NATIONAL GOVERNMENT PORTAL (NGP) · • From multiple websites, siloed e-Services and no standard...
Transcript of NATIONAL GOVERNMENT PORTAL (NGP) · • From multiple websites, siloed e-Services and no standard...
• From multiple websites, siloed e-Services and no standard government identity
• To a one-stop gateway to government data, services, information
NATIONAL GOVERNMENT PORTAL (NGP)
• A Java web application, running on a standard Java container / application server • Vertical and horizontal enterprise portal
LIFERAY DXP
• CentOS, Ubuntu, RHEL, etc. • Cloud & virtualized environments
FEATURESDeployment Compatibility
• JBoss, Tomcat, Wildfly, etc. • MariaDB, MySQL, PostgreSQL, etc.
Performance & Scalability
• Clustering at any combination of tiers (presentation, service, business logic, database)
Security
• Email verification • Granular permissioning
• Encryption such as DES, SHA, RSA • Pluggable authentication
• Advanced caching (Ehcache) • Elasticsearch platform support • Performance monitoring
• LDAP authentication • Session management
FEATURESDeveloper Languages and UI Frameworks
• Groovy • GWT • JQuery
• Java • JSF • Alloy UI
• Bootstrap • Meta.js • ReactJS
• AngularJS • Senna.js • Lodash
• Vaadin • Ruby • Scala
• Others
Web Services
• SOAP • JSON • REST
Theme Developer Languages
• Freemarker • Velocity
Other Standards / Technologies
• JSR-286 • JSF to JSF
2.2
• AJAX • JSR-168
• Spring 3.0 • CMIS
1.0/1.1
• Hibernate • OSGI Core
6.0
• SAML 2.0 • OAuth 1.1
• iCalendar & Microformat
FEATURESContent Repository
• Multiple Repository Support • Customizable Doc Types • Metadata per doc type • MS Office integration
• CMIS Support • CI/CO • Content previews • Content versioning
• Workflows per doc type • Mobile/desktop file
synchronization • Google docs integration
Site Publishing
• Dynamic and static site templates • Drag and drop site maps • Sitemap protocol support • Friendly page URLs
• Staging & Scheduling • Multiple site variations • Faceted search • User-customizable pages
• Mobile previews • Mobile responsive theme • Mobile device recognition • Mobile SDK • Native mobile app support • Push notifications
Mobile
• Asset • Cache • Data handlers • File storage • Geolocation • Message bus • Scheduler • Scripting • Workflow
FEATURESOther Back-end APIs
• Audience Targeting • Segmentation Rules • Session Attributes • Wikis, Blogs, Message Boards • Calendar • Alerts & Announcements
Others
FEATURES
Product Architecture
• Authentication (AuthN) and Authorization (AuthZ) • Supports the use of an Identity Provider (IdP), Single Sign On (SSO), LDAP,
OpenId, Open Authorization (OAuth), Shibboleth, Authentication through Facebook and Google, etc.
IDENTITY MANAGEMENT
Figure 1. Internal authentication
Figure 2. LDAP authentication
Figure 3. SSO as authenticator and LDAP as storage of user data
• Authentication Mechanisms for SSO • Cookies • Tokens • Agents
IDENTITY MANAGEMENT
Figure 3. SSO as authenticator and LDAP as storage of user data
• Authentication (AuthN) and Authorization (AuthZ) • Supports the use of an Identity Provider (IdP), Single Sign On (SSO), LDAP,
OpenId, Open Authorization (OAuth), SAML, Shibboleth, Authentication through Facebook and Google, etc.
IDENTITY MANAGEMENT
Figure 4. OpenID Figure 5. Service provider initiated SSO
• Authentication (AuthN) and Authorization (AuthZ) • Supports the use of an Identity Provider (IdP), Single Sign On (SSO), LDAP,
OpenId, Open Authorization (OAuth), SAML, Shibboleth, Authentication through Facebook and Google, etc.
IDENTITY MANAGEMENT
Figure 6. Typical OAuth configuration flow
Figure 7. Third-party Solutions
• Authentication Pipeline • Sign-in portlet or sign-in screen • Log in via email (default), screen name, or user ID
IDENTITY MANAGEMENT
Figure 8. NGP’s Sign-in portlet
• Authorization • LDAP Groups • OOB Role-Based Authorization
Control (RBAC)
• Liferay can be extended with extra Authenticator or AutoLogin classes
IDENTITY MANAGEMENT
Figure 9. Authentication management is deferred to the SSO server and assignment of user groups and roles to the LDAP server
IDENTITY MANAGEMENT
Figure 10. Login flow
• Transport Security • Supports HTTPS • All responses contain secure headers and cookie flags
• Encryption • Uses the PBKDF2WithHmacSHA1/160/128000 encryption algorithm by default • Length of hashes and number of rounds can be increased to increase cryptographic
strength • Users may choose alternative encryption algorithm as needed • Supports data encryption at rest
• Web Service Security Layers • IP permission based on a whitelist • Service access policy on service classes and method
APPLICATION-LEVEL SECURITY
• Web Service Security Layers • Token-based authentication if a web service invocation request comes from a browser • User permission checks
• Password Policy • Password strength, frequency of password expiration, user lockout, etc. • Different policies can be applied to different sets of users
• Single Sign On (SSO) • Identity management
• Entitlement Management • Fine-grained Role-Based Access Control (flexible roles and permissions)
• Entitlement Management • Historical view of what users are doing in applications through log files
APPLICATION-LEVEL SECURITY
• Secure Development Process • Developed according to secure coding best practices and guidelines such as the
OWASP Top 10 and the CWE/SANS Top 25 • Security code reviews • White and black box security scans • Penetration tests • Monitoring of third-party libraries included in Liferay products (e.g. Apache Struts 2) • Verified by Veracode
• Portal Scanning • Weekly web application scanning
• Fix Packs
APPLICATION-LEVEL SECURITY
• Clustered and highly available • Server-level • Application-level
• Components addressed in a cluster • Load balancer • Centralized database • Caching • Search (Elasticsearch) • Document Library
ARCHITECTURE
Figure 11. High-level diagram of a typical set-up
CLOUD LOCATION 1
Dev Environment
CLOUD LOCATION 2
Staging Env Production Env
CLOUD LOCATION 3
HA Environment
EDGE PLATFORM
ORIGIN SERVER
Figure 12. Infrastructure Reference Architecture
• Local / Origin • WAF, Load Balancer, ADC,
IDPS
• Edge • WAF • SiteShield • Network List • API Security • Certificates • DNS (optional) • Log Delivery • Alerts
ARCHITECTURE
Authentication (SSO, PKI)
Figure 13. NGP Internal Components
ARCHITECTURE
GCP Middleware Agency Systems
Document Repository Workflows Indexing
and SearchData
AnalyticsData
Storage
Pluggable Architectures
Public Websites
Frontline Services Open Data Native Portal
Applications
National Government Portal
Registered User User Personalization Role-based Content Delivery (Dashboard) Transaction History Account Management
Government Content Management Doc Repository Workflow Access Control G2G Self-Service Performance Statistics Ticketing Audit Trails Data Analytics Web Forms
Unregistered User Web Content Log in Discussions Feed Back Maps Localization Support Faceted Search Accessibility Knowledgebase
INTEGRATION
PHASE 1 - URL LINKING
National Government Portal E-Services catalog (www.gov.ph)
Tradenet (tradenet.gov.ph
PHASE 2 - WEB PROXY & SSO / WEB SERVICES / FULL PORTLET INTEGRATION
2-A Web Proxy & SSO
2-B Web Services
2-C Full Portlet Integration