XKE - Spring Security Feedback
Feedback about Spring Security in my last client.
Given at Xebia during XKE (June 11th, 2009).

Usage Rights: CC Attribution-NonCommercial-ShareAlike License
Presentation Transcript

  • Slide 1: Spring Security Feedback (Functional)
    Romain MATON, June 11th, 2010
    www.xebia.fr / blog.xebia.fr
  • Slide 2: Agenda
    Overview
    Vidal Role Strategy
    Remember Me
    Max Concurrent Session
    Troubleshooting
    What's next?
    Conclusion
    Spring Security Feedback – Romain MATON - www.xebia.fr / blog.xebia.fr
  • Slide 3: Overview
    Creator: Ben Alex, 2003
    1.x: Acegi
    2.x: Spring Security
    Spring ROO
  • Slide 4: Features
    Easy configuration, EL based syntax
    Authentication and authorization
    HTTP Requests based
    Service Layer Security
      ▶ JSR-250 security annotations
      ▶ @Pre and @Post annotations
      ▶ AspectJ pointcuts
    CAS and OpenID integration
    Support X509, LDAP, HTTP Basic, Channels
    Remember Me
    Taglibs (JSP)
  • Slide 5: Support
    Static Doc: http://static.springsource.org/spring-security/site/docs/x.0.x/reference/springsecurity.html
    Jira: https://jira.springsource.org/browse/SEC
    Forum: http://forum.springsource.org/forumdisplay.php?f=33
  • Slide 6: (Paint) Architecture
  • Slide 7: Install and first config
  • Slide 8: Role Hierarchy Strategy
    URL or action restrictions based on privileges: Admin, User, Anonymous
      ▶ Hierarchy in XML:
          ROLE_ADMIN > ROLE_USER
          ROLE_USER > ROLE_ANONYMOUS
        An Admin is a User!
      ▶ IS_AUTHENTICATED_ANONYMOUSLY or ROLE_ANONYMOUS with <security:anonymous />
  • Slide 9: Role Hierarchy Strategy
    Setting roles in the UserDetailsService during the authentication process
    Usable in the taglib with
      ▶ <security:authorize ifAllGranted="ROLE_USER" />
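The two slides above describe the hierarchy text and the ifAllGranted check. The following added Python example (not code from the slides or from Spring Security) re-implements the lookup that RoleHierarchyImpl performs on the slide's own two-line hierarchy, so the "an Admin is a User" implication can be checked directly; the function names are the example's own.

```python
# Added example: a minimal re-implementation of the role-hierarchy lookup that
# RoleHierarchyImpl performs. Not Spring code; the hierarchy text is the slide's.

HIERARCHY = """
ROLE_ADMIN > ROLE_USER
ROLE_USER > ROLE_ANONYMOUS
"""


def parse_hierarchy(text):
    """Parse 'HIGHER > LOWER' lines into a map of directly implied roles."""
    implies = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        higher, lower = (part.strip() for part in line.split(">"))
        implies.setdefault(higher, set()).add(lower)
    return implies


def reachable_roles(granted, implies):
    """Every role the granted roles imply, including themselves (cycle-safe walk)."""
    reachable = set()
    stack = list(granted)
    while stack:
        role = stack.pop()
        if role in reachable:
            continue
        reachable.add(role)
        stack.extend(implies.get(role, ()))
    return reachable


def if_all_granted(required, granted, implies):
    """Semantics of ifAllGranted: every required role must be reachable."""
    return set(required) <= reachable_roles(granted, implies)
```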
  • Slide 10: Remember Me
    RememberMeAuthenticationFilter
      <security:remember-me user-service-ref="…" />
      <constructor-arg authentication-manager />
    TokenBasedRememberMeServices
    PersistentTokenBasedRememberMeServices
      ▶ PersistentTokenRepository
      ▶ InMemoryTokenRepository (test only, but why not)
  • Slide 11: Remember Me
    Encrypted cookie (irreversible encryption)
      ▶ Base64(Cookie(tokens: username, expiryTime, signature))
      ▶ Signature = HEX(MD5("username:tokenExpiryTime:password:key"))
    Checkbox with _spring_security_remember_me
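The cookie layout on this slide, as an added Python example (not code from the slides or from Spring Security): it issues and verifies a token in the TokenBasedRememberMeServices format and shows that an expired token, a changed password, a different server key or a malformed cookie all fail verification. The server key, the user and the timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import time

# Token layout from the slide: Base64("username:expiryTime:signature") with
# signature = HEX(MD5("username:expiryTime:password:key")).
SERVER_KEY = "galaad-demo-key"  # constructed placeholder, not a deployment value


def make_signature(username, expiry_ms, password, key):
    data = f"{username}:{expiry_ms}:{password}:{key}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def build_cookie(username, password, key, lifetime_s, now_ms=None):
    """Issue a remember-me cookie valid for lifetime_s seconds."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    expiry_ms = now_ms + lifetime_s * 1000
    sig = make_signature(username, expiry_ms, password, key)
    raw = f"{username}:{expiry_ms}:{sig}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def verify_cookie(cookie, lookup_password, key, now_ms=None):
    """Return the username if the cookie is well formed, unexpired and
    correctly signed, else None. Because the password is hashed into the
    signature, changing it invalidates every outstanding cookie."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        plain = base64.b64decode(cookie, validate=True).decode("utf-8")
        username, expiry_text, sig = plain.split(":")  # exactly three tokens
        expiry_ms = int(expiry_text)
    except (ValueError, UnicodeDecodeError):
        return None
    if expiry_ms <= now_ms:
        return None
    password = lookup_password(username)
    if password is None:
        return None
    expected = make_signature(username, expiry_ms, password, key)
    # Constant-time comparison so the check does not leak signature bytes.
    return username if hmac.compare_digest(expected, sig) else None
```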
  • Slide 12: Max Concurrent Session
    ConcurrentSessionFilter
      <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
      </listener>
      <security:concurrency-control />
      <security:authentication-manager session-controller-ref="concurrentSessionController" alias="…" />
    SessionRegistry that saves Session IDs
    Maximum Sessions
  • Slide 13: Max Concurrent Session
    Exception If Maximum Exceeded
      ▶ False: log the user in and log out the oldest user
      ▶ True: exception thrown (max user limit)
    expiredUrl and redirectStrategy
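The registry and the two "exception if maximum exceeded" policies from the two slides above, as an added Python example (not code from the slides or from Spring Security): a constructed stand-in for the SessionRegistry that enforces maximumSessions per principal and either refuses the new login or expires the least recently used session. Class and method names are the example's own.

```python
# Added example (not Spring code): a constructed stand-in for the slide's
# SessionRegistry plus the "exception if maximum exceeded" policy decision.


class MaxSessionsExceeded(Exception):
    """Raised when exceptionIfMaximumExceeded is true and the limit is reached."""


class SessionRegistry:
    def __init__(self, maximum_sessions, exception_if_maximum_exceeded):
        self.maximum_sessions = maximum_sessions
        self.exception_if_maximum_exceeded = exception_if_maximum_exceeded
        self._last_request = {}  # principal -> {session_id: last_request_ms}
        self.expired = set()     # IDs the ConcurrentSessionFilter sends to expiredUrl

    def live_sessions(self, principal):
        return sorted(s for s in self._last_request.get(principal, {})
                      if s not in self.expired)

    def register_new_session(self, principal, session_id, now_ms):
        """Called on successful login; enforces maximumSessions per principal."""
        live = self.live_sessions(principal)
        if len(live) >= self.maximum_sessions:
            if self.exception_if_maximum_exceeded:
                # True: refuse the new login, existing sessions are untouched.
                raise MaxSessionsExceeded(
                    f"{principal} already has {len(live)} live session(s)")
            # False: let the login through and expire the least recently used session.
            oldest = min(live, key=lambda s: self._last_request[principal][s])
            self.expired.add(oldest)
        self._last_request.setdefault(principal, {})[session_id] = now_ms

    def refresh_last_request(self, principal, session_id, now_ms):
        """Called on every request so the LRU choice reflects real activity."""
        self._last_request[principal][session_id] = now_ms

    def is_expired(self, session_id):
        return session_id in self.expired
```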
  • Slide 14: DEMO! + Our configurations
    Demo: http://localhost:8080/voff-client/user/defaultSearch?term=clamox
    Vidal Officine: 20100611 - XKE - melusine-security.xml
    Vidal Online: 20100611 - XKE - galaad-security.xml
    Hoptimal: 20100611 - XKE - perceval-security.xml
    A JSP: 20100611 - XKE - header.jsp
  • Slide 15: Troubleshooting
    Two configurations are overlaid on the slide; separated here.

    First configuration (Spring Security 2.0.4 schema):

      <beans xmlns="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:context="http://www.springframework.org/schema/context"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                                 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

        <bean id="securityPropertyPlaceholder" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
          <property name="location" value="classpath:conf-web.properties" />
          <property name="ignoreUnresolvablePlaceholders" value="true" />
        </bean>

        <security:http auto-config="false" entry-point-ref="entryPoint" create-session="always">
          <security:intercept-url pattern="/createAccount.html" access="ROLE_ANONYMOUS" />
          <security:intercept-url pattern="/autoLogin.html" access="ROLE_ANONYMOUS" />
          <security:intercept-url pattern="/adelierror.html" access="ROLE_ANONYMOUS" />
          <security:intercept-url pattern="/**.html" access="ROLE_USER" />
          <security:intercept-url pattern="/galaad-service/**" access="ROLE_USER" />
          <security:intercept-url pattern="/login.html" filters="none" />
          <security:intercept-url pattern="/ml.html" filters="none" />
          <security:anonymous />
        </security:http>

        <!-- The authentication manager, redefining the session controller -->
        <security:authentication-manager alias="authenticationManager" session-controller-ref="concurrentSessionController" />

        <!-- Entry point for http -->
        <bean id="entryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
          <property name="loginFormUrl" value="/login.html" />
        </bean>

        <!-- Filters -->
        <bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
          <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
          <property name="authenticationManager" ref="authenticationManager" />
          <property name="filterProcessesUrl" value="/j_spring_security_check" />
          <property name="defaultTargetUrl" value="/" />
          <property name="authenticationFailureUrl" value="/login.html?login_error=1" />
          <property name="rememberMeServices" ref="rememberMeServices" />
        </bean>

        <bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
          <security:custom-filter position="REMEMBER_ME_FILTER" />
          <property name="rememberMeServices" ref="rememberMeServices" />
          <property name="authenticationManager" ref="authenticationManager" />
        </bean>

        <bean id="concurrentSessionFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
          <security:custom-filter position="CONCURRENT_SESSION_FILTER" />
          <property name="expiredUrl" value="/login.html?login_error=2" />
          <property name="sessionRegistry" ref="sessionRegistry" />
          <property name="logoutHandlers">
            <list>
              <ref bean="securityContextLogoutHandler" />
              <ref bean="rememberMeServices" />
            </list>
          </property>
        </bean>

        <bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
          <security:custom-filter position="LOGOUT_FILTER" />
          <constructor-arg index="0" value="/login.html" />
          <constructor-arg index="1">
            <list>
              <ref bean="securityContextLogoutHandler" />
              <ref bean="rememberMeServices" />
            </list>
          </constructor-arg>
        </bean>

        <!-- Providers -->
        <bean id="customAuthenticationServiceProvider" class="com.vidal.galaad.web.security.VidalIdAuthenticationServiceProvider">
          <security:custom-authentication-provider />
          <property name="vidalIdConnector" ref="vidalIdConnector" />
          <property name="vidalIdAuthorizationServiceProvider" ref="vidalIdAuthorizationServiceProvider" />
        </bean>

        <bean id="autologinAuthenticationProvider" class="com.vidal.galaad.web.security.AutoLoginAuthenticationProvider">
          <security:custom-authentication-provider />
        </bean>

        <bean id="customRememberMeAuthenticationProvider" class="com.vidal.galaad.web.security.CustomRememberMeAuthenticationProvider">
          <security:custom-authentication-provider />
          <property name="key" value="galaad" />
        </bean>

        <bean id="vidalIdAuthorizationServiceProvider" class="com.vidal.galaad.web.security.VidalIdAuthorizationServiceProvider">
          <constructor-arg>
            <ref bean="vidalIdConnector" />
          </constructor-arg>
        </bean>

        <!-- Core beans -->
        <bean id="concurrentSessionController" class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
          <property name="sessionRegistry" ref="sessionRegistry" />
          <property name="maximumSessions" value="2" />
        </bean>

        <bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
          <property name="userDetailsService" ref="customAuthenticationServiceProvider" />
          <property name="key" value="galaad" />
        </bean>

        <bean id="securityContextLogoutHandler" class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
        <bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl" />

        <!-- Vidal ID connector -->
        <bean id="vidalIdConnector" class="com.vidal.galaad.web.security.VidalIdConnectorImpl">
          <property name="vidalIdUrl" value="${vidalid.url}" />
        </bean>
      </beans>

    Second configuration (Spring Security 3.0 schema):

      <beans xmlns="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <security:http use-expressions="true" auto-config="true">
          <security:intercept-url pattern="/" access="permitAll" />
          <security:intercept-url pattern="/updateLivret.html" access="isAuthenticated()" />
        </security:http>

        <security:authentication-manager>
          <security:authentication-provider>
            <security:user-service id="userDetailsService" properties="/WEB-INF/users.properties" />
          </security:authentication-provider>
        </security:authentication-manager>
      </beans>
  • Slide 16: Troubleshooting: UserDetailsServiceWrapper deprecation
  • Slide 17: Troubleshooting: Use a MethodSecurityExpressionHandler
  • Slide 18: Troubleshooting: HTTP Basic, web.xml and auto-config="true"
      <http>
        <form-login />
        <http-basic />
        <logout />
      </http>
    Spring Security catches the HTTP header; tomcat-users.xml is not used!
    No more auto-config: just define form-login and logout
  • Slide 19: Troubleshooting: REST Provider
  • Slide 20: Troubleshooting: Concurrent Controller and Remember Me together :(
      ▶ No exception on maximum concurrent sessions
      ▶ When it happens, log out the oldest user
      ▶ Then, logically, show the login page...
  • Slides 21-26: Troubleshooting
  • Slide 27: TODO: ELs!!! Expression-Based Access Control
      ▶ hasRole([role])
      ▶ hasAnyRole([role1,role2])
      ▶ principal
      ▶ authentication
      ▶ permitAll
      ▶ denyAll
      ▶ isAnonymous()
      ▶ isRememberMe()
      ▶ isAuthenticated()
      ▶ isFullyAuthenticated()
  • Slide 28: TODO: @Secured!!!
      <sec:global-method-security secured-annotations="enabled" />

      public class SecuredObject {
          @Secured({"ROLE_SECRET_AGENT"})
          public String getSecuredData() {
              return "Top-Secret Data";
          }
      }

      <sec:global-method-security jsr250-annotations="enabled" />

      public class SecuredObject {
          @RolesAllowed({"ROLE_SECRET_AGENT"})
          public String getSecuredData() {
              return "Top-Secret Data";
          }
      }
  • Slide 29: Conclusion: Great project!
  • Slide 30: Conclusion: But not so simple to customize