AAI … but This talk is about the second 'A': Authorisation.

Slides:

Advertisements

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Advertisements

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Chapter 17: WEB COMPONENTS

FI-WARE Testbed Access Control temporary solution.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

Multiple Tiers in Action

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Martin Kruliš by Martin Kruliš (v1.0)1.

Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.

10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Integrating with UCSF’s Shibboleth system

PAPI Points of Access to Providers of Information.

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Creating a User ID (1) User makes any HTTP request

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Otomo End User SSO - TOI March 2014 Otomo 10.5 – End User SSO Support.

OWL Jan How Websites Work. “The Internet” vs. “The Web”?

Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.

SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities.

Browser User Certificate Mail Box VOMS-Admin Host Tomcat TR1) Users Trusts “VOMS-Admin” server identity. step1 TR2) User Trusts data (Data1, HTML response)

1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.

SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.

26 July 2007IETF 69 PKIX1 Use of WebDAV for Certificate Publishing and Revocation

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies.

An Authentication and Authorization Infrastructure: the PAPI System.

1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands.

Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1.

Display Page (HTML/CSS)

A Member of StarDyne Technologies Revised on April 7, 2013 Task Manager QUICK REFERENCE FOR AUTHORIZERS.

Konrad Zemek, Łukasz Opioła, Michał Wrzeszcz, Renata G. Słota, Łukasz Dutka, Jacek Kitowski ACC Cyfronet AGH Department of Computer Science, AGH - UST.

Web Login, Cookies Web Login | Old way HTML

Using PIV Cards with NIH Login Chris Leggett NIH Login Technical Lead CIT/NIH.

COOKIES AND SESSIONS.

Secure Mobile Development with NetIQ Access Manager

Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.

PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.

The LGI Pilot job portal EGI Technical Forum 20 September 2011 Jan Just Keijser Willem van Engen Mark Somers.

1 Chapter 1 INTRODUCTION TO WEB. 2 Objectives In this chapter, you will: Become familiar with the architecture of the World Wide Web Learn about communication.

SharePoint Authentication and Authorization

Ask the Experts – Building Login-Based Sites in AEM

NodeJS Security Using PassportJS and HelmetJS:

Security In your webSite.

Single Sign-On Led by Terrice McClain, Jen Paulin, & Leighton Wingerd

API (Application Program Interface)

Authentication Interact Cloud.

Federation made simple

Third Party Transfers & Attribute URI ideas

DJRA3.1 issues Olle Mulmo.

CAS and Web Single Sign-on at UConn

Jim Fawcett CSE686 – Internet Programming Summer 2005

CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.

ADVANCED PERSISTENT THREATS (APTs) - Simulation

Addressing the Beast: Single Sign-On II

DCache things Paul Millar … on behalf of the dCache team.

PHP / MySQL Introduction

BY: SHIVI AGRAWAL ( ) CSE-(6)C

IOS SDK v1.0 with NAM 4.2.

Cookies and sessions Saturday, February 23, 2019Saturday, February 23,

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems

The Internet and Electronic mail

Security for Science Gateways Initial Design Discussions

[Based in part on SWE 432 and SWE 632 materials by Jeff Offutt, GMU]

eCopy ShareScan Scan to Google Drive Chris Pearce-King

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

AAI … but This talk is about the second 'A': Authorisation.

Quick recap: which is which? Credential Authentication Authorization

Authorisation without authentication? How ? Photo by Alan Cleaver (CC-BY)

Photon Science portal use-case Users Web Brouser User DB LOGIN Authentication dCache Portal Request Download Request Download http WebDAV Redirect Storage Pool Request Download Stream Data Stream Data USER Community Specific Service Stack Data Service

Desired: client downloads directly Users Web Brouser User DB LOGIN Authentication Portal Request Download dCache Redirect Request Download (How to authorize this request ?) http WebDAV Redirect Storage Pool Request Download Stream Data USER Community Specific Service Stack Data Service

Desired: client downloads directly Users Web Brouser User DB LOGIN Authentication dCache Portal Request Download Request Token Redirect T Supply Token T http WebDAV Request Download T Redirect Storage Pool Request Download Stream Data USER Community Specific Service Stack Data Service

What are bearer tokens? Bearer token is something the user presents with a request so the server will authorise it. There's no interaction between client and server. Examples of bearer tokens: HTTP BASIC authn, anything stored as a cookies. Counter-examples: X.509 credential, SAML, Kerberos.

Bearer tokens for download authz Redirection should work without JavaScript, Simple: embed token in redirection URL. (There are nicer ways of embedding the token, but the URL is the only thing we can control) Complete token always sent with the request. What can we do to stop someone stealing this token? … or make the token useless if they steal it. http://webdav.example.org/path/to/file?authz=<TOKEN>

Introducing Macaroons

Macaroon is a bearer token. Macaroon contains zero or more caveats. Macaroons 101 Macaroon is a bearer token. Macaroon contains zero or more caveats. Each caveat limits something: who can use it, or what they do with it. Anyone can add a caveat to a macaroon: Create a new macaroon that is more limited. Nobody can remove a caveat from a macaroon.

Example: 3rd party copy M m M m m m m Portal Reducing Authz Roque Storage Pool Reducing Authz only WRITE, only from <IP addr>, only for 10 minutes. M m M m m Roque Service m Used to authorize Subsequent transfer m Storage Pool

3rd party caveats – extra cool! 1st party caveat can be satisfied by the client. 3rd party caveat requires proof from some other service; e.g. only fred@facebook, only members of VO ATLAS, only if not part of a denial-of-service attack. The proof is another macaroon: a discharge macaroon.

Example: download w/3rd party caveat Limiting Permissions Portal Storage Pool M m M m m Group Service Used to Authenticate Subsequent Transfer m m

The original macaroon is only useful with a valid discharge macaroon. Discharge macaroons The client proves it satisfies a 3rd party caveat by having a discharge macaroon. The original macaroon is only useful with a valid discharge macaroon. The discharge-macaroon can have caveats: Short-lived discharge macaroon can be used to simulate X.509's certificate revocation list. The discharge macaroon can have 3rd-party caveats.

Solution revisited: macaroons Users Web Brouser User DB LOGIN Authentication dCache Portal Request Download Request Token Add Caveat to Macaroon Redirect m Macaroon M http WebDAV Request Download m Redirect Storage Pool Request Download Stream Data USER Community Specific Service Stack Data Service

For what else are macaroons good?

Enabling sharing: a new interface Create a macaroon: Need to know the macaroon to access the file. List macaroons: Facilitate sharing files. Facilitate adding caveats: Purely in-browser or server-side? Third-party caveats? (e.g., member-of-ATLAS caveat) Destroy macaroons: Unclear if this really makes sense.

The END www.dCache.org Further reading : On dCache On macaroons by Google: Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud. Presentation Paper http://research.google.com/pubs/pub41892.html