x509 Authentication with DB Authorization

[605...@gmail.com]

I am trying to implement an OWF security model with X509 authentication as is done in the provided OWFsecurityContext_cert_only.xml file. However, rather than get authorization information from the user.properties file I would like to access it from a database. I was wondering if anyone has done this and could provide any direction. Thanks.

[Tina Coleman]

Shortest answer: the security model is built on top of Spring Security.  LOTS of good examples out there for doing just what you’re looking for, though there’s not an example directly in the OWF security context files. 

 

Loose walkthrough below, with pointers to useful resources:

You’ll see in the OWFsecurityContext_cert_only.xml file that it has a comment that

<!-- the x509 element above automatically adds an AuthenticationProvider so we do not need to specify one -->

 

You’ll want to remove the <sec:x509> header, which will remove your auto-generated authentication provider.  You’ll then need to provide an authentication-provider within the <sec:authentication-manager> block, as you see done in some of the other OWF security context files.  Spring Security provides a jdbc-user-service, which you can see used at http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ns-config.html...  That link also then provides a link to the schema Spring Security expects for users, authorities, and groups. 

 

The book Spring Security 3, by Peter Mularien, Chapter 4 walks through this all in detail, including how to customize the queries for user access, if you’re using non-standard schema.  The following thread on StackOverflow also provides a couple of good examples: http://stackoverflow.com/questions/7171460/using-mysql-database-to-authenticate-users-in-spring-security

 

 

 

Tina Coleman

NEXTCENTURYCORPORATION
7075 Samuel Morse Drive, Suite 250 | Columbia, MD 21046
m 443.545.3100 | f 443.285.0799 |www.nextcentury.com