Emmet is designed to provide a simple drop-in solution for authentication, access control and user account management for a public website. The software is based on SpringSecurity with Spring wirings that can be tailored using simple property files as described in the Customizing with Chico page.
Access control for web services (and more generally) is typically split into three problems:
- Authentication takes the steps required to determine the identity of a principal (e.g. a person) making a request. This could entail asking the user for an account name and password, capturing user biometrics or asking a trusted third party service to authenticate the user.
- Authorization determines what authorities (if any) an authenticated principal should be granted.
- Access control determines what information a principal with given authorities is allowed to access, and what actions they should be allowed to perform.
In a SpringSecurity-based architecture, the authentication problem is handled by one or more authentication providers in combination with a user details service that stores the details of known principals. The user details service typically also supplies each known principal's authorities. Finally, access control is handled by implementing application-specific rules based on the web request URI's path, or on the objects denoted or selected by the path and query.
In a sense, what we are doing in Emmet is not really different from regular SpringSecurity. The difference is really one of emphasis:
- SpringSecurity focuses on the scenario where a site uses one authentication scheme and one (local or enterprise) user details service. Emmet also provides hybrid schemes that combine multiple authentication schemes and multiple user details services.
- SpringSecurity focuses on configuration of monolithic sites by someone with expertise in the technology. Emmet tries to support component-based sites that are assembled by an integration engineer with little SpringSecurity expertise.
- Emmet components address the user management problem, providing web-based UIs for creating, modifying and deleting local accounts, as well as common self-management functions such as sign-up and resetting forgotten passwords.
Authentication
Emmet authentication is really just SpringSecurity authentication. Emmet also provides support for Shibboleth, but we hope that the Spring folks will eventually incorporate our Shibboleth code into the main code-base.
Emmet's hybrid authentication model means that we have some issues to deal with that regular SpringSecurity does not address:
- External authentication services (e.g. OpenID and Shibboleth) manage their own identifiers for users. If you are using multiple authentication services, you potentially need to deal with multiple external identifiers mapping to one local user account.
- External authentication services use different schemas for expressing attributes about users; e.g. names, affiliations, contact details. If we want to use this information in an application, we need to extract the information and map it to a common schema.
- If we want to support externally authenticated users who have no local account, we need to determine "default" user authorization based solely on the external authentication providers and the attributes that they provide.
To support this we have implemented, or will implement:
- An extended UserDetailsService interface that supports lookup based on external identifiers.
- A common implementation of the user details and associated classes.
- UserDetailsService wrappers to support the "no local account" use-cases.
- A custom UserDetailsService with a data model that supports users with multiple identifiers, and other features.
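The following is an added example, not Emmet's own code, showing how the extended lookup interface and the "no local account" wrapper described above fit together. The names ExternalIdUserDetailsService, InMemoryExternalIdService and DefaultAccountWrapper are hypothetical; the Spring Security types used (UserDetailsService, UserDetails, User, SimpleGrantedAuthority, UsernameNotFoundException) are the standard ones from Spring Security 3.1 or later, and the sample accounts and identifiers are constructed for illustration. External identifiers are keyed as "provider:identifier" so that several identifiers from different providers can map to one local account, and an unknown identifier from a provider with no configured defaults is rejected rather than silently granted access.

```java
package example.emmet;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Added example (hypothetical names): hybrid user details lookup with a "no local account" fallback. */
public final class HybridUserDetailsExample {

    /** Hypothetical extension of UserDetailsService: lookup by external identifier as well as username. */
    public interface ExternalIdUserDetailsService extends UserDetailsService {
        /** @param key external identifier in "provider:identifier" form, e.g. "shibboleth:alice@example.edu" */
        UserDetails loadUserByExternalId(String key) throws UsernameNotFoundException;
    }

    /** Minimal in-memory store in which one local account may own several external identifiers. */
    public static final class InMemoryExternalIdService implements ExternalIdUserDetailsService {
        private final Map<String, UserDetails> byUsername = new HashMap<>();
        private final Map<String, String> usernameByExternalId = new HashMap<>();

        public void addUser(UserDetails user, String... externalIds) {
            byUsername.put(user.getUsername(), user);
            for (String id : externalIds) {
                usernameByExternalId.put(id, user.getUsername());
            }
        }

        @Override
        public UserDetails loadUserByUsername(String username) {
            UserDetails u = byUsername.get(username);
            if (u == null) throw new UsernameNotFoundException("no local account: " + username);
            return u;
        }

        @Override
        public UserDetails loadUserByExternalId(String key) {
            String username = usernameByExternalId.get(key);
            if (username == null) throw new UsernameNotFoundException("unknown external id: " + key);
            return loadUserByUsername(username);
        }
    }

    /**
     * Wrapper for the "no local account" use-case. It delegates to the real store and, when the
     * external identifier is unknown, returns default user details whose authorities are decided
     * solely by which provider authenticated the user. Nothing is written to the store, so an
     * unknown external identity never creates or upgrades a local account.
     */
    public static final class DefaultAccountWrapper implements ExternalIdUserDetailsService {
        private final ExternalIdUserDetailsService delegate;
        private final Map<String, List<GrantedAuthority>> defaultAuthoritiesByProvider;

        public DefaultAccountWrapper(ExternalIdUserDetailsService delegate,
                                     Map<String, List<GrantedAuthority>> defaultAuthoritiesByProvider) {
            this.delegate = delegate;
            this.defaultAuthoritiesByProvider = defaultAuthoritiesByProvider;
        }

        @Override
        public UserDetails loadUserByUsername(String username) {
            return delegate.loadUserByUsername(username); // local logins are never defaulted
        }

        @Override
        public UserDetails loadUserByExternalId(String key) {
            try {
                return delegate.loadUserByExternalId(key);
            } catch (UsernameNotFoundException e) {
                int sep = key.indexOf(':');
                if (sep < 0) throw e; // malformed key: fail closed
                List<GrantedAuthority> auths = defaultAuthoritiesByProvider.get(key.substring(0, sep));
                if (auths == null) throw e; // provider not trusted for default access: fail closed
                // The password is never checked for externally authenticated users, so it is left empty.
                return new User(key, "", auths);
            }
        }
    }

    public static void main(String[] args) {
        InMemoryExternalIdService store = new InMemoryExternalIdService();
        // Constructed sample data: one local account reachable through two external identifiers.
        store.addUser(new User("alice", "<local-password-hash>",
                               List.of(new SimpleGrantedAuthority("ROLE_EDITOR"))),
                      "openid:https://alice.example.net/", "shibboleth:alice@example.edu");

        Map<String, List<GrantedAuthority>> defaults = new HashMap<>();
        defaults.put("shibboleth", List.of(new SimpleGrantedAuthority("ROLE_CAMPUS_USER")));
        // No entry for "openid": an unknown OpenID gets no default account at all.
        ExternalIdUserDetailsService service = new DefaultAccountWrapper(store, defaults);

        System.out.println(service.loadUserByExternalId("openid:https://alice.example.net/").getUsername());
        System.out.println(service.loadUserByExternalId("shibboleth:bob@example.edu").getAuthorities());
        try {
            service.loadUserByExternalId("openid:https://mallory.example.net/");
        } catch (UsernameNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The wrapper is the piece that would sit between an external authentication provider and the primary user details service: a known identifier resolves to the full local account, an unknown identifier from a configured provider gets only the provider's default authorities, and everything else fails closed with the original UsernameNotFoundException.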
The Emmet security wirings are organized as follows:
- The top level of the wirings is the "Emmet-security.xml" file. This simply consists of bean <import> elements that pull in a selected version of each of the "security scheme", "user details" and "site authorization" wirings.
- The "security scheme" wiring files configure the overall authentication scheme and the SpringSecurity components that are required to realize it. The security scheme wirings are defined in the different "Emmet-security-*.xml" files. Each one (apart from the "none" scheme!) defines an appropriate <http> element, an <authentication-manager> element and other beans as required.
- The "user details" wiring files configure the primary user details service to be used. There are currently just two versions: one using a simple in-memory store and the other using a custom store implemented with JDBC. The wiring files are called "Emmet-userDetails-*.xml".
- The "site authorization" wiring files contain the site-specific <intercept-url> lists. The files are called "Emmet-siteAuthorization-*.xml".
The user management side of Emmet is configured by the "Emmet-servlet.xml" and "EmmetWeb-servlet.xml" files.
Common Spring properties are defined in "Emmet-common.xml" and "Emmet-db.xml", and the Chico mechanisms are controlled by "siteTailoring.xml".