SlideShare a Scribd company logo

Spring Framework - Spring Security

Introduction to Spring Security Framework

1 of 95
Download to read offline
Spring Framework - Security




                SPRING FRAMEWORK
Dmitry Noskov   Spring Security 3.0
Application security
   Security is arguably one of the most critical
    architectural components of any application written
    in the 21st century




                       Spring Framework - Security   Dmitry Noskov
What is Spring Security
   a powerful and highly customizable authentication
    and access-control framework
   build on top of Spring Framework
   de-facto standard for securing Spring-based
    applications




                       Spring Framework - Security   Dmitry Noskov
Fundamentals (1)
   principal
       user that performs the action
   authentication
       confirming truth of credentials
   authorization
       define access policy for principal




                            Spring Framework - Security   Dmitry Noskov
Fundamentals (2)
   Authentication
       the principal in a Spring Security-specific manner
   GrantedAuthority
       application-wide permissions granted to a principal
   SecurityContext
       hold the Authentication and other security information
   SecurityContextHolder
       provide access to SecurityContext


                            Spring Framework - Security   Dmitry Noskov
SecurityContextHolder
   provide access to SecurityContext
   strategies
     ThreadLocal
     InreritableThreadLocal

     Global




                         Spring Framework - Security   Dmitry Noskov

Recommended

Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해beom kyun choi
 

More Related Content

What's hot

OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
 
Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring SecurityKnoldus Inc.
 
Spring Framework - Core
Spring Framework - CoreSpring Framework - Core
Spring Framework - CoreDzmitry Naskou
 
Spring Framework - MVC
Spring Framework - MVCSpring Framework - MVC
Spring Framework - MVCDzmitry Naskou
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOPDzmitry Naskou
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot IntroductionJeevesh Pandey
 
AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)Brian Swartzfager
 
Being Functional on Reactive Streams with Spring Reactor
Being Functional on Reactive Streams with Spring ReactorBeing Functional on Reactive Streams with Spring Reactor
Being Functional on Reactive Streams with Spring ReactorMax Huang
 
ASP.NET Web API
ASP.NET Web APIASP.NET Web API
ASP.NET Web APIhabib_786
 
Spring Boot and REST API
Spring Boot and REST APISpring Boot and REST API
Spring Boot and REST API07.pallav
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with SpringJoshua Long
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introductionJonathan Holloway
 

What's hot (20)

OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
 
Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring Security
 
Spring Framework - Core
Spring Framework - CoreSpring Framework - Core
Spring Framework - Core
 
Spring boot
Spring bootSpring boot
Spring boot
 
Spring boot
Spring bootSpring boot
Spring boot
 
Spring Framework - MVC
Spring Framework - MVCSpring Framework - MVC
Spring Framework - MVC
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot Introduction
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)AngularJS $http Interceptors (Explanation and Examples)
AngularJS $http Interceptors (Explanation and Examples)
 
Spring beans
Spring beansSpring beans
Spring beans
 
Spring Web MVC
Spring Web MVCSpring Web MVC
Spring Web MVC
 
Being Functional on Reactive Streams with Spring Reactor
Being Functional on Reactive Streams with Spring ReactorBeing Functional on Reactive Streams with Spring Reactor
Being Functional on Reactive Streams with Spring Reactor
 
Spring MVC
Spring MVCSpring MVC
Spring MVC
 
Spring data jpa
Spring data jpaSpring data jpa
Spring data jpa
 
ASP.NET Web API
ASP.NET Web APIASP.NET Web API
ASP.NET Web API
 
Spring Boot and REST API
Spring Boot and REST APISpring Boot and REST API
Spring Boot and REST API
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with Spring
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introduction
 

Similar to Spring Framework - Spring Security

Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
Spring security4.x
Spring security4.xSpring security4.x
Spring security4.xZeeshan Khan
 
Integrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight ApplicationsIntegrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight ApplicationsDan Wahlin
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAASrahmed_sct
 
Web Development Security
Web Development SecurityWeb Development Security
Web Development SecurityRafael Monteiro
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceFelipe Prado
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
Hacking the Grails Spring Security Plugins
Hacking the Grails Spring Security PluginsHacking the Grails Spring Security Plugins
Hacking the Grails Spring Security PluginsGR8Conf
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache ShiroSmita Prasad
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityJoris Kuipers
 
The hidden gems of Spring Security
The hidden gems of Spring SecurityThe hidden gems of Spring Security
The hidden gems of Spring SecurityMassimiliano Dessì
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityIMC Institute
 
Java secure development part 3
Java secure development   part 3Java secure development   part 3
Java secure development part 3Rafel Ivgi
 
Advance java session 19
Advance java session 19Advance java session 19
Advance java session 19Smita B Kumar
 

Similar to Spring Framework - Spring Security (20)

Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Spring security4.x
Spring security4.xSpring security4.x
Spring security4.x
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Spring Security Framework
Spring Security FrameworkSpring Security Framework
Spring Security Framework
 
Integrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight ApplicationsIntegrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight Applications
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAAS
 
Web Development Security
Web Development SecurityWeb Development Security
Web Development Security
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
 
Rolebased security
Rolebased securityRolebased security
Rolebased security
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
Hacking the Grails Spring Security Plugins
Hacking the Grails Spring Security PluginsHacking the Grails Spring Security Plugins
Hacking the Grails Spring Security Plugins
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache Shiro
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring Security
 
The hidden gems of Spring Security
The hidden gems of Spring SecurityThe hidden gems of Spring Security
The hidden gems of Spring Security
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application Security
 
Java secure development part 3
Java secure development   part 3Java secure development   part 3
Java secure development part 3
 
Advance java session 19
Advance java session 19Advance java session 19
Advance java session 19
 
Ria Spring Blaze Ds
Ria Spring Blaze DsRia Spring Blaze Ds
Ria Spring Blaze Ds
 

Recently uploaded

How AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptxHow AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptxInfosec
 
Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewAshraf Fouad
 
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...ShapeBlue
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...ShapeBlue
 
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...Neo4j
 
The Art of the Possible with Graph by Dr Jim Webber Neo4j.pptx
The Art of the Possible with Graph by Dr Jim Webber Neo4j.pptxThe Art of the Possible with Graph by Dr Jim Webber Neo4j.pptx
The Art of the Possible with Graph by Dr Jim Webber Neo4j.pptxNeo4j
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceSusan Ibach
 
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...DianaGray10
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriSafe Software
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceVijayananda Mohire
 
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31shyamraj55
 
New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024ThousandEyes
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, TripadvisorProduct School
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...UiPathCommunity
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareAsma Ben Abacha
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...SearchNorwich
 
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...Product School
 
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlueCloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlueShapeBlue
 
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...2toLead Limited
 

Recently uploaded (20)

How AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptxHow AI and ChatGPT are changing cybersecurity forever.pptx
How AI and ChatGPT are changing cybersecurity forever.pptx
 
Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book Review
 
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
CloudStack 101: The Best Way to Build Your Private Cloud – Rohit Yadav, VP Ap...
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
 
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
 
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
 
The Art of the Possible with Graph by Dr Jim Webber Neo4j.pptx
The Art of the Possible with Graph by Dr Jim Webber Neo4j.pptxThe Art of the Possible with Graph by Dr Jim Webber Neo4j.pptx
The Art of the Possible with Graph by Dr Jim Webber Neo4j.pptx
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data science
 
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...Building Bridges:  Merging RPA Processes, UiPath Apps, and Data Service to bu...
Building Bridges: Merging RPA Processes, UiPath Apps, and Data Service to bu...
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & Esri
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial Intelligence
 
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
 
New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in Healthcare
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
 
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
 
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlueCloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
CloudStack Tooling Ecosystem – Kiran Chavala, ShapeBlue
 
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
 

Spring Framework - Spring Security

  • 1. Spring Framework - Security SPRING FRAMEWORK Dmitry Noskov Spring Security 3.0
  • 2. Application security  Security is arguably one of the most critical architectural components of any application written in the 21st century Spring Framework - Security Dmitry Noskov
  • 3. What is Spring Security  a powerful and highly customizable authentication and access-control framework  build on top of Spring Framework  de-facto standard for securing Spring-based applications Spring Framework - Security Dmitry Noskov
  • 4. Fundamentals (1)  principal  user that performs the action  authentication  confirming truth of credentials  authorization  define access policy for principal Spring Framework - Security Dmitry Noskov
  • 5. Fundamentals (2)  Authentication  the principal in a Spring Security-specific manner  GrantedAuthority  application-wide permissions granted to a principal  SecurityContext  hold the Authentication and other security information  SecurityContextHolder  provide access to SecurityContext Spring Framework - Security Dmitry Noskov
  • 6. SecurityContextHolder  provide access to SecurityContext  strategies  ThreadLocal  InreritableThreadLocal  Global Spring Framework - Security Dmitry Noskov
  • 7. Getting started SecurityContext context = SecurityContextHolder.getContext(); Object principal = context.getAuthentication().getPrincipal(); if (principal instanceof UserDetails) { String username = ((UserDetails)principal).getUsername(); } else { String username = principal.toString(); } Spring Framework - Security Dmitry Noskov
  • 8. Use case Spring Framework - Security Dmitry Noskov
  • 9. Namespace <beans xmlns="http://www.springframework.org/schema/beans" xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema /beans http://www.springframework.org/schema/ beans/spring-beans-3.0.xsd http://www.springframework.org/schema /security http://www.springframework.org/schema /security/spring-security-3.0.xsd"> Spring Framework - Security Dmitry Noskov
  • 10. Filters Spring Framework - Security Dmitry Noskov
  • 11. Security filter <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> Spring Framework - Security Dmitry Noskov
  • 12. Filter chain Spring Framework - Security Dmitry Noskov
  • 13. Filter chain (2) <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy"> <sec:filter-chain-map path-type="ant"> <sec:filter-chain pattern="/login.do*" filters="none"/> <sec:filter-chain pattern="/**.do*" filters=" securityContextPersistenceFilter, logoutFilter, usernamePasswordAuthenticationFilter, rememberMeAuthenticationFilter, exceptionTranslationFilter, filterSecurityInterceptor" /> </sec:filter-chain-map> </bean> Spring Framework - Security Dmitry Noskov
  • 14. Basic filters Filter Description ChannelProcessingFilter ensures that a request is being sent over HTTP or HTTPS SecurityContextPersistentFilter Populates the security context using information obtained from the repository (http session) LogoutFilter Used to log a user out of the application UsernamePasswordAuthenticationFilter Accepts the user’s principal and credentials and attempts to authenticate the user BasicAuthenticationFilter Attempts to authenticate a user by processing an HTTP Basic authentication ExceptionTranslationFilter Handles any AccessDeniedException or AuthenticationException FilterSecurityInterceptor Decides whether or not to allow access to a secured resource http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns- config.html#ns-custom-filters Spring Framework - Security Dmitry Noskov
  • 15. Authentication Spring Framework - Security Dmitry Noskov
  • 16. Authentication variants  credential-based  two-factor  hardware  other… Spring Framework - Security Dmitry Noskov
  • 17. Authentication mechanisms  basic  form  x.509  JAAS  etc. Spring Framework - Security Dmitry Noskov
  • 18. Authentication storage  RDMBS  LDAP  custom storage  etc. Spring Framework - Security Dmitry Noskov
  • 19. Fundamentals Filter Manager Provider Authentication UserDetails Spring Framework - Security Dmitry Noskov
  • 20. HTML form <form action="j_spring_security_check" method="post"> <span>Login:</span><input name="login" type="text"/> <span>Password:</span><input name="password" type="password"/> <input type="submit" value="Login"> </form> Spring Framework - Security Dmitry Noskov
  • 21. Username-password filter <bean id="..." class="...security.web.authentication.UsernamePasswordAuthenticationFilter"> <property name="authenticationManager" ref="authenticationManager"/> <property name="filterProcessesUrl" value="/j_spring_security_check"/> <property name="usernameParameter" value="login"/> <property name="passwordParameter" value="password"/> <property name="authenticationSuccessHandler"> <bean class="...security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> <property name="defaultTargetUrl" value="/index.do"/> </bean> </property> <property name="authenticationFailureHandler"> <bean class="...security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <property name="defaultFailureUrl" value="/login.do"/> </bean> </property> <property name="rememberMeServices" ref="rememberMeService"/> </bean> Spring Framework - Security Dmitry Noskov
  • 22. Core authentication services  AuthenticationManager  handles authentication requests  AuthenticationProvider  performs authentication  UserDetailsService  responsible for returning an UserDetails object  UerDetails  provides the core user information Spring Framework - Security Dmitry Noskov
  • 23. AuthenticationManager public interface AuthenticationManager { /* Attempts to authenticate the passed Authentication object, * returning a fully populated Authentication object (including * granted authorities) if successful. * @param authentication the authentication request object * @return a fully authenticated object including credentials * @throws AuthenticationException if authentication fails */ Authentication authenticate(Authentication authentication) throws AuthenticationException; } Spring Framework - Security Dmitry Noskov
  • 24. AuthenticationProvider public interface AuthenticationProvider { /* Performs authentication. * @param authentication the authentication request object. * @return a fully authenticated object including credentials. * @throws AuthenticationException if authentication fails.*/ Authentication authenticate(Authentication authentication) throws AuthenticationException; /*Returns true if this provider supports the indicated *Authentication object.*/ boolean supports(Class<? extends Object> authentication); } Spring Framework - Security Dmitry Noskov
  • 25. UserDetailsService /*Core interface which loads user-specific data.*/ public interface UserDetailsService { /* Locates the user based on the username. * @param username the username identifying the user * @return a fully populated user record (never null) * @throws UsernameNotFoundException if the user could not be found or the user has no GrantedAuthority * @throws DataAccessException if user could not be found for a repository-specific reason*/ UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException; } Spring Framework - Security Dmitry Noskov
  • 26. UserDetails /* Provides core user information.*/ public interface UserDetails extends Serializable { Collection<GrantedAuthority> getAuthorities(); String getPassword(); String getUsername(); boolean isAccountNonExpired(); boolean isAccountNonLocked(); boolean isCredentialsNonExpired(); boolean isEnabled(); } Spring Framework - Security Dmitry Noskov
  • 27. Authentication manager <bean id="..." class="...security.authentication.ProviderManager"> <property name="providers"> <list> <ref local="casAuthenticationProvider"/> <ref local="daoAuthenticationProvider"/> <ref local="ldapAuthenticationProvider"/> </list> </property> </bean> Spring Framework - Security Dmitry Noskov
  • 28. Authentication provider <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="userDetailsService"/> <property name="saltSource" ref bean="saltSource"/> <property name="passwordEncoder" ref="passwordEncoder"/> </bean> <bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> <property name="dataSource" ref="dataSource"/> </bean> Spring Framework - Security Dmitry Noskov
  • 29. Authentication DB schema Spring Framework - Security Dmitry Noskov
  • 30. Password encoding  PasswordEncoder  MD5  SHA  SaltSource  SystemWide  reflection Spring Framework - Security Dmitry Noskov
  • 31. Session management <bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter"> <property name="invalidSessionUrl" value="/timeout.do"/> <property name="sessionAuthenticationStrategy" ref="strategy"/> </bean> <bean id="strategy" class="…SessionFixationProtectionStrategy"> <property name="alwaysCreateSession" value="true"/> <property name="migrateSessionAttributes" value="true"/> </bean> Spring Framework - Security Dmitry Noskov
  • 32. Logout <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> <constructor-arg> <bean class="…SimpleUrlLogoutSuccessHandler"> <property name="defaultTargetUrl" value="/login"/> </bean> </constructor-arg> <constructor-arg> <bean class="…SecurityContextLogoutHandler"/> </constructor-arg> <property name="filterProcessesUrl" value="/logout"/> </bean> Spring Framework - Security Dmitry Noskov
  • 33. Remember Me authentication  RememberMeAuthenticationFilter  RememberMeServices  RememberMeAuthenticationProvider Spring Framework - Security Dmitry Noskov
  • 34. RememberMe service public interface RememberMeServices { Authentication autoLogin(HttpServletRequest request, HttpServletResponse response); void loginFail(HttpServletRequest request, HttpServletResponse response); void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication); } Spring Framework - Security Dmitry Noskov
  • 35. Remember Me shema Spring Framework - Security Dmitry Noskov
  • 36. Anonymous authentication <bean id="anonymousAuthenticationFilter" class="...web.authentication.AnonymousAuthenticationFilter"> <property name="key" value="foobar"/> <property name="userAttribute" value="anonymous,ROLE_ANONYMOUS"/> </bean> <bean id="anonymousAuthenticationProvider" class="...authentication.AnonymousAuthenticationProvider"> <property name="key" value="foobar"/> </bean> Spring Framework - Security Dmitry Noskov
  • 37. Authentication with magic tags <sec:http auto-config="true"> <sec:form-login login-page="" login-processing-url=""/> <sec:anonymous enabled="true"/> <sec:logout invalidate-session="true" logout-url=""/> <sec:remember-me services-ref=""/> </sec:http> Spring Framework - Security Dmitry Noskov
  • 38. Authorization Spring Framework - Security Dmitry Noskov
  • 39. Use case Spring Framework - Security Dmitry Noskov
  • 40. Authorization  handling  pre-invocation  after invocation  implementations  voting based  expression based Spring Framework - Security Dmitry Noskov
  • 41. Security layers  WEB (URLs)  Servlet Filter  methods  Spring AOP  AspectJ  content  JSP tag Spring Framework - Security Dmitry Noskov
  • 42. Security interceptor (1) Spring Framework - Security Dmitry Noskov
  • 43. Security interceptor (2) Security Interceptor Authentication Access Decision Run-As After-Invocation Manager Manager Manager Manager Spring Framework - Security Dmitry Noskov
  • 44. Voting based DecisionManager DecisionVoter ConfigAttribute Spring Framework - Security Dmitry Noskov
  • 45. Decision managers Decision manager Description AffirmativeBased Allows access if at least one voter votes to grant access ConsensusBased Allows access if a consensus of voters vote to grant access UnanimousBased Allows access if all voters vote to grant access Spring Framework - Security Dmitry Noskov
  • 46. Decision voter public interface AccessDecisionVoter { int ACCESS_GRANTED = 1; int ACCESS_ABSTAIN = 0; int ACCESS_DENIED = -1; boolean supports(ConfigAttribute attribute); boolean supports(Class<?> clazz); int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes); } Spring Framework - Security Dmitry Noskov
  • 47. Basic expressions Expression Description hasRole(‘ROLE_USER’) Returns true if the current principal has the specified role hasAnyRole(‘ROLE_USER’, ‘ROLE_ADMIN’) Returns true if the current principal has any of the roles principal Allows direct access to the principal object representing the current user authentication Allows direct access to the current Authentication object obtained from the SecurityContext permitAll Always evaluates to true denyAll Always evaluates to false isAnonymous() Returns true if the current principal is an anonymous user isRememberMe() Returns true if the current principal is a remember-me user Spring Framework - Security Dmitry Noskov
  • 48. WEB authorization Spring Framework - Security Dmitry Noskov
  • 49. Web authorization <bean id="..." class="web.access.intercept.FilterSecurityInterceptor"> <property name="authenticationManager" ref="authManager"/> <property name="accessDecisionManager" ref="decisionManager"/> <property name="securityMetadataSource"> <sec:filter-security-metadata-source> <sec:intercept-url pattern="/index.do*" access="IS_AUTHENTICATED_FULLY"/> <sec:intercept-url pattern="/**" access="ROLE_USER" filters="none" method="GET" requires-channel="https"/> </sec:filter-security-metadata-source> </property> </bean> Spring Framework - Security Dmitry Noskov
  • 50. WEB authorization with magic tags <sec:http use-expressions="true"> <sec:intercept-url pattern="/index*" access="isAuthenticated()"/> <sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" filters="none" method="GET" requires-channel="https"/> </sec:http> Spring Framework - Security Dmitry Noskov
  • 51. WEB authorization <bean id="webExpressionHandler" class="…DefaultWebSecurityExpressionHandler"/> <bean id="webExpressionVoter" class="…WebExpressionVoter"> <property name="expressionHandler" ref="webExpressionHandler"/> </bean> <bean class="org.springframework.security.access.vote.AffirmativeBased"> <property name="decisionVoters"> <list> <ref bean="webExpressionVoter"/> </list> </property> </bean> Spring Framework - Security Dmitry Noskov
  • 52. Custom expression root public class CustomWebSecurityExpressionRoot extends WebSecurityExpressionRoot { public CustomWebSecurityExpressionRoot(Authentication a, FilterInvocation fi) { super(a, fi); } public boolean hasAllRoles(String... roles) { return false; } } Spring Framework - Security Dmitry Noskov
  • 53. Custom expression handler public class CustomWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler { @Override public EvaluationContext createEvaluationContext(Authentication a, FilterInvocation fi) { StandardEvaluationContext ctx = (StandardEvaluationContext)super.createEvaluationContext(a, fi); SecurityExpressionRoot root = new CustomWebSecurityExpressionRoot(a, fi); ctx.setRootObject(root); return ctx; } } Spring Framework - Security Dmitry Noskov
  • 54. Method authorization Spring Framework - Security Dmitry Noskov
  • 55. Method authorization  annotation driven  voting based - @Secured  expression based - @Pre/@Post  JSR-250 - @RolesAllowed  xml driven Spring Framework - Security Dmitry Noskov
  • 56. Configuration <sec:global-method-security> access-decision-manager-ref="accessDecisionManager" jsr250-annotations="disabled" pre-post-annotations="disabled" secured-annotations="enabled" </sec:global-method-security> Spring Framework - Security Dmitry Noskov
  • 57. Annotation driven (voting)  voting @Secured({"ROLE_USER"}) void create(Customer customer);  jsr-250 @RolesAllowed({"ROLE_USER"}) void create(Customer customer); Spring Framework - Security Dmitry Noskov
  • 58. Annotation driven (expression)  1 @PreAuthorize("hasRole('ROLE_USER')") void create(Customer customer);  2 @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')") void create(Customer customer);  3 @PreAuthorize("hasAnyRole('ROLE_USER', 'ROLE_ADMIN')") void create(Customer customer); Spring Framework - Security Dmitry Noskov
  • 59. XML driven authorization (1) <bean id="methodInterceptor" class="…MethodSecurityInterceptor"> <property name="authenticationManager" ref="authManager"/> <property name="accessDecisionManager" ref="decisionManager"/> <property name="securityMetadataSource"> <value> org.training.AccountService.createAccount=ROLE_USER org.training.AccountService.delete*=ROLE_ADMIN </value> </property> </bean> Spring Framework - Security Dmitry Noskov
  • 60. XML driven authorization (2) <bean id="accountService" class="org.training.AccountServiceImpl"> <sec:intercept-methods> <sec:protect access="ROLE_USER" method="createAccount"/> <sec:protect access="ROLE_ADMIN" method="delete*"/> </sec:intercept-methods> </bean> Spring Framework - Security Dmitry Noskov
  • 61. Domain Object Security Spring Framework - Security Dmitry Noskov
  • 62. ACL DB scheme Spring Framework - Security Dmitry Noskov
  • 63. ACL_CLASS  ACL_SID  ACL_OBJECT_IDENTITY  ACL_ENTRY Spring Framework - Security Dmitry Noskov
  • 64. Basic classes  Acl  AccessControlEntry  Permission  Sid  ObjectIdentity  represents the identity of an individual domain object Spring Framework - Security Dmitry Noskov
  • 65. Basic ACL services  AclService  MutableAclService  LookupStrategy  ObjectIdentityRetrievalStrategy  SidRetrievalStrategy Spring Framework - Security Dmitry Noskov
  • 66. Permissions  base permissions  read (1)  write (2)  create (4)  delete (8)  administration (16)  custom permissions Spring Framework - Security Dmitry Noskov
  • 67. Spring Framework - Security Dmitry Noskov
  • 68. Configuration (voting) <sec:global-method-security access-decision-manager-ref="accessDecisionManager" secured-annotations="enabled"> </sec:global-method-security> <bean id="accessDecisionManager" class="…AffirmativeBased"> <property name="decisionVoters"> <list> <ref bean="voter1"/> <ref bean="voter2"/> </list> </property> </bean> Spring Framework - Security Dmitry Noskov
  • 69. @Secured  annotation @Secured("ACL_CUSTOMER_READ") public Customer getProjectsByCustomer(Customer customer) {}  voter <bean id="customerReadVoter" class="…AclEntryVoter"> <constructor-arg ref="aclService"/> <constructor-arg value="ACL_CUSTOMER_READ"/> <constructor-arg> <array> <util:constant static-field="…BasePermission.READ"/> </array> </constructor-arg> <property name="processDomainObjectClass" value="…Customer"/> </bean> Spring Framework - Security Dmitry Noskov
  • 70. Configuration (expressions) <sec:global-method-security pre-post-annotations="enabled"> <sec:expression-handler ref="expressionHandler"/> </sec:global-method-security> <bean id="expressionHandler" class="…DefaultMethodSecurityExpressionHandler"> <property name="permissionEvaluator" ref="permissionEvaluator"/> </bean> <bean id="permissionEvaluator" class="…AclPermissionEvaluator"> <constructor-arg ref="aclService"/> </bean> Spring Framework - Security Dmitry Noskov
  • 71. Permission evaluator public interface PermissionEvaluator { boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission); boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission); } Spring Framework - Security Dmitry Noskov
  • 72. @PreAuthorize  by domain object @PreAuthorize("hasPermission(#customer, 'delete')") public void delete(Customer customer);  by identifier @PreAuthorize( "hasPermission(#id, 'org.training.Customer', 'read') or " + "hasPermission(#id, 'org.training.Customer', 'admin')") public Customer getById(Long id);  hardcode @PreAuthorize("#customer.owner.id == principal.id") public void create(Customer customer); Spring Framework - Security Dmitry Noskov
  • 73. @PreFilter  single parameter @PreFilter("hasPermission(filterObject, 'read')") public List<Customer> filterCustomers(List<Customer> customers) { return customers; }  multiple parameters @PreFilter(filterTarget = "customers", value = "hasPermission(filterObject, 'update')") public void updateCustomers(List<Customer> customers, State st) { } Spring Framework - Security Dmitry Noskov
  • 74. Additional features Spring Framework - Security Dmitry Noskov
  • 75. RunAsManager /*Creates a new temporary Authentication object.*/ public interface RunAsManager { / *Returns a replacement Authentication object for the current *secure object, or null if replacement not required*/ Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> attr); boolean supports(ConfigAttribute attribute); boolean supports(Class<?> clazz); } Spring Framework - Security Dmitry Noskov
  • 76. RunAs configuration (1) <bean id="runAsManager" class="…RunAsManagerImpl"> <property name="rolePrefix" value="ROLE_"/> <property name="key" value="someKey"/> </bean> <bean class="…RunAsImplAuthenticationProvider"> <property name="key" value="someKey"/> </bean> Spring Framework - Security Dmitry Noskov
  • 77. RunAs configuration (2)  magic tag <sec:global-method-security run-as-manager-ref="runAsManager"> </sec:global-method-security>  interceptor bean <bean class="…MethodSecurityInterceptor"> <property name="runAsManager" ref="runAsManager"/> </bean> Spring Framework - Security Dmitry Noskov
  • 78. After invocation Spring Framework - Security Dmitry Noskov
  • 79. Basic services public interface AfterInvocationManager { Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes, Object returnedObject) throws AccessDeniedException; boolean supports(ConfigAttribute attribute); boolean supports(Class<?> clazz); } public interface AfterInvocationProvider { Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes, Object returnedObject) throws AccessDeniedException; boolean supports(ConfigAttribute attribute); boolean supports(Class<?> clazz); } Spring Framework - Security Dmitry Noskov
  • 80. Configuration  custom provider <sec:global-method-security> <sec:after-invocation-provider ref="myProvider"/> </sec:global-method-security>  custom manager <bean class="…MethodSecurityInterceptor"> <property name="afterInvocationManager" ref="myManager"/> </bean> Spring Framework - Security Dmitry Noskov
  • 81. @Post  @PostAuthorize @PreAuthorize("hasRole('ROLE_USER')") @PostAuthorize("hasPermission(returnObject, 'read')") public Employee getEmployeeByName(String name) { }  @PostFilter @PreAuthorize("hasRole('ROLE_USER')") @PostFilter("hasPermission(filterObject, 'read')") public List<Employee> getEmployees() { } Spring Framework - Security Dmitry Noskov
  • 82. JSP tag library Spring Framework - Security Dmitry Noskov
  • 83. Authentication <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <sec:authentication property="principal" var="user"/> <div class="links"><div>Logged in: ${user.name}</div></div> <div class="links"> <div><sec:authentication property="principal.name"/></div> </div> Spring Framework - Security Dmitry Noskov
  • 84. Authorize (1) <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <sec:authorize ifAllGranted="ROLE_ADMIN, ROLE_SUPERVISOR"> </sec:authorize> <security:authorize ifAnyGranted="ROLE_ADMIN, ROLE_SUPERVISOR"> </security:authorize> <security:authorize ifNotGranted="ROLE_ADMIN, ROLE_SUPERVISOR"> </security:authorize> Spring Framework - Security Dmitry Noskov
  • 85. Authorize (2) <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <sec:authorize access="hasRole('supervisor')"> This content will only be visible to users who have the "supervisor" authority in their list of <tt>GrantedAuthority</tt>s. </sec:authorize> Spring Framework - Security Dmitry Noskov
  • 86. Authorize (3)  JSP <sec:authorize url="/admin" > This content will only be visible to users who are authorized to send requests to the "/admin" URL. </sec:authorize>  security interceptor <bean id="..." class="web.access.intercept.FilterSecurityInterceptor"> <property name="securityMetadataSource"> <sec:filter-security-metadata-source> <sec:intercept-url pattern="/admin*" access="ROLE_ADMIN"/> </sec:filter-security-metadata-source> </property> </bean> Spring Framework - Security Dmitry Noskov
  • 87. ACL <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <sec:accesscontrollist hasPermission="1,2" domainObject="object"> This will be shown if the user has either of the permissions represented by the values "1" or "2" on the given object. </sec:accesscontrollist> Spring Framework - Security Dmitry Noskov
  • 88. Summary Spring Framework - Security Dmitry Noskov
  • 89. Separation of concerns  business logic is decoupled from security concern  authentication and authorization are decoupled Spring Framework - Security Dmitry Noskov
  • 90. Flexibility  authentication mechanisms  basic, form, cookies, SSO  user data storage  RDBMS, LDAP, etc.  based on Spring Spring Framework - Security Dmitry Noskov
  • 91. Portability  portable across containers  can be deployed as-is  runs in standalone environment Spring Framework - Security Dmitry Noskov
  • 92. Books Spring Framework - Security Dmitry Noskov
  • 93. Links  main features http://static.springsource.org/spring-security/site/features.html  articles http://static.springsource.org/spring-security/site/articles.html  reference http://static.springsource.org/spring- security/site/docs/3.0.x/reference/springsecurity.html  blog http://blog.springsource.com/category/security/  refcardz http://refcardz.dzone.com/refcardz/expression-based- authorization Spring Framework - Security Dmitry Noskov
  • 94. Questions Spring Framework - Core Dmitry Noskov
  • 95. The end http://www.linkedin.com/in/noskovd http://www.slideshare.net/analizator/presentations