Spring security
Published: 28 November 2011 (6 pages, 1392 words)
Securing Portlets With Spring Security
John A. Lewis
Chief Software Architect, Unicon, Inc.
JA-SIG Spring 2008 Conference, 28 April 2008

© Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Agenda


– JSR 168 Portlet Security
– Spring Security (aka “Acegi”)
– Spring Portlet Security
– Applying Portlet Security
– Resources
– Questions & Answers

JSR 168 Portlet Security
What does the spec give us to work with?


Portal Authentication

– The portal is completely responsible for authentication.
– This means we just use what it gives us; we don't redirect for authentication purposes.
– The JSR 168 PortletRequest class provides two methods for getting user identity (the same ones as the Servlet spec):

    String getRemoteUser()
    Principal getUserPrincipal()

Portal Authorization

– Portals generally provide the ability to assign a set of “Roles” to the User.
– The JSR 168 PortletRequest class provides a method for checking these roles (the same one as the Servlet spec):

    boolean isUserInRole(String)

Declaring Portal Roles

– Same as declaring roles for Servlet container-based security.
– Include all portal roles that may be used in web.xml:

    ...
    <security-role>
      <role-name>manager</role-name>
    </security-role>
    ...

Mapping Portal Roles To Portlet Roles

– In portlet.xml, a <security-role-ref> links the portlet role (the name your portlet code passes to isUserInRole) to the portal role:

    <portlet>
      <portlet-name>books</portlet-name>
      ...
      <security-role-ref>
        <role-name>ADMINISTRATOR</role-name>   <!-- Portlet Role -->
        <role-link>manager</role-link>         <!-- Portal Role -->
      </security-role-ref>
    </portlet>

Warning! If you are storing your SecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later), make sure these mappings are the same in all your declarations; the first portlet to be invoked on a page will determine the mapping for all portlets in your webapp.

Security Constraints

– Require a secure transport in portlet.xml:

    <portlet>
      ...
      <portlet-name>accountSummary</portlet-name>
      ...
    </portlet>
    ...
    <security-constraint>
      <display-name>Secure Portlets</display-name>
      <portlet-collection>
        <portlet-name>accountSummary</portlet-name>
      </portlet-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    ...

Other Portlet Security Info

– PortletRequest has a couple of other key security-related methods:

    String getAuthType()
    Returns the name of the authentication scheme used (BASIC_AUTH, CLIENT_CERT_AUTH, custom) or null if the user is not authenticated.

    boolean isSecure()
    Returns true if the request was made over a secure channel (such as HTTPS).

Portlet User Attributes

– Can also use the USER_INFO Map available as a PortletRequest attribute. It may contain arbitrary user information:
    – user.name.given
    – user.bdate
    – user.gender
    – etc.
– Some portals expose security-related information here, but this mechanism should be avoided if possible.
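The following is an added example, not code from the slides or from Unicon: a hypothetical "accountSummary" portlet that relies only on the JSR 168 PortletRequest API described above (getRemoteUser/getUserPrincipal, isUserInRole, getAuthType, isSecure and the USER_INFO map). The portlet class, the ADMINISTRATOR portlet role (which must be linked to a portal role such as "manager" via <security-role-ref> in portlet.xml), the Access enum and the helper method names are all assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Map;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/**
 * Hypothetical "accountSummary" portlet (example only) that consumes what the
 * portal hands us through the JSR 168 PortletRequest API. ADMINISTRATOR is an
 * assumed portlet role; it must be declared as a <security-role-ref> in
 * portlet.xml, with a <role-link> to the portal role, for isUserInRole()
 * to resolve it.
 */
public class AccountSummaryPortlet extends GenericPortlet {

    /** Portlet-side role name; the container maps it to the portal role via role-link. */
    static final String ROLE_ADMINISTRATOR = "ADMINISTRATOR";

    /** Outcome of evaluating the portal-supplied security state for one request. */
    enum Access { ANONYMOUS, INSECURE_TRANSPORT, USER, ADMINISTRATOR }

    /**
     * Central access decision, kept separate from rendering so the policy is
     * reviewable in one place and can be exercised with a mock PortletRequest.
     */
    static Access decide(PortletRequest request) {
        // Authentication belongs to the portal: a null auth type, remote user or
        // principal means the portal rendered us for a guest. Never redirect to a
        // login page from inside a portlet; just degrade the view.
        String authType = request.getAuthType();
        String remoteUser = request.getRemoteUser();
        Principal principal = request.getUserPrincipal();
        if (authType == null || remoteUser == null || principal == null) {
            return Access.ANONYMOUS;
        }
        // Defence in depth next to the CONFIDENTIAL transport-guarantee declared
        // in portlet.xml: refuse to emit account data over a cleartext channel.
        if (!request.isSecure()) {
            return Access.INSECURE_TRANSPORT;
        }
        // Authorization: pass the *portlet* role name; the container resolves it
        // through <security-role-ref> to the role the portal actually assigned.
        return request.isUserInRole(ROLE_ADMINISTRATOR) ? Access.ADMINISTRATOR : Access.USER;
    }

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        Access access = decide(request);
        switch (access) {
            case ANONYMOUS:
                out.println("<p>Sign in to the portal to see your account summary.</p>");
                return;
            case INSECURE_TRANSPORT:
                out.println("<p>Account data is only shown over a secure (HTTPS) connection.</p>");
                return;
            default:
                break;
        }

        // USER_INFO is display-only profile data (keys such as user.name.given).
        // It is deliberately not consulted in decide(): never derive an access
        // decision from it.
        @SuppressWarnings("unchecked")
        Map<String, String> userInfo =
                (Map<String, String>) request.getAttribute(PortletRequest.USER_INFO);
        String givenName = userInfo == null ? null : userInfo.get("user.name.given");
        String displayName = givenName != null ? givenName : request.getRemoteUser();

        out.println("<h2>Account summary for " + escapeHtml(displayName) + "</h2>");
        out.println("<p>Authenticated by the portal via " + escapeHtml(request.getAuthType())
                + " as " + escapeHtml(request.getUserPrincipal().getName()) + "</p>");
        if (access == Access.ADMINISTRATOR) {
            out.println("<p>(administrator view: management controls would go here)</p>");
        }
    }

    /** Portal-supplied strings are untrusted input to our markup: escape them. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The ordering in decide() mirrors the slides: authentication is whatever the portal says it is (no redirects), the transport check backs up the CONFIDENTIAL constraint rather than replacing it, and the role check uses the portlet role name so the portal-to-portlet mapping stays in portlet.xml instead of in code. USER_INFO only ever feeds the rendered greeting.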

Spring Security
a.k.a. Acegi Security: a quick overview

What Is Spring Security?

– Powerful, flexible security framework for enterprise software
– Emphasis on applications using Spring
– Comprehensive authentication, authorization, and instance-based access control
– Avoids security code in your business logic: treats security as a cross-cutting concern
– Built-in support for a wide variety of authentication and integration standards

Spring Security Releases

Acegi Security (the old name)
– Current Version: 1.0.7
– Initial GA Release: May 2006
– Portlet support in Sandbox

Spring Security (the new name)
– Current Version: 2.0.0
– Initial GA Release: April 2008
– Portlet support included
– Changes packaging from org.acegisecurity to org.springframework.security

Applications Are Like Onions

– Spring Security can be applied at multiple layers in your application:
    – Apply security as markup is constructed in the Rendering Layer using the supplied JSP taglib
    – Restrict access to areas of the web application in the Dispatch Layer based on URL pattern-matching
    – Secure method invocation on the Service Layer to ensure calls are from a properly authorized user
    – Provide Access Control Lists...