Secure all things with CBSecurity 3
0 likes31 views
The document presents an overview of cbsecurity by Luis Majano, emphasizing the importance of security in web applications. It outlines necessary components for application security such as user authentication, permissions validation, and security rules, along with various validation methods and utilities. Additionally, it discusses the implementation of JSON Web Tokens (JWT) and the related security measures like Cross-Site Request Forgery (CSRF) protection.
![secure( permissions, [message] )
secureAll( permissions, [message] )
secureNone( permissions, [message] )
secureSameUser( user, [message])
secureWhen( context, [errorMessage] )
If context = true, then throw a NotAuthorized exception
Blocking Methods
cbSecuriry](https://image.slidesharecdn.com/cbsecurity3-230531132626-99dea5bc/85/Secure-all-things-with-CBSecurity-3-23-320.jpg)
Secure all things with CBSecurity 3
- 1. cbSecurity - Secure All Things LED BY Luis Majano SESSION
- 2. @lmajano @ortussolutions • Salvadorean Born! • Imported to the USA • Computer Engineering • CEO of Ortus Solutions LUIS MAJANO Your Host
- 3. Inspiration Applying security concerns to our web applications is paramount. Every application will need it. Many forms of application security and many levels.
- 6. What is needed for security?
- 7. • Validates user credentials • Logs them in and out • Tracks their security in session, custom storage, or none. • Validates Permissions • Validates Roles • Validates nothing 😜 What is needed for security?
- 8. What is needed for security? • Use ANY auth service: IAuthenticationService • Includes cbauth • Login/Logout • Session Tracking in session/request/cache • You Provide a user service: IUserService • You Provide a user object: IAuthUser • Permission and Role Based • Interfaces: • IAuthUser - Roles and Permissions • IJwtSubject - Jwt Scopes, etc.
- 9. 1. What do we secure? 1. Events 2. URIs 2. How do we secure? 1. Security Rules 2. Handler + Action Annotations 3. JWT Headers 4. cbSecurity explicit methods 3. Who validates? Security Firewall
- 10. V Who validates? ➡ Validators
- 11. • Con fi gured globally or per-module • Determine the type of authentication/authorization services to use • The fi rewall calls the validator for a 👍 or 👎 • Core Validators • Auth: role/permission-based security via IAuthService and IAuthUser interfaces • CFML : Leverages CFML c fl ogin/c fl ogout features • Basic Auth : Prompts users for credentials using HTTP Basic Auth • JWT Validator : Checks headers for a JWT token and refresh token • Custom Validators: ISecurityValidator Validators
- 12. ` Security Rules
- 13. • Rules • are evaluated from top to bottom (Order is important) • secure incoming events/urls via regex patterns • can have white-listed patterns • can have roles and permissions • can have ip, host header restrictions • can be global or per-module • can come from: • Con fi g Inline • Database • XML, JSON • Object Calls Security Rules
- 14. Security Rules
- 15. • Each rule determines what action to occur if the request is not valid: • Redirect to another event/URL • Override the incoming event to another event • Block the request with a 401 Not Authorized • If there is no action in the rule, what happens? • Cascades to module settings ➡ global settings • defaultAuthenticationAction • invalidAuthenticationEvent • defaultAuthorizationAction • invalidAuthorizationEvent Security Rule Actions
- 16. Security Rule
- 17. • Cascading Security • Component • Access to all actions • Actions • Speci fi c action security • Secure Annotation Value • Nothing - Authenticated • List - Authorizations Handler Annotation Security
- 18. Security Rule
- 19. • cbSecurity stores & fl ashes the incoming URL • rc._securedURL • Better login experiences Secured URL
- 20. • Security Helper Object • Fluent constructs • cbsecure() mixin (handlers/layouts/views/interceptors) • Injection @cbsecurity (models) • Different Types of Methods: • Authentication: Verify if logged in, logout, authenticate • Authorization Contexts: Fluent secure block • Blocking: Throw a NotAuthorized exception • Secure Views: Secure rendering of views • Utility: Generating passwords, checking ip, hostnames, etc • Veri fi cation: Verify permissions, etc cbSecurity Model
- 21. getAuthService() getUserService() authenticate( username, password ) getUser() isLoggedIn() logout() Authentication Methods cbSecuriry
- 22. when( permissions, success, fail ) whenAll( permissions, success, fail ) whenNone( permissions, success, fail ) Security Context Methods cbSecuriry
- 23. secure( permissions, [message] ) secureAll( permissions, [message] ) secureNone( permissions, [message] ) secureSameUser( user, [message]) secureWhen( context, [errorMessage] ) If context = true, then throw a NotAuthorized exception Blocking Methods cbSecuriry
- 24. secureView( permissions, successView, failView ) Secure Views Methods cbSecuriry
- 25. createPassword( length:32, letters:true, numbers:true, symbols:true ) getRealIP( trustUpstream:true ) getRealHost( trustUpstream:true ) Utility Methods cbSecuriry
- 26. has( permissions ):boolean all( permissions ):boolean none( permissions ):boolean sameUser( user ):boolean Verification Methods cbSecuriry
- 28. • Visualize all con fi guration settings • Firewall activity • Firewall rules simulator • Security Headers • Can also be secured Security Visualizer
- 29. • Activate fi rewall logging • Firewall > logs Firewall Logs
- 30. • Collection of security best practices • Highly con fi gurable • Several on by default Security Headers
- 33. csrfToken() csrfVerify() csrf() csrfField() csrfRotate() • Leverages the cbcsrf module • Generate & validate tokens • Highly con fi gurable Cross-Site Request Forgery CSRF
- 34. JWT Security
- 37. • https://forgebox.io/view/jwt-cfml • Encode/Decode JSON Web Tokens • HS256 • HS384 • HS512 • RS256 • RS384 • RS512 • ES256 • ES384 • ES512 JWT-CFML
- 39. • Issuer (iss) - The issuer of the token (defaults to the application's base URL) • Issued At (iat) - When the token was issued (unix timestamp) • Subject (sub) - This holds the identi fi er for the token (defaults to user id) • Expiration time (exp) - The token expiry date (unix timestamp) • Unique ID (jti) - A unique identi fi er for the token (md5 of the sub and iat claims) • Scopes (scope) - A space-delimited string of scopes attached to the token • Refresh Token (cbsecurity_refresh) - If you use refresh tokens, this custom claim will be added to the payload. Base Claims
- 40. Base Claims
- 41. • JWTService • Helper: jwtAuth() • Injection: JWTService@cbSecurity • Rest and rest-hmvc templates give a full working example JWT Service
- 42. JWT Service
- 43. JWT Service
- 44. JWT Service
- 45. JWT Service
- 46. JWT Service
- 47. JWT Service
- 48. JWT Service
- 49. JWT Controller
- 50. cbSecurity_onInvalidAuthentication cbSecurity_onInvalidAuthorization Login Interceptions preAuthentication postAuthentication preLogin postLogin preLogout postLogout cbauth Interceptions Jwt Interceptions cbSecurity_onJWTCreation cbSecurity_onJWTInvalidation cbSecurity_onJWTValidAuthentication cbSecurity_onJWTInvalidUser cbSecurity_onJWTInvalidClaims cbSecurity_onJWTExpiration cbSecurity_onJWTStorageRejection cbSecurity_onJWTValidParsing cbSecurity_onJWTInvalidateAllTokens Security Events
- 51. THANK YOU Thanks to our sponsors