Acegi Security

Transcript of Acegi Security

  • 7/25/2019 Ace Gi Security

    Slide 1/23

    www.virtuas.com www.springlive.com 2005, Virtuas, LLC

    Acegi Security

    Matt [email protected]

  • Slide 2/23: J2EE's CMA

    Container Managed Authentication (CMA) built into the Servlet API

    Configure security-constraints in web.xml

    Configure Authentication Realm in your application server

  • Slide 3/23: Basic Authentication

    /WEB-INF/web.xml (the transcript kept only the element values; the standard Servlet tags are restored around them):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure Area</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Protected Area</realm-name>
    </login-config>

  • Slide 4/23: Form Authentication

    /WEB-INF/web.xml (the transcript kept only the element values; the standard Servlet tags are restored around them):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure Area</web-resource-name>
        <url-pattern>*.html</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
      </form-login-config>
    </login-config>

  • Slide 5/23: Form Authentication

    /login.jsp (form markup restored around the transcript's labels; j_security_check, j_username and j_password are the names the Servlet spec requires for FORM login):

    <form method="post" action="j_security_check">
      Username: <input type="text" name="j_username"/>
      Password: <input type="password" name="j_password"/>
      <input type="submit" value="Login"/>
    </form>

    /loginError.jsp:

    Login failed - please try again.

  • Slide 6/23: Tomcat Realms

    MemoryRealm, JDBCRealm, DataSourceRealm, JAASRealm, JNDIRealm

    JDBCRealm example:

  • Slide 7/23: Problems with CMA

    Not as portable as you'd think

    Not all servlet containers ship with a JDBCRealm

    Form-based authentication problems:

    Often can't control the SQL for the user/role query

    No way to filter on /j_security_check to trap when users first log in

    Implementation differs between servers

  • Slide 8/23: Solution: Acegi Security

    Everything can be configured in your application

    Secure URLs by role with regular expressions

    URL patterns can be regular expressions or Ant-style patterns (e.g. /**/admin*.html)

    Authentication methods supported: Basic, Digest, Form, Yale Central Authentication Service (CAS)

    Authentication Providers: JDBC, XML, LDAP, CAS

  • Slide 9/23: Configuration: web.xml

    TIP: You may want to filter on *.html, *.jsp and /j_security_check so JavaScript and CSS files are not processed

    (the transcript kept only the element values; the standard Servlet filter tags are restored around them)

    <filter>
      <filter-name>securityFilter</filter-name>
      <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
      <init-param>
        <param-name>targetClass</param-name>
        <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>securityFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

  • Slide 10/23: appContext-security.xml

    The filterChainProxy bean contains the list of filters that carry out the authentication process. Each filter performs a specific duty:

    httpSessionContextIntegrationFilter: communicates with the user's session to store the user's authentication in the ContextHolder.

    basicProcessingFilter: processes an HTTP request's BASIC authorization header, placing the result into the ContextHolder.

    securityEnforcementFilter: wraps requests to the FilterSecurityInterceptor, which defines the URLs that roles can access.

  • Slide 11/23: appContext-security.xml

    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /j_security_check*=httpSessionContextIntegrationFilter,authenticationProcessingFilter
    /*.html*=httpSessionContextIntegrationFilter,remoteUserFilter,anonymousProcessingFilter,securityEnforcementFilter
    /*.jsp=httpSessionContextIntegrationFilter,remoteUserFilter

  • Slide 12/23: Basic Authentication

  • Slide 13/23: Secure HTTP Request

    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /*.html*=ROLE_USER
    /*.jsp=ROLE_USER
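The two definition-source blocks above (the filter chain on slide 11 and the URL-to-role map on slide 13) share one text format: two optional directive lines followed by `pattern=value,value` lines, resolved by the first pattern that matches the request. The following Python is an added example, not code from the slides or from Acegi, that parses that format, translates Ant-style patterns into regular expressions, and resolves a request URI to the values of the first matching line. It assumes, following the trailing `*` in the page's `/*.html*` patterns, that the pattern is compared against the whole request URI including any query string, and that a definition with no `PATTERN_TYPE_APACHE_ANT` line is read as plain regular expressions. The sample definitions are constructed from the slides; the `/**/admin*.html` pattern is the one from slide 8.

```python
import re

# Constructed samples in the objectDefinitionSource text format shown on the slides:
# the filterChainProxy definition (slide 11) and the URL-to-role definition (slide 13).
FILTER_CHAIN_DEFINITION = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/j_security_check*=httpSessionContextIntegrationFilter,authenticationProcessingFilter
/*.html*=httpSessionContextIntegrationFilter,remoteUserFilter,anonymousProcessingFilter,securityEnforcementFilter
/*.jsp=httpSessionContextIntegrationFilter,remoteUserFilter
"""

ROLE_DEFINITION = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/*.html*=ROLE_USER
/*.jsp=ROLE_USER
"""


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into a regular-expression string.

    '**' matches any number of path segments, '*' matches within one segment,
    '?' matches a single non-slash character; everything else is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            out.append("(?:/.*)?/")      # zero or more intermediate directories
            i += 4
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


class DefinitionSource:
    """Parses the directive lines and the 'pattern=value,value' lines, then
    resolves a request URI to the values of the first matching line."""

    def __init__(self, text):
        self.lowercase = False
        self.ant = False
        self.entries = []   # (original pattern, compiled regex, list of values)
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
                self.lowercase = True
                continue
            if line == "PATTERN_TYPE_APACHE_ANT":
                self.ant = True
                continue
            pattern, sep, values = line.partition("=")
            if not sep or not values.strip():
                raise ValueError("malformed definition line: %r" % raw)
            # Assumption: without the Ant directive the pattern is a plain regex.
            regex = ant_to_regex(pattern) if self.ant else pattern
            self.entries.append(
                (pattern, re.compile(regex), [v.strip() for v in values.split(",")]))

    def lookup(self, request_uri):
        """Return the values of the first line whose pattern matches the whole
        request URI (path plus query string), or None when no line matches."""
        url = request_uri.lower() if self.lowercase else request_uri
        for _pattern, regex, values in self.entries:
            if regex.fullmatch(url):
                return values
        return None


if __name__ == "__main__":
    chains = DefinitionSource(FILTER_CHAIN_DEFINITION)
    roles = DefinitionSource(ROLE_DEFINITION)
    for uri in ("/j_security_check", "/Index.HTML?page=2", "/login.jsp",
                "/login.jsp?error=1", "/admin/users.html", "/scripts/app.js"):
        print("%-22s filters=%s roles=%s" % (uri, chains.lookup(uri), roles.lookup(uri)))
```

Two things the resolver makes visible that the slide text does not: a URI that matches no line gets no filters and no roles (returned here as `None`), and `*` does not cross a slash, so `/*.html*` protects `/index.html` but not `/admin/users.html`; a pattern such as `/**/*.html*` covers nested pages as well. Ordering also matters, since the first match wins, and `/*.jsp` without a trailing `*` stops matching as soon as a query string is appended.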

  • Slide 14/23: Form Authentication

    Changing from Basic to Form-based authentication is just XML configuration

    Login and Error pages can be the same as the CMA pages

    No code needed to support Remember Me and Password Encryption - just XML

    Can configure SSL channels based on URL pattern

  • Slide 15/23: Authentication Providers

    ...
    tomcat=tomcat,ROLE_USER
    springlive=springlive,ROLE_USER

  • Slide 16/23: Password Encryption

    tomcat=536c0b339345616c1b33caf454454d8b8a190d6c,ROLE_USER
    springlive=2a9152cff1d25b5bbaa3e5fbc7acdc6905c9f251,ROLE_USER
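Slides 15 and 16 show the same in-memory user list twice, first with clear-text passwords and then with the password field replaced by an unsalted SHA-1 hex digest. The Python below is an added example, not code from the slides or from Acegi, that parses the `username=password,ROLE_...` lines and checks a submitted password against the stored digest. It assumes the digest is plain SHA-1 of the UTF-8 password with no salt, which is what the page's hashes look like; the user lines are the ones on the slide.

```python
import hashlib
import hmac

# Constructed user list in the page's in-memory provider format, with the
# password field holding an unsalted SHA-1 hex digest as on slide 16.
USERS_PROPERTIES = """
tomcat=536c0b339345616c1b33caf454454d8b8a190d6c,ROLE_USER
springlive=2a9152cff1d25b5bbaa3e5fbc7acdc6905c9f251,ROLE_USER
"""


def parse_users(text):
    """Parse 'username=password,ROLE_A,ROLE_B' lines into a dict keyed by username."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        username, sep, rest = line.partition("=")
        fields = [f.strip() for f in rest.split(",")]
        if not sep or not fields[0]:
            raise ValueError("malformed user line: %r" % raw)
        users[username.strip()] = {"password": fields[0], "roles": fields[1:]}
    return users


def sha_encode(raw_password):
    """Unsalted SHA-1 hex digest (assumption: the encoding behind the slide's hashes)."""
    return hashlib.sha1(raw_password.encode("utf-8")).hexdigest()


def authenticate(users, username, raw_password):
    """Return the user's role list on success, None on failure.

    The digest comparison is constant-time, and the digest is computed even
    for unknown usernames so a miss takes about as long as a hit.
    """
    candidate = sha_encode(raw_password)
    record = users.get(username)
    if record is None:
        return None
    if not hmac.compare_digest(candidate, record["password"]):
        return None
    return record["roles"]


if __name__ == "__main__":
    users = parse_users(USERS_PROPERTIES)
    for name, pw in (("tomcat", "tomcat"), ("tomcat", "wrong"), ("nobody", "tomcat")):
        print("%s/%s -> %s" % (name, pw, authenticate(users, name, pw)))
```

Because the digest is unsalted, two users with the same password store the same hex string, and a precomputed table of SHA-1 digests applies to every account at once; that is the reason later password encoders salt per user and use a deliberately slow hash. The slide's format does not carry a salt, so this example cannot add one without changing the format.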

  • Slide 17/23: JDBC Provider

    To use JDBC, just define a bean with a dataSource dependency:

    Default SQL for selecting users and roles:
    "SELECT username,password,enabled FROM users WHERE username = ?";
    "SELECT username,authority FROM authorities WHERE username = ?";

  • Slide 18/23: Customize SQL

    Specify the usersByUsernameQuery and authoritiesByUsernameQuery properties to override the SQL:

    SELECT username,password,enabled as 'true' FROM users WHERE username = ?
    SELECT username,rolename FROM user_roles WHERE username = ?

  • Slide 19/23: Secure Methods by Role

    org.appfuse.service.UserManager.getUser=ROLE_ADMIN
    org.appfuse.service.UserManager.getUsers=ROLE_USER
    org.appfuse.service.UserManager.removeUser=ROLE_ADMIN
    org.appfuse.service.UserManager.saveUser=ROLE_ADMIN
    ...

  • Slide 20/23: Other Features

    Access Control Lists (ACLs): Control permissions per object

    AfterMethodInvocation Interceptor: Removes objects from collections when the user can't read them

    Auditing and Event Logging:

  • Slide 21/23: J2EE vs. Acegi Security

    Security Framework: J2EE Security

    Pros:
    It is easy to set up from an application perspective.
    User Realm configuration is in the hands of the deployer.
    Because it's a standard, many sources of documentation are available.

    Cons:
    It can be difficult to port from one application server to the other.
    Even though the application-developer configuration is standardized, the realm configuration for servers is not.
    Service layer methods can only be secured if using EJBs.

  • Slide 22/23: J2EE vs. Acegi Security

    Security Framework: Acegi Security

    Pros:
    Security configuration is completely self-contained in the application; you don't have to worry about application server portability.
    It solves many of the shortcomings of J2EE security and allows all the same things, with the option to customize. It supports single sign-on with CAS.
    It's evolving and improving very rapidly.
    It allows you to secure methods of any Spring-managed bean and to filter objects based on their ACLs.

    Cons:
    It requires a lot of XML to configure.
    The learning curve can be a little steep and seem overwhelming at first.
    Realm information is packaged with the application, making it tough for a deployer to change.

  • Slide 23/23: Questions?

    [email protected]