Acegi Security
Transcript of Acegi Security
-
7/25/2019 Ace Gi Security
1/23
www.virtuas.com www.springlive.com 2005, Virtuas, LLC
Acegi Security
Matt [email protected]
-
J2EE's CMA
Container Managed Authentication (CMA) built into the Servlet API
Configure security-constraints in web.xml
Configure the Authentication Realm in your application server
-
Basic Authentication (web.xml):
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Protected Area</realm-name>
</login-config>
-
Form Authentication (/WEB-INF/web.xml):
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Area</web-resource-name>
    <url-pattern>*.html</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config><form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page></form-login-config>
</login-config>
-
Form Authentication (/login.jsp):
<form method="post" action="j_security_check">
  Username: <input type="text" name="j_username"/>
  Password: <input type="password" name="j_password"/>
  <input type="submit" value="Login"/>
</form>
/loginError.jsp:
Login failed - please try again.
-
Tomcat Realms
MemoryRealm, JDBCRealm, DataSourceRealm, JAASRealm, JNDIRealm
JDBCRealm Example:
-
Problems with CMA
Not as portable as you'd think
Not all servlet containers ship with a JDBCRealm
Form-based authentication problems:
Often can't control the SQL for the user/role query
No way to filter on /j_security_check to trap when users first log in
Implementation differs on various servers
-
Solution: Acegi Security
Everything can be configured in your application
Secure URLs by role with regular expressions
URL patterns can be regular expressions or Ant-style patterns (e.g. /**/admin*.html)
Authentication methods supported: Basic, Digest, Form, Yale Central Authentication Service (CAS)
Authentication Providers: JDBC, XML, LDAP, CAS
-
Configuration: web.xml
TIP: You may want to filter on *.html, *.jsp and /j_security_check so JavaScript and CSS files are not processed
<filter>
  <filter-name>securityFilter</filter-name>
  <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>securityFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
-
appContext-security.xml
The filterChainProxy bean contains the list of filters that carry out the authentication process. Each filter performs a specific duty:
httpSessionContextIntegrationFilter: communicates with the user's session to store the user's authentication in the ContextHolder.
basicProcessingFilter: processes an HTTP request's BASIC authorization headers, placing the result into the ContextHolder.
securityEnforcementFilter: wraps requests to the FilterSecurityInterceptor, which defines the URLs that roles can access.
-
appContext-security.xml
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/j_security_check*=httpSessionContextIntegrationFilter,authenticationProcessingFilter
/*.html*=httpSessionContextIntegrationFilter,remoteUserFilter,anonymousProcessingFilter,securityEnforcementFilter
/*.jsp=httpSessionContextIntegrationFilter,remoteUserFilter
-
Basic Authentication
-
Secure HTTP Request
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/*.html*=ROLE_USER
/*.jsp=ROLE_USER
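The two definition sources above (the filter-chain map and the URL-to-role map) share one matching syntax. The following is an added Python model of that syntax written for this transcript; it is not Acegi code. It compiles Ant-style patterns to anchored regular expressions, lowercases the request URL first when CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON is set, and takes the first matching line (first-match ordering is an assumption of the model, so more specific patterns are listed first). The filter-chain and role lines are the ones from the slides; the /**/admin*.html=ROLE_ADMIN line is constructed to exercise the pattern quoted earlier in the deck. The model matches against the path plus any query string, which is the reason the slides end *.html with a trailing *; it also shows what the lowercase directive buys: without it, /Index.HTML matches no pattern and is not intercepted at all.

```python
"""Added Python model of the slides' definition-source syntax; not Acegi code."""
import re

# Filter-chain lines from the appContext-security.xml slide.
FILTER_CHAIN = """\
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/j_security_check*=httpSessionContextIntegrationFilter,authenticationProcessingFilter
/*.html*=httpSessionContextIntegrationFilter,remoteUserFilter,anonymousProcessingFilter,securityEnforcementFilter
/*.jsp=httpSessionContextIntegrationFilter,remoteUserFilter
"""

# Role lines from the Secure HTTP Request slide, with one constructed line
# in front to exercise the /**/admin*.html pattern quoted earlier in the deck.
URL_ROLES = """\
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**/admin*.html=ROLE_ADMIN
/*.html*=ROLE_USER
/*.jsp=ROLE_USER
"""


def ant_to_regex(pattern):
    """Compile an Ant-style path pattern to an anchored regex: '**/' spans
    any number of directories, '*' matches within one segment, '?' one char."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_definition(text):
    """Return (lowercase_before_compare, [(regex, [values...]), ...])."""
    lowercase, rules = False, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif line == "PATTERN_TYPE_APACHE_ANT":
            continue  # the only pattern type this model implements
        else:
            pattern, _, values = line.partition("=")
            rules.append((ant_to_regex(pattern), [v.strip() for v in values.split(",")]))
    return lowercase, rules


def lookup(url, definition):
    """Values of the first matching line (filter names or roles), or None when
    no pattern covers the URL. 'url' is the request path plus any query string."""
    lowercase, rules = parse_definition(definition)
    candidate = url.lower() if lowercase else url
    for regex, values in rules:
        if regex.match(candidate):
            return values
    return None


def required_roles(url, definition=URL_ROLES):
    values = lookup(url, definition)
    return None if values is None else set(values)


def is_allowed(url, granted, definition=URL_ROLES):
    """Affirmative decision: holding any one of the required roles suffices.
    A URL that no pattern covers is never intercepted, so it is open."""
    roles = required_roles(url, definition)
    return roles is None or bool(roles & set(granted))
```

Note what the model reports for the slides' own lines: /page.jsp?debug=1 matches neither /*.jsp (no trailing *) nor anything else, so it falls through unprotected, while /index.html?x=1 is still caught by /*.html*.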
-
Form Authentication
Changing from Basic to Form-based authentication is just XML configuration
Login and Error pages can be the same as the CMA pages
No code needed to support Remember Me and Password Encryption - just XML
Can configure SSL channels based on URL pattern
-
Authentication Providers
...
tomcat=tomcat,ROLE_USER
springlive=springlive,ROLE_USER
-
Password Encryption
tomcat=536c0b339345616c1b33caf454454d8b8a190d6c,ROLE_USER
springlive=2a9152cff1d25b5bbaa3e5fbc7acdc6905c9f251,ROLE_USER
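The stored values on this slide are 40 hex characters, i.e. the hex form of an unsalted SHA-1 digest of the password. The following added Python example (not Acegi code) parses the user=password,ROLE_... line format from the previous slide, rewrites it into the hashed form shown here, and authenticates against it with a constant-time comparison. Because an unsalted digest is deterministic, equal passwords yield equal hashes and precomputed tables apply, so the block also includes a salted, iterated alternative (PBKDF2 from the standard library) as the mitigation. The user lines are constructed for the example; the hashes are computed by the code, not copied from the slide.

```python
"""Added example: in-memory user store in the slides' line format, with
password hashing. Not Acegi code; sample users are constructed."""
import hashlib
import hmac
import os

# Constructed sample data in the slides' "user=password,ROLE_..." format.
PLAINTEXT_USERS = """\
tomcat=tomcat,ROLE_USER
springlive=springlive,ROLE_USER,ROLE_ADMIN
"""


def sha1_hex(password):
    """Unsalted SHA-1 hex digest: the 40-character form seen on the slide.
    Deterministic, so equal passwords produce equal hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def parse_user_lines(text, encoder=None):
    """Map username -> {'password', 'roles'}; if 'encoder' is given, the
    password field in the text is treated as plaintext and hashed."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rest = line.partition("=")
        secret, *roles = [p.strip() for p in rest.split(",")]
        if encoder is not None:
            secret = encoder(secret)
        users[name.strip()] = {"password": secret, "roles": roles}
    return users


def encode_user_lines(text, encoder):
    """Rewrite plaintext lines into hashed lines, as the slide does."""
    return "\n".join(
        f"{name}={rec['password']},{','.join(rec['roles'])}"
        for name, rec in parse_user_lines(text, encoder).items()
    )


# The hashed store the rest of the example authenticates against.
HASHED_USERS = parse_user_lines(encode_user_lines(PLAINTEXT_USERS, sha1_hex))


def authenticate(users, username, password, encoder=sha1_hex):
    """Return the granted roles, or None. The digest comparison is
    constant-time so timing does not reveal how much of the hash matched."""
    rec = users.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(encoder(password), rec["password"]):
        return None
    return rec["roles"]


def pbkdf2_hex(password, salt=None, iterations=200_000):
    """Salted, iterated alternative: identical passwords hash differently
    and each guess costs 'iterations' rounds. Stored as salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_pbkdf2(password, stored):
    salt_hex, _, _ = stored.partition("$")
    candidate = pbkdf2_hex(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```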
-
JDBC Provider
To use JDBC, just define a bean with a dataSource dependency:
Default SQL for selecting users and roles:
"SELECT username,password,enabled FROM users WHERE username = ?";
"SELECT username,authority FROM authorities WHERE username = ?";
-
Customize SQL
Specify the usersByUsernameQuery and authoritiesByUsernameQuery properties to override the SQL:
SELECT username,password,enabled as 'true' FROM users WHERE username = ?
SELECT username,rolename FROM user_roles WHERE username = ?
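To show what overriding the two queries achieves, here is an added Python model of the JDBC lookup (not Acegi code) using sqlite3 in memory. The default queries are the ones from the previous slide and run against a users/authorities schema; the overridden pair runs against a constructed legacy schema that has a user_roles table with a rolename column and no enabled column, so the users query selects the literal 'true' as the enabled column. In both cases the username is bound as a ? parameter rather than concatenated into the SQL, and the example checks that an injection-shaped username simply finds no row. Table contents are constructed.

```python
"""Added example: a JDBC-style user lookup whose two queries can be
overridden, modelled with sqlite3. Not Acegi code; data is constructed."""
import sqlite3

# Default queries from the JDBC Provider slide.
DEFAULT_USERS_QUERY = "SELECT username,password,enabled FROM users WHERE username = ?"
DEFAULT_AUTHORITIES_QUERY = "SELECT username,authority FROM authorities WHERE username = ?"


class JdbcUserLookup:
    def __init__(self, conn, users_query=DEFAULT_USERS_QUERY,
                 authorities_query=DEFAULT_AUTHORITIES_QUERY):
        self.conn = conn
        self.users_query = users_query
        self.authorities_query = authorities_query

    def load_user(self, username):
        """Return {'username', 'password', 'enabled', 'roles'} or None.
        The username is passed as a bound parameter, never spliced into SQL."""
        row = self.conn.execute(self.users_query, (username,)).fetchone()
        if row is None:
            return None
        roles = [r[1] for r in self.conn.execute(self.authorities_query, (username,))]
        return {
            "username": row[0],
            "password": row[1],
            "enabled": str(row[2]).lower() in ("1", "true"),
            "roles": roles,
        }


def default_schema_connection():
    """Constructed tables matching the default queries' column names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT PRIMARY KEY, password TEXT, enabled INTEGER);
        CREATE TABLE authorities(username TEXT, authority TEXT);
        INSERT INTO users VALUES ('tomcat', 'tomcat', 1), ('locked', 'x', 0);
        INSERT INTO authorities VALUES ('tomcat', 'ROLE_USER');
    """)
    return conn


def custom_schema_connection():
    """Constructed legacy schema: no enabled column, roles in user_roles."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE user_roles(username TEXT, rolename TEXT);
        INSERT INTO users VALUES ('springlive', 'springlive');
        INSERT INTO user_roles VALUES ('springlive', 'ROLE_USER'), ('springlive', 'ROLE_ADMIN');
    """)
    return conn


def lookup_default(username):
    return JdbcUserLookup(default_schema_connection()).load_user(username)


def lookup_custom(username):
    # The overridden queries, adapted to the legacy schema above.
    return JdbcUserLookup(
        custom_schema_connection(),
        users_query="SELECT username,password,'true' AS enabled FROM users WHERE username = ?",
        authorities_query="SELECT username,rolename FROM user_roles WHERE username = ?",
    ).load_user(username)
```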
-
Secure Methods by Role
org.appfuse.service.UserManager.getUser=ROLE_ADMIN
org.appfuse.service.UserManager.getUsers=ROLE_USER
org.appfuse.service.UserManager.removeUser=ROLE_ADMIN
org.appfuse.service.UserManager.saveUser=ROLE_ADMIN
...
-
Other Features
Access Control Lists (ACLs): Control permissions per object
AfterMethodInvocation Interceptor: Removes objects from collections when the user can't read them
Auditing and Event Logging:
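The method-by-role mapping from the Secure Methods by Role slide and the after-invocation filtering just described are two sides of one interceptor chain: a check before the call, a filter on what the call returns. The following is an added Python model of both (not Acegi code). The METHOD_ROLES keys are the fully-qualified names from the slide; the UserManager class, its sample records and the "owner or admin may read" rule are constructed for the example, and the principal is kept in thread-local storage in the spirit of the ContextHolder.

```python
"""Added example: before-invocation role check plus after-invocation
collection filtering. A Python model of the mechanism; not Acegi code."""
import functools
import threading

_context = threading.local()  # stands in for the ContextHolder


def set_principal(name, roles):
    _context.principal = (name, set(roles))


def clear_principal():
    _context.principal = None


def current_principal():
    return getattr(_context, "principal", None)


# Fully-qualified method name -> required roles, from the slide.
METHOD_ROLES = {
    "org.appfuse.service.UserManager.getUser": {"ROLE_ADMIN"},
    "org.appfuse.service.UserManager.getUsers": {"ROLE_USER"},
    "org.appfuse.service.UserManager.removeUser": {"ROLE_ADMIN"},
    "org.appfuse.service.UserManager.saveUser": {"ROLE_ADMIN"},
}


class AccessDenied(Exception):
    pass


def secured(qualified_name):
    """Before-invocation check: refuse unless the caller holds at least one
    of the roles mapped for this method (affirmative voting on roles)."""
    required = METHOD_ROLES[qualified_name]

    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            principal = current_principal()
            if principal is None or not (principal[1] & required):
                raise AccessDenied(qualified_name)
            return fn(*args, **kwargs)
        return wrapper
    return decorator


def filter_readable(fn):
    """After-invocation filter: drop returned elements the caller may not
    read. Constructed rule: readable if the caller owns it or is an admin."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        name, roles = current_principal()
        result = fn(*args, **kwargs)
        return [o for o in result if "ROLE_ADMIN" in roles or o["owner"] == name]
    return wrapper


class UserManager:
    """Constructed service with the methods named on the slide."""

    def __init__(self):
        self._users = {
            "tomcat": {"username": "tomcat", "owner": "tomcat"},
            "springlive": {"username": "springlive", "owner": "springlive"},
        }

    @secured("org.appfuse.service.UserManager.getUser")
    def get_user(self, username):
        return self._users[username]

    @secured("org.appfuse.service.UserManager.getUsers")
    @filter_readable
    def get_users(self):
        return list(self._users.values())

    @secured("org.appfuse.service.UserManager.removeUser")
    def remove_user(self, username):
        return self._users.pop(username, None) is not None


def is_denied(call, *args, **kwargs):
    """True when the interceptor refuses the call."""
    try:
        call(*args, **kwargs)
    except AccessDenied:
        return True
    return False
```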
-
J2EE vs. Acegi Security
Security Framework: J2EE Security
Pros:
It is easy to set up from an application perspective.
User Realm configuration is in the hands of the deployer.
Because it's a standard, many sources of documentation are available.
Cons:
It can be difficult to port from one application server to the other.
Even though the application-developer configuration is standardized, the realm configuration for servers is not.
Service layer methods can only be secured if using EJBs.
-
J2EE vs. Acegi Security
Security Framework: Acegi Security
Pros:
Security configuration is completely self-contained in the application, so you don't have to worry about application server portability.
It solves many of the shortcomings of J2EE security and allows all the same things, with the option to customize.
It supports single sign-on with CAS.
It's evolving and improving very rapidly.
It allows you to secure methods of any Spring-managed bean and to filter objects based on their ACLs.
Cons:
It requires a lot of XML to configure.
The learning curve can be a little steep and seem overwhelming at first.
Realm information is packaged with the application, making it tough for a deployer to change.
-
Questions?