Acegi Security
• What is Acegi Security
• Key features
• Conclusion
• Examples in reality
• References
Aureliusz Rempala
Emily Brand
Fan Wang
Acegi Security
- What is Acegi Security?
• Provides
  o advanced authentication
  o advanced authorization
  o and other features for enterprise applications
• built using the Spring Framework
• It is an official Spring Sub-Project
• Commercial support and training available from interface21.
• Authentication Procedure
  1. Check if resource is secure
  2. Check if the user has been authenticated
  3. Check if authenticated user is authorized
  4. Serve the requested resource
Acegi Security
- Authentication Overview
• Authentication mechanism key participants:
  o ExceptionTranslationFilter
    Detects any Acegi Security exceptions that are thrown
  o AuthenticationEntryPoint
    When the user is not authenticated, it sends back a response indicating that s/he must authenticate.
  o authentication mechanism
    collects authentication details from a user agent (usually a web browser),
    builds an "Authentication request" object from the collected data,
    presents the Authentication object to an AuthenticationProvider.
  o AuthenticationProvider
    obtains a UserDetails object from the UserDetailsService
    validates the content of the Authentication object against the UserDetails object
    puts the Authentication object in the SecurityContextHolder if authentication is successful.
Acegi Security
- Key features (cont.)
Acegi performs HTTP session authentication through the use of a servlet filter:
Web.xml:
<filter>
  <filter-name>Acegi Authentication Processing Filter</filter-name>
  <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Acegi Authentication Processing Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
• How and when authentication takes place is decided by the content of the applicationContext.xml
Acegi Security
- securityContext.xml
• FilterChainProxy
  o all of the requests pass through this bean
  o defines a cascade of filters
  o allows a different set of filters to be defined for different URLs
  o the order of the filters is important.
• Sample FilterChainProxy bean:
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value><![CDATA[
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    ]]></value>
  </property>
</bean>
Acegi Security
- Commonly Used Filters
• HttpSessionContextIntegrationFilter:
  o keeps the contents of the SecurityContext between HTTP requests.
• AuthenticationProcessingFilter:
  o form-based authentication (JSP, for example)
• BasicProcessingFilter:
  o BASIC HTTP header-based authentication (web services)
• RememberMeProcessingFilter:
  o cookie that enables remember-me services
• AnonymousProcessingFilter:
  o allows anonymous access
• FilterSecurityInterceptor:
Acegi Security
- Filters (a closer look)
• HttpSessionContextIntegrationFilter
<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
</bean>
• AuthenticationProcessingFilter:
<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
  <property name="defaultTargetUrl" value="/"/>
  <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
  <property name="rememberMeServices" ref="rememberMeServices"/>
</bean>
• BasicProcessingFilter:
<bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
  <property name="authenticationManager"><ref local="authenticationManager"/></property>
  <property name="authenticationEntryPoint"><ref local="basicProcessingFilterEntryPoint"/></property>
</bean>
Acegi Security
- Filters (a closer look)
• RememberMeProcessingFilter:
<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
  <property name="authenticationManager"><ref local="authenticationManager"/></property>
  <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
</bean>
<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
  <property name="userDetailsService" ref="userDetailsService"/>
  <property name="key" value="changeThis"/>
</bean>
• AnonymousProcessingFilter:
<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
  <property name="key" value="changeThis"/>
  <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
Acegi Security
- Filters (a closer look)
• FilterSecurityInterceptor:
  o Allows all kinds of managers that will participate in the authentication/authorization process to be incorporated.
  o More specific URLs should be listed at the top
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref bean="authenticationManager"/>
  </property>
  <property name="accessDecisionManager">
    <ref local="httpRequestAccessDecisionManager"/>
  </property>
  <property name="objectDefinitionSource">
    <value><![CDATA[
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /index.jsp=ROLE_ANONYMOUS,ROLE_USER
      /switchuser.jsp=ROLE_SUPERVISOR
      /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
      /**=ROLE_USER
    ]]></value>
  </property>
</bean>
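As an added example (not from the slides and not Acegi's own code), a Python model of how the definition sources on these slides are read: the same directive-plus-pattern format drives both the FilterChainProxy's filterInvocationDefinitionSource and this interceptor's objectDefinitionSource, the URL is lowercased when the first directive is present, and the first Ant pattern that matches wins. The MISORDERED_SOURCE constant is constructed to show why the ordering rule matters: with the catch-all /** on top, /switchuser.jsp is handed to any ROLE_USER instead of ROLE_SUPERVISOR.

```python
import re

# Constructed sample input: the objectDefinitionSource shown on the slide.
OBJECT_DEFINITION_SOURCE = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/switchuser.jsp=ROLE_SUPERVISOR
/acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER
"""
# Same rules with the catch-all moved to the top (constructed misordering).
MISORDERED_SOURCE = OBJECT_DEFINITION_SOURCE.replace("/**=ROLE_USER\n", "").replace(
    "PATTERN_TYPE_APACHE_ANT\n", "PATTERN_TYPE_APACHE_ANT\n/**=ROLE_USER\n")

def ant_to_regex(pattern):
    """Ant pattern to anchored regex: '**' spans segments, '*' one segment, '?' one char."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        else:
            c = pattern[i]
            out += "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
            i += 1
    return re.compile("^" + out + "$")

def parse_definition_source(text):
    """Read the directives and 'pattern=value,value' lines of a definition source.
    FilterChainProxy and FilterSecurityInterceptor use the same format."""
    lowercase, rules = False, []
    for line in text.strip().splitlines():
        line = line.strip()
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif line and line != "PATTERN_TYPE_APACHE_ANT":
            pattern, values = line.split("=", 1)
            rules.append((ant_to_regex(pattern), [v.strip() for v in values.split(",")]))
    return lowercase, rules

def lookup(text, url):
    """First matching rule's values, or None (first match wins: specific patterns go first)."""
    lowercase, rules = parse_definition_source(text)
    if lowercase:
        url = url.lower()
    for regex, values in rules:
        if regex.match(url):
            return values
    return None
```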
Acegi Security
- Authentication Manager
• AuthenticationManager is responsible for passing requests through a chain of AuthenticationProviders, and it might be configured in the following way:
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider"/>
      <ref local="anonymousAuthenticationProvider"/>
      <ref local="rememberMeAuthenticationProvider"/>
    </list>
  </property>
</bean>
Acegi Security
- Authentication Provider
• AuthenticationProvider points to the location where principal information such as usernames, passwords, and access rights is stored.
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="userDetailsService"/>
</bean>
<!-- UserDetailsService is the Acegi Security interface most frequently implemented by end users -->
<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userProperties">
    <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
      <property name="location" value="/WEB-INF/users.properties"/>
    </bean>
  </property>
</bean>
Acegi Security
- Key features (cont.)
• Authentication Provider (Easy to understand, configure, and demonstrate)
  o ProviderManager
    Most popular implementation
    a wrapper around a list of one or more AuthenticationProviders provided to the class
    the authenticate method of the AuthenticationManager delegates to that specific provider
    the wrapper class cycles through the list of providers until it locates a compatible one.
  o Recommendation for Developers
    Developers should examine the providers to determine the one that suits their needs best
Acegi Security
- Key features
• Authorization - Security Interception
  o key to protecting resources under Acegi
  o Prior to access to the resource, an interception determines whether or not the resource should be protected
  o Traces the chain of authorization to receive access to a protected resource
  o Assuming the user is authenticated, it delegates to an implementation of the AccessDecisionManager
    receives key parameters such as the authenticated Authentication object and resource properties, among others.
    The final decision for access is left in the hands of the
Acegi Security
- Key features (cont.)
• AccessDecisionManager
  o tallies votes
    ConsensusBased
      grants or denies access based upon the consensus of non-abstain votes
    UnanimousBased
      requires unanimous consent in order to grant access but ignores abstains
    AffirmativeBased
      grants access if at least one grant vote is received, while deny votes are disregarded.
Acegi Security
- Key features (cont.)
• Configure the authorization system starting with the RoleVoter and UnanimousBased:
applicationContext.xml:
<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.UnanimousBased">
  <property name="allowIfAllAbstainDecisions">
    <value>false</value>
  </property>
  <property name="decisionVoters">
    <list>
      <ref local="roleVoter"/>
    </list>
  </property>
</bean>
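As an added example (not from the slides and not Acegi's own code), a Python model of the three tallying strategies from the previous slide together with a RoleVoter and the allowIfAllAbstainDecisions setting configured above; locked_account_voter and the ACCOUNT_LOCKED authority are constructed for illustration, and the tie rule used for ConsensusBased is an assumption, not something the slides state.

```python
GRANT, DENY, ABSTAIN = 1, -1, 0

def role_voter(authorities, config_attributes):
    """Model of RoleVoter: looks only at attributes starting with ROLE_.
    GRANT if the user holds one of them, DENY if not, ABSTAIN when the
    resource carries no ROLE_ attribute at all."""
    role_attrs = [a for a in config_attributes if a.startswith("ROLE_")]
    if not role_attrs:
        return ABSTAIN
    return GRANT if any(r in authorities for r in role_attrs) else DENY

def locked_account_voter(authorities, config_attributes):
    """Constructed second voter (not an Acegi class): vetoes any access for a
    principal carrying the hypothetical ACCOUNT_LOCKED authority."""
    return DENY if "ACCOUNT_LOCKED" in authorities else ABSTAIN

def decide(strategy, votes, allow_if_all_abstain=False, allow_if_equal=True):
    """Tally votes the way the three AccessDecisionManager implementations on the
    slides do. allow_if_all_abstain mirrors allowIfAllAbstainDecisions; the tie
    rule for ConsensusBased is an assumed default, not taken from the slides."""
    grants, denies = votes.count(GRANT), votes.count(DENY)
    if grants == 0 and denies == 0:      # every voter abstained
        return allow_if_all_abstain
    if strategy == "AffirmativeBased":   # one grant suffices, denies ignored
        return grants > 0
    if strategy == "UnanimousBased":     # a single deny blocks, abstains ignored
        return denies == 0
    if strategy == "ConsensusBased":     # majority of the non-abstain votes
        return grants > denies or (grants == denies and allow_if_equal)
    raise ValueError("unknown strategy: " + strategy)

def access_granted(strategy, voters, authorities, config_attributes,
                   allow_if_all_abstain=False):
    """Collect one vote per voter for this request and hand them to the manager."""
    votes = [vote(authorities, config_attributes) for vote in voters]
    return decide(strategy, votes, allow_if_all_abstain)

def slide_config_grants(authorities, config_attributes):
    """The configuration above: RoleVoter only, UnanimousBased, deny when all abstain."""
    return access_granted("UnanimousBased", [role_voter], authorities,
                          config_attributes, allow_if_all_abstain=False)
```

With allowIfAllAbstainDecisions left at false, a resource whose attributes carry no ROLE_ entry is denied outright, so a typo in an attribute name fails closed rather than open.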
Acegi Security
Future
• Will be promoted to be an official part of the Spring Framework
  o New name "Spring Security"
  o In version 2M1
• Spring Security 2 will offer
  o considerably simplified configuration
  o Windows NTLM authentication
  o a user management API
  o persistence-backed remember-me services
  o hierarchical roles