Authentication & Authorisation

Pawan Modi Senior R&D Engineer modipawan8126@gmail.com

6/25/2009


• How Web Security Works
• Basic Definitions / Acegi Terminology
• Acegi Introduction
• Acegi Web Security
• Authentication Object
• Authorization
• Filters
• FilterToBeanProxy
• FilterChainProxy
• Conclusion

How Web Security Works
• Check whether the requested resource is secured.
• Check whether the requesting user has been authenticated.
• Check whether the authenticated user is properly authorised to access the requested resource.
• Serve the requested resource.
• If the user has not been authenticated yet, walk through the login dialog.
• If anything is out of order, display the corresponding error page.
• If the resource is not secured, skip all of the previous steps and serve the resource right away.

Basic Definitions
• Principal
  ▪ A principal generally means a user, a device or some other system that can perform an action in your application.
• Authentication
  ▪ Authentication answers the question "Who are you?"
• Authorization
  ▪ Authorization answers the question "What may you do?"
  ▪ This is achieved by making secured resources accessible only to particular roles.

Acegi Terminology
• Authentication object
  ▪ The Authentication object contains the username, the password and the roles granted to the user.
• Authentication Manager
  ▪ The Authentication Manager creates and validates the Authentication object.
• AccessDecisionManager
  ▪ Access to resources is controlled by the AccessDecisionManager.

Acegi Introduction
• Acegi Security provides comprehensive security services for J2EE-based enterprise software applications.
• Acegi depends on the Spring framework.
• Acegi configuration is done by associating JavaBeans with each other via an XML configuration file.
• Acegi Security supports a wide range of authentication models.
• Acegi Security provides a deep set of authorization capabilities.


• The basic problems with the J2EE and EJB security specifications are:
  ▪ They lack the security depth required by enterprise applications.
  ▪ Security is not portable at the WAR or EAR level.
• Acegi Security overcomes these problems and also brings dozens of other useful, entirely customisable security features.
• Acegi is able to plug in its security functionality in a modular way.


Acegi Web Security
Acegi security is implemented by the following four checks:
• Restricted Access Check
  ▪ Is the resource secured?
• Existing Authentication Check
  ▪ Has the user been authenticated?
• Authentication Request Check
  ▪ Are the correct username and password provided?
• Authorization Check
  ▪ Does the user have the required roles?

Authentication Object
• The Authentication object is key to the Acegi framework.
• The Authentication object contains the username, the password and the roles granted to the user.
• The Authentication object is created and validated by the AuthenticationManager.
• Access to resources is controlled by the AccessDecisionManager.

Acegi Security supports a wide range of authentication models:
• HTTP BASIC authentication headers (an IETF RFC-based standard)
• HTTP Digest authentication headers (an IETF RFC-based standard)
• HTTP X.509 client certificate exchange (an IETF RFC-based standard)
• LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
• Form-based authentication (for simple user interface needs)
• Computer Associates Siteminder
• JA-SIG Central Authentication Service (otherwise known as CAS, a popular open source single sign-on system)
• Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
• Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)
• Java Authentication and Authorization Service (JAAS)
• Anonymous authentication (allowing every call to automatically assume a particular security identity)
• Run-as authentication (which is useful if one call should proceed with a different security identity)
• Container integration with JBoss, Jetty, Resin and Tomcat (so you can still use Container Managed Authentication if desired)
• Your own authentication systems

Authorization
• Acegi Security includes one concrete GrantedAuthority implementation, GrantedAuthorityImpl.
• All Authentication implementations are required to store an array of GrantedAuthority objects.
• All AuthenticationProviders use GrantedAuthorityImpl to populate the Authentication object.
• GrantedAuthority objects are inserted into the Authentication object by the AuthenticationManager and are later read by AccessDecisionManagers when making authorization decisions.
• GrantedAuthority is an interface with only one method:
  public String getAuthority();

Filters
• Acegi filters are critical; they are the backbone of the Acegi configuration.
• Acegi uses filters to enable web application security.
• Acegi Security uses the following two basic filters:
  ▪ FilterToBeanProxy
  ▪ FilterChainProxy

FilterToBeanProxy
• Most filters are configured using the FilterToBeanProxy.
• FilterToBeanProxy is the filter that goes into web.xml.
• It is not the filter that actually implements the logic.
• It delegates the Filter's methods to a bean obtained from the Spring application context.
• The bean must implement javax.servlet.Filter.
• FilterToBeanProxy requires only a single initialization parameter: targetClass or targetBean.
  ▪ targetClass locates the first object of the specified class in the application context.
  ▪ targetBean locates the object by bean name.
• FilterToBeanProxy is a very useful class, but the number of <filter> and <filter-mapping> entries required in web.xml explodes when more than a few filters are used. It is therefore strongly recommended to use FilterChainProxy.

FilterChainProxy
Acegi uses a chain of (at least) three filters to enable web application security:
• AuthenticationProcessingFilter
• HttpSessionContextIntegrationFilter
• ExceptionTranslationFilter
• FilterSecurityInterceptor

• Every HTTP request passes through the chain of three filters.
• The filters are chained together by an object called the FilterChainProxy.
• FilterChainProxy creates and starts these filters.
• The proxy is configured in the XML configuration file.
• Any additional filters are added to the FilterChainProxy configuration list.
• FilterChainProxy locates the first URI pattern that matches the current web request.
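The web.xml entry and bean definitions below are an added example written for this page; they are not the deck's own configuration and not a file from the Acegi project. They assume Acegi Security 1.0.x class names (package org.acegisecurity), and the filter name, bean ids, login URLs and the file name in the comment are constructed. The beans authenticationManager and filterSecurityInterceptor are referenced by id only; their wiring is the subject of the AuthenticationManager and FilterSecurityInterceptor slides.

```xml
<!-- web.xml: a single FilterToBeanProxy registration.  targetClass makes the proxy look up the
     first FilterChainProxy bean in the Spring application context (targetBean would look it up
     by bean name instead).  Added example, not the deck's configuration. -->
<filter>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext-acegi-security.xml (file name assumed).  FilterChainProxy takes the FIRST
     URI pattern that matches the request and runs the listed filters in the order written.
     HttpSessionContextIntegrationFilter is placed first because it establishes the ThreadLocal
     security context that every later filter reads; FilterSecurityInterceptor is placed last so
     that it sees the fully established Authentication object. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
    </value>
  </property>
</bean>

<!-- Maintains the Authentication object across requests via the HttpSession. -->
<bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

<!-- Authentication Request Check: processes the login form POST and hands the username/password
     to the AuthenticationManager (bean "authenticationManager", wired separately). -->
<bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
  <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
  <property name="defaultTargetUrl" value="/"/>
</bean>

<!-- Existing Authentication Check: no Authentication object -> send the user to the entry point;
     an AccessDeniedException from FilterSecurityInterceptor -> HTTP 403 (the default response
     when no accessDeniedHandler is configured). -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
</bean>

<!-- Starting point of the login dialog: redirects to the login form.  forceHttps=true makes the
     redirect use HTTPS so the submitted credentials do not travel over plain HTTP. -->
<bean id="authenticationProcessingFilterEntryPoint"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl" value="/login.jsp"/>
  <property name="forceHttps" value="true"/>
</bean>
```

Because FilterChainProxy stops at the first matching pattern, a single /** entry is the simplest safe configuration: every request, including static content and error pages, goes through the same chain, and a resource can only be left unprotected by the object definitions of FilterSecurityInterceptor, not by an accidental gap in the chain mapping.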

AuthenticationProcessingFilter
• The first filter through which every HTTP request passes.
• Handles the Authentication Request Check.
• Handles logging into the application.
• Validates username/password combinations.
• Uses the AuthenticationManager to do its work.
• (Diagram representing AuthenticationProcessingFilter and its dependencies: not reproduced in this text.)

AuthenticationProcessingFilter
• One of the beans configured in the authenticationProcessingFilter is the authenticationManager bean.
• This bean manages the various providers you configure.
• A provider is essentially a repository of usernames with their corresponding passwords and roles.
• Example: one provider could access an Active Directory for employee credentials, while a second provider might access a database for customer credentials.

HttpSessionContextIntegrationFilter
• Maintains the Authentication object between requests and passes it to the AuthenticationManager and the AccessDecisionManager whenever needed.
• Propagates the established Authentication object through all requests.
• The filter wraps the Authentication object in a ThreadLocal and hands that wrapper over to the other filters in the chain.

ExceptionTranslationFilter
• One of the two essential filters in the security system.
• Performs the Existing Authentication Check.
• Catches any authentication or authorization error.
  ▪ If the exception was caused by the absence of an Authentication object, i.e. the user has not logged in yet, it invokes the configured AuthenticationEntryPoint to prompt the user for login.
  ▪ If the exception was an authorization exception thrown by FilterSecurityInterceptor, i.e. the user is logged in but is not authorized for the requested resource, it sends an SC_FORBIDDEN (HTTP 403) error to the browser.
• ExceptionTranslationFilter depends on FilterSecurityInterceptor to do its work.
• ExceptionTranslationFilter leaves all the hard work to its collaborators, FilterSecurityInterceptor and authenticationEntryPoint.


FilterSecurityInterceptor
• FilterSecurityInterceptor is part of the securityEnforcementFilter.
• One of the two essential filters in the security system.
• Manages the Restricted Access Check and the Authorisation Check.
• Knows which resources are secure and which roles have access to them.
• FilterSecurityInterceptor uses the AuthenticationManager and the AccessDecisionManager to do its work.
• In Acegi Security the secured resources are called object definitions.


AuthenticationManager
• The AuthenticationManager (AM) is of type ProviderManager and forms a proxy to the AuthenticationProviders.
• The Authentication object is created and validated by the AM.
• The AM is responsible for passing requests through a chain of AuthenticationProviders.
• An AuthenticationProvider validates the supplied username/password combination and extracts the roles assigned to that user.
• An AuthenticationProvider is itself a proxy to an AuthenticationDao, which is basically a registry containing usernames, passwords and roles.
• The AuthenticationDao comes in several types: in-memory, database via JDBC, or even LDAP.
• In the Dao of this example two default users (jklaassen and bouerj) have been defined, each with a different role.
• Multiple ProviderManagers can be associated with one AM.

AccessDecisionManager
• The AccessDecisionManager (ADM) is responsible for authorization.
• Access to resources is controlled by the ADM.
• The ADM takes the available user information and decides whether to grant access.
• The ADM uses a Voter to determine whether the user will be authorized.
• The developer specifies which role names a specific voter should handle by specifying the role prefix.
• Multiple voters can be associated with one AccessDecisionManager.
• It is therefore possible to let Acegi consult several different username/password registries (a mixture of LDAP, database and NT domain registries), with many different role names configured and voted on by several voters.
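The bean definitions below are an added example written for this page (not the deck's own configuration and not an Acegi project file). They show the enforcement side described on the FilterSecurityInterceptor, AuthenticationManager and AccessDecisionManager slides: the object definitions, the ProviderManager chain behind the authenticationManager bean, the in-memory Dao, and an AffirmativeBased decision manager with a RoleVoter. They assume Acegi Security 1.0.x class names (package org.acegisecurity, where the Dao is configured through the userDetailsService property); the two user names are the ones the deck mentions, while their passwords, the role names and the /secure/ URL patterns are constructed.

```xml
<!-- FilterSecurityInterceptor: Restricted Access Check + Authorization Check.  The object
     definitions map URL patterns to the roles allowed to reach them.  The FIRST matching pattern
     wins, so the more specific /secure/admin/** must precede /secure/**; reversed, every admin
     URL would be open to ROLE_USER.  Added example, not the deck's configuration. -->
<bean id="filterSecurityInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /secure/admin/**=ROLE_ADMIN
      /secure/**=ROLE_USER,ROLE_ADMIN
    </value>
  </property>
</bean>

<!-- AuthenticationManager: a ProviderManager that offers the request to each provider in turn. -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref bean="daoAuthenticationProvider"/>
      <!-- a second provider (for example LDAP for employee accounts) would be listed here -->
    </list>
  </property>
</bean>

<!-- AuthenticationProvider: checks the username/password against the registry and copies the
     user's roles into the Authentication object as GrantedAuthorityImpl instances. -->
<bean id="daoAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="inMemoryDaoImpl"/>
</bean>

<!-- In-memory registry (the deck's "AuthenticationDao"), one line per user:
     username=password,role[,role...].  The user names are from the slide; the passwords are
     constructed placeholders and the roles are assumed.  Clear-text passwords are only acceptable
     for a demo: a production provider would be given a passwordEncoder and store hashes. -->
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap">
    <value>
      jklaassen=CHANGE_ME_1,ROLE_ADMIN
      bouerj=CHANGE_ME_2,ROLE_USER
    </value>
  </property>
</bean>

<!-- AccessDecisionManager: AffirmativeBased grants access as soon as one voter votes
     ACCESS_GRANTED.  allowIfAllAbstainDecisions=false is the fail-closed setting: a pattern whose
     attributes no voter understands (for instance a typo such as "ROLE-ADMIN") is denied instead
     of being silently opened. -->
<bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false"/>
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter"/>
    </list>
  </property>
</bean>

<!-- RoleVoter votes only on attributes that start with its rolePrefix and abstains on the rest;
     the prefix is what ties the voter to the role names in the object definitions and the Dao. -->
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
  <property name="rolePrefix" value="ROLE_"/>
</bean>
```

Two settings here decide how the system fails. The order of the object definitions decides which roles a URL needs, because only the first match is consulted, and allowIfAllAbstainDecisions decides what happens when no voter recognises the attributes of a pattern; with the values above, a mistake in either place denies access rather than granting it.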

AuthenticationEntryPoint
• AuthenticationEntryPoint is a bean and part of the securityEnforcementFilter.
• It is the starting point of the authentication dialog.
• If the FilterSecurityInterceptor determines that no Authentication object is available, the SecurityEnforcementFilter passes control to the AuthenticationEntryPoint.
• The AuthenticationEntryPoint in this example is of type AuthenticationProcessingFilterEntryPoint.

Conclusion
• Acegi configuration is done by associating JavaBeans with each other via an XML configuration file.
• Acegi is able to plug in its security functionality in a modular way.
• The Authentication object contains the username, the password and the roles granted to the user.
• The Authentication object is created and validated by the AuthenticationManager.
• Access to resources is controlled by the AccessDecisionManager.


• Acegi uses filters to enable web application security.
• Filters are chained together by an object called the FilterChainProxy.
• AuthenticationProcessingFilter makes use of the authenticationManager bean.
• ExceptionTranslationFilter catches any authentication or authorization error.
• FilterSecurityInterceptor knows which resources are secure and which roles have access to them.
• AuthenticationEntryPoint is a bean and part of the securityEnforcementFilter.

  

References
• http://www.acegisecurity.org/
• http://www.acegisecurity.org/guide/springsecurity.html#taglib
• http://www.tfoeservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1html.html
