A bridge between two worlds: Spring Security & Kerberos
Claudiu Stancu
Agenda
• Me & the other me
• Security concepts
• Kerberos
• All together
• Code time
3
4IN YOUR ZONE
About me…
Development Discipline Lead at Endava
The other me…
Security concepts – Data types
• PUBLIC
• PRIVATE
• CONFIDENTIAL
• SECRET
Authentication
“The process of verifying that the users of our application are who they say they are”
Authentication
Credentials Based
Authentication
Biometric authentication
Authentication
Two-factor authentication
Authentication
• Browser certificates
• Single Sign-On
• Hardware authentication
Authorization
Assign authenticated Principals to one or more Roles
Assign the Principal’s Role(s) to secured resources
Spring Security
Servlet Filters
Delegation
Spring Security – Filters
Request → filter chain → Secured Resource → Response
• o.s.s.web.context.SecurityContextPersistenceFilter
• o.s.s.web.authentication.logout.LogoutFilter
• o.s.s.web.authentication.UsernamePasswordAuthentication
• o.s.s.web.session.SessionManagementFilter
Spring Security – Fundamentals
Security Interceptor
Authentication Manager
Access Decision Manager
Run-As Manager
After-Invocation Manager
Spring Security – Authentication Manager
Authentication Manager → Provider Manager, which delegates to a list of providers:
• LDAP Authentication Provider
• CAS Authentication Provider
• Kerberos Authentication Provider
• DAO Authentication Provider
• Remember Me Authentication Provider
Spring Security – Access Decision Manager
Access Decision Manager → Abstract Access Decision Manager → Affirmative Based / Consensus Based / Unanimous Based
Each manager polls its Access Decision Voters (e.g. Role Voter); a voter grants, denies or abstains.
Access Decision Manager | Grant / Deny access?
Affirmative based | at least one voter grants access (a single grant wins over any number of denials)
Consensus based | the majority of non-abstaining voters grant access (a tie is granted by default, configurable)
Unanimous based | all voters grant access, i.e. no voter denies (abstentions are ignored)
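The three strategies resolve the same votes differently, which is easiest to see with two voters that disagree. The following is an added example, not code from the slides: it runs Spring Security's own AffirmativeBased, ConsensusBased and UnanimousBased managers over a RoleVoter and an AuthenticatedVoter for a principal who is fully authenticated but lacks the required role, so the first voter denies and the second grants. It assumes spring-security-core 4.x or 5.x on the classpath (these classes are deprecated from 5.5 in favour of AuthorizationManager) and Java 9+; the principal name, the resource string and the attributes are made up for the demonstration.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.ConsensusBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class VotingStrategiesDemo {

    /** decide() signals denial by throwing; turn that into a boolean for printing. */
    static boolean isGranted(AccessDecisionManager manager, Authentication user,
                             Collection<ConfigAttribute> attributes) {
        try {
            manager.decide(user, "/admin/report", attributes);   // resource object is a placeholder
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // RoleVoter handles ROLE_* attributes, AuthenticatedVoter handles IS_AUTHENTICATED_* ones.
        List<AccessDecisionVoter<?>> voters = List.of(new RoleVoter(), new AuthenticatedVoter());

        // What the security interceptor would read off the secured resource (made-up attributes).
        Collection<ConfigAttribute> attributes =
                SecurityConfig.createList("ROLE_ADMIN", "IS_AUTHENTICATED_FULLY");

        // Fully authenticated (not anonymous, not remember-me) but only ROLE_USER:
        // RoleVoter -> ACCESS_DENIED, AuthenticatedVoter -> ACCESS_GRANTED.
        Authentication cstancu = new TestingAuthenticationToken("cstancu", "n/a", "ROLE_USER");

        ConsensusBased consensus = new ConsensusBased(voters);
        // One grant against one denial is a tie; the default is to grant ties.
        // Set this to false and the same request is denied.
        consensus.setAllowIfEqualGrantedDeniedDecisions(true);

        System.out.println("affirmative: " + isGranted(new AffirmativeBased(voters), cstancu, attributes));
        System.out.println("consensus:   " + isGranted(consensus, cstancu, attributes));
        System.out.println("unanimous:   " + isGranted(new UnanimousBased(voters), cstancu, attributes));
    }
}
```

Affirmative grants as soon as AuthenticatedVoter says yes, consensus grants only because of the tie rule, and unanimous denies because RoleVoter voted against ROLE_ADMIN. Note that UnanimousBased presents the attributes to each voter one at a time, so a voter that abstains on one attribute and denies on another still denies overall.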
Kerberos
Kerberos – obtaining a TGT (AS exchange)
Notation: {K}X is X encrypted under key K.
Client → KDC: {cstancu, 192.168.1.2}
KDC → Client: TGT, SessionKey1 (SessionKey1 is returned encrypted under the user's own key, so only cstancu can read it)
Client now holds: TGT, SessionKey1
Kerberos – obtaining and using a service ticket (TGS and AP exchanges)
Client → TGS: TGT, {SessionKey1}Authenticator
TGS → Client: Mail Ticket{SessionKey2}, {SessionKey1}SessionKey2
Client now holds: Mail Ticket, SessionKey2
Client → Mail server: Mail Ticket, {SessionKey2}Authenticator
Mail server → Client: ok
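To make the two exchanges above concrete, here is an added single-JVM model of them; it is not code from the slides and not how a real KDC is built. AES-GCM under javax.crypto stands in for the slides' "{K}X", tickets and authenticators are plain "|"-separated strings, and timestamps, lifetimes, nonces, realms and address checks are left out. The principal names, the address and the "mail/" service name are made up. What survives the simplification is the key-handling shape: the client never sees the TGS or mail server keys, the TGT and Mail Ticket are opaque to it, and each server checks that the authenticator's client name matches the name inside the ticket.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KerberosToy {
    static final SecureRandom RNG = new SecureRandom();

    // {K}X: AES-GCM under K with a random 96-bit nonce prepended (toy stand-in for Kerberos etypes).
    static String seal(SecretKey k, String x) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(x.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Inverse of seal(); a wrong key or a modified blob fails the GCM tag check (AEADBadTagException).
    static String open(SecretKey k, String blob) throws Exception {
        byte[] in = Base64.getDecoder().decode(blob);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, Arrays.copyOf(in, 12)));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    static SecretKey newKey() throws Exception {
        KeyGenerator g = KeyGenerator.getInstance("AES");
        g.init(128);
        return g.generateKey();
    }
    static String enc(SecretKey k) { return Base64.getEncoder().encodeToString(k.getEncoded()); }
    static SecretKey dec(String s) { return new SecretKeySpec(Base64.getDecoder().decode(s), "AES"); }

    /** KDC (AS + TGS): the only party holding every principal's long-term key. */
    static class Kdc {
        final Map<String, SecretKey> principalKeys = new HashMap<>();
        final SecretKey tgsKey;
        Kdc() throws Exception { tgsKey = newKey(); }

        // AS exchange: {cstancu, 192.168.1.2} -> TGT, SessionKey1 (sealed under the user's key)
        String[] asExchange(String user, String host) throws Exception {
            SecretKey sessionKey1 = newKey();
            String tgt = seal(tgsKey, "tgt|" + user + "|" + host + "|" + enc(sessionKey1)); // opaque to the client
            return new String[] { tgt, seal(principalKeys.get(user), enc(sessionKey1)) };
        }

        // TGS exchange: TGT, {SessionKey1}Authenticator -> Mail Ticket{SessionKey2}, {SessionKey1}SessionKey2
        String[] tgsExchange(String tgt, String sealedAuthenticator, String service) throws Exception {
            String[] t = open(tgsKey, tgt).split("\\|");                  // tgt|user|host|sessionKey1
            String claimedUser = open(dec(t[3]), sealedAuthenticator);    // only a holder of SessionKey1 can build this
            if (!claimedUser.equals(t[1])) throw new SecurityException("authenticator does not match TGT");
            SecretKey sessionKey2 = newKey();
            String ticket = seal(principalKeys.get(service), "tkt|" + t[1] + "|" + service + "|" + enc(sessionKey2));
            return new String[] { ticket, seal(dec(t[3]), enc(sessionKey2)) };
        }
    }

    /** AP exchange at the mail server: it knows only its own key and never contacts the KDC. */
    static String apExchange(SecretKey mailKey, String ticket, String sealedAuthenticator) throws Exception {
        String[] t = open(mailKey, ticket).split("\\|");                  // tkt|user|service|sessionKey2
        String claimedUser = open(dec(t[3]), sealedAuthenticator);        // {SessionKey2}Authenticator
        if (!claimedUser.equals(t[1])) throw new SecurityException("authenticator does not match ticket");
        return "ok " + claimedUser;
    }

    public static void main(String[] args) throws Exception {
        Kdc kdc = new Kdc();
        SecretKey userKey = newKey(), mailKey = newKey();   // in reality: password-derived key and keytab entry
        kdc.principalKeys.put("cstancu", userKey);
        kdc.principalKeys.put("mail/mail.example.org", mailKey);

        // Client side: holds only userKey plus whatever session keys the KDC hands it.
        String[] asRep = kdc.asExchange("cstancu", "192.168.1.2");
        String tgt = asRep[0];
        SecretKey sessionKey1 = dec(open(userKey, asRep[1]));            // wrong password => AEADBadTagException

        String[] tgsRep = kdc.tgsExchange(tgt, seal(sessionKey1, "cstancu"), "mail/mail.example.org");
        String mailTicket = tgsRep[0];
        SecretKey sessionKey2 = dec(open(sessionKey1, tgsRep[1]));

        System.out.println(apExchange(mailKey, mailTicket, seal(sessionKey2, "cstancu")));

        // Someone who captured the Mail Ticket but not SessionKey2 cannot produce a valid authenticator.
        try {
            apExchange(mailKey, mailTicket, seal(newKey(), "cstancu"));
        } catch (Exception e) {
            System.out.println("forged authenticator rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The last block is the point of the authenticator: a ticket on its own is not proof of identity, because anyone on the wire can capture it; only a party holding the session key sealed inside it can answer for it. Real Kerberos additionally puts a timestamp in the authenticator and has the server keep a short replay cache, which this toy omits.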
All together
(1) Browser → web server: HTTP GET resource.html
(2) Web server → browser: HTTP 401 – Denied, WWW-Authenticate: Negotiate
(3) Browser → KDC: Kerberos TGS_REQ (a service ticket for the web server's SPN)
(4) KDC → browser: Kerberos TGS_REP
(5) Browser → web server: HTTP GET resource.html, Authorization: Negotiate w/ SPNEGO Token
(6) Web server → browser: HTTP 200 – OK, resource.html
Code time…
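The server half of the sequence above is what Spring Security Kerberos provides. The configuration below is an added example written for this page, not the code shown in the talk: SpnegoEntryPoint produces step (2), SpnegoAuthenticationProcessingFilter consumes the Negotiate header in step (5), and KerberosServiceAuthenticationProvider validates the service ticket inside the SPNEGO token against the server's keytab before the Provider Manager accepts the authentication. It assumes spring-security-config/web 4.x or 5.x (WebSecurityConfigurerAdapter, removed in Spring Security 6) and spring-security-kerberos 1.x; the SPN HTTP/web.example.org@EXAMPLE.ORG, the keytab path and the in-line UserDetailsService are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SpnegoSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // (2): an unauthenticated request is answered with 401 + "WWW-Authenticate: Negotiate"
            .exceptionHandling().authenticationEntryPoint(spnegoEntryPoint()).and()
            .authorizeRequests().anyRequest().authenticated().and()
            // (5): the filter picks "Authorization: Negotiate <SPNEGO token>" off the retried request
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                             BasicAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // The Provider Manager delegates to this provider (cf. the Authentication Manager slide).
        auth.authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    @Bean
    public SpnegoEntryPoint spnegoEntryPoint() {
        return new SpnegoEntryPoint();
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        // A valid ticket only proves the principal name; roles are looked up separately.
        provider.setUserDetailsService(kerberosUserDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        // Must be the SPN the browser requested in step (3): HTTP/<host exactly as typed in the URL>@REALM.
        validator.setServicePrincipal("HTTP/web.example.org@EXAMPLE.ORG");
        // Long-term service key used to decrypt the service ticket; readable by the service account only.
        validator.setKeyTabLocation(new FileSystemResource("/etc/security/keytabs/web.keytab"));
        validator.setDebug(false);
        return validator;
    }

    @Bean
    public UserDetailsService kerberosUserDetailsService() {
        // Placeholder: a real deployment resolves the principal against LDAP/AD and
        // rejects names it does not know instead of granting ROLE_USER to any valid ticket.
        return username -> new User(username, "", true, true, true, true,
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```

Two things a practitioner checks first when this fails: the SPN must match the host name the browser used (otherwise the KDC issues a ticket for a principal the keytab cannot decrypt), and the clocks of client, KDC and server must be within the realm's allowed skew, since ticket and authenticator timestamps are validated. The keytab is equivalent to the service's password and should be treated with the same file permissions and rotation discipline.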
Claudiu Stancu | Development Discipline Lead