Dev objecttives-2015 auth-auth-fine-grained-slides
0 likes324 views
This document discusses authentication, authorization, and fine-grained access control. It introduces different levels of authorization from anonymous access to fine-grained control varying across users and resources. It provides examples of implementing fine-grained security using annotations and services. API security is also discussed, combining authentication with authorization annotations. Pattern languages are presented as a way to discuss difficult technical concepts using consistent terminology.
![USERS & ROLES
Anonymous : No security necessary.
Single User : one step beyond "anonymous". Address this situation by using the @Secured
annotation (provided by the spring-security-core plugin) to secure controller actions.
Multipe Users : As soon as you've secured an application you'll discover you can do things
with the knowledge of who's logged in. Things like audit logging are possible (who did
what/when.)
Multipe Users / Multiple Roles
@Secured(["isFullyAuthenticated()"])](https://image.slidesharecdn.com/gogaualmti285whdrbib-signature-e847456c6a6f52f4d0f0f7669a8f77f77a8ca5cc3daa63de0a00591556073525-poli-150518152321-lva1-app6892/85/Dev-objecttives-2015-auth-auth-fine-grained-slides-23-320.jpg)
![USERS & ROLES
Multipe Users / Multiple Roles: With multiple users you'll find that you want to allow some
users to do somethings and other users to do other things. This too can be handled with the
@Secured annotation
@Secured(["ROLE_SUPERUSER"])
defrmMinusRStar(Stringpathname){
...
}
@Secured(["ROLE_MOM"])
defmakeGoodCookies(Integercount){
(count*2).times{
...
}
}](https://image.slidesharecdn.com/gogaualmti285whdrbib-signature-e847456c6a6f52f4d0f0f7669a8f77f77a8ca5cc3daa63de0a00591556073525-poli-150518152321-lva1-app6892/85/Dev-objecttives-2015-auth-auth-fine-grained-slides-24-320.jpg)
![@Secured(["isFullyAuthenticated()"])
defshow(Projectorg){
...
}](https://image.slidesharecdn.com/gogaualmti285whdrbib-signature-e847456c6a6f52f4d0f0f7669a8f77f77a8ca5cc3daa63de0a00591556073525-poli-150518152321-lva1-app6892/85/Dev-objecttives-2015-auth-auth-fine-grained-slides-30-320.jpg)
![@Secured(["isFullyAuthenticated()"])
@Authorized(clazz=Project,idParam="id",permission="VIEWER")
defshow(Projectorg){
...
}](https://image.slidesharecdn.com/gogaualmti285whdrbib-signature-e847456c6a6f52f4d0f0f7669a8f77f77a8ca5cc3daa63de0a00591556073525-poli-150518152321-lva1-app6892/85/Dev-objecttives-2015-auth-auth-fine-grained-slides-31-320.jpg)
![usage example: instance level authorization
@Authorized(clazz=Project,idParam="id",permission="OWNER")
defedit(Projectproject){
rendertemplate:"edit",model:[project:project]
}
@Authorized(clazz=Project,idParam="id",permission="OWNER")
defupdate(Projectproject){
...
}](https://image.slidesharecdn.com/gogaualmti285whdrbib-signature-e847456c6a6f52f4d0f0f7669a8f77f77a8ca5cc3daa63de0a00591556073525-poli-150518152321-lva1-app6892/85/Dev-objecttives-2015-auth-auth-fine-grained-slides-37-320.jpg)
![usage example: list of authorized instances
deflist(){
defuser=springSecurityService.currentUser
defprojectList=authorizationService.authorizedInstances(
user?.id,
Project,
params
)
defprojectTotal=authorizationService.authorizedInstanceCount(
user?.id,
Project
)
[projectList:projectList,projectTotal:projectTotal,]
}](https://image.slidesharecdn.com/gogaualmti285whdrbib-signature-e847456c6a6f52f4d0f0f7669a8f77f77a8ca5cc3daa63de0a00591556073525-poli-150518152321-lva1-app6892/85/Dev-objecttives-2015-auth-auth-fine-grained-slides-38-320.jpg)
![@Secured(["IS_AUTHENTICATED_ANONYMOUSLY"])
@SecuredApi
defapiGet(StringprojectCode){
....
}](https://image.slidesharecdn.com/gogaualmti285whdrbib-signature-e847456c6a6f52f4d0f0f7669a8f77f77a8ca5cc3daa63de0a00591556073525-poli-150518152321-lva1-app6892/85/Dev-objecttives-2015-auth-auth-fine-grained-slides-42-320.jpg)
Dev objecttives-2015 auth-auth-fine-grained-slides
- 1. AUTHENTICATION, AUTHORIZATION, AND FINE-GRAINED ACCESS CONTROL AndyMiller| | |amiller@objectpartners.com @opiamiller www.objectpartners.com
- 4. HAVE YOU EVER SEEN AN OLD PHOTO OF YOURSELF... ...AND BEEN EMBARRASSED AT THE WAY YOU LOOKED?
- 5. HAVE YOU LOOKED AT OLD CODE YOU WROTE... ... what the ****? | PROGRAMMAIN | SUBROUTINESUB1(X,DUMSUB) INTEGERN,X | INTEGERN,X EXTERNALSUB1 | EXTERNALDUMSUB COMMON/GLOBALS/N | COMMON/GLOBALS/N X=0 | IF(X.LT.N)THEN PRINT*,'Enternumberofrepeats' | X=X+1 READ(*,*)N | PRINT*,'x=',X CALLSUB1(X,SUB1) | CALLDUMSUB(X,DUMSUB) END | ENDIF | END |
- 6. HAVE YOU LOOKED AT OLD PROJECT PLANS AND BUDGETS... ...AND BEEN EMBARRASSED AT HOW MUCH MONEY YOU SPENT ON THE THINGS THAT TODAY ARE SO EASY?
- 7. THE TRUTH IS WE SPENT ENTIRE PROJECT BUDGETS ON WHAT, THEN, WAS HARD STUFF... figuring out how to organize source code figuring out dependency management figuring out build automation figuring out how to save data in a database figuring out test automation ... Looking back, it's amazing we had time (or money) left over to work on the important things... LIKE WHAT THE SOFTWARE WAS ACTUALLY SUPPOSED TO DO!
- 8. WHEN BUILDING A SYSTEM...
- 17. WE'VE "SOLVED" SOME STUFF... structuring the vertical slice organizing source code dependency management build automation persistence schema evolution test automation
- 18. BUT SOME THINGS ARE STILL HARD... Requirements management Integrating with other systems Asynchronous processing Application security Batch processing Functional testing Working with money ...
- 19. SOME THINGS ARE JUST "HARD"... Requirements management Integrating with other systems Asynchronous processing APPLICATION SECURITY Batch processing Functional testing Working with money ...
- 20. APPLICATION SECURITY 0. anonymous (no security) 1. authentication of multiple users 2. authentication of multiple tenants 3. user authentication AND user authorization 4. fine grained user authorization varying across resources 5. data security (at the query level) 6. api security
- 21. These are complex, multi-dimensional problems. Cool! I like complex problems, but they're only fun to solve once (or maybe two or three times.) So let's look a little deeper...
- 22. PATTERN LANGUAGE security anonymous | authorized | restricted | unrestricted secured | unsecured authentication | username | password roles/permissions/authorities fine grained security API | API consumer | bearer token
- 23. USERS & ROLES Anonymous : No security necessary. Single User : one step beyond "anonymous". Address this situation by using the @Secured annotation (provided by the spring-security-core plugin) to secure controller actions. Multipe Users : As soon as you've secured an application you'll discover you can do things with the knowledge of who's logged in. Things like audit logging are possible (who did what/when.) Multipe Users / Multiple Roles @Secured(["isFullyAuthenticated()"])
- 24. USERS & ROLES Multipe Users / Multiple Roles: With multiple users you'll find that you want to allow some users to do somethings and other users to do other things. This too can be handled with the @Secured annotation @Secured(["ROLE_SUPERUSER"]) defrmMinusRStar(Stringpathname){ ... } @Secured(["ROLE_MOM"]) defmakeGoodCookies(Integercount){ (count*2).times{ ... } }
- 25. MULTIPLE TENANTS multiple users multiple resources each resource is owned by a single user "OWNER" can grant access to other users Eventually we're going to need to store data for multiple customers/tenants in the same database.
- 26. HOW DO WE HANDLE THIS? Roles are great for implementing details like "Only the superuser can run with scissors" and "Never let Mom touch this feature!" But roles can't capture variation across resources.
- 27. Fine-grained Access Control == Variation of access across users and resources
- 28. FINE-GRAINED ACCESS CONTROL I want a simple way to discuss this with product ownsers ...so let's extend the pattern language. and I want the implementation to be just as simple... no room for stupid coding mistakes! ...so let's build another annotation.
- 29. LEVELS OF AUTHORIZATION Class level authorization: grant users ability to create new instances Instance level authorization: allow users to work with individual domain objects
- 32. WHEN "ROLES" VARY ACROSS MULTIPLE TENANTS 0. anonymous (no security) 1. authentication of multiple clients (bearer tokens to secure a rest api) 2. authentication of multiple users (spring security to restrict access to ctrl/action) 3. user authentication AND user authorization (spring security "authorities" to restrict acces to ctrl/action) 4. user authorization that varies across different data elements == fine grained security 5. data security (at the query level)
- 35. FINE GRAINED SECURITY EXAMPLE 1. I (a user) can create new resources 2. I "own" resources that I've created 3. I am a "VIEWER" for some resources 4. I can grant "OWNER", "VIEWER", and so on to other users
- 36. usage example: class level authorization @Authorized(clazz=Project,permission="OWNER") defcreate(){ ... } @Authorized(clazz=Project,permission="OWNER") defsave(){ ... }
- 37. usage example: instance level authorization @Authorized(clazz=Project,idParam="id",permission="OWNER") defedit(Projectproject){ rendertemplate:"edit",model:[project:project] } @Authorized(clazz=Project,idParam="id",permission="OWNER") defupdate(Projectproject){ ... }
- 38. usage example: list of authorized instances deflist(){ defuser=springSecurityService.currentUser defprojectList=authorizationService.authorizedInstances( user?.id, Project, params ) defprojectTotal=authorizationService.authorizedInstanceCount( user?.id, Project ) [projectList:projectList,projectTotal:projectTotal,] }
- 40. API SECURITY A REST API can be secured with a two part process... 1. authentication is handled with an OATH 2 style process 2. and authorization is handled with @Authorized annotation
- 41. API SECURITY Figure1from sumsitupnicely... Note:Webapphandlesallthreeserver-sideroles. self-issued.info/docs/draft-ietf-oauth-v2-bearer.html +--------+ +---------------+ | |--(A)-AuthorizationRequest->| Resource | | | | Owner | | |<-(B)--AuthorizationGrant---| | | | +---------------+ | | | | +---------------+ | |--(C)--AuthorizationGrant-->|Authorization| |Client| | Server | | |<-(D)-----AccessCode--------| | | | +---------------+ | | | | +---------------+ | |--(E)-----AccessCode------->| Resource | | | | Server | | |<-(F)---ProtectedResource---| | +--------+ +---------------+
- 44. BEARER TOKEN? "authorization" http request header field formatted like... where "bearerb64token" b64token=1*(ALPHA/DIGIT/"-"/"."/"_"/"~"/"+"/"/")*"="
- 46. PATTERN LANGUAGE The words we use to discuss difficult topics should be the same when we talk about requirements, talk about technical concepts, and when we talk about code.
- 47. QUESTIONS? Slides + Src: grails-domain-authorizationplugin magic-task-machine(exampleapp) AndyMiller| | | github.com/onetribeyoyo/dev-objecttives-2015 github.com/onetribeyoyo/grails-domain-authorization github.com/onetribeyoyo/mtm amiller@objectpartners.com @opiamiller