Session. Basic processing Filter Handles the HTTP BASIC Authentication, sent via HTTP header (especially command line request) Authentication processing Filter Form based authentication happens in this filter RememberMe Processing Filter Send the remembered user name and password to the login page Anonymous Processing Filter This filter checks if the page allows anonymous access based on Authorization Strategy. Exception Translation Filter Handles if exception happens during Authentication and Authorization (non security related) Unwrap Security Exception Filter Sends the user to appropriate login page if security related exception happened.

Filter Chain invocation

Specifying Security Filters The filter chain is obtained from Security Realm. It is up to the security Realm to create the filter chain. Hudson provides a easy way to create hudson using Spring security architecture on the fly. Hudson defines a tuple with which the Filter chain provider can inject some of the security components such as Authentication manager User Details RememberMe service Failure URL Filter Process URL Target URL The definitions of security filter itself is defined in a groovy script. Spring Bean Builder service is used to create the corresponding Filters beans.

Filter Chain Groovy Script filter(chainedservletfilter) { filters = [ } ] bean(authenticationprocessingfilter2) { authenticationmanager = securitycomponents.manager remembermeservices = securitycomponents.rememberme authenticationfailureurl = "/loginerror" defaulttargeturl = "/" filterprocessesurl = "/j_acegi_security_check" }, bean(remembermeprocessingfilter) { remembermeservices = securitycomponents.rememberme authenticationmanager = securitycomponents.manager },

Authentication Filter Processing When the page is accessed by User, the Filter.doFilter() method first checks if Authentication and Authorization is required. This is done via Authorization Strategy Object. If required, the username and password is extracted from j_username and j_password Servlet Context Parameters. An UserNamePawwordAuthToken is created from username and password and send to the Authentication manager specified in the Filter for Authentication. If Authentication, the Authentication Object is set to the Container Security Holder for the container filter chain to know that the Authentication is successful Then the the Servlet Context is redirected to the original URL. If Authentication fails then Servlet Context is redirected to the Failure page, usually the Login page.

View Element Authorization The view provided by model Objects or Extension Points can render portion of the view based on certain authorization. Ex. Project Dashboard would display the Configure Project only if the user is authorized to configure the project. The elements of the jelly code that need to be access protected need to be surrounded with a test jelly clause <j:if test="${h.haspermission(it, permission)}"> <d:invokebody/> </j:if> If the current principal has given authorization, then the child elements will be included in the rendering of page.

Changing Authorization Strategy and Security Realm Authorization Strategy and Security Realm are Extension Points. So multiple entities of each can exist in the Hudson Platform. Hudson deployer has option to choose one of each via Hudson Configuration Page. The AuthorizationStrategy object (defaults to Unauthorized) is held by the Hudson Model Object. When user selects different Authorization Strategy, selected one replaces the earlier one. The SecurityRealm object is held by the HudsonFilter. When Hudson model process the submitted config page, it sets the newly selected Security Realm When a new Authorization Strategy set, the ACL will be set with the new authorization (sid, Permission) map entries. When new SecurityRealm is set, previous Authentication will be no longer valid. User need to authenticate with proper security credentials again.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information