Iasi Code Camp, 20 April 2013: Windows authentication with Spring Security and Kerberos


  1. A bridge between two worlds: Spring Security & Kerberos
     Claudiu Stancu
  2. Agenda
     • Me & the other me
     • Security concepts
     • Kerberos
     • All together
     • Code time
  3. IN YOUR ZONE
     About me…
     Development Discipline Lead at Endava
  4. The other me…
  5. Security concepts – Data types
     PUBLIC, PRIVATE, CONFIDENTIAL, SECRET
  6. Authentication
     "The process of verifying that the users of our application are who they say they are"
  7. Authentication – Credentials based
  8. Authentication – Biometric authentication
  9. Authentication – Two-factor authentication
  10. Authentication
     • Browser certificates
     • Single Sign-On
     • Hardware authentication
  11. Authorization
     • Assign authenticated Principals to one or more Roles
     • Assign the Principal's Role(s) to secured resources
  12. Spring Security
     • Servlet Filters
     • Delegation
  13. Spring Security – Filters
     Request → filter chain → Secured Resource → Response; the chain is built from filters such as:
     • o.s.s.web.context.SecurityContextPersistenceFilter
     • o.s.s.web.authentication.logout.LogoutFilter
     • o.s.s.web.authentication.UsernamePasswordAuthenticationFilter
     • o.s.s.web.session.SessionManagementFilter
  14. Spring Security – Fundamentals
     • Security Interceptor
     • AuthenticationManager
     • AccessDecisionManager
     • RunAsManager
     • AfterInvocationManager
  15. Spring Security – Authentication Manager
     AuthenticationManager is implemented by ProviderManager, which delegates to a list of providers:
     • LdapAuthenticationProvider
     • CasAuthenticationProvider
     • KerberosAuthenticationProvider
     • DaoAuthenticationProvider
     • RememberMeAuthenticationProvider
  16. Spring Security – Access Decision Manager
     Hierarchy: AccessDecisionManager → AbstractAccessDecisionManager → AffirmativeBased, ConsensusBased, UnanimousBased. Each manager polls decision voters (AbstractDecisionVoter, e.g. RoleVoter).
     Access Decision Manager | Grant / Deny access?
     Affirmative based       | At least one voter grants access
     Consensus based         | A majority of voters grants access
     Unanimous based         | All voters grant access
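To make the three strategies on the access-decision slide concrete, here is an added example (my code, not the deck's and not Spring's) that re-implements the vote counting in Python: two simplified voters modelled on RoleVoter and AuthenticatedVoter, and a decide() function whose affirmative / consensus / unanimous branches follow the rules in the table. Function and parameter names are assumed. The two keyword defaults reproduce Spring's allowIfAllAbstainDecisions=false and ConsensusBased's allowIfEqualGrantedDeniedDecisions=true, which covers the case the table does not mention: when every voter abstains, all three managers deny.

```python
# Added example, not from the deck: the three AccessDecisionManager
# strategies (AffirmativeBased, ConsensusBased, UnanimousBased) rebuilt in
# plain Python so the vote arithmetic is visible. Function names are
# assumed; the vote constants mirror Spring's AccessDecisionVoter.
from typing import Callable, List, Set

ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1

# A voter sees the caller's granted authorities and the config attributes
# of the secured resource, and returns one of the three verdicts.
Voter = Callable[[Set[str], Set[str]], int]


def role_voter(authorities: Set[str], attributes: Set[str]) -> int:
    """Like Spring's RoleVoter: only votes on ROLE_-prefixed attributes,
    abstains when the resource carries none."""
    wanted = {a for a in attributes if a.startswith("ROLE_")}
    if not wanted:
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if wanted & authorities else ACCESS_DENIED


def authenticated_voter(authorities: Set[str], attributes: Set[str]) -> int:
    """Simplified AuthenticatedVoter: votes only when IS_AUTHENTICATED_FULLY
    is required, denying anonymous callers (ROLE_ANONYMOUS is assumed to
    mark them, as Spring's AnonymousAuthenticationFilter does by default)."""
    if "IS_AUTHENTICATED_FULLY" not in attributes:
        return ACCESS_ABSTAIN
    return ACCESS_DENIED if "ROLE_ANONYMOUS" in authorities else ACCESS_GRANTED


def decide(strategy: str, voters: List[Voter], authorities: Set[str],
           attributes: Set[str], allow_if_all_abstain: bool = False,
           allow_if_equal: bool = True) -> bool:
    """Return True to grant access. The two keyword defaults are Spring's:
    allowIfAllAbstainDecisions=false on every manager and
    allowIfEqualGrantedDeniedDecisions=true on ConsensusBased."""
    votes = [v(authorities, attributes) for v in voters]
    granted = votes.count(ACCESS_GRANTED)
    denied = votes.count(ACCESS_DENIED)
    if granted == 0 and denied == 0:
        # Every voter abstained: deny unless explicitly configured otherwise.
        return allow_if_all_abstain
    if strategy == "affirmative":       # one grant is enough
        return granted > 0
    if strategy == "consensus":         # majority rules, ties configurable
        return allow_if_equal if granted == denied else granted > denied
    if strategy == "unanimous":         # one deny is enough to refuse
        # Spring's UnanimousBased polls each attribute separately; counting
        # votes over the whole attribute set gives the same verdict here.
        return denied == 0
    raise ValueError(f"unknown strategy {strategy!r}")


def compare(authorities: Set[str], attributes: Set[str], **opts) -> dict:
    """Run the same request through all three managers."""
    voters = [role_voter, authenticated_voter]
    return {s: decide(s, voters, authorities, attributes, **opts)
            for s in ("affirmative", "consensus", "unanimous")}


if __name__ == "__main__":
    user = {"ROLE_USER"}
    # One voter grants (fully authenticated), the other denies (no ROLE_ADMIN).
    print(compare(user, {"ROLE_ADMIN", "IS_AUTHENTICATED_FULLY"}))
    # Nothing to vote on: both voters abstain, so the default is a denial.
    print(compare(user, {"SCOPE_read"}))
    print(compare(user, {"SCOPE_read"}, allow_if_all_abstain=True))
```

The split vote in the first call is the one to remember when choosing a manager: the same request passes AffirmativeBased and (with the default tie rule) ConsensusBased, but fails UnanimousBased, so the choice of manager is a security decision, not a tuning detail.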
  17. Kerberos
  18. Kerberos – Authentication Service exchange (diagram)
     The client {cstancu, 192.168.1.2} asks the KDC for a ticket-granting ticket and receives the TGT together with SessionKey1; the client now holds TGT + SessionKey1.
  19. Kerberos – Ticket-Granting Service and service exchange (diagram)
     • Client → TGS: TGT plus an Authenticator sealed with SessionKey1
     • TGS → client: Mail Ticket plus SessionKey2, sealed with SessionKey1
     • Client → mail server: Mail Ticket plus an Authenticator sealed with SessionKey2
     • Mail server → client: ok
     The client ends up holding TGT, SessionKey1, Mail Ticket and SessionKey2.
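The two Kerberos slides are diagrams; the following added example (my code, not from the deck) plays the AS, TGS and mail-service exchanges through in Python so the contents of a ticket and an authenticator, and the checks the TGS and the mail server perform, are explicit. The cipher is a toy encrypt-then-MAC built from hashlib and hmac standing in for Kerberos' real encryption types; the principal names, keys, lifetimes and the "mail" service are constructed.

```python
# Added example, not from the deck: the AS / TGS / service exchanges from
# the two Kerberos slides, simulated end to end. The cipher is a TOY
# (SHA-256 keystream plus HMAC) standing in for Kerberos' encryption types;
# keys, names, lifetimes and the mail service are constructed.
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600   # seconds, an assumed realm policy
CLOCK_SKEW = 300             # Kerberos' usual 5-minute authenticator window


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for counter in range(-(-n // 32)):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON object: nonce || body || tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("does not decrypt under this key")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


# Long-term keys (constructed). In a real realm the user's key derives from
# the password; the service keys live in the KDC database and in keytabs.
KEYS = {"cstancu": os.urandom(32), "krbtgt": os.urandom(32), "mail": os.urandom(32)}


def issue_ticket(service: str, client: str, session_key: bytes, now: int) -> bytes:
    """A ticket is sealed under the *service's* key; the client cannot read it."""
    return encrypt(KEYS[service], {"client": client, "key": session_key.hex(),
                                   "expires": now + TICKET_LIFETIME})


def verify(service: str, ticket: bytes, authenticator: bytes, now: int) -> dict:
    """What every ticket consumer (TGS or mail server) checks: the ticket opens
    under its own key and is unexpired, the authenticator opens under the
    session key carried inside the ticket, the names match, the time is fresh."""
    body = decrypt(KEYS[service], ticket)
    if now > body["expires"]:
        raise ValueError("ticket expired")
    auth = decrypt(bytes.fromhex(body["key"]), authenticator)
    if auth["client"] != body["client"]:
        raise ValueError("authenticator/ticket client mismatch")
    if abs(auth["time"] - now) > CLOCK_SKEW:
        raise ValueError("authenticator outside clock-skew window (replay?)")
    return body


def as_exchange(client: str, now: int):
    """AS_REQ/AS_REP: the TGT plus SessionKey1, the latter sealed under the user's key."""
    session_key1 = os.urandom(32)
    tgt = issue_ticket("krbtgt", client, session_key1, now)
    return tgt, encrypt(KEYS[client], {"key": session_key1.hex()})


def tgs_exchange(tgt: bytes, authenticator: bytes, service: str, now: int):
    """TGS_REQ/TGS_REP: a service ticket plus SessionKey2 sealed under SessionKey1."""
    body = verify("krbtgt", tgt, authenticator, now)
    session_key2 = os.urandom(32)
    ticket = issue_ticket(service, body["client"], session_key2, now)
    return ticket, encrypt(bytes.fromhex(body["key"]), {"key": session_key2.hex()})


def ap_exchange(service: str, ticket: bytes, authenticator: bytes, now: int) -> str:
    """AP_REQ at the service: returns the authenticated client name."""
    return verify(service, ticket, authenticator, now)["client"]


def client_flow(client: str, service: str, now: int) -> dict:
    """The client side of both Kerberos slides; returns what the client holds at the end."""
    tgt, enc1 = as_exchange(client, now)
    session_key1 = bytes.fromhex(decrypt(KEYS[client], enc1)["key"])
    auth1 = encrypt(session_key1, {"client": client, "time": now})
    ticket, enc2 = tgs_exchange(tgt, auth1, service, now)
    session_key2 = bytes.fromhex(decrypt(session_key1, enc2)["key"])
    auth2 = encrypt(session_key2, {"client": client, "time": now})
    return {"principal": ap_exchange(service, ticket, auth2, now),
            "ticket": ticket, "session_key2": session_key2, "authenticator": auth2}


if __name__ == "__main__":
    now = 1_700_000_000
    state = client_flow("cstancu", "mail", now)
    print("mail server accepted", state["principal"])
    try:  # replaying the captured authenticator ten minutes later is refused
        ap_exchange("mail", state["ticket"], state["authenticator"], now + 600)
    except ValueError as e:
        print("replay refused:", e)
```

The function worth studying is verify(): the TGS and the mail server run exactly the same checks, which is why a TGT is nothing more than a ticket for the krbtgt service. Running the block also shows a replayed authenticator being refused once it falls outside the five-minute window; a real KDC or service additionally keeps a replay cache for authenticators that are still inside the window, which this toy omits.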
  20. All together – (1) HTTP GET resource.html
  21. All together – (3) Kerberos TGS_REQ
  22. All together – (5) HTTP GET with Authorization: Negotiate w/ SPNEGO token; (6) HTTP 200 OK, resource.html
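The "All together" slides show steps (1), (3), (5) and (6) of the browser-to-server flow. The added example below (my code, not the deck's and not the Spring Security Kerberos extension's) implements the HTTP side of that flow as a small server handler in Python: the 401 Negotiate challenge that sits between (1) and (3), parsing of the Authorization: Negotiate header, and a framing check on the GSS-API token to tell whether the browser sent SPNEGO, bare Kerberos or a raw NTLM message, which a Kerberos-only service should refuse. Actual ticket validation (GSS-API/JAAS against the service's HTTP/<host> keytab) is delegated to a callback and stubbed; the token bytes, the step numbering of the challenge, and the principal name are constructed.

```python
# Added example, not from the deck: the HTTP side of the "All together"
# slides as a tiny server-side handler. Ticket validation is delegated to
# a callback (GSS-API/JAAS in production, out of scope here); the tokens
# and principal below are constructed.
import base64
import binascii
from typing import Callable, Dict, Optional, Tuple

# DER-encoded mechanism OIDs that can open a GSS-API initial context token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2


def _der_length(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a DER length at buf[i]; returns (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_length_bytes(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def gss_initial_token(mech_oid: bytes, inner: bytes) -> bytes:
    """[APPLICATION 0] { mech OID, inner token }, the RFC 2743 3.1 framing."""
    return b"\x60" + _der_length_bytes(len(mech_oid) + len(inner)) + mech_oid + inner


def classify_token(token: bytes) -> str:
    """'spnego', 'kerberos', 'ntlm' or 'unknown', from the framing alone."""
    if token.startswith(b"NTLMSSP\x00"):      # raw NTLMSSP message
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    length, i = _der_length(token, 1)
    if length != len(token) - i:
        return "unknown"                      # declared length does not match
    rest = token[i:]
    if rest.startswith(SPNEGO_OID):
        return "spnego"
    if rest.startswith(KRB5_OID) or rest.startswith(MS_KRB5_OID):
        return "kerberos"
    return "unknown"


NEGOTIATE = {"WWW-Authenticate": "Negotiate"}


def handle(headers: Dict[str, str],
           validate: Callable[[bytes], Optional[str]]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Server side of steps (1)/(5)/(6): returns (status, headers, principal)."""
    auth = headers.get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme != "Negotiate" or not value:
        return 401, NEGOTIATE, None           # the challenge between steps (1) and (3)
    try:
        token = base64.b64decode(value, validate=True)
    except binascii.Error:
        return 400, {}, None
    kind = classify_token(token)
    if kind == "ntlm":
        # Negotiate also admits NTLM; a Kerberos-only service refuses the downgrade.
        return 401, NEGOTIATE, None
    if kind == "unknown":
        return 400, {}, None
    principal = validate(token)               # GSS accept_sec_context in real life
    if principal is None:
        return 401, NEGOTIATE, None
    return 200, {}, principal                 # step (6): resource.html


def browser_request(token: bytes) -> Dict[str, str]:
    """Step (5): what the browser sends once it has built the SPNEGO token."""
    return {"Authorization": "Negotiate " + base64.b64encode(token).decode()}


if __name__ == "__main__":
    # Constructed tokens: the inner bytes stand in for a real AP-REQ / NTLM type 1.
    spnego = gss_initial_token(SPNEGO_OID, b"\xa0\x00")
    ntlm = b"NTLMSSP\x00\x01\x00\x00\x00"
    fake_validate = lambda t: "cstancu@EXAMPLE.COM"   # constructed principal
    print(handle({}, fake_validate))
    print(handle(browser_request(ntlm), fake_validate))
    print(handle(browser_request(spnego), fake_validate))
```

The framing check is deliberately shallow: a token that starts with the SPNEGO OID may still list only NTLMSSP in its mechTypes, so the real decision about accepted mechanisms belongs to the GSS layer behind validate(). The point is the shape of the exchange and the fact that "Negotiate" does not mean "Kerberos".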
  23. Code time…
  24. Claudiu Stancu | Development Discipline Lead
