Group items tagged

"strong" password policy

Secure Password Recovery Mechanism

Require re-authentication for Sensitive Features

Authentication and Error Messages

can be used for the purposes of user ID and password enumeration

Incorrectly implemented error messages

generic manner

respond with a generic error message regardless if the user ID or password was incorrect

give no indication to the status of an existing account

Authentication responses

Invalid user ID or password"

does not indicate if the user ID or password is the incorrect parameter

Transmit Passwords Only Over TLS

must be exclusively accessed over TLS

unencrypted session ID

credentials

Implement Account Lockout

lock out an account if more than a preset number of unsuccessful login attempts are made

can produce a result that locks out entire blocks of application users accounts

is to lockout accounts for a number of hours

Session Management General Guidelines

Caching: Spring Security optionally integrates with Spring's Ehcache factory. This flexibility means your database (or other authentication repository) is not repeatedly queried for authentication information when using Spring Security with stateless applications.

Run-as replacement: The system fully supports temporarily replacing the authenticated principal for the duration of the web request or bean invocation. This enables you to build public-facing object tiers with different security configurations than your backend objects.

Tag library support: Your JSP files can use our taglib to ensure that protected content like links and messages are only displayed to users holding the appropriate granted authorities. The taglib also fully integrates with Spring Security's ACL services, and obtaining extra information about the logged-in principal.

User Provisioning APIs: Support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration.

Enterprise-wide single sign on using CAS 3: Spring Security integrates with JA-SIG's open source Central Authentication Service (CAS)

Principle of least privilege

object-capability model, any software entity can potentially act as both a subject and object

Access control models used by current systems tend to fall into one of two classes:

Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject)

identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did.

Authorization determines what a subject can do on the system

Authorization

Access control models

categorized as either discretionary or non-discretionary

three most widely recognized models are

Attribute-based access control

Discretionary access control

Discretionary access control (DAC) is a policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.

Every object in the system has an owner

access policy for an object is determined by its owner

DAC systems, each object's initial owner is the subject that caused it to be created

Mandatory access control

Mandatory access control refers to allowing access to a resource

that allow a given user to access the resource

Management is often simplified (over what can be required) if the information can be protected using

or by implementing sensitivity labels.

Sensitivity labels

A subject's sensitivity label specifies its

level of trust required for access

subject must have a sensitivity level equal to or higher than the requested object

Role-based access control

Role-based access control (RBAC) is an

access policy

Access control

Authorization Classes Policy AuthPermission PrivateCredentialPermission

Subject

Principals

Credentials

Authorization Classes

Policy

AuthPermission

Step 2 securing some content

create a database that will hold the list of the authorized users along with their password

Create a new directory “auth” and add a new JSP under it, let’s call it “BackOffice.jsp“

enable Shiro into our project by adding a ServletFilter into our Web.xml

 <filter-class>05            org.apache.shiro.web.servlet.IniShiroFilter06        </filter-class>

10    <filter-mapping>11         <filter-name>ShiroFilter</filter-name>12         <url-pattern>/*</url-pattern>13    </filter-mapping>

classpath:shiro.ini

shiro-core

shiro-web

create shiro.ini under resource dir

07ds.jdbcUrl=jdbc:derby://localhost:1527/shiro_schema08ds.username = APP09ds.password = APP

15/auth/** = authcBasic16/** = anon

jdbcRealm.authenticationQuery

jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm

setup the jdbc realm, this is where Shiro will find the authorized users

map the URLs to be protected, all the url under /auth should be authenticated with basic HTTP authentication

All the other URLs should be accessed without authentication

Add a new directory under src let’s call it production we will create a new shiro configuration file compatible with MySQL

06ds.serverName = localhost07ds.user = ADM08ds.password = secret12309ds.databaseName = shiro_schema

jdbcRealm which use a MySQL driver

added the appropriate dependency to maven pom.xml

mysql-connector-java

environment.type

staging

13                <jdbc.user>APP</jdbc.user>14                <jdbc.passwd>APP</jdbc.passwd>15                <jdbc.url>jdbc:derby://localhost:1527/shiro_schema</jdbc.url>16                <jdbc.driver>org.apache.derby.jdbc.ClientDriver</jdbc.driver>

src/main/resources

derbyclient

production

environment.type

45                <jdbc.user>ADM</jdbc.user>46                <jdbc.passwd>secret123</jdbc.passwd>47                <jdbc.ds>com.mysql.jdbc.jdbc2.optional.MysqlDataSource</jdbc.ds>48                <jdbc.serverName>localhost</jdbc.serverName>49                <jdbc.databaseName>shiro_schema</jdbc.databaseName>

src/production/resources

To build and run for staging

To build for production

-Denvironment.type=prod

JdbcRealm

A Realm is a security component that can access application-specific security entities such as users, roles, and permissions to determine authentication and authorization operations

security-specific DAOs

If for some reason you don't want your Realm implementation to perform authentication duties, you should override the supports(org.apache.shiro.authc.AuthenticationToken) method to always return false

does not require you to implement or extend any User, Group or Role interfaces or classes

Shiro tries to maintain a non-intrusive development philosophy

represents data submitted for any given login attempt

implementations represent already-verified and stored account data

Since Shiro sometimes logs authentication operations, please

as these might be viewable to someone reading your logs

listen to lifecycle events during a session's lifetime

retain the IP address or host name of the host from where the session was initiated

can be prolonged via a touch() method to keep them 'alive' if desired

can use Shiro sessions in existing web applications and you

easily stored in any data source

can be

across applications if needed

'poor man's SSO'

simple sign-on experience since the shared session can retain authentication state

interface-based and implemented with POJOs

allows you to easily configure all session components with any JavaBeans-compatible configuration format, like JSON, YAML

easily extend

customize session management functionality

session data can be easily stored in any number of data sources

easily clustered using any of the readily-available networked caching products

no matter what container you deploy to, your sessions will be clustered the same way

No need for container-specific configuration!

Shiro sessions can be 'shared' across various client technologies

listen for these events and react to them for custom application behavior

SecurityUtils.getSubject()

currentUser.getSession()

If the Subject already has a Session, the boolean argument is ignored and the Session is returned immediately

If the Subject does not yet have a Session and the create boolean argument is true,

and returned.

If the Subject does not yet have a Session and the create boolean argument is false, a new session will not be created and null is returned.

method functions the same way as the

HttpServletRequest.getSession(boolean create) method:

always have to include this library in either WEB-INF/lib

support for CDI is included in the library granite-cdi.jar

10.1. Configuration with Servlet 3 On Servlet 3 compliant containers, GraniteDS can use the new APIs to automatically register its own servlets and filters and thus does not need any particular configuration in web.xml. This automatic setup is triggered when GraniteDS finds a class annotated with @FlexFilter in one of the application archives:

@FlexFilter(configProvider=CDIConfigProvider.class) public class GraniteConfig { }  

list of annotation names that enable remote access to CDI beans

@FlexFilter declaration will setup an AMF processor for the specified url pattern

@TideEnabled

@RemoteDestination

always declared by default

10.3.2. Typesafe Remoting with Dependency Injection

It is possible to benefit from even more type safety by using the annotation [Inject] instead of In. When using this annotation, the full class name is used to find the target bean in the CDI context instead of the bean name.

Security

integration between the client RemoteObject credentials and the server-side container security

client-side component named

API to define runtime authorization checks on the Flex UI

bindable property

represents the current authentication state

integrated with server-side role-based security

clear the security cache manually with

other CDI Extensions projects.

container agnostic

different containers get activated via

CDI container integration via

Building Apache DeltaSpike

DeltaSpike-0.3

Release Notes

[DELTASPIKE-62] - Discuss security module

[DELTASPIKE-74] - unit and integration tests for @Secured

 [DELTASPIKE-75] - documentation for @Secured

[DELTASPIKE-78] - review and discuss Authentication API

 [DELTASPIKE-77] - review and discuss Identity API

[DELTASPIKE-79] - review and discuss Authorization API

[DELTASPIKE-81] - review and discuss Identity Management

[DELTASPIKE-82] - review and discuss external authentication

[DELTASPIKE-176] - unit and integration tests for @Transactional

[DELTASPIKE-177] - documentation for @Transactional

 [DELTASPIKE-179] - unit and integration tests for @TransactionScoped

[DELTASPIKE-175] - @Transactional for EntityTransaction

 [DELTASPIKE-178] - @TransactionScoped

 [DELTASPIKE-190] - Create ConfigurableDataSource

[DELTASPIKE-219] - @Transactional for JTA UserTransaction

[DELTASPIKE-230] - Fallback stragtegy for resource bundles and locales

  [DELTASPIKE-223] - Add convention for @MessageResource annotated types.