
Authentication & Authorisation

Pawan Modi
Senior R&D Engineer
modipawan8126@gmail.com

6/25/2009 Senior R&D Engineer Page 1


 How Web Security Works
 Basic Definitions / Acegi Terminology
 Acegi Introduction
 Acegi Web Security
 Authentication Object
 Authorization
 Filters
 FilterToBeanProxy
 FilterChainProxy
 Conclusion
 check if the resource is secured
 check if the requesting user has been authenticated
 check if the authenticated user is properly authorized to access the requested resource
 serve the requested resource.
 If the user has not been authenticated yet, walk through the login dialog.
 If anything is out of order, display the corresponding error page.
 If the resource is not secured, skip all the previously mentioned steps and serve the resource right away.


 Principal
▪ A principal generally means a user, device or some other
system which can perform an action in your application.

 Authentication
▪ Authentication pertains to the question “Who are you?”

 Authorization
▪ Authorization pertains to the question “What may you do?”
▪ This is achieved by making secured resources accessible to particular roles.
 Authentication object
▪ The Authentication object contains the username, password and the roles granted to the user.

 Authentication Manager
▪ The Authentication Manager creates and validates the Authentication object.

 AccessDecisionManager
▪ Access to resources is controlled by the AccessDecisionManager.
 Acegi Security provides comprehensive security services for J2EE-based enterprise software applications.

 Acegi depends on the Spring framework.

 Acegi configuration is done by associating JavaBeans with each other via an XML configuration file.

 Acegi Security supports a wide range of authentication models.

 Acegi Security provides a deep set of authorization capabilities.
 The basic problems with the J2EE and EJB security specifications are:
▪ Lack of the security depth required for enterprise applications.
▪ Security is not portable at the WAR or EAR level.

 Acegi Security overcomes these problems and also brings you dozens of other useful, entirely customisable security features.

 Acegi is able to plug in its security functionality in a modular way.



 Acegi security is implemented through the following four checks.
 Restricted Access Check
▪ Is the resource secured?

 Existing Authentication Check
▪ Has the user been authenticated?

 Authentication Request Check
▪ Are the correct username and password provided?

 Authorization Check
▪ Does the user have the required roles?



 The Authentication object is key to the Acegi framework.

 The Authentication object contains the username, password and the roles granted to the user.

 The Authentication object is created and validated by the AuthenticationManager.

 Access to resources is controlled by the AccessDecisionManager.
 Acegi Security supports a wide range of authentication models:
 HTTP BASIC authentication headers (an IETF RFC-based standard)

 HTTP Digest authentication headers (an IETF RFC-based standard)

 HTTP X.509 client certificate exchange (an IETF RFC-based standard)

 LDAP (a very common approach to cross-platform authentication needs, especially in large environments)

 Form-based authentication (for simple user interface needs)

 Computer Associates Siteminder

 JA-SIG Central Authentication Service (otherwise known as CAS, which is a popular open source single sign on system)

 Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)

 Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)

 Java Authentication and Authorization Service (JAAS)


 Anonymous authentication (allowing every call to automatically assume a particular security identity)

 Run-as authentication (which is useful if one call should proceed with a different security identity)

 Container integration with JBoss, Jetty, Resin and Tomcat (so you can still use Container Managed Authentication if desired)

 Your own authentication systems.


 Acegi Security includes one concrete GrantedAuthority implementation, GrantedAuthorityImpl.

 All Authentication implementations are required to store an array of GrantedAuthority objects.

 All AuthenticationProviders use GrantedAuthorityImpl to populate the Authentication object.

 GrantedAuthority objects are inserted into the Authentication object by the AuthenticationManager and are later read by AccessDecisionManagers when making authorization decisions.

 GrantedAuthority is an interface with only one method:

public String getAuthority();

 Acegi filters are critical; they are the backbone of the Acegi configuration.

 Acegi uses filters to enable web application security.

 Acegi security uses the following two basic filters:
▪ FilterToBeanProxy
▪ FilterChainProxy
 Most filters are configured using the FilterToBeanProxy.

 FilterToBeanProxy is the filter that goes into web.xml.

 This is not the filter that actually implements the logic.

 This filter delegates the Filter's methods to a bean which is obtained from the Spring application context.

 The bean must implement javax.servlet.Filter.



 FilterToBeanProxy only requires a single initialization parameter, either targetClass or targetBean.
▪ The targetClass parameter locates the first object of the specified class in the application context.
▪ The targetBean parameter locates the object by bean name.

 FilterToBeanProxy is a very useful class, but the problem is that the number of <filter> and <filter-mapping> entries required in web.xml explodes when using more than a few filters. Therefore it is strongly recommended to use FilterChainProxy.
 Acegi uses a chain of (at least) three filters to enable web application security.

 AuthenticationProcessingFilter
 HttpSessionContextIntegrationFilter
 ExceptionTranslationFilter
 FilterSecurityInterceptor

 Every HTTP request passes through a chain made of three filters.
 Filters are chained together by an object called the FilterChainProxy.
 FilterChainProxy creates and starts these filters.

 This proxy is configured in the configuration XML file.

 Any additional filters are added to the FilterChainProxy configuration list.
 FilterChainProxy will locate the first URI pattern that matches the current web request.
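The following wiring is an added example, not taken from the slides: the single FilterToBeanProxy entry in web.xml and the FilterChainProxy bean it delegates to, covering both the FilterToBeanProxy and the FilterChainProxy points above. It assumes Acegi 1.0.x package names (org.acegisecurity) and Spring 2.x bean XML; the bean ids, file name and path patterns are constructed.

```xml
<!-- web.xml: the only Acegi entry the servlet container sees. FilterToBeanProxy
     finds the FilterChainProxy bean by class (targetClass) and delegates
     doFilter() to it; no security logic lives here. -->
<filter>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Spring bean XML (constructed file, e.g. applicationContext-security.xml):
     FilterChainProxy takes the first pattern that matches the request URI
     and runs the named filter beans in the listed order. Order matters:
     HttpSessionContextIntegrationFilter must come first so later filters
     see the Authentication, and ExceptionTranslationFilter must come before
     FilterSecurityInterceptor so it can catch what the interceptor throws.
     The lowercase directive makes /Secure/x and /secure/x hit the same
     rule, so the patterns themselves must be written in lowercase. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /images/**=httpSessionContextIntegrationFilter
      /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
    </value>
  </property>
</bean>
```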

 AuthenticationProcessingFilter

 The first filter through which all HTTP requests pass.
 Handles the Authentication Request Check.
 Handles logging into the application.
 Validates username/password combinations.
 Uses the AuthenticationManager to do its work.
 Diagram representing AuthenticationProcessingFilter and its dependencies:
 AuthenticationProcessingFilter

 One of the beans configured in the
authenticationProcessingFilter is the
authenticationManager bean.
 This bean manages the various providers you configure.
 A provider is essentially a repository of usernames with
corresponding passwords and roles.
 Example: one provider could access an Active Directory for
employee credentials, while your second provider might
access a database for customer credentials.

 HttpSessionContextIntegrationFilter

 Maintains the Authentication object between requests and passes it to the AuthenticationManager and the AccessDecisionManager whenever needed.
 Propagates the established Authentication object through all requests.
 The filter wraps the Authentication object in a ThreadLocal and hands that wrapper over to the other filters in the chain.
 ExceptionTranslationFilter
 One of the two essential filters in the security system.
 Performs the Existing Authentication Check.
 Catches any authentication or authorization error.
▪ If the exception was caused by the absence of an Authentication object, i.e. the user has not logged in yet, then it spawns the configured AuthenticationEntryPoint to prompt the user for login.
▪ If the exception was caused by an authorization exception thrown by FilterSecurityInterceptor, i.e. the user is logged in but is not authorized for the requested resource, then it will send an SC_FORBIDDEN (HTTP 403) error to the browser.
 ExceptionTranslationFilter depends on FilterSecurityInterceptor to do its work.
 ExceptionTranslationFilter leaves all the hard work to its collaborators, i.e. FilterSecurityInterceptor and authenticationEntryPoint.

 FilterSecurityInterceptor
 FilterSecurityInterceptor is part of the securityEnforcementFilter.

 One of the two essential filters in the security system.

 Manages the Restricted Access Check and the Authorisation Check.

 Knows which resources are secure and which roles have access to them.

 FilterSecurityInterceptor uses the AuthenticationManager and AccessDecisionManager to do its work.

 In Acegi security the secured resources are called object definitions.

 AuthenticationManager
 The AM is of type ProviderManager and forms a proxy to the AuthenticationProvider.
 The Authentication object is created and validated by the AM.
 The AM is responsible for passing requests through a chain of AuthenticationProviders.
 An AuthenticationProvider validates the supplied username/password combination and extracts the role assigned to that user.
 An AuthenticationProvider is itself a proxy to an AuthenticationDao, which is basically a registry containing usernames, passwords and roles.
 AuthenticationDao comes in several types, such as in-memory, database via JDBC or even LDAP.
 In the Dao two default users (jklaassen and bouerj) have been defined, each with a different role.
 Multiple ProviderManagers can be associated with one AM.
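An added example, not from the slides, of the AuthenticationManager wiring described here and of the Authentication object / GrantedAuthority points earlier: a ProviderManager, a DaoAuthenticationProvider and an in-memory AuthenticationDao holding the two demo users, plus the login filter that feeds them. Class and property names follow Acegi 1.0.x (org.acegisecurity) with Spring 2.x bean XML; the bean ids, URLs, role names and password placeholders are constructed.

```xml
<!-- The AuthenticationManager: ProviderManager passes the request
     Authentication (username/password token from the login filter) to each
     provider in turn until one authenticates it or all have been tried. -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider"/>
    </list>
  </property>
</bean>

<!-- DaoAuthenticationProvider delegates the lookup to the DAO (property
     name userDetailsService in Acegi 1.0.x, authenticationDao in 0.x) and,
     on success, returns a populated Authentication whose authorities are
     GrantedAuthorityImpl objects built from the role names in the DAO.
     The passwordEncoder compares the submitted password against the stored
     hash; the default is plaintext comparison, so set one explicitly. -->
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="inMemoryDaoImpl"/>
  <property name="passwordEncoder">
    <bean class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/>
  </property>
</bean>

<!-- In-memory AuthenticationDao with the two demo users named on the slide.
     Each line is username=password,ROLE_A[,ROLE_B]; because of the encoder
     above the password field holds the SHA-1 hex digest (constructed
     placeholders here, not real hashes). -->
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap">
    <value>
      jklaassen=SHA1_HEX_PLACEHOLDER_1,ROLE_USER
      bouerj=SHA1_HEX_PLACEHOLDER_2,ROLE_SUPERVISOR
    </value>
  </property>
</bean>

<!-- The form-login filter hands the submitted credentials to the manager. -->
<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
  <property name="defaultTargetUrl" value="/"/>
  <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
```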

 AccessDecisionManager
 The ADM is responsible for authorization.
 Access to resources is controlled by the ADM.
 The ADM takes the available user information and decides whether to grant access.
 The ADM uses a Voter to determine whether the user will be authorized.
 The developer has to specify which role names should be handled by a specific voter by specifying the role prefix.
 Multiple voters can be associated with one AccessDecisionManager.
 So it is possible to let Acegi consult several different username/password registries (a mixture of LDAP, database and NT domain registries) with many different role names configured and voted on by several Voters.
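An added example, not from the slides, of the object definitions and the AccessDecisionManager discussed here and in the FilterSecurityInterceptor section: the interceptor lists which URL patterns require which roles, and an AffirmativeBased manager with a RoleVoter (scoped by its role prefix) decides. Acegi 1.0.x class names with Spring 2.x bean XML; the paths, bean ids and role names are constructed.

```xml
<!-- Object definitions: which URL patterns are secured and which config
     attributes (here role names) each one requires. First matching pattern
     wins, so the more specific /secure/admin/** must precede /secure/**.
     A request matching no pattern is not secured and is served directly,
     so a typo in a pattern silently leaves that resource open. -->
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /secure/admin/**=ROLE_SUPERVISOR
      /secure/**=ROLE_USER,ROLE_SUPERVISOR
    </value>
  </property>
</bean>

<!-- AffirmativeBased grants access as soon as one voter grants. RoleVoter
     votes only on attributes that start with its rolePrefix and abstains on
     everything else, so allowIfAllAbstainDecisions must stay false: with
     it true, an attribute the voter cannot read (say ROL_USER, a typo)
     would make every voter abstain and the request would be granted. -->
<bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false"/>
  <property name="decisionVoters">
    <list>
      <bean class="org.acegisecurity.vote.RoleVoter">
        <property name="rolePrefix" value="ROLE_"/>
      </bean>
    </list>
  </property>
</bean>
```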
 AuthenticationEntryPoint
 AuthenticationEntryPoint is a bean and part of the securityEnforcementFilter.

 Starting point of the authentication dialog.

 If the FilterSecurityInterceptor determines that there is no authentication object available, then the SecurityEnforcementFilter will pass control to the AuthenticationEntryPoint.

 The AuthenticationEntryPoint in this example is of type AuthenticationProcessingFilterEntryPoint.
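An added example, not from the slides, of the ExceptionTranslationFilter and the AuthenticationProcessingFilterEntryPoint it delegates to, as described here and in the ExceptionTranslationFilter section. Acegi 1.0.x class names with Spring 2.x bean XML; the login URL and bean ids are constructed.

```xml
<!-- ExceptionTranslationFilter sits in the chain just before the interceptor
     and translates what it throws: no Authentication in the context (user
     not logged in) starts the login dialog through the entry point;
     an AccessDeniedException for a logged-in user becomes HTTP 403. -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
</bean>

<!-- The entry point for form login redirects the browser to the login page.
     forceHttps=true makes that redirect use https even when the original
     request came in over http, so the login page, and the form it posts,
     are served over TLS rather than in clear text. -->
<bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl" value="/login.jsp"/>
  <property name="forceHttps" value="true"/>
</bean>
```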
 Acegi configuration is done by associating JavaBeans with each other via an XML configuration file.

 Acegi is able to plug in its security functionality in a modular way.

 The Authentication object contains the username, password and the roles granted to the user.

 The Authentication object is created and validated by the AuthenticationManager.

 Access to resources is controlled by the AccessDecisionManager.
 Acegi uses filters to enable web application security.

 Filters are chained together by an object called the FilterChainProxy.

 AuthenticationProcessingFilter makes use of the authenticationManager bean.

 ExceptionTranslationFilter catches any authentication or authorization error.

 FilterSecurityInterceptor knows which resources are secure and which roles have access to them.

 AuthenticationEntryPoint is a bean and part of the securityEnforcementFilter.
 http://www.acegisecurity.org/

 http://www.acegisecurity.org/guide/springsecurity.html#taglib

 http://www.tfo-eservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1-html.html

