Spring Security
John A. Lewis
Chief Software Architect, Unicon, Inc.
JA-SIG Spring 2008 Conference, 28 April 2008
© Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Agenda
● JSR 168 Portlet Security
● Spring Security (aka “Acegi”)
● Spring Portlet Security
● Applying Portlet Security
● Resources
● Questions & Answers
JSR 168 Portlet Security
What does the spec give us to work with?
Portal Authentication
● The portal is completely responsible for authentication
– This means we just use what it gives us – we don't redirect for authentication purposes
● The JSR 168 PortletRequest class provides two methods for getting user identity (the same ones as the Servlet spec):
  String getRemoteUser()
  Principal getUserPrincipal()
Portal Authorization
● Portals generally provide the ability to assign a set of “Roles” to the User
● The JSR 168 PortletRequest class provides a method for getting at these roles (the same one as the Servlet spec):
  boolean isUserInRole(String)
Declaring Portal Roles
● Same as declaring roles for Servlet container-based security
● Include all portal roles that may be used in web.xml:
  ...
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  ...
Mapping Portal Roles To Portlet Roles
● In portlet.xml:
  <portlet>
    <portlet-name>books</portlet-name>
    ...
    <security-role-ref>
      <role-name>ADMINISTRATOR</role-name>  <!-- Portlet Role -->
      <role-link>manager</role-link>        <!-- Portal Role -->
    </security-role-ref>
  </portlet>
Warning! If you are storing your SecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later), make sure these are the same in all your declarations – the first one to be invoked on a page will determine the mapping for all portlets in your webapp.
Security Constraints
● Require a secure transport in portlet.xml:
  ...
  <portlet>
    <portlet-name>accountSummary</portlet-name>
    ...
  </portlet>
  ...
  <security-constraint>
    <display-name>Secure Portlets</display-name>
    <portlet-collection>
      <portlet-name>accountSummary</portlet-name>
    </portlet-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  ...
Other Portlet Security Info
● PortletRequest has a couple of other key security-related methods:
  String getAuthType()
  Returns the name of the authentication scheme used (BASIC_AUTH, CLIENT_CERT_AUTH, custom) or null if the user is not authenticated.
  boolean isSecure()
  Returns true if the request was made over a secure channel (such as HTTPS).
Portlet User Attributes
● Can also use the USER_INFO Map available as a PortletRequest attribute. May contain arbitrary user information:
– user.name.given
– user.bdate
– user.gender
– etc.
● Some portals expose security-related information here, but this mechanism should be avoided if possible
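A worked example of the PortletRequest calls covered on the preceding slides (getRemoteUser, getUserPrincipal, isUserInRole, getAuthType, isSecure and the USER_INFO map), added here as an illustration; it is not code from the presentation or from Unicon. The portlet class name, the ADMINISTRATOR portlet role (which portlet.xml would map to a portal role via security-role-ref) and the user.name.given attribute key are assumptions taken from the slides' own examples; the spec guarantees the API, not which user attributes a particular portal actually exposes.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Map;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/**
 * Illustrative JSR 168 portlet (assumed name) that relies only on the identity
 * and role information the portal supplies. It never redirects for login: an
 * unauthenticated user simply gets a minimal view.
 */
public class BooksPortlet extends GenericPortlet {

    /** Portlet-side role name (assumed); mapped to a portal role via security-role-ref in portlet.xml. */
    private static final String ADMIN_ROLE = "ADMINISTRATOR";

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // getRemoteUser() is null when the portal has not authenticated the user.
        String user = request.getRemoteUser();
        if (user == null) {
            out.println("<p>Please log in to the portal to see your books.</p>");
            return;
        }

        // getAuthType() reports how the portal authenticated the user (BASIC_AUTH,
        // CLIENT_CERT_AUTH, a custom scheme) or null.
        String authType = request.getAuthType();
        Principal principal = request.getUserPrincipal();
        out.println("<p>Hello " + escape(displayName(request, user))
                + " (auth: " + (authType == null ? "none" : escape(authType)) + ")</p>");

        // Transport check: the CONFIDENTIAL transport-guarantee in portlet.xml is the
        // declarative control; this programmatic check backs it up in the portlet.
        if (!request.isSecure()) {
            out.println("<p>Account details are only shown over a secure connection.</p>");
            return;
        }

        // isUserInRole() takes the portlet role name; the portal resolves it to the
        // portal role through the security-role-ref mapping in portlet.xml.
        if (request.isUserInRole(ADMIN_ROLE)) {
            out.println("<p>You may manage the catalogue.</p>");
        }
        out.println("<p>Principal: "
                + escape(principal == null ? user : principal.getName()) + "</p>");
    }

    /**
     * Prefer the given name from the USER_INFO map when the portal provides one,
     * otherwise fall back to the remote user id. Keys follow the P3P-style names
     * listed in the JSR 168 spec; user.name.given is one of them.
     */
    @SuppressWarnings("unchecked")
    private static String displayName(PortletRequest request, String fallback) {
        Map<String, String> userInfo =
                (Map<String, String>) request.getAttribute(PortletRequest.USER_INFO);
        if (userInfo != null && userInfo.get("user.name.given") != null) {
            return userInfo.get("user.name.given");
        }
        return fallback;
    }

    /** Minimal HTML escaping so portal-supplied strings cannot inject markup into the fragment. */
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Note that everything here is read-only use of what the portal hands over, which is exactly the posture the slides describe: the portlet neither authenticates nor stores credentials, and the only place it makes a decision of its own is the isUserInRole check against a role name declared in its own portlet.xml.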
Spring Security
a.k.a. Acegi Security: a quick overview
What Is Spring Security?
● Powerful, flexible security framework for enterprise software
● Emphasis on applications using Spring
● Comprehensive authentication, authorization, and instance-based access control
● Avoids security code in your business logic – treats security as a cross-cutting concern
● Built-in support for a wide variety of authentication and integration standards
Spring Security Releases
● Acegi Security (the old name)
– Current Version: 1.0.7
– Initial GA Release: May 2006
– Portlet support in Sandbox
● Spring Security (the new name)
– Current Version: 2.0.0
– Initial GA Release: April 2008
– Portlet support included
– Changes packaging from org.acegisecurity to org.springframework.security
Applications Are Like Onions
● Spring Security can be applied at multiple layers in your application:
– Apply security as markup is constructed in the Rendering Layer using the supplied JSP taglib
– Restrict access to areas of the web application in the Dispatch Layer based on URL pattern-matching
– Secure method invocation on the Service Layer to ensure calls are from a properly authorized user
– Provide Access Control Lists...