Security ideas on mobile


Bruno Oliveira

Mar 26, 2012, 1:18:01 PM
to jbos...@googlegroups.com

Hi folks,

I would like to have some feedback and new ideas about the best approach to improve mobile authentication/authorization from client to server side using REST resources.

Last week I was digging into the DS source code to see how we could provide authentication to endpoints. DS seems to be a promising project but is currently in the development phase, so some of the interesting parts like JaasAuthenticator and Idm integration are still under discussion or development, like credentials https://github.com/abstractj/incubator-deltaspike/blob/master/deltaspike/modules/security/impl/src/main/java/org/apache/deltaspike/security/impl/IdentityImpl.java#L246. Of course that's open source and we can contribute, I'm just worried about the timeframe.

DS has some ideas to use Apache Shiro (https://issues.apache.org/jira/browse/DELTASPIKE-62), but if that becomes true a lot of work will come with CDI, I guess (http://shiro.apache.org/integration.html). Looking into the sources, they don't have Shiro implemented yet.

SecurityInterceptor (https://github.com/abstractj/incubator-deltaspike/blob/master/deltaspike/modules/security/impl/src/main/java/org/apache/deltaspike/security/impl/SecurityInterceptor.java#L34) could be useful to abstract the security layer, but we would still be tied to DS through its annotations.

I started to write 3 functional requirements for our project with Jay's review (with our basic needs - https://issues.jboss.org/browse/AEROGEAR-7) and last Friday I wrote some thoughts https://github.com/abstractj/aerogear-security/tree/jaas to decouple authentication from MVC (it's just an idea and not a final solution).

I would like to hear suggestions/feedback about it; if somebody knows a better way to move forward, please put your ideas on the table.

ps: 

- If you don't have access to this repository, just ask for permission with your GitHub credentials.

- The example was focused only on the MVC/security interactions; cryptography must be implemented/discussed.

- We're open to ideas :)

-- 

"Know the rules well, so you can break them effectively" - Dalai Lama XIV
-
@abstractj
-
Volenti Nihil Difficile


Pete Muir

Mar 27, 2012, 12:32:38 PM
to jbos...@googlegroups.com
Can you give me access - my github username is pmuir.

Bruno Oliveira

Mar 27, 2012, 5:03:28 PM
to jbos...@googlegroups.com
Now it's public https://github.com/abstractj/aerogear-security :)

Pete Muir

Mar 28, 2012, 8:15:38 AM
to jbos...@googlegroups.com
I'm still very strongly in favour of doing this in Deltaspike. Is there a reason we are doing it outside? Timing?

tec...@gmail.com

Mar 28, 2012, 8:39:14 AM
to JBoss-RWP
<disclaimer> I've not read through all the threads.  Bruno comment as
well.</disclaimer>

I think the primary concern is about the timing, and that some of the
functionality we're looking for is Phase 3-4, while the discussions
are primarily around design of Phase 1.

It's not been decided one way or another at this point whether it would
be separate.  I think Bruno is primarily looking at PoC, and
integration/tech review.

What Bruno and I have discussed is that depending on how things pan
out one approach may be that we develop in some functionality in
parallel with the intention of contributing that back to DS.  The
other thought is to discuss how to move DS more quickly to where we
need it (help with impl?).

Bruno also just linked to some information on https://github.com/picketlink/picketlink-rest
which he's looking at.

So lots of moving pieces, hopefully Bruno's research, DS discussions
and other items can jump start this.

On Mar 28, 8:15 am, Pete Muir <pm...@redhat.com> wrote:
> I'm still very strongly in favour of doing this in Deltaspike. Is there a reason we are doing it outside? Timing?
>
> On 27 Mar 2012, at 22:03, Bruno Oliveira wrote:
>
> > Now it's public https://github.com/abstractj/aerogear-security :)
>
> > On Tue, Mar 27, 2012 at 1:32 PM, Pete Muir <pm...@redhat.com> wrote:
> > Can you give me access - my github username is pmuir.
>
> > On 26 Mar 2012, at 18:18, Bruno Oliveira wrote:
>
> > > Hi folks,
>
> > > I would like to have some feedback and new ideas about the best approach to improve mobile authentication/authorization from client to server side using REST resources.
>
> > > Last week I was digging into DS source code to see how we could provide authentication to endpoints, DS seems to be a promising project but currently in development phase. So, some of the interesting parts like JaasAuthenticator and Idm integration are still under discussion or development, like credentials https://github.com/abstractj/incubator-deltaspike/blob/master/deltasp.... Of course that's open source and we can contribute, I'm just worried about timeframe.
>
> > > DS have some ideas to use apache shiro (https://issues.apache.org/jira/browse/DELTASPIKE-62), but if it become true a lot of work to do will come with CDI I guess (http://shiro.apache.org/integration.html). Looking into the sources, they don't have Shiro implemented yet.
>
> > > SecurityInterceptor (https://github.com/abstractj/incubator-deltaspike/blob/master/deltasp...) could be useful to abstract security layer, but we still be tied to DS using annotations.
>
> > > I started to write 3 functional requirements for our project with Jay's review (with our basic needs - https://issues.jboss.org/browse/AEROGEAR-7) and last Friday I wrote some thoughts https://github.com/abstractj/aerogear-security/tree/jaas to decouple authentication from MVC (it's just an idea and not a final solution)

Bruno Oliveira

Mar 28, 2012, 9:43:43 AM
to jbos...@googlegroups.com
(repost) +1 disclaimer: We're not trying to reinvent the wheel.

We would like to take advantage of the experience of the great tech guys here about security (a huge and complex topic). I won't argue only in favor of timing, but because, as tech guys, writing code/ideas is a good way to show exactly what we're trying to achieve.

As I said, DS is a great project; aerogear-security doesn't aim to be a revolutionary security framework, but to make use of existing solutions, and we're focused on part 3/4 of the DS use cases.

For this reason I'm tracking it and I would like some opinions/suggestions about mobile use case scenarios (https://github.com/abstractj/aerogear-security/blob/jaas/README.md).

I hope to give something back to DS; IMO a minor proof of concept is the best manner to improve mobile use cases and also DS scenarios.

ps: Some PicketBox team involvement in this discussion would be really valuable.

- Bruno

abstractj

Mar 28, 2012, 8:53:32 AM
to JBoss-RWP
One more disclaimer as well - We're not trying to reinvent the wheel.

We would like to benefit from the experience of the great tech guys
here. Pete, I agree with you that DS could solve our problem and I
won't argue only in favor of timing, but I believe that writing some code/
ideas is the best way to express exactly what we're looking for.

As Jay said, we're doing it and tracking DS to contribute back to DS;
part 3/4 of the drafts are our focus for mobile. IMO doing some POC and
testing with real scenarios will be the best way to improve DS use
cases.

I started to write more scenarios/ideas and I would like to share with
you guys: https://github.com/abstractj/aerogear-security/blob/jaas/README.md

On Mar 28, 9:39 am, "tec...@gmail.com" <tec...@gmail.com> wrote:
> <disclaimer> I've not read through all the threads.  Bruno comment as
> well.</disclaimer>
>
> I think the primary concern is about the timing, and that some of the
> functionality we're looking for is Phase 3-4, while the discussions
> are primarily around design of Phase 1.
>
> Its not been decided one way or another at this point whether it would
> be separate.  I think Bruno is primarily looking at PoC, and
> integration/tech review.
>
> What Bruno and I have discussed is that depending on how things pan
> out one approach may be that we develop in some functionality in
> parallel with the intention of contributing that back to to DS.  The
> other thought is to discuss how to move DS more quickly to where we
> need it (help with impl?).
>
> Bruno also just linked to some information on https://github.com/picketlink/picketlink-rest
> which he's looking at.
>
> So lots of moving pieces, hopefully Bruno's research, DS discussions
> and other items can jump start this.
>
> On Mar 28, 8:15 am, Pete Muir <pm...@redhat.com> wrote:
>
> > I'm still very strongly in favour of doing this in Deltaspike. Is there a reason we are doing it outside? Timing?
>
> > On 27 Mar 2012, at 22:03, Bruno Oliveira wrote:
>
> > > Now it's public https://github.com/abstractj/aerogear-security :)
>
> > > On Tue, Mar 27, 2012 at 1:32 PM, Pete Muir <pm...@redhat.com> wrote:
> > > Can you give me access - my github username is pmuir.
>
> > > On 26 Mar 2012, at 18:18, Bruno Oliveira wrote:
>
> > > > Hi folks,
>
> > > > I would like to have some feedback and new ideas about the best approach to improve mobile authentication/authorization from client to server side using REST resources.
>
> > > > Last week I was digging into DS source code to see how we could provide authentication to endpoints, DS seems to be a promising project but currently in development phase. So, some of the interesting parts like JaasAuthenticator and Idm integration are still under discussion or development, like credentials https://github.com/abstractj/incubator-deltaspike/blob/master/deltasp.... Of course that's open source and we can contribute, I'm just worried about timeframe.
>
> > > > DS have some ideas to use apache shiro (https://issues.apache.org/jira/browse/DELTASPIKE-62), but if it become true a lot of work to do will come with CDI I guess (http://shiro.apache.org/integration.html). Looking into the sources, they don't have Shiro implemented yet.
>
> > > > SecurityInterceptor (https://github.com/abstractj/incubator-deltaspike/blob/master/deltasp...) could be useful to abstract security layer, but we still be tied to DS using annotations.
>
> > > > I started to write 3 functional requirements for our project with Jay's review (with our basic needs - https://issues.jboss.org/browse/AEROGEAR-7) and last Friday I wrote some thoughts https://github.com/abstractj/aerogear-security/tree/jaas to decouple authentication from MVC (it's just an idea and not a final solution)

Lincoln Baxter, III

Mar 28, 2012, 10:02:44 AM
to jbos...@googlegroups.com
If you haven't already, you should take a look at two things for potentially securing REST endpoints: URL-based security, which can be implemented using a URLRewriteFilter rules framework like http://ocpsoft.org/rewrite/ (no need to re-invent that wheel), or what I've prototyped in Seam Security (and am moving to DeltaSpike as soon as I can find a moment to breathe...), which implements security directly as an interceptor applied to the endpoints themselves. See below.

https://github.com/seam/security/blob/develop/api/src/main/java/org/jboss/seam/security/annotations/SecurityParameterBinding.java

    // A security binding type: marks the endpoint and the authorizer that guards it.
    @SecurityBinding
    public @interface ProjectAdmin
    {
        // empty
    }

    // A parameter binding: ties an endpoint argument to the authorizer parameter with the same annotation.
    @SecurityParameterBinding
    public @interface ProjectBinding
    {
        // empty
    }

    // The endpoint carries the binding; the interceptor runs the matching @Secures method before it.
    @PUT("/project/name...")
    @ProjectAdmin
    public void updateName(@ProjectBinding Project p, String name)
    {
        // save project name
    }

    // The authorizer receives the bound Project from the call plus the caller's Identity.
    @Secures
    @ProjectAdmin
    public boolean isProjectAdmin(@ProjectBinding Project p, Identity identity)
    {
        if (identity.hasRole("project" + p.getId() + "_admin"))
        {
            ...
        }
    }
--
Lincoln Baxter, III
http://ocpsoft.org
"Simpler is better."
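Lincoln's sketch above relies on the interceptor finding the `@Secures` method that carries the same binding as the endpoint and handing it the endpoint's arguments matched by their `@SecurityParameterBinding` annotation. The following is an added emulation of that lookup and binding, written for this thread and not Seam Security's or DeltaSpike's own code; the annotation names come from the sketch, while their declarations, the minimal Identity and Project classes and the deny-by-default rule are assumptions, and no CDI container is involved.

```java
import java.lang.annotation.*; import java.lang.reflect.*; import java.util.*;
// Stand-ins for the Seam Security meta-annotations named in the thread (assumed shapes, no CDI container).
@Retention(RetentionPolicy.RUNTIME) @interface SecurityBinding {}
@Retention(RetentionPolicy.RUNTIME) @interface SecurityParameterBinding {}
@Retention(RetentionPolicy.RUNTIME) @interface Secures {}
@SecurityBinding @Retention(RetentionPolicy.RUNTIME) @interface ProjectAdmin {}            // from Lincoln's sketch
@SecurityParameterBinding @Retention(RetentionPolicy.RUNTIME) @interface ProjectBinding {} // from Lincoln's sketch
class Project { final long id; Project(long id) { this.id = id; } long getId() { return id; } }
class Identity { final Set<String> roles = new HashSet<>();              // assumed minimal Identity
    Identity(String... r) { roles.addAll(Arrays.asList(r)); } boolean hasRole(String r) { return roles.contains(r); } }
class ProjectResource {      // the REST endpoint; the JAX-RS @PUT is left out, the check does not depend on it
    @ProjectAdmin public void updateName(@ProjectBinding Project p, String name) { /* save project name */ }
}
class Authorizers {          // the @Secures method that decides @ProjectAdmin for the bound Project
    @Secures @ProjectAdmin public boolean isProjectAdmin(@ProjectBinding Project p, Identity identity) {
        return identity.hasRole("project" + p.getId() + "_admin");
    }
}
public class BindingInterceptorDemo {
    static Class<?> paramBinding(Method m, int i) {  // annotation on parameter i marked @SecurityParameterBinding, or null
        for (Annotation a : m.getParameterAnnotations()[i])
            if (a.annotationType().isAnnotationPresent(SecurityParameterBinding.class)) return a.annotationType();
        return null;
    }
    // Emulates the interceptor: every @SecurityBinding on the target must be granted by a matching @Secures method.
    static boolean authorize(Method target, Object[] args, Object bean, Identity identity) throws Exception {
        for (Annotation binding : target.getAnnotations()) {
            if (!binding.annotationType().isAnnotationPresent(SecurityBinding.class)) continue;
            boolean granted = false;                             // deny by default: no authorizer means no access
            for (Method auth : bean.getClass().getMethods()) {
                if (!auth.isAnnotationPresent(Secures.class) || !auth.isAnnotationPresent(binding.annotationType())) continue;
                Object[] in = new Object[auth.getParameterCount()];
                for (int i = 0; i < in.length; i++) {
                    if (auth.getParameterTypes()[i] == Identity.class) { in[i] = identity; continue; }
                    Class<?> pb = paramBinding(auth, i);         // bind by annotation, not by position or type
                    for (int j = 0; j < args.length; j++) if (pb != null && pb == paramBinding(target, j)) in[i] = args[j];
                }
                granted = (Boolean) auth.invoke(bean, in);
            }
            if (!granted) return false;
        }
        return true;
    }
    public static void main(String[] a) throws Exception {
        Method target = ProjectResource.class.getMethod("updateName", Project.class, String.class);
        Object[] args = { new Project(42), "renamed" };
        System.out.println("project42_admin: " + authorize(target, args, new Authorizers(), new Identity("project42_admin")));
        System.out.println("project7_admin:  " + authorize(target, args, new Authorizers(), new Identity("project7_admin")));
    }
}
```

Save as BindingInterceptorDemo.java, compile with javac and run java BindingInterceptorDemo; the caller holding project42_admin is granted and the one holding only project7_admin is refused, which is the per-resource role check from the sketch.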

Stephane Epardaud

Mar 28, 2012, 10:43:12 AM
to jbos...@googlegroups.com
This is cool, if there's an API we can use to reuse those sorts of
checks, for example for the automatic injection of Atom links, which
are conditioned on security checks.

--
Stéphane Épardaud

Jay Balunas

Mar 28, 2012, 8:32:59 AM
to jbos...@googlegroups.com, Jay Balunas
On Mar 28, 2012, at 8:15 AM, Pete Muir wrote:

> I'm still very strongly in favour of doing this in Deltaspike. Is there a reason we are doing it outside? Timing?

<disclaimer> I've not read through all the threads.  Bruno comment as well.</disclaimer>

I think the primary concern is about the timing, and that some of the functionality we're looking for is Phase 3-4, while the discussions are primarily around design of Phase 1. 

It's not been decided one way or another at this point whether it would be separate.  I think Bruno is primarily looking at PoC, and integration/tech review.

What Bruno and I have discussed is that depending on how things pan out one approach may be that we develop in some functionality in parallel with the intention of contributing that back to DS.  The other thought is to discuss how to move DS more quickly to where we need it (help with impl?).

Bruno also just linked to some information on https://github.com/picketlink/picketlink-rest which he's looking at. 

So lots of moving pieces, hopefully Bruno's research, DS discussions and other items can jump start this.

Pete Muir

Mar 28, 2012, 12:10:42 PM
to jbos...@googlegroups.com
Ok, sounds reasonable. In terms of timings, I think the thing to do is to write to the deltaspike-dev mailing list saying:


(a) these are the use cases you want to address
(b) that your evil boss has given you deadlines for this
(c) that you are aware that DS plans these a bit later on
(d) that you really do want to use DS
(e) that if you provide the manpower to impl, can we accelerate those use cases

Bruno Oliveira

Mar 29, 2012, 11:55:11 AM
to jbos...@googlegroups.com
- Lincoln 

Thanks a lot. I think that your idea is the way to go.

Do you have JIRAs for it on DS? Let me know if I can help with something.

- Pete

It's not about pressure, it's about testing interactions with mobile devices x security :) We'll never know how it works until we write some code.

Lincoln Baxter, III

Mar 29, 2012, 12:14:45 PM
to jbos...@googlegroups.com
I do.

https://issues.apache.org/jira/browse/DELTASPIKE-126

I'm currently working on committing this as we speak :)

~Lincoln

Lincoln Baxter, III

Mar 29, 2012, 12:15:47 PM
to jbos...@googlegroups.com
This is just a prototype, so once I commit, I think it will need some "robustness" added to it. E.g. Error messaging when developers screw up on types.

Bruno Oliveira

Mar 30, 2012, 5:18:41 PM
to jbos...@googlegroups.com
Hi guys, after all the suggestions I was looking at the sources of Lincoln's commit and definitely this is the way to go. I was talking with Lincoln and currently DS doesn't have support for providers like JAAS (punch me in the face if I'm wrong).

The next steps are:

- Implement what Lincoln did on DS in aerogear-security (I'm doing it here and it must be finished! https://github.com/abstractj/aerogear-security/tree/deltaspike)

- Currently DS is using in-memory credentials for testing. So I'll implement JAAS integration as a replacement for the in-memory credentials.

- I'm receiving a 404 error in my integration tests, but DS is up and running. I need to figure out what's happening.

- The last step of this initial phase will be to use @SecurityBinding

Useful resources:

- Bruno

Jay Balunas

Mar 31, 2012, 7:13:55 PM
to jbos...@googlegroups.com, Jay Balunas
Thanks for the writeup Bruno!  I'll get some follow-up comments tomorrow, or Monday.

If anyone else has more to share, concerns, or questions, let's talk about it here.  I know that Bruno is talking with Lincoln and the DS guys on this, so I'm feeling good about the direction.

As I said I'll review in more detail asap!

Lincoln Baxter, III

Mar 31, 2012, 8:00:00 PM
to jbos...@googlegroups.com, Jay Balunas

I have a very large email coming. It still needs revision before I send it out. Hopefully tomorrow.

---
Lincoln Baxter's Droid


http://ocpsoft.org
"Simpler is better."

Jason Porter

Apr 2, 2012, 12:56:31 PM
to jbos...@googlegroups.com, Jay Balunas
Good stuff. Glad to hear that Lincoln's idea will work. I looked through once it was committed and really liked what I saw. Certainly some use cases and poc work will go a long way in getting this done for v0.3 or v0.4 (I would think). We're hoping to start a v0.2 release next week unless there are objections. This would include the current security stuff and also the code Lincoln put in.