John A. Lewis
Chief Software Architect Unicon, Inc. JA-SIG Spring 2008 Conference 28 April 2008
© Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/Agenda
JSR 168 Portlet Security Spring Security (aka “Acegi”) Spring Portlet Security Applying Portlet Security Resources Questions & Answers
JSR 168 Portlet Security
What does the spec give us to work with?
The portal is completely responsible for authentication
This means we just use what it gives us – we don'tredirect for authentication purpose
The JSR 168 PortletRequest class provides two methods for getting user identity (the same ones as the Servlet spec) String getRemoteUser() Principal getUserPrincipal()
Portals generally provide the ability to assign a set of “Roles” to the User The JSR 168 PortletRequest class provides a method for getting at these roles(the same ones as the Servlet spec) boolean isUserInRole(String)
Declaring Portal Roles
Same as declaring roles for Servlet containerbased security Include all portal roles that may be used in web.xml:
... manager ...
Mapping Portal Roles To Portlet Roles
books ... ADMINISTRATOR manager Warning!
If you are storing yourSecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later), make sure these are the same in all your declarations – the first one to be invoked on a page will determine the mapping for all portlets in your webapp.
Require a secure transport in portlet.xml:
... accountSummary ... ... Secure Portlets accountSummaryCONFIDENTIAL ...
Other Portlet Security Info
PortletRequest has a couple other key security-related methods: StringgetAuthType() String getAuthType()
Returns name of authentication scheme used (BASIC_AUTH, CLIENT_CERT_AUTH, custom) or null if user is not authenticated.
boolean isSecure() boolean isSecure()
Returns true if the request was made over a secure channel(such as HTTPS)
Portlet User Attributes
Can also use the USER_INFO Map available as a PortletRequest attribute. May contain arbitrary user information:
– – – –
user.name.given user.bdate user.gender etc.
Some portals expose security-related information here, but this mechanism should be avoided if possible
a.k.a Acegi Security A quick overview11
What Is Spring Security?
Powerful, flexible security framework for enterprise software Emphasis on applications using Spring Comprehensive authentication, authorization, and instance-based access control Avoids security code in your business logic – treats security as a cross-cutting concern Built-in support for a wide variety of authentication and integration standards
Spring Security Releases
Acegi Security (the old name)
– – –
Current Version: 1.0.7 Initial GA Release: May 2006 Portlet support in Sandbox Current Version: 2.0.0 Initial GA Release: April 2008 Portlet support Included Changes packaging from org.acegisecurity to org.springframework.security
Spring Security (the new name)
– – – –
Applications Are Like Onions●
Spring Security can be applied at multiple layers in your application:
Apply security as markup is constructed in the Rendering Layer using the supplied JSP taglib Restrict access to areas of web application in the Dispatch Layer based on URL pattern-matching Secure method invocation on the Service Layer to ensure calls are from properly authorized user Provide Access Control Lists...