deciding if a request for a resource by a client should be honored:
• Authentication - verify a client’s identity
• Authorization - validate a client’s permission to access a resource
• Access control - deciding whether to grant access to a resource based on the state of the system
• The most well-known architecture implementation is the Apache Web Server
• http://docs.oracle.com/cd/E12839_01/web.1111/e10144/security.htm
• Implementing AAA correctly is one of the most important aspects of building a secure application
• Without Authentication, no effective security decisions can be made, since the application won’t know who is accessing it
• Without Authorization, even known entities would have access to restricted or private resources (including other users’ accounts)
• Without Access Control, building protection wouldn’t be possible
a web application usually consists of:
• Sign-up/account creation
• Account activation
• Login and logout
• Password management
• Account management
• Object association
• Permission control
• Each component requires careful consideration and implementation to ensure that an application is secure
to provide some aspects of User Management
• Account creation mechanisms (but no sign-up)
• Login and logout
• Password management
• Account management (through ModelForms)
• Object association (through Model relationships)
• Permission control (through a highly functional permissioning system)
• Provides a few different classes:
• User, AnonymousUser
• Group
• Permission
• Views
• last_name
• email
• password
• is_staff
• is_active
• is_superuser
• last_login
• date_joined
• Has methods for determining if a User instance has authenticated
• Can manage setting/resetting/changing the user’s password
• Provides access to the permissions assigned to the User
a User
• UserManager can create a user
• To install Django User management:
• Put 'django.contrib.auth' and 'django.contrib.contenttypes' in INSTALLED_APPS in settings.py
• Run manage.py syncdb
• Create a User using the Django shell:
    >>> from django.contrib.auth.models import User
    >>> user = User.objects.create_user(username='bob', email='[email protected]', password='happytrees')
• Change a User’s Password:
    >>> from django.contrib.auth.models import User
    >>> u = User.objects.get(username__exact='bob')
    >>> u.set_password('lakes')
    >>> u.save()
plain text
• Never, ever store passwords in plain text
• Passwords should be stored using a secure hash and a salt:
    hashed_password = hash_function(salt + password)
• This is how *NIX does it!
• A hash function is any algorithm or subroutine that maps large data sets of variable length, called keys, to smaller data sets of a fixed length. The values returned by a hash function are called hash values, hash codes, hash sums, checksums or simply hashes. [1]
• A salt is a string of random bits that is systematically appended to a password before hashing and storage; it removes the ability to use a dictionary attack to break into an account
• The salt should be kept private! Not even in GitHub!
• The hash function is one-way: it is cryptographically secure, and it cannot be used to recover the password from the hashed password
1. http://en.wikipedia.org/wiki/Hash_function
• Look at the auth_user table in the database
• Configure the hashing methods using the PASSWORD_HASHERS setting
• The default is sufficiently secure, but be sure to watch the Django site for security fixes related to password hashing
    PASSWORD_HASHERS = (
        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
        'django.contrib.auth.hashers.BCryptPasswordHasher',
        'django.contrib.auth.hashers.SHA1PasswordHasher',   # Insecure Hashes
        'django.contrib.auth.hashers.MD5PasswordHasher',    # Insecure Hashes
        'django.contrib.auth.hashers.CryptPasswordHasher',  # Insecure Hashes
    )
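To make the salted-hash rule and the PASSWORD_HASHERS ordering concrete, here is an added stand-alone example (not Django’s own code) that encodes and verifies passwords in the same "algorithm$iterations$salt$hash" layout the PBKDF2 hasher stores in auth_user.password, using only the standard library; ITERATIONS is an assumed work factor.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not Django's implementation: mimics the stored layout
# "pbkdf2_sha256$iterations$salt$base64hash" so the pieces can be inspected.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # assumption: raise this as hardware gets faster


def make_salt(nbytes=12):
    """Fresh random salt per password: identical passwords get different hashes."""
    return secrets.token_hex(nbytes)


def encode_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$base64hash' for this password."""
    salt = salt or make_salt()
    if "$" in salt:
        raise ValueError("'$' is the field separator and may not appear in the salt")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "$".join([ALGORITHM, str(iterations), salt, base64.b64encode(digest).decode()])


def check_password(password, encoded):
    """Re-derive the hash with the stored salt/iterations; compare in constant time."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # entries made with a weaker hasher (md5, sha1, ...) are rejected
    _, iterations, salt, _ = parts
    candidate = encode_password(password, salt, int(iterations))
    return hmac.compare_digest(candidate, encoded)


def needs_rehash(encoded, iterations=ITERATIONS):
    """True when the stored entry uses an old algorithm or a lower work factor,
    so the application can re-encode it on the user's next successful login."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < iterations
```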
used to easily provide login/logout and password management
• Views:
• login
• logout, logout_then_login
• password_change, password_change_done
• password_reset, password_reset_done, password_reset_confirm, password_reset_complete
• To use the built-in forms, install the auth urls and implement the templates
    url(r'^accounts/', include('django.contrib.auth.urls')),
context will have a form variable that must be rendered
• login.html
• Template allows the user to enter a username and password to log in
• The special next variable in the context must be explicitly included in the template form
• password_reset_form.html
• Template allows a non-logged-in user to generate a password reset email
• Requires SMTP API configuration and the sites application
• password_reset_done.html
• Template shown after the password reset email is sent
• password_reset_confirm.html
• Template shown when the user clicks on the password reset link from the email
• password_reset_complete.html
• Template shown after the password is successfully changed after a reset
to change password
• password_change_done.html
• Template shown when the user has successfully changed their password
• logged_out.html
• Template shown when the user has explicitly logged out of the application
sending email is via SMTP
• Simple “API” for generating and delivering email on the internet
• Easiest and most secure configuration is to send SMTP email via an email service - Mandrill
• Configure server and login information in settings.py
• Configure the “email backend” to send email via the SMTP server
• TLS secures the SMTP connection; it is usually configured to run over port 587
• Can re-use MANDRILL_API_KEY as the email password
    EMAIL_HOST = 'smtp.mandrillapp.com'
    EMAIL_PORT = 587
    EMAIL_HOST_USER = '[email protected]'
    EMAIL_HOST_PASSWORD = MANDRILL_API_KEY
    EMAIL_USE_TLS = True
    EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
    DEFAULT_FROM_EMAIL = '[email protected]'
about the URL for the web application, use the built-in sites application
• Sites allow Django to find out the URL of the web application and use that information in views and templates
• Usually, Django just uses relative URLs
• For links in sent emails, the URL must include a fully qualified domain name
• To use the sites application, add django.contrib.sites to the installed applications
• Configure a SITE_ID, which will be used as the default ID for the web application
• Since so many applications depend on the sites application, it is configured by default
• Make sure to change the site URL in the Django admin to point to the actual URL, or links in emails won’t work!
• dev.hatcherydevshop.com