
CBSecurity - Secure all Things

The ColdBox cbsecurity module will enhance your ColdBox applications by providing out of the box security in the form of:

  • A security rule engine for validating incoming requests
  • Annotation driven security for validating incoming events to handlers and actions
  • JWT (JSON Web Tokens) generator, decoder and authentication services
  • A security service to provide you with functional approaches to security context authorization

Published in: Technology

  1. cbSecurity: Secure All Things. By Luis Majano
  2. Luis Majano Intro (@lmajano, @ortussolutions)
     ✴ Salvadorean Born!
     ✴ Imported to the USA
     ✴ Computer Engineering
     ✴ CEO of Ortus Solutions
     ✴ Houston, Texas
  3. Inspiration
     Applying security concerns to our web applications is paramount. Every application will need it. There are many forms of application security and many levels.
  4. Agenda
     ✴ What is cbSecurity?
     ✴ Module Composition
     ✴ Authentication
     ✴ Authorization
     ✴ Implementation
  5. What is cbSecurity
     ✴ A collection of modules to help secure your applications
     ✴ Major Areas of Concern:
       ✴ Security Authentication/Authorization Firewall (cbsecurity)
         ✴ Incoming event/url
         ✴ Handler annotations
       ✴ Security Service for explicit authorizations (cbsecurity)
       ✴ JWT generator, decoder and authentication services (jwtcfml)
       ✴ CSRF Protection (cbsrf)
       ✴ Authentication Manager (cbauth)
  6. Module Composition
  7. What is needed for security?
     ✴ Authentication System
       ✴ Validates user credentials
       ✴ Logs them in and out
       ✴ Tracks their session
     ✴ Authorization System
       ✴ Validates permissions/roles/etc.
  8. Authentication
  9. What is cbAuth
     ✴ Authentication system
       ✴ Authenticates users
       ✴ Logs them in and out
       ✴ Tracks their session (many storages)
     ✴ Has NO knowledge of your Database/Users
       ✴ You must provide a UserService and a User object
       ✴ This is how it knows how to authenticate users
     ✴ What's another generic authentication system?
       ✴ cflogin, cfloginuser
  10. cbauth() methods
     ✴ login( user )
     ✴ logout()
     ✴ authenticate( username, password )
     ✴ isLoggedIn()
     ✴ getUser()
  11. cbauth() Object Map
  12. cbauth() - UserService methods
     ✴ isValidCredentials( username, password )
     ✴ retrieveUserByUsername( username )
     ✴ retrieveUserById( id )
  13. cbauth() - User methods
     ✴ getId()
  14. Is cbauth Mandatory?
     ✴ No!
       ✴ Use cflogin/cfloginuser
       ✴ Build your own
       ✴ Use third-party providers (Okta, Google, Facebook, GitHub, etc.)
     ✴ How will cbsecurity know how to use it?
       ✴ 1 Object that adheres to IAuthService
       ✴ Tell cbSecurity settings about that object
  15. cbauth() IAuthService methods
     ✴ login( user )
     ✴ logout()
     ✴ authenticate( username, password )
     ✴ isLoggedIn()
     ✴ getUser()
     Hmmm, seems familiar
  16. Authorization
  17. What is authorization?
     ✴ Whether an AUTHENTICATED user has access to a resource
     ✴ How do we grant access => Authorization Indicators
       ✴ Roles
       ✴ Permissions
       ✴ Custom
     ✴ Where do we store these indicators?
       ✴ Determined by the authentication service
       ✴ cflogin/cfloginuser provides roles
       ✴ cbsecurity encourages permissions checked through User.hasPermission()
       ✴ Okta/Windows/AD/etc.
  18. CBSecurity Validators
     ✴ How do we validate authorization indicators: VALIDATORS
     ✴ CFValidator: verifies using isUserInAnyRole()
     ✴ CBAuthValidator: verifies against the User object's hasPermission( permission )
     ✴ JWTService: validates tokens and token scopes, then validates permissions against the User object's hasPermission( permission )
     ✴ Custom: validates against whatever you want!
  19. cbauth() - User methods
     ✴ getId()
     ✴ hasPermission( permission ) : boolean
  20. How do we secure?
     1. Security Rules
     2. Handler Annotations
     3. cbSecurity explicit methods
  21. Security Rules (Firewall)
     ✴ Rules are evaluated from top to bottom (order is important)
     ✴ Rules secure incoming events/urls (preProcess)
     ✴ Global rules and Module rules
     ✴ Rules can come from:
       ✴ Config
       ✴ Database
       ✴ XML, JSON
       ✴ Object
     ✴ Rules are tied to an interceptor instance
     ✴ You can have MANY security interceptors with many different rules
  22. Security Rule
  23. Security Rule
  24. Handler Annotation Security
     ✴ Cascading Security
       ✴ Component: access to all actions
       ✴ Actions: specific action security
     ✴ secure annotation value
       ✴ Nothing - Authenticated
       ✴ List - Authorizations
  25. cbSecurity Model
     ✴ Explicit Evaluations
     ✴ Fluent constructs
     ✴ cbsecure() mixin (handlers/layouts/views/interceptors)
     ✴ Injection @cbsecurity (models)
     ✴ Different Types of Methods:
       ✴ Blocking: throw a NotAuthorized exception
       ✴ Action: functional if statement
       ✴ Verification: verify permissions, user, etc.
       ✴ RequestContext Helpers
  26. cbSecurity - Blocking Methods
     ✴ secure( permissions, [message] )
     ✴ secureAll( permissions, [message] )
     ✴ secureNone( permissions, [message] )
     ✴ secureWhen( context, [message] )
  27. cbSecurity - Action Context Methods
     ✴ when( permissions, success, fail )
     ✴ whenAll( permissions, success, fail )
     ✴ whenNone( permissions, success, fail )
  28. cbSecurity - Verification Methods
     ✴ has( permissions ) : boolean
     ✴ all( permissions ) : boolean
     ✴ none( permissions ) : boolean
     ✴ sameUser( user ) : boolean
  29. cbSecurity - Request Context Methods
     ✴ secureView( permissions, successView, failView )
  30. JWT Security
  31. Jwt-cfml
     ✴ https://forgebox.io/view/jwt-cfml
     ✴ Encode/Decode JSON Web Tokens
     ✴ HS256, HS384, HS512
     ✴ RS256, RS384, RS512
     ✴ ES256, ES384, ES512
  32. JWT
     ✴ JWTService
       ✴ Acts as a validator
       ✴ Can also be a helper in your handlers/interceptors: jwt()
       ✴ Can also be used in your models via injection: JWTService@cbSecurity
     ✴ Rest and rest-cmvc templates give a full working example
  33. JWT Storage
     ✴ Very Very Important
       ✴ Invalidate keys
       ✴ Black list keys
       ✴ Rotate keys
     ✴ Storage Drivers
       ✴ CacheBox: use any provider
       ✴ DB: Database
       ✴ Custom
  34. JWT - How do we work with it?
     ✴ Authentication Service √
     ✴ Authorization by Permission √
     ✴ User Object √
     ✴ UserService Object √
     ✴ Configure JWT
     ✴ Update User Object
     Coding Time!
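The cbauth contract from slides 12, 13 and 19 (a UserService and a User object) and the cbsecure() methods from slides 25 to 29, worked through as one added CFML example. This is not code from the slides or from the cbauth/cbsecurity projects. Assumptions not on the slides: the User model is resolvable by WireBox under the name "User"; when() hands the authenticated user to its callbacks; event.secureView() is the RequestContext helper slide 29 names; passwords are hashed with the built-in generatePBKDFKey() under a static, constructed salt so the sample runs without a database; the users, permission names and the Reports handler are constructed.

```cfml
// --- models/User.cfc ---
component accessors="true" {
    property name="id";
    property name="username";
    property name="permissions";
    // cbauth contract (slide 13): getId() is generated by accessors="true"
    // cbsecurity contract (slide 19): the indicator CBAuthValidator checks
    boolean function hasPermission( required string permission ){
        return arrayFindNoCase( variables.permissions, arguments.permission ) > 0;
    }
}

// --- models/UserService.cfc ---
component singleton {
    property name="wirebox" inject="wirebox";
    function init(){
        // Constructed sample users; a real service reads a database. A static
        // salt only keeps the sample self-contained; use a per-user random salt
        // or a bcrypt/argon2 module in a real application.
        variables.salt  = "constructed-sample-salt";
        variables.users = [
            { id = 1, username = "alice", permissions = [ "REPORTS_VIEW" ],
              passwordHash = hashPassword( "constructed-password-1" ) },
            { id = 2, username = "bob", permissions = [ "REPORTS_VIEW", "REPORTS_EXPORT", "USER_ADMIN" ],
              passwordHash = hashPassword( "constructed-password-2" ) }
        ];
        return this;
    }
    // cbauth contract (slide 12): cbauth.authenticate() calls this first
    boolean function isValidCredentials( required string username, required string password ){
        var record = findRecord( "username", arguments.username );
        if ( structIsEmpty( record ) ) return false;
        return constantTimeEquals( hashPassword( arguments.password ), record.passwordHash );
    }
    // cbauth contract (slide 12): fetch the user after a valid login, or by stored id
    function retrieveUserByUsername( required string username ){
        return toUser( findRecord( "username", arguments.username ) );
    }
    function retrieveUserById( required id ){
        return toUser( findRecord( "id", arguments.id ) );
    }
    private struct function findRecord( required string key, required value ){
        for ( var r in variables.users ) {
            if ( r[ arguments.key ] == arguments.value ) return r;
        }
        return {};
    }
    private function toUser( required struct record ){
        if ( structIsEmpty( arguments.record ) ) {
            throw( type = "UserNotFound", message = "No such user" ); // assumption: fail closed
        }
        var user = wirebox.getInstance( "User" );
        user.setId( arguments.record.id );
        user.setUsername( arguments.record.username );
        user.setPermissions( arguments.record.permissions );
        return user;
    }
    private string function hashPassword( required string password ){
        // Built-in PBKDF2; the algorithm name and iteration count are assumptions
        return generatePBKDFKey( "PBKDF2WithSHA256", arguments.password, variables.salt, 100000, 256 );
    }
    // Compare every character so timing does not reveal how much of the hash matched
    private boolean function constantTimeEquals( required string a, required string b ){
        if ( len( arguments.a ) != len( arguments.b ) ) return false;
        var diff = 0;
        for ( var i = 1; i <= len( arguments.a ); i++ ) {
            diff = bitOr( diff, bitXor( asc( mid( arguments.a, i, 1 ) ), asc( mid( arguments.b, i, 1 ) ) ) );
        }
        return diff == 0;
    }
}

// --- handlers/Reports.cfc (uses the cbsecure() mixin, slides 25 to 29) ---
component {
    property name="userService" inject="UserService";
    // Blocking: throws NotAuthorized unless the user holds REPORTS_VIEW
    function index( event, rc, prc ){
        cbsecure().secure( "REPORTS_VIEW", "You need report access" );
        event.setView( "reports/index" );
    }
    // Action and verification: branch on permissions without throwing
    function dashboard( event, rc, prc ){
        cbsecure().when( "USER_ADMIN",
            function( user ){ prc.widgets = "admin"; },
            function( user ){ prc.widgets = "standard"; }
        );
        prc.canExport = cbsecure().all( "REPORTS_VIEW,REPORTS_EXPORT" );
        event.setView( "reports/dashboard" );
    }
    // Request context helper: same-user check plus a view chosen by permission
    function profile( event, rc, prc ){
        var target = userService.retrieveUserById( event.getValue( "id", 0 ) );
        prc.isOwner = cbsecure().sameUser( target );
        event.secureView( "USER_ADMIN", "users/adminProfile", "users/publicProfile" );
    }
}
```

cbauth's authenticate( username, password ) ends up in isValidCredentials(), so the hashing and comparison there are where a weak credential store would show. Keeping hasPermission() on the User object is what lets CBAuthValidator, the handler annotations and the explicit cbsecure() calls all consult one authorization source instead of three.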