SlideShare a Scribd company logo

securing-portlets-with-spring-security.pdf

J
jcarrey

The document discusses securing portlets with Spring Security. It provides an overview of JSR 168 portlet security capabilities and then discusses how to apply Spring Security to secure portlets. The main components discussed are the PortletProcessingInterceptor, AuthenticationManager, AuthenticationDetailsSource, AuthenticationProvider, UserDetailsService, and PortletSessionContextIntegrationInterceptor which are used to secure portlets similarly to how Spring Security secures servlets. It also discusses applying security at the rendering, dispatch, service layers and integrating portlet and servlet security.

1 of 44
Download to read offline
Securing Portlets With Spring Security John A. Lewis Chief Software Architect Unicon, Inc. JA-SIG Spring 2008 Conference 28 April 2008 © Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Agenda ● JSR 168 Portlet Security ● Spring Security (aka “Acegi”) ● Spring Portlet Security ● Applying Portlet Security ● Resources ● Questions & Answers 2
JSR 168 Portlet Security What does the spec give us to work with? 3
Portal Authentication ● The portal is completely responsible for authentication – This means we just use what it gives us – we don't redirect for authentication purpose ● The JSR 168 PortletRequest class provides two methods for getting user identity (the same ones as the Servlet spec) String getRemoteUser() Principal getUserPrincipal() 4
Portal Authorization ● Portals generally provide the ability to assign a set of “Roles” to the User ● The JSR 168 PortletRequest class provides a method for getting at these roles (the same ones as the Servlet spec) boolean isUserInRole(String) 5
Declaring Portal Roles ● Same as declaring roles for Servlet container- based security ● Include all portal roles that may be used in web.xml: ... <security-role> <role-name>manager</role-name> </security-role> ... 6
Mapping Portal Roles To Portlet Roles ● In portlet.xml: <portlet> <portlet-name>books</portlet-name> ... Portlet Role <security-role-ref> <role-name>ADMINISTRATOR</role-name> <role-link>manager</role-link> </security-role-ref> </portlet> Portal Role Warning! If you are storing your SecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later), make sure these are the same in all your <portlet> declarations – the first one to be invoked on a page will determine the mapping for all portlets in your webapp. 7
Security Constraints ● Require a secure transport in portlet.xml: <portlet-app> ... <portlet> <portlet-name>accountSummary</portlet-name> ... </portlet> ... <security-constraint> <display-name>Secure Portlets</display-name> <portlet-collection> <portlet-name>accountSummary</portlet-name> </portlet-collection> <user-data-constraint/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> ... </portlet-app> 8
Other Portlet Security Info ● PortletRequest has a couple other key security-related methods: StringgetAuthType() String getAuthType() Returns name of authentication scheme used (BASIC_AUTH, CLIENT_CERT_AUTH, custom) or null if user is not authenticated. boolean isSecure() boolean isSecure() Returns true if the request was made over a secure channel (such as HTTPS) 9
Portlet User Attributes ● Can also use the USER_INFO Map available as a PortletRequest attribute. ● May contain arbitrary user information: – user.name.given – user.bdate – user.gender – etc. ● Some portals expose security-related information here, but this mechanism should be avoided if possible 10
Spring Security a.k.a Acegi Security A quick overview 11
What Is Spring Security? ● Powerful, flexible security framework for enterprise software ● Emphasis on applications using Spring ● Comprehensive authentication, authorization, and instance-based access control ● Avoids security code in your business logic – treats security as a cross-cutting concern ● Built-in support for a wide variety of authentication and integration standards 12
Spring Security Releases ● Acegi Security (the old name) – Current Version: 1.0.7 – Initial GA Release: May 2006 – Portlet support in Sandbox ● Spring Security (the new name) – Current Version: 2.0.0 – Initial GA Release: April 2008 – Portlet support Included – Changes packaging from org.acegisecurity to org.springframework.security 13
Applications Are Like Onions ● Spring Security can be applied at multiple layers in your application: – Apply security as markup is constructed in the Rendering Layer using the supplied JSP taglib – Restrict access to areas of web application in the Dispatch Layer based on URL pattern-matching – Secure method invocation on the Service Layer to ensure calls are from properly authorized user – Provide Access Control Lists (ACLs) for individual objects in the Domain Layer 14
Spring Portlet Security Applying Spring Security to Portlets 15
Portlet Challenges ● Portlets have some key differences from Servlets: – No Filters – Can't treat URLs like Paths – Multiple Request Phases ● These create some challenges in applying the normal Spring Security patterns ● So we need some different infrastructure for wiring Spring Security into our portlet application 16
Six Main Portlet Security Beans ● PortletProcessingInterceptor ● AuthenticationManager ● AuthenticationDetailsSource ● AuthenticationProvider ● UserDetailsService ● PortletSessionContextIntegrationInterceptor 17
PortletProcessingInterceptor ● Interceptor that processes portlet requests for authentication by invoking the configured AuthenticationManager ● Creates the initial AuthenticationToken from the PortletRequest security methods <bean id="portletProcessingInterceptor" class="org.springframework.security.ui.portlet. PortletProcessingInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationDetailsSource" ref="portletAuthenticationDetailsSource" /> </bean> Portlet equivalent of AuthenticationProcessingFilter used for traditional servlet web applications 18
AuthenticationManager ● Use normal provider-based AuthenticationManager bean ● Declared via special namespace schema: <sec:authentication-manager alias="authenticationManager" /> Can use multiple providers if you are authenticating from Portlets and Servlets 19
AuthenticationDetailsSource ● Can be used to check isUserInRole(...) to get list of Portal Roles into the Authentication Request: <bean name=”portletAuthenticationDetailsSource” class="org.springframework.security.ui.portlet. PortletPreAuthenticatedAuthenticationDetailsSource"> <property name="mappableRolesRetriever"> <bean class="org.springframework.security. authoritymapping.SimpleMappableAttributesRetriever"> <property name="mappableAttributes"> <list> <value>ADMIN</value> </list> </property> </bean> Only needed if we are using Portal Roles for </property> our security decisions </bean> 20
AuthenticationProvider ● PreAuthenticatedAuthenticationProvider processes pre-authenticated authentication request (from PortletProcessingInterceptor) ● A valid PreAuthenticatedAuthenticationToken with non-null principal & credentials will succeed <bean id="portletAuthenticationProvider" class="org.springframework.security.providers.preauth. PreAuthenticatedAuthenticationProvider"> <sec:custom-authentication-provider /> <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" /> </bean> 21
UserDetailsService ● Bean that knows how to populate user details (including GrantedAuthorities) for the authenticated user – PreAuthenticatedGrantedAuthoritiesUserDetailsService will use purely data contained in the PreAuthenticatedAuthenticationToken <bean name="preAuthenticatedUserDetailsService" class="org.springframework.security.providers.preauth. PreAuthenticatedGrantedAuthoritiesUserDetailsService" /> Can also use any other UserDetailsService that can populate UserDetails by username, such as JdbcUserDetailsManager or LdapUserDetailsManager 22
PortletSessionContextIntegrationInterceptor ● Interceptor that retrieves/stores the contents of the SecurityContextHolder in the active PortletSession ● Without this, every request would trigger a full authentication cycle ● Default is to use APPLICATION_SCOPE <bean id="portletSessionContextIntegrationInterceptor" class="org.springframework.security.context. PortletSessionContextIntegrationInterceptor" /> Portlet equivalent of HttpSessionContextIntegrationFilter, used for traditional servlet web applications 23
Using The Two Interceptors ● Add them to our Portlet's HandlerMapping: <bean id="portletModeHandlerMapping" class="org.springframework.web.portlet.handler. PortletModeHandlerMapping"> <property name="interceptors"> <list> <ref bean="portletSessionContextIntegrationInterceptor"/> <ref bean="portletProcessingInterceptor"/> </list> </property> <property name="portletModeMap"> <map> <entry key="view"><ref bean="viewController"/></entry> <entry key="edit"><ref bean="editController"/></entry> <entry key="help"><ref bean="helpController"/></entry> </map> </property> </bean> Warning! This ordering is critical – they will not work correctly if they are reversed! 24
Applying Portlet Security To The Rendering Layer Customizing our markup based on security information 25
Spring Security JSP TagLib ● Allows us to access authentication information and to check authorizations ● Useful for showing/hiding information or navigation controls based on security info <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <p>Username: <sec:authentication property="principal.username"/></p> <sec:authorize ifAllGranted="ROLE_USER"> <p>You are an authorized user of this system.</p> </sec:authorize> <sec:authorize ifAllGranted="ROLE_ADMINISTRATOR"> <p>You are an administrator of this system.</p> </sec:authorize> Warning: Don't rely on this to restrict access to areas of the application. Just because navigation doesn't appear in the markup doesn't mean a clever hacker can't generate a GET/POST that will still get there. 26
Applying Portlet Security To The Dispatch Layer Controlling where users can go in the application 27
Secure Portlet Request Dispatching ● Portlet Requests don't have a path structure, so we can't use the path-based patterns of FilterSecurityInterceptor to control access ● Something standard may be added in the future – perhaps a ConfigAttributeDefinition for various aspects of Portlet Requests that we can use as an ObjectDefinitionSource 28
Using a HandlerInterceptor ● Best practice in Spring 2.0 is to build a custom HandlerInterceptor for your Portlet ● Compare contents of SecurityContextHolder. getContext(). getAuthentication() with Portlet Mode, Window State, Render Parameters – whatever you want to use to determine permission ● Throw a PortletSecurityException if access is not permitted, otherwise allow processing to proceed 29
Using Annotations ● If using Spring 2.5 Annotation-based Dispatching, use Security Annotations as well – ApplicationContext entry: <sec:global-method-security secured-annotations="enabled" /> – Annotated method: import org.springframework.security.annotation.Secured; ... @Secured({"ROLE_ADMIN"}) @RequestMapping(params="action=view") public String deleteItems(RequestParam("item") int itemId) { ... 30
Applying Portlet Security To The Service Layer Making sure Services are invoked by only by user with proper permissions 31
AccessDecisionManager ● Standard Spring Security bean for making decisions about access to resources <bean id="accessDecisionManager" class="org.springframework.security.vote. AffirmativeBased"> <property name="decisionVoters"> <list> <bean class="org.springframework.security. vote.RoleVoter" /> <bean class="org.springframework.security. vote.AuthenticatedVoter" /> </list> </property> </bean> 32
MethodSecurityInterceptor <bean id="myService" class="sample.service.MyService"> <sec:intercept-methods access-decision-manager-ref="accessDecisionManager"> <sec:protect method="sample.service.MyService.*" access="IS_AUTHENTICATED_FULLY" /> <sec:protect method="sample.service.MyService.add*" access="ROLE_ADMINISTRATOR" /> <sec:protect method="sample.service.MyService.del*" access="ROLE_ADMINISTRATOR" /> <sec:protect method="sample.service.MyService.save*" access="ROLE_ADMINISTRATOR" /> </sec:intercept-methods> </bean> 33
Applying Portlet Security To Servlets Using the whole web/portlet application as one secure bundle 34
Bridging The Gap ● We can reuse the Portlet SecurityContext in getting resources from Servlets in the same web application ● Useful for securing: – AJAX Calls – Dynamic Images – PDF Reports ● Need to get Portlets and Servlets to share session data to do this 35
Portlets & Servlets Sharing Session ● Possible according to JSR 168 (PLT 15.4) – Must be in the same webapp – Portlet must use APPLICATION_SCOPE ● Sometime tricky in practice – Portlet requests go thru Portal webapp URL – Servlet requests go thru Portlet webapp URL – Session tracking via JSESSIONID Cookie usually uses URL path to webapp – not shared! Tomcat 5.5.4 + On <Connector> element set emptySessionPath=true 36
Apply Servlet Filter Chain ● In web.xml: <filter> <filter-name>securityFilterChainProxy</filter-name> <filter-class>org.springframework.web.filter. DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>securityFilterChainProxy</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> 37
FilterChainProxy ● Since the portal handles authentication, you only need a few entries in this bean: <bean id="servletSecurityFilterChainProxy" class="org.springframework.security.util. FilterChainProxy"> <sec:filter-chain-map path-type="ant"> <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter, exceptionTranslationFilter, filterSecurityInterceptor" /> </sec:filter-chain-map> </bean> 38
HttpSessionContextIntegrationFilter ● If session sharing is working properly, it will populate the SecurityContextHolder using the same SecurityContext as the Portlet side <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context. HttpSessionContextIntegrationFilter" /> This will only work if PortletSessionContextIntegrationInterceptor is storing in the APPLICATION_SCOPE of the PortletSession (which is the default) 39
ExceptionTranslationFilter ● Since we are relying on the Portal for authentication, then an Exception means that authentication has already failed ● PreAuthenticatedProcessingFilterEntryPoint returns SC_FORBIDDEN (HTTP 403 error) <bean id="exceptionTranslationFilter" class="org.springframework.security.ui. ExceptionTranslationFilter"> <property name="authenticationEntryPoint"> <bean class="org.springframework.security.ui.preauth. PreAuthenticatedProcessingFilterEntryPoint" /> </property> </bean> 40
FilterSecurityInterceptor ● Secure resource URLs accordingly ● Use the same AuthenticationManager and AccessDecisionManager as in the portlet <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web. FilterSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="accessDecisionManager" ref="accessDecisionManager" /> <property name="objectDefinitionSource"> <sec:filter-invocation-definition-source> <sec:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> </sec:filter-invocation-definition-source> </property> </bean> 41
Resources Places to go to actually use this stuff! 42
Resources ● Spring Security 2.0 Website – http://static.springframework.org/spring-security/site/ ● Sample Applications – Small sample included in Spring Security distro – Bigger sample on the Spring Portlet Wiki http://opensource.atlassian.com/confluence/spring/display/JSR168/ 43
Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. jlewis@unicon.net www.unicon.net 44

Recommended

Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring Security
John Lewis
 
Introduction to java standard portlets
Introduction to java standard portletsIntroduction to java standard portlets
Introduction to java standard portlets
Rohan Faye
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE Security
Alex Kim
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIRO
Cygnet Infotech
 
Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5
Anil Saldanha
 
As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0
Bruno Borges
 
Uploaded
UploadedUploaded
Uploadedjcarrey
 
h.pdf
h.pdfh.pdf
h.pdf
jcarrey
 

Recommended

Securing Portlets With Spring Security
Securing Portlets With Spring SecuritySecuring Portlets With Spring Security
Securing Portlets With Spring Security
John Lewis
 
Introduction to java standard portlets
Introduction to java standard portletsIntroduction to java standard portlets
Introduction to java standard portlets
Rohan Faye
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE Security
Alex Kim
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIRO
Cygnet Infotech
 
Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5Secure Middleware with JBoss AS 5
Secure Middleware with JBoss AS 5
Anil Saldanha
 
As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0
Bruno Borges
 
Uploaded
UploadedUploaded
Uploadedjcarrey
 
h.pdf
h.pdfh.pdf
h.pdf
jcarrey
 
Documento2.doc.docx
Documento2.doc.docxDocumento2.doc.docx
Documento2.doc.docx
jcarrey
 
Vw Passat 2011
Vw Passat 2011Vw Passat 2011
Vw Passat 2011Sergio Velasquez
 
11 pavimentacion
11 pavimentacion11 pavimentacion
11 pavimentacionSergio Velasquez
 
355 1 EOS 2006.pdf
355 1 EOS 2006.pdf355 1 EOS 2006.pdf
355 1 EOS 2006.pdfjcarrey
 
Motor sincrono y asincrono eplicacion
Motor sincrono y asincrono eplicacionMotor sincrono y asincrono eplicacion
Motor sincrono y asincrono eplicacion
Mario Alberto Rodriguez
 
Adhesivos estructurales
Adhesivos estructuralesAdhesivos estructurales
Adhesivos estructuralesJavier Sabonis
 
Adhesivos en carroceria loctite
Adhesivos en carroceria loctiteAdhesivos en carroceria loctite
Adhesivos en carroceria loctiteJavier Sabonis
 
poliuretano en las lunas parabrisas
poliuretano en las lunas parabrisaspoliuretano en las lunas parabrisas
poliuretano en las lunas parabrisasJavier Sabonis
 
discos multiláminas
discos multiláminasdiscos multiláminas
discos multiláminasJavier Sabonis
 
llave youth
llave youthllave youth
llave youthJavier Sabonis
 
Rta vw sharan seat alhambra-ford galaxy diesel
Rta vw sharan seat alhambra-ford galaxy dieselRta vw sharan seat alhambra-ford galaxy diesel
Rta vw sharan seat alhambra-ford galaxy dieselcarphead1
 
Mini cooper
Mini cooperMini cooper
Mini cooperMarRoura
 
Lunas
LunasLunas
LunasJavier Sabonis
 
El Renacimiento
El RenacimientoEl Renacimiento
El RenacimientoJavier Sabonis
 
Caracteristicas de soplador de aire caliente
Caracteristicas de soplador de aire calienteCaracteristicas de soplador de aire caliente
Caracteristicas de soplador de aire calienteJavier Sabonis
 
Estructura de los hongos
Estructura de los hongos Estructura de los hongos
Estructura de los hongos Sergio Velasquez
 
291 2 Cambio automatico 09G.pdf
291 2 Cambio automatico 09G.pdf291 2 Cambio automatico 09G.pdf
291 2 Cambio automatico 09G.pdfjcarrey
 
Bobina cop
Bobina copBobina cop
Bobina cop
Mario Alberto Rodriguez
 
libro de Elementos amovibles
libro de Elementos amovibleslibro de Elementos amovibles
libro de Elementos amoviblesJavier Sabonis
 
082 Motor 2 8L V6 24V.pdf
082 Motor 2 8L V6 24V.pdf082 Motor 2 8L V6 24V.pdf
082 Motor 2 8L V6 24V.pdfjcarrey
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
pigorcraveiro
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
Lalit Kale
 

More Related Content

Viewers also liked

Documento2.doc.docx
Documento2.doc.docxDocumento2.doc.docx
Documento2.doc.docx
jcarrey
 
355 1 EOS 2006.pdf
355 1 EOS 2006.pdf355 1 EOS 2006.pdf
355 1 EOS 2006.pdfjcarrey
 
Motor sincrono y asincrono eplicacion
Motor sincrono y asincrono eplicacionMotor sincrono y asincrono eplicacion
Motor sincrono y asincrono eplicacion
Mario Alberto Rodriguez
 
Adhesivos estructurales
Adhesivos estructuralesAdhesivos estructurales
Adhesivos estructuralesJavier Sabonis
 
Adhesivos en carroceria loctite
Adhesivos en carroceria loctiteAdhesivos en carroceria loctite
Adhesivos en carroceria loctiteJavier Sabonis
 
poliuretano en las lunas parabrisas
poliuretano en las lunas parabrisaspoliuretano en las lunas parabrisas
poliuretano en las lunas parabrisasJavier Sabonis
 
Rta vw sharan seat alhambra-ford galaxy diesel
Rta vw sharan seat alhambra-ford galaxy dieselRta vw sharan seat alhambra-ford galaxy diesel
Rta vw sharan seat alhambra-ford galaxy dieselcarphead1
 
Mini cooper
Mini cooperMini cooper
Mini cooperMarRoura
 
Caracteristicas de soplador de aire caliente
Caracteristicas de soplador de aire calienteCaracteristicas de soplador de aire caliente
Caracteristicas de soplador de aire calienteJavier Sabonis
 
291 2 Cambio automatico 09G.pdf
291 2 Cambio automatico 09G.pdf291 2 Cambio automatico 09G.pdf
291 2 Cambio automatico 09G.pdfjcarrey
 
Bobina cop
Bobina copBobina cop
Bobina cop
Mario Alberto Rodriguez
 
libro de Elementos amovibles
libro de Elementos amovibleslibro de Elementos amovibles
libro de Elementos amoviblesJavier Sabonis
 
082 Motor 2 8L V6 24V.pdf
082 Motor 2 8L V6 24V.pdf082 Motor 2 8L V6 24V.pdf
082 Motor 2 8L V6 24V.pdfjcarrey
 

Viewers also liked (20)

Documento2.doc.docx
Documento2.doc.docxDocumento2.doc.docx
Documento2.doc.docx
 
Vw Passat 2011
Vw Passat 2011Vw Passat 2011
Vw Passat 2011
 
11 pavimentacion
11 pavimentacion11 pavimentacion
11 pavimentacion
 
355 1 EOS 2006.pdf
355 1 EOS 2006.pdf355 1 EOS 2006.pdf
355 1 EOS 2006.pdf
 
Motor sincrono y asincrono eplicacion
Motor sincrono y asincrono eplicacionMotor sincrono y asincrono eplicacion
Motor sincrono y asincrono eplicacion
 
Adhesivos estructurales
Adhesivos estructuralesAdhesivos estructurales
Adhesivos estructurales
 
Adhesivos en carroceria loctite
Adhesivos en carroceria loctiteAdhesivos en carroceria loctite
Adhesivos en carroceria loctite
 
poliuretano en las lunas parabrisas
poliuretano en las lunas parabrisaspoliuretano en las lunas parabrisas
poliuretano en las lunas parabrisas
 
discos multiláminas
discos multiláminasdiscos multiláminas
discos multiláminas
 
llave youth
llave youthllave youth
llave youth
 
Rta vw sharan seat alhambra-ford galaxy diesel
Rta vw sharan seat alhambra-ford galaxy dieselRta vw sharan seat alhambra-ford galaxy diesel
Rta vw sharan seat alhambra-ford galaxy diesel
 
Mini cooper
Mini cooperMini cooper
Mini cooper
 
Lunas
LunasLunas
Lunas
 
El Renacimiento
El RenacimientoEl Renacimiento
El Renacimiento
 
Caracteristicas de soplador de aire caliente
Caracteristicas de soplador de aire calienteCaracteristicas de soplador de aire caliente
Caracteristicas de soplador de aire caliente
 
Estructura de los hongos
Estructura de los hongos Estructura de los hongos
Estructura de los hongos
 
291 2 Cambio automatico 09G.pdf
291 2 Cambio automatico 09G.pdf291 2 Cambio automatico 09G.pdf
291 2 Cambio automatico 09G.pdf
 
Bobina cop
Bobina copBobina cop
Bobina cop
 
libro de Elementos amovibles
libro de Elementos amovibleslibro de Elementos amovibles
libro de Elementos amovibles
 
082 Motor 2 8L V6 24V.pdf
082 Motor 2 8L V6 24V.pdf082 Motor 2 8L V6 24V.pdf
082 Motor 2 8L V6 24V.pdf
 

Similar to securing-portlets-with-spring-security.pdf

Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
pigorcraveiro
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
Lalit Kale
 
Spring security4.x
Spring security4.xSpring security4.x
Spring security4.x
Zeeshan Khan
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVC
John Lewis
 
Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)
ERPScan
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample application
Anil Allewar
 
TechEvent Eclipse Microprofile
TechEvent Eclipse MicroprofileTechEvent Eclipse Microprofile
TechEvent Eclipse Microprofile
Trivadis
 
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Arun Gupta
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
Puma Security, LLC
 
Spring Security Framework
Spring Security FrameworkSpring Security Framework
Spring Security Framework
Jayasree Perilakkalam
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
Jesus Perez Franco
 
Anil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil Saldanha
 
Websphere - Introduction to SSL part 1
Websphere - Introduction to SSL part 1Websphere - Introduction to SSL part 1
Websphere - Introduction to SSL part 1
Vibrant Technologies & Computers
 
Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core
Binary Studio
 
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connections Developers
 
JMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialJMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocial
Ryan Baxter
 

Similar to securing-portlets-with-spring-security.pdf (20)

Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Spring security4.x
Spring security4.xSpring security4.x
Spring security4.x
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVC
 
Pixels_Camp
Pixels_CampPixels_Camp
Pixels_Camp
 
Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)Breaking SAP portal (HackerHalted)
Breaking SAP portal (HackerHalted)
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample application
 
TechEvent Eclipse Microprofile
TechEvent Eclipse MicroprofileTechEvent Eclipse Microprofile
TechEvent Eclipse Microprofile
 
Java EE Services
Java EE ServicesJava EE Services
Java EE Services
 
Struts2 - 101
Struts2 - 101Struts2 - 101
Struts2 - 101
 
Servlet 3.0
Servlet 3.0Servlet 3.0
Servlet 3.0
 
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
Servlets 3.0 - Asynchronous, Extensibility, Ease-of-use @ JavaOne Brazil 2010
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
Spring Security Framework
Spring Security FrameworkSpring Security Framework
Spring Security Framework
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
 
Anil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseap
 
Websphere - Introduction to SSL part 1
Websphere - Introduction to SSL part 1Websphere - Introduction to SSL part 1
Websphere - Introduction to SSL part 1
 
Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core Academy PRO: ASP .NET Core
Academy PRO: ASP .NET Core
 
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
 
JMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialJMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocial
 

More from jcarrey

developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdfjcarrey
 
343 1 El nuevo AUDI A4 2005.pdf
343 1 El nuevo AUDI A4 2005.pdf343 1 El nuevo AUDI A4 2005.pdf
343 1 El nuevo AUDI A4 2005.pdfjcarrey
 
Audi A5 coupe 2008 Trabajos de montaje interiores.pdf
Audi A5 coupe 2008 Trabajos de montaje interiores.pdfAudi A5 coupe 2008 Trabajos de montaje interiores.pdf
Audi A5 coupe 2008 Trabajos de montaje interiores.pdfjcarrey
 
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdfAudi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdfjcarrey
 
343 1 El Nuevo AUDI 2005.pdf
343 1 El Nuevo AUDI 2005.pdf343 1 El Nuevo AUDI 2005.pdf
343 1 El Nuevo AUDI 2005.pdfjcarrey
 
343 2 El Nuevo AUDI A4 2005.pdf
343 2 El Nuevo AUDI A4 2005.pdf343 2 El Nuevo AUDI A4 2005.pdf
343 2 El Nuevo AUDI A4 2005.pdfjcarrey
 
344 1 El nuevo AUDI A6 Avant 2005.pdf
344 1 El nuevo AUDI A6 Avant 2005.pdf344 1 El nuevo AUDI A6 Avant 2005.pdf
344 1 El nuevo AUDI A6 Avant 2005.pdfjcarrey
 
344 2 El nuevo AUDI A6 Avant 2005.pdf
344 2 El nuevo AUDI A6 Avant 2005.pdf344 2 El nuevo AUDI A6 Avant 2005.pdf
344 2 El nuevo AUDI A6 Avant 2005.pdfjcarrey
 
346 Freno de estacionamiento electromecanico.pdf
346 Freno de estacionamiento electromecanico.pdf346 Freno de estacionamiento electromecanico.pdf
346 Freno de estacionamiento electromecanico.pdfjcarrey
 
347 El sistema de control de Presion de Neumaticos.pdf
347 El sistema de control de Presion de Neumaticos.pdf347 El sistema de control de Presion de Neumaticos.pdf
347 El sistema de control de Presion de Neumaticos.pdfjcarrey
 
349 1 FOX 2006.pdf
349 1 FOX 2006.pdf349 1 FOX 2006.pdf
349 1 FOX 2006.pdfjcarrey
 
349 2 FOX 2006.pdf
349 2 FOX 2006.pdf349 2 FOX 2006.pdf
349 2 FOX 2006.pdfjcarrey
 
350 Motor TDI 3 0l V6.pdf
350 Motor TDI 3 0l V6.pdf350 Motor TDI 3 0l V6.pdf
350 Motor TDI 3 0l V6.pdfjcarrey
 
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdfjcarrey
 
352 Inyector bomba con Valvula Piezoelectrica.pdf
352 Inyector bomba con Valvula Piezoelectrica.pdf352 Inyector bomba con Valvula Piezoelectrica.pdf
352 Inyector bomba con Valvula Piezoelectrica.pdfjcarrey
 
354 1 Jetta 2006.pdf
354 1 Jetta 2006.pdf354 1 Jetta 2006.pdf
354 1 Jetta 2006.pdfjcarrey
 
354 2 Jetta 2006.pdf
354 2 Jetta 2006.pdf354 2 Jetta 2006.pdf
354 2 Jetta 2006.pdfjcarrey
 

More from jcarrey (20)

developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdf
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdf
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdf
 
developersguide.pdf
developersguide.pdfdevelopersguide.pdf
developersguide.pdf
 
343 1 El nuevo AUDI A4 2005.pdf
343 1 El nuevo AUDI A4 2005.pdf343 1 El nuevo AUDI A4 2005.pdf
343 1 El nuevo AUDI A4 2005.pdf
 
Audi A5 coupe 2008 Trabajos de montaje interiores.pdf
Audi A5 coupe 2008 Trabajos de montaje interiores.pdfAudi A5 coupe 2008 Trabajos de montaje interiores.pdf
Audi A5 coupe 2008 Trabajos de montaje interiores.pdf
 
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdfAudi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
Audi A5 Coupe 2008 Carroceria Trabajos de montaje exterior.pdf
 
343 1 El Nuevo AUDI 2005.pdf
343 1 El Nuevo AUDI 2005.pdf343 1 El Nuevo AUDI 2005.pdf
343 1 El Nuevo AUDI 2005.pdf
 
343 2 El Nuevo AUDI A4 2005.pdf
343 2 El Nuevo AUDI A4 2005.pdf343 2 El Nuevo AUDI A4 2005.pdf
343 2 El Nuevo AUDI A4 2005.pdf
 
344 1 El nuevo AUDI A6 Avant 2005.pdf
344 1 El nuevo AUDI A6 Avant 2005.pdf344 1 El nuevo AUDI A6 Avant 2005.pdf
344 1 El nuevo AUDI A6 Avant 2005.pdf
 
344 2 El nuevo AUDI A6 Avant 2005.pdf
344 2 El nuevo AUDI A6 Avant 2005.pdf344 2 El nuevo AUDI A6 Avant 2005.pdf
344 2 El nuevo AUDI A6 Avant 2005.pdf
 
346 Freno de estacionamiento electromecanico.pdf
346 Freno de estacionamiento electromecanico.pdf346 Freno de estacionamiento electromecanico.pdf
346 Freno de estacionamiento electromecanico.pdf
 
347 El sistema de control de Presion de Neumaticos.pdf
347 El sistema de control de Presion de Neumaticos.pdf347 El sistema de control de Presion de Neumaticos.pdf
347 El sistema de control de Presion de Neumaticos.pdf
 
349 1 FOX 2006.pdf
349 1 FOX 2006.pdf349 1 FOX 2006.pdf
349 1 FOX 2006.pdf
 
349 2 FOX 2006.pdf
349 2 FOX 2006.pdf349 2 FOX 2006.pdf
349 2 FOX 2006.pdf
 
350 Motor TDI 3 0l V6.pdf
350 Motor TDI 3 0l V6.pdf350 Motor TDI 3 0l V6.pdf
350 Motor TDI 3 0l V6.pdf
 
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
351 Sistema de Inyeccion Common Rail Motor 3 0l TDI V6.pdf
 
352 Inyector bomba con Valvula Piezoelectrica.pdf
352 Inyector bomba con Valvula Piezoelectrica.pdf352 Inyector bomba con Valvula Piezoelectrica.pdf
352 Inyector bomba con Valvula Piezoelectrica.pdf
 
354 1 Jetta 2006.pdf
354 1 Jetta 2006.pdf354 1 Jetta 2006.pdf
354 1 Jetta 2006.pdf
 
354 2 Jetta 2006.pdf
354 2 Jetta 2006.pdf354 2 Jetta 2006.pdf
354 2 Jetta 2006.pdf
 

Recently uploaded

Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 

Recently uploaded (20)

Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 

securing-portlets-with-spring-security.pdf

  • 1. Securing Portlets With Spring Security John A. Lewis Chief Software Architect Unicon, Inc. JA-SIG Spring 2008 Conference 28 April 2008 © Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
  • 2. Agenda ● JSR 168 Portlet Security ● Spring Security (aka “Acegi”) ● Spring Portlet Security ● Applying Portlet Security ● Resources ● Questions & Answers 2
  • 3. JSR 168 Portlet Security What does the spec give us to work with? 3
  • 4. Portal Authentication ● The portal is completely responsible for authentication – This means we just use what it gives us – we don't redirect for authentication purpose ● The JSR 168 PortletRequest class provides two methods for getting user identity (the same ones as the Servlet spec) String getRemoteUser() Principal getUserPrincipal() 4
  • 5. Portal Authorization ● Portals generally provide the ability to assign a set of “Roles” to the User ● The JSR 168 PortletRequest class provides a method for getting at these roles (the same ones as the Servlet spec) boolean isUserInRole(String) 5
  • 6. Declaring Portal Roles ● Same as declaring roles for Servlet container- based security ● Include all portal roles that may be used in web.xml: ... <security-role> <role-name>manager</role-name> </security-role> ... 6
  • 7. Mapping Portal Roles To Portlet Roles ● In portlet.xml: <portlet> <portlet-name>books</portlet-name> ... Portlet Role <security-role-ref> <role-name>ADMINISTRATOR</role-name> <role-link>manager</role-link> </security-role-ref> </portlet> Portal Role Warning! If you are storing your SecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later), make sure these are the same in all your <portlet> declarations – the first one to be invoked on a page will determine the mapping for all portlets in your webapp. 7
  • 8. Security Constraints ● Require a secure transport in portlet.xml: <portlet-app> ... <portlet> <portlet-name>accountSummary</portlet-name> ... </portlet> ... <security-constraint> <display-name>Secure Portlets</display-name> <portlet-collection> <portlet-name>accountSummary</portlet-name> </portlet-collection> <user-data-constraint/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> ... </portlet-app> 8
  • 9. Other Portlet Security Info ● PortletRequest has a couple other key security-related methods: StringgetAuthType() String getAuthType() Returns name of authentication scheme used (BASIC_AUTH, CLIENT_CERT_AUTH, custom) or null if user is not authenticated. boolean isSecure() boolean isSecure() Returns true if the request was made over a secure channel (such as HTTPS) 9
  • 10. Portlet User Attributes ● Can also use the USER_INFO Map available as a PortletRequest attribute. ● May contain arbitrary user information: – user.name.given – user.bdate – user.gender – etc. ● Some portals expose security-related information here, but this mechanism should be avoided if possible 10
  • 11. Spring Security a.k.a Acegi Security A quick overview 11
  • 12. What Is Spring Security? ● Powerful, flexible security framework for enterprise software ● Emphasis on applications using Spring ● Comprehensive authentication, authorization, and instance-based access control ● Avoids security code in your business logic – treats security as a cross-cutting concern ● Built-in support for a wide variety of authentication and integration standards 12
  • 13. Spring Security Releases ● Acegi Security (the old name) – Current Version: 1.0.7 – Initial GA Release: May 2006 – Portlet support in Sandbox ● Spring Security (the new name) – Current Version: 2.0.0 – Initial GA Release: April 2008 – Portlet support Included – Changes packaging from org.acegisecurity to org.springframework.security 13
  • 14. Applications Are Like Onions ● Spring Security can be applied at multiple layers in your application: – Apply security as markup is constructed in the Rendering Layer using the supplied JSP taglib – Restrict access to areas of web application in the Dispatch Layer based on URL pattern-matching – Secure method invocation on the Service Layer to ensure calls are from properly authorized user – Provide Access Control Lists (ACLs) for individual objects in the Domain Layer 14
  • 15. Spring Portlet Security Applying Spring Security to Portlets 15
  • 16. Portlet Challenges ● Portlets have some key differences from Servlets: – No Filters – Can't treat URLs like Paths – Multiple Request Phases ● These create some challenges in applying the normal Spring Security patterns ● So we need some different infrastructure for wiring Spring Security into our portlet application 16
  • 17. Six Main Portlet Security Beans ● PortletProcessingInterceptor ● AuthenticationManager ● AuthenticationDetailsSource ● AuthenticationProvider ● UserDetailsService ● PortletSessionContextIntegrationInterceptor 17
  • 18. PortletProcessingInterceptor ● Interceptor that processes portlet requests for authentication by invoking the configured AuthenticationManager ● Creates the initial AuthenticationToken from the PortletRequest security methods <bean id="portletProcessingInterceptor" class="org.springframework.security.ui.portlet. PortletProcessingInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationDetailsSource" ref="portletAuthenticationDetailsSource" /> </bean> Portlet equivalent of AuthenticationProcessingFilter used for traditional servlet web applications 18
  • 19. AuthenticationManager ● Use normal provider-based AuthenticationManager bean ● Declared via special namespace schema: <sec:authentication-manager alias="authenticationManager" /> Can use multiple providers if you are authenticating from Portlets and Servlets 19
  • 20. AuthenticationDetailsSource ● Can be used to check isUserInRole(...) to get list of Portal Roles into the Authentication Request: <bean name=”portletAuthenticationDetailsSource” class="org.springframework.security.ui.portlet. PortletPreAuthenticatedAuthenticationDetailsSource"> <property name="mappableRolesRetriever"> <bean class="org.springframework.security. authoritymapping.SimpleMappableAttributesRetriever"> <property name="mappableAttributes"> <list> <value>ADMIN</value> </list> </property> </bean> Only needed if we are using Portal Roles for </property> our security decisions </bean> 20
  • 21. AuthenticationProvider ● PreAuthenticatedAuthenticationProvider processes pre-authenticated authentication request (from PortletProcessingInterceptor) ● A valid PreAuthenticatedAuthenticationToken with non-null principal & credentials will succeed <bean id="portletAuthenticationProvider" class="org.springframework.security.providers.preauth. PreAuthenticatedAuthenticationProvider"> <sec:custom-authentication-provider /> <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" /> </bean> 21
  • 22. UserDetailsService ● Bean that knows how to populate user details (including GrantedAuthorities) for the authenticated user – PreAuthenticatedGrantedAuthoritiesUserDetailsService will use purely data contained in the PreAuthenticatedAuthenticationToken <bean name="preAuthenticatedUserDetailsService" class="org.springframework.security.providers.preauth. PreAuthenticatedGrantedAuthoritiesUserDetailsService" /> Can also use any other UserDetailsService that can populate UserDetails by username, such as JdbcUserDetailsManager or LdapUserDetailsManager 22
  • 23. PortletSessionContextIntegrationInterceptor ● Interceptor that retrieves/stores the contents of the SecurityContextHolder in the active PortletSession ● Without this, every request would trigger a full authentication cycle ● Default is to use APPLICATION_SCOPE <bean id="portletSessionContextIntegrationInterceptor" class="org.springframework.security.context. PortletSessionContextIntegrationInterceptor" /> Portlet equivalent of HttpSessionContextIntegrationFilter, used for traditional servlet web applications 23
  • 24. Using The Two Interceptors ● Add them to our Portlet's HandlerMapping: <bean id="portletModeHandlerMapping" class="org.springframework.web.portlet.handler. PortletModeHandlerMapping"> <property name="interceptors"> <list> <ref bean="portletSessionContextIntegrationInterceptor"/> <ref bean="portletProcessingInterceptor"/> </list> </property> <property name="portletModeMap"> <map> <entry key="view"><ref bean="viewController"/></entry> <entry key="edit"><ref bean="editController"/></entry> <entry key="help"><ref bean="helpController"/></entry> </map> </property> </bean> Warning! This ordering is critical – they will not work correctly if they are reversed! 24
  • 25. Applying Portlet Security To The Rendering Layer Customizing our markup based on security information 25
  • 26. Spring Security JSP TagLib ● Allows us to access authentication information and to check authorizations ● Useful for showing/hiding information or navigation controls based on security info <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <p>Username: <sec:authentication property="principal.username"/></p> <sec:authorize ifAllGranted="ROLE_USER"> <p>You are an authorized user of this system.</p> </sec:authorize> <sec:authorize ifAllGranted="ROLE_ADMINISTRATOR"> <p>You are an administrator of this system.</p> </sec:authorize> Warning: Don't rely on this to restrict access to areas of the application. Just because navigation doesn't appear in the markup doesn't mean a clever hacker can't generate a GET/POST that will still get there. 26
  • 27. Applying Portlet Security To The Dispatch Layer Controlling where users can go in the application 27
  • 28. Secure Portlet Request Dispatching ● Portlet Requests don't have a path structure, so we can't use the path-based patterns of FilterSecurityInterceptor to control access ● Something standard may be added in the future – perhaps a ConfigAttributeDefinition for various aspects of Portlet Requests that we can use as an ObjectDefinitionSource 28
  • 29. Using a HandlerInterceptor ● Best practice in Spring 2.0 is to build a custom HandlerInterceptor for your Portlet ● Compare contents of SecurityContextHolder. getContext(). getAuthentication() with Portlet Mode, Window State, Render Parameters – whatever you want to use to determine permission ● Throw a PortletSecurityException if access is not permitted, otherwise allow processing to proceed 29
  • 30. Using Annotations ● If using Spring 2.5 Annotation-based Dispatching, use Security Annotations as well – ApplicationContext entry: <sec:global-method-security secured-annotations="enabled" /> – Annotated method: import org.springframework.security.annotation.Secured; ... @Secured({"ROLE_ADMIN"}) @RequestMapping(params="action=view") public String deleteItems(RequestParam("item") int itemId) { ... 30
  • 31. Applying Portlet Security To The Service Layer Making sure Services are invoked by only by user with proper permissions 31
  • 32. AccessDecisionManager ● Standard Spring Security bean for making decisions about access to resources <bean id="accessDecisionManager" class="org.springframework.security.vote. AffirmativeBased"> <property name="decisionVoters"> <list> <bean class="org.springframework.security. vote.RoleVoter" /> <bean class="org.springframework.security. vote.AuthenticatedVoter" /> </list> </property> </bean> 32
  • 33. MethodSecurityInterceptor <bean id="myService" class="sample.service.MyService"> <sec:intercept-methods access-decision-manager-ref="accessDecisionManager"> <sec:protect method="sample.service.MyService.*" access="IS_AUTHENTICATED_FULLY" /> <sec:protect method="sample.service.MyService.add*" access="ROLE_ADMINISTRATOR" /> <sec:protect method="sample.service.MyService.del*" access="ROLE_ADMINISTRATOR" /> <sec:protect method="sample.service.MyService.save*" access="ROLE_ADMINISTRATOR" /> </sec:intercept-methods> </bean> 33
  • 34. Applying Portlet Security To Servlets Using the whole web/portlet application as one secure bundle 34
  • 35. Bridging The Gap ● We can reuse the Portlet SecurityContext in getting resources from Servlets in the same web application ● Useful for securing: – AJAX Calls – Dynamic Images – PDF Reports ● Need to get Portlets and Servlets to share session data to do this 35
  • 36. Portlets & Servlets Sharing Session ● Possible according to JSR 168 (PLT 15.4) – Must be in the same webapp – Portlet must use APPLICATION_SCOPE ● Sometime tricky in practice – Portlet requests go thru Portal webapp URL – Servlet requests go thru Portlet webapp URL – Session tracking via JSESSIONID Cookie usually uses URL path to webapp – not shared! Tomcat 5.5.4 + On <Connector> element set emptySessionPath=true 36
  • 37. Apply Servlet Filter Chain ● In web.xml: <filter> <filter-name>securityFilterChainProxy</filter-name> <filter-class>org.springframework.web.filter. DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>securityFilterChainProxy</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> 37
  • 38. FilterChainProxy ● Since the portal handles authentication, you only need a few entries in this bean: <bean id="servletSecurityFilterChainProxy" class="org.springframework.security.util. FilterChainProxy"> <sec:filter-chain-map path-type="ant"> <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter, exceptionTranslationFilter, filterSecurityInterceptor" /> </sec:filter-chain-map> </bean> 38
  • 39. HttpSessionContextIntegrationFilter ● If session sharing is working properly, it will populate the SecurityContextHolder using the same SecurityContext as the Portlet side <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context. HttpSessionContextIntegrationFilter" /> This will only work if PortletSessionContextIntegrationInterceptor is storing in the APPLICATION_SCOPE of the PortletSession (which is the default) 39
  • 40. ExceptionTranslationFilter ● Since we are relying on the Portal for authentication, then an Exception means that authentication has already failed ● PreAuthenticatedProcessingFilterEntryPoint returns SC_FORBIDDEN (HTTP 403 error) <bean id="exceptionTranslationFilter" class="org.springframework.security.ui. ExceptionTranslationFilter"> <property name="authenticationEntryPoint"> <bean class="org.springframework.security.ui.preauth. PreAuthenticatedProcessingFilterEntryPoint" /> </property> </bean> 40
  • 41. FilterSecurityInterceptor ● Secure resource URLs accordingly ● Use the same AuthenticationManager and AccessDecisionManager as in the portlet <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web. FilterSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="accessDecisionManager" ref="accessDecisionManager" /> <property name="objectDefinitionSource"> <sec:filter-invocation-definition-source> <sec:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> </sec:filter-invocation-definition-source> </property> </bean> 41
  • 42. Resources Places to go to actually use this stuff! 42
  • 43. Resources ● Spring Security 2.0 Website – http://static.springframework.org/spring-security/site/ ● Sample Applications – Small sample included in Spring Security distro – Bigger sample on the Spring Portlet Wiki http://opensource.atlassian.com/confluence/spring/display/JSR168/ 43
  • 44. Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. jlewis@unicon.net www.unicon.net 44