XKE - Spring Security Feedback

Feedback about Spring Security at my last client.
Given at Xebia during XKE (June 11th, 2009).



  1. SPRING SECURITY FEEDBACK (Functional). Romain MATON, June 11th, 2010. www.xebia.fr / blog.xebia.fr
  2. Agenda: Overview, Vidal, Role Strategy, Remember Me, Max Concurrent Session, Troubleshooting, What's next?, Conclusion
  3. Overview: Creator: Ben Alex, 2003. 1.x Acegi, 2.x Spring Security, Spring ROO
  4. Features: Easy configuration. EL-based syntax. Authentication and authorization. HTTP-request based. Service layer security:
     ▶ JSR-250 security annotations
     ▶ @Pre and @Post annotations
     ▶ AspectJ pointcuts
     CAS and OpenID integration. Support for X509, LDAP, HTTP Basic, Channels. Remember Me. Taglibs (JSP).
  5. Support: Static Doc: http://static.springsource.org/spring-security/site/docs/x.0.x/reference/springsecurity.html ; Jira: https://jira.springsource.org/browse/SEC ; Forum: http://forum.springsource.org/forumdisplay.php?f=33
  6. (Paint) Architecture
  7. Install and first config
  8. Role Hierarchy Strategy: URL or action restrictions based on privileges: Admin, User, Anonymous.
     ▶ Hierarchy in XML: ROLE_ADMIN > ROLE_USER, ROLE_USER > ROLE_ANONYMOUS. An Admin is a User!
     ▶ IS_AUTHENTICATED_ANONYMOUSLY or ROLE_ANONYMOUS with <security:anonymous />
  9. Role Hierarchy Strategy: Setting roles in the UserDetailsService during the authentication process. Usable in the taglib with:
     ▶ <security:authorize ifAllGranted="ROLE_USER" />
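Added example, not from the deck or from Spring itself: a small Python model of the hierarchy semantics on slides 8 and 9. It parses the same `ROLE_ADMIN > ROLE_USER ROLE_USER > ROLE_ANONYMOUS` string Spring's RoleHierarchyImpl accepts and computes the reachable roles, so an access check on a lower role passes for an Admin; the granted-role sets are constructed inputs.

```python
def parse_hierarchy(spec):
    """Parse 'ROLE_ADMIN > ROLE_USER ROLE_USER > ROLE_ANONYMOUS' into
    {higher_role: {directly implied lower roles}} (RoleHierarchyImpl format)."""
    tokens = spec.split()
    graph = {}
    for i, tok in enumerate(tokens):
        if tok == ">":
            graph.setdefault(tokens[i - 1], set()).add(tokens[i + 1])
    return graph


def reachable_roles(graph, granted):
    """Transitive closure: every role implied by the granted ones.
    The 'seen' check also terminates on a cyclic hierarchy."""
    result = set(granted)
    stack = list(granted)
    while stack:
        role = stack.pop()
        for lower in graph.get(role, ()):
            if lower not in result:
                result.add(lower)
                stack.append(lower)
    return result


def is_allowed(graph, granted, required):
    """Mimics an intercept-url access="ROLE_X" check once the hierarchy is
    applied: access is granted if any reachable role equals the required one."""
    return required in reachable_roles(graph, granted)


# Constructed sample: the exact hierarchy from slide 8.
HIERARCHY = parse_hierarchy("ROLE_ADMIN > ROLE_USER ROLE_USER > ROLE_ANONYMOUS")
```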
  10. Remember Me: RememberMeAuthenticationFilter. <security:remember-me user-service-ref="…" />. <constructor-arg authentication-manager />. TokenBasedRememberMeServices. PersistentTokenBasedRememberMeServices:
      ▶ PersistentTokenRepository
      ▶ InMemoryTokenRepository (test only, but why not)
  11. Remember Me: Encrypted cookie (irreversible encryption):
      ▶ Base64(Cookie(tokens: username, expiryTime, signature))
      ▶ Signature = HEX(MD5("username:tokenExpiryTime:password:key"))
      Checkbox with _spring_security_remember_me
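Added example, not Spring's code: a Python model of the token-based cookie exactly as slide 11 lays it out (base64 of username, expiry and the MD5 hex signature over username, expiry, password and key). It also shows the validation side, which is what makes the scheme useful to a defender: an expired token, a token signed with another key, and a token issued before a password change are all rejected. The user store, key and timestamps are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed sample values: a demo user store and the server-side key that
# TokenBasedRememberMeServices would be configured with. The key must stay secret,
# since anyone holding it and a user's password can mint valid cookies.
USERS = {"romain": "s3cret-password"}
KEY = "galaad"


def signature(username, expiry_ms, password, key):
    # HEX(MD5("username:tokenExpiryTime:password:key")), as on the slide. MD5 is
    # what this scheme specifies; it is kept here to model it faithfully.
    data = f"{username}:{expiry_ms}:{password}:{key}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def make_cookie(username, password, key, lifetime_s, now_s):
    """Base64(username:expiryTime:signature); expiry is epoch milliseconds."""
    expiry_ms = (now_s + lifetime_s) * 1000
    sig = signature(username, expiry_ms, password, key)
    token = f"{username}:{expiry_ms}:{sig}"
    return base64.b64encode(token.encode("utf-8")).decode("ascii")


def validate_cookie(cookie, users, key, now_s):
    """Return (username, "ok") for a valid cookie, else (None, reason)."""
    try:
        username, expiry_str, sig = base64.b64decode(cookie).decode("utf-8").split(":")
        expiry_ms = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if expiry_ms < now_s * 1000:
        return None, "expired"
    password = users.get(username)
    if password is None:
        return None, "unknown user"
    # Recompute with the *current* password: changing it invalidates old cookies.
    expected = signature(username, expiry_ms, password, key)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None, "bad signature"
    return username, "ok"
```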
  12. Max Concurrent Session: ConcurrentSessionFilter.
      <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
      </listener>
      <security:concurrency-control />
      <security:authentication-manager session-controller-ref="concurrentSessionController" alias="…" />
      SessionRegistry that saves the Session IDs. Maximum Sessions.
  13. Max Concurrent Session: Exception If Maximum Exceeded:
      ▶ False: log in the user and log out the oldest user
      ▶ True: exception thrown (max user limit)
      expiredUrl and redirectStrategy
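Added illustration, not Spring's code: a Python model of the SessionRegistry plus the two "exception if maximum exceeded" behaviours from slides 12 and 13. With the flag false the new login is admitted and the oldest session is marked expired (the ConcurrentSessionFilter would then send it to expiredUrl); with the flag true the new login is refused. Principals and session IDs are constructed; choosing the oldest session by registration order is an assumption of this model.

```python
from collections import OrderedDict


class MaxSessionsExceeded(Exception):
    """Raised when exception-if-maximum-exceeded is true and the limit is hit."""


class SessionRegistry:
    """Per-principal registry of live session IDs (assumption: the oldest
    registered session is the eviction candidate)."""

    def __init__(self, maximum_sessions, exception_if_maximum_exceeded):
        self.maximum_sessions = maximum_sessions
        self.exception_if_maximum_exceeded = exception_if_maximum_exceeded
        self._sessions = {}    # principal -> OrderedDict(session_id -> expired flag)
        self._expired = set()  # sessions the filter would redirect to expiredUrl

    def active_sessions(self, principal):
        return [sid for sid, expired in self._sessions.get(principal, {}).items()
                if not expired]

    def register(self, principal, session_id):
        active = self.active_sessions(principal)
        if len(active) >= self.maximum_sessions:
            if self.exception_if_maximum_exceeded:
                # True: refuse the new login; the existing sessions stay valid.
                raise MaxSessionsExceeded(f"{principal} already has {len(active)} sessions")
            # False: admit the new login and expire the oldest session.
            oldest = active[0]
            self._sessions[principal][oldest] = True
            self._expired.add(oldest)
        self._sessions.setdefault(principal, OrderedDict())[session_id] = False

    def remove(self, principal, session_id):
        # Logout or session destroyed (what HttpSessionEventPublisher reports).
        self._sessions.get(principal, {}).pop(session_id, None)
        self._expired.discard(session_id)

    def is_expired(self, session_id):
        return session_id in self._expired
```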
  14. DEMO! + Our configurations. Demo: http://localhost:8080/voff-client/user/defaultSearch?term=clamox . Vidal Officine: 20100611 - XKE - melusine-security.xml. Vidal Online: 20100611 - XKE - galaad-security.xml. Hoptimal: 20100611 - XKE - perceval-security.xml. A JSP: 20100611 - XKE - header.jsp
  15. Troubleshooting
      The slide overlays two configurations; separated here. First, the spring-security-2.0.4 configuration:

      <beans xmlns="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:context="http://www.springframework.org/schema/context"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                                 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

        <bean id="securityPropertyPlaceholder" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
          <property name="location" value="classpath:conf-web.properties" />
          <property name="ignoreUnresolvablePlaceholders" value="true" />
        </bean>

        <security:http auto-config="false" entry-point-ref="entryPoint" create-session="always">
          <security:intercept-url pattern="/createAccount.html" access="ROLE_ANONYMOUS" />
          <security:intercept-url pattern="/autoLogin.html" access="ROLE_ANONYMOUS" />
          <security:intercept-url pattern="/adelierror.html" access="ROLE_ANONYMOUS" />
          <security:intercept-url pattern="/**.html" access="ROLE_USER" />
          <security:intercept-url pattern="/galaad-service/**" access="ROLE_USER" />
          <security:intercept-url pattern="/login.html" filters="none" />
          <security:intercept-url pattern="/ml.html" filters="none" />
          <security:anonymous />
        </security:http>

        <!-- The authentication manager, redefining the session controller -->
        <security:authentication-manager alias="authenticationManager" session-controller-ref="concurrentSessionController" />

        <!-- Entry point for http -->
        <bean id="entryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
          <property name="loginFormUrl" value="/login.html" />
        </bean>

        <!-- Filters -->
        <bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
          <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
          <property name="authenticationManager" ref="authenticationManager" />
          <property name="filterProcessesUrl" value="/j_spring_security_check" />
          <property name="defaultTargetUrl" value="/" />
          <property name="authenticationFailureUrl" value="/login.html?login_error=1" />
          <property name="rememberMeServices" ref="rememberMeServices" />
        </bean>

        <bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
          <security:custom-filter position="REMEMBER_ME_FILTER" />
          <property name="rememberMeServices" ref="rememberMeServices" />
          <property name="authenticationManager" ref="authenticationManager" />
        </bean>

        <bean id="concurrentSessionFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
          <security:custom-filter position="CONCURRENT_SESSION_FILTER" />
          <property name="expiredUrl" value="/login.html?login_error=2" />
          <property name="sessionRegistry" ref="sessionRegistry" />
          <property name="logoutHandlers">
            <list>
              <ref bean="securityContextLogoutHandler" />
              <ref bean="rememberMeServices" />
            </list>
          </property>
        </bean>

        <bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
          <security:custom-filter position="LOGOUT_FILTER" />
          <constructor-arg index="0" value="/login.html" />
          <constructor-arg index="1">
            <list>
              <ref bean="securityContextLogoutHandler" />
              <ref bean="rememberMeServices" />
            </list>
          </constructor-arg>
        </bean>

        <!-- Providers -->
        <bean id="customAuthenticationServiceProvider" class="com.vidal.galaad.web.security.VidalIdAuthenticationServiceProvider">
          <security:custom-authentication-provider />
          <property name="vidalIdConnector" ref="vidalIdConnector" />
          <property name="vidalIdAuthorizationServiceProvider" ref="vidalIdAuthorizationServiceProvider" />
        </bean>

        <bean id="autologinAuthenticationProvider" class="com.vidal.galaad.web.security.AutoLoginAuthenticationProvider">
          <security:custom-authentication-provider />
        </bean>

        <bean id="customRememberMeAuthenticationProvider" class="com.vidal.galaad.web.security.CustomRememberMeAuthenticationProvider">
          <security:custom-authentication-provider />
          <property name="key" value="galaad" />
        </bean>

        <bean id="vidalIdAuthorizationServiceProvider" class="com.vidal.galaad.web.security.VidalIdAuthorizationServiceProvider">
          <constructor-arg>
            <ref bean="vidalIdConnector" />
          </constructor-arg>
        </bean>

        <!-- Core beans -->
        <bean id="concurrentSessionController" class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
          <property name="sessionRegistry" ref="sessionRegistry" />
          <property name="maximumSessions" value="2" />
        </bean>

        <bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
          <property name="userDetailsService" ref="customAuthenticationServiceProvider" />
          <property name="key" value="galaad" />
        </bean>

        <bean id="securityContextLogoutHandler" class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />

        <bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl" />

        <!-- Vidal ID connector -->
        <bean id="vidalIdConnector" class="com.vidal.galaad.web.security.VidalIdConnectorImpl">
          <property name="vidalIdUrl" value="${vidalid.url}" />
        </bean>
      </beans>

      Second, the spring-security-3.0 configuration shown on the same slide:

      <beans xmlns="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <security:http use-expressions="true" auto-config="true">
          <security:intercept-url pattern="/" access="permitAll" />
          <security:intercept-url pattern="/updateLivret.html" access="isAuthenticated()" />
        </security:http>

        <security:authentication-manager>
          <security:authentication-provider>
            <security:user-service id="userDetailsService" properties="/WEB-INF/users.properties" />
          </security:authentication-provider>
        </security:authentication-manager>
      </beans>
  16. Troubleshooting: UserDetailsServiceWrapper deprecation
  17. Troubleshooting: Use a MethodSecurityExpressionHandler
  18. Troubleshooting: HTTP Basic, web.xml and auto-config=true
      <http>
        <form-login />
        <http-basic />
        <logout />
      </http>
      Spring Security catches the HTTP header, so tomcat-users.xml is not used! No more auto-config: just define form-login and logout.
  19. Troubleshooting: REST Provider
  20. Troubleshooting: Concurrent Controller and Remember Me together :(
      ▶ No exception on maximum concurrent sessions
      ▶ When it happens, log out the oldest user
      ▶ Then, logically, show the login page...
  21. Troubleshooting
  22. Troubleshooting
  23. Troubleshooting
  24. Troubleshooting
  25. Troubleshooting
  26. Troubleshooting
  27. TODO: ELs!!! Expression-Based Access Control:
      ▶ hasRole([role])
      ▶ hasAnyRole([role1,role2])
      ▶ principal
      ▶ authentication
      ▶ permitAll
      ▶ denyAll
      ▶ isAnonymous()
      ▶ isRememberMe()
      ▶ isAuthenticated()
      ▶ isFullyAuthenticated()
  28. TODO: @Secured!!!
      <sec:global-method-security secured-annotations="enabled" />
      public class SecuredObject {
          @Secured({"ROLE_SECRET_AGENT"})
          public String getSecuredData() {
              return "Top-Secret Data";
          }
      }
      <sec:global-method-security jsr250-annotations="enabled" />
      public class SecuredObject {
          @RolesAllowed({"ROLE_SECRET_AGENT"})
          public String getSecuredData() {
              return "Top-Secret Data";
          }
      }
  29. Conclusion: Great project!
  30. Conclusion: But not so simple to customize
