
uw-spring-security

This project is intended to provide a re-usable library that integrates Spring Security with UW's common authentication approach.

The core of the project contains a re-usable extension of Spring's UserDetails called UWUserDetails. This interface (and its implementations) provides commonly used user attributes, like PVI, UDDS membership, full name, and email address.

One of the biggest benefits of this project is that the core data model is re-used between:

  • a production-ready configuration (using Shibboleth), and
  • a local development environment configuration that does not require developers to install a Shibboleth service provider.

Detailed usage documentation can be found at the project wiki.

This project was also the focus of a Lunch and Learn.

Why this?

Spring Security is an incredibly powerful and amazing way to secure your web application. There is arguably no better tool for Spring applications.

Spring Security, however, is terribly complex to integrate into a project. Read through the 'Hello World' example in Spring Security's reference docs. It's a long read, and when you are done you will be no closer to having Spring Security configured in a manner that's appropriate for use in a UW application.

Enter uw-spring-security. To get Spring Security fully integrated in your project, for both local development and deployed instances behind a Shibboleth Service Provider:

@Configuration
@Import(EverythingRequiresAuthenticationConfiguration.class)
public class MyApplicationConfiguration {
}

That's it! Your application will now be able to call Spring Security's:

SecurityContextHolder.getContext().getAuthentication().getPrincipal()

and get back an instance of UWUserDetails, which looks like this:

{
  pvi: "UW000A000",
  username: "admin",
  password: null,
  fullName: "Amy Administrator",
  emailAddress: "amy.administrator@demo.wisc.edu",
  uddsMembership: [
    "A535900"
  ],
  authorities: [ ],
  accountNonExpired: true,
  accountNonLocked: true,
  credentialsNonExpired: true,
  enabled: true,
  eppn: null,
  emailAddressHash: "b09ed4fa2272feede8b472d1184829dd",
  source: "local-users",
  customLogoutUrl: null,
  isisEmplid: null,
  firstName: null,
  lastName: null,
  displayName: null
}
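The principal is not always a UWUserDetails: for anonymous requests Spring Security returns the String "anonymousUser", and the Authentication itself can be null. The following is an added example, not code from uw-spring-security, showing a fail-closed accessor and a UDDS membership check. The class name CurrentUwUser is hypothetical, and the import path edu.wisc.uwss.UWUserDetails and the getter getUddsMembership() are assumptions inferred from the groupId and the field names shown above.

```java
import java.util.Collection;
import java.util.Optional;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Assumed package, inferred from the edu.wisc.uwss groupId.
import edu.wisc.uwss.UWUserDetails;

/** Hypothetical helper; not part of uw-spring-security. */
public final class CurrentUwUser {

  private CurrentUwUser() { }

  /**
   * Returns the authenticated UWUserDetails, or empty when there is no
   * authentication or the principal is some other type (for example the
   * String "anonymousUser" used for anonymous requests).
   */
  public static Optional<UWUserDetails> current() {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth == null || !auth.isAuthenticated()) {
      return Optional.empty();
    }
    Object principal = auth.getPrincipal();
    return principal instanceof UWUserDetails
        ? Optional.of((UWUserDetails) principal)
        : Optional.empty();
  }

  /** Fails closed: throws unless the caller is a member of the given UDDS. */
  public static UWUserDetails requireUdds(String udds) {
    UWUserDetails user = current()
        .orElseThrow(() -> new AccessDeniedException("No UW user is authenticated"));
    // getUddsMembership() is an assumed getter for the uddsMembership field.
    Collection<String> memberships = user.getUddsMembership();
    if (memberships == null || !memberships.contains(udds)) {
      throw new AccessDeniedException("Caller is not a member of UDDS " + udds);
    }
    return user;
  }
}
```

With the sample user shown above, `CurrentUwUser.requireUdds("A535900")` would return the user, and any other UDDS value would raise AccessDeniedException.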

Adding the dependencies to your project

The following instructions assume that you have access to the ADI-IA group repositories in GitLab.

  <repositories>
    <repository>
      <id>adi-ia-libraries</id>
      <url>https://git.doit.wisc.edu/api/v4/groups/15/-/packages/maven</url>
    </repository>
  </repositories>

Add the following dependencies:

  <dependency>
    <groupId>edu.wisc.uwss</groupId>
    <artifactId>uw-spring-security-core</artifactId>
  </dependency>
  <dependency>
    <groupId>edu.wisc.uwss</groupId>
    <artifactId>uw-spring-security-config</artifactId>
  </dependency>

The former, -core, should be a dependency in modules that integrate the user model within your service tier. The latter, -config, depends on -core and should be a dependency of your web application.

The uw-spring-security-sample-war is an example of how to activate the Spring @Configuration classes provided by the -config module in your application. Look at the edu.wisc.uwss.sample.configuration package for more detail.

Release Management

This project follows Semantic Versioning. Releases are published to the GitLab Maven repository associated with the project.

Add the following group repository to your Maven/Gradle build file:

  <repositories>
    <repository>
        <id>adi-ia-libraries</id>
        <url>https://git.doit.wisc.edu/api/v4/groups/15/-/packages/maven</url>
    </repository>
  </repositories>