entries_inheriting, 208

Transcription

1 Index A AbstractSecurityInterceptor, 31 AbstractSecurityInterceptor s beforeinvocation method, 122 Access Control Entry (ACE), 207 Access control lists (ACLs) accessing secured objects AclEntryVoter(s), 222, 226 custom AccessDecisionManager, 223 default Spring Security login page, 225 deletepost method, ForumController, 224 deletepost method, ForumServiceImpl, 224 form.jsp, 224 cost, 234 filtering returned objects classes and interfaces, 231 classes participating in post-processing phase, 232 createpost method, 229 ExpressionHandler bean, 228 getposts method, annotation, annotation, invocations, 232 PreInvocationAuthorizationAdviceVoter, 227 steps to execute new configuration, 230 securing view layer, 233 security example application abstractions, 207 acl-example-servlet.xml, 220 applicationcontext-acl.xml, 213 applicationcontext-security.xml, 221 attributes, 208 BasePermission class, 208 createaclschema.sql, 206 DatabaseSeeder class, 216 Entity-Relationship (ER) diagram, 209 form.jsp file, 219 ForumController entry point, 216 ForumServiceImp, 217, 220 Maven dependencies, 210 Maven jetty plugin in pom.xml, 212 permission logic, 205 Post class domain model, 218 tables in graphical form, 207 web.xml, 212 AccessDecisionManager, 30, 49, 289 AccessDecisionVoter, 51 AccessDeniedException, 125 AccessOperationsImpl, aclauthorizationstrategy bean, 215 aclcache bean, 215 ACL_CLASS, 208 ACL_ENTRY, 208 acl module, 20 acl_object_identity, 208 aclservice bean, 215 ACL_SID, 208 AfterInvocationManager s, 31 always-use-default-target, 176 applicationcontext-security.xml file, 24, 137 Application security layer, 2 AspectJ Maven Dependency, 132 AspectJ pointcut expressions, 131 Aspect Oriented Programming (AOP), 14 aspects module, 21 authentication-failure-handler-ref, 176 authentication-failure-url, 176 AuthenticationProvider, 48 AuthenticationProvider and UserDetailsService applicationcontext-mongodb.xml, 250 applicationcontext-security.xml, 247 basic web.xml with enabled Spring Security, 247 definition, 243, 245 dependencies, 246 Hello World page, 256 Hello World Servlet,

2 AuthenticationProvider and UserDetailsService (cont.) Jetty Plugin, 246 MongoUserDetailsService, 249, 253 newly created user, 255 relationship, 244 Small Main Class, 255 spring-data-mongodb dependency, 249 UserReadConverter, 251 Authentication-related events, 240 authentication-success-handler-ref, 177 authoritygranters, 186 Authorization-related events, 239 B BeanDefinitionParser objects, 37 Business service-level security, 111 C callbackhandlers, 186 cas module, 20 Central authentication service (CAS) authentication applicationcontext-security.xml spring file, 197 configuration changes in SSL elements, 198 demo application login, 193 with different authentication provider, 202 element, 190 pom.xml file CAS authentication-powered application, 194 CAS war application, 191 process, 200, 202 secured resources, 199 ticket, 201 web.xml file, 196 ChannelSecurityInterceptor, 269 com.apress.pss.terrormovies.access package, 134 config module, 20 ContextLoaderListener, 24 core module, 20 crypto module, 21 Custom Login Form applicationcontext-security.xml, 73 AuthenticationFailureHandler implementation, 76 authentication-failure-url, 75 custom error, 75 DefaultLoginPageGeneratingFilter, 73 default-target-url, 75 JSP file, 74 j_username and j_password, 75 LoginController creation, 74 new login form, 75 new login handler page, 73 spring security, 75 view resolver, 74 D Database-provided authentication applicationcontext-security.xml file, 155 basic tables creation, 159 with groups, 154 HSQLDB Maven dependency, 158 vs. memory-provided authentication, 153 modified applicationcontext-security.xml, 159 pom.xml, 156 Servlet definition, 156 simple database schema, 153 using existing schemas, 162 using groups, 161 web.xml file, 155 Decorator Pattern, 55 DefaultFlowStateSecurityExpression Handler, 290 default-target-url, 177 DelegatingFilterProxy, 25 Dependency injection (DI), 13 Digest authentication, 78 DispatcherServlet servlet, 284 E entries_inheriting, 208 F Filters and filter chain ANONYMOUS_FILTER, 41 BASIC_AUTH_FILTER, 41 CHANNEL_FILTER, 40 CONCURRENT_SESSION_FILTER, 40 DIGEST_AUTH_FILTER, 41 EXCEPTION_TRANSLATION_FILTER, 41 FILTER_SECURITY_INTERCEPTOR, 41 FORM_LOGIN_FILTER, 40 JAAS_API_SUPPORT_FILTER, 41 LOGIN_PAGE_FILTER, 41 LOGOUT_FILTER, 40 OPENID_FILTER, 41 PRE_AUTH_FILTER, 40 REMEMBER_ME_FILTER, 41 REQUEST_CACHE_FILTER, 41 SECURITY_CONTEXT_FILTER, 40 SERVLET_API_SUPPORT_FILTER, 41 servlet filter, 39 SESSION_MANAGEMENT_FILTER, 41 SWITCH_USER_FILTER, 42 web.xml file, 40 X509_FILTER, 40 FilterSecurityInterceptor, 30 Functional programming,

3 G Global-method-security, 116 Gradle Wrapper, 19 Grails method level, 300 web layer with URL rules, 297 Groovy, 291, 297. See also Grails H Hashing algorithms, 4 I Inversion of Control (IoC), 13 J, K JAAS authentication bean properties, 186 configuration file, 185 JaasAuthenticationProvider, 189 pss_jaas.config file, 186 RoleGranterFromMap, 186 SampleLoginModule, 187 Java Authentication and Authorization Service (JAAS), 8 Java Certification Path API (CertPath), 8 Java Cryptographic Extensions (JCE), 8 Java Cryptography Architecture (JCA), 8 Java Secure Socket Extension (JSSE), 8 JdbcMutableAclService, 234 Jetty server, 25 JRuby, 291 jsr250 Maven dependency, 121 L LDAP authentication applicationcontext-security.xml file, 168 attributes, 163 context entry, 165 dnsdomain, 166 entry, 163 group-role-attribute, 171 LdapAuthenticationProvider at work, 170 LDAP hierarchy, 168 LDAP server connection, 164 LDIF file, 166 LDIF file with Apache Directory Studio, 168 local ApacheDS server connection, 165 <password-compare> element, 171 password encoders, 171 role-prefix, 171 Spring Security LDAP dependency, 168 user-context-mapper-ref, 171 values, 163 ldap module, 20 loginconfig, 186 logincontextname, 186 login-page-url, 177 login-processing-url, 177 M MethodSecurityEvaluationContext, 123 MethodSecurityInterceptor, 30 Model-View-Controller (MVC) framework, 273 Admin controller, 62 admin user and roles, 63 AnonymousAuthenticationFilter, 68 Authentication filter, 71 BasicAuthenticationFilter, 67 characteristics, 61 Curl command, 63 DefaultLoginPageGeneratingFilter, 67 ExceptionTranslationFilter, 68 FilterSecurityInterceptor, 69 LogoutFilter, 67 movie creation, 63 RequestCacheAwareFilter, 67 RequestMapping annotation, 62 SecurityContextPersistenceFilter, 66 Servlet listener, 65 servlet-name value, 61 SessionManagementFilter, 68 terrormovies-servlet.xml, 64 URL access, 65 WEB-INF/terrormovies-servlet.xml file, 61 web.xml snippets, 61 MongoDB, 249 moviesservice Bean, 133 MoviesServiceImpl class, MRI Ruby, 292 mutual authentication, 178 myopenid, 172 N Network security layer, 1 O object_id_class, 208 Object Identity, 207 object_id_identity, 208 One-way encryption, 4 opened module,

4 OpenID authentication auto-register functionality, 174 configuration file for Spring Security application, 173 login form, 174 Maven dependencies, 173 MyOpenID site, 175 Spring Security OpenID namespace, 176 workflow, 175 OpenIDAuthenticationToken, 46 Operating system layer, 1 org.springframework.security.acls.jdbc. BasicLookupStrategy class, 235 owner_sid, 208 P, Q param contextconfiglocation, 24 parent_object, 208 Password encryption custom security filter applicationcontext-security.xml, 264 error page, 265 UserAgentFilter, 263 handling errors and entry points AuthenticationEntryPoint Implementation, 266 CookieAccessDeniedHandler, 268 ExceptionTranslationFilter and AuthenticationEntryPoint relationship, 266 Spring Configuration, 267 PreAuthenticatedAuthenticationToken, 45 Public key cryptography, 6 R Rails, 292 AdminsController, 293 applicationcontext-security.xml file, 295 applicationcontext-security.xml security, 296 Java libraries, 293 Java web container, 293 jruby-rack, 294 StandardsController, 293 warble.rb configuration file, 297 warbler, 293 WEB-INF directory, 295 web.xml.erb, 295 Remember-me authentication, 80 AffirmativeBased access-decision manager, 82 Amazon.com, 80 AuthenticatedVoter, 82 Authentication object implementation, 82 autologin method, 81 cookie, 80 PersistentTokenBasedRememberMeServices, 82 RememberMeServices implementation, RoleVoter, 82 <security:intercept-url/> element, 81 UnanimousBased access-decision manager, 82 UsernamePasswordAuthenticationFilter, 80 remoting module, annotations, annotation, 120 Ruby, 292 Ruby on Rails (RoR), 292. See also Rails RunAsUserToken, 46 S Scala, 291 application access, 309 applicationcontext-security.xml, 307.bash_profile, 301 command-line interpreter, 302 functional programming, 301 Maven dependency, 303 mixin, 306 pom.xml file, 303 project creation, 302 REPL interpreter, 302 scalable language, 301 ScalaController class, 305 ScalaService class, 306 scala-servlet.xml file, annotation, 306 Service layer, 305 values and variables, 302 web.xml file, annotation, 116 SecuredController, 300 Secure Sockets Layer (SSL), 178 Security application layer ACLs, 4 authentication, 2, 4 authorization, 3 4 cross-site scripting, 7 denial, service attacks, 7 identity management, 7 Java options, 8 Network security layer, 1 operating system layer, 1 output sanitation, 7 secured connections, 7 sensitive data protection, 7 SQL injection, 7 SecurityExpressionHandler, 289 Security identity (SID), 207 Security interceptor AbstractSecurityInterceptor, 31 AccessDecisionManager, 30 AfterInvocationManager s, 31

5 FilterSecurityInterceptor, 30 MethodSecurityInterceptor, 30 preprocessing and postprocessing step, 30 UML class diagram, 30 sernamepasswordauthenticationtoken., 45 Service layer security access, 120 AccessOperationsImpl, AdminController, 112 applicationcontext-security.xml, CGLIB, 113 class cast exception, 116 class-level and method-level annotations, 116 Global-method-security, 116 login form, 117 MVC mechanism, 112 New AdminController hierarchy, 112 standard JDK proxies, 112 applicationcontext-security.xml file, standalone application, 137 AspectJ AOP applicationcontext-security.xml, 148 AspectJ Security Aspect, Controller TheController, 149 methoda debugging, 150 methodb debugging, page access, 150 pom.xml file for AspectJ example, 143 Service Service.java, 149 weaving, 141 web.xml, 147 business service-level security, 111 command outputs and exceptions, 139 FilterSecurityInterceptor, 117 main class, MethodSecurityInterceptor, 117 MovieController functionality, 119 MoviesService and MoviesServiceImpl, 118 package com.apress.pss.terrormovies.access, annotation, 120 SpEL expression (see e SpEL expression) tostring Method, 120 web-based authentication, 140 web-level security, 111 XML AspectJ Maven Dependency, 132 AspectJ pointcut expressions, 131 moviesservice Bean, 133 MoviesServiceImpl class, 132 Service tickets, 190 Servlet Filters, 111 Session-related events, 242 SpEL annotation, 123 afterinvocation, 124 MethodSecurityInterceptor wrapping, 124 movie access, 125 MoviesServiceImpl class, annotation admin user, 130 allmovies.jsp, 129 DefaultMethodSecurityExpressionHandl, 129 IllegalArgumentException, 129 MovieController method, 129 MoviesServiceImpl class, 129 standard user, annotation, annotation error page, 126 filterobject value, 126 input box, 126 MovieController, 125, MoviesServiceImpl method, 125, movie storage, 126 newmovies.jsp, 125, 127 pom.xml file, 126 security constraints, 121 Spring Framework Aspect Oriented Programming, 14 dependency injection, 13 Spring Security ACLs (see e Access control lists (ACLs)) Active Directory, 10 application process, 24 databases, 10 definition, 9 design and patterns Decorator Pattern, 55 dependency injection (DI), 56 SRP, 56 strategy pattern, 55 domain model, 10 event system AuthenticationProvider and User DetailsService, 243 authentication-related events, 240 authorization-related events, 239 event mechanism, 238 session-related events, foot view AccessDecisionManager, 49 AccessDecisionVoter, 51 ACL, 54 Authentication object, 44 AuthenticationProvider, 48 ConfigAttribute, 42 filters and filter chain (see e Filters and filter chain) JSP Taglib, 54 key components, 29 SecurityContext and SecurityContextHolder, 46 security interceptor (see e Security interceptor) 315

6 Spring Security (cont.) UserDetailsService and AuthenticationUserDetailsService, 52 XML namespace (see e XML namespace) 1,000-foot view, 28 10,000-foot view, 27 Github, 18 Gradle, 19 Grails method level, 300 web layer with URL rules, 297 Groovy, 291, 297 hiding elements, 11 HTTP status code handling, 11 Java, 10 Java EE Server, 11 JRuby, 291 layered security services, 10 LDAP, 10 Maven dependencies, 21 modules, 20 nonintrusive and declarative application, 11 OpenID, 10 open source software, 10 out-of-the-box integration, 9 password encryption changing security interceptor, 269 custom security filter, 262 extensions project, 271 handling errors and entry points, 265 New Expression Root and SpEL, 262 non-jdbc AclService, 262 nonvoter AccessDecisionManager, 259 sha-256 Individual Bean, 257 sha-256 Password encoder, 257 User Inserter Main Method, 257 voters in AccessDecisionManager, 257 public/private key certificates, 11 role-based authentication/authorization, and Ruby, 292 Scala (see e Scala) service layer, 11 Servlet-based web application Hello World message, 17 HelloWorldServlet, 17 Jetty plugin dependency, 16 pom.xml file with Servlet dependencies, 16 source code folder, 19 and Spring, 12 Spring Framework, 9 Aspect Oriented Programming, 14 dependency injection, 13 Spring Web Flow (see e Spring Web Flow) Struts 2 (see e Struts 2) web application, 10 web-layer security, Rails (see e Rails) web project configuration applicationcontext-security.xml, 22 incorrect user name result, 24 listener configuration, 23 Login page, 23 web.xml, 22 springsecurityfilterchain filter, 25, 284 Spring Web Flow applicationcontext-security.xml file, 285 buy.jsp, 287 DispatcherServlet servlet, 284 example-webflow.xml, 285 flow-executor, 288 main.jsp, pom.xml file, 281 products-servlet.xml file, 284 product.xml, 286 review.jsp, 287 SecurityFlowExecutionListener, 288 SpEL-based security, 289 springsecurityfilterchain filter, 284 Spring Security Listener bean, 288 web.xml, 283 working, 280 StateExpressionVoter, 289 StateSecurityExpressionRoot, 291 Strategy pattern, 55 Struts 2 applicationcontext.xml file, application file structure, 275 Java web framework, 273 MVC framework, 273 secured application, 280 secured HelloWorldAction, 279 Spring Security dependencies, pom.xml file, 277 struts.xml file, 275 web.xml with filter, 278 working, Symmetric encryption, 5 T taglibs module, 20 Truststore, 181 U, V UnsecuredController, 300 W Warbler, Web-level security, 111 web module,

7 Web security AdminController, 84 Apache Tomcat, 60 applicationcontext-security.xml, 86 ConcurrentSessionControlStrategy applicationcontext-security.xml, 101 chroem and firefox, 99 errors, 101 CustomInMemoryUserDetails Manager class, 88 Custom Login Form (see e Custom Login Form) custom User and lastname retrieving, 87 custom user class, 86 different pattern matchers, 101 different user inmemoryuserservicewith CustomUser, 96 MovieController, 98 Movie model class, 97 roles, 95 digest authentication, 78 ExpressionHandler access denied, 94 age attribute, 93 applicationcontext-security.xml, 93 configuration, 91 CustomWebSecurityExpression Handler, 92 CustomWebSecurityExpression Root, 93 Hello World page, 60 HTTP authentication, 77 HTTPS channel security, 102 configuration, 102 vs. HTTP, 102 pom.xml plugin section, self-signed certificate, 103 working principle, 104 InMemory model, 85 Jetty application, 60 JSP Taglib authentication, 107 <authorize> security tag, 106 MovieController, 105 output content, 105 security-oriented tags and attributes, 104 logging out, 83 new Maven web application, 57 pom.xml file, remember-me authentication (see e Remember-me authentication) role hierarchies, 108 SecurityContextHolder, 84 SessionFixationProtectionStrategy, 99 Spring expression language applicationcontext-security.xml file, 90 functionality, 89 WebExpressionVoter, 90 WebSecurityExpressionRoot, 90 Spring MVC Admin controller, 62 admin user and roles, 63 AnonymousAuthenticationFilter, 68 Authentication filter, 71 BasicAuthenticationFilter, 67 characteristics, 61 Curl command, 63 DefaultLoginPageGeneratingFilter, 67 endpoint method, 71 ExceptionTranslationFilter, 68 FilterSecurityInterceptor, 69 LogoutFilter, 67 movie creation, 63 RequestCacheAwareFilter, 67 RequestMapping annotation, 62 SecurityContextPersistenceFilter, 66 Servlet listener, 65 servlet-name value, 61 SessionManagementFilter, 68 terrormovies-servlet.xml, 64 URL access, 65 WEB-INF/terrormovies-servlet.xml file, 61 web.xml snippets, 61 X, Y, Z X.509 authentication applicationcontext-security.xml file, 179 certificate generation, 180 certificate pkcs, 182 client certificate, 182 pom.xml file, 178 private key, 180 truststore, 181 workflow, 183 XML AspectJ Maven Dependency, 132 AspectJ pointcut expressions, 131 moviesservice Bean, 133 MoviesServiceImpl class, XML namespace, 37 AUTHENTICATION_MANAGER, 39 AUTHENTICATION_PROVIDER, 39 <bean> based configuration, 35 BeanDefinitionParser objects, 37 DEBUG, 39 Domain Specific Language (DSL), 35 FILTER_CHAIN, 39 FILTER_INVOCATION_DEFINITION_SOURCE,

8 XML namespace (cont.) FILTER_SECURITY_METADATA_SOURCE, 39 GLOBAL_METHOD_SECURITY, 39 HTTP, 39 HTTP_FIREWALL, 39 integrated development environment (IDE), 35 JDBC_USER_SERVICE, 38 LDAP_PROVIDER, 38 LDAP_SERVER., 38 LDAP_USER_SERVICE, 38 load-up sequence, 36 META-INF directory, 36 METHOD_SECURITY_METADATA_SOURCE, 39 USER_SERVICE,