WAM and the Java Stack
Disclaimer
• This is a training NOT a presentation.
  – Be prepared to learn and participate in labs
• Please ask questions
• Prerequisites:
  – Basic Java knowledge
  – Basic Spring knowledge
  – LDS Account Integration Training – Part 1
Outline
• Spring Security and Authorization
• WAM (Web Access Management)
• WAM integration w/o Spring Security
• WAM integration w/ Spring Security
Review
• Authentication vs. Authorization
• Previously discussed authentication with Spring Security
• Now focus on authorization with Spring Security
Authorization with Spring Security
• http://static.springsource.org/spring-security/site/features.html
  – Comprehensive Authorization Services
• HTTP requests authorization (securing urls)
• @PreAuthorize annotation
Protecting Urls
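• Example of protecting urls

    <sec:http security="none" pattern="/errors/accessDenied*"/>

    <!-- use-expressions="true" is needed in Spring Security 3.x so that
         hasRole(...) and isAuthenticated() are parsed as expressions.
         Rules are evaluated in order; the first matching pattern wins. -->
    <sec:http use-expressions="true">
        <sec:intercept-url access="hasRole('ROLE_ADMIN')" pattern="/secure/**" />
        <sec:intercept-url access="isAuthenticated()" pattern="**" />
        <sec:access-denied-handler error-page="/errors/accessDenied" />
    </sec:http>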
????
• Fine grained authorization

    <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

    <sec:authorize access="hasRole('ROLE_CHICKEN')">
        Content only visible to users who have the "chicken" authority in their list of GrantedAuthority(s).
    </sec:authorize>

    <sec:authorize url="/chicken">
        Content only visible to users authorized to send requests to the "/chicken" URL.
    </sec:authorize>
@PreAuthorize annotation
• Scanning enabled with the following element:

    <sec:global-method-security pre-post-annotations="enabled"/>

• Some examples:

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void create(User newUser);

    // authentication.name resolves to Authentication.getName()
    @PreAuthorize("#user.username == authentication.name")
    public void doSomething(User user);
Authorities Populators
• http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#Authorities_Populators
• Example

    <lds-account:authorities-populators include-defaults="false">
        <lds-account:member />
        <lds-account:workforce />
        <lds-account:role name="ROLE_USER" />
        <lds-account:custom ref="customAuthoritiesPopulator"/>
    </lds-account:authorities-populators>

TODO: show example of specifying on an authentication element
Demo
WAM (Web Access Management)
What is WAM?
• WAM stands for Web Access Management
• Authentication
  – Authentication management
  – Single Sign-on
• Authorization
  – Url (coarse-grained)
  – Entitlements (fine-grained)
Architectural Overview of WAM
Injected Headers
• WAM injected headers:
  – https://tech.lds.org/wiki/SSO_Injected_Headers
• How the headers map with LDS Account (LDAP) attributes:
  – https://ldsteams.ldschurch.org/sites/wam/Implementation%20Details/HTTP%20Headers.aspx
• Required headers
  – policy-ldsaccountid
  – policy-cn
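An added example, not part of the original training or the Java Stack code: a fail-closed check for the two required headers listed above. The class and method names are hypothetical and the sample values are constructed; it assumes requests reach the application only through WAM, since that is what makes the injected values trustworthy.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

// Added example (hypothetical class): fail-closed check of the required WAM headers.
public class RequiredWamHeaders {

    // Header names from the "Required headers" bullet.
    static final List<String> REQUIRED = Arrays.asList("policy-ldsaccountid", "policy-cn");

    // Returns the single non-blank value of each required header; throws if a
    // header is missing, blank, or sent more than once (ambiguous identity).
    static Map<String, String> requireIdentity(Map<String, List<String>> raw) {
        // HTTP header names are case-insensitive: merge values under one key.
        Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (Map.Entry<String, List<String>> e : raw.entrySet()) {
            headers.computeIfAbsent(e.getKey(), k -> new ArrayList<>()).addAll(e.getValue());
        }
        Map<String, String> identity = new TreeMap<>();
        for (String name : REQUIRED) {
            List<String> values = headers.getOrDefault(name, Collections.emptyList());
            if (values.size() != 1 || values.get(0).trim().isEmpty()) {
                throw new SecurityException("missing or ambiguous header: " + name);
            }
            identity.put(name, values.get(0).trim());
        }
        return identity;
    }

    public static void main(String[] args) {
        // Constructed sample requests; the values are made up.
        Map<String, List<String>> ok = new TreeMap<>();
        ok.put("Policy-LdsAccountId", Arrays.asList("1234567890"));
        ok.put("policy-cn", Arrays.asList("jdoe"));
        System.out.println("accepted: " + requireIdentity(ok));

        Map<String, List<String>> noCn = new TreeMap<>();
        noCn.put("policy-ldsaccountid", Arrays.asList("1234567890"));
        try {
            requireIdentity(noCn);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a servlet application the input map would be built from HttpServletRequest.getHeaderNames() and getHeaders(name).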
Wamulator
• For complete documentation:
  – http://tech.lds.org/wiki/WAMulator
• WAM Maven plugin provided to start/stop the wamulator
Demo
Stack / WAM integration w/o Spring Security
• code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-wam/index.html#Configuration

    <filter>
        <filter-name>wamContextFilter</filter-name>
        <filter-class>org.lds.stack.wam.filter.WamContextFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>wamContextFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
WamContext
• Accessed with:

    WamContextHolder.getWamContext();

• WamContext consists of 3 main parts:
  – LdsAccountDetails object

    WamContextHolder.getWamContext().getLdsAccountDetails().getPreferredName();

  – WamRequestProvider

    WamContextHolder.getWamContext().getWamRequestProvider().getCookieHeader();

  – EntitlementService

    WamContextHolder.getWamContext().getEntitlementService()….
Demo
Lab 1
https://tech.lds.org/wiki/WAM_Integration_-_Part_1#Lab_1
WAM and Spring Security
Why WAM and Spring Security?
• Spring Security provides
  – Full featured authorization system
  – Abstraction to authentication and authorization
  – Allows for complex fallback authentication systems
  – Facilitates proxy support
WAM Spring Security Integration
• Integration point

    <lds-account:wam>
        <intercept url TODO…
    </lds-account:wam>

    <sec:authentication-manager>
        <sec:authentication-provider ref="ldsAccountAuthenticationProvider" />
    </sec:authentication-manager>
Demo
Spring Security and WAM authorization
• Spring provides programming tools
  – Full featured EL capabilities
  – Convenient annotations
  – Management central to the application
Spring Security EntryPoint
• Simplifies WAM configuration / management
• Utilizes WAM for authentication
  – User details injected if authenticated
• Allows coarse grained authorization to be managed within the application
Spring Integration
Demo
Lab 2
https://tech.lds.org/wiki/WAM_Integration_-_Part_1#Lab_2
Conclusion
• LDS Account rocks!
• The Java Stack integration with LDS Account and Spring Security rocks!
Credit Where Credit is Due
• http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html
• Spring Security 3 – by Peter Mularien
• http://en.wikipedia.org/wiki/