Using Spring Security and CAS
JA-SIG Summer Conference, Denver, CO
June 24 – 27, 2007
Enterprise Systems & Services
Who am I?
• Application Developer @ Rutgers
• Java Developer for 5+ years
• Lead Developer on JA-SIG CAS
• Committer on Spring Security
Agenda
1. History and Overview
2. Benefits for Programmers
3. Benefits for Users
4. Demo
5. Case Study
6. Future Directions
7. Discussion
1. Overview & History
What is Spring Security?
Spring Security is a powerful and flexible security solution for enterprise software.
Users
• Used worldwide at:
  – Major institutions such as Rutgers
  – Major financial institutions and banks
  – Several Australian government departments
• Integrated with:
  – Frameworks such as Grails, Trails, etc.
  – Applications such as Roller, Mule
Authentication Features
• LDAP
• BASIC
• Digest
• JAAS
• CAS
• X.509 Certificates
• DAO
• Run-as Replacement
• Form-based login
• Anonymous
• Remember-Me
• SiteMinder
• HTTP Switch User
• Concurrent User Limiting
• Container Adapters
• Write your own…
Technical Details
• Uses Spring IoC container
  – DI, events, localization and JdbcTemplate
• Completely interface-driven
• High cohesion, loosely coupled
• Encourage customization and extension
• Java 1.3+ compatible
  – Java 5 code packaged in “Tiger” JAR
How Spring Security Works
Diagram: WebUser → Servlet Container → FilterToBeanProxy → FilterChainProxy (in the IoC Container) → Filter 1, Filter 2, Filter 3, Filter 4, Filter 5, … Filter X → Servlet
How Spring Security Works
Filters in chain order – Main Purpose
1. HttpSessionContextIntegrationFilter – Stores SecurityContextHolder between HTTP requests
2. LogoutFilter – Clears SecurityContextHolder when logout requested
3. Authentication Mechanism Filters – Puts Authentication into SecurityContextHolder
4. ExceptionTranslationFilter – Converts Acegi Security exceptions into HTTP
5. FilterSecurityInterceptor – Authorizes web filter requests based on URL patterns
How Spring Security Works
Diagram: the authentication mechanism (Filter 3) creates an Authentication “request” and calls ProviderManager; ProviderManager creates and returns an Authentication “response”, which the filter uses to populate SecurityContextHolder
What is JA-SIG CAS?
JA-SIG CAS is single sign-on for the web. It provides a trusted mechanism for authenticating users across your applications.
Users
• Deployed by:
  – Institutions of Higher Education
  – Non-profits
  – Commercial companies
  – etc.
• Deployed worldwide:
  – U.S., Canada, Hong Kong
  – Belgium, France, Russia, China, Japan
  – India, Australia, New Zealand
  – Greece, Turkey, England
  – Netherlands, Spain, Sweden, Portugal
  – etc.
• 3rd year of project
• Over 1000 downloads a month
• Active community of deployers
• Driven by community feedback
Authentication Features
• LDAP
• DAO
• NTLM
• SPNEGO
• RADIUS
• File System
• X.509
• “Trusted”
• JAAS
• Acegi
Other Features
• Clustering
• Client Libraries (PHP, Java, etc.)
• Demo-able/Quickstart WAR file
• Quality Documentation
• Active community mailing lists
Technical Details
• Uses Spring IoC Container
  – DI, Localization, events, JdbcTemplate, LdapTemplate, etc.
• Completely interface driven
• Encourage customization and extension
• Java 1.5+/Servlet 2.4 compatible
How CAS Works
Diagram: WebUser → Servlet Container → DispatcherServlet → WebFlow Controller → action0, action1, …, actionn-1, actionn
How CAS Works
Diagram: the final action (actionn) creates Credentials and calls CentralAuthenticationService; CentralAuthenticationService calls AuthenticationManager, which creates and returns an Authentication, then calls TicketRegistry, which creates a Ticket
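As an added illustration of the flow above (not code from the slides or from the CAS project), a self-contained Java model: the names CentralAuthenticationService, AuthenticationManager, TicketRegistry, Credentials and Ticket follow the slide, while the method names, the split into a ticket-granting ticket and single-use service tickets, and the lifetimes are this example's simplifying assumptions about the CAS protocol.

```java
import java.util.*;

// Constructed model of the slide's CAS flow (Credentials -> CentralAuthenticationService ->
// AuthenticationManager -> TicketRegistry -> Ticket); method names and ticket rules are assumptions.
public class CasFlowDemo {
    record Credentials(String username, String password) {}
    // service == null marks a ticket-granting ticket (TGT); a service ticket (ST) is bound to one service URL
    record Ticket(String id, String principal, String service, long expiresAt) {}
    interface AuthenticationManager { Optional<String> authenticate(Credentials c); }  // yields the principal
    static class CentralAuthenticationService {
        private static final long TGT_TTL_MS = 8 * 3_600_000L, ST_TTL_MS = 10_000L;
        private final AuthenticationManager authManager;
        private final Map<String, Ticket> ticketRegistry = new HashMap<>();  // the only place tickets live
        CentralAuthenticationService(AuthenticationManager m) { authManager = m; }
        private static String newId(String prefix) { return prefix + "-" + UUID.randomUUID(); }  // unguessable id
        private static boolean live(Ticket t) { return t != null && t.expiresAt() > System.currentTimeMillis(); }
        // Step 1: the password is checked here and nowhere else (the slide's one "trusted" resource)
        Ticket createTicketGrantingTicket(Credentials c) {
            String principal = authManager.authenticate(c).orElseThrow(() -> new SecurityException("bad credentials"));
            Ticket tgt = new Ticket(newId("TGT"), principal, null, System.currentTimeMillis() + TGT_TTL_MS);
            ticketRegistry.put(tgt.id(), tgt);
            return tgt;
        }
        // Step 2: a live TGT is exchanged for a short-lived ST bound to exactly one service URL
        Ticket grantServiceTicket(String tgtId, String service) {
            Ticket tgt = ticketRegistry.get(tgtId);
            if (!live(tgt) || tgt.service() != null) throw new SecurityException("invalid or expired TGT");
            Ticket st = new Ticket(newId("ST"), tgt.principal(), service, System.currentTimeMillis() + ST_TTL_MS);
            ticketRegistry.put(st.id(), st);
            return st;
        }
        // Step 3: the application (e.g. Spring Security's CAS filter) validates the ST; removing it on first
        // use means a replayed ticket, or one presented by a different service, yields no principal
        Optional<String> validateServiceTicket(String stId, String service) {
            Ticket st = ticketRegistry.remove(stId);        // single use: consumed even when validation fails
            if (!live(st) || !service.equals(st.service())) return Optional.empty();
            return Optional.of(st.principal());
        }
    }

    public static void main(String[] args) {
        AuthenticationManager users = c -> "s3cret".equals(c.password()) ? Optional.of(c.username()) : Optional.empty();
        CentralAuthenticationService cas = new CentralAuthenticationService(users);   // constructed credential check
        Ticket tgt = cas.createTicketGrantingTicket(new Credentials("alice", "s3cret"));
        Ticket st = cas.grantServiceTicket(tgt.id(), "https://app.example.edu/login");
        System.out.println(cas.validateServiceTicket(st.id(), "https://app.example.edu/login")); // Optional[alice]
        System.out.println(cas.validateServiceTicket(st.id(), "https://app.example.edu/login")); // Optional.empty
    }
}
```

The second validation call shows why the application never sees the password yet can still trust the principal: CAS holds the credentials, and each service ticket is accepted once, for one service, within its lifetime.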
2. Benefits for Programmers
Benefits for Programmers
• Code reduction
  – Declaratively configured
  – No audit logs for authentication
  – OOTB authorization and authentication
• Tag Libs
• Proxy Authentication
• Domain object instance security
• Only one place to “watch” for account security
3. Benefits for Users
Benefits for Users
• Single Sign On
• Passwords are only passed to one “trusted” resource
• Better application security
• Harder to trick someone with “phishing” attempts
4. How to Integrate
Demo
5. Case Study
Rutgers Case Study – Where Were We?
• Duplicating authentication code on each application
• Multiple authentication methods
• Sign in to each application
• De-centralized authentication
Rutgers Case Study – What We Did
• Introduced a portal
• Centralized authentication
• Single Sign On
• Proxy Authentication
• Introduced Acegi into Java applications
Rutgers Case Study – What it Got Us
• Better user experience
• Minimized access to passwords
• Created “horizontal” authentication component
• Standardized security code
• (still a work in progress though)
6. Future Directions
Acegi Roadmap
• 1.0.x branch -> minor updates
• 2.0
  – Renamed to Spring Security
  – Support for Spring 2.0
  – OpenID Support
  – Windows Domain Support
  – Updated CAS Support
CAS Roadmap
• Additional Protocol Support
• Internationalization
• Configuration/Setup Screens
• Advanced Monitoring
• Integration with Account Management Systems
Conclusion
• Acegi Security is a fully-featured solution
  – Many authentication strategies
  – Decoupled web and method authorization
  – Completely customizable by end users
  – Active community, quality documentation, etc.
• CAS is a fully-featured solution
  – Many authentication strategies
  – Easily pluggable and extensible
  – Active community, quality documentation, etc.
  – Support for multiple platforms
7. Discussion
Spring Security
• Web Site
  – http://www.acegisecurity.org
• Forum
  – http://forum.springframework.org
• Mailing Lists
  – Acegi Developer List: https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
CAS Mailing Lists
• CAS Community Discussion List
  – http://tp.its.yale.edu/mailman/listinfo/cas
• CAS Developer’s Discussion List
  – http://tp.its.yale.edu/mailman/listinfo/cas-dev
• CAS Announcement List
  – https://lists.wisc.edu/read/all_forums/subscribe?name=cas-announce
• Links to archives, etc.:
  – http://www.ja-sig.org/products/cas/community/lists/
CAS Sites
• Product Web Site
  – http://www.ja-sig.org/products/cas/
• Wiki
  – http://www.ja-sig.org/wiki
• Issue Tracker
  – http://www.ja-sig.org/issues
• Source Code
  – http://developer.ja-sig.org/source/
Questions?