Skip to main content

Home/ SoftwareEngineering/ Group items tagged security

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
kuni katsuya

Realm | Apache Shiro - 0 views

shiro.apache.org/realm.html

Shiro Realm

shared by kuni katsuya on 09 Aug 12 - No Cached
  • A Realm is a component that can access application-specific security data such as users, roles, and permissions. The Realm translates this application-specific data into a format that Shiro understands so Shiro can in turn provide a single easy-to-understand Subject programming API no matter how many data sources exist or how application-specific your data might be.
  • A Realm is essentially a security-specific DAO
kuni katsuya

Permissions | Apache Shiro - 0 views

shiro.apache.org/permissions.html

security Shiro permissions authorization

shared by kuni katsuya on 07 Aug 12 - No Cached
  • Permission as a statement that defines an explicit behavior or action
  • lowest-level constructs in security polices
  • explicitly define only "what" the application can do
  • ...69 more annotations...
  • do not at all describe "who" is able to perform the action(s)
  • Multiple Parts
  • Wildcard Permissions support the concept of multiple levels or parts. For example, you could restructure the previous simple example by granting a user the permission printer:query
  • Multiple Values Each part can contain multiple values. So instead of granting the user both the "printer:print" and "printer:query" permissions, you could simply grant them one: printer:print,query
  • All Values What if you wanted to grant a user all values in a particular part? It would be more convenient to do this than to have to manually list every value. Again, based on the wildcard character, we can do this. If the printer domain had 3 possible actions (query, print, and manage), this: printer:query,print,manage
  • simply becomes this: printer:*
  • Using the wildcard in this way scales better than explicitly listing actions since, if you added a new action to the application later, you don't need to update the permissions that use the wildcard character in that part.
  • Finally, it is also possible to use the wildcard token in any part of a wildcard permission string. For example, if you wanted to grant a user the "view" action across all domains (not just printers), you could grant this: *:view Then any permission check for "foo:view" would return true
  • Instance-Level Access Control
  • instance-level Access Control Lists
  • Checking Permissions
  • SecurityUtils.getSubject().isPermitted("printer:print:lp7200")
  • printer:*:*
  • all actions on a single printer
  • printer:*:lp7200
    • kuni katsuya
      kuni katsuya on 03 Sep 12
       
      note: wildcard * usage for 'actions' part
  • missing parts imply that the user has access to all values corresponding to that part
  • printer:print is equivalent to printer:print:*
  • Missing Parts
  • rule of thumb is to
  • use the most specific permission string possible
  • when performing permission checks
  • first part is the
  • domain
    • kuni katsuya
      kuni katsuya on 03 Sep 12
       
      aka 'resource'
  • that is being operated on (printer)
  • second part is the
  • action
  • (query) being performed
  • There is no limit to the number of parts that can be used
  • three parts - the first is the
  • domain
  • the second is the
  • action(s)
  • third is the
  • instance(s)
  • allow access to
  • all actions
  • all printers
  • can only leave off parts from the end of the string
  • Performance Considerations
  • runtime implication logic must execute for
  • each assigned Permission
  • implicitly using Shiro's default
  • WildcardPermission
  • which executes the necessary implication logic
  • When using permission strings like the ones shown above, you're
  • Shiro's default behavior for Realm
  • for every permission check
  • all of the permissions assigned to that user
  • need to be checked individually for implication
  • as the number of permissions assigned to a user or their roles or groups increase, the time to perform the check will necessarily increase
  • If a Realm implementor has a
  • more efficient way of checking permissions and performing this implication logic
  • Realm isPermitted* method implementations
  • should implement that as part of their
  • implies
  • user:*:12345
  • user:update:12345
  • printer
  • implies
  • printer:print
  • Implication, not Equality
  • permission
  • checks
  • are evaluated by
  • implication
  • logic - not equality checks
  • the former implies the latter
  • superset of functionality
  • implication logic can be executed at runtime
kuni katsuya

The New RBAC: Resource-Based Access Control | Stormpath - 0 views

www.stormpath.com/...-resource-based-access-control

RBAC Shiro authorization

shared by kuni katsuya on 07 Aug 12 - No Cached
kuni katsuya

Authentication Cheat Sheet - OWASP - 0 views

www.owasp.org/...Authentication_Cheat_Sheet

security authentication CheatSheet

shared by kuni katsuya on 09 Aug 12 - No Cached
  • Authentication Cheat Sheet
  • Sessions should be
  • unique per user
  • ...26 more annotations...
  • computationally very difficult to predict
  • "strong" password policy
  • Secure Password Recovery Mechanism
  • Require re-authentication for Sensitive Features
  • Authentication and Error Messages
  • can be used for the purposes of user ID and password enumeration
  • Incorrectly implemented error messages
  • generic manner
  • respond with a generic error message regardless if the user ID or password was incorrect
  • give no indication to the status of an existing account
  • Authentication responses
  • Invalid user ID or password"
  • does not indicate if the user ID or password is the incorrect parameter
  • Transmit Passwords Only Over TLS
  • login page
  • all subsequent authenticated pages
  • must be exclusively accessed over TLS
  • unencrypted session ID
  • credentials
  • Implement Account Lockout
  • lock out an account if more than a preset number of unsuccessful login attempts are made
  • can produce a result that locks out entire blocks of application users accounts
    • kuni katsuya
      kuni katsuya on 21 Sep 12
       
      somewhat of a denial-of-service attack, since legitimate users can no longer access their accounts/services
  • sensible strategy
  • is to lockout accounts for a number of hours
  • Password lockout mechanisms have a logical weakness
  • Session Management General Guidelines
kuni katsuya

trevmex/EnvJasmine · GitHub - 0 views

github.com/EnvJasmine

javascript headless testing jasmine testframeworks

shared by kuni katsuya on 07 Jun 12 - No Cached
  • EnvJasmine: Jasmine test runner for EnvJS. EnvJasmine allows you to run headless JavaScript tests.
kuni katsuya

Testing | Apache Shiro - 0 views

shiro.apache.org/testing.html

security ApacheShiro testing

shared by kuni katsuya on 22 Sep 12 - No Cached
  • Testing with Apache Shiro
  • how to enable Shiro in unit tests.
  • Subject
  • ...14 more annotations...
  • is security-specific view of the
  • 'currently executing' user
  • and that Subject instances are always bound to a thread to ensure we know who is executing logic at any time during the thread's execution
  • Subject instance must be created
  • Subject instance must be bound to the currently executing thread
  • Subject must be unbound to ensure that the thread remains 'clean' in any thread-pooled environment
  • Shiro has architectural components that perform this bind/unbind logic automatically
  • root Shiro Filter performs this logic when filtering a request
  • after creating a Subject instance, it must be bound to thread
  • Test Setup
  • 'setup' and 'teardown'
  • can be used in both unit testing and integration testing
  • AbstractShiroTest
  • abstract class AbstractShiroTest
kuni katsuya

AllPermission (Apache Shiro 1.2.1 API) - 0 views

shiro.apache.org/...AllPermission.html

security ApacheShiro authorization AllPermission

shared by kuni katsuya on 23 Sep 12 - No Cached
  • AllPermission
  • always implies any other permission
    • kuni katsuya
      kuni katsuya on 23 Sep 12
       
      equivalent to *:*, ie. all actions on all resource types
  • implies method
  • ...2 more annotations...
  • always returns true
  • have the ability to do anything
kuni katsuya

RolePermissionResolver (Apache Shiro 1.2.1 API) - 0 views

shiro.apache.org/...RolePermissionResolver.html

security ApacheShiro authorization RolePermissionResolver

shared by kuni katsuya on 23 Sep 12 - No Cached
  • RolePermissionResolver
  • resolves a String value and converts it into a Collection of Permission instances
  •  Collection<Permission> resolvePermissionsInRole(String roleString)
  • ...2 more annotations...
  • role name to resolve
  • Collection of Permissions
kuni katsuya

Edit Permissions - VFM Leonardo JIRA - 0 views

jira.vfmltech.com/...EditPermissions!default.jspa

shared by kuni katsuya on 18 Jan 13 - No Cached
  • Edit Issues
  • Administer Projects
  • Schedule Issues
    • kuni katsuya
      kuni katsuya on 18 Jan 13
       
      required for: - ranking issues (in backlog) https://confluence.atlassian.com/display/GH060/Ranking+an+Issue
  • ...25 more annotations...
  • Administer Projects
  • Administer Projects
  • Project Role (Product Owner)
  • Project Role (Scrum Master)
  • Project Role (Scrum Master)
  • Project Role (Product Owner)
  • Project Role (Scrum Master)
  • Project Role (Scrum Master)
  • Project Role (Scrum Master)
  • Project Role (Scrum Master)
  • Project Role (Scrum Master)
  • Project Role (Scrum Master)
  • Single User (anton.marinov)
  • Single User (felix.zhuang)
  • Single User (jason.ibele)
  • Single User (cuneyt.tuna)
  • Project Role (Product Owner)
  • Project Role (Scrum Master)
  • Project Role (Scrum Master) (
  • Project Role (Scrum Master)
  • Single User (parth.upadhye)
  • Project Role (Scrum Master)
  • Project Role (Product Owner)
  • Project Role (Product Owner)
  • Project Role (Scrum Master)
« First ‹ Previous 61 - 80 of 148 Next › Last »
Showing 20 items per page