
Page 1: Single Sign-On for Java Web Start Applications Using MyProxy

Terry Fleury, Jim Basney, and Von Welch

November 3, 2006

Page 2: Idea

Slides: http://myproxy.ncsa.uiuc.edu/sessions/ (Nov. 3, 2006)

• Goal: enable “web” single sign-on (SSO) for non-web applications
• Restriction: utilize the authentication protocols already available to all applications involved
• Requirement: minimize exposure of a user’s long-term authentication credentials (e.g. private password)

Page 3: Related SSO Solutions

• Kerberos
  – Issues cryptographic software tokens
  – Can integrate with Java via GSS-API
  – But, underlying application must be modified to understand the Kerberos protocol
• Session cookies
  – JSESSIONID allows JWS application to “inherit” the browser’s security context
  – But, security context only valid with the web server initially contacted
• Browser-based SSO
  – Examples: Microsoft’s Passport, Pubcookie, and Shibboleth
  – But, not useful in non-browser applications such as JWS

Page 4: Motivation

• Real-world development effort: MAEviz
• Three main components
  – Web portal / application server
  – Data server
  – Java Web Start visualization application
• Web portal and Data server use password-based authentication
• Portal and JWS application do not share a session context

Page 5: Scenario

• User connects to grid portal
  – Username/password authentication
• Portal connects to data server for listing
  – Also username/password authentication
• Web portal launches JWS application
  – JWS application authenticates to data server
• Desire: user authenticates only once
  – The goal of Single Sign-On (SSO)

Page 6: Portal and Java Web Start data flow (diagram)

Participants: User’s Client (Portal + Java Web Start), Application Server, Data Server. Message sequence:

(1) Login
(2) Data Request
(3) Data
(4) JNLP
(5) Data Request
(6) Render Data

Page 7: MAE Center Portal (screenshot)

Page 8: MAEviz JWS Application (screenshot)

Page 9: Multiple Protocols

• Portal server is Sakai
  – Web browser front-end
  – Web services (Axis), JSP, Java back-end
• Data server is SAM
  – WebDAV server
  – Metadata Mgmt. and Notebook Services
• MAEviz application is JWS
  – Launched via JNLP file
  – Distinct from web browser session
• How to effect a shared security session?

Page 10: Password Authentication

• Good news – all components understand username/password authentication
• Obvious solution – pass around the user’s name and password
• Bad news – don’t want to expose user’s long-lived password
• Solution – use short-lived “session passwords” instead

Page 11: Session Passwords

• Associate multiple short-lived “session” passwords with a given username
• Can be used in lieu of a user’s long-lived password
• Expire after a few hours
• Use an external authentication service
• Allow for a “password based” SSO solution

Page 12: Solution: MyProxy

• Originally used for X.509 credential storage and retrieval
• Can also be configured as a Certificate Authority (CA) to issue credentials
• Server configuration option allows for storage and retrieval of any number of session passwords for a user
• Multiple external authentication
  – PAM and SASL

Page 13: Creating Session Password (diagram)

Participants: Client A, MyProxy Server, External User Database, Local Cert Storage. Message sequence:

(1) Username & Password
(2) Authn U/P
(3) Credential
(4) Generate P’
(5) Put(Cred,U,P’)
(5) Cred

Page 14: Using Session Password (diagram)

Participants: Client B, MyProxy Server, Local Cert Storage. Message sequence:

(1) Username & Session Password (P’)
(2) Authn U/P’
(2) Cred
(3) Cred / Authn OK

Page 15: MyProxy Configuration

• Checks all stored credentials
  – When authenticating a password, ALL credentials for a given username on the MyProxy server are checked for a match
• Falls back to external authentication
  – If no password match to stored credentials, MyProxy falls back to external authentication methods (e.g. PAM)
• Result: MyProxy authenticates a user’s original long-lived password AND any session passwords

Page 16: MyProxy Single Sign-On (diagram)

Participants: User’s Client, Application Server, Data Server, MyProxy Server, External User Database, Local Cert Storage. Message sequence (the same step number appears on both the request and its reply):

(1) U/P
(2) U/P
(3) U/P Authn
(4) Cred
(5) Generate P’
(6) Put(Cred,U,P’)
(6) Cred
(7) U/P’
(8) U/P’ Authn
(8) Cred / Authn OK
(9) Data
(10) JNLP w/ U/P’
(11) U/P’
(12) U/P’ Authn
(12) Cred / Authn OK
(13) Render Data

Page 17: Security Concerns

• JNLP File on multi-user systems
  – Downloaded to user’s local file system
  – Not deleted upon session exit
  – Might have permissive umask setting
  – Only solution is “user education”
• Session passwords have a finite lifetime
  – Client can also explicitly destroy a session password before it expires
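The session-password behaviour described on pages 11, 15 and 17 (check every stored credential for the username, fall back to external authentication, expire after a fixed lifetime, allow explicit destruction) as an added model written for this transcript; it is not MyProxy code. The external user database, the PBKDF2 hashing of session passwords and the injectable clock are assumptions made so it runs offline.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for the external authentication source (PAM/SASL in the talk).
EXTERNAL_USERS = {"alice": "correct horse battery"}


def _digest(password, salt):
    # Assumed storage form: session passwords are never kept in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class SessionPasswordStore:
    # Models the page-15 rule: all stored credentials for the username are
    # checked first; only on no match does the server consult external authn.
    def __init__(self, lifetime_s=3600.0, clock=time.time):
        self._entries = {}          # username -> list of stored session passwords
        self._lifetime = lifetime_s
        self._clock = clock         # injectable so expiry can be tested

    def _external_authn(self, user, password):
        expected = EXTERNAL_USERS.get(user)
        return expected is not None and hmac.compare_digest(expected, password)

    def authenticate(self, user, password):
        now = self._clock()
        live = [e for e in self._entries.get(user, []) if e["expires"] > now]
        self._entries[user] = live                      # purge expired P'
        for entry in live:                              # check ALL stored credentials
            if hmac.compare_digest(_digest(password, entry["salt"]), entry["digest"]):
                return True
        return self._external_authn(user, password)     # fall back (e.g. PAM)

    def create_session_password(self, user, password):
        # Steps (1)-(5) of "Creating Session Password": authenticate the caller,
        # generate P', then store it alongside the username (Put(Cred,U,P')).
        if not self.authenticate(user, password):
            return None
        p_prime, salt = secrets.token_urlsafe(24), os.urandom(16)
        self._entries.setdefault(user, []).append(
            {"salt": salt, "digest": _digest(p_prime, salt),
             "expires": self._clock() + self._lifetime})
        return p_prime

    def destroy_session_password(self, user, p_prime):
        # Page 17: a client may destroy its session password before it expires.
        entries = self._entries.get(user, [])
        keep = [e for e in entries
                if not hmac.compare_digest(_digest(p_prime, e["salt"]), e["digest"])]
        self._entries[user] = keep
        return len(keep) != len(entries)
```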

Page 18: Conclusion

• Enable SSO for legacy applications
• Client creates any number of “session passwords” for a username stored on a MyProxy server
• Session passwords are passed among clients/programs
• Clients need only understand username/password authentication

Page 19: Acknowledgements

• National Center for Supercomputing Applications (NCSA)
  – Funded by the NSF (National Science Foundation) under Grant No. SCI-0438712
• Mid-America Earthquake (MAE) Center
  – Funded by the NSF (National Science Foundation) under Grant No. EEC-9701785
• Additional thanks to
  – Jim Myers and Kevin Price, at NCSA