Slide 1

Introduction to Spring Security 3/3.1
Mike Wiesner - SpringSource
SpringOne 2GX 2010. All rights reserved. Do not distribute without permission. Chicago, October 19 - 22, 2010

Slide 2

Mike Wiesner
• Senior Consultant with SpringSource
• 10+ years experience in Java
• Spring Security Developer
• Focus:
  – Application Security
  – Integration
  – Authentication Systems
• mwiesner@vmware.com

Slide 3

Spring + Security = Spring Security

Slide 4

What is Spring Security?
• A flexible and powerful Java Enterprise Security Framework
• which is built on top of Spring
• but can be used for EVERY Java application

Slide 5

Spring + Authentication + Authorization = Spring Security

Slide 6

Spring Security 2.x
• Built on Spring 2.0 / Java 1.4
• Successor of the Acegi Security System for Spring
• Simpler configuration (Namespace)
• Better LDAP support
• More Single Sign On options

Slide 7

Spring Security 3.0
• Built on: Spring 3 / Java 5
• Spring Expression Language support
• Extended Namespace support
• Simpler API (Array -> Collections, varargs, ...)
• Aspect Library for AspectJ weaving
• Smaller modules
• Fine tuning based on user feedback

Slide 8

Around Spring Security 3
• Spring Security Extensions
  – SAML2 (contributed by Vladimir Schäfer)
  – Kerberos
  – Start your own!
• OAuth for Spring Security (contributed by Ryan Heaton)
• Facelets tag library for Spring Security (Web Flow 2.2.0)

Slide 9

Authentication Highlights
• Form
• Basic / Digest
• JDBC
• LDAP
• JAAS
• JA-SIG CAS
• Atlassian Crowd
• OpenID
• X.509
• JOSSO

Slide 10

Demo Time!

Slide 11

Encoding Problems
[Diagram: Browser on the Internet, Tomcat, File System; the request path is labelled ../ on one side and %C0%AE%C0%AE%C0%AF on the other]
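As an added example (not from the slides), this is the check a defender wants behind that diagram: percent-decode to bytes, decode as UTF-8 with no tolerance so that an overlong sequence such as C0 AE is refused instead of being silently read as '.', canonicalise, and only then test that the path is still under the document root. The request paths and the root /var/www/app are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

ROOT = "/var/www/app"  # constructed document root for this example


def naive_check(raw_path: str) -> bool:
    """Weak filter: scans the still-encoded path for '../'.
    The slide's request passes it because the traversal is overlong-encoded."""
    return "../" not in raw_path


def strict_decode(raw_path: str) -> str:
    """Percent-decode to bytes, then decode as UTF-8 strictly.

    Python's UTF-8 decoder rejects overlong forms, so C0 AE (overlong '.')
    and C0 AF (overlong '/') raise instead of turning into '../'."""
    raw = unquote_to_bytes(raw_path)
    text = raw.decode("utf-8")  # raises UnicodeDecodeError on overlong bytes
    if "\x00" in text:
        raise ValueError("NUL byte in path")
    return text


def check_path(raw_path: str, root: str = ROOT) -> tuple:
    """Defense-in-depth check: decode once and strictly, canonicalise, then
    require the result to stay under root. Returns (allowed, detail)."""
    try:
        decoded = strict_decode(raw_path)
    except (UnicodeDecodeError, ValueError) as exc:
        return False, f"rejected: {exc}"
    # Canonicalise after decoding; deliberately no second decode pass.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return False, f"rejected: {candidate} escapes {root}"
    return True, candidate


if __name__ == "__main__":
    # Constructed sample requests, including the overlong one from the slide.
    for path in ("/img/logo.png",
                 "/static/%2e%2e/css/site.css",
                 "/static/%C0%AE%C0%AE%C0%AFconfig.txt"):
        print(path, "naive:", naive_check(path), "strict:", check_path(path))
```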

Slide 12

Defense in Depth

Slide 13

Demo Time!

Slide 14

Method Security
[Diagram: Caller -> Security Interceptor -> Business Service; labels: call, call, security check, exception]

Slide 15

[Diagram: User, Role]

Slide 16

[Diagram: User, Role, Right]

Slide 17

[Diagram: User, Role, Right]

Slide 18

[Diagram: User, Role, Right]

Slide 19

[Diagram: User, Role, Right]

Slide 20

[Diagram: User, Role, Right, Role]

Slide 21

Demo Time!

Slide 22

[Diagram: Request entity with fields requestor, from, to, deletable]

Slide 23

[Diagram: Request entity with fields requestor, from, to, deletable]

Slide 24

[Diagram: Request entity with fields requestor, from, to, deletable]

Slide 25

[Diagram: Request entity with fields requestor, from, to, deletable; deletable marked Secured]

Slide 26

[Diagram: Request entity with fields requestor, from, to, deletable (marked Secured); AspectJ; Request entity with fields requestor, from, to, deletable]

Slide 27

Demo Time!

Slide 28

Kerberos/SPNEGO
[Diagram: Client, Kerberos Server (e.g. Active Directory), Your web application]
(1) Client -> web application: GET
(2) Web application -> Client: AUTH required
(3) Client -> Kerberos Server: Request Service Ticket
(4) Kerberos Server -> Client: Return Service Ticket
(5) Client -> web application: GET + Service Ticket

Slide 29

Spring Security 3.1

Slide 30

Q&A
Mike Wiesner
mwiesner@vmware.com
http://git.springsource.org/s2gx-2010/spring-security-3