a re introduction to spring security
play

A (re)introduction to Spring Security Agenda Before Spring - PDF document

Jun 10, 2023 •253 likes •452 views

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

  1. A (re)introduction to Spring Security Agenda • Before Spring Security: Acegi security • Introducing Spring Security • View layer security • What’s coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  2. Before Spring Security There was... Acegi Security for Spring • Created by Ben Alex in 2003 • 1.0 released in March 2004 • Applies security rules using Servlet Filters and Spring AOP • Extremely powerful and flexible E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  3. What Acegi Offered • Declarative Security • Keeps security details out of your code • Authentication and Authorization • Against virtually any user store • Support for anonymous sessions, concurrent sessions, remember-me, channel-enforcement, and much more • Spring-based, but can be used for non- Spring web frameworks E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma The Downside of Acegi “Every time you use Acegi...A fairy dies.” - Daniel Deiphouse http://netzooid.com/blog/2007/12/03/every-time-you- use-acegi/ E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  4. Example Acegi Config <?xml version="1.0" encoding="UTF-8"?> </property> <beans xmlns="http://www.springframework.org/schema/beans" </bean> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <bean id="httpSessionIntegrationFilter" xsi:schemaLocation="http://www.springframework.org/schema/beans class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd"> <property name="forceEagerSessionCreation" value="true" /> <bean id="filterChainProxy" </bean> class="org.acegisecurity.util.FilterChainProxy"> <bean id="filterSecurityInterceptor" <property name="filterInvocationDefinitionSource"> class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> <value> <property name="authenticationManager" ref="authenticationManager" /> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON <property name="accessDecisionManager" ref="accessDecisionManager" /> PATTERN_TYPE_APACHE_ANT <property name="objectDefinitionSource"> /**=channelProcessingFilter,httpSessionIntegrationFilter, <value> logoutFilter,authenticationProcessingFilter,rememberMeProcessingFilter, CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON anonymousProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor PATTERN_TYPE_APACHE_ANT </value> /booger.htm=ROLE_BOOGER </property> </value> </bean> </property> <bean id="authenticationProcessingFilter" </bean> class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter"> <bean id="anonymousProcessingFilter" <property name="authenticationManager" ref="authenticationManager"/> class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"> <property name="authenticationFailureUrl" value="/login.htm?login_error=1" /> <property name="key" value="foobar" /> <property name="defaultTargetUrl" value="/" /> <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" /> <property name="filterProcessesUrl" value="/j_acegi_security_check" /> </bean> <property name="rememberMeServices" ref="rememberMeServices" /> <bean id="anonymousAuthenticationProvider" </bean> class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider"> <bean id="authenticationManager" <property name="key" value="foobar" /> class="org.acegisecurity.providers.ProviderManager"> </bean> <property name="providers"> � <bean id="rememberMeProcessingFilter" <list> � class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter"> <ref bean="daoAuthenticationProvider" /> � <property name="rememberMeServices" ref="rememberMeServices" /> <ref bean="anonymousAuthenticationProvider" /> � <property name="authenticationManager" ref="authenticationManager" /> <ref bean="rememberMeAuthenticationProvider" /> � </bean> </list> � <bean id="rememberMeServices" </property> � class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices"> </bean> � <property name="userDetailsService" ref="userDetailsService" /> <bean id="daoAuthenticationProvider" � <property name="key" value="roadRantz" /> class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> � </bean> <property name="userDetailsService" � <bean id="rememberMeAuthenticationProvider" ref="userDetailsService" /> � class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> </bean> � <property name="key" value="roadRantz" /> <bean id="userDetailsService" � </bean> class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl"> <bean id="logoutFilter" <property name="dataSource" ref="dataSource" /> class="org.acegisecurity.ui.logout.LogoutFilter"> <property name="usersByUsernameQuery" <constructor-arg value="/home.htm" /> value="SELECT email as username, password, 'true' FROM Motorist WHERE email=?" /> <constructor-arg> <property name="authoritiesByUsernameQuery" <list> value="SELECT email as username, privilege FROM Motorist_Privileges mp, Motorist m WHERE <ref bean="rememberMeServices"/> mp.motorist_id = m.id AND m.email=?" /> <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/> </bean> </list> <bean id="authenticationEntryPoint" </constructor-arg> class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"> </bean> <property name="loginFormUrl" value="/login.htm" /> <bean id="channelProcessingFilter" <property name="forceHttps" value="true" /> class="org.acegisecurity.securechannel.ChannelProcessingFilter"> </bean> <property name="channelDecisionManager" ref="channelDecisionManager" /> <bean id="accessDecisionManager" <property name="filterInvocationDefinitionSource"> class="org.acegisecurity.vote.UnanimousBased"> <value> <property name="allowIfAllAbstainDecisions" value="false" /> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON <property name="decisionVoters"> PATTERN_TYPE_APACHE_ANT <list> /login.htm=REQUIRES_SECURE_CHANNEL <bean class="org.acegisecurity.vote.RoleVoter" /> /j_acegi_security_check*=REQUIRES_SECURE_CHANNEL </list> /**=REQUIRES_INSECURE_CHANNEL </property> </value> </bean> </property> <bean id="exceptionTranslationFilter" </bean> class="org.acegisecurity.ui.ExceptionTranslationFilter"> </beans> <property name="authenticationEntryPoint" ref="authenticationEntryPoint" /> <property name="accessDeniedHandler"> <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl"> <property name="errorPage" value="/error.htm" /> </bean> E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma What was in that XML? E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  5. Introducing Spring Security Solution:Spring Security • All of the same goodness of Acegi • Plus some new stu � • Provides a new security namespace for Spring • Much less XML • Based on Spring, but can be used with non- Spring applications • Currently at version 2.0.5 • Version 3.0.0.RC1 is available E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

  6. From the home page “Spring Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on applications that use Spring.” E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma What Spring Security Isn’t • Firewall or proxy server • OS-level security • JVM security • Identity management or single-sign-on • Protection against cross-site scripting E-mail: craig@habuma.com Blog: http://www.springloaded.info Source Code: svn://svn.geekisp.com/SiA svn://svn.geekisp.com/habuma

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer Security Studies in what ways security mechanisms may fail Can we gain access to a computer system without authorizaDon? Can we compromise

986 views • 84 slides
Program Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor

Program Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor

Program Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger System Resources

377 views • 21 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
Introduction CMSC 414: Computer and Network Security Spring 2016 What is computer &amp; network

Introduction CMSC 414: Computer and Network Security Spring 2016 What is computer &amp; network

Introduction CMSC 414: Computer and Network Security Spring 2016 What is computer &amp; network security? Normally, we are concerned with correctness Does the software achieve the desired behavior? Security is a form of correctness

682 views • 47 slides
CSC591-006 Smartphone OS Security Introduction Spring 2012 Prof. William Enck NC State --

CSC591-006 Smartphone OS Security Introduction Spring 2012 Prof. William Enck NC State --

CSC591-006 Smartphone OS Security Introduction Spring 2012 Prof. William Enck NC State -- Department of Computer Science Page 1 Why Study Smartphone Security? New platform / theyre popular / its a buzzword Resource constrained

536 views • 40 slides
Lecture 5 - Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 5 - Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 5 - Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professors Jaeger A

599 views • 21 slides
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger The

868 views • 21 slides
Lecture 19 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 19 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 19 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

550 views • 26 slides
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

206 views • 20 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Advanced System Security CSE544 - Spring 2007 Introduction Computer and Network Security

Advanced System Security CSE544 - Spring 2007 Introduction Computer and Network Security

561 views • 18 slides
Lecture 20 &amp; 21 - Web Security CMPSC 443 - Spring 2012 Introduction Computer and Network

Lecture 20 &amp; 21 - Web Security CMPSC 443 - Spring 2012 Introduction Computer and Network

Lecture 20 &amp; 21 - Web Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

600 views • 42 slides
Wireless Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Wireless Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Wireless Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger At the mall ... 2

526 views • 21 slides
Lecture 12 - Network Security CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 12 - Network Security CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 12 - Network Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Idea

780 views • 20 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Web Security: Basic Web Security Model [continued] Spring

Web Security: Basic Web Security Model [continued] Spring

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model [continued] Spring 2015 Franziska (Franzi) Roesner

510 views • 18 slides
Handouts Apache MyFaces Session Slide 5 JSF is a new technology that enables you to create

Handouts Apache MyFaces Session Slide 5 JSF is a new technology that enables you to create

Handouts Apache MyFaces Session Slide 5 JSF is a new technology that enables you to create Java-based web apps. It is more than only a new framework/technology; it is a widely adopted industrial standard. Since JSF provides a clear lifecycle

290 views • 11 slides
Conditional desires Kai von Fintel Slides at http://kvf.me/cd The perennial puzzle 2 + 2 = ? 2

Conditional desires Kai von Fintel Slides at http://kvf.me/cd The perennial puzzle 2 + 2 = ? 2

Conditional desires Kai von Fintel Slides at http://kvf.me/cd The perennial puzzle 2 + 2 = ? 2 / 48 if + want = ? 3 / 48 The plan starting points an expected reading another reading (or even two?) the solution space

771 views • 49 slides
Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application

Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application

Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application Client server program with browser as client Examples: Gmail, Dropbox, Netflix, Zoho,... Server Server Database Client Front Back Browser End

1.09k views • 34 slides
Extracting Functional and Nonfunctional Contracts from Java Classes and Enterprise Java Beans

Extracting Functional and Nonfunctional Contracts from Java Classes and Enterprise Java Beans

Extracting Functional and Nonfunctional Contracts from Java Classes and Enterprise Java Beans Nikola Milanovic and Miroslaw Malek {milanovi,malek}@informatik.hu-berlin.de Humboldt University Berlin Workshop on Architecting Dependable Systems

389 views • 28 slides
Inquiry Analysis for Beanstalk in Propel East and Propel School May 2013 R=0.32 Slide 2

Inquiry Analysis for Beanstalk in Propel East and Propel School May 2013 R=0.32 Slide 2

Inquiry Analysis for Beanstalk in Propel East and Propel School May 2013 R=0.32 Slide 2 Inquiry, Beanstalk,May 2013, Propel East/Northside paired, 2-tailed t (145)= 0.30 p =0.76 N 146 146 Mean 0.66 0.65 SD 0.12 0.12 SE 0.01

546 views • 52 slides
Entity Beans Vue objet dune base de donnes (exemples: client, compte,) en gnral,

Entity Beans Vue objet dune base de donnes (exemples: client, compte,) en gnral,

5. Enterprise JavaBeans 5.3 Entity Beans Entity Beans Vue objet dune base de donnes (exemples: client, compte,) en gnral, une ligne d une table relationnelle (SGBD-R) ou un objet persistant (SGBD- OO) sont persistant

326 views • 17 slides
T YPES OF M ODELS Prasun Dewan Department of Computer Science University of North Carolina at

T YPES OF M ODELS Prasun Dewan Department of Computer Science University of North Carolina at

T YPES OF M ODELS Prasun Dewan Department of Computer Science University of North Carolina at Chapel Hill dewan@cs.unc.edu Code available at: https://github.com/pdewan/ColabTeaching P RE -R EQUISITES Model-Interactor Separation 2 M ODEL T

454 views • 16 slides
Using Gaussian Mixture Models to Detect Figurative Language in Context Linlin Li and Caroline

Using Gaussian Mixture Models to Detect Figurative Language in Context Linlin Li and Caroline

Introduction Using Gaussian Mixture Model to Detect Figurative Language Evaluating the GMM Approach Conclusion Using Gaussian Mixture Models to Detect Figurative Language in Context Linlin Li and Caroline Sporleder Cluster of Excellence, MMCI

411 views • 21 slides

More recommend