Using Spring Security and CAS JA-SIG Summer Conference Denver, CO June 24 – 27, 2007.
Using Spring Security and CAS
JA-SIG Summer Conference, Denver, CO
June 24 – 27, 2007
Enterprise Systems & Services
Who am I?
• Application Developer @ Rutgers
• Java Developer for 5+ years
• Lead Developer on JA-SIG CAS
• Committer on Spring Security
Agenda
1. History and Overview
2. Benefits for Programmers
3. Benefits for Users
4. Demo
5. Case Study
6. Future Directions
7. Discussion
1. Overview & History
What is Spring Security?
Spring Security is a powerful and flexible security solution for enterprise software.
Users
• Used worldwide at:
  – Major institutions such as Rutgers
  – Major financial institutions and banks
  – Several Australian government departments
• Integrated with:
  – Frameworks such as Grails, Trails, etc.
  – Applications such as Roller, Mule
Authentication Features
• LDAP
• BASIC
• Digest
• JAAS
• CAS
• X.509 Certificates
• DAO
• Run-as Replacement
• Form-based login
• Anonymous
• Remember-Me
• SiteMinder
• HTTP Switch User
• Concurrent User Limiting
• Container Adapters
• Write your own…
Technical Details
• Uses Spring IoC container
  – DI, events, localization and JdbcTemplate
• Completely interface-driven
• High cohesion, loosely coupled
• Encourage customization and extension
• Java 1.3+ compatible
  – Java 5 code packaged in “Tiger” JAR
How Spring Security Works
Diagram: a web user's request enters the Servlet Container, where FilterToBeanProxy hands it to the FilterChainProxy living in the IoC Container; the FilterChainProxy runs Filter 1, Filter 2, Filter 3, Filter 4, Filter 5 … Filter X in order before the request reaches the Servlet.
How Spring Security Works
| # | Filter Name | Main Purpose |
|---|---|---|
| 1 | HttpSessionContextIntegrationFilter | Stores SecurityContextHolder between HTTP requests |
| 2 | LogoutFilter | Clears SecurityContextHolder when logout requested |
| 3 | Authentication Mechanism Filters | Puts Authentication into SecurityContextHolder |
| 4 | ExceptionTranslationFilter | Converts Acegi Security exceptions into HTTP |
| 5 | FilterSecurityInterceptor | Authorizes web filter requests based on URL patterns |
How Spring Security Works
Diagram: the Authentication Mechanism (Filter 3) creates an Authentication “Request” and calls the ProviderManager; the ProviderManager creates and returns an Authentication “Response”, which the filter uses to populate the SecurityContextHolder.
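The request/response flow shown on this slide and the filter ordering from the previous table, as an added illustrative Java model written for this transcript, not code from Spring Security or from the talk: the class names follow the slide boxes, while the field layout, the single-user provider and the use of SecurityException are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
// Illustrative model of the slide-11 flow, not Spring Security's real API: the
// authentication-mechanism filter builds an Authentication "request", ProviderManager asks
// its providers in order, and the authenticated "response" goes into SecurityContextHolder.
public class AuthFlowModel {
    static final class Authentication {
        final String principal, credentials; final boolean authenticated;
        Authentication(String p, String c, boolean a) { principal = p; credentials = c; authenticated = a; }
    }
    interface AuthenticationProvider {
        Authentication authenticate(Authentication request); // null: cannot decide, try the next one
    }
    // Per-thread storage; clear() must run at request end or pooled threads leak identities.
    static final class SecurityContextHolder {
        private static final ThreadLocal<Authentication> CTX = new ThreadLocal<>();
        static void set(Authentication a) { CTX.set(a); }
        static Authentication get() { return CTX.get(); }
        static void clear() { CTX.remove(); }
    }
    // Tries each provider in order; the first non-null result is the "response".
    static final class ProviderManager {
        private final List<AuthenticationProvider> providers = new ArrayList<>();
        ProviderManager add(AuthenticationProvider p) { providers.add(p); return this; }
        Authentication authenticate(Authentication request) {
            for (AuthenticationProvider p : providers) {
                Authentication result = p.authenticate(request);
                if (result != null) return result;
            }
            throw new SecurityException("no provider authenticated " + request.principal);
        }
    }
    // The "Filter 3" box: create the request, call the manager, populate the holder.
    static void authenticationMechanismFilter(ProviderManager pm, String user, String password) {
        SecurityContextHolder.set(pm.authenticate(new Authentication(user, password, false)));
    }
    public static void main(String[] args) {
        // Constructed single-user provider (assumption); a real one would consult LDAP, a DAO, CAS, etc.
        ProviderManager pm = new ProviderManager().add(r ->
            "alice".equals(r.principal) && "secret".equals(r.credentials)
                ? new Authentication(r.principal, null, true) : null); // response drops the password
        try {
            authenticationMechanismFilter(pm, "alice", "secret");
            System.out.println("authenticated=" + SecurityContextHolder.get().authenticated);
        } finally {
            SecurityContextHolder.clear(); // end-of-request cleanup, as the integration filter does
        }
    }
}
```

The clear() in the finally block matters on pooled servlet threads: without it a stale Authentication would remain visible to the next request served by that thread.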
What is JA-SIG CAS?
JA-SIG CAS is single sign on for the web. It provides a trusted
mechanism for authenticating users across your applications.
Users
• Deployed by:
  – Institutions of Higher Education
  – Non-profits
  – Commercial companies
  – etc.
• Deployed worldwide:
  – U.S., Canada, Hong Kong
  – Belgium, France, Russia, China, Japan
  – India, Australia, New Zealand
  – Greece, Turkey, England
  – Netherlands, Spain, Sweden, Portugal
  – etc.
• 3rd year of project
• Over 1000 downloads a month
• Active community of deployers
• Driven by community feedback
Authentication Features
• LDAP
• DAO
• NTLM
• SPNEGO
• RADIUS
• File System
• X.509
• “Trusted”
• JAAS
• Acegi
Other Features
• Clustering
• Client Libraries (PHP, Java, etc.)
• Demo-able/Quickstart WAR file
• Quality Documentation
• Active community mailing lists
Technical Details
• Uses Spring IoC Container
  – DI, Localization, events, JdbcTemplate, LdapTemplate, etc.
• Completely interface-driven
• Encourage customization and extension
• Java 1.5+/Servlet 2.4 compatible
How CAS Works
Diagram: a web user's request enters the Servlet Container's DispatcherServlet, which hands it to a WebFlow Controller that runs action0, action1, … action(n-1), action(n) in sequence.
How CAS Works
Diagram: the final action (action n) creates Credentials and calls the CentralAuthenticationService; the CentralAuthenticationService calls the AuthenticationManager, which creates and returns an Authentication, and then calls the TicketRegistry, where a Ticket is created.
2. Benefits for Programmers
Benefits for Programmers
• Code reduction
  – Declaratively configured
  – No audit logs for authentication
  – OOTB authorization and authentication
• Tag Libs
• Proxy Authentication
• Domain object instance security
• Only one place to “watch” for account security
3. Benefits for Users
Benefits for Users
• Single Sign On
• Passwords are only passed to one “trusted” resource
• Better application security
• Harder to trick someone with “phishing” attempts
4. How to Integrate
Demo
5. Case Study
Rutgers Case Study – Where Were We?
• Duplicating authentication code on each application
• Multiple authentication methods
• Sign in to each application
• De-centralized authentication
Rutgers Case Study – What We Did
• Introduced a portal
• Centralized authentication
• Single Sign On
• Proxy Authentication
• Introduced Acegi into Java applications
Rutgers Case Study – What it Got Us
• Better user experience
• Minimized access to passwords
• Created “horizontal” authentication component
• Standardized security code
• (still a work in progress though)
6. Future Directions
Acegi Roadmap
• 1.0.x branch -> minor updates
• 2.0
  – Renamed to Spring Security
  – Support for Spring 2.0
  – OpenID Support
  – Windows Domain Support
  – Updated CAS Support
CAS Roadmap
• Additional Protocol Support
• Internationalization
• Configuration/Setup Screens
• Advanced Monitoring
• Integration with Account Management Systems
Conclusion
• Acegi Security is a fully-featured solution
  – Many authentication strategies
  – Decoupled web and method authorization
  – Completely customizable by end users
  – Active community, quality documentation, etc.
• CAS is a fully-featured solution
  – Many authentication strategies
  – Easily pluggable and extensible
  – Active community, quality documentation, etc.
  – Support for multiple platforms
7. Discussion
Spring Security
• Web Site – http://www.acegisecurity.org
• Forum – http://forum.springframework.org
• Mailing Lists
  – Acegi Developer List: https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
CAS Mailing Lists
• CAS Community Discussion List – http://tp.its.yale.edu/mailman/listinfo/cas
• CAS Developer’s Discussion List – http://tp.its.yale.edu/mailman/listinfo/cas-dev
• CAS Announcement List – https://lists.wisc.edu/read/all_forums/subscribe?name=cas-announce
• Links to archives, etc. – http://www.ja-sig.org/products/cas/community/lists/
CAS Sites
• Product Web Site – http://www.ja-sig.org/products/cas/
• Wiki – http://www.ja-sig.org/wiki
• Issue Tracker – http://www.ja-sig.org/issues
• Source Code – http://developer.ja-sig.org/source/
Questions?