Enterprise Security with Spring Security

                                                                Mike Wiesner
                                                           SpringSource Germany




Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited.
About me


         • Senior Consultant at SpringSource Germany

         • Spring / security consulting

         • Training

         • IT security consulting / reviews

         • mike.wiesner@springsource.com

Agenda


         • What is Spring Security?

         • Securing web applications

         • Authentication

         • Securing non-web applications

         • Best practices



What is Spring Security?


         • Spring Security
                 – is a powerful and flexible security framework
                 – is made for Java enterprise software development
                 – uses Spring as its foundation
                 – can be used for any Java application




What it is not


         • Firewall, proxy server, IDS
         • Operating system security
         • JVM (sandbox) security

         • These are baseline security measures that are always required!




Main features


         • Authentication
         • Web URL authorization
         • Method invocation authorization
         • Channel security
         • Human user detection
         • Domain instance based security (ACLs)
         • WS-Security (with Spring Web Services)
         • Flow authorization (with Spring Web Flow)


Integrations ...

     • Spring Portfolio
     • AspectJ
     • JA-SIG CAS
     • JOSSO
     • NTLM via JCIFS
     • OpenID
     • SiteMinder
     • Atlassian Crowd
     • jCaptcha
     • RFC 1945, 2617 etc.
     • Major containers
     • JAAS
     • Jasypt
     • Grails and Trails
     • Mule
     • DWR
     • Appfuse
     • AndroMDA

New in Spring Security 2


         • Spring Security 2 builds on the popular Acegi framework
         • Simpler configuration through the XML namespace
         • Improved LDAP support
         • Improved single sign-on support




Core concepts


         • Servlet filter
         • Authentication
         • Repositories
         • Web authorization
         • Method authorization




Servlet filter


         • DelegatingFilterProxy in web.xml
         • Delegates calls to the "springSecurityFilterChain" bean

         [Diagram: DelegatingFilterProxy (web.xml) -> springSecurityFilterChain (spring-context.xml)]



DEMO

                                                     Securing Web Applications




<intercept-url>


         • At least one is required, e.g.:
                 – /** = IS_AUTHENTICATED_ANONYMOUSLY
         • Creates a FilterSecurityInterceptor
         • and a filter chain for this URL




<intercept-url />

         <http>
            <intercept-url pattern="/admin/**"
                            access="ROLE_ADMIN" />
            <!-- REST support -->
            <intercept-url pattern="/User/**"
                            method="POST"
                            access="ROLE_SUPERVISOR"/>
         </http>

        • Evaluated top to bottom
         – most specific pattern first
         – catch-all last
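The top-to-bottom, first-match evaluation described on this slide, as an added example that is not code from the deck or from Spring Security: a self-contained Java stand-in that puts the slide's two rules together with the /** catch-all in the correct order and, beside it, with the catch-all first. Rule, toRegex, requiredAuthority and permitted are names invented for this example, and the glob-to-regex translation is a simplified substitute for Spring's AntPathMatcher, not the real one.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not part of the original deck: a minimal stand-in for the
// ordered, first-match-wins evaluation Spring Security performs for the
// <intercept-url> rules. The Ant-style matcher is a simplified re-implementation
// written for this example, not Spring's AntPathMatcher.
public class InterceptUrlOrdering {

    /** One <intercept-url pattern="..." method="..." access="..."/> rule. */
    static final class Rule {
        final Pattern pattern;   // compiled from the Ant-style path pattern
        final String method;     // null = any HTTP method
        final String access;     // required authority

        Rule(String antPattern, String method, String access) {
            this.pattern = Pattern.compile(toRegex(antPattern));
            this.method = method;
            this.access = access;
        }

        boolean matches(String httpMethod, String path) {
            return (method == null || method.equalsIgnoreCase(httpMethod))
                    && pattern.matcher(path).matches();
        }
    }

    /** Translate the Ant glob subset used on the slide: "**" = any path, "*" = one segment. */
    static String toRegex(String ant) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*') {
                if (i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                    sb.append(".*");
                    i++;
                } else {
                    sb.append("[^/]*");
                }
            } else if ("\\.[]{}()+-^$|?".indexOf(c) >= 0) {
                sb.append('\\').append(c);   // escape regex metacharacters
            } else {
                sb.append(c);
            }
        }
        return sb.append('$').toString();
    }

    /**
     * Walk the rules top to bottom; the first matching rule decides, exactly like
     * the <http> block on the slide. Returns the required authority, or null when
     * no rule matches (the reason the slide insists on a catch-all).
     */
    static String requiredAuthority(List<Rule> rules, String method, String path) {
        for (Rule r : rules) {
            if (r.matches(method, path)) {
                return r.access;
            }
        }
        return null;
    }

    static boolean permitted(List<Rule> rules, String method, String path, Set<String> granted) {
        String required = requiredAuthority(rules, method, path);
        // IS_AUTHENTICATED_ANONYMOUSLY is satisfied by everyone, including anonymous users.
        return required == null
                || required.equals("IS_AUTHENTICATED_ANONYMOUSLY")
                || granted.contains(required);
    }

    public static void main(String[] args) {
        Set<String> anonymous = Collections.singleton("ROLE_ANONYMOUS");   // constructed sample principal

        // Correct order from the slide: specific patterns first, catch-all last.
        List<Rule> good = new ArrayList<>();
        good.add(new Rule("/admin/**", null, "ROLE_ADMIN"));
        good.add(new Rule("/User/**", "POST", "ROLE_SUPERVISOR"));
        good.add(new Rule("/**", null, "IS_AUTHENTICATED_ANONYMOUSLY"));

        // Wrong order: the catch-all shadows every rule below it.
        List<Rule> bad = new ArrayList<>();
        bad.add(new Rule("/**", null, "IS_AUTHENTICATED_ANONYMOUSLY"));
        bad.add(new Rule("/admin/**", null, "ROLE_ADMIN"));
        bad.add(new Rule("/User/**", "POST", "ROLE_SUPERVISOR"));

        System.out.println("good order, anonymous GET  /admin/users -> " + permitted(good, "GET", "/admin/users", anonymous));
        System.out.println("bad order,  anonymous GET  /admin/users -> " + permitted(bad, "GET", "/admin/users", anonymous));
        System.out.println("good order, anonymous GET  /User/42     -> " + permitted(good, "GET", "/User/42", anonymous));
        System.out.println("good order, anonymous POST /User/42     -> " + permitted(good, "POST", "/User/42", anonymous));
    }
}
```

With the rules ordered as on the slide, the anonymous GET to /admin/users is refused and only POST to /User/** demands ROLE_SUPERVISOR. With the catch-all moved to the top, the same anonymous request to /admin/users is allowed, because /** matches first and IS_AUTHENTICATED_ANONYMOUSLY is satisfied by everyone. The misordering raises no error at startup, which is why rule order deserves an explicit test.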



Form login


         • HTML form as the login page
         • Defaults:
                 – login page: /spring_security_login

                 – error page: /spring_security_login?login_error

                 – action URL: /j_spring_security_check

         • Spring Security generates a login form
                 – as long as no custom page is configured

Basic authentication


         • Defined in RFC 1945 and 2617
         • Sent as an HTTP header
         • Frequently used in remote protocols
         • Caution: Base64 is not encryption!
                 – therefore always use HTTPS
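As an added example (not from the deck), the check a server-side guard makes before Basic credentials are accepted: decode the header as RFC 2617 specifies, then refuse it unless the request arrived over TLS, which is the enforced form of the slide's "always use HTTPS". parseBasic, rejectReason and the sample header value are constructed for this example; Spring Security's own Basic filter and channel-security rules are not used here.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example (not from the deck): parsing the Basic credentials a client
// sends and refusing them on an unencrypted channel. Base64 only transports
// the bytes; whoever can read the header can read the password.
public class BasicAuthChannelCheck {

    /** Username/password pair recovered from an Authorization header. */
    static final class Credentials {
        final String username;
        final String password;

        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Decode "Authorization: Basic <base64(user:pass)>" as RFC 2617 describes.
     * Returns empty for anything that is not a well-formed Basic header.
     */
    static Optional<Credentials> parseBasic(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();           // not valid Base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');         // split on the FIRST colon: passwords may contain ':'
        if (colon < 0) {
            return Optional.empty();
        }
        return Optional.of(new Credentials(pair.substring(0, colon), pair.substring(colon + 1)));
    }

    /**
     * The decision a channel-security rule enforces: accept Basic credentials
     * only when the request came in over TLS. Returns the reason a request is
     * refused, or null when it may proceed to authentication.
     */
    static String rejectReason(boolean secureChannel, String authorizationHeader) {
        Optional<Credentials> creds = parseBasic(authorizationHeader);
        if (!creds.isPresent()) {
            return "no well-formed Basic credentials";
        }
        if (!secureChannel) {
            return "Basic credentials presented over plain HTTP; require HTTPS";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample header: the pair "alice:s3cr:et" (password contains a colon).
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cr:et".getBytes(StandardCharsets.UTF_8));

        Credentials c = parseBasic(header).get();
        System.out.println("user recovered from header: " + c.username
                + " (password length " + c.password.length() + ")");
        System.out.println("over HTTP : " + rejectReason(false, header));
        System.out.println("over HTTPS: " + rejectReason(true, header));
        System.out.println("garbage   : " + rejectReason(true, "Basic %%%"));
    }
}
```

Splitting on the first colon keeps passwords that themselves contain ':' intact, and the TLS check is made before any credential lookup, so a password that travelled in the clear is never even compared.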



Authentication mechanisms


                  • Form
                  • Basic
                  • JDBC
                  • LDAP
                  • NTLM
                  • Containers
                  • JAAS
                  • JA-SIG CAS
                  • JOSSO
                  • SiteMinder
                  • Atlassian Crowd
                  • OpenID
                  • X.509
                  • Digest



Repositories


         • Authentication providers often deliver only the username
         • Usually more is needed (e.g. roles, rights, ...)
         • Repositories supply this additional information




JDBC repositories


         • <jdbc-user-details data-source-ref="x"/>
         • Customizable SQL queries

         Default tables:

           USER                   AUTHORITIES
           ----------             ----------
           USERNAME               USERNAME
           PASSWORD               AUTHORITY
           ENABLED




LDAP

         <ldap-user-service
            user-search-base="ou=people"
            user-search-filter="uid={0}"
            group-search-filter="member={0}"
            group-search-base="ou=groups" />


        • Finds e.g.
         – uid=admin,ou=people
        • and all groups under "ou=groups" with the attribute:
         – member: uid=admin,ou=people



Embedded LDAP server


         • Embedded Apache DS (for testing):
                 – <ldap-server ldif="classpath:users.ldif"
                   root="dc=springsource,dc=com"/>




Combinations


         • OpenID for authentication
                 – JDBC for user details

         • NTLM (Windows) for authentication
                 – LDAP for user details (e.g. Active Directory)

         • JA-SIG CAS for authentication
                 – custom UserDetailsProvider that uses e.g. Hibernate


URL filters are not enough!


         • No 1:1 relationship to resources, e.g. print views
                 – /listCustomers.html and
                   /print.view?page=listCustomers
         • Or there are no URLs at all
                 – applications outside the web
         • Or a single URL for all actions (e.g. AJAX)
                 – only the headers differ
         • Or bugs in the web container
Method Authorization


         [Diagram: Business layer / Security layer]
Method authorization

         <global-method-security>
            <protect-pointcut
               expression="execution(* admin.*.*(..))"
                  access="PERM_ADMIN_OP"/>
            <protect-pointcut
               expression="execution(* admin.User.delete(..))"
                  access="PERM_DELETE_USER"/>
         </global-method-security>

        @Secured("PERM_DELETE_USER")
        public void deleteUser(User user);

        JSR-250 common annotation:

        @RolesAllowed("PERM_DELETE_USER")
        public void deleteUser(User user);




DEMO

                                                               Method Authorization




Authorization


         • URL checks for coarse-grained authorization

         • Method checks for fine-grained authorization

         • No roles in annotations

                 – use rights (permissions) instead




Role-Based Access Control


        @Secured("ROLE_ADMIN")
        public void deleteUser(User user)

        Where does the role-to-right mapping take place?

        [Diagram: User  *--*  Role  *--*  Right  (many-to-many on both sides)]

        @Secured("PERM_DELETE_USER")
        public void deleteUser(User user)
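An added example, not code from the deck or from Spring Security, that puts this slide and the "Method authorization" slide together: a method guard that reads an annotation on the business interface, so every caller (list page, print view, AJAX endpoint, batch job) passes the same check, and a User *-* Role *-* Right resolution done once per login, so the annotation names a right (PERM_DELETE_USER) rather than a role. The Secured annotation, UserService, grantedRights and secure are local stand-ins for this example (Spring's real @Secured lives in org.springframework.security.annotation), and the users, roles and rights are made-up sample data.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.*;

// Added example, not from the deck: permission-based method authorization
// with a java.lang.reflect.Proxy in place of Spring's AOP interceptor.
public class PermissionBasedMethodGuard {

    /** Local stand-in for Spring Security's @Secured. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Secured { String value(); }

    /** Business interface; the guard reads the annotations from here. */
    interface UserService {
        @Secured("PERM_DELETE_USER")
        void deleteUser(String username);

        @Secured("PERM_LIST_USERS")
        List<String> listUsers();
    }

    static final class UserServiceImpl implements UserService {
        private final List<String> users = new ArrayList<>(Arrays.asList("alice", "bob"));
        public void deleteUser(String username) { users.remove(username); }
        public List<String> listUsers() { return new ArrayList<>(users); }
    }

    /** Constructed sample data for the User *-* Role *-* Right mapping. */
    static final Map<String, Set<String>> USER_ROLES = new HashMap<>();
    static final Map<String, Set<String>> ROLE_RIGHTS = new HashMap<>();
    static {
        USER_ROLES.put("admin", new HashSet<>(Arrays.asList("ROLE_ADMIN")));
        USER_ROLES.put("helpdesk", new HashSet<>(Arrays.asList("ROLE_SUPPORT")));
        ROLE_RIGHTS.put("ROLE_ADMIN", new HashSet<>(Arrays.asList("PERM_LIST_USERS", "PERM_DELETE_USER")));
        ROLE_RIGHTS.put("ROLE_SUPPORT", new HashSet<>(Arrays.asList("PERM_LIST_USERS")));
    }

    /** Resolve the rights a user holds through all of their roles (done once at login). */
    static Set<String> grantedRights(String username) {
        Set<String> rights = new HashSet<>();
        for (String role : USER_ROLES.getOrDefault(username, Collections.emptySet())) {
            rights.addAll(ROLE_RIGHTS.getOrDefault(role, Collections.emptySet()));
        }
        return rights;
    }

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** Wrap the service so every invocation is checked against the caller's rights. */
    static UserService secure(UserService target, Set<String> callerRights) {
        InvocationHandler guard = (proxy, method, args) -> {
            Secured required = method.getAnnotation(Secured.class);
            if (required != null && !callerRights.contains(required.value())) {
                throw new AccessDeniedException(method.getName() + " requires " + required.value());
            }
            return method.invoke(target, args);   // check passed: run the business code
        };
        return (UserService) Proxy.newProxyInstance(
                UserService.class.getClassLoader(), new Class<?>[] {UserService.class}, guard);
    }

    public static void main(String[] args) {
        UserServiceImpl impl = new UserServiceImpl();
        UserService asAdmin = secure(impl, grantedRights("admin"));
        UserService asHelpdesk = secure(impl, grantedRights("helpdesk"));

        System.out.println("helpdesk lists: " + asHelpdesk.listUsers());
        try {
            asHelpdesk.deleteUser("bob");   // same service method whichever URL led here
        } catch (AccessDeniedException e) {
            System.out.println("helpdesk denied: " + e.getMessage());
        }
        asAdmin.deleteUser("bob");
        System.out.println("admin deleted bob, remaining: " + asAdmin.listUsers());
    }
}
```

Because the check sits on the service and not on a URL, the print view and the list page cannot disagree about who may delete a user, and reorganising roles (giving ROLE_SUPPORT the delete right, say) is a data change in ROLE_RIGHTS rather than an edit to every annotation. For the "Testing" slide's advice, the same proxy can be placed around a no-op UserService so authorization tests run without the business logic.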




Testing


         • Users do not file bug reports when they are allowed to do "too much"

         • Security bugs must be found during development

         • Disable the business code for testing




Software design


         • Security should not dictate the software design
                 – "Those who would give up Essential Liberty to purchase a little
                   Temporary Safety, deserve neither Liberty nor Safety" - Benjamin Franklin
         • Evolutionary design driven by requirements
         • Security has to adapt to it
         • Spring Security makes this possible



Questions?


                  Mike Wiesner
                  SpringSource Germany
                  mike.wiesner@springsource.com
                  Skype: mikewiesner

                  http://www.springsource.com/de
                  http://www.mwiesner.com





Administrivia: Golden Tips for Making JIRA Hum
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA Hum
 
Creating a Whatsapp Clone - Part I.pdf
Creating a Whatsapp Clone - Part I.pdfCreating a Whatsapp Clone - Part I.pdf
Creating a Whatsapp Clone - Part I.pdf
 
Optaros Surf Code Camp Api
Optaros Surf Code Camp ApiOptaros Surf Code Camp Api
Optaros Surf Code Camp Api
 
Security On Rails
Security On RailsSecurity On Rails
Security On Rails
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web App
 
Nevmug Lighthouse Automation7.1
Nevmug   Lighthouse   Automation7.1Nevmug   Lighthouse   Automation7.1
Nevmug Lighthouse Automation7.1
 
Scripting Support in GlassFish v3 Prelude
Scripting Support in GlassFish v3 PreludeScripting Support in GlassFish v3 Prelude
Scripting Support in GlassFish v3 Prelude
 
Web Space10 Overview
Web Space10 OverviewWeb Space10 Overview
Web Space10 Overview
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

Enterprise Security mit Spring Security

  • 1. Enterprise Security mit Spring Security Mike Wiesner SpringSource Germany Copyright 2008 SpringSource. Copying, publishing or distributing without express written permission is prohibited.
  • 2. About me • Senior consultant at SpringSource Germany • Spring/Security consulting • Trainings • IT security consulting / reviews • mike.wiesner@springsource.com
  • 4. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-"web applications • Best practices
  • 5-9. What is Spring Security? • Spring Security –is a powerful and flexible security framework –is intended for Java enterprise software development –uses Spring as its base –can be used for any Java application
  • 10. What it is not • Firewall, proxy server, IDS • Operating system security • JVM (sandbox) security • These are base-level security measures that are always needed!
  • 11-12. Main features • Authentication • Web URL authorization • Method invocation authorization • Channel security • Human user detection • Domain instance based security (ACLs) • WS-Security (with Spring Web Services) • Flow authorization (with Spring Web Flow)
  • 13. Integrations ... • Spring Portfolio • RFC 1945, 2617 etc. • AspectJ • Major containers • JA-SIG CAS • JAAS • JOSSO • Jasypt • NTLM via JCIFS • Grails and Trails • OpenID • Mule • SiteMinder • DWR • Atlassian Crowd • Appfuse • jCaptcha • AndroMDA
  • 14. New in Spring Security 2 • Spring Security 2 builds on the popular Acegi framework • Simpler configuration through the XML namespace • Improved LDAP support • Improved single sign-on support
  • 15. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-"web applications • Best practices
  • 16. Core concepts • Servlet filter • Authentication • Repositories • Web authorization • Method authorization
  • 17. Servlet filter • DelegatingFilterProxy in web.xml • Forwards calls to the "springSecurityFilterChain" bean [diagram: DelegatingFilterProxy (web.xml) -> springSecurityFilterChain (spring-context.xml)]
  • 18. DEMO: Securing Web Applications
  • 19. <intercept-url> • At least one is required, e.g.: –/** = IS_AUTHENTICATED_ANONYMOUSLY • Creates a FilterSecurityInterceptor • and a filter chain for this URL
  • 20. <intercept-url /> <http> <intercept-url pattern="/admin/**" access="ROLE_ADMIN" /> <!-- REST support --> <intercept-url pattern="/User/**" method="POST" access="ROLE_SUPERVISOR"/> </http> • Evaluated from top to bottom –most specific pattern at the top –catch-all at the bottom
  • 21. Form login • HTML form as the login page • Defaults: –login page: /spring_security_login –error page: /spring_security_login?login_error –action URL: /j_spring_security_check • Spring Security generates the login form –as long as no custom page is specified
  • 22. Basic authentication • Defined in RFC 1945 and 2617 • Sent as an HTTP header • Frequently used in remote protocols • Caution: Base64 is not encryption! –so always use HTTPS
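A complete Spring Security 2.0 namespace context that puts slides 17 to 22 together: ordered intercept-url rules, a custom form login that overrides the generated defaults, HTTP Basic for REST clients, and channel security so that the Base64-encoded Basic credentials never travel over plain HTTP. This is an added illustration, not code from the talk. It assumes that web.xml registers a DelegatingFilterProxy under the filter name springSecurityFilterChain mapped to /* (slide 17), that a /login.jsp page exists, and that the two users are constructed sample data rather than a real user store.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the talk): web security with the Spring Security 2.0 namespace. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- Builds the "springSecurityFilterChain" bean that the DelegatingFilterProxy in web.xml delegates to. -->
  <http>
    <!-- Rules are evaluated top-down: most specific pattern first, catch-all last. -->
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https" />
    <!-- REST-style rule: only supervisors may POST to /User/**, and only over HTTPS,
         because the Basic credentials in the Authorization header are merely Base64-encoded. -->
    <intercept-url pattern="/User/**" method="POST" access="ROLE_SUPERVISOR" requires-channel="https" />
    <!-- The login page itself must be reachable anonymously, otherwise the redirect to it loops.
         The trailing * also covers /login.jsp?login_error=1. -->
    <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
    <!-- Catch-all: everything else needs a fully authenticated user (neither anonymous nor remember-me). -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

    <!-- Own login page instead of the generated /spring_security_login;
         the form still posts to the default action URL /j_spring_security_check. -->
    <form-login login-page="/login.jsp"
                authentication-failure-url="/login.jsp?login_error=1"
                default-target-url="/" />
    <!-- HTTP Basic (RFC 2617) for the REST clients; HTTPS is enforced by requires-channel above. -->
    <http-basic />
    <anonymous />
    <logout logout-success-url="/login.jsp" />
  </http>

  <!-- Constructed sample users for this example only; a real application uses a JDBC or LDAP repository. -->
  <authentication-provider>
    <user-service>
      <user name="alice" password="alice-sample-pw" authorities="ROLE_ADMIN,ROLE_SUPERVISOR" />
      <user name="bob"   password="bob-sample-pw"   authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>

</beans:beans>
```

The one ordering mistake to watch for is placing the /** catch-all above the specific rules: the interceptor stops at the first matching pattern, so a catch-all on top silently turns every later rule into dead configuration.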
  • 23. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-"web applications • Best practices
  • 24. Authentication mechanisms • Form • Basic • JDBC • LDAP • NTLM • Containers • JAAS • X.509 • Digest • JA-SIG CAS • JOSSO • SiteMinder • Atlassian Crowd • OpenID
  • 25. Repositories • Authentication providers often supply only the user name • Often more is needed (e.g. roles, permissions, ...) • Repositories supply this additional information
  • 26. JDBC repositories • <jdbc-user-service data-source-ref="x"/> • Customizable SQL queries • Default tables: USER (USERNAME, PASSWORD, ENABLED) and AUTHORITIES (USERNAME, AUTHORITY)
  • 27. LDAP <ldap-user-service user-search-base="ou=people" user-search-filter="uid={0}" group-search-filter="member={0}" group-search-base="ou=groups" /> • Finds e.g. –uid=admin,ou=people • And all groups under "ou=groups" with the attribute: –member: uid=admin,ou=people
  • 28. Embedded LDAP server • Embedded Apache DS (for testing): – <ldap-server ldif="classpath:users.ldif" root="dc=springsource,dc=com"/>
  • 29-32. Combinations • OpenID for authentication –JDBC for user details • NTLM (Windows) for authentication –LDAP for user details (e.g. Active Directory) • JA-SIG CAS for authentication –a custom UserDetailsProvider that uses e.g. Hibernate
  • 33. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-"web applications • Best practices
  • 34-37. URL filters are not enough! • No 1-to-1 relationship to resources, e.g. print views –/listCustomers.html and /print.view?page=listCustomers • Or there are no URLs at all –applications outside the web • Or a single URL for all actions (e.g. AJAX) –only the headers differ • Or bugs in the web container
  • 38-42. Method Authorization [diagram: security applied at the business layer, between the callers and the business objects]
  • 43-45. Method authorization <global-method-security> <protect-pointcut expression="execution(* admin.*.*(..))" access="PERM_ADMIN_OP"/> <protect-pointcut expression="execution(* admin.User.delete(..))" access="PERM_DELETE_USER"/> </global-method-security> @Secured("PERM_DELETE_USER") public void deleteUser(User user) JSR-250 Common Annotation: @RolesAllowed("PERM_DELETE_USER") public void deleteUser(User user);
  • 46. DEMO: Method Authorization
  • 47. Agenda • What is Spring Security? • Securing web applications • Authentication • Securing "non-"web applications • Best practices
  • 48. Authorization • URL checks for coarse-grained authorization • Method checks for fine-grained authorization • No roles in annotations –permissions instead
  • 49-51. Role-Based Access Control @Secured("ROLE_ADMIN") public void deleteUser(User user) Where does the mapping take place? [diagram: User *--* Role *--* Right (many-to-many associations)] @Secured("PERM_DELETE_USER") public void deleteUser(User user)
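The following context ties together the JDBC repository with customized queries (slide 26), the method security setup of slides 43 to 45, and the "rights instead of roles" advice of slides 48 to 51: the User-Role-Right mapping from the diagram is resolved in SQL, so the authorities Spring Security sees are rights such as PERM_DELETE_USER and the annotations never mention a role. This is an added example, not code from the talk. It assumes a DataSource bean named dataSource; constructed tables app_user(login, pw_hash, active), app_role(id, name), app_user_role(login, role_id), app_right(id, name) and app_role_right(role_id, right_id), with right names stored with the PERM_ prefix; a hypothetical service class admin.UserAdminService carrying the @Secured("PERM_DELETE_USER") annotation from the slides; and that the 2.0.x namespace attributes users-by-username-query, authorities-by-username-query and access-decision-manager-ref are available.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the talk): rights instead of roles as authorities, plus method security. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <authentication-provider>
    <!-- Passwords are compared as salted SHA hashes, never stored in clear text; the user name is the salt. -->
    <password-encoder hash="sha">
      <salt-source user-property="username" />
    </password-encoder>
    <!-- Custom schema (assumed, see lead-in). The first query must return username, password, enabled;
         the second must return username, authority. The join user -> role -> right turns role
         membership into PERM_* authorities, so the Role -> Right mapping lives in the database
         and the code only ever asks for a right. -->
    <jdbc-user-service data-source-ref="dataSource"
        users-by-username-query=
          "select login, pw_hash, active from app_user where login = ?"
        authorities-by-username-query=
          "select distinct ur.login, rt.name
             from app_user_role ur
             join app_role_right rr on rr.role_id = ur.role_id
             join app_right rt on rt.id = rr.right_id
            where ur.login = ?" />
  </authentication-provider>

  <!-- The default decision manager only contains a RoleVoter for ROLE_* attributes. With PERM_*
       attributes every voter would abstain and every secured call would be denied, so register
       voters that understand the PERM_ prefix (classes from the 2.0 org.springframework.security.vote package). -->
  <beans:bean id="permissionDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
      <beans:list>
        <beans:bean class="org.springframework.security.vote.RoleVoter">
          <beans:property name="rolePrefix" value="PERM_" />
        </beans:bean>
        <beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />
      </beans:list>
    </beans:property>
  </beans:bean>

  <!-- Method-level authorization: @Secured annotations on the service methods carry the specific
       right they need, the pointcut gives every method in the admin package a baseline right.
       jsr250-annotations="enabled" would additionally activate @RolesAllowed if the JSR-250 API is present. -->
  <global-method-security secured-annotations="enabled"
                          access-decision-manager-ref="permissionDecisionManager">
    <protect-pointcut expression="execution(* admin.*.*(..))" access="PERM_ADMIN_OP" />
  </global-method-security>

  <!-- Hypothetical service bean; it must be a Spring bean so the method security interceptor can proxy it. -->
  <beans:bean id="userAdminService" class="admin.UserAdminService" />

</beans:beans>
```

The voter prefix is the detail most often missed when moving from ROLE_ to PERM_ attributes: the symptom is an AccessDeniedException for every user, including administrators, which is the safe failure mode but easy to misread as a repository problem. Changing which rights a role grants is then a data change in app_role_right, with no redeployment and no annotation edits.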
  • 52. Testing • Users do not file bug reports when they are allowed to do "too much" • Security bugs must be found during development • Disable the business code for testing
  • 53. Software design • Security should not dictate the software design –"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety" - Benjamin Franklin • Evolutionary design driven by requirements • Security must adapt to it • With Spring Security this is possible
  • 54. Questions? Mike Wiesner SpringSource Germany mike.wiesner@springsource.com Skype: mikewiesner http://www.springsource.com/de http://www.mwiesner.com