• Save
Enterprise Security mit Spring Security
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Enterprise Security mit Spring Security

on

  • 6,026 views

Spring Security, der Nachfolger des Acegi Security Frameworks, stellt ein Framework zur Umsetzung von Enterprise Security Anforderungen zur Verfügung, wie z.B. Authentifizierung, URL- und ...

Spring Security, der Nachfolger des Acegi Security Frameworks, stellt ein Framework zur Umsetzung von Enterprise Security Anforderungen zur Verfügung, wie z.B. Authentifizierung, URL- und Methoden-Filter, Single-Sign-On und Insatzbasierten Berechtigungen. Dabei ist es ein reines Security Framework, welches mit nahezu jedem Web- und Anwendungsframework eingesetzt werden kann.

Statistics

Views

Total Views
6,026
Views on SlideShare
5,996
Embed Views
30

Actions

Likes
2
Downloads
0
Comments
0

2 Embeds 30

http://www.slideshare.net 29
https://xingmodules.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Enterprise Security mit Spring Security Presentation Transcript

  • 1. Enterprise Security mit Spring Security Mike Wiesner SpringSource Germany Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited.
  • 2. Über mich • Senior Consultant bei SpringSource Germany • Spring-/Security-Consulting • Trainings • IT-Security Consulting / Reviews • mike.wiesner@springsource.com Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 2
  • 3. Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited.
  • 4. Agenda • Was ist Spring Security? • Absichern von Webanwendungen • Authentifizierung • Absichern von „Nicht-“Webanwendungen • Best Practices Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 4
  • 5. Was ist Spring Security? • Spring Security Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 5
  • 6. Was ist Spring Security? • Spring Security –ist ein mächtiges und flexibles Sicherheitsframework Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 5
  • 7. Was ist Spring Security? • Spring Security –ist ein mächtiges und flexibles Sicherheitsframework –ist für die Java Enterprise Softwareentwicklung Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 5
  • 8. Was ist Spring Security? • Spring Security –ist ein mächtiges und flexibles Sicherheitsframework –ist für die Java Enterprise Softwareentwicklung –nutzt Spring als Basis Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 5
  • 9. Was ist Spring Security? • Spring Security –ist ein mächtiges und flexibles Sicherheitsframework –ist für die Java Enterprise Softwareentwicklung –nutzt Spring als Basis –kann für jede Java-Anwendung benutzt werden Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 5
  • 10. Was ist es nicht? • Firewall, proxy server, IDS • Betriebssystem Sicherheit • JVM (sandbox) security • Dies ist Basis-Sicherheit die immer benötigt wird! Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 6
  • 11. Hauptmerkmale • Authentifizierung • Web URL Autorisierung • Methodenaufruf Autorisierung Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 7
  • 12. Hauptmerkmale • Authentifizierung • Web URL Autorisierung • Methodenaufruf Autorisierung • Channel security • Human user detection • Domain instance based security (ACLs) • WS-Security (mit Spring Web Services) • Flow Authorization (mit Spring Web Flow) Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 7
  • 13. Integrationen ... • Spring Portfolio • RFC 1945, 2617 etc • AspectJ • Major containers • JA-SIG CAS • JAAS • JOSSO • Jasypt • NTLM via JCIFS • Grails and Trails • OpenID • Mule • SiteMinder • DWR • Atlassian Crowd • Appfuse • jCaptcha • AndroMDA Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 8
  • 14. Neues in Spring Security 2 • Spring Security 2 baut auf dem beliebten Acegi Framework auf • Einfacherere Konfiguration durch Namespace • Verbesserte LDAP-Unterstützung • Verbesserte Single Sign-On Unterstützung Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 9
  • 15. Agenda • Was ist Spring Security? • Absichern von Webanwendungen • Authentifizierung • Absichern von „Nicht-“Webanwendungen • Best Practices Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 10
  • 16. Kern-Konzepte • Servlet Filter • Authentifizierung • Repositories • Web Autorisierung • Methoden Autorisierung Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 11
  • 17. Servlet Filter • DelegatingFilterProxy in der web.xml • Leitet Aufrufe zu “springSecurityFilterChain” weiter DelegatingFilterProxy web.xml springSecurityFilterChain spring-context.xml Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 12
  • 18. DEMO Securing Web Applications Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited.
  • 19. <intercept-url> • Mindests eins notwendig, z.B.: –/** = IS_AUTHENTICATED_ANONYMOUSLY • Erzeugt ein FilterSecurityInterceptor • und eine Filterkette für diese URL Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 14
  • 20. <intercept-url /> <http> <intercept-url pattern=quot;/admin/**quot; access=quot;ROLE_ADMINquot; /> <!-- REST Support --> <intercept-url pattern=quot;/User/**quot; method=quot;POSTquot; access=quot;ROLE_SUPERVISORquot;/> </http> • Auslesen von oben nach unten –spezifischstes Pattern oben –Catch-All unten Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 15
  • 21. Formular Login • HTML-Formular als Loginseite • Defaults: –Loginseite: /spring_security_login –Fehlerseite: /spring_security_login?login_error –Action-URL: /j_spring_security_check • Spring Security erzeugt Login-Formular –Solange keine eigene Seite angegeben wird Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 16
  • 22. Basic authentication • Definiert in RFC 1945 und 2617 • Wird als HTTP-Header gesendet • Wird häufig in Remote-Protokollen benutzt • Achtung: Base64 is keine Verschlüsselung! –Deshalb immer HTTPS verwenden Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 17
  • 23. Agenda • Was ist Spring Security? • Absichern von Webanwendungen • Authentifizierung • Absichern von „Nicht-“Webanwendungen • Best Practices Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 18
  • 24. Authenifizierungen • Form • JA-SIG CAS • Basic • JOSSO • JDBC • SiteMinder • LDAP • Atlassian • NTLM Crowd • Containers • OpenID • JAAS • X.509 • Digest Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 19
  • 25. Repositories • Authentifizierungsprovider liefern oft nur Benutzernamen • Benötigt wird oft mehr (z.B. Rollen, Rechte, ...) • Repositories liefern diese zusätzlichen Informationen Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 20
  • 26. JDBC-Repositories • <jdbc-user-details data-source-ref=”x”/> • Anpassbare SQL-Queries USER AUTHORITIES USERNAME USERNAME PASSWORD AUTHORITY ENABLED Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 21
  • 27. LDAP <ldap-user-service user-search-base=quot;ou=peoplequot; user-search-filter=quot;uid={0}quot; group-search-filter=quot;member={0}quot; group-search-base=quot;ou=groupsquot; /> • Findet z.B. –uid=admin,ou=people • Und alle Gruppen unter „ou=groups“ mit dem Attribute: –member: uid=admin,ou=people Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 22
  • 28. Eingebauter LDAP Server • Eingebauter Apache DS (zum Testen): – <ldap-server ldif=quot;classpath:users.ldifquot; root=quot;dc=springsource,dc=comquot;/> Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 23
  • 29. Kombinationen Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 24
  • 30. Kombinationen • OpenID zum Authentifizieren –JDBC für User Details Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 24
  • 31. Kombinationen • OpenID zum Authentifizieren –JDBC für User Details • NTLM (Windows) zum Authentifizieren –LDAP für User Details (z.B. Active Directory) Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 24
  • 32. Kombinationen • OpenID zum Authentifizieren –JDBC für User Details • NTLM (Windows) zum Authentifizieren –LDAP für User Details (z.B. Active Directory) • JA-SIG CAS zum Authentifizieren –Eigener UserDetailsProvider der z.B. Hibernate benutzt Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 24
  • 33. Agenda • Was ist Spring Security? • Absichern von Webanwendungen • Authentifizierung • Absichern von „Nicht-“Webanwendungen • Best Practices Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 25
  • 34. URL-Filter sind nicht genug! • Keine 1 zu 1 Beziehung zu Resourcen, z.B. Print Views –/listCustomers.html und /print.view?page=listCustomers Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 26
  • 35. URL-Filter sind nicht genug! • Keine 1 zu 1 Beziehung zu Resourcen, z.B. Print Views –/listCustomers.html und /print.view?page=listCustomers • Oder es gibt keine URLs –Anwendungen außerhalb vom Web Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 26
  • 36. URL-Filter sind nicht genug! • Keine 1 zu 1 Beziehung zu Resourcen, z.B. Print Views –/listCustomers.html und /print.view?page=listCustomers • Oder es gibt keine URLs –Anwendungen außerhalb vom Web • Oder nur eine URL für sämtliche Aktionen (z.B. AJAX) –Nur die Header sind unterschiedlich Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 26
  • 37. URL-Filter sind nicht genug! • Keine 1 zu 1 Beziehung zu Resourcen, z.B. Print Views –/listCustomers.html und /print.view?page=listCustomers • Oder es gibt keine URLs –Anwendungen außerhalb vom Web • Oder nur eine URL für sämtliche Aktionen (z.B. AJAX) –Nur die Header sind unterschiedlich • Oder Bugs im Webcontainer Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 26
  • 38. Method Authorization Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 27
  • 39. Method Authorization Business Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 27
  • 40. Method Authorization Business Security Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 27
  • 41. Method Authorization Business Security Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 27
  • 42. Method Authorization Business Security Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 27
  • 43. Methoden Autorisierung <global-method-security> <protect-pointcut expression=quot;execution(* admin.*.*(..))quot; access=quot;PERM_ADMIN_OPquot;/> <protect-pointcut expression=quot;execution(* admin.User.delete(..))quot; access=quot;PERM_DELETE_USERquot;/> </global-method-security> Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 28
  • 44. Methoden Autorisierung <global-method-security> <protect-pointcut expression=quot;execution(* admin.*.*(..))quot; access=quot;PERM_ADMIN_OPquot;/> <protect-pointcut expression=quot;execution(* admin.User.delete(..))quot; access=quot;PERM_DELETE_USERquot;/> </global-method-security> @Secured(quot;PERM_DELETE_USERquot;) public void deleteUser(User user) Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 28
  • 45. Methoden Autorisierung <global-method-security> <protect-pointcut expression=quot;execution(* admin.*.*(..))quot; access=quot;PERM_ADMIN_OPquot;/> <protect-pointcut expression=quot;execution(* admin.User.delete(..))quot; access=quot;PERM_DELETE_USERquot;/> </global-method-security> @Secured(quot;PERM_DELETE_USERquot;) public void deleteUser(User user) JSR-250 Common Annotation @RolesAllowed(quot;PERM_DELETE_USERquot;) public void deleteUser(User user); Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 28
  • 46. DEMO Method Authorization Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited.
  • 47. Agenda • Was ist Spring Security? • Absichern von Webanwendungen • Authentifizierung • Absichern von „Nicht-“Webanwendungen • Best Practices Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 30
  • 48. Authorization • URL checks für grobgranulare Autorisierung • Method checks für feingranulare Autorisierung • Keine Rollen in Annotations –stattdessen Rechte Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 31
  • 49. Role-Based Access Control @Secured(quot;ROLE_ADMINquot;) public void deleteUser(User user) Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 32
  • 50. Role-Based Access Control @Secured(quot;ROLE_ADMINquot;) public void deleteUser(User user) Wo findet das statt? User * * Role * * Right Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 32
  • 51. Role-Based Access Control @Secured(quot;ROLE_ADMINquot;) public void deleteUser(User user) Wo findet das statt? User * * Role * * Right @Secured(quot;PERM_DELETE_USERquot;) public void deleteUser(User user) Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 32
  • 52. Testing • Benutzer erstellen keine Bug-Reports wenn Sie „zu viel“ dürfen • Security-Bugs müssen während der Entwicklung gefunden werden • Zum Testen Business-Code deaktivieren Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 33
  • 53. Software Design • Security sollte nicht das Software Design vorgeben –„Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety“ - Benjamin Franklin • Evolutionäres Design durch Requirements • Security muss sich daran anpassen • Mit Spring Security ist das möglich Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 34
  • 54. Fragen? Mike Wiesner SpringSource Germany ? mike.wiesner@springsource.com Skype: mikewiesner http://www.springsource.com/de http://www.mwiesner.com Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited. 35