Skip to content
This repository has been archived by the owner on Oct 20, 2018. It is now read-only.

consec/ConSec

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

84 Commits

auditing

auditing

 
 

authn

authn

 
 

authz

authz

 
 

ca-server

ca-server

 
 

consec-common

consec-common

 
 

docs

docs

 
 

dynamic-ca-server

dynamic-ca-server

 
 

federation-api

federation-api

 
 

federation-db

federation-db

 
 

federation-id-prov-support

federation-id-prov-support

 
 

federation-id-prov

federation-id-prov

 
 

federation-web

federation-web

 
 

oauth2

oauth2

 
 

parent-pom

parent-pom

 
 

.gitignore

.gitignore

 
 

LICENSE.txt

LICENSE.txt

 
 

README.md

README.md

 
 

pom.xml

pom.xml

 
 

Repository files navigation

ConSec

ConSec is a federated cloud security framework.

Features

  • supports standards SAML, OpenID, OAuth 2.0, XACML
  • supports authentication against multiple authentication sources: LDAP, OpenID, SQL database, Shibboleth or a SAML 2.0 Identity Provider
  • includes SimpleSAMLphp Identity Provider
  • provides SAML-based Single Sign-On
  • provides secure delegated access to protected resources on resource servers via OAuth 2.0 protocol or delegated user certificates
  • provides XACML-based authorization utilizing HERAS-AF XACML evaluation engine
  • provides auditing infrastructure: automated auditing via servlet filter for web apps or REST APIs, library for manually creating audit records, search API for audit records
  • displaying of audit records by various search criteria, visualization of interaction among components

Architecture

The following diagram depicts an overview of the architecture of the ConSec framework:

ConSec architecture

Short Description of Components

Identity Provider (IdP)

The Identity Provider is responsible for authentication of users and providing user's identity and attributes information in the form of SAML assertions to the Service Providers. In the architecture depicted in the upper diagram the Web Portal acts in the role of SAML Service Provider. The IdP enables single sign-on functionality. The ConSec IdP utilizes the SimpleSAMLphp software operating in the Identity Provider mode with the MultiAuth module enabled which enables users to authenticate against various authentication sources.

Federation REST API (federation-api)

The Federation REST API exposes federation database through REST interface.

Federation Database (federation-db)

The Federation Database stores user profiles, roles, groups, attributes, identity providers.

Web Portal

The Web Portal is a web application that provides some service to the users and uses ConSec framework for providing security.

OAuth Authorization Server (OAuth Auth Server)

The OAuth Authorization Server issues access tokens to the clients after successfully authenticating the resource owner and obtaining authorization. The client uses the access token to access the protected resources hosted by the resource server.

CA Server

The CA Server issues delegated user certificates to the clients. The clients can use the certificate to access the protected resources hosted by the resource server on behalf of the user. To request the certificate the client has to provide a valid access token.

Resource Server

The Resource Server is the server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. The ConSec provides three filters which can be plugged into the Resource Server (implemented as a Java web application) to enable specific functionality: OAuth Filter, Auditing Filter, and Authorization Filter.

OAuth Filter

The OAuth Filter is a servlet filter that can be plugged into java web application and provides support for the OAuth protocol to applications having Resource Server role in the OAuth flow. The filter intercepts the HTTP requests, extracts OAuth access token from the request, validates the token and retrieves user information by calling OAuth Authorization Server and injects that data in the request (HttpServletRequest object).

Auditing Filter

The Auditing Filter is a servlet filter that can be plugged into java web application and provides auditing support. For each incoming HTTP request an audit record is created and sent to the Auditing Storage Service. The degree of details of audit records can be configured and adjusted to the specific application.

Authorization Filter

The Authorization Filter is a servlet filter that can be plugged into java web application. It acts as a Policy Enforcement Point (PEP) - it intercepts user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision.

Auditing Storage Service

The Auditing Storage Service listens and receives audit records and stores them to the auditing database. It is made modular and various communication channels for transporting audit records can be used as well as database systems.

Auditing API

The Auditing API provides REST interface for retrieving audit records from the auditing database using various search criteria.

Policy Decision Point (PDP)

The Policy Decision Point receives decision requests from the Policy Enforcement Point (PEP) containing all the relevant information about the request. The PDP evaluates the request using XACML authorization policies, makes an access control decision and returns it to the PEP which simply enforces the decision. The authorization policies are stored in the XACML Policy Repository.

About

Federated cloud security framework

Resources

Readme

License

BSD-3-Clause license
Activity
Custom properties

Stars

4 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages