SlideShare ist ein Scribd-Unternehmen logo

Securing Portlets With Spring Security

Als ODP, PDF herunterladen
John Lewis
John Lewis

In this session, attendees will learn how to secure JSR-168 Portlets using the latest version of Acegi Security, called Spring Security 2.0. The 2.0 release of Spring Security includes new support for JSR-168 Portlet development. In this session we'll cover how the Acegi security model translates into the Portlet world, show how to configure the authentication provider for JSR-168 Portlets, and discuss the special interceptors for processing Portlet requests and for storing the security context in the Portlet session. Finally we'll show how Portlets and Servlets in the same webapp can share security context, which allows for secure AJAX calls and dynamic images from within Portlets.

TechnologieNews & Politik
1 von 44
Securing Portlets With Spring Security ,[object Object],[object Object],[object Object],[object Object],[object Object],© Copyright Unicon, Inc., 2007. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
JSR 168 Portlet Security What does the spec give us to work with?
Portal Authentication ,[object Object],[object Object],[object Object],String getRemoteUser() Principal getUserPrincipal()
Portal Authorization ,[object Object],[object Object],boolean isUserInRole(String)
Declaring Portal Roles ,[object Object],[object Object],... <security-role> <role-name>manager</role-name> </security-role> ...
Mapping Portal Roles To Portlet Roles ,[object Object],<portlet> <portlet-name>books</portlet-name> ... <security-role-ref> <role-name>ADMINISTRATOR</role-name> <role-link>manager</role-link> </security-role-ref> </portlet> Portlet Role Portal Role Warning! If you are storing your SecurityContext in the PortletSession with APPLICATION_SCOPE (more on this later) , make sure these are the same in all your <portlet> declarations – the first one to be invoked on a page will determine the mapping for all portlets in your webapp.
Security Constraints ,[object Object],<portlet-app> ... <portlet> <portlet-name>accountSummary</portlet-name> ... </portlet> ... <security-constraint> <display-name>Secure Portlets</display-name> <portlet-collection> <portlet-name>accountSummary</portlet-name> </portlet-collection> <user-data-constraint/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> ... </portlet-app>
Other Portlet Security Info ,[object Object],[object Object],[object Object],String getAuthType() boolean isSecure()
Portlet User Attributes ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Spring Security a.k.a Acegi Security A quick overview
What Is Spring Security? ,[object Object],[object Object],[object Object],[object Object],[object Object]
Spring Security Releases ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Applications Are Like Onions ,[object Object],[object Object],[object Object],[object Object],[object Object]
Spring Portlet Security Applying Spring Security to Portlets
Portlet Challenges ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Six Main Portlet Security Beans ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
PortletProcessingInterceptor <bean id=&quot;portletProcessingInterceptor&quot; class=&quot;org.springframework.security.ui.portlet. PortletProcessingInterceptor&quot;> <property name=&quot;authenticationManager&quot; ref=&quot;authenticationManager&quot; /> <property name=&quot;authenticationDetailsSource&quot; ref=&quot;portletAuthenticationDetailsSource&quot; / > </bean> ,[object Object],[object Object],Portlet equivalent of AuthenticationProcessingFilter used for traditional servlet web applications
AuthenticationManager <sec:authentication-manager alias=&quot;authenticationManager&quot; /> ,[object Object],[object Object],Can use multiple providers if you are authenticating from Portlets and Servlets
AuthenticationDetailsSource <bean name=” portletAuthenticationDetailsSource” class=&quot;org.springframework.security.ui.portlet. PortletPreAuthenticatedAuthenticationDetailsSource&quot;> <property name=&quot;mappableRolesRetriever&quot;> <bean class=&quot;org.springframework.security. authoritymapping.SimpleMappableAttributesRetriever&quot;> <property name=&quot;mappableAttributes&quot;> <list> <value>ADMIN</value> </list> </property> </bean> </property> </bean> ,[object Object],Only needed if we are using Portal Roles for our security decisions
AuthenticationProvider <bean id=&quot;portletAuthenticationProvider&quot; class=&quot;org.springframework.security.providers.preauth. PreAuthenticatedAuthenticationProvider&quot;> <sec:custom-authentication-provider /> <property name=&quot;preAuthenticatedUserDetailsService&quot; ref=&quot; preAuthenticatedUserDetailsService &quot; /> </bean> ,[object Object],[object Object]
UserDetailsService <bean name=&quot;preAuthenticatedUserDetailsService&quot; class=&quot;org.springframework.security.providers.preauth. PreAuthenticatedGrantedAuthoritiesUserDetailsService&quot; /> ,[object Object],[object Object],Can also use any other UserDetailsService that can populate UserDetails by username, such as JdbcUserDetailsManager or LdapUserDetailsManager
PortletSessionContextIntegrationInterceptor <bean id=&quot;portletSessionContextIntegrationInterceptor&quot; class=&quot;org.springframework.security.context. PortletSessionContextIntegrationInterceptor&quot; /> ,[object Object],[object Object],[object Object],Portlet equivalent of HttpSessionContextIntegrationFilter, used for traditional servlet web applications
Using The Two Interceptors <bean id=&quot;portletModeHandlerMapping&quot; class=&quot;org.springframework.web.portlet.handler. PortletModeHandlerMapping&quot;> <property name=&quot;interceptors&quot;> <list> <ref bean=&quot; portletSessionContextIntegrationInterceptor &quot;/> <ref bean=&quot; portletProcessingInterceptor &quot;/> </list> </property> <property name=&quot;portletModeMap&quot;> <map> <entry key=&quot;view&quot;><ref bean=&quot;viewController&quot;/></entry> <entry key=&quot;edit&quot;><ref bean=&quot;editController&quot;/></entry> <entry key=&quot;help&quot;><ref bean=&quot;helpController&quot;/></entry> </map> </property> </bean> ,[object Object],Warning! This ordering is critical – they will not work correctly if they are reversed!
Applying Portlet Security To The Rendering Layer Customizing our markup based on security information
Spring Security JSP TagLib <%@ taglib prefix=&quot;sec&quot; uri=&quot;http://www.springframework.org/security/tags&quot; %> <p>Username: <sec:authentication property=&quot;principal.username&quot;/></p> < sec :authorize ifAllGranted=&quot;ROLE_USER&quot;> <p>You are an authorized user of this system.</p> </ sec :authorize> <sec:authorize ifAllGranted=&quot;ROLE_ADMINISTRATOR&quot;> <p>You are an administrator of this system.</p> </sec:authorize> ,[object Object],[object Object],Warning: Don't rely on this to restrict access to areas of the application. Just because navigation doesn't appear in the markup doesn't mean a clever hacker can't generate a GET/POST that will still get there.
Applying Portlet Security To The Dispatch Layer Controlling where users can go in the application
Secure Portlet Request Dispatching ,[object Object],[object Object]
Using a HandlerInterceptor ,[object Object],[object Object],[object Object]
Using Annotations ,[object Object],[object Object],[object Object],<sec:global-method-security secured-annotations=&quot;enabled&quot; /> import org.springframework.security.annotation.Secured; ... @Secured({&quot;ROLE_ADMIN&quot;}) @RequestMapping(params=&quot;action=view&quot;) public String deleteItems(RequestParam(&quot;item&quot;) int itemId) { ...
Applying Portlet Security To The Service Layer Making sure Services are invoked by only by user with proper permissions
AccessDecisionManager <bean id=&quot;accessDecisionManager&quot; class=&quot;org.springframework.security.vote. AffirmativeBased&quot;> <property name=&quot;decisionVoters&quot;> <list> <bean class=&quot;org.springframework.security. vote.RoleVoter&quot; /> <bean class=&quot;org.springframework.security. vote.AuthenticatedVoter&quot; /> </list> </property> </bean> ,[object Object]
MethodSecurityInterceptor <bean id=&quot;myService&quot; class=&quot;sample.service.MyService&quot;> <sec:intercept-methods access-decision-manager-ref=&quot;accessDecisionManager&quot;> <sec:protect method=&quot;sample.service.MyService.*&quot; access=&quot;IS_AUTHENTICATED_FULLY&quot; /> <sec:protect method=&quot;sample.service.MyService.add*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> <sec:protect method=&quot;sample.service.MyService.del*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> <sec:protect method=&quot;sample.service.MyService.save*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> </sec:intercept-methods> </bean>
Applying Portlet Security To Servlets Using the whole web/portlet application as one secure bundle
Bridging The Gap ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Portlets & Servlets Sharing Session ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Tomcat 5.5.4 + On <Connector> element set emptySessionPath=true
Apply Servlet Filter Chain ,[object Object],<filter> <filter-name>securityFilterChainProxy</filter-name> <filter-class>org.springframework.web.filter. DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>securityFilterChainProxy</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
FilterChainProxy ,[object Object],<bean id=&quot;servletSecurityFilterChainProxy&quot; class=&quot;org.springframework.security.util. FilterChainProxy&quot;> <sec:filter-chain-map path-type=&quot;ant&quot;> <sec:filter-chain pattern=&quot;/**&quot; filters=&quot;httpSessionContextIntegrationFilter, exceptionTranslationFilter, filterSecurityInterceptor&quot; /> </sec:filter-chain-map> </bean>
HttpSessionContextIntegrationFilter ,[object Object],<bean id=&quot;httpSessionContextIntegrationFilter&quot; class=&quot;org.springframework.security.context. HttpSessionContextIntegrationFilter&quot; /> This will only work if PortletSessionContextIntegrationInterceptor is storing in the APPLICATION_SCOPE of the PortletSession (which is the default)
ExceptionTranslationFilter ,[object Object],[object Object],<bean id=&quot;exceptionTranslationFilter&quot; class=&quot;org.springframework.security.ui. ExceptionTranslationFilter&quot;> <property name=&quot;authenticationEntryPoint&quot;> <bean class=&quot;org.springframework.security.ui.preauth. PreAuthenticatedProcessingFilterEntryPoint&quot; /> </property> </bean>
FilterSecurityInterceptor ,[object Object],[object Object],<bean id=&quot;filterSecurityInterceptor&quot; class=&quot;org.springframework.security.intercept.web. FilterSecurityInterceptor&quot;> <property name=&quot;authenticationManager&quot; ref=&quot;authenticationManager&quot; /> <property name=&quot;accessDecisionManager&quot; ref=&quot;accessDecisionManager&quot; /> <property name=&quot;objectDefinitionSource&quot;> <sec:filter-invocation-definition-source> <sec:intercept-url pattern=&quot;/resources/**&quot; access=&quot;IS_AUTHENTICATED_FULLY&quot; /> </sec:filter-invocation-definition-source> </property> </bean>
Resources Places to go to actually use this stuff!
Resources ,[object Object],[object Object],[object Object],[object Object],[object Object],http://opensource.atlassian.com/confluence/spring/display/JSR168/
Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. [email_address] www.unicon.net

Empfohlen

Portlet Specification 3.0 Is Here!
Portlet Specification 3.0 Is Here! Portlet Specification 3.0 Is Here!
Portlet Specification 3.0 Is Here! Dev_Events
 
Java Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJava Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJohn Lewis
 
Introduction to java standard portlets
Introduction to java standard portletsIntroduction to java standard portlets
Introduction to java standard portletsRohan Faye
 
Servlet 3.0
Servlet 3.0Servlet 3.0
Servlet 3.0Minh Hoang
 
Portlets 2.0 JSR286
Portlets 2.0 JSR286Portlets 2.0 JSR286
Portlets 2.0 JSR286C2B2 Consulting
 
Developing JSR 286 Portlets
Developing JSR 286 PortletsDeveloping JSR 286 Portlets
Developing JSR 286 PortletsCris Holdorph
 
Spring 3.x - Spring MVC
Spring 3.x - Spring MVCSpring 3.x - Spring MVC
Spring 3.x - Spring MVCGuy Nir
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Arun Gupta
 

Empfohlen

Portlet Specification 3.0 Is Here!
Portlet Specification 3.0 Is Here! Portlet Specification 3.0 Is Here!
Portlet Specification 3.0 Is Here! Dev_Events
 
Java Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJava Portlet 2.0 (JSR 286) Specification
Java Portlet 2.0 (JSR 286) SpecificationJohn Lewis
 
Introduction to java standard portlets
Introduction to java standard portletsIntroduction to java standard portlets
Introduction to java standard portletsRohan Faye
 
Servlet 3.0
Servlet 3.0Servlet 3.0
Servlet 3.0Minh Hoang
 
Portlets 2.0 JSR286
Portlets 2.0 JSR286Portlets 2.0 JSR286
Portlets 2.0 JSR286C2B2 Consulting
 
Developing JSR 286 Portlets
Developing JSR 286 PortletsDeveloping JSR 286 Portlets
Developing JSR 286 PortletsCris Holdorph
 
Spring 3.x - Spring MVC
Spring 3.x - Spring MVCSpring 3.x - Spring MVC
Spring 3.x - Spring MVCGuy Nir
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Arun Gupta
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
JSF Component Behaviors
JSF Component BehaviorsJSF Component Behaviors
JSF Component BehaviorsAndy Schwartz
 
Servlet by Rj
Servlet by RjServlet by Rj
Servlet by RjShree M.L.Kakadiya MCA mahila college, Amreli
 
Java Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedJava Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedBG Java EE Course
 
Listeners and filters in servlet
Listeners and filters in servletListeners and filters in servlet
Listeners and filters in servletShree M.L.Kakadiya MCA mahila college, Amreli
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCJohn Lewis
 
Spring MVC
Spring MVCSpring MVC
Spring MVCyuvalb
 
Spring Portlet MVC
Spring Portlet MVCSpring Portlet MVC
Spring Portlet MVCJohn Lewis
 
Jsp in Servlet by Rj
Jsp in Servlet by RjJsp in Servlet by Rj
Jsp in Servlet by RjShree M.L.Kakadiya MCA mahila college, Amreli
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Arun Gupta
 
JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)Roger Kitain
 
A Complete Tour of JSF 2
A Complete Tour of JSF 2A Complete Tour of JSF 2
A Complete Tour of JSF 2Jim Driscoll
 
Identifing Listeners and Filters
Identifing Listeners and FiltersIdentifing Listeners and Filters
Identifing Listeners and FiltersPeople Strategists
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityIMC Institute
 
Jsf intro
Jsf introJsf intro
Jsf introvantinhkhuc
 
Servlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationServlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationsusant sahu
 
Rest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsRest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsCarol McDonald
 
Introduction To ASP.NET MVC
Introduction To ASP.NET MVCIntroduction To ASP.NET MVC
Introduction To ASP.NET MVCAlan Dean
 
Java Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXJava Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXIMC Institute
 
WEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES ServletWEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES ServletJyothishmathi Institute of Technology and Science Karimnagar
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injavatanujagrawal
 

Weitere ähnliche Inhalte

Was ist angesagt?

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
JSF Component Behaviors
JSF Component BehaviorsJSF Component Behaviors
JSF Component BehaviorsAndy Schwartz
 
Java Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedJava Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedBG Java EE Course
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCJohn Lewis
 
Spring MVC
Spring MVCSpring MVC
Spring MVCyuvalb
 
Spring Portlet MVC
Spring Portlet MVCSpring Portlet MVC
Spring Portlet MVCJohn Lewis
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Arun Gupta
 
JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)Roger Kitain
 
A Complete Tour of JSF 2
A Complete Tour of JSF 2A Complete Tour of JSF 2
A Complete Tour of JSF 2Jim Driscoll
 
Identifing Listeners and Filters
Identifing Listeners and FiltersIdentifing Listeners and Filters
Identifing Listeners and FiltersPeople Strategists
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityIMC Institute
 
Servlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationServlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationsusant sahu
 
Rest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsRest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsCarol McDonald
 
Introduction To ASP.NET MVC
Introduction To ASP.NET MVCIntroduction To ASP.NET MVC
Introduction To ASP.NET MVCAlan Dean
 
Java Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXJava Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXIMC Institute
 

Was ist angesagt? (20)

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
JSF Component Behaviors
JSF Component BehaviorsJSF Component Behaviors
JSF Component Behaviors
 
Servlet by Rj
Servlet by RjServlet by Rj
Servlet by Rj
 
Java Server Faces (JSF) - advanced
Java Server Faces (JSF) - advancedJava Server Faces (JSF) - advanced
Java Server Faces (JSF) - advanced
 
Listeners and filters in servlet
Listeners and filters in servletListeners and filters in servlet
Listeners and filters in servlet
 
Annotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVCAnnotation-Based Spring Portlet MVC
Annotation-Based Spring Portlet MVC
 
Spring MVC
Spring MVCSpring MVC
Spring MVC
 
Spring Portlet MVC
Spring Portlet MVCSpring Portlet MVC
Spring Portlet MVC
 
Jsp in Servlet by Rj
Jsp in Servlet by RjJsp in Servlet by Rj
Jsp in Servlet by Rj
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
 
JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)JSF 2.0 (JavaEE Webinar)
JSF 2.0 (JavaEE Webinar)
 
A Complete Tour of JSF 2
A Complete Tour of JSF 2A Complete Tour of JSF 2
A Complete Tour of JSF 2
 
Identifing Listeners and Filters
Identifing Listeners and FiltersIdentifing Listeners and Filters
Identifing Listeners and Filters
 
Java Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application SecurityJava Web Programming [9/9] : Web Application Security
Java Web Programming [9/9] : Web Application Security
 
Jsf intro
Jsf introJsf intro
Jsf intro
 
Servlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalizationServlets - filter, listeners, wrapper, internationalization
Servlets - filter, listeners, wrapper, internationalization
 
Rest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.jsRest with Java EE 6 , Security , Backbone.js
Rest with Java EE 6 , Security , Backbone.js
 
Introduction To ASP.NET MVC
Introduction To ASP.NET MVCIntroduction To ASP.NET MVC
Introduction To ASP.NET MVC
 
Java Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAXJava Web Programming [8/9] : JSF and AJAX
Java Web Programming [8/9] : JSF and AJAX
 
WEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES ServletWEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES Servlet
 

Ähnlich wie Securing Portlets With Spring Security

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injavatanujagrawal
 
Automated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XMLAutomated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XMLdiongillard
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Getting Started with Enterprise Library 3.0 in ASP.NET
Getting Started with Enterprise Library 3.0 in ASP.NETGetting Started with Enterprise Library 3.0 in ASP.NET
Getting Started with Enterprise Library 3.0 in ASP.NETPhilWinstanley
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptaljbsysatm
 
Spring training
Spring trainingSpring training
Spring trainingTechFerry
 
Application Security
Application SecurityApplication Security
Application Securitynirola
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Aduci
 
SgCodeJam24 Workshop Extract
SgCodeJam24 Workshop ExtractSgCodeJam24 Workshop Extract
SgCodeJam24 Workshop Extractremko caprio
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010Steve Sofian
 
SCWCD 2. servlet req - resp (cap3 - cap4)
SCWCD 2. servlet req - resp (cap3 - cap4)SCWCD 2. servlet req - resp (cap3 - cap4)
SCWCD 2. servlet req - resp (cap3 - cap4)Francesco Ierna
 
Lightning Component - Components, Actions and Events
Lightning Component - Components, Actions and EventsLightning Component - Components, Actions and Events
Lightning Component - Components, Actions and EventsDurgesh Dhoot
 
Apache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onApache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onMatt Raible
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 

Ähnlich wie Securing Portlets With Spring Security (20)

securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
Implementation of ssl injava
Implementation of ssl injavaImplementation of ssl injava
Implementation of ssl injava
 
Automated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XMLAutomated Testing Of Web Applications Using XML
Automated Testing Of Web Applications Using XML
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE Security
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Getting Started with Enterprise Library 3.0 in ASP.NET
Getting Started with Enterprise Library 3.0 in ASP.NETGetting Started with Enterprise Library 3.0 in ASP.NET
Getting Started with Enterprise Library 3.0 in ASP.NET
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptal
 
Spring training
Spring trainingSpring training
Spring training
 
Application Security
Application SecurityApplication Security
Application Security
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
 
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
Incorporating Web Services in Mobile Applications - Web 2.0 San Fran 2009
 
SgCodeJam24 Workshop Extract
SgCodeJam24 Workshop ExtractSgCodeJam24 Workshop Extract
SgCodeJam24 Workshop Extract
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010Claims Based Identity In Share Point 2010
Claims Based Identity In Share Point 2010
 
SCWCD 2. servlet req - resp (cap3 - cap4)
SCWCD 2. servlet req - resp (cap3 - cap4)SCWCD 2. servlet req - resp (cap3 - cap4)
SCWCD 2. servlet req - resp (cap3 - cap4)
 
Lightning Component - Components, Actions and Events
Lightning Component - Components, Actions and EventsLightning Component - Components, Actions and Events
Lightning Component - Components, Actions and Events
 
Apache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onApache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-on
 
Struts2.0basic
Struts2.0basicStruts2.0basic
Struts2.0basic
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 

Mehr von John Lewis

Jasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJohn Lewis
 
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeIMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeJohn Lewis
 
New Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTINew Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTIJohn Lewis
 
Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)John Lewis
 
Sakai uPortal Integration Options
Sakai uPortal Integration OptionsSakai uPortal Integration Options
Sakai uPortal Integration OptionsJohn Lewis
 
Sprint Portlet MVC Seminar
Sprint Portlet MVC SeminarSprint Portlet MVC Seminar
Sprint Portlet MVC SeminarJohn Lewis
 
Agile Engineering
Agile EngineeringAgile Engineering
Agile EngineeringJohn Lewis
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarJohn Lewis
 
Leveraging Open Source
Leveraging Open SourceLeveraging Open Source
Leveraging Open SourceJohn Lewis
 
Open Source Licensing
Open Source LicensingOpen Source Licensing
Open Source LicensingJohn Lewis
 
Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity ManagmentJohn Lewis
 

Mehr von John Lewis (12)

Jasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus SolutionJasig uMobile - Open Source Enterprise Mobile Campus Solution
Jasig uMobile - Open Source Enterprise Mobile Campus Solution
 
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade ExchangeIMS LIS Outcomes and Sakai: Standardizing Grade Exchange
IMS LIS Outcomes and Sakai: Standardizing Grade Exchange
 
New Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTINew Opportunites to Connect Learning with LIS and LTI
New Opportunites to Connect Learning with LIS and LTI
 
Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)Open Source Your Project (With Jasig)
Open Source Your Project (With Jasig)
 
Sakai uPortal Integration Options
Sakai uPortal Integration OptionsSakai uPortal Integration Options
Sakai uPortal Integration Options
 
Sprint Portlet MVC Seminar
Sprint Portlet MVC SeminarSprint Portlet MVC Seminar
Sprint Portlet MVC Seminar
 
Agile Engineering
Agile EngineeringAgile Engineering
Agile Engineering
 
Scrum Process
Scrum ProcessScrum Process
Scrum Process
 
Shibboleth Guided Tour Webinar
Shibboleth Guided Tour WebinarShibboleth Guided Tour Webinar
Shibboleth Guided Tour Webinar
 
Leveraging Open Source
Leveraging Open SourceLeveraging Open Source
Leveraging Open Source
 
Open Source Licensing
Open Source LicensingOpen Source Licensing
Open Source Licensing
 
Real World Identity Managment
Real World Identity ManagmentReal World Identity Managment
Real World Identity Managment
 

Kürzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Kürzlich hochgeladen (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Securing Portlets With Spring Security

  • 1.
  • 2.
  • 3. JSR 168 Portlet Security What does the spec give us to work with?
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11. Spring Security a.k.a Acegi Security A quick overview
  • 12.
  • 13.
  • 14.
  • 15. Spring Portlet Security Applying Spring Security to Portlets
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25. Applying Portlet Security To The Rendering Layer Customizing our markup based on security information
  • 26.
  • 27. Applying Portlet Security To The Dispatch Layer Controlling where users can go in the application
  • 28.
  • 29.
  • 30.
  • 31. Applying Portlet Security To The Service Layer Making sure Services are invoked by only by user with proper permissions
  • 32.
  • 33. MethodSecurityInterceptor <bean id=&quot;myService&quot; class=&quot;sample.service.MyService&quot;> <sec:intercept-methods access-decision-manager-ref=&quot;accessDecisionManager&quot;> <sec:protect method=&quot;sample.service.MyService.*&quot; access=&quot;IS_AUTHENTICATED_FULLY&quot; /> <sec:protect method=&quot;sample.service.MyService.add*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> <sec:protect method=&quot;sample.service.MyService.del*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> <sec:protect method=&quot;sample.service.MyService.save*&quot; access=&quot;ROLE_ADMINISTRATOR&quot; /> </sec:intercept-methods> </bean>
  • 34. Applying Portlet Security To Servlets Using the whole web/portlet application as one secure bundle
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
  • 41.
  • 42. Resources Places to go to actually use this stuff!
  • 43.
  • 44. Questions & Answers John A. Lewis Chief Software Architect Unicon, Inc. [email_address] www.unicon.net