The document discusses securing portlets with Spring Security. It provides an overview of JSR 168 portlet security capabilities and then discusses how to apply Spring Security to secure portlets. The main components discussed are the PortletProcessingInterceptor, AuthenticationManager, AuthenticationDetailsSource, AuthenticationProvider, UserDetailsService, and PortletSessionContextIntegrationInterceptor which are used to secure portlets similarly to how Spring Security secures servlets. It also discusses applying security at the rendering, dispatch, service layers and integrating portlet and servlet security.
In this session, attendees will learn how to secure JSR-168 Portlets using the latest version of Acegi Security, called Spring Security 2.0. The 2.0 release of Spring Security includes new support for JSR-168 Portlet development. In this session we'll cover how the Acegi security model translates into the Portlet world, show how to configure the authentication provider for JSR-168 Portlets, and discuss the special interceptors for processing Portlet requests and for storing the security context in the Portlet session. Finally we'll show how Portlets and Servlets in the same webapp can share security context, which allows for secure AJAX calls and dynamic images from within Portlets.
This presentation gives an overview on Java standard portlets. It speaks about the trends in java portals and java specification requests created to achieve the Java portlet programming. It also tells the portal advantage over the conventional approach of web programming based on Java platform.
In this webinar, we focus specifically on how Apache SHIRO can help developers in providing better security architecture. You will also learn the following Application security is gaining critical attention due to increase in cyber-attacks and risks of business and financial losses.
In the context of J2EE development and Java web application development, security concerns are addressed through multiple means. This informative 45 min session to understand approaches and strategies for building secure web applications.
- Planning for Security: Authentication, Authorization, Session Management and Cryptography
- Comparing Different Approaches for Security: JAAS, Spring, Grails
- How to use the simplified universal approach of Apache SHIRO
- A LIVE DEMO on using SHIRO to secure web applications
If you have any query please write to us at inquiry@cygnet-infotech.com
In this session, attendees will learn how to secure JSR-168 Portlets using the latest version of Acegi Security, called Spring Security 2.0. The 2.0 release of Spring Security includes new support for JSR-168 Portlet development. In this session we'll cover how the Acegi security model translates into the Portlet world, show how to configure the authentication provider for JSR-168 Portlets, and discuss the special interceptors for processing Portlet requests and for storing the security context in the Portlet session. Finally we'll show how Portlets and Servlets in the same webapp can share security context, which allows for secure AJAX calls and dynamic images from within Portlets.
This presentation gives an overview on Java standard portlets. It speaks about the trends in java portals and java specification requests created to achieve the Java portlet programming. It also tells the portal advantage over the conventional approach of web programming based on Java platform.
In this webinar, we focus specifically on how Apache SHIRO can help developers in providing better security architecture. You will also learn the following Application security is gaining critical attention due to increase in cyber-attacks and risks of business and financial losses.
In the context of J2EE development and Java web application development, security concerns are addressed through multiple means. This informative 45 min session to understand approaches and strategies for building secure web applications.
- Planning for Security: Authentication, Authorization, Session Management and Cryptography
- Comparing Different Approaches for Security: JAAS, Spring, Grails
- How to use the simplified universal approach of Apache SHIRO
- A LIVE DEMO on using SHIRO to secure web applications
If you have any query please write to us at inquiry@cygnet-infotech.com
Java EE Application Security With PicketLinkpigorcraveiro
In this presentation we will take a look at PicketLink, a security framework for Java EE and learn how its identity management, authentication and authorization features can be used to address the security requirements for all aspects of application development.
Java EE Application Security With PicketLinkpigorcraveiro
In this presentation we will take a look at PicketLink, a security framework for Java EE and learn how its identity management, authentication and authorization features can be used to address the security requirements for all aspects of application development.
Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.
Starting with Spring MVC 2.5, Annotation-Based Controllers became the preferred model for development (the Interface-based Controller hierarchy will be deprecated in Spring 3). This session will teach developers familiar with the old model how to use the new Annotation-based Controllers. This will also provide the basis for writing JSR 286 portlets using Spring 3.
Sample code available here:
http://www.ja-sig.org/wiki/x/vYS8AQ
Full screencast available here:
http://vimeo.com/10020881
SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored.
The presentation describes how SAP Portal works and kinds of attacks it can be exposed to.
Building microservices sample applicationAnil Allewar
The slides provide details on how to build the sample Microservices application that covers the whole distributed system paradigm.
Please refer to the introduction to Microservices before following the contents in this slide
https://www.slideshare.net/anilallewar/introduction-to-microservices-78270318
Thi presentation is about -
SSL Concepts,
Configure SSL between IHS and WAS,
The ikeyman tool,
For more details visit -
http://vibranttechnologies.co.in/websphere-classes-in-mumbai.html
JMP103 : Extending Your Application Arsenal With OpenSocial
Yun Zhi Lin, IBM China Investment Company Limited; Ryan Baxter, IBM
OpenSocial. You have heard the hype, maybe you have even seen the demos, but what is all the fuss about? This is your chance to get all your questions answered. In this session we’ll not only teach you about OpenSocial and how IBM is using it to enable exciting new features in IBM Notes and Domino Social Edition, IBM Connections, and IBM Connections Mail, but how you can use it to enhance your applications. You’ll walk away from this session armed with the knowledge to build compelling social apps and all the code you need to get started!
Sun, 26/Jan 08:00 AM – 10:00 AM
JMP103 : Extending Your App Arsenal With OpenSocialRyan Baxter
OpenSocial: You have heard the hype, maybe you have even seen the demos, but what is all the fuss about? This is your chance to get all your questions answered. In this session we will not only teach you about OpenSocial and how IBM is using it to enable exciting new features in Notes and Domino Social Edition, IBM Connections, and IBM Connections Mail, but how you can use it to enhance YOUR applications. You will walk away from this session armed with the knowledge to build compelling social apps and all the code you need to get started!
Similar to securing-portlets-with-spring-security.pdf (20)
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
3. JSR 168 Portlet Security
What does the spec
give us to work with?
3
4. Portal Authentication
●
The portal is completely responsible for
authentication
– This means we just use what it gives us – we
don't redirect for authentication purpose
●
The JSR 168 PortletRequest class provides
two methods for getting user identity (the
same ones as the Servlet spec)
String getRemoteUser()
Principal getUserPrincipal()
4
5. Portal Authorization
●
Portals generally provide the ability to assign
a set of “Roles” to the User
●
The JSR 168 PortletRequest class provides a
method for getting at these roles (the same
ones as the Servlet spec)
boolean isUserInRole(String)
5
6. Declaring Portal Roles
●
Same as declaring roles for Servlet container-
based security
●
Include all portal roles that may be used in
web.xml:
...
<security-role>
<role-name>manager</role-name>
</security-role>
...
6
7. Mapping Portal Roles To Portlet Roles
●
In portlet.xml:
<portlet>
<portlet-name>books</portlet-name>
...
Portlet Role
<security-role-ref>
<role-name>ADMINISTRATOR</role-name>
<role-link>manager</role-link>
</security-role-ref>
</portlet> Portal Role
Warning!
If you are storing your SecurityContext in the PortletSession with
APPLICATION_SCOPE (more on this later), make sure these are the
same in all your <portlet> declarations – the first one to be invoked
on a page will determine the mapping for all portlets in your webapp. 7
8. Security Constraints
●
Require a secure transport in portlet.xml:
<portlet-app>
...
<portlet>
<portlet-name>accountSummary</portlet-name>
...
</portlet>
...
<security-constraint>
<display-name>Secure Portlets</display-name>
<portlet-collection>
<portlet-name>accountSummary</portlet-name>
</portlet-collection>
<user-data-constraint/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
...
</portlet-app>
8
9. Other Portlet Security Info
●
PortletRequest has a couple other key
security-related methods:
StringgetAuthType()
String getAuthType()
Returns name of authentication scheme used
(BASIC_AUTH, CLIENT_CERT_AUTH, custom) or
null if user is not authenticated.
boolean isSecure()
boolean isSecure()
Returns true if the request was made over a
secure channel (such as HTTPS)
9
10. Portlet User Attributes
● Can also use the USER_INFO Map available as
a PortletRequest attribute.
●
May contain arbitrary user information:
– user.name.given
– user.bdate
– user.gender
– etc.
●
Some portals expose security-related
information here, but this mechanism should
be avoided if possible
10
12. What Is Spring Security?
●
Powerful, flexible security framework
for enterprise software
●
Emphasis on applications using Spring
●
Comprehensive authentication, authorization,
and instance-based access control
●
Avoids security code in your business logic –
treats security as a cross-cutting concern
●
Built-in support for a wide variety of
authentication and integration standards
12
13. Spring Security Releases
●
Acegi Security (the old name)
– Current Version: 1.0.7
– Initial GA Release: May 2006
– Portlet support in Sandbox
●
Spring Security (the new name)
– Current Version: 2.0.0
– Initial GA Release: April 2008
– Portlet support Included
– Changes packaging from org.acegisecurity
to org.springframework.security
13
14. Applications Are Like Onions
●
Spring Security can be applied at multiple
layers in your application:
– Apply security as markup is constructed in the
Rendering Layer using the supplied JSP taglib
– Restrict access to areas of web application in the
Dispatch Layer based on URL pattern-matching
– Secure method invocation on the Service Layer to
ensure calls are from properly authorized user
– Provide Access Control Lists (ACLs) for individual
objects in the Domain Layer
14
16. Portlet Challenges
●
Portlets have some key differences
from Servlets:
– No Filters
– Can't treat URLs like Paths
– Multiple Request Phases
●
These create some challenges in applying the
normal Spring Security patterns
●
So we need some different infrastructure for
wiring Spring Security into our portlet
application
16
17. Six Main Portlet Security Beans
●
PortletProcessingInterceptor
●
AuthenticationManager
●
AuthenticationDetailsSource
●
AuthenticationProvider
●
UserDetailsService
●
PortletSessionContextIntegrationInterceptor
17
18. PortletProcessingInterceptor
●
Interceptor that processes portlet requests
for authentication by invoking the configured
AuthenticationManager
●
Creates the initial AuthenticationToken from
the PortletRequest security methods
<bean id="portletProcessingInterceptor"
class="org.springframework.security.ui.portlet.
PortletProcessingInterceptor">
<property name="authenticationManager"
ref="authenticationManager" />
<property name="authenticationDetailsSource"
ref="portletAuthenticationDetailsSource" />
</bean>
Portlet equivalent of AuthenticationProcessingFilter
used for traditional servlet web applications
18
19. AuthenticationManager
●
Use normal provider-based
AuthenticationManager bean
●
Declared via special namespace schema:
<sec:authentication-manager
alias="authenticationManager" />
Can use multiple providers if you are
authenticating from Portlets and Servlets
19
20. AuthenticationDetailsSource
●
Can be used to check isUserInRole(...) to get
list of Portal Roles into the Authentication
Request:
<bean name=”portletAuthenticationDetailsSource”
class="org.springframework.security.ui.portlet.
PortletPreAuthenticatedAuthenticationDetailsSource">
<property name="mappableRolesRetriever">
<bean class="org.springframework.security.
authoritymapping.SimpleMappableAttributesRetriever">
<property name="mappableAttributes">
<list>
<value>ADMIN</value>
</list>
</property>
</bean> Only needed if we are using Portal Roles for
</property> our security decisions
</bean>
20
21. AuthenticationProvider
●
PreAuthenticatedAuthenticationProvider
processes pre-authenticated authentication
request (from PortletProcessingInterceptor)
●
A valid PreAuthenticatedAuthenticationToken
with non-null principal & credentials will
succeed
<bean id="portletAuthenticationProvider"
class="org.springframework.security.providers.preauth.
PreAuthenticatedAuthenticationProvider">
<sec:custom-authentication-provider />
<property name="preAuthenticatedUserDetailsService"
ref="preAuthenticatedUserDetailsService" />
</bean>
21
22. UserDetailsService
●
Bean that knows how to populate user details
(including GrantedAuthorities) for the
authenticated user
– PreAuthenticatedGrantedAuthoritiesUserDetailsService
will use purely data contained in the
PreAuthenticatedAuthenticationToken
<bean name="preAuthenticatedUserDetailsService"
class="org.springframework.security.providers.preauth.
PreAuthenticatedGrantedAuthoritiesUserDetailsService" />
Can also use any other UserDetailsService that can populate UserDetails
by username, such as JdbcUserDetailsManager or LdapUserDetailsManager
22
23. PortletSessionContextIntegrationInterceptor
●
Interceptor that retrieves/stores the contents
of the SecurityContextHolder in the active
PortletSession
●
Without this, every request would trigger a
full authentication cycle
● Default is to use APPLICATION_SCOPE
<bean id="portletSessionContextIntegrationInterceptor"
class="org.springframework.security.context.
PortletSessionContextIntegrationInterceptor" />
Portlet equivalent of HttpSessionContextIntegrationFilter,
used for traditional servlet web applications
23
24. Using The Two Interceptors
●
Add them to our Portlet's HandlerMapping:
<bean id="portletModeHandlerMapping"
class="org.springframework.web.portlet.handler.
PortletModeHandlerMapping">
<property name="interceptors">
<list>
<ref bean="portletSessionContextIntegrationInterceptor"/>
<ref bean="portletProcessingInterceptor"/>
</list>
</property>
<property name="portletModeMap">
<map>
<entry key="view"><ref bean="viewController"/></entry>
<entry key="edit"><ref bean="editController"/></entry>
<entry key="help"><ref bean="helpController"/></entry>
</map>
</property>
</bean> Warning! This ordering is critical – they
will not work correctly if they are reversed!
24
26. Spring Security JSP TagLib
●
Allows us to access authentication
information and to check authorizations
●
Useful for showing/hiding information or
navigation controls based on security info
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags" %>
<p>Username: <sec:authentication property="principal.username"/></p>
<sec:authorize ifAllGranted="ROLE_USER">
<p>You are an authorized user of this system.</p>
</sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMINISTRATOR">
<p>You are an administrator of this system.</p>
</sec:authorize>
Warning: Don't rely on this to restrict access to areas of the application.
Just because navigation doesn't appear in the markup doesn't mean a
clever hacker can't generate a GET/POST that will still get there. 26
27. Applying Portlet Security
To The Dispatch Layer
Controlling where users can go
in the application
27
28. Secure Portlet Request Dispatching
●
Portlet Requests don't have a path structure,
so we can't use the path-based patterns of
FilterSecurityInterceptor to control access
●
Something standard may be added in the
future – perhaps a ConfigAttributeDefinition
for various aspects of Portlet Requests that
we can use as an ObjectDefinitionSource
28
29. Using a HandlerInterceptor
●
Best practice in Spring 2.0 is to build a
custom HandlerInterceptor for your Portlet
●
Compare contents of SecurityContextHolder.
getContext(). getAuthentication() with Portlet
Mode, Window State, Render Parameters –
whatever you want to use to determine
permission
●
Throw a PortletSecurityException if access is
not permitted, otherwise allow processing to
proceed
29
30. Using Annotations
●
If using Spring 2.5 Annotation-based
Dispatching, use Security Annotations as well
– ApplicationContext entry:
<sec:global-method-security secured-annotations="enabled" />
– Annotated method:
import org.springframework.security.annotation.Secured;
...
@Secured({"ROLE_ADMIN"})
@RequestMapping(params="action=view")
public String deleteItems(RequestParam("item") int itemId) {
...
30
31. Applying Portlet Security
To The Service Layer
Making sure Services are invoked by
only by user with proper permissions
31
32. AccessDecisionManager
●
Standard Spring Security bean for making
decisions about access to resources
<bean id="accessDecisionManager"
class="org.springframework.security.vote.
AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.
vote.RoleVoter" />
<bean class="org.springframework.security.
vote.AuthenticatedVoter" />
</list>
</property>
</bean>
32
34. Applying Portlet Security
To Servlets
Using the whole web/portlet application
as one secure bundle
34
35. Bridging The Gap
●
We can reuse the Portlet SecurityContext in
getting resources from Servlets in the same
web application
●
Useful for securing:
– AJAX Calls
– Dynamic Images
– PDF Reports
●
Need to get Portlets and Servlets to share
session data to do this
35
36. Portlets & Servlets Sharing Session
●
Possible according to JSR 168 (PLT 15.4)
– Must be in the same webapp
– Portlet must use APPLICATION_SCOPE
●
Sometime tricky in practice
– Portlet requests go thru Portal webapp URL
– Servlet requests go thru Portlet webapp URL
– Session tracking via JSESSIONID Cookie usually
uses URL path to webapp – not shared!
Tomcat 5.5.4 +
On <Connector> element set emptySessionPath=true
36
38. FilterChainProxy
●
Since the portal handles authentication, you
only need a few entries in this bean:
<bean id="servletSecurityFilterChainProxy"
class="org.springframework.security.util.
FilterChainProxy">
<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/**"
filters="httpSessionContextIntegrationFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</sec:filter-chain-map>
</bean>
38
39. HttpSessionContextIntegrationFilter
●
If session sharing is working properly, it will
populate the SecurityContextHolder using the
same SecurityContext as the Portlet side
<bean id="httpSessionContextIntegrationFilter"
class="org.springframework.security.context.
HttpSessionContextIntegrationFilter" />
This will only work if PortletSessionContextIntegrationInterceptor
is storing in the APPLICATION_SCOPE of the PortletSession
(which is the default)
39
40. ExceptionTranslationFilter
●
Since we are relying on the Portal for
authentication, then an Exception means that
authentication has already failed
●
PreAuthenticatedProcessingFilterEntryPoint
returns SC_FORBIDDEN (HTTP 403 error)
<bean id="exceptionTranslationFilter"
class="org.springframework.security.ui.
ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<bean class="org.springframework.security.ui.preauth.
PreAuthenticatedProcessingFilterEntryPoint" />
</property>
</bean>
40
41. FilterSecurityInterceptor
●
Secure resource URLs accordingly
●
Use the same AuthenticationManager and
AccessDecisionManager as in the portlet
<bean id="filterSecurityInterceptor"
class="org.springframework.security.intercept.web.
FilterSecurityInterceptor">
<property name="authenticationManager"
ref="authenticationManager" />
<property name="accessDecisionManager"
ref="accessDecisionManager" />
<property name="objectDefinitionSource">
<sec:filter-invocation-definition-source>
<sec:intercept-url pattern="/resources/**"
access="IS_AUTHENTICATED_FULLY" />
</sec:filter-invocation-definition-source>
</property>
</bean> 41
43. Resources
●
Spring Security 2.0 Website
– http://static.springframework.org/spring-security/site/
●
Sample Applications
– Small sample included in Spring Security distro
– Bigger sample on the Spring Portlet Wiki
http://opensource.atlassian.com/confluence/spring/display/JSR168/
43
44. Questions & Answers
John A. Lewis
Chief Software Architect
Unicon, Inc.
jlewis@unicon.net
www.unicon.net
44