A bridge between two worlds: Spring Security & Kerberos

Claudiu Stancu

•Me & the other me

•Security concepts

•Kerberos

•All together

•Code time

Agenda

3

4IN YOUR ZONE

About me…

Development Discipline Lead at Endava

5IN YOUR ZONE

The other me…

6IN YOUR ZONE

Security concepts – Data types

PUBLIC PRIVATE

CONFIDENTIAL SECRET

7IN YOUR ZONE

Authentication

“The process of verifying that the users of our application are who they say they are”

8IN YOUR ZONE

Authentication

Credentials Based

9IN YOUR ZONE

Authentication

Biometrics Authentication

10IN YOUR ZONE

Authentication

Two factor authentication

11IN YOUR ZONE

Authentication

• Browser certificates

• Single Sing On

• Hardware authentication

12IN YOUR ZONE

Authorization

Assign authenticated Principals to one or more Roles

Assign the Principal’s Role(s) to secured resources

13IN YOUR ZONE

Spring Security

Servlet Filters

Delegation

14IN YOUR ZONE

Spring Security – Filters

o.s.s.web.context.SecurityContextPersistenceFilter

o.s.s.web.authentication.logout.LogoutFilter

o.s.s.web.authentication.UsernamePasswordAuthentication

o.s.s.web.session.SessionManagementFilter

Secured Resource

Request Response

15IN YOUR ZONE

Spring Security – Fundamentals

Security Interceptor

Authentication Manager

Access Decision Manager

Run-As Manager

After-Invocation Manager

16IN YOUR ZONE

Spring Security – Authentication Manager

Authentication Manager

Provider Manager

LDAP Authentication

Provider

CAS Authentication

Provider

Kerberos Authentication

Provider

DAO Authentication

Provider

Remember Me Authentication

Provider

17IN YOUR ZONE

Spring Security – Access Decision Manager

Affirmative Based

Abstract Decision Voter

Access Decision Manager

Abstract Access Decision Manager

Consensus Based Unanimous Based Role Voter

Access Decision Manager Grant / Deny access?

Affirmative based At least one voter grant access

Consensus based Majority grant access

Unanimous based If all voters grant access

18IN YOUR ZONE

Kerberos

19IN YOUR ZONE

Kerberos

{cstancu, 192.168.1.2}

SessionKey1

TGT

TGT

SessionKey1

20IN YOUR ZONE

Kerberos

{SessionKey1}Authenticator TGT

{SessionKey2}Authenticator

Mail Ticket{SessionKey2}

ok

TGT

SessionKey1

Mail Ticket

{SessionKey1}SessionKey2

Mail Ticket

SessionKey2

21IN YOUR ZONE

All together

(1)HTTP GET resource.html

WW

W-A

uthe

ntica

te: N

egoc

iate

(2

) HTT

P 401

– Den

ied:

22IN YOUR ZONE

All together

(3) Kerberos TGS_REQ

(4) Kerberos TGS_REP

23IN YOUR ZONE

All together

(5) H

TTP

GET

Aut

horiz

ation

Negotiate w/SPNEGO Token

(6) HTTP 200 – OK

reso

urce

.htm

l

24IN YOUR ZONE

Code time…

25IN YOUR ZONE

26IN YOUR ZONE

Claudiu Stancu | Development Discipline Lead