Upload File

architecture deep dive in spring security - meetupfiles.meetup.com/6015342/spring toronto - joe...

  • Home
  • Documents
  • Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes
24
Architecture Deep Dive in Spring Security Joe Grandja Spring Security Team github.com/jgrandja @joe_grandja

Upload: others

Post on 25-Feb-2021

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Architecture Deep Dive in

Spring Security

Joe Grandja Spring Security Team

github.com/jgrandja @joe_grandja

Page 2: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

• Authentication

• Authorization

• Exception Handling

3 Key Areas in Security

Page 3: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

User Database

Username Password Authorities

[email protected] password ROLE_USER

[email protected] password ROLE_USER

[email protected] password ROLE_USER, ROLE_ADMIN

mailto:[email protected]
mailto:[email protected]
mailto:[email protected]
Page 4: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Demo

Page 5: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Authentication

Authorization

Exception Handling

Page 6: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Authentication Filter

Page 7: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

AuthenticationAuthentication

Principal: [email protected]: passwordAuthorities: ——

Authenticated: FALSE

public interface Authentication extends Principal, Serializable { Object getPrincipal(); Object getCredentials(); Collection<? extends GrantedAuthority> getAuthorities();

. . .}

AuthenticationPrincipal: UserDetails

Credentials: ——Authorities: ROLE_USER

Authenticated: TRUE

Page 8: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

UserDetails / Service

public interface UserDetails extends Serializable { String getUsername(); String getPassword(); Collection<? extends GrantedAuthority> getAuthorities();

. . .}

AuthenticationPrincipal: UserDetails

Credentials: ——Authorities: ROLE_USER

Authenticated: TRUE

public interface UserDetailsService { UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;}

Page 9: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Security Context

SecurityContextHolder.getContext().setAuthentication(authenticated);

public interface SecurityContext extends Serializable { Authentication getAuthentication(); void setAuthentication(Authentication authentication);}

Page 10: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

• Authentication Filter creates an “Authentication Request" and passes it to the Authentication Manager

• Authentication Manager delegates to the Authentication Provider

• Authentication Provider uses a UserDetailsService to load the UserDetails and returns an “Authenticated Principal”

• Authentication Filter sets the Authentication in the SecurityContext

Authentication Recap

Page 11: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Authentication

Authorization

Exception Handling

Page 12: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Filter Security Interceptor

Request URI: /messages/inbox

Security Metadata

Request Pattern: /messages/**

Config Attributes: ROLE_USER

AuthenticationPrincipal: UserDetails

Credentials: ——Authorities: ROLE_USER

Authenticated: TRUE

Page 13: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Access DecisionAuthentication

Principal: UserDetailsCredentials: ——Authorities: ROLE_USER

Authenticated: TRUE

Security Metadata

Request Pattern: /messages/**

Config Attributes: ROLE_USER

Request URI: /messages/inbox

Page 14: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

• FilterSecurityInterceptor obtains the “Security Metadata” by matching on the current request

• FilterSecurityInterceptor gets the current Authentication

• The Authentication, Security Metadata and Request is passed to the AccessDecisionManager

• The AccessDecisionManager delegates to it's AccessDecisionVoter(s) for decisioning

Authorization Recap

Page 15: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Authentication

Authorization

Exception Handling

Page 16: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Access Denied

Security Metadata

Request Pattern: /admin/**

Config Attributes: ROLE_ADMIN

Request URI: /admin/messages

AuthenticationPrincipal: UserDetails

Credentials: ——Authorities: ROLE_USER

Authenticated: TRUE

Page 17: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Access Denied Handler

public interface AccessDeniedHandler {

void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException;

}

Page 18: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

“Unauthenticated”

Security Metadata

Request Pattern: /messsages/**

Config Attributes: ROLE_USER

Request URI: /messages/inbox

Authentication

Principal: anonymousUser

Page 19: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Start Authentication

WWW-Authenticate: Basic realm=spring

public interface AuthenticationEntryPoint { void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException;}

Page 20: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

• When "Access Denied" for current Authentication, the ExceptionTranslationFilter delegates to the AccessDeniedHandler, which by default, returns a 403 Status.

• When current Authentication is "Anonymous", the ExceptionTranslationFilter delegates to the AuthenticationEntryPoint to start the Authentication process.

Exception Handling Recap

Page 21: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Authentication

Authorization

Exception Handling

Summary

Page 22: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Thank You! …for coming out

Page 23: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Demo Sample

Joe Grandja Spring Security Team

github.com/jgrandja @joe_grandja

github.com/jgrandja/messaging-sample

Page 24: Architecture Deep Dive in Spring Security - Meetupfiles.meetup.com/6015342/Spring Toronto - Joe Grandja.pdf•Authentication Filter creates an “Authentication Request" and passes

Spring Security Filter Chain


IN2120 Information Security · • Authentication frameworks for e-Government User Authentication IN2120 2. Taxonomy of Authentication User Authentication IN2120 3 Authentication

Outline User authentication –Password authentication, salt –Challenge-response authentication protocols –Biometrics –Token-based authentication Authentication

Lecture 6.1: Protocols - Authentication and Key Exchange I CS 436/636/736 Spring 2012 Nitesh Saxena

Lecture 4 - Authentication and Accesstrj1/cse497b-s07/slides/cse497b-lecture-4-authorization.pdfLecture 4 - Authentication and Access CSE497b - Spring 2007 Introduction Computer and

Iasi code camp 20 april 2013 windows authentication-spring security -kerberos

Authentication Nick Feamster CS 6262 Spring 2009

Lecture 6.2: Protocols - Authentication and Key Exchange II CS 436/636/736 Spring 2012 Nitesh Saxena

Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008

RESEARCH ARTICLE Evaluation of Authentication …Authentication Center (AUC): Authentication Center where all authentication algorithms are defined. The Authentication Centre (AUC)

Define authentication Authentication credentials Authentication models Authentication servers Extended authentication protocols Virtual

INF3510 Information Security University of Oslo Spring ...€¦ · UiO Spring 2012 L07 - INF3510 Information Security 12 User authentication credentials: Overview • The „thing‟

Class 16 Deniable Authentication CIS 755: Advanced Computer Security Spring 2014

RightPlug Product Authentication Strategy R002rightplug.org/whitepapers/RightPlug Product Authentication Strategy... · RightPlug Product Authentication Strategy ... Product authentication

Toronto Spring Conference Jun Li (@jeffreyjunli) Ross ...files.meetup.com/6015342/Lessons Learned from... · Toronto Spring Conference. Disclaimer ... 1.0.0 Spring Boot Spring Boot,

1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 13: Authentication Avishai Wool

Spring Security Reference...Spring Security Reference 4.1.5.RELEASE Spring Security iv JDBC Authentication ..... 22 LDAP Authentication

Lab10 Authentication with AWS · Lab10 Authentication with AWS (Amplify + Cognito) Software Studio DataLab, CS, NTHU 2020 Spring

Lecture 5.1: Message Authentication Codes, and Key Distribution CS 436/636/736 Spring 2013 Nitesh Saxena

INF3510 Information Security University of Oslo Spring 2010 ......Authentication: Multi-factor • Multi-factor authentication aims to combine two or more authentication techniques

Authentication User Authentication - Cypherpunks

Shouhuai XuCS4363 Cryptography Spring 20071 Lecture 10. Data Integrity: Message Authentication Schemes

Computer Security and Authentication CS 5352 Spring 06

Authentication & Passwords CS 665 Spring 07 03/15/07

Lecture 12.2: User-Enabled Device Authentication II CS 436/636/736 Spring 2012 Nitesh Saxena

User Authentication Using Keystroke Dynamics Jeff Hieb & Kunal Pharas ECE 614 Spring 2005 University of Louisville

FIDO and the Future of Simpler and Stronger Authentication...Dr. Andrea Höller Infineon Technologies Austria AG FIDO and the Future of Simpler and Stronger Authentication RISE Spring

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication

Lecture 12.1: User-Enabled Device Authentication - I CS 436/636/736 Spring 2012 Nitesh Saxena

Authentication. TOPICS Objectives Legacy Authentication Protocols IEEE 802.1X Authentication Extensible Authentication Protocol (EAP) Authentication Servers

Spring Securit y 2 - jugs.org · Spring Securit y A uthentication 13 LDAP-Anmeldung Benutzername User1 Abbrechen OK Kennwort **** Anwendung ffnet Authentication Manager Daten LDAP

Stateless authentication for microservices - Spring I/O 2015

Lecture 8: User-Enabled Device Authentication CS 436/636/736 Spring 2014 Nitesh Saxena

Lecture 5: Protocols - Authentication and Key Exchange CS 436/636/736 Spring 2015 Nitesh Saxena

Spring Boot Authentication...and More!

Authentication On-Boarding. Aadhaar Authentication Enrolment Aadhaar Generation Update Secure Aadhaar Authentication Framework Aadhaar Authentication