CBSecurity - Secure all Things
•
0 recomendaciones•323 vistas
The ColdBox cbsecurity module will enhance your ColdBox applications by providing out of the box security in the form of: A security rule engine for validating incoming requests Annotation driven security for validating incoming events to handlers and actions JWT (Json Web Tokens) generator, decoder and authentication services A security service to provide you with functional approaches to security context authorization
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a CBSecurity - Secure all Things
Similar a CBSecurity - Secure all Things (20)
Más de Ortus Solutions, Corp
Más de Ortus Solutions, Corp (20)
Último
Último (20)
CBSecurity - Secure all Things
- 1. cbSecurity Secure All Things By Luis Majano
- 2. @lmajano @ortussolutions Luis Majano Intro • Salvadorean Born! • Imported to the USA • Computer Engineering • CEO of Ortus Solutions • Houston,Texas
- 3. Inspiration Applying security concerns to our web applications is paramount. Every application will need it. Many forms of application security and many levels.
- 4. Agenda What is cbSecurity? Module Composition Authentication Authorization Implementation
- 5. What is cbSecurity ✴ A collection of modules to help secure your applications ✴ Major Areas of Concern: ✴ Security Authentication/Authorization Firewall (cbsecurity) ✴ Incoming event/url ✴ Handler annotations ✴ Security Service for explicit authorizations (cbsecurity) ✴ JWT generator, decoder and authentication services (jwtcfml) ✴ CSRF Protection (cbsrf) ✴ Authentication Manager (cbauth)
- 7. What is needed for security? ✴ Authentication System ✴ Validates user credentials ✴ Logs them in and out ✴ Tracks their session ✴ Authorization System ✴ Validate permissions/roles/etc
- 9. What is cbAuth ✴ Authentication system ✴ Authenticates users ✴ Logs them in and out ✴ Tracks their session (many storages) ✴ Has NO knowledge of your Database/Users ✴ You must provide a UserService and a User object ✴ This is how it knows how to authenticate users ✴ What’s another generic authentication system? ✴ cflogin, cfloginuser
- 10. cbauth() methods ✴ login( user ) ✴ logout() ✴ authenticate( username, password ) ✴ isLoggedIn() ✴ getUser()
- 12. cbauth() - UserService methods ✴ isValidCredentials( username, password ) ✴ retrieveUserByUsername( username ) ✴ retrieveUserById( id )
- 13. cbauth() - User methods ✴ getId()
- 14. Is cbauth Mandatory? ✴ No! ✴ Use cflogin/cfloginuser ✴ Build your own ✴ Use third-party providers (Okta, google, facebook, github, etc) ✴ How will cbsecurity know how to use it? ✴ 1 Object that adheres to IAuthService ✴ Tell cbSecurity settings about that object
- 15. cbauth() IAuthService methods ✴ login( user ) ✴ logout() ✴ authenticate( username, password ) ✴ isLoggedIn() ✴ getUser() Hmmm, seems familiar
- 16. Authorization
- 17. What is authorization? ✴ If an AUTHENTICATED user has access to a resource ✴ How do we grant access => Authorization Indicators ✴ Roles ✴ Permissions ✴ Custom ✴ Where do we store these indicators? ✴ Determined by authentication service ✴ cflogin/cfloginuser provides roles ✴ cbsecurity encourages permissions against the User.hasPermission() ✴ Okta/Windows/AD/ETC
- 18. CBSecurity Validators ✴ How does we validate authorization indicators : VALIDATORS ✴ CFValidator :Verifies using isUserInAnyRole() ✴ CBAuthValidator :Verifies against the User object’s hasPermission( permission ) ✴ JWTService :Validates tokens, token scopes and then validates permissions against the User object’s hasPermission( permission ) ✴ Custom : Validates against whatever you want!
- 19. cbauth() - User methods ✴ getId() ✴ hasPermission( permission ) : boolean
- 20. How do we secure? 1. Security Rules 2. Handler Annotations 3. cbSecurity explicit methods
- 21. Security Rules (Firewall) ✴ Rules are evaluated from top to bottom (Order is important) ✴ Rules secure incoming events/urls (preProcess) ✴ Global rules and Module Rules ✴ Rules can come from: ✴ Config ✴ Database ✴ XML, JSON ✴ Object ✴ Rules are tied to an interceptor instance ✴ You can have MANY security interceptors with many different rules
- 22. Security Rule
- 23. Security Rule
- 25. Handler Annotation Security ✴ Cascading Security ✴ Component ✴ Access to all actions ✴ Actions ✴ Specific action security ✴ secure AnnotationValue ✴ Nothing - Authenticated ✴ List - Authorizations
- 27. cbSecurity Model ✴ Explicit Evaluations ✴ Fluent constructs ✴ cbsecure() mixin (handlers/layouts/views/interceptors) ✴ Injection @cbsecurity (models) ✴ DifferentTypes of Methods: ✴ Blocking : throw a NotAuthorized exception ✴ Action : Functional if statement ✴ Verification :Verify permissions, user, etc. ✴ RequestContext Helpers
- 28. cbSecurity - Blocking Methods secure( permissions, [message] ) secureAll( permissions, [message] ) secureNone( permissions, [message] ) secureWhen( context, [message] )
- 29. cbSecurity - Action Context Methods when( permissions, success, fail ) whenAll( permissions, success, fail ) whenNone( permissions, success, fail )
- 30. cbSecurity - Verification Methods has( permissions ):boolean all( permissions ):boolean none( permissions ):boolean sameUser( user ):boolean
- 31. cbSecurity - Request Context Methods secureView( permissions, successView, failView )
- 32. JWT Security
- 34. Jwt-cfml ✴ https://forgebox.io/view/jwt-cfml ✴ Encode/Decode JSON WebTokens ✴ HS256 ✴ HS384 ✴ HS512 ✴ RS256 ✴ RS384 ✴ RS512 ✴ ES256 ✴ ES384 ✴ ES512
- 35. JWT ✴ JWTService ✴ Acts as a validator ✴ Can also be a helper in your handlers/interceptors: jwt() ✴ Can also be used in your models via injection: JWTService@cbSecurity ✴ Rest and rest-cmvc templates give a full working example
- 36. JWT Storage ✴ VeryVery Important ✴ Invalidate keys ✴ Black list keys ✴ Rotate keys ✴ Storage Drivers ✴ Cachebox : Use any provider ✴ DB : Database ✴ Custom
- 37. JWT - How do we work with it? ✴ Authentication Service √ ✴ Authorization by Permission √ ✴ User Object √ ✴ UserService Object √ ✴ Configure JWT ✴ Update User Object Coding Time!