LDS_Account_Integration_Training

Report
LDS Account and the Java Stack
Disclaimer
• This is a training NOT a presentation.
– Be prepared to learn and participate in labs
• Please ask questions
• Prerequisites:
– Basic Java knowledge
– Basic Spring knowledge
Outline
• LDS Account Overview
– History
– Authentication
– User Details
• Spring Security Overview
– Authentication
– LDS Account integration
– In memory integration
• LDS Account Search
• Spring Security and Authorization
History
• Historically each application handled
authentication as a one off
– Troublesome for users (many credentials to
remember)
– User information duplicated over and over
throughout the enterprise
– Difficult to get user information at all
• Screaming for consolidation and a single, central
solution
LDS Account
"LDS Account is a single user name and password
for any person who interacts with online LDS
Church resources. LDS Account is the primary
account authentication credentials for most
Church sites and applications. It reduces
development costs that would be incurred as the
user interfaces change, or as upgrades to security
and the registration process are required. Unlike
previous authentication systems, LDS Account is
a branded single sign-on solution that is centrally
managed at ldsaccount.lds.org."
LDS Account (cont.)
"LDS Account has become the key to accessing all
the resources the Church has to offer, such as
family history tools, ward and stake websites,
employment resources, and more. ... The idea is
to have only one username and password that
you can use with all password-protected
websites the Church has."
What is LDS Account?
• LDS Account is meant to be the single source for
user authentication and basic user information
• LDS Account is implemented with LDAP
• LDS Account is an application for maintaining
user attributes
LDS Account Uses LDAP
• Lightweight Directory Access Protocol
• Distributed directory of information
– Much like a database
– Not queried with SQL
– For further information about the Directory
structure, please see the corresponding section at:
http://en.wikipedia.org/wiki/Lightweight_Directory_
Access_Protocol
• LDS Account = LDAP
• WAM = Single Sign-on
User Details
• LDS Account also provides user information
– User details
– User details can be exposed through
• LDAP attributes
• WAM headers
• SAML attributes
LDS Account User Details Integration
• The LDS Account module acts as a Java model for
LDS Account information
• LdsAccountDetails.java is the abstraction layer
for LDS Account user details integration
• Factories generate LdsAccountDetails object for
each user
– Factories handle the different formats in which the
raw user details attributes are provide to the
application
• LDAP attributes, WAM headers, SAML, …
Lab 1
https://tech.lds.org/wiki/LDS_Account_Integration
_-_Part_1#Lab_1
LDS Account Spring Security Integration
Authentication vs. Authorization
• Authentication - "you are who you say you are"
– Identification of an individual user of the application
– Credential-based authentication
• Authorization - "you have appropriate
permissions to perform the operation you are
attempting"
– Availability of functionality and data to users who are
authorized (or allowed) to access it
– http://en.wikipedia.org/wiki/Authentication#Authent
ication_vs._authorization
Spring Security
• Spring Security is a highly customizable and
pluggable enterprise authentication / authorization
security framework
– Provides tools for managing application access
(authentication)
– Rules for what users can access (by url) (authorization)
– Securing methods (authorization), ...
• Overcomes lack of depth in J2EE Servlet
Specification
• Further information can be found here:
http://static.springsource.org/springsecurity/site/reference.html
Spring Security (authentication)
• Spring comes with many pluggable
authentication providers
– Support provided for authenticating with:
•
•
•
•
•
•
•
•
LDAP
X.509 (Certificates)
Databases (JDBC)
JAAS
OAuth
HTTP BASIC
Form-based
…
Spring Security Authentication Manager
• Basic configuration:
<sec:authentication-manager>
<sec:authentication-provider ref="someAuthenticationProvider"/>
</sec:authentication-manager>
<bean id="someAuthenticationProvider" class="org.lds.whatever.SomeCustomAuthenticationProvider">
...
</bean>
• Native Spring in memory authentication provider
configuration (applicationContext.xml)
<sec:authentication-manager>
<sec:authentication-provider>
<sec:user-service>
<sec:user name="billy" password="billyspassword" authorities="ROLE_USER, ROLE_ADMIN" />
<sec:user name="bob" password="bobspassword" authorities="ROLE_USER" />
</sec:user-service>
</sec:authentication-provider>
</sec:authentication-manager>
Spring Security Web Configuration
• Configure filter in web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Spring Security Context Configuration
• Configure applicationContext.xml
<sec:http security="none" pattern="/login.jsp*" />
<sec:http security="none" pattern="/errors/**" />
<sec:http>
<sec:access-denied-handler error-page="/errors/accessDenied" />
<sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
<sec:form-login />
<sec:logout invalidate-session="true“ />
</sec:http>
• Please see documentation for further element and
attribute information:
http://static.springsource.org/springsecurity/site/docs/3.1.x/reference/springsecuritysingle.html
Demo
Spring Security/LDS Account Integration
• LDS Account authentication provider hooks into
Spring Security
• In-memory implementation
• Namespace handlers simplify the configuration
• http://code.lds.org/mavensites/stack/module.html?module=ldsaccount/stack-lds-accountspring/index.html#LDAP_Global_Directory_Auth
entication
Spring Security/In-memory Authentication
• In-memory authentication provides quick setup
• Useful for testing
• http://code.lds.org/mavensites/stack/module.html?module=ldsaccount/stack-lds-accountspring/index.html#In_Memory_Authentication
• Attribute information:
https://ldsteams.ldschurch.org/sites/wam/Imple
mentation%20Details/HTTP%20Headers.aspx
Access LdsAccountDetails
• Through injection
@Inject
private Provider<LdsAccountDetails> ldsAccountDetails;
public void someMethod() {
//not the get() is a call on the provider to grab the current instance
String preferredName = ldsAccountDetails.get().getPreferredName();
//…
}
• Through static lookup
LdsAccountDetails ldsAccountDetails = ((LdsAccountUser)
SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getLdsAccountDetails();
String preferredName = ldsAccountDetails.getPreferredName();
//…
Demo
Lab 2
https://tech.lds.org/wiki/LDS_Account_Integration
_-_Part_1#Lab_2
LDS Account (LDAP) Search
LDS Account Search Configuration /
Usage
• Configuration
<lds-account:ldap-server url="ldaps://gdirstage.wh.ldsglobal.net:636"
manager-dn="cn=XXXXX,ou=apps,o=lds" manager-password="XXXXX"/>
<lds-account:ldap-search />
• Usage
@Inject
private LdsAccountSearch ldsAccountSearch;
public List<LdsAccountDetails> findLdapUsers(String cnValue, String snValue) {
return ldsAccountSearch.search(
SearchClause.or(
SearchClause.equals(LdsAccountAttributes.USERNAME, cnValue + "*"),
SearchClause.equals(LdsAccountAttributes.SUR_NAME, snValue + "*")
)
);
}
LDS Account Usage
• http://code.lds.org/maven-sites/stack/module.html?module=ldsaccount/stack-lds-account-spring/index.html#LDAP_Search
• Searching format
Native LDAP search query: (|(cn={0}*)(sn={1}*))
Abstracted search query:
SearchClause.or(
SearchClause.equals("cn", value + "*"),
SearchClause.equals("sn", value + "*")
)
• For more info: http://code.lds.org/mavensites/stack/module.html?module=lds-account/stack-lds-accountspring/apidocs/org/lds/stack/ldsaccount/spring/ldap/LdapSearch.html
Demo
Authorization with Spring Security
Review
• Authentication vs. Authorization
• Previously discussed authentication with Spring
Security
• Now focus on authorization with Spring Security
Authorization with Spring Security
• Comprehensive Authorization Services
– http://static.springsource.org/springsecurity/site/features.html
• HTTP requests authorization (securing urls)
• @PreAuthorize annotation
• Granted authorities
– http://static.springsource.org/springsecurity/site/docs/3.1.x/reference/springsecuritysingle.html#tech-granted-authority
Protecting Urls
• Example of protecting urls
<sec:http security="none" pattern="/errors/accessDenied*"/>
<sec:http>
<sec:intercept-url access="hasRole('ROLE_ADMIN')" pattern="/secure/**" />
<sec:intercept-url access="isAuthenticated()" pattern="**" />
<sec:access-denied-handler error-page="/errors/accessDenied" />
</sec:http>
• http://static.springsource.org/springsecurity/site/docs/3.1.x/reference/springsecurity
-single.html#el-access
Authorize Tag
• Fine grained authorization
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<sec:authorize access="hasRole('ROLE_ADMIN')">
Content only visible to users who have the "admin" authority in their list of GrantedAuthority(s).
</sec:authorize>
<sec:authorize url="/secure">
Content only visible to users authorized to send requests to the "/secure" URL.
</sec:authorize>
• http://static.springsource.org/springsecurity/site/docs/3.1.x/reference/springsecurity
-single.html#d0e6860
@PreAuthorize annotation
• Scanning enabled with following element:
<sec:global-method-security pre-post-annotations="enabled"/>
• Some examples:
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void create(User newUser);
@PreAuthorize("#user.username == principal.username")
public void doSomething(User user);
Authorities Populators
• MemberAuthoritiesPopulator
– Adds ROLE_MEMBER authority if a member
• WorkforceAuthoritiesPopulator
– Adds ROLE_WORKFORCE authority if currently a
Church employee
• PositionsV2AuthoritiesPopulator
– Adds a granted authority for each position held
• Position name prepended with ROLE_
• Ex. ROLE_WARD_CLERK, or ROLE_PRIMARY_TEACHER
Authorities Populators
• http://code.lds.org/mavensites/stack/module.html?module=ldsaccount/stack-lds-accountspring/index.html#Authorities_Populators
• Example
<lds-account:authorities-populators id="authoritiesPopulators" include-defaults="false">
<lds-account:member />
<lds-account:workforce />
<lds-account:role name="ROLE_USER" />
</lds-account:authorities-populators>
<lds-account:ldap authorities-populators-ref="authoritiesPopulators" />
Demo
Conclusion
• LDS Account rocks!
• The Java Stack integration with LDS Account and
Spring Security rocks!
Credit Where Credit is Due
• http:// http://static.springsource.org/springsecurity/site/docs/3.1.x/reference/springsecurity
-single.html
• Spring Security 3 – by Peter Mularien
• http://en.wikipedia.org/wiki/

similar documents