spring day | identity management with spring security | dave syer
DESCRIPTION
2011-10-31 | 11:00 AM - 11:45 AM

Application and platform security requirements are changing under the influence of standards like OpenID and OAuth2, and the increasing demand for lightweight and multi-language platforms. Everyone used to be happy if they could implement single sign on for their Java web applications. That's still important, but there is a growing demand for more extensive Identity Management services, both in the enterprise and for public web applications. CloudFoundry is a nice use case for this new service model: it has multi-language support and security requirements that go beyond simple single sign on. What does that mean, and what does it mean for Spring Security? Come to this presentation to find out.

TRANSCRIPT
Identity Management with Spring Security
Dave Syer, VMware, SpringOne 2011
COPYRIGHT VMWARE, INC, 2011
Overview
● What is Identity Management?
● Is it anything to do with Security?
● Some existing and emerging standards
● Relevant features of Spring Security and other Spring projects
● Common use cases
● Demo of prototype IDM system
Agenda
● Core domain:
  ● Authentication, identity, trust, delegation, claim, authorization
  ● SSO
  ● Identity Management
● Standards:
  ● SAML
  ● OpenID
  ● OAuth, OAuth2
  ● OpenID Connect
  ● SCIM
  ● JWT
● Spring Security and other projects
● Use cases (Google, Facebook, CloudFoundry) and demos
● IDM as a Service
Demo Code
$ git clone git://gist.github.com/1316904.git
Authentication
● You say you are Fred Bloggs? Can you prove it?
● Human-human interactions
  ● Official document (passport, driving licence, etc.)
  ● We actually call it “ID”
  ● Letter of introduction
  ● Word of mouth, friend of a friend
● Machine-human interactions
  ● Something you know, hopefully unguessable, maybe random, e.g. username/password
  ● Something you have, e.g. One Time Password (OTP) from RSA hard/soft token
  ● Multifactor authentication
● Machine-machine interactions
Typical System Architecture
[Diagram: User (“I'm Fred, show me my photos”) → APP → DB (User details store)]
Fred Accesses his Photos
Two Apps, No Shared Authentication
[Diagram: User → APP1 (“I'm Fred, show me my photos”) and APP2 (“I'm Fred, can I buy a book?”); each app has its own DB / User details store]
Two Apps, Shared User Details
[Diagram: User → APP1 (“I'm Fred, show me my photos”) and APP2 (“I'm Fred, can I buy a book?”); both apps share one DB / User details store]
Two Apps, Single Sign On
[Diagram: User → APP1 (“I'm Fred, show me my photos”) and APP2 (“I'm Fred, can I buy a book?”) via SSO; shared DB / User details store]
Single Sign On: Example Flow
(All Apps are the same)
● Explicit authentication required on first visit
● Avoidable subsequently if App can store token – but then with multiple apps you have distributed state
This is unavoidable
Two Apps, Single Sign On with Separate Authentication
[Diagram: User → APP1 (“I'm Fred, show me my photos”) and APP2 (“I'm Fred, can I buy a book?”) via SSO, with a separate AUTH component; shared DB / User details store]
SSO With Spring Security
● Good support for CAS
● Many custom implementations for commercial products like SiteMinder
● Field is fragmented
● OpenID...
Trust
● You say you are Fred Bloggs? Can you prove it?
● Oh, I remember, Martha said you're alright. Come in...
● I trust Martha, USDOT, UKPA, etc, to verify Fred's identity
● Why?
● Because I know them, and they say they know Fred.
Consumer Trusts Provider
[Diagram: User (“I'm Fred, show me my photos”) → APP (Consumer, Relying Party) → IDP (Provider) with DB / User details store]
Simplified User-App-IDP Interaction
So What did we Gain with an Identity Provider?
● App no longer has to do authentication or keep record of secure information about users
● User only has to type secrets into a known trusted site (e.g. Google)
● Separation of concerns
● Abstraction always comes at a cost
● Increased complexity – more to understand, more to maintain, more to go wrong
● Complexity and Security are uneasy bedfellows
● Hence there are standards that cover this interaction
Complexity: Schematic Actual Conversation
Complexity: HTTP Protocol Actual Conversation
Compare: Native Authentication
OpenID
[Diagram: User (“I'm Fred, show me my photos”) → APP (Relying Party) → OpenID Provider with DB / User details store]
OpenID
● Protocol for attribute exchange
● Sits on top of HTTP(S)
● Form plus JSONish on back channel (attribute fetch)
● Form data and redirects on front channel
● Does not specify authentication (up to the Provider)
● Does not require pre-registration of Relying Parties (Apps)
● Implemented in various languages, e.g. Java->OpenID4J (Google code)
● Support in Spring Security for Relying Party
Spring Security OpenID RP
```xml
<http xmlns="http://www.springframework.org/schema/security">
  ...
  <!-- Relying Party login: the OpenID Provider authenticates the user,
       and the requested attributes are exchanged on the back channel -->
  <openid-login login-page="/openid" user-service-ref="registeringUserService"
                authentication-failure-url="/login_error.jsp">
    <attribute-exchange identifier-match=".*">
      <openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" />
      <openid-attribute name="fullname" type="http://schema.openid.net/namePerson" required="true" />
    </attribute-exchange>
  </openid-login>
</http>
```
SSO with OpenID
[Diagram: User → APP1 (“I'm Fred, show me my photos”) and APP2 (“I'm Fred, can I buy a book?”), both Relying Parties → OpenID Provider with DB / User details store]
SSO with OpenID
No user input required here if IDP is stateful
Delegation and Client Authorization
● So Fred told you to come and pick up his order?
● You say you're Martha? Show me some ID.
● And what about some documentation about the order?
[Diagram: Resource Owner; Client (e.g. a service provider); Scope of responsibility]
Delegation and Client Authorization
● An App needs to access Fred's resources on his behalf
● Resources live in a protected Resource Server (API)
● Fred is the Resource Owner: he can read and write his resources if he logs into the API himself
● But App is the Client of the API service, not Fred, and Fred doesn't want to grant App write access
● Resource Server can grant App access to a restricted Scope of activity
● Fred authorizes the App to read his Resources
● App gets an Access Token that enables it to act on behalf of Fred
● Where does it get the token from? An Authorization Server
Delegation
[Diagram: Resource Owner (“I'm Fred, show me my photos”) → APP (Client) → API (Resource Server); AUTH (Authorization Server, Token Services) issues the Token]
Example Token Services using Shared Storage
[Diagram: Resource Owner (“I'm Fred, show me my photos”) → APP (Client) → API (Resource Server); AUTH (Authorization Server) issues the Token; API and AUTH share a DB Token Store]
Delegation Standards
● SAML 1.0, 2.0
  ● XML
  ● back channel
  ● cryptography
  ● Spring Security SAML, Service Provider = Resource Server only
● OAuth 1.0a
  ● plain text
  ● back channel
  ● cryptography
  ● Spring Security OAuth (consumer and provider)
● OAuth 2
  ● JSON (plus optional custom formats)
  ● no back channel in spec (but need token services in practice)
  ● clear text (need SSL), plus extensions
  ● Spring Security OAuth (consumer and provider)
Slide annotations: “Need key exchange”; “Nonce and request token”
OAuth2
● Client /app
● Resource Server /api

Unauthenticated:

```http
GET /api/photos

401 Unauthorized
WWW-Authenticate: Bearer realm="/auth"
```

Authenticated:

```http
GET /api/photos
Authorization: Bearer FDSHGK78JH356G

200 OK
...
```
OAuth2 Acquiring an Access Token
● Grant Types
  ● Password
  ● Authorization Code
  ● Refresh Token
  ● Implicit
  ● Client Credentials
● Others allowed as extensions, e.g. SAML assertion
OAuth2 Grant Type: Password
● Resource Server /api
● Authorization Server /auth
  ● Token Endpoint

Request (the Basic header carries the client credentials):

```http
GET /auth/token?response_type=password&username=......&...
Authorization: Basic asdsdfggghf=
```

Response:

```http
200 OK
{ "access_token" : "JAHDGFJH78IOUY", "token_type" : "bearer", "expires_in" : "3600" }
```
OAuth2: Grant Type Password
OAuth2 Grant Type: Authorization Code
● Client /app
● Authorization Server /auth
  ● Authorization Endpoint

```http
GET /auth/authorize?response_type=authorization_code&...
Authorization: Basic asdsdfggghf=

302 Found
Location: /app/photos?code=dfjhg
```
OAuth2 Grant Type: Authorization Code
● Resource Server /api
● Authorization Server /auth
  ● Token Endpoint

```http
GET /auth/token?grant_type=authorization_code&code=......&...
Authorization: Basic asdsdfggghf=

200 OK
{ "access_token" : "JAHDGFJH78IOUY", "token_type" : "bearer", "expires_in" : "3600" }
```
OAuth2 Grant Type: Authorization Code
????
OAuth2 Grant Type: Authorization Code, Explicit Authorization
The spec doesn't say how this happens, just that it does, e.g:
????
OAuth2: More Detail and Options
● Grant type
  ● Password – native apps, fixed authentication
  ● Authorization Code – webapps with browser redirects
  ● Refresh Token – optional for tokens issued with Auth Code
  ● Implicit – script clients in webapps, native apps
  ● Client Credentials – service peers
  ● Other, e.g. SAML
● Token type
  ● Bearer
  ● Other, e.g. MAC
● Scope
  ● Arbitrary string. Signifies something to Resource Server about which resources are available. C.f. “audience” in SAML.
● State
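As an added example (not code from the slides or from Spring Security OAuth), the authorization code grant and the bearer-token check from the preceding slides modelled in Python: the /auth/authorize and /auth/token endpoints of the Authorization Server, the /api/photos endpoint of the Resource Server, and the client registration from the deck's config (clientId "app", scope "read_photos"). The client secret, redirect URI, token values and the photo resource are constructed for this example; it also goes slightly beyond the slides by making codes single-use and enforcing scope at the Resource Server.

```python
import base64
import secrets
import time

# Client registration, mirroring <oauth:client clientId="app" ... scope="read_photos"/>;
# the secret and redirect URI are constructed values for this example.
CLIENTS = {
    "app": {"secret": "app-secret",
            "grant_types": {"authorization_code", "refresh_token"},
            "scope": {"read_photos"},
            "redirect_uri": "/app/photos"},
}

def basic_auth(client_id, secret):
    """The 'Authorization: Basic ...' value a client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

class AuthorizationServer:
    """/auth: issues single-use authorization codes and expiring bearer access tokens."""

    def __init__(self, token_ttl=3600):
        self.codes = {}    # code -> (client_id, user, scope)
        self.tokens = {}   # access_token -> (client_id, user, scope, expiry)
        self.token_ttl = token_ttl

    def authorize(self, client_id, user, scope, redirect_uri):
        """Authorization Endpoint, after the resource owner consented: 302 to /app/photos?code=..."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            return 400, None
        if not set(scope) <= client["scope"]:  # never more scope than registered
            return 400, None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(scope))
        return 302, f"{redirect_uri}?code={code}"

    def token(self, authorization_header, grant_type, code):
        """Token Endpoint; the client authenticates with HTTP Basic client credentials."""
        client_id = self._authenticate_client(authorization_header)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        if grant_type not in CLIENTS[client_id]["grant_types"]:
            return 400, {"error": "unauthorized_client"}
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[0] != client_id:
            return 400, {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, entry[1], entry[2], time.time() + self.token_ttl)
        return 200, {"access_token": token, "token_type": "bearer",
                     "expires_in": self.token_ttl, "scope": " ".join(sorted(entry[2]))}

    def _authenticate_client(self, header):
        if not header or not header.startswith("Basic "):
            return None
        try:
            client_id, _, secret = base64.b64decode(header[6:]).decode().partition(":")
        except ValueError:  # bad base64 or non-UTF-8 payload
            return None
        client = CLIENTS.get(client_id)
        # compare_digest keeps the secret comparison constant-time
        ok = client is not None and secrets.compare_digest(secret.encode(), client["secret"].encode())
        return client_id if ok else None

def api_photos(auth_server, authorization_header, now=None):
    """Resource Server /api/photos: 401 plus the slide's challenge without a valid bearer token,
    403 when the token lacks the read_photos scope. `now` lets the caller test expiry."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="/auth"'}
    entry = auth_server.tokens.get(authorization_header[7:])
    if entry is None or (now if now is not None else time.time()) >= entry[3]:
        return 401, {"WWW-Authenticate": 'Bearer realm="/auth", error="invalid_token"'}
    if "read_photos" not in entry[2]:
        return 403, {"WWW-Authenticate": 'Bearer realm="/auth", error="insufficient_scope"'}
    return 200, {"owner": entry[1], "photos": ["holiday.jpg"]}  # constructed resource
```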
Spring Security OAuth: Resource Server /api
```xml
<sec:http ...>
  ...
  <sec:custom-filter ref="oauth2ServiceFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</sec:http>

<oauth:provider id="oauth2ServiceFilter" token-services-ref="tokenServices">
  <oauth:resource-server resource-id="api" />
</oauth:provider>
```
Spring Security OAuth: Authorization Server /auth
```xml
<sec:http>
  ...
  <sec:custom-filter ref="oauth2ServiceFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</sec:http>

<oauth:provider id="oauth2ServiceFilter" token-services-ref="tokenServices">
  <oauth:authorization-server client-details-service-ref="clientDetails">
    <oauth:authorization-code />
    <oauth:implicit />
    <oauth:refresh-token />
    <oauth:client-credentials />
    <oauth:password />
  </oauth:authorization-server>
</oauth:provider>

<oauth:client-details-service id="clientDetails">
  <oauth:client clientId="app" authorizedGrantTypes="password,authorization_code,refresh_token"
                scope="read_photos" authorities="ROLE_GUEST" />
</oauth:client-details-service>
```
Spring Security OAuth: Client /app
```xml
<sec:http>
  ...
  <sec:custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</sec:http>

<oauth:client id="oauth2ClientFilter" token-services-ref="oauth2TokenServices" />

<!-- RestTemplate that obtains and sends the access token for the "api" resource -->
<bean id="apiRestTemplate" class="org...oauth2.client.OAuth2RestTemplate">
  <constructor-arg ref="api" />
</bean>

<oauth:resource id="api" type="authorization_code" clientId="app"
                accessTokenUri="${accessTokenUri}"
                userAuthorizationUri="${userAuthorizationUri}"
                scope="read_photos" />
```
N.B. Spring Social has client support as well (similar approach, convergence will come later)
OpenID Connect
● Similar to OpenID in the role that it plays, but not in any other way related
● Uses OAuth2 as a protocol for attribute exchange
● Google, Salesforce, etc. behind spec
● OAuth2 endpoints:
  ● /authorize
  ● /token
● OpenID endpoints are OAuth2 protected resources:
  ● /userinfo
  ● /check_id
● Clients obtain access token with scope=openid
● OAuth /token endpoint includes id token in response as well as access token
● Responses in JSON or JWT (=encrypted JSON)
● Not implemented in Spring project (yet), SECOAUTH or SEC
OpenID Connect: Token Acquisition
● Resource Server /api
● Authorization Server /auth
  ● Token Endpoint

```http
GET /auth/token?grant_type=authorization_code&code=......&...
Authorization: Basic asdsdfggghf=

200 OK
{ "access_token" : "JAHDGFJH78IOUY", "token_type" : "bearer", "expires_in" : "3600",
  "scope" : "openid", "id_token" : "LKJADSFKHJG8723E" }
```
OpenID Connect: User Info
● Resource Server /api
● Authorization Server /auth
  ● User Info Endpoint

```http
GET /auth/userinfo
Authorization: Bearer JAHDGFJH78IOUY

200 OK
{ "user_id" : "dsyer", "name" : "Dave Syer", "email" : "[email protected]", ... }
```
SCIM
● Simple Cloud Identity Management
● Plain text / JSON standard for provisioning identity systems
● Standard endpoints
  ● /Users – query user accounts
  ● /User – CRUD operations on users
  ● /Groups – CRUD operations on groups
● An OAuth2 authorization service might implement SCIM
● Not implemented (yet) in Spring
Spring Security: Project Organization
● Spring Security (Web, Core, LDAP, OpenID, ...) – Luke Taylor (VMW), Robert Winch
  ● 3.1.0 just released
  ● Stable, mature
● Spring Extensions: Security (SAML, Kerberos) – Vladimir Schaefer, Mike Wiesner (VMW)
  ● 1.0.0 not yet released
  ● Partly external, low-activity
● Spring Security OAuth (OAuth1a, OAuth2) – Ryan Heaton, Dave Syer (VMW)
  ● OAuth2 spec not yet final
  ● External lead
  ● 1.0.0.M5 release in pipeline
● Spring Social – Keith Donald (VMW), Craig Walls (VMW)
  ● 1.0.0 just released
  ● Consumer for well-known providers
CloudFoundry IDM
[Diagram: Resource Owner (“I'm Fred, show me my apps”) → Admin Console (Client) → CloudController (Resource Server: Collab Spaces, Access Decision); UAA (Authorization Server: OAuth2, OpenID Connect, SCIM; Token Services) issues the Token]
CloudFoundry IDM
[Diagram: Resource Owner (“I'm Fred, show me my apps”) → VMC (Client) → CloudController (Resource Server: Collab Spaces, Access Decision); UAA (Authorization Server: OAuth2, OpenID Connect, SCIM; Token Services) issues the Token]
Links
● SECOAUTH: https://github.com/SpringSource/spring-security-oauth
● OpenId4J: http://code.google.com/p/openid4java/
● OpenID Connect: http://openid.net/developers/specs/
● OAuth2: http://tools.ietf.org/html/draft-ietf-oauth-v2
● SCIM: http://www.simplecloud.info
● SES (SAML and Kerberos): http://static.springsource.org/spring-security/site/extensions.html
● Demos: http://gist.github.com/1316904