Authentication & Authorisation Pawan Modi Senior R&D Engineer
6/25/2009
Senior R&D Engineer
Page 1
Agenda
▪ How Web Security Works
▪ Basic Definitions / Acegi Terminology
▪ Acegi Introduction
▪ Acegi Web Security
▪ Authentication Object
▪ Authorization
▪ Filters
▪ FilterToBeanProxy
▪ FilterChainProxy
▪ Conclusion
How Web Security Works
▪ Check if the resource is secured.
▪ Check if the requesting user has been authenticated.
▪ Check if the authenticated user is properly authorized to access the requested resource.
▪ Serve the requested resource.
If the user has not been authenticated yet, walk through the login dialog. If anything is out of order, display the corresponding error page. If the resource is not secured, skip all the previously mentioned steps and serve the resource right away.
Principal
▪ A principal generally means a user, device or some other system which can perform an action in your application.
Authentication
▪ Authentication pertains to the question “Who are you?”
Authorization
▪ Authorization pertains to the question “What may you do?”
▪ This is achieved by making secured resources accessible to particular roles.
Authentication object
▪ The Authentication object contains the username, password and the roles granted to the user.
Authentication Manager
▪ The Authentication Manager creates and validates the Authentication object.
AccessDecisionManager
▪ Access to resources is controlled by the AccessDecisionManager.
Acegi Security provides comprehensive security services for J2EE-based enterprise software applications.
Acegi depends on the Spring framework. Acegi configuration is done by associating JavaBeans with each other via an XML configuration file.
Acegi Security supports a wide range of authentication models.
Acegi Security provides a deep set of authorization capabilities.
The basic problems with the J2EE / EJB security specifications are:
▪ Lack of the security depth required by enterprise applications.
▪ Security is not portable at the WAR or EAR level.
Acegi Security overcomes these problems and also brings you dozens of other useful, entirely customisable security features.
Acegi is able to plug in its security functionality in a modular way.
Acegi security is implemented by the following four checks.
Restricted Access Check
▪ Is the resource secured?
Existing Authentication Check
▪ Has the user been authenticated?
Authentication Request Check
▪ Are the correct username and password provided?
Authorization Check
▪ Does the user have the required roles?
The Authentication object is key to the Acegi framework.
The Authentication object contains the username, password and the roles granted to the user.
The Authentication object is created and validated by the AuthenticationManager.
Access to resources is controlled by the AccessDecisionManager.
Acegi Security supports a wide range of authentication models:
▪ HTTP BASIC authentication headers (an IETF RFC-based standard)
▪ HTTP Digest authentication headers (an IETF RFC-based standard)
▪ HTTP X.509 client certificate exchange (an IETF RFC-based standard)
▪ LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
▪ Form-based authentication (for simple user interface needs)
▪ Computer Associates Siteminder
▪ JA-SIG Central Authentication Service (otherwise known as CAS, which is a popular open source single sign on system)
▪ Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
▪ Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)
▪ Java Authentication and Authorization Service (JAAS)
▪ Anonymous authentication (allowing every call to automatically assume a particular security identity)
▪ Run-as authentication (which is useful if one call should proceed with a different security identity)
▪ Container integration with JBoss, Jetty, Resin and Tomcat (so you can still use Container Manager Authentication if desired)
▪ Your own authentication systems.
Acegi Security includes one concrete GrantedAuthority implementation, i.e. GrantedAuthorityImpl.
All Authentication implementations are required to store an array of GrantedAuthority objects.
All AuthenticationProviders use GrantedAuthorityImpl to populate the Authentication object.
GrantedAuthority objects are inserted into the Authentication object by the AuthenticationManager and are later read by AccessDecisionManagers when making authorization decisions.
GrantedAuthority is an interface with only one method:
public String getAuthority();
Filters are critical: they are the backbone of the Acegi configuration. Acegi uses filters to enable web application security. Acegi security uses the following two basic filters.
▪ FilterToBeanProxy
▪ FilterChainProxy
Most filters are configured using the FilterToBeanProxy. FilterToBeanProxy is the filter that goes into web.xml. It is not the filter that actually implements the logic: it delegates the Filter's methods to a bean obtained from the Spring application context.
The bean must implement javax.servlet.Filter.
FilterToBeanProxy only requires a single initialization parameter, i.e. targetClass or targetBean.
▪ The targetClass parameter locates the first object in the application context of the specified class.
▪ The targetBean parameter locates the object by bean name.
FilterToBeanProxy is a very useful class, but the problem is that the amount of configuration required and the number of entries in web.xml explode when using more than a few filters. Therefore it is strongly recommended to use FilterChainProxy.
Acegi uses a chain of (at least) three filters to enable web application security.
▪ AuthenticationProcessingFilter
▪ HttpSessionContextIntegrationFilter
▪ ExceptionTranslationFilter
▪ FilterSecurityInterceptor
Every HTTP request passes through a chain made of three filters. Filters are chained together by an object called the FilterChainProxy. FilterChainProxy creates and starts these filters.
This proxy is configured in the configuration XML file. Any additional filters will be added to the FilterChainProxy configuration list. FilterChainProxy will locate the first URI pattern that matches the current web request.
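The two pieces of configuration the FilterToBeanProxy and FilterChainProxy slides describe, as an added example that is not from the original deck: a single FilterToBeanProxy entry in web.xml, and the filterChainProxy bean it delegates to. The bean ids httpSessionContextIntegrationFilter, authenticationProcessingFilter, exceptionTranslationFilter and filterSecurityInterceptor are assumed to be defined elsewhere in the same Spring application context; the file name and the URL patterns are constructed for illustration.

```xml
<!-- web.xml: the only Acegi entry needed once FilterChainProxy is used.
     FilterToBeanProxy implements javax.servlet.Filter itself and forwards
     every call to the FilterChainProxy bean found in the application context. -->
<filter>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <!-- targetClass: first bean of this class in the context;
         targetBean with a bean name is the alternative -->
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext-acegi-security.xml (assumed file name): the chain itself.
     FilterChainProxy applies the FIRST pattern that matches the request URI,
     so specific patterns come first and the catch-all /** comes last.
     Filter order within a line matters: the session filter must run first so the
     Authentication object is available to everything after it. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /images/**=httpSessionContextIntegrationFilter
      /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
    </value>
  </property>
</bean>
```

The `/images/**` line is deliberately public: it omits filterSecurityInterceptor, so nothing under that prefix is access-checked. That is the thing to review in any chain definition, since a pattern placed before `/**` that leaves out the interceptor silently exempts every URI it matches.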
AuthenticationProcessingFilter
▪ The first filter through which all HTTP requests pass.
▪ Handles the Authentication Request Check.
▪ Handles logging into the application.
▪ Validates username/password combinations.
▪ Uses the AuthenticationManager to do its work.
Diagram representing AuthenticationProcessingFilter and its dependencies.
AuthenticationProcessingFilter
One of the beans configured in the authenticationProcessingFilter is the authenticationManager bean. This bean manages the various providers you configure. A provider is essentially a repository of usernames with corresponding passwords and roles. Example: one provider could access an Active Directory for employee credentials, while your second provider might access a database for customer credentials.
HttpSessionContextIntegrationFilter
▪ Maintains the Authentication object between requests and passes it to the AuthenticationManager and the AccessDecisionManager whenever needed.
▪ Propagates the established Authentication object through all requests.
▪ The filter wraps the Authentication object in a ThreadLocal and hands that wrapper over to the other filters in the chain.
ExceptionTranslationFilter
One of the two essential filters in the security system. Performs the Existing Authentication Check. Catches any authentication or authorization error.
▪ If the exception was caused by the absence of an Authentication object, i.e. the user has not logged in yet, then it invokes the configured AuthenticationEntryPoint to prompt the user for login.
▪ If the exception was caused by an authorization exception thrown by the FilterSecurityInterceptor, i.e. the user is logged in but is not authorized for the requested resource, then it will send an SC_FORBIDDEN (HTTP 403) error to the browser.
ExceptionTranslationFilter depends on the FilterSecurityInterceptor to do its work.
ExceptionTranslationFilter leaves all the hard work to its collaborators, i.e. the FilterSecurityInterceptor and the authenticationEntryPoint.
FilterSecurityInterceptor
▪ FilterSecurityInterceptor is a part of the securityEnforcementFilter filter.
▪ One of the two essential filters in the security system.
▪ Manages the Restricted Access Check and the Authorisation Check.
▪ Knows which resources are secured and which roles have access to them.
▪ FilterSecurityInterceptor uses the AuthenticationManager and the AccessDecisionManager to do its work.
In Acegi security the secured resources are called object definitions.
AuthenticationManager
▪ The AM is of type ProviderManager and forms a proxy to the AuthenticationProvider.
▪ The Authentication object is created and validated by the AM.
▪ The AM is responsible for passing requests through a chain of AuthenticationProviders.
▪ An AuthenticationProvider validates the entered username/password combination and extracts the roles assigned to that user.
▪ An AuthenticationProvider is itself a proxy to an AuthenticationDao, which is basically a registry containing usernames, passwords and roles.
▪ The AuthenticationDao comes in several types: in-memory, database via JDBC or even LDAP.
▪ In the Dao two default users (jklaassen and bouerj) have been defined, each with a different role.
▪ Multiple ProviderManagers can be associated with one AM.
AccessDecisionManager
▪ The ADM is responsible for authorization. Access to resources is controlled by the ADM.
▪ The ADM takes the available user information and decides whether to grant access.
▪ The ADM uses a Voter to determine if the user will be authorized. The developer has to specify which role names should be handled by a specific voter by specifying the role prefix.
▪ Multiple voters can be associated with one AccessDecisionManager. So it is possible to let Acegi consult several different username/password registries (a mixture of LDAP, database and NT domain registries) with many different role names configured and voted on by several Voters.
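The FilterSecurityInterceptor, AuthenticationManager and AccessDecisionManager slides above describe three beans that refer to each other; here they are wired together, as an added example that is not from the original deck. The provider chain is a ProviderManager delegating to one DaoAuthenticationProvider backed by an in-memory DAO, and the ADM is an AffirmativeBased manager with a single RoleVoter. The users alice, bob and carol, their passwords and the URL patterns are constructed for illustration.

```xml
<!-- AuthenticationManager (Authentication Request Check): a ProviderManager
     tries each provider in order until one accepts or rejects the credentials. -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider"/>
      <!-- an LDAP or JDBC-backed provider for a second registry would be listed here -->
    </list>
  </property>
</bean>

<!-- The provider validates the submitted username/password against a UserDetailsService
     and copies that user's GrantedAuthority[] into the Authentication object.
     With no passwordEncoder configured it compares plaintext, which is fine for the
     constructed in-memory users below but not for a real registry. -->
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService"><ref local="inMemoryDaoImpl"/></property>
</bean>

<!-- In-memory DAO. Format per line: username=password,ROLE_X[,ROLE_Y][,enabled|disabled].
     carol is a valid account that is disabled, so her login is rejected by the provider. -->
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap">
    <value>
      alice=alicepw,ROLE_ADMIN,ROLE_USER
      bob=bobpw,ROLE_USER
      carol=carolpw,disabled,ROLE_USER
    </value>
  </property>
</bean>

<!-- AccessDecisionManager (Authorization Check): grants if any voter grants.
     RoleVoter only votes on attributes starting with its prefix (default ROLE_);
     with allowIfAllAbstainDecisions=false an attribute no voter understands
     results in denial rather than silent access. -->
<bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions"><value>false</value></property>
  <property name="decisionVoters">
    <list>
      <bean class="org.acegisecurity.vote.RoleVoter"/>
    </list>
  </property>
</bean>

<!-- FilterSecurityInterceptor (Restricted Access Check + Authorization Check):
     the object definitions map URL patterns to required roles. First match wins,
     so /admin/** must precede the catch-all /**. -->
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager"><ref local="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /admin/**=ROLE_ADMIN
      /**=ROLE_USER
    </value>
  </property>
</bean>
```

With this configuration alice reaches /admin/ pages, bob gets HTTP 403 there (authenticated but lacking ROLE_ADMIN), and an anonymous request to any URI is sent to the login dialog because the interceptor finds no Authentication object. Swapping the two objectDefinitionSource lines would make /admin/** match the ROLE_USER line first and grant bob access, which is why the pattern order is worth a second look in every deployment.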
AuthenticationEntryPoint
▪ AuthenticationEntryPoint is a bean and part of the securityEnforcementFilter filter.
▪ Starting point of the authentication dialog. If the FilterSecurityInterceptor determines that there is no authentication object present, then the SecurityEnforcementFilter will pass control to the AuthenticationEntryPoint.
▪ The AuthenticationEntryPoint in this example is of type AuthenticationProcessingFilterEntryPoint.
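The remaining filters of the chain, covering the AuthenticationProcessingFilter, HttpSessionContextIntegrationFilter, ExceptionTranslationFilter and AuthenticationEntryPoint slides, as an added example that is not from the original deck. The authenticationManager bean is assumed to be defined elsewhere in the same context; the login and failure URLs are constructed for illustration.

```xml
<!-- Restores the Authentication object from the HttpSession before the request
     and stores it back afterwards (via a ThreadLocal-backed SecurityContext).
     It has no collaborators, but it must be the first Acegi filter in the chain. -->
<bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

<!-- Handles the login form POST (Authentication Request Check).
     The form fields are j_username and j_password and the form posts to
     filterProcessesUrl; on success the user is redirected to the page that
     triggered the login, or to defaultTargetUrl if there was none. -->
<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
  <!-- one generic failure page: do not reveal whether the username or the password was wrong -->
  <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>
  <property name="defaultTargetUrl"><value>/</value></property>
</bean>

<!-- Existing Authentication Check: an AuthenticationException becomes a trip to the
     entry point (the login dialog); an AccessDeniedException becomes HTTP 403. -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <!-- AuthenticationProcessingFilterEntryPoint starts the dialog by redirecting
         to the login form; with forceHttps=true the redirect goes to the HTTPS port
         paired with the current HTTP port (80/443 and 8080/8443 by default),
         so the form and its credentials are not sent in clear. -->
    <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl"><value>/login.jsp</value></property>
      <property name="forceHttps"><value>true</value></property>
    </bean>
  </property>
</bean>
```

The login form itself (/login.jsp here) must be reachable without a role, otherwise the entry point redirects to a page the interceptor immediately rejects and the browser loops; either map it to an anonymous-accessible pattern in the objectDefinitionSource or keep it outside the secured URI space.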
Conclusion
▪ Acegi configuration is done by associating JavaBeans with each other via an XML configuration file.
▪ Acegi is able to plug in its security functionality in a modular way.
▪ The Authentication object contains the username, password and the roles granted to the user.
▪ The Authentication object is created and validated by the AuthenticationManager.
▪ Access to resources is controlled by the AccessDecisionManager.
▪ Acegi uses filters to enable web application security. Filters are chained together by an object called the FilterChainProxy.
▪ AuthenticationProcessingFilter makes use of the authenticationManager bean.
▪ ExceptionTranslationFilter catches any authentication or authorization error.
▪ FilterSecurityInterceptor knows which resources are secured and which roles have access to them.
▪ AuthenticationEntryPoint is a bean and part of the securityEnforcementFilter filter.
http://www.acegisecurity.org/
http://www.acegisecurity.org/guide/springsecurity.html#taglib
http://www.tfoeservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1html.html