Spring Security 3: Secure your web applications against malicious intruders with this easy to follow practical guide


Spring Security 3
Secure your web applications against malicious intruders with this easy to follow practical guide
Peter Mularien
Packt Publishing (open source community experience distilled), Birmingham - Mumbai

Table of Contents

Preface

Chapter 1: Anatomy of an Unsafe Application
  Security audit
  About the sample application
  The JBCP pets application architecture
  Application technology
  Reviewing the audit results
  Authentication
  Authorization
  Database Credential Security
  Sensitive Information
  Transport-Level Protection
  Using Spring Security 3 to address security concerns
  Why Spring Security?
  Summary

Chapter 2: Getting Started with Spring Security
  Core security concepts
  Authentication
  Authorization
  Securing our application in three easy steps
  Implementing a Spring Security XML configuration file
  Adding the Spring DelegatingFilterProxy to your web.xml file
  Adding the Spring Security XML configuration file reference to web.xml
  Mind the gaps!
  Common problems
  Security is complicated: The architecture of secured web requests
  How requests are processed?
  What does auto-config do behind the scenes?
  How users are authenticated?
  What is spring_security_login and how did we get here?
  Where do the user's credentials get validated?
  When good authentication goes bad?
  How requests are authorized?
  Configuration of access decision aggregation
  Access configuration using Spring Expression Language
  Summary

Chapter 3: Enhancing the User Experience
  Customizing the login page
  Implementing a custom login page
  Implementing the login controller
  Adding the login JSP
  Configuring Spring Security to use our Spring MVC login page
  Understanding logout functionality
  Adding a Log Out link to the site header
  How logout works
  Changing the logout URL
  Logout configuration directives
  Remember me
  Implementing the remember me option
  How remember me works
  Remember me and the user lifecycle
  Remember me configuration directives
  Is remember me secure?
  Authorization rules differentiating remembered and fully authenticated sessions
  Building an IP-aware remember me service
  Customizing the remember me signature
  Implementing password change management
  Extending the in-memory credential store to support password change
  Extending InMemoryDaoImpl with InMemoryChangePasswordDaoImpl
  Configuring Spring Security to use InMemoryChangePasswordDaoImpl
  Building a change password page
  Adding a change password handler to AccountController
  Exercise notes
  Summary

Chapter 4: Securing Credential Storage
  Database-backed authentication with Spring Security
  Configuring a database-resident authentication store
  Creating the default Spring Security schema
  Configuring the HSQL embedded database
  Configuring JdbcDaoImpl authentication store
  Adding user definitions to the schema
  How database-backed authentication works
  Implementing a custom JDBC UserDetailsService
  Creating a custom JDBC UserDetailsService class
  Adding a Spring Bean declaration for the custom UserDetailsService
  Out of the box JDBC-based user management
  Advanced configuration of JdbcDaoImpl
  Configuring group-based authorization
  Configuring JdbcDaoImpl to use groups
  Modifying the initial load SQL script
  Modifying the embedded database creation declaration
  Using a legacy or custom schema with database-resident authentication
  Determining the correct JDBC SQL queries
  Configuring the JdbcDaoImpl to use custom SQL queries
  Configuring secure passwords
  Configuring password encoding
  Configuring the PasswordEncoder
  Configuring the AuthenticationProvider
  Writing the database bootstrap password encoder
  Configuring the bootstrap password encoder
  Would you like some salt with that password?
  Configuring a salted password
  Declaring the SaltSource Spring bean
  Wiring the PasswordEncoder to the SaltSource
  Augmenting DatabasePasswordSecurerBean
  Enhancing the change password functionality
  Configuring a custom salt source
  Extending the database schema
  Tweaking configuration of the CustomJdbcDaoImpl UserDetails service
  Overriding the baseline UserDetails implementation
  Extending the functionality of CustomJdbcDaoImpl
  Moving remember me to the database
  Configuring database-resident remember me tokens
  Adding SQL to create the remember me schema
  Adding new SQL script to the embedded database declaration
  Configuring remember me services to persist to the database
  Are database-backed persistent tokens more secure?
  Securing your site with SSL
  Setting up Apache Tomcat for SSL
  Generating a server key store
  Configuring Tomcat's SSL Connector
  Automatically securing portions of the site
  Secure port mapping
  Summary

Chapter 5: Fine-Grained Access Control
  Re-thinking application functionality and security
  Planning for application security
  Planning user roles
  Planning page-level security
  Methods of Fine-Grained authorization
  Using Spring Security Tag Library to conditionally render content
  Conditional rendering based on URL access rules
  Conditional rendering based on Spring EL Expressions
  Conditionally rendering the Spring Security 2 way
  Using controller logic to conditionally render content
  Adding conditional display of the Log In link
  Populating model data based on user credentials
  What is the best way to configure in-page authorization?
  Securing the business tier
  The basics of securing business methods
  method annotation
  Instructing Spring Security to use method annotations
  Validating method security
  Several flavors of method security
  JSR-250 compliant standardized rules
  Method security using Spring's Secured annotation
  Method security rules using Aspect Oriented Programming
  Comparing method authorization types
  How does method security work?
  Advanced method security
  Method security rules using bean decorators
  Method security rules incorporating method parameters
  How method parameter binding works
  Securing method data through Role-based filtering
  Adding Role-based data filtering
  Pre-filtering collections with
  Why use at all?
  A fair warning about method security
  Summary

Chapter 6: Advanced Configuration and Extension
  Writing a custom security filter
  IP filtering at the servlet filter level
  Writing our custom servlet filter
  Configuring the IP servlet filter
  Adding the IP servlet filter to the Spring Security filter chain
  Writing a custom Authentication Provider
  Implementing simple single sign-on with an AuthenticationProvider
  Customizing the authentication token
  Writing the request header processing servlet filter
  Writing the request header AuthenticationProvider
  Combining AuthenticationProviders
  Simulating single sign-on with request headers
  Considerations when writing a custom AuthenticationProvider
  Session management and concurrency
  Configuring session fixation protection
  Understanding session fixation attacks
  Preventing session fixation attacks with Spring Security
  Simulating a session fixation attack
  Comparing session-fixation-protection options
  Enhancing user protection with concurrent session control
  Configuring concurrent session control
  Understanding concurrent session control
  Testing concurrent session control
  Configuring expired session redirect
  Other benefits of concurrent session control
  Displaying a count of active users
  Displaying information about all users
  Understanding and configuring exception handling
  Configuring "Access Denied" handling
  Configuring an "Access Denied" destination URL
  Adding controller handling of AccessDeniedException
  Writing the Access Denied page
  What causes an AccessDeniedException
  The importance of the AuthenticationEntryPoint
  Configuring Spring Security infrastructure beans manually
  A high level overview of Spring Security bean dependencies
  Reconfiguring the web application
  Configuring a minimal Spring Security environment
  Configuring a minimal servlet filter set
  Configuring a minimal supporting object set
  Advanced Spring Security bean-based configuration
  Adjusting factors related to session lifecycle
  Manual configuration of other common services
  Declaring remaining missing filters
  LogoutFilter
  RememberMeAuthenticationFilter
  ExceptionTranslationFilter
  Explicit configuration of the SpEL expression evaluator and Voter
  Bean-based configuration of method security
  Wrapping up explicit configuration
  Which type of configuration should I choose?
  Authentication event handling
  Configuring an authentication event listener
  Declaring required bean dependencies
  Building a custom application event listener
  Out of the box ApplicationListeners
  Multitudes of application events
  Building a custom implementation of an SpEL expression handler
  Summary

Chapter 7: Access Control Lists
  Using Access Control Lists for business object security
  Access Control Lists in Spring Security
  Basic configuration of Spring Security ACL support
  Defining a simple target scenario
  Adding ACL tables to the HSQL database
  Configuring the Access Decision Manager
  Configuring supporting ACL beans
  Creating a simple ACL entry
  Advanced ACL topics
  How permissions work
  Custom ACL permission declaration
  ACL-Enabling your JSPs with the Spring Security JSP tag library
  Spring Expression Language support for ACLs
  Mutable ACLs and authorization
  Configuring a Spring transaction manager
  Interacting with the JdbcMutableAclService
  Ehcache ACL caching
  Configuring Ehcache ACL caching
  How Spring ACL uses Ehcache
  Considerations for a typical ACL deployment
  About ACL scalability and performance modelling
  Do not discount custom development costs
  Should I use Spring Security ACL?
  Summary

Chapter 8: Opening up to OpenID
  The promising world of OpenID
  Signing up for an OpenID
  Enabling OpenID authentication with Spring Security
  Writing an OpenID login form
  Configuring OpenID support in Spring Security
  Adding OpenID users
  The OpenID user registration problem
  How OpenID identifiers are resolved
  Implementing user registration with OpenID
  Adding the OpenID registration option
  Differentiating between a login and registration request
  Configuring a custom authentication failure handler
  Adding the OpenID registration functionality to the controller
  Attribute Exchange
  Enabling AX in Spring Security OpenID
  Real-world AX support and limitations
  Google OpenID support
  Is OpenID secure?
  Summary

Chapter 9: LDAP Directory Services
  Understanding LDAP
  LDAP
  Common LDAP attribute names
  Running an embedded LDAP server
  Configuring basic LDAP integration
  Configuring an LDAP server reference
  Enabling the LDAP AuthenticationProvider
  Troubleshooting embedded LDAP
  Understanding how Spring LDAP authentication works
  Authenticating user credentials
  Determining user role membership
  Mapping additional attributes of UserDetails
  Advanced LDAP configuration
  Sample JBCP LDAP users
  Password comparison versus Bind authentication
  Configuring basic password comparison
  LDAP password encoding and storage
  The drawbacks of a Password Comparison Authenticator
  Configuring the UserDetailsContextMapper
  Implicit configuration of a UserDetailsContextMapper
  Viewing additional user details
  Using an alternate password attribute
  Using LDAP as a UserDetailsService
  Notes about remember me with an LDAP UserDetailsService
  Configuration for an In-Memory remember me service
  Integrating with an external LDAP server
  Explicit LDAP bean configuration
  Configuring an external LDAP server reference
  Configuring an LdapAuthenticationProvider
  Integrating with Microsoft Active Directory via LDAP
  Delegating role discovery to a UserDetailsService
  Summary

Chapter 10: Single Sign On with Central Authentication Service
  Introducing Central Authentication Service
  High level CAS authentication flow
  Spring Security and CAS
  CAS installation and configuration
  Configuring basic CAS integration
  Adding the CasAuthenticationEntryPoint
  Enabling CAS ticket verification
  Proving authenticity with the CasAuthenticationProvider
  Advanced CAS configuration
  Retrieval of attributes from CAS assertion
  How CAS internal authentication works
  Configuring CAS to connect to our embedded LDAP server
  Getting UserDetails from a CAS assertion
  Examining the CAS assertion
  Mapping LDAP attributes to CAS attributes
  Finally, returning the attributes in the CAS assertion
  Alternative Ticket authentication using SAML
  How is Attribute Retrieval useful?
  Additional CAS capabilities
  Summary

Chapter 11: Client Certificate Authentication
  How Client Certificate authentication works
  Setting up a Client Certificate authentication infrastructure
  Understanding the purpose of a public key infrastructure
  Creating a client certificate key pair
  Configuring the Tomcat trust store
  Importing the certificate key pair into a browser
  Using Firefox
  Using Internet Explorer
  Wrapping up testing
  Troubleshooting Client Certificate authentication
  Configuring Client Certificate authentication in Spring Security
  Configuring Client Certificate authentication using the security namespace
  How Spring Security uses certificate information
  How Spring Security certificate authentication works
  Other loose ends
  Supporting Dual-Mode authentication
  Configuring Client Certificate authentication using Spring Beans
  Additional capabilities of bean-based configuration
  Considerations when implementing Client Certificate authentication
  Summary

Chapter 12: Spring Security Extensions
  Spring Security Extensions
  A primer on Kerberos and SPNEGO authentication
  Kerberos authentication in Spring Security
  Overall Kerberos Spring Security authentication flow
  Getting prepared
  Assumptions for our examples
  Creating a keytab file
  Configuring Kerberos-related Spring beans
  Wiring SPNEGO beans to the security namespace
  Adding the Application Server machine to a Kerberos realm
  Special considerations for Firefox users
  Troubleshooting
  Verifying connectivity with standard tools
  Enabling Java GSS-API debugging
  Other troubleshooting steps
  Configuring LDAP UserDetailsService with Kerberos
  Using form login with Kerberos
  Summary

Chapter 13: Migration to Spring Security
  Migrating from Spring Security
  Enhancements in Spring Security
  Changes to configuration in Spring Security
  Rearranged AuthenticationManager configuration
  New configuration syntax for session management options
  Changes to custom filter configuration
  Changes to CustomAfterInvocationProvider
  Minor configuration changes
  Changes to packages and classes
  Summary

Appendix: Additional Reference Material
  Getting started with JBCP Pets sample code
  Available application events
  Spring Security virtual URLs
  Method security explicit bean configuration
  Logical filter names migration reference

Index
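The "three easy steps" that Chapter 2 walks through (a Spring Security XML configuration file, the DelegatingFilterProxy in web.xml, and the reference to the configuration file in web.xml), carried through as an added example. This is not code from the book or from the JBCP Pets sample; the file path, the URL patterns, the guest account and the remember-me key are assumptions. Beyond the three steps, it also wires in the Spring Security 3.0 namespace features that later chapters cover: expression-based access rules, an isFullyAuthenticated() rule so a remember-me cookie alone cannot reach account pages (Chapter 3), and session fixation protection (Chapter 6).

```xml
<!-- web.xml (fragment): steps 2 and 3. Assumed path for the security configuration. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/security.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- The filter name must be springSecurityFilterChain: DelegatingFilterProxy looks up
     a bean of that name in the root application context, and the <http> element
     below registers it. The proxy itself holds no security logic. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- /WEB-INF/spring/security.xml: step 1, the security namespace configuration. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- use-expressions="true" makes the access attribute a SpEL expression.
         intercept-url rules are matched top to bottom; the first match wins,
         so the most specific patterns come first and /** is the catch-all. -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login.do" access="permitAll" />
        <!-- A session restored from a remember-me cookie is authenticated but not
             fully authenticated; account pages require a fresh credential check. -->
        <intercept-url pattern="/account/**" access="isFullyAuthenticated()" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

        <form-login login-page="/login.do"
                    authentication-failure-url="/login.do?error=true" />
        <logout logout-url="/logout" logout-success-url="/login.do" />

        <!-- key is the secret mixed into the remember-me cookie signature; an
             attacker who learns it can mint cookies. Assumed value, keep the real
             one out of source control. -->
        <remember-me key="jbcpPetsRememberMeKey" />

        <!-- Issue a new session id at login so an id planted by an attacker
             before authentication is not promoted to an authenticated session. -->
        <session-management session-fixation-protection="migrateSession" />
    </http>

    <!-- In-memory users are for the first run only; Chapter 4 moves credentials
         to a database with encoded, salted passwords. Assumed account. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="guest" password="guest" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

A quick check after deploying: requesting /account/ with only the remember-me cookie present should redirect to /login.do rather than serve the page, and the JSESSIONID value should change across a successful login.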


IBM WebSphere Server Administration

IBM WebSphere Server Administration IBM WebSphere Server Administration This course teaches the administration and deployment of web applications in the IBM WebSphere Application Server. Duration 24 hours Course Objectives Upon completion

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

Developing ASP.NET MVC 4 Web Applications

Developing ASP.NET MVC 4 Web Applications Course M20486 5 Day(s) 30:00 Hours Developing ASP.NET MVC 4 Web Applications Introduction In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework 4.5 tools

More information

UPGRADING TO XI 3.1 SP6 AND SINGLE SIGN ON. Chad Watson Sr. Business Intelligence Developer

UPGRADING TO XI 3.1 SP6 AND SINGLE SIGN ON. Chad Watson Sr. Business Intelligence Developer UPGRADING TO XI 3.1 SP6 AND SINGLE SIGN ON Chad Watson Sr. Business Intelligence Developer UPGRADING TO XI 3.1 SP6 What Business Objects Administrators should consider before installing a Service Pack.

More information

WebSphere Training Outline

WebSphere Training Outline WEBSPHERE TRAINING WebSphere Training Outline WebSphere Platform Overview o WebSphere Product Categories o WebSphere Development, Presentation, Integration and Deployment Tools o WebSphere Application

More information

Spring Security. Reference Documentation. 2.0.x. Copyright 2005-2007

Spring Security. Reference Documentation. 2.0.x. Copyright 2005-2007 Spring Security Reference Documentation 2.0.x Copyright 2005-2007 Preface... vi I. Getting Started... 1 1. Introduction... 2 1.1. What is Spring Security?... 2 1.2. History... 3 1.3. Release Numbering...

More information

Tableau Server Security. Version 8.0

Tableau Server Security. Version 8.0 Version 8.0 Author: Marc Rueter Senior Director, Strategic Solutions, Tableau Software June 2013 p2 Today s enterprise class systems need to provide robust security in order to meet the varied and dynamic

More information

Implementing CAS. Adam Rybicki. 2010 Jasig Conference, San Diego, CA March 7, 2010

Implementing CAS. Adam Rybicki. 2010 Jasig Conference, San Diego, CA March 7, 2010 Implementing CAS Adam Rybicki 2010 Jasig Conference, San Diego, CA March 7, 2010 Copyright Unicon, Inc., 2009. This work is the intellectual property of Unicon, Inc. Permission is granted for this material

More information

Copyright: WhosOnLocation Limited

Copyright: WhosOnLocation Limited How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and

More information

SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS

SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS 1,2 XIANG LIYUN, 1 FANG ZHIYI, 1 SUN HONGYU 1 College of Computer Science and Technology, Jilin University, Changchun, China 2 Department of Computer

More information

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Leverage Active Directory with Kerberos to Eliminate HTTP Password Leverage Active Directory with Kerberos to Eliminate HTTP Password PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website: www.pistolstar.com

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Tomcat 5 New Features

Tomcat 5 New Features Tomcat 5 New Features ApacheCon US 2003 Session MO10 11/17/2003 16:00-17:00 Craig R. McClanahan Senior Staff Engineer Sun Microsystems, Inc. Slides: http://www.apache.org/~craigmcc/ Agenda Introduction

More information

PingFederate. IWA Integration Kit. User Guide. Version 3.0

PingFederate. IWA Integration Kit. User Guide. Version 3.0 PingFederate IWA Integration Kit Version 3.0 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 3.0 April, 2012 Ping Identity Corporation

More information

entries_inheriting, 208

entries_inheriting, 208 Index A AbstractSecurityInterceptor, 31 AbstractSecurityInterceptor s beforeinvocation method, 122 Access Control Entry (ACE), 207 Access control lists (ACLs) accessing secured objects AclEntryVoter(s),

More information

Getting Started with AD/LDAP SSO

Getting Started with AD/LDAP SSO Getting Started with AD/LDAP SSO Active Directory and LDAP single sign- on (SSO) with Syncplicity Business Edition accounts allows companies of any size to leverage their existing corporate directories

More information

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5 DEPLOYMENT GUIDE Version 1.1 Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5 Table of Contents Table of Contents Deploying the BIG-IP system v10 with Citrix Presentation Server Prerequisites

More information

OPENIAM ACCESS MANAGER. Web Access Management made Easy

OPENIAM ACCESS MANAGER. Web Access Management made Easy OPENIAM ACCESS MANAGER Web Access Management made Easy TABLE OF CONTENTS Introduction... 3 OpenIAM Access Manager Overview... 4 Access Gateway... 4 Authentication... 5 Authorization... 5 Role Based Access

More information

CHAPTER 1 - JAVA EE OVERVIEW FOR ADMINISTRATORS

CHAPTER 1 - JAVA EE OVERVIEW FOR ADMINISTRATORS CHAPTER 1 - JAVA EE OVERVIEW FOR ADMINISTRATORS Java EE Components Java EE Vendor Specifications Containers Java EE Blueprint Services JDBC Data Sources Java Naming and Directory Interface Java Message

More information

Unlocking the Secrets of Alfresco Authentication. Mehdi BELMEKKI,! Consultancy Team! Alfresco!

Unlocking the Secrets of Alfresco Authentication. Mehdi BELMEKKI,! Consultancy Team! Alfresco! Unlocking the Secrets of Alfresco Authentication Mehdi BELMEKKI,! Consultancy Team! Alfresco! Agenda Introduction! Talk objectives! Repository Authentication! Share Authentication! External Authentication!

More information

Setup Guide Access Manager 3.2 SP3

Setup Guide Access Manager 3.2 SP3 Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved. Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,

More information

NetIQ Identity Manager Setup Guide

NetIQ Identity Manager Setup Guide NetIQ Identity Manager Setup Guide July 2015 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

More information

Oracle WebLogic Server 11g Administration

Oracle WebLogic Server 11g Administration Oracle WebLogic Server 11g Administration This course is designed to provide instruction and hands-on practice in installing and configuring Oracle WebLogic Server 11g. These tasks include starting and

More information

Microsoft Active Directory Oracle Enterprise Gateway Integration Guide

Microsoft Active Directory Oracle Enterprise Gateway Integration Guide An Oracle White Paper May 2011 Microsoft Active Directory Oracle Enterprise Gateway Integration Guide 1/33 Disclaimer The following is intended to outline our general product direction. It is intended

More information

LDAP and Integrated Technologies: A Simple Primer Brian Kowalczyk, Kowal Computer Solutions Inc., IL Richard Kerwin, R.K. Consulting Inc.

LDAP and Integrated Technologies: A Simple Primer Brian Kowalczyk, Kowal Computer Solutions Inc., IL Richard Kerwin, R.K. Consulting Inc. LDAP and Integrated Technologies: A Simple Primer Brian Kowalczyk, Kowal Computer Solutions Inc., IL Richard Kerwin, R.K. Consulting Inc., IL ABSTRACT SAS Integration Technologies and LDAP(Lightweight

More information

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9 CA Adapter Installation and Configuration Guide for Windows r2.2.9 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

User Identification (User-ID) Tips and Best Practices

User Identification (User-ID) Tips and Best Practices User Identification (User-ID) Tips and Best Practices Nick Piagentini Palo Alto Networks www.paloaltonetworks.com Table of Contents PAN-OS 4.0 User ID Functions... 3 User / Group Enumeration... 3 Using

More information

CatDV Pro Workgroup Serve r

CatDV Pro Workgroup Serve r Architectural Overview CatDV Pro Workgroup Server Square Box Systems Ltd May 2003 The CatDV Pro client application is a standalone desktop application, providing video logging and media cataloging capability

More information

GENERAL OVERVIEW OF VARIOUS SSO SYSTEMS: ACTIVE DIRECTORY, GOOGLE & FACEBOOK

GENERAL OVERVIEW OF VARIOUS SSO SYSTEMS: ACTIVE DIRECTORY, GOOGLE & FACEBOOK Antti Pyykkö, Mikko Malinen, Oskari Miettinen GENERAL OVERVIEW OF VARIOUS SSO SYSTEMS: ACTIVE DIRECTORY, GOOGLE & FACEBOOK TJTSE54 Assignment 29.4.2008 Jyväskylä University Department of Computer Science

More information

Course Name: Course in JSP Course Code: P5

Course Name: Course in JSP Course Code: P5 Course Name: Course in JSP Course Code: P5 Address: Sh No BSH 1,2,3 Almedia residency, Xetia Waddo Duler Mapusa Goa E-mail Id: ITKP@3i-infotech.com Tel: (0832) 2465556 (0832) 6454066 Course Code: P5 3i

More information

Windows Security and Directory Services for UNIX using Centrify DirectControl

Windows Security and Directory Services for UNIX using Centrify DirectControl SOLUTION GUIDE CENTRIFY CORP. SEPTEMBER 2005 Windows Security and Directory Services for UNIX using Centrify DirectControl With Centrify, you can now fully leverage your investment in Active Directory

More information

WebSphere Server Administration Course

WebSphere Server Administration Course WebSphere Server Administration Course Chapter 1. Java EE and WebSphere Overview Goals of Enterprise Applications What is Java? What is Java EE? The Java EE Specifications Role of Application Server What

More information

Server based signature service. Overview

Server based signature service. Overview 1(11) Server based signature service Overview Based on federated identity Swedish e-identification infrastructure 2(11) Table of contents 1 INTRODUCTION... 3 2 FUNCTIONAL... 4 3 SIGN SUPPORT SERVICE...

More information

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001 Securing access to Citrix applications using Citrix Secure Gateway and SafeWord PremierAccess App Note December 2001 DISCLAIMER: This White Paper contains Secure Computing Corporation product performance

More information

SSO Plugin. Release notes. J System Solutions. http://www.javasystemsolutions.com Version 3.6

SSO Plugin. Release notes. J System Solutions. http://www.javasystemsolutions.com Version 3.6 SSO Plugin Release notes J System Solutions Version 3.6 JSS SSO Plugin v3.6 Release notes What's new... 3 Improved Integrated Windows Authentication... 3 BMC ITSM self service... 3 Improved BMC ITSM Incident

More information

Using weblock s Servlet Filters for Application-Level Security

Using weblock s Servlet Filters for Application-Level Security Using weblock s Servlet Filters for Application-Level Security September 2006 www.2ab.com Introduction Access management is a simple concept. Every business has information that needs to be protected from

More information

Unified Access for Enterprise Users

Unified Access for Enterprise Users Unified Access for Enterprise Users Informational webinar Chinmay Meghani Liferay Portal Specialist Fulcrum Worldwide, Inc. Mehria Askaryar Business Development Manager Fulcrum Worldwide, Inc. Agenda Introduction

More information

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Securing WebFOCUS A Primer. Bob Hoffman Information Builders Securing WebFOCUS A Primer Bob Hoffman Information Builders 1 Agenda Gain an understanding of the WebFOCUS Architecture Where can security be implemented? Review the internal WebFOCUS repository and resource

More information

Building Secure Applications. James Tedrick

Building Secure Applications. James Tedrick Building Secure Applications James Tedrick What We re Covering Today: Accessing ArcGIS Resources ArcGIS Web App Topics covered: Using Token endpoints Using OAuth/SAML User login App login Portal ArcGIS

More information

Secure the Web: OpenSSO

Secure the Web: OpenSSO Secure the Web: OpenSSO Sang Shin, Technology Architect Sun Microsystems, Inc. javapassion.com Pat Patterson, Principal Engineer Sun Microsystems, Inc. blogs.sun.com/superpat 1 Agenda Need for identity-based

More information

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x Active Innovations, Inc. Copyright 1998 2015 www.inforouter.com Installing the LDAP Authentication Web Service

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

APPLICATION SECURITY ENHANCEMENTS IN JAVA EE 6

APPLICATION SECURITY ENHANCEMENTS IN JAVA EE 6 APPLICATION SECURITY ENHANCEMENTS IN JAVA EE 6 SRINI PENCHIKALA Austin Java User Group Meeting October 26, 2010 ABOUT THE SPEAKER Security Architect Certified Scrum Master Author, Editor (InfoQ) IASA Austin

More information

Reference Documentation

Reference Documentation Reference Documentation 1.0.0 RC 1 Copyright (c) 2004 - Ben Alex Table of Contents Preface... iv 1. Security... 1 1.1. Before You Begin... 1 1.2. Introduction... 1 1.2.1. Current Status... 1 1.3. High

More information

Siteminder Integration Guide

Siteminder Integration Guide Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with

More information