Group items tagged

Subject

'Subject' can mean a human being, but also a 3rd party process, daemon account, or anything similar. It simply means 'the thing that is currently interacting with the software'

Subject currentUser = SecurityUtils.getSubject();

SecurityManager

SecurityManager manages security operations for all users

Realms

Realm acts as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. That is, when it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.

Realm is essentially a security-specific DAO

Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more

Authorization

A permission is a raw statement of functionality, for example ‘open a door’, ‘create a blog entry’, ‘delete the ‘jsmith’ user’, etc. By having permissions reflect your application’s raw functionality, you only need to change permission checks when you change your application’s functionality. In turn, you can assign permissions to roles or to users as necessary at runtime.

“Run As” support for assuming the identity of another Subject

High-Level Overview

essentially a security specific 'view' of the the currently executing user

instances are all bound to (and require) a

When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager

'umbrella’ object that coordinates its internal security components that together form an object graph

‘connector’ between Shiro and your

Shiro looks up many of these things from one or more Realms configured for an application

component responsible determining users' access control in the application

if a user is allowed to do something or not

knows how to create and manage user

lifecycles

Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available

Shiro will use

if available, (e.g. Servlet Container)

if there isn't one, such as in a standalone application or non-web environment, it will use its

exists to allow any datasource to be used to

performs Session persistence (CRUD) operations on behalf of the SessionManager

allows any data store to be plugged in to the Session Management infrastructure

creates and manages Cache instance lifecycles used by other Shiro components

improve performance while using these data source

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

‘connector’ between Shiro and your application’s security data

elements of the user interface are displayed to the user based on the user's privilege level

assign permissions to individual objects within the application’s business domain

Permissions

Permissions assigned to user for a given resource in the tree are inherited by other resources

Permissions are inherited

persist user, group and role information in database. JPA implementation is his dream

Security Module Drafts

Identity

interface Identity

login()

logout()

getUser()

Events LoggedInEvent LoginFailedEvent AlreadyLoggedInEvent PreLoggedOutEvent PostLoggedOutEvent PreAuthenticateEvent PostAuthenticateEvent

Object level permission

Grant or revoke permissions

Group management

User/Identity management

identity.hasRole

identity.hasPermission

User, Group and Role

hooks for common IDM or Security operations

Audit and logging for permission and IDM related changes

Event API.

Impersonalization

Impersonalization

control which elements of the user interface are displayed to the user based on their assigned permissions

ask for permission

more advanced security resolution mechanisms

Rules based engine

external services - XACML

TomEE+

OpenEJB

Java API for XML Web Services (JAX-WS) Java API for RESTful Web Services (JAX-RS) Java EE Connector Architecture Java Messaging Service (JMS)

Java Servlets Java ServerPages (JSP) Java ServerFaces (JSF) Java Transaction API (JTA)

Subversion Tagging Plugin — This plugin automatically performs subversion tagging (technically speaking svn copy) on successful build.

ViewVC Plugin — This plugin integrates ViewVC browser interface for CVS and Subversion with Hudson.

Source code management

Build Pipeline Plugin — This plugin creates a pipeline of Hudson\Jenkins jobs and gives a view so that you can visualise it.

Build tools

JBoss Management Plugin — This plugin allows to manage a JBoss Application Server during build procedure

Maven 2 Project Plugin — Jenkin's Maven 2 project type

Phing Plugin — This plugin allows you to use Phing to build PHP projects.

Post build task — This plugin allows the user to execute a shell/batch task depending on the build log output. Java regular expression are allowed.

Promoted Builds Plugin — This plugin allows you to distinguish good builds from bad builds by introducing the notion of 'promotion'.

Publish Over SSH Plugin — Publish files and/or execute commands over SSH (SCP using SFTP)

Selenium AES Plugin — This plugin is for continuous regression test by Selenium Auto Exec Server (AES).

Vagrant Plugin — This plugin allows booting of Vagrant virtual machines, provisioning them and also executing scripts inside of them

Unicorn Validation Plugin — This plugin uses W3C's Unified Validator, which helps improve the quality of Web pages by performing a variety of checks.

Build wrappers

Android Emulator Plugin — Lets you automatically generate, launch and interact with an Android emulator during a build, with the emulator logs being captured as artifacts.

Artifactory Plugin — This plugin allows deploying Maven 2, Maven 3, Ivy and Gradle artifacts and build info to the Artifactory artifacts manager.

AWS Cloudformation Plugin — A plugin that allows for the creation of cloud formation stacks before running the build and the deletion of them after the build is completed.

Build Keeper Plugin — Select a policy for automatically marking builds as "keep forever" to enable long term analysis trending when discarding old builds - or use to protect logs and artifacts from certain builds

Build Name Setter Plugin — This plugin sets the display name of a build to something other than #1, #2, #3, ...

SSH plugin — You can use the SSH Plugin to run shell commands on a remote machine via ssh.

SeleniumRC Plugin — This plugin allows you to create Selenium server instance for each project build.

Vagrant Plugin — This plugin allows booting of Vagrant virtual machines, provisioning them and also executing scripts inside of them

Timestamper — Adds timestamps to the Console Output.

VirtualBox Plugin — This plugin integrates Jenkins with VirtualBox (version 3, 4.0 and 4.1) virtual machine.

Version Number Plugin — This plugin creates a new version number and stores it in the environment variable whose name you specify in the configuration.

VMware plugin — This plugin allows you to start a VMware Virtual Machine before a build and stop it again after the build completes.

AWS Cloudformation Plugin — A plugin that allows for the creation of cloud formation stacks before running the build and the deletion of them after the build is completed.

Desktop Notifier for Jenkins — This is useful for those who are looking for a Desktop Notifier for Jenkins builds to automatically notify you about failed builds directly from their desktops.

Email-ext plugin — This plugin allows you to configure every aspect of email notifications. You can customize when an email is sent, who should receive it, and what the email says.

Google Calendar Plugin — This plugin publishes build records over to Google Calendar

HTML5 Notifier Plugin — Provides W3C Web Notifications support for builds.

Jabber Plugin — Integrates Jenkins with the Jabber/XMPP instant messaging protocol. Note that you also need to install the instant-messaging plugin.

Build reports

Checkstyle Plugin — This plugin generates the trend report for Checkstyle, an open source static code analysis program. 

Clover PHP Plugin — This plugin allows you to capture code coverage reports from PHPUnit. For more information on how to set up PHP projects with Jenkins have a look at the Template for Jenkins Jobs for PHP Projects.

Crap4J Plugin — This plugin reads the "crappy methods" report from Crap4J. Hudson will generate the trend report of crap percentage and provide detailed information about changes.

Dependency Analyzer Plugin — This plugin parses dependency:analyze goal from maven build logs and generates a dependency report

Dependency Graph View Plugin — Shows a dependency graph of the projects using graphviz. Requires a graphviz installation on the server.

FindBugs Plugin — This plugin generates the trend report for FindBugs, an open source program which uses static analysis to look for bugs in Java code. 

Grinder Plugin — This plugin reads output result files from Grinder performance tests, and will generate reports showing test results for every build and trend reports showing performance results across builds.

JSUnit plugin — This plugin allows you publish JSUnit test results

Performance Plugin — This plugin allows you to capture reports from JMeter and JUnit . Hudson will generate graphic charts with the trend report of performance and robustness.

PerfPublisher Plugin — This plugin generates global and trend reports for tests results analysis. Based on an open XML tests results format, the plugin parses the generated files and publish statistics, reports and analysis on the current health of the project.

PMD Plugin — This plugin generates the trend report for PMD, an open source static code analysis program. 

Sonar plugin — Quickly benefit from Sonar, an open-source dashboard based on many analysis tools like Checkstyle, PMD and Cobertura.

testng-plugin — This plugin allows you to publish TestNG results.

Violations — This plug-in generates reports static code violation detectors such as checkstyle, pmd, cpd, findbugs, codenarc, fxcop, stylecop and simian.

xUnit Plugin — This plugin makes it possible to publish the test results of an execution of a testing tool in Jenkins.

Artifact uploaders

ArtifactDeployer Plugin — This plugin makes it possible to copy artifacts to remote locations.

Artifactory Plugin — This plugin allows deploying Maven 2, Maven 3, Ivy and Gradle artifacts and build info to the Artifactory artifacts manager.

Confluence Publisher Plugin — This plugin allows you to publish build artifacts as attachments to an Atlassian Confluence wiki page.

Deploy Plugin — This plugin takes a war/ear file and deploys that to a running remote application server at the end of a build

FTP-Publisher Plugin — This plugin can be used to upload project artifacts and whole directories to an ftp server.

HTML Publisher Plugin

Publish Over FTP Plugin — Publish files over FTP

Publish Over SSH Plugin — Publish files and/or execute commands over SSH (SCP using SFTP)

S3 Plugin — Upload build artifacts to Amazon S3

SCP plugin — This plugin uploads build artifacts to repository sites using SCP (SSH) protocol.

Hudson Helper for Android — Monitor your CI builds right from your Android device.

Hudson Mobi, the iPhone, iPod and Android client for Hudson CI — The iPhone, iPod and iPad client for Hudson CI monitoring on the road.

Hudson Monitor for Android — Monitor and display the status of your builds on your Android™ phone.

External site/tool integrations

ChuckNorris Plugin — Displays a picture of Chuck Norris (instead of Jenkins the butler) and a random Chuck Norris 'The Programmer' fact on each build page.

UI plugins

Active Directory plugin — With this plugin, you can configure Jenkins to authenticate the username and the password through Active Directory.

Audit Trail Plugin — Keep a log of who performed particular Jenkins operations, such as configuring jobs.

JClouds Plugin — This plugin uses JClouds to provide slave launching on most of the currently usable Cloud infrastructures.

Checkstyle Plugin — This plugin generates the trend report for Checkstyle, an open source static code analysis program. 

FindBugs Plugin — This plugin generates the trend report for FindBugs, an open source program which uses static analysis to look for bugs in Java code. 

JIRA Plugin — This plugin integrates Atlassian JIRA to Jenkins.

M2 Release Plugin — This plugin allows you to perform a release build using the maven-release-plugin from within Jenkins.

PMD Plugin — This plugin generates the trend report for PMD, an open source static code analysis program. 

Meme Generator Plugin — Generate Meme images when a build fails (and returns to stable), and post them on the project page.

length must be at least 128 bits (16 bytes)

Session ID Length

Session ID Name Fingerprinting

Session ID Properties

Session ID Entropy

must be unpredictable (random enough) to prevent guessing attacks

good PRNG (Pseudo Random Number Generator) must be used

must provide at least 64 bits of entropy

Session ID Content (or Value)

content (or value) must be meaningless

identifier on the client side

meaning and business or application logic associated to the session ID must be stored on the server side

session objects or in a session management database or repository

create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).

Session Management Implementation

defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID

token expiration date and time

This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods

Transport Layer Security

use an encrypted HTTPS (SSL/TLS) connection for the entire web session

process where the user credentials are exchanged.

“Secure” cookie attribute

must be used to ensure the session ID is only exchanged through an encrypted channel

never switch a given session from HTTP to HTTPS, or viceversa

should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)

should not offer public unencrypted contents and private encrypted contents from the same host

www.example.com over HTTP (unencrypted) for the public contents

secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)

only has port TCP/80 open

only has port TCP/443 open

“HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.

Secure Attribute

instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection

HttpOnly Attribute

instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object

Domain and Path Attributes

instructs web browsers to only send the cookie to the specified domain and all subdomains

instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application

vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com

Expire and Max-Age Attributes

it will be considered a

and will be stored on disk by the web browser based until the expiration time

use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.

Session ID Life Cycle

Log date and time

Event date and time

Application identifier

Application address

User identity

Type of event

Severity of event

Description

Action

original intended purpose of the request

Object

affected component

Result status

Reason

Extended details

Data to exclude

Access tokens

Session identification values

Sensitive personal data

passwords

Database connection strings

Encryption keys

payment

Information a user has opted out of collection

Synchronize time across all servers and devices

Input validation failures

Which events to log

proportional to the information security risks

Always log:

Authentication successes and failures

Authorization failures

Session management failures

Application errors and system events

Application and related systems start-ups and shut-downs

Use of higher-risk functionality

asks the user for multiple pieces of hard data that should have been

send the password reset information to some

such as a (possibly different) email address or an SMS text number, etc. to be used in Step 3.

Step 2) Verify Security Questions

application verifies that each piece of data is correct for the given username

If anything is incorrect, or if the username is not recognized, the second page displays a generic error message such as “Sorry, invalid data”. If all submitted data is correct, Step 2 should display at least two of the user’s pre-established personal security questions, along with input fields for the answers.

Avoid sending the username as a parameter

Do not provide a drop-down list

server-side session

user's email account may have already been compromised

SQL injection errors occur when:

Data enters a program from an

The data used to

consequences are:

Confidentiality:

sensitive data

Authentication

user names and passwords

Authorization

change this information

Integrity

read sensitive information

changes or even delete this information