Using Spring Security and CAS - PowerPoint PPT Presentation

Provided by: sbatt

1
Using Spring Security and CAS
  • JA-SIG Summer Conference
  • Denver, CO
  • June 24-27, 2007

2
Who am I?
  • Application Developer @ Rutgers
  • Java Developer for 5 years
  • Lead Developer on JA-SIG CAS
  • Committer on Spring Security

3
Agenda
  • History and Overview
  • Benefits for Programmers
  • Benefits for Users
  • Demo
  • Case Study
  • Future Directions
  • Discussion

4
1.
Overview and History
5
What is Spring Security?
  • Spring Security is a powerful and flexible security solution for
    enterprise software.

6
Users
  • Used worldwide at
    • Major institutions such as Rutgers
    • Major financial institutions and banks
    • Several Australian government departments
  • Integrated with
    • Frameworks such as Grails, Trails, etc.
    • Applications such as Roller, Mule

7
Authentication Features
  • LDAP
  • BASIC
  • Digest
  • JAAS
  • CAS
  • X.509 Certificates
  • DAO
  • Run-as Replacement
  • Form-based login
  • Anonymous
  • Remember-Me
  • SiteMinder
  • HTTP Switch User
  • Concurrent User Limiting
  • Container Adapters
  • Write your own

8
Technical Details
  • Uses Spring IoC container
    • DI, events, localization and JdbcTemplate
  • Completely interface-driven
  • High cohesion, loosely coupled
  • Encourages customization and extension
  • Java 1.3 compatible
    • Java 5 code packaged in Tiger JAR

9
How Spring Security Works
  [Diagram: Web User -> Servlet Container (Filter X, a FilterToBeanProxy, in front of the Servlet) -> IoC Container (FilterChainProxy -> Filter 1, Filter 2, Filter 3, Filter 4, Filter 5)]
10
How Spring Security Works
11
How Spring Security Works
  [Diagram: Filter 3 (the Authentication Mechanism) creates an Authentication Request and calls the ProviderManager, which creates and returns an Authentication Response that populates the SecurityContextHolder]
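A toy model of the flow on these slides, added here as an illustration (it is not Spring Security's Java code): a DAO provider checks a constructed user store, a ProviderManager tries each provider that supports the request, and the filter stores the result in a thread-local stand-in for the SecurityContextHolder. The user store, request format and role names are constructed for the example.

```python
# Toy model of the flow on the "How Spring Security Works" slides, added here;
# it is not Spring Security's Java code and the sample user store is constructed.
import hashlib, hmac, threading
from dataclasses import dataclass

class AuthenticationException(Exception):
    pass
@dataclass
class Authentication:
    principal: str
    credentials: "str | None"    # erased once authentication succeeds
    authorities: tuple = ()
    authenticated: bool = False

# Constructed sample user store: username -> (sha256 hex of password, roles).
SAMPLE_USERS = {"alice": (hashlib.sha256(b"s3cret").hexdigest(), ("ROLE_USER",))}

class DaoAuthenticationProvider:          # the "DAO" entry in the feature list
    def __init__(self, users): self.users = users
    def supports(self, auth): return auth.credentials is not None
    def authenticate(self, auth):
        record = self.users.get(auth.principal)
        digest = hashlib.sha256(auth.credentials.encode()).hexdigest()
        if record is None or not hmac.compare_digest(record[0], digest):
            raise AuthenticationException("bad credentials")
        return Authentication(auth.principal, None, record[1], authenticated=True)

class ProviderManager:                    # tries every provider that supports the request
    def __init__(self, providers): self.providers = providers
    def authenticate(self, auth):
        failure = AuthenticationException("no provider accepts this request")
        for provider in self.providers:
            if provider.supports(auth):
                try:
                    return provider.authenticate(auth)
                except AuthenticationException as exc:
                    failure = exc            # remember why, then let the next provider try
        raise failure

# The SecurityContextHolder: one Authentication per request thread, read by later filters.
security_context = threading.local()
def authentication_filter(request, manager) -> bool:
    """Filter 3 on the slide: build the request token, authenticate, populate the holder."""
    security_context.auth = None          # never carry a stale context into this request
    try:
        token = Authentication(request["user"], request["password"])
        security_context.auth = manager.authenticate(token)
        return True
    except AuthenticationException:
        return False
```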
12
What is JA-SIG CAS?
  • JA-SIG CAS is single sign on for the web. It
    provides a trusted mechanism for authenticating
    users across your applications.

13
Users
  • Deployed by
    • Institutions of Higher Education
    • Non-profits
    • Commercial companies
    • etc.
  • Deployed worldwide
    • U.S., Canada, Hong Kong
    • Belgium, France, Russia, China, Japan
    • India, Australia, New Zealand
    • Greece, Turkey, England
    • Netherlands, Spain, Sweden, Portugal
    • etc.

14
  • 3rd year of project
  • Over 1000 downloads a month
  • Active community of deployers
  • Driven by community feedback

15
Authentication Features
  • LDAP
  • DAO
  • NTLM
  • SPNEGO
  • RADIUS
  • File System
  • X.509
  • Trusted
  • JAAS
  • Acegi

16
Other Features
  • Clustering
  • Client Libraries (PHP, Java, etc.)
  • Demo-able/Quickstart WAR file
  • Quality Documentation
  • Active community mailing lists

17
Technical Details
  • Uses Spring IoC Container
    • DI, localization, events, JdbcTemplate, LdapTemplate, etc.
  • Completely interface-driven
  • Encourages customization and extension
  • Java 1.5/Servlet 2.4 compatible

18
How CAS Works
19
How CAS Works
  [Diagram: Web User -> Servlet Container -> DispatcherServlet -> WebFlow Controller -> action0, action1, ..., action(n-1), action(n)]
20
How CAS Works
  [Diagram: action(n) creates Credentials and calls the CentralAuthenticationService, which calls the AuthenticationManager (creates an Authentication), creates a Ticket, calls the TicketRegistry and returns the Ticket]
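A toy model of this slide, added here as an illustration (it is not the JA-SIG CAS Java code): the CentralAuthenticationService hands Credentials to an AuthenticationManager, issues a ticket-granting ticket into an in-memory TicketRegistry, grants service tickets bound to one service, and consumes each service ticket on first validation. Ticket formats, lifetimes, the clock hook and the sample user store are constructed for the example.

```python
# Toy model of the "How CAS Works" slides, added here; it is not the JA-SIG CAS
# Java code. Ticket formats, lifetimes and the sample user store are constructed.
import hashlib, secrets, time
from dataclasses import dataclass

class AuthenticationException(Exception):
    pass
@dataclass
class Ticket:
    ticket_id: str
    principal: str          # the Authentication the ticket stands for
    service: "str | None"   # None for a ticket-granting ticket (TGT)
    created: float

# Constructed sample user store: username -> sha256 hex of password.
SAMPLE_USERS = {"alice": hashlib.sha256(b"s3cret").hexdigest()}

class AuthenticationManager:              # turns Credentials into an Authentication
    def __init__(self, users): self.users = users
    def authenticate(self, credentials):
        username, password = credentials
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not secrets.compare_digest(self.users.get(username, ""), digest):
            raise AuthenticationException("authentication failed")
        return username

class CentralAuthenticationService:
    TGT_LIFETIME, ST_LIFETIME = 8 * 3600, 10     # seconds; constructed values
    def __init__(self, auth_manager, now=time.time):
        self.auth_manager, self.now = auth_manager, now
        self.registry = {}                        # the TicketRegistry
    def create_ticket_granting_ticket(self, credentials):
        # Only CAS ever sees the password; applications later receive tickets instead.
        principal = self.auth_manager.authenticate(credentials)
        return self._store(Ticket("TGT-" + secrets.token_urlsafe(32), principal, None, self.now()))
    def grant_service_ticket(self, tgt_id, service):
        tgt = self.registry.get(tgt_id)
        if tgt is None or tgt.service is not None or self.now() - tgt.created > self.TGT_LIFETIME:
            raise AuthenticationException("invalid or expired ticket-granting ticket")
        return self._store(Ticket("ST-" + secrets.token_urlsafe(32), tgt.principal, service, self.now()))
    def validate_service_ticket(self, st_id, service):
        st = self.registry.get(st_id)
        if st is not None and st.service is not None:
            del self.registry[st_id]              # one-time use: a replayed ticket is gone
        if st is None or st.service != service or self.now() - st.created > self.ST_LIFETIME:
            raise AuthenticationException("invalid, expired or replayed service ticket")
        return st.principal                       # the application now knows who logged in
    def _store(self, ticket):
        self.registry[ticket.ticket_id] = ticket
        return ticket.ticket_id
```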
21
2.
Benefits for Programmers
22
Benefits for Programmers
  • Code reduction
  • Declaratively configured
  • No audit logs for authentication
  • OOTB authorization and authentication
  • Tag Libs
  • Proxy Authentication
  • Domain object instance security
  • Only one place to watch for account security

23
3.
Benefits for Users
24
Benefits for Users
  • Single Sign On
  • Passwords are only passed to one trusted resource
  • Better Application security
  • Harder to trick someone with phishing attempts

25
4.
How to Integrate
26
Demo
27
5.
Case Study
28
Rutgers Case Study: Where Were We?
  • Duplicating authentication code on each
    application
  • Multiple authentication methods
  • Sign in to each application
  • De-centralized authentication

29
Rutgers Case Study: What We Did
  • Introduced a portal
  • Centralized authentication
  • Single Sign On
  • Proxy Authentication
  • Introduced Acegi into Java applications

30
Rutgers Case Study: What It Got Us
  • Better user experience
  • Minimized access to passwords
  • Created horizontal authentication component
  • Standardized security code
  • (still a work in progress though)

31
6.
Future Directions
32
Acegi Roadmap
  • 1.0.x branch -> minor updates
  • 2.0
    • Renamed to Spring Security
    • Support for Spring 2.0
    • OpenID Support
    • Windows Domain Support
    • Updated CAS Support

33
CAS Roadmap
  • Additional Protocol Support
  • Internationalization
  • Configuration/Setup Screens
  • Advanced Monitoring
  • Integration with Account Management Systems

34
Conclusion
  • Acegi Security is a fully-featured solution
    • Many authentication strategies
    • Decoupled web and method authorization
    • Completely customizable by end users
    • Active community, quality documentation, etc.
  • CAS is a fully-featured solution
    • Many authentication strategies
    • Easily pluggable and extensible
    • Active community, quality documentation, etc.
    • Support for multiple platforms

35
7.
Discussion
36
Spring Security
  • Web Site
    • http://www.acegisecurity.org
  • Forum
    • http://forum.springframework.org
  • Mailing Lists
    • Acegi Developer List
      • https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

37
CAS Mailing Lists
  • CAS Community Discussion List
    • http://tp.its.yale.edu/mailman/listinfo/cas
  • CAS Developers Discussion List
    • http://tp.its.yale.edu/mailman/listinfo/cas-dev
  • CAS Announcement List
    • https://lists.wisc.edu/read/all_forums/subscribe?name=cas-announce
  • Links to archives, etc.
    • http://www.ja-sig.org/products/cas/community/lists/

38
CAS Sites
  • Product Web Site
    • http://www.ja-sig.org/products/cas/
  • Wiki
    • http://www.ja-sig.org/wiki
  • Issue Tracker
    • http://www.ja-sig.org/issues
  • Source Code
    • http://developer.ja-sig.org/source/

39
Questions?