LDS_Account_Integration_Training

January 6, 2018 | Author: Anonymous | Category: Engineering & Technology, Computer Science, Information Security
Share Embed Donate


Short Description

Download LDS_Account_Integration_Training...

Description

LDS Account and the Java Stack

Disclaimer

• This is a training NOT a presentation. – Be prepared to learn and participate in labs

• Please ask questions • Prerequisites: – Basic Java knowledge – Basic Spring knowledge

Outline • LDS Account Overview – History – Authentication – User Details

• Spring Security Overview – Authentication – LDS Account integration – In memory integration

• LDS Account Search • Spring Security and Authorization

History

• Historically each application handled authentication as a one off – Troublesome for users (many credentials to remember) – User information duplicated over and over throughout the enterprise – Difficult to get user information at all

• Screaming for consolidation and a single, central solution

LDS Account

"LDS Account is a single user name and password for any person who interacts with online LDS Church resources. LDS Account is the primary account authentication credentials for most Church sites and applications. It reduces development costs that would be incurred as the user interfaces change, or as upgrades to security and the registration process are required. Unlike previous authentication systems, LDS Account is a branded single sign-on solution that is centrally managed at ldsaccount.lds.org."

LDS Account (cont.)

"LDS Account has become the key to accessing all the resources the Church has to offer, such as family history tools, ward and stake websites, employment resources, and more. ... The idea is to have only one username and password that you can use with all password-protected websites the Church has."

What is LDS Account?

• LDS Account is meant to be the single source for user authentication and basic user information • LDS Account is implemented with LDAP • LDS Account is an application for maintaining user attributes

LDS Account Uses LDAP

• Lightweight Directory Access Protocol • Distributed directory of information – Much like a database – Not queried with SQL – For further information about the Directory structure, please see the corresponding section at: http://en.wikipedia.org/wiki/Lightweight_Directory_ Access_Protocol

• LDS Account = LDAP • WAM = Single Sign-on

User Details

• LDS Account also provides user information – User details – User details can be exposed through • LDAP attributes • WAM headers • SAML attributes

LDS Account User Details Integration

• The LDS Account module acts as a Java model for LDS Account information • LdsAccountDetails.java is the abstraction layer for LDS Account user details integration • Factories generate LdsAccountDetails object for each user – Factories handle the different formats in which the raw user details attributes are provide to the application • LDAP attributes, WAM headers, SAML, …

Lab 1

https://tech.lds.org/wiki/LDS_Account_Integration _-_Part_1#Lab_1

LDS Account Spring Security Integration

Authentication vs. Authorization

• Authentication - "you are who you say you are" – Identification of an individual user of the application – Credential-based authentication

• Authorization - "you have appropriate permissions to perform the operation you are attempting" – Availability of functionality and data to users who are authorized (or allowed) to access it – http://en.wikipedia.org/wiki/Authentication#Authent ication_vs._authorization

Spring Security • Spring Security is a highly customizable and pluggable enterprise authentication / authorization security framework – Provides tools for managing application access (authentication) – Rules for what users can access (by url) (authorization) – Securing methods (authorization), ...

• Overcomes lack of depth in J2EE Servlet Specification • Further information can be found here: http://static.springsource.org/springsecurity/site/reference.html

Spring Security (authentication)

• Spring comes with many pluggable authentication providers – Support provided for authenticating with: • • • • • • • •

LDAP X.509 (Certificates) Databases (JDBC) JAAS OAuth HTTP BASIC Form-based …

Spring Security Authentication Manager

• Basic configuration: ...

• Native Spring in memory authentication provider configuration (applicationContext.xml)

Spring Security Web Configuration

• Configure filter in web.xml springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy springSecurityFilterChain /*

Spring Security Context Configuration • Configure applicationContext.xml
View more...

Comments

Copyright � 2017 NANOPDF Inc.
SUPPORT NANOPDF