LDS Account and the Java Stack


Disclaimer

  • This is a training NOT a presentation.

    • Be prepared to learn and participate in labs

  • Please ask questions

  • Prerequisites:

    • Basic Java knowledge

    • Basic Spring knowledge


Outline

  • LDS Account Overview

    • History

    • Authentication

    • User Details

  • Spring Security Overview

    • Authentication

    • LDS Account integration

    • In memory integration

  • LDS Account Search

  • Spring Security and Authorization


History

  • Historically each application handled authentication as a one off

    • Troublesome for users (many credentials to remember)

    • User information duplicated over and over throughout the enterprise

    • Difficult to get user information at all

  • Screaming for consolidation and a single, central solution


LDS Account

"LDS Account is a single user name and password for any person who interacts with online LDS Church resources. LDS Account is the primary account authentication credentials for most Church sites and applications. It reduces development costs that would be incurred as the user interfaces change, or as upgrades to security and the registration process are required. Unlike previous authentication systems, LDS Account is a branded single sign-on solution that is centrally managed at ldsaccount.lds.org."


LDS Account (cont.)

"LDS Account has become the key to accessing all the resources the Church has to offer, such as family history tools, ward and stake websites, employment resources, and more. ... The idea is to have only one username and password that you can use with all password-protected websites the Church has."


What is LDS Account?

  • LDS Account is meant to be the single source for user authentication and basic user information

  • LDS Account is implemented with LDAP

  • LDS Account is an application for maintaining user attributes


LDS Account Uses LDAP

  • Lightweight Directory Access Protocol

  • Distributed directory of information

    • Much like a database

    • Not queried with SQL

    • For further information about the Directory structure, please see the corresponding section at: http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

  • LDS Account = LDAP

  • WAM = Single Sign-on


User Details

  • LDS Account also provides user information

    • User details

    • User details can be exposed through

      • LDAP attributes

      • WAM headers

      • SAML attributes


LDS Account User Details Integration

  • The LDS Account module acts as a Java model for LDS Account information

  • LdsAccountDetails.java is the abstraction layer for LDS Account user details integration

  • Factories generate LdsAccountDetails object for each user

    • Factories handle the different formats in which the raw user details attributes are provided to the application

      • LDAP attributes, WAM headers, SAML, …


Lab 1

https://tech.lds.org/wiki/LDS_Account_Integration_-_Part_1#Lab_1


LDS Account Spring Security Integration


Authentication vs. Authorization

  • Authentication - "you are who you say you are"

    • Identification of an individual user of the application

    • Credential-based authentication

  • Authorization - "you have appropriate permissions to perform the operation you are attempting"

    • Availability of functionality and data to users who are authorized (or allowed) to access it

    • http://en.wikipedia.org/wiki/Authentication#Authentication_vs._authorization


Spring Security

  • Spring Security is a highly customizable and pluggable enterprise authentication / authorization security framework

    • Provides tools for managing application access (authentication)

    • Rules for what users can access (by url) (authorization)

    • Securing methods (authorization), ...

  • Overcomes lack of depth in J2EE Servlet Specification

  • Further information can be found here: http://static.springsource.org/spring-security/site/reference.html


Spring Security (authentication)

  • Spring comes with many pluggable authentication providers

    • Support provided for authenticating with:

      • LDAP

      • X.509 (Certificates)

      • Databases (JDBC)

      • JAAS

      • OAuth

      • HTTP BASIC

      • Form-based


Spring Security Authentication Manager

  • Basic configuration:

    <sec:authentication-manager>
      <sec:authentication-provider ref="someAuthenticationProvider"/>
    </sec:authentication-manager>

    <bean id="someAuthenticationProvider" class="org.lds.whatever.SomeCustomAuthenticationProvider">
      ...
    </bean>

  • Native Spring in-memory authentication provider configuration (applicationContext.xml):

    <sec:authentication-manager>
      <sec:authentication-provider>
        <sec:user-service>
          <sec:user name="billy" password="billyspassword" authorities="ROLE_USER, ROLE_ADMIN" />
          <sec:user name="bob" password="bobspassword" authorities="ROLE_USER" />
        </sec:user-service>
      </sec:authentication-provider>
    </sec:authentication-manager>
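The first configuration above points the authentication manager at a custom provider bean but leaves its body as "...". The following is an added example of what such a provider could look like; it is not code from the Java Stack or from the deck. The class name and package are taken from the slide's placeholder bean definition, everything else (the BCrypt-hashed credential store, the sample users "billy" and "bob" mirroring the in-memory config, the dummy-hash comparison for unknown users) is assumed. In contrast to the `<sec:user>` form, no plaintext passwords are kept in memory, and unknown users and wrong passwords produce the same generic failure.

```java
package org.lds.whatever;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example (hypothetical): the bean behind
 * <bean id="someAuthenticationProvider" class="org.lds.whatever.SomeCustomAuthenticationProvider">.
 * Only BCrypt hashes are held; the raw passwords exist just long enough to be hashed at startup.
 */
public class SomeCustomAuthenticationProvider implements AuthenticationProvider {

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    private final Map<String, String> passwordHashes = new HashMap<String, String>();
    private final Map<String, List<GrantedAuthority>> authorities =
            new HashMap<String, List<GrantedAuthority>>();
    // Hash of a throwaway value: an unknown username costs the same as a wrong password.
    private final String dummyHash = encoder.encode("not-a-real-password");

    public SomeCustomAuthenticationProvider() {
        // Constructed sample users, same names and roles as the slide's in-memory config.
        addUser("billy", "billyspassword", "ROLE_USER", "ROLE_ADMIN");
        addUser("bob", "bobspassword", "ROLE_USER");
    }

    private void addUser(String username, String rawPassword, String... roles) {
        passwordHashes.put(username, encoder.encode(rawPassword));
        List<GrantedAuthority> granted = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            granted.add(new SimpleGrantedAuthority(role));
        }
        authorities.put(username, granted);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String rawPassword = credentials == null ? "" : credentials.toString();

        String storedHash = passwordHashes.get(username);
        // Always run the comparison and always throw the same exception, so the caller
        // cannot distinguish "no such user" from "wrong password" by message or timing.
        boolean matches = encoder.matches(rawPassword, storedHash != null ? storedHash : dummyHash);
        if (storedHash == null || !matches) {
            throw new BadCredentialsException("Bad credentials");
        }
        // The three-argument constructor marks the token authenticated; credentials are not retained.
        return new UsernamePasswordAuthenticationToken(username, null, authorities.get(username));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Wired in through the `<sec:authentication-provider ref="someAuthenticationProvider"/>` element shown above, this provider handles the `UsernamePasswordAuthenticationToken` that `<sec:form-login />` and HTTP BASIC produce; a provider for another token type (X.509, for example) would return false from `supports` and let the manager move on to the next provider.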


Spring Security Web Configuration

  • Configure filter in web.xml:

    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>


Spring Security Context Configuration

  • Configure applicationContext.xml:

    <sec:http security="none" pattern="/login.jsp*" />
    <sec:http security="none" pattern="/errors/**" />

    <sec:http>
      <sec:access-denied-handler error-page="/errors/accessDenied" />
      <sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
      <sec:form-login />
      <sec:logout invalidate-session="true" />
    </sec:http>

  • Please see the documentation for further element and attribute information:

    http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html


Demo


Spring Security/LDS Account Integration

  • LDS Account authentication provider hooks into Spring Security

  • In-memory implementation

  • Namespace handlers simplify the configuration

  • http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#LDAP_Global_Directory_Authentication


Spring Security/In-memory Authentication

  • In-memory authentication provides quick setup

  • Useful for testing

  • http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#In_Memory_Authentication

  • Attribute information: https://ldsteams.ldschurch.org/sites/wam/Implementation%20Details/HTTP%20Headers.aspx


Access LdsAccountDetails

  • Through injection:

    @Inject
    private Provider<LdsAccountDetails> ldsAccountDetails;

    public void someMethod() {
        // note: get() is a call on the provider to grab the current instance
        String preferredName = ldsAccountDetails.get().getPreferredName();
        // …
    }

  • Through static lookup:

    LdsAccountDetails ldsAccountDetails = ((LdsAccountUser) SecurityContextHolder.getContext()
            .getAuthentication().getPrincipal()).getLdsAccountDetails();
    String preferredName = ldsAccountDetails.getPreferredName();
    // …


Demo


Lab 2

https://tech.lds.org/wiki/LDS_Account_Integration_-_Part_1#Lab_2


LDS Account (LDAP) Search


LDS Account Search Configuration / Usage

  • Configuration:

    <lds-account:ldap-server url="ldaps://gdirstage.wh.ldsglobal.net:636"
                             manager-dn="cn=XXXXX,ou=apps,o=lds" manager-password="XXXXX"/>
    <lds-account:ldap-search />

  • Usage:

    @Inject
    private LdsAccountSearch ldsAccountSearch;

    public List<LdsAccountDetails> findLdapUsers(String cnValue, String snValue) {
        return ldsAccountSearch.search(
            SearchClause.or(
                SearchClause.equals(LdsAccountAttributes.USERNAME, cnValue + "*"),
                SearchClause.equals(LdsAccountAttributes.SUR_NAME, snValue + "*")
            )
        );
    }


LDS Account Usage

  • http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#LDAP_Search

  • Searching format

  • For more info: http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/apidocs/org/lds/stack/ldsaccount/spring/ldap/LdapSearch.html

    Native LDAP search query: (|(cn={0}*)(sn={1}*))

    Abstracted search query:

    SearchClause.or(
        SearchClause.equals("cn", value + "*"),
        SearchClause.equals("sn", value + "*")
    )


Demo


Authorization with Spring Security


Review

  • Authentication vs. Authorization

  • Previously discussed authentication with Spring Security

  • Now focus on authorization with Spring Security


Authorization with Spring Security

  • Comprehensive Authorization Services

    • http://static.springsource.org/spring-security/site/features.html

      • HTTP requests authorization (securing urls)

      • @PreAuthorize annotation

  • Granted authorities

    • http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#tech-granted-authority


Protecting Urls

  • Example of protecting urls

  • http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#el-access

    <sec:http security="none" pattern="/errors/accessDenied*"/>

    <sec:http>
      <sec:intercept-url access="hasRole('ROLE_ADMIN')" pattern="/secure/**" />
      <sec:intercept-url access="isAuthenticated()" pattern="**" />
      <sec:access-denied-handler error-page="/errors/accessDenied" />
    </sec:http>


Authorize Tag

  • Fine grained authorization

  • http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6860

    <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

    <sec:authorize access="hasRole('ROLE_ADMIN')">
      Content only visible to users who have the "admin" authority in their list of GrantedAuthority(s).
    </sec:authorize>

    <sec:authorize url="/secure">
      Content only visible to users authorized to send requests to the "/secure" URL.
    </sec:authorize>


@PreAuthorize annotation

  • Scanning enabled with the following element:

    <sec:global-method-security pre-post-annotations="enabled"/>

  • Some examples:

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void create(User newUser);

    @PreAuthorize("#user.username == principal.username")
    public void doSomething(User user);


Authorities Populators

  • MemberAuthoritiesPopulator

    • Adds ROLE_MEMBER authority if a member

  • WorkforceAuthoritiesPopulator

    • Adds ROLE_WORKFORCE authority if currently a Church employee

  • PositionsV2AuthoritiesPopulator

    • Adds a granted authority for each position held

      • Position name prepended with ROLE_

      • Ex. ROLE_WARD_CLERK, or ROLE_PRIMARY_TEACHER


Authorities Populators

  • http://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-spring/index.html#Authorities_Populators

  • Example

    <lds-account:authorities-populators id="authoritiesPopulators" include-defaults="false">
      <lds-account:member />
      <lds-account:workforce />
      <lds-account:role name="ROLE_USER" />
    </lds-account:authorities-populators>

    <lds-account:ldap authorities-populators-ref="authoritiesPopulators" />
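The populator slides describe positions being turned into authorities by prepending ROLE_ (ROLE_WARD_CLERK, ROLE_PRIMARY_TEACHER), and the configuration above wires those populators into the LDAP provider. The added example below is not the stack's PositionsV2AuthoritiesPopulator; it is a hypothetical stand-in that shows the mapping and, next to it, the exact-string comparison that `hasRole('ROLE_...')` performs in Spring Security 3.1 (the version the deck links), which is why the normalisation of the position name has to be consistent with the role names used in `@PreAuthorize` and `<sec:intercept-url>`. The upper-casing and space-to-underscore rule, the class and the method names are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Added example (hypothetical, not the stack's populator): derives ROLE_-prefixed
 * authorities from position names and shows how hasRole compares them.
 */
public final class PositionAuthorities {

    private PositionAuthorities() {
    }

    /** Assumed normalisation: "Ward Clerk" -> ROLE_WARD_CLERK. Any non-alphanumeric run becomes '_'. */
    public static String roleFor(String positionName) {
        String normalised = positionName.trim()
                .toUpperCase(Locale.ENGLISH)
                .replaceAll("[^A-Z0-9]+", "_");
        return "ROLE_" + normalised;
    }

    /** One authority per distinct position; blanks are skipped and duplicates collapse. */
    public static List<GrantedAuthority> fromPositions(Collection<String> positions) {
        Set<String> roles = new LinkedHashSet<String>();
        for (String position : positions) {
            if (position != null && position.trim().length() > 0) {
                roles.add(roleFor(position));
            }
        }
        List<GrantedAuthority> granted = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            granted.add(new SimpleGrantedAuthority(role));
        }
        return granted;
    }

    /**
     * The same test hasRole('X') runs in Spring Security 3.1: an exact, case-sensitive match
     * against GrantedAuthority.getAuthority(), with no prefix added for you.
     */
    public static boolean hasRole(Collection<? extends GrantedAuthority> granted, String role) {
        for (GrantedAuthority authority : granted) {
            if (role.equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample positions, including a differently-cased duplicate.
        List<GrantedAuthority> granted =
                fromPositions(Arrays.asList("Ward Clerk", "Primary Teacher", "ward clerk"));
        System.out.println(granted);
        System.out.println(hasRole(granted, "ROLE_WARD_CLERK"));
        System.out.println(hasRole(granted, "Ward Clerk"));
    }
}
```

Because the comparison is literal, a rule written as `hasRole('ROLE_WARD_CLERK')` only passes when the populator emits exactly that string; agreeing the normalisation once and reusing it in both places avoids silent authorization failures when a position name changes case or spacing in the directory.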


Demo


Conclusion

  • LDS Account rocks!

  • The Java Stack integration with LDS Account and Spring Security rocks!


Credit Where Credit is Due

  • http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html

  • Spring Security 3 – by Peter Mularien

  • http://en.wikipedia.org/wiki/

