Authorization Model: Context of Role?


Tag: security,authorization,claims-based-identity,abac,role-based-access-control

I am currently attempting to design an Authorization Model that has the following components:

Privileges - an action that can either be granted or denied to a user/group

Roles - a collection of privileges; roles can be associated with a user or group

Security Objects - the entity to which security is applied

Object Owners - the owner of a security object

Statuses - an attribute that represents the state of a security object

Users - standard consumer of the service; can be denied or granted access to do things

Groups - a collection of users sharing a common thing; roles can be assigned to groups; privileges can be assigned to groups

My question is as follows: Is there a way to properly model the context of a role with the current components that I presented above?

For instance, let's say I have the current authorization statement:

Tim can see Mary's profile information because Tim is Mary's friend.

I can dissect this statement into the model components:

User: Tim
Security Object: profile information
Object Owner: Mary
Privilege: view
Role: friend
Group: N/A?
Status: N/A

One thing that this dissection does not attribute is that Tim is a friend of Mary.

Is there a component that I can add to this model that will capture this context ("of Mary"), or is there a way I can re-represent the privilege statement using my pre-existing auth model components? What is the best practice?


Actually, you should not attempt to implement a new authorization model. There is already a good model called attribute-based access control (or ABAC - see the SO tag and ).

ABAC is an authorization model that:

Let's take your example:

Tim can see Mary's profile information because Tim is Mary's friend.

The authorization requirement would therefore be:

A user can view another user's profile if both users are friends.

In ABAC, you have to identify your attributes. You do this in your question, which is great, though your analysis is role-biased. Let's take it again. The attributes I see are:

With these attributes, I can rewrite your requirement in a broken-down way:

A user can do the action actionId==view on a resource of type==user profile if profile.owner is in the user's friend list.

You can then use ALFA () to implement the policy in ALFA and then XACML.

namespace com.axiomatics{
    /**
     * A user can view another user's profile...
     */
    policy viewProfile{
        target clause actionId=="view" and resourceType=="user profile"
        apply firstApplicable
        /**
         * Allow if both users are friends.
         */
        rule allowIfFriends{
            condition stringIsIn(stringOneAndOnly(subjectId), friendList)
            permit
        }
    }
}

The XACML outcome (in XML) is:

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB ( 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    <xacml3:Description>A user can view another user's profile...</xacml3:Description>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        DataType="">user profile</xacml3:AttributeValue>
        <xacml3:Description>Allow if both users are friends.</xacml3:Description>
        <xacml3:Target />
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in" >
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only" >
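The viewProfile policy evaluated in plain Python, as an added example that is not code from the answer nor from any ALFA/XACML tool: it reproduces the bag semantics the ALFA condition depends on (every attribute is multi-valued, so stringOneAndOnly fails with Indeterminate when subjectId is absent or duplicated) and first-applicable combining. It assumes friendList arrives as an attribute of the profile resource, i.e. the owner's friends.

```python
from dataclasses import dataclass, field

# Constructed request shape: each category holds attribute bags (lists),
# mirroring XACML where an attribute may carry zero, one or many values.
@dataclass
class Request:
    subject: dict = field(default_factory=dict)
    action: dict = field(default_factory=dict)
    resource: dict = field(default_factory=dict)

class Indeterminate(Exception):
    """Raised when a function cannot be evaluated (e.g. bag size != 1)."""

def string_one_and_only(bag):
    # urn:oasis:names:tc:xacml:1.0:function:string-one-and-only
    if len(bag) != 1:
        raise Indeterminate("expected exactly one value, got %d" % len(bag))
    return bag[0]

def string_is_in(value, bag):
    # urn:oasis:names:tc:xacml:1.0:function:string-is-in
    return value in bag

def target_matches(req):
    # target clause actionId=="view" and resourceType=="user profile"
    # A string-equal Match succeeds if ANY value in the bag equals the literal.
    return ("view" in req.action.get("actionId", [])
            and "user profile" in req.resource.get("resourceType", []))

def rule_allow_if_friends(req):
    # condition stringIsIn(stringOneAndOnly(subjectId), friendList) -> permit
    # Assumption: friendList is the profile owner's friends, a resource attribute.
    subject_id = string_one_and_only(req.subject.get("subjectId", []))
    if string_is_in(subject_id, req.resource.get("friendList", [])):
        return "Permit"
    return "NotApplicable"

def evaluate_view_profile(req):
    """Policy viewProfile with first-applicable rule combining."""
    if not target_matches(req):
        return "NotApplicable"
    try:
        for rule in (rule_allow_if_friends,):
            decision = rule(req)
            if decision != "NotApplicable":
                return decision
        return "NotApplicable"
    except Indeterminate:
        # A failed function evaluation must never turn into an implicit Permit.
        return "Indeterminate"

def pep_allows(req):
    """Enforcement point: only an explicit Permit grants access (deny by default)."""
    return evaluate_view_profile(req) == "Permit"

if __name__ == "__main__":
    tim = Request(subject={"subjectId": ["tim"]}, action={"actionId": ["view"]},
                  resource={"resourceType": ["user profile"],
                            "owner": ["mary"], "friendList": ["tim", "bob"]})
    print(evaluate_view_profile(tim), pep_allows(tim))
```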

