Presentation is loading. Please wait.

Presentation is loading. Please wait.

LDS Account and the Java Stack. Disclaimer This is a training NOT a presentation. – Be prepared to learn and participate in labs Please ask questions.

Published byBriana McDonald Modified over 8 years ago

Similar presentations

Presentation on theme: "LDS Account and the Java Stack. Disclaimer This is a training NOT a presentation. – Be prepared to learn and participate in labs Please ask questions."— Presentation transcript:

1 LDS Account and the Java Stack

2 Disclaimer This is a training NOT a presentation. – Be prepared to learn and participate in labs Please ask questions Prerequisites: – Basic Java knowledge – Basic Spring knowledge

3 Outline LDS Account Overview – History – Authentication – User Details Spring Security Overview – Authentication – LDS Account integration – In memory integration LDS Account Search Spring Security and Authorization

4 History Historically each application handled authentication as a one off – Troublesome for users (many credentials to remember) – User information duplicated over and over throughout the enterprise – Difficult to get user information at all Screaming for consolidation and a single, central solution

5 LDS Account "LDS Account is a single user name and password for any person who interacts with online LDS Church resources. LDS Account is the primary account authentication credentials for most Church sites and applications. It reduces development costs that would be incurred as the user interfaces change, or as upgrades to security and the registration process are required. Unlike previous authentication systems, LDS Account is a branded single sign-on solution that is centrally managed at ldsaccount.lds.org."

6 LDS Account (cont.) "LDS Account has become the key to accessing all the resources the Church has to offer, such as family history tools, ward and stake websites, employment resources, and more.... The idea is to have only one username and password that you can use with all password-protected websites the Church has."

7 What is LDS Account? LDS Account is meant to be the single source for user authentication and basic user information LDS Account is implemented with LDAP LDS Account is an application for maintaining user attributes

8 LDS Account Uses LDAP Lightweight Directory Access Protocol Distributed directory of information – Much like a database – Not queried with SQL – For further information about the Directory structure, please see the corresponding section at: http://en.wikipedia.org/wiki/Lightweight_Directory_ Access_Protocol LDS Account = LDAP WAM = Single Sign-on

9 User Details LDS Account also provides user information – User details – User details can be exposed through LDAP attributes WAM headers SAML attributes

10 LDS Account User Details Integration The LDS Account module acts as a Java model for LDS Account information LdsAccountDetails.java is the abstraction layer for LDS Account user details integration Factories generate LdsAccountDetails object for each user – Factories handle the different formats in which the raw user details attributes are provide to the application LDAP attributes, WAM headers, SAML, …

11 Lab 1 https://tech.lds.org/wiki/LDS_Account_Integration _-_Part_1#Lab_1

12 LDS Account Spring Security Integration

13 Authentication vs. Authorization Authentication - "you are who you say you are" – Identification of an individual user of the application – Credential-based authentication Authorization - "you have appropriate permissions to perform the operation you are attempting" – Availability of functionality and data to users who are authorized (or allowed) to access it – http://en.wikipedia.org/wiki/Authentication#Authent ication_vs._authorization

14 Spring Security Spring Security is a highly customizable and pluggable enterprise authentication / authorization security framework – Provides tools for managing application access (authentication) – Rules for what users can access (by url) (authorization) – Securing methods (authorization),... Overcomes lack of depth in J2EE Servlet Specification Further information can be found here: http://static.springsource.org/spring- security/site/reference.html

15 Spring Security (authentication) Spring comes with many pluggable authentication providers – Support provided for authenticating with: LDAP X.509 (Certificates) Databases (JDBC) JAAS OAuth HTTP BASIC Form-based …

16 Spring Security Authentication Manager Basic configuration: Native Spring in memory authentication provider configuration (applicationContext.xml)...

17 Spring Security Web Configuration Configure filter in web.xml springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy springSecurityFilterChain /*

18 Spring Security Context Configuration Configure applicationContext.xml Please see documentation for further element and attribute information: http://static.springsource.org/spring- security/site/docs/3.1.x/reference/springsecurity- single.html

19 Demo

20 Spring Security/LDS Account Integration LDS Account authentication provider hooks into Spring Security In-memory implementation Namespace handlers simplify the configuration http://code.lds.org/maven- sites/stack/module.html?module=lds- account/stack-lds-account- spring/index.html#LDAP_Global_Directory_Auth entication

21 Spring Security/In-memory Authentication In-memory authentication provides quick setup Useful for testing http://code.lds.org/maven- sites/stack/module.html?module=lds- account/stack-lds-account- spring/index.html#In_Memory_Authentication Attribute information: https://ldsteams.ldschurch.org/sites/wam/Imple mentation%20Details/HTTP%20Headers.aspx

22 Access LdsAccountDetails Through injection Through static lookup @Inject private Provider ldsAccountDetails; public void someMethod() { //not the get() is a call on the provider to grab the current instance String preferredName = ldsAccountDetails.get().getPreferredName(); //… } LdsAccountDetails ldsAccountDetails = ((LdsAccountUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getLdsAccountDetails(); String preferredName = ldsAccountDetails.getPreferredName(); //…

23 Demo

24 Lab 2 https://tech.lds.org/wiki/LDS_Account_Integration _-_Part_1#Lab_2

25 LDS Account (LDAP) Search

26 LDS Account Search Configuration / Usage Configuration Usage <lds-account:ldap-server url="ldaps://gdirstage.wh.ldsglobal.net:636" manager-dn="cn=XXXXX,ou=apps,o=lds" manager-password="XXXXX"/> @Inject private LdsAccountSearch ldsAccountSearch; public List findLdapUsers(String cnValue, String snValue) { return ldsAccountSearch.search( SearchClause.or( SearchClause.equals(LdsAccountAttributes.USERNAME, cnValue + "*"), SearchClause.equals(LdsAccountAttributes.SUR_NAME, snValue + "*") ) ); }

27 LDS Account Usage http://code.lds.org/maven-sites/stack/module.html?module=lds- account/stack-lds-account-spring/index.html#LDAP_Search Searching format For more info: http://code.lds.org/maven- sites/stack/module.html?module=lds-account/stack-lds-account- spring/apidocs/org/lds/stack/ldsaccount/spring/ldap/LdapSearch.html Native LDAP search query: (|(cn={0}*)(sn={1}*)) Abstracted search query: SearchClause.or( SearchClause.equals("cn", value + "*"), SearchClause.equals("sn", value + "*") )

28 Demo

29 Authorization with Spring Security

30 Review Authentication vs. Authorization Previously discussed authentication with Spring Security Now focus on authorization with Spring Security

31 Authorization with Spring Security Comprehensive Authorization Services – http://static.springsource.org/spring- security/site/features.html HTTP requests authorization (securing urls) @PreAuthorize annotation Granted authorities – http://static.springsource.org/spring- security/site/docs/3.1.x/reference/springsecurity- single.html#tech-granted-authority

32 Protecting Urls Example of protecting urls http://static.springsource.org/spring- security/site/docs/3.1.x/reference/springsecurity -single.html#el-access

33 Authorize Tag Fine grained authorization http://static.springsource.org/spring- security/site/docs/3.1.x/reference/springsecurity -single.html#d0e6860 Content only visible to users who have the "admin" authority in their list of GrantedAuthority(s). Content only visible to users authorized to send requests to the "/secure" URL.

34 @PreAuthorize annotation Scanning enabled with following element: Some examples: @PreAuthorize("hasRole('ROLE_ADMIN')") public void create(User newUser); @PreAuthorize("#user.username == principal.username") public void doSomething(User user);

35 Authorities Populators MemberAuthoritiesPopulator – Adds ROLE_MEMBER authority if a member WorkforceAuthoritiesPopulator – Adds ROLE_WORKFORCE authority if currently a Church employee PositionsV2AuthoritiesPopulator – Adds a granted authority for each position held Position name prepended with ROLE_ Ex. ROLE_WARD_CLERK, or ROLE_PRIMARY_TEACHER

36 Authorities Populators http://code.lds.org/maven- sites/stack/module.html?module=lds- account/stack-lds-account- spring/index.html#Authorities_Populators Example

37 Demo

38 Conclusion LDS Account rocks! The Java Stack integration with LDS Account and Spring Security rocks!

39 Credit Where Credit is Due http:// http://static.springsource.org/spring- security/site/docs/3.1.x/reference/springsecurity -single.html Spring Security 3 – by Peter Mularien http://en.wikipedia.org/wiki/

Download ppt "LDS Account and the Java Stack. Disclaimer This is a training NOT a presentation. – Be prepared to learn and participate in labs Please ask questions."

Similar presentations

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
MIT Lincoln Laboratory A Service-Oriented Approach to Application Development Robert Darneille & Gary Schorer WPI MQP Presentations ICS Group 10 October.

MIT Lincoln Laboratory A Service-Oriented Approach to Application Development Robert Darneille & Gary Schorer WPI MQP Presentations ICS Group 10 October.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
A Brief Introduction 2012 Spring Security. What is it? Security toolkit for Java applications Primarily intended for web applications Open Source from.

A Brief Introduction 2012 Spring Security. What is it? Security toolkit for Java applications Primarily intended for web applications Open Source from.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
WEB2P security Java web application security Dr Jim Briggs.

WEB2P security Java web application security Dr Jim Briggs.
Understanding Active Directory

Understanding Active Directory
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Module 1 Introduction to Managing Microsoft® Windows Server® 2008 Environment.

Module 1 Introduction to Managing Microsoft® Windows Server® 2008 Environment.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Intermediate Spring Matt Wheeler. Notes This is a training NOT a presentation Please ask questions Prerequisites – Introduction to Java Stack – Basic.

Intermediate Spring Matt Wheeler. Notes This is a training NOT a presentation Please ask questions Prerequisites – Introduction to Java Stack – Basic.
Module 12: Designing an AD LDS Implementation. AD LDS Usage AD LDS is most commonly used as a solution to the following requirements: Providing an LDAP-based.

Module 12: Designing an AD LDS Implementation. AD LDS Usage AD LDS is most commonly used as a solution to the following requirements: Providing an LDAP-based.
Kuali Rice at Indiana University Rice Setup Options July 29-30, 2008 Eric Westfall.

Kuali Rice at Indiana University Rice Setup Options July 29-30, 2008 Eric Westfall.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation www.telerik.com.

Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL Presented by Chaithra H.T.

LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL Presented by Chaithra H.T.

Similar presentations

Ads by Google