CEPM Spring Security2 Agent [Cisco Policy Enforcement Point]

Table Of Contents

CEPM Spring Security2 Agent Guide

Contents

About This Document

Objective

Audience

Spring Security2 Approach

Steps to Integrate Spring Security2 Agent with a Web Application

Configuring CEPM Spring Security2 Agent with a Sample Spring Application

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

CEPM Spring Security2 Agent Guide

Revised: July 19, 2009, Doc Part No: OL-19570-01

Contents

•About This Document

•Spring Security2 Approach

•Spring Security2 Approach

•Steps to Integrate Spring Security2 Agent with a Web Application

•Configuring CEPM Spring Security2 Agent with a Sample Spring Application

•Documentation Updates

•Related Documentation

•Obtaining Documentation and Submitting a Service Request

About This Document

Objective

This document provides guidelines for using CEPM customized Spring Security 2 authorization solution for applications running in the Spring framework.

Audience

This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.

Spring Security2 Approach

Spring Security provides comprehensive security services for J2EE-based enterprise software applications, particularly applications using the Spring Framework.

Spring Security stipulates the authentication as well as authorization features of an application. In order to make the security cover more explicable and stronger, the security configuration is customized in terms of CEPM functionalities, which will henceforth provide the authorization part assuming that Spring Security still meets the authentication feature.

When a user tries to access a Spring-based security implementation, the authentication of the user is left up to the Spring Security service, whereas CEPM does the user authorization by customizing the accessibility features.

For example, in a banking application protected by Spring Security, user Mary has access to Report6. When Mary tries to access Report6, assuming that the login authentication has already been done by Spring Security, the authorization is delivered by CEPM.

CEPM's Spring Security 2 Agent extends the following classes and methods:

Table 1 Classes and Methods

Class

Method

org.springframework.security.vote.RoleVoter

public int vote (Authentication authentication, Object object, ConfigAttributeDefinition config)

org.springframework.security.vote.AbstractAccessDecisionManager

public void decide (Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException

Where,

•authentication refers to the Authentication object and object refers to the secured object being called.

•config refers to the configuration attributes associated with the secured object being invoked.

Figure 1 shows the typical process of accessing a web resource with CEPM's Spring Security enabled:

Figure 1 CEPM Spring Security2 Framework

1. When the client sends an HTTP request to access an application running in Spring framework, the Spring Security first checks whether the requested resource is secured and then checks for the authentication object. While the user authentication is done by the Spring Security, the authorization is managed by CEPM Spring Security Agent.

2. As a part of the authorization process, the Spring Security bypasses the authentication, resource and configuration objects to the CEPM Spring Security layer.

3. CEPM Decision Manager first checks for the vote of CEPM Role Voter.

–If it votes `ACCESS_ABSTAIN' then the resource will be `Allowed ` or

–If it votes `ACCESS_DENIED', an AccessDenied Exception will be thrown or

–If it votes `ACCESS_GRANTED',then a call to CEPM is done, and based on the permissions returned by CEPM, the resource will be server.

4. If CEPM Role Voter votes `ACCESS_GRANTED',then a call to CEPM is done using the isUserAccessAllowed PEP API.

5. CEPM gives True or False desicion. If the decision is True then access to the specified resource is granted. If decision is False then Access Denied Exception is thrown.

Steps to Integrate Spring Security2 Agent with a Web Application

Step 1 Copy spring_security_rolevoter.jar , spring-security-core-2.0.0.jar, aspectjrt-1.5.4.jar, spring-core-2.0.8.jar, cglib-nodep-2.1_3.jar, pep.jar, CEPM_Commons.jar, and papclient.jar files from SPRING_SECURITY_HOME directory to PROJECTHOME\WEB-INF\lib directory where PROJECTHOME is the root directory of the web application.

Step 2 Edit the pep_config.xml by updating the values of <applicationgroup> and <application> tags to the application group and web-application for which you want to check the permissions, respectively. Modify the URL value of <pdp> to reflect the URL on which the PDP Server is running. Also update the URL value of <api> to reflect the URL on which PAP Server is running.

Step 3 Add CEPM_AGENT_CONFIG, CEPM_DECISION_CACHE_CONFIG, and CEPM_HOME elements to the Java property for specifying the pep_config.xml and jbosscache.xml file path and CEPM application directory respectively.

For example:
-DCEPM_AGENT_CONFIG=$SPRING_SECURITY_HOME\config\pep\pep_config.xml 
-Dlog4j.configuration=$SPRING_SECURITY_HOME\config\logging\logging.xml
-DCEPM_DECISION_CACHE_CONFIG=$SPRING_SECURITY_HOME\config\jbosscache\jbosscache.xml
Step 4 Edit PROJECTHOME\WEB-INF\web.xml and add following filter entries before </web-app> tag.
<filter>
	<filter-name>springSecurityFilterChain</filter-name>
	<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
	<init-param>
		<param-name>targetClass</param-name>
		<param-value>org.springframework.security.util.FilterChainProxy</param-value>
		</init-param>
</filter>
<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
Modify the value of <url-pattern> i.e. 'URL_pattern' to the URL pattern to be protected.

Note The Spring Framework makes use of the following filters which form a chain through which every HTTP request passes.

•The HttpSessionContextIntegrationFilter maintains the Authentication object between various requests and passes it around to the AccessDecisionManager when needed.

•The ExceptonTranslationFilter performs the Existing Authentication Check, handles security exceptions, and returns the appropriate HTTP security error code. The ExceptonTranslationFilter depends on the next filter, the FilterSecurityInterceptor, to do its work.

•The FilterSecurityInterceptor manages the Restricted Access Check and the Authorization check. It knows which resources are secured. The FilterSecurityInterceptor uses the AccessDecisionManager to do its work.

Together, the three filters perform the task of securing the application. The three filters are "chained" together by an object called the "filterChainProxy", which in turn creates and starts the three filters.

Step 5 To configure CEPM Spring Security, add the following tags in the Spring configuration file, which is PROJECTHOME\WEB-INF\applicationContext.xml by default. Add the following bean entries between <beans> and </beans> tags.
<bean id="cepmRoleVoter" 
class="com.cisco.epm.agent.springsecurityrolevoter.CepmRoleVoter"/>
<bean id="cepmDecisionManager" 
class="com.cisco.epm.agent.springsecurityrolevoter.CepmDecisionManager">   
<property name="resourceManager"> 
<bean class="com.cisco.epm.agent.springsecurityrolevoter.CepmSecurityResourceManager"/>
</property>
	<property name="decisionVoters">
 	<list>
	<ref local="cepmRoleVoter"/>
 	</list>
</property>
</bean>
Note If no users are available 'Anonymous' will be the consider as the user name.

Step 6 To protect URLs, edit the Spring configurations file, which is PROJECTHOME\WEB-INF\applicationContext.xml by default, as follows:

a. Add the following bean entries between <beans> and </beans> tags:
<bean id="filterChainProxy" 
class="org.springframework.security.util.FilterChainProxy">
 <property name="filterInvocationDefinitionSource">
	<value>
	CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
	PATTERN_TYPE_APACHE_ANT
URL_pattern= 
httpSessionContextIntegrationFilter,exceptionTranslationFilter,filterInvocationInterce
ptor                     
	</value>
</property>
</bean>
<bean id="httpSessionContextIntegrationFilter" 
class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/> 
<bean id="filterInvocationInterceptor" 
class="com.cisco.epm.agent.springsecurityrolevoter.CepmFilterSecurityInterceptor">
     	<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
      	<property name="accessDecisionManager">
<ref local=" cepmDecisionManager"/>
</property>	      
      	       <property name="objectDefinitionSource">
		<value>
                 CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
			PATTERN_TYPE_APACHE_ANT			
			URL_pattern=role_allowed
           </value>
      	</property>
  	</bean>  
<bean id="exceptionTranslationFilter" 
class="org.springframework.security.ui.ExceptionTranslationFilter">
	       <property name="authenticationEntryPoint">
		<ref local="authenticationProcessingFilterEntryPoint"/>
	       </property>
	</bean>
<bean id="authenticationManager" 
class="org.springframework.security.providers.ProviderManager">
      	      <property name="providers">
         		<list>
         		    <ref local="anonymousAuthenticationProvider"/>            
         		</list>
      	       </property>
 	 </bean>   
<bean id="anonymousAuthenticationProvider"  
class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvide
r">
	         <property name="key"><value>test</value></property>
</bean>
<bean id="authenticationProcessingFilterEntryPoint"         
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint
">
			<property name="loginFormUrl"><value>/index.jsp</value></property>
	 		<property name="forceHttps"><value>false</value></property>
</bean>
b. Update the following bean entries:

–In the bean entry with id = 'filterChainProxy', replace 'URL_pattern' with the URL pattern to be secured in lower case. For example, /* or /log/portfolio.htm. You can specify multiple 'URL_pattern' as follows:
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/*.htm=httpSessionContextIntegrationFilter,exceptionTranslationFilter,filterInvoca
tionInterceptor
/log/*=httpSessionContextIntegrationFilter,exceptionTranslationFilter,filterInvoca
tionInterceptor
</value>
–In the bean entry with id = 'filterInvocationInterceptor', replace 'URL_pattern' with the URL pattern to be secured in lower case. For example, /* or /log/portfolio.htm. You can specify multiple 'URL_pattern' as follows:
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
PATTERN_TYPE_APACHE_ANT 
/*.htm=CEPM_USER
/log/*=CEPM_USER 
</value>
–Replace 'role_allowed' with the role specified in the class which implements the `Authentication' interface. If using sample implementation provided with the agent which is `CepmAuthentication' then the value of 'role_allowed' should be `CEPM_USER'.

–In the bean entry with id = 'authenticationProcessingFilterEntryPoint', update the value of the property 'loginFormUrl' to the URL, which should be displayed, if the user requests a secure HTTP resource but is not authenticated.

Step 7 In order to protect the methods, edit the Spring configurations file, which is (by default) located at PROJECTHOME\WEB-INF\applicationContext.xml in the following way:

a. Add following bean entries after <beans> tags:
<bean id="autoProxyCreator" 
class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
   		<property name="interceptorNames"> 
               <list> 
			<value>Interceptor_Names</value> 
                </list>
           </property>
           <property name="beanNames"> 
               <list> 
                 <value>Bean_Names</value> 
	            </list>
            </property>
            <property name="proxyTargetClass" value="true"/>
   </bean>
<bean id="Interceptor_Name" 
class="com.cisco.epm.agent.springsecurityrolevoter.CepmMethodSecurityInterceptor">	
       <property name="authenticationManager" ref="authenticationManager"/> 
       <property name="accessDecisionManager" ref=" cepmDecisionManager"/>
       <property name="objectDefinitionSource">
           <value>Method=role_allowed</value>      
        </property>
</bean>
Note You can specify multiple Methods. For example: com.devx.tradingapp.web.PortfolioItemBean.getShares=CEPM_USER com.devx.tradingapp.web.PortfolioItemBean.setShares=CEPM_USER

b. Update the following bean entries:

–In the bean entry with id = 'Interceptor_Name', replace 'Method' with the methods to be secured.

For example - com.devx.tradingapp.web.PortfolioItemBean.setGainLoss (or) com.devx.tradingapp.web.PortfolioItemBean.set.

–In the bean entry with id = 'Interceptor_Name', replace of 'role_allowed' with the role specified in the class which implements 'Authentication' interface.

For example, if you are using sample implementation provided with the agent (which is `CepmAuthentication') then the value of 'role_allowed' should be 'CEPM_USER'.

–In the bean entry with id = 'Interceptor_Name', replace 'Interceptor_Name' with any unique name. For example, methodSecurityInterceptor.

–In the bean entry with id = 'autoProxyCreator', replace the 'Interceptor_Names' with the interceptorName/s. (Typically these are bean id values for interceptors, which are to be secured and Bean_Names to its associated bean). For example,

<bean id="portfolioBean"

class="com.devx.tradingapp.web.PortfolioItemBean"></bean>

then update 'Bean_Names' to 'portfolioBean'.

Step 8 If you want to consider the logged-in user of the Spring Application:

a. Add the following code before the return statement in handleRequest() method of the controller, which handles a request coming from the login page.
HttpSession httpSession = ((HttpServletRequest) httpServletRequest).getSession();
//Where httpServletRequest is an object of type HttpServletRequest
org.springframework.security.context.SecurityContext 
sc=org.springframework.security.context.SecurityContextHolder.getContext(); 
sc.setAuthentication(auth);
httpSession.setAttribute("SPRING_SECURITY_CONTEXT", sc);
Where auth is an object of the class which implements the 'Authentication' interface based on the user information coming from login page like username, password etc.

For example,
String name = httpServletRequest.getParameter("username");
CepmAuthentication auth = new CepmAuthentication(name);
Note 'CepmAuthentication' provided with agent requires only the username.

b. If you want to use a Sample controller provided with the agent:

–Edit the SampleSpringSecurityController.java and modify the parameter values as per the instructions given in that file.

–Put servlet.jar, spring-security-core.jar, spring_security_rolevoter.jar files in the classpath and compile it.

–Copy the complied class to the PROJECTHOME\WEB-INF\classes directory.

–Copy SampleSpringSecurity-servlet.xml to PROJECTHOME\WEB-INF directory.

–Edit SampleSpringSecurity-servlet.xml and modify the value of 'key' in <prop> tag to the page starting with '/' which should appear after login.

Step 9 Restart the server and run the web application.

After authentication, when a user tries to access a secured resource, he or she gets the requested resource based on the permissions specified within CEPM or receives the AccessDeniedException which indicates that access has been denied.

Note To create these resources in CEPM, set the <record> tag value to "true" in the pep_config.xml file.

Configuring CEPM Spring Security2 Agent with a Sample Spring Application

To configure and test the countries Spring application using CEPM Spring Secuity to protect `urls' and `methods'.

Step 1 Unpack countries.war, the package structure appears as shown in Figure 2:

Figure 2 Folder Structure

Step 2 Deploy countries.war in your application server.

Step 3 To protect .../main/home.htm, .../main/countries.pdf and .../main/countries.xls URLs, modify applicationContext.xml as follows:
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
         <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          
/main/home.htm=httpSessionContextIntegrationFilter,exceptionTranslationFilter,filterInvoca
tionInterceptor
/main/countries.xls=httpSessionContextIntegrationFilter,exceptionTranslationFilter,filterI
nvocationInterceptor
/main/countries.pdf=httpSessionContextIntegrationFilter,exceptionTranslationFilter,filterI
nvocationInterceptor
         <value>
      </property>
</bean>
<bean id="filterInvocationInterceptor" 
class="org.acegisecurity.util.cepmFilterInvocationInterceptor">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager" ref="cepmDecisionManager"/>
      <property name="objectDefinitionSource"/>
         <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /main/home.htm=CEPM_USER
          /main/countries.xls=CEPM_USER
          /main/countries.pdf=CEPM_USER
         <value>
      </property>
</bean>
Step 4 To protect methods of
<bean id="countryService" 
class="org.springframework.samples.countries.DefaultCountryService"/>
Modify the applicationContext.xml file as follows:
<bean id="autoProxyCreator" 
class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
      <property name="interceptorNames"
         <list>
             <value>methodSecurityInterceptor</value>
         </list>
      </property>
      <property name="beanNames"
         <list>
             <value>countryService</value>
         </list>
      </property>
      <property name="proxyTargetClass" value="true"/>
</bean>
<bean id="methodSecurityInterceptor" 
class="com.cisco.epm.agent.acegi.CepmMethodSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="cepmDecisionManager"/>
<property name="objectDefinitionSource"/>
             
<value>org.springframework.samples.countries.defaultCountryService.get*=CEPM_USER</value>
</property>
</bean>
Step 5 Edit the pep_config.xml to update applicationgroup and application as follows:
<applicationgroup>Prime group</applicationgroup>
<application>Countries</application>
Step 6 To protect urls and methods the entitlements in CEPM for this application should be:

Figure 3 Policy Creation

Step 7 Run the application using the URL in http://host:port/countries format.

Figure 4 Spring Framework

.

Step 8 Click Main in the left navigation pane.

URL resource .../main/home.htm and Method "getFilteredCountries" will be protected.

Note that for URL resource .../main/home.htm:

•CEPM RoleVoter voted `ACCESS_GRANTED' for the resource Prime group:Countries:main:home.htm.

•Decision for User 'Anonymous' for resource 'Prime group:Countries:main:home.htm' with action 'any' is 'Permit'.

Note that for Method "getFilteredCountries":

•CEPM RoleVoter voted 'ACCESS_ABSTAIN' for the resource : Prime group:Countries:org.springframework.samples.countries.DefaultCountryService:getFilteredCountries. It does not make a call to CEPM and access is given as Abstained (that is, access has been allowed).

Figure 5 Spring Framework Hom e page

Step 9 Click Pdf in the left navigation pane.

Figure 6 shows that the URL resource /main/countries.pdf is protected.CEPM RoleVoter voted ACCESS_DENIED for the resource: Prime group:Countries:main:countries.pdf. and access is denied.

Figure 6 Access Denied Exception

Step 10 Select Excel in the left navigation pane.

Figure 7 shows that the URL resource /main/countries.xls is protected. CEPM RoleVoter voted ACCESS_ABSTAIN for the resource : Prime group:Countries:main:countries.xls. It does not make a call to CEPM, and the access is given as Abstained (that is, access has been allowed).

Figure 7 Country.xls

Step 11 Select country `Andorra' as shown in Figure 8. The method `getCountry' will be protected.

Figure 8 Protected Country and Method

•CEPM RoleVoter voted ACCESS_GRANTED for the resource Prime group:Countries:org:springframework.samples.countries.DefaultCountryService:getCountry.

•The decision for User 'Anonymous' for resource 'Prime group:Countries:org.springframework.samples.countries.DefaultCountryService:getCountry' with action 'any' is 'Deny' and the AccessDenied Exception is thrown as shown in Figure 9.

Figure 9 .AccessDenied Exception

Documentation Updates

Table 2 Updates to CEPM Spring Security2 Agent Guide

Date

Description

July 9, 2009

Minor edits and template/boilerplate updates for publication to Cisco.com

April 3, 2009

Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0

Related Documentation

CEPM_User_Guide_V3.3.0.0.pdf

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2009 Cisco Systems, Inc. All rights reserved.

Cisco Policy Enforcement Point

CEPM Spring Security2 Agent

Hierarchical Navigation

Downloads

Table Of Contents

CEPM Spring Security2 Agent Guide

Contents

About This Document

Objective

Audience

Spring Security2 Approach

Steps to Integrate Spring Security2 Agent with a Web Application

Configuring CEPM Spring Security2 Agent with a Sample Spring Application

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)