Pyramid Security

  1. Pyramid Security
  2. Who are you? 村岡友介 MURAOKA Yusuke (@jbking), self contractor; pylons-ja, pypy-ja, django-ja
  3. Agenda: Security Basics, Authentication, Authorization, Advanced
  4. Before dive into... http://bit.ly/PyramidSecurity-
  5. What about Security? Tons of topics we could discuss; they can be categorized into some layers:
     - application: csrf, injections, xss, identifier
     - framework: authn, authz
     - infrastructure: poisoning, sniffing, ddos
     - social hack: shoulder surfing
     We focus today on the "framework" layer.
  6. No Security Pyramid (small starting...):
     development.ini
     production.ini
     proj/templates/mytemplate.pt
     proj/models.py
     proj/views.py
     proj/scripts
     proj/scripts/initializedb.py
     proj/scripts/__init__.py
     proj/__init__.py
     proj/tests.py
  7. No Security Pyramid, annotated:
     development.ini, production.ini  -- Configuration
     proj/models.py, proj/views.py    -- M and V of MVC
     proj/__init__.py                 -- Make WSGI app
  8. Security
  9. Basics:
     Authentication: /etc/passwd
     Authorization:  ls -l .  ->  -rw-r--r--  1 yusuke  staff
  10. Basics
  11. Basics
  12. Easy enough?
  13. How to Enable Security
      # in bootstrap
      from pyramid.config import Configurator
      authentication_policy = AnAuthenticationPolicy()
      authorization_policy = AnAuthorizationPolicy()
      config = Configurator(settings=settings)
      config.set_authentication_policy(authentication_policy)
      config.set_authorization_policy(authorization_policy)

      # in views
      from pyramid.security import forget
      from pyramid.view import view_config

      @view_config(permission='...', ...)
      def logout(request):
          headers = forget(request)   # headers that clear the login cookie/ticket
          ...
  14. Authentication in Usage:
      authenticated_userid(request)
      unauthenticated_userid(request)
      effective_principals(request)
      forget(request)
      remember(request, principal, **kw)
  15. Authentication in Usage, annotated:
      authenticated_userid(request)
      unauthenticated_userid(request)
      effective_principals(request)
      forget(request)                      -- Response Headers
      remember(request, principal, **kw)   -- Response Headers
  16. Authentication Policy interface: IAuthenticationPolicy
      authenticated_userid(request)
      unauthenticated_userid(request)
      effective_principals(request)
      remember(request, principal, **kw)
      forget(request)
  17. Authentication Policy interface, annotated: IAuthenticationPolicy
      authenticated_userid(request)
      unauthenticated_userid(request)
      effective_principals(request)        -- Principals
      remember(request, principal, **kw)   -- Response Headers
      forget(request)                      -- Response Headers
  18. Bundled Authentication Policy:
      AuthTktAuthenticationPolicy
      RemoteUserAuthenticationPolicy
      RepozeWho1AuthenticationPolicy
  19. Authorization in Usage:
      has_permission(permission, context, request)
      principals_allowed_by_permission(context, permission)
      view_execution_permitted(context, permission, name='')
  20. Authorization in Usage, annotated:
      has_permission(permission, context, request)            -- Check Permission
      principals_allowed_by_permission(context, permission)
      view_execution_permitted(context, permission, name='')
  21. Authorization Policy interface: IAuthorizationPolicy
      principals_allowed_by_permission(context, permission)
      permits(context, principals, permission)
  22. Authorization Policy interface, annotated: IAuthorizationPolicy
      principals_allowed_by_permission(context, permission)
      permits(context, principals, permission)   -- Check Permission
  23. Bundled Authorization Policy: ACLAuthorizationPolicy
  24. Any Question?
  25. Advanced
  26. Security Pyramid:
      development.ini
      production.ini
      proj/templates/mytemplate.pt
      proj/models.py
      proj/views.py
      proj/resources.py
      proj/authentication.py
      proj/authorization.py
      ...
  27. Security Pyramid, annotated:
      proj/resources.py       -- Find Resource
      proj/authentication.py  -- Custom Security
      proj/authorization.py   -- Custom Security
  28. Typical Stack
      # in bootstrap
      from pyramid.authorization import ACLAuthorizationPolicy
      authentication_policy = CustomAuthTktAuthenticationPolicy('seekrit')
      authorization_policy = ACLAuthorizationPolicy()
      config.add_route(..., ..., factory=resources.find_object)

      # in resources
      def find_object(request):
          obj = ...
          # every context handed to the ACL policy must carry an __acl__
          assert getattr(obj, '__acl__', None) is not None
          return obj

      # in models
      from pyramid.security import Allow, Authenticated

      class Model:
          __acl__ = [(Allow, Authenticated, 'view')]
  29. Always Tom Authentication
      from pyramid.authentication import CallbackAuthenticationPolicy

      class AlwaysTomPolicy(CallbackAuthenticationPolicy):
          def unauthenticated_userid(self, request):
              return 'tom'            # every request is treated as user "tom"

          def remember(self, request, principal, **kw):
              return []               # no headers: nothing to persist

          def forget(self, request):
              return []               # no headers: nothing to clear
  30. LDAP? Other Authn? pip search repoze.who
  31. Any Question again?
  32. Thanks :)
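To make slides 28 and 29 concrete, the following added example (not from the talk or from Pyramid itself) re-implements in plain Python how the callback-style authentication policy turns a userid into principals and how an ACL policy's `permits()` walks `__acl__` entries up the resource lineage; `Root`, `group:admins` and the `check` helper are constructed for the illustration.

```python
# Stand-alone re-implementation, for illustration only, of the two pieces the
# slides wire together: deriving the principal list from a userid (as a
# CallbackAuthenticationPolicy does) and evaluating __acl__ entries along the
# resource lineage (as ACLAuthorizationPolicy.permits does). Constructed names.

Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"
ALL_PERMISSIONS = object()          # sentinel: this ACE covers every permission


def effective_principals(userid, callback):
    """Everyone always; Authenticated, the userid and its groups only when the
    callback accepts the userid (returning a group list rather than None)."""
    principals = [Everyone]
    groups = callback(userid) if userid is not None else None
    if groups is not None:           # None from the callback means unknown user
        principals += [Authenticated, userid, *groups]
    return principals

def lineage(context):
    """Yield context, then its __parent__, and so on up to the root."""
    while context is not None:
        yield context
        context = getattr(context, "__parent__", None)

def permits(context, principals, permission):
    """The first ACE naming one of our principals decides; no match = deny."""
    for resource in lineage(context):
        for action, principal, perms in getattr(resource, "__acl__", ()):
            if isinstance(perms, str):   # 'view' must not substring-match 'vie'
                perms = [perms]
            if principal in principals and (
                perms is ALL_PERMISSIONS or permission in perms
            ):
                return action == Allow
    return False

class Root:
    """Constructed root resource carrying an explicit deny-all backstop."""
    __parent__ = None
    __acl__ = [(Allow, "group:admins", ALL_PERMISSIONS),
               (Deny, Everyone, ALL_PERMISSIONS)]

class Model:
    """The slide's model: any authenticated principal may 'view'."""
    __acl__ = [(Allow, Authenticated, "view")]
    def __init__(self, parent):
        self.__parent__ = parent

def check(userid, permission, groups_by_user):
    """AlwaysTom-style flow: userid -> principals -> ACL walk over a Model."""
    principals = effective_principals(userid, groups_by_user.get)
    return permits(Model(Root()), principals, permission)
```

Note that the deny-all ACE on `Root` is what makes `check("tom", "edit", ...)` fail: without an ACE that matches, the walk still ends in a deny, but an explicit backstop makes that intent visible in the resource tree.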
