Secure Web Applications with AWA, Stéphane Carrez, FOSDEM 2019 (PowerPoint presentation)

SLIDE 1

Secure Web Applications with AWA

Stéphane Carrez FOSDEM 2019

SLIDE 2

https://github.com/stcarrez/ada-awa

What is a Web Application

  • Client server program with browser as client
  • Examples: Gmail, Dropbox, Netflix, Zoho,...

Diagram: Client (Browser: JavaScript, HTML, CSS) → Server Front End (PHP, JavaScript, Ruby, Java, ...) → Server Back End → Database (SQL, NoSQL, ...)

SLIDE 3

Problems with Web Applications

  • Must protect data

Diagram (Client Browser → Server Front End → Server Back End → Database) annotated with the three problems: 1: Validate data, 2: Authenticate users, 3: Authorize access and protect user’s data

SLIDE 4

Project history

  • Started in 2011, with 6 releases so far
  • Based on experience building SaaS applications (J2EE, Java Server Faces, Hibernate, OAuth)
  • Benefit from several J2EE features, but in Ada
  • Build SaaS applications in Ada

SLIDE 5

Applications using AWA

  • Personal blog: https://blog.vacs.fr
  • Ada France: https://www.ada-france.org (source: https://github.com/Ada-France/ada-france)
  • Atlas demo: https://demo.vacs.fr/atlas (source: https://github.com/stcarrez/atlas)
  • Jason: https://vdo.vacs.fr (source: https://github.com/stcarrez/jason)

SLIDE 6

AWA Architecture

Architecture diagram listing the building blocks: Your Web Application; Ada Web Application (AWA); Ada Database Objects, OpenAPI Ada, Ada Server Faces, Ada Servlet, Ada Wiki, Ada EL, Ada Security, Ada Util; Ada Web Server, XML/Ada; MySQL, PostgreSQL, SQLite; GNU/Linux, Windows, FreeBSD, NetBSD; Dynamo (code generator) alongside

SLIDE 7

AWA Features

Feature diagram, grouped on the slide into general purpose, system and functional components: Comments, Counters, Votes, Tags, Changelogs, Users, Jobs, Events, Mails, Wikis, Storages, Images, Blogs, Questions, Permissions, Settings, Flotcharts, Trumbowyg, Setup, Workspaces

SLIDE 8

AWA Request Flow

Sequence diagram, participants: Client, AWS, Servlet Filter, Server Faces Servlet, Ada Bean, Module, Database. Messages in order: GET, Do_Filter, Do_Get, Set_Value, Get_Value, Load

SLIDE 9

Problem 1: Validate Data

  • HTTP parameters are passed as String
  • Must be validated, verified before being used
  • Ada strong typing helps to enforce the validation

SLIDE 10

Validation in Request Flow

Sequence diagram as on the AWA Request Flow slide (Client, AWS, Servlet Filter, Server Faces Servlet, Ada Bean, Module, Database; messages GET, Do_Filter, Do_Get, Set_Value, Get_Value, Load), annotated: request parameter (type: String) → validation → strongly typed (types: Enum, Integer, Date, Float, String, ...)

SLIDE 11

Ada Server Faces (Java JSR 344)

  • MVC web framework
  • Render HTML, XML, JSON, Text,…, Ada
  • Validate inputs
  • Uses XML to describe views

SLIDE 12

Ada Server Faces

  • Facelets: XHTML files with templating
  • Component based interface

    <f:metadata>
      <f:viewParam id='page' value='#{wikiView.name}'/>
      <f:viewAction action='#{wikiView.load}'/>
    </f:metadata>
    <div>
      <awa:wiki value="#{wikiView.content}"/>
    </div>
    <div class="wiki-page-footer">
      <h:outputFormat styleClass="wiki-page-date" value="#{wikiMsg.wiki_page_info_date}">
        <f:param value="#{wikiView.date}"/>
        <f:converter converterId="smartDateConverter"/>
      </h:outputFormat>
    </div>

Slide annotations: f:viewAction is the operation called before rendering; awa:wiki is a custom UI component that renders wiki text; h:outputFormat is a standard UI component with a custom format (converter)

SLIDE 13

Ada EL (Java JSR 245)

  • The presentation layer needs values from Ada objects
  • EL is a simple but powerful expression language
  • Java implements EL using introspection

→ security issue

    EL expression:  #{wikiView.title}

    Ada:
    type Wiki_View_Bean is ...
       Title : Unbounded_String;
       ...
    end record;

SLIDE 14

Ada Beans: get and set values

  • Get values for the presentation layer (Ada EL)
  • Explicit definition: implement the Bean interface
  • Values represented by the Object type (can hold most Ada types, including Ada Beans)

    type Object is private;

    type Readonly_Bean is limited interface;
    function Get_Value (From : in Readonly_Bean;
                        Name : in String) return Object is abstract;

    type Bean is limited interface and Readonly_Bean;
    procedure Set_Value (From  : in out Bean;
                         Name  : in String;
                         Value : in Object) is abstract;

SLIDE 15

Ada Beans: method calls

  • Declare a table of supported operations
  • Implement the Method_Bean interface

    type Method_Bean is limited interface;
    function Get_Methods (From : in Method_Bean)
       return Method_Binding_Array_Access is abstract;

    procedure Op_Load (Bean    : in out Wiki_Page_Bean;
                       Outcome : in out Unbounded_String);

    package Binding_Wiki_Page_Bean_3 is
      new ASF.Events.Faces.Actions.Action_Method.Bind
        (Bean   => Wiki_Page_Bean,
         Method => Op_Load,
         Name   => "load");

  • Let Dynamo generate the code

SLIDE 16

Ada Beans: factory

  • Need creation of Ada Beans for a Web request
  • Write function to create the Ada bean instance
  • Register the function under a name
  • Use XML configuration to declare bean names

    function Create_Wiki_View_Bean return Util.Beans.Basic.Readonly_Bean_Access;

    Register.Register (Plugin  => Plugin,
                       Name    => "AWA.Wikis.Beans.Wiki_View_Bean",
                       Handler => Create_Wiki_View_Bean'Access);

    <managed-bean>
      <description>...</description>
      <managed-bean-name>wikiView</managed-bean-name>
      <managed-bean-class>AWA.Wikis.Beans.Wiki_View_Bean</managed-bean-class>
      <managed-bean-scope>request</managed-bean-scope>
      <managed-property>
        <property-name>image_prefix</property-name>
        <property-class>String</property-class>
        <value>#{contextPath}/images/</value>
      </managed-property>
    </managed-bean>

SLIDE 17

Validation in Request Flow

Sequence diagram as on the AWA Request Flow slide (Client, AWS, Servlet Filter, Server Faces Servlet, Ada Bean, Module, Database; messages GET, Do_Filter, Do_Get, Set_Value, Get_Value, Load), annotated with the numbered steps:

    <f:metadata>
      <f:viewParam id='page' value='#{wikiView.name}'/>
      <f:viewAction action='#{wikiView.load}'/>
    </f:metadata>

  1: Verify validity of the ‘page’ parameter
  2: Create the object
  3: Raise exception to reject parameter
  4: Perform work

  • Or raise exception

SLIDE 18

Solution 1: Validate Data

  • Ada Server Faces takes care of data validation:
    – By providing controls before conversion,
    – By converting input to Ada final types
  • Ada beans are explicitly declared
  • Ada bean’s Set_Value called after validation
  • Data is stored and represented using Ada types
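
The validation flow of Problem 1 and Solution 1, together with the explicit Get_Value lookup of the Ada EL and Ada Beans slides, as an added example that is not code from the slides or from the AWA project. It builds with the Ada standard library only, so Object, Readonly_Bean and Bean are simplified stand-ins for the Util.Beans interfaces quoted above, and Wiki_View_Bean, Page_Format, Page_Version, Invalid_Parameter and Handle are made-up names for the demo.

```ada
--  Added example, not code from the slides or the AWA project: the
--  "validate, then convert to Ada types" flow of Solution 1 using only
--  the Ada standard library.  Object, Readonly_Bean and Bean below are
--  simplified stand-ins for the Util.Beans interfaces quoted on the
--  slides; the bean, its parameters and accepted values are made up.
--  Build and run: gnatmake validate_demo.adb && ./validate_demo
with Ada.Text_IO;           use Ada.Text_IO;
with Ada.Strings.Unbounded; use Ada.Strings.Unbounded;
with Ada.Exceptions;

procedure Validate_Demo is

   package Beans is
      --  Stand-in for Util.Beans.Objects.Object: values carried as text.
      subtype Object is String;
      --  Same shape as the interfaces on the "Ada Beans" slide.
      type Readonly_Bean is limited interface;
      function Get_Value (From : Readonly_Bean; Name : String) return Object is abstract;
      type Bean is limited interface and Readonly_Bean;
      procedure Set_Value (From : in out Bean; Name : String; Value : Object) is abstract;
      --  Raised to reject a request parameter (step 3 of the flow slide).
      Invalid_Parameter : exception;
      --  Domain types: inside the bean nothing is a raw String any more.
      type Page_Format is (Wiki, Markdown, Html);
      subtype Page_Version is Positive range 1 .. 10_000;

      type Wiki_View_Bean is limited new Bean with record
         Name    : Unbounded_String;
         Version : Page_Version := 1;
         Format  : Page_Format  := Wiki;
      end record;
      overriding function Get_Value (From : Wiki_View_Bean; Name : String) return Object;
      overriding procedure Set_Value (From : in out Wiki_View_Bean; Name : String; Value : Object);
   end Beans;

   package body Beans is
      --  Page names: 1 .. 64 characters from [A-Za-z0-9_-] only.
      function Validate_Name (Raw : String) return Unbounded_String is
      begin
         if Raw'Length not in 1 .. 64 then
            raise Invalid_Parameter with "page name length out of range";
         end if;
         for C of Raw loop
            if C not in 'A' .. 'Z' | 'a' .. 'z' | '0' .. '9' | '_' | '-' then
               raise Invalid_Parameter with "illegal character in page name";
            end if;
         end loop;
         return To_Unbounded_String (Raw);
      end Validate_Name;

      overriding procedure Set_Value (From : in out Wiki_View_Bean; Name : String; Value : Object) is
      begin
         if Name = "name" then
            From.Name := Validate_Name (Value);
         elsif Name = "version" then
            --  'Value rejects non-numeric text; the assignment to the
            --  Page_Version subtype rejects 0, negatives and > 10_000.
            From.Version := Page_Version'Value (Value);
         elsif Name = "format" then
            --  'Value on an enumeration accepts only its literals.
            From.Format := Page_Format'Value (Value);
         else
            raise Invalid_Parameter with "unknown parameter " & Name;
         end if;
      exception
         when Constraint_Error =>
            raise Invalid_Parameter with "invalid value for " & Name;
      end Set_Value;

      --  Explicit lookup for EL (#{wikiView.name}): no introspection,
      --  only the names listed here resolve.
      overriding function Get_Value (From : Wiki_View_Bean; Name : String) return Object is
      begin
         if Name = "name" then return To_String (From.Name);
         elsif Name = "version" then return Page_Version'Image (From.Version);
         elsif Name = "format" then return Page_Format'Image (From.Format);
         else return "";
         end if;
      end Get_Value;
   end Beans;
   use Beans;

   --  Steps 1-3: every request parameter (still a String here) goes through
   --  Set_Value before any work; one bad value rejects the whole request.
   --  Step 4 only ever sees typed data.
   procedure Handle (Name, Version, Format : String) is
      View : Wiki_View_Bean;
   begin
      View.Set_Value ("name", Name);
      View.Set_Value ("version", Version);
      View.Set_Value ("format", Format);
      Put_Line ("accepted: page " & View.Get_Value ("name")
                & " version" & View.Get_Value ("version")
                & " as " & View.Get_Value ("format"));
   exception
      when E : Invalid_Parameter =>
         Put_Line ("rejected: " & Ada.Exceptions.Exception_Message (E));
   end Handle;

begin
   Handle ("Home", "3", "html");
   Handle ("home page?", "3", "wiki");   --  bad character in name
   Handle ("Home", "0", "wiki");         --  version out of range
   Handle ("Home", "3", "javascript");   --  not a Page_Format literal
end Validate_Demo;
```

The four calls at the end give one accepted request and three rejected ones; the point is that the work of step 4 (here just the Put_Line) never runs on an unvalidated String, and that the conversions Integer'Value, enumeration 'Value and a range-constrained subtype do most of the checking for free.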

SLIDE 19

Problem 2: Authenticate Users

  • Identify known users
  • Get credentials for these users
  • Registration process for unknown users

SLIDE 20

AWA Users Module

  • Authenticate users
    – with OpenID Connect
    – with email & password
  • Provide full registration and invitation process
  • Email validation through access key validation

SLIDE 21

AWA User, Email and Session

SLIDE 22

Ada Security: OpenID Connect

  • Authentication framework built on top of OAuth2
  • Authenticate users with OpenID Connect

→ Google, Facebook, Twitter, ...

SLIDE 23

Solution 2: Authenticate Users

  • Ada Security provides support for OpenID
  • AWA provides some support for user enrollment
    – Online registration
    – Invitation of users through secure key

SLIDE 24

Problem 3: Authorize Access

  • Grant access to authorized users
  • Verify before the resource is accessed
  • Deny access to unauthorized users

SLIDE 25

Authorization in Request Flow

Sequence diagram as on the AWA Request Flow slide (Client, AWS, Servlet Filter, Server Faces Servlet, Ada Bean, Module, Database; messages GET, Do_Filter, Do_Get, Set_Value, Get_Value, Load), annotated with three checks: URL permission check (type: String), data access permission check, and permission check in views (hide forbidden operations)

SLIDE 26

Some Security Concepts

  • Policy and policy manager:
    – security rules to protect the system or resources
  • Principal:
    – the entity that can be authenticated (credentials)
  • Permission:
    – access to a system or resource

SLIDE 27

Ada Security

  • Security framework to enforce security policies
  • Describe security policies
  • Authorize access to resources based on security policy and security context

SLIDE 28

Ada Security Model

SLIDE 29

Security Policies

  • Security policies are checked by a controller
  • Use existing policies or write your own

    type Entity_Controller (Len : Positive) is
      limited new Security.Controllers.Controller with record
         Entities : Entity_Type_Array;
         SQL      : String (1 .. Len);
      end record;

    overriding
    function Has_Permission (Handler    : in Entity_Controller;
                             Context    : in Security.Contexts.Security_Context'Class;
                             Permission : in Security.Permissions.Permission'Class)
       return Boolean;

SLIDE 30

Declaring permissions

  • Instantiate Security.Permissions.Definition

    with Security.Permissions;
    ...
    package ACL_Create is new Security.Permissions.Definition ("create");

  • Bind the permission to a security controller (XML)

    <role-permission>
      <name>create</name>
      <role>admin</role>
    </role-permission>
    <entity-permission>
      <name>create</name>
      <entity-type>awa_workspace</entity-type>
      <sql>
        SELECT acl.id FROM awa_acl AS acl
        WHERE acl.entity_type = :entity_type
          AND acl.user_id = :user_id
          AND acl.entity_id = :entity_id
          AND acl.permission = $permission[create]
      </sql>
    </entity-permission>

SLIDE 31

Checking permissions

  • Checking a permission acts as a barrier
  • Raises the NO_PERMISSION exception

    with AWA.Permissions;
    ...
    AWA.Permissions.Check (Permission => ACL_Create.Permission);

→ can proceed if permission is granted

  • Checking a permission in views hides the content

    <h:panelGroup rendered="#{auth:hasPermission('create',wikiSpaceId)}">
      <!-- rendered if permission is granted -->
      ...
    </h:panelGroup>

SLIDE 32

Solution 3: Authorize Access

  • Declare a permission in Ada and configure it
  • Check for a permission to block unauthorized users
  • Hide content when permission is denied
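
The declare / check / hide pattern of Problem 3 and Solution 3, as an added example that is not code from the slides or from the AWA or Ada Security projects. It uses only the Ada standard library: Security_Context, Definition, Has_Permission, Check and NO_PERMISSION are simplified stand-ins for the Ada Security and AWA.Permissions names on the slides, the ACL rows are constructed data standing in for the awa_acl query of the entity-permission XML, and the user and workspace ids are made up.

```ada
--  Added example, not code from the slides or from the AWA / Ada Security
--  projects: the permission barrier of Solution 3 with the Ada standard
--  library only.  Security_Context, Definition, Has_Permission, Check and
--  NO_PERMISSION are simplified stand-ins for the Ada Security and
--  AWA.Permissions names on the slides; the constructed ACL table plays the
--  role of the awa_acl query in the entity-permission XML.
--  Build and run: gnatmake permission_demo.adb && ./permission_demo
with Ada.Text_IO;           use Ada.Text_IO;
with Ada.Strings.Unbounded; use Ada.Strings.Unbounded;
with Ada.Exceptions;

procedure Permission_Demo is

   type User_Id   is new Natural;          --  0 = anonymous
   type Entity_Id is new Natural;          --  e.g. an awa_workspace id
   No_User : constant User_Id := 0;

   --  The principal (who was authenticated) and the entity the request
   --  is about: the two inputs of the slide's SQL besides the permission.
   type Security_Context is record
      User   : User_Id   := No_User;
      Entity : Entity_Id := 0;
   end record;

   --  A permission name is its own type, not just another String.
   type Permission_Name is new String;

   --  Stand-in for Security.Permissions.Definition: one instantiation per
   --  permission declared in Ada, as in the slide's ACL_Create.
   generic
      Name : String;
   package Definition is
      Permission : constant Permission_Name := Permission_Name (Name);
   end Definition;
   package ACL_Create is new Definition ("create");

   --  Constructed rows standing in for awa_acl: (user_id, entity_id, permission).
   type ACL_Row is record
      User       : User_Id;
      Entity     : Entity_Id;
      Permission : Unbounded_String;
   end record;
   ACL : constant array (Positive range <>) of ACL_Row :=
     ((1, 42, To_Unbounded_String ("create")),
      (1, 42, To_Unbounded_String ("delete")),
      (2, 42, To_Unbounded_String ("delete")));   --  user 2 cannot create

   --  Mirrors Entity_Controller.Has_Permission: the WHERE clause of the
   --  slide's SQL (user_id, entity_id, permission) as a table scan.
   function Has_Permission (Context    : Security_Context;
                            Permission : Permission_Name) return Boolean is
   begin
      if Context.User = No_User then
         return False;                       --  never grant to anonymous
      end if;
      for Rule of ACL loop
         if Rule.User = Context.User and then Rule.Entity = Context.Entity
           and then To_String (Rule.Permission) = String (Permission)
         then
            return True;
         end if;
      end loop;
      return False;                          --  deny by default
   end Has_Permission;

   NO_PERMISSION : exception;

   --  The barrier of the "Checking permissions" slide: either the caller
   --  proceeds or NO_PERMISSION is raised and the operation never runs.
   procedure Check (Context : Security_Context; Permission : Permission_Name) is
   begin
      if not Has_Permission (Context, Permission) then
         raise NO_PERMISSION with "user" & User_Id'Image (Context.User)
           & " lacks '" & String (Permission) & "' on entity"
           & Entity_Id'Image (Context.Entity);
      end if;
   end Check;

   --  A protected operation: the check is its first statement.
   procedure Create_Page (Context : Security_Context; Title : String) is
   begin
      Check (Context, ACL_Create.Permission);
      Put_Line ("created '" & Title & "' in workspace" & Entity_Id'Image (Context.Entity));
   end Create_Page;

   --  The view-side check (rendered="#{auth:hasPermission(...)}"): the
   --  action is hidden instead of failing after the user clicks it.
   function Toolbar (Context : Security_Context) return String is
     (if Has_Permission (Context, ACL_Create.Permission)
      then "[New page]" else "(no actions)");

   procedure Try_Create (Context : Security_Context) is
   begin
      Create_Page (Context, "Roadmap");
   exception
      when E : NO_PERMISSION =>
         Put_Line ("rejected: " & Ada.Exceptions.Exception_Message (E));
   end Try_Create;

   Alice : constant Security_Context := (User => 1, Entity => 42);
   Bob   : constant Security_Context := (User => 2, Entity => 42);
   Guest : constant Security_Context := (User => No_User, Entity => 42);
begin
   Put_Line ("alice sees " & Toolbar (Alice));   --  [New page]
   Put_Line ("bob sees   " & Toolbar (Bob));     --  (no actions)
   Try_Create (Alice);   --  granted
   Try_Create (Bob);     --  NO_PERMISSION: has delete on 42, not create
   Try_Create (Guest);   --  NO_PERMISSION: anonymous
end Permission_Demo;
```

Two design points carry over to the real framework: the check is keyed on the triple (user, entity, permission) exactly as the slide's SQL is, so a user with one permission on a workspace gets nothing else on it, and the same Has_Permission serves both the hard barrier in Create_Page and the soft check in Toolbar, so the view can never show an action the server would not also accept.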

SLIDE 33

Getting started with Dynamo

  • Creating a project

    dynamo create-project myproject
    ./configure
    make generate build
    ./bin/myproject-server

  • Adding a new page
  • Adding a new Ada module

    dynamo add-page newpage
    dynamo add-module mymodule

SLIDE 34

Conclusion

  • AWA takes care of application security
    – By validating user input
    – By enforcing strong typing in the model
    – By authenticating users
    – By authorizing access to resources
  • AWA Programmer’s Guide
    – https://ada-awa.readthedocs.io/en/latest/