Biometric Authentication for J2EE, Web, and Enterprise Applications

Building Biometric Authentication for J2EE, Web, and Enterprise Applications

Print-friendly Version This article describes the process of enabling biometric authentication for Java 2 Platform, Enterprise Edition (J2EE platform) and web-based enterprise applications by integrating Sun Java System Access Manager and BiObex biometric authentication solution. Contents J2EE Security and the JAAS framework Integrating Sun Java System Access Manager and BiObex How It Works Enabling Biometric SSO Tokens Configuration and Deployment Enforcing Biometric SSO Enabling Multi-factor Authentication Summary Authentication is the process of verifying the identity of a user or a computing device in a networked environment. As organizations need to distribute sensitive information to authorized parties over the network, they have increasingly been adopting biometrics as a necessary component for authentication. Biometric authentication is based on an inherent physical trait or a characteristic such as fingerprints, retinal patterns, hand geometry, voice recognition or facial recognition, and offers a high degree of assurance that a person actually is who they claim to be. Biometrics are difficult to fabricate, which makes them much harder to share or steal than traditional authentication mechanisms such as passwords, tokens, certificates or smartcards, which have potential vulnerabilities due to credentials shared, forgotten, stolen or used without the consent of the owner. For robust security, the recommended approach is often to combine two or more authentication methods — a process called multi-factor authentication. For example, a highly secure installation could use three-factor authentication based on password (what the user knows), smartcard (what the user possesses), and fingerprints (who the user is). Incorporating biometric sign-on in an application enforces a highly secure user authentication by comparing a registered biometric sample, also referred to as a biometric template, against a newly acquired biometric sample during the application login process. If the match score between the newly acquired sample and the registered template exceeds a given threshold, the authentication is successful and assures the application provider about the identity who was really accessing application. J2EE Security and the JAAS framework The J2EE architecture provides an end-to-end security model for all the component tiers by leveraging the J2EE container-based security services and the underlying Java platform (J2SE). J2EE also provides extensible security mechanisms via Java Authentication and Authorization Services (JAAS), using JAAS-based login modules for incorporating custom authentication mechanisms and third-party security providers for authentication and authorization. JAAS implements a Java technology version of the Pluggable Authentication Module (PAM) framework and supports user-based authorization. It offers a set of APIs for enabling authentication and authorization services. Using JAAS facilitates a pluggable solution for integrating with different authentication providers that are based on biometrics, smartcards or other custom mechanisms. JAAS also provides a single-signon (SSO) security model for delivering a unified access-control solution for securing multiple J2EE or Java-based applications. Integrating Sun Java System Access Manager and BiObex The Sun Java System Access Manager — now part of Sun Java Enterprise System (Java ES) — is a standards-based security infrastructure solution for managing secure access to J2EE, Java technology, and enterprise applications. It builds on the J2EE architecture and APIs, providing a standards-based authentication and policy-based authorization framework for enabling SSO access to multiple applications and federation of trusted network applications and partners. In particular, the Access Manager authentication and authorization service is based on the JAAS framework. As described earlier, the JAAS authentication services framework provides extensibility by supporting pluggable authentication modules and also allowing integration custom authentication services from third-party security providers. To enforce SSO and to protect application services and resources from unauthorized access and intrusions, Access Manager provides policy agents. The policy agents control access to application services based on the policies configured in the Access manager. BiObex is a cross-platform Java-based biometric authentication solution designed and developed by AC Technology, Inc., for enabling biometric access control for systems and applications in an enterprise network. The BiObex solution provides services for enrollment of biometric samples from users, security policy based biometric authentication that controls users' access by matching the provided samples with registered biometric templates, administration of security policies and resources, and auditing and event logging for system monitoring. Based on the protected applications or systems, the authentication process is handled via pluggable components such as PAM (Pluggable Authentication Module) for Unix systems, GINA (Graphical Identification aNd Authentication) for Windows systems, and JAAS for J2EE applications. Figure 1: Access Manager and BiObex Integration Architecture. Integrating BiObex with Sun Java System Access Manager (as shown in Figure 1) enables a biometrics authentication and single-signon for Access Manager secured applications. This is done by using a pluggable JAAS BiometricLoginModule (listed in references) for handling biometric callbacks to BiObex authentication server via Sun Java System Access Manager. BiometricLoginModule is installed and configured as an authentication service provider for the Access Manager authentication. After installation, the Access Manager can manage the BiometricLoginModule like any other authentication provider modules meant for LDAP, UNIX, and so on. It also supports biometric single-sign on (SSO), which allows users to access multiple partner applications managed by the Access Manager after doing a single biometric authentication. In addition to BiometricLoginModule, the BiObex authentication server can be configured to support heterogeneous application and system environments such as Solaris and Windows environments using PAM and GINA modules respectively (see Figure 2). Figure 2: Biometric Authentication for Heterogeneous Application Environments. How It Works To illustrate a working scenario, assume that the BiometricLoginModule is installed and configured as the default authentication service of the Access Manager. The BiObex server and repository are also installed as a coexisting environment. When a user attempts to access a protected resource managed by the Access Manager, it directs the user to submit credentials to the BiometricLoginModule, which acts as a client to the BiObex authentication server. The BiObex authentication server authenticates the user by acquiring one or more biometric samples from the user and matching them against the user's registered biometric template. If the biometric authentication is successful, the Access Manager grants access to the secured application or resource by issuing an SSO token that represents the user's sign-on and session information. If the authentication fails, the Access Manager returns an error page to the user. The Access Manager makes use of the policy agents for securing multiple applications by intercepting requests from unauthorized intrusions, verifying and validating the user's SSO token if it exists, and controlling access to resources based on policies assigned to the user. Enabling Biometric SSO Tokens Consider a J2EE-based web application requiring access to its users via web-based SSO using Access Manager and using fingerprint based biometric authentication provided by BiObex (see Figure 3). The J2EE application server is installed with the Access Manager policy agent and the user's client terminal requiring web browser access to the J2EE application is installed with a fingerprint scanner (USB or Ethernet-based) for obtaining biometric samples (for example, fingerprints). Before trying this out, it is required that user's fingerprint templates, terminal information and associated biometric sensor mapping are registered and stored with the BiObex authentication server's repository. (Refer to enrollment section for details.) Figure 3: Biometric SSO for J2EE and Web applications - Interaction Diagram. environments. When a user tries to access the URL of the secured J2EE application (that is, a JavaServer Pages or Servlet URL) using a browser, the Access Manager's policy agent running in the J2EE server intercepts the request and verifies the user's SSO token, if any exists. If the token's authentication level is insufficient (or none exists) the Access Manager calls the biometric authentication service (BiometricLoginModule) requesting authentication, which redirects the user to a login page prompting the user to provide username and terminal ID (the identifier of the terminal from which the user is performing the authentication). The biometric authentication service verifies that the provided user and terminal information matches the data stored in the BiObex repository. After successful username and terminal id verification, the service initiates a biometric callback to the fingerprint scanner assigned to the user or terminal and displays a web page prompting the user to provide a fingerprint sample. The BiometricLoginModule forwards the user's biometric samples for authentication against the BiObex server. Upon BiObex authentication, the Access Manager issues a unique SSO token representing the user's session. The policy agent verifies the SSO Token for all subsequent request and then based on the token it allows or denies access to the requested URL resource. It also examines all the roles (which contains the policies) assigned to the user. Configuration and Deployment Installing the Sun Java System Access Manager The Sun Java System Access Manager is available as an installable component product part of the Java Enterprise System (listed in references). During install, it is important to choose all the shared components and other component dependencies required. For example, the Access Manager needs a local or remote instance of Directory Server and a local instance of a J2EE web container, either J2EE Application Server or Web Server (as a Servlet engine). Follow the installation instructions described in the Java Enterprise System installation guide to proceed with the installation and then carry out the post-installation steps to start up the Access Manager components. Installing the BiObex Server The BiObex application suite is available from AC Technology, Inc. The BiObex server and components can be installed as a coexisting application environment where the Sun Java System Access Manager is installed. During installation, you may choose to use the Sun Java System Directory server or a relational database as the repository for persisting the users' biometric data. Installing and Configuring the BiometricLoginModule Follow these steps to configure and install the BiometricLoginModule in the Access Manager environment. Make sure the BiometricLoginModule.jar is available in the directory where all the access Manager libraries and service components exists. /web-src/services/WEB-INF/lib Copy the BiometricLoginModule.xml file to the directory where the entire services configuration files exists. /web-src/services/config/auth/default Copy the amAuthBiometricLoginModule.properties file to the locale directory. /locale Update the defined classpath of the J2EE application server or the servlet container (in the case of Web Server) to include BiometricLoginModule.jar. For example, using the Sun Java System Application Server, update the server.xml located in this directory: /domains/domain1/server1/config Create a BiometricLoginModule service by loading the amAuthBiometricLoginModule.xml using the amadmin command. ./amadmin --runasdn uid=amAdmin,ou=People,, --password -schema amAuthBiometricLoginModule.xml where and refer to the base domain of the Access Manager installation. Restart the access Manager. /bin/amserver stop /bin/amserver start Restart the J2EE application server. /bin/asadmin stop-domain -domain domain1 /bin/asadmin start-domain -domain domain1 Deploying and Registering the Biometric Authentication Service This process is typical for registering a custom authentication module as an authentication service. After restarting the Access Manager, you are required to register and enable the BiometricLoginModule service for an organization requiring biometric authentication. Log in to the Access Manager Administration console 'amconsole' as 'amadmin', specifying the URL as: http://server_name.domain_name:port_no/amconsole Select the Service Configuration tab in the top frame. In the right frame of Pluggable authentication module classes, add the class file name: com.biobex.jaas.BiometricLoginModule Select the Identity Management tab and select your organization. Select Services from the view drop-down list, then click Core in the navigation frame under Authentication. If no registered service is listed, register Core under authentication by clicking the Register button in the left frame. Add BiometricLoginModule to the list of highlighted modules in the Organization authentication modules. The BiometricLoginModule service now appears as an available authentication service in the left frame. It is required to create a template for it, therefore, click the arrow beside the BiometricLoginModule service. This notifies a message mentioning that a template does not exist for this service, so click the Create button to create a template for this service. At this point, it configures all the attributes related to the instance of the BiometricLoginModule and its corresponding BiObex server. Click the Save button. Restart the Access Manager and the J2EE container to update the configuration. Figure 4: Installing and Configuring the BiometricLoginModule in the Access Manager. The BiometricLoginModule has now been installed and deployed as the authentication service of choice for the selected organization (see Figure 4). This deployment works in cooperation with the co-existing BiObex server environment. Registering the User Terminal and Biometric Sensor in BiObex Server Each terminal in the network can have one or more biometric devices associated with them. The BiObex authentication server uses the configured terminal and device information, along with the information that the authentication client provides, to determine if a user can authenticate at a particular terminal based on their security policy (see Figure 5). For example, If a terminal does not have a device to capture fingerprints or has a device that does not match the approved device for a particular terminal, authentication cannot proceed. Figure 5: Defining Network Terminals and Associated Biometric Sensors. Enrolling users and registering their biometric sample in BiObex Enrollment is the process of adding new users to the system or updating their biometric information (in case of damage or change). BiObex uses an enrollment server to facilitate multiple enrollment stations throughout the enterprise as well as remote and disconnected stations. Access to the enrollment server is protected using biometric authentication, ensuring that only enrollment officers designated by the organization are allowed to access or change biometric data. The enrollment tool creates and manages biometric profiles: collections of biometric data associated with a user's electronic identity (see Figure 6). Multiple scans of a biometric can be captured and combined to provide a better template. Since organizations often regard who has what access to biometric data as a policy decision, the actions that enrollment officers are authorized to execute can be restricted through a role-based security model. Figure 6: Creating a Biometric Profile During Enrollment. Testing the installation and configuration Using a Web browser, invoke the following URL: http://.:port/amservice/URI/Login?module=BiometricLoginModule The browser will display the login page, which prompts the user to provide a username and terminal ID of the client machine running the browser (see Figure 7). The BiObex authentication server uses the terminal ID to identify the biometric sensor associated with the terminal (typically based on physical proximity). In intranet-based environments, the terminal ID prompt can be suppressed by using the IP address of the machine running the browser as the terminal ID, which can be automatically identified by the server. Figure 7: Login Page Prompting User for BiObex Authentication. After entering the username and terminal ID, the browser redirects to a page prompting the user to present the biometric sample, using the fingerprint scanner registered with the terminal (Figure 8). Figure 8: Login Page Prompting User to Scan Fingerprint. The user is required to provide one or more biometric samples using a biometric sensor (fingerprint scanner) depending on the active security policy. The BiObex authentication server authenticates the user by matching the provided biometric sample against the previously stored biometric template. BiObex uses a challenge response system, so the user (or an intruder) does not know beforehand which of their enrolled biometrics will be asked for. This increases security in two ways: first, an intruder must be prepared to fabricate all required biometrics; second, when combined with multiple required biometrics, single "latent image" attacks cannot be carried out. Finally, if the authentication is successful, the browser will redirect the user to the page that confirms successful authentication (Figure 9). Figure 9: Verifying the Configuration - Biometric Authentication Successful. Enforcing Biometric SSO To secure J2EE applications, web-based applications, and other enterprise applications with the deployed BiometricLoginModule, the Access Manager policy agents must be installed for the designated J2EE application servers, web servers, and enterprise applications. These policy agents secure the applications in conjunction with Access Manager running the biometric authentication service. To do so, follow the installation instructions for the respective policy agents as described in Access Manager policy agents guide. Enabling Multi-factor Authentication Integrating Access Manager with BiObex authentication also allows enabling multi-factor authentication for J2EE, web-based, and enterprise applications. It does this by chaining one or more supported authentication services, such as LDAP, digital certificate, RSA SecurID, or any other JAAS-compliant authentication modules. To enable multi-factor authentication, in addition to BiometricLoginModule, one or more authentication modules can be configured together so that a user must pass authentication credentials to all of them. This technique is also referred to as authentication module chaining. Authentication chaining in Access Manager is also based on the JAAS framework. To do so, follow the instructions for enabling chained authentication and JAAS shared state as described in the Access Manager developer's guide. Summary This article introduces biometrics and discusses integrating a biometric authentication solution for J2EE, web, and enterprise applications using Sun Java System Access Manager and BiObex. For ensuring applications with highly secure personal identification and verification, biometric authentication provides a more robust and accurate security solution than other traditional authentication mechanisms. It is gaining popularity and strong acceptance particularly in security-sensitive commercial, governmental, and military applications.