Using Spring Security and CAS JA-SIG Summer Conference Denver, CO June 24 – 27, 2007

Page 1

Using Spring Security and CAS

JA-SIG Summer Conference, Denver, CO

June 24 – 27, 2007

Page 2

Who am I?

• Application Developer @ Rutgers

• Java Developer for 5+ years

• Lead Developer on JA-SIG CAS

• Committer on Spring Security

Page 3

Agenda

1. History and Overview
2. Benefits for Programmers
3. Benefits for Users
4. Demo
5. Case Study
6. Future Directions
7. Discussion

Page 4

1. Overview & History

Page 5

What is Spring Security?

Spring Security is a powerful and flexible security solution for enterprise software.

Page 6

Users

• Used worldwide at:
– Major institutions such as Rutgers
– Major financial institutions and banks
– Several Australian government departments

• Integrated with:
– Frameworks such as Grails, Trails, etc.
– Applications such as Roller, Mule

Page 7

Authentication Features

• LDAP
• BASIC
• Digest
• JAAS
• CAS
• X.509 Certificates
• DAO
• Run-as Replacement
• Form-based login
• Anonymous
• Remember-Me
• SiteMinder
• HTTP Switch User
• Concurrent User Limiting
• Container Adapters

• Write your own…

Page 8

Technical Details

• Uses Spring IoC container
– DI, events, localization and JdbcTemplate

• Completely interface-driven

• High cohesion, loosely coupled

• Encourage customization and extension

• Java 1.3+ compatible
– Java 5 code packaged in “Tiger” JAR

Page 9

How Spring Security Works

Diagram: Web user → Servlet Container (FilterToBeanProxy) → IoC Container (FilterChainProxy → Filter 1, Filter 2, Filter 3, Filter 4, Filter 5, …, Filter X) → Servlet

Page 10

How Spring Security Works

#  Filter Name                           Main Purpose
1  HttpSessionContextIntegrationFilter   Stores SecurityContextHolder between HTTP requests
2  LogoutFilter                          Clears SecurityContextHolder when logout requested
3  Authentication Mechanism Filters      Puts Authentication into SecurityContextHolder
4  ExceptionTranslationFilter            Converts Acegi Security exceptions into HTTP
5  FilterSecurityInterceptor             Authorizes web filter requests based on URL patterns

Page 11

How Spring Security Works

Diagram: the Authentication Mechanism (Filter 3) creates an Authentication “Request” and calls the ProviderManager; the ProviderManager creates and returns an Authentication “Response”, which the filter uses to populate the SecurityContextHolder.
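An added example, not code from the slides: a Java class doing what the Authentication Mechanism filter on slides 10 and 11 does, written against the Acegi Security 1.0.x API (the pre-2.0 org.acegisecurity packages; slide 32 notes the rename to Spring Security in 2.0). The DemoProvider, its single hard-coded account and the login() helper are assumptions made for illustration; the ProviderManager, token and holder classes are Acegi's own.

```java
// Added example (not from the slides): filter 3's job with Acegi Security 1.0.x.
// Assumes acegi-security-1.0.x.jar (and Spring 1.2/2.0) on the classpath.
import java.util.Collections;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.AuthenticationProvider;
import org.acegisecurity.providers.ProviderManager;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

public class ProviderManagerFlow {

    /** Hypothetical provider: one constructed account, for illustration only. */
    static class DemoProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication request) throws AuthenticationException {
            String user = String.valueOf(request.getPrincipal());
            String password = String.valueOf(request.getCredentials());
            if (!"alice".equals(user) || !"s3cret".equals(password)) {
                // One message for unknown user and wrong password: do not leak which failed.
                throw new BadCredentialsException("Bad credentials");
            }
            GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE_USER") };
            // The three-argument constructor marks the token authenticated: the "Response".
            return new UsernamePasswordAuthenticationToken(user, password, roles);
        }

        public boolean supports(Class authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    static ProviderManager buildManager() {
        ProviderManager manager = new ProviderManager();
        manager.setProviders(Collections.singletonList(new DemoProvider()));
        return manager;
    }

    /** Mirrors filter 3: build the "Request" token, call the manager, populate the holder. */
    static boolean login(ProviderManager manager, String user, String password) {
        Authentication request = new UsernamePasswordAuthenticationToken(user, password);
        try {
            Authentication response = manager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(response);
            return true;
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();   // never leave a half-populated context behind
            return false;
        }
    }

    public static void main(String[] args) {
        ProviderManager manager = buildManager();
        System.out.println("good password: " + login(manager, "alice", "s3cret"));
        Authentication a = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("authenticated=" + a.isAuthenticated() + " principal=" + a.getPrincipal());
        System.out.println("bad password:  " + login(manager, "alice", "wrong"));
        System.out.println("context after failure: " + SecurityContextHolder.getContext().getAuthentication());
    }
}
```

SecurityContextHolder is thread-local by default, which is why filter 1 on slide 10 (HttpSessionContextIntegrationFilter) has to copy the context into the HTTP session after the request and clear it from the thread; in a container that pools threads, a context left on the thread after a failed login would otherwise leak into the next request served by that thread.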

Page 12

What is JA-SIG CAS?

JA-SIG CAS is single sign on for the web. It provides a trusted mechanism for authenticating users across your applications.

Page 13

Users

• Deployed by:
– Institutions of Higher Education
– Non-profits
– Commercial companies
– etc.

• Deployed worldwide:
– U.S., Canada, Hong Kong
– Belgium, France, Russia, China, Japan
– India, Australia, New Zealand
– Greece, Turkey, England
– Netherlands, Spain, Sweden, Portugal
– etc.

Page 14

• 3rd year of project

• Over 1000 downloads a month

• Active community of deployers

• Driven by community feedback

Page 15

Authentication Features

• LDAP
• DAO
• NTLM
• SPNEGO
• RADIUS
• File System
• X.509
• “Trusted”
• JAAS
• Acegi

Page 16

Other Features

• Clustering

• Client Libraries (PHP, Java, etc.)

• Demo-able/Quickstart WAR file

• Quality Documentation

• Active community mailing lists

Page 17

Technical Details

• Uses Spring IoC Container
– DI, localization, events, JdbcTemplate, LdapTemplate, etc.

• Completely interface driven

• Encourage customization and extension

• Java 1.5+/Servlet 2.4 compatible

Page 18

How CAS Works

Page 19

How CAS Works

Diagram: Web user → Servlet Container (DispatcherServlet → WebFlow Controller → action0, action1, …, action n-1, action n)

Page 20

How CAS Works

Diagram: action n creates Credentials and calls the CentralAuthenticationService; the CentralAuthenticationService calls the AuthenticationManager, which creates and returns an Authentication; the CentralAuthenticationService then creates a Ticket and calls the TicketRegistry.
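An added example, not CAS project code: a minimal plain-Java model of the flow on slide 20 (CentralAuthenticationService → AuthenticationManager → Ticket → TicketRegistry), showing the two checks that make a CAS service ticket safe to hand to an application: it is accepted only once, and only for the service URL it was issued for. The class names mirror the slide; the bodies, the single constructed account, the ticket lifetimes and the service URLs are assumptions made for illustration.

```java
// Added example (not CAS's own code): a simplified model of slide 20's ticket flow.
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class CasTicketFlow {

    /** Credentials presented to CAS at login: the only place the password travels. */
    static final class Credentials {
        final String username, password;
        Credentials(String username, String password) { this.username = username; this.password = password; }
    }

    /** Hypothetical AuthenticationManager: one constructed account; returns the principal or null. */
    static final class AuthenticationManager {
        String authenticate(Credentials c) {
            return "alice".equals(c.username) && "s3cret".equals(c.password) ? "alice" : null;
        }
    }

    /** A ticket-granting ticket (service == null) or a service ticket bound to one service URL. */
    static final class Ticket {
        final String id, principal, service;
        final long expiresAt;
        Ticket(String id, String principal, String service, long expiresAt) {
            this.id = id; this.principal = principal; this.service = service; this.expiresAt = expiresAt;
        }
    }

    /** TicketRegistry: the server-side store; a ticket that is not in it is not valid. */
    static final class TicketRegistry {
        private final Map<String, Ticket> tickets = new HashMap<String, Ticket>();
        void addTicket(Ticket t) { tickets.put(t.id, t); }
        Ticket getTicket(String id) { return tickets.get(id); }
        void deleteTicket(String id) { tickets.remove(id); }
    }

    static final class CentralAuthenticationService {
        private static final long TGT_TTL_MS = 2L * 60 * 60 * 1000;  // assumed lifetime: 2 hours
        private static final long ST_TTL_MS = 10L * 1000;            // assumed lifetime: 10 seconds
        private final AuthenticationManager authenticationManager;
        private final TicketRegistry ticketRegistry;
        private final SecureRandom random = new SecureRandom();

        CentralAuthenticationService(AuthenticationManager am, TicketRegistry tr) {
            authenticationManager = am;
            ticketRegistry = tr;
        }

        /** Login once: returns the TGT id, which the CAS server keeps in its own cookie. */
        String createTicketGrantingTicket(Credentials c) {
            String principal = authenticationManager.authenticate(c);
            if (principal == null) return null;
            Ticket tgt = new Ticket(newId("TGT"), principal, null, now() + TGT_TTL_MS);
            ticketRegistry.addTicket(tgt);
            return tgt.id;
        }

        /** Per application: a short-lived service ticket bound to that application's service URL. */
        String grantServiceTicket(String tgtId, String service) {
            Ticket tgt = ticketRegistry.getTicket(tgtId);
            if (tgt == null || tgt.service != null || tgt.expiresAt < now()) return null;
            Ticket st = new Ticket(newId("ST"), tgt.principal, service, now() + ST_TTL_MS);
            ticketRegistry.addTicket(st);
            return st.id;
        }

        /** The application presents the ticket it received: accepted once, and only for its own URL. */
        String validateServiceTicket(String stId, String service) {
            Ticket st = ticketRegistry.getTicket(stId);
            if (st == null || st.service == null) return null;   // unknown, already used, or a TGT id
            ticketRegistry.deleteTicket(stId);                     // consume it before any other check
            if (st.expiresAt < now() || !st.service.equals(service)) return null;
            return st.principal;
        }

        private String newId(String prefix) {
            byte[] b = new byte[16];
            random.nextBytes(b);                                   // unguessable ticket ids
            StringBuilder sb = new StringBuilder(prefix).append('-');
            for (byte x : b) sb.append(String.format("%02x", x));
            return sb.toString();
        }

        private static long now() { return System.currentTimeMillis(); }
    }

    public static void main(String[] args) {
        TicketRegistry registry = new TicketRegistry();
        CentralAuthenticationService cas = new CentralAuthenticationService(new AuthenticationManager(), registry);
        String app = "https://app.example.edu/j_acegi_cas_security_check";   // constructed service URL

        String tgt = cas.createTicketGrantingTicket(new Credentials("alice", "s3cret"));
        String st = cas.grantServiceTicket(tgt, app);
        System.out.println("first validation: " + cas.validateServiceTicket(st, app));
        System.out.println("replayed ticket:  " + cas.validateServiceTicket(st, app));
        String st2 = cas.grantServiceTicket(tgt, app);
        System.out.println("wrong service:    " + cas.validateServiceTicket(st2, "https://other.example.edu/"));
    }
}
```

The point for the application side (the Acegi CAS provider in the demo) is that the ticket it receives in the URL proves nothing by itself: it must be sent back to CAS for validation over the validation endpoint, with the same service URL, before the user is trusted, and a ticket that validates twice or for a different service indicates a bug or an attempted replay.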

Page 21

2. Benefits for Programmers

Page 22

Benefits for Programmers

• Code reduction
– Declaratively configured
– No audit logs for authentication
– OOTB authorization and authentication

• Tag Libs

• Proxy Authentication

• Domain object instance security

• Only one place to “watch” for account security

Page 23

3. Benefits for Users

Page 24

Benefits for Users

• Single Sign On

• Passwords are only passed to one “trusted” resource

• Better Application security

• Harder to trick someone with “phishing” attempts

Page 25

4. How to Integrate

Page 26

Demo

Page 27

5. Case Study

Page 28

Rutgers Case Study – Where Were We?

• Duplicating authentication code on each application

• Multiple authentication methods

• Sign in to each application

• De-centralized authentication

Page 29

Rutgers Case Study – What We Did

• Introduced a portal

• Centralized authentication

• Single Sign On

• Proxy Authentication

• Introduced Acegi into Java applications

Page 30

Rutgers Case Study – What it Got Us

• Better user experience

• Minimized access to passwords

• Created “horizontal” authentication component

• Standardized security code

• (still a work in progress though)

Page 31

6. Future Directions

Page 32

Acegi Roadmap

• 1.0.x branch -> minor updates

• 2.0
– Renamed to Spring Security
– Support for Spring 2.0
– OpenID Support
– Windows Domain Support
– Updated CAS Support

Page 33

CAS Roadmap

• Additional Protocol Support

• Internationalization

• Configuration/Setup Screens

• Advanced Monitoring

• Integration with Account Management Systems

Page 34

Conclusion

• Acegi Security is a fully-featured solution
– Many authentication strategies
– Decoupled web and method authorization
– Completely customizable by end users
– Active community, quality documentation, etc.

• CAS is a fully-featured solution
– Many authentication strategies
– Easily pluggable and extensible
– Active community, quality documentation, etc.
– Support for multiple platforms

Page 35

7. Discussion

Page 36

Spring Security

• Web Site
– http://www.acegisecurity.org

• Forum
– http://forum.springframework.org

• Mailing Lists
– Acegi Developer List: https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Page 37

CAS Mailing Lists

• CAS Community Discussion List
– http://tp.its.yale.edu/mailman/listinfo/cas

• CAS Developer’s Discussion List
– http://tp.its.yale.edu/mailman/listinfo/cas-dev

• CAS Announcement List
– https://lists.wisc.edu/read/all_forums/subscribe?name=cas-announce

• Links to archives, etc.:
– http://www.ja-sig.org/products/cas/community/lists/

Page 38

CAS Sites

• Product Web Site
– http://www.ja-sig.org/products/cas/

• Wiki
– http://www.ja-sig.org/wiki

• Issue Tracker
– http://www.ja-sig.org/issues

• Source Code
– http://developer.ja-sig.org/source/

Page 39

Questions?