Using Spring Security and CAS – JA-SIG Summer Conference, Denver, CO, June 24 – 27, 2007 (presentation transcript)

1 Using Spring Security and CAS
JA-SIG Summer Conference, Denver, CO, June 24 – 27, 2007

2 Enterprise Systems & Services – Using Spring Security and CAS
Who am I?
Application Developer @ Rutgers
Java Developer for 5+ years
Lead Developer on JA-SIG CAS
Committer on Spring Security

3 Agenda
1. History and Overview
2. Benefits for Programmers
3. Benefits for Users
4. Demo
5. Case Study
6. Future Directions
7. Discussion

4 1. Overview & History

5 What is Spring Security?
Spring Security is a powerful and flexible security solution for enterprise software.

6 Users
Used worldwide at:
  – Major institutions such as Rutgers
  – Major financial institutions and banks
  – Several Australian government departments
Integrated with:
  – Frameworks such as Grails, Trails, etc.
  – Applications such as Roller, Mule

7 Authentication Features
LDAP
BASIC
Digest
JAAS
CAS
X.509 Certificates
DAO
Run-as Replacement
Form-based login
Anonymous
Remember-Me
SiteMinder
HTTP Switch User
Concurrent User Limiting
Container Adapters
Write your own…

8 Technical Details
Uses Spring IoC container
  – DI, events, localization and JdbcTemplate
Completely interface-driven
High cohesion, loosely coupled
Encourage customization and extension
Java 1.3+ compatible
  – Java 5 code packaged in “Tiger” JAR

9 How Spring Security Works
[Diagram: Web User -> Servlet Container -> FilterToBeanProxy -> FilterChainProxy (obtained from the IoC Container) -> Filter 1, Filter 2, Filter 3, Filter 4, Filter 5 … Filter X -> Servlet]

10 How Spring Security Works
# – Filter Name – Main Purpose
1 – HttpSessionContextIntegrationFilter – Stores SecurityContextHolder between HTTP requests
2 – LogoutFilter – Clears SecurityContextHolder when logout requested
3 – Authentication Mechanism Filters – Puts Authentication into SecurityContextHolder
4 – ExceptionTranslationFilter – Converts Acegi Security exceptions into HTTP
5 – FilterSecurityInterceptor – Authorizes web filter requests based on URL patterns

11 How Spring Security Works
[Diagram: the Authentication Mechanism Filter (Filter 3) creates an Authentication “Request” and calls ProviderManager, which returns an Authentication “Response”; the filter then populates the SecurityContextHolder with it]
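The filter ordering on slides 9–11 is easier to follow with the pieces in hand, so here is an added stand-alone Java model of that chain. It is not code from the presentation or from Spring Security: every type (SecurityContextHolder, ProviderManager, the five filters, Request, Response) is a hypothetical stand-in that borrows the framework's name, the X-Demo-* headers are a constructed substitute for a login form, and the user table is constructed. It assumes Java 17 or later.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Stand-alone model of the filter chain on slides 9-11. Every type here is a
// hypothetical stand-in that borrows a Spring Security name; none of this is
// the framework's own code. Requires Java 17+ (records, lambdas).
public class FilterChainModel {

    // "Request" carries raw credentials; "response" carries resolved roles.
    record Authentication(String principal, String credentials,
                          List<String> roles, boolean authenticated) {}

    // Slide 11: the authentication mechanism filter populates this
    // thread-bound holder; filter 1 moves it to and from the session.
    static final class SecurityContextHolder {
        private static final ThreadLocal<Authentication> CTX = new ThreadLocal<>();
        static void set(Authentication a) { if (a == null) CTX.remove(); else CTX.set(a); }
        static Authentication get() { return CTX.get(); }
    }

    interface AuthenticationProvider { Authentication authenticate(Authentication request); }

    // ProviderManager: consult each provider in turn; first non-null answer wins.
    record ProviderManager(List<AuthenticationProvider> providers) {
        Authentication authenticate(Authentication request) {
            for (AuthenticationProvider p : providers) {
                Authentication response = p.authenticate(request);
                if (response != null) return response;
            }
            throw new SecurityException("bad credentials");
        }
    }

    // Minimal HTTP stand-ins; the "session" is just a map shared across requests.
    record Request(String url, Map<String, String> headers, Map<String, Object> session) {}
    static final class Response { int status = 200; }
    interface Filter { void doFilter(Request req, Response res, Runnable next); }

    // FilterChainProxy: run filters in order; each decides whether to continue.
    static void run(List<Filter> chain, int i, Request req, Response res, Runnable servlet) {
        if (i == chain.size()) { servlet.run(); return; }
        chain.get(i).doFilter(req, res, () -> run(chain, i + 1, req, res, servlet));
    }

    static List<Filter> buildChain(ProviderManager pm) {
        // 1. HttpSessionContextIntegrationFilter: restore before, save after.
        Filter session = (req, res, next) -> {
            SecurityContextHolder.set((Authentication) req.session().get("ctx"));
            try { next.run(); }
            finally { req.session().put("ctx", SecurityContextHolder.get()); SecurityContextHolder.set(null); }
        };
        // 2. LogoutFilter: clear the holder and end the chain.
        Filter logout = (req, res, next) -> {
            if (req.url().equals("/logout")) { SecurityContextHolder.set(null); return; }
            next.run();
        };
        // 3. Authentication mechanism: build a request Authentication, hand it to
        //    ProviderManager, store the response. (Constructed X-Demo-* headers
        //    stand in for a login form; a failed login is answered with 401.)
        Filter login = (req, res, next) -> {
            String user = req.headers().get("X-Demo-User");
            if (user != null) {
                Authentication request = new Authentication(
                        user, req.headers().get("X-Demo-Password"), List.of(), false);
                try { SecurityContextHolder.set(pm.authenticate(request)); }
                catch (SecurityException e) { res.status = 401; return; }
            }
            next.run();
        };
        // 4. ExceptionTranslationFilter: turn security exceptions into HTTP statuses.
        Filter translate = (req, res, next) -> {
            try { next.run(); }
            catch (SecurityException e) { res.status = SecurityContextHolder.get() == null ? 401 : 403; }
        };
        // 5. FilterSecurityInterceptor: authorize the URL against role rules.
        Filter authorize = (req, res, next) -> {
            Authentication a = SecurityContextHolder.get();
            if (a == null || !a.authenticated()) throw new SecurityException("unauthenticated");
            if (req.url().startsWith("/admin/") && !a.roles().contains("ROLE_ADMIN"))
                throw new SecurityException("forbidden");
            next.run();
        };
        return List.of(session, logout, login, translate, authorize);
    }

    static int serve(List<Filter> chain, String url, Map<String, String> headers,
                     Map<String, Object> session) {
        Response res = new Response();
        run(chain, 0, new Request(url, headers, session), res, () -> {});  // servlet: nothing to do
        return res.status;
    }

    public static void main(String[] args) {
        // Constructed in-memory user table standing in for a DAO provider.
        Map<String, String[]> users = Map.of(
                "alice", new String[]{"s3cret", "ROLE_ADMIN"},
                "bob",   new String[]{"hunter2", "ROLE_USER"});
        AuthenticationProvider dao = req -> {
            String[] rec = users.get(req.principal());
            if (rec == null || !rec[0].equals(req.credentials())) return null;
            return new Authentication(req.principal(), null, List.of(rec[1]), true);
        };
        List<Filter> chain = buildChain(new ProviderManager(List.of(dao)));
        Map<String, Object> session = new HashMap<>();

        System.out.println(serve(chain, "/admin/users", Map.of(), session));
        System.out.println(serve(chain, "/admin/users",
                Map.of("X-Demo-User", "bob", "X-Demo-Password", "hunter2"), session));
        System.out.println(serve(chain, "/admin/users",
                Map.of("X-Demo-User", "alice", "X-Demo-Password", "s3cret"), session));
        System.out.println(serve(chain, "/admin/users", Map.of(), session));  // same session, no credentials
        System.out.println(serve(chain, "/logout", Map.of(), session));
        System.out.println(serve(chain, "/admin/users", Map.of(), session));
    }
}
```

The `main` walks one session through the chain: an anonymous request to an admin URL is turned away, a user without ROLE_ADMIN is authenticated but then refused by the interceptor, an admin login succeeds and is carried into the next request by the session filter alone, and after `/logout` the same session is anonymous again. Note the order dependency the slide's table implies: the interceptor can only throw into the ExceptionTranslationFilter because that filter sits before it in the chain, and the session filter must wrap everything so that whatever the later filters leave in the holder is what gets saved.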

12 What is JA-SIG CAS?
JA-SIG CAS is single sign on for the web. It provides a trusted mechanism for authenticating users across your applications.

13 Users
Deployed by:
  – Institutions of Higher Education
  – Non-profits
  – Commercial companies
  – etc.
Deployed worldwide:
  – U.S., Canada, Hong Kong
  – Belgium, France, Russia, China, Japan
  – India, Australia, New Zealand
  – Greece, Turkey, England
  – Netherlands, Spain, Sweden, Portugal
  – etc.

14
3rd year of project
Over 1000 downloads a month
Active community of deployers
Driven by community feedback

15 Authentication Features
LDAP
DAO
NTLM
SPNEGO
RADIUS
File System
X.509
“Trusted”
JAAS
Acegi

16 Other Features
Clustering
Client Libraries (PHP, Java, etc.)
Demo-able/Quickstart WAR file
Quality Documentation
Active community mailing lists

17 Technical Details
Uses Spring IoC Container
  – DI, Localization, events, JdbcTemplate, LdapTemplate, etc.
Completely interface driven
Encourage customization and extension
Java 1.5+/Servlet 2.4 compatible

18 How CAS Works

19 How CAS Works
[Diagram: Web User -> Servlet Container -> DispatcherServlet -> WebFlow Controller -> action 0, action 1, …, action n-1, action n]

20 How CAS Works
[Diagram: action n creates Credentials and calls the CentralAuthenticationService; the CentralAuthenticationService calls the AuthenticationManager, which creates and returns an Authentication; the CentralAuthenticationService then creates a Ticket and calls the TicketRegistry]
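To make the Credentials -> AuthenticationManager -> Authentication -> Ticket -> TicketRegistry sequence on slide 20 concrete, here is an added Java model of it. It is not code from the presentation or from the CAS server: the classes borrow CAS names but are hypothetical stand-ins, and the example goes one step past the slide by also granting and validating a single-use service ticket, which is how the single sign-on described on slide 12 is exercised by a second application. The user table and the service URL are constructed; Java 17 or later is assumed.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Stand-alone model of the flow on slide 20. The types borrow CAS names
// (Credentials, AuthenticationManager, CentralAuthenticationService,
// TicketRegistry, Ticket) but are hypothetical stand-ins, not the CAS
// server's classes. Requires Java 17+ (records, sealed types).
public class CasFlowModel {

    record Credentials(String username, String password) {}
    record Authentication(String principal, long authenticatedAt) {}

    // A ticket-granting ticket (TGT) records a completed login for the browser;
    // a service ticket (ST) is a single-use voucher issued for one application.
    sealed interface Ticket permits TicketGrantingTicket, ServiceTicket { String id(); }
    record TicketGrantingTicket(String id, Authentication authentication) implements Ticket {}
    record ServiceTicket(String id, String service, TicketGrantingTicket grantedBy) implements Ticket {}

    interface AuthenticationManager { Authentication authenticate(Credentials c); }

    // In-memory registry; a clustered deployment would back this with shared storage.
    static final class TicketRegistry {
        private final Map<String, Ticket> store = new HashMap<>();
        void add(Ticket t) { store.put(t.id(), t); }
        Ticket get(String id) { return store.get(id); }
        Ticket remove(String id) { return store.remove(id); }
    }

    static final class CentralAuthenticationService {
        private static final SecureRandom RNG = new SecureRandom();
        private final AuthenticationManager authenticationManager;
        private final TicketRegistry ticketRegistry;

        CentralAuthenticationService(AuthenticationManager am, TicketRegistry tr) {
            this.authenticationManager = am;
            this.ticketRegistry = tr;
        }

        // Ticket ids must be unguessable: 192 random bits from SecureRandom.
        private static String newId(String prefix) {
            byte[] b = new byte[24];
            RNG.nextBytes(b);
            return prefix + "-" + Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        }

        // Slide 20: credentials in, AuthenticationManager consulted, ticket created
        // and handed to the TicketRegistry. Returns the TGT id for the SSO cookie.
        String createTicketGrantingTicket(Credentials c) {
            Authentication a = authenticationManager.authenticate(c);  // throws on failure
            TicketGrantingTicket tgt = new TicketGrantingTicket(newId("TGT"), a);
            ticketRegistry.add(tgt);
            return tgt.id();
        }

        // Single sign-on: a later visit to another application reuses the TGT.
        String grantServiceTicket(String tgtId, String service) {
            if (!(ticketRegistry.get(tgtId) instanceof TicketGrantingTicket tgt))
                throw new SecurityException("unknown ticket-granting ticket");
            ServiceTicket st = new ServiceTicket(newId("ST"), service, tgt);
            ticketRegistry.add(st);
            return st.id();
        }

        // The application presents the ST back to CAS. It is removed on first
        // use and must have been issued for exactly this service.
        String validateServiceTicket(String stId, String service) {
            if (!(ticketRegistry.remove(stId) instanceof ServiceTicket st)
                    || !st.service().equals(service))
                throw new SecurityException("invalid service ticket");
            return st.grantedBy().authentication().principal();
        }
    }

    public static void main(String[] args) {
        // Constructed user table standing in for one of slide 15's handlers.
        Map<String, String> users = Map.of("alice", "s3cret");
        AuthenticationManager manager = c -> {
            String expected = users.get(c.username());
            if (expected == null || !expected.equals(c.password()))
                throw new SecurityException("authentication failed");
            return new Authentication(c.username(), System.currentTimeMillis());
        };
        CentralAuthenticationService cas =
                new CentralAuthenticationService(manager, new TicketRegistry());

        String tgt = cas.createTicketGrantingTicket(new Credentials("alice", "s3cret"));
        String st = cas.grantServiceTicket(tgt, "https://app.example/");
        System.out.println("validated as " + cas.validateServiceTicket(st, "https://app.example/"));
        try {
            cas.validateServiceTicket(st, "https://app.example/");  // second use of the same ST
        } catch (SecurityException e) {
            System.out.println("reuse rejected: " + e.getMessage());
        }
    }
}
```

Three design choices in the model carry the security weight of the slide's flow: the password is seen only by the AuthenticationManager behind the CentralAuthenticationService (the “one trusted resource” of slide 24), ticket ids come from SecureRandom so they cannot be predicted, and a service ticket is removed from the registry on validation and checked against the service it was issued for, so it cannot be presented twice or to a different application.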

21 2. Benefits for Programmers

22 Benefits for Programmers
Code reduction
  – Declaratively configured
  – No audit logs for authentication
  – OOTB authorization and authentication
Tag Libs
Proxy Authentication
Domain object instance security
Only one place to “watch” for account security

23 3. Benefits for Users

24 Benefits for Users
Single Sign On
Passwords are only passed to one “trusted” resource
Better application security
Harder to trick someone with “phishing” attempts

25 4. How to Integrate

26 Demo

27 5. Case Study

28 Rutgers Case Study – Where Were We?
Duplicating authentication code on each application
Multiple authentication methods
Sign in to each application
De-centralized authentication

29 Rutgers Case Study – What We Did
Introduced a portal
Centralized authentication
Single Sign On
Proxy Authentication
Introduced Acegi into Java applications

30 Rutgers Case Study – What It Got Us
Better user experience
Minimized access to passwords
Created “horizontal” authentication component
Standardized security code (still a work in progress though)

31 6. Future Directions

32 Acegi Roadmap
1.0.x branch -> minor updates
2.0
  – Renamed to Spring Security
  – Support for Spring 2.0
  – OpenId Support
  – Windows Domain Support
  – Updated CAS Support

33 CAS Roadmap
Additional Protocol Support
Internationalization
Configuration/Setup Screens
Advanced Monitoring
Integration with Account Management Systems

34 Conclusion
Acegi Security is a fully-featured solution
  – Many authentication strategies
  – Decoupled web and method authorization
  – Completely customizable by end users
  – Active community, quality documentation, etc.
CAS is a fully-featured solution
  – Many authentication strategies
  – Easily pluggable and extensible
  – Active community, quality documentation, etc.
  – Support for multiple platforms

35 7. Discussion

36 Spring Security
Web Site
  – http://www.acegisecurity.org
Forum
  – http://forum.springframework.org
Mailing Lists
  – Acegi Developer List: https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

37 CAS Mailing Lists
CAS Community Discussion List
  – http://tp.its.yale.edu/mailman/listinfo/cas
CAS Developer’s Discussion List
  – http://tp.its.yale.edu/mailman/listinfo/cas-dev
CAS Announcement List
  – https://lists.wisc.edu/read/all_forums/subscribe?name=cas-announce
Links to archives, etc.:
  – http://www.ja-sig.org/products/cas/community/lists/

38 CAS Sites
Product Web Site
  – http://www.ja-sig.org/products/cas/
Wiki
  – http://www.ja-sig.org/wiki
Issue Tracker
  – http://www.ja-sig.org/issues
Source Code
  – http://developer.ja-sig.org/source/

39 Questions?