AtlasCamp 2014: Connect Security
To make add-ons in Atlassian OnDemand successful with Atlassian Connect, they have to be secure. Learn what security features Connect provides and why. This session will include:

• Fun security brain teasers!
• Tips on avoiding common pitfalls when building Connect add-ons
• A sneak peek at future security features we will introduce for Connect

Transcript of "AtlasCamp 2014: Connect Security"

  1. June 3-5, 2014 | Berlin, Germany
  2. Peter Brownlow, Senior Java Developer, Atlassian: Connect Security
  3. Connect add-ons: 3,500 installs from Marketplace
  4. In-process plugins: 1,500,000 installs from Marketplace
  5. Grow 500x; tension between security & usability; overtake in-process plugins
  6. "Don't #@!% the customer." - Atlassian value
  7. Agenda: Authentication, Authorization, Sneak Peeks, Questions
  8. Authentication: who said that?
  9. Who sent the letter? Sender, signature.
  10. Was the letter tampered with? Tampering "looks wrong".
  11. Was the letter re-sent? Too long ago? Postmark.
  12. JSON Web Tokens: the host product and the add-on each send the other params plus a token, e.g. https://mycompany.com/awsome?user.key=peter&jwt=… ; the token can also travel in the "Authorization" HTTP header.
  13. JSON Web Tokens are structured: a header JSON, a claims JSON and a signature, each base64url-encoded and joined with ".":
     {"typ":"JWT","alg":"HS256"} . {"iss":"myId","exp":1300819380} . signature, e.g. eyJ0eXAiOi12KL98udNfg8z…
  14. The letter analogy mapped onto JWT:
     Letter                 | JWT
     sender                 | issuer claim
     signature              | cryptographic signature
     changes "look wrong"   | signature, query hash claim
     postmark date          | expiry claim
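Added example, not from the slides and not Atlassian's own code: an HS256 JWT issued and verified with only the Python standard library, covering the four checks slide 14 maps from the letter analogy (issuer, signature, expiry, query hash). The shared secret, the request URL and the canonical form used for the query hash (method, path, sorted query parameters with the jwt parameter itself left out) are assumptions for illustration; Connect's real canonical request format is not described on this page. The verifier pins the algorithm to HS256 before looking at the signature, so a token that announces alg "none" is refused rather than accepted unsigned.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlencode, urlsplit


class JwtError(Exception):
    """Raised for any token that must be rejected."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def query_hash(method: str, url: str) -> str:
    """Hash that ties a token to one request. Assumed canonical form:
    METHOD&path&sorted-query, with the jwt parameter itself left out."""
    parts = urlsplit(url)
    params = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                    if k != "jwt")
    canonical = "&".join([method.upper(), parts.path or "/", urlencode(params)])
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue(secret: bytes, issuer: str, method: str, url: str, now: int, ttl: int = 180) -> str:
    """Build header.claims.signature as on slide 13, signed with HS256."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": issuer, "iat": now, "exp": now + ttl, "qsh": query_hash(method, url)}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, secret: bytes, expected_issuer: str, method: str, url: str, now: int) -> dict:
    """Return the claims of a valid token or raise JwtError.
    Order matters: pin the algorithm, check the signature, only then trust the claims."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise JwtError("malformed token")
    if json.loads(_unb64url(h64)).get("alg") != "HS256":
        raise JwtError("unexpected alg")          # never let the token choose the algorithm
    expected = hmac.new(secret, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise JwtError("bad signature")           # tampered with, or not from the key holder
    claims = json.loads(_unb64url(c64))
    if claims.get("iss") != expected_issuer:
        raise JwtError("unknown issuer")          # who sent the letter?
    if now >= claims.get("exp", 0):
        raise JwtError("expired")                 # postmark too old
    if claims.get("qsh") != query_hash(method, url):
        raise JwtError("query hash mismatch")     # re-sent against a different request
    return claims


def demo() -> dict:
    """Constructed scenario: one good token and the ways a bad one is refused."""
    secret = b"constructed-shared-secret"          # in Connect this is exchanged at install
    url = "https://mycompany.com/awsome?user.key=peter"
    now = 1300819200

    def outcome(fn):
        try:
            fn()
            return "ok"
        except JwtError as err:
            return str(err)

    token = issue(secret, "myId", "GET", url, now)
    h64, c64, s64 = token.split(".")
    forged_claims = _b64url(b'{"iss":"myId","exp":1300819380,"qsh":"x"}')   # constructed
    none_header = _b64url(b'{"typ":"JWT","alg":"none"}')                    # constructed
    return {
        "valid": outcome(lambda: verify(token, secret, "myId", "GET", url, now + 10)),
        "tampered": outcome(lambda: verify(h64 + "." + forged_claims + "." + s64,
                                           secret, "myId", "GET", url, now + 10)),
        "wrong_issuer": outcome(lambda: verify(issue(secret, "otherAddon", "GET", url, now),
                                               secret, "myId", "GET", url, now + 10)),
        "expired": outcome(lambda: verify(token, secret, "myId", "GET", url, now + 1000)),
        "replayed": outcome(lambda: verify(token, secret, "myId", "GET",
                                           url + "&admin=true", now + 10)),
        "alg_none": outcome(lambda: verify(none_header + "." + c64 + ".",
                                           secret, "myId", "GET", url, now + 10)),
    }
```

Calling demo() exercises each rejection path once; the "replayed" case is the one the query hash claim exists for, since a token lifted from one URL and re-sent against another still carries a valid signature and an unexpired timestamp.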
  15. Agenda: Authorization
  16. Authorization: can you do that?
  17. Scopes: compare to white-list. Who can see the aliens? Generals, interns.
  18. Authorization (image slide)
  19. "How did that guy get in here?" How to avoid "security surprise"? Scopes displayed on installation.
  20. Authorization (image slide)
  21. Personal access changes arbitrarily. Add-on user permissions: how to accurately allow access?
  22. Authorization (image slide)
  23. Authorization (image slide)
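Added example, not from the slides and not Connect's own implementation, of the two authorization layers slides 17 to 21 describe: a static check of the add-on's declared scopes against a whitelist of REST resources, followed by the dynamic permissions of the user the add-on acts for. The scope names, the scope hierarchy, the resource table and the user permission model are all constructed for illustration. The point of the ordering is the "security surprise" on slide 19: a customer who saw only READ at install time never sees that add-on write, even when the user it is acting for could.

```python
import re

# Constructed scope hierarchy: each scope implies the ones listed before it.
SCOPE_ORDER = ["READ", "WRITE", "DELETE", "ADMIN"]

# Constructed whitelist of REST resources an add-on may call, with the
# minimum scope each one needs. Anything not listed is off limits to add-ons.
WHITELIST = [
    ("GET",    r"^/rest/api/2/issue/[^/]+$", "READ"),
    ("POST",   r"^/rest/api/2/issue$",       "WRITE"),
    ("PUT",    r"^/rest/api/2/issue/[^/]+$", "WRITE"),
    ("DELETE", r"^/rest/api/2/issue/[^/]+$", "DELETE"),
    ("POST",   r"^/rest/api/2/project$",     "ADMIN"),
]

# Constructed per-user, per-project permissions: the dynamic layer, which the
# customer can change at any time without the add-on being reinstalled.
USER_PERMISSIONS = {
    "general": {"AREA51": {"browse", "edit", "delete", "administer"}},
    "intern":  {"AREA51": {"browse"}},
}
ACTION_FOR_SCOPE = {"READ": "browse", "WRITE": "edit", "DELETE": "delete", "ADMIN": "administer"}


def required_scope(method, path):
    """Static layer: the scope the whitelist demands for this request, or None."""
    for verb, pattern, scope in WHITELIST:
        if verb == method.upper() and re.match(pattern, path):
            return scope
    return None


def scope_covers(granted, required):
    """True if any granted scope is at least as strong as the required one."""
    return any(SCOPE_ORDER.index(g) >= SCOPE_ORDER.index(required) for g in granted)


def authorize(addon_scopes, user, project, method, path):
    """Return (allowed, reason). The add-on may do at most what it declared at
    install time AND at most what the user it acts for could do themselves."""
    required = required_scope(method, path)
    if required is None:
        return False, "resource not on whitelist"
    if not scope_covers(addon_scopes, required):
        return False, "add-on lacks %s scope" % required
    action = ACTION_FOR_SCOPE[required]
    if action not in USER_PERMISSIONS.get(user, {}).get(project, set()):
        return False, "user %s cannot %s %s" % (user, action, project)
    return True, "ok"
```

With these tables, a READ-only add-on acting for the general is still refused a PUT (the static layer wins), and a WRITE add-on acting for the intern is refused the same PUT (the dynamic layer wins); neither party can lend the other rights it does not have.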
  24. Agenda: Sneak Peeks
  25. Sneak Peeks: ideas in motion
  26. More custom JWT claims? Headers hash, body hash.
  27. JWT expiry improvements: user loads page, goes to lunch, comes back, clicks link… Expired! Secure, but less usable. On click: no expiry? JavaScript API?
  28. Three Legged Auth: act as a specified user, authorized by users, server to server. 3LA granted? Query parameters, REST resource.
  29. Recap. Authentication: who said that? JWT claims, JWT signature. Authorization: can you do that? Scopes (static), user permissions (dynamic).
  30. Agenda: Questions
  31. Questions? go.atlassian.com/ac-security