Download as KEY, PPTX
![Typical Stack
# in bootstrap
authentication_policy =
CustomAuthTktAuthenticationPolicy('seekrit')
authorization_policy = ACLAuthorizationPolicy()
config.add_route(..., ..., factory=resources.find_object)
# in resources
def find_object(request):
obj = ...
assert getattr(obj, ‘__acl__’, None) is not None
return obj
# in models
class Model:
__acl__ = [(Allow, Authenticated, ‘view’)]](https://image.slidesharecdn.com/pyramidsecurity-120915092455-phpapp02/75/Pyramid-Security-28-2048.jpg)
![Always Tom
Authentication
class AlwaysTomPolicy(CallbackAuthenticationPolicy):
def unauthenticated_userid(self, request):
return ‘tom’
def remember(self, request, principal, **kw):
return []
def forget(self, request):
return []](https://image.slidesharecdn.com/pyramidsecurity-120915092455-phpapp02/75/Pyramid-Security-29-2048.jpg)
Uploaded byYusuke Muraoka
Pyramid Security
The document provides an overview of security concepts in Pyramid including authentication, authorization, and implementing a security pyramid. It discusses authentication basics like authenticated_userid and remember/forget. Authorization basics like has_permission and principals_allowed_by_permission are also covered. The document then demonstrates how to enable authentication and authorization policies in Pyramid. Common bundled policies like AuthTktAuthenticationPolicy are described. More advanced topics covered include implementing custom authentication and authorization as well as using ACLs and resources to control access.
Pyramid Security
- 1.
- 2. Who are you? 村岡友介 MURAOKAYusuke @jbking Self Contractor pylons-ja pypy-ja django-ja
- 3.
- 4. Before dive into... http://bit.ly/PyramidSecurity-
- 5. What about Security applicatio csrf, n injections, Tons of topics we xss could discuss identifier, framework authn, Can be categorized authz into some layers poisoning, infra- structure sniffing, We focus today “framework”layer ddos shoulder social hack
- 6. No Security Pyramid development.ini production.ini proj/templates/mytemplate.pt proj/models.py proj/views.py proj/scripts proj/scripts/initializedb.py proj/scripts/__init__.py proj/__init__.py proj/tests.py small starting...
- 7. No Security Pyramid development.ini Configuration production.ini proj/templates/mytemplate.pt proj/models.py MV of MVC proj/views.py proj/scripts proj/scripts/initializedb.py proj/scripts/__init__.py proj/__init__.py Make WSGI app proj/tests.py small starting...
- 8.
- 9. Basics Authentication /etc/passwd Authorization ls -l . -rw-r--r-- 1 yusuke staff
- 10.
- 11.
- 12.
- 13. How to EnableSecurity # in bootstrap authentication_policy = AnAuthenticationPolicy() authorization_policy = AnAuthorizationPolicy() config = Configurator(settings=settings) config.set_authentication_policy(authentication_policy) config.set_authorization_policy(authorization_policy) # in views @view_config(permission=’...’, ...) def logout(request): headers = forget(request) ...
- 14. Authentication in Usage authenticated_userid(request) unauthenticated_userid(request) effective_principals(request) forget(request) remember(request, principal, **kw)
- 15. Authentication in Usage authenticated_userid(request) unauthenticated_userid(request) effective_principals(request) forget(request) Response remember(request, principal, **kw) Headers
- 16. Authentication Policy interface IAuthenticationPolicy authenticated_userid(request) unauthenticated_userid(request) effective_principals(request) remember(request, principal, **kw) forget(request)
- 17. Authentication Policy interface IAuthenticationPolicy authenticated_userid(request) unauthenticated_userid(request) Principals effective_principals(request) remember(request, principal, **kw) Response forget(request) Headers
- 18. Bundled Authentication Policy AuthTktAuthenticationPolicy RemoteUserAuthenticationPolicy RepozeWho1AuthenticationPolic y
- 19. Authorization in Usage has_permission(permission,context, request) principals_allowed_by_permission(context, permission) view_execution_permitted(context, permission, name=’’)
- 20. Authorization in Usage Check has_permission(permission, context, request) Permissio n principals_allowed_by_permission(context, permission) view_execution_permitted(context, permission, name=’’)
- 21. Authorization Policy interface IAuthorizationPolicy principals_allowed_by_permission(context, permission) permits(context, principals, permission)
- 22. Authorization Policy interface IAuthorizationPolicy principals_allowed_by_permission(context, permission) Check permits(context, principals, permission) Permissio n
- 23. Bundled Authorization Policy ACLAuthorizationPolic
- 24.
- 25.
- 26.
- 27. Security Pyramid development.ini production.ini proj/templates/mytemplate.pt proj/models.py proj/views.py proj/resources.py Find Resource proj/authentication.py Custom Security proj/authorization.py ...
- 28. Typical Stack # inbootstrap authentication_policy = CustomAuthTktAuthenticationPolicy('seekrit') authorization_policy = ACLAuthorizationPolicy() config.add_route(..., ..., factory=resources.find_object) # in resources def find_object(request): obj = ... assert getattr(obj, ‘__acl__’, None) is not None return obj # in models class Model: __acl__ = [(Allow, Authenticated, ‘view’)]
- 29. Always Tom Authentication class AlwaysTomPolicy(CallbackAuthenticationPolicy): def unauthenticated_userid(self, request): return ‘tom’ def remember(self, request, principal, **kw): return [] def forget(self, request): return []
- 30. LDAP? Other Authn? pip search repoze.who
- 31.
- 32.