Friday, May 17, 2013

Securing OpenAM

There are guides describing how to secure OpenAM. Read Security Best Practices when deploying OpenAM and Securing OpenAM.

Both guides talk about URI restriction:

  • Restrict access to URIs that you do not use, and prevent internal endpoints such as /sessionservice from being reachable over the Internet. 
  • Restrict access to URIs not used by your use-cases: internal endpoints SHOULD NOT be reachable from the Internet (/sessionservice and accompanies).

What exactly is "such as /sessionservice"? What exactly is "/sessionservice and accompanies"?

Don't you feel annoyed when you read such a hardening guide? Which endpoint(s) exactly are to be restricted?

Luckily, there is this Security Advisory from ForgeRock.

Vulnerable endpoints: 

How do we go about restricting these endpoints in an Apache HTTPD server that is deployed as a reverse proxy in front of the OpenAM server?

The above only allows access to the endpoints from a fixed range of internal IP addresses.

If we want to harden further by disallowing REST API calls as well, we can add "identity" (the /identity/* paths) to the LocationMatch pattern.
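Both steps in one place, as an added example rather than the post's own configuration: an Apache httpd reverse-proxy snippet that first restricts /sessionservice to an internal address range and then extends the same LocationMatch pattern with identity so the REST API is covered too. Assumptions (none of them from the original page): OpenAM runs under the context root /openam on http://openam-backend:8080, the administrative network is 192.0.2.0/24 (a documentation prefix standing in for your real range), and the syntax is httpd 2.4 (mod_authz_host), with the 2.2 form in comments.

```apache
# Added example, not the original post's configuration.
# Assumed: OpenAM at context root /openam on http://openam-backend:8080,
# internal admin network 192.0.2.0/24, Apache httpd 2.4 with mod_proxy,
# mod_proxy_http and mod_authz_host loaded.

ProxyRequests Off
ProxyPreserveHost On
ProxyPass        /openam http://openam-backend:8080/openam
ProxyPassReverse /openam http://openam-backend:8080/openam

# Step 1 restricted only "sessionservice"; step 2 adds "identity" so the
# legacy REST API paths are covered as well.  Add the remaining entries
# from the ForgeRock advisory to the alternation once you have confirmed them
# against your deployment.
#
# The pattern is anchored at the start of the path but deliberately NOT at
# the end: httpd matches on the decoded, normalised request path, but the
# servlet container behind it may still strip trailing path parameters such
# as ";jsessionid=..." or ";foo", so an end anchor like "(/|$)" could let
# "/openam/sessionservice;x" slip past the proxy yet reach the servlet.
# Over-matching is the safer failure mode for a deny rule.
<LocationMatch "^/openam/(sessionservice|identity)">
    Require ip 192.0.2.0/24
    # httpd 2.2 equivalent:
    #   Order deny,allow
    #   Deny from all
    #   Allow from 192.0.2.0/24
</LocationMatch>
```

The proxy rule is only useful if the OpenAM container cannot be reached around it: bind the container's connector to the loopback or a private interface, or firewall its port so that only the proxy can connect. Verify the rule from an external address with `curl -i https://<host>/openam/sessionservice`, which should return 403, and from an internal address, which should still pass through to OpenAM.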

