SlideShare uma empresa Scribd logo

Securing Portlets With Spring Security

Transferir como ODP, PDF
John Lewis
John Lewis

In this session, attendees will learn how to secure JSR-168 Portlets using the latest version of Acegi Security, called Spring Security 2.0. The 2.0 release of Spring Security includes new support for JSR-168 Portlet development. In this session we'll cover how the Acegi security model translates into the Portlet world, show how to configure the authentication provider for JSR-168 Portlets, and discuss the special interceptors for processing Portlet requests and for storing the security context in the Portlet session. Finally we'll show how Portlets and Servlets in the same webapp can share security context, which allows for secure AJAX calls and dynamic images from within Portlets.

TecnologiaNotícias e política
1 de 44
Securing Portlets With Spring Security ,[object Object],[object Object],[object Object],[object Object],[object Object],© Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
JSR 168 Portlet Security What does the spec give us to work with?
Portal Authentication ,[object Object],[object Object],[object Object],String getRemoteUser() Principal getUserPrincipal()
Portal Authorization ,[object Object],[object Object],boolean isUserInRole(String)
Declaring Portal Roles ,[object Object],[object Object],... <security-role> <role-name>manager</role-name> </security-role> ...
Mapping Portal Roles To Portlet Roles ,[object Object],<portlet> <portlet-name>books</portlet-name> ... <security-role-ref> <role-name>ADMINISTRATOR</role-name> <role-link>manager</role-link> </security-role-ref> </portlet> Portlet Role Portal Role Warning! If you are storing your SecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later) , make sure these are the same in all your <portlet> declarations – the first one to be invoked on a page will determine the mapping for all portlets in your webapp.
Security Constraints ,[object Object],<portlet-app> ... <portlet> <portlet-name>accountSummary</portlet-name> ... </portlet> ... <security-constraint> <display-name>Secure Portlets</display-name> <portlet-collection> <portlet-name>accountSummary</portlet-name> </portlet-collection> <user-data-constraint/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> ... </portlet-app>
Other Portlet Security Info ,[object Object],[object Object],[object Object],String getAuthType() boolean isSecure()
Portlet User Attributes ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Spring Security a.k.a Acegi Security A quick overview
What Is Spring Security? ,[object Object],[object Object],[object Object],[object Object],[object Object]
Spring Security Releases ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Applications Are Like Onions ,[object Object],[object Object],[object Object],[object Object],[object Object]
Spring Portlet Security Applying Spring Security to Portlets
Portlet Challenges ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Six Main Portlet Security Beans ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
PortletProcessingInterceptor <bean id=&quot;portletProcessingInterceptor&quot; class=&quot;org.springframework.security.ui.portlet. PortletProcessingInterceptor&quot;> <property name=&quot;authenticationManager&quot; ref=&quot;authenticationManager&quot; /> <property name=&quot;authenticationDetailsSource&quot; ref=&quot;portletAuthenticationDetailsSource&quot; / > </bean> ,[object Object],[object Object],Portlet equivalent of AuthenticationProcessingFilter used for traditional servlet web applications
AuthenticationManager <sec:authentication-manager alias=&quot;authenticationManager&quot; /> ,[object Object],[object Object],Can use multiple providers if you are authenticating from Portlets and Servlets
AuthenticationDetailsSource <bean name=” portletAuthenticationDetailsSource” class=&quot;org.springframework.security.ui.portlet. PortletPreAuthenticatedAuthenticationDetailsSource&quot;> <property name=&quot;mappableRolesRetriever&quot;> <bean class=&quot;org.springframework.security. authoritymapping.SimpleMappableAttributesRetriever&quot;> <property name=&quot;mappableAttributes&quot;> <list> <value>ADMIN</value> </list> </property> </bean> </property> </bean> ,[object Object],Only needed if we are using Portal Roles for our security decisions
AuthenticationProvider <bean id=&quot;portletAuthenticationProvider&quot; class=&quot;org.springframework.security.providers.preauth. PreAuthenticatedAuthenticationProvider&quot;> <sec:custom-authentication-provider /> <property name=&quot;preAuthenticatedUserDetailsService&quot; ref=&quot; preAuthenticatedUserDetailsService &quot; /> </bean> ,[object Object],[object Object]
UserDetailsService <bean name=&quot;preAuthenticatedUserDetailsService&quot; class=&quot;org.springframework.security.providers.preauth. PreAuthenticatedGrantedAuthoritiesUserDetailsService&quot; /> ,[object Object],[object Object],Can also use any other UserDetailsService that can populate UserDetails by username, such as JdbcUserDetailsManager or LdapUserDetailsManager
PortletSessionContextIntegrationInterceptor <bean id=&quot;portletSessionContextIntegrationInterceptor&quot; class=&quot;org.springframework.security.context. PortletSessionContextIntegrationInterceptor&quot; /> ,[object Object],[object Object],[object Object],Portlet equivalent of HttpSessionContextIntegrationFilter, used for traditional servlet web applications
Using The Two Interceptors <bean id=&quot;portletModeHandlerMapping&quot; class=&quot;org.springframework.web.portlet.handler. PortletModeHandlerMapping&quot;> <property name=&quot;interceptors&quot;> <list> <ref bean=&quot; portletSessionContextIntegrationInterceptor &quot;/> <ref bean=&quot; portletProcessingInterceptor &quot;/> </list> </property> <property name=&quot;portletModeMap&quot;> <map> <entry key=&quot;view&quot;><ref bean=&quot;viewController&quot;/></entry> <entry key=&quot;edit&quot;><ref bean=&quot;editController&quot;/></entry> <entry key=&quot;help&quot;><ref bean=&quot;helpController&quot;/></entry> </map> </property> </bean> ,[object Object],Warning! This ordering is critical – they will not work correctly if they are reversed!
Applying Portlet Security To The Rendering Layer Customizing our markup based on security information
Spring Security JSP TagLib <%@ taglib prefix=&quot;sec&quot; uri=&quot;http://www.springframework.org/security/tags&quot; %> <p>Username: <sec:authentication property=&quot;principal.username&quot;/></p> < sec :authorize ifAllGranted=&quot;ROLE_USER&quot;> <p>You are an authorized user of this system.</p> </ sec :authorize> <sec:authorize ifAllGranted=&quot;ROLE_ADMINISTRATOR&quot;> <p>You are an administrator of this system.</p> </sec:authorize> ,[object Object],[object Object],Warning: Don't rely on this to restrict access to areas of the application. Just because navigation doesn't appear in the markup doesn't mean a clever hacker can't generate a GET/POST that will still get there.
Applying Portlet Security To The Dispatch Layer Controlling where users can go in the application
Secure Portlet Request Dispatching ,[object Object],[object Object]
Using a HandlerInterceptor ,[object Object],[object Object],[object Object]
Using Annotations ,[object Object],[object Object],[object Object],<sec:global-method-security secured-annotations=&quot;enabled&quot; /> import org.springframework.security.annotation.Secured; ... @Secured({&quot;ROLE_ADMIN&quot;}) @RequestMapping(params=&quot;action=view&quot;) public String deleteItems(RequestParam(&quot;item&quot;) int itemId) { ...
Applying Portlet Security To The Service Layer Making sure Services are invoked by only by user with proper permissions
AccessDecisionManager <bean id=&quot;accessDecisionManager&quot; class=&quot;org.springframework.security.vote. AffirmativeBased&quot;> <property name=&quot;decisionVoters&quot;> <list> <bean class=&quot;org.springframework.security. vote.RoleVoter&quot; /> <bean class=&quot;org.springframework.security. vote.AuthenticatedVoter&quot; /> </list> </property> </bean> ,[object Object]
MethodSecurityInterceptor <bean id=&quot;myService&quot; class=&quot;sample.service.MyService&quot;> <sec:intercept-methods access-decision-manager-ref=&quot;accessDecisionManager&quot;> <sec:protect method=&quot;sample.service.MyService.*&quot; access=&quot;IS_AUTHENTICATED_FULLY&quot; /> <sec:protect method=&quot;sample.service.MyService.add*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> <sec:protect method=&quot;sample.service.MyService.del*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> <sec:protect method=&quot;sample.service.MyService.save*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> </sec:intercept-methods> </bean>
Applying Portlet Security To Servlets Using the whole web/portlet application as one secure bundle
Bridging The Gap ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Portlets & Servlets Sharing Session ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Tomcat 5.5.4 + On <Connector> element set emptySessionPath=true
Apply Servlet Filter Chain ,[object Object],<filter> <filter-name>securityFilterChainProxy</filter-name> <filter-class>org.springframework.web.filter. DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>securityFilterChainProxy</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
FilterChainProxy ,[object Object],<bean id=&quot;servletSecurityFilterChainProxy&quot; class=&quot;org.springframework.security.util. FilterChainProxy&quot;> <sec:filter-chain-map path-type=&quot;ant&quot;> <sec:filter-chain pattern=&quot;/**&quot; filters=&quot;httpSessionContextIntegrationFilter, exceptionTranslationFilter, filterSecurityInterceptor&quot; /> </sec:filter-chain-map> </bean>
HttpSessionContextIntegrationFilter ,[object Object],<bean id=&quot;httpSessionContextIntegrationFilter&quot; class=&quot;org.springframework.security.context. HttpSessionContextIntegrationFilter&quot; /> This will only work if PortletSessionContextIntegrationInterceptor is storing in the APPLICATION_SCOPE of the PortletSession (which is the default)
ExceptionTranslationFilter ,[object Object],[object Object],<bean id=&quot;exceptionTranslationFilter&quot; class=&quot;org.springframework.security.ui. ExceptionTranslationFilter&quot;> <property name=&quot;authenticationEntryPoint&quot;> <bean class=&quot;org.springframework.security.ui.preauth. PreAuthenticatedProcessingFilterEntryPoint&quot; /> </property> </bean>
FilterSecurityInterceptor ,[object Object],[object Object],<bean id=&quot;filterSecurityInterceptor&quot; class=&quot;org.springframework.security.intercept.web. FilterSecurityInterceptor&quot;> <property name=&quot;authenticationManager&quot; ref=&quot;authenticationManager&quot; /> <property name=&quot;accessDecisionManager&quot; ref=&quot;accessDecisionManager&quot; /> <property name=&quot;objectDefinitionSource&quot;> <sec:filter-invocation-definition-source> <sec:intercept-url pattern=&quot;/resources/**&quot; access=&quot;IS_AUTHENTICATED_FULLY&quot; /> </sec:filter-invocation-definition-source> </property> </bean>
Resources Places to go to actually use this stuff!
Resources ,[object Object],[object Object],[object Object],[object Object],[object Object],http://opensource.atlassian.com/confluence/spring/display/JSR168/
Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. [email_address] www.unicon.net

Recomendados

Portlet Specification 3.0 Is Here!
Portlet Specification 3.0 Is Here! Portlet Specification 3.0 Is Here!
Portlet Specification 3.0 Is Here! Dev_Events
 
Java Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJava Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJohn Lewis
 
Introduction to java standard portlets
Introduction to java standard portletsIntroduction to java standard portlets
Introduction to java standard portletsRohan Faye
 
Servlet 3.0
Servlet 3.0Servlet 3.0
Servlet 3.0Minh Hoang
 
Portlets 2.0 JSR286
Portlets 2.0 JSR286Portlets 2.0 JSR286
Portlets 2.0 JSR286C2B2 Consulting
 
Developing JSR 286 Portlets
Developing JSR 286 PortletsDeveloping JSR 286 Portlets
Developing JSR 286 PortletsCris Holdorph
 
Spring 3.x - Spring MVC
Spring 3.x - Spring MVCSpring 3.x - Spring MVC
Spring 3.x - Spring MVCGuy Nir
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Arun Gupta
 

Recomendados

Portlet Specification 3.0 Is Here!
Portlet Specification 3.0 Is Here! Portlet Specification 3.0 Is Here!
Portlet Specification 3.0 Is Here! Dev_Events
 
Java Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJava Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJohn Lewis
 
Introduction to java standard portlets
Introduction to java standard portletsIntroduction to java standard portlets
Introduction to java standard portletsRohan Faye
 
Servlet 3.0
Servlet 3.0Servlet 3.0
Servlet 3.0Minh Hoang
 
Portlets 2.0 JSR286
Portlets 2.0 JSR286Portlets 2.0 JSR286
Portlets 2.0 JSR286C2B2 Consulting
 
Developing JSR 286 Portlets
Developing JSR 286 PortletsDeveloping JSR 286 Portlets
Developing JSR 286 PortletsCris Holdorph
 
Spring 3.x - Spring MVC
Spring 3.x - Spring MVCSpring 3.x - Spring MVC
Spring 3.x - Spring MVCGuy Nir
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Arun Gupta
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
JSF Component Behaviors
JSF Component BehaviorsJSF Component Behaviors
JSF Component BehaviorsAndy Schwartz
 
Servlet by Rj
Servlet by RjServlet by Rj
Servlet by RjShree M.L.Kakadiya MCA mahila college, Amreli
 
Java Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedJava Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedBG Java EE Course
 
Listeners and filters in servlet
Listeners and filters in servletListeners and filters in servlet
Listeners and filters in servletShree M.L.Kakadiya MCA mahila college, Amreli
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCJohn Lewis
 
Spring MVC
Spring MVCSpring MVC
Spring MVCyuvalb
 
Spring Portlet MVC
Spring Portlet MVCSpring Portlet MVC
Spring Portlet MVCJohn Lewis
 
Jsp in Servlet by Rj
Jsp in Servlet by RjJsp in Servlet by Rj
Jsp in Servlet by RjShree M.L.Kakadiya MCA mahila college, Amreli
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Arun Gupta
 
JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)Roger Kitain
 
A Complete Tour of JSF 2
A Complete Tour of JSF 2A Complete Tour of JSF 2
A Complete Tour of JSF 2Jim Driscoll
 
Identifing Listeners and Filters
Identifing Listeners and FiltersIdentifing Listeners and Filters
Identifing Listeners and FiltersPeople Strategists
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityIMC Institute
 
Jsf intro
Jsf introJsf intro
Jsf introvantinhkhuc
 
Servlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationServlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationsusant sahu
 
Rest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsRest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsCarol McDonald
 
Introduction To ASP.NET MVC
Introduction To ASP.NET MVCIntroduction To ASP.NET MVC
Introduction To ASP.NET MVCAlan Dean
 
Java Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXJava Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXIMC Institute
 
WEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES ServletWEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES ServletJyothishmathi Institute of Technology and Science Karimnagar
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injavatanujagrawal
 

Mais conteúdo relacionado

Mais procurados

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
JSF Component Behaviors
JSF Component BehaviorsJSF Component Behaviors
JSF Component BehaviorsAndy Schwartz
 
Java Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedJava Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedBG Java EE Course
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCJohn Lewis
 
Spring MVC
Spring MVCSpring MVC
Spring MVCyuvalb
 
Spring Portlet MVC
Spring Portlet MVCSpring Portlet MVC
Spring Portlet MVCJohn Lewis
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Arun Gupta
 
JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)Roger Kitain
 
A Complete Tour of JSF 2
A Complete Tour of JSF 2A Complete Tour of JSF 2
A Complete Tour of JSF 2Jim Driscoll
 
Identifing Listeners and Filters
Identifing Listeners and FiltersIdentifing Listeners and Filters
Identifing Listeners and FiltersPeople Strategists
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityIMC Institute
 
Servlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationServlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationsusant sahu
 
Rest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsRest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsCarol McDonald
 
Introduction To ASP.NET MVC
Introduction To ASP.NET MVCIntroduction To ASP.NET MVC
Introduction To ASP.NET MVCAlan Dean
 
Java Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXJava Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXIMC Institute
 

Mais procurados (20)

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
JSF Component Behaviors
JSF Component BehaviorsJSF Component Behaviors
JSF Component Behaviors
 
Servlet by Rj
Servlet by RjServlet by Rj
Servlet by Rj
 
Java Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedJava Server Faces (JSF) - advanced
Java Server Faces (JSF) - advanced
 
Listeners and filters in servlet
Listeners and filters in servletListeners and filters in servlet
Listeners and filters in servlet
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVC
 
Spring MVC
Spring MVCSpring MVC
Spring MVC
 
Spring Portlet MVC
Spring Portlet MVCSpring Portlet MVC
Spring Portlet MVC
 
Jsp in Servlet by Rj
Jsp in Servlet by RjJsp in Servlet by Rj
Jsp in Servlet by Rj
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
 
JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)
 
A Complete Tour of JSF 2
A Complete Tour of JSF 2A Complete Tour of JSF 2
A Complete Tour of JSF 2
 
Identifing Listeners and Filters
Identifing Listeners and FiltersIdentifing Listeners and Filters
Identifing Listeners and Filters
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application Security
 
Jsf intro
Jsf introJsf intro
Jsf intro
 
Servlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationServlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalization
 
Rest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsRest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.js
 
Introduction To ASP.NET MVC
Introduction To ASP.NET MVCIntroduction To ASP.NET MVC
Introduction To ASP.NET MVC
 
Java Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXJava Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAX
 
WEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES ServletWEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES Servlet
 

Semelhante a Securing Portlets With Spring Security

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injavatanujagrawal
 
Automated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XMLAutomated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XMLdiongillard
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Getting Started with Enterprise Library 3.0 in ASP.NET
Getting Started with Enterprise Library 3.0 in ASP.NETGetting Started with Enterprise Library 3.0 in ASP.NET
Getting Started with Enterprise Library 3.0 in ASP.NETPhilWinstanley
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptaljbsysatm
 
Spring training
Spring trainingSpring training
Spring trainingTechFerry
 
Application Security
Application SecurityApplication Security
Application Securitynirola
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Aduci
 
SgCodeJam24 Workshop Extract
SgCodeJam24 Workshop ExtractSgCodeJam24 Workshop Extract
SgCodeJam24 Workshop Extractremko caprio
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010Steve Sofian
 
SCWCD 2. servlet req - resp (cap3 - cap4)
SCWCD 2. servlet req - resp (cap3 - cap4)SCWCD 2. servlet req - resp (cap3 - cap4)
SCWCD 2. servlet req - resp (cap3 - cap4)Francesco Ierna
 
Lightning Component - Components, Actions and Events
Lightning Component - Components, Actions and EventsLightning Component - Components, Actions and Events
Lightning Component - Components, Actions and EventsDurgesh Dhoot
 
Apache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onApache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onMatt Raible
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 

Semelhante a Securing Portlets With Spring Security (20)

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injava
 
Automated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XMLAutomated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XML
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE Security
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Getting Started with Enterprise Library 3.0 in ASP.NET
Getting Started with Enterprise Library 3.0 in ASP.NETGetting Started with Enterprise Library 3.0 in ASP.NET
Getting Started with Enterprise Library 3.0 in ASP.NET
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptal
 
Spring training
Spring trainingSpring training
Spring training
 
Application Security
Application SecurityApplication Security
Application Security
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
 
SgCodeJam24 Workshop Extract
SgCodeJam24 Workshop ExtractSgCodeJam24 Workshop Extract
SgCodeJam24 Workshop Extract
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010
 
SCWCD 2. servlet req - resp (cap3 - cap4)
SCWCD 2. servlet req - resp (cap3 - cap4)SCWCD 2. servlet req - resp (cap3 - cap4)
SCWCD 2. servlet req - resp (cap3 - cap4)
 
Lightning Component - Components, Actions and Events
Lightning Component - Components, Actions and EventsLightning Component - Components, Actions and Events
Lightning Component - Components, Actions and Events
 
Apache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onApache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-on
 
Struts2.0basic
Struts2.0basicStruts2.0basic
Struts2.0basic
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 

Mais de John Lewis

Jasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJohn Lewis
 
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeIMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeJohn Lewis
 
New Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTINew Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTIJohn Lewis
 
Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)John Lewis
 
Sakai uPortal Integration Options
Sakai uPortal Integration OptionsSakai uPortal Integration Options
Sakai uPortal Integration OptionsJohn Lewis
 
Sprint Portlet MVC Seminar
Sprint Portlet MVC SeminarSprint Portlet MVC Seminar
Sprint Portlet MVC SeminarJohn Lewis
 
Agile Engineering
Agile EngineeringAgile Engineering
Agile EngineeringJohn Lewis
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarJohn Lewis
 
Leveraging Open Source
Leveraging Open SourceLeveraging Open Source
Leveraging Open SourceJohn Lewis
 
Open Source Licensing
Open Source LicensingOpen Source Licensing
Open Source LicensingJohn Lewis
 
Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity ManagmentJohn Lewis
 

Mais de John Lewis (12)

Jasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus Solution
 
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeIMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
 
New Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTINew Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTI
 
Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)
 
Sakai uPortal Integration Options
Sakai uPortal Integration OptionsSakai uPortal Integration Options
Sakai uPortal Integration Options
 
Sprint Portlet MVC Seminar
Sprint Portlet MVC SeminarSprint Portlet MVC Seminar
Sprint Portlet MVC Seminar
 
Agile Engineering
Agile EngineeringAgile Engineering
Agile Engineering
 
Scrum Process
Scrum ProcessScrum Process
Scrum Process
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour Webinar
 
Leveraging Open Source
Leveraging Open SourceLeveraging Open Source
Leveraging Open Source
 
Open Source Licensing
Open Source LicensingOpen Source Licensing
Open Source Licensing
 
Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity Managment
 

Último

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Último (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Securing Portlets With Spring Security

  • 1.
  • 2.
  • 3. JSR 168 Portlet Security What does the spec give us to work with?
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11. Spring Security a.k.a Acegi Security A quick overview
  • 12.
  • 13.
  • 14.
  • 15. Spring Portlet Security Applying Spring Security to Portlets
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25. Applying Portlet Security To The Rendering Layer Customizing our markup based on security information
  • 26.
  • 27. Applying Portlet Security To The Dispatch Layer Controlling where users can go in the application
  • 28.
  • 29.
  • 30.
  • 31. Applying Portlet Security To The Service Layer Making sure Services are invoked by only by user with proper permissions
  • 32.
  • 33. MethodSecurityInterceptor <bean id=&quot;myService&quot; class=&quot;sample.service.MyService&quot;> <sec:intercept-methods access-decision-manager-ref=&quot;accessDecisionManager&quot;> <sec:protect method=&quot;sample.service.MyService.*&quot; access=&quot;IS_AUTHENTICATED_FULLY&quot; /> <sec:protect method=&quot;sample.service.MyService.add*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> <sec:protect method=&quot;sample.service.MyService.del*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> <sec:protect method=&quot;sample.service.MyService.save*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> </sec:intercept-methods> </bean>
  • 34. Applying Portlet Security To Servlets Using the whole web/portlet application as one secure bundle
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42. Resources Places to go to actually use this stuff!
  • 43.
  • 44. Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. [email_address] www.unicon.net