Using Spring Security and CAS
JA-SIG Summer Conference, Denver, CO, June 24 – 27, 2007
Enterprise Systems & Services – Using Spring Security and CAS

Who am I?
Application, Rutgers
Java developer for 5+ years
Lead developer on JA-SIG CAS
Committer on Spring Security
Agenda
1. History and Overview
2. Benefits for Programmers
3. Benefits for Users
4. Demo
5. Case Study
6. Future Directions
7. Discussion
1. Overview & History
What is Spring Security?
Spring Security (known as Acegi Security until its 2.0 release) is a powerful and flexible authentication and authorization framework for enterprise Java software.
Users
Used worldwide at:
– Major institutions such as Rutgers
– Major financial institutions and banks
– Several Australian government departments
Integrated with:
– Frameworks such as Grails, Trails, etc.
– Applications such as Roller, Mule
Authentication Features
LDAP
BASIC
Digest
JAAS
CAS
X.509 certificates
DAO
Run-as replacement
Form-based login
Anonymous
Remember-Me
SiteMinder (HTTP headers)
Switch User
Concurrent user limiting
Container adapters
Write your own…
Technical Details
Uses the Spring IoC container
– DI, events, localization and JdbcTemplate
Completely interface-driven
High cohesion, loosely coupled
Encourages customization and extension
Java 1.3+ compatible
– Java 5 code packaged in a separate "Tiger" JAR
How Spring Security Works
[Diagram] Web user → servlet container → FilterToBeanProxy (the one filter declared in web.xml) → FilterChainProxy (a bean in the IoC container) → Filter 1 → Filter 2 → Filter 3 → Filter 4 → Filter 5 → … → Filter X → servlet
How Spring Security Works
# – Filter name – Main purpose
1 – HttpSessionContextIntegrationFilter – stores the SecurityContextHolder contents in the HTTP session between requests
2 – LogoutFilter – clears the SecurityContextHolder when logout is requested
3 – Authentication mechanism filters – put an Authentication into the SecurityContextHolder
4 – ExceptionTranslationFilter – converts Acegi Security exceptions into HTTP responses (a redirect to the login entry point, or 403 Forbidden)
5 – FilterSecurityInterceptor – authorizes web requests based on URL patterns
How Spring Security Works
[Diagram] The authentication mechanism filter (filter 3) creates an Authentication "request" object from the submitted credentials and calls the ProviderManager; the ProviderManager returns an Authentication "response" (marked authenticated, with the granted authorities), which the filter uses to populate the SecurityContextHolder.
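To make the three "How Spring Security Works" slides concrete, here is an added model of the filter chain that runs stand-alone. It is illustrative Python written for this page, not Acegi's own code: the class names follow the slides and the URL paths `/j_acegi_security_check`, `/j_acegi_logout` and the session key `ACEGI_SECURITY_CONTEXT` are Acegi 1.0's defaults, but the method signatures, the URL rules and the users alice and bob are assumptions made for the example.

```python
"""Toy model of the Acegi/Spring Security filter chain on the two slides above; written for this
page, not the library's code. Classes are simplified stand-ins; the users in build_app() are made up."""
import threading
from dataclasses import dataclass
from types import SimpleNamespace

class AuthenticationException(Exception): pass     # credentials missing or wrong
class AccessDeniedException(Exception): pass       # authenticated, but lacking a required role

@dataclass
class Authentication:
    principal: str
    credentials: "str | None"        # password on the request token, None on the response token
    authorities: tuple = ()
    authenticated: bool = False

def Request(path, params=None, session=None):      # the session dict stands in for HttpSession
    return SimpleNamespace(path=path, params=params or {}, session={} if session is None else session)
def Response(): return SimpleNamespace(status=200, redirect=None, body="")
_holder = threading.local()                        # SecurityContextHolder, thread-local strategy
def get_context(): return getattr(_holder, "auth", None)
def set_context(auth): _holder.auth = auth

class DaoAuthenticationProvider:                   # checks the request token against a user store
    def __init__(self, users): self.users = users  # username -> (password, roles)
    def authenticate(self, token):
        entry = self.users.get(token.principal)
        if entry is None or entry[0] != token.credentials: raise AuthenticationException("bad credentials")
        return Authentication(token.principal, None, tuple(entry[1]), True)   # response: password erased

class ProviderManager:                             # asks each provider in turn
    def __init__(self, providers): self.providers = providers
    def authenticate(self, token):
        for provider in self.providers[:-1]:
            try: return provider.authenticate(token)
            except AuthenticationException: pass
        return self.providers[-1].authenticate(token)   # the last provider's failure propagates

class HttpSessionContextIntegrationFilter:         # filter 1: context lives in the session between requests
    def do_filter(self, req, resp, chain):
        set_context(req.session.get("ACEGI_SECURITY_CONTEXT"))
        try: chain()
        finally:
            req.session["ACEGI_SECURITY_CONTEXT"] = get_context()
            set_context(None)                      # never leak a context to this thread's next request

class LogoutFilter:                                # filter 2
    def do_filter(self, req, resp, chain):
        if req.path != "/j_acegi_logout": return chain()
        set_context(None); req.session.clear()
        resp.status, resp.redirect = 302, "/"

class AuthenticationProcessingFilter:              # filter 3: form login
    def __init__(self, manager): self.manager = manager
    def do_filter(self, req, resp, chain):
        if req.path != "/j_acegi_security_check": return chain()
        token = Authentication(req.params.get("j_username", ""), req.params.get("j_password"))
        try: set_context(self.manager.authenticate(token)); resp.redirect = "/"
        except AuthenticationException: set_context(None); resp.redirect = "/login?login_error=1"
        resp.status = 302

class ExceptionTranslationFilter:                  # filter 4
    def do_filter(self, req, resp, chain):
        try: chain()
        except AuthenticationException:            # nobody logged in: the entry point sends them to login
            resp.status, resp.redirect = 302, "/login"
        except AccessDeniedException:
            auth = get_context()
            if auth is None or not auth.authenticated: resp.status, resp.redirect = 302, "/login"
            else: resp.status, resp.body = 403, "Access denied"   # logged in and genuinely forbidden

class FilterSecurityInterceptor:                   # filter 5
    def __init__(self, rules): self.rules = rules  # [(path prefix, required roles)]; first match wins
    def do_filter(self, req, resp, chain):
        for prefix, roles in self.rules:
            if req.path.startswith(prefix):
                auth = get_context()
                if auth is None or not auth.authenticated: raise AuthenticationException(req.path)
                if not roles & set(auth.authorities): raise AccessDeniedException(req.path)
                break
        chain()                                    # unmatched URLs are open, as in Acegi

class FilterChainProxy:                            # runs the filters in order, then the servlet
    def __init__(self, filters, servlet): self.filters, self.servlet = filters, servlet
    def do_filter(self, req, resp, i=0):
        if i == len(self.filters): return self.servlet(req, resp)
        self.filters[i].do_filter(req, resp, lambda: self.do_filter(req, resp, i + 1))

def hello_servlet(req, resp):                      # the protected resource behind the chain
    resp.body = f"hello {getattr(get_context(), 'principal', 'anonymous')} at {req.path}"
def build_app():
    manager = ProviderManager([DaoAuthenticationProvider(
        {"alice": ("wonderland", ["ROLE_USER", "ROLE_ADMIN"]), "bob": ("builder", ["ROLE_USER"])})])
    filters = [HttpSessionContextIntegrationFilter(), LogoutFilter(), AuthenticationProcessingFilter(manager),
               ExceptionTranslationFilter(), FilterSecurityInterceptor([("/admin", {"ROLE_ADMIN"}), ("/secure", {"ROLE_USER"})])]
    return FilterChainProxy(filters, hello_servlet)
def handle(app, req):                              # one request through the whole chain
    resp = Response(); app.do_filter(req, resp); return resp
```

Two details in the model are the ones that matter in the real library as well: filter 1 clears the thread-local in a `finally` block, so a pooled container thread can never hand one user's context to the next request, and the response token handed back by the provider carries no password, so nothing stored in the session contains the credential.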
What is JA-SIG CAS?
JA-SIG CAS is single sign-on for the web. It provides a trusted mechanism for authenticating users across your applications.
Users
Deployed by:
– Institutions of higher education
– Non-profits
– Commercial companies
– etc.
Deployed worldwide:
– U.S., Canada, Hong Kong
– Belgium, France, Russia, China, Japan
– India, Australia, New Zealand
– Greece, Turkey, England
– Netherlands, Spain, Sweden, Portugal
– etc.
3rd year of the project
Over 1000 downloads a month
Active community of deployers
Driven by community feedback
Authentication Features
LDAP
DAO
NTLM
SPNEGO
RADIUS
File system
X.509
"Trusted"
JAAS
Acegi
Other Features
Clustering
Client libraries (PHP, Java, etc.)
Demo-able/quickstart WAR file
Quality documentation
Active community mailing lists
Technical Details
Uses the Spring IoC container
– DI, localization, events, JdbcTemplate, LdapTemplate, etc.
Completely interface-driven
Encourages customization and extension
Java 1.5+/Servlet 2.4 compatible
How CAS Works
[Diagram] Web user → servlet container → DispatcherServlet → Spring Web Flow controller → action 0 → action 1 → … → action n-1 → action n
[Diagram] action n creates a Credentials object and calls the CentralAuthenticationService; the CentralAuthenticationService calls the AuthenticationManager, which creates and returns an Authentication; the CentralAuthenticationService then creates a Ticket and calls the TicketRegistry to store it.
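The "How CAS Works" slides show the server side only. The added model below (Python written for this page, not the CAS project's code) walks the whole exchange from both sides: the password reaches only the CAS login, the application is handed an opaque service ticket and validates it server-to-server, a service ticket is bound to one service and one use and expires quickly, and a proxy ticket carries the chain of proxies that obtained it. The ticket prefixes, error codes and XML elements are those of the CAS 2.0 protocol; the class and method names, the user table and the service URLs are assumptions, and the CentralAuthenticationService, AuthenticationManager and TicketRegistry of the slide are collapsed into one class.

```python
"""Toy model of the CAS 2.0 ticket flow behind the 'How CAS Works' slides; written for this page,
not the CAS server's code. CentralAuthenticationService, AuthenticationManager and TicketRegistry are
collapsed into CasServer, HTTP is left out, and the user table is made up; ticket prefixes, single
use, service binding, the 10 s service-ticket lifetime and the XML responses follow the protocol."""
import secrets
import time
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
ST_LIFETIME = 10.0           # seconds; a service ticket must be validated almost immediately

class CasServer:
    def __init__(self, users, now=time.time):
        self.users = users   # username -> password; stands in for the LDAP/DAO/... handlers
        self.registry = {}   # TicketRegistry: ticket id -> attributes
        self.now = now       # injectable clock so expiry can be exercised

    def _issue(self, prefix, **attrs):
        ticket = prefix + secrets.token_urlsafe(18)
        self.registry[ticket] = dict(attrs, created=self.now())
        return ticket

    def login(self, username, password, service):
        """/login: the only endpoint that ever sees the password."""
        if self.users.get(username) != password:              # AuthenticationManager
            raise PermissionError("bad credentials")
        tgt = self._issue("TGT-", user=username)               # kept by the browser in the CASTGC cookie
        return tgt, self.grant_service_ticket(tgt, service)    # the ST travels back as ?ticket=ST-...

    def grant_service_ticket(self, tgt, service):
        """Single sign-on: a live TGT yields an ST for any service, no password asked again."""
        granting = self.registry.get(tgt)
        if granting is None or not tgt.startswith("TGT-"):
            raise PermissionError("no single sign-on session")
        return self._issue("ST-", user=granting["user"], service=service, proxies=())

    def proxy(self, pgt, target_service):
        """/proxy: a PGT holder gets a proxy ticket to present to a back-end service."""
        granting = self.registry.get(pgt)
        if granting is None or not pgt.startswith("PGT-"):
            return None
        return self._issue("PT-", user=granting["user"], service=target_service, proxies=granting["proxies"])

    def _consume(self, ticket, prefixes, service):
        if not ticket.startswith(prefixes):
            return "INVALID_TICKET", None
        t = self.registry.pop(ticket, None)                   # one-time use: a replay finds nothing
        if t is None or self.now() - t["created"] > ST_LIFETIME:
            return "INVALID_TICKET", None
        if t["service"] != service:                           # bound to the service it was issued for
            return "INVALID_SERVICE", None
        return None, t

    def service_validate(self, service, ticket, pgt_url=None):
        """/serviceValidate: STs only; with pgtUrl the caller also receives a PGT."""
        code, t = self._consume(ticket, ("ST-",), service)
        if code:
            return _failure(code)
        pgt = self._issue("PGT-", user=t["user"], proxies=(pgt_url,) + t["proxies"]) if pgt_url else None
        return _success(t["user"], t["proxies"], pgt)

    def proxy_validate(self, service, ticket):
        """/proxyValidate: STs and PTs; the response lists the proxy chain, newest first."""
        code, t = self._consume(ticket, ("ST-", "PT-"), service)
        return _failure(code) if code else _success(t["user"], t["proxies"])

def _failure(code):
    return f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationFailure code="{code}"/></cas:serviceResponse>'

def _success(user, proxies, pgt=None):
    # Simplification: real CAS returns only a pgtIou here and delivers the PGT by an HTTPS callback
    # to pgtUrl; this model hands the PGT back inline.
    body = f"<cas:user>{user}</cas:user>"
    if pgt:
        body += f"<cas:proxyGrantingTicket>{pgt}</cas:proxyGrantingTicket>"
    if proxies:
        body += "<cas:proxies>" + "".join(f"<cas:proxy>{p}</cas:proxy>" for p in proxies) + "</cas:proxies>"
    return f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>{body}</cas:authenticationSuccess></cas:serviceResponse>'

def parse_response(xml_text):
    """Client side (what a CAS client library or Acegi's CAS provider extracts): (result, error_code)."""
    root = ET.fromstring(xml_text)
    ok = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if ok is None:
        return None, root.find(f"{{{CAS_NS}}}authenticationFailure").get("code")
    return {"user": ok.findtext(f"{{{CAS_NS}}}user"),
            "pgt": ok.findtext(f"{{{CAS_NS}}}proxyGrantingTicket"),
            "proxies": [p.text for p in ok.iter(f"{{{CAS_NS}}}proxy")]}, None

if __name__ == "__main__":
    cas = CasServer({"alice": "wonderland"})
    tgt, st = cas.login("alice", "wonderland", "https://portal.example.edu/")
    print(parse_response(cas.service_validate("https://portal.example.edu/", st)))
    print(parse_response(cas.service_validate("https://portal.example.edu/", st)))   # replay: INVALID_TICKET
```

Two practitioner points the model makes visible: the `service` an application sends to `/serviceValidate` must be byte-for-byte the one it sent to `/login`, or the ticket fails with `INVALID_SERVICE`; and a back-end service that accepts proxy tickets must validate them through `/proxyValidate` and decide for itself which entries in `cas:proxies` it trusts, because `/serviceValidate` refuses proxy tickets outright.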
2. Benefits for Programmers
Benefits for Programmers
Code reduction
– Declaratively configured
– No audit logging to write for authentication (authentication events are published for you)
– Out-of-the-box authorization and authentication
Tag libs
Proxy authentication
Domain object instance security
Only one place to "watch" for account security
3. Benefits for Users
Benefits for Users
Single sign-on
Passwords are only ever passed to one "trusted" resource, the CAS server; applications see tickets, not passwords
Better application security
Harder to trick someone with "phishing" attempts: there is a single login page to recognize
4. How to Integrate
Demo
5. Case Study
Rutgers Case Study – Where Were We?
Duplicated authentication code in each application
Multiple authentication methods
Separate sign-in to each application
De-centralized authentication
Rutgers Case Study – What We Did
Introduced a portal
Centralized authentication
Single sign-on
Proxy authentication
Introduced Acegi into Java applications
Rutgers Case Study – What It Got Us
Better user experience
Minimized access to passwords
Created a "horizontal" authentication component
Standardized security code (still a work in progress though)
6. Future Directions
Acegi Roadmap
1.0.x branch: minor updates only
2.0:
– Renamed to Spring Security
– Support for Spring 2.0
– OpenID support
– Windows domain support
– Updated CAS support
CAS Roadmap
Additional protocol support
Internationalization
Configuration/setup screens
Advanced monitoring
Integration with account management systems
Conclusion
Acegi Security is a fully-featured solution
– Many authentication strategies
– Decoupled web and method authorization
– Completely customizable by end users
– Active community, quality documentation, etc.
CAS is a fully-featured solution
– Many authentication strategies
– Easily pluggable and extensible
– Active community, quality documentation, etc.
– Support for multiple platforms
7. Discussion
Spring Security
Web Site –
Forum –
Mailing Lists
– Acegi Developer List
CAS Mailing Lists
CAS Community Discussion List –
CAS Developer's Discussion List –
CAS Announcement List – https://lists.wisc.edu/read/all_forums/subscribe?name=cas-announce
Links to archives, etc.: –
CAS Sites
Product Web Site –
Wiki –
Issue Tracker –
Source Code –
Questions?