a re introduction to spring security
play

A (re)introduction to Spring Security Agenda Before Spring - PDF document

Jun 10, 2023 •253 likes •452 views

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

  1. A (re)introduction to Spring Security Agenda • Before Spring Security: Acegi security • Introducing Spring Security • View layer security • What’s coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  2. Before Spring Security There was... Acegi Security for Spring • Created by Ben Alex in 2003 • 1.0 released in March 2004 • Applies security rules using Servlet Filters and Spring AOP • Extremely powerful and flexible E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  3. What Acegi Offered • Declarative Security • Keeps security details out of your code • Authentication and Authorization • Against virtually any user store • Support for anonymous sessions, concurrent sessions, remember-me, channel-enforcement, and much more • Spring-based, but can be used for non- Spring web frameworks E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma The Downside of Acegi “Every time you use Acegi...A fairy dies.” - Daniel Deiphouse http://netzooid.com/blog/2007/12/03/every-time-you- use-acegi/ E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  4. Example Acegi Config <?xml version="1.0" encoding="UTF-8"?> </property> <beans xmlns="http://www.springframework.org/schema/beans" </bean> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <bean id="httpSessionIntegrationFilter" xsi:schemaLocation="http://www.springframework.org/schema/beans class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd"> <property name="forceEagerSessionCreation" value="true" /> <bean id="filterChainProxy" </bean> class="org.acegisecurity.util.FilterChainProxy"> <bean id="filterSecurityInterceptor" <property name="filterInvocationDefinitionSource"> class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> <value> <property name="authenticationManager" ref="authenticationManager" /> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON <property name="accessDecisionManager" ref="accessDecisionManager" /> PATTERN_TYPE_APACHE_ANT <property name="objectDefinitionSource"> /**=channelProcessingFilter,httpSessionIntegrationFilter, <value> logoutFilter,authenticationProcessingFilter,rememberMeProcessingFilter, CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON anonymousProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor PATTERN_TYPE_APACHE_ANT </value> /booger.htm=ROLE_BOOGER </property> </value> </bean> </property> <bean id="authenticationProcessingFilter" </bean> class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter"> <bean id="anonymousProcessingFilter" <property name="authenticationManager" ref="authenticationManager"/> class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"> <property name="authenticationFailureUrl" value="/login.htm?login_error=1" /> <property name="key" value="foobar" /> <property name="defaultTargetUrl" value="/" /> <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" /> <property name="filterProcessesUrl" value="/j_acegi_security_check" /> </bean> <property name="rememberMeServices" ref="rememberMeServices" /> <bean id="anonymousAuthenticationProvider" </bean> class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider"> <bean id="authenticationManager" <property name="key" value="foobar" /> class="org.acegisecurity.providers.ProviderManager"> </bean> <property name="providers"> � <bean id="rememberMeProcessingFilter" <list> � class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter"> <ref bean="daoAuthenticationProvider" /> � <property name="rememberMeServices" ref="rememberMeServices" /> <ref bean="anonymousAuthenticationProvider" /> � <property name="authenticationManager" ref="authenticationManager" /> <ref bean="rememberMeAuthenticationProvider" /> � </bean> </list> � <bean id="rememberMeServices" </property> � class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices"> </bean> � <property name="userDetailsService" ref="userDetailsService" /> <bean id="daoAuthenticationProvider" � <property name="key" value="roadRantz" /> class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> � </bean> <property name="userDetailsService" � <bean id="rememberMeAuthenticationProvider" ref="userDetailsService" /> � class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> </bean> � <property name="key" value="roadRantz" /> <bean id="userDetailsService" � </bean> class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl"> <bean id="logoutFilter" <property name="dataSource" ref="dataSource" /> class="org.acegisecurity.ui.logout.LogoutFilter"> <property name="usersByUsernameQuery" <constructor-arg value="/home.htm" /> value="SELECT email as username, password, 'true' FROM Motorist WHERE email=?" /> <constructor-arg> <property name="authoritiesByUsernameQuery" <list> value="SELECT email as username, privilege FROM Motorist_Privileges mp, Motorist m WHERE <ref bean="rememberMeServices"/> mp.motorist_id = m.id AND m.email=?" /> <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/> </bean> </list> <bean id="authenticationEntryPoint" </constructor-arg> class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"> </bean> <property name="loginFormUrl" value="/login.htm" /> <bean id="channelProcessingFilter" <property name="forceHttps" value="true" /> class="org.acegisecurity.securechannel.ChannelProcessingFilter"> </bean> <property name="channelDecisionManager" ref="channelDecisionManager" /> <bean id="accessDecisionManager" <property name="filterInvocationDefinitionSource"> class="org.acegisecurity.vote.UnanimousBased"> <value> <property name="allowIfAllAbstainDecisions" value="false" /> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON <property name="decisionVoters"> PATTERN_TYPE_APACHE_ANT <list> /login.htm=REQUIRES_SECURE_CHANNEL <bean class="org.acegisecurity.vote.RoleVoter" /> /j_acegi_security_check*=REQUIRES_SECURE_CHANNEL </list> /**=REQUIRES_INSECURE_CHANNEL </property> </value> </bean> </property> <bean id="exceptionTranslationFilter" </bean> class="org.acegisecurity.ui.ExceptionTranslationFilter"> </beans> <property name="authenticationEntryPoint" ref="authenticationEntryPoint" /> <property name="accessDeniedHandler"> <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl"> <property name="errorPage" value="/error.htm" /> </bean> E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma What was in that XML? E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  5. Introducing Spring Security Solution:Spring Security • All of the same goodness of Acegi • Plus some new stu � • Provides a new security namespace for Spring • Much less XML • Based on Spring, but can be used with non- Spring applications • Currently at version 2.0.5 • Version 3.0.0.RC1 is available E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  6. From the home page “Spring Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on applications that use Spring.” E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma What Spring Security Isn’t • Firewall or proxy server • OS-level security • JVM security • Identity management or single-sign-on • Protection against cross-site scripting E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

Recommend

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer Security Studies in what ways security mechanisms may fail Can we gain access to a computer system without authorizaDon? Can we compromise

986 views • 84 slides
Program Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor

Program Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor

Program Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger System Resources

377 views • 21 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
Introduction CMSC 414: Computer and Network Security Spring 2016 What is computer &amp; network

Introduction CMSC 414: Computer and Network Security Spring 2016 What is computer &amp; network

Introduction CMSC 414: Computer and Network Security Spring 2016 What is computer &amp; network security? Normally, we are concerned with correctness Does the software achieve the desired behavior? Security is a form of correctness

682 views • 47 slides
CSC591-006 Smartphone OS Security Introduction Spring 2012 Prof. William Enck NC State --

CSC591-006 Smartphone OS Security Introduction Spring 2012 Prof. William Enck NC State --

CSC591-006 Smartphone OS Security Introduction Spring 2012 Prof. William Enck NC State -- Department of Computer Science Page 1 Why Study Smartphone Security? New platform / theyre popular / its a buzzword Resource constrained

536 views • 40 slides
Lecture 5 - Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 5 - Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 5 - Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professors Jaeger A

599 views • 21 slides
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger The

868 views • 21 slides
Lecture 19 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 19 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 19 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

550 views • 26 slides
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

206 views • 20 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Advanced System Security CSE544 - Spring 2007 Introduction Computer and Network Security

Advanced System Security CSE544 - Spring 2007 Introduction Computer and Network Security

561 views • 18 slides
Lecture 20 &amp; 21 - Web Security CMPSC 443 - Spring 2012 Introduction Computer and Network

Lecture 20 &amp; 21 - Web Security CMPSC 443 - Spring 2012 Introduction Computer and Network

Lecture 20 &amp; 21 - Web Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

600 views • 42 slides
Wireless Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Wireless Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Wireless Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger At the mall ... 2

526 views • 21 slides
Lecture 12 - Network Security CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 12 - Network Security CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 12 - Network Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Idea

780 views • 20 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Web Security: Basic Web Security Model [continued] Spring

Web Security: Basic Web Security Model [continued] Spring

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model [continued] Spring 2015 Franziska (Franzi) Roesner

510 views • 18 slides
Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security

Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security

Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger 1

489 views • 28 slides
Virtual Machine Security CSE497b - Spring 2007 Introduction Computer and Network Security

Virtual Machine Security CSE497b - Spring 2007 Introduction Computer and Network Security

Virtual Machine Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger 1

777 views • 22 slides
Lecture 2 - Security Overview CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 2 - Security Overview CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 2 - Security Overview CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

195 views • 19 slides
CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Introduction Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security About me Instructor: Mathias Payer Research area: system/software security Memory/type safety Mitigating control-flow

460 views • 25 slides
Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger A

220 views • 20 slides
Trustworthy Computing CSE443 - Spring 2012 Introduction to Computer and Network Security

Trustworthy Computing CSE443 - Spring 2012 Introduction to Computer and Network Security

Trustworthy Computing CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CSE443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page Trust

521 views • 22 slides
Lecture 14 - Web Security CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 14 - Web Security CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 14 - Web Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Network

346 views • 23 slides
Secrecy Security Policy CSE497b - Spring 2007 Introduction Computer and Network Security

Secrecy Security Policy CSE497b - Spring 2007 Introduction Computer and Network Security

Secrecy Security Policy CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Secrecy

389 views • 23 slides

More recommend