LDS Account and the Java Stack. Disclaimer: this is a training, NOT a presentation. Be prepared to learn and participate in labs. Please ask questions.



  • Slide 1
  • LDS Account and the Java Stack
  • Slide 2
  • Disclaimer
    • This is a training, NOT a presentation.
    • Be prepared to learn and participate in labs.
    • Please ask questions.
    • Prerequisites: basic Java knowledge, basic Spring knowledge
  • Slide 3
  • Outline
    • LDS Account overview: history, authentication, user details
    • Spring Security overview: authentication, LDS Account integration, in-memory integration
    • LDS Account search
    • Spring Security and authorization
  • Slide 4
  • History
    • Historically each application handled authentication as a one-off
    • Troublesome for users (many credentials to remember)
    • User information duplicated over and over throughout the enterprise
    • Difficult to get user information at all
    • Screaming for consolidation and a single, central solution
  • Slide 5
  • LDS Account "LDS Account is a single user name and password for any person who interacts with online LDS Church resources. LDS Account is the primary account authentication credentials for most Church sites and applications. It reduces development costs that would be incurred as the user interfaces change, or as upgrades to security and the registration process are required. Unlike previous authentication systems, LDS Account is a branded single sign-on solution that is centrally managed at ldsaccount.lds.org."
  • Slide 6
  • LDS Account (cont.) "LDS Account has become the key to accessing all the resources the Church has to offer, such as family history tools, ward and stake websites, employment resources, and more.... The idea is to have only one username and password that you can use with all password-protected websites the Church has."
  • Slide 7
  • What is LDS Account?
    • LDS Account is meant to be the single source for user authentication and basic user information
    • LDS Account is implemented with LDAP
    • LDS Account is an application for maintaining user attributes
  • Slide 8
  • LDS Account Uses LDAP
    • Lightweight Directory Access Protocol
    • Distributed directory of information
    • Much like a database, but not queried with SQL
    • For further information about the directory structure, see the corresponding section at: http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
    • LDS Account = LDAP; WAM = single sign-on
  • Slide 9
  • User Details
    • LDS Account also provides user information (user details)
    • User details can be exposed through: LDAP attributes, WAM headers, SAML attributes
  • Slide 10
  • LDS Account User Details Integration
    • The LDS Account module acts as a Java model for LDS Account information
    • LdsAccountDetails.java is the abstraction layer for LDS Account user details integration
    • Factories generate an LdsAccountDetails object for each user
    • Factories handle the different formats in which the raw user-detail attributes are provided to the application: LDAP attributes, WAM headers, SAML
  • Slide 11
  • Lab 1: https://tech.lds.org/wiki/LDS_Account_Integration_-_Part_1#Lab_1
  • Slide 12
  • LDS Account Spring Security Integration
  • Slide 13
  • Authentication vs. Authorization
    • Authentication: "you are who you say you are"; identification of an individual user of the application; credential-based authentication
    • Authorization: "you have appropriate permissions to perform the operation you are attempting"; availability of functionality and data to users who are authorized (or allowed) to access it
    • http://en.wikipedia.org/wiki/Authentication#Authentication_vs._authorization
  • Slide 14
  • Spring Security
    • Spring Security is a highly customizable and pluggable enterprise authentication/authorization security framework
    • Provides tools for managing application access (authentication)
    • Rules for what users can access, by URL (authorization)
    • Securing methods (authorization), ...
    • Overcomes lack of depth in the J2EE Servlet Specification
    • Further information can be found here: http://static.springsource.org/spring-security/site/reference.html
  • Slide 15
  • Spring Security (authentication)
    • Spring comes with many pluggable authentication providers
    • Support provided for authenticating with: LDAP, X.509 (certificates), databases (JDBC), JAAS, OAuth, HTTP BASIC, form-based
  • Slide 16
  • Spring Security Authentication Manager
    • Basic configuration: native Spring in-memory authentication provider configuration (applicationContext.xml) ...
  • Slide 17
  • Spring Security Web Configuration
    • Configure the filter in web.xml:

        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
  • Slide 18
  • Spring Security Context Configuration
    • Configure applicationContext.xml
    • Please see the documentation for further element and attribute information: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html
  • Slide 19
  • Demo
  • Slide 20
  • Spring Security/LDS Account Integration
    • LDS Account authentication provider hooks into Spring Security
    • In-memory implementation
    • Namespace handlers simplify the configuration
    • http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#LDAP_Global_Directory_Authentication
  • Slide 21
  • Spring Security/In-memory Authentication
    • In-memory authentication provides quick setup
    • Useful for testing
    • http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#In_Memory_Authentication
    • Attribute information: https://ldsteams.ldschurch.org/sites/wam/Implementation%20Details/HTTP%20Headers.aspx
  • Slide 22
  • Access LdsAccountDetails
    • Through injection:

        @Inject
        private Provider<LdsAccountDetails> ldsAccountDetails;

        public void someMethod() {
            // note: get() is a call on the provider to grab the current instance
            String preferredName = ldsAccountDetails.get().getPreferredName();
            // ...
        }

    • Through static lookup:

        LdsAccountDetails ldsAccountDetails = ((LdsAccountUser) SecurityContextHolder
                .getContext().getAuthentication().getPrincipal()).getLdsAccountDetails();
        String preferredName = ldsAccountDetails.getPreferredName();
        // ...
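The static lookup on this slide assumes a request that has already passed LDS Account authentication. On an unauthenticated request `getAuthentication()` can be null, and on a request handled by Spring Security's anonymous filter the principal is the String "anonymousUser" rather than an `LdsAccountUser`, so the cast throws. The helper below is an added example (not code from the slides or the Java Stack) that makes the same lookup null-safe; it assumes the `LdsAccountUser` and `LdsAccountDetails` types named on the slide, and their package names are assumptions.

```java
import org.lds.stack.ldsaccount.LdsAccountDetails;      // package assumed
import org.lds.stack.ldsaccount.spring.LdsAccountUser;  // package assumed
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Null-safe access to the current user's LDS Account details (added example). */
public final class CurrentUser {

    private CurrentUser() {
    }

    /**
     * Returns the LdsAccountDetails of the authenticated caller, or null when
     * there is no authentication, it is not marked authenticated, or the
     * principal is not an LdsAccountUser (e.g. the anonymous "anonymousUser").
     */
    public static LdsAccountDetails detailsOrNull() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return null;
        }
        Object principal = auth.getPrincipal();
        // instanceof guards the cast the slide performs unconditionally
        if (!(principal instanceof LdsAccountUser)) {
            return null;
        }
        return ((LdsAccountUser) principal).getLdsAccountDetails();
    }

    /** Convenience wrapper for view code: preferred name or a fallback label. */
    public static String preferredNameOr(String fallback) {
        LdsAccountDetails details = detailsOrNull();
        if (details == null || details.getPreferredName() == null) {
            return fallback;
        }
        return details.getPreferredName();
    }
}
```

Callers that must never run unauthenticated should still rely on the URL and method authorization rules covered later in the deck; this helper only keeps presentation code from failing with a NullPointerException or ClassCastException when it is reached without a logged-in user.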
  • Slide 23
  • Demo
  • Slide 24
  • Lab 2: https://tech.lds.org/wiki/LDS_Account_Integration_-_Part_1#Lab_2
  • Slide 25
  • LDS Account (LDAP) Search
  • Slide 26
  • LDS Account Search Configuration / Usage
    • Configuration
    • Usage:

        @Inject
        private LdsAccountSearch ldsAccountSearch;

        public List findLdapUsers(String cnValue, String snValue) {
            return ldsAccountSearch.search(
                SearchClause.or(
                    SearchClause.equals(LdsAccountAttributes.USERNAME, cnValue + "*"),
                    SearchClause.equals(LdsAccountAttributes.SUR_NAME, snValue + "*")
                )
            );
        }
  • Slide 27
  • LDS Account Usage
    • http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#LDAP_Search
    • Searching format; for more info: http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/apidocs/org/lds/stack/ldsaccount/spring/ldap/LdapSearch.html
    • Native LDAP search query: (|(cn={0}*)(sn={1}*))
    • Abstracted search query:

        SearchClause.or(
            SearchClause.equals("cn", value + "*"),
            SearchClause.equals("sn", value + "*")
        )
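The native query uses `{0}`/`{1}` placeholders rather than string concatenation for a reason: a filter value that is substituted as a literal cannot change the structure of the filter, whereas a value pasted straight into the string can. The block below is an added example (not the Java Stack's `LdapSearch` or `SearchClause` implementation) showing what that literal encoding does, using the RFC 4515 escaping rules for the characters that have meaning inside an LDAP filter; it builds the exact `(|(cn={0}*)(sn={1}*))` prefix search from slide 27 with the user-supplied parts escaped and the trailing wildcard added by the application. The class and method names are assumptions.

```java
import java.util.Arrays;
import java.util.List;

/** RFC 4515 filter-value escaping and the slide-27 prefix search (added example). */
public final class LdapFilters {

    private LdapFilters() {
    }

    /**
     * Escapes one assertion value so it is matched literally: the characters
     * \ * ( ) and NUL become \5c \2a \28 \29 \00 as RFC 4515 section 3 requires.
     */
    public static String escapeValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Builds (|(cn={0}*)(sn={1}*)) with both values escaped. The '*' after each
     * value is the application's own prefix wildcard, so it stays unescaped;
     * any '*' the caller typed is escaped and therefore matched literally.
     */
    public static String prefixSearch(String cnValue, String snValue) {
        return "(|(cn=" + escapeValue(cnValue) + "*)(sn=" + escapeValue(snValue) + "*))";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not real directory data
        List<String[]> samples = Arrays.asList(
                new String[] {"jdoe", "Doe"},
                new String[] {"smith*", "O'Neil (Jr)"});
        for (String[] s : samples) {
            System.out.println(prefixSearch(s[0], s[1]));
        }
        // First line:  (|(cn=jdoe*)(sn=Doe*))
        // Second line: (|(cn=smith\2a*)(sn=O'Neil \28Jr\29*))
    }
}
```

When the abstracted `SearchClause` API is used as on slide 26, the application never assembles the filter string itself, which is the preferred route; this example exists so that the placeholder and wildcard behaviour of the native form is understood when reading or reviewing such queries.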
  • Slide 28
  • Demo
  • Slide 29
  • Authorization with Spring Security
  • Slide 30
  • Review: Authentication vs. Authorization
    • Previously discussed authentication with Spring Security
    • Now focus on authorization with Spring Security
  • Slide 31
  • Authorization with Spring Security
    • Comprehensive authorization services: http://static.springsource.org/spring-security/site/features.html
    • HTTP request authorization (securing URLs)
    • @PreAuthorize annotation
    • Granted authorities: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#tech-granted-authority
  • Slide 32
  • Protecting URLs
    • Example of protecting URLs: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#el-access
  • Slide 33
  • Authorize Tag
    • Fine-grained authorization: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6860
    • Content only visible to users who have the "admin" authority in their list of GrantedAuthority(s)
    • Content only visible to users authorized to send requests to the "/secure" URL
  • Slide 34
  • @PreAuthorize annotation
    • Scanning enabled with the following element:
    • Some examples:

        @PreAuthorize("hasRole('ROLE_ADMIN')")
        public void create(User newUser);

        @PreAuthorize("#user.username == principal.username")
        public void doSomething(User user);
  • Slide 35
  • Authorities Populators
    • MemberAuthoritiesPopulator: adds the ROLE_MEMBER authority if a member
    • WorkforceAuthoritiesPopulator: adds the ROLE_WORKFORCE authority if currently a Church employee
    • PositionsV2AuthoritiesPopulator: adds a granted authority for each position held; the position name is prepended with ROLE_, e.g. ROLE_WARD_CLERK or ROLE_PRIMARY_TEACHER
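To make the naming rule concrete, here is an added example (not the Java Stack's own populator code) that turns a list of position names into Spring Security `GrantedAuthority` objects the way the slide describes, so that `hasRole('ROLE_WARD_CLERK')` in a `@PreAuthorize` expression lines up with the authority a position produces. It assumes positions arrive as display strings such as "Ward Clerk"; the normalisation (upper-case, non-alphanumerics collapsed to underscores) is an assumption about how the stack derives the suffix, chosen to reproduce the two examples on the slide.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Position name -> ROLE_ authority mapping (added example, naming rule assumed). */
public final class PositionAuthorities {

    private static final String PREFIX = "ROLE_";

    private PositionAuthorities() {
    }

    /** "Ward Clerk" -> "ROLE_WARD_CLERK", "Primary Teacher" -> "ROLE_PRIMARY_TEACHER". */
    public static String toAuthorityName(String position) {
        String normalized = position.trim()
                .toUpperCase(Locale.ENGLISH)
                .replaceAll("[^A-Z0-9]+", "_")   // spaces and punctuation become one underscore
                .replaceAll("^_+|_+$", "");      // no leading/trailing underscore
        return PREFIX + normalized;
    }

    /**
     * Builds the authority list a user should carry: ROLE_MEMBER when the
     * member flag is set, plus one ROLE_ authority per non-blank position.
     */
    public static List<GrantedAuthority> fromPositions(Collection<String> positions,
                                                       boolean isMember) {
        List<GrantedAuthority> out = new ArrayList<GrantedAuthority>();
        if (isMember) {
            out.add(new SimpleGrantedAuthority(PREFIX + "MEMBER"));
        }
        for (String position : positions) {
            if (position == null || position.trim().isEmpty()) {
                continue;                         // skip blank entries from the source
            }
            out.add(new SimpleGrantedAuthority(toAuthorityName(position)));
        }
        return Collections.unmodifiableList(out);
    }

    public static void main(String[] args) {
        // Constructed sample, not data from the directory
        List<String> held = java.util.Arrays.asList("Ward Clerk", "Primary Teacher", " ");
        for (GrantedAuthority a : fromPositions(held, true)) {
            System.out.println(a.getAuthority());
        }
        // prints ROLE_MEMBER, ROLE_WARD_CLERK, ROLE_PRIMARY_TEACHER
    }
}
```

Whatever rule the real populator applies, the practical check is the same: the strings it produces must match, character for character, the role names used in `@PreAuthorize`, `<intercept-url access="...">` and the authorize tag, since Spring Security compares authorities by exact string equality.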
  • Slide 36
  • Authorities Populators
    • http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#Authorities_Populators
    • Example
  • Slide 37
  • Demo
  • Slide 38
  • Conclusion
    • LDS Account rocks!
    • The Java Stack integration with LDS Account and Spring Security rocks!
  • Slide 39
  • Credit Where Credit is Due
    • http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html
    • Spring Security 3 by Peter Mularien
    • http://en.wikipedia.org/wiki/