Pawan Modi
Senior R&D Engineer
modipawan8126@gmail.com
Authentication
▪ Authentication answers the question "Who are you?"
Authorization
▪ Authorization answers the question "What may you do?"
▪ In Acegi this is achieved by making secured resources (e.g. URL patterns)
accessible only to particular roles.
6/25/2009 Senior R&D Engineer Page 5
Authentication object
▪ An Authentication object contains the principal (username), the
credentials (password) and, once authenticated, the list of
GrantedAuthority objects (the roles granted to the user).
Authentication Manager
▪ The AuthenticationManager validates an unauthenticated Authentication
object (username and password) and returns a fully populated,
authenticated one, or throws an AuthenticationException.
AccessDecisionManager
▪ Access to secured resources is controlled by the
AccessDecisionManager.
Acegi Security provides comprehensive security services
for J2EE-based enterprise software applications.
Authorization Check
▪ Does the user have the required roles?
Computer Associates Siteminder
Acegi filters are critical: they are the backbone of the Acegi
configuration.
AuthenticationProcessingFilter
HttpSessionContextIntegrationFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
Every HTTP request passes through a chain made of these filters.
The filters are chained together by an object called the
FilterChainProxy.
FilterChainProxy is itself a servlet filter registered in web.xml; it
obtains the filter beans from the Spring application context, propagates
the servlet init/destroy calls to them and invokes them in the configured
order for each URL pattern it is mapped to.
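The following is an added example (not taken from the slides or from the Acegi project) of the Spring bean definition that wires the four filters named above into one chain, written for Acegi Security 1.0.x. The bean ids used for the individual filters are assumed to match beans defined elsewhere in the same application context, and the /images/** path is a placeholder for static content.

```xml
<!-- Added example: the FilterChainProxy bean, Acegi Security 1.0.x.
     The filter bean ids referenced here are assumed to be defined
     elsewhere in the same Spring application context. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <!-- Each line maps an Ant-style URL pattern to the comma-separated,
       ordered list of filter bean names that requests matching it pass
       through. Patterns are evaluated top to bottom, first match wins,
       so the most specific patterns come first. -->
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /images/**=#NONE#
      /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
    </value>
  </property>
</bean>
```

Order matters and is a security property, not a style choice: HttpSessionContextIntegrationFilter must be first so that the SecurityContext written by the login filter is saved back to the HttpSession on the way out, ExceptionTranslationFilter must sit before FilterSecurityInterceptor so that the AuthenticationException or AccessDeniedException the interceptor throws is caught and turned into a login redirect or a 403, and #NONE# should only ever be used for paths that really carry no protected content. The proxy is registered in web.xml through org.acegisecurity.util.FilterToBeanProxy with an init-param targetClass of org.acegisecurity.util.FilterChainProxy and a url-pattern of /*.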
AuthenticationProcessingFilter
Handles logging into the application (form-based login).
Acts only on requests to its login-processing URL (by default
/j_acegi_security_check); every other request passes straight through.
Handles the Authentication Request Check: it reads the submitted
username and password (request parameters j_username and j_password).
Validates the username/password combination by delegating to the
AuthenticationManager; on success the returned Authentication is placed
in the SecurityContextHolder and the user is redirected to the target
URL, on failure to the configured failure URL.
It must be placed after HttpSessionContextIntegrationFilter in the chain,
otherwise the authenticated context is never stored in the session.
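An added example, not from the slides, of the authenticationProcessingFilter bean for Acegi Security 1.0.x. The authenticationManager bean it references and the JSP paths are assumed for the example.

```xml
<!-- Added example: form-login filter bean, Acegi Security 1.0.x.
     The authenticationManager bean and the JSP paths are assumptions. -->
<bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <!-- the manager that actually validates the username/password pair -->
  <property name="authenticationManager" ref="authenticationManager"/>
  <!-- only requests to this URL are treated as login attempts; the login
       form posts j_username and j_password here -->
  <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
  <!-- where to send the user after a successful login when no request
       was saved before the login redirect -->
  <property name="defaultTargetUrl" value="/"/>
  <!-- always go to defaultTargetUrl instead of replaying the saved
       request; simpler to reason about for sensitive applications -->
  <property name="alwaysUseDefaultTargetUrl" value="true"/>
  <!-- one generic failure page: the same response for an unknown user
       and for a wrong password, so usernames cannot be enumerated -->
  <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
```

The matching login.jsp form needs only a POST to the filterProcessesUrl with fields named j_username and j_password. Since the password travels in the request body, the login URL should only be reachable over HTTPS; the entry point's forceHttps setting (see the AuthenticationEntryPoint slide) enforces that for the redirect to the form.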
Diagram representing AuthenticationProcessingFilter
and its dependencies:
AuthenticationProcessingFilter
One of the beans wired into the
authenticationProcessingFilter is the
authenticationManager bean.
This bean manages the AuthenticationProviders you configure.
A provider knows how to authenticate against one kind of user store,
i.e. a repository of usernames with corresponding passwords and roles.
Example: one provider could authenticate employees against an Active
Directory, while a second provider authenticates customers against a
database.
HttpSessionContextIntegrationFilter
Stores the SecurityContext in the HttpSession between requests and
restores it into the SecurityContextHolder at the start of each request;
it must run before any filter that reads or writes the context.
FilterSecurityInterceptor
In early Acegi releases FilterSecurityInterceptor was wrapped by the
SecurityEnforcementFilter; in Acegi 1.0 it is a standalone filter placed
last in the chain, after ExceptionTranslationFilter.
It knows which resources (URL patterns) are secured and which roles have
access to them, and asks the AccessDecisionManager to make the decision.
AuthenticationManager
The AM is of type ProviderManager and forms a front to one or more
AuthenticationProviders.
The Authentication object is validated by the AM.
The AM is responsible for passing the authentication request through its
chain of AuthenticationProviders: the first provider that supports the
request and authenticates it successfully wins; if every provider fails,
an AuthenticationException is thrown.
An AuthenticationProvider validates the submitted username/password
combination and loads the roles granted to that user.
The DaoAuthenticationProvider is itself a front to an AuthenticationDao
(renamed UserDetailsService in Acegi 1.0), which is basically a registry
containing usernames, passwords and roles.
Several AuthenticationDao implementations exist: in-memory, database via
JDBC, or LDAP.
In the example DAO two default users (jklaassen and bouerj) have been
defined, each with a different role.
Multiple AuthenticationProviders can be associated with one AM.
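Both the earlier slide on the authenticationManager bean (one provider for employees in a directory, one for customers in a database) and the ProviderManager description above are illustrated by the following added example, which is not taken from the slides or the Acegi project. It is written for Acegi Security 1.0.x; the directory host, base DN, service-account DN and password, the user DN pattern, the group attribute, the customerDataSource bean and the database schema are all placeholders assumed for this example.

```xml
<!-- Added example: a ProviderManager with two providers, Acegi 1.0.x.
     Host names, DNs, passwords, the DN pattern, the customerDataSource
     bean and the table layout are placeholders for this example. -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <!-- tried in order: the first provider that supports the request
           and authenticates it wins; if all fail the AM throws the last
           AuthenticationException -->
      <ref local="ldapAuthenticationProvider"/>
      <ref local="daoAuthenticationProvider"/>
    </list>
  </property>
</bean>

<!-- Provider 1 (employees): bind to the directory as the user, then read
     group membership to build the GrantedAuthority list -->
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg value="ldap://directory.example.internal:389/dc=example,dc=com"/>
  <!-- service account used only for the group lookup; keep it read-only -->
  <property name="managerDn" value="cn=acegi-lookup,ou=service,dc=example,dc=com"/>
  <property name="managerPassword" value="changeit"/>
</bean>

<bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg ref="initialDirContextFactory"/>
      <!-- {0} is replaced by the submitted username; the bind with the
           user's own password is the actual credential check -->
      <property name="userDnPatterns">
        <list><value>uid={0},ou=employees</value></list>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg ref="initialDirContextFactory"/>
      <constructor-arg value="ou=groups"/>
      <!-- each group the user is a member of becomes ROLE_ + upper-cased
           value of this attribute -->
      <property name="groupRoleAttribute" value="cn"/>
    </bean>
  </constructor-arg>
</bean>

<!-- Provider 2 (customers): look the user up in a database and compare
     the hashed password; the DAO is the registry of usernames,
     passwords and roles -->
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="customerUserDetailsService"/>
  <!-- never store or compare plaintext passwords: hash them, and salt
       the hash per user so equal passwords do not produce equal hashes -->
  <property name="passwordEncoder">
    <bean class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/>
  </property>
  <property name="saltSource">
    <bean class="org.acegisecurity.providers.dao.salt.ReflectionSaltSource">
      <property name="userPropertyToUse" value="username"/>
    </bean>
  </property>
</bean>

<bean id="customerUserDetailsService" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
  <!-- customerDataSource is assumed to be a javax.sql.DataSource bean.
       The default queries read users(username,password,enabled) and
       authorities(username,authority); override usersByUsernameQuery and
       authoritiesByUsernameQuery if the schema differs. -->
  <property name="dataSource" ref="customerDataSource"/>
</bean>
```

For the in-memory variant mentioned on the slide, replace the JdbcDaoImpl bean with org.acegisecurity.userdetails.memory.InMemoryDaoImpl and its userMap property, one "username=password,ROLE_X" line per user; that is adequate for a tutorial but not for production, because the passwords live in the application context file. Unsalted SHA-1 of a password is cheap to brute-force, so a salt source should always accompany ShaPasswordEncoder.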
AccessDecisionManager
The ADM is responsible for authorization.
Access to resources is controlled by the ADM.
The ADM takes the authenticated user's Authentication object and the
configuration attributes of the requested resource and decides whether
to grant access.
The ADM uses AccessDecisionVoters to decide: each voter returns
ACCESS_GRANTED, ACCESS_DENIED or ACCESS_ABSTAIN, and the ADM
implementation (AffirmativeBased, ConsensusBased or UnanimousBased)
turns the votes into a decision.
The developer specifies which role names a particular RoleVoter handles
by configuring its role prefix (default ROLE_); a voter abstains on
attributes that do not carry its prefix.
Multiple voters can be associated with one
AccessDecisionManager.
So it is possible to let Acegi consult several different
username/password registries (a mixture of LDAP, database and
NT domain registries) with many different role names
configured and voted on by several voters.
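An added example, not from the slides, of the authorization side for Acegi Security 1.0.x: the FilterSecurityInterceptor that declares which URL patterns require which attributes, and an AffirmativeBased AccessDecisionManager with several voters. The URL patterns, the GROUP_ prefix for directory-derived authorities and the authenticationManager bean are assumptions for this example.

```xml
<!-- Added example: URL authorization with several voters, Acegi 1.0.x.
     URL patterns, the GROUP_ prefix and the authenticationManager bean
     are assumptions for this example. -->
<bean id="filterSecurityInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <!-- pattern -> required configuration attributes; first match wins,
       so specific paths must precede the catch-all /** -->
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /admin/**=ROLE_ADMIN
      /hr/**=GROUP_HR
      /login.jsp=IS_AUTHENTICATED_ANONYMOUSLY
      /**=IS_AUTHENTICATED_FULLY
    </value>
  </property>
</bean>

<!-- AffirmativeBased: one ACCESS_GRANTED vote is enough; deny if every
     voter abstains (the default), so a typo in an attribute name, which
     no voter recognises, fails closed instead of open -->
<bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false"/>
  <property name="decisionVoters">
    <list>
      <!-- handles attributes starting with ROLE_ (e.g. from the database) -->
      <bean class="org.acegisecurity.vote.RoleVoter"/>
      <!-- handles attributes starting with GROUP_ (e.g. directory groups
           mapped with that prefix); abstains on everything else -->
      <bean class="org.acegisecurity.vote.RoleVoter">
        <property name="rolePrefix" value="GROUP_"/>
      </bean>
      <!-- handles IS_AUTHENTICATED_FULLY / _REMEMBERED / _ANONYMOUSLY -->
      <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
    </list>
  </property>
</bean>
```

Two checks are worth doing on any such configuration: that the catch-all /** line is last and present, since a URL matched by no pattern is not secured at all, and that allowIfAllAbstainDecisions stays false, because an attribute no voter claims would otherwise grant access to everyone. Switching the class to UnanimousBased makes every non-abstaining voter's approval mandatory, which is the safer choice when a path lists more than one attribute.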
AuthenticationEntryPoint
The AuthenticationEntryPoint is a bean used by the
ExceptionTranslationFilter (in older releases it was part of the
SecurityEnforcementFilter). When an unauthenticated user requests a
secured resource it starts the authentication process, e.g. by
redirecting the browser to the login form.
http://www.acegisecurity.org/guide/springsecurity.html#taglib
http://www.tfo-eservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1-html.html
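An added example, not from the slides, of the ExceptionTranslationFilter with its AuthenticationEntryPoint and an access-denied handler, for Acegi Security 1.0.x. The JSP paths are assumptions for this example.

```xml
<!-- Added example: exception translation and entry point, Acegi 1.0.x.
     The JSP paths are assumptions for this example. -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <!-- AuthenticationException (no or invalid credentials) from the
       interceptor: save the request and start authentication -->
  <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
  <!-- AccessDeniedException (authenticated but lacking the role):
       forward to an error page with HTTP 403 rather than the login form,
       so a logged-in user is not bounced into a re-login loop -->
  <property name="accessDeniedHandler">
    <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
      <property name="errorPage" value="/accessDenied.jsp"/>
    </bean>
  </property>
</bean>

<bean id="authenticationEntryPoint"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <!-- the form that posts to the AuthenticationProcessingFilter -->
  <property name="loginFormUrl" value="/login.jsp"/>
  <!-- redirect to the login form over HTTPS even when the original
       request was plain HTTP, so the password is never sent in clear -->
  <property name="forceHttps" value="true"/>
</bean>
```

With forceHttps enabled the entry point needs the container's HTTP and HTTPS ports to be known; Acegi maps 80 to 443 and 8080 to 8443 by default, and non-standard port pairs must be declared through the entry point's portMapper property.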