DevCon 2012 William Boyd Securing Spring Building Blocks With Blackboard Security
 

DevCon 2012 William Boyd Securing Spring Building Blocks With Blackboard Security

on

  • 787 views

Client Presentation

Client Presentation

Statistics

Views

Total Views
787
Views on SlideShare
787
Embed Views
0

Actions

Likes
0
Downloads
9
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

DevCon 2012 William Boyd Securing Spring Building Blocks With Blackboard Security DevCon 2012 William Boyd Securing Spring Building Blocks With Blackboard Security Presentation Transcript

  • Securing SpringBuilding Blocks withBlackboard SecurityWilliam BoydSenior Software DeveloperLiberty University
  • Introduction – Why integrate Spring security andBlackboard security?• Spring security offers many benefits • Can be as simple to use as you want it to be • Robust • url-based security filtering • method-level security • Annotations • fully customizable• Spring security does a lot so you don‟t have to 2
  • Introduction – Why integrate Spring security andBlackboard security?• By using Blackboard‟s security framework, we can take advantage of features that are already provided in Bb and already integrate with Bb • Bb handles authentication and user information (using whatever authentication scheme you have selected) • Bb already has context-based provisioning in place through the use of context-based roles and entitlements• By integrating Bb‟s security framework with Spring security, we can take advantage of both 3
  • Introduction – Sample of our end goal• Pseudocode showing how easy it will be to handle security once we have everything set upWe want to secure this method so that only professors can use itsomething_only_prof_can_do() { do stuff;} 4
  • Introduction – Sample of our end goal• Pseudocode showing how easy it will be to handle security once we have everything set upWe want to secure this method so that only professors can use it@Secured(“ONLY_LET_PROF_DO_THIS”)something_only_prof_can_do() { do stuff;} 5
  • Introduction – Sample of our end goal• This example shows method-level security using the @Secured annotation• All of the other ways of doing security in Spring (such as url-based security) will be available as well• You can use any method of securing your application, or even a mixture of multiple methods 6
  • Introduction – What we will cover• What we need to do to integrate Spring/Bb authentication• What we need to do to integrate Spring/Bb authorization• What we can use from Bb for authorization• How to create and use your own custom entitlements for your building block 7
  • Integrating Bb Security and Spring Security• We will only cover a few relevant pieces of Spring security, there is plenty of documentation and more that it can do than I will show here• Spring security documentation: http://static.springsource.org/spring- security/site/docs/3.1.x/reference/springsecurity.html• My sample project: https://dl.dropbox.com/u/16806953/BbSpringSecurityExample.zip• Web application security generally happens in two parts 1. Authentication – determining who the user is and ensuring that they are who they say they are 2. Authorization – determining whether or not they should be able to access the resource they are trying to access 8
  • Integrating Spring Security with Bb Authentication• Authentication usually consists of 1. A login process for users who are not logged in 2. Something to validate their session on subsequent requests• By default, Spring security lets you set all this up with relative ease… but in our case Bb is already doing all of this (user is already logged in to Bb)• So we need to get Spring to recognize this login and give it access to the info about the user that Bb already has 9
  • Integrating Spring Security with Bb Authentication– Spring security preauthentication• Spring security‟s preauthentication setup allows us to set up Spring security to make use of existing authentication mechanisms that it does not control (in this case Bb)• Documentation on preauthentication: http://static.springsource.org/spring- security/site/docs/3.1.x/reference/preauth.html 10
  • Integrating Spring Security with Bb Authentication– Spring security preauthentication• When using preauthentication, there are multiple places you can “hook into” in order to load the Bb authentication data into spring• I wrote a custom AbstractPreAuthenticatedProcessingFilter which uses the Bb building blocks API to determine if the user is logged in and who they are • I could add more code to pull in more info about the user if I wanted to 11
  • Integrating Spring Security with Bb AuthenticationBlackboardPreAuthenticatedProcessingFilterpublic class BlackboardPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest request) { Context context = ContextManagerFactory.getInstance().getContext(); BbSession session = context.getSession(); if (context != null && session != null && context.getUser() != null && session.isAuthenticated()) { return context.getUser().getUserName(); } else { return null; } } @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) { Context context = ContextManagerFactory.getInstance().getContext(); BbSession session = context.getSession(); if (context != null && session != null && session.isAuthenticated()) { return context.getUser(); } else { return null; } }} 12
  • Integrating Spring Security with Bb Authentication– Spring security preauthentication configInside my application context config:<security:http auto-config="true" access-denied-page="/accessDeniedErrorPage"entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" access-decision-manager-ref="accessDecisionManager" use-expressions="true"> <security:session-management session-fixation-protection="none" /> <security:custom-filter after="PRE_AUTH_FILTER"ref="blackboardPreAuthenticatedProcessingFilter"/> <security:anonymous/></security:http> 13
  • Integrating Spring Security with Bb Authentication– Spring security preauthentication config<security:authentication-manager alias="authenticationManager"> <security:authentication-providerref="preAuthenticatedAuthenticationProvider"/> </security:authentication-manager> <bean id="preAuthenticatedAuthenticationProvider"class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"> <property name="preAuthenticatedUserDetailsService"ref="preAuthenticatedUserDetailsService"/> </bean> <bean id="preAuthenticatedUserDetailsService"class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/> 14
  • Integrating Spring Security with Bb Authentication– Spring security preauthentication config<bean id="blackboardPreAuthenticatedProcessingFilter"class="edu.liberty.lms.lublackboard.security.BlackboardPreAuthenticatedProcessingFilter"> <property name="authenticationManager" ref="authenticationManager"/> <property name="authenticationDetailsSource"> <beanclass="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource"> <property name="mappableRolesRetriever"> <beanclass="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever" /> </property> <property name="userRoles2GrantedAuthoritiesMapper"> <beanclass="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper"> <property name="convertAttributeToUpperCase" value="true"/> </bean> </property> </bean> </property> </bean> 15
  • Integrating Spring Security with Bb Authentication– Spring security preauthentication config<bean id="preAuthenticatedProcessingFilterEntryPoint"class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/> 16
  • Integrating Spring Security with Bb Authorization• Authorization involves determining whether the current user should have access to the resource they are requesting• Can be handled by any sort of logic, but usually handled through the concept of roles and/or permissions• Documentation on Spring security authorization: http://static.springsource.org/spring- security/site/docs/3.1.x/reference/authorization.html 17
  • Integrating Spring Security with Bb Authorization• There are multiple ways to apply security rules in Spring to define who has access to what• Resources can be secured through expressions, which are just strings which are later interpreted by “voters” Example expression: hasRole(„admin‟)• How an expression gets interpreted depends entirely on what voters you use• These expressions can be defined in multiple places. My preferred method is to use @Secured annotations on my controller methods (you just put the expression in the value of the @Secured annotation like @Secured(“hasRole(admin)”)) 18
  • Integrating Spring Security with Bb Authorization• In Spring security, AccessDecisionManager holds a list of Voters, which vote (yes/no/abstain) on whether or not to grant the user access• Each voter checks each applicable expression and votes if that expression is recognized by that voter• We want to be able to utilize information about roles/permissions in Bb in order to authorize users for resources in our building block, so I wrote a custom voter and added it to the list 19
  • Integrating Spring Security with Bb Authorization– custom voter config<bean id="accessDecisionManager"class="org.springframework.security.access.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions" value="false"/> <property name="decisionVoters"> <list> <bean class="org.springframework.security.access.vote.RoleVoter" /> <beanclass="org.springframework.security.access.vote.AuthenticatedVoter" /> <beanclass="edu.liberty.lms.lublackboard.security.BlackboardContextualRoleVoter" /> </list> </property> </bean> 20
  • Integrating Spring Security with Bb Authorization– custom voter config<bean id="accessDecisionManager"class="org.springframework.security.access.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions" value="false"/> <property name="decisionVoters"> <list> <bean class="org.springframework.security.access.vote.RoleVoter" /> <beanclass="org.springframework.security.access.vote.AuthenticatedVoter" /> <beanclass="edu.liberty.lms.lublackboard.security.BlackboardContextualRoleVoter" /> </list> </property> </bean> 21
  • Integrating Spring Security with Bb Authorization– inside the customBlackboardContextualRoleVotersupports() returns true if the config attribute (expression) can beinterpreted by this voter (this voter will try to interpret any attribute thatstarts with “BB_”)private static final String ATTRIBUTE_PREFIX = "BB_";@Overridepublic boolean supports(ConfigAttribute attribute) { if (attribute.getAttribute().startsWith(ATTRIBUTE_PREFIX)) { return true; } else { return false; }} 22
  • Integrating Spring Security with Bb Authorization– inside the customBlackboardContextualRoleVotervote() checks the collection of attributes (the expression strings) that thevoter can interpret and implements logic to determine whether or notaccess should be granted@Overridepublic int vote(Authentication authentication, Object object, Collectionattributes) { …} 23
  • Integrating Spring Security with Bb Authorization– inside the customBlackboardContextualRoleVoterprivate static final String ATTRIBUTE_PREFIX = "BB_";private static final String SYSTEM_ADMIN_ROLE = "SYSTEM_ADMIN_ROLE";private static final String ENTITLEMENT_PREFIX = "ENTITLEMENT:";if (attribute.startsWith(ATTRIBUTE_PREFIX) && attribute.length() > ATTRIBUTE_PREFIX.length()) { String attributeCode = attribute.substring(ATTRIBUTE_PREFIX.length()); if (attributeCode.equals(SYSTEM_ADMIN_ROLE)) { if (!bbUserService.currentUserHasSystemRole(User.SystemRole.SYSTEM_ADMIN)) { return ACCESS_DENIED; } else { affirmatives++; } } else if (attributeCode.startsWith(ENTITLEMENT_PREFIX) && attributeCode.length() >ENTITLEMENT_PREFIX.length()) { String entitlement = attributeCode.substring(ENTITLEMENT_PREFIX.length()); if (!bbUserService.currentUserHasEntitlementInCurrentContext(entitlement)) { return ACCESS_DENIED; } else { affirmatives++; } }} 24
  • Integrating Spring Security with Bb Authorization– inside the customBlackboardContextualRoleVoterprivate static final String ATTRIBUTE_PREFIX = "BB_";private static final String SYSTEM_ADMIN_ROLE = "SYSTEM_ADMIN_ROLE";private static final String ENTITLEMENT_PREFIX = "ENTITLEMENT:";if (attribute.startsWith(ATTRIBUTE_PREFIX) && attribute.length() > ATTRIBUTE_PREFIX.length()) { String attributeCode = attribute.substring(ATTRIBUTE_PREFIX.length()); if (attributeCode.equals(SYSTEM_ADMIN_ROLE)) { if (!bbUserService.currentUserHasSystemRole(User.SystemRole.SYSTEM_ADMIN)) { return ACCESS_DENIED; } else { affirmatives++; } } else if (attributeCode.startsWith(ENTITLEMENT_PREFIX) && attributeCode.length() >ENTITLEMENT_PREFIX.length()) { String entitlement = attributeCode.substring(ENTITLEMENT_PREFIX.length()); if (!bbUserService.currentUserHasEntitlementInCurrentContext(entitlement)) { return ACCESS_DENIED; } else { affirmatives++; } }} 25
  • Integrating Spring Security with Bb Authorization– inside the customBlackboardContextualRoleVoterIn BbUserServiceImpl: @Override public boolean currentUserHasEntitlement(String entitlement) { return SecurityUtil.userHasEntitlement(entitlement); } @Override public boolean currentUserHasEntitlementInCurrentContext(String entitlement) { try { SecurityUtil.checkEntitlement(entitlement); return true; } catch (AccessException e) { return false; } } @Override public boolean currentUserHasSystemRole(SystemRole systemRole) { User currentUser = ContextManagerFactory.getInstance().getContext().getUser(); if (currentUser != null) { return systemRole.equals(user.getSystemRole()); } else { return false; } } 26
  • Integrating Spring Security with Bb Authorization• I can put whatever king of logic I want in my voter in order to allow it to interact with Bb Security via Bb building blocks API calls• To see what is possible using the Bb API, check the API docs (link goes to the SecurityUtil class which contains most of the useful stuff): http://library.blackboard.com/ref/6760ba98-8f24-44f2-8e65- 0dcee799abb8/blackboard/platform/security/SecurityUtil.ht ml• And check tutorials on edugarage such as this: http://www.edugarage.com/display/BBDN/Building+Block+S ecurity 27
  • Integrating Spring Security with Bb Authorization• The end result of this is that I can do this:@Secured(“BB_SYSTEM_ADMIN_ROLE”)public String adminStuff() { …}• Only users with a system role of system admin in Bb can access this method (otherwise they get an access denied page)• I could add logic to check for any system role (even custom ones) or even course/org roles 28
  • Integrating Spring Security with Bb Authorization• I can also do this:@Secured(“BB_ENTITLEMENT:course.content.EDIT”)public String entitlementStuff() { …}• Only users with the course.content.VIEW entitlement within the current course can access this function• You might use this to secure a method for editing a course content item, for example (I use it for methods for editing custom content items) 29
  • Integrating Spring Security with Bb Authorization• I also configured some other built-in Spring security voters alongside my custom voter so I can make use of some of the expressions they evaluate IS_AUTHENTICATED_ANONYMOUSLY – lets everyone in isAuthenticated() – lets everyone in if they are authenticated 30
  • Custom Entitlements• The edugarage tutorial talks about using Bb‟s entitlements for authorization, but what if we need provisioning specific to our building block?• You can create custom entitlements in your bb- manifest.xml 31
  • Custom Entitlements<entitlements> <entitlement uid=“organization.buildingblock.VIEW” label=“New Custom Entitlement” template=“course.statistics.report.VIEW” type=“Course”/></entitlements>uid – just a unique ID for your entitlement (this is what you use when checking to see if the user has this entitlement)label – label in the Bb interface when assigning the entitlement to a roletemplate – an existing entitlement to build this one off oftype – system, personal, or course 32
  • Custom Entitlements• Once you have created your custom entitlements, you can assign it to existing or custom roles in the system admin tab in Bb: Users > system roles and course/organization roles 33
  • ResourcesThis presentation:https://dl.dropbox.com/u/16806953/DevCon2012_bb_spring_security.pptxSample project:https://dl.dropbox.com/u/16806953/BbSpringSecurityExample.zip 34
  • We value your feedback!Please fill out a session evaluation. 35