|
|
@@ -0,0 +1,4016 @@
|
|
|
+<?xml version="1.0" encoding="UTF-8"?>
|
|
|
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
|
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
+
|
|
|
+<book>
|
|
|
+ <bookinfo>
|
|
|
+ <title>Acegi Security System for Spring</title>
|
|
|
+
|
|
|
+ <subtitle>Reference Documentation</subtitle>
|
|
|
+
|
|
|
+ <releaseinfo>0.7</releaseinfo>
|
|
|
+
|
|
|
+ <authorgroup>
|
|
|
+ <author>
|
|
|
+ <firstname>Ben</firstname>
|
|
|
+
|
|
|
+ <surname>Alex</surname>
|
|
|
+ </author>
|
|
|
+ </authorgroup>
|
|
|
+ </bookinfo>
|
|
|
+
|
|
|
+ <toc></toc>
|
|
|
+
|
|
|
+ <preface id="preface">
|
|
|
+ <title>Preface</title>
|
|
|
+
|
|
|
+ <para>This document provides a reference guide to the Acegi Security
|
|
|
+ System for Spring, which is a series of classes that deliver
|
|
|
+ authentication and authorization services within the Spring
|
|
|
+ Framework.</para>
|
|
|
+
|
|
|
+ <para>I would like to acknowledge this reference was prepared using the
|
|
|
+ DocBook configuration included with the Spring Framework. The Spring team
|
|
|
+ in turn acknowledge Chris Bauer (Hibernate) for his assistance with their
|
|
|
+ DocBook.</para>
|
|
|
+ </preface>
|
|
|
+
|
|
|
+ <chapter id="security">
|
|
|
+ <title>Security</title>
|
|
|
+
|
|
|
+ <sect1 id="security-before-you-begin">
|
|
|
+ <title>Before You Begin</title>
|
|
|
+
|
|
|
+ <para>For your security, each official release JAR of Acegi Security has
|
|
|
+ been signed by the project leader. This does not in any way alter the
|
|
|
+ liability disclaimer contained in the License, but it does ensure you
|
|
|
+ are using a properly reviewed, official build of Acegi Security. Please
|
|
|
+ refer to the <literal>readme.txt</literal> file in the root of the
|
|
|
+ release distribution for instructions on how to validate the JARs are
|
|
|
+ correctly signed, and which certificate has been used to sign
|
|
|
+ them.</para>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-introduction">
|
|
|
+ <title>Introduction</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring provides authentication and
|
|
|
+ authorization capabilities for Spring-powered projects, with full
|
|
|
+ integration with popular web containers. The security architecture was
|
|
|
+ designed from the ground up using "The Spring Way" of development, which
|
|
|
+ includes using bean contexts, interceptors and interface-driven
|
|
|
+ programming. As a consequence, the Acegi Security System for Spring is
|
|
|
+ useful out-of-the-box for those seeking to secure their Spring-based
|
|
|
+ applications, and can be easily adapted to complex customized
|
|
|
+ requirements.</para>
|
|
|
+
|
|
|
+ <para>Security involves two distinct operations, authentication and
|
|
|
+ authorization. The former relates to resolving whether or not a caller
|
|
|
+ is who they claim to be. Authorization on the other hand relates to
|
|
|
+ determining whether or not an authenticated caller is permitted to
|
|
|
+ perform a given operation.</para>
|
|
|
+
|
|
|
+ <para>Throughout the Acegi Security System for Spring, the user, system
|
|
|
+ or agent that needs to be authenticated is referred to as a "principal".
|
|
|
+ The security architecture does not have a notion of roles or groups,
|
|
|
+ which you may be familiar with from other security
|
|
|
+ implementations.</para>
|
|
|
+
|
|
|
+ <sect2 id="security-introduction-status">
|
|
|
+ <title>Current Status</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring is widely used by members
|
|
|
+ of the Spring Community. The APIs are considered stable and only minor
|
|
|
+ changes are expected. Having said that, like many other projects we
|
|
|
+ need to strike a balance between backward compatibility and
|
|
|
+ improvement. Effective version 0.6.1, Acegi Security uses the Apache
|
|
|
+ Portable Runtime Project versioning guidelines, available from
|
|
|
+ <literal>http://apr.apache.org/versioning.html</literal>.</para>
|
|
|
+
|
|
|
+ <para>Some improvements are currently intended prior to the 1.0.0
|
|
|
+ release. These are:</para>
|
|
|
+
|
|
|
+ <itemizedlist spacing="compact">
|
|
|
+ <listitem>
|
|
|
+ <para>Replacing the Ant build with a Maven build. When this
|
|
|
+ happens the <literal>lib</literal> directory will no longer be
|
|
|
+ distributed in ZIP releases or hosted in CVS.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>"Remember me" functionality. Some discussion on this can be
|
|
|
+ found at
|
|
|
+ <literal>http://sourceforge.net/mailarchive/forum.php?thread_id=5177499&forum_id=40659</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>A sample web application which demonstrates the access
|
|
|
+ control list package.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Implementation of an
|
|
|
+ <literal>ObjectDefinitionSource</literal> that retrieves its
|
|
|
+ details from a database.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Deprecation of Acegi Security's various EH-CACHE-based cache
|
|
|
+ implementations. Instead Acegi Security will provide new cache
|
|
|
+ implementations which use Spring Framework's new (currently in
|
|
|
+ CVS) <literal>EhCacheManagerFactoryBean</literal> factory. The
|
|
|
+ deprecated classes may be removed from the 1.0.0 release.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist>
|
|
|
+
|
|
|
+ <para>Whilst this list is subject to change and not in any particular
|
|
|
+ order, none of the above improvements are likely to result in changes
|
|
|
+ to the API. The improvements are also relatively minor to implement.
|
|
|
+ Users of Acegi Security System for Spring should therefore be
|
|
|
+ comfortable depending on the current version of the project in their
|
|
|
+ applications.</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-high-level-design">
|
|
|
+ <title>High Level Design</title>
|
|
|
+
|
|
|
+ <sect2 id="security-high-level-design-key-components">
|
|
|
+ <title>Key Components</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring essentially comprises seven
|
|
|
+ key functional parts:</para>
|
|
|
+
|
|
|
+ <itemizedlist spacing="compact">
|
|
|
+ <listitem>
|
|
|
+ <para>An <literal>Authentication</literal> object which holds the
|
|
|
+ principal, credentials and the authorities granted to the
|
|
|
+ principal. The object can also store additional information
|
|
|
+ associated with an authentication request, such as the source
|
|
|
+ TCP/IP address.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>A <literal>ContextHolder</literal> which holds the
|
|
|
+ <literal>Authentication</literal> object in a
|
|
|
+ <literal>ThreadLocal</literal>-bound object.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>An <literal>AuthenticationManager</literal> to authenticate
|
|
|
+ the <literal>Authentication</literal> object presented via the
|
|
|
+ <literal>ContextHolder</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>An <literal>AccessDecisionManager</literal> to authorize a
|
|
|
+ given operation.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>A <literal>RunAsManager</literal> to optionally replace the
|
|
|
+ <literal>Authentication</literal> object whilst a given operation
|
|
|
+ is being executed.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>A "secure object" interceptor, which coordinates the
|
|
|
+ authentication, authorization, run-as replacement and execution of
|
|
|
+ a given operation.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>An acess control list (ACL) management package, which can be
|
|
|
+ used to obtain ACLs for domain object instances.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist>
|
|
|
+
|
|
|
+ <para>Secure objects refer to any type of object that can have
|
|
|
+ security applied to it. A secure object must provide some form of
|
|
|
+ callback, so that the security interceptor can transparently do its
|
|
|
+ work as required, and callback the object when it is time for it to
|
|
|
+ proceed with the requested operation. If secure objects cannot provide
|
|
|
+ a native callback approach, a wrapper needs to be written so this
|
|
|
+ becomes possible.</para>
|
|
|
+
|
|
|
+ <para>Each secure object has its own package under
|
|
|
+ <literal>net.sf.acegisecurity.intercept</literal>. Every other package
|
|
|
+ in the security system is secure object independent, in that it can
|
|
|
+ support any type of secure object presented.</para>
|
|
|
+
|
|
|
+ <para>Only developers contemplating an entirely new way of
|
|
|
+ intercepting and authorizing requests would need to use secure objects
|
|
|
+ directly. For example, it would be possible to build a new secure
|
|
|
+ object to secure calls to a messaging system that does not use
|
|
|
+ <literal>MethodInvocation</literal>s. Most Spring applications will
|
|
|
+ simply use the three currently supported secure object types
|
|
|
+ (<literal>MethodInvocation</literal>, <literal>JoinPoint</literal> and
|
|
|
+ <literal>FilterInterceptor</literal>) with complete
|
|
|
+ transparency.</para>
|
|
|
+
|
|
|
+ <para>Each of the seven key parts is discussed in detail throughout
|
|
|
+ this document.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-high-level-design-supported-secure-objects">
|
|
|
+ <title>Supported Secure Objects</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring currently supports three
|
|
|
+ secure objects.</para>
|
|
|
+
|
|
|
+ <para>The first handles an AOP Alliance
|
|
|
+ <literal>MethodInvocation</literal>. This is the secure object type
|
|
|
+ used to protect Spring beans. Developers will generally use this
|
|
|
+ secure object type to secure their business objects. To make a
|
|
|
+ standard Spring-hosted bean available as a
|
|
|
+ <literal>MethodInvocation</literal>, the bean is simply published
|
|
|
+ through a <literal>ProxyFactoryBean</literal> or
|
|
|
+ <literal>BeanNameAutoProxyCreator</literal> or
|
|
|
+ <literal>DefaultAdvisorAutoProxyCreator</literal>. Most Spring
|
|
|
+ developers would already be familiar with these due to their use in
|
|
|
+ transactions and other areas of Spring.</para>
|
|
|
+
|
|
|
+ <para>The second type is an AspectJ <literal>JoinPoint</literal>.
|
|
|
+ AspectJ has a particular use in securing domain object instances, as
|
|
|
+ these are most often managed outside the Spring bean container. By
|
|
|
+ using AspectJ, standard constructs such as <literal>new
|
|
|
+ Person();</literal> can be used and full security will be applied to
|
|
|
+ them by Acegi Security. The
|
|
|
+ <literal>AspectJSecurityInterceptor</literal> is still managed by
|
|
|
+ Spring, which creates the aspect singleton and wires it with the
|
|
|
+ appropriate authentication managers, access decision managers and so
|
|
|
+ on.</para>
|
|
|
+
|
|
|
+ <para>The third type is a <literal>FilterInvocation</literal>. This is
|
|
|
+ an object included with the Acegi Security System for Spring. It is
|
|
|
+ created by an included filter and simply wraps the HTTP
|
|
|
+ <literal>ServletRequest</literal>, <literal>ServletResponse</literal>
|
|
|
+ and <literal>FilterChain</literal>. The
|
|
|
+ <literal>FilterInvocation</literal> enables HTTP resources to be
|
|
|
+ secured. Developers do not usually need to understand the mechanics of
|
|
|
+ how this works, because they just add the filters to their
|
|
|
+ <literal>web.xml</literal> and let the security system do its
|
|
|
+ work.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-high-level-design-configuration-attributes">
|
|
|
+ <title>Configuration Attributes</title>
|
|
|
+
|
|
|
+ <para>Every secure object can represent an infinite number of
|
|
|
+ individual requests. For example, a
|
|
|
+ <literal>MethodInvocation</literal> can represent the invocation of
|
|
|
+ any method with any arguments, whilst a
|
|
|
+ <literal>FilterInvocation</literal> can represent any HTTP URL.</para>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring needs to record the
|
|
|
+ configuration that applies to each of these possible requests. The
|
|
|
+ security configuration of a request to
|
|
|
+ <literal>BankManager.getBalance(int accountNumber)</literal> needs to
|
|
|
+ be very different from the security configuration of a request to
|
|
|
+ <literal>BankManager.approveLoan(int applicationNumber)</literal>.
|
|
|
+ Similarly, the security configuration of a request to
|
|
|
+ <literal>http://some.bank.com/index.htm</literal> needs to be very
|
|
|
+ different from the security configuration of
|
|
|
+ <literal>http://some.bank.com/manage/timesheet.jsp</literal>.</para>
|
|
|
+
|
|
|
+ <para>To store the various security configurations associated with
|
|
|
+ different requests, a configuration attribute is used. At an
|
|
|
+ implementation level a configuration attribute is represented by the
|
|
|
+ <literal>ConfigAttribute</literal> interface. One concrete
|
|
|
+ implementation of <literal>ConfigAttribute</literal> is provided,
|
|
|
+ <literal>SecurityConfig</literal>, which simply stores a configuration
|
|
|
+ attribute as a <literal>String</literal>.</para>
|
|
|
+
|
|
|
+ <para>The collection of <literal>ConfigAttribute</literal>s associated
|
|
|
+ with a particular request is held in a
|
|
|
+ <literal>ConfigAttributeDefinition</literal>. This concrete class is
|
|
|
+ simply a holder of <literal>ConfigAttribute</literal>s and does
|
|
|
+ nothing special.</para>
|
|
|
+
|
|
|
+ <para>When a request is received by the security interceptor, it needs
|
|
|
+ to determine which configuration attributes apply. In other words, it
|
|
|
+ needs to find the <literal>ConfigAttributeDefinition</literal> which
|
|
|
+ applies to the request. This decision is handled by the
|
|
|
+ <literal>ObjectDefinitionSource</literal> interface. The main method
|
|
|
+ provided by this interface is <literal>public
|
|
|
+ ConfigAttributeDefinition getAttributes(Object object)</literal>, with
|
|
|
+ the <literal>Object</literal> being the secure object. Recall the
|
|
|
+ secure object contains details of the request, so the
|
|
|
+ <literal>ObjectDefinitionSource</literal> implementation will be able
|
|
|
+ to extract the details it requires to lookup the relevant
|
|
|
+ <literal>ConfigAttributeDefinition</literal>.</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-request-contexts">
|
|
|
+ <title>Request Contexts</title>
|
|
|
+
|
|
|
+ <sect2 id="security-contexts">
|
|
|
+ <title>Contexts</title>
|
|
|
+
|
|
|
+ <para>Many applications require a way of sharing objects between
|
|
|
+ classes, but without resorting to passing them in method signatures.
|
|
|
+ This is commonly achieved by using a <literal>ThreadLocal</literal>.
|
|
|
+ The Acegi Security System for Spring uses
|
|
|
+ <literal>ThreadLocal</literal> functionality and introduces the
|
|
|
+ concept of "request contexts".</para>
|
|
|
+
|
|
|
+ <para>By placing an object into a request context, that object becomes
|
|
|
+ available to any other object on the current thread of execution. The
|
|
|
+ request context is not passed around as a method parameter, but is
|
|
|
+ held in a <literal>ThreadLocal</literal>. The Acegi Security System
|
|
|
+ for Spring uses the request context to pass around the authentication
|
|
|
+ request and response.</para>
|
|
|
+
|
|
|
+ <para>A request context is a concrete implementation of the
|
|
|
+ <literal>Context</literal> interface, which exposes a single
|
|
|
+ method:</para>
|
|
|
+
|
|
|
+ <programlisting>public void validate() throws ContextInvalidException;</programlisting>
|
|
|
+
|
|
|
+ <para>This <literal>validate()</literal> method is called to confirm
|
|
|
+ the <literal>Context</literal> is properly setup. An implementation
|
|
|
+ will typically use this method to check that the objects it holds are
|
|
|
+ properly setup.</para>
|
|
|
+
|
|
|
+ <para>The <literal>ContextHolder</literal> class makes the
|
|
|
+ <literal>Context</literal> available to the current thread of
|
|
|
+ execution using a <literal>ThreadLocal</literal>. A
|
|
|
+ <literal>ContextInterceptor</literal> is also provided, which is
|
|
|
+ intended to be chained into the bean context using
|
|
|
+ <literal>ProxyFactoryBean</literal>. The
|
|
|
+ <literal>ContextInterceptor</literal> simply calls
|
|
|
+ <literal>Context.validate()</literal>, which guarantees to business
|
|
|
+ methods that a valid <literal>Context</literal> is available from the
|
|
|
+ <literal>ContextHolder</literal>.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-contexts-secure-contexts">
|
|
|
+ <title>Secure Contexts</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring requires the
|
|
|
+ <literal>ContextHolder</literal> to contain a request context that
|
|
|
+ implements the <literal>SecureContext</literal> interface. An
|
|
|
+ implementation is provided named <literal>SecureContextImpl</literal>.
|
|
|
+ The <literal>SecureContext</literal> simply extends the
|
|
|
+ <literal>Context</literal> discussed above and adds a holder and
|
|
|
+ validation for an <literal>Authentication</literal> object.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-contexts-custom-contexts">
|
|
|
+ <title>Custom Contexts</title>
|
|
|
+
|
|
|
+ <para>Developers can create their own request context classes to store
|
|
|
+ application-specific objects. Such request context classes will need
|
|
|
+ to implement the <literal>Context</literal> interface. If the Acegi
|
|
|
+ Security System for Spring is to be used, developers must ensure any
|
|
|
+ custom request contexts implement the <literal>SecureContext</literal>
|
|
|
+ interface.</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-interception">
|
|
|
+ <title>Security Interception</title>
|
|
|
+
|
|
|
+ <sect2 id="security-interception-all-secure-objects">
|
|
|
+ <title>All Secure Objects</title>
|
|
|
+
|
|
|
+ <para>As described in the High Level Design section, each secure
|
|
|
+ object has its own security interceptor which is responsible for
|
|
|
+ handling each request. Handling involves a number of
|
|
|
+ operations:</para>
|
|
|
+
|
|
|
+ <orderedlist>
|
|
|
+ <listitem>
|
|
|
+ <para>Store the configuration attributes that are associated with
|
|
|
+ each secure request.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Extract the <literal>ConfigAttributeDefinition</literal>
|
|
|
+ that applies to the request from the relevant
|
|
|
+ <literal>ObjectDefinitionSource</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Obtain the <literal>Authentication</literal> object from the
|
|
|
+ <literal>SecureContext</literal>, which is held in the
|
|
|
+ <literal>ContextHolder</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Pass the <literal>Authentication</literal> object to the
|
|
|
+ <literal>AuthenticationManager</literal>, update the
|
|
|
+ <literal>ContextHolder</literal> with the response.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Pass the <literal>Authentication</literal> object, the
|
|
|
+ <literal>ConfigAttributeDefinition</literal>, and the secure
|
|
|
+ object to the <literal>AccessDecisionManager</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Pass the <literal>Authentication</literal> object, the
|
|
|
+ <literal>ConfigAttributeDefinition</literal>, and the secure
|
|
|
+ object to the <literal>RunAsManager</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>If the <literal>RunAsManager</literal> returns a new
|
|
|
+ <literal>Authentication</literal> object, update the
|
|
|
+ <literal>ContextHolder</literal> with it.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Proceed with the request execution of the secure
|
|
|
+ object.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>If the <literal>RunAsManager</literal> earlier returned a
|
|
|
+ new <literal>Authentication</literal> object, update the
|
|
|
+ <literal>ContextHolder</literal> with the
|
|
|
+ <literal>Authentication</literal> object that was previously
|
|
|
+ returned by the <literal>AuthenticationManager</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Return any result received from the secure object
|
|
|
+ execution.</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist>
|
|
|
+
|
|
|
+ <para>Whilst this may seem quite involved, don't worry. Developers
|
|
|
+ interact with the security process by simply implementing basic
|
|
|
+ interfaces (such as <literal>AccessDecisionManager</literal>), which
|
|
|
+ are fully documented below.</para>
|
|
|
+
|
|
|
+ <para>The <literal>AbstractSecurityInterceptor</literal> handles the
|
|
|
+ majority of the flow listed above. Each secure object has its own
|
|
|
+ security interceptor which subclasses
|
|
|
+ <literal>AbstractSecurityInterceptor</literal>. Each of these secure
|
|
|
+ object-specific security interceptors are discussed below.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-interception-aopalliance">
|
|
|
+ <title>AOP Alliance (MethodInvocation) Security Interceptor</title>
|
|
|
+
|
|
|
+ <para>To secure <literal>MethodInvocation</literal>s, developers
|
|
|
+ simply add a properly configured
|
|
|
+ <literal>MethodSecurityInterceptor</literal> into the application
|
|
|
+ context. Next the beans requiring security are chained into the
|
|
|
+ interceptor. This chaining is accomplished using Spring’s
|
|
|
+ <literal>ProxyFactoryBean</literal> or
|
|
|
+ <literal>BeanNameAutoProxyCreator</literal>, as commonly used by many
|
|
|
+ other parts of Spring (refer to the sample application for examples).
|
|
|
+ Alternatively, Acegi Security provides a
|
|
|
+ <literal>MethodDefinitionSourceAdvisor</literal> which may be used
|
|
|
+ with Spring's <literal>DefaultAdvisorAutoProxyCreator</literal> to
|
|
|
+ automatically chain the security interceptor in front of any beans
|
|
|
+ defined against the <literal>MethodSecurityInterceptor</literal>. The
|
|
|
+ <literal>MethodSecurityInterceptor</literal> itself is configured as
|
|
|
+ follows:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="bankManagerSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
|
+ <property name="validateConfigAttributes"><value>true</value></property>
|
|
|
+ <property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
+ <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
|
|
+ <property name="runAsManager"><ref bean="runAsManager"/></property>
|
|
|
+ <property name="objectDefinitionSource">
|
|
|
+ <value>
|
|
|
+ net.sf.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER
|
|
|
+ net.sf.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER
|
|
|
+ </value>
|
|
|
+ </property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>As shown above, the <literal>MethodSecurityInterceptor</literal>
|
|
|
+ is configured with a reference to an
|
|
|
+ <literal>AuthenticationManager</literal>,
|
|
|
+ <literal>AccessDecisionManager</literal> and
|
|
|
+ <literal>RunAsManager</literal>, which are each discussed in separate
|
|
|
+ sections below. The <literal>MethodSecurityInterceptor</literal> is
|
|
|
+ also configured with configuration attributes that apply to different
|
|
|
+ method signatures. A full discussion of configuration attributes is
|
|
|
+ provided in the High Level Design section of this document.</para>
|
|
|
+
|
|
|
+ <para>The <literal>MethodSecurityInterceptor</literal> can be
|
|
|
+ configured with configuration attributes in three ways. The first is
|
|
|
+ via a property editor and the application context, which is shown
|
|
|
+ above. The second is via defining the configuration attributes in your
|
|
|
+ source code using Jakarta Commons Attributes. The third is via writing
|
|
|
+ your own <literal>ObjectDefinitionSource</literal>, although this is
|
|
|
+ beyond the scope of this document. Irrespective of the approach used,
|
|
|
+ the <literal>ObjectDefinitionSource</literal> is responsible for
|
|
|
+ returning a <literal>ConfigAttributeDefinition</literal> object that
|
|
|
+ contains all of the configuration attributes associated with a single
|
|
|
+ secure method.</para>
|
|
|
+
|
|
|
+ <para>It should be noted that the
|
|
|
+ <literal>MethodSecurityInterceptor.setObjectDefinitionSource()</literal>
|
|
|
+ method actually expects an instance of
|
|
|
+ <literal>MethodDefinitionSource</literal>. This is a marker interface
|
|
|
+ which subclasses <literal>ObjectDefinitionSource</literal>. It simply
|
|
|
+ denotes the <literal>ObjectDefinitionSource</literal> understands
|
|
|
+ <literal>MethodInvocation</literal>s. In the interests of simplicity
|
|
|
+ we'll continue to refer to the
|
|
|
+ <literal>MethodDefinitionSource</literal> as an
|
|
|
+ <literal>ObjectDefinitionSource</literal>, as the distinction is of
|
|
|
+ little relevance to most users of the
|
|
|
+ <literal>MethodSecurityInterceptor</literal>.</para>
|
|
|
+
|
|
|
+ <para>If using the application context property editor approach (as
|
|
|
+ shown above), commas are used to delimit the different configuration
|
|
|
+ attributes that apply to a given method pattern. Each configuration
|
|
|
+ attribute is assigned into its own <literal>SecurityConfig</literal>
|
|
|
+ object. The <literal>SecurityConfig</literal> object is discussed in
|
|
|
+ the High Level Design section.</para>
|
|
|
+
|
|
|
+ <para>If using the Jakarta Commons Attributes approach, your bean
|
|
|
+ context will be configured differently:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="attributes" class="org.springframework.metadata.commons.CommonsAttributes"/>
|
|
|
+<bean id="objectDefinitionSource" class="net.sf.acegisecurity.intercept.method.MethodDefinitionAttributes">
|
|
|
+ <property name="attributes"><ref local="attributes"/></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="bankManagerSecurity" class="net.sf.acegisecurity.intercept.method.MethodSecurityInterceptor">
|
|
|
+ <property name="validateConfigAttributes"><value>false</value></property>
|
|
|
+ <property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
+ <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
|
|
+ <property name="runAsManager"><ref bean="runAsManager"/></property>
|
|
|
+ <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>In addition, your source code will contain Jakarta Commons
|
|
|
+ Attributes tags that refer to a concrete implementation of
|
|
|
+ <literal>ConfigAttribute</literal>. The following example uses the
|
|
|
+ <literal>SecurityConfig</literal> implementation to represent the
|
|
|
+ configuration attributes, and results in the same security
|
|
|
+ configuration as provided by the property editor approach
|
|
|
+ above:</para>
|
|
|
+
|
|
|
+ <para><programlisting>public interface BankManager {
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @@SecurityConfig("ROLE_SUPERVISOR")
|
|
|
+ * @@SecurityConfig("RUN_AS_SERVER")
|
|
|
+ */
|
|
|
+ public void deleteSomething(int id);
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @@SecurityConfig("ROLE_SUPERVISOR")
|
|
|
+ * @@SecurityConfig("RUN_AS_SERVER")
|
|
|
+ */
|
|
|
+ public void deleteAnother(int id);
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @@SecurityConfig("ROLE_TELLER")
|
|
|
+ * @@SecurityConfig("ROLE_SUPERVISOR")
|
|
|
+ * @@SecurityConfig("BANKSECURITY_CUSTOMER")
|
|
|
+ * @@SecurityConfig("RUN_AS_SERVER")
|
|
|
+ */
|
|
|
+ public float getBalance(int id);
|
|
|
+}</programlisting></para>
|
|
|
+
|
|
|
+ <para>You might have noticed the
|
|
|
+ <literal>validateConfigAttributes</literal> property in the above
|
|
|
+ <literal>MethodSecurityInterceptor</literal> examples. When set to
|
|
|
+ <literal>true</literal> (the default), at startup time the
|
|
|
+ <literal>MethodSecurityInterceptor</literal> will evaluate if the
|
|
|
+ provided configuration attributes are valid. It does this by checking
|
|
|
+ each configuration attribute can be processed by either the
|
|
|
+ <literal>AccessDecisionManager</literal> or the
|
|
|
+ <literal>RunAsManager</literal>. If neither of these can process a
|
|
|
+ given configuration attribute, an exception is thrown. If using the
|
|
|
+ Jakarta Commons Attributes method of configuration, you should set
|
|
|
+ <literal>validateConfigAttributes</literal> to
|
|
|
+ <literal>false</literal>.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-interception-aspectj">
|
|
|
+ <title>AspectJ (JoinPoint) Security Interceptor</title>
|
|
|
+
|
|
|
+ <para>The AspectJ security interceptor is very similar to the AOP
|
|
|
+ Alliance security interceptor discussed in the previous section.
|
|
|
+ Indeed we will only discuss the differences in this section.</para>
|
|
|
+
|
|
|
+ <para>The AspectJ interceptor is named
|
|
|
+ <literal>AspectJSecurityInterceptor</literal>. Unlike the AOP Alliance
|
|
|
+ security interceptor, which relies on the Spring application context
|
|
|
+ to weave in the security interceptor via proxying, the
|
|
|
+ <literal>AspectJSecurityInterceptor</literal> is weaved in via the
|
|
|
+ AspectJ compiler. It would not be uncommon to use both types of
|
|
|
+ security interceptors in the same application, with
|
|
|
+ <literal>AspectJSecurityInterceptor</literal> being used for domain
|
|
|
+ object instance security and the AOP Alliance
|
|
|
+ <literal>MethodSecurityInterceptor</literal> being used for services
|
|
|
+ layer security.</para>
|
|
|
+
|
|
|
+ <para>Let's first consider how the
|
|
|
+ <literal>AspectJSecurityInterceptor</literal> is configured in the
|
|
|
+ Spring application context:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="bankManagerSecurity" class="net.sf.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor">
|
|
|
+ <property name="validateConfigAttributes"><value>true</value></property>
|
|
|
+ <property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
+ <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
|
|
+ <property name="runAsManager"><ref bean="runAsManager"/></property>
|
|
|
+ <property name="objectDefinitionSource">
|
|
|
+ <value>
|
|
|
+ net.sf.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER
|
|
|
+ net.sf.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER
|
|
|
+ </value>
|
|
|
+ </property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>As you can see, aside from the class name, the
|
|
|
+ <literal>AspectJSecurityInterceptor</literal> is exactly the same as
|
|
|
+ the AOP Alliance security interceptor. Indeed the two interceptors can
|
|
|
+ share the same <literal>objectDefinitionSource</literal>, as the
|
|
|
+ <literal>ObjectDefinitionSource</literal> works with
|
|
|
+ <literal>java.lang.reflect.Method</literal>s rather than an AOP
|
|
|
+ library-specific class. Of course, your access decisions have access
|
|
|
+ to the relevant AOP library-specific invocation (ie
|
|
|
+ <literal>MethodInvocation</literal> or <literal>JoinPoint</literal>)
|
|
|
+ and as such can consider a range of addition criteria when making
|
|
|
+ access decisions (such as method arguments).</para>
|
|
|
+
|
|
|
+ <para>Next you'll need to define an AspectJ <literal>aspect</literal>.
|
|
|
+ For example:</para>
|
|
|
+
|
|
|
+ <para><programlisting>package net.sf.acegisecurity.samples.aspectj;
|
|
|
+
|
|
|
+import net.sf.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor;
|
|
|
+import net.sf.acegisecurity.intercept.method.aspectj.AspectJCallback;
|
|
|
+import org.springframework.beans.factory.InitializingBean;
|
|
|
+
|
|
|
+public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
|
|
+
|
|
|
+ private AspectJSecurityInterceptor securityInterceptor;
|
|
|
+
|
|
|
+ pointcut domainObjectInstanceExecution(): target(PersistableEntity)
|
|
|
+ && execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect);
|
|
|
+
|
|
|
+ Object around(): domainObjectInstanceExecution() {
|
|
|
+ if (this.securityInterceptor != null) {
|
|
|
+ AspectJCallback callback = new AspectJCallback() {
|
|
|
+ public Object proceedWithObject() {
|
|
|
+ return proceed();
|
|
|
+ }
|
|
|
+ };
|
|
|
+ return this.securityInterceptor.invoke(thisJoinPoint, callback);
|
|
|
+ } else {
|
|
|
+ return proceed();
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public AspectJSecurityInterceptor getSecurityInterceptor() {
|
|
|
+ return securityInterceptor;
|
|
|
+ }
|
|
|
+
|
|
|
+ public void setSecurityInterceptor(AspectJSecurityInterceptor securityInterceptor) {
|
|
|
+ this.securityInterceptor = securityInterceptor;
|
|
|
+ }
|
|
|
+
|
|
|
+ public void afterPropertiesSet() throws Exception {
|
|
|
+ if (this.securityInterceptor == null)
|
|
|
+ throw new IllegalArgumentException("securityInterceptor required");
|
|
|
+ }
|
|
|
+}</programlisting></para>
|
|
|
+
|
|
|
+ <para>In the above example, the security interceptor will be applied
|
|
|
+ to every instance of <literal>PersistableEntity</literal>, which is an
|
|
|
+ abstract class not shown (you can use any other class or
|
|
|
+ <literal>pointcut</literal> expression you like). For those curious,
|
|
|
+ <literal>AspectJCallback</literal> is needed because the
|
|
|
+ <literal>proceed();</literal> statement has special meaning only
|
|
|
+ within an <literal>around()</literal> body. The
|
|
|
+ <literal>AspectJSecurityInterceptor</literal> calls this anonymous
|
|
|
+ <literal>AspectJCallback</literal> class when it wants the target
|
|
|
+ object to continue.</para>
|
|
|
+
|
|
|
+ <para>You will need to configure Spring to load the aspect and wire it
|
|
|
+ with the <literal>AspectJSecurityInterceptor</literal>. A bean
|
|
|
+ declaration which achieves this is shown below:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="domainObjectInstanceSecurityAspect"
|
|
|
+ class="net.sf.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect"
|
|
|
+ factory-method="aspectOf">
|
|
|
+ <property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>That's it! Now you can create your beans from anywhere within
|
|
|
+ your application, using whatever means you think fit (eg <literal>new
|
|
|
+ Person();</literal>) and they will have the security interceptor
|
|
|
+ applied.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-interception-filterinvocation">
|
|
|
+ <title>FilterInvocation Security Interceptor</title>
|
|
|
+
|
|
|
+ <para>To secure <literal>FilterInvocation</literal>s, developers need
|
|
|
+ to add a filter to their <literal>web.xml</literal> that delegates to
|
|
|
+ the <literal>SecurityEnforcementFilter</literal>. A typical
|
|
|
+ configuration example is provided below: <programlisting><filter>
|
|
|
+ <filter-name>Acegi HTTP Request Security Filter</filter-name>
|
|
|
+ <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
|
|
|
+ <init-param>
|
|
|
+ <param-name>targetClass</param-name>
|
|
|
+ <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
|
|
|
+ </init-param>
|
|
|
+</filter>
|
|
|
+
|
|
|
+<filter-mapping>
|
|
|
+ <filter-name>Acegi HTTP Request Security Filter</filter-name>
|
|
|
+ <url-pattern>/*</url-pattern>
|
|
|
+</filter-mapping></programlisting></para>
|
|
|
+
|
|
|
+ <para>Notice that the filter is actually a
|
|
|
+ <literal>FilterToBeanProxy</literal>. Most of the filters used by the
|
|
|
+ Acegi Security System for Spring use this class. Refer to the Filters
|
|
|
+ section to learn more about this bean.</para>
|
|
|
+
|
|
|
+ <para>In the application context you will need to configure three
|
|
|
+ beans:</para>
|
|
|
+
|
|
|
+ <programlisting><bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
|
|
|
+ <property name="filterSecurityInterceptor"><ref bean="filterInvocationInterceptor"/></property>
|
|
|
+ <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
|
|
|
+ <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
|
|
+ <property name="forceHttps"><value>false</value></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
|
|
|
+ <property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
+ <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
|
|
+ <property name="runAsManager"><ref bean="runAsManager"/></property>
|
|
|
+ <property name="objectDefinitionSource">
|
|
|
+ <value>
|
|
|
+ CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
|
|
+ \A/secure/super/.*\Z=ROLE_WE_DONT_HAVE
|
|
|
+ \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
|
|
|
+ </value>
|
|
|
+ </property>
|
|
|
+</bean></programlisting>
|
|
|
+
|
|
|
+ <para>The <literal>AuthenticationEntryPoint</literal> will be called
|
|
|
+ if the user requests a secure HTTP resource but they are not
|
|
|
+ authenticated. The class handles presenting the appropriate response
|
|
|
+ to the user so that authentication can begin. Three concrete
|
|
|
+ implementations are provided with the Acegi Security System for
|
|
|
+ Spring: <literal>AuthenticationProcessingFilterEntryPoint</literal>
|
|
|
+ for commencing a form-based authentication,
|
|
|
+ <literal>BasicProcessingFilterEntryPoint</literal> for commencing a
|
|
|
+ Http Basic authentication process, and
|
|
|
+ <literal>CasProcessingFilterEntryPoint</literal> for commencing a Yale
|
|
|
+ Central Authentication Service (CAS) login. The
|
|
|
+ <literal>AuthenticationProcessingFilterEntryPoint</literal> and
|
|
|
+ <literal>CasProcessingFilterEntryPoint</literal> have optional
|
|
|
+ properties related to forcing the use of HTTPS, so please refer to the
|
|
|
+ JavaDocs if you require this.</para>
|
|
|
+
|
|
|
+ <para>The <literal>PortMapper</literal> provides information on which
|
|
|
+ HTTPS ports correspond to which HTTP ports. This is used by the
|
|
|
+ <literal>AuthenticationProcessingFilterEntryPoint</literal> and
|
|
|
+ several other beans. The default implementation,
|
|
|
+ <literal>PortMapperImpl</literal>, knows the common HTTP ports 80 and
|
|
|
+ 8080 map to HTTPS ports 443 and 8443 respectively. You can customise
|
|
|
+ this mapping if desired.</para>
|
|
|
+
|
|
|
+ <para>The <literal>SecurityEnforcementFilter</literal> primarily
|
|
|
+ provides session management support and initiates authentication when
|
|
|
+ required. It delegates actual <literal>FilterInvocation</literal>
|
|
|
+ security decisions to the configured
|
|
|
+ <literal>FilterSecurityInterceptor</literal>.</para>
|
|
|
+
|
|
|
+ <para>Like any other security interceptor, the
|
|
|
+ <literal>FilterSecurityInterceptor</literal> requires a reference to
|
|
|
+ an <literal>AuthenticationManager</literal>,
|
|
|
+ <literal>AccessDecisionManager</literal> and
|
|
|
+ <literal>RunAsManager</literal>, which are each discussed in separate
|
|
|
+ sections below. The <literal>FilterSecurityInterceptor</literal> is
|
|
|
+ also configured with configuration attributes that apply to different
|
|
|
+ HTTP URL requests. A full discussion of configuration attributes is
|
|
|
+ provided in the High Level Design section of this document.</para>
|
|
|
+
|
|
|
+ <para>The <literal>FilterSecurityInterceptor</literal> can be
|
|
|
+ configured with configuration attributes in two ways. The first is via
|
|
|
+ a property editor and the application context, which is shown above.
|
|
|
+ The second is via writing your own
|
|
|
+ <literal>ObjectDefinitionSource</literal>, although this is beyond the
|
|
|
+ scope of this document. Irrespective of the approach used, the
|
|
|
+ <literal>ObjectDefinitionSource</literal> is responsible for returning
|
|
|
+ a <literal>ConfigAttributeDefinition</literal> object that contains
|
|
|
+ all of the configuration attributes associated with a single secure
|
|
|
+ HTTP URL.</para>
|
|
|
+
|
|
|
+ <para>It should be noted that the
|
|
|
+ <literal>FilterSecurityInterceptor.setObjectDefinitionSource()</literal>
|
|
|
+ method actually expects an instance of
|
|
|
+ <literal>FilterInvocationDefinitionSource</literal>. This is a marker
|
|
|
+ interface which subclasses <literal>ObjectDefinitionSource</literal>.
|
|
|
+ It simply denotes the <literal>ObjectDefinitionSource</literal>
|
|
|
+ understands <literal>FilterInvocation</literal>s. In the interests of
|
|
|
+ simplicity we'll continue to refer to the
|
|
|
+ <literal>FilterInvocationDefinitionSource</literal> as an
|
|
|
+ <literal>ObjectDefinitionSource</literal>, as the distinction is of
|
|
|
+ little relevance to most users of the
|
|
|
+ <literal>FilterSecurityInterceptor</literal>.</para>
|
|
|
+
|
|
|
+ <para>If using the application context property editor approach (as
|
|
|
+ shown above), commas are used to delimit the different configuration
|
|
|
+ attributes that apply to each HTTP URL. Each configuration attribute
|
|
|
+ is assigned into its own <literal>SecurityConfig</literal> object. The
|
|
|
+ <literal>SecurityConfig</literal> object is discussed in the High
|
|
|
+ Level Design section. The <literal>ObjectDefinitionSource</literal>
|
|
|
+ created by the property editor,
|
|
|
+ <literal>FilterInvocationDefinitionSource</literal>, matches
|
|
|
+ configuration attributes against <literal>FilterInvocations</literal>
|
|
|
+ based on expression evaluation of the request URL. Two standard
|
|
|
+ expression syntaxes are supported. The default is to treat all
|
|
|
+ expressions as regular expressions. Alternatively, the presence of a
|
|
|
+ <literal>PATTERN_TYPE_APACHE_ANT</literal> directive will cause all
|
|
|
+ expressions to be treated as Apache Ant paths. It is not possible to
|
|
|
+ mix expression syntaxes within the same definition. For example, the
|
|
|
+ earlier configuration could be generated using Apache Ant paths as
|
|
|
+ follows:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
|
|
|
+ <property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
+ <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
|
|
+ <property name="runAsManager"><ref bean="runAsManager"/></property>
|
|
|
+ <property name="objectDefinitionSource">
|
|
|
+ <value>
|
|
|
+ CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
|
|
+ PATTERN_TYPE_APACHE_ANT
|
|
|
+ /secure/super/**=ROLE_WE_DONT_HAVE
|
|
|
+ /secure/**=ROLE_SUPERVISOR,ROLE_TELLER
|
|
|
+ </value>
|
|
|
+ </property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>Irrespective of the type of expression syntax used, expressions
|
|
|
+ are always evaluated in the order they are defined. Thus it is
|
|
|
+ important that more specific expressions are defined higher in the
|
|
|
+ list than less specific expressions. This is reflected in our example
|
|
|
+ above, where the more specific <literal>/secure/super/</literal>
|
|
|
+ pattern appears higher than the less specific
|
|
|
+ <literal>/secure/</literal> pattern. If they were reversed, the
|
|
|
+ <literal>/secure/</literal> pattern would always match and the
|
|
|
+ <literal>/secure/super/</literal> pattern would never be
|
|
|
+ evaluated.</para>
|
|
|
+
|
|
|
+ <para>The special keyword
|
|
|
+ <literal>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</literal> causes
|
|
|
+ the <literal>FilterInvocationDefinitionSource</literal> to
|
|
|
+ automatically convert a request URL to lowercase before comparison
|
|
|
+ against the expressions. Whilst by default the case of the request URL
|
|
|
+ is not converted, it is generally recommended to use
|
|
|
+ <literal>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</literal> and
|
|
|
+ write each expression assuming lowercase.</para>
|
|
|
+
|
|
|
+ <para>As with other security interceptors, the
|
|
|
+ <literal>validateConfigAttributes</literal> property is observed. When
|
|
|
+ set to <literal>true</literal> (the default), at startup time the
|
|
|
+ <literal>FilterSecurityInterceptor</literal> will evaluate if the
|
|
|
+ provided configuration attributes are valid. It does this by checking
|
|
|
+ each configuration attribute can be processed by either the
|
|
|
+ <literal>AccessDecisionManager</literal> or the
|
|
|
+ <literal>RunAsManager</literal>. If neither of these can process a
|
|
|
+ given configuration attribute, an exception is thrown.</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-authentication">
|
|
|
+ <title>Authentication</title>
|
|
|
+
|
|
|
+ <sect2 id="security-authentication-requests">
|
|
|
+ <title>Authentication Requests</title>
|
|
|
+
|
|
|
+ <para>Authentication requires a way for client code to present its
|
|
|
+ security identification to the Acegi Security System for Spring. This
|
|
|
+ is the role of the <literal>Authentication</literal> interface. The
|
|
|
+ <literal>Authentication</literal> interface holds three important
|
|
|
+ objects: the principal (the identity of the caller), the credentials
|
|
|
+ (the proof of the identity of the caller, such as a password), and the
|
|
|
+ authorities that have been granted to the principal. The principal and
|
|
|
+ its credentials are populated by the client code, whilst the granted
|
|
|
+ authorities are populated by the
|
|
|
+ <literal>AuthenticationManager</literal>. The Acegi Security System
|
|
|
+ for Spring includes several concrete <literal>Authentication</literal>
|
|
|
+ implementations:</para>
|
|
|
+
|
|
|
+ <itemizedlist spacing="compact">
|
|
|
+ <listitem>
|
|
|
+ <para><literal>UsernamePasswordAuthenticationToken</literal>
|
|
|
+ allows a username and password to be presented as the principal
|
|
|
+ and credentials respectively. It is also what is created by the
|
|
|
+ HTTP Session Authentication system.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>TestingAuthenticationToken</literal> facilitates
|
|
|
+ unit testing by automatically being considered an authenticated
|
|
|
+ object by its associated
|
|
|
+ <literal>AuthenticationProvider</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>RunAsUserToken</literal> is used by the default
|
|
|
+ run-as authentication replacement implementation. This is
|
|
|
+ discussed further in the Run-As Authentication Replacement
|
|
|
+ section.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>CasAuthenticationToken</literal> is used to
|
|
|
+ represent a successful Yale Central Authentication Service (CAS)
|
|
|
+ authentication. This is discussed further in the CAS
|
|
|
+ section.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>PrincipalAcegiUserToken</literal> and
|
|
|
+ <literal>JettyAcegiUserToken</literal> implement
|
|
|
+ <literal>AuthByAdapter</literal> (a subclass of
|
|
|
+ <literal>Authentication</literal>) and are used whenever
|
|
|
+ authentication is completed by Acegi Security System for Spring
|
|
|
+ container adapters. This is discussed further in the Container
|
|
|
+ Adapters section.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist>
|
|
|
+
|
|
|
+ <para>The authorities granted to a principal are represented by the
|
|
|
+ <literal>GrantedAuthority</literal> interface. The
|
|
|
+ <literal>GrantedAuthority</literal> interface is discussed at length
|
|
|
+ in the Authorization section.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authentication-manager">
|
|
|
+ <title>Authentication Manager</title>
|
|
|
+
|
|
|
+ <para>As discussed in the Security Interception section, the
|
|
|
+ <literal>AbstractSecurityInterceptor</literal> extracts the
|
|
|
+ <literal>Authentication</literal> object from the
|
|
|
+ <literal>SecureContext</literal> in the
|
|
|
+ <literal>ContextHolder</literal>. This is then passed to an
|
|
|
+ <literal>AuthenticationManager</literal>. The
|
|
|
+ <literal>AuthenticationManager</literal> interface is very
|
|
|
+ simple:</para>
|
|
|
+
|
|
|
+ <programlisting>public Authentication authenticate(Authentication authentication) throws AuthenticationException;</programlisting>
|
|
|
+
|
|
|
+ <para>Implementations of <literal>AuthenticationManager</literal> are
|
|
|
+ required to throw an <literal>AuthenticationException</literal> should
|
|
|
+ authentication fail, or return a fully populated
|
|
|
+ <literal>Authentication</literal> object. In particular, the returned
|
|
|
+ <literal>Authentication</literal> object should contain an array of
|
|
|
+ <literal>GrantedAuthority</literal> objects. The
|
|
|
+ <literal>SecurityInterceptor</literal> places the populated
|
|
|
+ <literal>Authentication</literal> object back in the
|
|
|
+ <literal>SecureContext</literal> in the
|
|
|
+ <literal>ContextHolder</literal>, overwriting the original
|
|
|
+ <literal>Authentication</literal> object.</para>
|
|
|
+
|
|
|
+ <para>The <literal>AuthenticationException</literal> has a number of
|
|
|
+ subclasses. The most important are
|
|
|
+ <literal>BadCredentialsException</literal> (an incorrect principal or
|
|
|
+ credentials), <literal>DisabledException</literal> and
|
|
|
+ <literal>LockedException</literal>. The latter two exceptions indicate
|
|
|
+ the principal was found, but the credentials were not checked and
|
|
|
+ authentication is denied. An
|
|
|
+ <literal>AuthenticationServiceException</literal> is also provided,
|
|
|
+ which indicates the authentication system could not process the
|
|
|
+ request (eg a database was unavailable).</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authentication-provider">
|
|
|
+ <title>Provider-Based Authentication</title>
|
|
|
+
|
|
|
+ <para>Whilst the basic <literal>Authentication</literal> and
|
|
|
+ <literal>AuthenticationManager</literal> interfaces enable users to
|
|
|
+ develop their own authentication systems, users should consider using
|
|
|
+ the provider-based authentication packages provided by the Acegi
|
|
|
+ Security System for Spring. The key class,
|
|
|
+ <literal>ProviderManager</literal>, is configured via the bean context
|
|
|
+ with a list of <literal>AuthenticationProvider</literal>s:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
|
|
|
+ <property name="providers">
|
|
|
+ <list>
|
|
|
+ <ref bean="daoAuthenticationProvider"/>
|
|
|
+ <ref bean="someOtherAuthenticationProvider"/>
|
|
|
+ </list>
|
|
|
+ </property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para><literal>ProviderManager</literal> calls a series of registered
|
|
|
+ <literal>AuthenticationProvider</literal> implementations, until one
|
|
|
+ is found that indicates it is able to authenticate a given
|
|
|
+ <literal>Authentication</literal> class. When the first compatible
|
|
|
+ <literal>AuthenticationProvider</literal> is located, it is passed the
|
|
|
+ authentication request. The <literal>AuthenticationProvider</literal>
|
|
|
+ will then either throw an <literal>AuthenticationException</literal>
|
|
|
+ or return a fully populated <literal>Authentication</literal>
|
|
|
+ object.</para>
|
|
|
+
|
|
|
+ <para>Note the <literal>ProviderManager</literal> may throw a
|
|
|
+ <literal>ProviderNotFoundException</literal> (a subclass of
|
|
|
+ <literal>AuthenticationException</literal>) if it none of the
|
|
|
+ registered <literal>AuthenticationProviders</literal> can validate the
|
|
|
+ <literal>Authentication</literal> object.</para>
|
|
|
+
|
|
|
+ <para>Several <literal>AuthenticationProvider</literal>
|
|
|
+ implementations are provided with the Acegi Security System for
|
|
|
+ Spring:</para>
|
|
|
+
|
|
|
+ <para><itemizedlist spacing="compact">
|
|
|
+ <listitem>
|
|
|
+ <para><literal>TestingAuthenticationProvider</literal> is able
|
|
|
+ to authenticate a <literal>TestingAuthenticationToken</literal>.
|
|
|
+ The limit of its authentication is simply to treat whatever is
|
|
|
+ contained in the <literal>TestingAuthenticationToken</literal>
|
|
|
+ as valid. This makes it ideal for use during unit testing, as
|
|
|
+ you can create an <literal>Authentication</literal> object with
|
|
|
+ precisely the <literal>GrantedAuthority</literal> objects
|
|
|
+ required for calling a given method. You definitely would not
|
|
|
+ register this <literal>AuthenticationProvider</literal> on a
|
|
|
+ production system.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>DaoAuthenticationProvider</literal> is able to
|
|
|
+ authenticate a
|
|
|
+ <literal>UsernamePasswordAuthenticationToken</literal> by
|
|
|
+ accessing an authentication respository via a data access
|
|
|
+ object. This is discussed further below, as it is the main way
|
|
|
+ authentication is initially handled.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>RunAsImplAuthenticationToken</literal> is able to
|
|
|
+ authenticate a <literal>RunAsUserToken</literal>. This is
|
|
|
+ discussed further in the Run-As Authentication Replacement
|
|
|
+ section. You would not register this
|
|
|
+ <literal>AuthenticationProvider</literal> if you were not using
|
|
|
+ run-as replacement.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>AuthByAdapterProvider</literal> is able to
|
|
|
+ authenticate any <literal>AuthByAdapter</literal> (a subclass of
|
|
|
+ <literal>Authentication</literal> used with container adapters).
|
|
|
+ This is discussed further in the Container Adapters section. You
|
|
|
+ would not register this
|
|
|
+ <literal>AuthenticationProvider</literal> if you were not using
|
|
|
+ container adapters.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>CasAuthenticationProvider</literal> is able to
|
|
|
+ authenticate Yale Central Authentication Service (CAS) tickets.
|
|
|
+ This is discussed further in the CAS Single Sign On
|
|
|
+ section.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>JaasAuthenticationProvider</literal> is able to
|
|
|
+ delegate authentication requests to a JAAS
|
|
|
+ <literal>LoginModule</literal>. This is discussed further
|
|
|
+ below.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist></para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authentication-provider-dao">
|
|
|
+ <title>Data Access Object Authentication Provider</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring includes a
|
|
|
+ production-quality <literal>AuthenticationProvider</literal>
|
|
|
+ implementation called <literal>DaoAuthenticationProvider</literal>.
|
|
|
+ This authentication provider is able to authenticate a
|
|
|
+ <literal>UsernamePasswordAuthenticationToken</literal> by obtaining
|
|
|
+ authentication details from a data access object configured at bean
|
|
|
+ creation time:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
|
|
|
+ <property name="authenticationDao"><ref bean="inMemoryDaoImpl"/></property>
|
|
|
+ <property name="saltSource"><ref bean="saltSource"/></property>
|
|
|
+ <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>The <literal>PasswordEncoder</literal> and
|
|
|
+ <literal>SaltSource</literal> are optional. A
|
|
|
+ <literal>PasswordEncoder</literal> provides encoding and decoding of
|
|
|
+ passwords obtained from the authentication repository. A
|
|
|
+ <literal>SaltSource</literal> enables the passwords to be populated
|
|
|
+ with a "salt", which enhances the security of the passwords in the
|
|
|
+ authentication repository. <literal>PasswordEncoder</literal>
|
|
|
+ implementations are provided with the Acegi Security System for Spring
|
|
|
+ covering MD5, SHA and cleartext encodings. Two
|
|
|
+ <literal>SaltSource</literal> implementations are also provided:
|
|
|
+ <literal>SystemWideSaltSource</literal> which encodes all passwords
|
|
|
+ with the same salt, and <literal>ReflectionSaltSource</literal>, which
|
|
|
+ inspects a given property of the returned
|
|
|
+ <literal>UserDetails</literal> object to obtain the salt. Please refer
|
|
|
+ to the JavaDocs for further details on these optional features.</para>
|
|
|
+
|
|
|
+ <para>In addition to the properties above, the
|
|
|
+ <literal>DaoAuthenticationProvider</literal> supports optional caching
|
|
|
+ of <literal>UserDetails</literal> objects. The
|
|
|
+ <literal>UserCache</literal> interface enables the
|
|
|
+ <literal>DaoAuthenticationProvider</literal> to place a
|
|
|
+ <literal>UserDetails</literal> object into the cache, and retrieve it
|
|
|
+ from the cache upon subsequent authentication attempts for the same
|
|
|
+ username. By default the <literal>DaoAuthenticationProvider</literal>
|
|
|
+ uses the <literal>NullUserCache</literal>, which performs no caching.
|
|
|
+ A usable caching implementation is also provided,
|
|
|
+ <literal>EhCacheBasedUserCache</literal>, which is configured as
|
|
|
+ follows:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
|
|
|
+ <property name="authenticationDao"><ref bean="authenticationDao"/></property>
|
|
|
+ <property name="userCache"><ref bean="userCache"/></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
|
|
|
+ <property name="minutesToIdle"><value>5</value></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>For a class to be able to provide the
|
|
|
+ <literal>DaoAuthenticationProvider</literal> with access to an
|
|
|
+ authentication repository, it must implement the
|
|
|
+ <literal>AuthenticationDao</literal> interface:</para>
|
|
|
+
|
|
|
+ <para><programlisting>public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException;</programlisting></para>
|
|
|
+
|
|
|
+ <para>The <literal>UserDetails</literal> is an interface that provides
|
|
|
+ getters that guarantee non-null provision of basic authentication
|
|
|
+ information such as the username, password, granted authorities and
|
|
|
+ whether the user is enabled or disabled. A concrete implementation,
|
|
|
+ <literal>User</literal>, is also provided. Acegi Security users will
|
|
|
+ need to decide when writing their <literal>AuthenticationDao</literal>
|
|
|
+ what type of <literal>UserDetails</literal> to return. In most cases
|
|
|
+ <literal>User</literal> will be used directly or subclassed, although
|
|
|
+ special circumstances (such as object relational mappers) may require
|
|
|
+ users to write their own <literal>UserDetails</literal> implementation
|
|
|
+ from scratch.</para>
|
|
|
+
|
|
|
+ <para>Given <literal>AuthenticationDao</literal> is so simple to
|
|
|
+ implement, it should be easy for users to retrieve authentication
|
|
|
+ information using a persistence strategy of their choice.</para>
|
|
|
+
|
|
|
+ <para>A design decision was made not to support account locking in the
|
|
|
+ <literal>DaoAuthenticationProvider</literal>, as doing so would have
|
|
|
+ increased the complexity of the <literal>AuthenticationDao</literal>
|
|
|
+ interface. For instance, a method would be required to increase the
|
|
|
+ count of unsuccessful authentication attempts. Such functionality
|
|
|
+ could be easily provided by leveraging the application event
|
|
|
+ publishing features discussed below.</para>
|
|
|
+
|
|
|
+ <para><literal>DaoAuthenticationProvider</literal> returns an
|
|
|
+ <literal>Authentication</literal> object which in turn has its
|
|
|
+ <literal>principal</literal> property set. The principal will be
|
|
|
+ either a <literal>String</literal> (which is essentially the username)
|
|
|
+ or a <literal>UserDetails</literal> object (which was looked up from
|
|
|
+ the <literal>AuthenticationDao</literal>). By default the
|
|
|
+ <literal>UserDetails</literal> is returned, as this enables
|
|
|
+ applications to add extra properties potentially of use in
|
|
|
+ applications, such as the user's full name, email address etc. If
|
|
|
+ using container adapters, or if your applications were written to
|
|
|
+ operate with <literal>String</literal>s (as was the case for releases
|
|
|
+ prior to Acegi Security 0.6), you should set the
|
|
|
+ <literal>DaoAuthenticationProvider.forcePrincipalAsString</literal>
|
|
|
+ property to <literal>true</literal> in your application
|
|
|
+ context.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authentication-provider-events">
|
|
|
+ <title>Event Publishing</title>
|
|
|
+
|
|
|
+ <para>The <literal>DaoAuthenticationProvider</literal> automatically
|
|
|
+ obtains the <literal>ApplicationContext</literal> it is running in at
|
|
|
+ startup time. This allows the provider to publish events through the
|
|
|
+ standard Spring event framework. Three types of event messages are
|
|
|
+ published:</para>
|
|
|
+
|
|
|
+ <itemizedlist spacing="compact">
|
|
|
+ <listitem>
|
|
|
+ <para><literal>AuthenticationSuccessEvent</literal> is published
|
|
|
+ when an authentication request is successful.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>AuthenticationFailureDisabledEvent</literal> is
|
|
|
+ published when an authentication request is unsuccessful because
|
|
|
+ the returned <literal>UserDetails</literal> is disabled. This is
|
|
|
+ normally the case when an account is locked.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>AuthenticationFailureUsernameNotFoundEvent</literal>
|
|
|
+ is published when an authentication request is unsuccessful
|
|
|
+ because the <literal>AuthenticationDao</literal> could not locate
|
|
|
+ the <literal>UserDetails</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>AuthenticationFailurePasswordEvent</literal> is
|
|
|
+ published when an authentication request is unsuccessful because
|
|
|
+ the presented password did not match that in the
|
|
|
+ <literal>UserDetails</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist>
|
|
|
+
|
|
|
+ <para>Each event contains two objects: the
|
|
|
+ <literal>Authentication</literal> object that represented the
|
|
|
+ authentication request, and the <literal>UserDetails</literal> object
|
|
|
+ that was found in response to the authentication request (clearly the
|
|
|
+ latter will be a dummy object in the case of
|
|
|
+ <literal>AuthenticationFailureUsernameNotFoundEvent</literal>). The
|
|
|
+ <literal>Authentication</literal> interface provides a
|
|
|
+ <literal>getDetails()</literal> method which often includes
|
|
|
+ information that event consumers may find useful (eg the TCP/IP
|
|
|
+ address that the authentication request originated from).</para>
|
|
|
+
|
|
|
+ <para>As per standard Spring event handling, you can receive these
|
|
|
+ events by adding a bean to the application context which implements
|
|
|
+ the <literal>ApplicationListener</literal> interface. Included with
|
|
|
+ Acegi Security is a <literal>LoggerListener</literal> class which
|
|
|
+ receives these events and publishes their details to Commons Logging.
|
|
|
+ Refer to the JavaDocs for <literal>LoggerListener</literal> for
|
|
|
+ details on the logging priorities used for different message
|
|
|
+ types.</para>
|
|
|
+
|
|
|
+ <para>This event publishing system enables you to implement account
|
|
|
+ locking and record authentication event history. This might be of
|
|
|
+ interest to application users, who can be advised of the times and
|
|
|
+ source IP address of all unsuccessful password attempts (and account
|
|
|
+ lockouts) since their last successful login. Such capabilities are
|
|
|
+ simple to implement and greatly improve the security of your
|
|
|
+ application.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authentication-provider-in-memory">
|
|
|
+ <title>In-Memory Authentication</title>
|
|
|
+
|
|
|
+ <para>Whilst it is easy to use the
|
|
|
+ <literal>DaoAuthenticationProvider</literal> and create a custom
|
|
|
+ <literal>AuthenticationDao</literal> implementation that extracts
|
|
|
+ information from a persistence engine of choice, many applications do
|
|
|
+ not require such complexity. One alternative is to configure an
|
|
|
+ authentication repository in the application context itself using the
|
|
|
+ <literal>InMemoryDaoImpl</literal>:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="inMemoryDaoImpl" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
|
|
|
+ <property name="userMap">
|
|
|
+ <value>
|
|
|
+ marissa=koala,ROLE_TELLER,ROLE_SUPERVISOR
|
|
|
+ dianne=emu,ROLE_TELLER
|
|
|
+ scott=wombat,ROLE_TELLER
|
|
|
+ peter=opal,disabled,ROLE_TELLER
|
|
|
+ </value>
|
|
|
+ </property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>The <literal>userMap</literal> property contains each of the
|
|
|
+ usernames, passwords, a list of granted authorities and an optional
|
|
|
+ enabled/disabled keyword. Commas delimit each token. The username must
|
|
|
+ appear to the left of the equals sign, and the password must be the
|
|
|
+ first token to the right of the equals sign. The
|
|
|
+ <literal>enabled</literal> and <literal>disabled</literal> keywords
|
|
|
+ (case insensitive) may appear in the second or any subsequent token.
|
|
|
+ Any remaining tokens are treated as granted authorities, which are
|
|
|
+ created as <literal>GrantedAuthorityImpl</literal> objects (refer to
|
|
|
+ the Authorization section for further discussion on granted
|
|
|
+ authorities). Note that if a user has no password and/or no granted
|
|
|
+ authorities, the user will not be created in the in-memory
|
|
|
+ authentication repository.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authentication-provider-jdbc">
|
|
|
+ <title>JDBC Authentication</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring also includes an
|
|
|
+ authentication provider that can obtain authentication information
|
|
|
+ from a JDBC data source. The typical configuration for the
|
|
|
+ <literal>JdbcDaoImpl</literal> is shown below:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
|
|
|
+ <property name="driverClassName"><value>org.hsqldb.jdbcDriver</value></property>
|
|
|
+ <property name="url"><value>jdbc:hsqldb:hsql://localhost:9001</value></property>
|
|
|
+ <property name="username"><value>sa</value></property>
|
|
|
+ <property name="password"><value></value></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="jdbcDaoImpl" class="net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl">
|
|
|
+ <property name="dataSource"><ref bean="dataSource"/></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>You can use different relational database management systems by
|
|
|
+ modifying the <literal>DriverManagerDataSource</literal> shown above.
|
|
|
+ Irrespective of the database used, a standard schema must be used as
|
|
|
+ indicated in <literal>dbinit.txt</literal>.</para>
|
|
|
+
|
|
|
+ <para>If you default schema is unsuitable for your needs,
|
|
|
+ <literal>JdbcDaoImpl</literal> provides two properties that allow
|
|
|
+ customisation of the SQL statements. You may also subclass the
|
|
|
+ <literal>JdbcDaoImpl</literal> if further customisation is necessary.
|
|
|
+ Please refer to the JavaDocs for details.</para>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring ships with a Hypersonic SQL
|
|
|
+ instance that has the required authentication information and sample
|
|
|
+ data already populated. To use this server, simply execute the
|
|
|
+ <literal>server.bat</literal> or <literal>server.sh</literal> script
|
|
|
+ included in the distribution. This will load a new database server
|
|
|
+ instance that will service requests made to the URL indicated in the
|
|
|
+ bean context configuration shown above.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authentication-provider-jaas">
|
|
|
+ <title>JAAS Authentication</title>
|
|
|
+
|
|
|
+ <para>Acegi Security provides a package able to delegate
|
|
|
+ authentication requests to the Java Authentication and Authorization
|
|
|
+ Service (JAAS). This package is discussed in detail below.</para>
|
|
|
+
|
|
|
+ <para>Central to JAAS operation are login configuration files. To
|
|
|
+ learn more about JAAS login configuration files, consult the JAAS
|
|
|
+ reference documentation available from Sun Microsystems. We expect you
|
|
|
+ to have a basic understanding of JAAS and its login configuration file
|
|
|
+ syntax in order to understand this section.</para>
|
|
|
+
|
|
|
+ <sect3>
|
|
|
+ <title>JaasAuthenticationProvider</title>
|
|
|
+
|
|
|
+ <para>The <literal>JaasAuthenticationProvider</literal> attempts to
|
|
|
+ authenticate a user’s principal and credentials through JAAS.</para>
|
|
|
+
|
|
|
+ <para>Let’s assume we have a JAAS login configuration file,
|
|
|
+ <literal>/WEB-INF/login.conf</literal>, with the following
|
|
|
+ contents:</para>
|
|
|
+
|
|
|
+ <para><programlisting>JAASTest {
|
|
|
+ sample.SampleLoginModule required;
|
|
|
+};</programlisting></para>
|
|
|
+
|
|
|
+ <para>Like all Acegi Security beans, the
|
|
|
+ <literal>JaasAuthenticationProvider</literal> is configured via the
|
|
|
+ application context. The following definitions would correspond to
|
|
|
+ the above JAAS login configuration file:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="jaasAuthenticationProvider" class="net.sf.acegisecurity.providers.jaas.JaasAuthenticationProvider">
|
|
|
+ <property name="loginConfig">
|
|
|
+ <value>/WEB-INF/login.conf</value>
|
|
|
+ </property>
|
|
|
+ <property name="loginContextName">
|
|
|
+ <value>JAASTest</value>
|
|
|
+ </property>
|
|
|
+ <property name="callbackHandlers">
|
|
|
+ <list>
|
|
|
+ <bean class="net.sf.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>
|
|
|
+ <bean class="net.sf.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>
|
|
|
+ </list>
|
|
|
+ </property>
|
|
|
+ <property name="authorityGranters">
|
|
|
+ <list>
|
|
|
+ <bean class="net.sf.acegisecurity.providers.jaas.TestAuthorityGranter"/>
|
|
|
+ </list>
|
|
|
+ </property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>The <literal>CallbackHandler</literal>s and
|
|
|
+ <literal>AuthorityGranter</literal>s are discussed below.</para>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3>
|
|
|
+ <title>Callbacks</title>
|
|
|
+
|
|
|
+ <para>Most JAAS <literal>LoginModule</literal>s require a callback
|
|
|
+ of some sort. These callbacks are usually used to obtain the
|
|
|
+ username and password from the user. In an Acegi Security
|
|
|
+ deployment, Acegi Security is responsible for this user interaction
|
|
|
+ (typically via a reference to a
|
|
|
+ <literal>ContextHolder</literal>-managed
|
|
|
+ <literal>Authentication</literal> object). The JAAS package for
|
|
|
+ Acegi Security provides two default callback handlers,
|
|
|
+ <literal>JaasNameCallbackHandler</literal> and
|
|
|
+ <literal>JaasPasswordCallbackHandler</literal>. Each of these
|
|
|
+ callback handlers implement
|
|
|
+ <literal>JaasAuthenticationCallbackHandler</literal>. In most cases
|
|
|
+ these callback handlers can simply be used without understanding the
|
|
|
+ internal mechanics. For those needing full control over the callback
|
|
|
+ behavior, internally <literal>JaasAutheticationProvider</literal>
|
|
|
+ wraps these <literal>JaasAuthenticationCallbackHandler</literal>s
|
|
|
+ with an <literal>InternalCallbackHandler</literal>. The
|
|
|
+ <literal>InternalCallbackHandler</literal> is the class that
|
|
|
+ actually implements JAAS’ normal <literal>CallbackHandler</literal>
|
|
|
+ interface. Any time that the JAAS <literal>LoginModule</literal> is
|
|
|
+ used, it is passed a list of application context configured
|
|
|
+ <literal>InternalCallbackHandler</literal>s. If the
|
|
|
+ <literal>LoginModule</literal> requests a callback against the
|
|
|
+ <literal>InternalCallbackHandler</literal>s, the callback is in-turn
|
|
|
+ passed to the <literal>JaasAuthenticationCallbackHandler</literal>s
|
|
|
+ being wrapped.</para>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3>
|
|
|
+ <title>AuthorityGranters</title>
|
|
|
+
|
|
|
+ <para>JAAS works with principals. Even “roles” are represented as
|
|
|
+ principals in JAAS. Acegi Security, on the other hand, works with
|
|
|
+ <literal>Authentication</literal> objects. Each
|
|
|
+ <literal>Authentication</literal> object contains a single
|
|
|
+ principal, and multiple <literal>GrantedAuthority</literal>[]s. To
|
|
|
+ facilitate mapping between these different concepts, the Acegi
|
|
|
+ Security JAAS package includes an
|
|
|
+ <literal>AuthorityGranter</literal> interface. An
|
|
|
+ <literal>AuthorityGranter</literal> is responsible for inspecting a
|
|
|
+ JAAS principal and returning a <literal>String</literal>. The
|
|
|
+ <literal>JaasAuthenticationProvider</literal> then creates a
|
|
|
+ <literal>JaasGrantedAuthority</literal> (which implements Acegi
|
|
|
+ Security’s <literal>GrantedAuthority</literal> interface) containing
|
|
|
+ both the <literal>AuthorityGranter</literal>-returned
|
|
|
+ <literal>String</literal> and the JAAS principal that the
|
|
|
+ <literal>AuthorityGranter</literal> was passed. The
|
|
|
+ <literal>JaasAuthenticationProvider</literal> obtains the JAAS
|
|
|
+ principals by firstly successfully authenticating the user’s
|
|
|
+ credentials using the JAAS <literal>LoginModule</literal>, and then
|
|
|
+ accessing the <literal>LoginContext</literal> it returns. A call to
|
|
|
+ <literal>LoginContext.getSubject().getPrincipals()</literal> is
|
|
|
+ made, with each resulting principal passed to each
|
|
|
+ <literal>AuthorityGranter</literal> defined against the
|
|
|
+ <literal>JaasAuthenticationProvider.setAuthorityGranters(List)</literal>
|
|
|
+ property. Acegi Security does not include any production
|
|
|
+ <literal>AuthorityGranter</literal>s given every JAAS principal has
|
|
|
+ an implementation-specific meaning. However, there is a
|
|
|
+ <literal>TestAuthorityGranter</literal> in the unit tests that
|
|
|
+ demonstrates a simple <literal>AuthorityGranter</literal>
|
|
|
+ implementation.</para>
|
|
|
+ </sect3>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authentication-recommendations">
|
|
|
+ <title>Authentication Recommendations</title>
|
|
|
+
|
|
|
+ <para>With the heavy use of interfaces throughout the authentication
|
|
|
+ system (<literal>Authentication</literal>,
|
|
|
+ <literal>AuthenticationManager</literal>,
|
|
|
+ <literal>AuthenticationProvider</literal> and
|
|
|
+ <literal>AuthenticationDao</literal>) it might be confusing to a new
|
|
|
+ user to know which part of the authentication system to customize. In
|
|
|
+ general, the following is recommended:</para>
|
|
|
+
|
|
|
+ <itemizedlist>
|
|
|
+ <listitem>
|
|
|
+ <para>Use the
|
|
|
+ <literal>UsernamePasswordAuthenticationToken</literal>
|
|
|
+ implementation where possible.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>If you simply need to implement a new authentication
|
|
|
+ repository (eg to obtain user details from your application’s
|
|
|
+ existing database), use the
|
|
|
+ <literal>DaoAuthenticationProvider</literal> along with the
|
|
|
+ <literal>AuthenticationDao</literal>. It is the fastest and safest
|
|
|
+ way to integrate an external database.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>If you're using Container Adapters or a
|
|
|
+ <literal>RunAsManager</literal> that replaces the
|
|
|
+ <literal>Authentication</literal> object, ensure you have
|
|
|
+ registered the <literal>AuthByAdapterProvider</literal> and
|
|
|
+ <literal>RunAsManagerImplProvider</literal> respectively with your
|
|
|
+ <literal>ProviderManager</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Never enable the
|
|
|
+ <literal>TestingAuthenticationProvider</literal> on a production
|
|
|
+ system. Doing so will allow any client to simply present a
|
|
|
+ <literal>TestingAuthenticationToken</literal> and obtain whatever
|
|
|
+ access they request.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Adding a new <literal>AuthenticationProvider</literal> is
|
|
|
+ sufficient to support most custom authentication requirements.
|
|
|
+ Only unusual requirements would require the
|
|
|
+ <literal>ProviderManager</literal> to be replaced with a different
|
|
|
+ <literal>AuthenticationManager</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-authorization">
|
|
|
+ <title>Authorization</title>
|
|
|
+
|
|
|
+ <sect2 id="security-authorization-granted-authorities">
|
|
|
+ <title>Granted Authorities</title>
|
|
|
+
|
|
|
+ <para>As briefly mentioned in the Authentication section, all
|
|
|
+ <literal>Authentication</literal> implementations are required to
|
|
|
+ store an array of <literal>GrantedAuthority</literal> objects. These
|
|
|
+ represent the authorities that have been granted to the principal. The
|
|
|
+ <literal>GrantedAuthority</literal> objects are inserted into the
|
|
|
+ <literal>Authentication</literal> object by the
|
|
|
+ <literal>AuthenticationManager</literal> and are later read by
|
|
|
+ <literal>AccessDecisionManager</literal>s when making authorization
|
|
|
+ decisions.</para>
|
|
|
+
|
|
|
+ <para><literal>GrantedAuthority</literal> is an interface with only
|
|
|
+ one method:</para>
|
|
|
+
|
|
|
+ <para><programlisting>public String getAuthority();</programlisting></para>
|
|
|
+
|
|
|
+ <para>This method allows <literal>AccessDecisionManager</literal>s to
|
|
|
+ obtain a precise <literal>String</literal> representation of the
|
|
|
+ <literal>GrantedAuthority</literal>. By returning a representation as
|
|
|
+ a <literal>String</literal>, a <literal>GrantedAuthority</literal> can
|
|
|
+ be easily "read" by most <literal>AccessDecisionManager</literal>s. If
|
|
|
+ a <literal>GrantedAuthority</literal> cannot be precisely represented
|
|
|
+ as a <literal>String</literal>, the
|
|
|
+ <literal>GrantedAuthority</literal> is considered "complex" and
|
|
|
+ <literal>getAuthority()</literal> must return
|
|
|
+ <literal>null</literal>.</para>
|
|
|
+
|
|
|
+ <para>An example of a "complex" <literal>GrantedAuthority</literal>
|
|
|
+ would be an implementation that stores a list of operations and
|
|
|
+ authority thresholds that apply to different customer account numbers.
|
|
|
+ Representing this complex <literal>GrantedAuthority</literal> as a
|
|
|
+ <literal>String</literal> would be quite complex, and as a result the
|
|
|
+ <literal>getAuthority()</literal> method should return
|
|
|
+ <literal>null</literal>. This will indicate to any
|
|
|
+ <literal>AccessDecisionManager</literal> that it will need to
|
|
|
+ specifically support the <literal>GrantedAuthority</literal>
|
|
|
+ implementation in order to understand its contents.</para>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring includes one concrete
|
|
|
+ <literal>GrantedAuthority</literal> implementation,
|
|
|
+ <literal>GrantedAuthorityImpl</literal>. This allows any
|
|
|
+ user-specified <literal>String</literal> to be converted into a
|
|
|
+ <literal>GrantedAuthority</literal>. All
|
|
|
+ <literal>AuthenticationProvider</literal>s included with the security
|
|
|
+ architecture use <literal>GrantedAuthorityImpl</literal> to populate
|
|
|
+ the <literal>Authentication</literal> object.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authorization-access-decision-managers">
|
|
|
+ <title>Access Decision Managers</title>
|
|
|
+
|
|
|
+ <para>The <literal>AccessDecisionManager</literal> is called by the
|
|
|
+ <literal>AbstractSecurityInterceptor</literal> and is responsible for
|
|
|
+ making final access control decisions. The
|
|
|
+ <literal>AccessDecisionManager</literal> interface contains three
|
|
|
+ methods:</para>
|
|
|
+
|
|
|
+ <para><programlisting>public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;
|
|
|
+public boolean supports(ConfigAttribute attribute);
|
|
|
+public boolean supports(Class clazz);</programlisting></para>
|
|
|
+
|
|
|
+ <para>As can be seen from the first method, the
|
|
|
+ <literal>AccessDecisionManager</literal> is passed via method
|
|
|
+ parameters all information that is likely to be of value in assessing
|
|
|
+ an authorization decision. In particular, passing the secure
|
|
|
+ <literal>Object</literal> enables those arguments contained in the
|
|
|
+ actual secure object invocation to be inspected. For example, let's
|
|
|
+ assume the secure object was a <literal>MethodInvocation</literal>. It
|
|
|
+ would be easy to query the <literal>MethodInvocation</literal> for any
|
|
|
+ <literal>Customer</literal> argument, and then implement some sort of
|
|
|
+ security logic in the <literal>AccessDecisionManager</literal> to
|
|
|
+ ensure the principal is permitted to operate on that customer.
|
|
|
+ Implementations are expected to throw an
|
|
|
+ <literal>AccessDeniedException</literal> if access is denied.</para>
|
|
|
+
|
|
|
+ <para>The <literal>supports(ConfigAttribute)</literal> method is
|
|
|
+ called by the <literal>AbstractSecurityInterceptor</literal> at
|
|
|
+ startup time to determine if the
|
|
|
+ <literal>AccessDecisionManager</literal> can process the passed
|
|
|
+ <literal>ConfigAttribute</literal>. The
|
|
|
+ <literal>supports(Class)</literal> method is called by a security
|
|
|
+ interceptor implementation to ensure the configured
|
|
|
+ <literal>AccessDecisionManager</literal> supports the type of secure
|
|
|
+ object that the security interceptor will present.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authorization-voting-decision-manager">
|
|
|
+ <title>Voting Decision Manager</title>
|
|
|
+
|
|
|
+ <para>Whilst users can implement their own
|
|
|
+ <literal>AccessDecisionManager</literal> to control all aspects of
|
|
|
+ authorization, the Acegi Security System for Spring includes several
|
|
|
+ <literal>AccessDecisionManager</literal> implementations that are
|
|
|
+ based on voting. Using this approach, a series of
|
|
|
+ <literal>AccessDecisionVoter</literal> implementations are polled on
|
|
|
+ an authorization decision. The
|
|
|
+ <literal>AccessDecisionManager</literal> then decides whether or not
|
|
|
+ to throw an <literal>AccessDeniedException</literal> based on its
|
|
|
+ assessment of the votes.</para>
|
|
|
+
|
|
|
+ <para>The <literal>AccessDecisionVoter</literal> interface has three
|
|
|
+ methods:</para>
|
|
|
+
|
|
|
+ <para><programlisting>public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
|
|
|
+public boolean supports(ConfigAttribute attribute);
|
|
|
+public boolean supports(Class clazz);</programlisting></para>
|
|
|
+
|
|
|
+ <para>Concrete implementations return an <literal>int</literal>, with
|
|
|
+ possible values being reflected in the
|
|
|
+ <literal>AccessDecisionVoter</literal> static fields
|
|
|
+ <literal>ACCESS_ABSTAIN</literal>, <literal>ACCESS_DENIED</literal>
|
|
|
+ and <literal>ACCESS_GRANTED</literal>. A voting implementation will
|
|
|
+ return <literal>ACCESS_ABSTAIN</literal> if it has no opinion on an
|
|
|
+ authorization decision. If it does have an opinion, it must return
|
|
|
+ either <literal>ACCESS_DENIED</literal> or
|
|
|
+ <literal>ACCESS_GRANTED</literal>.</para>
|
|
|
+
|
|
|
+ <para>There are three concrete
|
|
|
+ <literal>AccessDecisionManager</literal>s provided with the Acegi
|
|
|
+ Security System for Spring that tally the votes. The
|
|
|
+ <literal>ConsensusBased</literal> implementation will grant or deny
|
|
|
+ access based on the consensus of non-abstain votes. Properties are
|
|
|
+ provided to control behavior in the event of an equality of votes or
|
|
|
+ if all votes are abstain. The <literal>AffirmativeBased</literal>
|
|
|
+ implementation will grant access if one or more
|
|
|
+ <literal>ACCESS_GRANTED</literal> votes were received (ie a deny vote
|
|
|
+ will be ignored, provided there was at least one grant vote). Like the
|
|
|
+ <literal>ConsensusBased</literal> implementation, there is a parameter
|
|
|
+ that controls the behavior if all voters abstain. The
|
|
|
+ <literal>UnanimousBased</literal> provider expects unanimous
|
|
|
+ <literal>ACCESS_GRANTED</literal> votes in order to grant access,
|
|
|
+ ignoring abstains. It will deny access if there is any
|
|
|
+ <literal>ACCESS_DENIED</literal> vote. Like the other implementations,
|
|
|
+ there is a parameter that controls the behaviour if all voters
|
|
|
+ abstain.</para>
|
|
|
+
|
|
|
+ <para>It is possible to implement a custom
|
|
|
+ <literal>AccessDecisionManager</literal> that tallies votes
|
|
|
+ differently. For example, votes from a particular
|
|
|
+ <literal>AccessDecisionVoter</literal> might receive additional
|
|
|
+ weighting, whilst a deny vote from a particular voter may have a veto
|
|
|
+ effect.</para>
|
|
|
+
|
|
|
+ <para>There is one concrete <literal>AccessDecisionVoter</literal>
|
|
|
+ implementation provided with the Acegi Security System for Spring. The
|
|
|
+ <literal>RoleVoter</literal> class will vote if any ConfigAttribute
|
|
|
+ begins with <literal>ROLE_</literal>. It will vote to grant access if
|
|
|
+ there is a <literal>GrantedAuthority</literal> which returns a
|
|
|
+ <literal>String</literal> representation (via the
|
|
|
+ <literal>getAuthority()</literal> method) exactly equal to one or more
|
|
|
+ <literal>ConfigAttributes</literal> starting with
|
|
|
+ <literal>ROLE_</literal>. If there is no exact match of any
|
|
|
+ <literal>ConfigAttribute</literal> starting with
|
|
|
+ <literal>ROLE_</literal>, the <literal>RoleVoter</literal> will vote
|
|
|
+ to deny access. If no <literal>ConfigAttribute</literal> begins with
|
|
|
+ <literal>ROLE_</literal>, the voter will abstain.
|
|
|
+ <literal>RoleVoter</literal> is case sensitive on comparisons as well
|
|
|
+ as the <literal>ROLE_</literal> prefix.</para>
|
|
|
+
|
|
|
+ <para>It is possible to implement a custom
|
|
|
+ <literal>AccessDecisionVoter</literal>. Several examples are provided
|
|
|
+ in the Acegi Security System for Spring unit tests, including
|
|
|
+ <literal>ContactSecurityVoter</literal> and
|
|
|
+ <literal>DenyVoter</literal>. The
|
|
|
+ <literal>ContactSecurityVoter</literal> abstains from voting decisions
|
|
|
+ where a <literal>CONTACT_OWNED_BY_CURRENT_USER</literal>
|
|
|
+ <literal>ConfigAttribute</literal> is not found. If voting, it queries
|
|
|
+ the <literal>MethodInvocation</literal> to extract the owner of the
|
|
|
+ <literal>Contact</literal> object that is subject of the method call.
|
|
|
+ It votes to grant access if the <literal>Contact</literal> owner
|
|
|
+ matches the principal presented in the
|
|
|
+ <literal>Authentication</literal> object. It could have just as easily
|
|
|
+ compared the <literal>Contact</literal> owner with some
|
|
|
+ <literal>GrantedAuthority</literal> the
|
|
|
+ <literal>Authentication</literal> object presented. All of this is
|
|
|
+ achieved with relatively few lines of code and demonstrates the
|
|
|
+ flexibility of the authorization model.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authorization-taglib">
|
|
|
+ <title>Authorization Tag Library</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring comes bundled with a JSP
|
|
|
+ tag library that eases JSP writing. The tag library is known as
|
|
|
+ <literal>authz</literal>.</para>
|
|
|
+
|
|
|
+ <para>This library allows you to easy develop JSP pages which
|
|
|
+ reference the security environment. For example,
|
|
|
+ <literal>authz</literal> allows you to determine if a principal holds
|
|
|
+ a particular granted authority, holds a group of granted authorities,
|
|
|
+ or does not hold a given granted authority.</para>
|
|
|
+
|
|
|
+ <sect3>
|
|
|
+ <title>Usage</title>
|
|
|
+
|
|
|
+ <para>The following JSP fragment illustrates how to use the
|
|
|
+ <literal>authz</literal> taglib:</para>
|
|
|
+
|
|
|
+ <para><programlisting><authz:authorize ifAllGranted="ROLE_SUPERVISOR">
|
|
|
+ <td>
|
|
|
+ <A HREF="del.htm?id=<c:out value="${contact.id}"/>">Del</A>
|
|
|
+ </td>
|
|
|
+</authz:authorize></programlisting></para>
|
|
|
+
|
|
|
+ <para>This code was copied from the Contacts sample
|
|
|
+ application.</para>
|
|
|
+
|
|
|
+ <para>What this code says is: if the principal has been granted
|
|
|
+ ROLE_SUPERVISOR, allow the tag's body to be output.</para>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3>
|
|
|
+ <title>Installation</title>
|
|
|
+
|
|
|
+ <para>Installation is a simple matter. Simply copy the
|
|
|
+ <literal>acegi-security-taglib.jar</literal> file into your
|
|
|
+ application's <literal>WEB-INF/lib</literal> folder. The tag library
|
|
|
+ includes it's TLD, which makes it easier to work with JSP 1.2+
|
|
|
+ containers.</para>
|
|
|
+
|
|
|
+ <para>If you are using a JSP 1.1 container, you will need to declare
|
|
|
+ the JSP tag library in your application's <literal>web.xml</literal>
|
|
|
+ file, with code such as this:</para>
|
|
|
+
|
|
|
+ <para><programlisting><taglib>
|
|
|
+ <taglib-uri>http://acegisecurity.sf.net/authz</taglib-uri>
|
|
|
+ <taglib-location>/WEB-INF/authz.tld</taglib-location>
|
|
|
+</taglib></programlisting></para>
|
|
|
+
|
|
|
+ <para>For JSP 1.1 containers you will also need to extract the
|
|
|
+ <literal>authz.tld</literal> file from the
|
|
|
+ <literal>acegi-security-taglib.jar</literal> file and put it into
|
|
|
+ your application's <literal>WEB-INF/lib</literal> folder. Use a
|
|
|
+ regular Zip tool, or Java's JAR utility.</para>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3>
|
|
|
+ <title>Reference</title>
|
|
|
+
|
|
|
+ <para>The <literal>authz:authorize</literal> tag declares the
|
|
|
+ following attributes:</para>
|
|
|
+
|
|
|
+ <para><itemizedlist spacing="compact">
|
|
|
+ <listitem>
|
|
|
+ <para><literal>ifAllGranted</literal>: All the listed roles
|
|
|
+ must be granted for the tag to output its body.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>ifAnyGranted</literal>: Any of the listed roles
|
|
|
+ must be granted for the tag to output its body.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>ifNotGranted</literal>: None of the listed
|
|
|
+ roles must be granted for the tag to output its body.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist></para>
|
|
|
+
|
|
|
+ <para>You'll note that in each attribute you can list multiple
|
|
|
+ roles. Simply separate the roles using a comma. The
|
|
|
+ <literal>authorize</literal> tag ignores whitespace in
|
|
|
+ attributes.</para>
|
|
|
+
|
|
|
+ <para>The tag library logically ANDs all of it's parameters
|
|
|
+ together. This means that if you combine two or more attributes, all
|
|
|
+ attributes must be true for the tag to output it's body. Don't add
|
|
|
+ an <literal>ifAllGranted="ROLE_SUPERVISOR"</literal>, followed by an
|
|
|
+ <literal>ifNotGranted="ROLE_SUPERVISOR"</literal>, or you'll be
|
|
|
+ surprised to never see the tag's body.</para>
|
|
|
+
|
|
|
+ <para>By requiring all attributes to return true, the authorize tag
|
|
|
+ allows you to create more complex authorization scenarios. For
|
|
|
+ example, you could declare an
|
|
|
+ <literal>ifAllGranted="ROLE_SUPERVISOR"</literal> and an
|
|
|
+ <literal>ifNotGranted="ROLE_NEWBIE_SUPERVISOR"</literal> in the same
|
|
|
+ tag, in order to prevent new supervisors from seeing the tag body.
|
|
|
+ However it would no doubt be simpler to use
|
|
|
+ <literal>ifAllGranted="ROLE_EXPERIENCED_SUPERVISOR"</literal> rather
|
|
|
+ than inserting NOT conditions into your design.</para>
|
|
|
+
|
|
|
+ <para>One last item: the tag verifies the authorizations in a
|
|
|
+ specific order: first <literal>ifNotGranted</literal>, then
|
|
|
+ <literal>ifAllGranted</literal>, and finally,
|
|
|
+ <literal>ifAnyGranted</literal>.</para>
|
|
|
+ </sect3>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-authorization-recommendations">
|
|
|
+ <title>Authorization Recommendations</title>
|
|
|
+
|
|
|
+ <para>Given there are several ways to achieve similar authorization
|
|
|
+ outcomes in the Acegi Security System for Spring, the following
|
|
|
+ general recommendations are made:</para>
|
|
|
+
|
|
|
+ <itemizedlist>
|
|
|
+ <listitem>
|
|
|
+ <para>Grant authorities using
|
|
|
+ <literal>GrantedAuthorityImpl</literal> where possible. Because it
|
|
|
+ is already supported by the Acegi Security System for Spring, you
|
|
|
+ avoid the need to create custom
|
|
|
+ <literal>AuthenticationManager</literal> or
|
|
|
+ <literal>AuthenticationProvider</literal> implementations simply
|
|
|
+ to populate the <literal>Authentication</literal> object with a
|
|
|
+ custom <literal>GrantedAuthority</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Writing an <literal>AccessDecisionVoter</literal>
|
|
|
+ implementation and using either <literal>ConsensusBased</literal>,
|
|
|
+ <literal>AffirmativeBased</literal> or
|
|
|
+ <literal>UnanimousBased</literal> as the
|
|
|
+ <literal>AccessDecisionManager</literal> may be the best approach
|
|
|
+ to implementing your custom access decision rules.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-run-as">
|
|
|
+ <title>Run-As Authentication Replacement</title>
|
|
|
+
|
|
|
+ <sect2 id="security-run-as-purpose">
|
|
|
+ <title>Purpose</title>
|
|
|
+
|
|
|
+ <para>The <literal>AbstractSecurityInterceptor</literal> is able to
|
|
|
+ temporarily replace the <literal>Authentication</literal> object in
|
|
|
+ the <literal>SecureContext</literal> and
|
|
|
+ <literal>ContextHolder</literal> during the
|
|
|
+ <literal>SecurityInterceptorCallback</literal>. This only occurs if
|
|
|
+ the original <literal>Authentication</literal> object was successfully
|
|
|
+ processed by the <literal>AuthenticationManager</literal> and
|
|
|
+ <literal>AccessDecisionManager</literal>. The
|
|
|
+ <literal>RunAsManager</literal> will indicate the replacement
|
|
|
+ <literal>Authentication</literal> object, if any, that should be used
|
|
|
+ during the <literal>SecurityInterceptorCallback</literal>.</para>
|
|
|
+
|
|
|
+ <para>By temporarily replacing the <literal>Authentication</literal>
|
|
|
+ object during a <literal>SecurityInterceptorCallback</literal>, the
|
|
|
+ secured invocation will be able to call other objects which require
|
|
|
+ different authentication and authorization credentials. It will also
|
|
|
+ be able to perform any internal security checks for specific
|
|
|
+ <literal>GrantedAuthority</literal> objects.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-run-as-usage">
|
|
|
+ <title>Usage</title>
|
|
|
+
|
|
|
+ <para>A <literal>RunAsManager</literal> interface is provided by the
|
|
|
+ Acegi Security System for Spring:</para>
|
|
|
+
|
|
|
+ <para><programlisting>public Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
|
|
|
+public boolean supports(ConfigAttribute attribute);
|
|
|
+public boolean supports(Class clazz);</programlisting></para>
|
|
|
+
|
|
|
+ <para>The first method returns the <literal>Authentication</literal>
|
|
|
+ object that should replace the existing
|
|
|
+ <literal>Authentication</literal> object for the duration of the
|
|
|
+ method invocation. If the method returns <literal>null</literal>, it
|
|
|
+ indicates no replacement should be made. The second method is used by
|
|
|
+ the <literal>AbstractSecurityInterceptor</literal> as part of its
|
|
|
+ startup validation of configuration attributes. The
|
|
|
+ <literal>supports(Class)</literal> method is called by a security
|
|
|
+ interceptor implementation to ensure the configured
|
|
|
+ <literal>RunAsManager</literal> supports the type of secure object
|
|
|
+ that the security interceptor will present.</para>
|
|
|
+
|
|
|
+ <para>One concrete implementation of a <literal>RunAsManager</literal>
|
|
|
+ is provided with the Acegi Security System for Spring. The
|
|
|
+ <literal>RunAsManagerImpl</literal> class returns a replacement
|
|
|
+ <literal>RunAsUserToken</literal> if any
|
|
|
+ <literal>ConfigAttribute</literal> starts with
|
|
|
+ <literal>RUN_AS_</literal>. If any such
|
|
|
+ <literal>ConfigAttribute</literal> is found, the replacement
|
|
|
+ <literal>RunAsUserToken</literal> will contain the same principal,
|
|
|
+ credentials and granted authorities as the original
|
|
|
+ <literal>Authentication</literal> object, along with a new
|
|
|
+ <literal>GrantedAuthorityImpl</literal> for each
|
|
|
+ <literal>RUN_AS_</literal> <literal>ConfigAttribute</literal>. Each
|
|
|
+ new <literal>GrantedAuthorityImpl</literal> will be prefixed with
|
|
|
+ <literal>ROLE_</literal>, followed by the <literal>RUN_AS</literal>
|
|
|
+ <literal>ConfigAttribute</literal>. For example, a
|
|
|
+ <literal>RUN_AS_SERVER</literal> will result in the replacement
|
|
|
+ <literal>RunAsUserToken</literal> containing a
|
|
|
+ <literal>ROLE_RUN_AS_SERVER</literal> granted authority.</para>
|
|
|
+
|
|
|
+ <para>The replacement <literal>RunAsUserToken</literal> is just like
|
|
|
+ any other <literal>Authentication</literal> object. It needs to be
|
|
|
+ authenticated by the <literal>AuthenticationManager</literal>,
|
|
|
+ probably via delegation to a suitable
|
|
|
+ <literal>AuthenticationProvider</literal>. The
|
|
|
+ <literal>RunAsImplAuthenticationProvider</literal> performs such
|
|
|
+ authentication. It simply accepts as valid any
|
|
|
+ <literal>RunAsUserToken</literal> presented.</para>
|
|
|
+
|
|
|
+ <para>To ensure malicious code does not create a
|
|
|
+ <literal>RunAsUserToken</literal> and present it for guaranteed
|
|
|
+ acceptance by the <literal>RunAsImplAuthenticationProvider</literal>,
|
|
|
+ the hash of a key is stored in all generated tokens. The
|
|
|
+ <literal>RunAsManagerImpl</literal> and
|
|
|
+ <literal>RunAsImplAuthenticationProvider</literal> is created in the
|
|
|
+ bean context with the same key:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="runAsManager" class="net.sf.acegisecurity.runas.RunAsManagerImpl">
|
|
|
+ <property name="key"><value>my_run_as_password</value></property>
|
|
|
+</bean></programlisting><programlisting><bean id="runAsAuthenticationProvider" class="net.sf.acegisecurity.runas.RunAsImplAuthenticationProvider">
|
|
|
+ <property name="key"><value>my_run_as_password</value></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>By using the same key, each <literal>RunAsUserToken</literal>
|
|
|
+ can be validated it was created by an approved
|
|
|
+ <literal>RunAsManagerImpl</literal>. The
|
|
|
+ <literal>RunAsUserToken</literal> is immutable after creation for
|
|
|
+ security reasons.</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-ui">
|
|
|
+ <title>User Interfacing with the ContextHolder</title>
|
|
|
+
|
|
|
+ <sect2 id="security-ui-purpose">
|
|
|
+ <title>Purpose</title>
|
|
|
+
|
|
|
+ <para>Everything presented so far assumes one thing: the
|
|
|
+ <literal>ContextHolder</literal> is populated with a valid
|
|
|
+ <literal>SecureContext</literal>, which in turn contains a valid
|
|
|
+ <literal>Authentication</literal> object. Developers are free to do
|
|
|
+ this in whichever way they like, such as directly calling the relevant
|
|
|
+ objects at runtime. However, several classes have been provided to
|
|
|
+ make this process transparent in many situations.</para>
|
|
|
+
|
|
|
+ <para>The <literal>net.sf.acegisecurity.ui</literal> package is
|
|
|
+ designed to make interfacing web application user interfaces with the
|
|
|
+ <literal>ContextHolder</literal> as simple as possible. There are two
|
|
|
+ major steps in doing this:</para>
|
|
|
+
|
|
|
+ <para><itemizedlist spacing="compact">
|
|
|
+ <listitem>
|
|
|
+ <para>Actually authenticate the user and place the resulting
|
|
|
+ <literal>Authentication</literal> object in a "well-known
|
|
|
+ location".</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Extract the <literal>Authentication</literal> object from
|
|
|
+ the "well-known location" and place in into the
|
|
|
+ <literal>ContextHolder</literal> for the duration of the secure
|
|
|
+ object invocation.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist></para>
|
|
|
+
|
|
|
+ <para>There are several alternatives are available for the first step,
|
|
|
+ which will be briefly discussed in this chapter. The most popular
|
|
|
+ approach is HTTP Session Authentication, which uses the
|
|
|
+ <literal>HttpSession</literal> object and filters to authenticate the
|
|
|
+ user. Another approach is HTTP Basic Authentication, which allows
|
|
|
+ clients to use HTTP headers to present authentication information to
|
|
|
+ the Acegi Security System for Spring. Alternatively, you can also use
|
|
|
+ Yale Central Authentication Service (CAS) for enterprise-wide single
|
|
|
+ sign on. The final approach is via Container Adapters, which allow
|
|
|
+ supported web containers to perform the authentication themselves.
|
|
|
+ HTTP Session and Basic Authentication is discussed below, whilst CAS
|
|
|
+ and Container Adapters are discussed in separate sections of this
|
|
|
+ document.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-ui-http-session">
|
|
|
+ <title>HTTP Session Authentication</title>
|
|
|
+
|
|
|
+ <para>HTTP Session Authentication involves using the
|
|
|
+ <literal>AuthenticationProcessingFilter</literal> to process a login
|
|
|
+ form. The login form simply contains <literal>j_username</literal> and
|
|
|
+ <literal>j_password</literal> input fields, and posts to a URL that is
|
|
|
+ monitored by the filter (by default
|
|
|
+ <literal>j_acegi_security_check</literal>). The filter is defined in
|
|
|
+ <literal>web.xml</literal> behind a
|
|
|
+ <literal>FilterToBeanProxy</literal> as follows:</para>
|
|
|
+
|
|
|
+ <para><programlisting><filter>
|
|
|
+ <filter-name>Acegi Authentication Processing Filter</filter-name>
|
|
|
+ <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
|
|
|
+ <init-param>
|
|
|
+ <param-name>targetClass</param-name>
|
|
|
+ <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
|
|
|
+ </init-param>
|
|
|
+</filter>
|
|
|
+
|
|
|
+<filter-mapping>
|
|
|
+ <filter-name>Acegi Authentication Processing Filter</filter-name>
|
|
|
+ <url-pattern>/*</url-pattern>
|
|
|
+</filter-mapping></programlisting></para>
|
|
|
+
|
|
|
+ <para>For a discussion of <literal>FilterToBeanProxy</literal>, please
|
|
|
+ refer to the Filters section. The application context will need to
|
|
|
+ define the <literal>AuthenticationProcessingFilter</literal>:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
|
|
|
+ <property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
+ <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
|
|
|
+ <property name="defaultTargetUrl"><value>/</value></property>
|
|
|
+ <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>The configured <literal>AuthenticationManager</literal>
|
|
|
+ processes each authentication request. If authentication fails, the
|
|
|
+ browser will be redirected to the
|
|
|
+ <literal>authenticationFailureUrl</literal>. The
|
|
|
+ <literal>AuthenticationException</literal> will be placed into the
|
|
|
+ <literal>HttpSession</literal> attribute indicated by
|
|
|
+ <literal>AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY</literal>,
|
|
|
+ enabling a reason to be provided to the user on the error page.</para>
|
|
|
+
|
|
|
+ <para>If authentication is successful, the resulting
|
|
|
+ <literal>Authentication</literal> object will be placed into the
|
|
|
+ <literal>HttpSession</literal> attribute indicated by
|
|
|
+ <literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.
|
|
|
+ This becomes the "well-known location" from which the
|
|
|
+ <literal>Authentication</literal> object is later extracted.</para>
|
|
|
+
|
|
|
+ <para>Once the <literal>HttpSession</literal> has been updated, the
|
|
|
+ browser will need to be redirected to the target URL. The target URL
|
|
|
+ is usually indicated by the <literal>HttpSession</literal> attribute
|
|
|
+ specified by
|
|
|
+ <literal>AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY</literal>.
|
|
|
+ This attribute is automatically set by the
|
|
|
+ <literal>SecurityEnforcementFilter</literal> when an
|
|
|
+ <literal>AuthenticationException</literal> occurs, so that after login
|
|
|
+ is completed the user can return to what they were trying to access.
|
|
|
+ If for some reason the <literal>HttpSession</literal> does not
|
|
|
+ indicate the target URL, the browser will be redirected to the
|
|
|
+ <literal>defaultTargetUrl</literal> property.</para>
|
|
|
+
|
|
|
+ <para>Because this authentication approach is fully contained within a
|
|
|
+ single web application, HTTP Session Authentication is recommended to
|
|
|
+ be used instead of Container Adapters.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-ui-http-basic">
|
|
|
+ <title>HTTP Basic Authentication</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring provides a
|
|
|
+ <literal>BasicProcessingFilter</literal> which is capable of
|
|
|
+ processing authentication credentials presented in HTTP headers. This
|
|
|
+ can be used for authenticating calls made by Spring remoting protocols
|
|
|
+ (such as Hessian and Burlap), as well as normal user agents (such as
|
|
|
+ Internet Explorer and Navigator). The standard governing HTTP Basic
|
|
|
+ Authentication is defined by RFC 1945, Section 11, and the
|
|
|
+ <literal>BasicProcessingFilter</literal> conforms with this
|
|
|
+ RFC.</para>
|
|
|
+
|
|
|
+ <para>To implement HTTP Basic Authentication, it is necessary to add
|
|
|
+ the following filter to <literal>web.xml</literal>:</para>
|
|
|
+
|
|
|
+ <para><programlisting><filter>
|
|
|
+ <filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
|
|
|
+ <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
|
|
|
+ <init-param>
|
|
|
+ <param-name>targetClass</param-name>
|
|
|
+ <param-value>net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter</param-value>
|
|
|
+ </init-param>
|
|
|
+</filter>
|
|
|
+
|
|
|
+<filter-mapping>
|
|
|
+ <filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
|
|
|
+ <url-pattern>/*</url-pattern>
|
|
|
+</filter-mapping></programlisting></para>
|
|
|
+
|
|
|
+ <para>For a discussion of <literal>FilterToBeanProxy</literal>, please
|
|
|
+ refer to the Filters section. The application context will need to
|
|
|
+ define the <literal>BasicProcessingFilter</literal> and its required
|
|
|
+ collaborator:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="basicProcessingFilter" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
|
|
|
+ <property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
+ <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
|
|
|
+ <property name="realmName"><value>Name Of Your Realm</value></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>The configured <literal>AuthenticationManager</literal>
|
|
|
+ processes each authentication request. If authentication fails, the
|
|
|
+ configured <literal>AuthenticationEntryPoint</literal> will be used to
|
|
|
+ retry the authentication process. Usually you will use the
|
|
|
+ <literal>BasicProcessingFilterEntryPoint</literal>, which returns a
|
|
|
+ 401 response with a suitable header to retry HTTP Basic
|
|
|
+ authentication. If authentication is successful, the resulting
|
|
|
+ <literal>Authentication</literal> object will be placed into the
|
|
|
+ <literal>HttpSession</literal> attribute indicated by
|
|
|
+ <literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.
|
|
|
+ This becomes the "well-known location" from which the
|
|
|
+ <literal>Authentication</literal> object is later extracted.</para>
|
|
|
+
|
|
|
+ <para>If the authentication event was successful, or authentication
|
|
|
+ was not attempted because the HTTP header did not contain a supported
|
|
|
+ authentication request, the filter chain will continue as normal. The
|
|
|
+ only time the filter chain will be interrupted is if authentication
|
|
|
+ fails and the <literal>AuthenticationEntryPoint</literal> is called,
|
|
|
+ as discussed in the previous paragraph.</para>
|
|
|
+
|
|
|
+ <para>HTTP Basic Authentication is recommended to be used instead of
|
|
|
+ Container Adapters. It can be used in conjunction with HTTP Session
|
|
|
+ Authentication, as demonstrated in the Contacts sample application.
|
|
|
+ You can also use it instead of HTTP Session Authentication if you
|
|
|
+ wish.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-ui-well-known">
|
|
|
+ <title>Well-Known Location Integration</title>
|
|
|
+
|
|
|
+ <para>Once a web application has used either HTTP Session
|
|
|
+ Authentication, HTTP Basic Authentication, or a Container Adapter, an
|
|
|
+ <literal>Authentication</literal> object will exist in a well-known
|
|
|
+ location. The final step in automatically integrating the user
|
|
|
+ interface with the backend security interceptor is to extract this
|
|
|
+ <literal>Authentication</literal> object from the well-known location
|
|
|
+ and place it into a <literal>SecureContext</literal> in the
|
|
|
+ <literal>ContextHolder</literal>.</para>
|
|
|
+
|
|
|
+ <para>The <literal>AbstractIntegrationFilter</literal> and its
|
|
|
+ subclasses provide this well-known location integration. These classes
|
|
|
+ are standard filters, and at the start of each request they will
|
|
|
+ attempt to extract the <literal>Authentication</literal> object from a
|
|
|
+ well-known location. The <literal>Authentication</literal> object will
|
|
|
+ then be added to a <literal>SecureContext</literal>, the
|
|
|
+ <literal>SecureContext</literal> associated with the
|
|
|
+ <literal>ContextHolder</literal> for the duration of the request, and
|
|
|
+ the <literal>ContextHolder</literal> be cleared when the request is
|
|
|
+ finished. Four concrete subclasses of
|
|
|
+ <literal>AbstractIntegrationFilter</literal> are provided with the
|
|
|
+ Acegi Security System for Spring:</para>
|
|
|
+
|
|
|
+ <para><itemizedlist>
|
|
|
+ <listitem>
|
|
|
+ <para><literal>HttpSessionIntegrationFilter</literal> is used
|
|
|
+ with HTTP Session Authentication, HTTP Basic Authentication, or
|
|
|
+ any other approach that populates the
|
|
|
+ <literal>HttpSession</literal> accordingly. It extracts the
|
|
|
+ <literal>Authentication</literal> object from the
|
|
|
+ <literal>HttpSession</literal> attribute indicated by
|
|
|
+ <literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>HttpRequestIntegrationFilter</literal> is used
|
|
|
+ with Catalina, Jetty and Resin Container Adapters. It extracts
|
|
|
+ the authentication information from
|
|
|
+ <literal>HttpServletRequest.getUserPrincipal()</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>JbossIntegrationFilter</literal> is used with the
|
|
|
+ JBoss Container Adapter. It extracts the authentication from
|
|
|
+ <literal>java:comp/env/security/subject</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>AutoIntegrationFilter</literal> automatically
|
|
|
+ determines which filter to use. This makes a web application WAR
|
|
|
+ file more portable, as the <literal>web.xml</literal> is not
|
|
|
+ hard-coded to a specific
|
|
|
+ <literal>AbstractIntegrationFilter</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist></para>
|
|
|
+
|
|
|
+ <para>To define the <literal>AutoIntegrationFilter</literal>
|
|
|
+ (recommended), simply add the following to your web.xml:</para>
|
|
|
+
|
|
|
+ <para><programlisting><filter>
|
|
|
+ <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
|
|
|
+ <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
|
|
|
+ <init-param>
|
|
|
+ <param-name>targetClass</param-name>
|
|
|
+ <param-value>net.sf.acegisecurity.ui.AutoIntegrationFilter</param-value>
|
|
|
+ </init-param>
|
|
|
+</filter>
|
|
|
+
|
|
|
+<filter-mapping>
|
|
|
+ <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
|
|
|
+ <url-pattern>/*</url-pattern>
|
|
|
+</filter-mapping></programlisting></para>
|
|
|
+
|
|
|
+ <para>You will also need to add the following line to your application
|
|
|
+ context:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="autoIntegrationFilter" class="net.sf.acegisecurity.ui.AutoIntegrationFilter" /></programlisting></para>
|
|
|
+
|
|
|
+ <para>Once in the <literal>ContextHolder</literal>, the standard Acegi
|
|
|
+ Security System for Spring classes can be used. Because
|
|
|
+ <literal>ContextHolder</literal> is a standard object which is
|
|
|
+ populated using a filter at the container level, JSPs and Servlets do
|
|
|
+ not need to use Spring's MVC packages. This enables those applications
|
|
|
+ that use other MVC frameworks to still leverage Spring's other
|
|
|
+ capabilities, with full authentication and authorization support. The
|
|
|
+ <literal>debug.jsp</literal> page provided with the sample application
|
|
|
+ demonstrates accessing the <literal>ContextHolder</literal>
|
|
|
+ independent of Spring's MVC packages.</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-container-adapters">
|
|
|
+ <title>Container Adapters</title>
|
|
|
+
|
|
|
+ <sect2 id="security-container-adapters-overview">
|
|
|
+ <title>Overview</title>
|
|
|
+
|
|
|
+ <para>Early versions of the Acegi Security System for Spring
|
|
|
+ exclusively used Container Adapters for interfacing authentication
|
|
|
+ with end users. Whilst this worked well, it required considerable time
|
|
|
+ to support multiple container versions and the configuration itself
|
|
|
+ was relatively time-consuming for developers. For this reason the HTTP
|
|
|
+ Session Authentication and HTTP Basic Authentication approaches were
|
|
|
+ developed, and are today recommended for most applications.</para>
|
|
|
+
|
|
|
+ <para>Container Adapters enable the Acegi Security System for Spring
|
|
|
+ to integrate directly with the containers used to host end user
|
|
|
+ applications. This integration means that applications can continue to
|
|
|
+ leverage the authentication and authorization capabilities built into
|
|
|
+ containers (such as <literal>isUserInRole()</literal> and form-based
|
|
|
+ or basic authentication), whilst benefiting from the enhanced security
|
|
|
+ interception capabilities provided by the Acegi Security System for
|
|
|
+ Spring.</para>
|
|
|
+
|
|
|
+ <para>The integration between a container and the Acegi Security
|
|
|
+ System for Spring is achieved through an adapter. The adapter provides
|
|
|
+ a container-compatible user authentication provider, and needs to
|
|
|
+ return a container-compatible user object.</para>
|
|
|
+
|
|
|
+ <para>The adapter is instantiated by the container and is defined in a
|
|
|
+ container-specific configuration file. The adapter then loads a Spring
|
|
|
+ application context which defines the normal authentication manager
|
|
|
+ settings, such as the authentication providers that can be used to
|
|
|
+ authenticate the request. The application context is usually named
|
|
|
+ <literal>acegisecurity.xml</literal> and is placed in a
|
|
|
+ container-specific location.</para>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring currently supports Jetty,
|
|
|
+ Catalina (Tomcat), JBoss and Resin. Additional container adapters can
|
|
|
+ easily be written.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-container-adapters-adapter-provider">
|
|
|
+ <title>Adapter Authentication Provider</title>
|
|
|
+
|
|
|
+ <para>As is always the case, the container adapter generated
|
|
|
+ <literal>Authentication</literal> object still needs to be
|
|
|
+ authenticated by an <literal>AuthenticationManager</literal> when
|
|
|
+ requested to do so by the
|
|
|
+ <literal>AbstractSecurityInterceptor</literal>. The
|
|
|
+ <literal>AuthenticationManager</literal> needs to be certain the
|
|
|
+ adapter-provided <literal>Authentication</literal> object is valid and
|
|
|
+ was actually authenticated by a trusted adapter.</para>
|
|
|
+
|
|
|
+ <para>Adapters create <literal>Authentication</literal> objects which
|
|
|
+ are immutable and implement the <literal>AuthByAdapter</literal>
|
|
|
+ interface. These objects store the hash of a key that is defined by
|
|
|
+ the adapter. This allows the <literal>Authentication</literal> object
|
|
|
+ to be validated by the <literal>AuthByAdapterProvider</literal>. This
|
|
|
+ authentication provider is defined as follows:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="authByAdapterProvider" class="net.sf.acegisecurity.adapters.AuthByAdapterProvider">
|
|
|
+ <property name="key"><value>my_password</value></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>The key must match the key that is defined in the
|
|
|
+ container-specific configuration file that starts the adapter. The
|
|
|
+ <literal>AuthByAdapterProvider</literal> automatically accepts as
|
|
|
+ valid any <literal>AuthByAdapter</literal> implementation that returns
|
|
|
+ the expected hash of the key.</para>
|
|
|
+
|
|
|
+ <para>To reiterate, this means the adapter will perform the initial
|
|
|
+ authentication using providers such as
|
|
|
+ <literal>DaoAuthenticationProvider</literal>, returning an
|
|
|
+ <literal>AuthByAdapter</literal> instance that contains a hash code of
|
|
|
+ the key. Later, when an application calls a security interceptor
|
|
|
+ managed resource, the <literal>AuthByAdapter</literal> instance in the
|
|
|
+ <literal>SecureContext</literal> in the
|
|
|
+ <literal>ContextHolder</literal> will be tested by the application's
|
|
|
+ <literal>AuthByAdapterProvider</literal>. There is no requirement for
|
|
|
+ additional authentication providers such as
|
|
|
+ <literal>DaoAuthenticationProvider</literal> within the
|
|
|
+ application-specific application context, as the only type of
|
|
|
+ <literal>Authentication</literal> instance that will be presented by
|
|
|
+ the application is from the container adapter.</para>
|
|
|
+
|
|
|
+ <para>Classloader issues are frequent with containers and the use of
|
|
|
+ container adapters illustrates this further. Each container requires a
|
|
|
+ very specific configuration. The installation instructions are
|
|
|
+ provided below. Once installed, please take the time to try the sample
|
|
|
+ application to ensure your container adapter is properly
|
|
|
+ configured.</para>
|
|
|
+
|
|
|
+ <para>When using container adapters with the
|
|
|
+ <literal>DaoAuthenticationProvider</literal>, ensure you set its
|
|
|
+ <literal>forcePrincipalAsString</literal> property to
|
|
|
+ <literal>true</literal>.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-container-adapters-catalina">
|
|
|
+ <title>Catalina (Tomcat) Installation</title>
|
|
|
+
|
|
|
+ <para>The following was tested with Jakarta Tomcat 4.1.30 and 5.0.19.
|
|
|
+ We automatically test the following directions using our container
|
|
|
+ integration test system and these versions of Catalina
|
|
|
+ (Tomcat).</para>
|
|
|
+
|
|
|
+ <para><literal>$CATALINA_HOME</literal> refers to the root of your
|
|
|
+ Catalina (Tomcat) installation.</para>
|
|
|
+
|
|
|
+ <para>Edit your <literal>$CATALINA_HOME/conf/server.xml</literal> file
|
|
|
+ so the <literal><Engine></literal> section contains only one
|
|
|
+ active <literal><Realm></literal> entry. An example realm
|
|
|
+ entry:</para>
|
|
|
+
|
|
|
+ <para><programlisting> <Realm className="net.sf.acegisecurity.adapters.catalina.CatalinaAcegiUserRealm"
|
|
|
+ appContextLocation="conf/acegisecurity.xml"
|
|
|
+ key="my_password" /></programlisting></para>
|
|
|
+
|
|
|
+ <para>Be sure to remove any other <literal><Realm></literal>
|
|
|
+ entry from your <literal><Engine></literal> section.</para>
|
|
|
+
|
|
|
+ <para>Copy <literal>acegisecurity.xml</literal> into
|
|
|
+ <literal>$CATALINA_HOME/conf</literal>.</para>
|
|
|
+
|
|
|
+ <para>Copy <literal>acegi-security-catalina-server.jar</literal> into
|
|
|
+ <literal>$CATALINA_HOME/server/lib</literal>.</para>
|
|
|
+
|
|
|
+ <para>Copy the following files into
|
|
|
+ <literal>$CATALINA_HOME/common/lib</literal>:</para>
|
|
|
+
|
|
|
+ <itemizedlist>
|
|
|
+ <listitem>
|
|
|
+ <para><literal>aopalliance.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>spring.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>acegi-security-catalina-common.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>commons-codec.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>burlap.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>hessian.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist>
|
|
|
+
|
|
|
+ <para>None of the above JAR files (or
|
|
|
+ <literal>acegi-security.jar</literal>) should be in your application's
|
|
|
+ <literal>WEB-INF/lib</literal>. The realm name indicated in your
|
|
|
+ <literal>web.xml</literal> does not matter with Catalina.</para>
|
|
|
+
|
|
|
+ <para>We have received reports of problems using this Container
|
|
|
+ Adapter with Mac OS X. A work-around is to use a script such as
|
|
|
+ follows:</para>
|
|
|
+
|
|
|
+ <para><programlisting>#!/bin/sh
|
|
|
+export CATALINA_HOME="/Library/Tomcat"
|
|
|
+export JAVA_HOME="/Library/Java/Home"
|
|
|
+cd /
|
|
|
+$CATALINA_HOME/bin/startup.sh</programlisting></para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-container-adapters-jetty">
|
|
|
+ <title>Jetty Installation</title>
|
|
|
+
|
|
|
+ <para>The following was tested with Jetty 4.2.18. We automatically
|
|
|
+ test the following directions using our container integration test
|
|
|
+ system and this version of Jetty.</para>
|
|
|
+
|
|
|
+ <para><literal>$JETTY_HOME</literal> refers to the root of your Jetty
|
|
|
+ installation.</para>
|
|
|
+
|
|
|
+ <para>Edit your <literal>$JETTY_HOME/etc/jetty.xml</literal> file so
|
|
|
+ the <literal><Configure class></literal> section has a new
|
|
|
+ addRealm call:</para>
|
|
|
+
|
|
|
+ <para><programlisting> <Call name="addRealm">
|
|
|
+ <Arg>
|
|
|
+ <New class="net.sf.acegisecurity.adapters.jetty.JettyAcegiUserRealm">
|
|
|
+ <Arg>Spring Powered Realm</Arg>
|
|
|
+ <Arg>my_password</Arg>
|
|
|
+ <Arg>etc/acegisecurity.xml</Arg>
|
|
|
+ </New>
|
|
|
+ </Arg>
|
|
|
+ </Call></programlisting></para>
|
|
|
+
|
|
|
+ <para>Copy <literal>acegisecurity.xml</literal> into
|
|
|
+ <literal>$JETTY_HOME/etc</literal>.</para>
|
|
|
+
|
|
|
+ <para>Copy the following files into
|
|
|
+ <literal>$JETTY_HOME/ext</literal>:<itemizedlist>
|
|
|
+ <listitem>
|
|
|
+ <para><literal>aopalliance.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>commons-logging.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>spring.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>acegi-security-jetty-ext.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>commons-codec.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>burlap.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>hessian.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist></para>
|
|
|
+
|
|
|
+ <para>None of the above JAR files (or
|
|
|
+ <literal>acegi-security.jar</literal>) should be in your application's
|
|
|
+ <literal>WEB-INF/lib</literal>. The realm name indicated in your
|
|
|
+ <literal>web.xml</literal> does matter with Jetty. The
|
|
|
+ <literal>web.xml</literal> must express the same
|
|
|
+ <literal><realm-name></literal> as your
|
|
|
+ <literal>jetty.xml</literal> (in the example above, "Spring Powered
|
|
|
+ Realm").</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-container-adapters-joss">
|
|
|
+ <title>JBoss Installation</title>
|
|
|
+
|
|
|
+ <para>The following was tested with JBoss 3.2.3. We automatically test
|
|
|
+ the following directions using our container integration test system
|
|
|
+ and this version of JBoss.</para>
|
|
|
+
|
|
|
+ <para><literal>$JBOSS_HOME</literal> refers to the root of your JBoss
|
|
|
+ installation.</para>
|
|
|
+
|
|
|
+ <para>Edit your
|
|
|
+ <literal>$JBOSS_HOME/server/your_config/conf/login-config.xml</literal>
|
|
|
+ file so that it contains a new entry under the
|
|
|
+ <literal><Policy></literal> section:</para>
|
|
|
+
|
|
|
+ <para><programlisting> <application-policy name = "SpringPoweredRealm">
|
|
|
+ <authentication>
|
|
|
+ <login-module code = "net.sf.acegisecurity.adapters.jboss.JbossSpringLoginModule"
|
|
|
+ flag = "required">
|
|
|
+ <module-option name = "appContextLocation">acegisecurity.xml</module-option>
|
|
|
+ <module-option name = "key">my_password</module-option>
|
|
|
+ </login-module>
|
|
|
+ </authentication>
|
|
|
+ </application-policy></programlisting></para>
|
|
|
+
|
|
|
+ <para>Copy <literal>acegisecurity.xml</literal> into
|
|
|
+ <literal>$JBOSS_HOME/server/your_config/conf</literal>.</para>
|
|
|
+
|
|
|
+ <para>Copy the following files into
|
|
|
+ <literal>$JBOSS_HOME/server/your_config/lib</literal>:<itemizedlist>
|
|
|
+ <listitem>
|
|
|
+ <para><literal>aopalliance.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>spring.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>acegi-security-jboss-lib.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>commons-codec.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>burlap.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>hessian.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist></para>
|
|
|
+
|
|
|
+ <para>None of the above JAR files (or
|
|
|
+ <literal>acegi-security.jar</literal>) should be in your application's
|
|
|
+ <literal>WEB-INF/lib</literal>. The realm name indicated in your
|
|
|
+ <literal>web.xml</literal> does not matter with JBoss. However, your
|
|
|
+ web application's <literal>WEB-INF/jboss-web.xml</literal> must
|
|
|
+ express the same <literal><security-domain></literal> as your
|
|
|
+ <literal>login-config.xml</literal>. For example, to match the above
|
|
|
+ example, your <literal>jboss-web.xml</literal> would look like
|
|
|
+ this:</para>
|
|
|
+
|
|
|
+ <para><programlisting><jboss-web>
|
|
|
+ <security-domain>java:/jaas/SpringPoweredRealm</security-domain>
|
|
|
+</jboss-web></programlisting></para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-container-adapters-resin">
|
|
|
+ <title>Resin Installation</title>
|
|
|
+
|
|
|
+ <para>The following was tested with Resin 3.0.6.</para>
|
|
|
+
|
|
|
+ <para><literal>$RESIN_HOME</literal> refers to the root of your Resin
|
|
|
+ installation.</para>
|
|
|
+
|
|
|
+ <para>Resin provides several ways to support the container adapter. In
|
|
|
+ the instructions below we have elected to maximise consistency with
|
|
|
+ other container adapter configurations. This will allow Resin users to
|
|
|
+ simply deploy the sample application and confirm correct
|
|
|
+ configuration. Developers comfortable with Resin are naturally able to
|
|
|
+ use its capabilities to package the JARs with the web application
|
|
|
+ itself, and/or support single sign-on.</para>
|
|
|
+
|
|
|
+ <para>Copy the following files into
|
|
|
+ <literal>$RESIN_HOME/lib</literal>:<itemizedlist>
|
|
|
+ <listitem>
|
|
|
+ <para><literal>aopalliance.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>commons-logging.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>spring.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>acegi-security-resin-lib.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>commons-codec.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>burlap.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>hessian.jar</literal></para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist></para>
|
|
|
+
|
|
|
+ <para>Unlike the container-wide <literal>acegisecurity.xml</literal>
|
|
|
+ files used by other container adapters, each Resin web application
|
|
|
+ will contain its own
|
|
|
+ <literal>WEB-INF/resin-acegisecurity.xml</literal> file. Each web
|
|
|
+ application will also contain a <literal>resin-web.xml</literal> file
|
|
|
+ which Resin uses to start the container adapter:</para>
|
|
|
+
|
|
|
+ <para><programlisting><web-app>
|
|
|
+ <authenticator>
|
|
|
+ <type>net.sf.acegisecurity.adapters.resin.ResinAcegiAuthenticator</type>
|
|
|
+ <init>
|
|
|
+ <app-context-location>WEB-INF/resin-acegisecurity.xml</app-context-location>
|
|
|
+ <key>my_password</key>
|
|
|
+ </init>
|
|
|
+ </authenticator>
|
|
|
+</web-app></programlisting></para>
|
|
|
+
|
|
|
+ <para>With the basic configuration provided above, none of the JAR
|
|
|
+ files listed (or <literal>acegi-security.jar</literal>) should be in
|
|
|
+ your application's <literal>WEB-INF/lib</literal>. The realm name
|
|
|
+ indicated in your <literal>web.xml</literal> does not matter with
|
|
|
+ Resin, as the relevant authentication class is indicated by the
|
|
|
+ <literal><authenticator></literal> setting.</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-cas">
|
|
|
+ <title>Yale Central Authentication Service (CAS) Single Sign On</title>
|
|
|
+
|
|
|
+ <sect2 id="security-cas-overview">
|
|
|
+ <title>Overview</title>
|
|
|
+
|
|
|
+ <para>Yale University produces an enterprise-wide single sign on
|
|
|
+ system known as CAS. Unlike other initiatives, Yale's Central
|
|
|
+ Authentication Service is open source, widely used, simple to
|
|
|
+ understand, platform independent, and supports proxy capabilities. The
|
|
|
+ Acegi Security System for Spring fully supports CAS, and provides an
|
|
|
+ easy migration path from single-application deployments of Acegi
|
|
|
+ Security through to multiple-application deployments secured by an
|
|
|
+ enterprise-wide CAS server.</para>
|
|
|
+
|
|
|
+ <para>You can learn more about CAS at
|
|
|
+ <literal>http://www.yale.edu/tp/auth/</literal>. You will need to
|
|
|
+ visit this URL to download the CAS Server files. Whilst the Acegi
|
|
|
+ Security System for Spring includes two CAS libraries in the
|
|
|
+ "-with-dependencies" ZIP file, you will still need the CAS Java Server
|
|
|
+ Pages and <literal>web.xml</literal> to customise and deploy your CAS
|
|
|
+ server.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-cas-how-cas-works">
|
|
|
+ <title>How CAS Works</title>
|
|
|
+
|
|
|
+ <para>Whilst the CAS web site above contains two documents that detail
|
|
|
+ the architecture of CAS, we present the general overview again here
|
|
|
+ within the context of the Acegi Security System for Spring. The
|
|
|
+ following refers to CAS 2.0, being the version of CAS that Acegi
|
|
|
+ Security System for Spring supports.</para>
|
|
|
+
|
|
|
+ <para>Somewhere in your enterprise you will need to setup a CAS
|
|
|
+ server. The CAS server is simply a standard WAR file, so there isn't
|
|
|
+ anything difficult about setting up your server. Inside the WAR file
|
|
|
+ you will customise the login and other single sign on pages displayed
|
|
|
+ to users. You will also need to specify in the web.xml a
|
|
|
+ <literal>PasswordHandler</literal>. The
|
|
|
+ <literal>PasswordHandler</literal> has a simple method that returns a
|
|
|
+ boolean as to whether a given username and password is valid. Your
|
|
|
+ <literal>PasswordHandler</literal> implementation will need to link
|
|
|
+ into some type of backend authentication repository, such as an LDAP
|
|
|
+ server or database.</para>
|
|
|
+
|
|
|
+ <para>If you are already running an existing CAS server instance, you
|
|
|
+ will have already established a <literal>PasswordHandler</literal>. If
|
|
|
+ you do not already have a <literal>PasswordHandler</literal>, you
|
|
|
+ might prefer to use the Acegi Security System for Spring
|
|
|
+ <literal>CasPasswordHandler</literal> class. This class delegates
|
|
|
+ through to the standard Acegi Security
|
|
|
+ <literal>AuthenticationManager</literal>, enabling you to use a
|
|
|
+ security configuration you might already have in place. You do not
|
|
|
+ need to use the <literal>CasPasswordHandler</literal> class on your
|
|
|
+ CAS server if you do not wish. The Acegi Security System for Spring
|
|
|
+ will function as a CAS client successfully irrespective of the
|
|
|
+ <literal>PasswordHandler</literal> you've chosen for your CAS
|
|
|
+ server.</para>
|
|
|
+
|
|
|
+ <para>Apart from the CAS server itself, the other key player is of
|
|
|
+ course the secure web applications deployed throughout your
|
|
|
+ enterprise. These web applications are known as "services". There are
|
|
|
+ two types of services: standard services and proxy services. A proxy
|
|
|
+ service is able to request resources from other services on behalf of
|
|
|
+ the user. This will be explained more fully later.</para>
|
|
|
+
|
|
|
+ <para>Services can be developed in a large variety of languages, due
|
|
|
+ to CAS 2.0's very light XML-based protocol. The Yale CAS home page
|
|
|
+ contains a clients archive which demonstrates CAS clients in Java,
|
|
|
+ Active Server Pages, Perl, Python and others. Naturally, Java support
|
|
|
+ is very strong given the CAS server is written in Java. You do not
|
|
|
+ need to use any of CAS' client classes in applications secured by the
|
|
|
+ Acegi Security System for Spring. This is handled transparently for
|
|
|
+ you.</para>
|
|
|
+
|
|
|
+ <para>The basic interaction between a web browser, CAS server and an
|
|
|
+ Acegi Security for System Spring secured service is as follows:</para>
|
|
|
+
|
|
|
+ <orderedlist>
|
|
|
+ <listitem>
|
|
|
+ <para>The web user is browsing the service's public pages. CAS or
|
|
|
+ Acegi Security is not involved.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>The user eventually requests a page that is either secure or
|
|
|
+ one of the beans it uses is secure. Acegi Security's
|
|
|
+ <literal>SecurityEnforcementFilter</literal> will detect the
|
|
|
+ <literal>AuthenticationException</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Because the user's <literal>Authentication</literal> object
|
|
|
+ (or lack thereof) caused an
|
|
|
+ <literal>AuthenticationException</literal>, the
|
|
|
+ <literal>SecurityEnforcementFilter</literal> will call the
|
|
|
+ configured <literal>AuthenticationEntryPoint</literal>. If using
|
|
|
+ CAS, this will be the
|
|
|
+ <literal>CasProcessingFilterEntryPoint</literal> class.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>The <literal>CasProcessingFilterEntry</literal> point will
|
|
|
+ redirect the user's browser to the CAS server. It will also
|
|
|
+ indicate a <literal>service</literal> parameter, which is the
|
|
|
+ callback URL for the Acegi Security service. For example, the URL
|
|
|
+ to which the browser is redirected might be
|
|
|
+ <literal>https://my.company.com/cas/login?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Fj_acegi_cas_security_check</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>After the user's browser redirects to CAS, they will be
|
|
|
+ prompted for their username and password. If the user presents a
|
|
|
+ session cookie which indicates they've previously logged on, they
|
|
|
+ will not be prompted to login again (there is an exception to this
|
|
|
+ procedure, which we'll cover later). CAS will use the
|
|
|
+ <literal>PasswordHandler</literal> discussed above to decide
|
|
|
+ whether the username and password is valid.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Upon successful login, CAS will redirect the user's browser
|
|
|
+ back to the original service. It will also include a
|
|
|
+ <literal>ticket</literal> parameter, which is an opaque string
|
|
|
+ representing the "service ticket". Continuing our earlier example,
|
|
|
+ the URL the browser is redirected to might be
|
|
|
+ <literal>https://server3.company.com/webapp/j_acegi_cas_security_check?ticket=ST-0-ER94xMJmn6pha35CQRoZ</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Back in the service web application, the
|
|
|
+ <literal>CasProcessingFilter</literal> is always listening for
|
|
|
+ requests to <literal>/j_acegi_cas_security_check</literal> (this
|
|
|
+ is configurable, but we'll use the defaults in this introduction).
|
|
|
+ The processing filter will construct a
|
|
|
+ <literal>UsernamePasswordAuthenticationToken</literal>
|
|
|
+ representing the service ticket. The principal will be equal to
|
|
|
+ <literal>CasProcessingFilter.CAS_STATEFUL_IDENTIFIER</literal>,
|
|
|
+ whilst the credentials will be the service ticket opaque value.
|
|
|
+ This authentication request will then be handed to the configured
|
|
|
+ <literal>AuthenticationManager</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>The <literal>AuthenticationManager</literal> implementation
|
|
|
+ will be the <literal>ProviderManager</literal>, which is in turn
|
|
|
+ configured with the <literal>CasAuthenticationProvider</literal>.
|
|
|
+ The <literal>CasAuthenticationProvider</literal> only responds to
|
|
|
+ <literal>UsernamePasswordAuthenticationToken</literal>s containing
|
|
|
+ the CAS-specific principal (such as
|
|
|
+ <literal>CasProcessingFilter.CAS_STATEFUL_IDENTIFIER</literal>)
|
|
|
+ and <literal>CasAuthenticationToken</literal>s (discussed
|
|
|
+ later).</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>CasAuthenticationProvider</literal> will validate
|
|
|
+ the service ticket using a <literal>TicketValidator</literal>
|
|
|
+ implementation. Acegi Security includes one implementation, the
|
|
|
+ <literal>CasProxyTicketValidator</literal>. This implementation a
|
|
|
+ ticket validation class included in the CAS client library. The
|
|
|
+ <literal>CasProxyTicketValidator</literal> makes a HTTPS request
|
|
|
+ to the CAS server in order to validate the service ticket. The
|
|
|
+ <literal>CasProxyTicketValidator</literal> may also include a
|
|
|
+ proxy callback URL, which is included in this example:
|
|
|
+ <literal>https://my.company.com/cas/proxyValidate?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Fj_acegi_cas_security_check&ticket=ST-0-ER94xMJmn6pha35CQRoZ&pgtUrl=https://server3.company.com/webapp/casProxy/receptor</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Back on the CAS server, the proxy validation request will be
|
|
|
+ received. If the presented service ticket matches the service URL
|
|
|
+ the ticket was issued to, CAS will provide an affirmative response
|
|
|
+ in XML indicating the username. If any proxy was involved in the
|
|
|
+ authentication (discussed below), the list of proxies is also
|
|
|
+ included in the XML response.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>[OPTIONAL] If the request to the CAS validation service
|
|
|
+ included the proxy callback URL (in the <literal>pgtUrl</literal>
|
|
|
+ parameter), CAS will include a <literal>pgtIou</literal> string in
|
|
|
+ the XML response. This <literal>pgtIou</literal> represents a
|
|
|
+ proxy-granting ticket IOU. The CAS server will then create its own
|
|
|
+ HTTPS connection back to the <literal>pgtUrl</literal>. This is to
|
|
|
+ mutually authenticate the CAS server and the claimed service URL.
|
|
|
+ The HTTPS connection will be used to send a proxy granting ticket
|
|
|
+ to the original web application. For example,
|
|
|
+ <literal>https://server3.company.com/webapp/casProxy/receptor?pgtIou=PGTIOU-0-R0zlgrl4pdAQwBvJWO3vnNpevwqStbSGcq3vKB2SqSFFRnjPHt&pgtId=PGT-1-si9YkkHLrtACBo64rmsi3v2nf7cpCResXg5MpESZFArbaZiOKH</literal>.
|
|
|
+ We suggest you use CAS' <literal>ProxyTicketReceptor</literal>
|
|
|
+ servlet to receive these proxy-granting tickets, if they are
|
|
|
+ required.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>The <literal>CasProxyTicketValidator</literal> will parse
|
|
|
+ the XML received from the CAS server. It will return to the
|
|
|
+ <literal>CasAuthenticationProvider</literal> a
|
|
|
+ <literal>TicketResponse</literal>, which includes the username
|
|
|
+ (mandatory), proxy list (if any were involved), and proxy-granting
|
|
|
+ ticket IOU (if the proxy callback was requested).</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Next <literal>CasAuthenticationProvider</literal> will call
|
|
|
+ a configured <literal>CasProxyDecider</literal>. The
|
|
|
+ <literal>CasProxyDecider</literal> indicates whether the proxy
|
|
|
+ list in the <literal>TicketResponse</literal> is acceptable to the
|
|
|
+ service. Several implementations are provided with the Acegi
|
|
|
+ Security System: <literal>RejectProxyTickets</literal>,
|
|
|
+ <literal>AcceptAnyCasProxy</literal> and
|
|
|
+ <literal>NamedCasProxyDecider</literal>. These names are largely
|
|
|
+ self-explanatory, except <literal>NamedCasProxyDecider</literal>
|
|
|
+ which allows a <literal>List</literal> of trusted proxies to be
|
|
|
+ provided.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para><literal>CasAuthenticationProvider</literal> will next
|
|
|
+ request a <literal>CasAuthoritiesPopulator</literal> to advise the
|
|
|
+ <literal>GrantedAuthority</literal> objects that apply to the user
|
|
|
+ contained in the <literal>TicketResponse</literal>. Acegi Security
|
|
|
+ includes a <literal>DaoCasAuthoritiesPopulator</literal> which
|
|
|
+ simply uses the <literal>AuthenticationDao</literal>
|
|
|
+ infrastructure to find the <literal>UserDetails</literal> and
|
|
|
+ their associated <literal>GrantedAuthority</literal>s. Note that
|
|
|
+ the password and enabled/disabled status of
|
|
|
+ <literal>UserDetails</literal> returned by the
|
|
|
+ <literal>AuthenticationDao</literal> are ignored, as the CAS
|
|
|
+ server is responsible for authentication decisions.
|
|
|
+ <literal>DaoCasAuthoritiesPopulator</literal> is only concerned
|
|
|
+ with retrieving the <literal>GrantedAuthority</literal>s.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>If there were no problems,
|
|
|
+ <literal>CasAuthenticationProvider</literal> constructs a
|
|
|
+ <literal>CasAuthenticationToken</literal> including the details
|
|
|
+ contained in the <literal>TicketResponse</literal> and the
|
|
|
+ <literal>GrantedAuthority</literal>s. The
|
|
|
+ <literal>CasAuthenticationToken</literal> contains the hash of a
|
|
|
+ key, so that the <literal>CasAuthenticationProvider</literal>
|
|
|
+ knows it created it.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Control then returns to
|
|
|
+ <literal>CasProcessingFilter</literal>, which places the created
|
|
|
+ <literal>CasAuthenticationToken</literal> into the
|
|
|
+ <literal>HttpSession</literal> attribute named
|
|
|
+ <literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>The user's browser is redirected to the original page that
|
|
|
+ caused the <literal>AuthenticationException</literal>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>As the <literal>Authentication</literal> object is now in
|
|
|
+ the well-known location, it is handled like any other
|
|
|
+ authentication approach. Usually the
|
|
|
+ <literal>AutoIntegrationFilter</literal> will be used to associate
|
|
|
+ the <literal>Authentication</literal> object with the
|
|
|
+ <literal>ContextHolder</literal> for the duration of each
|
|
|
+ request.</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist>
|
|
|
+
|
|
|
+ <para>It's good that you're still here! It might sound involved, but
|
|
|
+ you can relax as the Acegi Security System for Spring classes hide
|
|
|
+ much of the complexity. Let's now look at how this is
|
|
|
+ configured.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-cas-install-server">
|
|
|
+ <title>CAS Server Installation (Optional)</title>
|
|
|
+
|
|
|
+ <para>As mentioned above, the Acegi Security System for Spring
|
|
|
+ includes a <literal>PasswordHandler</literal> that bridges your
|
|
|
+ existing <literal>AuthenticationManager</literal> into CAS. You do not
|
|
|
+ need to use this <literal>PasswordHandler</literal> to use Acegi
|
|
|
+ Security on the client side (any CAS
|
|
|
+ <literal>PasswordHandler</literal> will do).</para>
|
|
|
+
|
|
|
+ <para>To install, you will need to download and extract the CAS server
|
|
|
+ archive. We used version 2.0.12. There will be a
|
|
|
+ <literal>/web</literal> directory in the root of the deployment. Copy
|
|
|
+ an <literal>applicationContext.xml</literal> containing your
|
|
|
+ <literal>AuthenticationManager</literal> as well as the
|
|
|
+ <literal>CasPasswordHandler</literal> into the
|
|
|
+ <literal>/web/WEB-INF</literal> directory. A sample
|
|
|
+ <literal>applicationContext.xml</literal> is included below:</para>
|
|
|
+
|
|
|
+ <programlisting><bean id="inMemoryDaoImpl" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
|
|
|
+ <property name="userMap">
|
|
|
+ <value>
|
|
|
+ marissa=koala,ROLES_IGNORED_BY_CAS
|
|
|
+ dianne=emu,ROLES_IGNORED_BY_CAS
|
|
|
+ scott=wombat,ROLES_IGNORED_BY_CAS
|
|
|
+ peter=opal,disabled,ROLES_IGNORED_BY_CAS
|
|
|
+ </value>
|
|
|
+ </property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
|
|
|
+ <property name="authenticationDao"><ref bean="inMemoryDaoImpl"/></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
|
|
|
+ <property name="providers">
|
|
|
+ <list>
|
|
|
+ <ref bean="daoAuthenticationProvider"/>
|
|
|
+ </list>
|
|
|
+ </property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="casPasswordHandler" class="net.sf.acegisecurity.adapters.cas.CasPasswordHandler">
|
|
|
+ <property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
+</bean></programlisting>
|
|
|
+
|
|
|
+ <para>Note the granted authorities are ignored by CAS because it has
|
|
|
+ no way of communicating the granted authorities to calling
|
|
|
+ applications. CAS is only concerned with username and passwords (and
|
|
|
+ the enabled/disabled status).</para>
|
|
|
+
|
|
|
+ <para>Next you will need to edit the existing
|
|
|
+ <literal>/web/WEB-INF/web.xml</literal> file. Add (or edit in the case
|
|
|
+ of the <literal>authHandler</literal> property) the following
|
|
|
+ lines:</para>
|
|
|
+
|
|
|
+ <para><programlisting><context-param>
|
|
|
+ <param-name>edu.yale.its.tp.cas.authHandler</param-name>
|
|
|
+ <param-value>net.sf.acegisecurity.adapters.cas.CasPasswordHandlerProxy</param-value>
|
|
|
+</context-param>
|
|
|
+
|
|
|
+<context-param>
|
|
|
+ <param-name>contextConfigLocation</param-name>
|
|
|
+ <param-value>/WEB-INF/applicationContext.xml</param-value>
|
|
|
+</context-param>
|
|
|
+
|
|
|
+<listener>
|
|
|
+ <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
|
|
|
+</listener></programlisting></para>
|
|
|
+
|
|
|
+ <para>Copy the <literal>spring.jar</literal> and
|
|
|
+ <literal>acegi-security.jar</literal> files into
|
|
|
+ <literal>/web/WEB-INF/lib</literal>. Now use the <literal>ant
|
|
|
+ dist</literal> task in the <literal>build.xml</literal> in the root of
|
|
|
+ the directory structure. This will create
|
|
|
+ <literal>/lib/cas.war</literal>, which is ready for deployment to your
|
|
|
+ servlet container.</para>
|
|
|
+
|
|
|
+ <para>Note CAS heavily relies on HTTPS. You can't even test the system
|
|
|
+ without a HTTPS certificate. Whilst you should refer to your web
|
|
|
+ container's documentation on setting up HTTPS, if you need some
|
|
|
+ additional help or a test certificate you might like to check the
|
|
|
+ <literal>samples/contacts/etc/ssl</literal> directory.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-cas-install-client">
|
|
|
+ <title>CAS Acegi Security System Client Installation</title>
|
|
|
+
|
|
|
+ <para>The web application side of CAS is made easy due to the Acegi
|
|
|
+ Security System for Spring. It is assumed you already know the basics
|
|
|
+ of using the Acegi Security System for Spring, so these are not
|
|
|
+ covered again below. Only the CAS-specific beans are mentioned.</para>
|
|
|
+
|
|
|
+ <para>You will need to add a <literal>ServiceProperties</literal> bean
|
|
|
+ to your application context. This represents your service:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="serviceProperties" class="net.sf.acegisecurity.ui.cas.ServiceProperties">
|
|
|
+ <property name="service"><value>https://localhost:8443/contacts-cas/j_acegi_cas_security_check</value></property>
|
|
|
+ <property name="sendRenew"><value>false</value></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>The <literal>service</literal> must equal a URL that will be
|
|
|
+ monitored by the <literal>CasProcessingFilter</literal>. The
|
|
|
+ <literal>sendRenew</literal> defaults to false, but should be set to
|
|
|
+ true if your application is particularly sensitive. What this
|
|
|
+ parameter does is tell the CAS login service that a single sign on
|
|
|
+ login is unacceptable. Instead, the user will need to re-enter their
|
|
|
+ username and password in order to gain access to the service.</para>
|
|
|
+
|
|
|
+ <para>The following beans should be configured to commence the CAS
|
|
|
+ authentication process:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="casProcessingFilter" class="net.sf.acegisecurity.ui.cas.CasProcessingFilter">
|
|
|
+ <property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
|
+ <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
|
|
|
+ <property name="defaultTargetUrl"><value>/</value></property>
|
|
|
+ <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
|
|
|
+ <property name="filterSecurityInterceptor"><ref bean="filterInvocationInterceptor"/></property>
|
|
|
+ <property name="authenticationEntryPoint"><ref bean="casProcessingFilterEntryPoint"/></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="casProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
|
|
|
+ <property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
|
|
|
+ <property name="serviceProperties"><ref bean="serviceProperties"/></property>
|
|
|
+</bean></programlisting></para>
|
|
|
+
|
|
|
+ <para>You will also need to add the
|
|
|
+ <literal>CasProcessingFilter</literal> to web.xml:</para>
|
|
|
+
|
|
|
+ <para><programlisting><filter>
|
|
|
+ <filter-name>Acegi CAS Processing Filter</filter-name>
|
|
|
+ <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
|
|
|
+ <init-param>
|
|
|
+ <param-name>targetClass</param-name>
|
|
|
+ <param-value>net.sf.acegisecurity.ui.cas.CasProcessingFilter</param-value>
|
|
|
+ </init-param>
|
|
|
+</filter>
|
|
|
+
|
|
|
+<filter-mapping>
|
|
|
+ <filter-name>Acegi CAS Processing Filter</filter-name>
|
|
|
+ <url-pattern>/*</url-pattern>
|
|
|
+</filter-mapping></programlisting></para>
|
|
|
+
|
|
|
+ <para>The <literal>CasProcessingFilter</literal> has very similar
|
|
|
+ properties to the <literal>AuthenticationProcessingFilter</literal>
|
|
|
+ (used for form-based logins). Each property is
|
|
|
+ self-explanatory.</para>
|
|
|
+
|
|
|
+ <para>For CAS to operate, the
|
|
|
+ <literal>SecurityEnforcementFilter</literal> must have its
|
|
|
+ <literal>authenticationEntryPoint</literal> property set to the
|
|
|
+ <literal>CasProcessingFilterEntryPoint</literal> bean.</para>
|
|
|
+
|
|
|
+ <para>The <literal>CasProcessingFilterEntryPoint</literal> must refer
|
|
|
+ to the <literal>ServiceProperties</literal> bean (discussed above),
|
|
|
+ which provides the URL to the enterprise's CAS login server. This is
|
|
|
+ where the user's browser will be redirected.</para>
|
|
|
+
|
|
|
+ <para>Next you need to add an <literal>AuthenticationManager</literal>
|
|
|
+ that uses <literal>CasAuthenticationProvider</literal> and its
|
|
|
+ collaborators:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
|
|
|
+ <property name="providers">
|
|
|
+ <list>
|
|
|
+ <ref bean="casAuthenticationProvider"/>
|
|
|
+ </list>
|
|
|
+ </property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="casAuthenticationProvider" class="net.sf.acegisecurity.providers.cas.CasAuthenticationProvider">
|
|
|
+ <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property>
|
|
|
+ <property name="casProxyDecider"><ref bean="casProxyDecider"/></property>
|
|
|
+ <property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property>
|
|
|
+ <property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property>
|
|
|
+ <property name="key"><value>my_password_for_this_auth_provider_only</value></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="casProxyTicketValidator" class="net.sf.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
|
|
|
+ <property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property>
|
|
|
+ <property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property>
|
|
|
+ <property name="serviceProperties"><ref bean="serviceProperties"/></property>
|
|
|
+ <!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> -->
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="statelessTicketCache" class="net.sf.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
|
|
|
+ <property name="minutesToIdle"><value>20</value></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="casAuthoritiesPopulator" class="net.sf.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
|
|
|
+ <property name="authenticationDao"><ref bean="inMemoryDaoImpl"/></property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="casProxyDecider" class="net.sf.acegisecurity.providers.cas.proxy.RejectProxyTickets"/></programlisting></para>
|
|
|
+
|
|
|
+ <para>The beans are all reasonable self-explanatory if you refer back
|
|
|
+ to the "How CAS Works" section. Careful readers might notice one
|
|
|
+ surprise: the <literal>statelessTicketCache</literal> property of the
|
|
|
+ <literal>CasAuthenticationProvider</literal>. This is discussed in
|
|
|
+ detail in the "Advanced CAS Usage" section.</para>
|
|
|
+
|
|
|
+ <para>Note the <literal>CasProxyTicketValidator</literal> has a
|
|
|
+ remarked out <literal>trustStore</literal> property. This property
|
|
|
+ might be helpful if you experience HTTPS certificate issues. Also note
|
|
|
+ the <literal>proxyCallbackUrl</literal> is set so the service can
|
|
|
+ receive a proxy-granting ticket. As mentioned above, this is optional
|
|
|
+ and unnecessary if you do not require proxy-granting tickets. If you
|
|
|
+ do use this feature, you will need to configure a suitable servlet to
|
|
|
+ receive the proxy-granting tickets. We suggest you use CAS'
|
|
|
+ <literal>ProxyTicketReceptor</literal> by adding the following to your
|
|
|
+ web application's <literal>web.xml</literal>:</para>
|
|
|
+
|
|
|
+ <para><programlisting><servlet>
|
|
|
+ <servlet-name>casproxy</servlet-name>
|
|
|
+ <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
|
|
|
+</servlet>
|
|
|
+
|
|
|
+<servlet-mapping>
|
|
|
+ <servlet-name>casproxy</servlet-name>
|
|
|
+ <url-pattern>/casProxy/*</url-pattern>
|
|
|
+</servlet-mapping></programlisting></para>
|
|
|
+
|
|
|
+ <para>This completes the configuration of CAS. If you haven't made any
|
|
|
+ mistakes, your web application should happily work within the
|
|
|
+ framework of CAS single sign on. No other parts of the Acegi Security
|
|
|
+ System for Spring need to be concerned about the fact CAS handled
|
|
|
+ authentication.</para>
|
|
|
+
|
|
|
+ <para>There is also a <literal>contacts-cas.war</literal> file in the
|
|
|
+ sample applications directory. This sample application uses the above
|
|
|
+ settings and can be deployed to see CAS in operation.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-cas-advanced-usage">
|
|
|
+ <title>Advanced CAS Usage</title>
|
|
|
+
|
|
|
+ <para>The <literal>CasAuthenticationProvider</literal> distinguishes
|
|
|
+ between stateful and stateless clients. A stateful client is
|
|
|
+ considered any that originates via the
|
|
|
+ <literal>CasProcessingFilter</literal>. A stateless client is any that
|
|
|
+ presents an authentication request via the
|
|
|
+ <literal>UsernamePasswordAuthenticationToken</literal> with a
|
|
|
+ principal equal to
|
|
|
+ <literal>CasProcessingFilter.CAS_STATELESS_IDENTIFIER</literal>.</para>
|
|
|
+
|
|
|
+ <para>Stateless clients are likely to be via remoting protocols such
|
|
|
+ as Hessian and Burlap. The <literal>BasicProcessingFilter</literal> is
|
|
|
+ still used in this case, but the remoting protocol client is expected
|
|
|
+ to present a username equal to the static string above, and a password
|
|
|
+ equal to a CAS service ticket. Clients should acquire a CAS service
|
|
|
+ ticket directly from the CAS server.</para>
|
|
|
+
|
|
|
+ <para>Because remoting protocols have no way of presenting themselves
|
|
|
+ within the context of a <literal>HttpSession</literal>, it isn't
|
|
|
+ possible to rely on the <literal>HttpSession</literal>'s
|
|
|
+ <literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>
|
|
|
+ attribute to locate the <literal>CasAuthenticationToken</literal>.
|
|
|
+ Furthermore, because the CAS server invalidates a service ticket after
|
|
|
+ it has been validated by the <literal>TicketValidator</literal>,
|
|
|
+ presenting the same service ticket on subsequent requests will not
|
|
|
+ work. It is similarly very difficult to obtain a proxy-granting ticket
|
|
|
+ for a remoting protocol client, as they are often deployed on client
|
|
|
+ machines which rarely have HTTPS URLs that would be accessible to the
|
|
|
+ CAS server.</para>
|
|
|
+
|
|
|
+ <para>One obvious option is to not use CAS at all for remoting
|
|
|
+ protocol clients. However, this would eliminate many of the desirable
|
|
|
+ features of CAS.</para>
|
|
|
+
|
|
|
+ <para>As a middle-ground, the
|
|
|
+ <literal>CasAuthenticationProvider</literal> uses a
|
|
|
+ <literal>StatelessTicketCache</literal>. This is used solely for
|
|
|
+ requests with a principal equal to
|
|
|
+ <literal>CasProcessingFilter.CAS_STATELESS_IDENTIFIER</literal>. What
|
|
|
+ happens is the <literal>CasAuthenticationProvider</literal> will store
|
|
|
+ the resulting <literal>CasAuthenticationToken</literal> in the
|
|
|
+ <literal>StatelessTicketCache</literal>, keyed on the service ticket.
|
|
|
+ Accordingly, remoting protocol clients can present the same service
|
|
|
+ ticket and the <literal>CasAuthenticationProvider</literal> will not
|
|
|
+ need to contact the CAS server for validation (aside from the first
|
|
|
+ request).</para>
|
|
|
+
|
|
|
+ <para>The other aspect of advanced CAS usage involves creating proxy
|
|
|
+ tickets from the proxy-granting ticket. As indicated above, we
|
|
|
+ recommend you use CAS' <literal>ProxyTicketReceptor</literal> to
|
|
|
+ receive these tickets. The <literal>ProxyTicketReceptor</literal>
|
|
|
+ provides a static method that enables you to obtain a proxy ticket by
|
|
|
+ presenting the proxy-granting IOU ticket. You can obtain the
|
|
|
+ proxy-granting IOU ticket by calling
|
|
|
+ <literal>CasAuthenticationToken.getProxyGrantingTicketIou()</literal>.</para>
|
|
|
+
|
|
|
+ <para>It is hoped you find CAS integration easy and useful with the
|
|
|
+ Acegi Security System for Spring classes. Welcome to enterprise-wide
|
|
|
+ single sign on!</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-channels">
|
|
|
+ <title>Channel Security</title>
|
|
|
+
|
|
|
+ <sect2 id="security-channels-overview">
|
|
|
+ <title>Overview</title>
|
|
|
+
|
|
|
+ <para>In addition to coordinating the authentication and authorization
|
|
|
+ requirements of your application, the Acegi Security System for Spring
|
|
|
+ is also able to ensure unauthenticated web requests have certain
|
|
|
+ properties. These properties may include being of a particular
|
|
|
+ transport type, having a particular <literal>HttpSession</literal>
|
|
|
+ attribute set and so on. The most common requirement is for your web
|
|
|
+ requests to be received using a particular transport protocol, such as
|
|
|
+ HTTPS.</para>
|
|
|
+
|
|
|
+ <para>An important issue in considering transport security is that of
|
|
|
+ session hijacking. Your web container manages a
|
|
|
+ <literal>HttpSession</literal> by reference to a
|
|
|
+ <literal>jsessionid</literal> that is sent to user agents either via a
|
|
|
+ cookie or URL rewriting. If the <literal>jsessionid</literal> is ever
|
|
|
+ sent over HTTP, there is a possibility that session identifier can be
|
|
|
+ intercepted and used to impersonate the user after they complete the
|
|
|
+ authentication process. This is because most web containers maintain
|
|
|
+ the same session identifier for a given user, even after they switch
|
|
|
+ from HTTP to HTTPS pages.</para>
|
|
|
+
|
|
|
+ <para>If session hijacking is considered too significant a risk for
|
|
|
+ your particular application, the only option is to use HTTPS for every
|
|
|
+ request. This means the <literal>jsessionid</literal> is never sent
|
|
|
+ across an insecure channel. You will need to ensure your
|
|
|
+ <literal>web.xml</literal>-defined
|
|
|
+ <literal><welcome-file></literal> points to a HTTPS location,
|
|
|
+ and the application never directs the user to a HTTP location. The
|
|
|
+ Acegi Security System for Spring provides a solution to assist with
|
|
|
+ the latter.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-channels-installation">
|
|
|
+ <title>Configuration</title>
|
|
|
+
|
|
|
+ <para>To utilise Acegi Security's channel security services, add the
|
|
|
+ following lines to <literal>web.xml</literal>:</para>
|
|
|
+
|
|
|
+ <para><programlisting><filter>
|
|
|
+ <filter-name>Acegi Channel Processing Filter</filter-name>
|
|
|
+ <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
|
|
|
+ <init-param>
|
|
|
+ <param-name>targetClass</param-name>
|
|
|
+ <param-value>net.sf.acegisecurity.securechannel.ChannelProcessingFilter</param-value>
|
|
|
+ </init-param>
|
|
|
+</filter>
|
|
|
+
|
|
|
+<filter-mapping>
|
|
|
+ <filter-name>Acegi Channel Processing Filter</filter-name>
|
|
|
+ <url-pattern>/*</url-pattern>
|
|
|
+</filter-mapping></programlisting></para>
|
|
|
+
|
|
|
+ <para>As usual when running <literal>FilterToBeanProxy</literal>, you
|
|
|
+ will also need to configure the filter in your application
|
|
|
+ context:</para>
|
|
|
+
|
|
|
+ <para><programlisting><bean id="channelProcessingFilter" class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter">
|
|
|
+ <property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property>
|
|
|
+ <property name="filterInvocationDefinitionSource">
|
|
|
+ <value>
|
|
|
+ CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
|
|
+ \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
|
|
|
+ \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
|
|
|
+ \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
|
|
|
+ \A.*\Z=REQUIRES_INSECURE_CHANNEL
|
|
|
+ </value>
|
|
|
+ </property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="channelDecisionManager" class="net.sf.acegisecurity.securechannel.ChannelDecisionManagerImpl">
|
|
|
+ <property name="channelProcessors">
|
|
|
+ <list>
|
|
|
+ <ref bean="secureChannelProcessor"/>
|
|
|
+ <ref bean="insecureChannelProcessor"/>
|
|
|
+ </list>
|
|
|
+ </property>
|
|
|
+</bean>
|
|
|
+
|
|
|
+<bean id="secureChannelProcessor" class="net.sf.acegisecurity.securechannel.SecureChannelProcessor"/>
|
|
|
+<bean id="insecureChannelProcessor" class="net.sf.acegisecurity.securechannel.InsecureChannelProcessor"/></programlisting></para>
|
|
|
+
|
|
|
+ <para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant
|
|
|
+ style paths are also supported by the
|
|
|
+ <literal>ChannelProcessingFilter</literal>.</para>
|
|
|
+
|
|
|
+ <para>The <literal>ChannelProcessingFilter</literal> operates by
|
|
|
+ filtering all web requests and determining the configuration
|
|
|
+ attributes that apply. It then delegates to the
|
|
|
+ <literal>ChannelDecisionManager</literal>. The default implementation,
|
|
|
+ <literal>ChannelDecisionManagerImpl</literal>, should suffice in most
|
|
|
+ cases. It simply delegates through the list of configured
|
|
|
+ <literal>ChannelProcessor</literal> instances. A
|
|
|
+ <literal>ChannelProcessor</literal> will review the request, and if it
|
|
|
+ is unhappy with the request (eg it was received across the incorrect
|
|
|
+ transport protocol), it will perform a redirect, throw an exception or
|
|
|
+ take whatever other action is appropriate.</para>
|
|
|
+
|
|
|
+ <para>Included with the Acegi Security System for Spring are two
|
|
|
+ concrete <literal>ChannelProcessor</literal> implementations:
|
|
|
+ <literal>SecureChannelProcessor</literal> ensures requests with a
|
|
|
+ configuration attribute of <literal>REQUIRES_SECURE_CHANNEL</literal>
|
|
|
+ are received over HTTPS, whilst
|
|
|
+ <literal>InsecureChannelProcessor</literal> ensures requests with a
|
|
|
+ configuration attribute of
|
|
|
+ <literal>REQUIRES_INSECURE_CHANNEL</literal> are received over HTTP.
|
|
|
+ Both implementations delegate to a
|
|
|
+ <literal>ChannelEntryPoint</literal> if the required transport
|
|
|
+ protocol is not used. The two <literal>ChannelEntryPoint</literal>
|
|
|
+ implementations included with Acegi Security simply redirect the
|
|
|
+ request to HTTP and HTTPS as appropriate. Appropriate defaults are
|
|
|
+ assigned to the <literal>ChannelProcessor</literal> implementations
|
|
|
+ for the configuration attribute keywords they respond to and the
|
|
|
+ <literal>ChannelEntryPoint</literal> they delegate to, although you
|
|
|
+ have the ability to override these using the application
|
|
|
+ context.</para>
|
|
|
+
|
|
|
+ <para>Note that the redirections are absolute (eg
|
|
|
+ http://www.company.com:8080/app/page), not relative (eg /app/page).
|
|
|
+ During testing it was discovered that Internet Explorer 6 Service Pack
|
|
|
+ 1 has a bug whereby it does not respond correctly to a redirection
|
|
|
+ instruction which also changes the port to use. Accordingly, absolute
|
|
|
+ URLs are used in conjunction with bug detection logic in the
|
|
|
+ <literal>PortResolverImpl</literal> that is wired up by default to
|
|
|
+ many Acegi Security beans. Please refer to the JavaDocs for
|
|
|
+ <literal>PortResolverImpl</literal> for further details.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-channels-usage">
|
|
|
+ <title>Usage</title>
|
|
|
+
|
|
|
+ <para>Once configured, using the channel security filter is very easy.
|
|
|
+ Simply request pages without regard to the protocol (ie HTTP or HTTPS)
|
|
|
+ or port (eg 80, 8080, 443, 8443 etc). Obviously you'll still need a
|
|
|
+ way of making the initial request (probably via the
|
|
|
+ <literal>web.xml</literal> <literal><welcome-file></literal> or
|
|
|
+ a well-known home page URL), but once this is done the filter will
|
|
|
+ perform redirects as defined by your application context.</para>
|
|
|
+
|
|
|
+ <para>You can also add your own <literal>ChannelProcessor</literal>
|
|
|
+ implementations to the <literal>ChannelDecisionManagerImpl</literal>.
|
|
|
+ For example, you might set a <literal>HttpSession</literal> attribute
|
|
|
+ when a human user is detected via a "enter the contents of this
|
|
|
+ graphic" procedure. Your <literal>ChannelProcessor</literal> would
|
|
|
+ respond to say <literal>REQUIRES_HUMAN_USER</literal> configuration
|
|
|
+ attributes and redirect to an appropriate entry point to start the
|
|
|
+ human user validation process if the <literal>HttpSession</literal>
|
|
|
+ attribute is not currently set.</para>
|
|
|
+
|
|
|
+ <para>To decide whether a security check belongs in a
|
|
|
+ <literal>ChannelProcessor</literal> or an
|
|
|
+ <literal>AccessDecisionVoter</literal>, remember that the former is
|
|
|
+ designed to handle unauthenticated requests, whilst the latter is
|
|
|
+ designed to handle authenticated requests. The latter therefore has
|
|
|
+ access to the granted authorities of the authenticated principal. In
|
|
|
+ addition, problems detected by a <literal>ChannelProcessor</literal>
|
|
|
+ will generally cause a HTTP/HTTPS redirection so its requirements can
|
|
|
+ be met, whilst problems detected by an
|
|
|
+ <literal>AccessDecisionVoter</literal> will ultimately result in an
|
|
|
+ <literal>AccessDeniedException</literal> (depending on the governing
|
|
|
+ <literal>AccessDecisionManager</literal>).</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="acls">
|
|
|
+ <title>Instance-Based Access Control List (ACL) Security</title>
|
|
|
+
|
|
|
+ <sect2 id="acls-overview">
|
|
|
+ <title>Overview</title>
|
|
|
+
|
|
|
+ <para>THIS FEATURE WAS ADDED IN VERSION 0.6. WE WELCOME YOUR COMMENTS
|
|
|
+ AND IMPROVEMENTS.</para>
|
|
|
+
|
|
|
+ <para>Complex applications often will find the need to define access
|
|
|
+ permissions not simply at a web request or method invocation level.
|
|
|
+ Instead, security decisions need to comprise both who
|
|
|
+ (<literal>Authentication</literal>), where
|
|
|
+ (<literal>MethodInvocation</literal>) and what
|
|
|
+ (<literal>SomeDomainObject</literal>). In other words, authorization
|
|
|
+ decisions also need to consider the actual domain object instance
|
|
|
+ subject of a method invocation.</para>
|
|
|
+
|
|
|
+ <para>Imagine you're designing an application for a pet clinic. There
|
|
|
+ will be two main groups of users of your Spring-based application:
|
|
|
+ staff of the pet clinic, as well as the pet clinic's customers. The
|
|
|
+ staff will have access to all of the data, whilst your customers will
|
|
|
+ only be able to see their own customer records. To make it a little
|
|
|
+ more interesting, your customers can allow other users to see their
|
|
|
+ customer records, such as their "puppy preschool "mentor or president
|
|
|
+ of their local "Pony Club". Using Acegi Security System for Spring as
|
|
|
+ the foundation, you have several approaches that can be
|
|
|
+ used:<orderedlist>
|
|
|
+ <listitem>
|
|
|
+ <para>Write your business methods to enforce the security. You
|
|
|
+ could consult a collection within the
|
|
|
+ <literal>Customer</literal> domain object instance to determine
|
|
|
+ which users have access. By using the
|
|
|
+ <literal>ContextHolder.getContext()</literal> and casting it to
|
|
|
+ <literal>SecureContext</literal>, you'll be able to access the
|
|
|
+ <literal>Authentication</literal> object.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Write an <literal>AccessDecisionVoter</literal> to enforce
|
|
|
+ the security from the <literal>GrantedAuthority[]</literal>s
|
|
|
+ stored in the <literal>Authentication</literal> object. This
|
|
|
+ would mean your <literal>AuthenticationManager</literal> would
|
|
|
+ need to populate the <literal>Authentication</literal> with
|
|
|
+ custom <literal>GrantedAuthority</literal>[]s representing each
|
|
|
+ of the <literal>Customer</literal> domain object instances the
|
|
|
+ principal has access to.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Write an <literal>AccessDecisionVoter</literal> to enforce
|
|
|
+ the security and open the target <literal>Customer</literal>
|
|
|
+ domain object directly. This would mean your voter needs access
|
|
|
+ to a DAO that allows it to retrieve the
|
|
|
+ <literal>Customer</literal> object. It would then access the
|
|
|
+ <literal>Customer</literal> object's collection of approved
|
|
|
+ users and make the appropriate decision.</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist></para>
|
|
|
+
|
|
|
+ <para>Each one of these approaches is perfectly legitimate. However,
|
|
|
+ the first couples your authorization checking to your business code.
|
|
|
+ The main problems with this include the enhanced difficulty of unit
|
|
|
+ testing and the fact it would be more difficult to reuse the
|
|
|
+ <literal>Customer</literal> authorization logic elsewhere. Obtaining
|
|
|
+ the <literal>GrantedAuthority[]</literal>s from the
|
|
|
+ <literal>Authentication</literal> object is also fine, but will not
|
|
|
+ scale to large numbers of <literal>Customer</literal>s. If a user
|
|
|
+ might be able to access 5,000 <literal>Customer</literal>s (unlikely
|
|
|
+ in this case, but imagine if it were a popular vet for a large Pony
|
|
|
+ Club!) the amount of memory consumed and time required to construct
|
|
|
+ the <literal>Authentication</literal> object would be undesirable. The
|
|
|
+ final method, opening the <literal>Customer</literal> directly from
|
|
|
+ external code, is probably the best of the three. It achieves
|
|
|
+ separation of concerns, and doesn't misuse memory or CPU cycles, but
|
|
|
+ it is still inefficient in that both the
|
|
|
+ <literal>AccessDecisionVoter</literal> and the eventual business
|
|
|
+ method itself will perform a call to the DAO responsible for
|
|
|
+ retrieving the <literal>Customer</literal> object. Two accesses per
|
|
|
+ method invocation is clearly undesirable. In addition, with every
|
|
|
+ approach listed you'll need to write your own access control list
|
|
|
+ (ACL) persistence and business logic from scratch.</para>
|
|
|
+
|
|
|
+ <para>Fortunately, there is another alternative, which we'll talk
|
|
|
+ about below.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="acls-acl-package">
|
|
|
+ <title>The net.sf.acegisecurity.acl Package</title>
|
|
|
+
|
|
|
+ <para>The <literal>net.sf.acegisecurity.acl</literal> package is very
|
|
|
+ simple, comprising only a handful of interfaces and a single class. It
|
|
|
+ provides the basic foundation for access control list (ACL) lookups.
|
|
|
+ The central interface is <literal>AclManager</literal>, which is
|
|
|
+ defined by two methods:</para>
|
|
|
+
|
|
|
+ <para><programlisting>public AclEntry[] getAcls(java.lang.Object domainInstance);
|
|
|
+public AclEntry[] getAcls(java.lang.Object domainInstance, Authentication authentication);</programlisting></para>
|
|
|
+
|
|
|
+ <para><literal>AclManager</literal> is intended to be used as a
|
|
|
+ collaborator against your business objects, or, more desirably,
|
|
|
+ <literal>AccessDecisionVoter</literal>s. This means you use Spring's
|
|
|
+ normal <literal>ApplicationContext</literal> features to wire up your
|
|
|
+ <literal>AccessDecisionVoter</literal> (or business method) with an
|
|
|
+ <literal>AclManager</literal>. Consideration was given to placing the
|
|
|
+ ACL information in the <literal>ContextHolder</literal>, but it was
|
|
|
+ felt this would be inefficient both in terms of memory usage as well
|
|
|
+ as the time spent loading potentially unused ACL information. The
|
|
|
+ trade-off of needing to wire up a collaborator for those objects
|
|
|
+ requiring ACL information is rather minor, particularly in a
|
|
|
+ Spring-managed application.</para>
|
|
|
+
|
|
|
+ <para>The first method of the <literal>AclManager</literal> will
|
|
|
+ return all ACLs applying to the domain object instance passed to it.
|
|
|
+ The second method does the same, but only returns those ACLs which
|
|
|
+ apply to the passed <literal>Authentication</literal> object.</para>
|
|
|
+
|
|
|
+ <para>The <literal>AclEntry</literal> interface returned by
|
|
|
+ <literal>AclManager</literal> is merely a marker interface. You will
|
|
|
+ need to provide an implementation that reflects that ACL permissions
|
|
|
+ for your application.</para>
|
|
|
+
|
|
|
+ <para>Rounding out the <literal>net.sf.acegisecurity.acl</literal>
|
|
|
+ package is an <literal>AclProviderManager</literal> class, with a
|
|
|
+ corresponding <literal>AclProvider</literal> interface.
|
|
|
+ <literal>AclProviderManager</literal> is a concrete implementation of
|
|
|
+ <literal>AclManager</literal>, which iterates through registered
|
|
|
+ <literal>AclProvider</literal>s. The first
|
|
|
+ <literal>AclProvider</literal> that indicates it can authoritatively
|
|
|
+ provide ACL information for the presented domain object instance will
|
|
|
+ be used. This is very similar to the
|
|
|
+ <literal>AuthenticationProvider</literal> interface used for
|
|
|
+ authentication.</para>
|
|
|
+
|
|
|
+ <para>With this background, let's now look at a usable ACL
|
|
|
+ implementation.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="acls-masking">
|
|
|
+ <title>Integer Masked ACLs</title>
|
|
|
+
|
|
|
+ <para>Acegi Security System for Spring includes a production-quality
|
|
|
+ ACL provider implementation. The implementation is based on integer
|
|
|
+ masking, which is commonly used for ACL permissions given its
|
|
|
+ flexibility and speed. Anyone who has used Unix's
|
|
|
+ <literal>chmod</literal> command will know all about this type of
|
|
|
+ permission masking (eg <literal>chmod 777</literal>). You'll find the
|
|
|
+ classes and interfaces for the integer masking ACL package under
|
|
|
+ <literal>net.sf.acegisecurity.acl.basic</literal>.</para>
|
|
|
+
|
|
|
+ <para>Extending the <literal>AclEntry</literal> interface is a
|
|
|
+ <literal>BasicAclEntry</literal> interface, with the main methods
|
|
|
+ shown below:</para>
|
|
|
+
|
|
|
+ <para><programlisting>public AclObjectIdentity getAclObjectIdentity();
|
|
|
+public AclObjectIdentity getAclObjectParentIdentity();
|
|
|
+public int getMask();
|
|
|
+public java.lang.Object getRecipient();</programlisting></para>
|
|
|
+
|
|
|
+ <para>As shown, each <literal>BasicAclEntry</literal> has four main
|
|
|
+ properties. The <literal>mask</literal> is the integer that represents
|
|
|
+ the permissions granted to the <literal>recipient</literal>. The
|
|
|
+ <literal>aclObjectIdentity</literal> is able to identify the domain
|
|
|
+ object instance for which the ACL applies, and the
|
|
|
+ <literal>aclObjectParentIdentity</literal> optionally specifies the
|
|
|
+ parent of the domain object instance. Multiple
|
|
|
+ <literal>BasicAclEntry</literal>s usually exist against a single
|
|
|
+ domain object instance, and as suggested by the parent identity
|
|
|
+ property, permissions granted higher in the object hierarchy will
|
|
|
+ trickle down and be inherited (unless blocked by integer zero).</para>
|
|
|
+
|
|
|
+ <para><literal>BasicAclEntry</literal> implementations typically
|
|
|
+ provide convenience methods, such as
|
|
|
+ <literal>isReadAllowed()</literal>, to avoid application classes
|
|
|
+ needing to perform bit masking themselves. The
|
|
|
+ <literal>SimpleAclEntry</literal> and
|
|
|
+ <literal>AbstractBasicAclEntry</literal> demonstrate and provide much
|
|
|
+ of this bit masking logic.</para>
|
|
|
+
|
|
|
+ <para>The <literal>AclObjectIdentity</literal> itself is merely a
|
|
|
+ marker interface, so you need to provide implementations for your
|
|
|
+ domain objects. However, the package does include a
|
|
|
+ <literal>NamedEntityObjectIdentity</literal> implementation which will
|
|
|
+ suit many needs. The <literal>NamedEntityObjectIdentity</literal>
|
|
|
+ identifies a given domain object instance by the classname of the
|
|
|
+ instance and the identity of the instance. A
|
|
|
+ <literal>NamedEntityObjectIdentity</literal> can be constructed
|
|
|
+ manually (by calling the constructor and providing the classname and
|
|
|
+ identity <literal>String</literal>s), or by passing in any domain
|
|
|
+ object that contains a <literal>getId()</literal> method.</para>
|
|
|
+
|
|
|
+ <para>The actual <literal>AclProvider</literal> implementation is
|
|
|
+ named <literal>BasicAclProvider</literal>. It has adopted a similar
|
|
|
+ design to that used by the authentication-related
|
|
|
+ <literal>DaoAuthenticationProvder</literal>. Specifically, you define
|
|
|
+ a <literal>BasicAclDao</literal> against the provider, so different
|
|
|
+ ACL repository types can be accessed in a pluggable manner. The
|
|
|
+ <literal>BasicAclProvider</literal> also supports pluggable cache
|
|
|
+ providers (with Acegi Security System for Spring including an
|
|
|
+ implementation that fronts EH-CACHE).</para>
|
|
|
+
|
|
|
+ <para>The <literal>BasicAclDao</literal> interface is very simple to
|
|
|
+ implement:</para>
|
|
|
+
|
|
|
+ <para><programlisting>public BasicAclEntry[] getAcls(AclObjectIdentity aclObjectIdentity);</programlisting></para>
|
|
|
+
|
|
|
+ <para>A <literal>BasicAclDao</literal> implementation needs to
|
|
|
+ understand the presented <literal>AclObjectIdentity</literal> and how
|
|
|
+ it maps to a storage repository, find the relevant records, and create
|
|
|
+ appropriate <literal>BasicAclEntry</literal> objects and return
|
|
|
+ them.</para>
|
|
|
+
|
|
|
+ <para>Acegi Security includes a single <literal>BasicAclDao</literal>
|
|
|
+ implementation called <literal>JdbcDaoImpl</literal>. As implied by
|
|
|
+ the name, it accesses ACL information from a JDBC database. The
|
|
|
+ default database schema and some sample data will aid in understanding
|
|
|
+ its function:</para>
|
|
|
+
|
|
|
+ <para><programlisting>CREATE TABLE acl_object_identity (
|
|
|
+ id IDENTITY NOT NULL,
|
|
|
+ object_identity VARCHAR_IGNORECASE(250) NOT NULL,
|
|
|
+ parent_object INTEGER,
|
|
|
+ acl_class VARCHAR_IGNORECASE(250) NOT NULL,
|
|
|
+ CONSTRAINT unique_object_identity UNIQUE(object_identity),
|
|
|
+ FOREIGN KEY (parent_object) REFERENCES acl_object_identity(id)
|
|
|
+);
|
|
|
+
|
|
|
+CREATE TABLE acl_permission (
|
|
|
+ id IDENTITY NOT NULL,
|
|
|
+ acl_object_identity INTEGER NOT NULL,
|
|
|
+ recipient VARCHAR_IGNORECASE(100) NOT NULL,
|
|
|
+ mask INTEGER NOT NULL,
|
|
|
+ CONSTRAINT unique_recipient UNIQUE(acl_object_identity, recipient),
|
|
|
+ FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity(id)
|
|
|
+);
|
|
|
+
|
|
|
+INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
|
|
|
+INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
|
|
|
+INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
|
|
|
+INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
|
|
|
+INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
|
|
|
+INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
|
|
|
+
|
|
|
+INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1);
|
|
|
+INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0);
|
|
|
+INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2);
|
|
|
+INSERT INTO acl_permission VALUES (null, 3, 'scott', 14);
|
|
|
+INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);</programlisting></para>
|
|
|
+
|
|
|
+ <para>As can be seen, database-specific constraints are used
|
|
|
+ extensively to ensure the integrity of the ACL information. If you
|
|
|
+ need to use a different database (Hypersonic SQL statements are shown
|
|
|
+ above), you should try to implement equivalent constraints.</para>
|
|
|
+
|
|
|
+ <para>The <literal>JdbcDaoImpl</literal> will only respond to requests
|
|
|
+ for <literal>NamedEntityObjectIdentity</literal>s. It converts such
|
|
|
+ identities into a single <literal>String</literal>, comprising
|
|
|
+ the<literal> NamedEntityObjectIdentity.getClassname()</literal> +
|
|
|
+ <literal>":"</literal> +
|
|
|
+ <literal>NamedEntityObjectIdentity.getId()</literal>. This yields the
|
|
|
+ type of <literal>object_identity</literal> values shown above. As
|
|
|
+ indicated by the sample data, each database row corresponds to a
|
|
|
+ single <literal>BasicAclEntry</literal>. As stated earlier and
|
|
|
+ demonstrated by <literal>corp.DomainObject:2</literal> in the above
|
|
|
+ sample data, each domain object instance will often have multiple
|
|
|
+ <literal>BasicAclEntry</literal>[]s.</para>
|
|
|
+
|
|
|
+ <para>As <literal>JdbcDaoImpl</literal> is required to return concrete
|
|
|
+ <literal>BasicAclEntry</literal> classes, it needs to know which
|
|
|
+ <literal>BasicAclEntry</literal> implementation it is to create and
|
|
|
+ populate. This is the role of the <literal>acl_class</literal> column.
|
|
|
+ <literal>JdbcDaoImpl</literal> will create the indicated class and set
|
|
|
+ its <literal>mask</literal>, <literal>recipient</literal>,
|
|
|
+ <literal>aclObjectIdentity</literal> and
|
|
|
+ <literal>aclObjectParentIdentity</literal> properties.</para>
|
|
|
+
|
|
|
+ <para>As you can probably tell from the sample data, the
|
|
|
+ <literal>parent_object_identity</literal> value can either be null or
|
|
|
+ in the same format as the <literal>object_identity</literal>. If
|
|
|
+ non-null, <literal>JdbcDaoImpl</literal> will create a
|
|
|
+ <literal>NamedEntityObjectIdentity</literal> to place inside the
|
|
|
+ returned <literal>BasicAclEntry</literal> class.</para>
|
|
|
+
|
|
|
+ <para>Returning to the <literal>BasicAclProvider</literal>, before it
|
|
|
+ can poll the <literal>BasicAclDao</literal> implementation it needs to
|
|
|
+ convert the domain object instance it was passed into an
|
|
|
+ <literal>AclObjectIdentity</literal>.
|
|
|
+ <literal>BasicAclProvider</literal> has a <literal>protected
|
|
|
+ AclObjectIdentity obtainIdentity(Object domainInstance)</literal>
|
|
|
+ method that is responsible for this. As a protected method, it enables
|
|
|
+ subclasses to easily override. The normal implementation checks
|
|
|
+ whether the passed domain object instance implements the
|
|
|
+ <literal>AclObjectIdentityAware</literal> interface, which is merely a
|
|
|
+ getter for an <literal>AclObjectIdentity</literal>. If the domain
|
|
|
+ object does implement this interface, that is the identity returned.
|
|
|
+ If the domain object does not implement this interface, the method
|
|
|
+ will attempt to create an <literal>AclObjectIdentity</literal> by
|
|
|
+ passing the domain object instance to the constructor of a class
|
|
|
+ defined by the
|
|
|
+ <literal>BasicAclProvider.getDefaultAclObjectIdentity()</literal>
|
|
|
+ method. By default the defined class is
|
|
|
+ <literal>NamedEntityObjectIdentity</literal>, which was described in
|
|
|
+ more detail above. Therefore, you will need to either (i) provide a
|
|
|
+ <literal>getId()</literal> method on your domain objects, (ii)
|
|
|
+ implement <literal>AclObjectIdentityAware</literal> on your domain
|
|
|
+ objects, (iii) provide an alternative
|
|
|
+ <literal>AclObjectIdentity</literal> implementation that will accept
|
|
|
+ your domain object in its constructor, or (iv) override the
|
|
|
+ <literal>obtainIdentity(Object)</literal> method.</para>
|
|
|
+
|
|
|
+ <para>Once the <literal>AclObjectIdentity</literal> of the domain
|
|
|
+ object instance is determined, the <literal>BasicAclProvider</literal>
|
|
|
+ will poll the DAO to obtain its <literal>BasicAclEntry</literal>[]s.
|
|
|
+ If any of the entries returned by the DAO indicate there is a parent,
|
|
|
+ that parent will be polled, and the process will repeat until there is
|
|
|
+ no further parent. The permissions assigned to a
|
|
|
+ <literal>recipient</literal> closest to the domain object instance
|
|
|
+ will always take priority and override any inherited permissions. From
|
|
|
+ the sample data above, the following inherited permissions would
|
|
|
+ apply:</para>
|
|
|
+
|
|
|
+ <para><programlisting>--- Mask integer 0 = no permissions
|
|
|
+--- Mask integer 1 = administer
|
|
|
+--- Mask integer 2 = read
|
|
|
+--- Mask integer 6 = read and write permissions
|
|
|
+--- Mask integer 14 = read and write and create permissions
|
|
|
+
|
|
|
+---------------------------------------------------------------------
|
|
|
+--- *** INHERITED RIGHTS FOR DIFFERENT INSTANCES AND RECIPIENTS ***
|
|
|
+--- INSTANCE RECIPIENT PERMISSION(S) (COMMENT #INSTANCE)
|
|
|
+---------------------------------------------------------------------
|
|
|
+--- 1 ROLE_SUPERVISOR Administer
|
|
|
+--- 2 ROLE_SUPERVISOR None (overrides parent #1)
|
|
|
+--- marissa Read
|
|
|
+--- 3 ROLE_SUPERVISOR Administer (from parent #1)
|
|
|
+--- scott Read, Write, Create
|
|
|
+--- 4 ROLE_SUPERVISOR Administer (from parent #1)
|
|
|
+--- 5 ROLE_SUPERVISOR Administer (from parent #3)
|
|
|
+--- scott Read, Write, Create (from parent #3)
|
|
|
+--- 6 ROLE_SUPERVISOR Administer (from parent #3)
|
|
|
+--- scott Administer (overrides parent #3)</programlisting></para>
|
|
|
+
|
|
|
+ <para>So the above explains how a domain object instance has its
|
|
|
+ <literal>AclObjectIdentity</literal> discovered, and the
|
|
|
+ <literal>BasicAclDao</literal> will be polled successively until an
|
|
|
+ array of inherited permissions is constructed for the domain object
|
|
|
+ instance. The final step is to determine the
|
|
|
+ <literal>BasicAclEntry</literal>[]s that are actually applicable to a
|
|
|
+ given <literal>Authentication</literal> object.</para>
|
|
|
+
|
|
|
+ <para>As you would recall, the <literal>AclManager</literal> (and all
|
|
|
+ delegates, up to and including <literal>BasicAclProvider</literal>)
|
|
|
+ provides a method which returns only those
|
|
|
+ <literal>BasicAclEntry</literal>[]s applying to a passed
|
|
|
+ <literal>Authentication</literal> object.
|
|
|
+ <literal>BasicAclProvider</literal> delivers this functionality by
|
|
|
+ delegating the filtering operation to an
|
|
|
+ <literal>EffectiveAclsResolver</literal> implementation. The default
|
|
|
+ implementation,
|
|
|
+ <literal>GrantedAuthorityEffectiveAclsResolver</literal>, will iterate
|
|
|
+ through the <literal>BasicAclEntry</literal>[]s and include only those
|
|
|
+ where the <literal>recipient</literal> is equal to either the
|
|
|
+ <literal>Authentication</literal>'s <literal>principal</literal> or
|
|
|
+ any of the <literal>Authentication</literal>'s
|
|
|
+ <literal>GrantedAuthority</literal>[]s. Please refer to the JavaDocs
|
|
|
+ for more information.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="acls-conclusion">
|
|
|
+ <title>Conclusion</title>
|
|
|
+
|
|
|
+ <para>Acegi Security's instance-specific ACL packages shield you from
|
|
|
+ much of the complexity of developing your own ACL approach. The
|
|
|
+ interfaces and classes detailed above provide a scalable, customisable
|
|
|
+ ACL solution that is decoupled from your application code. Whilst the
|
|
|
+ reference documentation may suggest complexity, the basic
|
|
|
+ implementation is able to support most typical applications
|
|
|
+ out-of-the-box.</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-filters">
|
|
|
+ <title>Filters</title>
|
|
|
+
|
|
|
+ <sect2 id="security-filters-overview">
|
|
|
+ <title>Overview</title>
|
|
|
+
|
|
|
+ <para>The Acegi Security System for Spring uses filters extensively.
|
|
|
+ Each filter is covered in detail in a respective section of this
|
|
|
+ document. This section includes information that applies to all
|
|
|
+ filters.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-filters-filtertobeanproxy">
|
|
|
+ <title>FilterToBeanProxy</title>
|
|
|
+
|
|
|
+ <para>Most filters are configured using the
|
|
|
+ <literal>FilterToBeanProxy</literal>. An example configuration from
|
|
|
+ <literal>web.xml</literal> follows:</para>
|
|
|
+
|
|
|
+ <para><programlisting><filter>
|
|
|
+ <filter-name>Acegi HTTP Request Security Filter</filter-name>
|
|
|
+ <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
|
|
|
+ <init-param>
|
|
|
+ <param-name>targetClass</param-name>
|
|
|
+ <param-value>net.sf.acegisecurity.ClassThatImplementsFilter</param-value>
|
|
|
+ </init-param>
|
|
|
+</filter></programlisting></para>
|
|
|
+
|
|
|
+ <para>Notice that the filter in <literal>web.xml</literal> is actually
|
|
|
+ a <literal>FilterToBeanProxy</literal>, and not the filter that will
|
|
|
+ actually implements the logic of the filter. What
|
|
|
+ <literal>FilterToBeanProxy</literal> does is delegate the
|
|
|
+ <literal>Filter</literal>'s methods through to a bean which is
|
|
|
+ obtained from the Spring application context. This enables the bean to
|
|
|
+ benefit from the Spring application context lifecycle support and
|
|
|
+ configuration flexibility. The bean must implement
|
|
|
+ <literal>javax.servlet.Filter</literal>.</para>
|
|
|
+
|
|
|
+ <para>The <literal>FilterToBeanProxy</literal> only requires a single
|
|
|
+ initialization parameter, <literal>targetClass</literal> or
|
|
|
+ <literal>targetBean</literal>. The <literal>targetClass</literal>
|
|
|
+ parameter locates the first object in the application context of the
|
|
|
+ specified class, whilst <literal>targetBean</literal> locates the
|
|
|
+ object by bean name. Like standard Spring web applications, the
|
|
|
+ <literal>FilterToBeanProxy</literal> accesses the application context
|
|
|
+ via<literal>
|
|
|
+ WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>,
|
|
|
+ so you should configure a <literal>ContextLoaderListener</literal> in
|
|
|
+ <literal>web.xml</literal>.</para>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="security-filters-order">
|
|
|
+ <title>Filter Ordering</title>
|
|
|
+
|
|
|
+ <para>The order that filters are defined in <literal>web.xml</literal>
|
|
|
+ is important.</para>
|
|
|
+
|
|
|
+ <para>Irrespective of which filters you are actually using, the order
|
|
|
+ of the <literal><filter-mapping></literal>s should be as
|
|
|
+ follows:</para>
|
|
|
+
|
|
|
+ <orderedlist>
|
|
|
+ <listitem>
|
|
|
+ <para>Acegi Channel Processing Filter
|
|
|
+ (<literal>ChannelProcessingFilter</literal>)</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Acegi Authentication Processing Filter
|
|
|
+ (<literal>AuthenticationProcessingFilter</literal>)</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Acegi CAS Processing Filter
|
|
|
+ (<literal>CasProcessingFilter</literal>)</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Acegi HTTP BASIC Authorization Filter
|
|
|
+ (<literal>BasicProcessingFilter</literal>)</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Acegi Security System for Spring Auto Integration Filter
|
|
|
+ (<literal>AutoIntegrationFilter</literal>)</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Acegi HTTP Request Security Filter
|
|
|
+ (<literal>SecurityEnforcementFilter</literal>)</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist>
|
|
|
+
|
|
|
+ <para>All of the above filters use
|
|
|
+ <literal>FilterToBeanProxy</literal>, which is discussed in the
|
|
|
+ previous section.</para>
|
|
|
+
|
|
|
+ <para>If you're using SiteMesh, ensure the Acegi Security filters
|
|
|
+ execute before the SiteMesh filters are called. This enables the
|
|
|
+ <literal>ContextHolder</literal> to be populated in time for use by
|
|
|
+ SiteMesh decorators.</para>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-sample">
|
|
|
+ <title>Contacts Sample Application</title>
|
|
|
+
|
|
|
+ <para>Included with the Acegi Security System for Spring is a very
|
|
|
+ simple application that can demonstrate the basic security facilities
|
|
|
+ provided by the system (and confirm your Container Adapter is properly
|
|
|
+ configured if you're using one).</para>
|
|
|
+
|
|
|
+ <para>The Contacts sample application includes two deployable versions:
|
|
|
+ <literal>contacts.war</literal> is configured with the HTTP Session
|
|
|
+ Authentication approach, and does not use Container Adapters. The
|
|
|
+ <literal>contacts-container-adapter.war</literal> is configured to use a
|
|
|
+ Container Adapter. If you're just wanting to see how the sample
|
|
|
+ application works, please use <literal>contacts.war</literal> as it does
|
|
|
+ not require special configuration of your container.</para>
|
|
|
+
|
|
|
+ <para>If you are going to use the
|
|
|
+ <literal>contacts-container-adapter.war</literal> version, first
|
|
|
+ configure your container as described in the Container Adapters section
|
|
|
+ of this chapter. Do not modify <literal>acegisecurity.xml</literal>. It
|
|
|
+ contains a very basic in-memory authentication configuration that is
|
|
|
+ compatible with the sample application.</para>
|
|
|
+
|
|
|
+ <para>To deploy, simply copy the relevant
|
|
|
+ <literal>contacts.war</literal> or
|
|
|
+ <literal>contacts-container-adapter.war</literal> file from the Acegi
|
|
|
+ Security System for Spring distribution into your container’s
|
|
|
+ <literal>webapps</literal> directory.</para>
|
|
|
+
|
|
|
+ <para>After starting your container, check the application can load.
|
|
|
+ Visit <literal>http://localhost:8080/contacts</literal> (or whichever
|
|
|
+ URL is appropriate for your web container and the WAR you deployed). A
|
|
|
+ random contact should be displayed. Click "Refresh" several times and
|
|
|
+ you will see different contacts. The business method that provides this
|
|
|
+ random contact is not secured.</para>
|
|
|
+
|
|
|
+ <para>Next, click "Debug". You will be prompted to authenticate, and a
|
|
|
+ series of usernames and passwords are suggested on that page. Simply
|
|
|
+ authenticate with any of these and view the resulting page. It should
|
|
|
+ contain a success message similar to the following:</para>
|
|
|
+
|
|
|
+ <blockquote>
|
|
|
+ <para>Context on ContextHolder is of type:
|
|
|
+ net.sf.acegisecurity.context.SecureContextImpl</para>
|
|
|
+
|
|
|
+ <para>The Context implements SecureContext.</para>
|
|
|
+
|
|
|
+ <para>Authentication object is of type:
|
|
|
+ net.sf.acegisecurity.adapters.PrincipalAcegiUserToken</para>
|
|
|
+
|
|
|
+ <para>Authentication object as a String:
|
|
|
+ net.sf.acegisecurity.adapters.PrincipalAcegiUserToken@e9a7c2:
|
|
|
+ Username: marissa; Password: [PROTECTED]; Authenticated: true; Granted
|
|
|
+ Authorities: ROLE_TELLER, ROLE_SUPERVISOR</para>
|
|
|
+
|
|
|
+ <para>Authentication object holds the following granted
|
|
|
+ authorities:</para>
|
|
|
+
|
|
|
+ <para>ROLE_TELLER (getAuthority(): ROLE_TELLER)</para>
|
|
|
+
|
|
|
+ <para>ROLE_SUPERVISOR (getAuthority(): ROLE_SUPERVISOR)</para>
|
|
|
+
|
|
|
+ <para>SUCCESS! Your [container adapter|web filter] appears to be
|
|
|
+ properly configured!</para>
|
|
|
+ </blockquote>
|
|
|
+
|
|
|
+ <para>If you receive a different message, and deployed
|
|
|
+ <literal>contacts-container-adapter.war</literal>, check you have
|
|
|
+ properly configured your Container Adapter. Refer to the instructions
|
|
|
+ provided above.</para>
|
|
|
+
|
|
|
+ <para>Once you successfully receive the above message, return to the
|
|
|
+ sample application's home page and click "Manage". You can then try out
|
|
|
+ the application. Notice that only the contacts belonging to the
|
|
|
+ currently logged on user are displayed, and only users with
|
|
|
+ <literal>ROLE_SUPERVISOR</literal> are granted access to delete their
|
|
|
+ contacts. Behind the scenes, the
|
|
|
+ <literal>MethodSecurityInterceptor</literal> is securing the business
|
|
|
+ objects. If you're using <literal>contacts.war</literal>, the
|
|
|
+ <literal>FilterSecurityInterceptor</literal> is also securing the HTTP
|
|
|
+ requests. If using <literal>contacts.war</literal>, be sure to try
|
|
|
+ visiting <literal>http://localhost:8080/contacts/secure/super</literal>,
|
|
|
+ which will demonstrate access being denied by the
|
|
|
+ <literal>SecurityEnforcementFilter</literal>.</para>
|
|
|
+
|
|
|
+ <para>The Contacts sample application also include a
|
|
|
+ <literal>client</literal> directory. Inside you will find a small
|
|
|
+ application that queries the backend business objects using the Hessian
|
|
|
+ and Burlap protocols. This demonstrates how to use the Acegi Security
|
|
|
+ System for Spring for authentication with Spring remoting protocols. To
|
|
|
+ try this client, ensure your servlet container is still running the
|
|
|
+ Contacts sample application, and then execute <literal>client marissa
|
|
|
+ marissa koala</literal>. The command-line parameters respectively
|
|
|
+ represent the owner of the contacts to extract, the username to use, and
|
|
|
+ the password to use. Note that you may need to edit
|
|
|
+ <literal>client.properties</literal> to use a different target URL. To
|
|
|
+ see that security does indeed work, try running <literal>client scott
|
|
|
+ marissa koala</literal>, which will try to obtain
|
|
|
+ <literal>scott</literal>'s contacts when authenticating as
|
|
|
+ <literal>marissa</literal>. To see it work properly, use <literal>client
|
|
|
+ scott scott wombat</literal>.</para>
|
|
|
+
|
|
|
+ <para>Please note the sample application's <literal>client</literal>
|
|
|
+ does not currently support CAS. You can still give it a try, though, if
|
|
|
+ you're ambitious: try <literal>client scott _cas_stateless_
|
|
|
+ YOUR-SERVICE-TICKET-ID-FOR-SCOTT</literal>.</para>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-become-involved">
|
|
|
+ <title>Become Involved</title>
|
|
|
+
|
|
|
+ <para>We welcome you to become involved in the Acegi Security System for
|
|
|
+ Spring project. There are many ways of contributing, including reading
|
|
|
+ the mailing list and responding to questions from other people, writing
|
|
|
+ new code, improving existing code, assisting with documentation, or
|
|
|
+ simply making suggestions.</para>
|
|
|
+
|
|
|
+ <para>SourceForge provides CVS services for the project, allowing
|
|
|
+ anybody to access the latest code. If you wish to contribute new code,
|
|
|
+ please observe the following requirements. These exist to maintain the
|
|
|
+ quality and consistency of the project:</para>
|
|
|
+
|
|
|
+ <itemizedlist>
|
|
|
+ <listitem>
|
|
|
+ <para>Run the Ant <literal>format</literal> task (or use a suitable
|
|
|
+ IDE plug-in) to convert your code into the project's consistent
|
|
|
+ style</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Ensure your code does not break any unit tests (run the Ant
|
|
|
+ <literal>tests</literal> target)</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Please use the container integration test system to test your
|
|
|
+ code in the project's officially supported containers</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>When writing a new container adapter, expand the container
|
|
|
+ integration test system to properly test it</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>If you have added new code, please provide suitable unit tests
|
|
|
+ (use <literal>ant clover.html</literal> to view coverage)</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Join the acegisecurity-developer and acegisecurity-cvs mailing
|
|
|
+ lists so you're in the loop</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Use CamelCase</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Add a CVS <literal>$Id: index.xml,v 1.3 2004/04/02 21:12:25
|
|
|
+ fbos Exp $</literal> tag to the JavaDocs for any new class you
|
|
|
+ create</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist>
|
|
|
+
|
|
|
+ <para>Mentioned above is our container integration test system, which
|
|
|
+ aims to test the Acegi Security System for Spring container adapters
|
|
|
+ with current, production versions of each container. Some containers
|
|
|
+ might not be supported due to difficulties with starting or stopping the
|
|
|
+ container within an Ant target. You will need to download the container
|
|
|
+ release files as specified in the integration test
|
|
|
+ <literal>readme.txt</literal> file. These files are intentionally
|
|
|
+ excluded from CVS due to their large size.</para>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="security-further">
|
|
|
+ <title>Further Information</title>
|
|
|
+
|
|
|
+ <para>Questions and comments on the Acegi Security System for Spring are
|
|
|
+ welcome. Please use the Spring Community Forum web site at
|
|
|
+ <literal>http://forum.springframework.org</literal>. You're also welcome
|
|
|
+ to join the acegisecurity-developer mailing list. Our project home page
|
|
|
+ (where you can obtain the latest release of the project and access to
|
|
|
+ CVS, mailing lists, forums etc) is at
|
|
|
+ <literal>http://acegisecurity.sourceforge.net</literal>.</para>
|
|
|
+ </sect1>
|
|
|
+ </chapter>
|
|
|
+</book>
|
Carlos Sanchez
