Spring Security 3. http://www.springsource.com/download/community?project=spring%20security

Similar documents
Acegi Security. What is Acegi Security Key features Conclusion Examples in reality References. Aureliusz Rempala Emily Brand Fan Wang

A (re)introduction to Spring Security

Spring Security. Reference Documentation. 2.0.x. Copyright

Reference Documentation

Spring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious

<Insert Picture Here> Hudson Security Architecture. Winston Prakash. Click to edit Master subtitle style

Welcome to Spring Forward September 26, 2006 Penn State Great Valley

Pierce County IT Department GIS Division Xuejin Ruan Dan King

entries_inheriting, 208

Advanced OpenEdge REST/Mobile Security

Apache Ki (formerly JSecurity) DevNexus

vcommander will use SSL and session-based authentication to secure REST web services.

Securing RESTful Web Services Using Spring and OAuth 2.0

CMDBuild Authentication (file auth.conf)

Spring Security SAML module

Java Enterprise Security. Stijn Van den Enden

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

TIBCO Spotfire Platform IT Brief

Apache Shiro - Executive Summary

Authentication Methods

Application Security. Petr Křemen.

Space Details. Available Pages. BI Server Documentation - Latest. Description:

ADMINISTERING ADOBE LIVECYCLE MOSAIC 9.5

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Identification and Implementation of Authentication and Authorization Patterns in the Spring Security Framework

Configuring Single Sign-on for WebVPN

ClearPass A CAS Extension Enabling Credential Replay

Table of contents. Jasig CAS support for the Spring Security plugin.

Security IIS Service Lesson 6

Crawl Proxy Installation and Configuration Guide

Enabling SSL and Client Certificates on the SAP J2EE Engine

Perceptive Experience Single Sign-On Solutions

A detailed walk through a CAS authentication

Master s Thesis EEG/ERP Portal Security in New Technologies

Criteria for web application security check. Version

Define BA Server Advanced Security

Ehcache Web Cache User Guide. Version 2.9

From centralized to single sign on

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS

WebNow Single Sign-On Solutions

Single Sign-on (SSO) technologies for the Domino Web Server

Apache Roller, Acegi Security and Single Sign-on

WirelessOffice Administrator LDAP/Active Directory Support

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Using weblock s Servlet Filters for Application-Level Security

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Unlocking the Secrets of Alfresco Authentication. Mehdi BELMEKKI,! Consultancy Team! Alfresco!

There are more security levels in ARCHIBUS, as described bellow.

A Java proxy for MS SQL Server Reporting Services

Securing JAX-RS RESTful services. Miroslav Fuksa (software developer) Michal Gajdoš (software developer)

How To Set Up An Openfire With Libap On A Cdd (Dns) On A Pc Or Mac Or Ipad (Dnt) On An Ipad Or Ipa (Dn) On Your Pc Or Ipo (D

MarkLogic Server. Reference Application Architecture Guide. MarkLogic 8 February, Copyright 2015 MarkLogic Corporation. All rights reserved.

APPLICATION SECURITY ENHANCEMENTS IN JAVA EE 6

Xerox DocuShare Security Features. Security White Paper

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

Complete Java Web Development

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

CentraSite SSO with Trusted Reverse Proxy

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords

Web Applications Access Control Single Sign On

Active Directory Requirements and Setup

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

JVA-122. Secure Java Web Development

enterprise^ IBM WebSphere Application Server v7.0 Security "publishing Secure your WebSphere applications with Java EE and JAAS security standards

Siteminder Integration Guide

Tableau Server Security. Version 8.0

InternetVista Web scenario documentation

Integration of Shibboleth and (Web) Applications

Safewhere*Identify 3.4. Release Notes

Mobile Security Jump Start. Wayne Henshaw & Mike Jacobs Progress OpenEdge October 8, 2013

How To Test Your Web Site On Wapt On A Pc Or Mac Or Mac (Or Mac) On A Mac Or Ipad Or Ipa (Or Ipa) On Pc Or Ipam (Or Pc Or Pc) On An Ip

Implementing CAS. Adam Rybicki Jasig Conference, San Diego, CA March 7, 2010

SAML-Based SSO Solution

CA Performance Center

Configuring Nex-Gen Web Load Balancer

Working with Indicee Elements

Please return this document to when complete.

How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu (Windows) On A Linux Computer On A Raspberry V

LDAP User Guide PowerSchool Premier 5.1 Student Information System

Kerberos and Windows SSO Guide Jahia EE v6.1

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

User-ID Best Practices

Remote Authentication and Single Sign-on Support in Tk20

SSC - Web applications and development Introduction and Java Servlet (II)

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture # Apache.

Secure Authentication and Session. State Management for Web Services

Deploying F5 with Microsoft Active Directory Federation Services

LISTSERV LDAP Documentation

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services

WatchDox SharePoint Beta Guide. Application Version 1.0.0

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

SSO Plugin. Authentication service for HP, Kinetic, Jasper, SAP and CA products. J System Solutions. JSS SSO Plugin Authentication service

Angel Dichev RIG, SAP Labs

Transcription:

Spring Security 3 1. Introduction http://www.springsource.com/download/community?project=spring%20security 2. Security Namespace Configuration Web.xml configuration: <filter> </filter> <filter-name>springsecurityfilterchain</filter-name> <filter-class>org.sf.web.filter.delegatingfilterproxy</filter-class> <filter-mapping> <filter-name>springsecurityfilterchain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> To enable web security: (in applicationcontext-security.xml) <http auto-config='true'> <intercept-url pattern="/**" access="role_user" /> <intercept-url pattern="/login.jsp*" access="is_authenticated_anonymously"/> </http> The prefix ROLE_ is a marker which indicates that a simple comparison with the user's authorities should be made. To add the users: <authentication-manager> <authentication-provider ref="ldapauthenticationprovider"/> </authentication-manager> or <authentication-manager> <authentication-provider> <user-service> <user name="jimi" password="xxx" authorities="role_user" />

</user-service> </authentication-provider> </authentication-manager> Default logout URL: j_spring_security_logout To force HTTPS: <intercept-url pattern="/secure/**" access=" " requires-channel="https"/> Annotation-based security: <global-method-security secured-annotations="enabled" /> Ex: @Secured("IS_AUTHENTICATED_ANONYMOUSLY") 3. Sample Applications 4. Spring Security Community 5. Technical Overview SecurityContextHolder, to provide access to the SecurityContext. SecurityContext, to hold the Authentication and possibly request-specific security information. Authentication, to represent the principal in a Spring Security-specific manner. GrantedAuthority, to reflect the application-wide permissions granted to a principal. UserDetails, to provide the necessary information to build an Authentication object from your application's DAO or other source of security data. UserDetailsService, to create a UserDetails when passed in a String-based username (or certificate ID or the like). 6. Core Service AuthenticationManager: just an interface ProvideManager: default implementation for AuthenticationManager, delegate authentication to a list of AuthenticationProviders JdbcDaoImpl: retrieves the user details from a database.

7. The Security Filter Chain DelegatingFilterProxy provides the link between web.xml and the application context. 8. Core Security Filters FilterSecurityInterceptor performs security handling of HTTP resources via a filter implementation. The ExceptionTranslationFilter sits above the FilterSecurityInterceptor in the security filter stack. It handles exceptions thrown by the security interceptors and provides suitable and HTTP responses. The AuthenticationEntryPoint will be called if the user requests a secure HTTP resource but they are not authenticated. SecurityContextPersistenceFilter responsible for storage of the SecurityContext contents between HTTP requests and for clearing the SecurityContextHolder when a request is completed. UsernamePasswordAuthenticationFilter processes an authentication form submission. This filter by default responds to the URL /j_spring_security_check. 9. Basic and Digest Authentication BasicAuthenticationFilter is responsible for processing basic authentication credentials presented in HTTP headers. DigestAuthenticationFilter is capable of processing digest authentication credentials presented in HTTP headers. 10. Remember-Me Authentication Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. 11. Session Management HTTP session related functionality is handled by a combination of the SessionManagementFilter and the SessionAuthenticationStrategy interface, which the filter delegates to. Typical usage includes session-fixation protection attack prevention, detection of session timeouts and restrictions on how many sessions an authenticated user may have open concurrently.

12. Anonymous Authentication 13. Authorization Architecture The GrantedAuthority objects are inserted into the Authentication object by the AuthenticationManager and are later read by AccessDecisionManagers when making authorization decisions. The AccessDecisionManager is called by the AbstractSecurityInterceptor and is responsible for making final access control decisions. Spring Security includes several AccessDecisionManager implementations that are based on voting. RoleHierarchy is used to create a hierarchy of roles. 14. Secure Object Implementations MethodSecurityInterceptor <bean id="bankmanagersecurity" class="org...methodsecurityinterceptor"> <property name="authenticationmanager" ref="authenticationmanager"/> <property name="accessdecisionmanager" ref="accessdecisionmanager"/> <property name="afterinvocationmanager" ref="afterinvocationmanager"/> <property name="securitymetadatasource"> <value> com.mycompany.bankmanager.delete*=role_supervisor com.mycompany.bankmanager.getbalance=role_teller,role_supervisor </value> </property> </bean> 15. Expression-Based Access Control Common Built-in Expressions hasrole([role]) hasanyrole([role1,role2]) principal authentication permitall denyall isanonymous() isrememberme() isauthenticated()

Annotations @PreAuthorized: decides whether a method can actually be invoked or not. Ex: @PreAuthorize("hasRole('ROLE_USER')") @Postfilter: specifies a method filtering expression which will be evaluated after a method has been invoked. 16. Domain Application Objects (ACL) Spring Security delivers three main ACL-related capabilities to your application: Tables: A way of efficiently retrieving ACL entries for all of your domain objects (and modifying those ACL) A way of ensuring a principal is permitted to work with your objects, before methods are called A way of ensuring a given principal is permitted to work with your objects (or something they return), after methods are called ACL_SID (Security Identity): uniquely identifies a principal or a GrantedAuthority. ACL_CLASS: uniquely identifies any domain object class in the system. ACL_OBJECT_IDENTITY: stores information for each unique domain object instance in the system ACL_ENTRY stores the individual permissions assigned to each recipient 17. Pre-Authentication Scenarios There are situations where you want to use Spring Security for authorization, but the user has already been reliably authenticated by some external system prior to accessing the application. 18. LDAP Authentication LdapAuthenticationProvider: delegates the work to two beans below. LdapAuthenticator: authenticates the user LdapAuthoritiesPopulator: retrieve the user s set of GrantedAuthorities. BindAuthenticator: implements the bind authentication strategy. FilterBasedLdapUserSearch: LdapUserSearch implementation which uses an LDAP filter to locate the user. LdapAuthoritiesPopulator: load a set of authorities for the user

19. JSP Tag Libraries <sec:authorize access="hasrole('supervisor')"> <sec:authorize url="/admin"> <sec:authentication property="principal.username" /> <sec:accesscontrollist haspermission="1,2" domainobject="$ {someobject}"> 20. Java Authentication and Authorization Service Provider Spring Security provides a package able to delegate authentication requests to the Java Authentication and Authorization Service (JAAS). 21. CAS Authentication JA-SIG produces an enterprise-wide single sign on system known as CAS. Unlike other initiatives, JA-SIG Central Authentication Service is open source, widely used, simple to understand, platform independent, and supports proxy capabilities. 22. X.509 Authentication Spring Security X.509 module extracts the client certificate using a filter. It maps the certificate to an application user and loads that user's set of granted authorities for use with the standard Spring Security infrastructure. 24. Spring Security Crypto Module The Spring Security Crypto module provides support for symmetric encryption, key generation, and password encoding. B. Main Elements <http> <intercept-url> <form-logging> <concurrency-control> <logout> <authentication-manager> <authentication-provider>

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information