426 Spring Security

The document outlines the Spring Security process for authenticating requests in a Tomcat web application using an OE Realm. Upon a successful authentication response, a serialized client principal token is created and stored in the Tomcat session memory using the JSESSIONID cookie to identify the session on subsequent requests. The OE Realm implementation interacts with an AppServer to authenticate users and retrieve user attributes by making calls to methods like GetAttribute, GetUsernames, and ValidatePassword.

Uploaded by keytasks

OE Realm (Form) Security Overview

(The original is a one-page flowchart with three panels; it is reconstructed here as text from the labels that survived extraction.)

Panel 1: Tomcat (WebApp) request handling

  - An HTTP request (GET, POST, PUT or DELETE) arrives, carrying the JSESSIONID cookie.
  - The Resource URI is matched against the Intercept-URI rules.
  - Rule is Anonymous / Permit All -> the request is forwarded to the AppServer.
  - Otherwise, is a session present?
      No  -> HTTP 302 (redirect to the login form)
      Yes -> the Client-Principal is extracted from session memory and its roles are compared with the rule.
            Matching role    -> the request is forwarded to the AppServer together with the [Client-Principal].
            No matching role -> the request is not forwarded.
  - Result of an AppServer request: Success (HTTP 200) or Failure; the diagram also shows HTTP 500 as an error result.
  - The AppServer is addressed as AppServerDC://<host>:<port>.

Panel 2: Spring Security Process (login and logout)

  Login:
  - The login form is served from /static/auth/.
  - The browser POSTs j_username and j_password to j_spring_security_check.
  - Authentication passes from RestApplicationAuth to OERealmAuthProvider, whose userDetailService is OERealmUserDetails, implemented by OERealmUserDetailsImpl.
  - OERealmUserDetailsImpl finds realmClass at realmURL (AppServerDC://<host>:<port>/oerealm); realmTokenFile supplies an optional static Client-Principal for that connection.
  - Success: a session is created, a new JSESSIONID is issued, and the Client-Principal is held in session memory.
  - Failure: the diagram shows HTTP 403.

  Logout:
  - GET /static/auth/j_spring_security_logout with the JSESSIONID cookie.
  - The session is found and deleted, and the JSESSIONID is returned blank.

  In the event of a successful response from the AppServer request, a serialized CP token will be created and stored in the Tomcat session memory. This will be identified via the JSESSIONID and returned to the browser for reference on subsequent requests so long as the session has not expired.

Panel 3: OE User Realm Class (implements IHybridRealm)

  Check sequence during login, in the order drawn:
  1. ValidateUser(<username>)      -> -1: Failed;    >0 (user id): continue
  2. GetAttribute ATTR_ENABLED     -> false: Failed; true: continue
  3. GetAttribute ATTR_LOCKED      -> true: Failed;  false: continue
  4. GetAttribute ATTR_EXPIRED     -> true: Failed;  false: continue
  5. GetAttribute ATTR_ROLES       -> returns the Role List (may be blank)
  6. ValidatePassword(<password>)  -> false: Failed; true: authenticated

  IHybridRealm methods listed in the diagram:
    method public character GetAttribute
    method public character GetAttributeNames
    method public character GetUsernames
    method public character GetUsernamesByQuery
    method public logical RemoveAttribute
    method public logical SetAttribute
    method public logical ValidatePassword
    method public integer ValidateUser
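The following is an added illustration of the flow in the diagram, not OpenEdge's code or anything from the uploaded document. A toy in-memory realm stands in for the ABL class implementing IHybridRealm (only ValidateUser, GetAttribute and ValidatePassword are modelled; their parameter lists are assumptions), a dictionary stands in for Tomcat session memory keyed by JSESSIONID, and the user records are constructed sample data. It shows the fail-fast order of the login checks (user, enabled, locked, expired, roles, then password) and the Panel 1 decision for a non-anonymous intercept rule.

```python
"""Added example: OE Realm login check sequence and session/role check (not OpenEdge code)."""
import hashlib
import hmac
import json
import secrets

# Attribute names as they appear in the diagram.
ATTR_ENABLED = "ATTR_ENABLED"
ATTR_LOCKED = "ATTR_LOCKED"
ATTR_EXPIRED = "ATTR_EXPIRED"
ATTR_ROLES = "ATTR_ROLES"


def _pw_hash(salt: bytes, password: str) -> bytes:
    # Password storage is an assumption for the toy realm; the real realm class decides this.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ToyRealm:
    """In-memory stand-in for the OE user realm class (constructed sample data)."""

    def __init__(self):
        self._users = {}      # user id -> record
        self._by_name = {}    # username -> user id

    def add_user(self, username, password, roles="", enabled=True, locked=False, expired=False):
        uid = len(self._users) + 1        # ids are > 0, as the diagram requires
        salt = secrets.token_bytes(16)
        self._users[uid] = {
            "salt": salt, "hash": _pw_hash(salt, password),
            ATTR_ENABLED: "true" if enabled else "false",
            ATTR_LOCKED: "true" if locked else "false",
            ATTR_EXPIRED: "true" if expired else "false",
            ATTR_ROLES: roles,            # comma-separated list, may be blank
        }
        self._by_name[username] = uid
        return uid

    # ValidateUser: -1 when the user is unknown, the user id (> 0) otherwise
    def validate_user(self, username: str) -> int:
        return self._by_name.get(username, -1)

    # GetAttribute: character value of a named attribute ("" when unset)
    def get_attribute(self, user_id: int, name: str) -> str:
        return self._users[user_id].get(name, "")

    # ValidatePassword: constant-time compare against the stored hash
    def validate_password(self, user_id: int, password: str) -> bool:
        rec = self._users[user_id]
        return hmac.compare_digest(rec["hash"], _pw_hash(rec["salt"], password))


def authenticate(realm: ToyRealm, username: str, password: str):
    """Walk the diagram's check sequence in order; return (ok, reason, roles)."""
    uid = realm.validate_user(username)
    if uid == -1:
        return False, "unknown user", []
    if realm.get_attribute(uid, ATTR_ENABLED) != "true":
        return False, "account disabled", []
    if realm.get_attribute(uid, ATTR_LOCKED) == "true":
        return False, "account locked", []
    if realm.get_attribute(uid, ATTR_EXPIRED) == "true":
        return False, "account expired", []
    roles = [r for r in realm.get_attribute(uid, ATTR_ROLES).split(",") if r]
    if not realm.validate_password(uid, password):   # password is checked last, as drawn
        return False, "bad password", []
    return True, "ok", roles


class SessionStore:
    """Stand-in for Tomcat session memory: JSESSIONID -> serialized client principal."""

    def __init__(self):
        self._sessions = {}

    def create(self, username, roles) -> str:
        session_id = secrets.token_urlsafe(24)       # unguessable id plays the new JSESSIONID
        self._sessions[session_id] = json.dumps({"user": username, "roles": roles})
        return session_id

    def principal(self, session_id):
        raw = self._sessions.get(session_id)
        return json.loads(raw) if raw else None

    def delete(self, session_id):
        self._sessions.pop(session_id, None)         # logout: find and delete the session


def login(realm, sessions, username, password):
    """Login outcome: (new session id, "ok") on success, (None, reason) on failure."""
    ok, reason, roles = authenticate(realm, username, password)
    if not ok:
        return None, reason      # log the reason server-side; the browser only sees a generic failure
    return sessions.create(username, roles), "ok"


def authorize(sessions, session_id, required_role):
    """Panel 1 decision for a non-anonymous rule: 302 without a session, forward on a role match."""
    principal = sessions.principal(session_id)
    if principal is None:
        return "302 redirect to login"
    if required_role in principal["roles"]:
        return "forward with Client-Principal"
    return "deny"
```

The distinct failure reasons exist for server-side logging and lockout logic; the response returned to the browser should stay uniform (the diagram shows HTTP 403) so that it does not reveal which check failed.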
