Following a list of web security related functionalities that need to be implemented in a typical web application
- channel processing checks - redirect certain requests automatically to https and vice versa.
- maintain a list of urls which will automatically redirect to https
- concurrent session checks - user is not logged in more than once
- Http Session Integration processing - populate security context using http session, remembers prev authentication stored in session
- Logout checks
- Exception Translation checks - handles authentication and access denied exceptions
- Authenication processing - delegates to authentication entry point, filter and finally manager
- Authentication entry points and filters - http basic auth, http form based, http digest, X509 certificates, SiteMinder based
- login form url ; force use of https ; auth failure url ; default url if target url is blank
- Remember me checks - no need to relogin if revisiting website within http session timeout
- Anonymous processing checks - no need to login at all for accessing some resources
- Filter Security Interceptor - delegates to authentication manager and access decision manager
- access decision manager associates url / resources with roles
- Associates url / resources with roles
- authentication manager -> Authentication Providers
- Anonymous DAO based ; LDAP based ; Jaas based ; Remote ; X509 based
No comments:
Post a Comment