Skip to main content

Home/ SoftwareEngineering/ Group items tagged subject

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
kuni katsuya

Access control - Wikipedia, the free encyclopedia - 0 views

en.wikipedia.org/...Access_control

security models authentication authorization

shared by kuni katsuya on 31 Aug 12 - No Cached
  • Computer security
  • authentication, authorization and audit
  • In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects
  • ...39 more annotations...
  • Principle of least privilege
  • object-capability model, any software entity can potentially act as both a subject and object
  • Access control models used by current systems tend to fall into one of two classes:
  • those based on capabilities
  • those based on access control lists (ACLs)
  • Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject)
  • identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did.
  • Authorization determines what a subject can do on the system
  • Authorization
  • Access control models
  • categorized as either discretionary or non-discretionary
  • three most widely recognized models are
  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Role Based Access Control (RBAC)
  • Attribute-based access control
  • Discretionary access control
  • Discretionary access control (DAC) is a policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.
  • Every object in the system has an owner
  • access policy for an object is determined by its owner
  • DAC systems, each object's initial owner is the subject that caused it to be created
  • Mandatory access control
  • Mandatory access control refers to allowing access to a resource
  • if and only if rules exist
  • that allow a given user to access the resource
  • Management is often simplified (over what can be required) if the information can be protected using
  • hierarchical access control
  • or by implementing sensitivity labels.
  • Sensitivity labels
  • A subject's sensitivity label specifies its
  • level of trust
  • level of trust required for access
  • subject must have a sensitivity level equal to or higher than the requested object
  • Role-based access control
  • Role-based access control (RBAC) is an
  • access policy
  • determined by the system
  • not the owner
  • Access control
kuni katsuya

Subject | Apache Shiro - 0 views

shiro.apache.org/subject.html

security ApacheShiro subject documentation

shared by kuni katsuya on 23 Sep 12 - No Cached
  • Understanding Subjects in Apache Shiro
  • 'Subject'
  • is just a security term that means a
  • ...8 more annotations...
  • security-specific 'view'
  • of an application user
  • Subject instance represents both security state and operations for
  • a single application user
  • in the security world, the term 'Subject' is actually the recognized nomenclature
  • Subject currentUser = SecurityUtils.getSubject();
  • obtain the currently executing Subject by using org.apache.shiro.SecurityUtils:
  • Subject based on user data associated with current thread or incoming request.
kuni katsuya

AuthorizingRealm (Apache Shiro 1.2.1 API) - 0 views

shiro.apache.org/...AuthorizingRealm.html

security ApacheShiro authorization AuthorizingRealm realm

shared by kuni katsuya on 09 Sep 12 - No Cached
  • perform all role and permission checks automatically
  • getAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) method returns an AuthorizationInfo
  • subclasses do not have to write this logic
  • ...11 more annotations...
  • If caching is enabled and if any authorization data for an account is changed at runtime, such as adding or removing roles and/or permissions, the subclass implementation should clear the cached AuthorizationInfo for that account via the
  • clearCachedAuthorizationInfo method
  • getAuthorizationInfo
  • AuthorizingRealm
  • AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)
  • Returns an account's authorization-specific information for the specified principals, or null if no account could be found
  • This implementation obtains the actual AuthorizationInfo object
  • from the subclass's implementation of doGetAuthorizationInfo
  • and then caches it for efficient reuse if caching is enabled
  • clearCachedAuthorizationInfo(PrincipalCollection principals)
  • Clears out the AuthorizationInfo cache entry for the specified account.
kuni katsuya

Application Security With Apache Shiro - 0 views

www.infoq.com/...apache-shiro

security ApacheShiro

shared by kuni katsuya on 08 Aug 12 - No Cached
  • previously known as the JSecurity project
  • The word Subject is a security term that basically means "the currently executing user"
  • Core Concepts: Subject, SecurityManager, and Realms
  • ...12 more annotations...
  • Subject
  • 'Subject' can mean a human being, but also a 3rd party process, daemon account, or anything similar. It simply means 'the thing that is currently interacting with the software'
  • Subject currentUser = SecurityUtils.getSubject();
  • SecurityManager
  • SecurityManager manages security operations for all users
  • Realms
  • Realm acts as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. That is, when it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.
  • Realm is essentially a security-specific DAO
  • Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more
  • Authorization
  • A permission is a raw statement of functionality, for example ‘open a door’, ‘create a blog entry’, ‘delete the ‘jsmith’ user’, etc. By having permissions reflect your application’s raw functionality, you only need to change permission checks when you change your application’s functionality. In turn, you can assign permissions to roles or to users as necessary at runtime.
  • “Run As” support for assuming the identity of another Subject
kuni katsuya

Architecture | Apache Shiro - 0 views

shiro.apache.org/architecture.html

apache shiro architecture

shared by kuni katsuya on 15 Aug 12 - No Cached
  • Realm is essentially a security-specific DAO
  • 3 primary concepts:
  • Subject
  • ...51 more annotations...
  • SecurityManager
  • Realms
  • High-Level Overview
  • Subject
  • essentially a security specific 'view' of the the currently executing user
  • Subject
  • instances are all bound to (and require) a
  • SecurityManager
  • When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager
  • SecurityManager
  • 'umbrella’ object that coordinates its internal security components that together form an object graph
  • Realms
  • ‘connector’ between Shiro and your
  • application’s security data
  • Shiro looks up many of these things from one or more Realms configured for an application
  • Subject
  • SecurityManager
  • Authenticator
  • Authorizer
  • component responsible determining users' access control in the application
  • if a user is allowed to do something or not
  • SessionManager
  • knows how to create and manage user
  • Session
  • lifecycles
  • Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available
  • Shiro will use
  • an existing session mechanism
  • if available, (e.g. Servlet Container)
  • if there isn't one, such as in a standalone application or non-web environment, it will use its
  • built-in enterprise session management
  • SessionDAO
  • exists to allow any datasource to be used to
  • persist sessions
  • SessionDAO
  • performs Session persistence (CRUD) operations on behalf of the SessionManager
  • allows any data store to be plugged in to the Session Management infrastructure
  • CacheManager
  • creates and manages Cache instance lifecycles used by other Shiro components
  • improve performance while using these data source
  • Cryptography
  • Realms
  • ‘connector’ between Shiro and your application’s security data
  • Realms
  • Realms
  • Realms
  • ‘connector’ between Shiro and your application’s security data
  • ‘connector’ between Shiro and your application’s security data
  • ‘connector’ between Shiro and your application’s security data
  • ‘connector’ between Shiro and your application’s security data
  • ‘connector’ between Shiro and your application’s security data
kuni katsuya

Testing | Apache Shiro - 0 views

shiro.apache.org/testing.html

security ApacheShiro testing

shared by kuni katsuya on 22 Sep 12 - No Cached
  • Testing with Apache Shiro
  • how to enable Shiro in unit tests.
  • Subject
  • ...14 more annotations...
  • is security-specific view of the
  • 'currently executing' user
  • and that Subject instances are always bound to a thread to ensure we know who is executing logic at any time during the thread's execution
  • Subject instance must be created
  • Subject instance must be bound to the currently executing thread
  • Subject must be unbound to ensure that the thread remains 'clean' in any thread-pooled environment
  • Shiro has architectural components that perform this bind/unbind logic automatically
  • root Shiro Filter performs this logic when filtering a request
  • after creating a Subject instance, it must be bound to thread
  • Test Setup
  • 'setup' and 'teardown'
  • can be used in both unit testing and integration testing
  • AbstractShiroTest
  • abstract class AbstractShiroTest
kuni katsuya

AuthorizingRealm (Apache Shiro :: Core 1.1.0 API) - 0 views

127.0.0.1/...AuthorizingRealm.html

security ApacheShiro Realm AuthorizingRealm authorization

shared by kuni katsuya on 03 Sep 12 - No Cached
  • Class AuthorizingRealm
  • An AuthorizingRealm extends the AuthenticatingRealm's capabilities by adding Authorization (access control) support
  • perform all role and permission checks automatically (and subclasses do not have to write this logic) as long as the getAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) method returns an AuthorizationInfo
  • ...3 more annotations...
  • AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)
  • Returns an account's authorization-specific information for the specified principals, or null if no account could be found
  • automatically perform access control checks for the corresponding Subject
kuni katsuya

Session Management | Apache Shiro - 0 views

shiro.apache.org/session-management.html

java security authentication authorization ApacheShiro SessionManagement session

shared by kuni katsuya on 04 Oct 12 - No Cached
  • available in any application,
  • regardless of container.
  • even if you deploy your application in a Servlet or EJB container, there are still compelling reasons to use Shiro's Session support instead of the container's
  • ...40 more annotations...
  • Easy Custom Session Storage
  • POJO/J2SE based (IoC friendly)
  • Container-Independent Clustering!
  • Heterogeneous Client Access
  • Event Listeners
  • listen to lifecycle events during a session's lifetime
  • Host Address Retention
  • retain the IP address or host name of the host from where the session was initiated
  • Inactivity/Expiration Support
  • can be prolonged via a touch() method to keep them 'alive' if desired
  • Transparent Web Use
  • can use Shiro sessions in existing web applications and you
  • don't need to change any of your existing web cod
  • Can be used for SSO
  • easily stored in any data source
  • can be
  • 'shared'
  • across applications if needed
  • 'poor man's SSO'
  • simple sign-on experience since the shared session can retain authentication state
  • interface-based and implemented with POJOs
  • allows you to easily configure all session components with any JavaBeans-compatible configuration format, like JSON, YAML
  • easily extend
  • customize session management functionality
  • session data can be easily stored in any number of data sources
  • easily clustered using any of the readily-available networked caching products
  • no matter what container you deploy to, your sessions will be clustered the same way
  • No need for container-specific configuration!
  • Shiro sessions can be 'shared' across various client technologies
  • listen for these events and react to them for custom application behavior
  • SecurityUtils.getSubject()
  • currentUser.getSession()
  • If the Subject already has a Session, the boolean argument is ignored and the Session is returned immediately
  • If the Subject does not yet have a Session and the create boolean argument is true,
  • a new session will be created
  • and returned.
  • If the Subject does not yet have a Session and the create boolean argument is false, a new session will not be created and null is returned.
  • Suject.getSession(boolean create)
  • method functions the same way as the
  • HttpServletRequest.getSession(boolean create) method:
    • kuni katsuya
      kuni katsuya on 04 Oct 12
kuni katsuya

JAAS Reference Guide - 0 views

docs.oracle.com/...JAASRefGuide.html

JavaAuthenticationAndAuthorizationService JAAS java security authentication authorization reference guide documentation

shared by kuni katsuya on 31 Aug 12 - No Cached
  • JavaTM Authentication and Authorization Service (JAAS) Reference Guide
  • Common Classes Subject Principals Credentials
  • Authentication Classes and Interfaces
  • ...7 more annotations...
  • Authorization Classes Policy AuthPermission PrivateCredentialPermission
  • Subject
  • Principals
  • Credentials
  • Authorization Classes
  • Policy
  • AuthPermission
kuni katsuya

Realm | Apache Shiro - 0 views

shiro.apache.org/realm.html

Shiro Realm

shared by kuni katsuya on 09 Aug 12 - No Cached
  • A Realm is a component that can access application-specific security data such as users, roles, and permissions. The Realm translates this application-specific data into a format that Shiro understands so Shiro can in turn provide a single easy-to-understand Subject programming API no matter how many data sources exist or how application-specific your data might be.
  • A Realm is essentially a security-specific DAO
kuni katsuya

Supported Place Types - Google Places API (Experimental) - Google Developers - 0 views

developers.google.com/...supported_types

DDD DomainDrivenDesign DomainModel UbiquitousLanguage

shared by kuni katsuya on 14 Dec 12 - No Cached
  • Place Types
  • Google Places API
  • supported types for Place searches and Place adds
  • ...30 more annotations...
  • Additional types listed in table #2 can be used when searching for a Place,
  • but not when adding a Place
    • kuni katsuya
      kuni katsuya on 14 Dec 12
       
      so, not treated as a 'full-blown' place type(?) in cube domain model, would this be similar to relationship between hotel ('primary' subject type) and neighborhood ('secondary' subject type, since content can be attached to it, but it would never 'drive' of this relationship)
  • airport
  • amusement_park
  • art_gallery
  • shopping_mall
  • restaurant
  • museum
  • night_club
  • place_of_worship
  • train_station
  • lodging
  • hospital
  • These types cannot be used when adding a new Place
  • floor
  • geocode
  • intersection
  • locality
  • neighborhood
  • point_of_interest
  • postal_code
  • postal_code_prefix
  • route
  • street_address
  • street_number
  • sublocality
  • subpremise
  • country
  • administrative_area_level_1 administrative_area_level_2 administrative_area_level_3
  • premise
kuni katsuya

Collaboration Best Practices - 3 Reasons Interruptions are Hurting Your Team's Producti... - 0 views

blogs.atlassian.com/...nterruptions-hurt-productivity

agile productivity anti-patterns

shared by kuni katsuya on 01 Nov 12 - No Cached
  • Interruptions Hurt Your Team’s Productivity
  • Productivity is futile in the face of constant interruptions
  • work is scattered through shared network drives, hard drives, and email
    • kuni katsuya
      kuni katsuya on 01 Nov 12
       
      or sharepoint, confluence, jira, word docs, pdf docs, spreadsheets, walled post-it notes, emails... not universally or easily searchable. arghhh...
  • ...17 more annotations...
  • Charging towards a common goal is difficult when:
  • center on meetings alone.
  • When disorganization and uncertainty is the norm, clarification and re-clarification is needed to regularly keep a team focused and working together
  •  waste A LOT of your time
  • Information isn’t located in a centralized place so it isn’t easily accessible to everyone.
  • It’s just easier to ask someone else because they are a Subject Matter Expert (SME). Both.
  • 2. Interruptions encourage multi-tasking, which is bad
  • 1. Most interruptions are trivial and could be avoided
  • it takes most people 16 minutes to refocus after sending an email while doing other work
    • kuni katsuya
      kuni katsuya on 01 Nov 12
       
      it takes most software engineers *at least* 20-30 minutes to get back into 'the zone' following an unrelated distraction
  • No wonder people like to work from home!
  • To perform at your productive best, you need your best focus, something that’s unachievable when you’re constantly interrupted
  • 3. Recovering from interruptions takes longer than you think
  • Between email, meetings, and interruptions (both active and passive),
  • there’s hardly time to get any work done while you’re actually at work.
  • Pro-Tip: Only turn on email and instant message when you need to use them
    • kuni katsuya
      kuni katsuya on 01 Nov 12
       
      ie. never?  ;) though then, you end up with 5,932 unread emails in your inbox and 113 angry co-workers!
  • To combat such interruption, check these tools 3 times a day – when you first get into the office in the morning, around lunch, and before going home for the night – and turn them off otherwise.
  • reduce the rate at which interruptions occur
kuni katsuya

Authorization | Apache Shiro - 0 views

shiro.apache.org/authorization.html

ApacheShiro authorization RBAC Role Permission Subject

shared by kuni katsuya on 31 Aug 12 - No Cached
  • PermissionResolver
  • use the PermissionResolver to convert the string into a Permission instance, and perform the check that way
  • All Shiro Realm implementations default to an internal
  • ...26 more annotations...
  • WildcardPermissionResolver
  • which assumes Shiro's
  • WildcardPermission
  • String format.
  • Authorization Sequence
  • what happens inside Shiro whenever an authorization call is made.
  • invokes any of the Subject hasRole*, checkRole*, isPermitted*, or checkPermission*
  • securityManager implements the org.apache.shiro.authz.Authorizer interface
  • delegates to the application's SecurityManager by calling the securityManager's nearly identical respective hasRole*, checkRole*, isPermitted*, or checkPermission* method variants
  • relays/delegates to its internal org.apache.shiro.authz.Authorizer instance by calling the authorizer's respective hasRole*, checkRole*, isPermitted*, or checkPermission* method
  • Realm's own respective hasRole*, checkRole*, isPermitted*, or checkPermission* method is called
  • Authorization Sequence
  • Authorization Sequence
  • Authorization Sequence
  • Implicit Roles:
    • kuni katsuya
      kuni katsuya on 23 Sep 12
       
      BAD! do not use. prefer explicit (see below)
  • implies a set of behaviors (i.e. permissions) based on a role name only
  • Excplict Roles
  • named collection of actual permission statements
  • your realm is what will tell Shiro whether or not roles or permissions exist
  • Each Realm interaction functions as follows:
  • key difference with a RolePermissionResolver however is that the input String is a role name, and not a permission string.
  • Configuring a global RolePermissionResolver
  • RolePermissionResolver has the ability to represent Permission instances needed by a Realm to perform permission checks.
  • translate a role name into a concrete set of Permission instances
  • globalRolePermissionResolver = com.foo.bar.authz.MyPermissionResolver ... securityManager.authorizer.rolePermissionResolver = $globalRolePermissionResolver
  • shiro.ini
kuni katsuya

Session Management | Apache Shiro - 1 views

shiro.apache.org/session-management.html

ApacheShiro SessionManagement SessionClustering clustering

shared by kuni katsuya on 08 Nov 12 - No Cached
  • Session Clustering
  • can cluster Subject sessions natively and never need to worry again about how to cluster sessions based on your container environment
  • if you configure a cluster-capable SessionDAO, the DAO can interact with a clustering mechanism and Shiro's SessionManager never needs to know about clustering concerns
  • ...8 more annotations...
  • Therefore enabling Session clustering in Shiro is
  • as simple as configuring Shiro to use a distributed cache
  • Ehcache+TerraCotta
  • When Shiro initializes the
  • SessionDAO implements the CacheManagerAware interface
  • call the
  • setCacheManager
  • Ehcache + Terracotta
kuni katsuya

Java Persistence/ManyToMany - Wikibooks, open books for an open world - 0 views

en.wikibooks.org/...ManyToMany

java JPA many-to-many @ManyToMany wikibooks book

shared by kuni katsuya on 23 Oct 12 - Cached
  • Bi-directional Many to Many
  • object model can choose if it will be mapped in both directions
  • in which direction it will be mapped
  • ...9 more annotations...
  • one direction must be defined as the owner and the other must use the mappedBy attribute to define its mapping
  • you will end up getting duplicate rows
  • If the mappedBy is not used, then the persistence provider will assume there are two independent relationships
  • As with all bi-directional relationships it is your object model's and application's responsibility to maintain the relationship in both direction
  • Mapping a Join Table with Additional Columns
  • solution is to create a class that models the join table
  • requires a composite primary key
  • To make your life simpler, I would recommend adding a generated Id attribute to the association class
  • Another usage is if you have a Map relationship between two objects, with a third unrelated object or data representing the Map key
    • kuni katsuya
      kuni katsuya on 23 Oct 12
       
      eg. map key = AuthorizationContext, map value = {Subject,Role}
kuni katsuya

Principle of least privilege - Wikipedia, the free encyclopedia - 0 views

en.wikipedia.org/...Principle_of_least_privilege

security models LeastPrivilege authorization

shared by kuni katsuya on 31 Aug 12 - Cached
  • Principle of least privilege
  • requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to
  • access only the information and resources that are necessary for its legitimate purpose
kuni katsuya

AuthorizationInfo (Apache Shiro :: Core 1.1.0 API) - 0 views

127.0.0.1/...AuthorizationInfo.html

security ApacheShiro authorization AuthorizationInfo

shared by kuni katsuya on 03 Sep 12 - No Cached
  • Interface AuthorizationInfo
  • AuthorizationInfo represents a single Subject's stored authorization data (roles, permissions, etc) used during authorization (access control) checks only
  • Roles are represented as a Collection of Strings (Collection<String>)
  • ...3 more annotations...
  • Permissions are provided in two ways: A Collection of Strings, where each String can usually be converted into Permission objects by a Realm's PermissionResolver A Collection of Permission objects
  • most Realms store both sets of data for a Subject
  • a Realm implementation to utilize an implementation of the Account interface instead, which is a convenience interface that combines both AuthenticationInfo and AuthorizationInfo
kuni katsuya

Chapter 12. ActionScript 3 Reflection API - 0 views

www.graniteds.org/...graniteds.reflection.html

graniteds ActionScript3 reflection api

shared by kuni katsuya on 14 Sep 12 - No Cached
  •  ActionScript 3 Reflection API
  • describeType
  • method returns
  • ...5 more annotations...
  • XML data
    • kuni katsuya
      kuni katsuya on 14 Sep 12
       
      why gawd, whhhhhhhhhyyy...
  • describing its parameter object and is therefore not type-safe and its use is subject to many syntax errors.
  • GraniteDS provides a Java-like reflection API that encapsulates describeType calls and offers a type-safe, object-oriented, set of reflection classes and methods
  • caches its results for better performance
  • supports advanced features such as ApplicationDomain and namespaces
kuni katsuya

java - Getting confused with Apache Shiro and Custom Authorizing Realms - Stack Overflow - 0 views

stackoverflow.com/...-and-custom-authorizing-realms

security ApacheShiro realm RealmSecurityManager SecurityManager authorization AuthorizationInfo

shared by kuni katsuya on 22 Sep 12 - No Cached
  • getRealms()
  • RealmSecurityManager
  • authorization is effectively disabled due to the default doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) implementation returning null
1 - 20 of 21 Next ›
Showing 20 items per page