Security - In Real Life

schmittjoh
June 09, 2012

Transcript

  1-2. Johannes Schmitt | Security: In Real Life | 07.06.2012

    Agenda: Introduction, Authentication System, Authorization System, Real Life Use Cases
  3-14. (one slide, built up one class at a time in the order given)

    The authentication system consists of many classes with a distinct purpose: FirewallListener, FirewallMap, Listeners, Token, AuthenticationProvider, UserProvider, Encoder, UserChecker, AuthFailureHandler, SessionAuthStrategy, AuthSuccessHandler, RememberMe, LogoutHandler, LogoutSuccessHandler
  15. Agenda: Introduction, Authentication System, Authorization System, Real Life Use Cases
  16-23. (one slide, built up one class at a time in the order given)

    The authorization system consists of many classes with a distinct purpose: AccessListener, SecurityContext, MethodSecurityInterceptor, AccessDecisionManager, Voter, AclVoter, RoleVoter, AuthenticatedVoter, AclProvider, PermissionMap, RoleHierarchy, AuthenticationTrustResolver, ExpressionVoter
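The slide only names the classes; as an added example that is not part of the deck, the following PHP shows how Voter and AccessDecisionManager actually cooperate: a custom voter for a hypothetical Document class sits next to the built-in RoleVoter, and the manager combines their votes with the affirmative strategy. Document, DocumentOwnerVoter and the "OWNER" attribute are assumptions; the Symfony classes are the 2.x Security component APIs.

```php
<?php
// Added example, not from the slides: a custom Voter combined with the built-in
// RoleVoter through an AccessDecisionManager (Symfony 2.x Security component).
// Document, DocumentOwnerVoter and the "OWNER" attribute are hypothetical.

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

// Hypothetical domain object: a document that belongs to one username.
class Document
{
    public $ownerName;

    public function __construct($ownerName)
    {
        $this->ownerName = $ownerName;
    }
}

// Answers only the "OWNER" attribute on Document objects and abstains on
// everything else, so it never overrides the RoleVoter's decisions.
class DocumentOwnerVoter implements VoterInterface
{
    public function supportsAttribute($attribute)
    {
        return 'OWNER' === $attribute;
    }

    public function supportsClass($class)
    {
        return 'Document' === $class || is_subclass_of($class, 'Document');
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        if (!$object instanceof Document) {
            return self::ACCESS_ABSTAIN;
        }

        $vote = self::ACCESS_ABSTAIN;
        foreach ($attributes as $attribute) {
            if (!$this->supportsAttribute($attribute)) {
                continue;
            }
            // An OWNER check was requested, so this voter must answer:
            // deny unless the authenticated username matches the owner.
            $vote = self::ACCESS_DENIED;
            if ($token->getUsername() === $object->ownerName) {
                return self::ACCESS_GRANTED;
            }
        }

        return $vote;
    }
}

// "affirmative": a single GRANTED vote wins. With the default constructor flags
// an all-abstain result is denied, so an attribute nobody understands fails closed.
$manager = new AccessDecisionManager(
    array(new RoleVoter(), new DocumentOwnerVoter()),
    'affirmative'
);

// Constructed sample token: alice, authenticated on firewall "main" with ROLE_USER.
$token = new UsernamePasswordToken('alice', 'secret', 'main', array('ROLE_USER'));

$decisions = array(
    'ROLE_USER, no object'    => $manager->decide($token, array('ROLE_USER')),
    'ROLE_ADMIN, no object'   => $manager->decide($token, array('ROLE_ADMIN')),
    "OWNER, alice's document" => $manager->decide($token, array('OWNER'), new Document('alice')),
    "OWNER, bob's document"   => $manager->decide($token, array('OWNER'), new Document('bob')),
);

foreach ($decisions as $label => $granted) {
    printf("%-26s %s\n", $label, $granted ? 'granted' : 'denied');
}
```

RoleVoter abstains on OWNER and DocumentOwnerVoter abstains on ROLE_* attributes, so each attribute is decided by exactly one voter and the affirmative strategy cannot be tricked by an unrelated voter granting access. The same manager is what AccessListener (for URL rules) and MethodSecurityInterceptor (for annotated methods) consult, so a voter written once applies to both.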
  24. Agenda: Introduction, Authentication System, Authorization System, Real Life Use Cases
  25. Use Case #1: I want to functionally test my application. How can I test parts that need a logged-in user?
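The slides pose the question without showing an answer. One common approach, given here as an added example that is not from the deck, is to store an already-authenticated token in the session under the key the firewall's context listener reads ("_security_" followed by the firewall name) and hand the session cookie to the test client. The firewall name "secured_area", the protected route /admin and the Symfony 2.1 session API (getName()) are assumptions.

```php
<?php
// Added example, not from the slides: simulating a logged-in user in a
// Symfony 2.x functional test by placing a serialized token in the session.
// Firewall name "secured_area" and the /admin route are hypothetical.

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\BrowserKit\Cookie;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;

class AdminAreaTest extends WebTestCase
{
    public function testAdminPageIsReachableWhenLoggedIn()
    {
        $client = static::createClient();

        $this->logIn($client, 'admin', array('ROLE_ADMIN'), 'secured_area');

        $client->request('GET', '/admin');

        $this->assertEquals(200, $client->getResponse()->getStatusCode());
    }

    public function testAdminPageIsNotServedToAnonymousUser()
    {
        $client = static::createClient();

        $client->request('GET', '/admin');

        // With form_login configured the EntryPoint redirects to the login page;
        // the important part is that the protected content is never returned.
        $this->assertTrue($client->getResponse()->isRedirect());
    }

    /**
     * Stores an authenticated token in the session and gives the session
     * cookie to the test client, so the ContextListener of the named firewall
     * restores the token on the next request. The user is a plain string, so
     * no UserProvider is consulted and no database fixture is needed.
     */
    private function logIn($client, $username, array $roles, $firewall)
    {
        $session = $client->getContainer()->get('session');

        // Passing roles marks the token as authenticated; credentials are not needed.
        $token = new UsernamePasswordToken($username, null, $firewall, $roles);
        $session->set('_security_'.$firewall, serialize($token));
        $session->save();

        $cookie = new Cookie($session->getName(), $session->getId());
        $client->getCookieJar()->set($cookie);
    }
}
```

Because the token bypasses the AuthenticationProvider, this tests the authorization side (AccessListener, voters, controllers) in isolation; the login flow itself should get its own test that posts the form. If the firewall uses http_basic instead, the simpler option is to pass PHP_AUTH_USER and PHP_AUTH_PW as server parameters to createClient().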
  26. Use Case #2: In my application, I want to customize what happens when access is denied.

  27. ExceptionListener: the exception listener can be invoked from any part of your code. (Diagram: AuthenticationException goes to the EntryPoint, AccessDeniedException goes to the AccessDeniedHandler.) Do not write your own exception listener which handles AccessDeniedExceptions!

  28. We only need to adjust specific parts of the security system:
    - AccessDeniedHandler
    - Configuration
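The two parts named on the slide, as an added example that is not from the deck: an AccessDeniedHandler that answers XMLHttpRequests with a JSON 403 and ordinary requests with a rendered error page, and the configuration that attaches it to a firewall. The service id, the firewall name "main" and the template name are hypothetical; the interfaces are the Symfony 2.x ones.

```php
<?php
// Added example, not from the slides: a custom AccessDeniedHandler plus the
// wiring the slides call "Configuration". The service id app.access_denied_handler,
// the firewall name "main" and the template "AppBundle:Error:403.html.twig"
// are hypothetical.

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
use Symfony\Component\Templating\EngineInterface;

class AjaxAwareAccessDeniedHandler implements AccessDeniedHandlerInterface
{
    private $templating;

    public function __construct(EngineInterface $templating)
    {
        $this->templating = $templating;
    }

    /**
     * Invoked by the ExceptionListener for an AccessDeniedException raised
     * while a fully authenticated user was present. For an anonymous or
     * remember-me user the listener starts authentication through the
     * EntryPoint instead, which is why the slides warn against replacing
     * the listener itself.
     */
    public function handle(Request $request, AccessDeniedException $accessDeniedException)
    {
        if ($request->isXmlHttpRequest()) {
            // Generic machine-readable body: the exception message can name
            // the attributes or object class that were checked.
            return new Response(
                json_encode(array('error' => 'access_denied')),
                403,
                array('Content-Type' => 'application/json')
            );
        }

        return new Response($this->templating->render('AppBundle:Error:403.html.twig'), 403);
    }
}

/*
 Configuration (YAML, shown here as a comment):

 # app/config/security.yml
 security:
     firewalls:
         main:
             access_denied_handler: app.access_denied_handler

 # service definition
 services:
     app.access_denied_handler:
         class: AjaxAwareAccessDeniedHandler
         arguments: ["@templating"]
*/
```

The handler only sees AccessDeniedException; AuthenticationException keeps going to the EntryPoint as on the slide, so login-required and forbidden cases stay distinct without any custom listener.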
  29. Use Case #3: In my application, I want to use the ACL system. Are there best practices for integrating it?
  30. Use Case #4: In my application, I do not want to use an ORM, but receive all user details via an API.

  31. We only need to adjust specific parts of the security system:
    - AuthenticationProvider
    - Configuration
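As an added example that is not from the deck, this is what the API-backed variant looks like in PHP: a UserProvider that fetches the account from the API, and an AuthenticationProvider that checks the submitted password with the configured Encoder and runs the UserChecker, which is the same sequence the built-in DaoAuthenticationProvider follows for ORM users. The ApiClient interface and the provider key are hypothetical; the Symfony interfaces are 2.x.

```php
<?php
// Added example, not from the slides: users loaded from a remote API instead of
// an ORM. ApiClient is hypothetical; findUser() is assumed to return an array
// with keys username, password (hash as stored by the API), roles and enabled,
// or null when no such account exists.

use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

// Hypothetical wrapper around the HTTP calls to the account API.
interface ApiClient
{
    public function findUser($username);
}

class ApiUserProvider implements UserProviderInterface
{
    private $api;

    public function __construct(ApiClient $api)
    {
        $this->api = $api;
    }

    public function loadUserByUsername($username)
    {
        $data = $this->api->findUser($username);
        if (null === $data) {
            throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username));
        }

        // The component's plain User class is enough; no ORM entity is involved.
        return new User($data['username'], $data['password'], $data['roles'], (bool) $data['enabled']);
    }

    public function refreshUser(UserInterface $user)
    {
        // Runs on every request when the token is restored from the session, so
        // roles revoked or accounts disabled in the API take effect immediately.
        return $this->loadUserByUsername($user->getUsername());
    }

    public function supportsClass($class)
    {
        return 'Symfony\Component\Security\Core\User\User' === $class;
    }
}

class ApiAuthenticationProvider implements AuthenticationProviderInterface
{
    private $userProvider;
    private $userChecker;
    private $encoderFactory;
    private $providerKey;

    public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker,
                                EncoderFactoryInterface $encoderFactory, $providerKey)
    {
        $this->userProvider = $userProvider;
        $this->userChecker = $userChecker;
        $this->encoderFactory = $encoderFactory;
        $this->providerKey = $providerKey;
    }

    public function authenticate(TokenInterface $token)
    {
        try {
            $user = $this->userProvider->loadUserByUsername($token->getUsername());
        } catch (UsernameNotFoundException $e) {
            // Same error as for a wrong password, so responses do not reveal which usernames exist.
            throw new BadCredentialsException('Bad credentials');
        }

        $this->userChecker->checkPreAuth($user);   // disabled, locked or expired account

        $encoder = $this->encoderFactory->getEncoder($user);
        if (!$encoder->isPasswordValid($user->getPassword(), $token->getCredentials(), $user->getSalt())) {
            throw new BadCredentialsException('Bad credentials');
        }

        $this->userChecker->checkPostAuth($user);  // expired credentials

        // Roles come from the freshly loaded user; passing them marks the token authenticated.
        return new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $user->getRoles());
    }

    public function supports(TokenInterface $token)
    {
        return $token instanceof UsernamePasswordToken && $this->providerKey === $token->getProviderKey();
    }
}
```

On the configuration side, a user provider service can be referenced directly from security.yml (a `providers` entry with an `id` key), and if the API already returns password hashes in a format one of the configured encoders understands, that alone lets form_login keep using the built-in DaoAuthenticationProvider. Replacing the AuthenticationProvider as the slide suggests additionally requires a security factory (a SecurityFactoryInterface implementation registered through the SecurityBundle extension's addSecurityListenerFactory()) so the firewall knows how to instantiate it.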
  32. Use Case #5: In my application, I want to allow login via AJAX.

  33. We only need to adjust specific parts of the security system:
    - AuthenticationSuccessHandler
    - AuthenticationFailureHandler
    - Configuration
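The three parts named on the slide, as an added example that is not from the deck: one service implementing both handler interfaces that returns JSON for XMLHttpRequests and keeps the normal redirect behaviour for classic form posts, so a single firewall serves both kinds of client. The service id, the target paths "/" and "/login" and the firewall name are hypothetical.

```php
<?php
// Added example, not from the slides: AJAX-aware success and failure handlers
// for form_login. The service id app.ajax_auth_handler, firewall "main" and
// the paths "/" and "/login" are hypothetical; interfaces are Symfony 2.x.

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;

class AjaxAuthenticationHandler implements AuthenticationSuccessHandlerInterface, AuthenticationFailureHandlerInterface
{
    public function onAuthenticationSuccess(Request $request, TokenInterface $token)
    {
        if ($request->isXmlHttpRequest()) {
            // Tell the script where to go instead of redirecting: an XHR would
            // follow a 302 silently and receive the HTML of the target page.
            return $this->json(array('success' => true, 'redirect' => '/'), 200);
        }

        return new RedirectResponse('/');
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        if ($request->isXmlHttpRequest()) {
            // 401 with a generic message: the exception message may reveal
            // whether the username exists or whether the account is locked.
            return $this->json(array('success' => false, 'error' => 'Invalid credentials'), 401);
        }

        // Mimic the default failure handler: keep the error for the login
        // template and send the browser back to the form.
        $request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $exception);

        return new RedirectResponse('/login');
    }

    private function json(array $payload, $status)
    {
        return new Response(json_encode($payload), $status, array('Content-Type' => 'application/json'));
    }
}

/*
 Configuration (YAML, shown here as a comment):

 # app/config/security.yml
 security:
     firewalls:
         main:
             form_login:
                 login_path: /login
                 check_path: /login_check
                 success_handler: app.ajax_auth_handler
                 failure_handler: app.ajax_auth_handler
*/
```

Only the response shape changes; the AuthenticationProvider, UserProvider and Encoder run exactly as for a normal form post, so the AJAX path gets the same credential checks and the same SessionAuthStrategy (session migration on login) as the classic one.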
  34. Use Case #6: In my application, I want to have localized paths for login.

  35. What needs to be changed? Configuration only!
  36. Use Case #7: In my application, I want to offer multiple login options like Twitter, Facebook, etc. in addition to form login.

  37. We are going to assume the following database schema

  38. We only need to adjust specific parts of the security system:
    - EntryPoint
    - User Providers
      - Github User Provider
      - Twitter User Provider
      - Id-based User Provider
      - Email-based User Provider
    - Configuration
  39. Thanks! Twitter: @JohannesMS, Github: schmittjoh, http://jmsyst.com/