WAM and the Java Stack
Disclaimer • This is a training NOT a presentation. • Be prepared to learn and participate in labs • Please ask questions • Prerequisites: • Basic Java knowledge • Basic Spring knowledge • LDS Account Integration Training – Part 1
Outline • Spring Security and Authorization • WAM (Web Access Management) • WAM integration w/o Spring Security • WAM integration w/ Spring Security
Review • Authentication vs. Authorization • Previously discussed authentication with Spring Security • Now focus on authorization with Spring Security
Authorization with Spring Security • http://static.springsource.org/spring-security/site/features.html • Comprehensive Authorization Services • HTTP requests authorization (securing urls) • @PreAuthorize annotation
Protecting Urls
• Example of protecting urls

    <sec:http security="none" pattern="/errors/accessDenied*"/>
    <!-- use-expressions="true" is required for hasRole()/isAuthenticated() in Spring Security 3.x -->
    <sec:http use-expressions="true">
        <sec:intercept-url access="hasRole('ROLE_ADMIN')" pattern="/secure/**" />
        <sec:intercept-url access="isAuthenticated()" pattern="**" />
        <sec:access-denied-handler error-page="/errors/accessDenied" />
    </sec:http>
????
• Fine grained authorization

    <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

    <sec:authorize access="hasRole('ROLE_CHICKEN')">
        Content only visible to users who have the "chicken" authority in their list of GrantedAuthority(s).
    </sec:authorize>

    <sec:authorize url="/chicken">
        Content only visible to users authorized to send requests to the "/chicken" URL.
    </sec:authorize>
@PreAuthorize annotation
• Scanning enabled with the following element:

    <sec:global-method-security pre-post-annotations="enabled"/>

• Some examples:

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void create(User newUser);

    @PreAuthorize("#user.username == authentication.username")
    public void doSomething(User user);
<lds-account:authorities-populators > </lds-account:authorities-populators>
Authorities Populators
• http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#Authorities_Populators
• Example

    <lds-account:authorities-populators include-defaults="false">
        <lds-account:member/>
        <lds-account:workforce/>
        <lds-account:role name="ROLE_USER" />
        <lds-account:custom ref="customAuthoritiesPopulator"/>
    </lds-account:authorities-populators>

TODO: show example of specifying on an authentication element
What is WAM? • WAM stands for Web Access Management • Authentication • Authentication management • Single Sign-on • Authorization • URL (coarse-grained) • Entitlements (fine-grained)
Injected Headers • WAM injected headers: • https://tech.lds.org/wiki/SSO_Injected_Headers • How the headers map with LDS Account (LDAP) attributes: • https://ldsteams.ldschurch.org/sites/wam/Implementation%20Details/HTTP%20Headers.aspx • Required headers • policy-ldsaccountid • policy-cn
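A servlet filter that refuses any request lacking the two required headers listed above, as an added example (it is not the Java Stack's WamContextFilter or any code from this training). The class name and the "wam."-prefixed request attributes are hypothetical; it assumes the javax.servlet 3.0 API and that the application is reachable only through WAM, so that the headers it reads were set by WAM.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical class): fail closed when the required WAM headers are absent. */
public class RequiredWamHeadersFilter implements Filter {

    // The two headers the slide lists as required.
    static final String[] REQUIRED = { "policy-ldsaccountid", "policy-cn" };

    /** Returns the single non-blank value of a header, or null if it is missing, blank or repeated. */
    static String singleValue(HttpServletRequest req, String name) {
        Enumeration<String> raw = req.getHeaders(name);
        if (raw == null) {
            return null; // container does not expose headers: treat as missing
        }
        List<String> values = Collections.list(raw);
        if (values.size() != 1) {
            return null; // absent, or ambiguous because the header was sent more than once
        }
        String value = values.get(0).trim();
        return value.isEmpty() ? null : value;
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        for (String name : REQUIRED) {
            String value = singleValue(req, name);
            if (value == null) {
                // No fallback to an anonymous or default identity.
                res.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing required SSO header");
                return;
            }
            req.setAttribute("wam." + name, value); // hypothetical attribute name
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```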
Wamulator • For complete documentation: • http://tech.lds.org/wiki/WAMulator • WAM Maven plugin provided to start/stop the wamulator
Stack / WAM integration w/o Spring Security
• code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-wam/index.html#Configuration

    <filter>
        <filter-name>wamContextFilter</filter-name>
        <filter-class>org.lds.stack.wam.filter.WamContextFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>wamContextFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
WamContext
• Accessed with:

    WamContextHolder.getWamContext();

• WamContext consists of 3 main parts:
• LdsAccountDetails object

    WamContextHolder.getWamContext().getLdsAccountDetails().getPreferredName();

• WamRequestProvider

    WamContextHolder.getWamContext().getWamRequestProvider().getCookieHeader();

• EntitlementService

    WamContextHolder.getWamContext().getEntitlementService()….
Lab 1 https://tech.lds.org/wiki/WAM_Integration_-_Part_1#Lab_1
Why WAM and Spring Security? • Spring Security provides • Full featured authorization system • Abstraction to authentication and authorization • Allows for complex fallback authentication systems • Facilitates proxy support
WAM Spring Security Integration
• Integration point

    <lds-account:wam>
        <intercept url TODO …
    </lds-account:wam>

    <sec:authentication-manager>
        <sec:authentication-provider ref="ldsAccountAuthenticationProvider" />
    </sec:authentication-manager>
Spring Security and WAM authorization • Spring provides programming tools • Full featured EL capabilities • Convenient annotations • Management central to the application
Spring Security EntryPoint • Simplifies WAM configuration / management • Utilizes WAM for authentication • User details injected if authenticated • Allows coarse-grained authorization to be managed within the application
Lab 2 https://tech.lds.org/wiki/WAM_Integration_-_Part_1#Lab_2
Conclusion • LDS Account rocks! • The Java Stack integration with LDS Account and Spring Security rocks!
Credit Where Credit is Due • http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html • Spring Security 3 – by Peter Mularien • http://en.wikipedia.org/wiki/