How does Grails handle security, and why should I use a plugin? - security

In 90% of security-related Grails tutorials, they tell you to store your User objects in a session-scoped variable. That's all nice and easy, but I wonder if it's too good to be true, especially with plugins like Spring Security that offer many times more features.
For the simple, "I am a user and therefore I am entitled to view/edit my own domain objects" applications that I develop, I store my User objects in a session. However, this got me thinking about how Grails supports J2EE security and sessions in its own implementation (it does use a temporary session ID in the cookie, right?). Furthermore, how vulnerable is it to attacks like cookie injection and cross-site/stray JS?
I don't want to actually invest the time in learning, integrating, and maintaining a plugin for an app that might not need it, so my question is: is Grails's session implementation secure enough for simple applications, and is there a very good reason I should use a security plugin even for these trivial tasks?
On a side-note, if anyone can point me to a good OpenID/Facebook login implementation, that would be terrific.

Regarding security concerns, I would always suggest preferring proven and widely adopted solutions over your own hand-rolled security implementation. Spring Security was founded in 2003 under the name Acegi and brings you more than eight years of experience and development for your security concerns.
As you already pointed to the Grails Spring Security plugin, you should have a look at the OpenID plugin Spring Security OpenID, which extends Spring Security Core and brings you OpenID support.

reason I should use a security plugin even for these trivial tasks?
... on a basic level it's also trivial to use the plugin, so what's there to lose? Screencast to get you started.

Related

Advantages of using spring security vs custom filters?

This question might be naive, but I would like to know what the advantages are of using Spring Security (or any other security framework) versus custom filters (@WebFilter) to restrict pages in a web app. In a custom filter I can check the session of a user, see if a user bean has been mapped within the session and then check if the user bean has the appropriate role to gain access to my restricted area. So what do I gain by using Spring Security? Surely it's more secure, but if so, then how? I'm asking because I find it harder to use than custom filters. Thanks in advance.
Security Principle: Don't roll your own security unless you're an expert.
See https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own
The Spring guys aren't sitting around making work up for themselves. They are solving real problems. You could implement all of Spring Security's features with your filters, but then you'd have Spring Security, wouldn't you?
Are you handling CSRF and making it convenient?
Are you handling session fixation?
Do your filters handle path traversal?
Are you handling RunAs functionality?
Read the docs and decide if you should use it or not.

javafx authorization and authentication concept

Could somebody advise me on the best solution for JavaFX (JDK8) and security concepts? By security I mean authorization and authentication. Thank you in advance.
I might be a bit late in answering this, but you are very right, Maryan. JavaFX doesn't seem to have good interoperability with any standard security mechanisms.
The only option is to use a 3PP to solve this. Examples are: Spring Security, Apache Shiro etc. In order to eliminate the dependencies on a particular 3PP, I encourage you to wrap the 3PP implementation.
Unfortunately, this is just the beginning of a long list of issues (that are yet to come up) for you. Even after you implement the security measure, you will still have to come up with ways of storing and managing security tokens (similar to browser cookies) so that your JavaFX client doesn't need to authenticate with the server for every call.
If this is only the beginning of your project, I suggest you really think about whether to use JavaFX or go with a web-based UI.

Spring security substitute for Node.js

Is there a substitute for Spring Security in Node.js? I know of Express and Passport, but Passport provides authentication only. It does not feature "forgot password", "reset password" or CRUD operations for User and Role.
In other words, Passport lacks a number of commonly used features that are provided by Spring Security. Is there any Node.js library that provides these features?
I know it's already mentioned in the question, but for anyone else brand new to Node coming here from Google and skipping right to the answers like I did:
http://www.passportjs.org
Looks like the most widely used free library that is somewhat comparable to Spring Security, although as the original question points out it is only focused on authentication, so it doesn't cover every feature Spring Security has (like role-based authorization).
https://auth0.com
https://stormpath.com
and tons of others. Just google "User Management" node.js.
Or at the end of the day write your own. Writing user management in Sails takes about an hour, and they have integration with things like Mandrill for sending forgotten-password notices.
Although Spring Security is one of the best open source security frameworks, the features "forgot password" and "reset password" aren't implemented by default. You will need to create your view pages and controllers for it. The default User and Role are very basic security models that are recommended just for very basic web apps. In most cases you will need to save and manage them in your database and customize all features for reset and forgot password. It can become very complex as you customize your security rules.
For Node there are so many options out there. I agree with @KPD that the closest equivalent of Spring Security is passportjs (18.7k stars on GitHub); although it is much simpler than Spring Security, sometimes the secret to success lies in simplicity.

What advantages do PHP frameworks provide considering security perspective?

There are many PHP frameworks available, namely:
Zend
CakePHP
CodeIgniter
Symfony
and so on....
Which security-related issues are taken care of by most of the frameworks?
(As far as I know, the Cross-site scripting (XSS) vulnerability is handled by most of them if we use their methods. What other issues are taken care of by most of them?)
Along with the usage of a framework in a project, what other security concerns need to be taken care of?
EDIT: In my case I am using the CodeIgniter framework.
I've created a little overview table a while back: http://matrix.include-once.org/framework/ which includes a few summaries about the basic cornerstones of web app security:
DB escaping / or parameterized SQL (e.g. via ORMs)
input filtering / sanitization
output encoding
authorization hash function (if any)
separation of frontend and admin backend (not completed, mostly n/a)
If I wanted to generalize, the big frameworks do indeed cover a lot of that. So the real issues become logical oversights in the business/processing layer.
Well, this is a bit of a vague question, as it entirely depends on what framework you are talking about.
All of the frameworks you have listed use a database abstraction layer of some sort, be it a simple query builder or a larger ActiveRecord/ORM implementation. These database abstraction layers will stop SQL injection most of the time.
CodeIgniter provides an Encrypt class which will help you generate passwords and random strings. In your main config file is an "encryption key" which will be specific to your application. This means your application will have a unique salt compared to another application, so if somebody gets a copy of/access to your database they won't be able to work out the passwords.
There are plenty of other security features specific to each framework, but those are the basics.
No matter how much attention and thought has gone into making sure a PHP framework is secure, the reality is that there is always room for improvement, and even though frameworks like CodeIgniter provide XSS filtering, input filtering, request validation, database abstraction and other nice things, there will always be bugs and issues.
Never solely rely on a framework's built-in security protection methods. Always read into how a framework does something, understand the logic and then rewrite it to meet your needs if you find something isn't as secure as it should be.
However, having said the above, I have been using CodeIgniter for a few months on a couple of high-end, high-traffic websites and can't say that I have experienced any security issues or breaches. The one true advantage of a framework when it comes to security is that it's probably protecting you from some kind of attack you never knew existed in the first place (which is an awesome bonus).
Read into how CodeIgniter and other frameworks solve security issues and protect your applications; you'll find it will strengthen your development knowledge and benefit you in the future when you write large-scale applications that require tough security and high reliability.
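Of the cornerstones in the overview list above (parameterized SQL, input filtering, output encoding), output encoding is the one most often done half-way: a single "escape HTML" helper applied in every context. The following is an added example, not code from CodeIgniter or any other framework named on this page, showing why the encoding has to follow the output context. It implements three encoders (element text, attribute value, URL query parameter) and a tiny placeholder renderer that picks one per placeholder; the template syntax, the `render` helper and the sample data are constructed for illustration. It uses only JavaScript built-ins, so the same logic applies on the server or in the browser.

```javascript
// Added example (not CodeIgniter or any framework's code): context-aware output
// encoding. The {{name}}, {{name|attr}} and {{name|url}} template syntax is a
// constructed illustration, not a real templating language.

// Element text: the characters that can start a tag, an entity, or end a quoted value.
const HTML_TEXT_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_TEXT_MAP[c]);
}

// Attribute value: encode everything except ASCII alphanumerics as a numeric
// entity, so the value stays inert even if a template author left the quotes off.
// The 'u' flag makes the regex iterate by code point, not UTF-16 code unit.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Query-string parameter: percent-encoding, so a value cannot add or split parameters.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Renderer: the context is chosen by the template, never by the data.
//   {{n}}      -> element text encoding
//   {{n|attr}} -> attribute encoding
//   {{n|url}}  -> URL parameter encoding
function render(template, data) {
  return template.replace(/\{\{(\w+)(?:\|(attr|url))?\}\}/g, (_, name, ctx) => {
    const value = data[name] === undefined ? '' : data[name];
    if (ctx === 'attr') return encodeForHtmlAttribute(value);
    if (ctx === 'url') return encodeForUrlParam(value);
    return encodeForHtml(value);
  });
}

// Constructed sample: one untrusted display name rendered in all three contexts.
const SAMPLE_TEMPLATE =
  '<p>Hello {{name}}</p><input value="{{name|attr}}"><a href="/users?q={{name|url}}">me</a>';
const SAMPLE_DATA = { name: 'O\'Brien <b>& "Co"' };

function demo() {
  return render(SAMPLE_TEMPLATE, SAMPLE_DATA);
}

module.exports = { encodeForHtml, encodeForHtmlAttribute, encodeForUrlParam, render, demo };
```

The design point is that the encoder is selected where the value is inserted, by the template, because only the template knows whether the value lands between tags, inside an attribute or inside a URL; "sanitizing" the input on the way in cannot know that, which is why frameworks put the encoding in the view layer.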

Grails security [closed]

Closed 10 years ago.
Which is the best security solution for grails among acegi, jsecurity and Stark security?
JSecurity actually became an Apache project under the name Apache Ki a while ago, and they weren't happy with the name change for some reason and changed it to Apache Shiro soon after that. Also, Stark is just a Grails plugin wrapper for Spring Security, and Acegi is the origin of the Spring Security project.
So which one to use?
Firstly, Spring Security is a mature security API and already widely used, so from a stability, support and especially security viewpoint it is a good choice. Shiro unfortunately loses a bit here since, as far as I know, it's still lacking in widespread adoption.
Secondly, the way the security framework actually behaves is quite important; it has to enable you to use your favorite scheme of securing your application. For example, while some people like the way Shiro works (see this tutorial, esp. the part under the heading "Quickstart.java"), others couldn't live without Spring Security's Spring-esque stuff, and so on and so forth. Basically you need to try both and figure out if they meet your needs from a usability point of view.
Thirdly, be sure of the actual security! Spring Security can be guaranteed to be secure; Shiro is most likely secure, because no widespread adoption hides security issues easily. See for example Firefox vulnerabilities to see how an increased user base starts to affect the actual security of the application in the long run.
To end this, if I had to choose for you, I would pick Spring Security because it's widely used, it's guaranteed to be secure and already integrated with Grails. JSecurity/Ki/Shiro isn't bad at all and I've used it for a while, but at the moment it's in some sort of limbo state for who knows what reason, and for a security framework that's just unacceptable.
Edit: It's been over 1½ years since I answered this, so I felt the need to come back and say that our company recently decided to go with Spring Security due to its high pluggability and its proven functionality. This of course makes me a bit biased, but in any case, I'd say that Spring Security is the way to go.
Esko's answer is great and comprehensive. I did an evaluation of the different frameworks a month ago and chose Shiro as the underlying security framework, despite having previous experience with Spring Security. I needed a solution with the ability to create complex authorization requirements. JSecurity's model is very simple, yet very powerful.
What finally convinced me, though, is the Nimble plugin, which is a layer of UI on top of Shiro. It allows you to manage users, roles, groups, self-service account creation, email, etc., and is easy to integrate into your application. Not having to write all that code was a huge win for me. It also allows integration with OpenID, Facebook, and others.
If Nimble worked for SpringSecurity, I would have probably chosen it, but I saw it as a huge win for me.
I've used both frameworks and love the way Shiro works in comparison to Spring's approach. I don't know why Spring Security is so popular. Unlike Shiro, Spring Security runs wild throughout the application whenever configuration is needed. Isn't security a cross-cutting concern for most applications? If so, wouldn't it be "cleaner code" to isolate it to a single location? My two cents.
Thanks guys for your responses. I actually tried Spring Security on a Grails application. The Grails plugin makes it quite easy to use.
Regards,
Josh
