Enterprise Security with Spring Security

Mike Wiesner
SpringSource Germany

Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited.
About me

   • Senior Consultant at SpringSource Germany
   • Spring / security consulting
   • Trainings
   • IT security consulting / reviews
   • mike.wiesner@springsource.com

Agenda

   • What is Spring Security?
   • Securing web applications
   • Authentication
   • Securing "non-web" applications
   • Best practices

What is Spring Security?

   • Spring Security
      – is a powerful and flexible security framework
      – is built for Java enterprise software development
      – uses Spring as its foundation
      – can be used for any Java application

What it is not

   • Firewall, proxy server, IDS
   • Operating system security
   • JVM (sandbox) security

   • This is baseline security that is always needed!

Main features

   • Authentication
   • Web URL authorization
   • Method invocation authorization
   • Channel security
   • Human user detection
   • Domain instance based security (ACLs)
   • WS-Security (with Spring Web Services)
   • Flow authorization (with Spring Web Flow)

Integrations ...

   • Spring Portfolio
   • AspectJ
   • JA-SIG CAS
   • JOSSO
   • NTLM via JCIFS
   • OpenID
   • SiteMinder
   • Atlassian Crowd
   • jCaptcha
   • RFC 1945, 2617 etc.
   • Major containers
   • JAAS
   • Jasypt
   • Grails and Trails
   • Mule
   • DWR
   • Appfuse
   • AndroMDA

New in Spring Security 2

   • Spring Security 2 builds on the popular Acegi framework
   • Simpler configuration through the XML namespace
   • Improved LDAP support
   • Improved single sign-on support

Agenda: Securing web applications

Core concepts

   • Servlet filter
   • Authentication
   • Repositories
   • Web authorization
   • Method authorization

Servlet filter

   • DelegatingFilterProxy in web.xml
   • Forwards requests to the "springSecurityFilterChain" bean

   [Diagram: DelegatingFilterProxy (web.xml) delegates to springSecurityFilterChain (spring-context.xml)]

DEMO: Securing Web Applications

<intercept-url>

   • At least one is required, e.g.:
      – /** = IS_AUTHENTICATED_ANONYMOUSLY
   • Creates a FilterSecurityInterceptor
   • and a filter chain for this URL

<intercept-url />

   <http>
      <intercept-url pattern="/admin/**"
                     access="ROLE_ADMIN" />
      <!-- REST support -->
      <intercept-url pattern="/User/**"
                     method="POST"
                     access="ROLE_SUPERVISOR"/>
   </http>

   • Evaluated top to bottom
      – most specific pattern at the top
      – catch-all at the bottom

Form login

   • HTML form as the login page
   • Defaults:
      – Login page: /spring_security_login
      – Error page: /spring_security_login?login_error
      – Action URL: /j_spring_security_check
   • Spring Security generates the login form
      – as long as no custom page is specified

Basic authentication

   • Defined in RFC 1945 and 2617
   • Sent as an HTTP header
   • Frequently used in remote protocols
   • Caution: Base64 is not encryption!
      – Therefore always use HTTPS

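To make the "Base64 is not encryption" point concrete, here is an added Java example; it is not code from the slides or from Spring Security. It parses an Authorization: Basic header as defined in RFC 2617 and shows that the credentials fall out with a single decode and no key. The check acceptBasicCredentials, a name chosen here, is the server-side form of the "always use HTTPS" rule: it refuses Basic credentials unless the connection is TLS. The header value is constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeaderDemo {

    static final class Credentials {
        final String username;
        final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    // Parses "Authorization: Basic <base64(user:pass)>" (RFC 2617).
    // Returns null when the header is absent, not a Basic credential, or malformed.
    static Credentials parseBasic(String authorizationHeader) {
        if (authorizationHeader == null) return null;
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        String userPass = new String(raw, StandardCharsets.UTF_8);
        // Only the first colon separates user and password; the password itself may contain ':'
        int colon = userPass.indexOf(':');
        if (colon < 0) return null;
        return new Credentials(userPass.substring(0, colon), userPass.substring(colon + 1));
    }

    // Policy check (hypothetical helper): decoded Basic credentials are cleartext,
    // so they are only acceptable when the transport is TLS.
    static boolean acceptBasicCredentials(boolean connectionIsSecure, String authorizationHeader) {
        Credentials c = parseBasic(authorizationHeader);
        return c != null && connectionIsSecure;
    }

    public static void main(String[] args) {
        // Constructed sample: what a client sends for user "alice" with password "s3cret:42"
        String header = "Basic "
            + Base64.getEncoder().encodeToString("alice:s3cret:42".getBytes(StandardCharsets.UTF_8));
        Credentials c = parseBasic(header);
        System.out.println("decoded without any key: " + c.username + " / " + c.password);
        System.out.println("accepted over plain HTTP: " + acceptBasicCredentials(false, header));
        System.out.println("accepted over HTTPS:      " + acceptBasicCredentials(true, header));
    }
}
```

Running it prints the user name and password in clear, rejects the credentials over plain HTTP and accepts them over HTTPS. In a servlet container the connectionIsSecure flag corresponds to what the request reports about its transport; the point of the example is that the decision belongs in the server, not in the client's good will.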
Agenda: Authentication

Authentication mechanisms

   • Form
   • Basic
   • JDBC
   • LDAP
   • NTLM
   • Containers
   • JAAS
   • JA-SIG CAS
   • JOSSO
   • SiteMinder
   • Atlassian Crowd
   • OpenID
   • X.509
   • Digest

Repositories

   • Authentication providers often deliver only the user name
   • Often more is needed (e.g. roles, permissions, ...)
   • Repositories supply this additional information

JDBC repositories

   • <jdbc-user-service data-source-ref="x"/>
   • Customizable SQL queries

   Table USER: USERNAME, PASSWORD, ENABLED
   Table AUTHORITIES: USERNAME, AUTHORITY

LDAP

   <ldap-user-service
      user-search-base="ou=people"
      user-search-filter="uid={0}"
      group-search-filter="member={0}"
      group-search-base="ou=groups" />

   • Finds e.g.
      – uid=admin,ou=people
   • and all groups under "ou=groups" with the attribute:
      – member: uid=admin,ou=people

Embedded LDAP server

   • Embedded Apache DS (for testing):
      – <ldap-server ldif="classpath:users.ldif"
                     root="dc=springsource,dc=com"/>

Combinations

   • OpenID for authentication
      – JDBC for user details

   • NTLM (Windows) for authentication
      – LDAP for user details (e.g. Active Directory)

   • JA-SIG CAS for authentication
      – Custom UserDetailsProvider that uses e.g. Hibernate

Agenda: Securing "non-web" applications

URL filters are not enough!

   • No 1-to-1 relationship to resources, e.g. print views
      – /listCustomers.html and /print.view?page=listCustomers
   • Or there are no URLs
      – Applications outside the web
   • Or only one URL for all actions (e.g. AJAX)
      – Only the headers differ
   • Or bugs in the web container

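Two points from this part of the talk, the top-to-bottom evaluation of <intercept-url> entries (most specific first, catch-all last) and the gap between a URL rule and a second URL that reaches the same data, can be reproduced with the following added Java example. It is not code from the slides or from Spring Security: the matcher is a minimal stand-in for Spring's Ant-style path matching that tests the path only, and the rule ROLE_SALES and the request URLs /admin/users and /User/42 are constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class InterceptUrlOrderDemo {

    // One <intercept-url pattern=".." method=".." access=".."/> entry (method == null means any method).
    static final class Rule {
        final Pattern pattern;
        final String method;
        final String access;
        Rule(String antPattern, String method, String access) {
            this.pattern = Pattern.compile(antToRegex(antPattern));
            this.method = method;
            this.access = access;
        }
    }

    // Minimal Ant-style matcher: '**' spans path segments, '*' stays within one segment.
    static String antToRegex(String ant) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*' && i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                sb.append(".*");
                i++;
            } else if (c == '*') {
                sb.append("[^/]*");
            } else {
                sb.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return sb.append("$").toString();
    }

    // First matching rule wins, like the top-to-bottom evaluation of <intercept-url> entries.
    // Returns null when no rule matches at all (the URL would then be unprotected).
    static String requiredAccess(List<Rule> rules, String httpMethod, String path) {
        for (Rule r : rules) {
            boolean methodOk = r.method == null || r.method.equalsIgnoreCase(httpMethod);
            if (methodOk && r.pattern.matcher(path).matches()) {
                return r.access;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        List<Rule> good = new ArrayList<>();
        good.add(new Rule("/admin/**", null, "ROLE_ADMIN"));
        good.add(new Rule("/User/**", "POST", "ROLE_SUPERVISOR"));
        good.add(new Rule("/**", null, "IS_AUTHENTICATED_ANONYMOUSLY"));   // catch-all last

        List<Rule> bad = new ArrayList<>();
        bad.add(new Rule("/**", null, "IS_AUTHENTICATED_ANONYMOUSLY"));    // catch-all first shadows all rules below
        bad.add(new Rule("/admin/**", null, "ROLE_ADMIN"));

        System.out.println("GET /admin/users, correct order:   " + requiredAccess(good, "GET", "/admin/users"));
        System.out.println("GET /admin/users, catch-all first: " + requiredAccess(bad, "GET", "/admin/users"));
        System.out.println("POST /User/42:                     " + requiredAccess(good, "POST", "/User/42"));
        System.out.println("GET  /User/42:                     " + requiredAccess(good, "GET", "/User/42"));

        // Same data behind two URLs: a rule written for the HTML view says nothing about the print view.
        good.add(0, new Rule("/listCustomers.html", null, "ROLE_SALES"));
        System.out.println("/listCustomers.html:               " + requiredAccess(good, "GET", "/listCustomers.html"));
        System.out.println("/print.view?page=listCustomers:    " + requiredAccess(good, "GET", "/print.view"));
    }
}
```

With the catch-all on top, /admin/users resolves to IS_AUTHENTICATED_ANONYMOUSLY and the ROLE_ADMIN rule is never consulted; with the correct order it resolves to ROLE_ADMIN. The last two lines show the print-view case: /listCustomers.html requires ROLE_SALES while /print.view falls through to the catch-all, which is exactly why the talk moves on to method-level authorization.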
Method Authorization

   [Diagram: Business and Security layers]

Method authorization

   <global-method-security>
      <protect-pointcut
         expression="execution(* admin.*.*(..))"
         access="PERM_ADMIN_OP"/>
      <protect-pointcut
         expression="execution(* admin.User.delete(..))"
         access="PERM_DELETE_USER"/>
   </global-method-security>

   @Secured("PERM_DELETE_USER")
   public void deleteUser(User user)

   JSR-250 Common Annotation:

   @RolesAllowed("PERM_DELETE_USER")
   public void deleteUser(User user);

DEMO: Method Authorization

Agenda: Best practices

Authorization

   • URL checks for coarse-grained authorization
   • Method checks for fine-grained authorization
   • No roles in annotations
      – permissions instead

Role-Based Access Control

   @Secured("ROLE_ADMIN")
   public void deleteUser(User user)

   Where does this take place?

   [Diagram: User *--* Role *--* Right]

   @Secured("PERM_DELETE_USER")
   public void deleteUser(User user)

Testing

   • Users don't file bug reports when they are allowed to do "too much"
   • Security bugs must be found during development
   • Disable the business code for testing

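The three preceding slides (method authorization via annotations, permissions rather than roles in the annotation, and testing the security layer with the business code disabled) fit into one added Java example. It is not code from the slides or from Spring Security: the @RequiresRight annotation, the RequiresRight/UserService/StubUserService names and the secure(...) proxy are stand-ins chosen here for @Secured/@RolesAllowed and Spring's method security interceptor, and the users alice and bob with their roles and rights are constructed in-memory data.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.*;

public class RightsBasedMethodSecurityDemo {

    // Stand-in for @Secured / @RolesAllowed: the annotation names a right, never a role.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresRight {
        String value();
    }

    // Business interface; the proxy built in secure(...) plays the method security interceptor.
    interface UserService {
        @RequiresRight("PERM_DELETE_USER")
        void deleteUser(String username);

        @RequiresRight("PERM_LIST_USERS")
        List<String> listUsers();
    }

    // "Disabled" business code: the bodies only record the call, so a test exercises the security layer alone.
    static class StubUserService implements UserService {
        final List<String> calls = new ArrayList<>();
        public void deleteUser(String username) { calls.add("deleteUser:" + username); }
        public List<String> listUsers() { calls.add("listUsers"); return Collections.emptyList(); }
    }

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    // User -> Role -> Right, as in the diagram: both mappings are data (constructed here), not code.
    static final Map<String, Set<String>> USER_ROLES = new HashMap<>();
    static final Map<String, Set<String>> ROLE_RIGHTS = new HashMap<>();
    static {
        USER_ROLES.put("alice", new HashSet<>(Arrays.asList("ROLE_ADMIN")));
        USER_ROLES.put("bob", new HashSet<>(Arrays.asList("ROLE_SUPERVISOR")));
        ROLE_RIGHTS.put("ROLE_ADMIN", new HashSet<>(Arrays.asList("PERM_DELETE_USER", "PERM_LIST_USERS")));
        ROLE_RIGHTS.put("ROLE_SUPERVISOR", new HashSet<>(Arrays.asList("PERM_LIST_USERS")));
    }

    // Resolves the rights a principal holds through its roles; changing who may delete users is a data change.
    static Set<String> rightsOf(String principal) {
        Set<String> rights = new HashSet<>();
        for (String role : USER_ROLES.getOrDefault(principal, Collections.emptySet())) {
            rights.addAll(ROLE_RIGHTS.getOrDefault(role, Collections.emptySet()));
        }
        return rights;
    }

    // Wraps the target in a proxy that checks the annotated right before every invocation.
    static <T> T secure(Class<T> iface, T target, String principal) {
        InvocationHandler handler = (proxy, method, args) -> {
            RequiresRight required = method.getAnnotation(RequiresRight.class);
            if (required != null && !rightsOf(principal).contains(required.value())) {
                throw new AccessDeniedException(principal + " lacks " + required.value() + " for " + method.getName());
            }
            return method.invoke(target, args);
        };
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, handler));
    }

    public static void main(String[] args) {
        StubUserService stub = new StubUserService();
        UserService asBob = secure(UserService.class, stub, "bob");
        asBob.listUsers();                       // allowed: ROLE_SUPERVISOR carries PERM_LIST_USERS
        try {
            asBob.deleteUser("carol");           // denied: none of bob's roles carries PERM_DELETE_USER
            throw new AssertionError("security check missing");
        } catch (AccessDeniedException expected) {
            System.out.println("denied as expected: " + expected.getMessage());
        }
        secure(UserService.class, stub, "alice").deleteUser("carol");   // allowed through ROLE_ADMIN
        System.out.println("business calls that actually ran: " + stub.calls);
    }
}
```

Because the stub does nothing but record calls, the run shows which invocations reached the business layer and which were stopped in front of it; that is the "disable the business code" test from the slide, and the throw after the denied call is what turns a missing check into a failing test instead of a silent over-permission.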
Software design

   • Security should not dictate the software design
      – "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety" - Benjamin Franklin
   • Evolutionary design driven by requirements
   • Security must adapt to it
   • With Spring Security this is possible

Questions?

   Mike Wiesner
   SpringSource Germany
   mike.wiesner@springsource.com
   Skype: mikewiesner

   http://www.springsource.com/de
   http://www.mwiesner.com

Administrivia: Golden Tips for Making JIRA Hum
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA Hum
 
Creating a Whatsapp Clone - Part I.pdf
Creating a Whatsapp Clone - Part I.pdfCreating a Whatsapp Clone - Part I.pdf
Creating a Whatsapp Clone - Part I.pdf
 
Optaros Surf Code Camp Api
Optaros Surf Code Camp ApiOptaros Surf Code Camp Api
Optaros Surf Code Camp Api
 
Security On Rails
Security On RailsSecurity On Rails
Security On Rails
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web App
 
Nevmug Lighthouse Automation7.1
Nevmug   Lighthouse   Automation7.1Nevmug   Lighthouse   Automation7.1
Nevmug Lighthouse Automation7.1
 
Scripting Support in GlassFish v3 Prelude
Scripting Support in GlassFish v3 PreludeScripting Support in GlassFish v3 Prelude
Scripting Support in GlassFish v3 Prelude
 
Web Space10 Overview
Web Space10 OverviewWeb Space10 Overview
Web Space10 Overview
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
 

Recently uploaded

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Enterprise Security with Spring Security

  • 1. Enterprise Security with Spring Security. Mike Wiesner, SpringSource Germany. Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited.
  • 2. About me • Senior Consultant at SpringSource Germany • Spring/Security consulting • Training • IT security consulting / reviews • mike.wiesner@springsource.com
  • 4. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-web" applications • Best practices
  • 5–9. What is Spring Security? • Spring Security –is a powerful and flexible security framework –is made for Java enterprise software development –uses Spring as its foundation –can be used in any Java application
  • 10. What it is not • Firewall, proxy server, IDS • Operating system security • JVM (sandbox) security • These are baseline security measures that are always required!
  • 11–12. Key features • Authentication • Web URL authorization • Method invocation authorization • Channel security • Human user detection • Domain instance based security (ACLs) • WS-Security (with Spring Web Services) • Flow authorization (with Spring Web Flow)
  • 13. Integrations ... • Spring Portfolio • RFC 1945, 2617 etc. • AspectJ • Major containers • JA-SIG CAS • JAAS • JOSSO • Jasypt • NTLM via JCIFS • Grails and Trails • OpenID • Mule • SiteMinder • DWR • Atlassian Crowd • Appfuse • jCaptcha • AndroMDA
  • 14. New in Spring Security 2 • Spring Security 2 builds on the popular Acegi framework • Simpler configuration through the XML namespace • Improved LDAP support • Improved single sign-on support
  • 15. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-web" applications • Best practices
  • 16. Core concepts • Servlet filter • Authentication • Repositories • Web authorization • Method authorization
  • 17. Servlet filter • DelegatingFilterProxy in web.xml • Forwards calls to the "springSecurityFilterChain" bean (diagram: DelegatingFilterProxy in web.xml → springSecurityFilterChain in spring-context.xml)
  • 18. DEMO: Securing Web Applications
  • 19. <intercept-url> • At least one is required, e.g.: –/** = IS_AUTHENTICATED_ANONYMOUSLY • Creates a FilterSecurityInterceptor • and a filter chain for this URL
  • 20. <intercept-url /> <http> <intercept-url pattern="/admin/**" access="ROLE_ADMIN" /> <!-- REST support --> <intercept-url pattern="/User/**" method="POST" access="ROLE_SUPERVISOR"/> </http> • Evaluated top to bottom –most specific pattern at the top –catch-all at the bottom
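The top-to-bottom, first-match rule on this slide is easy to get wrong: a catch-all placed above `/admin/**` silently opens the admin area. The following is an added example (not from the slides or from Spring Security itself): a simplified model of the first-match evaluation using Spring's `AntPathMatcher`, with the slide's rules in the recommended order beside the shadowed order, plus a small check that flags rules placed after a matching catch-all. Rule and class names are my own.

```java
import org.springframework.util.AntPathMatcher;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Simplified model of how ordered <intercept-url> rules are evaluated (not Spring Security's own code). */
public class InterceptUrlOrdering {

    /** One <intercept-url pattern=".." method=".." access=".."/> entry; method == null matches any method. */
    static final class Rule {
        final String pattern, method, access;
        Rule(String pattern, String method, String access) {
            this.pattern = pattern; this.method = method; this.access = access;
        }
        boolean appliesTo(String httpMethod) {
            return method == null || method.equalsIgnoreCase(httpMethod);
        }
        public String toString() { return pattern + (method == null ? "" : " [" + method + "]") + " -> " + access; }
    }

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Access attribute of the first rule that matches, scanning top to bottom; null if no rule matches. */
    static String requiredAccess(List<Rule> rules, String httpMethod, String path) {
        for (Rule r : rules) {
            if (r.appliesTo(httpMethod) && MATCHER.match(r.pattern, path)) {
                return r.access;   // first match wins; anything below is never consulted for this request
            }
        }
        return null;
    }

    /** Rules that can never fire because an earlier "/**" rule with a compatible method swallows every request. */
    static List<Rule> unreachableRules(List<Rule> rules) {
        List<Rule> dead = new ArrayList<Rule>();
        for (int i = 0; i < rules.size(); i++) {
            for (int j = 0; j < i; j++) {
                Rule earlier = rules.get(j);
                boolean catchAll = "/**".equals(earlier.pattern);
                boolean coversMethod = earlier.method == null || earlier.method.equalsIgnoreCase(rules.get(i).method);
                if (catchAll && coversMethod) { dead.add(rules.get(i)); break; }
            }
        }
        return dead;
    }

    /** Constructed: the slide's rules in the recommended order (most specific first, catch-all last). */
    static final List<Rule> CORRECT = Arrays.asList(
            new Rule("/admin/**", null, "ROLE_ADMIN"),
            new Rule("/User/**", "POST", "ROLE_SUPERVISOR"),
            new Rule("/**", null, "IS_AUTHENTICATED_ANONYMOUSLY"));

    /** Constructed: the same rules with the catch-all moved to the top. */
    static final List<Rule> SHADOWED = Arrays.asList(
            new Rule("/**", null, "IS_AUTHENTICATED_ANONYMOUSLY"),
            new Rule("/admin/**", null, "ROLE_ADMIN"),
            new Rule("/User/**", "POST", "ROLE_SUPERVISOR"));

    public static void main(String[] args) {
        String[][] requests = { {"GET", "/admin/users"}, {"POST", "/User/create"}, {"GET", "/User/list"} };
        for (String[] req : requests) {
            System.out.println(req[0] + " " + req[1]
                    + "  correct order: " + requiredAccess(CORRECT, req[0], req[1])
                    + "  catch-all first: " + requiredAccess(SHADOWED, req[0], req[1]));
        }
        // In the shadowed configuration every request, including GET /admin/users, is answered by the
        // anonymous catch-all; the admin and supervisor rules are reported as unreachable here.
        System.out.println("unreachable in SHADOWED: " + unreachableRules(SHADOWED));
        System.out.println("unreachable in CORRECT:  " + unreachableRules(CORRECT));
    }
}
```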
  • 21. Form login • HTML form as the login page • Defaults: –login page: /spring_security_login –error page: /spring_security_login?login_error –action URL: /j_spring_security_check • Spring Security generates a login form –as long as no custom page is specified
  • 22. Basic authentication • Defined in RFC 1945 and 2617 • Sent as an HTTP header • Frequently used in remote protocols • Caution: Base64 is not encryption! –So always use HTTPS
  • 23. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-web" applications • Best practices
  • 24. Authentication mechanisms • Form • Basic • JDBC • LDAP • NTLM • Containers • JAAS • X.509 • Digest • JA-SIG CAS • JOSSO • SiteMinder • Atlassian Crowd • OpenID
  • 25. Repositories • Authentication providers often deliver only the user name • Usually more is needed (e.g. roles, rights, ...) • Repositories supply this additional information
  • 26. JDBC repositories • <jdbc-user-details data-source-ref="x"/> • Customizable SQL queries (diagram: table USER with columns USERNAME, PASSWORD, ENABLED; table AUTHORITIES with columns USERNAME, AUTHORITY)
  • 27. LDAP <ldap-user-service user-search-base="ou=people" user-search-filter="uid={0}" group-search-filter="member={0}" group-search-base="ou=groups" /> • Finds e.g. –uid=admin,ou=people • and all groups under "ou=groups" that carry the attribute: –member: uid=admin,ou=people
  • 28. Embedded LDAP server • Embedded Apache DS (for testing): – <ldap-server ldif="classpath:users.ldif" root="dc=springsource,dc=com"/>
  • 29–32. Combinations • OpenID for authentication –JDBC for user details • NTLM (Windows) for authentication –LDAP for user details (e.g. Active Directory) • JA-SIG CAS for authentication –custom UserDetailsProvider that uses e.g. Hibernate
  • 33. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-web" applications • Best practices
  • 34–37. URL filters are not enough! • No 1-to-1 relationship to resources, e.g. print views –/listCustomers.html and /print.view?page=listCustomers • Or there are no URLs –applications outside the web • Or a single URL for all actions (e.g. AJAX) –only the headers differ • Or bugs in the web container
  • 38–42. Method Authorization (diagram labels: Business, Security)
  • 43–45. Method authorization <global-method-security> <protect-pointcut expression="execution(* admin.*.*(..))" access="PERM_ADMIN_OP"/> <protect-pointcut expression="execution(* admin.User.delete(..))" access="PERM_DELETE_USER"/> </global-method-security> @Secured("PERM_DELETE_USER") public void deleteUser(User user) JSR-250 Common Annotation: @RolesAllowed("PERM_DELETE_USER") public void deleteUser(User user);
  • 46. DEMO: Method Authorization
  • 47. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-web" applications • Best practices
  • 48. Authorization • URL checks for coarse-grained authorization • Method checks for fine-grained authorization • No roles in annotations –rights instead
  • 49–51. Role-Based Access Control @Secured("ROLE_ADMIN") public void deleteUser(User user) Where does the role-to-right mapping happen? (diagram: User *–* Role *–* Right) @Secured("PERM_DELETE_USER") public void deleteUser(User user)
  • 52. Testing • Users don't file bug reports when they are allowed to do "too much" • Security bugs must be found during development • Disable the business code for testing
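Slides 43–52 together make one point: annotate methods with rights such as PERM_DELETE_USER rather than roles, and prove during development that callers without that right are rejected. This added example (not from the slides; written against the Spring Security 2.0 API with JUnit 4 and Spring's test support) does exactly that for the slide's `deleteUser(User user)`. It assumes a test context `security-test-context.xml` containing `<global-method-security secured-annotations="enabled"/>` and a `userService` bean whose `deleteUser` is annotated `@Secured("PERM_DELETE_USER")` and whose business logic is stubbed out, as slide 52 recommends; `UserService` and `User` are hypothetical types.

```java
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.AccessDeniedException;
import org.springframework.security.AuthenticationCredentialsNotFoundException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

/*
 * Assumed test context (security-test-context.xml, not shown on the slides):
 *   <global-method-security secured-annotations="enabled"/>
 *   <bean id="userService" class="..."/>   <!-- deleteUser carries @Secured("PERM_DELETE_USER") -->
 * The bean's deleteUser body is a stub, so the test exercises only the security interceptor.
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = "classpath:security-test-context.xml")
public class DeleteUserAuthorizationTest {

    @Autowired
    private UserService userService;   // hypothetical interface: void deleteUser(User user)

    /** Places a fully authenticated principal with the given authorities into the security context. */
    private static void loginAs(String name, String... authorityNames) {
        GrantedAuthority[] authorities = new GrantedAuthority[authorityNames.length];
        for (int i = 0; i < authorityNames.length; i++) {
            authorities[i] = new GrantedAuthorityImpl(authorityNames[i]);
        }
        // The three-argument constructor marks the token as authenticated, so the method
        // interceptor does not re-authenticate it through an AuthenticationManager.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(name, "n/a", authorities));
    }

    @After
    public void clearContext() {
        // Never let one test's principal leak into the next.
        SecurityContextHolder.clearContext();
    }

    @Test
    public void callerWithTheRightMayDelete() {
        loginAs("alice", "PERM_DELETE_USER");
        userService.deleteUser(new User("bob"));   // interceptor lets the call through
    }

    @Test(expected = AccessDeniedException.class)
    public void roleAloneIsNotTheRequiredRight() {
        // ROLE_ADMIN is a role; the annotation asks for the right PERM_DELETE_USER (slide 48).
        // Whether admins hold that right is decided in the User-Role-Right mapping, not in the code.
        loginAs("carol", "ROLE_ADMIN");
        userService.deleteUser(new User("bob"));
    }

    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void anonymousCallerIsRejected() {
        // No Authentication in the context at all: the interceptor refuses before any voter runs.
        userService.deleteUser(new User("bob"));
    }
}
```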
  • 53. Software design • Security should not dictate the software design –"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety" - Benjamin Franklin • Evolutionary design driven by requirements • Security must adapt to it • Spring Security makes that possible
  • 54. Questions? Mike Wiesner, SpringSource Germany mike.wiesner@springsource.com Skype: mikewiesner http://www.springsource.com/de http://www.mwiesner.com