Iasi Code Camp, 20 April 2013: Windows authentication - Spring Security - Kerberos
A bridge between two worlds: Spring Security & Kerberos
Claudiu Stancu
Agenda
• Me & the other me
• Security concepts
• Kerberos
• All together
• Code time
3
IN YOUR ZONE
About me…
Development Discipline Lead at Endava
The other me…
Security concepts – Data types
PUBLIC PRIVATE
CONFIDENTIAL SECRET
Authentication
“The process of verifying that the users of our application are who they say they are”
Authentication
Credentials Based
Authentication
Biometrics Authentication
Authentication
Two factor authentication
Authentication
• Browser certificates
• Single Sign On
• Hardware authentication
Authorization
Assign authenticated Principals to one or more Roles
Assign the Principal’s Role(s) to secured resources
Spring Security
Servlet Filters
Delegation
Spring Security – Filters
Request
• o.s.s.web.context.SecurityContextPersistenceFilter
• o.s.s.web.authentication.logout.LogoutFilter
• o.s.s.web.authentication.UsernamePasswordAuthentication
• o.s.s.web.session.SessionManagementFilter
Secured Resource
Response
Spring Security – Fundamentals
Security Interceptor
Authentication Manager
Access Decision Manager
Run-As Manager
After-Invocation Manager
Spring Security – Authentication Manager
Authentication Manager
• Provider Manager
  • LDAP Authentication Provider
  • CAS Authentication Provider
  • Kerberos Authentication Provider
  • DAO Authentication Provider
  • Remember Me Authentication Provider
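The Provider Manager on this slide hands every authentication request to its chain of providers. The Python model below is an added example, not code from the talk or from Spring Security itself; it reproduces the documented delegation loop of ProviderManager: a provider is asked only if it supports the token type, the first non-null result wins, a rejection is remembered while the remaining providers are tried, the parent manager is consulted before giving up, and credentials are erased from the successful result. The two providers, their user and ticket stores, the token type names and the credentials are constructed stand-ins for DaoAuthenticationProvider, the Kerberos provider and real tokens.

```python
# Added example, not Spring's code: a runnable model of ProviderManager's delegation loop
# (o.s.s.authentication.ProviderManager). The providers and their user / ticket stores are
# constructed stand-ins for DaoAuthenticationProvider and the Kerberos service provider.
from dataclasses import dataclass, field


class AuthenticationException(Exception):
    """A provider that supports the token examined it and rejected it."""


class ProviderNotFoundException(AuthenticationException):
    """No provider in the chain (nor in its parent) supports this token type."""


@dataclass
class Authentication:
    token_type: str                 # which provider family understands this token
    principal: str
    credentials: object = None      # password, service ticket, ...; erased after success
    authenticated: bool = False
    authorities: list = field(default_factory=list)


class DaoAuthenticationProvider:
    """Username/password against a constructed user store {name: (password, roles)}."""
    def __init__(self, users):
        self.users = users

    def supports(self, token_type):
        return token_type == "UsernamePassword"

    def authenticate(self, auth):
        record = self.users.get(auth.principal)
        if record is None or record[0] != auth.credentials:
            raise AuthenticationException("bad credentials")
        return Authentication(auth.token_type, auth.principal, auth.credentials, True, list(record[1]))


class KerberosServiceProvider:
    """Service-ticket validation, modelled as a lookup in a constructed {valid_ticket: user} table."""
    def __init__(self, tickets):
        self.tickets = tickets

    def supports(self, token_type):
        return token_type == "KerberosServiceRequest"

    def authenticate(self, auth):
        user = self.tickets.get(auth.credentials)
        if user is None:
            raise AuthenticationException("ticket validation failed")
        return Authentication(auth.token_type, user, auth.credentials, True, ["ROLE_USER"])


class ProviderManager:
    """Ask each provider that supports the token; first result wins; else fall back to the parent."""
    def __init__(self, providers, parent=None):
        self.providers, self.parent = providers, parent

    def authenticate(self, auth):
        result, last_error = None, None
        for provider in self.providers:
            if not provider.supports(auth.token_type):
                continue
            try:
                result = provider.authenticate(auth)
            except AuthenticationException as e:
                last_error = e                     # remember it, but keep asking the other providers
                continue
            if result is not None:
                break
        if result is None and self.parent is not None:
            try:
                result = self.parent.authenticate(auth)
            except ProviderNotFoundException:
                pass                               # parent had nothing to add; keep our own error
            except AuthenticationException as e:
                last_error = e
        if result is not None:
            result.credentials = None              # eraseCredentialsAfterAuthentication (default true)
            return result
        raise last_error or ProviderNotFoundException(auth.token_type)


def build_chain():
    """Constructed chain: Kerberos tickets in the child manager, DAO users in the parent."""
    parent = ProviderManager([DaoAuthenticationProvider({"cstancu": ("s3cret", ["ROLE_ADMIN"])})])
    return ProviderManager([KerberosServiceProvider({"ticket-for-cstancu": "cstancu"})], parent=parent)


def try_login(token_type, principal, credentials):
    """Returns (authenticated, principal, authorities, error class name or None)."""
    try:
        r = build_chain().authenticate(Authentication(token_type, principal, credentials))
        return r.authenticated, r.principal, r.authorities, None
    except AuthenticationException as e:
        return False, principal, [], type(e).__name__
```

The parent/child layout mirrors how a web application's own ProviderManager delegates to a global one: a token no provider supports ends in ProviderNotFoundException, while a token a provider understood but rejected surfaces that provider's error.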
Spring Security – Access Decision Manager
Access Decision Manager
• Abstract Access Decision Manager
  • Affirmative Based
  • Consensus Based
  • Unanimous Based
Abstract Decision Voter
• Role Voter

| Access Decision Manager | Grant / Deny access? |
| --- | --- |
| Affirmative based | At least one voter grants access |
| Consensus based | Majority grant access |
| Unanimous based | If all voters grant access |
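The table is easy to misread at the edges: what happens when the votes tie, or when every voter abstains because none of them understands the attribute on the resource. The Python model below is an added example, not Spring's code; it runs the same request through the three strategies with a RoleVoter that follows Spring's rules and a constructed InternalNetworkVoter. The defaults it uses, deny when all voters abstain (allowIfAllAbstainDecisions=false) and, for ConsensusBased, grant on a tie (allowIfEqualGrantedDeniedDecisions=true), are Spring's documented defaults; the INTERNAL_NET attribute, the IP addresses and the roles are made up for the demo, and UnanimousBased is simplified to one poll per request rather than one per attribute.

```python
# Added example, not Spring's code: a runnable model of the three access decision strategies on the
# slide. Voters answer GRANTED / DENIED / ABSTAIN as Spring's AccessDecisionVoter does. RoleVoter follows
# Spring's rules; InternalNetworkVoter, the attributes and the IP addresses below are constructed.
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1


class AccessDeniedException(Exception):
    pass


class RoleVoter:
    """Votes only on attributes with the ROLE_ prefix and abstains on everything else."""
    prefix = "ROLE_"

    def vote(self, authorities, context, attributes):
        result = ACCESS_ABSTAIN
        for attr in attributes:
            if not attr.startswith(self.prefix):
                continue
            result = ACCESS_DENIED           # a role attribute is present: this voter no longer abstains
            if attr in authorities:
                return ACCESS_GRANTED
        return result


class InternalNetworkVoter:
    """Constructed voter: INTERNAL_NET resources are for callers inside 10.0.0.0/8 only."""

    def vote(self, authorities, context, attributes):
        if "INTERNAL_NET" not in attributes:
            return ACCESS_ABSTAIN
        return ACCESS_GRANTED if context.get("remote_ip", "").startswith("10.") else ACCESS_DENIED


class AbstractAccessDecisionManager:
    def __init__(self, voters, allow_if_all_abstain=False):      # Spring's default: deny if all abstain
        self.voters, self.allow_if_all_abstain = voters, allow_if_all_abstain

    def tally(self, authorities, context, attributes):
        votes = [v.vote(authorities, context, attributes) for v in self.voters]
        return votes.count(ACCESS_GRANTED), votes.count(ACCESS_DENIED)

    def all_abstained(self):
        if not self.allow_if_all_abstain:
            raise AccessDeniedException("all voters abstained")


class AffirmativeBased(AbstractAccessDecisionManager):
    """At least one voter grants access."""
    def decide(self, authorities, context, attributes):
        grant, deny = self.tally(authorities, context, attributes)
        if grant > 0:
            return
        if deny > 0:
            raise AccessDeniedException("a voter denied access")
        self.all_abstained()


class ConsensusBased(AbstractAccessDecisionManager):
    """Majority grants access; a tie is granted by default (Spring's allowIfEqualGrantedDeniedDecisions)."""
    def __init__(self, voters, allow_if_all_abstain=False, allow_if_equal=True):
        super().__init__(voters, allow_if_all_abstain)
        self.allow_if_equal = allow_if_equal

    def decide(self, authorities, context, attributes):
        grant, deny = self.tally(authorities, context, attributes)
        if grant > deny:
            return
        if deny > grant or (grant == deny and grant > 0 and not self.allow_if_equal):
            raise AccessDeniedException("consensus against access")
        if grant == 0:
            self.all_abstained()


class UnanimousBased(AbstractAccessDecisionManager):
    """All voters grant access (simplified: Spring polls the voters once per attribute)."""
    def decide(self, authorities, context, attributes):
        grant, deny = self.tally(authorities, context, attributes)
        if deny > 0:
            raise AccessDeniedException("a voter denied access")
        if grant == 0:
            self.all_abstained()


def allowed(manager, authorities, context, attributes) -> bool:
    try:
        manager.decide(authorities, context, attributes)
    except AccessDeniedException:
        return False
    return True


def compare(remote_ip):
    """One request, three strategies: a ROLE_ADMIN caller from remote_ip hitting an INTERNAL_NET resource."""
    voters = [RoleVoter(), InternalNetworkVoter()]
    authorities, context, attributes = ["ROLE_ADMIN"], {"remote_ip": remote_ip}, ["ROLE_ADMIN", "INTERNAL_NET"]
    return {name: allowed(cls(voters), authorities, context, attributes)
            for name, cls in (("affirmative", AffirmativeBased), ("consensus", ConsensusBased),
                              ("unanimous", UnanimousBased))}
```

Calling compare("203.0.113.5") gives affirmative and consensus True but unanimous False: the admin role grants, the network voter denies, and only the unanimous strategy treats that one deny as decisive. The all-abstain case is the one to watch when a new attribute is introduced that no configured voter understands: with the default it is a deny, which is the safe failure mode.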
Kerberos
Kerberos
Client → KDC: {cstancu, 192.168.1.2}
KDC → Client: SessionKey1, TGT
Client now holds: TGT, SessionKey1
Kerberos
Client → TGS: {SessionKey1}Authenticator, TGT
TGS → Client: Mail Ticket, {SessionKey1}SessionKey2
Client → Mail server: {SessionKey2}Authenticator, Mail Ticket
Mail server → Client: ok
Client now holds: TGT, SessionKey1, Mail Ticket, SessionKey2
All together
(1) HTTP GET resource.html
(2) HTTP 401 – Denied: WWW-Authenticate: Negotiate
All together
(3) Kerberos TGS_REQ
(4) Kerberos TGS_REP
All together
(5) HTTP GET Authorization: Negotiate w/SPNEGO Token
(6) HTTP 200 – OK resource.html
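The two Kerberos slides and the three "All together" slides describe one end-to-end exchange: the AS exchange for SessionKey1 and the TGT, the TGS exchange for a service ticket and SessionKey2, and finally the HTTP Negotiate round trip in which the browser presents that ticket. The Python model below is an added example, not code from the talk or from the Spring Security Kerberos extension; it plays both sides of every message so the whole flow can be run offline. The cipher is a toy encrypt-then-MAC construction standing in for Kerberos encryption types, the SPNEGO token is base64-encoded JSON standing in for the DER-encoded GSS-API token, and cstancu, 192.168.1.2, the SPN HTTP/mail.example.test and all keys are constructed. It also makes explicit two checks the slides leave implicit: the freshness window on the authenticator timestamp and a replay cache on the service.

```python
# Added example, not code from the talk or from Spring Security Kerberos: a toy model of the slides'
# Kerberos and SPNEGO flows. Cipher, "SPNEGO token", principal, keys, IP and host are constructed.
import base64, hashlib, hmac, json, os, time

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:      # keystream of at least n bytes
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload; toy stand-in for a Kerberos encryption type."""
    data, nonce = json.dumps(payload, sort_keys=True).encode(), os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, so a wrong key is an error rather than garbage plaintext."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check_authenticator(auth: dict, ticket: dict, skew: float = 300) -> None:
    # ticket unexpired; authenticator names the ticket's user and is within the clock-skew window
    if ticket["exp"] < time.time() or auth["user"] != ticket["user"] or abs(time.time() - auth["ts"]) > skew:
        raise ValueError("expired ticket, or authenticator mismatched or stale")

class KDC:
    def __init__(self, user_keys: dict, service_keys: dict):
        # the TGT key never leaves the KDC, so a TGT is opaque to the client
        self.user_keys, self.service_keys, self.krbtgt_key = user_keys, service_keys, os.urandom(32)

    def as_exchange(self, user: str, client_ip: str):
        """Slide 19: {cstancu, 192.168.1.2} -> {userKey}SessionKey1 and TGT."""
        sk1, exp = os.urandom(32), time.time() + 600
        tgt = seal(self.krbtgt_key, {"user": user, "ip": client_ip, "key": sk1.hex(), "exp": exp})
        return seal(self.user_keys[user], {"session_key1": sk1.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """Slide 20: {SessionKey1}Authenticator + TGT -> service ticket and {SessionKey1}SessionKey2."""
        body = unseal(self.krbtgt_key, tgt)
        sk1 = bytes.fromhex(body["key"])
        check_authenticator(unseal(sk1, authenticator), body)
        sk2, exp = os.urandom(32), time.time() + 600
        ticket = seal(self.service_keys[spn], {"user": body["user"], "key": sk2.hex(), "exp": exp})
        return ticket, seal(sk1, {"session_key2": sk2.hex()})

class Service:
    def __init__(self, spn: str, key: bytes):                 # the mail server, or the HTTP server
        self.spn, self.key, self.replay_cache = spn, key, set()

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        """{SessionKey2}Authenticator + ticket -> authenticated user; replays are rejected."""
        body = unseal(self.key, ticket)                       # only this service's key opens its ticket
        auth = unseal(bytes.fromhex(body["key"]), authenticator)
        check_authenticator(auth, body)
        if (auth["user"], auth["ts"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["user"], auth["ts"]))
        return body["user"]

class Client:
    def __init__(self, user: str, key: bytes, ip: str):
        self.user, self.key, self.ip, self.tickets = user, key, ip, {}

    def login(self, kdc: KDC) -> None:
        enc, self.tgt = kdc.as_exchange(self.user, self.ip)
        self.sk1 = bytes.fromhex(unseal(self.key, enc)["session_key1"])   # wrong key -> ValueError

    def get_service_ticket(self, kdc: KDC, spn: str) -> None:
        authenticator = seal(self.sk1, {"user": self.user, "ts": time.time()})
        ticket, enc = kdc.tgs_exchange(self.tgt, authenticator, spn)
        self.tickets[spn] = (ticket, bytes.fromhex(unseal(self.sk1, enc)["session_key2"]))

    def spnego_token(self, spn: str) -> str:       # base64 [ticket, authenticator] stands in for the DER token
        ticket, sk2 = self.tickets[spn]
        authenticator = seal(sk2, {"user": self.user, "ts": time.time()})
        return base64.b64encode(json.dumps([ticket.hex(), authenticator.hex()]).encode()).decode()

def http_get(server: Service, headers: dict):
    """Server side of slides 21-23: (2) challenge with Negotiate; (6) 200 once the token validates."""
    challenge = (401, {"WWW-Authenticate": "Negotiate"}, "Denied")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Negotiate":
        return challenge
    try:
        ticket_hex, auth_hex = json.loads(base64.b64decode(token))
        user = server.accept(bytes.fromhex(ticket_hex), bytes.fromhex(auth_hex))
    except (ValueError, TypeError):
        return challenge
    return 200, {}, f"resource.html for {user}"

def demo():
    """Constructed realm; returns (first status, final status, body, status of replaying the token)."""
    user_key, http_key = os.urandom(32), os.urandom(32)
    kdc = KDC({"cstancu": user_key}, {"HTTP/mail.example.test": http_key})
    server, client = Service("HTTP/mail.example.test", http_key), Client("cstancu", user_key, "192.168.1.2")
    client.login(kdc)                                         # AS exchange
    first = http_get(server, {})[0]                           # (1) plain GET -> (2) 401 Negotiate
    client.get_service_ticket(kdc, server.spn)                # (3)/(4) TGS_REQ / TGS_REP for the SPN
    token = "Negotiate " + client.spnego_token(server.spn)
    status, _, body = http_get(server, {"Authorization": token})   # (5) -> (6)
    return first, status, body, http_get(server, {"Authorization": token})[0]   # same token again -> 401
```

demo() returns (401, 200, "resource.html for cstancu", 401): the first GET is challenged, the GET carrying the token succeeds, and presenting the identical token a second time is refused by the replay cache. Two properties worth noticing in the code are that the client never decrypts a ticket (it only ever opens material sealed under a session key it was given), and that the service validates the ticket with its own long-term key alone, which is exactly why the web server needs nothing more than its keytab to authenticate browser users.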
Code time…
Claudiu Stancu | Development Discipline Lead