Acegi Security
Aureliusz Rempala, Emily Brand, Fan Wang

Agenda: What is Acegi Security; Key features; Conclusion; Examples in reality; References




- What is Acegi Security?
  Provides
  o advanced authentication
  o advanced authorization
  o and other security features for enterprise applications built on the Spring Framework
  It is an official Spring sub-project; commercial support and training are available from Interface21.

  Authentication procedure (run for every request):
  1. Check whether the requested resource is secured at all
  2. Check whether the user has been authenticated
  3. Check whether the authenticated user is authorized for that resource
  4. Serve the requested resource

- Authentication Overview
  Key participants in the authentication mechanism:
  o ExceptionTranslationFilter: catches any Acegi Security exception thrown further down the filter chain (an AuthenticationException or an AccessDeniedException) and decides how to respond to it.
  o AuthenticationEntryPoint: when the user is not authenticated, sends back a response telling the user agent that it must authenticate (a redirect to the login form, or a 401 with a WWW-Authenticate header for BASIC).
  o The authentication mechanism collects authentication details from a user agent (usually a web browser), builds an "Authentication request" object from the collected data, and presents that Authentication object to the AuthenticationManager, which hands it to an AuthenticationProvider.
  o The AuthenticationProvider obtains a UserDetails object from the UserDetailsService, validates the content of the Authentication request against the UserDetails object (for example by comparing the presented password with the stored one), and, if authentication succeeds, a fully populated Authentication object carrying the user's granted authorities is placed in the SecurityContextHolder.

- Key features (cont.)
  Acegi performs HTTP session authentication through the use of a servlet filter.
  web.xml:

    <filter>
      <filter-name>Acegi Authentication Processing Filter</filter-name>
      <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
      <init-param>
        <param-name>targetClass</param-name>
        <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>Acegi Authentication Processing Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

  FilterToBeanProxy is a thin servlet filter that delegates to the Spring bean identified by targetClass (or targetBean), so the real filter is configured as an ordinary bean. How and when authentication takes place is therefore decided by the content of applicationContext.xml. (The net.sf.acegisecurity package prefix on this slide is the Acegi 0.x naming; from Acegi 1.0 on the classes live under org.acegisecurity, as on the following slides.)

- securityContext.xml
  FilterChainProxy
  o all requests pass through this bean
  o defines a cascade of filters
  o allows a different set of filters to be defined for different URL patterns (the first matching pattern wins)
  o the order of the filters is important: they run in the order listed, so the session integration filter must come first, the ExceptionTranslationFilter must precede the interceptor whose exceptions it handles, and the anonymous filter must come after the real authentication filters
  Sample FilterChainProxy bean:

    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
        <value><![CDATA[
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
        ]]></value>
      </property>
    </bean>

- Commonly Used Filters
  HttpSessionContextIntegrationFilter:
  o keeps the contents of the SecurityContext between HTTP requests (stores it in the HttpSession at the end of a request and restores it at the start of the next)
  AuthenticationProcessingFilter:
  o form-based authentication (a JSP login page, for example)
  BasicProcessingFilter:
  o BASIC authentication via the HTTP Authorization header (typical for web services)
  RememberMeProcessingFilter:
  o authenticates from a remember-me cookie when the request carries no other authentication
  AnonymousProcessingFilter:
  o populates the context with an anonymous Authentication when nothing else has authenticated the request, so anonymous access can be granted explicitly (ROLE_ANONYMOUS)
  FilterSecurityInterceptor:
  o protects web URIs (the filterInvocationInterceptor bean at the end of the chain above)

- Filters (a closer look)
  HttpSessionContextIntegrationFilter:

    <bean id="httpSessionContextIntegrationFilter"
          class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

  AuthenticationProcessingFilter (the login form posts to filterProcessesUrl):

    <bean id="authenticationProcessingFilter"
          class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
      <property name="defaultTargetUrl" value="/"/>
      <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
      <property name="rememberMeServices" ref="rememberMeServices"/>
    </bean>

  BasicProcessingFilter:

    <bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
      <property name="authenticationManager"><ref local="authenticationManager"/></property>
      <property name="authenticationEntryPoint"><ref local="basicProcessingFilterEntryPoint"/></property>
    </bean>

- Filters (a closer look)
  RememberMeProcessingFilter:

    <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
      <property name="authenticationManager"><ref local="authenticationManager"/></property>
      <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
    </bean>

    <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="key" value="changeThis"/>
    </bean>

  AnonymousProcessingFilter:

    <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
      <property name="key" value="changeThis"/>
      <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
    </bean>

  The two key properties are server-side secrets, and "changeThis" is a placeholder that must actually be changed. TokenBasedRememberMeServices uses its key as the secret ingredient of the hash that signs the remember-me cookie, so anyone who learns it (and a user's stored password value) can mint cookies without logging in. The AnonymousProcessingFilter key is copied into every AnonymousAuthenticationToken and checked by the AnonymousAuthenticationProvider, which is how the provider knows the token was created by this filter and not injected from elsewhere; the same value must be configured on both beans.
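To make the role of the remember-me key concrete, here is an added example that models the cookie TokenBasedRememberMeServices issues and the check RememberMeProcessingFilter performs on it. This is not Acegi code: it re-implements the documented cookie layout (base64 of username:expiry:MD5hex(username:expiry:password:key)), the user store is constructed for the demo, and the constant-time comparison is this example's choice rather than something the original class does.

```python
"""Model of the cookie issued by TokenBasedRememberMeServices (added example, not Acegi code).

Cookie layout: base64( username ":" expiryMillis ":" md5hex( username ":" expiryMillis ":" password ":" key ) )
"""
import base64
import binascii
import hashlib
import hmac
import time

# Constructed user store in the style of users.properties: clear-text password
# values, as InMemoryDaoImpl holds them when no PasswordEncoder is configured.
USERS = {"marissa": "koala", "dianne": "emu"}


def _signature(username, expiry_ms, password, key):
    data = f"{username}:{expiry_ms}:{password}:{key}".encode()
    return hashlib.md5(data).hexdigest()   # MD5 is what the original class used


def make_cookie(username, password, key, validity_seconds, now_ms=None):
    """What the server sets after a successful login with 'remember me' ticked."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    expiry = now_ms + validity_seconds * 1000
    token = f"{username}:{expiry}:{_signature(username, expiry, password, key)}"
    return base64.b64encode(token.encode()).decode()


def auto_login(cookie_value, key, user_store, now_ms=None):
    """What the filter does on a later request: the username if the cookie
    checks out, otherwise None (the request then falls through to anonymous)."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        parts = base64.b64decode(cookie_value, validate=True).decode().split(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expiry, presented = parts[0], int(parts[1]), parts[2]
    if expiry < now_ms:
        return None                                   # expired
    password = user_store.get(username)
    if password is None:
        return None                                   # unknown user
    expected = _signature(username, expiry, password, key)
    if not hmac.compare_digest(expected, presented):
        return None                                   # tampered, or signed with another key
    return username


def demo(now_ms=1_700_000_000_000):
    key = "changeThis"                                # the placeholder from the slide
    two_weeks = 14 * 24 * 3600
    cookie = make_cookie("marissa", USERS["marissa"], key, two_weeks, now_ms)
    # An attacker who knows the key and marissa's stored password value can mint
    # a token with any expiry without ever logging in.
    forged = make_cookie("marissa", "koala", key, 10 * 365 * 24 * 3600, now_ms)
    # Flipping the username inside an otherwise genuine cookie breaks the signature.
    tampered = base64.b64encode(
        base64.b64decode(cookie).replace(b"marissa", b"dianne")).decode()
    return {
        "valid": auto_login(cookie, key, USERS, now_ms),
        "wrong_key": auto_login(cookie, "a-different-key", USERS, now_ms),
        "expired": auto_login(cookie, key, USERS, now_ms + (two_weeks + 1) * 1000),
        "tampered": auto_login(tampered, key, USERS, now_ms),
        "forged_with_known_key": auto_login(forged, key, USERS, now_ms),
        # Changing the password invalidates every outstanding token for that user.
        "after_password_change": auto_login(cookie, key, {"marissa": "newpass"}, now_ms),
        "garbage": auto_login("not base64!!", key, USERS, now_ms),
    }
```

Two things follow from the layout. The key must be a long random value unique to the deployment, because it is the only secret the cookie depends on that is not also stored in the user database. And because the stored password value is part of the hash, a leak of users.properties (or of an unsalted password table) together with the key allows offline minting of long-lived cookies for every user, which is the case the forged entry in demo() shows.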

- Filters (a closer look)
  FilterSecurityInterceptor:
  o wires together the managers that take part in the decision: the AuthenticationManager (to authenticate the Authentication in the context if that has not happened yet) and the AccessDecisionManager (to decide on access)
  o its objectDefinitionSource maps URL patterns to the attributes (roles) required; the first matching pattern wins, so more specific URLs must be listed at the top and the catch-all /** last
  o a URL that matches no pattern is treated as public, so leaving out the catch-all silently opens every unlisted URL
  o when CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON is used, write the patterns in lowercase

    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager">
        <ref bean="authenticationManager"/>
      </property>
      <property name="accessDecisionManager">
        <ref local="httpRequestAccessDecisionManager"/>
      </property>
      <property name="objectDefinitionSource">
        <value><![CDATA[
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /index.jsp=ROLE_ANONYMOUS,ROLE_USER
          /switchuser.jsp=ROLE_SUPERVISOR
          /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
          /**=ROLE_USER
        ]]></value>
      </property>
    </bean>

  The URL that is matched includes the query string, which is why the login page pattern ends in "*": /acegilogin.jsp?login_error=1 must still be reachable without a login.
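The ordering rule on this slide is easiest to see by running the lookup. The following is an added example, not Acegi code: it re-implements the documented lookup behaviour of the objectDefinitionSource (Ant-style patterns, first matching pattern wins, optional lowercasing of the request URL, no match means public) so the pitfalls can be tried offline. ant_to_regex is a simplified approximation of Spring's AntPathMatcher, and the three rule sets are constructed for the demo.

```python
"""Model of how FilterSecurityInterceptor consults its objectDefinitionSource
(added example, not Acegi code)."""
import re


def ant_to_regex(pattern):
    """'**' matches any number of path segments, '*' anything within one
    segment, '?' a single character; everything else is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_definition_source(text):
    """Parse the CDATA block: directive lines first, then one
    'pattern=ROLE_A,ROLE_B' line per rule, kept in the order written."""
    lowercase, rules = False, []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line == "PATTERN_TYPE_APACHE_ANT":
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
            continue
        pattern, roles = line.split("=", 1)
        rules.append((pattern, ant_to_regex(pattern), [r.strip() for r in roles.split(",")]))
    return lowercase, rules


def required_roles(definition, url):
    """Attributes of the first matching rule, or None when nothing matches
    (the interceptor then treats the URL as public). 'url' is the servlet
    path plus query string, as in a FilterInvocation."""
    lowercase, rules = definition
    if lowercase:
        url = url.lower()
    for _pattern, regex, roles in rules:
        if regex.match(url):
            return roles
    return None


SLIDE_RULES = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/switchuser.jsp=ROLE_SUPERVISOR
/acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER
"""

# Same rules with the catch-all moved to the top: the mistake the slide warns about.
CATCH_ALL_FIRST = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=ROLE_USER
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/switchuser.jsp=ROLE_SUPERVISOR
"""

# No catch-all and no lowercasing: constructed to show what is left unprotected.
NO_CATCH_ALL = """
PATTERN_TYPE_APACHE_ANT
/switchuser.jsp=ROLE_SUPERVISOR
"""


def demo():
    good = parse_definition_source(SLIDE_RULES)
    bad = parse_definition_source(CATCH_ALL_FIRST)
    open_ended = parse_definition_source(NO_CATCH_ALL)
    return {
        # anonymous users may see the home page
        "index_good": required_roles(good, "/index.jsp"),
        # catch-all first: the specific rule is shadowed, anonymous users are locked out
        "index_bad": required_roles(bad, "/index.jsp"),
        # the matched URL carries the query string, hence the trailing '*' on the slide
        "login_with_query": required_roles(good, "/acegilogin.jsp?login_error=1"),
        # lowercasing stops a case-variant spelling from skipping the supervisor rule
        "case_variant": required_roles(good, "/SwitchUser.JSP"),
        "case_variant_no_lowercase": required_roles(open_ended, "/SwitchUser.JSP"),
        # without a trailing /** rule an unlisted URL is simply not secured
        "unlisted_no_catch_all": required_roles(open_ended, "/admin/secret.jsp"),
    }
```

The case-variant entries are the reason the lowercase directive exists: on a container or file system that serves /SwitchUser.JSP and /switchuser.jsp as the same page, a rule that only matches the lowercase spelling is a bypass unless the request URL is normalised before comparison.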

- Authentication Manager
  The AuthenticationManager is responsible for passing authentication requests through a chain of AuthenticationProviders. It might be configured as follows:

    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref local="daoAuthenticationProvider"/>
          <ref local="anonymousAuthenticationProvider"/>
          <ref local="rememberMeAuthenticationProvider"/>
        </list>
      </property>
    </bean>

  Each provider declares which Authentication classes it supports; the manager tries the providers in the order listed, and the first one that supports the request and returns a non-null result wins.

- Authentication Provider
  DaoAuthenticationProvider delegates to a UserDetailsService, which is where principal information such as usernames, passwords and granted authorities (access rights) is loaded from.

    <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="userDetailsService"/>
    </bean>

    <!-- UserDetailsService is the Acegi Security interface most commonly implemented by end users -->
    <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
      <property name="userProperties">
        <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
          <property name="location" value="/WEB-INF/users.properties"/>
        </bean>
      </property>
    </bean>

  Each line of users.properties has the form username=password,ROLE_ONE,ROLE_TWO. DaoAuthenticationProvider compares passwords in clear text unless a passwordEncoder (and, ideally, a saltSource) is configured on it, so the in-memory DAO is fine for a demo but a real store with hashed, salted passwords is needed in production.

- Key features (cont.)
  Authentication Provider (easy to understand, configure and demonstrate)
  o ProviderManager
    the most popular AuthenticationManager implementation
    a wrapper around a list of one or more AuthenticationProviders supplied to the class
    the authenticate method of the AuthenticationManager delegates to a specific provider
    the wrapper cycles through the list of providers until it locates one compatible with the Authentication request
  o Recommendation for developers
    examine the available providers (DAO-backed, LDAP, CAS, JAAS, X.509 and others) to determine the one that best suits your needs

- Key features
  Authorization - Security Interception
  o the key to protecting resources under Acegi
  o an interceptor sits in front of the resource; before access is allowed it determines whether the resource is protected at all (whether any configuration attributes apply to it)
  o if it is protected, the interceptor makes sure the caller is authenticated, asking the AuthenticationManager if necessary
  o assuming the user is authenticated, it delegates to an implementation of AccessDecisionManager, which receives the key parameters: the authenticated Authentication object, the secure object being invoked and that resource's configuration attributes
  o the final decision on access is left in the hands of the AccessDecisionManager, which either returns normally or throws an AccessDeniedException

- Key features (cont.)
  AccessDecisionManager
  o polls its configured AccessDecisionVoters and tallies the votes; each voter answers ACCESS_GRANTED, ACCESS_DENIED or ACCESS_ABSTAIN
    ConsensusBased: grants or denies access based on the majority of non-abstain votes (a tie is granted unless allowIfEqualGrantedDeniedDecisions is set to false)
    UnanimousBased: requires unanimous consent, i.e. a single deny vote denies access; abstains are ignored. It puts each configuration attribute to the voters separately, so with a RoleVoter a list such as ROLE_A,ROLE_B means the user needs both roles, whereas the other two strategies treat it as either role
    AffirmativeBased: grants access if at least one grant vote is received; deny votes are disregarded as long as someone granted
  o in all three, a request on which every voter abstains is denied unless allowIfAllAbstainDecisions is set to true (fail closed by default)

- Key features (cont.)
  Configure the authorization system starting with the RoleVoter and UnanimousBased.
  applicationContext.xml:

    <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

    <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.UnanimousBased">
      <property name="allowIfAllAbstainDecisions">
        <value>false</value>
      </property>
      <property name="decisionVoters">
        <list>
          <ref local="roleVoter"/>
        </list>
      </property>
    </bean>

  allowIfAllAbstainDecisions=false keeps the fail-closed default: a URL whose attributes no voter understands is denied rather than silently opened. RoleVoter only votes on attributes that start with ROLE_ (the prefix is configurable) and abstains on everything else.
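The three tallying strategies, and the way UnanimousBased votes attribute by attribute, are worth seeing side by side, because the same URL rule can pass under AffirmativeBased and fail under UnanimousBased. The following is an added example, not Acegi code: RoleVoter, AuthenticatedVoter and the three managers are re-implemented from their documented semantics, and the principals and the SENSITIVE attribute list are constructed for the demo; INDEX_JSP is the attribute list from the /index.jsp rule on the earlier slide.

```python
"""Model of Acegi's vote-tallying AccessDecisionManagers (added example, not Acegi code)."""
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1


class AccessDeniedException(Exception):
    pass


def role_voter(principal, attrs, prefix="ROLE_"):
    """Abstains unless some attribute carries the prefix; then grants if the
    principal holds any of those roles, otherwise denies."""
    result = ACCESS_ABSTAIN
    for attr in attrs:
        if attr.startswith(prefix):
            result = ACCESS_DENIED
            if attr in principal["authorities"]:
                return ACCESS_GRANTED
    return result


# AuthenticatedVoter: how strongly the principal was authenticated, ranked.
LEVEL = {"anonymous": 0, "remembered": 1, "full": 2}
REQUIRED = {"IS_AUTHENTICATED_ANONYMOUSLY": 0, "IS_AUTHENTICATED_REMEMBERED": 1,
            "IS_AUTHENTICATED_FULLY": 2}


def authenticated_voter(principal, attrs):
    result = ACCESS_ABSTAIN
    for attr in attrs:
        if attr in REQUIRED:
            result = ACCESS_DENIED
            if LEVEL[principal["level"]] >= REQUIRED[attr]:
                return ACCESS_GRANTED
    return result


def _all_abstain(allow_if_all_abstain):
    if allow_if_all_abstain:
        return True
    raise AccessDeniedException("all voters abstained")


def affirmative_based(voters, principal, attrs, allow_if_all_abstain=False):
    votes = [v(principal, attrs) for v in voters]
    if ACCESS_GRANTED in votes:
        return True
    if ACCESS_DENIED in votes:
        raise AccessDeniedException("nobody granted and somebody denied")
    return _all_abstain(allow_if_all_abstain)


def consensus_based(voters, principal, attrs, allow_if_all_abstain=False, allow_if_equal=True):
    votes = [v(principal, attrs) for v in voters]
    grants, denies = votes.count(ACCESS_GRANTED), votes.count(ACCESS_DENIED)
    if grants > denies:
        return True
    if denies > grants:
        raise AccessDeniedException("majority denied")
    if grants == 0:
        return _all_abstain(allow_if_all_abstain)
    if allow_if_equal:                         # allowIfEqualGrantedDeniedDecisions
        return True
    raise AccessDeniedException("tie between grants and denies")


def unanimous_based(voters, principal, attrs, allow_if_all_abstain=False):
    """Each attribute is put to every voter on its own; one deny anywhere denies."""
    grants = 0
    for attr in attrs:
        for v in voters:
            vote = v(principal, [attr])
            if vote == ACCESS_DENIED:
                raise AccessDeniedException(f"denied on {attr}")
            grants += vote == ACCESS_GRANTED
    return True if grants else _all_abstain(allow_if_all_abstain)


def allowed(manager, *args, **kwargs):
    """True if the manager returns normally, False if it throws."""
    try:
        return manager(*args, **kwargs)
    except AccessDeniedException:
        return False


VOTERS = [role_voter, authenticated_voter]
ANONYMOUS = {"authorities": ["ROLE_ANONYMOUS"], "level": "anonymous"}     # constructed
REMEMBERED_USER = {"authorities": ["ROLE_USER"], "level": "remembered"}   # constructed
INDEX_JSP = ["ROLE_ANONYMOUS", "ROLE_USER"]           # the slide's /index.jsp rule
SENSITIVE = ["ROLE_USER", "IS_AUTHENTICATED_FULLY"]   # constructed: needs a real login


def demo():
    return {
        "index_affirmative": allowed(affirmative_based, VOTERS, ANONYMOUS, INDEX_JSP),
        "index_consensus": allowed(consensus_based, VOTERS, ANONYMOUS, INDEX_JSP),
        "index_unanimous": allowed(unanimous_based, VOTERS, ANONYMOUS, INDEX_JSP),
        "sensitive_affirmative": allowed(affirmative_based, VOTERS, REMEMBERED_USER, SENSITIVE),
        "sensitive_consensus_tie": allowed(consensus_based, VOTERS, REMEMBERED_USER, SENSITIVE),
        "sensitive_consensus_strict": allowed(consensus_based, VOTERS, REMEMBERED_USER, SENSITIVE, allow_if_equal=False),
        "sensitive_unanimous": allowed(unanimous_based, VOTERS, REMEMBERED_USER, SENSITIVE),
        "all_abstain_closed": allowed(affirmative_based, [role_voter], REMEMBERED_USER, ["IS_AUTHENTICATED_FULLY"]),
        "all_abstain_open": allowed(affirmative_based, [role_voter], REMEMBERED_USER, ["IS_AUTHENTICATED_FULLY"], allow_if_all_abstain=True),
    }
```

The index_unanimous entry is the practical consequence of pairing this slide's UnanimousBased with the earlier slide's /index.jsp=ROLE_ANONYMOUS,ROLE_USER rule: an anonymous visitor is denied because the RoleVoter denies on ROLE_USER even though it granted on ROLE_ANONYMOUS. Comma-separated role lists meant as "any of" belong with AffirmativeBased (which is what the contacts sample's httpRequestAccessDecisionManager uses); UnanimousBased is the right choice when every listed attribute must hold.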

- Future
  Acegi will be promoted to an official part of the Spring portfolio
  o new name: Spring Security
  o Spring Security 2 (first milestone 2.0 M1) will offer:
    considerably simplified configuration (an XML security namespace)
    Windows NTLM authentication
    a user management API
    persistence-backed remember-me services
    hierarchical roles
    Spring LdapTemplate support
    considerable ACL enhancements
    portlet support
    and much more.

- References
  o http://en.wikipedia.org/wiki/acegi_security_framework_(java)
  o http://www.thespringexperience.com/show_session_view.jsp?presentationid=9249&showid=147
  o http://www.javalobby.org/articles/acegisecurity/part1.jsp