click to play button
click to replay button
Spring Security 3 20100309 11.54.13AM
X
  1. Spring Security 3
  2. Who am I?
  3. Agenda
  4. Application Security
  5. What is Spring Security?
  6. What is its relation to Spring?
  7. What isn’t Spring Security?
  8. Who’s Using Spring Security?
  9. Who does it play nicely with?
  10. Capabilities
  11. Key Concepts
  12. How It All Ties Together
  13. How It Really Works
  14. How it Really Works
  15. How It Really Works
  16. How It Really Works
  17. How It Really Works
  18. Authentication Methods
  19. How It Really Works
  20. JSP-Based Authorization
  21. Annotation-Based
  22. XML Configuration – web.xml
  23. XML Configuration - Spring
  24. XML Configuration - Spring
  25. XML Configuration - Spring
  26. XML Configuration - Spring
  27. XML Configuration - Spring
  28. XML Configuration - Spring
  29. XML Configuration
  30. New Features
  31. XML Configuration
  32. XML Configuration - Spring
  33. XML Configuration
  34. New Features
  35. Migrating from Spring Security 2
  36. Resources
  37. Conclusion
  38. Resources
  39. Migrating from Spring Security 2
  40. Resources
  41. Conclusion
00:00 / 00:00
CC
Scott Battaglia Rutgers, the State University of New Jersey Scott_battaglia@rutgers.edu Software Architect @ Rutgers University Developer on Jasig CAS, Jasig OpenRegistry Committer to Spring Security 3 Technical Reviewer for an upcoming Spring Security 3 What is Spring Security? How it Works What are new Features in Spring Security 3? Spring Security 3 Examples Migrating from Spring Security 2 Conclusion Security is a crucial aspect of most applications Security is a concern that transcends an application’s functionality An application should play no part in securing itself It is better to keep security concerns separate from application concerns “Spring Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on applications that use Spring.” provides declarative security for your Spring-based applications handles authentication and authorization takes full advantage of dependency injection (DI) and aspect-oriented techniques based on the Spring Framework Originally a non-related project (Acegi) Now a sponsored Spring Source supported project (since 1.1) Integrated with other Spring Source projects including Spring Web Flow Firewall, proxy server, IDS (Intrusion Detection System) Operating system security JVM (sandbox) security Over 231,000 downloads on SourceForge At least 20,000 downloads per release Over 14,000 posts in the community forum Used in many demanding environments Large banks and business Defense and government Universities Independent software vendors OSS like OpenNMS, OAJ, Roller, AtLeap,.... Spring Portfolio AspectJ Jasig CAS JOSSO NTLM via JCIFS OpenID SiteMinder Kerberos JAAS Jasypt Grails Mule DWR Appfuse AndroMDA SAML2 Authentication Web URL authorization Method invocation authorization Domain instance based security (ACLs) WS-Security (via Spring Web Services) Flow Authorization (via Spring Web Flow) Localization Entry Points Authentication Providers Authentication Managers SecurityContext Users Service Filters Decision Managers Expression-Based Access Control Annotations Aspects Domain Object Security JSP Tags Servlet Container Web User Security Interceptor Spring Container Filter Chain Filter 1 Filter 3 Filter 4 Filter 5 Filter 2 Filter X Servlet Filter What it does Integration Filter responsible for retrieving a stored authentication so that it will be ready for other filters to Process Authentication Processing determine if the request is an AuthN request. If so, the user credentials is passed on to the AuthN Manager Exception Translation Filter translates exceptions, for AuthenticationException request will be sent to an entry point, for AccessDeniedException returns HTTP 403 to the browser Filter Security Interceptor examine the request and determine whether the user has the necessary privileges to access the secured resource. Integration Filter Authentication Processing Filter Exception Translation Filter Filter Security Interceptor Secured Web Resource Request Response Security Interceptor Authentication Manager Access Decision Manager Run-As Manager After-Invocation Manager Authentication Manager Provider Manager* CAS Authentication Provider DAO Authentication Provider JAAS Authentication Provider X.509 Authentication Provider LDAP Authentication Provider Pre-Authentication LDAP JAAS CAS X.509 Authentication Run-As JDBC Access decision manager How it decides to grant/deny access Affirmative Based Allows access if at least one voter votes to grant access Consensus Based Allows access if a consensus of voters vote to grant access Unanimous Based Allows access if all voters vote to grant access <authz:authorize ifAllGranted="ROLE_PRESIDENT,ROLE_CEO"> Welcome Leader!<br/> <a href="j_acegi_logout">Logoff</a> </authz:authorize> <authz:authorize ifAnyGranted="ROLE_PRESIDENT,VICE_PRESIDENT"> Welcome!<br/> <a href="j_acegi_logout">Logoff</a> </authz:authorize> <authz:authorize ifNotGranted="ROLE_ANONYMOUS"> <p>This is super-secret content that anonymous users aren't allowed to see.</p> </authz:authorize> <authz:authorize ifAllGranted="ROLE_PRESIDENT“ ifAnyGranted="ROLE_VIP,ROLE_AWESOME“ ifNotGranted="ROLE_ADMIN"> <p>Only special users see this content.</p> </authz:authorize> @Secured(“ROLE_ADMIN”) @Secured(“ROLE_REGISTRAR”) public void enrollStudentInCourse(final Course course, final Student student) throws CourseException { …… } @Secured(“ROLE_STUDENT”) Public List<Course> showCourses() { } <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/services/*</url-pattern> </filter-mapping> <?xml version="1.0" encoding="UTF-8"?> <beans xmlns=“http://www.springframework.org/schema/beans” xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p=http://www.springframework.org/schema/p” xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <sec:http entry-point-ref="casProcessingFilterEntryPoint" auto-config="true"> <sec:intercept-url pattern=”/loggedout.html” filters="none" /> <sec:intercept-url pattern="/**" access=”ROLE_ADMIN" /> <sec:logout logout-url=”/logout.html” logout-success-url=”/loggedOut.html" /> <sec:custom-filter ref="casProcessingFilter" after="CAS_FILTER" /> </sec:http> <sec:authentication-manager alias="casAuthenticationManager"> <sec:authentication-provider ref="casAuthenticationProvider" /> </sec:authentication-manager> <sec:http entry-point-ref="casProcessingFilterEntryPoint" auto-config="true"> <sec:intercept-url pattern=”/loggedout.html” filters="none" /> <sec:intercept-url pattern="/**" access=”ROLE_ADMIN" /> <sec:logout logout-url=”/logout.html” logout-success-url=”/loggedOut.html" /> <sec:custom-filter ref="casProcessingFilter" after="CAS_FILTER" /> </sec:http> <sec:authentication-manager alias="casAuthenticationManager"> <sec:authentication-provider ref="casAuthenticationProvider" /> </sec:authentication-manager> <bean id="serviceProperties” class="org.springframework.security.cas.ServiceProperties” p:service=”https://s.com/services/cas_check” /> <bean id="casProcessingFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter" p:authenticationManager-ref="casAuthenticationManager” p:filterProcessesUrl="/services/cas_check"> <property name="authenticationSuccessHandler"> <bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler” p:alwaysUseDefaultTargetUrl="true” p:defaultTargetUrl="/services/manage.html" /> </property> <property name="authenticationFailureHandler"> <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <constructor-arg index="0" value="/authorizationFailure.html" /> </bean> </property> </bean> <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint" p:loginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}" p:serviceProperties-ref="serviceProperties" /> <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" p:key="my_password_for_this_auth_provider_only" p:serviceProperties-ref="serviceProperties" p:userDetailsService-ref="userDetailsService"> <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> <constructor-arg index="0" value="${cas.securityContext.ticketValidator.casServerUrlPrefix}" /> </bean> </property> </bean> </beans> Spring Expression Language (SpEL) Additional fine-grained configuration around authentication and access successes and failures, Enhanced capabilities of method access declaration Fine-grained management of session access and concurrency control using the security namespace Major revisions to the ACL module Support for OpenID Attribute Exchange New Kerberos and SAML single sign-on support via the Spring Security Extensions project Major Configuration Changes to XML Namespace Package, Class Renaming <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint" p:loginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}" p:serviceProperties-ref="serviceProperties" /> <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" p:key="my_password_for_this_auth_provider_only" p:serviceProperties-ref="serviceProperties" p:userDetailsService-ref="userDetailsService"> <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> <constructor-arg index="0" value="${cas.securityContext.ticketValidator.casServerUrlPrefix}" /> </bean> </property> </bean> </beans> <bean id="serviceProperties” class="org.springframework.security.cas.ServiceProperties” p:service=”https://s.com/services/cas_check” /> <bean id="casProcessingFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter" p:authenticationManager-ref="casAuthenticationManager” p:filterProcessesUrl="/services/cas_check"> <property name="authenticationSuccessHandler"> <bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler” p:alwaysUseDefaultTargetUrl="true” p:defaultTargetUrl="/services/manage.html" /> </property> <property name="authenticationFailureHandler"> <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> <constructor-arg index="0" value="/authorizationFailure.html" /> </bean> </property> </bean> <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint" p:loginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}" p:serviceProperties-ref="serviceProperties" /> <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" p:key="my_password_for_this_auth_provider_only" p:serviceProperties-ref="serviceProperties" p:userDetailsService-ref="userDetailsService"> <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> <constructor-arg index="0" value="${cas.securityContext.ticketValidator.casServerUrlPrefix}" /> </bean> </property> </bean> </beans> Spring Expression Language (SpEL) Additional fine-grained configuration around authentication and access successes and failures, Enhanced capabilities of method access declaration Fine-grained management of session access and concurrency control using the security namespace Major revisions to the ACL module Support for OpenID Attribute Exchange New Kerberos and SAML single sign-on support via the Spring Security Extensions project Major Configuration Changes to XML Namespace Package, Class Renaming Biggest Changes for Migrating Changes to packages and jars needed Changes to <sec> namespace Spring Security Web Site http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html Spring Security Sample Applications Spring Security Forums Spring Security is a Powerful Product Recent Changes Make it Easier than Ever It supports a Jasig Project! Spring Security Web Site http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html Spring Security Sample Applications Spring Security Forums Biggest Changes for Migrating Changes to packages and jars needed Changes to <sec> namespace Spring Security Web Site http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html Spring Security Sample Applications Spring Security Forums Spring Security is a Powerful Product Recent Changes Make it Easier than Ever It supports a Jasig Project!
. yes . Chris No . . this is about Spring Security three . hopefully you're on the ready room . um um team like the midst changing slide Themes every presentation I gave enhances their lineout to Iraq research amazing . . sign on . . so I I work for Irish . my official title is application of meddling convince those call ups aisle examine some projects because no one ever must correctly . . I used to the and the trunk as OpenRegistry . I can it's a Spring Security every top and when someone complains that the CAS support Spring can . and I detected two new and upcoming Spring Security three but UPMC take off like to do This presentation will see that xsi works . I'm so the Uses Spring skating . I Works What are new Features in Spring Security three . I'm sentimental . only now I'm not going to go into terribly in-depth information on that . Kaz is it into the cement of new stuff . I didn't I see Spring Street easy impl . How do I be seeking to hear it as his by the reviewing OS . . . so this Integrated with the Migrating from Spring Security two . and then I will conclude . and I assume they can clean Questions . . so I do we actually care about app pieces to carry on . basically crucial to your applications I don't know too many App cases and we declare Rutgers that we don't actually secured some bashing . um . if you let people Steering correctly but it will be that three other story . . it also one of those things that transcends is that all the application functionality . MC They don't want the application . securing itself you know why inject eighteen year Mac aides call the security no call the security method becase political YouTube hours to get to college carry method . I'm Betty pre that . so the soon to is a huge security concerns separate from all the other application concerns on is a common theme was songs the White login and security are two major ones on Easily is one also Easy Delhomme people to forget to do these things . . status in society that Spring Security . what Is Spring Security . my status Code from some I don't remember where spin state however flexible security solution for enterprise software with them to do emphasis on applications that use Spring . I'm considering how will I be nice because Spring scary us tonight again from the Spring Source Website . and ten minutes major Features is excited security for your Spring based applications for the most part you're either using Annotations or XML Configuration . I was the son you're not doing any direct ties java calls it in your code the Seine Spring Security API . except for some instances we have no other way of getting at information on Enhancements for handling authentication and authorization . on the taste for avenge of the dependency injection and aspect oriented techniques in the Spring Framework are mostly had with people who Use Spring . OK so you're unfamiliar and future of that . . so I was in xsi related to Spring . Louis not related to Spring . other than the fact Anyware constrained in his car . CG I believe . s that badly and I guess How was side pronouncements friends told . Really You're Ever cases . every other letter . in the alphabet up to five . I don't quite know why they did that . . and this is one that wanted the team is Spring Source supported project of the country and three download onto . we disagree with other Spring Source projects including Web Flow . almond fun things like that . two isn't it . because It's a lot chore easy would is in the morning when xsi dads . Firewall It's not about to Serious audience using sanctions system . his operation of resistance he's not in it is not JVM security delay can work with the JS . um . so who's actually using it and he says six twenty O because I was to be easy to find new ones and no one's Content bothered xsi checking there . . the Dow rose some SourceForge over two and are thousand of them . it really enhance overall release is on the least twenty thousand per release . on December fourteen thousand posts in the community forum . I'm sure that the IDM has nine lives probably been Entities in a manner that close . and if we did pretty good eye on the Spring Security Forums by answering questions in South . so she's in many Spring when she is everywhere our large banks and businesses are using it government seizing it . defense contractors defense our nucleus the like and that's not one . . Ulysses Easily a Rutgers is a big user of it which is why and here . . Barney has suffered menus using it isn't true the numbers saying a number of open source projects open there and that's OAJ Roller AtLeap . we actually use it being patterns to secure our services management or weeks and talks to CAS it's a big circle . he Web just looking at in OpenRegistry which is an image easy projects . I'm so kind of a chance . so that they nicely with . on user the duties of my personal favorites CAS . I'm not release him . the bias there . we knew support probably see other things like SiteMinder for ninety using the cover this . on another Ametys aide that instance you can read that I don't need to also be the team . so is xsi deal . Authentication has the mental before . he Web URL authorization seeking a authorization decisions based on the URL that people acts against you . I'm method invocation authorization suing Methods cost you can make a determine whether the answer is authorizes do that . I one thing I don't have under the dot to show that ways you can actually do . authorization checks on portions of the JSP ph . to display or not this place and items . example he wants Display Lott ally telling consumers actually lived in on the to do things like that . Porsche's or even notice new details use the income Easy with a red URL authorization is not to actually show you hours we are not allowed to use . I'm kind one was making a million things . I mean Integrates with this tremendous services for the US security . I haven't actually done that still was a scene that works well . . because Integrated with the Spring Web trial . . I really tried many other than just securing a Web Flow in South Palm this in the ACL stuff for and I securing Engine instances in Spring three including remain for the most part from Spring to sell things is Bliss . I did place a borderline Uses Phnom pre sure it was just about useless . and use that as we get the baby demos to eighteen in Spring three . the scary thing . adresses was localization in their messages and things like that for people who who have to display Multiple in his . nice to just make sure my team is a clock on so . . . I can write notes Use I'm going seen them I . my friends other a non they can time the my watch is out and be sure the timing is a needs call home . so . I'll also just confuses this conference . I said if you win Concepts from their Spring Security . M . yet to name the to the next is the interface is there the main classes on with the German cities throughout Changes to just two weeks when he entry points these was Spring Security is considered highly nine to be you know it's really application on the eight years using it in password augmentation instance can redirect you to writing TGT a few using Ties to reject each week as login he's is also resistant to do that that met nothing away should be dealing if you haven't login yet on the disease Authentication riders in managers would essentially . Kendall the Authentication component . I'm SecurityContext use . the information about the person who's been robbed and I'm teaching these include things with Thread vocals to get that information in areas where your we will be able to get to that . I'm which is pretty good for applications where you can it's quite easy API to work with what you need any Easily to get that information . user Services in is the concept of loading up information about a person . I've included few Depot Weinstein wrote in a canal that the CBC News interface or a hero and I'm still scary Let's filters . I'm three months the entire Web based authorization Authentication learning is based on filters on to the UN and admission to filters to probably an aversion to Spring Security . . Decision Managers or xsi was he's to make the Authorization decisions I going to live in webapp Valley where the dilemma and you know we Decision be someone you're authenticated authorized things . it would be answered about things like that . I'm . combined with Add a Spring three Dave be done a lot with that . thank you showing me the US Spring Security three cousins were Spring three Add again with us a Spring three Does it seem and then Spring scary actually . I'm expressing those access control you can go out with guns Spring Yao special English town to come up with with all its own learned is to end and unify the out that tied Live We can comment the things that to make decisions . I'm . good night Annotations now for a for scaring Methods . and there's a standard for and forgot the number now at opening Members than the number for this Kerry Annotations . the CIA memo that on ease remember . . did it lead the Islanders authorized on Aspects CDs I guess project . I'd to handle some of the fact they were Separating out these Authentication offers ease concerns from the actual world class of themselves . I'm at an ACLU news in the United Security they see all staff and is also the JSP Tags for for doing stuff on the actions is keep ease themselves for Authentication authorization . and also that later . so this isn't the only guy who and I key findings Spring Security reference many well . and as a guy with the ease with a guide and to say guys how this thing works . site copied this thing on him creation that anonymous configure how Spring Security with these summits . . decision the things link together so it's pretty uses to us but I fear show because It's the leading in the Manual . so . so this lady were little you saw . . this is not I'm . but in the eyes edit those those Arab things . presentation where I forgot three was designed . . sexy and those not going to . I'm so sensory had the highest level happens is you when you read these it comes in the TICE axis of peace . . this brings the to the Spring shelters . of the way this works is that there's a Filter proxy . I'm in Spring . on the Spring Framework itself . DC eight and ID abducted Tuesday night East Filter said he can continue doing that you configure any of the of the other Spring . I mean in any of the other Spring beans . so that is that it defines this chain of weeks for the Committee on what the actual all filters are they going to see this set of filters in the Saudi as before . and when I wasn't speaking about the moving of the Anyware will do so with that and Additional Filter Zaidi need to run get executed and then . not since present see what everybody knew that she intended to access . . so Security probably includes a lot of overhead over just not having escaped the country sure that ways . Adding is scared . . well we'll see to new lows services and that instead Filter Chain . . press come in and went edit an angle I can see it . I'm the first thing that gets you used Integration Filter . which is essentially . it use to edit it you don't often skin of reading here probably a year staff is probably in the session . so the first aid as is presented session and put it somewhere where things can access it . not terribly useful from security perspective and in reaching out connectors things in the consists in place . the next thing it does is it defines that there's some form of credentials . ECB into the case Managers Texas right now Davis Kansas City case of the CAS authentication does it attempts to get into the top ten include updates to taken out here to do that edit the text . and you posted throughout forum with these new passwords can then call it we continue to do that Pending . this is essentially if a former Apollo happening in Saudi No you're not . he Authentication the data need to make that this the Exception Translation Filter captures it . the Madison CAS that fees which our plea deal . it just a Interceptor does most of the Authorization checking future year privileges to to do any of this up . said And a pretty good job of separating yards out and wearing them seeking do you can combine a lot of this stuff together the in shape a twenty you can customize in my hero and in-flight paying with the provided doesn't mean you needs . and then immensely your access to whatever you intended to access . so with us to leap even better than the one that Spring Security xsi provides . Susan Move aren't able . I'm and I'm actually is an actual as well . understated so tough for me to tell you that this instance . we should be beaten in all . . . June CIO I hear all these him . . so ERP that Italian . so Clinton is integration of all the different types of filters and that Spring Security provides on the twenty displaying his words are you can see some of the stuff that it gives you . you can see that as of Wednesday still be considered idea seventy two Filter says in that the mechanisms you can use to authenticate . on the ID conceded they had switched user filters . was hierarchy a run and someone else . ten seeded PT . but . we know that's easy to reference I don't know how good or Oh and that it works . on is probably due instances where it's it's useful . . on this witness to the other ones tonight and hopefully not for you too much on the other one in the second Filter from the spotlight interesting to some people . should that person only has one session with being the system . so fewer than one Web browser and lived in the New another Web browsing trying login . if you can begin that you can say coming sessions the connection open the cap teaching . I'm . for people who are concerned about what to think . the Bees are new meaning the documentation in java toxin things like that the coming hours pre is unstable . . so just to read write and how this hurts inside we felt that he did add job . I'm in the in the documentation the ease . what Is says and see who the room . How It is interesting that the disease . is he Check your authentication and you make sure that a Your Honor France's are fine . minutes of the dual any form of access decision that he needs No . and when the US and Cuba and you have the right roles inside that . . they can then do so in a Jesus which was running . many as a Total us to that and then it does some stuff after that . Tennessee don't member has been Ever axes they made use of boxing's be there . . . Dr Features in Spring Security and we Spring skate the ugliness the stuff that we don't even touch . so innocent relate specific East use of command . . so those so that when you call eleven station manager . it's a CNN call is the ticker item energies and directly this I was closer a minute of Provider managers interface . Thompson said Nancy write in my notes with the star men . Nestle West accused of the things I did Ed . he Authentication Provider the CAS Authentication Provider knee X five nine . and he a good always had to be easy to configure any advantage Manager based on the type of credentials that he from Idaho call the appropriate I'm Provider intends to see what educate you on your flu late as this things with Texas' City Reviewer for Mailing . the lake as Works where we have nothing to get taxis call this evening authentication and I'm not sure which one of the Silicon the other . . Necessity had a strange looking than the list as a pinch iTunesU . Steering Jackson when we needed this is because thousand instances where you are to play multiple forms of not Authentication the new system . blue are things you are done . information Ever as you Networking on the news and respected his cassified on the few I mean you get to tax the sleepy eyes also received to date difficult see it as a five year RESTful API is if the US was to be access by using the bison as soon as a continued as the cigar what's romancing Suites Al that . on Sunday the few weeks . so who's basically that she configure and therefore ways of authenticated . for different sections of the application . . so and he died and when you re just about are many I really another slide . I know you made seventy selected to and we didn't is because what it means is . Leahy said that Spring Security doesn't have a nickname UI include already feel that he value in doing it a certain length . and what do is to induce things he can do is they can actually be from me . Ramon User header on seventy were using Apache to something the new operator Mode user is true I are on that a few lines of the riots . King Do any of the standard al that CAS X five nine . JS JDBC . the company's a minor knock which are riding with an on air . atheists because a new meaning them will lead six to two is I need to really drive that home . so then how what is the core so how works . Susan when we have some indication needs actually e Mason decision about whether you want them to access resources . you say that it's interface HRaccess Decision Managers knows that of the men seen in a hairy one in the ease of an abstract ones . so when you do then is the and the group and a number of voters . they can get that its things and then you can have . he Decision Manager implementations is her was viewed as lawyers . so that three that included . I have heard so one of these . he's notice the eleven inning . . one is . it is a Consensus of voters the granted some form of access memory name . and then this could all lose out in the last eight of ten . let the Navy and the reason they have the Phillies even xsi the voters can do . yes no and I don't really know so don't so SAP and steamy . . which is right is a Consensus in Unanimous analyst is saying that actually are . . I . so this Indexing treaties and four of the one time . OK . I'm actually speaking CAS and funny with this is could be API for going under . . Susan the ways just was a serious issues JSP Based Authorization a comedian enterprise standard here . . so as soon Science eighty three different ways . to a new to say if so the wind always privileges . do this thing we did in the eighties that was existing in a handing granted they don't have any privilege is doing this thing . you can cover . you combine all three into one thing which our noses confuse anyone that tries to re . . so if they . good to have the president for all . and the runner the other two been denied in millions . right to freeze decision to example that copied that from some routes . . so to do so user Easily nerd neither what's Easy GDP using the only reason easier for see things on display somewhere slides information about people who lived in close to a showing a high bean things like URL certainly not the laws do . I'm . twenty second example it says welcome . and then there's a lot out point on the allied in minutes . but really only the maze present in the present and can now ride out . UBS handling two This may not be good example of . other than showing how access . . so easy . we example . . today we importing class they need to have secured . I'm . says Ruiz and to reduce eight they have . we haven't had a role in Andorra for women decide . Kennedy No I to execute is this message . we'll show what's in with their stated allowed to see . there ought to uses method of any means and measures are not allowed to sue courses . I'm very willing to endure student . as again I would actually use these and you know what that they demonstrate what we need . this is actually using combination with . I'm . AspectJ A Doria taxi secured this stuff . people here from the year if aspect oriented programming . we had a few guesses and if you notice on the northern go off changing . is that there are these concerns in your application that are assisting cost cutting . and in fact everything and they're not they're not New Business logic so that it into the good things up on these hours to eighteen . I'm . the login . in transactions ten to fall in June is also to lose ease the Spring let's AspectJ a bean and when the when the Jiscmail ruling uses these days . we Define listings call point cuts would essentially say . How beans . this Aspects to be caught . I was simplifying a little bit becase and use of copper may have . . this do you View Add these boycotts and and what of that what it feels even Define as a point of use . given the team with at secured call this piece of code essentially says it doesn't Spring scary doesn't it it in a down . it says OK to as amended and that has App at secured on it . call close security peace and information . and that was like the e . short probably not best definition that's project of weakness has made if anyone's actually interested in more about it . so I bought myself twelve billion in Spring Security three NATO lot with making it much easier to configure Iran . he applications using the media but showed everyone how how how will the XML to do these things now . Gruden XML he on your screen turns out the lots lights . so this is broken down over that five or six five nineteen Brown is used in is actually very low XML code if you copy to file . and so does Ed mentioned earlier in this is the what is the simple Let X now . Easier New and that's enough money Spring City is the complete with the team doctor proxy which essentially says I can forgive my Filter in Spring . twenty US and here is can the updated is caught . many say What You wanna see what direction one is secure . said And . so exciting need of . Spring is the US is not terribly exciting . Haley I said that since two . Mike or stop trying to turn me into your thousands of highly click on them in my power point presentation . I assume just for ten days no things are links and actually clapping everything else . . this is the use the start of a e . on the Spring configuration file . if people are from a restraint on the list of the from the with the beans . within defined as a number of . I'm these cases some of them and it's some in the spring specific to the weekend that he is the one the second set as I dream is to me because security from U call your name if you wanted in the as a matter . this is the numbers that they're this team and for the shorter Spring Configuration Spring Security Configuration . I'm . so this actually . I we would protect . your application is actually more slide something this is all what I said Oh well then again you know we're with more than just one slide with the South . said And attorney Java . I wish you a look like before they do this but I a winning run out of slides probably . multiplied by four or five members size of these to show this and that would be the old configuration . . as a nation Process said she to use the site of some of the state Configuration whether the acts of the season entry point referenced . which basically that in this case as . I will eat sometimes the up close and authenticated send them to make as entry point which in Spring Security will send them to the Add to login ph . article FutureWho dismissing uses a bunch of coaches that needs be configured to we don't need any custom staff says is presenting in them yourself title cannot them . the next two items essentially are . . we're authorization for iron Web your hours . on ease of use a Interceptor surrounding the patterns . I believe . I'm a using it . pattern matching but I'm not sure of my head . and a defined how you are in this case Anderson to have to have rolling in . you can define some of that he outlined with Stephen there's UI things like that . this vessels in fact if you if you don't want something to be actually had a bean done to him by Springsteen C nine . notes on my guess is you probably know waiting or filtered nine and . otherwise still have problems . he doesn't really does is it just as the entire chain as its continued its up on the few want to kill and coaches to a new needed to seize that . they can ride out for you which is usually just trying to session in clearing out any information on this and see configure your effort to watch Superman goes to slash ride out that it Skin up Spring Street why not look eighteen deaths in Iraq out of the Redirect since is another page . and this is all the news brings to three Some facts . so what Is is the Dean Well Configuration is on is not CAS for some reason I don't quite know why I would think they would . citizens need to quickly measure and that of the initial page . on ease CAS . this Filter and I'm into the outside we need to know about it . . . so it's a since . . the most right now to the economy helpful mantra stacks on is that isn't what and when she does happen you can and and essentially says when there to do it . I'm CAS Filter sentence as to where you expect us to show up on . you could the Friday after . the UN There is a before one also . . the screening . . Oh and let's wish I hadn't than that . the SEC's learned is the Authentication Manager that . screen Uses Spring Security is again a key dropping the scary part of it being one of them actually here they probably don't need . . says mostly is indeed calling people up within UK stores and Jackson doing that . he says the SEC authentication year . How would be baked mean generated being very Authentication Manager . my family Science Unit these very specific CAS Authentication Manager name not your life . . and Rensselaer will you tell us about cats . . is the user to Providers by using this unpack SA seven . come again and time . . like so two bytes to see position the United and has to do and sometimes . . so some of the seven who doesn't have a special syntax Grouper conceding it service properties we do that . topping his alleged mole . . CAS specific IDM seven instances the generic name means using . they don't really have of course and that's the way it . so just to be getting on the knee in this instance . defines a service to our eye endpoint . that the city on is the actual chasm integration content that is for the most part don't have special syntax for a . I'm Configuration than a just a generic Spring bean . . on ease in the can see peace and acts of anyone's play with that that and Spring . appeal in a Use Spring seen before . a couple people on TGT Spring to most of the hour Authentication filters . How to property waiting pages specify in the fall Target you out . it seems that to me is something that is a little Extensible . I'm so here Upgrading and you a bit about Migrating big not too much . I later on . ladies I mean the idea that this the fault of your our hours is on the Authentication filter e two two three s it s handler which will then continue the file type you up to in some instances Indian rights and suburban Entities said backing terms of not any additional Configuration into the mix . Lou I think it's an improvement . I'm sitting with that guy handler here . if you're familiar with the old version . find changing and he does it change colors to in the same time zones like Eugene font sizes . the Sunnis in the actual entry point auto race as is . it is the Iraqi New out . and down goes the and his to reference the servers properties . the agency know that I dream but probably still is from . . the cad SecurityContext and XML . . so in the UK you can't even hear of the year properties external to the at the configuration file with a weapon in seniority in . properties file . we can from listening JNDI records . and so that Enable is and you can see that . in an intense doing . I'm . authenticated by data go quickly becase . we don't need to go through all that one fund . isn't Spring State is pretty good about this day we will ever AJAX UI made seven Remaining Stephen thousand you'll see references to the JC CAS Client . he'll see that stuff without him . Sam on things like that too . . so she's Using Spring Training . . on support for this great special and least . I don't have easy and whether that would have been a good things the way . ZAHN So we slides one can ready for conference and the driver approached about three hundred slides says something's got I . so this a special line with a defense a works like the AHL . I'm which is why has he on the end it on the new TV is a ghost those I lost was that that may have a couple matches themselves and you can use like you know has IP address the reason this ad network things like that you can call reprimand and a new to put these little Extensions if you want to . . I demonstrated that she . he's Edition all I can only screen making me my finger shows of over here . . he's the Middleware sensibility to the TV on to the project when Now if you want to change what happens when there's a contest . you have more options than has Redirect into a rout . we can argue whether that is an improvement are not since the nature XML Configuration Bedework . he has three billion method access declaration which means they have the Annotations the US and informed the UN Annotations and they conform to that . the ones that are new standards will use . JS I Members the looting me on . I don't know I . . so they have Binary measures session access and Casey . he said And Ito a lot of the seventy needed to do . and this is in general saying even on to remind that such a session access is convincing others that you he's doing Spring through . we not be part of that compacts nicely with the syntax believe that in a lot of that into the . I'm namespace and tax Mode one of the demos in session access and currency . M . I get to the site giving you now XML so wasn't an issue you marks in on that . and as examples of that . BCE on the New documentation . the reason Major revisions to the ACL module . I that could be presentation in of itself slide to states and significant improvement over the e e over Spring Street to said You are avoiding the ACL seven Spring Street e because It's up to reroute your own . UI Why wasn't the one isn't Spring scary thing . the eighty nine and Spring streets today how to open ninety support . they actually edit support for that to be Exchange . the people of the year ago frankly . were things about is used is the basic protocol with Eminem and Extensions to edit on essentially the the basic . . IRC four has built an ocean and Adding an of extending it by a season one run is actually Exchange . and in this portlet . as far Spring Security three . they've edit is on the ocean and Spring Street Extensions project because a live using the euro it's not affected Spring is to have this other Spring not too Is . when People in what kinds of stuff that was and they can see in quite a ladies' Flow . I'm in a sense these engines project is recognizing things that are part of the core of what could be probably pretty slow . I'm Add as a baby Adding the saddle in there and they also have progress . and I think the coast of is mostly around . I like Windows log on type stuff . as a nation in the Major Configuration Changes in the XML . I'm namespace in anyone's really intense in M3 should probably find that Spring Security two in Spring Security one configurations . and that we season can compare them to Spring Street today . I don't really recommend you just trust me that they need major changes there for that . Oh and that's maven Spring Street in a run around and tried to rationalize their Package structure and a class Themes um . a lot of the packages had certain reference to a as I module is being played make sense to mid-on to NBC be done on that . . slide of selling JVM to Migrating to train down . it's not actually . it Easier right attorney and how much the use I'm . customized it . CAS will use it all you've done is essentially Continue psychiatry way . . Configuration season Use the New South . he's using pretty ID such as . probably eclipse or and tell Jacqueline downturns housing and China clips . it doesn't really agree with Ed the namespace that doesn't match the new stuff and you can you can quickly fixing . . a bunch of packages means to you . it's name . it means in Changes easy to find a new package . if anyone change you need to know in their new meaning to mention two ways that and what Is Amber was re-signed Processing Filter is the being around authentication builders still winds and would be the CAS Processing Filter is now the CAS authentication folder . not include all for free air three invasion Process Philippines have to have the job adopt open in Search for the new class of the league's you once or project . . . so the other things we'll as I mentioned before already experiencing sensibility which means that . um . things that were . when she properties on the meeting class is . the UN the UN those as quickly zero for the good and I key that can parse that and then on to someone of completion for you on properties in South on sister Laura of this screen is . Fiji's mostly just out with the XML Configuration . Bill be a slight pain bacon I needs to show you where . he's and that's in Spring Security three . I'm in the sprawling easy as investors weighed in Migrating from to three and only then Configuration SAP AG the of the ACL stuff Hodges Michigan lot . . that that may soon you'll skin and . we had seen the job done . Groups . because they sober so that address . in Spring Security to we actually wrote custom seven Rutgers writer name in music . I don't know if our custom stuff is any better . um they perform to a veteran and Mealamu logical sense . on the Friday revisiting some of that step as we it is applications uses the ACL Model is is a lot better . so this see probably a sheet you not born yet here and in your Some ranks ago about Spring Security . in this but defended their Diagram stock in their reference guide directories that is actually I'm pretty good prepare app on combining that with these other dots project in the newly not lead for anyone on duty at most of the stuff . also they've including number of Sample Applications . so if you look at those the identities and again this is not not a subliminal played for cad Spring is the one I'm most often work with the UN example Africa as it needs no idea that you can look in the sense Labs the this is the configuration that entire number of different lines and its probably one of the best ways to learn the specific configuration on . so area looking for . Seattle had the deputies e t need to see some more intense configurations . AGU of the search for . open source project opened their this Spring Security Configuration probably show single all for being here in every use . I might also recommend we have one for OpenRegistry which these two differing authentication methods that . . no one see that much more . . this basically forms and actually pretty good team having Questions . they're pretty responsive on and isn't . and also the book that helped record he apparently . as part in his right on Main the bookkeeping very active on the forum said oh he probably knows a lot and ten a light dusting as the snow . um . Entities likely help on the for under that Event was on the forum on the seven al list that screen that's deadly . I don't think this diary that nature you avoid that . . because It's not the new helpful to him . . so . concluding . in that history has placed carry that out for private I don't think my one Broad point here is going to show you that or convince you that . and we'll forty dollars teaching the configuration and options have demonstrated that it's a complete Screenshots runs a with their EU meeting a it does lead as a preview job of keeping . South out of your application . . I miss my projects million entries made until recently some changes direction Easier said fewer of its good that's lieutenants . maybe some of these configuration options or it's that insanity in and . and ACL support a thought better in three now recommends . I'm a to look at it also exposed is in product so . the hearing . so datacenter that uses questions but on Easy to anyone has any questions . we . . twelve minutes . we just two minutes tested and I wanted me . with how I've four eighteen am I . . fourteen in second is the new bits are . he . question use . all is lost or . yes indeed . room not . isn't there . yes . while the . many see as their wings I thought they were in the reference manual they may not be . Kelley . . . this is anyone has any additional question How Intel of . Sergio . we don't want to search the word . . . three are quite is Spring Framework traded at this point . when Spring Security still . I mean Works to three . I would Spring take . I . the US of finding new love . ease Spring Web Flow . Spring Web slow to does not work very well with Spring Framework three just in random side for anyone that's . using that . it works well as for the buying to List . when we see this . . there . . said Julie . . the case looms . . . I don't let it all about . . I want to get that . the race . the radio . three . . so Exchange . . but all we went seven edit to find them . and I'll also deny Winky in the insights and then up was the slides . and we can become the party resource for where the . as simple apps hour . . that's eating Spring Security three . . Oh . Wade . many CEOs or she ID me . Morrison's . but . he gets consistent . . do you mean you ACL step is using . we seem to notice that in the . beyond easy . Does . and using it . his son's remains sound idea was this intensity yet . . a concern about its performance when we . we try we an use it . M . Qazi were using it for our . and . Green system which would call it class roster which a new treaty list of people . and or it would profound . the goal is to Define into something we need to Filter employed you can sing . I'm in there to be missing the Dean seems be running All at official on the day . . Does anyone considering Using Spring scary thing . and Robson Questions to some ease . prompting . . still leading in the second seeded Puerta at all . . Myers area and in a Denver . . there's . sure we are on one of them . certainly . . I'm sure builders . we're not . . . present on this . . . NBC miniseries twenty get so we can tell to time . CAS . . . . . . Bogut is lower . . Using Spring the Spring Training Spring Security thing . so Works What was . . . . he says . if he catches you is where we'll end it foundation for the future releases show . which I get all the major changes in late spring one over . I will air once . and in command Swiss Radio at the . I'm the TGT new projects . it's great he made plays Spring skating . I will say go right now and rewrite all year applications Using Spring Security two to namespace a Spring skate me just that today because the new shiny ones up on Spring Security is rock solid the few bothered to configure the Mehdi is really no point in and changing over Leicester Adding New Functionality which app these new and there . or there's something that's in Spring Security three that you need . like some of the stuff about the IP address of . ladies hold for some people . Rice using it . we do emergency he . tax minification and Tony one of the A Rod the rules now is unless you eight people doc dot of emergency . Set education by text message . that rule teams are some not really sure where it came from . I would imagine were using . ditto and decency to call back to application but they don't really want a light authenticated . so as easy Spring Security to to restrict the . the IP address . . because they deem one x easy Authentication . standards honorees Maintenance intelligence license . let's is demanding an answer there making these reasons . . we know we're so was the play seven minutes . we'll have begun all time high Tuesday you got me out here so . you can see anything from us anything . this is what we were . small pieces . the only or no . . we did . look until three GT jump in here it is a auto we'd use it for just about every application . I many demanding from authorization . I'm cookie reasons . it's good to to be consistent . I mean and we all wanted to . this one is the size service when as this thing to think when you listen we is this for getting that means we can have people jumping team on applications . I'm also not familiar with seeing many other things and doing a job on authorization . . he Security night . I'm a be on that I don't know of any . . he of most most integration Kingsley if you get there to catch clients and partners again mentioning CAS you know Iraq as client do that is Authentication which is all well and good . even small applications for the most part need some form authorization . honestly I do something . they are this is where we're from the time . well all . all right . show all its own . why . he presentation . or you why you control over the Execution . . it's provides that slide over it . it's and there . job well and get that . so is her . and it's the from the application . is this bridge . . . one US is module once . XML already done for the most part my niece using the Red are many routes you can just copy a CD new Iran . and you something that in just copied from one application to the other on for the longest time with when we are getting Using Spring Security to Southend in the loaded before before they had a good namespace support . I haven't original Configuration Obie OSGi had a configure several gunshots my app just doing their that they not in learning what to do and this you probably an unlikely applications . so I wouldn't I . five Who's of all sizes . we repeat the the difference application is a small application eagerly Spring Security . Michaela close to Clinton wrong to the kids are learning something new though right . once you've got a you can get up in like five ten minutes . the CBC Configuration to season Sunday as a starting point . I've no problem using any of fifteen properties in or out . . right to form in Santa screen . . we OS . but I certainly is . so we'll work with all my answers . we'll M Cordova Questions . . remember what the context of the answer was . . we should probably find out though his . . . since . that should and I guess we're would and when I was a slides art empty buying the way to I miss him provocations in Code in that twenty one that suggested our life I will get to opposing them and so all probably tomorrow morning or so . IBM's needed sleep or something . for that . . has the Spring Security question . Tito did not . I need to raise I do . citizens need pretty much anything goes at the to the bodies . Maven I do not using for everyone some dancing happening . . in the end the weekend the moment . a mob in the beginning sometimes related stocks . I'm Jimmy navigation of Maine she rated staff on Monday he has to do the area in the right CAS server heads down Development probably on . he added I know you're interested in . I'm like of the hour right to exist . the seedings anything to do something you said sitting in JVM helping with that a good time to sit with us and say hello in this with the best we do it on you can also just in listening to Let's talk about the surge UI were more about it on is not related and for if he had been we seem to be the previous UN isn't a problem . yes and a further step has to happen on the kind user management says I is that that's not the property of farm for that . and essentially he project and people like light rain on is going to happen there . the idea for new projects on Duke live with people in and bring it integration . and it's useful for that we're in the Guineas and OpenRegistry staff . if you're interested in that . Judy is its probably a bit better for people who . why do slide . to mind dumping in Davis feedback and set the is Reduce the Synopsis and things like that . for that Pete is this the more that needs to be up and in addition to goes for taxes can be more architecture and in Enhanced and development staff and then that is new for all staff that I really doing can you portal site . . that answered your question that nobody had seen her the question of . . OK thank you . the the the . Cumani .