WAM and the Java Stack

Disclaimer

• Please ask questions• There are hands on labs• Prerequisites:

– Basic Java knowledge– Basic Spring knowledge– LDS Account Integration Training – Part 1

Outline

• WAM (Web Access Management)• WAM integration w/o Spring Security• WAM integration w/ Spring Security

WAM (Web Access Management)

What is WAM?

• WAM stands for Web Access Management• Authentication

– Authentication management– Single Sign-on

• Authorization– Url (course-grained)– Entitlements (fine-grained)

• http://en.wikipedia.org/wiki/Web_Access_Management

Architectural Overview of WAM

• Authentication status triggering request parameters• ?signmein• ?signmeout

Injected Headers

• WAM injected headers:– https://tech.lds.org/wiki/SSO_Injected_Headers

• How the headers map with LDS Account (LDAP) attributes:– https://ldsteams.ldschurch.org/sites/wam/

Implementation%20Details/HTTP%20Headers.aspx• Required headers

– policy-ldsaccountid– policy-cn

Wamulator

• For complete documentation:– http://tech.lds.org/wiki/WAMulator

• WAM Maven plugin provided to start/stop the wamulator– Run within LdsTech IDE

• Right click on Alm module and select Run As -> Run WAM Emulator

– Command line (from within the Alm module)• mvn stack-wam:run

Demo

Stack / WAM integration w/o Spring Security

• https://code.lds.org/maven-sites/stack/module.html?module=lds-account/stack-lds-account-wam/index.html

<filter> <filter-name>wamContextFilter</filter-name> <filter-class>org.lds.stack.wam.filter.WamContextFilter</filter-class> </filter>

<filter-mapping> <filter-name>wamContextFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

WamContext

• Accessed with:

• WamContexts consists of 3 main parts:– LdsAccountDetails object

– WamRequestProvider

– EntitlementService

WamContextHolder.getWamContext();

WamContextHolder.getWamContext().getLdsAccountDetails().getPreferredName();

WamContextHolder.getWamContext().getWamRequestProvider ().getCookieHeader();

WamContextHolder.getWamContext().getEntitlementService()….

Demo

Lab 1

https://tech.lds.org/wiki/WAM_Integration_-_Part_1#Lab_1

WAM and Spring Security

Why WAM and Spring Security?

• Spring Security provides– Full featured authorization system– Abstraction to authentication and authorization– Allows for complex fallback authentication systems– Facilitates proxy support

WAM Spring Security Integration

• WAM Authentication Provider<lds-account:wam> <lds-account:intercept-url access="hasRole('ROLE_ADMIN')" pattern="/secure/**" /> <lds-account:intercept-url access="isAuthenticated()" pattern="**" /> <lds-account:access-denied-handler error-page="/errors/accessDenied" /> <lds-account:logout /></lds-account:wam>

<sec:authentication-manager> <sec:authentication-provider ref="ldsAccountAuthenticationProvider" /></sec:authentication-manager>

Demo

Spring Security and WAM authorization

• Spring provides programming tools– Full featured EL capabilities– Convenient annotations– Management central to the application

• Advantages to both WAM authorizations and Spring Security authorizations

Spring Security EntryPoint

• Simplifies WAM configuration / management• Utilizes WAM for authentication

– User details injected if authenticated• Allows course grained authorization to be

managed within the application

Spring Integration

Demo

Lab 2

https://tech.lds.org/wiki/WAM_Integration_-_Part_1#Lab_2

Conclusion

• The Stack provides full featured integration with WAM– With or without Spring Security

• Facilitate authorization in WAM, but has been made easy with Spring Security

Credit Where Credit is Due

• http:// http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html

• http://en.wikipedia.org/wiki/