Pyramid Security

Introducing the security stack that Pyramid has.

Published in: Technology, News & Politics

1. Pyramid Security

2. Who are you?
   村岡友介 (MURAOKA Yusuke), @jbking
   Self-employed contractor
   pylons-ja, pypy-ja, django-ja

3. Agenda
   - Security
   - Basics
   - Authentication
   - Authorization
   - Advanced

4. Before we dive in... http://bit.ly/PyramidSecurity-

5. What about Security?
   There are tons of topics we could discuss; they can be categorized into layers:
   - application: CSRF, injections, XSS, identifiers
   - framework: authn, authz
   - infrastructure: poisoning, sniffing, DDoS
   - social hack: shoulder (surfing)
   Today we focus on the "framework" layer.

6-7. No Security Pyramid (a small starting project)
   development.ini, production.ini                Configuration
   proj/templates/mytemplate.pt
   proj/models.py, proj/views.py                  M and V of MVC
   proj/scripts/, proj/scripts/initializedb.py, proj/scripts/__init__.py
   proj/__init__.py                               Makes the WSGI app
   proj/tests.py
   small starting...

8. Security

9. Basics
   Authentication: like /etc/passwd (establishes who you are)
   Authorization: like the permission bits in `ls -l .`, e.g. `-rw-r--r-- 1 yusuke staff` (decides what you may do)

10-11. Basics (diagram slides; no text)

12. Easy enough?

13. How to Enable Security
    # in bootstrap
    from pyramid.config import Configurator

    authentication_policy = AnAuthenticationPolicy()
    authorization_policy = AnAuthorizationPolicy()
    config = Configurator(settings=settings)
    # Set both: Pyramid raises a ConfigurationError if only one of the two is set.
    config.set_authentication_policy(authentication_policy)
    config.set_authorization_policy(authorization_policy)

    # in views
    from pyramid.security import forget
    from pyramid.view import view_config

    @view_config(permission='...', ...)   # the view runs only if the policy grants this permission
    def logout(request):
        headers = forget(request)         # response headers that clear the credentials
        ...

    The pair of policies is the Pyramid 1.x API this talk uses; Pyramid 2.0 merges them into one security policy set with config.set_security_policy().

14-15. Authentication in Usage (pyramid.security)
   authenticated_userid(request)
   unauthenticated_userid(request)
   effective_principals(request)
   remember(request, principal, **kw)   -> response headers (set the credential)
   forget(request)                      -> response headers (clear the credential)

16-17. Authentication Policy (interface IAuthenticationPolicy)
   authenticated_userid(request)
   unauthenticated_userid(request)
   effective_principals(request)        -> principals (the userid plus Everyone, Authenticated and any groups)
   remember(request, principal, **kw)   -> response headers
   forget(request)                      -> response headers

18. Bundled Authentication Policies
   AuthTktAuthenticationPolicy
   RemoteUserAuthenticationPolicy
   RepozeWho1AuthenticationPolicy
   AuthTktAuthenticationPolicy signs a cookie with a shared secret: keep the secret out of version control, pass hashalg='sha512' (the legacy default is MD5), and set secure=True and http_only=True so the ticket is not sent over plain HTTP or exposed to scripts.
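To make the five IAuthenticationPolicy methods concrete, here is an HMAC-signed cookie policy in the spirit of AuthTktAuthenticationPolicy, written in plain Python so it runs without Pyramid. It is an added example and not Pyramid's code nor the speaker's: the Request stand-in, SignedCookiePolicy, cookies_from_headers, groups_for and the "expires|userid|mac" ticket format are this example's own constructions; only the principal names match Pyramid's.

```python
# Added example, not Pyramid's or the talk's code: an HMAC-signed cookie policy
# that implements the IAuthenticationPolicy methods from the slide.
# Request, SignedCookiePolicy, cookies_from_headers, groups_for and the ticket
# format "<expires>|<userid>|<hex mac>" are assumptions of this example.
import hashlib
import hmac
import time

Everyone = "system.Everyone"            # the principal names Pyramid uses
Authenticated = "system.Authenticated"
COOKIE_NAME = "auth_tkt"


class Request:
    """Minimal stand-in for a Pyramid request: only .cookies is used here."""

    def __init__(self, cookies=None):
        self.cookies = dict(cookies or {})


class SignedCookiePolicy:
    """callback(userid, request) returns the user's groups, or None to veto a
    userid whose ticket is valid but whose account no longer exists."""

    def __init__(self, secret, timeout=3600, callback=None, clock=time.time):
        self.secret = secret.encode()
        self.timeout = timeout
        self.callback = callback
        self.clock = clock  # injectable so expiry can be tested

    def _mac(self, expires, userid):
        msg = f"{expires}|{userid}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def unauthenticated_userid(self, request):
        """Userid claimed by the cookie, if the signature and expiry check out."""
        ticket = request.cookies.get(COOKIE_NAME)
        if not ticket:
            return None
        try:
            expires_s, userid, mac = ticket.split("|", 2)
            expires = int(expires_s)
        except ValueError:
            return None
        # Verify before trusting anything in the ticket; constant-time compare.
        if not hmac.compare_digest(mac, self._mac(expires, userid)):
            return None
        if self.clock() > expires:
            return None
        return userid

    def authenticated_userid(self, request):
        """Same as above, but the callback must also accept the user."""
        userid = self.unauthenticated_userid(request)
        if userid is None or self.callback is None:
            return userid
        return userid if self.callback(userid, request) is not None else None

    def effective_principals(self, request):
        principals = [Everyone]
        userid = self.unauthenticated_userid(request)
        if userid is None:
            return principals
        groups = [] if self.callback is None else self.callback(userid, request)
        if groups is None:  # callback vetoed the user: treat as anonymous
            return principals
        return principals + [Authenticated, userid] + list(groups)

    def remember(self, request, principal, **kw):
        """Headers that set the ticket; Secure/HttpOnly keep it off HTTP and JS."""
        principal = str(principal)
        if "|" in principal:
            raise ValueError("principal must not contain the ticket separator")
        expires = int(self.clock()) + self.timeout
        value = f"{expires}|{principal}|{self._mac(expires, principal)}"
        return [("Set-Cookie",
                 f"{COOKIE_NAME}={value}; Path=/; HttpOnly; Secure; SameSite=Lax")]

    def forget(self, request):
        """Headers that expire the ticket."""
        return [("Set-Cookie", f"{COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure")]


def cookies_from_headers(headers, jar=None):
    """Test helper: apply Set-Cookie headers the way a browser would."""
    jar = dict(jar or {})
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        attrs = value.split(";")
        key, _, val = attrs[0].strip().partition("=")
        if any(a.strip() == "Max-Age=0" for a in attrs[1:]):
            jar.pop(key, None)
        else:
            jar[key] = val
    return jar


def groups_for(userid, request):
    """Constructed directory: alice is an editor, bob's account is gone."""
    return {"alice": ["group:editors"]}.get(userid)


if __name__ == "__main__":
    policy = SignedCookiePolicy("seekrit", timeout=60, callback=groups_for)
    req = Request(cookies_from_headers(policy.remember(Request(), "alice")))
    print(policy.effective_principals(req))
```

The split between unauthenticated_userid (what the cookie claims, after signature and expiry checks) and authenticated_userid (the same, only if the callback still knows the user) is the point of the two slide methods: a valid ticket for a deleted account yields no authenticated user and only the Everyone principal.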
19-20. Authorization in Usage (pyramid.security)
   has_permission(permission, context, request)           -> checks a permission for the current request's principals
   principals_allowed_by_permission(context, permission)
   view_execution_permitted(context, request, name='')

21-22. Authorization Policy (interface IAuthorizationPolicy)
   principals_allowed_by_permission(context, permission)
   permits(context, principals, permission)               -> checks a permission

23. Bundled Authorization Policy
   ACLAuthorizationPolicy

24. Any Question?

25. Advanced

26-27. Security Pyramid (the same project with security added)
   development.ini, production.ini
   proj/templates/mytemplate.pt
   proj/models.py, proj/views.py
   proj/resources.py            Finds the resource (the context that carries the ACL)
   proj/authentication.py       Custom security
   proj/authorization.py        Custom security
   ...

28. Typical Stack
    # in bootstrap
    from pyramid.authorization import ACLAuthorizationPolicy

    # seekrit is the ticket-signing secret: load it from configuration, never hard-code it
    authentication_policy = CustomAuthTktAuthenticationPolicy(seekrit)
    authorization_policy = ACLAuthorizationPolicy()
    # the route factory's return value becomes the context the ACL is read from
    config.add_route(..., ..., factory=resources.find_object)

    # in resources
    def find_object(request):
        obj = ...
        # guard against a context that was never given an ACL;
        # note that assert is stripped under python -O, so raise explicitly in production
        assert getattr(obj, '__acl__', None) is not None
        return obj

    # in models
    from pyramid.security import Allow, Authenticated

    class Model:
        __acl__ = [(Allow, Authenticated, 'view')]
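The ACLAuthorizationPolicy from slide 23 and the __acl__ lists of slide 28 behave the same way: permits() walks from the context up through __parent__ and the first matching ACE decides, while principals_allowed_by_permission() walks from the root down and lets a Deny remove inherited grants. The following reimplements those semantics in plain Python so they can be exercised without Pyramid; it is an added example, not Pyramid's or the speaker's code, and Site, Document, NoAcl, build_sample_site and require_acl (the explicit replacement for the assert in find_object) are this example's own constructions.

```python
# Added example, not Pyramid's or the talk's code: the ACL semantics behind
# ACLAuthorizationPolicy, with constructed resources to run them against.
# Site, Document, NoAcl, build_sample_site and require_acl are assumptions.
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"
Allow, Deny = "Allow", "Deny"


def lineage(resource):
    """Yield the resource, then its parents, by following __parent__."""
    while resource is not None:
        yield resource
        resource = getattr(resource, "__parent__", None)


def _acl_of(resource):
    acl = getattr(resource, "__acl__", None)
    return acl() if callable(acl) else acl


def _ace_permissions(perms):
    return perms if isinstance(perms, (list, tuple, set, frozenset)) else [perms]


def permits(context, principals, permission):
    """Walk from context to root; the FIRST ACE that names one of the
    principals and the permission decides. No match anywhere means deny."""
    principals = set(principals)
    for resource in lineage(context):
        acl = _acl_of(resource)
        if acl is None:
            continue
        for action, principal, perms in acl:
            if principal in principals and permission in _ace_permissions(perms):
                return action == Allow
    return False


def principals_allowed_by_permission(context, permission):
    """Walk from root down to context, collecting Allow principals; a Deny
    removes a principal and a Deny of Everyone wipes everything inherited."""
    allowed = set()
    for resource in reversed(list(lineage(context))):
        acl = _acl_of(resource)
        if acl is None:
            continue
        allowed_here, denied_here = set(), set()
        for action, principal, perms in acl:
            if permission not in _ace_permissions(perms):
                continue
            if action == Allow and principal not in denied_here:
                allowed_here.add(principal)
            elif action == Deny:
                denied_here.add(principal)
                if principal == Everyone:
                    allowed = set()
                    break
                allowed.discard(principal)
        allowed.update(allowed_here)
    return allowed


class Site:
    """Root resource: anyone may view, editors may edit."""
    __parent__ = None
    __acl__ = [(Allow, Everyone, "view"), (Allow, "group:editors", "edit")]


class Document:
    """Owned by one user. A private document denies viewing to everyone, and
    because that Deny comes first in its own ACL it beats the inherited Allow."""

    def __init__(self, parent, owner, private=False):
        self.__parent__ = parent
        self.__acl__ = [(Deny, Everyone, "view")] if private else []
        self.__acl__.append((Allow, owner, ("edit", "delete")))


class NoAcl:
    """A context someone forgot to give an ACL."""
    __parent__ = None


def require_acl(obj):
    """What a route factory should do instead of assert: assert disappears
    under python -O, this check does not. Raise HTTPForbidden in a real app."""
    if getattr(obj, "__acl__", None) is None:
        raise PermissionError("context has no __acl__")
    return obj


def build_sample_site():
    """Constructed tree: a site with two public documents and one private one."""
    site = Site()
    return (site, Document(site, "alice"), Document(site, "bob"),
            Document(site, "alice", private=True))


if __name__ == "__main__":
    site, alice_doc, bob_doc, secret = build_sample_site()
    editor = [Everyone, Authenticated, "alice", "group:editors"]
    print(permits(secret, editor, "view"),
          principals_allowed_by_permission(alice_doc, "edit"))
```

Two things worth checking in your own ACLs follow from the walk order: an inherited Allow is only overridden if the Deny appears earlier in the lineage walk (closer to the context, or earlier in the same list), and a context with no ACL at all denies everything, which is why the factory should refuse to return one.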
29. Always Tom Authentication
    from pyramid.authentication import CallbackAuthenticationPolicy

    class AlwaysTomPolicy(CallbackAuthenticationPolicy):
        # Every request is 'tom': useful for development and tests, never for production.
        def unauthenticated_userid(self, request):
            return 'tom'
        def remember(self, request, principal, **kw):
            return []   # no headers: there is no credential to set
        def forget(self, request):
            return []   # nothing to clear either

30. LDAP? Other Authn?
    pip search repoze.who
    (PyPI no longer serves `pip search`; look the plugins up at https://pypi.org/search/?q=repoze.who instead.)

31. Any Question again?

32. Thanks :)