Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Language-based Security for the Web - Security in MyTimetable

Mark Janssen
December 09, 2015
Education
0
410

Language-based Security for the Web - Security in MyTimetable

Guest lecture for CS4105: Software Security (TU Delft / UTwente)

Mark Janssen

December 09, 2015
Tweet

Other Decks in Education

See All in Education
インターアクトクラブについて:国際ロータリー第2720地区インターアクト委員会 委員長・大分東ロータリークラブ 阿部 克哉 氏
2720japanoke
0
660
@ngrx/signals
yannickbaron
0
130
Dolce and Gabbana Light Blue Perfume
vicjon
0
390
情報Iの「縦糸」と「横糸」を意識したプログラム教育の実践
asial_edu
0
200
令和6年度 無料トライアルキャンペーン説明会
asial_edu
0
590
Best Wedding day perfume
vicjon
0
260
Pre-enrollment Information for UTokyo International Students
utokyoissr2360
0
4.8k
Information Architectures - Lecture 2 - Next Generation User Interfaces (4018166FNR)
signer
PRO
0
1.1k
生成AIを活用できる大学教職員になる-基本と実践-
gmoriki
0
290
千葉県印西市立・原山小学校における新たな学び「情報探究の時間」実践報告』
codeforeveryone
1
680
墓までもっていくはずだった話
takuro_nakajima
PRO
0
1.3k
Avoin jakaminen ja Creative Commons -lisenssit
matleenalaakso
0
1.1k

Featured

See All Featured
Music & Morning Musume
bryan
41
5.6k
The Language of Interfaces
destraynor
151
23k
Teambox: Starting and Learning
jrom
128
8.4k
Rails Girls Zürich Keynote
gr2m
91
13k
Navigating Team Friction
lara
177
13k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Code Reviewing Like a Champion
maltzj
513
39k
Thoughts on Productivity
jonyablonski
57
3.8k
Designing the Hi-DPI Web
ddemaree
276
33k
Statistics for Hackers
jakevdp
789
220k
Bash Introduction
62gerente
604
210k
Creatively Recalculating Your Daily Design Routine
revolveconf
209
11k

Transcript

  1. 1 Language-based Security for the Web Security in MyTimetable Mark

    Janssen @praseodym 9 December 2015

  2. 2 About me • Student at TU Delft – MSc

    Embedded Systems • Graduate intern at Riscure – Software reverse engineering and deobfuscation • Developer at Eveoh – We create MyTimetable

  3. 3 About MyTimetable • Platform for publishing timetables (frontend) •

    >25 institutions – Including TU Delft and UTwente • >350.000 students • Developed in Java https://mytimetable.net/

  4. 4 http://actualtimetables.tudelft.nl/

  5. 5 MyTimetable Architecture View • Google Web Toolkit (GWT) •

    HTML+JavaScript • JSON Controller • Web endpoints • Mobile API • REST API • External calendar push Service • Timetables • User profiles Model • Timetable backend (API or database) • User profile storage

  6. 6 Customisation • Different configuration for each institution – Naming

    (course, subject, module: same thing) – Authentication – Authorisation • Modularisation – Different timetable backends – Optional features (e.g. external calendar push) • How to prevent code fragmentation?

  7. 7 Inversion of Control (IoC) • “Don’t call us, we

    call you” – Container initialises your objects (beans/POJOs) • Dependency Injection (DI) – Any classes you depend on are provided (“wired”) by container • Loose coupling – Contracts (interfaces) separate from implementation http://docs.spring.io/spring/docs/current/spring-framework-reference/html/beans.html#beans-basics

  8. 8

  9. 9

  10. 10 http://docs.spring.io/spring/docs/current/spring-framework-reference/html/overview.html

  11. 11 https://spring.io/platform

  12. 12 Security: Authentication • Remembering a student’s timetable • Linking

    with student information systems – Can provide list of enrolled courses – Present a full, preset timetable to student • Authentication standards – SAML 2.0, LDAP, Active Directory, CAS, ...

  13. 13 https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/

  14. 14 https://www.samltool.com/generic_sso_req.php

  15. 15 https://www.samltool.com/generic_sso_res.php

  16. 16 Spring Security Architecture http://www.slideshare.net/fredondo/javacro2014-springsecurity

  17. 17

  18. 18 Authorisation • What pages (URLs) can a user access?

    – /admin only for administrators – Maybe require login for entire app • Which business objects? – Teacher timetables – Concept timetable • Or which parts of business objects (fields)? – Teacher names private

  19. 19

  20. 20

  21. 21 http://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html

  22. 22 https://docs.spring.io/spring-security/site/docs/current/reference/html/el-access.html

  23. 26 Aspect-Oriented Programming (AOP) CourseService StudentService MiscService Security Transactions Audit

  24. 27 Aspect-Oriented Programming (2) http://docs.spring.io/spring/docs/current/spring-framework-reference/html/aop.html

  25. 28 http://docs.spring.io/spring/docs/current/spring-framework-reference/html/aop.html

  26. 29 Aspect Oriented Programming (3) • Separation of concerns: Decoupling

    security logic from business logic – Easily change security configuration – Better testability of business logic • Some disadvantages – Needs AOP container or compiler (e.g. AspectJ) – Possible to break security without noticing (so test!) – Proxies cause slight overhead

  27. 30 CSRF protection • Core feature of Spring Security •

    Enabled by default • Requires POST/PATCH/DELETE (!GET) to have valid anti-CSRF token • Token is easily included

  28. 31 https://github.com/rwinch/spring-security-0-to-4.0

  29. 32 Thanks to Rob Winch https://github.com/rwinch/spring-security-hands-on-4.1

  30. 33 Bonus: OAuth2 • Spring Security OAuth module

  31. 34 https://github.com/spring-projects/spring-security-oauth

  32. 35 Bonus: Testability • Because security is decoupled, testing becomes

    easy • Can remove security for functional testing • Built-in helpers for security testing

  33. 36 https://github.com/spring-projects/spring-security-oauth

  34. 37 Alternative frameworks • Java: Apache Shiro, JBoss PicketLink, HDIV

    • .NET: ASP.NET Identity 2.0, Rhino Security • Rails: Devise, Warden • Node.js: Passport, MustBe • PHP: Symfony, Zend Framework

  35. 38 Conclusions • Apply design patterns • Use a security

    framework • Be sure to thoroughly test • Stay up to date

  36. 39