CBSecurity 3 - Secure Your ColdBox Applications


  1. Secure All Things. By Luis Majano, www.intothebox.org
  2. @lmajano @ortussolutions. Luis Majano:
     • Salvadorean born
     • Imported to the USA
     • Computer Engineering
     • CEO of Ortus Solutions
  3. Inspiration: applying security concerns to our web applications is paramount. Every application will need it, and there are many forms and many levels of application security.
  4. What is cbSecurity? https://coldbox-
  5. Module Composition
  6. What is needed for security?
     ✴ Validates user credentials
     ✴ Logs them in and out
     ✴ Tracks their security in session, custom storage, or none
     ✴ Validates permissions
     ✴ Validates roles
     ✴ Validates nothing 😜
  7. What is needed for security?
     ✴ Use ANY auth service: IAuthenticationService
        ✴ Includes cbauth
        ✴ Login/logout
        ✴ Session tracking in session/request/cache
     ✴ You provide a user service: IUserService
     ✴ You provide a user object: IAuthUser
     ✴ Permission and role based
     ✴ Interfaces:
        ✴ IAuthUser - roles and permissions
        ✴ IJwtSubject - JWT scopes, etc.
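The two user-side interfaces from slide 7, as an added example that is not cbSecurity's own code or the talk's. Method names follow the IAuthUser, IJwtSubject and IUserService contracts as I understand them for cbSecurity 3 (hasPermission/hasRole/isLoggedIn, getJwtScopes/getJwtCustomClaims, retrieveUserById/retrieveUserByUsername/isValidCredentials); the properties, the "any listed permission is enough" semantics, the in-memory user table and the `@BCrypt` injection (the BCrypt module the ColdBox REST templates use) are assumptions for this example.

```cfml
// models/User.cfc
// Added example: a user object satisfying IAuthUser (what the Auth validator asks)
// and IJwtSubject (what the JWT service asks). Properties are assumed for the example.
component accessors="true" {

    property name="id"          type="string" default="";
    property name="username"    type="string" default="";
    property name="roles"       type="array";
    property name="permissions" type="array";

    function init(){
        variables.roles       = [];
        variables.permissions = [];
        return this;
    }

    // IAuthUser: an empty id means "nobody is logged in"
    boolean function isLoggedIn(){
        return len( variables.id ) > 0;
    }

    // IAuthUser: the firewall passes a rule's permission list; true if ANY one is held
    boolean function hasPermission( required permission ){
        var wanted = isArray( arguments.permission ) ? arguments.permission : listToArray( arguments.permission );
        var held   = variables.permissions;
        return wanted.filter( function( p ){ return held.findNoCase( p ) > 0; } ).len() > 0;
    }

    boolean function hasRole( required role ){
        var wanted = isArray( arguments.role ) ? arguments.role : listToArray( arguments.role );
        var held   = variables.roles;
        return wanted.filter( function( r ){ return held.findNoCase( r ) > 0; } ).len() > 0;
    }

    // IJwtSubject: the JWT service joins these into the space-delimited "scope" claim
    array function getJwtScopes(){
        return variables.permissions;
    }

    // IJwtSubject: extra claims merged into the payload. Keep them non-sensitive: a JWT
    // payload is only base64, so whoever holds the token can read it.
    struct function getJwtCustomClaims( required struct payload ){
        return { "username" : variables.username, "roles" : variables.roles };
    }
}

// models/UserService.cfc
// IUserService backed by a constructed in-memory table (assumption: stands in for a DB).
component singleton {

    property name="bcrypt"  inject="@BCrypt";   // assumed: ColdBox BCrypt module
    property name="wirebox" inject="wirebox";

    function onDIComplete(){
        // Constructed sample users; hashes are produced at startup so no clear text persists
        variables.users = [
            { id : "1", username : "alice", roles : [ "admin" ], permissions : [ "users.read", "users.write" ],
              passwordHash : bcrypt.hashPassword( "correct horse battery staple" ) },
            { id : "2", username : "bob",   roles : [ "user" ],  permissions : [ "users.read" ],
              passwordHash : bcrypt.hashPassword( "a-different-long-passphrase" ) }
        ];
    }

    // IUserService: used by cbauth after login and by the JWT validator to rehydrate "sub"
    function retrieveUserById( required id ){
        return toUser( findBy( "id", arguments.id ) );
    }

    function retrieveUserByUsername( required username ){
        return toUser( findBy( "username", arguments.username ) );
    }

    // IUserService: compare against the stored hash only; never store or compare clear text
    boolean function isValidCredentials( required username, required password ){
        var record = findBy( "username", arguments.username );
        return !record.isEmpty() && bcrypt.checkPassword( arguments.password, record.passwordHash );
    }

    private struct function findBy( required field, required value ){
        var f    = arguments.field;
        var v    = arguments.value;
        var hits = variables.users.filter( function( u ){ return compareNoCase( u[ f ], v ) == 0; } );
        return hits.len() ? hits[ 1 ] : {};
    }

    // An empty record yields an empty User whose isLoggedIn() is false
    private function toUser( required struct record ){
        var user = wirebox.getInstance( "User" );
        if( record.isEmpty() ){ return user; }
        user.setId( record.id );
        user.setUsername( record.username );
        user.setRoles( record.roles );
        user.setPermissions( record.permissions );
        return user;
    }
}
```

Register `UserService` under that WireBox id and point the cbSecurity `authentication.userService` setting at it; the "any match" rule in `hasPermission()` mirrors how a rule's comma-separated permission list is meant to be read (hold one of them), so a rule that needs all of them should be split into separate rules.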
  8. Security Firewall
     1. What do we secure?
        1. Events
        2. URIs
     2. How do we secure?
        1. Security rules
        2. Handler + action annotations
        3. JWT headers
        4. cbSecurity explicit methods
     3. Who validates?
  9. Who validates? ➡ Validators
  10. Validators
     ✴ Configured globally or per module
     ✴ Determine the type of authentication/authorization services to use
     ✴ The firewall calls the validator for a 👍 or 👎
     ✴ Core validators:
        ✴ Auth: role/permission-based security via the IAuthService and IAuthUser interfaces
        ✴ CFML: leverages the CFML cflogin/cflogout features
        ✴ Basic Auth: prompts users for credentials using HTTP Basic Auth
        ✴ JWT Validator: checks headers for a JWT token and refresh token
     ✴ Custom validators: ISecurityValidator
  11. Security Rules
  12. Security Rules
     ✴ Rules
        ✴ are evaluated from top to bottom (order is important)
        ✴ secure incoming events/URLs via regex patterns
        ✴ can have white-listed patterns
        ✴ can have roles and permissions
        ✴ can have IP and host header restrictions
        ✴ can be global or per module
        ✴ can come from:
           ✴ inline config
           ✴ database
           ✴ XML, JSON
           ✴ object calls
  13. Security Rules
  14. Security Rule Actions
     ✴ Each rule determines what action occurs if the request is not valid:
        ✴ Redirect to another event/URL
        ✴ Override the incoming event with another event
        ✴ Block the request with a 401 Not Authorized
     ✴ If there is no action in the rule, what happens?
        ✴ It cascades to the module settings ➡ global settings:
           ✴ defaultAuthenticationAction
           ✴ invalidAuthenticationEvent
           ✴ defaultAuthorizationAction
           ✴ invalidAuthorizationEvent
  15. Security Rule
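A firewall configuration that exercises the rule features of slides 10 to 14 (validator, ordered regex rules, whitelist, roles and permissions, IP and HTTP-method restrictions, per-rule actions and the settings cascade), as an added example rather than the talk's own code. The settings layout (`authentication` / `firewall` / `rules.inline`) and the rule keys are how I understand cbSecurity 3; verify them against the version you run. The event names, URL pattern and IP list are constructed for the example.

```cfml
// config/ColdBox.cfc (fragment). Added example; key names assumed from cbSecurity 3.
moduleSettings = {
    cbsecurity = {
        authentication = {
            provider    = "authentication@cbauth",       // cbauth ships with cbSecurity
            userService = "UserService"                  // WireBox id of your IUserService
        },
        firewall = {
            validator = "CBAuthValidator@cbsecurity",    // the core Auth validator
            // The cascade from slide 14: a rule with no action of its own falls back here
            defaultAuthenticationAction = "redirect",
            invalidAuthenticationEvent  = "main.login",
            defaultAuthorizationAction  = "block",       // logged in but lacking rights => 401
            invalidAuthorizationEvent   = "",
            rules = {
                useRegex = true,
                inline   = [
                    // Evaluated top to bottom; the first rule whose secureList matches decides.
                    // Order therefore matters: the narrow API rule with its whitelist comes
                    // before anything broader that could swallow it.
                    {
                        secureList  = "^api\.",                 // every api.* event ...
                        whiteList   = "^api\.health$",          // ... except the health probe
                        match       = "event",
                        roles       = "",
                        permissions = "",                       // empty: authentication is enough
                        action      = "block"                   // API clients get a 401, never a redirect
                    },
                    {
                        secureList  = "^admin\.",
                        match       = "event",
                        roles       = "admin",
                        redirect    = "main.login",
                        action      = "redirect"
                    },
                    {
                        secureList  = "^reports/export",
                        match       = "url",                    // match on the URI, not the event
                        permissions = "reports.export",
                        httpMethods = "POST",                   // only POSTs fall under this rule
                        allowedIPs  = "10.0.0.5,10.0.0.6",      // constructed: IP restriction
                        action      = "block"
                    },
                    {
                        secureList    = "^checkout\.",
                        match         = "event",
                        useSSL        = true,                   // force HTTPS on this path
                        overrideEvent = "main.login",
                        action        = "override"              // swap the event instead of redirecting
                    }
                ]
            }
        }
    }
};
```

Because the first matching rule wins, a broad `^api\.` rule placed above a narrower `^api\.admin` rule would silently apply the broad rule's weaker requirements to the admin events; the rules simulator in the Security Visualizer (slide 27) is the place to confirm which rule a given event actually hits.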
  16. Handler Annotation Security
     ✴ Cascading security
        ✴ Component: access to all actions
        ✴ Actions: specific action security
     ✴ Secure annotation value
        ✴ Nothing - authenticated
        ✴ List - authorizations
  17. Security Rule
  18. Secured URL
     ✴ cbSecurity stores & flashes the incoming URL
     ✴ rc._securedURL
     ✴ Better login experiences
  19. cbSecurity Model
     ✴ Security helper object
     ✴ Fluent constructs
     ✴ cbsecure() mixin (handlers/layouts/views/interceptors)
     ✴ Injection: @cbsecurity (models)
     ✴ Different types of methods:
        ✴ Authentication: verify if logged in, logout, authenticate
        ✴ Authorization contexts: fluent secure block
        ✴ Blocking: throw a NotAuthorized exception
        ✴ Secure views: secure rendering of views
        ✴ Utility: generating passwords, checking IP, hostnames, etc.
        ✴ Verification: verify permissions, etc.
  20. cbSecurity - Authentication Methods
     getAuthService()
     getUserService()
     authenticate( username, password )
     getUser()
     isLoggedIn()
     logout()
  21. cbSecurity - Authorization Context Methods
     when( permissions, success, fail )
     whenAll( permissions, success, fail )
     whenNone( permissions, success, fail )
  22. cbSecurity - Blocking Methods
     secure( permissions, [message] )
     secureAll( permissions, [message] )
     secureNone( permissions, [message] )
     secureSameUser( user, [message] )
     secureWhen( context, [errorMessage] )
     If context = true, then throw a NotAuthorized exception
  23. cbSecurity - Secure Views Methods
     secureView( permissions, successView, failView )
  24. cbSecurity - Utility Methods
     createPassword( length:32, letters:true, numbers:true, symbols:true )
     getRealIP( trustUpstream:true )
     getRealHost( trustUpstream:true )
  25. cbSecurity - Verification Methods
     has( permissions ):boolean
     all( permissions ):boolean
     none( permissions ):boolean
     sameUser( user ):boolean
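One handler that combines the `secured` annotation cascade of slide 16 with the `cbsecure()` method families of slides 19 to 25 (authorization context, verification, blocking and utility methods), as an added example and not code from the talk. The method names used are the ones listed on those slides; the permission names, view names, the `UserService` methods (`retrieveUserById`, `delete`, `setTemporaryPassword`) and the LogBox injection are assumptions for this example.

```cfml
// handlers/Users.cfc. Added example; helper names below are assumed, cbsecure() calls are from the slides.
component secured {   // component-level annotation: every action needs an authenticated user

    property name="userService" inject="UserService";
    property name="log"         inject="logbox:logger:{this}";

    // No annotation here: the component annotation already forces authentication
    function index( event, rc, prc ){
        // Authorization context: run the success or the fail closure, never throw
        cbsecure().when(
            "users.write",
            function( user ){ prc.canEdit = true; },
            function( user ){ prc.canEdit = false; }
        );
        // Verification: a boolean that only changes what the view offers
        prc.canExport = cbsecure().has( "reports.export" );
        event.setView( "users/index" );
    }

    // Annotation value = permission list: the firewall checks it before this body runs
    function export( event, rc, prc ) secured="reports.export" {
        // Utility: trustUpstream=false ignores X-Forwarded-For. Set it to true only when
        // a proxy you control is the one writing that header, or the value is client-chosen.
        log.info( "export by #cbsecure().getUser().getUsername()# from #cbsecure().getRealIP( trustUpstream = false )#" );
        event.renderData( type = "json", data = { "status" : "ok" } );
    }

    function delete( event, rc, prc ) secured="users.write" {
        param rc.id = "";
        var target = userService.retrieveUserById( rc.id );   // assumed service method
        // Blocking: throw NotAuthorized when the context is true
        cbsecure().secureWhen( target.getId() == "1", "The root account cannot be deleted" );
        // Blocking: non-admins may only delete themselves (throws NotAuthorized otherwise)
        if( !cbsecure().has( "users.admin" ) ){
            cbsecure().secureSameUser( target, "You may only delete your own account" );
        }
        userService.delete( target.getId() );                  // assumed service method
        relocate( "users.index" );
    }

    // Utility: a generated temporary credential instead of a guessable one
    function resetPassword( event, rc, prc ) secured="users.admin" {
        param rc.id = "";
        prc.tempPassword = cbsecure().createPassword( length = 24, symbols = false );
        userService.setTemporaryPassword( rc.id, prc.tempPassword );   // assumed service method
        event.setView( "users/reset" );
    }
}
```

The split is deliberate: `when()`/`has()` shape what a page shows and never fail the request, while the annotation and the `secure*()` calls are the enforcement points, so removing a button in the view never removes the protection behind it.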
  26. Security Visualizer
  27. Security Visualizer
     ✴ Visualize all configuration settings
     ✴ Firewall activity
     ✴ Firewall rules simulator
     ✴ Security headers
     ✴ Can also be secured
  28. Firewall Logs
     ✴ Activate firewall logging
     ✴ Firewall > logs
  29. Security Headers
     ✴ Collection of security best practices
     ✴ Highly configurable
     ✴ Several on by default
  30. CSRF - Cross-Site Request Forgery
  31. CSRF - Cross-Site Request Forgery
  32. CSRF - Cross-Site Request Forgery
     ✴ Leverages the cbcsrf module
     ✴ Generate & validate tokens
     ✴ Highly configurable
     csrfToken()
     csrfVerify()
     csrf()
     csrfField()
     csrfRotate()
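The token round trip behind slide 32, as an added example that is not code from the talk: the view embeds a token with `csrfToken()`, the state-changing action checks it with `csrfVerify()`, and a privilege change ends with `csrfRotate()`. The handler and view names, the `csrf` field name (`csrfField()` is the shorthand that emits the equivalent hidden input) and the `UserService` methods are assumptions for this example.

```cfml
<!--- views/profile/edit.cfm. Added example; field and view names are assumed. --->
<cfoutput>
<form method="post" action="#event.buildLink( 'profile.save' )#">
    <input type="hidden" name="csrf" value="#csrfToken()#">
    <label>Display name
        <input type="text" name="displayName" value="#encodeForHTMLAttribute( prc.user.getUsername() )#">
    </label>
    <button type="submit">Save</button>
</form>
</cfoutput>

// handlers/Profile.cfc
component secured {

    property name="userService" inject="UserService";

    function edit( event, rc, prc ){
        prc.user = cbsecure().getUser();
        event.setView( "profile/edit" );
    }

    // State-changing action: verify the token before touching anything
    function save( event, rc, prc ){
        param rc.csrf        = "";
        param rc.displayName = "";
        if( !csrfVerify( rc.csrf ) ){
            // A missing or stale token is a forged or replayed request: refuse, don't redirect
            event.setHTTPHeader( statusCode = 403, statusText = "Forbidden" );
            event.noRender();
            return;
        }
        userService.updateDisplayName( cbsecure().getUser().getId(), rc.displayName );  // assumed
        relocate( "profile.edit" );
    }

    function changePassword( event, rc, prc ){
        param rc.csrf        = "";
        param rc.newPassword = "";
        if( !csrfVerify( rc.csrf ) ){
            event.setHTTPHeader( statusCode = 403, statusText = "Forbidden" );
            event.noRender();
            return;
        }
        userService.changePassword( cbsecure().getUser().getId(), rc.newPassword );        // assumed
        // After a privilege change, rotate so a token captured earlier is worthless now
        csrfRotate();
        relocate( "profile.edit" );
    }
}
```

Only the POST actions verify the token: a GET that changes state would be unprotectable by this pattern, which is the reason `edit` only reads. A JSON client can send the same value from `csrfToken()` in a request header and have the handler read that header instead of `rc.csrf`.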
  33. JWT Security
  34. JWT Security: https://jwt.io/introduction/
  35. jwt-cfml
     ✴ https://forgebox.io/view/jwt-cfml
     ✴ Encode/decode JSON Web Tokens
     ✴ Algorithms: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512
  36. IJwtStorage: Settings, Database, CacheBox, WireBox ID
  37. Base Claims
     ✴ Issuer (iss) - the issuer of the token (defaults to the application's base URL)
     ✴ Issued At (iat) - when the token was issued (Unix timestamp)
     ✴ Subject (sub) - the identifier for the token (defaults to the user id)
     ✴ Expiration Time (exp) - the token expiry date (Unix timestamp)
     ✴ Unique ID (jti) - a unique identifier for the token (md5 of the sub and iat claims)
     ✴ Scopes (scope) - a space-delimited string of scopes attached to the token
     ✴ Refresh Token (cbsecurity_refresh) - if you use refresh tokens, this custom claim is added to the payload
  38. Base Claims
  39. JWT Service
     ✴ JWTService
     ✴ Helper: jwtAuth()
     ✴ Injection: JWTService@cbSecurity
     ✴ The rest and rest-hmvc templates give a full working example
  40. JWT Service
  41. JWT Service
  42. JWT Service
  43. JWT Service
  44. JWT Service
  45. JWT Service
  46. JWT Routes
  47. JWT Controller
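The JWT settings, routes and controller that slides 36 to 47 describe, as an added example; it is neither the talk's code nor the rest template verbatim. `jwtAuth()`, `attempt()`, `getUser()`, `getPayload()` and `logout()` are the JWTService helper and methods as I understand cbSecurity 3; the `jwt` setting names, the `JwtAuthValidator@cbsecurity` validator id, the `InvalidCredentials` exception type, the route paths and the handler are assumptions to check against your version.

```cfml
// config/ColdBox.cfc (fragment). Added example; setting names assumed from cbSecurity 3.
moduleSettings = {
    cbsecurity = {
        firewall = {
            validator = "JwtAuthValidator@cbsecurity"   // validate the header token instead of a session
        },
        jwt = {
            secretKey        = getSystemSetting( "JWT_SECRET" ),   // long random value from the environment, never in source
            algorithm        = "HS512",
            expiration       = 15,                      // minutes: short-lived access tokens limit replay
            customAuthHeader = "x-auth-token",
            tokenStorage = {                            // records jti so logout() can revoke before exp
                enabled    = true,
                driver     = "cachebox",
                properties = { cacheName = "default" }
            }
        }
    }
};

// config/Router.cfc (fragment): constructed routes
function configure(){
    post( "/api/login" ).to( "api.auth.login" );
    post( "/api/logout" ).to( "api.auth.logout" );
    get( "/api/me" ).to( "api.auth.me" );
}

// handlers/api/Auth.cfc
component extends="coldbox.system.RestHandler" {

    function login( event, rc, prc ){
        param rc.username = "";
        param rc.password = "";
        try {
            // attempt() checks IUserService.isValidCredentials, builds the base claims of
            // slide 37 (iss, iat, sub, exp, jti, scope) plus the IJwtSubject custom claims,
            // signs the token and, with storage on, records its jti
            var token = jwtAuth().attempt( rc.username, rc.password );
            event.getResponse().setData( { "token" : token } );
        } catch( InvalidCredentials e ){
            // one message for unknown user and wrong password: don't reveal which
            event.getResponse().setErrorMessage( "Invalid credentials", 401 );
        }
    }

    // Runs only after the firewall has validated the token carried in the header
    function me( event, rc, prc ) secured {
        var claims = jwtAuth().getPayload();
        event.getResponse().setData( {
            "user"    : jwtAuth().getUser().getUsername(),
            "scope"   : claims.scope,
            "expires" : claims.exp
        } );
    }

    function logout( event, rc, prc ) secured {
        jwtAuth().logout();   // invalidates the current token in storage
        event.getResponse().setData( { "status" : "logged out" } );
    }
}
```

Storage is what turns `logout()` into real revocation: without it a signed token stays valid until `exp`, which is why the expiration above is short and the token is revoked rather than merely discarded by the client.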
  48. Security Events
     cbSecurity_onInvalidAuthentication
     cbSecurity_onInvalidAuthorization
     Login interceptions (cbauth):
        preAuthentication
        postAuthentication
        preLogin
        postLogin
        preLogout
        postLogout
     JWT interceptions:
        cbSecurity_onJWTCreation
        cbSecurity_onJWTInvalidation
        cbSecurity_onJWTValidAuthentication
        cbSecurity_onJWTInvalidUser
        cbSecurity_onJWTInvalidClaims
        cbSecurity_onJWTExpiration
        cbSecurity_onJWTStorageRejection
        cbSecurity_onJWTValidParsing
        cbSecurity_onJWTInvalidateAllTokens
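An interceptor subscribed to four of the events on this slide, as an added example and not code from the talk. It reads nothing from the `data` argument, so it does not depend on the exact payload each event carries; `cbsecure()` in interceptors is what slide 19 lists, while `csrfRotate()` being available in interceptors, the LogBox injection and the interceptor registration are assumptions for this example.

```cfml
// interceptors/SecurityAudit.cfc. Added example; registration and mixin availability assumed.
component {

    property name="log" inject="logbox:logger:{this}";

    // Firewall denied an unauthenticated request (rule or annotation)
    function cbSecurity_onInvalidAuthentication( event, data, buffer, rc, prc ){
        log.warn( "authentication failure: event=#event.getCurrentEvent()# ip=#cbsecure().getRealIP( trustUpstream = false )#" );
    }

    // An authenticated user lacked a role or permission: repeats are worth alerting on
    function cbSecurity_onInvalidAuthorization( event, data, buffer, rc, prc ){
        var who = cbsecure().isLoggedIn() ? cbsecure().getUser().getId() : "anonymous";
        log.warn( "authorization failure: event=#event.getCurrentEvent()# user=#who#" );
    }

    // A well-formed but expired JWT was presented; the client must re-authenticate
    function cbSecurity_onJWTExpiration( event, data, buffer, rc, prc ){
        log.info( "expired JWT presented for #event.getCurrentEvent()#" );
    }

    // cbauth fires this after a successful login: rotate CSRF tokens so one issued to the
    // anonymous session cannot be carried into the authenticated one
    function postLogin( event, data, buffer, rc, prc ){
        csrfRotate();
    }
}

// config/ColdBox.cfc (fragment): register the interceptor
interceptors = [ { class = "interceptors.SecurityAudit" } ];
```

The two firewall events are the natural feed for the firewall log of slide 28 when you want the records in your own SIEM rather than only in the visualizer.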
  49. Get an extra 10% off Into The Box. Offer ends Monday March 20th at 12:00 am. Code: Early10. www.intothebox.org. Limited offer: 2 days only, early bird tickets.
