Authentication

Spring Security

The jWebSocket propossed authentication mechanism is based on Spring Security.

Spring Security provides comprehensive security services for J2EE-based enterprise software applications. There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading J2EE solution for enterprise software development. If you're not using Spring for developing enterprise applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring - and in particular dependency injection principles - will help you get up to speed with Spring Security more easily.

At an authentication level, Spring Security supports a wide range of authentication models. Most of these authentication models are either provided by third parties, or are developed by relevant standards bodies such as the Internet Engineering Task Force. In addition, Spring Security provides its own set of authentication features. Specifically, Spring Security currently supports authentication integration with all of these technologies: Read more...

jWebSocket integration with Spring Security

jWebSocket benefits from Spring by re-using the authentication models, specifically those components that implements the following interfaces:

A jWebSocket core plug-in called "SystemPlugIn" who process the "login" and "logout" operations, uses an AuthenticationProvider to authenticate a user given the "username" and "password". Once the authentication is successfully done against the AuthenticationProvider, some valuable arguments are stored in the user session:

  • uuid: The user unique identifier, commonly the username or the user id
  • username: The username value
  • is_authenticated: A flag indicating that the user is authenticated
  • authorities: The list of authorities that the user have

However a developer can access the UserDetailsService used by the AuthenticationProvider to get more information of the authenticated user. See section "The UserDetailsService interface" below.

Example code accessing the user session information

// Getting the session
Map<String, Object> lSession = aConnector.getSession().getStorage();
// Getting the username
String lUsername = lSession.get(SystemPlugIn.USERNAME).toString();
// Getting the Unique User Identifier
String lUUID = lSession.get(SystemPlugIn.UUID).toString();
// Getting the is_authenticated flag
Boolean lIsAuthenticated = (Boolean)(lSession.get(SystemPlugIn.IS_AUTHENTICATED));
// Getting the authorities list
List<String> lAuthorities = Tools.parseStringArrayToList( lSession.get( SystemPlugIn.AUTHORITIES ).toString().split(" ")));

Configuration

The SystemPlugIn configuration is located in the $JWEBSOCKET_HOME/conf/SystemPlugIn/system.xml file, wish contains the beans definitions that assambly the AuthenticationProvider called "authManager" required by the SystemPlugIn to execute the authentication process.

The authManager bean definition

                        

The staticAuthProvider bean definition

                      

The staticAuthUserDetailsService bean definition:

                  guest=084e0343a0486ff05530df6c705c8bb4, ROLE_ADMIN_ROOT, enabled       user=ee11cbb19052e40b07aac0ca060c23ee, ROLE_EXTERNAL, ROLE_ADMIN_ROOT, enabled       root=63a9f0ea7bb98050796b649e85481845, ROLE_ADMIN_ROOT, enabled       admin=21232f297a57a5a743894a0e4a801fc3, ROLE_ADMIN_MAINTENANCE, enabled		          	 

The authPasswordEncoderMD5 bean definition


Calling "logon" and "logoff" from a JavaScript client

JavaScript client example code

//Creating the client instance
lWSC = new jws.jWebSocketJSONClient();
//lWSC.open...

//Calling logon operation
lWSC.login("username", "password", {
  OnSuccess: function(aResponse){
  },
  OnFailure: function(aResponse){
  }
});

//Calling logoff operation
lWSC.logout({
  OnSuccess: function(aResponse){
  },
  OnFailure: function(aResponse){
  }
});

Securing the server-side plug-ins

The plug-ins in jWebSocket represents the "controller" layer in a server application, so a plug-in generally contains methods that support part of the client requirements. Developers should use the "hasAuthority" method to check security restrictions inside the plug-ins. See the following example for more details:

/**
 * Some operation...
 * 
 * The client require to be authenticated 
 * The client require to have the authority "USER"
 * ...
 */
void someOperation(WebSocketConnector aConnector, Token aToken) {
  if (hasAuthority("USER")){
    //The user is authenticated and has the authority "USER"
    //...
  } else {
    getServer().sendToken(aConnector, lServer.createErrorToken(aToken, -1, "Not authorized!"));
  }
}

The UserDetailsService interface

Components that implements the UserDetailsService acts like a "user data repository" where the AuthenticationProvider search for the user information.

Most authentication providers take advantage of the UserDetails and UserDetailsService interfaces. Recall that the contract for UserDetailsService is a single method:

UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;

The returned UserDetails is an interface that provides getters that guarantee non-null provision of authentication information such as the username, password, granted authorities and whether the user account is enabled or disabled. Most authentication providers will use a UserDetailsService, even if the username and password are not actually used as part of the authentication decision.
Given UserDetailsService is so simple to implement, it should be easy for users to retrieve authentication information using a persistence strategy of their choice. Having said that, Spring Security does include a couple of useful base implementations, which we'll look at below. Read more...

Static (InMemory)

Is easy to use create a custom UserDetailsService implementation that extracts information from a persistence engine of choice, but many applications do not require such complexity. This is particularly true if you're building a prototype application or just starting integrating Spring Security, when you don't really want to spend time configuring databases or writing UserDetailsService implementations. Read more...

 

                  guest=084e0343a0486ff05530df6c705c8bb4, ROLE_ADMIN_ROOT, enabled       user=ee11cbb19052e40b07aac0ca060c23ee, ROLE_EXTERNAL, ROLE_ADMIN_ROOT, enabled       root=63a9f0ea7bb98050796b649e85481845, ROLE_ADMIN_ROOT, enabled       admin=21232f297a57a5a743894a0e4a801fc3, ROLE_ADMIN_MAINTENANCE, enabled		          	 

JDBC

Spring Security also includes a UserDetailsService that can obtain authentication information from a JDBC data source. Internally Spring JDBC is used, so it avoids the complexity of a fully-featured object relational mapper (ORM) just to store user details. If your application does use an ORM tool, you might prefer to write a custom UserDetailsService to reuse the mapping files you've probably already created. Returning to JdbcDaoImpl, an example configuration is shown below:

             

     

See database schema appendix Read more...

LDAP Authentication

LDAP is often used by organizations as a central repository for user information and as an authentication service. It can also be used to store the role information for application users.

There are many different scenarios for how an LDAP server may be configured so Spring Security's LDAP provider is fully configurable. It uses separate strategy interfaces for authentication and role retrieval and provides default implementations which can be configured to handle a wide range of situations. Read more...

Spring Bean Configuration

A typical configuration for LDAP authentication, might look like this:

          

                          uid={0},ou=people                                           

Read more...

 

 

Publications

Learn more about WebSockets in general, get background information and gain deeper insight!

Join jWebSocket

Wether developer, designer or translator – join the jWebSocket team and grow together with our success!

Copyright © 2013 Innotrade GmbH. All rights reserved.