SlideShare a Scribd company logo

securing-portlets-with-spring-security.pdf

J
jcarrey
TechnologyNews & Politics
1 of 44
Download to read offline
Securing Portlets With Spring Security John A. Lewis Chief Software Architect Unicon, Inc. JA-SIG Spring 2008 Conference 28 April 2008 © Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Agenda ● JSR 168 Portlet Security ● Spring Security (aka “Acegi”) ● Spring Portlet Security ● Applying Portlet Security ● Resources ● Questions & Answers 2
JSR 168 Portlet Security What does the spec give us to work with? 3
Portal Authentication ● The portal is completely responsible for authentication – This means we just use what it gives us – we don't redirect for authentication purpose ● The JSR 168 PortletRequest class provides two methods for getting user identity (the same ones as the Servlet spec) String getRemoteUser() Principal getUserPrincipal() 4
Portal Authorization ● Portals generally provide the ability to assign a set of “Roles” to the User ● The JSR 168 PortletRequest class provides a method for getting at these roles (the same ones as the Servlet spec) boolean isUserInRole(String) 5
Declaring Portal Roles ● Same as declaring roles for Servlet container- based security ● Include all portal roles that may be used in web.xml: ... <security-role> <role-name>manager</role-name> </security-role> ... 6
Mapping Portal Roles To Portlet Roles ● In portlet.xml: <portlet> <portlet-name>books</portlet-name> ... Portlet Role <security-role-ref> <role-name>ADMINISTRATOR</role-name> <role-link>manager</role-link> </security-role-ref> </portlet> Portal Role Warning! If you are storing your SecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later), make sure these are the same in all your <portlet> declarations – the first one to be invoked on a page will determine the mapping for all portlets in your webapp. 7
Security Constraints ● Require a secure transport in portlet.xml: <portlet-app> ... <portlet> <portlet-name>accountSummary</portlet-name> ... </portlet> ... <security-constraint> <display-name>Secure Portlets</display-name> <portlet-collection> <portlet-name>accountSummary</portlet-name> </portlet-collection> <user-data-constraint/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> ... </portlet-app> 8
Other Portlet Security Info ● PortletRequest has a couple other key security-related methods: StringgetAuthType() String getAuthType() Returns name of authentication scheme used (BASIC_AUTH, CLIENT_CERT_AUTH, custom) or null if user is not authenticated. boolean isSecure() boolean isSecure() Returns true if the request was made over a secure channel (such as HTTPS) 9
Portlet User Attributes ● Can also use the USER_INFO Map available as a PortletRequest attribute. ● May contain arbitrary user information: – user.name.given – user.bdate – user.gender – etc. ● Some portals expose security-related information here, but this mechanism should be avoided if possible 10
Spring Security a.k.a Acegi Security A quick overview 11
What Is Spring Security? ● Powerful, flexible security framework for enterprise software ● Emphasis on applications using Spring ● Comprehensive authentication, authorization, and instance-based access control ● Avoids security code in your business logic – treats security as a cross-cutting concern ● Built-in support for a wide variety of authentication and integration standards 12
Spring Security Releases ● Acegi Security (the old name) – Current Version: 1.0.7 – Initial GA Release: May 2006 – Portlet support in Sandbox ● Spring Security (the new name) – Current Version: 2.0.0 – Initial GA Release: April 2008 – Portlet support Included – Changes packaging from org.acegisecurity to org.springframework.security 13
Applications Are Like Onions ● Spring Security can be applied at multiple layers in your application: – Apply security as markup is constructed in the Rendering Layer using the supplied JSP taglib – Restrict access to areas of web application in the Dispatch Layer based on URL pattern-matching – Secure method invocation on the Service Layer to ensure calls are from properly authorized user – Provide Access Control Lists (ACLs) for individual objects in the Domain Layer 14
Spring Portlet Security Applying Spring Security to Portlets 15
Portlet Challenges ● Portlets have some key differences from Servlets: – No Filters – Can't treat URLs like Paths – Multiple Request Phases ● These create some challenges in applying the normal Spring Security patterns ● So we need some different infrastructure for wiring Spring Security into our portlet application 16
Six Main Portlet Security Beans ● PortletProcessingInterceptor ● AuthenticationManager ● AuthenticationDetailsSource ● AuthenticationProvider ● UserDetailsService ● PortletSessionContextIntegrationInterceptor 17
PortletProcessingInterceptor ● Interceptor that processes portlet requests for authentication by invoking the configured AuthenticationManager ● Creates the initial AuthenticationToken from the PortletRequest security methods <bean id="portletProcessingInterceptor" class="org.springframework.security.ui.portlet. PortletProcessingInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationDetailsSource" ref="portletAuthenticationDetailsSource" /> </bean> Portlet equivalent of AuthenticationProcessingFilter used for traditional servlet web applications 18
AuthenticationManager ● Use normal provider-based AuthenticationManager bean ● Declared via special namespace schema: <sec:authentication-manager alias="authenticationManager" /> Can use multiple providers if you are authenticating from Portlets and Servlets 19
AuthenticationDetailsSource ● Can be used to check isUserInRole(...) to get list of Portal Roles into the Authentication Request: <bean name=”portletAuthenticationDetailsSource” class="org.springframework.security.ui.portlet. PortletPreAuthenticatedAuthenticationDetailsSource"> <property name="mappableRolesRetriever"> <bean class="org.springframework.security. authoritymapping.SimpleMappableAttributesRetriever"> <property name="mappableAttributes"> <list> <value>ADMIN</value> </list> </property> </bean> Only needed if we are using Portal Roles for </property> our security decisions </bean> 20
AuthenticationProvider ● PreAuthenticatedAuthenticationProvider processes pre-authenticated authentication request (from PortletProcessingInterceptor) ● A valid PreAuthenticatedAuthenticationToken with non-null principal & credentials will succeed <bean id="portletAuthenticationProvider" class="org.springframework.security.providers.preauth. PreAuthenticatedAuthenticationProvider"> <sec:custom-authentication-provider /> <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" /> </bean> 21
UserDetailsService ● Bean that knows how to populate user details (including GrantedAuthorities) for the authenticated user – PreAuthenticatedGrantedAuthoritiesUserDetailsService will use purely data contained in the PreAuthenticatedAuthenticationToken <bean name="preAuthenticatedUserDetailsService" class="org.springframework.security.providers.preauth. PreAuthenticatedGrantedAuthoritiesUserDetailsService" /> Can also use any other UserDetailsService that can populate UserDetails by username, such as JdbcUserDetailsManager or LdapUserDetailsManager 22
PortletSessionContextIntegrationInterceptor ● Interceptor that retrieves/stores the contents of the SecurityContextHolder in the active PortletSession ● Without this, every request would trigger a full authentication cycle ● Default is to use APPLICATION_SCOPE <bean id="portletSessionContextIntegrationInterceptor" class="org.springframework.security.context. PortletSessionContextIntegrationInterceptor" /> Portlet equivalent of HttpSessionContextIntegrationFilter, used for traditional servlet web applications 23
Using The Two Interceptors ● Add them to our Portlet's HandlerMapping: <bean id="portletModeHandlerMapping" class="org.springframework.web.portlet.handler. PortletModeHandlerMapping"> <property name="interceptors"> <list> <ref bean="portletSessionContextIntegrationInterceptor"/> <ref bean="portletProcessingInterceptor"/> </list> </property> <property name="portletModeMap"> <map> <entry key="view"><ref bean="viewController"/></entry> <entry key="edit"><ref bean="editController"/></entry> <entry key="help"><ref bean="helpController"/></entry> </map> </property> </bean> Warning! This ordering is critical – they will not work correctly if they are reversed! 24
Applying Portlet Security To The Rendering Layer Customizing our markup based on security information 25
Spring Security JSP TagLib ● Allows us to access authentication information and to check authorizations ● Useful for showing/hiding information or navigation controls based on security info <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <p>Username: <sec:authentication property="principal.username"/></p> <sec:authorize ifAllGranted="ROLE_USER"> <p>You are an authorized user of this system.</p> </sec:authorize> <sec:authorize ifAllGranted="ROLE_ADMINISTRATOR"> <p>You are an administrator of this system.</p> </sec:authorize> Warning: Don't rely on this to restrict access to areas of the application. Just because navigation doesn't appear in the markup doesn't mean a clever hacker can't generate a GET/POST that will still get there. 26
Applying Portlet Security To The Dispatch Layer Controlling where users can go in the application 27
Secure Portlet Request Dispatching ● Portlet Requests don't have a path structure, so we can't use the path-based patterns of FilterSecurityInterceptor to control access ● Something standard may be added in the future – perhaps a ConfigAttributeDefinition for various aspects of Portlet Requests that we can use as an ObjectDefinitionSource 28
Using a HandlerInterceptor ● Best practice in Spring 2.0 is to build a custom HandlerInterceptor for your Portlet ● Compare contents of SecurityContextHolder. getContext(). getAuthentication() with Portlet Mode, Window State, Render Parameters – whatever you want to use to determine permission ● Throw a PortletSecurityException if access is not permitted, otherwise allow processing to proceed 29
Using Annotations ● If using Spring 2.5 Annotation-based Dispatching, use Security Annotations as well – ApplicationContext entry: <sec:global-method-security secured-annotations="enabled" /> – Annotated method: import org.springframework.security.annotation.Secured; ... @Secured({"ROLE_ADMIN"}) @RequestMapping(params="action=view") public String deleteItems(RequestParam("item") int itemId) { ... 30
Applying Portlet Security To The Service Layer Making sure Services are invoked by only by user with proper permissions 31
AccessDecisionManager ● Standard Spring Security bean for making decisions about access to resources <bean id="accessDecisionManager" class="org.springframework.security.vote. AffirmativeBased"> <property name="decisionVoters"> <list> <bean class="org.springframework.security. vote.RoleVoter" /> <bean class="org.springframework.security. vote.AuthenticatedVoter" /> </list> </property> </bean> 32
MethodSecurityInterceptor <bean id="myService" class="sample.service.MyService"> <sec:intercept-methods access-decision-manager-ref="accessDecisionManager"> <sec:protect method="sample.service.MyService.*" access="IS_AUTHENTICATED_FULLY" /> <sec:protect method="sample.service.MyService.add*" access="ROLE_ADMINISTRATOR" /> <sec:protect method="sample.service.MyService.del*" access="ROLE_ADMINISTRATOR" /> <sec:protect method="sample.service.MyService.save*" access="ROLE_ADMINISTRATOR" /> </sec:intercept-methods> </bean> 33
Applying Portlet Security To Servlets Using the whole web/portlet application as one secure bundle 34
Bridging The Gap ● We can reuse the Portlet SecurityContext in getting resources from Servlets in the same web application ● Useful for securing: – AJAX Calls – Dynamic Images – PDF Reports ● Need to get Portlets and Servlets to share session data to do this 35
Portlets & Servlets Sharing Session ● Possible according to JSR 168 (PLT 15.4) – Must be in the same webapp – Portlet must use APPLICATION_SCOPE ● Sometime tricky in practice – Portlet requests go thru Portal webapp URL – Servlet requests go thru Portlet webapp URL – Session tracking via JSESSIONID Cookie usually uses URL path to webapp – not shared! Tomcat 5.5.4 + On <Connector> element set emptySessionPath=true 36
Apply Servlet Filter Chain ● In web.xml: <filter> <filter-name>securityFilterChainProxy</filter-name> <filter-class>org.springframework.web.filter. DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>securityFilterChainProxy</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> 37
FilterChainProxy ● Since the portal handles authentication, you only need a few entries in this bean: <bean id="servletSecurityFilterChainProxy" class="org.springframework.security.util. FilterChainProxy"> <sec:filter-chain-map path-type="ant"> <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter, exceptionTranslationFilter, filterSecurityInterceptor" /> </sec:filter-chain-map> </bean> 38
HttpSessionContextIntegrationFilter ● If session sharing is working properly, it will populate the SecurityContextHolder using the same SecurityContext as the Portlet side <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context. HttpSessionContextIntegrationFilter" /> This will only work if PortletSessionContextIntegrationInterceptor is storing in the APPLICATION_SCOPE of the PortletSession (which is the default) 39
ExceptionTranslationFilter ● Since we are relying on the Portal for authentication, then an Exception means that authentication has already failed ● PreAuthenticatedProcessingFilterEntryPoint returns SC_FORBIDDEN (HTTP 403 error) <bean id="exceptionTranslationFilter" class="org.springframework.security.ui. ExceptionTranslationFilter"> <property name="authenticationEntryPoint"> <bean class="org.springframework.security.ui.preauth. PreAuthenticatedProcessingFilterEntryPoint" /> </property> </bean> 40
FilterSecurityInterceptor ● Secure resource URLs accordingly ● Use the same AuthenticationManager and AccessDecisionManager as in the portlet <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web. FilterSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="accessDecisionManager" ref="accessDecisionManager" /> <property name="objectDefinitionSource"> <sec:filter-invocation-definition-source> <sec:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> </sec:filter-invocation-definition-source> </property> </bean> 41
Resources Places to go to actually use this stuff! 42
Resources ● Spring Security 2.0 Website – http://static.springframework.org/spring-security/site/ ● Sample Applications – Small sample included in Spring Security distro – Bigger sample on the Spring Portlet Wiki http://opensource.atlassian.com/confluence/spring/display/JSR168/ 43
Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. jlewis@unicon.net www.unicon.net 44

Recommended

Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring SecurityJohn Lewis
 
Introduction to java standard portlets
Introduction to java standard portletsIntroduction to java standard portlets
Introduction to java standard portletsRohan Faye
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 
Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Anil Saldanha
 
As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0Bruno Borges
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
Uploaded
UploadedUploaded
Uploadedjcarrey
 

Recommended

Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring SecurityJohn Lewis
 
Introduction to java standard portlets
Introduction to java standard portletsIntroduction to java standard portlets
Introduction to java standard portletsRohan Faye
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 
Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Anil Saldanha
 
As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0Bruno Borges
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
Uploaded
UploadedUploaded
Uploadedjcarrey
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
Spring security4.x
Spring security4.xSpring security4.x
Spring security4.xZeeshan Khan
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCJohn Lewis
 
Pixels_Camp
Pixels_CampPixels_Camp
Pixels_CampNelson Gomes
 
Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)ERPScan
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample applicationAnil Allewar
 
TechEvent Eclipse Microprofile
TechEvent Eclipse MicroprofileTechEvent Eclipse Microprofile
TechEvent Eclipse MicroprofileTrivadis
 
Java EE Services
Java EE ServicesJava EE Services
Java EE ServicesAbdalla Mahmoud
 
Struts2 - 101
Struts2 - 101Struts2 - 101
Struts2 - 101Munish Gupta
 
Servlet 3.0
Servlet 3.0Servlet 3.0
Servlet 3.0Minh Hoang
 
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010Arun Gupta
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsPuma Security, LLC
 
Spring Security Framework
Spring Security FrameworkSpring Security Framework
Spring Security FrameworkJayasree Perilakkalam
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
Anil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil Saldanha
 
Websphere - Introduction to SSL part 1
Websphere - Introduction to SSL part 1Websphere - Introduction to SSL part 1
Websphere - Introduction to SSL part 1Vibrant Technologies & Computers
 
Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core Binary Studio
 
JMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialJMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialRyan Baxter
 
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connections Developers
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 

More Related Content

Similar to securing-portlets-with-spring-security.pdf

Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
Spring security4.x
Spring security4.xSpring security4.x
Spring security4.xZeeshan Khan
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCJohn Lewis
 
Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)ERPScan
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample applicationAnil Allewar
 
TechEvent Eclipse Microprofile
TechEvent Eclipse MicroprofileTechEvent Eclipse Microprofile
TechEvent Eclipse MicroprofileTrivadis
 
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010Arun Gupta
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsPuma Security, LLC
 
Anil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil Saldanha
 
Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core Binary Studio
 
JMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialJMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialRyan Baxter
 
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connections Developers
 

Similar to securing-portlets-with-spring-security.pdf (20)

Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Spring security4.x
Spring security4.xSpring security4.x
Spring security4.x
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVC
 
Pixels_Camp
Pixels_CampPixels_Camp
Pixels_Camp
 
Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample application
 
TechEvent Eclipse Microprofile
TechEvent Eclipse MicroprofileTechEvent Eclipse Microprofile
TechEvent Eclipse Microprofile
 
Java EE Services
Java EE ServicesJava EE Services
Java EE Services
 
Struts2 - 101
Struts2 - 101Struts2 - 101
Struts2 - 101
 
Servlet 3.0
Servlet 3.0Servlet 3.0
Servlet 3.0
 
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
Spring Security Framework
Spring Security FrameworkSpring Security Framework
Spring Security Framework
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
 
Anil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseap
 
Websphere - Introduction to SSL part 1
Websphere - Introduction to SSL part 1Websphere - Introduction to SSL part 1
Websphere - Introduction to SSL part 1
 
Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core
 
JMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialJMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocial
 
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
 

More from jcarrey

developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 
343 1 El nuevo AUDI A4 2005.pdf
343 1 El nuevo AUDI A4 2005.pdf343 1 El nuevo AUDI A4 2005.pdf
343 1 El nuevo AUDI A4 2005.pdfjcarrey
 
Audi A5 coupe 2008 Trabajos de montaje interiores.pdf
Audi A5 coupe 2008 Trabajos de montaje interiores.pdfAudi A5 coupe 2008 Trabajos de montaje interiores.pdf
Audi A5 coupe 2008 Trabajos de montaje interiores.pdfjcarrey
 
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdfAudi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdfjcarrey
 
343 1 El Nuevo AUDI 2005.pdf
343 1 El Nuevo AUDI 2005.pdf343 1 El Nuevo AUDI 2005.pdf
343 1 El Nuevo AUDI 2005.pdfjcarrey
 
343 2 El Nuevo AUDI A4 2005.pdf
343 2 El Nuevo AUDI A4 2005.pdf343 2 El Nuevo AUDI A4 2005.pdf
343 2 El Nuevo AUDI A4 2005.pdfjcarrey
 
344 1 El nuevo AUDI A6 Avant 2005.pdf
344 1 El nuevo AUDI A6 Avant 2005.pdf344 1 El nuevo AUDI A6 Avant 2005.pdf
344 1 El nuevo AUDI A6 Avant 2005.pdfjcarrey
 
344 2 El nuevo AUDI A6 Avant 2005.pdf
344 2 El nuevo AUDI A6 Avant 2005.pdf344 2 El nuevo AUDI A6 Avant 2005.pdf
344 2 El nuevo AUDI A6 Avant 2005.pdfjcarrey
 
346 Freno de estacionamiento electromecanico.pdf
346 Freno de estacionamiento electromecanico.pdf346 Freno de estacionamiento electromecanico.pdf
346 Freno de estacionamiento electromecanico.pdfjcarrey
 
347 El sistema de control de Presion de Neumaticos.pdf
347 El sistema de control de Presion de Neumaticos.pdf347 El sistema de control de Presion de Neumaticos.pdf
347 El sistema de control de Presion de Neumaticos.pdfjcarrey
 
349 1 FOX 2006.pdf
349 1 FOX 2006.pdf349 1 FOX 2006.pdf
349 1 FOX 2006.pdfjcarrey
 
349 2 FOX 2006.pdf
349 2 FOX 2006.pdf349 2 FOX 2006.pdf
349 2 FOX 2006.pdfjcarrey
 
350 Motor TDI 3 0l V6.pdf
350 Motor TDI 3 0l V6.pdf350 Motor TDI 3 0l V6.pdf
350 Motor TDI 3 0l V6.pdfjcarrey
 
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdfjcarrey
 
352 Inyector bomba con Valvula Piezoelectrica.pdf
352 Inyector bomba con Valvula Piezoelectrica.pdf352 Inyector bomba con Valvula Piezoelectrica.pdf
352 Inyector bomba con Valvula Piezoelectrica.pdfjcarrey
 
354 1 Jetta 2006.pdf
354 1 Jetta 2006.pdf354 1 Jetta 2006.pdf
354 1 Jetta 2006.pdfjcarrey
 
354 2 Jetta 2006.pdf
354 2 Jetta 2006.pdf354 2 Jetta 2006.pdf
354 2 Jetta 2006.pdfjcarrey
 

More from jcarrey (20)

developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdf
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdf
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdf
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdf
 
343 1 El nuevo AUDI A4 2005.pdf
343 1 El nuevo AUDI A4 2005.pdf343 1 El nuevo AUDI A4 2005.pdf
343 1 El nuevo AUDI A4 2005.pdf
 
Audi A5 coupe 2008 Trabajos de montaje interiores.pdf
Audi A5 coupe 2008 Trabajos de montaje interiores.pdfAudi A5 coupe 2008 Trabajos de montaje interiores.pdf
Audi A5 coupe 2008 Trabajos de montaje interiores.pdf
 
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdfAudi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
 
343 1 El Nuevo AUDI 2005.pdf
343 1 El Nuevo AUDI 2005.pdf343 1 El Nuevo AUDI 2005.pdf
343 1 El Nuevo AUDI 2005.pdf
 
343 2 El Nuevo AUDI A4 2005.pdf
343 2 El Nuevo AUDI A4 2005.pdf343 2 El Nuevo AUDI A4 2005.pdf
343 2 El Nuevo AUDI A4 2005.pdf
 
344 1 El nuevo AUDI A6 Avant 2005.pdf
344 1 El nuevo AUDI A6 Avant 2005.pdf344 1 El nuevo AUDI A6 Avant 2005.pdf
344 1 El nuevo AUDI A6 Avant 2005.pdf
 
344 2 El nuevo AUDI A6 Avant 2005.pdf
344 2 El nuevo AUDI A6 Avant 2005.pdf344 2 El nuevo AUDI A6 Avant 2005.pdf
344 2 El nuevo AUDI A6 Avant 2005.pdf
 
346 Freno de estacionamiento electromecanico.pdf
346 Freno de estacionamiento electromecanico.pdf346 Freno de estacionamiento electromecanico.pdf
346 Freno de estacionamiento electromecanico.pdf
 
347 El sistema de control de Presion de Neumaticos.pdf
347 El sistema de control de Presion de Neumaticos.pdf347 El sistema de control de Presion de Neumaticos.pdf
347 El sistema de control de Presion de Neumaticos.pdf
 
349 1 FOX 2006.pdf
349 1 FOX 2006.pdf349 1 FOX 2006.pdf
349 1 FOX 2006.pdf
 
349 2 FOX 2006.pdf
349 2 FOX 2006.pdf349 2 FOX 2006.pdf
349 2 FOX 2006.pdf
 
350 Motor TDI 3 0l V6.pdf
350 Motor TDI 3 0l V6.pdf350 Motor TDI 3 0l V6.pdf
350 Motor TDI 3 0l V6.pdf
 
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
 
352 Inyector bomba con Valvula Piezoelectrica.pdf
352 Inyector bomba con Valvula Piezoelectrica.pdf352 Inyector bomba con Valvula Piezoelectrica.pdf
352 Inyector bomba con Valvula Piezoelectrica.pdf
 
354 1 Jetta 2006.pdf
354 1 Jetta 2006.pdf354 1 Jetta 2006.pdf
354 1 Jetta 2006.pdf
 
354 2 Jetta 2006.pdf
354 2 Jetta 2006.pdf354 2 Jetta 2006.pdf
354 2 Jetta 2006.pdf
 

Recently uploaded

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

securing-portlets-with-spring-security.pdf

  • 1. Securing Portlets With Spring Security John A. Lewis Chief Software Architect Unicon, Inc. JA-SIG Spring 2008 Conference 28 April 2008 © Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
  • 2. Agenda ● JSR 168 Portlet Security ● Spring Security (aka “Acegi”) ● Spring Portlet Security ● Applying Portlet Security ● Resources ● Questions & Answers 2
  • 3. JSR 168 Portlet Security What does the spec give us to work with? 3
  • 4. Portal Authentication ● The portal is completely responsible for authentication – This means we just use what it gives us – we don't redirect for authentication purpose ● The JSR 168 PortletRequest class provides two methods for getting user identity (the same ones as the Servlet spec) String getRemoteUser() Principal getUserPrincipal() 4
  • 5. Portal Authorization ● Portals generally provide the ability to assign a set of “Roles” to the User ● The JSR 168 PortletRequest class provides a method for getting at these roles (the same ones as the Servlet spec) boolean isUserInRole(String) 5
  • 6. Declaring Portal Roles ● Same as declaring roles for Servlet container- based security ● Include all portal roles that may be used in web.xml: ... <security-role> <role-name>manager</role-name> </security-role> ... 6
  • 7. Mapping Portal Roles To Portlet Roles ● In portlet.xml: <portlet> <portlet-name>books</portlet-name> ... Portlet Role <security-role-ref> <role-name>ADMINISTRATOR</role-name> <role-link>manager</role-link> </security-role-ref> </portlet> Portal Role Warning! If you are storing your SecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later), make sure these are the same in all your <portlet> declarations – the first one to be invoked on a page will determine the mapping for all portlets in your webapp. 7
  • 8. Security Constraints ● Require a secure transport in portlet.xml: <portlet-app> ... <portlet> <portlet-name>accountSummary</portlet-name> ... </portlet> ... <security-constraint> <display-name>Secure Portlets</display-name> <portlet-collection> <portlet-name>accountSummary</portlet-name> </portlet-collection> <user-data-constraint/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> ... </portlet-app> 8
  • 9. Other Portlet Security Info ● PortletRequest has a couple other key security-related methods: StringgetAuthType() String getAuthType() Returns name of authentication scheme used (BASIC_AUTH, CLIENT_CERT_AUTH, custom) or null if user is not authenticated. boolean isSecure() boolean isSecure() Returns true if the request was made over a secure channel (such as HTTPS) 9
  • 10. Portlet User Attributes ● Can also use the USER_INFO Map available as a PortletRequest attribute. ● May contain arbitrary user information: – user.name.given – user.bdate – user.gender – etc. ● Some portals expose security-related information here, but this mechanism should be avoided if possible 10
  • 11. Spring Security a.k.a Acegi Security A quick overview 11
  • 12. What Is Spring Security? ● Powerful, flexible security framework for enterprise software ● Emphasis on applications using Spring ● Comprehensive authentication, authorization, and instance-based access control ● Avoids security code in your business logic – treats security as a cross-cutting concern ● Built-in support for a wide variety of authentication and integration standards 12
  • 13. Spring Security Releases ● Acegi Security (the old name) – Current Version: 1.0.7 – Initial GA Release: May 2006 – Portlet support in Sandbox ● Spring Security (the new name) – Current Version: 2.0.0 – Initial GA Release: April 2008 – Portlet support Included – Changes packaging from org.acegisecurity to org.springframework.security 13
  • 14. Applications Are Like Onions ● Spring Security can be applied at multiple layers in your application: – Apply security as markup is constructed in the Rendering Layer using the supplied JSP taglib – Restrict access to areas of web application in the Dispatch Layer based on URL pattern-matching – Secure method invocation on the Service Layer to ensure calls are from properly authorized user – Provide Access Control Lists (ACLs) for individual objects in the Domain Layer 14
  • 15. Spring Portlet Security Applying Spring Security to Portlets 15
  • 16. Portlet Challenges ● Portlets have some key differences from Servlets: – No Filters – Can't treat URLs like Paths – Multiple Request Phases ● These create some challenges in applying the normal Spring Security patterns ● So we need some different infrastructure for wiring Spring Security into our portlet application 16
  • 17. Six Main Portlet Security Beans ● PortletProcessingInterceptor ● AuthenticationManager ● AuthenticationDetailsSource ● AuthenticationProvider ● UserDetailsService ● PortletSessionContextIntegrationInterceptor 17
  • 18. PortletProcessingInterceptor ● Interceptor that processes portlet requests for authentication by invoking the configured AuthenticationManager ● Creates the initial AuthenticationToken from the PortletRequest security methods <bean id="portletProcessingInterceptor" class="org.springframework.security.ui.portlet. PortletProcessingInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationDetailsSource" ref="portletAuthenticationDetailsSource" /> </bean> Portlet equivalent of AuthenticationProcessingFilter used for traditional servlet web applications 18
  • 19. AuthenticationManager ● Use normal provider-based AuthenticationManager bean ● Declared via special namespace schema: <sec:authentication-manager alias="authenticationManager" /> Can use multiple providers if you are authenticating from Portlets and Servlets 19
  • 20. AuthenticationDetailsSource ● Can be used to check isUserInRole(...) to get list of Portal Roles into the Authentication Request: <bean name=”portletAuthenticationDetailsSource” class="org.springframework.security.ui.portlet. PortletPreAuthenticatedAuthenticationDetailsSource"> <property name="mappableRolesRetriever"> <bean class="org.springframework.security. authoritymapping.SimpleMappableAttributesRetriever"> <property name="mappableAttributes"> <list> <value>ADMIN</value> </list> </property> </bean> Only needed if we are using Portal Roles for </property> our security decisions </bean> 20
  • 21. AuthenticationProvider ● PreAuthenticatedAuthenticationProvider processes pre-authenticated authentication request (from PortletProcessingInterceptor) ● A valid PreAuthenticatedAuthenticationToken with non-null principal & credentials will succeed <bean id="portletAuthenticationProvider" class="org.springframework.security.providers.preauth. PreAuthenticatedAuthenticationProvider"> <sec:custom-authentication-provider /> <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" /> </bean> 21
  • 22. UserDetailsService ● Bean that knows how to populate user details (including GrantedAuthorities) for the authenticated user – PreAuthenticatedGrantedAuthoritiesUserDetailsService will use purely data contained in the PreAuthenticatedAuthenticationToken <bean name="preAuthenticatedUserDetailsService" class="org.springframework.security.providers.preauth. PreAuthenticatedGrantedAuthoritiesUserDetailsService" /> Can also use any other UserDetailsService that can populate UserDetails by username, such as JdbcUserDetailsManager or LdapUserDetailsManager 22
  • 23. PortletSessionContextIntegrationInterceptor ● Interceptor that retrieves/stores the contents of the SecurityContextHolder in the active PortletSession ● Without this, every request would trigger a full authentication cycle ● Default is to use APPLICATION_SCOPE <bean id="portletSessionContextIntegrationInterceptor" class="org.springframework.security.context. PortletSessionContextIntegrationInterceptor" /> Portlet equivalent of HttpSessionContextIntegrationFilter, used for traditional servlet web applications 23
  • 24. Using The Two Interceptors ● Add them to our Portlet's HandlerMapping: <bean id="portletModeHandlerMapping" class="org.springframework.web.portlet.handler. PortletModeHandlerMapping"> <property name="interceptors"> <list> <ref bean="portletSessionContextIntegrationInterceptor"/> <ref bean="portletProcessingInterceptor"/> </list> </property> <property name="portletModeMap"> <map> <entry key="view"><ref bean="viewController"/></entry> <entry key="edit"><ref bean="editController"/></entry> <entry key="help"><ref bean="helpController"/></entry> </map> </property> </bean> Warning! This ordering is critical – they will not work correctly if they are reversed! 24
  • 25. Applying Portlet Security To The Rendering Layer Customizing our markup based on security information 25
  • 26. Spring Security JSP TagLib ● Allows us to access authentication information and to check authorizations ● Useful for showing/hiding information or navigation controls based on security info <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <p>Username: <sec:authentication property="principal.username"/></p> <sec:authorize ifAllGranted="ROLE_USER"> <p>You are an authorized user of this system.</p> </sec:authorize> <sec:authorize ifAllGranted="ROLE_ADMINISTRATOR"> <p>You are an administrator of this system.</p> </sec:authorize> Warning: Don't rely on this to restrict access to areas of the application. Just because navigation doesn't appear in the markup doesn't mean a clever hacker can't generate a GET/POST that will still get there. 26
  • 27. Applying Portlet Security To The Dispatch Layer Controlling where users can go in the application 27
  • 28. Secure Portlet Request Dispatching ● Portlet Requests don't have a path structure, so we can't use the path-based patterns of FilterSecurityInterceptor to control access ● Something standard may be added in the future – perhaps a ConfigAttributeDefinition for various aspects of Portlet Requests that we can use as an ObjectDefinitionSource 28
  • 29. Using a HandlerInterceptor ● Best practice in Spring 2.0 is to build a custom HandlerInterceptor for your Portlet ● Compare contents of SecurityContextHolder. getContext(). getAuthentication() with Portlet Mode, Window State, Render Parameters – whatever you want to use to determine permission ● Throw a PortletSecurityException if access is not permitted, otherwise allow processing to proceed 29
  • 30. Using Annotations ● If using Spring 2.5 Annotation-based Dispatching, use Security Annotations as well – ApplicationContext entry: <sec:global-method-security secured-annotations="enabled" /> – Annotated method: import org.springframework.security.annotation.Secured; ... @Secured({"ROLE_ADMIN"}) @RequestMapping(params="action=view") public String deleteItems(RequestParam("item") int itemId) { ... 30
  • 31. Applying Portlet Security To The Service Layer Making sure Services are invoked by only by user with proper permissions 31
  • 32. AccessDecisionManager ● Standard Spring Security bean for making decisions about access to resources <bean id="accessDecisionManager" class="org.springframework.security.vote. AffirmativeBased"> <property name="decisionVoters"> <list> <bean class="org.springframework.security. vote.RoleVoter" /> <bean class="org.springframework.security. vote.AuthenticatedVoter" /> </list> </property> </bean> 32
  • 33. MethodSecurityInterceptor <bean id="myService" class="sample.service.MyService"> <sec:intercept-methods access-decision-manager-ref="accessDecisionManager"> <sec:protect method="sample.service.MyService.*" access="IS_AUTHENTICATED_FULLY" /> <sec:protect method="sample.service.MyService.add*" access="ROLE_ADMINISTRATOR" /> <sec:protect method="sample.service.MyService.del*" access="ROLE_ADMINISTRATOR" /> <sec:protect method="sample.service.MyService.save*" access="ROLE_ADMINISTRATOR" /> </sec:intercept-methods> </bean> 33
  • 34. Applying Portlet Security To Servlets Using the whole web/portlet application as one secure bundle 34
  • 35. Bridging The Gap ● We can reuse the Portlet SecurityContext in getting resources from Servlets in the same web application ● Useful for securing: – AJAX Calls – Dynamic Images – PDF Reports ● Need to get Portlets and Servlets to share session data to do this 35
  • 36. Portlets & Servlets Sharing Session ● Possible according to JSR 168 (PLT 15.4) – Must be in the same webapp – Portlet must use APPLICATION_SCOPE ● Sometime tricky in practice – Portlet requests go thru Portal webapp URL – Servlet requests go thru Portlet webapp URL – Session tracking via JSESSIONID Cookie usually uses URL path to webapp – not shared! Tomcat 5.5.4 + On <Connector> element set emptySessionPath=true 36
  • 37. Apply Servlet Filter Chain ● In web.xml: <filter> <filter-name>securityFilterChainProxy</filter-name> <filter-class>org.springframework.web.filter. DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>securityFilterChainProxy</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> 37
  • 38. FilterChainProxy ● Since the portal handles authentication, you only need a few entries in this bean: <bean id="servletSecurityFilterChainProxy" class="org.springframework.security.util. FilterChainProxy"> <sec:filter-chain-map path-type="ant"> <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter, exceptionTranslationFilter, filterSecurityInterceptor" /> </sec:filter-chain-map> </bean> 38
  • 39. HttpSessionContextIntegrationFilter ● If session sharing is working properly, it will populate the SecurityContextHolder using the same SecurityContext as the Portlet side <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context. HttpSessionContextIntegrationFilter" /> This will only work if PortletSessionContextIntegrationInterceptor is storing in the APPLICATION_SCOPE of the PortletSession (which is the default) 39
  • 40. ExceptionTranslationFilter ● Since we are relying on the Portal for authentication, then an Exception means that authentication has already failed ● PreAuthenticatedProcessingFilterEntryPoint returns SC_FORBIDDEN (HTTP 403 error) <bean id="exceptionTranslationFilter" class="org.springframework.security.ui. ExceptionTranslationFilter"> <property name="authenticationEntryPoint"> <bean class="org.springframework.security.ui.preauth. PreAuthenticatedProcessingFilterEntryPoint" /> </property> </bean> 40
  • 41. FilterSecurityInterceptor ● Secure resource URLs accordingly ● Use the same AuthenticationManager and AccessDecisionManager as in the portlet <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web. FilterSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="accessDecisionManager" ref="accessDecisionManager" /> <property name="objectDefinitionSource"> <sec:filter-invocation-definition-source> <sec:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> </sec:filter-invocation-definition-source> </property> </bean> 41
  • 42. Resources Places to go to actually use this stuff! 42
  • 43. Resources ● Spring Security 2.0 Website – http://static.springframework.org/spring-security/site/ ● Sample Applications – Small sample included in Spring Security distro – Bigger sample on the Spring Portlet Wiki http://opensource.atlassian.com/confluence/spring/display/JSR168/ 43
  • 44. Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. jlewis@unicon.net www.unicon.net 44