Spring security
    Presentation Transcript

    • Spring Security
    • The notion of security
      • Security is a crucial aspect of most applications
      • Security is a concern that cuts across the functionality of an application
      • An application should never take charge of its own security
      • It is better to keep the application and its security separate
    • Acegi Security
      • Launched in 2003
      • Became extremely popular
      • Security services for the Spring framework
      • Since version 1.1.0, Acegi has been a Spring module
    • Spring Security
      "Spring Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on applications that use Spring."
      Spring Security
      • offers declarative security for your Spring-based applications
      • handles authentication and authorization
      • takes full advantage of the dependency injection (DI) and aspect-oriented techniques on which the Spring framework is built
    • Spring Security is not ...
      • a firewall, a proxy server or an IDS (Intrusion Detection System)
      • operating-system security
      • JVM (sandbox) security
    • Who uses it?
      • More than 231,000 downloads on SourceForge
      • At least 20,000 downloads and 14,000 posts in the community forum
      • Used in many demanding environments: large banks; defence and government; universities; independent software vendors; OSS such as OpenNMS, OAJ, Roller, AtLeap, ...
    • It works well with ...
      • Spring Portfolio, JAAS, AspectJ, Jasypt, JA-SIG CAS, Grails, JOSSO, Mule, NTLM via JCIFS, DWR, OpenID, Appfuse, SiteMinder, AndroMDA, Atlassian Crowd, jCaptcha
    • Capability areas
      • Authentication
      • Web URL authorization
      • Method invocation authorization
      • WS-Security (via Spring Web Services)
      • Flow authorization (via Spring Web Flow)
      • User detection (Captcha) ...
    • Key concepts
      • Filters (Security Interceptor)
      • Authentication
      • Authorization
      • Web authorization
      • Method authorization
    • Fundamental elements of Spring Security
      • Security Interceptor
      • Authentication Manager
      • Access Decision Manager
      • Run-As Manager
      • After-Invocation Manager
    • Spring Security: Filters
    • Security Interceptor
      • A lock that protects secured resources, requiring the user to enter a username and a password
      [Diagram: the caller's request passes through the Security Interceptor, which performs the security check, and then reaches the service; when the check fails an exception is returned to the caller]
      • Its implementation depends on the secured resource:
        • URLs: servlet filter
        • Methods: aspects
      • Delegates responsibilities to the various managers
    • Spring Security filters
      Request → Integration Filter → Authentication Processing Filter → Exception Translation Filter → Filter Security Interceptor → Secured Web Resource → Response
      Filter: What it does
      Integration Filter: responsible for retrieving a previously stored authentication (most likely stored in the HTTP session) so that it will be ready for Spring Security's other filters to process
      Authentication Processing Filter: determines whether the request is an authentication request. If so, the user information (typically a username/password pair) is retrieved from the request and passed on to the authentication manager
      Exception Translation Filter: translates exceptions: for an AuthenticationException the request is sent to a login screen; for an AccessDeniedException it returns HTTP 403 to the browser
      Filter Security Interceptor: examines the request and determines whether the user has the necessary privileges to access the secured resource. It leans heavily on the authentication manager and the access decision manager
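    To make the division of labour between these four filters concrete, here is an added Java 17 example (not code from the slides or from Spring Security itself) that runs constructed requests through a toy version of the chain in the order shown above; the "AUTH" session key, the /login URL, the form parameter names, the user store and the URL-to-role rules are all assumptions.

```java
import java.util.*;

// Added example, not from the deck or Spring Security: a toy model of the four filters, in order.
public final class FilterChainDemo {
    static class AuthenticationException extends RuntimeException {}
    static class AccessDeniedException extends RuntimeException {}
    record Request(String url, Map<String, String> params, Map<String, Object> session) {}
    record Authentication(String user, Set<String> roles) {}
    // Constructed user store, role assignments and URL-to-role rules (assumptions).
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("ROLE_USER"));
    static final Map<String, String> SECURED = Map.of("/admin", "ROLE_ADMIN", "/account", "ROLE_USER");
    // Integration filter: restore the Authentication stored in the HTTP session (key assumed).
    static Authentication integration(Request r) {
        return (Authentication) r.session().get("AUTH");
    }
    // Authentication processing filter: on the assumed /login URL check credentials and store the result.
    static Authentication authenticationProcessing(Request r, Authentication current) {
        if (!r.url().equals("/login")) return current;       // not a login request: pass through
        String u = r.params().get("username");
        if (u == null || !Objects.equals(PASSWORDS.get(u), r.params().get("password")))
            throw new AuthenticationException();
        Authentication a = new Authentication(u, ROLES.get(u));
        r.session().put("AUTH", a);
        return a;
    }
    // Filter security interceptor: anonymous -> AuthenticationException, wrong role -> AccessDeniedException.
    static void securityInterceptor(Request r, Authentication a) {
        String required = SECURED.get(r.url());
        if (required == null) return;                        // not a secured resource
        if (a == null) throw new AuthenticationException();
        if (!a.roles().contains(required)) throw new AccessDeniedException();
    }
    // Exception translation filter wraps the rest of the chain: login redirect vs. HTTP 403.
    static String handle(Request r) {
        try {
            securityInterceptor(r, authenticationProcessing(r, integration(r)));
            return "200 OK";
        } catch (AuthenticationException e) { return "302 redirect to login page"; }
          catch (AccessDeniedException e)   { return "403 Forbidden"; }
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();       // one browser session
        System.out.println(handle(new Request("/account", Map.of(), session)));  // anonymous caller
        System.out.println(handle(new Request("/login",
                Map.of("username", "alice", "password", "s3cret"), session)));    // log in
        System.out.println(handle(new Request("/account", Map.of(), session)));  // auth restored from session
        System.out.println(handle(new Request("/admin", Map.of(), session)));    // lacks ROLE_ADMIN
    }
}
```

    The order matters: the integration filter must run before the interceptor so a stored login is visible to it, and the translation filter must enclose the interceptor to catch what it throws.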
    • Spring Security filters
      Filter: Purpose
      HttpRequestIntegrationFilter: Populates the security context using information from the user principal
      CaptchaValidationProcessingFilter: Helps to identify a user as a human using Captcha techniques
      ConcurrentSessionFilter: Ensures that a user is not simultaneously logged in more than a set number of times
      HttpSessionContextIntegrationFilter: Populates the security context using information obtained from the HTTP session
      FilterSecurityInterceptor: Decides whether or not to allow access to a secured resource
      AnonymousProcessingFilter: Used to identify an unauthenticated user as an anonymous user
      ChannelProcessingFilter: Ensures that a request is being sent over HTTP or HTTPS
      BasicProcessingFilter: Attempts to authenticate a user by processing an HTTP Basic authentication
      CasProcessingFilter: Authenticates a user by processing a CAS (Central Authentication Service) ticket
      DigestProcessingFilter: Attempts to authenticate a user by processing an HTTP Digest authentication
      ExceptionTranslationFilter: Handles any AccessDeniedException or AuthenticationException
      LogoutFilter: Used to log a user out of the application
      RememberMeProcessingFilter: Automatically authenticates a user who has asked to be "remembered" by the application
      SwitchUserProcessingFilter: Used to switch out a user. Provides functionality similar to Unix's su
      AuthenticationProcessingFilter: Accepts the user's principal and credentials and attempts to authenticate the user
      SiteminderAuthenticationProcessingFilter: Authenticates a user by processing CA/Netegrity SiteMinder headers
      X509ProcessingFilter: Authenticates a user by processing an X.509 certificate submitted by a client web browser
      SecurityContextHolderAwareRequestFilter: Populates the servlet request with a request wrapper
    • Execution flow of a request through the Spring Security filters
      [Diagram: Web User → Servlet Container → Servlet Filter Chain (Filter 1 ... Filter 5, one of which, Filter X, is the Security Interceptor) → Spring Container]
    • Spring Security: Authentication
    • Authentication management
      • verify the principal (often a username and a password)
      • Spring Security ships with flexible authentication managers that cover the most common authentication strategies
      [Diagram: Authentication Manager → Provider Manager → DAO Authentication Provider, CAS Authentication Provider, X.509 Authentication Provider, JAAS Authentication Provider, LDAP Authentication Provider]
    • Spring Security: Authorization
    • Access decision management
      • Responsible for deciding whether the user has appropriate access to the resources
      • Spring Security ships with three implementations of the access decision manager
      Access decision manager: How it decides to grant/deny access
      Affirmative Based: allows access if at least one voter votes to grant access
      Consensus Based: allows access if a consensus of voters votes to grant access
      Unanimous Based: allows access if all voters vote to grant access
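    As an added example (not the deck's or Spring Security's own code), the following Java model applies the three strategies to a constructed set of voter verdicts, including the case where every voter abstains; the allowIfAllAbstain parameter is a stand-in for the managers' allowIfAllAbstainDecisions setting, and the tie-breaking rule for the consensus case follows the ConsensusBased default.

```java
import java.util.List;

// Added example, not the deck's or Spring Security's own code: a self-contained model of the
// three voting strategies. Verdicts use the same three values as Spring's AccessDecisionVoter.
public final class VotingDemo {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;
    enum Strategy { AFFIRMATIVE, CONSENSUS, UNANIMOUS }

    // Returns true when access is granted. allowIfAllAbstain stands in for the managers'
    // allowIfAllAbstainDecisions setting, whose Spring default is false: a decision nobody
    // is willing to make is treated as a denial.
    static boolean decide(Strategy s, List<Integer> votes, boolean allowIfAllAbstain) {
        int grants = 0, denies = 0;
        for (int v : votes) {
            if (v == GRANTED) grants++;
            else if (v == DENIED) denies++;
        }
        if (grants == 0 && denies == 0) return allowIfAllAbstain;   // every voter abstained
        if (s == Strategy.AFFIRMATIVE) return grants > 0;            // one grant is enough
        if (s == Strategy.UNANIMOUS) return denies == 0;             // one deny is fatal
        return grants >= denies;   // consensus: majority wins; Spring's default lets a tie grant
    }

    public static void main(String[] args) {
        // Constructed verdicts, as if three voters had looked at the same request.
        List<Integer> split = List.of(GRANTED, DENIED, ABSTAIN);
        for (Strategy s : Strategy.values()) {
            System.out.println(s + " grants on a split vote: " + decide(s, split, false));
        }
        System.out.println("all abstain grants: " + decide(Strategy.AFFIRMATIVE, List.of(ABSTAIN), false));
    }
}
```

    With the split vote the affirmative and consensus managers grant and the unanimous one denies; when every voter abstains, all three deny under the default.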
    • Web authorization
        <authz:authorize ifAllGranted="ROLE_MOTORIST,ROLE_VIP">
          Welcome VIP Motorist!<br/>
          <a href="j_acegi_logout">Logoff</a>
        </authz:authorize>
        <authz:authorize ifAnyGranted="ROLE_MOTORIST,ROLE_VIP">
          Welcome Motorist!<br/>
          <a href="j_acegi_logout">Logoff</a>
        </authz:authorize>
        <authz:authorize ifNotGranted="ROLE_ANONYMOUS">
          <p>This is super-secret content that anonymous users aren't allowed to see.</p>
        </authz:authorize>
        <authz:authorize ifAllGranted="ROLE_MOTORIST" ifAnyGranted="ROLE_VIP,ROLE_FAST_LANE" ifNotGranted="ROLE_ADMIN">
          <p>Only special users see this content.</p>
        </authz:authorize>
    • Method authorization
        @Secured({"ROLE_ADMIN", "ROLE_REGISTRAR"})
        public void enrollStudentInCourse(Course course, Student student) throws CourseException {
            // ...
        }
    • Demo
    • Bibliography
      • Spring in Action by Craig Walls, Chapter 7: Securing Spring, http://www.manning.com/walls3/
      • http://static.springsource.org/spring-security/site/articles.html
      • http://www.infoq.com/presentations/Spring-Security-3