
Jason Ferguson.  “Vell, Jason’s just zis guy, you know?”  In the Air Force for 16.5 years  Two trips to Afghanistan ▪ Can say “get to work” and “get.



Presentation transcript:

1 Jason Ferguson

2  “Vell, Jason’s just zis guy, you know?”  In the Air Force for 16.5 years  Two trips to Afghanistan ▪ Can say “get to work” and “get in line” in Pashto and Dari  Java Programmer for 6 years  A military programming shop is NOTHING LIKE a commercial shop  12 weeks of training  Morning PT

3

4  You’re familiar with Java  You’re at least somewhat familiar with Spring  You can read a Javadoc to get information I am not covering  You can create a database schema in the database of your choice and configure JDBC/Hibernate/whatever

5  What Spring Security Is And What It Does  Core Concepts  Configuration  Developing With Spring Security  Method-Level Security  JSP Tag Libraries

6  Core Security Filters  Majority of the Security Namespace  Session Management

7  Provides Enterprise-Level Authentication and Authorization Services  Authentication is based on implementation of GrantedAuthority interface  Usually “ROLE_USER”, “ROLE_ADMIN”, etc.  Authorization is based on Access Control List  Don’t have time to cover tonight

8  Simple answer: “just about any”  Unless you’re “weird”  Types:  Simple Form-Based  HTTP Basic and Digest  LDAP  X.509 Client Certificate  OpenID  Etc, etc.

9  Originally was the ACEGI project  Configuration was “death by XML”  Project lead liked it that way  ACEGI was rebranded as “Spring Security” around the Spring 2.0 release  With the Security Namespace and as additional modules became available, death by XML gave way to Configuration By Convention

10  Authentication is the equivalent of logging in with a username and password  Based on that username/password, an access control mechanism allows or disallows the user to perform certain tasks  Authorization is the equivalent of an Access Control List (ACL)  An AccessDecisionManager decides to allow/disallow access to a secure object based on the Authentication

11  Authentication represents the principal (person logging into the application)  GrantedAuthority – what permissions the principal has  SecurityContext holds the Authentication  SecurityContextHolder provides access to the SecurityContext

12  UserDetails provides information to build an Authentication  UserDetailsService creates a UserDetails object from a passed String

13  Add the following dependencies to pom.xml:  spring-security-core  spring-security-web  spring-security-config  Optional dependencies:  spring-security-taglibs  spring-security-ldap  spring-security-acl  spring-security-cas-client  spring-security-openid

14  The “simple” schema:
create table users(
    username varchar_ignorecase(50) not null primary key,
    password varchar_ignorecase(50) not null,
    enabled boolean not null
);
create table authorities (
    username varchar_ignorecase(50) not null,
    authority varchar_ignorecase(50) not null,
    constraint fk_authorities_users foreign key(username) references users(username)
);
create unique index ix_auth_username on authorities (username,authority);

15  Add to web.xml:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

16  Specifying the Security Namespace:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

17  Web Security enabled via tag:  // blah blah we’ll get to this later

18  Simplest way: create a class that implements UserDetailsService interface, then use it as the authentication provider 

19  Common Expressions:  hasRole(rolename)  hasAnyRole(rolename, rolename,…)  isAuthenticated()  isFullyAuthenticated()  permitAll()

20  Securing By URL uses the tag:  The pattern attribute is the URL to secure; the access attribute is the expression used to secure that URL

21  An individual user is represented by a UserDetails Object  API Link  Sample Implementation of User object

22  UserDetailsService implementations do one thing: return a UserDetails implementation  API Link  Sample Implementation of UserDetailsService
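Slides 11, 18, 21 and 22 describe the pieces (UserDetails, UserDetailsService, Authentication, SecurityContextHolder) but the transcript lost the linked sample implementations. The following is an added example, not the presenter's code: an in-memory UserDetailsService written against the Spring Security 3.0.x API that the slides' XSD references, plus a helper that shows how a loaded UserDetails ends up as the Authentication in the SecurityContext and how a role check reads it back. The three user records are constructed sample data.

```java
// Added example (not from the presentation): an in-memory UserDetailsService
// and a role check against the SecurityContextHolder, using the Spring
// Security 3.0.x API. The user records below are constructed.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class InMemoryUserDetailsService implements UserDetailsService {

    // username -> UserDetails. A real implementation would query the
    // users/authorities tables of the "simple" schema instead.
    private final Map<String, UserDetails> users = new HashMap<String, UserDetails>();

    public InMemoryUserDetailsService() {
        // Constructed sample data. Passwords appear in the clear only because
        // no password encoder is wired into this example.
        addUser("alice", "secret", true, "ROLE_USER", "ROLE_ADMIN");
        addUser("bob", "hunter2", true, "ROLE_USER");
        addUser("carol", "parked", false, "ROLE_USER"); // enabled = false
    }

    private void addUser(String username, String password, boolean enabled, String... roles) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new GrantedAuthorityImpl(role));
        }
        // User(username, password, enabled, accountNonExpired,
        //      credentialsNonExpired, accountNonLocked, authorities)
        users.put(username, new User(username, password, enabled, true, true, true, authorities));
    }

    // The one job of a UserDetailsService: turn a username into a UserDetails.
    // Throwing UsernameNotFoundException lets the provider report a generic
    // "bad credentials" failure instead of revealing which usernames exist.
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user = users.get(username);
        if (user == null) {
            throw new UsernameNotFoundException("No user named " + username);
        }
        return user;
    }

    // Mirrors what the authentication provider does after a successful login:
    // the UserDetails becomes the principal of an Authentication, which is
    // stored in the SecurityContext for the rest of the request.
    public static void storeAuthentication(UserDetails user) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                user, user.getPassword(), user.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(auth);
    }

    // Equivalent of the hasRole() expression: inspect the GrantedAuthority
    // collection of the Authentication currently held in the SecurityContext.
    public static boolean currentUserHasRole(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false;
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        UserDetailsService service = new InMemoryUserDetailsService();
        storeAuthentication(service.loadUserByUsername("bob"));
        System.out.println("bob has ROLE_ADMIN? " + currentUserHasRole("ROLE_ADMIN"));
        System.out.println("bob has ROLE_USER?  " + currentUserHasRole("ROLE_USER"));
        // The holder is thread-local; clear it when the request is finished so
        // the next unit of work on this thread does not inherit bob's identity.
        SecurityContextHolder.clearContext();
    }
}
```

Note that this service never checks the password itself; that is the authentication provider's job once the service is plugged in as the user source, which is why the slides call this the "simplest way" to provide users.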

23  Form-based login is most common (really?)  Uses the tag  Attributes:  login-page specifies name of custom login page ▪ Generated automagically if we don’t create our own  login-processing-url specifies URL to process the login action  JSP default uses “j_username” and “j_password” fields

24  Steps to implement hashing/salting:  Create a tag within the tag ▪ MD5 or SHA-1: use the hash="md5" or hash="sha" attribute ▪ Stronger SHA: ▪ Create a bean named “saltSource” with a class of org.springframework.security.providers.encoding.ShaPasswordEncoder ▪ Use a with XXX being the higher strength  Use tag within to specify the user property to use for hashing
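The slide lists the configuration steps; what they wire up is a password encoder plus a salt source that the authentication provider consults at login. This added example (not the presenter's code) calls those two components directly so the stored value, the salt and the comparison are visible. It uses the Spring Security 3.0.x classes ShaPasswordEncoder (strength 256, the "stronger SHA" option) and ReflectionSaltSource from the org.springframework.security.authentication packages; the user records are constructed. The per-user salt is the point of the exercise: an unsalted MD5 or SHA-1 hash of a common password is matched directly against precomputed tables, while salting with a user property makes every stored hash unique.

```java
// Added example (not from the presentation): salted SHA-256 password hashing
// with the Spring Security 3.0.x ShaPasswordEncoder and ReflectionSaltSource.
// User records are constructed sample data.
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.dao.ReflectionSaltSource;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class SaltedShaExample {

    // Programmatic equivalent of the "stronger SHA" bean: strength 256
    private final ShaPasswordEncoder encoder = new ShaPasswordEncoder(256);
    private final ReflectionSaltSource saltSource = new ReflectionSaltSource();

    public SaltedShaExample() {
        // Equivalent of pointing the salt source at a user property: the
        // username is read reflectively from the UserDetails object.
        saltSource.setUserPropertyToUse("username");
    }

    // Done when the account is created: store hash(password, salt), never
    // the password itself. This is the value that goes into users.password.
    public String hashForStorage(UserDetails user, String rawPassword) {
        Object salt = saltSource.getSalt(user);
        return encoder.encodePassword(rawPassword, salt);
    }

    // Done at login: re-derive the same salt from the loaded UserDetails and
    // let the encoder compare the presented password against the stored hash.
    public boolean matches(UserDetails user, String storedHash, String presented) {
        Object salt = saltSource.getSalt(user);
        return encoder.isPasswordValid(storedHash, presented, salt);
    }

    // Constructed UserDetails; the password field is a placeholder because the
    // hash lives in the store, not in the object used to derive the salt.
    private static UserDetails user(String name) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new GrantedAuthorityImpl("ROLE_USER"));
        return new User(name, "n/a", true, true, true, true, authorities);
    }

    public static void main(String[] args) {
        SaltedShaExample ex = new SaltedShaExample();
        UserDetails alice = user("alice");
        UserDetails bob = user("bob");

        // Same password, different users: the salts differ, so the hashes differ.
        String aliceHash = ex.hashForStorage(alice, "password1");
        String bobHash = ex.hashForStorage(bob, "password1");
        System.out.println("alice: " + aliceHash);
        System.out.println("bob:   " + bobHash);
        System.out.println("hashes differ: " + !aliceHash.equals(bobHash));

        System.out.println("alice, right password: " + ex.matches(alice, aliceHash, "password1"));
        System.out.println("alice, wrong password: " + ex.matches(alice, aliceHash, "password2"));
        // A hash made with bob's salt never validates for alice, even with the right password.
        System.out.println("alice vs bob's hash:   " + ex.matches(alice, bobHash, "password1"));
    }
}
```

Because the salt is derived from the username, renaming a user silently invalidates their stored hash; a salt source based on an immutable property avoids that surprise.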

25

26  One problem: a specific tag is needed for the login page itself, or the login page will be secured as well  The result is an infinite loop, visible in the logs  Example:

27  Full support for LDAP authentication  Process overview:  Obtain DN from username  Authenticate User  Load GrantedAuthority collection for user

28  LDAP Test Server  Authentication Provider:  Security Context Source  Bean with class org.springframework.security.ldap.DefaultSpringSecurityContextSource  Constructor argument for LDAP server address  Properties for userDn and password

29  Create a bean named “contextSource” with a class of org.springframework.security.ldap.DefaultSpringSecurityContextSource  Pass the server as a constructor argument  Pass userDn and password as properties

30

31  Create a bean named “ldapAuthProvider” of class org.springframework.security.ldap.authentication.LdapAuthenticationProvider  Create a constructor argument of a bean w/ class org.springframework.security.ldap.authentication.BindAuthenticator  Constructor argument of the context source  Property “userDnPatterns”: list of userDn “wildcards”  Continued…

32  Create another constructor argument bean of class org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator  Constructor arg of the context source  Constructor arg w/ the value “ou=groups”  Property “groupRoleAttribute” w/ value “ou”

33 uid={0},ou=people
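Slides 27 to 33 describe the LDAP wiring as XML bean definitions whose markup did not survive the transcript. The following added example (not the presenter's code) builds the same three objects in plain Java, in the order the slides give them, so the process overview from slide 27 (obtain the DN from the username pattern, bind as that user, load the GrantedAuthority collection from the groups) is visible in one place. It uses the Spring Security 3.0.x classes named on the slides; the server URL, manager DN, manager password and the test credentials are placeholders for your own test LDAP server.

```java
// Added example (not from the presentation): the contextSource,
// BindAuthenticator, DefaultLdapAuthoritiesPopulator and
// LdapAuthenticationProvider beans from slides 29-33, wired in Java.
// URL, manager DN/password and test credentials are placeholders.
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

public class LdapProviderWiring {

    public static AuthenticationProvider build(String url, String managerDn, String managerPassword)
            throws Exception {
        // Slide 29: "contextSource" bean. Server URL (including the base DN)
        // as constructor argument, userDn and password as properties. The
        // manager account is only used for the group search, not for logins.
        DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(url);
        contextSource.setUserDn(managerDn);
        contextSource.setPassword(managerPassword);
        contextSource.afterPropertiesSet(); // the container calls this for a bean definition

        // Slide 31: BindAuthenticator with the context source and the
        // userDnPatterns "wildcard" from slide 33. {0} is replaced by the
        // submitted username and the resulting DN is bound with the submitted
        // password, so the directory itself checks the credential.
        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" });

        // Slide 32: authorities populator searching ou=groups; the "ou"
        // attribute of each matching group becomes a ROLE_ granted authority.
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
        populator.setGroupRoleAttribute("ou");

        // Slide 31: "ldapAuthProvider" bean combining the two
        return new LdapAuthenticationProvider(authenticator, populator);
    }

    public static void main(String[] args) throws Exception {
        AuthenticationProvider provider = build(
                "ldap://localhost:389/dc=example,dc=com",   // placeholder test server
                "cn=manager,dc=example,dc=com",             // placeholder manager DN
                "manager-password");                        // placeholder
        try {
            // What the filter chain does with a submitted login form
            Authentication result = provider.authenticate(
                    new UsernamePasswordAuthenticationToken("alice", "alice-password")); // placeholders
            System.out.println("Authenticated as " + result.getName() + " with authorities:");
            for (GrantedAuthority ga : result.getAuthorities()) {
                System.out.println("  " + ga.getAuthority());
            }
        } catch (AuthenticationException e) {
            // Bad password, unknown uid, or a directory the manager cannot search
            System.out.println("Login failed: " + e.getMessage());
        }
    }
}
```

Because the bind is performed as the user, the application never sees or stores the LDAP password hash; the trade-off is that every login costs a round trip to the directory, which is why a reachable test server (slide 28) is the first thing to set up.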

34  Using a X.509 client certificate is simple: 

35  Spring Security can secure methods at the service layer  Application Context configuration:  Methods are Secured With the @PreAuthorize annotation

36  @PostAuthorize  @PreFilter and @PostFilter  Used with Domain Object (ACL) security  Filters a returned collection based on a given expression (hasRole(), etc)
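Slides 35 and 36 name the annotations but not what an annotated service looks like. The following added example (not the presenter's code) is a small document service guarded by each of them, using the Spring Security 3.0.x expressions from slide 19 together with the filterObject, returnObject and authentication variables. It assumes the application context enables these annotations with the global-method-security tag (pre-post-annotations="enabled") and that the service is obtained from the context as a proxied bean; the Document class is a constructed stand-in for a real domain object.

```java
// Added example (not from the presentation): a service whose methods are
// guarded with @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter.
// Assumes <global-method-security pre-post-annotations="enabled"/> in the
// application context and that callers get this bean from the context
// (the checks live in a proxy, so in-class self-calls bypass them).
// Document is a constructed stand-in for a domain object.
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;

public class DocumentService {

    // Constructed domain object with an owner, so expressions can compare it
    // to authentication.name (the name of the current principal).
    public static class Document {
        private final String owner;
        private final String title;
        public Document(String owner, String title) { this.owner = owner; this.title = title; }
        public String getOwner() { return owner; }
        public String getTitle() { return title; }
    }

    private final List<Document> store = new ArrayList<Document>();

    // Slide 35: evaluated before the method runs; anyone without ROLE_ADMIN
    // gets an AccessDeniedException and the body never executes.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteAll() {
        store.clear();
    }

    // @PreAuthorize can also look at arguments (#doc). Parameter names resolve
    // only when the class is compiled with debug info, which Maven does by default.
    @PreAuthorize("hasRole('ROLE_ADMIN') or #doc.owner == authentication.name")
    public void add(Document doc) {
        store.add(doc);
    }

    // Slide 36, @PostAuthorize: the method runs, then its return value
    // (returnObject) is checked; a non-owner gets AccessDeniedException
    // instead of the document. A null result is allowed through.
    @PostAuthorize("returnObject == null or hasRole('ROLE_ADMIN') or returnObject.owner == authentication.name")
    public Document findByTitle(String title) {
        for (Document d : store) {
            if (d.getTitle().equals(title)) {
                return d;
            }
        }
        return null;
    }

    // Slide 36, @PostFilter: each element of the returned collection is
    // filterObject; elements for which the expression is false are removed.
    // The collection must be mutable, hence the fresh ArrayList copy.
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.owner == authentication.name")
    public List<Document> findAll() {
        return new ArrayList<Document>(store);
    }

    // Slide 36, @PreFilter: the incoming collection is filtered the same way
    // before the body runs, so a caller cannot smuggle in another owner's document.
    @PreFilter("hasRole('ROLE_ADMIN') or filterObject.owner == authentication.name")
    public void addAll(List<Document> docs) {
        store.addAll(docs);
    }
}
```

The pre/post distinction matters for cost and for side effects: @PreAuthorize and @PreFilter stop the call before any work is done, while @PostAuthorize and @PostFilter let the method run to completion and only then decide what the caller is allowed to see, so they belong on read-only methods.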

37  Spring Security Provides a Tag Library for accessing the SecurityContext and using security constraints in JSPs  What can it do?  Restrict display of certain content by GrantedAuthority

38  Declaration in JSP:

39  The tag is used to restrict the display of content based on GrantedAuthority  Example: Admin Menu

40  used to access the current Authentication object in the Security Context   display content based on permissions granted to a Domain Object 

41

