As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
Which is the best security solution for grails among acegi, jsecurity and Stark security?
JSecurity actually became an Apache project under the name Apache Ki a while ago and they weren't happy with the name change for some reason and changed it to Apache Shiro soon after that. Also Stark is just a grails plugin wrapper for Spring Security and acegi is the origin of Spring Security project.
So which one to use?
Firstly, Spring Security is a matured security API and already widely used so from stability, support and especially security viewpoint it is a good choice. Shiro unfortunately loses a bit in this since as far as I know, it's still lacking in widespread adoption.
Secondly, they way the security framework actually behaves is quite important, it has to be able to enable you to do your favorite scheme of securing your application. For example while some people like the way Shiro works (see this tutorial, esp. the part under headline "Quickstart.java") others couldn't live without Spring Security's Spring-esque stuff and so on and so forth. Basically you need to try both and figure out if they meet your needs from usability point of view.
Thirdly, be sure of the actual security! Spring Security can be guaranteed to be secure, Shiro is most likely secure because no widespread adoption hides security issues easily, see for example Firefox vulnerabilities to see how increased user base starts to affect the actual security of the application in the long run.
To end this, if I had to choose for you, I would pick Spring Security because it's widely used, it's guaranteed to be secure and already integrated with Grails. JSecurity/Ki/Shiro isn't bad at all and I've used it for a while, but at the moment it's in some sort of limbo state for who knows what reason and for a security framework that's just unacceptable.
Edit: It's been over 1½ years since I answered this, so I felt the need to come back and say that our company recently decided to go with Spring Security due to its high pluggability and its proven functionality. This of course makes me a bit biased but in any case, I'd say that Spring Security is the way to go.
Esko's answer is great and comperehensive. I did an evaluation of the different frameworks a month ago, and chose Shiro as the underlying security framework, despite having previous experience with Spring Security. I needed a solution with ability to create complex authorization requirements. JSecurity's model is very simple, yet very powerful.
What finally convinced me, though, is Nimble plugin, which is a layer of UI on top of Shiro. It allows you to manage users, roles, groups, self-service account creation, email, etc... and is easy to integrate into your application. Not having to write all that code was a huge win for me. It also allows integration with OpenId, facebook, and others.
If Nimble worked for SpringSecurity, I would have probably chosen it, but I saw it as a huge win for me.
I've used both frameworks and love the way Shiro works in comparison to Spring's approach. I don't know why Spring Security is so popular. Unlike Shiro, Spring Security runs wild throughout the application whenever configuration is needed. Isn't security a cross-cutting concern for most applications? If so, wouldn't it be "cleaner code" to isolate it to a single location? My two cents.
Thanks guys for your responses. I actually tried spring security on a grails application. The grails plugin makes it quite easy to use.
regards.
Josh
Related
For 90% of every security-related Grails tutorial, they tell you to store your User objects in a session-scoped variable. That's all nice and easy, but I wonder if it's too good to be true, especially with plugins like Spring Security that offer many times more features.
For the simple, "I am a user and therefore I am entitled to view/edit my own domain objects" applications that I develop, I store my User objects in a session. However, this got me thinking how Grails supports J2EE security and sessions in its own implementation (it does use a temporary session ID in the cookie, right?). Furthermore how vulnerable is it to attacks like cookie injection and cross-site/stray JS?
I don't want to actually invest the time in learning, integrating, and maintaining a plugin for an app that might not need it, so my question is, is Grails's session implementation secure enough for simple applications, and is there a very good reason I should use a security plugin even for these trivial tasks?
On a side-note, if anyone can point me to a good OpenID/Facebook login implementation, that would be terrific.
Regarding security concerns I would always suggest to prefer proven and widely adopted solutions over your own rolled security implementation. Spring Security was founded in 2003 under the name Acegi and brings you more than eight years of experience and development for your security concerns.
As you already pointed to the Grails Spring Security plugin you should have a look at the OpenID plugin Spring Security OpenID which extends the Spring Security Core and brings you the OpenID support.
reason I should use a security plugin even for these trivial tasks?
... on a basic level it's also trivial to use the plugin so what's there to lose? Screencast to get you started
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 12 years ago.
I'm building a web app and starting to feel the pain developing slick UI features -- I tried iPhone/Android programming and it's so damn simple. Why is it that everyone still settles for the hacked-together tools that comprise web programming, instead of gravitating towards RIAs?
I want to program the app with an RIA but...the most popular websites are suspiciously not using them.
Thanks!
There's a couple of drawbacks to RIA... I'm mostly speaking to Flash/Silverlight and the like, as Ajax RIA is a bit different. The drawbacks:
Vendor lockin... once you develop a platform using RIA you are locked into whichever vendor supports the RIA. You are at the mercy of their support, upgrade paths, etc. Using standard web technologies you won't fall into this.
Search engine indexing... Search indexing of RIA is relatively new, so there might be issues getting your content known.
Performance/interoperability issues... Everyone knows about Apple's rejection of Flash. Writing your web application adhering to the standards guarantees your application is accessible to any standards compliant browser. A company like Apple can't just pull the plug on you.
Accessibility issues... It might not be as easy to program for 508 compliance using Flash/Silverlight as it would be with plain-old HTML. 508 compliance is a must for any big website.
You mentioned phones... (Android/iOS) Obviously people don't target mobile phones using Flash/Silverlight for the aforementioned reasons. For phones, generally it makes more sense to create a mobile application as you get more native features then you would if you were creating a mobile website. However, creating a mobile website requires you to write your application once whereas you would need to write your application for each phone you wish to target if you went the mobile application route.
Flex feels slow and non-native.
RIAs running on the desktop generally have to feel native on at least two very different operating systems. You then have to deal with issues on the users machine and the whole nightmare of versioning and upgrades. Web apps only have to work on your server configuration.
RIAs running in the browser feel even slower because all that slickness has to be transferred to the client. They also break the way people expect websites to work.
They are useful for some applications, but normal HTML/JS/AJAX serves most web applications better.
Phones are a different environment entirely and make more sense for the RIA model in many ways.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
What are the best practices for securing a coldfusion webpage from malicious users? (including, but not limited to, sql injection attacks)
Is cfqueryparam enough?
I use a modified portcullis, and filter all incoming var scopes (URL,FORM,COOKIE) onRequestStart.
http://portcullis.riaforge.org/
Pete Freitag has an awesome blog, especially this post on Hardening ColdFusion
Never trust the client.
The most ColdFusion specific "set and forget" is following server administrator hardening guidelines noted above, keeping the server up-to-date, and following ColdFusion on twitter to learn about any new issues immediately.
For app security, which is common across all languages, you should validate every piece of information that touches your server from the client. Forms are are obvious areas of tight control, but don't forget about URL parameters that you might use for application state management or control. Something like &startRow=10&tag=security which isn't "supposed" to be touched by the user is user input. Even if your application could never break with invalid data, you might not know how that data will be used in the future. Validation could be as simple as ensuring that someone isn't entering a 100 character long first name and doesn't contain programming characters or ensuring that &startRow is always a number. These are the little things that application developers sometimes skip because everything works OK as long as you are using the software as expected.
I believe you can look at the Sony Playstation hacking as an example. Unfortunately, they didn't expect someone to hack the client (playstation console) and manipulate the PlayStation console software to hack the server. The server trusted the client.
Never trust the client.
I would say best practices for ColdFusion are similar to those for programming web applications in any language.
I recently read Essential PHP Security Chris Shiflett and the majority of issues discussed affect ColdFusion as well, though the syntax for dealing with them may be slightly different. I expect there are other (possibly better) language agnostic books which contain principles which can easily be altered for use in ColdFusion.
Although using a prebuilt solution will work, I recommend knowing all the possible issues that must be protected. Check out Hack Proofing ColdFusion at Amazon.
Another great place to learn about security (and all kinds of other topics) is to check out Charlie Arehart's massive list of recorded user group presentations: http://www.carehart.org/ugtv/
Here is information on a good tool that can be used to prevent XSS.
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
http://www.petefreitag.com/item/760.cfm
Fairly easy to implement and Java based.
I recommend you the excellent talk by Justin McLean "ColdFusion Security and
Risk Management". It includes a case study.
PDF presentation http://cdn.classsoftware.com/talks/CFMeetupSecurity.pdf
Video streaming: http://experts.adobeconnect.com/p22718297
CfQueryParam is very important, but not nearly enough.
There is a boxed solution we use at my work: http://foundeo.com/security/. It covers most of the bases. And even if you don't want to buy it, you can take a look at it's feature set and get an idea of the things you should be considering.
You may like to check -
http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-8000.html
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I am interested in learning about how hackers find and exploit vulnerabilities. Specifically about windows hacking and web hacking i.e. I’m NOT interested in linux/unix stuff.
Are there any good websites with technical articles about specifically how to find, exploit and block vulnerabilities with code samples and tools used.
I can do a quick search and there are a load of sites but i'm looking for something with a little more quality geared towards an audience with a programming and web background.
Even a good book but only if it's windows/web specific
Thanks a lot
Smashing the Stack for Fun and Profit is the classic Phrack article on writing buffer overflow exploits.
A good starting point for a web developper would be the Open Web Application Security Project (OWASP). They have a lot of ressources on the subject of Web Application Security and on some on application security in general. You can get some of the wisdom of that side in book form.
Try Simpson Garfinkel's book on web security first.
I highly recommend:
Hacking: The Art of Exploitation
Gray Hat Hacking, Second Edition: The Ethical Hacker's Handbook
I liked the Web Security Testing Cookbook. Some non-Windows stuff in there. The focus is on testing and using tools to find problems.
Subscribe to Schneier on Security. It's a great security blog.
For web hacking I recommend reading the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (very good book with lots of examples. It also shows you the tools which will get you started).
Also for web hacking I recommend completing and understanding all the challenges you can solve by downloading the WebGoat
See the top 100 network security tools list at http://sectools.org/.
Don't get me wrong but if you really want to understand security stuff, Linux is really the way to go. There, you'll really learn the fundamental, i.e. things that is important everywhere (encryption, ASM, programming, protocols, [etc]). However, on Linux, you'll be able to read real code and use/find real exploit (and of course, send bug fix). You'll also find a lot more documentation and a really nice community.
I know I'm biased toward Linux and you'll probably think I completely missed your question. However, I know friends of mine who asked me the same question and I told them what I've just told you.
Once you know the base, you can easily find the documentation you want (reading RFC, learning new languages, architectures, tools, source code, etc..) This is by far better then to know a procedure to execute an exploit without understanding why it exists.
One last thing, the best hacker does't find exploit by guessing.. they have a perfect understanding on the underlying structure and see something wrong. Then, some exploit it, other send a patch to fix it - this is not the right place to argue about it - however, they are both experts in this domain.
I think what you'll need would be to join some hackers community which would provide many missions where you'd have to find the exploits yourself....
understand that if you have learn hacking you'd have to hack something......
www.enigmagroup.org would be an useful one...
www.securitytube.net from here you can get videos on almost every security related issue...
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
It would seem to me that many large enterprises already have robust directory services such as Active Directory and it would be silly to constantly duplicate users in an application-specific store.
Even if you require duplicating the user store, you can provide a mechanism to authenticate against Active Directory. Alternatively, you could support a standards-based SSO mechanism that leverages SAML.
Support for the XACML protocol. Duplicating information on roles and entitlements is equally insidious.
Support for the SPML protocol. Many enterprise leverage identity management toolkits and would at least like out of the box integration in terms of centralized management and provisioning.
So, why aren't open source projects considering this type of functionality as a default to getting on the radar within an enterprise context?
Lots of reasons, but one of the biggest is that there's less convergence on what the right or best methods really are than you seem to believe.
Active Directory, for example, is kind of notorious for presenting implementation difficulties to non-Microsoft developers.
There are probably a half dozen competing single-sign-on "standards".
It's very difficult to reconcile different roles/privileges models -- hell, Sun has trouble reconciling the models of Solaris Trusted Extensions with the Java model.
Solving those problems isn't a lot of "fun" and so FOSS developers are attracted to other issues.
I think that Charlie nailed it:
solving security problems is hard and generally not a whole lot of fun
OSS developers tend to be all about enjoying what they are working on. I work on a number of "enterprise class" efforts as part of my professional life and I will agree that they are not a whole lot of fun. However, this is one of my never ending griefs with OSS components... we have trouble using them in our solutions because they do not meet our customers needs.
I think that the general reasons are:
universities tend to ignore this aspect of "enterprise development"
too many standards to choose from
no clear market leader
the different security providers are difficult to configure and test
the entire application security paradigm requires a lot of expertise before you can even start trying to integrate
Personally, I blame the first one. Most engineers do not even consider how an application can be used in a larger context. They are interested in solving the problem at hand and not at all interested in providing a usable solution. Most FOSS solutions are very much an interesting solution to an interesting problem. A corporate entity normally comes along and provides the commercial packaging that makes the FOSS solution actually usable in a real environment. Of course, this packaging comes with a price tag attached.
Open ID is a start towards providing an "authentication" solution. (To the best of my knowledge, it has no "provisioning" mechanism, though. You have to trust the external authority to identify an account, then add your site's / app's version of that account using your own devices)
If anybody knows of some kind of open "authorization" solution to centralize the management of roles, that would be interesting as well. That sounds like the sort of thing you would do in-house, though, with roles that have a defined meaning in your organization. I'm sure IBM or Oracle would be happy to take a big chunk of change and make something for you, though :-)
You may not want to have your active directory / LDAP contains the role of all your users for all your applications. If you have a lot of movement in your structure, you may have a lot of daily modification going on.
Also, the information in the user store may be quite specific, and may not have its place in a global repository.
Least, the notion of role can be quite variable. We have three application that possess the notion of "mananger", each one having a slightly different definition of what is a manager and who he/she is managing.
regards,
Guillaume