For a recent project a friend of mine and I have been working on, we want to build a RESTful web API for client application usage. I believe that I have a fairly good grasp of the top-down picture after reading this, but am fairly clueless when it comes to security issues.
I know of OAuth and plan on implementing it, but are there any other concerns we should address first thing? I would hate to spend a large amount of time developing these features to find out later that we've left the site open for malicious attack.
Thanks.
If you are looking for general information on Web security, check out OWASP Ruby on Rails Security Guide V.2. (There's also a first edition which I read back in the day.) Check out OWASP's web site for more security related information.
A few more resources for you:
Great walkthrough of common web attacks and how to deal with them in rails
https://www.honeybadger.io/blog/guides/2013/03/09/ruby-security-tutorial-and-rails-security-guide
Rails insecure defaults
http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults
All about sql injection, goes beyond the simple examples
http://rails-sqli.org
New security issues are listed at
Related
I am creating a new React SPA. Users of a legacy app need be able to use the new app without re-authenticating. So I need to support SSO.
It's important to note that it is also required that users of other (currently unspecified) apps should also be able to use the new app without re-authenticating, so whatever approach I take needs to be sufficiently decoupled to potentially allow this.
The legacy app supports authentication via Shibboleth, the new app currently has no authentication method, but uses JWT for authorisation.
I'm wondering if anyone has any experience of such a scenario? It seems to me that I probably need to be create an OAuth2 authorisation server for the new app to talk to and I need to somehow bring Shibboleth into the mix for the authentication, maybe with the authorisation service acting as a Shibboleth Service Provider. Googling around hasn't revealed much useful info.
Is what I've described along the right lines? I know it's very high level and woolly, but I'm really not sure of the approach to take. Any advice, information or experience in this area would be gratefully received!
GOALS
It's a little bit of a subjective question, but the main goals are usually as follows:
Focus on building your UI and API security in a future facing manner
Also provide good Login Usability
Also deliver on non functional requirements such as availability / reliability
AUTHORIZATION SERVER
On the first point, the modern option is to integrate UIs and APIs with an Authorization Server - perhaps as in My Tutorial. Your architecture is then good, but the migration is not trivial.
FEDERATING TO SHIBBOLETH
The Authorization Server can then redirect to Shibboleth and talk SAML2.0 to achieve Single Sign On, as you suggest. It is a complex solution though, and may be a backwards step in some ways.
AVAILABILITY
This is usually a big concern, and most companies use a cloud provider such as Azure / AWS due to its high availability / low maintenance / low cost. Would this be a better option for you?
I created a Rails API application, that is currently do his job awesomely, but I realized that is missing the most important part, a login from the React application and at the same time the authentication from a python application I developed that should consume those API as well.
Now, looking at the various offering, seems all fuzzy, at least from my prospective and I would like to have an advice that is not from 2016 or before but that is actual today.
Many solutions on the net, was getting dirty the main ApplicationController, that didn't make sense to me.
So I thought that a 'modern' way or let's say, 'a way' is to use doorkeep and devise.
I thought about Doorkeep because allow me to have the 'Applications' therefore I can delegate to applications the authentication in the proper way while using the JWT for the SPA application, but honestly I don't know from where to start deciding :)
I wanted to share here also the link of a blog post that inspired this question: https://www.vic-l.com/jwt-with-refresh-token-using-devise-and-doorkeeper-without-authorization/
Sadly something I found still, without an answer, at the moment, is Setting up DoorKeeper with multiple Rails/React applications?
Now, I can use doorkeeper to manage the JWT for the SPA and the applications for the client in Python ?
Thanks in advance!
I have spent the past three days researching OAuth 2.0 and I understood how OAuth can be used to interact with a service provided by a heavy weight such as Google or Facebook. However, I'm struggling to see how someone without a team of tech wizards (aka Me) goes about protecting their API with the protocol.
I have a number of questions and was wondering if someone with some experience can help me.
Here goes nothing...
Is there a clear cut leader in terms of an OAuth Authorization Server implementation (Java)? If yes, is there any good resource out there to teach me how to use it?
Its my understanding that I would need to either build an authorization server or leverage a library to dish out client secrets/tokens.
Should I even be thinking about a library or should I be building my own implementation?
Is OAuth still relevant? From what I can see, it seems like the hype around the technology has leveled off or diminished since 2010. I also saw an article where the spec lead disassociated himself from the protocol.
I appreciate any advice or help, I can't find many resources on this topic that address it clearly (tons of Powerpoints, no code). There seems to be a bunch of talk about how it works, yet no book or article can give a solid tutorial. The documentation for the providers I have found is also very spotty at best. I'm just really starting to question whether this is a legitimate undertaking for someone looking to protect their own simple API. Thanks ahead of time.
Take a look at the Libraries on the OpenID Connect developer pages here: http://openid.net/developers/libraries/
I don't think there's a clear cut leading Java implementation yet
I would not recommend implementing the Authorization Server part on your own, that is the complex part and details matter because this is about security; the client part is easier and should be possible to build even without a library
OAuth is very relevant as it is the only standard out there for securing REST APIs; the hype is over, and now it is common technology; just take a look at all big vendors/SaaS out there, they all use it (starting with Google, Microsoft, Facebook, Twitter etc.)
I feel a bit overwhelmed right now with how to approach building an SSO solution for a project I'm taking on. I understand that I need a centralized login site, but, I'd like input on what framework I should be using to achieve this. I've been reading a bit about Windows Identity Foundation (WIF), but, the lack of documentation and code samples is quite disappointing. DotNotOpenAuth sounds like it has much more usage by the community than WIF, but, I'm not sure if that's the right framework for me to use given that I am not going to be letting third-party accounts be used for logging in.
There are multiple user data stores to take into account as well; active directory and a SQL Server database.
I really don't care what framework I use so long as it's simple and intuitive; I don't want an overly complex solution. Documentation and samples are also a plus! I already have experience with creating custom role providers and membership providers; those were a breeze and easy to do.
Here is a very quick visual of the structure I'm dealing with:
Refer: Claims Based Identity & Access Control Guide and Identity Developer Training Kit. There's WIF samples there.
In terms of what you want to achieve, ADFS v2.0 will get you most of the way but it can only authenticate against AD. For SQL server, use IdentityServer and then federate ADFS and IdentityServer.
Have a look at SAML. It is designed to address SSO. You may also want to look into OpenID.
There are enterprise products out there, such as CA Site Minder or IBM Tivoli for this kind if thing. They are not cheap because building a custom solution for this will be quite a feat.
If you are .NET based - then .NET 4.5 (which includes WIF) is the way to go.
But the framework will be you simplest problem. Building that kind of security infrastructure is hard. Have a look at both the book and idenitity server from nzpcmad's answer as a starting point.
As far as cross-platform goes, SAML tends to lead the pack. There are many implementations (java, php, perl). As Dominick (#leastprivilege) mentioned, if every application is .Net based, WS-Fed via WIF is the way to go. (btw, Dominick is the man when it comes to WIF - definitely hit his blog and forums up if you plan on exploring that route)
OpenId and OAuth are alternatives that you will hear about. They are somewhat less secure (the trust is in the user, rather than the infrastructure) and you will find that you will have to build a provider in order to support sign-in using your own user store.
Regardless of the route you choose, be prepared to do a lot of reading and learning. Check out the wikipedia articles above for a nice overview of how these technologies work, and don't be afraid to ask questions..
What security measures should a Rails enterprise app have?
Examples of few security measures:
Admin area authenticated and IP restricted
No User added CSS, because of some old browsers can run JavaScript in CSS
Should User information in database be encrypted?
I would suggest looking over the Rails Security Guide which should go over the common pitfalls that you would usually encounter. Also check out the additional resources that they list on the guide:
The security landscape shifts and it is important to keep up to date,
because missing a new vulnerability can be catastrophic. You can find
additional resources about (Rails) security here:
The Ruby on Rails security project posts security news regularly:
http://www.rorsecurity.info
Subscribe to the Rails security mailing list
Keep up to date on the other application layers (they have a weekly
newsletter, too)
A good security blog including the Cross-Site scripting Cheat Sheet
There are a lot of essential security precautions such as a strong authentication system, validating user input to mitigate XSS and SQL injection attacks and escaping HTML at the views.
You can find information about common Ruby on Rails application vulnerabilities and their countermeasures at the Zen Rails Security Checklist.