Spring seguridad

Solo disponible en BuenasTareas
  • Páginas : 6 (1392 palabras )
  • Descarga(s) : 0
  • Publicado : 28 de noviembre de 2011
Leer documento completo
Vista previa del texto
Securing Portlets With Spring Security
John A. Lewis
Chief Software Architect Unicon, Inc. JA-SIG Spring 2008 Conference 28 April 2008

© Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ Agenda

JSR 168 Portlet Security Spring Security (aka “Acegi”) Spring Portlet Security Applying Portlet Security Resources Questions & Answers

JSR 168 Portlet Security
What does the spec give us to work with?


Portal Authentication

The portal is completely responsible for authentication

This means we just use what it gives us – we don'tredirect for authentication purpose

The JSR 168 PortletRequest class provides two methods for getting user identity (the same ones as the Servlet spec) String getRemoteUser() Principal getUserPrincipal()

Portal Authorization

Portals generally provide the ability to assign a set of “Roles” to the User The JSR 168 PortletRequest class provides a method for getting at these roles(the same ones as the Servlet spec) boolean isUserInRole(String)


Declaring Portal Roles

Same as declaring roles for Servlet containerbased security Include all portal roles that may be used in web.xml:
... manager ...


Mapping Portal Roles To Portlet Roles

In portlet.xml:
books ... ADMINISTRATOR manager Warning!
If you are storing yourSecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later), make sure these are the same in all your declarations – the first one to be invoked on a page will determine the mapping for all portlets in your webapp.

Portlet Role

Portal Role


Security Constraints

Require a secure transport in portlet.xml:

... accountSummary ... ... Secure Portlets accountSummaryCONFIDENTIAL ...


Other Portlet Security Info

PortletRequest has a couple other key security-related methods: StringgetAuthType() String getAuthType()

Returns name of authentication scheme used (BASIC_AUTH, CLIENT_CERT_AUTH, custom) or null if user is not authenticated.

boolean isSecure() boolean isSecure()

Returns true if the request was made over a secure channel(such as HTTPS)

Portlet User Attributes

Can also use the USER_INFO Map available as a PortletRequest attribute. May contain arbitrary user information:
– – – –

user.name.given user.bdate user.gender etc.

Some portals expose security-related information here, but this mechanism should be avoided if possible

Spring Security
a.k.a Acegi Security A quick overview11

What Is Spring Security?

Powerful, flexible security framework for enterprise software Emphasis on applications using Spring Comprehensive authentication, authorization, and instance-based access control Avoids security code in your business logic – treats security as a cross-cutting concern Built-in support for a wide variety of authentication and integration standards


Spring Security Releases

Acegi Security (the old name)
– – –

Current Version: 1.0.7 Initial GA Release: May 2006 Portlet support in Sandbox Current Version: 2.0.0 Initial GA Release: April 2008 Portlet support Included Changes packaging from org.acegisecurity to org.springframework.security

Spring Security (the new name)
– – – –

Applications Are Like Onions●

Spring Security can be applied at multiple layers in your application:

Apply security as markup is constructed in the Rendering Layer using the supplied JSP taglib Restrict access to areas of web application in the Dispatch Layer based on URL pattern-matching Secure method invocation on the Service Layer to ensure calls are from properly authorized user Provide Access Control Lists...
tracking img