Securing data instances with ERBAC
Kalle Korhonen




tynamo.org - Apache Tapestry - Apache Shiro
Me and open source
• Founder of Tynamo.org
   • a full web stack suite for Tapestry 5
   • successor to Trails Framework, one of the original Ruby on Rails wannabes for Java
• Committer to Apache Tapestry, Apache Shiro




Tynamo.org
• Some stats:
   • 5 active committers, 13 all time
   • similar in size with Apache Shiro
   • 22 individual modules + sub modules
• tapestry-model, the bread and butter: the most customizable CRUD framework for Java
• recently more JPA modules



Security related modules
• tapestry-security, Apache Shiro integration for Tapestry 5
• tynamo-federatedaccounts, account federation with remote authentication providers (Facebook, Twitter, Google, LDAP, etc.)
• tapestry-editablecontent, poor man's CMS, currently JPA only
• tynamo-federatedaccounts-rollingtokens, rememberme authentication based on rolling tokens
tapestry-editablecontent




tynamo-federatedaccounts
• Oauth: Facebook, Twitter, ...
• OpenID
• Not protocol specific

// Tapestry module class: bind the service that maps remote accounts to local users
public static void bind(ServiceBinder binder) {
  binder.bind(FederatedAccountService.class, DefaultHibernateFederatedAccountServiceImpl.class);
}

// tell the service which local entity holds federated accounts ("*" = all providers)
// and which property of it stores the Facebook user id
public static void contributeFederatedAccountService(MappedConfiguration<String, Object> configuration) {
  configuration.add("*", User.class);
  configuration.add("facebook.id", "facebookId");
}

// OAuth client credentials for the Facebook realm (placeholders, supply your own)
public static void contributeApplicationDefaults(MappedConfiguration<String, String> configuration) {
  configuration.add(FacebookRealm.FACEBOOK_CLIENTID, "<client id>");
  configuration.add(FacebookRealm.FACEBOOK_CLIENTSECRET, "<client secret>");
}


tapestry-security
• started out as a thin layer
• replaced (Ini)ShiroFilter
• replaced ini configuration with Tapestry's all-in-java contributions
• replaced Shiro's built-in filters with our own base classes
• proving ground for new stuff (e.g. the logical operator first existed in tapestry-security)



Security check points

• secure views (url-based, annotations)
• secure method invocations (role-type)
• secure data - how?
• how do I declare that a user can only edit his own profile?




Current approach..
// realm: grant an instance-level permission string per entity id
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
  SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
  info.addStringPermission("account:update:1");
  return info;
}

// page template...
<t:security.haspermission permission="editEntityPermission">
...
</t:security.haspermission>

// page class (controller): build the same domain:action:instance string the realm granted
public String getEditEntityPermission() {
  return "account:update:" + entityId;
}




What if you could just do..
@Entity
// only the User referenced by "owner" may UPDATE this Account instance
@RequiresAssociation(value = "owner", operations = Operation.UPDATE)
public class Account {
  @OneToOne
  private User owner;
}




ERBAC
• Entity-Relationship Based Access Control
• Initial concept 5 years ago with Hibernate!
• find out how the data is associated with the currently executing subject
• secure entities with annotations
• role-based security is easy
• allow limiting scope to a specific CRUD operation (CREATE, READ, UPDATE, DELETE)
EntityManager operations
• SecureEntityManager used automatically when a Subject is bound
• find -> READ (separate service for lists)
• merge (INSERT if it doesn't exist)
• persist (update -> remove + insert)
• remove
• create*query() operations are unprotected
• takes care of 80% of instance security needs
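As an added illustration (not code from tapestry-security-jpa or from these slides), the stand-alone Java sketch below shows the kind of check a SecureEntityManager runs before delegating find/merge/persist/remove to the real EntityManager. The annotation, Operation enum and entity classes are constructed look-alikes of what the slides show, and the Subject's User is passed in as a parameter instead of being read from Shiro.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.Arrays;

// Added illustration, not tapestry-security-jpa's code. The annotation, enum and
// entity classes are constructed look-alikes of what the slides show.
public class ErbacCheckDemo {

    enum Operation { CREATE, READ, UPDATE, DELETE }

    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    @interface RequiresAssociation {
        String value();                        // entity field that must reference the subject
        Operation[] operations() default {};   // empty array = every operation is in scope
    }

    static class User {
        final long id;
        User(long id) { this.id = id; }
    }

    @RequiresAssociation(value = "owner", operations = Operation.UPDATE)
    static class Account {
        final User owner;
        Account(User owner) { this.owner = owner; }
    }

    /**
     * The check a SecureEntityManager would run before delegating to the real
     * EntityManager: if the entity class carries @RequiresAssociation and the
     * operation is in scope, the named field must hold the bound Subject's User.
     */
    static boolean isAllowed(Object entity, Operation op, User subjectUser) {
        Class<?> type = entity.getClass();
        RequiresAssociation ra = type.getAnnotation(RequiresAssociation.class);
        if (ra == null) return true;                      // not an ERBAC-secured entity
        boolean inScope = ra.operations().length == 0
                || Arrays.asList(ra.operations()).contains(op);
        if (!inScope) return true;                        // e.g. READ on an UPDATE-only rule
        if (subjectUser == null) return false;            // no Subject bound: fail closed
        try {
            Field field = type.getDeclaredField(ra.value());
            field.setAccessible(true);
            Object associated = field.get(entity);
            // A null or foreign association means "not owned by this subject".
            return associated instanceof User && ((User) associated).id == subjectUser.id;
        } catch (NoSuchFieldException | IllegalAccessException e) {
            return false;   // misconfigured annotation (field name typo): deny, never allow
        }
    }

    /** Wrapper in the spirit of SecureEntityManager.merge(): check, then delegate. */
    static void secureMerge(Object entity, User subjectUser) {
        if (!isAllowed(entity, Operation.UPDATE, subjectUser)) {
            throw new SecurityException("subject " + subjectUser.id + " may not UPDATE " + entity);
        }
        // realEntityManager.merge(entity) would be called here
    }

    public static void main(String[] args) {
        User alice = new User(1), bob = new User(2);
        Account account = new Account(alice);
        System.out.println("alice UPDATE: " + isAllowed(account, Operation.UPDATE, alice));
        System.out.println("bob READ:     " + isAllowed(account, Operation.READ, bob));
        System.out.println("bob UPDATE:   " + isAllowed(account, Operation.UPDATE, bob));
        secureMerge(account, alice);
        // Nothing here intercepts JPQL, which mirrors the create*query() caveat on the slide:
        // rows fetched through a query bypass this check and need their own filtering.
    }
}
```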
What next?
• same model would work for Hibernate, JDO..
• push to Shiro?
• at least annotations
  ... anything more is difficult because Shiro is persistence agnostic




Thank you!

For more information, visit:
http://tynamo.org/tapestry-security-jpa+guide

What do You think?




