Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.
22. Apache Shiro
http://shiro.apache.org/
• Apache Shiro is a powerful and easy to use Java security framework.
• Offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management.
• Built on sound interface-driven design and OO principles.
• Enables custom behavior.
• Sensible and secure defaults for everything.
23. Solving Real World Access Control Problems with Apache Shiro
The Problem
Web application needs a secure access control mechanism.
The Solution
// Subject and SecurityUtils come from org.apache.shiro; the permission string is "type:action"
Subject currentUser = SecurityUtils.getSubject();
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
    log.info("You may use a lightsaber ring. Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
24. Solving Real World Access Control Problems with Apache Shiro
The Problem
Web application needs to secure access to a specific object (horizontal access control).
The Solution
// The third part of the permission string names the data instance, so the check is scoped to one object
Subject currentUser = SecurityUtils.getSubject();
if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId ) ) {
    log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. Here are the keys - have fun!");
} else {
    log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}
25. Data Contextual Access Control
Entities in the data model diagram and their attributes:
User: User ID, User Name
Role: Role ID, Role Name
Activity / Feature: Activity ID, Activity Name
Data: Data Type, Data ID, Data Name
Entitlement / Privilege: User ID, Activity ID, Role ID, Data Type ID, Data Instance ID
26. Please steal and plagiarize this presentation!
GET THE WORD OUT
jim@owasp.org
slideshare.net/jimmanico
Editor's Notes
Frank Piessens
User Joe can execute ViewReport as a manager specific to DataSet 2314
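As an added example (not code from the slides or from Shiro), a minimal implementation of the entitlement table from slide 25 and the speaker note above: each row carries user, activity, role, data type and data instance, the check is deny-by-default and instance-scoped (the horizontal control missing from many audited applications), and a failure to read the entitlement store denies rather than "fails open". The sample rows, the names joe and yogurt, and the broken_store function are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
WILDCARD = "*"  # entitlement applies to every instance of the data type

@dataclass(frozen=True)
class Entitlement:
    """One row of the slide's Entitlement / Privilege table."""
    user_id: str
    activity_id: str
    role_id: str
    data_type_id: str
    data_instance_id: str  # a specific instance id, or WILDCARD

def permission_string(data_type: str, activity: str, instance: str) -> str:
    """Shiro-style 'type:action:instance' string, e.g. 'winnebago:drive:eagle5'."""
    return f"{data_type}:{activity}:{instance}"

def is_permitted(rows: Iterable[Entitlement], user_id: str, activity_id: str,
                 data_type_id: str, data_instance_id: str,
                 role_id: Optional[str] = None) -> bool:
    """Deny by default: grant only when an explicit row matches user, activity, data type
    and data instance (or wildcard); a row for DataSet 2314 never reaches DataSet 2315."""
    for e in rows:
        if (e.user_id, e.activity_id, e.data_type_id) != (user_id, activity_id, data_type_id):
            continue
        if role_id is not None and e.role_id != role_id:
            continue
        if e.data_instance_id in (WILDCARD, data_instance_id):
            return True
    return False

def check_access(load_rows: Callable[[], Iterable[Entitlement]], *request) -> bool:
    """Fail closed: if the entitlement store cannot be read, the answer is deny."""
    try:
        rows = list(load_rows())
    except Exception:
        return False
    return is_permitted(rows, *request)

# Constructed sample data: Joe from the speaker note plus a wildcard row.
ENTITLEMENTS = [
    Entitlement("joe", "ViewReport", "manager", "DataSet", "2314"),
    Entitlement("yogurt", "wield", "schwartz_master", "lightsaber", WILDCARD),
]

def broken_store() -> Iterable[Entitlement]:
    """Constructed stand-in for an entitlement store that is down."""
    raise RuntimeError("entitlement database unavailable")
```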