spring security

A new topic, on my way to mastering it.

1. web.xml: define the security filters. One special point is "springSecurityFilterChain", which is a special Spring internal infrastructure bean created by the namespace to handle web security. As the reference manual puts it:
"If you are familiar with pre-namespace versions of the framework, you can probably already guess roughly what's going on here. The <http> element is responsible for creating a FilterChainProxy and the filter beans which it uses. Common problems like incorrect filter ordering are no longer an issue as the filter positions are predefined."
(from http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html)
2.

	<!-- This bean id should not be changed -->
	<bean id="authenticationProcessingFilter" scope="prototype"
		class="com.db.cfc.frontend.common.security.filter.AuthProcessinglFilter">
		<security:custom-filter position="PRE_AUTH_FILTER" />
		<property name="authenticationManager" ref="authenticationManager" />
	</bean>

	<bean id="exceptionTranslationFilter"
		class="org.springframework.security.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
		<property name="accessDeniedHandler">
			<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/WEB-INF/jsp/error/AccessDenied.jsp" />
			</bean>
		</property>
	</bean>

	<bean id="authenticationEntryPoint"
		class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />

	<bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
		<security:custom-authentication-provider />
		<property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
	</bean>

	<bean id="preAuthenticatedUserDetailsService" class="com.db.cfc.frontend.common.security.service.impl.UserDetailsService">
		<property name="profileService" ref="profileService" />
		<property name="securityService" ref="securityService" />
	</bean>

	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
		<property name="providers">
			<list>
				<ref bean="preAuthenticatedAuthenticationProvider" />
			</list>
		</property>
	</bean>

Inside application_context_security.xml, using the xmlns:security="http://www.springframework.org/schema/security" namespace to define the <http> configuration automatically creates the springSecurityFilterChain, which is something like an alias for the filterChainProxy.

And the filter -> authenticationManager -> provider -> userDetailsService configuration inside application_context_security.xml configures the corresponding beans.

In addition, there is something called "entry-point", which I need to continue investigating.

	<!-- ACL context configuration start -->
	<security:http entry-point-ref="authenticationEntryPoint"
		auto-config="false" session-fixation-protection="none"
		lowercase-comparisons="false" access-denied-page="/WEB-INF/jsp/error/AccessDenied.jsp">

		<!-- Common to all roles, but authenticated -->
		<security:intercept-url pattern="/1/*.action"
			access="ROLE_BR_B_C_E,ROLE_BR_B_C_V,ROLE_BR_B_M_E,ROLE_BR_B_M_V,ROLE_BR_S_C_E,
			ROLE_BR_S_C_V,ROLE_BR_S_M_E,ROLE_BR_S_M_V,ROLE_DD_B_C_E,ROLE_DD_B_C_V,ROLE_DD_B_M_E,
			ROLE_DD_B_M_V,ROLE_DD_S_C_E,ROLE_DD_S_C_V,ROLE_DD_S_M_E,ROLE_DD_S_M_V,
			ROLE_SA_E,ROLE_SA_V,ROLE_CFC-SALES_V,ROLE_CFC-SALES_E" />
		<security:anonymous />

	</security:http>

	<bean id="exceptionTranslationFilter"
		class="org.springframework.security.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
		<property name="accessDeniedHandler">
			<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/WEB-INF/jsp/error/AccessDenied.jsp" />
			</bean>
		</property>
	</bean>

	<bean id="authenticationEntryPoint"
		class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />

In addition, http://heraclitusonsoftware.wordpress.com/software-development/spring/simple-web-application-with-spring-security-part-13/#comment-1882
explains some of my findings and saved me the effort of typing them up. ^_^

Addon: I found out that it is FilterSecurityInterceptor.java which maintains the security configuration inside application_context_security.xml, i.e. the <security:http> block with its <security:intercept-url> patterns and access roles shown above.

This same class, FilterSecurityInterceptor, during its doFilter() processing calls its superclass method AbstractSecurityInterceptor.beforeInvocation(), where the XML configuration is checked against the userDetails data.

And from the Javadoc of AbstractSecurityInterceptor:

Abstract class that implements security interception for secure objects.


The AbstractSecurityInterceptor will ensure the proper startup configuration of the security interceptor. It will also implement the proper handling of secure object invocations, namely:

  1. Obtain the {@link Authentication} object from the {@link SecurityContextHolder}.
  2. Determine if the request relates to a secured or public invocation by looking up the secure object request against the {@link ObjectDefinitionSource}.
  3. For an invocation that is secured (there is a ConfigAttributeDefinition for the secure object invocation):
    1. If either the {@link org.springframework.security.Authentication#isAuthenticated()} returns false, or the {@link #alwaysReauthenticate} is true, authenticate the request against the configured {@link AuthenticationManager}. When authenticated, replace the Authentication object on the SecurityContextHolder with the returned value.
    2. Authorize the request against the configured {@link AccessDecisionManager}.
    3. Perform any run-as replacement via the configured {@link RunAsManager}.
    4. Pass control back to the concrete subclass, which will actually proceed with executing the object. A {@link InterceptorStatusToken} is returned so that after the subclass has finished proceeding with execution of the object, its finally clause can ensure the AbstractSecurityInterceptor is re-called and tidies up correctly.
    5. The concrete subclass will re-call the AbstractSecurityInterceptor via the {@link #afterInvocation(InterceptorStatusToken, Object)} method.
    6. If the RunAsManager replaced the Authentication object, return the SecurityContextHolder to the object that existed after the call to AuthenticationManager.
    7. If an AfterInvocationManager is defined, invoke the invocation manager and allow it to replace the object due to be returned to the caller.
  4. For an invocation that is public (there is no ConfigAttributeDefinition for the secure object invocation):
    1. As described above, the concrete subclass will be returned an InterceptorStatusToken which is subsequently re-presented to the AbstractSecurityInterceptor after the secure object has been executed. The AbstractSecurityInterceptor will take no further action when its {@link #afterInvocation(InterceptorStatusToken, Object)} is called.
  5. Control again returns to the concrete subclass, along with the Object that should be returned to the caller. The subclass will then return that result or exception to the original caller.
@author Ben Alex @version $Id: AbstractSecurityInterceptor.java 3046 2008-05-09 18:09:56Z luke_t $

I love Spring Security, it's cool!
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/technical-overview.html#tech-intro-authentication

There are in general two steps: authentication and authorisation.
1. Authentication is generally done by the authenticationManager, e.g. org.springframework.security.providers.ProviderManager, together with the providers and the userDetailsService.
2. Authorisation is generally done by AbstractSecurityInterceptor, which retrieves the configAttributes, like ROLE_A and ROLE_B in <intercept-url pattern='/secure/**' access='ROLE_A,ROLE_B'/> for example, and uses an accessDecisionManager to decide on the previously retrieved authentication object against those configAttributes.
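To see step 2 (and step 3.2 of the AbstractSecurityInterceptor Javadoc above) in isolation, here is an added example that is not from this post or from the Spring project: it feeds an already-authenticated principal and the comma-separated access list of an <intercept-url> into the same kind of AccessDecisionManager the namespace uses, an AffirmativeBased manager backed by a RoleVoter. It assumes the Spring Security 3.0.x/3.1.x core API (spring-security-core on the classpath); the class name InterceptUrlDecisionDemo, the method isAllowed and the principals "viewer" and "nobody" are constructed for the demo.

```java
// Added example (not the blog post's or Spring's own code). Assumes the
// Spring Security 3.0.x/3.1.x core API; principals and roles are constructed.
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class InterceptUrlDecisionDemo {

    // AffirmativeBased grants as soon as one voter votes GRANTED and denies if
    // any voter votes DENIED. RoleVoter only looks at attributes starting with
    // "ROLE_" and compares them to the principal's granted authorities.
    // (The namespace default also registers an AuthenticatedVoter; omitted here.)
    private static AffirmativeBased buildDecisionManager() {
        AffirmativeBased manager = new AffirmativeBased();
        List<AccessDecisionVoter> voters = Arrays.<AccessDecisionVoter>asList(new RoleVoter());
        manager.setDecisionVoters(voters);
        return manager;
    }

    /**
     * Mirrors AbstractSecurityInterceptor step 3.2: decide whether the already
     * authenticated principal may invoke the secure object whose
     * <intercept-url> carries the given comma-separated access list.
     * Returns true when access is granted, false when it is denied.
     */
    public static boolean isAllowed(Authentication authentication, String accessAttribute) {
        // The namespace turns access="ROLE_A,ROLE_B" into this Collection<ConfigAttribute>.
        Collection<ConfigAttribute> attributes =
                SecurityConfig.createListFromCommaDelimitedString(accessAttribute);
        try {
            // The second argument is the secure object (a FilterInvocation in the
            // web case); RoleVoter does not inspect it, so null is fine here.
            buildDecisionManager().decide(authentication, null, attributes);
            return true;
        } catch (AccessDeniedException denied) {
            // In the filter chain this exception is what ExceptionTranslationFilter
            // turns into the configured access-denied page for an authenticated user.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed principals. TestingAuthenticationToken is already marked
        // authenticated, so only the authorisation decision is exercised.
        Authentication viewer = new TestingAuthenticationToken("viewer", "n/a", "ROLE_SA_V");
        Authentication nobody = new TestingAuthenticationToken("nobody", "n/a", "ROLE_OTHER");

        // Access list taken from the <intercept-url> shown earlier in this post.
        String access = "ROLE_SA_E,ROLE_SA_V,ROLE_CFC-SALES_V,ROLE_CFC-SALES_E";
        System.out.println("viewer allowed: " + isAllowed(viewer, access)); // true
        System.out.println("nobody allowed: " + isAllowed(nobody, access)); // false
    }
}
```

The point to take from it is that the intercept-url roles are plain string matches against the principal's granted authorities, so the long role lists in the configuration above are only as safe as the preAuthenticatedUserDetailsService that populates those authorities, and a principal holding none of the listed roles is refused with an AccessDeniedException rather than silently passed through.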

And these two posts are equally cool:
http://asahu05.wordpress.com/2010/07/20/spring-acegi-security-in-flex-application

and http://enlightensoft.wordpress.com/2010/04/09/spring-security-3-0-part-1/