Versions Compared

Old Version 22

changes.mady.by.user David E Tanner

Saved on

compared with

New Version 23

changes.mady.by.user David E Tanner

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

*

Local

Authentication

Properties

*

:

A

set

of

CSF

properties

that

can

be

used

to

directly

set

the

user

and

roles

in

local

development

environments.

local.authentication=true


local.user.name=beaver


local.user.password=whatever

All

of

the

above

properties

must

be

present

to

set

a

user.

 

  The

local

authentication

properties

should

never

be

set

on

Education

Systems

servers.


They

are

set

in

the

Application

Property

File

that

resides

in

the

user's

home

folder.

Roles

may

be

set

also,

here

is

an

example:

local.mitroles

=

WTW_REPORT_ADMIN

\

|

1

5

21W,

WTW_READ

This

sets

two

roles,

WTW_REPORT_ADMIN

and

WTW_READ,

and

also

sets

qualifier

codes

1,

5,

and

21W

on

WTW_REPORT_ADMIN.

The

meaning

of

qualifier

codes

is

role

dependent,

and

some

roles

have

no

qualifiers.

In

this

case

the

qualifiers

represent

departments

that

the

user

has

this

role

for.

Only

MIT

roles

database

roles

may

be

set

this

way.

Other

roles

like

instructor

and

student

are

best

set

by

setting

the

user

as

shown

above

to

a

student

or

instructor.

exceptionTranslationFilter: catches all exceptions from the filters that follow. Applies configured exception handlers based on the exception type caught. For example, if an AuthenticationException is thrown, indicating that the request is not authenticated yet, then it calls the method to start the authentication process.  If an AccessDeniedException is thrown, indicating that the user is not authorized, then the AccessDeniedHandler is called.

filterSecurityInterceptor: Secures the requested HTTP resource(s) based on the SecurityContext. The work is delegated to a number of helpers configured for this bean. Requires a definition of what resources are to be protected and what roles apply. If the requested resource is supposed to be protected and there is no established authentication in the SecurityContext by this point, it throws an AuthenticationException which is handled as described before.  Otherwise, it will determine if authorization in the SecurityContext is sufficient for access to the resource, throwing AccessDeniedException if appropriate. 

There are several other filters in the CSF.

Panel

The Filter Chain Proxy and the Spring Security filters

Complexity is the price of flexibility. There are several interacting system artifacts, the components and their configurations.

Spring Security itself and the CSF components are all configured using the Spring context. Configurations for Spring Security and framework components related to it are found in the applicationContext-common-security.xml of an application or in CSF. Some configuration entries in web.xml and applicationContext-web.xml are also important. When you look at the entries in these files there are many more than what are described in this document, however, it is unusual to have to change entries not discussed.

The configuration bean for the filter chain is called the filterChainProxy. Here is a sample configuration:

Code Block
	<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
           <security:filter-chain pattern="/css/**" filters="logoutFilter" />
           <security:filter-chain pattern="/img/**" filters="logoutFilter" />
           <security:filter-chain pattern="/js/**" filters="logoutFilter" />
           <security:filter-chain pattern="/docs/**" filters="logoutFilter" />
           <security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter,
           		logoutFilter,
           		ssoAuthenticationProcessingFilter,
           		basicAuthenticationProcessingFilter,
           		exceptionTranslationFilter,
           		filterSecurityInterceptor,
           		switchUserProcessingFilter"
           />
        </security:filter-chain-map>
	</bean>

In this example,

  1. We are telling the filter chain to run, that is authenticate and authorize, on url patterns that match everything except the contents of /images, /js, /css, and /docs.
  2. We are constructing the filter chain components processing order. The components are references to beans defined in the Spring context.

The beans in this example serve the following functions :

httpSessionContextIntegrationFilter: Gets an existing security context from the HTTP session, or creates a new empty context.

ssoAuthenticationProcessingFilter: If authentication has not already been established in the SecurityContext ( that is, was not present in the session ), checks to see if the user is already set in the servlet request, indicating that SSO has authenticated the user.  If so, it sets up all the data structures needed by the security context. This includes the list of roles that the user is authorized for, based on the results of calling the configured authorization services ( see below ).

basicAuthenticationProcessingFilter: If authentication has not already been established ( that is by either being present in the session or by SSO ), and the local.authentication property has been set, performs HTTP Basic authentication. The user is prompted for a username and password, which must match what is configured in the application property file.  This filter is intended as a solution to running the application with a security context in the absence of SSO, which is the situation on developer's local workstations. This filter checks that the user and password entered in the login prompt in the browser match the property values for Local Authentication Properties. It then sets up all the data structures needed by the security context. This includes the list of roles that the user is authorized for, based on the results of calling the configured authorization services ( see below ).

Code Block

...