Acegi Security

Document created by resplin Employee on Jun 6, 2015
Version 1Show Document
  • View in full screen mode

Obsolete Pages{{Obsolete}}

The official documentation is at: http://docs.alfresco.com



SecurityThird-Party Libraries


Spring Security Research


Objectives


  • We need to have a security infrastructure that protects our application at all levels in the stack
  • We need to be able to secure at the folder and file level (not property level yet) for both users and roles
  • We need to have a single sign-on (SSO) framework that functions in both and Windows and *ux environment
  • Evaluate Acegi to determine it's code quality, performance and how adaptable it is to replace it's implementation for object level security, authentication providers (pulling credentials from disparate systems) and ACL management
  • Implement a simple example using Acegi that will demonstrate protecting a resource depending on the user and using code and web folders to access it

Features


  • Only at version 0.7
  • First impression from the documentation alone is very good, it seems very comprehensive and flexible but that brings complexity
  • Code is very good quality it looks like a professional has written it as opposed to someone in their bedroom, however comments are slightly lacking but you could forgive that with the documentation you get
  • AOP approach; An Authentication object is associated with the current thread and objects that are 'secured' are examined by Acegi before and optionally after execution, this means security code does not have to litter the repository code base
  • Most implementations can be replaced i.e. you can provide custom authentication providers to retrieve credentials from your own schema, you can replace the access decision manager implementation and so on.
  • Has 'After Invocation' security so you can remove things from collections that the caller does not have permission to see, this maybe useful for manipulating search results
  • Web based authentication can hook into the container security mechanism or can be completely app server agnostic by only using filters
  • SSO is achieved using the Yale Central Authentication Service (CAS) but as mentioned above other SSO providers such as JOSSO could be integrated if necessary
  • A JAAS provider implementation is supplied which maybe an easy way to get LDAP/Active Directory support
  • ACL framework is provided, again it's all adaptable for your own schema etc. The out of the box implementation is sufficient for most projects needs
  • Checks for whether methods can be called by the current user are done by role (user level is not supported)
  • ACL checks are done using the parameters of the method being called i.e. the path (these can be configured to the user level)

Single Sign On


  • Yale's CAS is fully integrated which gives an SSO solution, however, it is not a seamless experience as the user is still required to login at the beginning of the session
  • Furthermore, it appears that this maybe more of a centralisation solution as opposed to a single signon solution as a cookie is used to represent the previously authenticated user, so unless the same browser is used to access all webapps another login will be required. Also 'tokens' are used for single requests only so I'm not sure how this can give you single sign on across multiple apps
  • JOSSO is another Java based SSO solution, it mentions domain wide SSO tokens (cookies in the same domain and browser session) so hints at a proper SSO solution but there is no mention of NTLM/Kerberos integration, only LDAP
  • NLTM or Kerberos are used by Windows to authenticate network users, to enable a seamless single sign on scenario (where Windows credentials are used) support for one of these protocols is required, Acegi has neither :-(
  • As Kerberos is an industry standard (unlike NTLM) a mixed Windows and Unix/Linux SSO solution should be possible if we add support for Kerberos to Acegi
  • Java has had support for Kerberos (via GSS-API, a standard common layer over security services) since 1.4. In fact there are JAAS login modules that provide Kerberos authentication. Furthermore, as Windows caches Kerberos tickets it may be possible to access these thus providing a seamless login
  • jCFIS is an open source project that provides NTLM authentication for java based webapps
  • There are several examples of using NTLM authentication (jCFIS, HttpClient, JetSpeed) in webapps outside of an SSO scenario too, so if we wanted to make use of the Windows user database but not the browser challenge/response login mechanism this also seems possible

Customization


  • To use our own schema for authentication we can simply configure the JdbcDaoImpl implementation to use different queries
  • If our schema is more complex and this is not possible we will need to implement the AuthenticationProvider interface
  • The ObjectDefinitionSource interface is used to return ConfigAttributeDefinition's which represent what roles and ACLs can access methods and URLs, if we want to store these in the database we will need to provide an implementation of the ObjectDefinitionSource interface
  • To get user level checks we will have to provide an implementation of the AccessDecisionVoter interface OR we make the implementation of ObjectDefinitionSource 'understand' users as well as roles
  • To use our own schema for storing ACL information we will have to provide an implementation of the AclProvider interface (or extension of the BasicAclProvider class)
  • Any domain objects we want ACL checked will need to implement the AclObjectIdentity interface or be wrapped by something that does; might be a good idea to encapsulate all our paths in an object, this could be the JSR170 Node
  • To use the supplied JDBC based ACL provider we would need to use the supplied database schema and the domain objects will need to extend NamedEntityObjectIdentity
  • We will need to create an authentication provider to wrap jCFIS to get NTLM authentication support
  • We will need to create an authentication provider to provide Kerberos support

Questions


  • Is there a NTLM equivalent for *UX is it Kerberos or PAM?
  • Can Firefox be configured to use NTLM (research suggests it should) or Kerberos?

Conclusion


I think we should definitely use Acegi as the base of our security infrastructure. Although it is only at version 0.7 and it is open source it has a professional feel to it. Performance and code quality is also very good.

The SSO requirement is bit more cloudy as to what we would use but with Acegi's flexible design we have a multitude of options for integration.

One thing is clear though, we need to design our user, role and ACL management with a focus on separation as we may well need to authenticate the username with one system, retrieve the roles from another and query our own schema for ACLs.

Attachments

    Outcomes