CSF Security in a non-MITSIS App

Prerequisites

There are some criteria that a non-MITSIS application must fulfill before it can use CSF Security. The app should use:

  • Spring Framework 3.1
  • Spring MVC 3.1
  • Spring Security 3.1
  • Java 6 or higher

Add CSF Security Dependencies to App

CSF Security code is contained in a jar file named "csf-security-x.x.x.jar" where x.x.x is the CSF version number. An example, for CSF version 2.0.20 is csf-security-2.2.20.jar. All CSF jar files are located in the IS&T Maven repository (see https://maven.mit.edu), and they can be downloaded from that web site.

CSF security has further dependencies on CSF Base, and CSF Webservices. These modules are in separate jar files, tagged with a matching release number: csf-base-x.x.x.jar and csf-webservices-x.x.x.jar.

So, to summarize, the app needs access to the following CSF jar files:

  • csf-security-x.x.x.jar
  • csf-base-x.x.x.jar
  • csf-webservices-x.x.x.jar

How these jar files are included in the app depends on the build method of the app.

Maven Builds

For apps using Maven, the following dependency should be added to the app's pom.xml file:

        <dependency>
            <groupId>edu.mit.ist.es.csf</groupId>
            <artifactId>csf-security</artifactId>
            <version>x.x.x</version>
        </dependency>

where x.x.x would be replaced by the CSF version number.

This dependency specification will automatically pull in the csf-base and csf-webservices dependencies.

Ant Builds

For apps using Ant for the build process, you will have to get hold of the three jar files (csf-security, csf-base, and csf-webservices) and copy them to the "lib" folder of your web application. The jar files can be downloaded from https://maven.mit.edu/.

CSF Security Spring Configuration

To configure CSF security, you will need to do some XML configuration.

First, make sure your Spring context is referencing the CSF Spring XML files:

    <import resource="classpath*:applicationContext-csf-security-spring.xml" />
    <import resource="classpath*:applicationContext-csf-base.xml" />
    <import resource="classpath*:applicationContext-csf-webservices.xml" />

Now, assuming you have an XML file controlling your Spring Security configuration, configure these beans:

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
    	<list>
               <security:filter-chain pattern="/css/**" filters="logoutFilter" />
	           <security:filter-chain pattern="/images/**" filters="logoutFilter" />
	           <security:filter-chain pattern="/js/**" filters="logoutFilter" />
	           <security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter,
	           		logoutFilter,
	           		ssoAuthenticationProcessingFilter,
	           		basicAuthenticationProcessingFilter,
	           		exceptionTranslationFilter,
	           		filterSecurityInterceptor"
	           />
	</list>
    </constructor-arg>
</bean>

    <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source>
                <security:intercept-url pattern="/index.htm" access="ROLE_EMPLOYEE,ROLE_ADMIN" />
                <security:intercept-url pattern="/allusers/*" access="ROLE_EMPLOYEE,ROLE_ADMIN" />
                <security:intercept-url pattern="/adminonly/*" access="ROLE_ADMIN" />
            </security:filter-security-metadata-source>
        </property>
    </bean>

    <bean id="authorizationService" class="edu.mit.csf.security.service.MultipleAuthorizationsService">
        <property name="combine" value="true" />
        <property name="authorizationServices">
            <list>
                <ref bean="mitRolesAuthorizationService" />
            </list>
        </property>
    </bean>

Properties File

CSF requires some properties to be specified in a flat file outside of the web app. The reason is so that different property values can be specified on different tiers. This allows us, for example, to use the test Roles system in our dev & test tiers while using the production Roles system in production, without having to modify code or the contents of the web app.

The properties file can be named anything you want and located anywhere you want. The contents should look like this (for a developer's local configuration):

roles.function.category=REG
local.authentication=true
local.user.name = <YOURKERBNAME>
local.user.password = <SOMEPASSWORD>
local.authority.domain = OREG

webservices.keyStore=/home/sturner/keys/registrar.jks
webservices.keyStorePassword=<KEYSTOREPASSWORD>
webservices.trustStore=/home/sturner/keys/serverTrustStore.jks
webservices.trustStorePassword=<TRUSTSTOREPASSWORD>

webservices.mitrolesws.proxy.user=REG$TEST
webservices.mitrolesws.url=[https://rolesws-test.mit.edu/rolesws/services/roles]
webservices.mitroles.url=[https://uaws-test.mit.edu/uaws/services/ua]

To get Spring to read the properties and make them available to the CSF Security module, configure this bean in your Spring context:

	<bean id="applicationConfiguration"
		class="edu.mit.csf.base.configuration.ApacheApplicationConfiguration"
		init-method="init">
		<property name="locations">
			<list>
				<!--
					Property files are loaded in the order below.
					First entry	found will set the value. Any "file"
					will be regularly checked for updates and reloaded
					if changed.
				-->
				<value>file:${user.home}/machine.properties</value>
				<value>file:<PATH_TO_YOUR_PROPERTIES_FILE></value>
			</list>
		</property>
	</bean>
  • No labels