Embed Size (px)
Citation preview
Blibli Web Application Security Policy Enforcement Point
Presented by Yudhi Karunia Surtan
Introduction
2
Yudhi Karunia Surtan
Work Code Name : Jon
Email : [email protected]
Competition Achievement :
– Hackathon Bandung 2012, Soft-layer challenge 1st winner.
Professional Experience : 12 Years
Skill Concentration : Performance And Security
Title : Senior Principal Software Development Engineer
Software Security??
3
Software security is an idea implemented to protect software against malicious attack and other hacker risks so that the software continues to function correctly under such potential risks. Security is necessary to provide integrity, authentication and availability.
Our Session Overview
• Blibli IT Department Facts
• Blibli Enterprise Architecture Overview
• Architecture Advantages vs Disadvantages (Security)
• Solution
• Chosen Technology Overview
• How To Combine All Technologies Together
• Authentication And Authorization Architecture
• Behind The Great Idea
• What We at Blibli.com Achieved
• What We at Blibli.com Learned
4
Blibli IT Department Facts
5
• > 80 Micro Services (UI and API) for both internal and external customers
• > 100 Developers• > 20 Teams• 3 Weeks Release Cycle• < 500 ms Application response time goal (Soft Agreement)• < 4 seconds end user response time
Micro Services
Blibli Enterprise Architecture Overview
6
UI B-1
UI A-1
UI B-2
LB
LB
UI A-1
LB
LB
API A-1
API A-2
API B-1
API B-2
The Advantages of Architecture
• Independent Team and development cycle
• Rapid Software Development
• Each Microservices maintain their own data
• Problem and bug isolation
7
The Disadvantages of Architecture (Security)
• Is one user role will be the same across all the UI ?
• Are the user duplicated across all the UI ?
• How each application will check the role ?
• Is that possible to change the role during the runtime ?
• Is the user should login every time they change the UI service?
• Etc… (Anyone saw problems from previous slide?)
8
Solution
• Make an UI Framework which provide the abstraction for authentication and authorization without explicit declaration during development.
• Centralize the user repository for easy maintainability purpose
• Single Sign On and Single Sign Off features
• Developer create roles by functionality point of view, business user will mapping it with their role name
9
Chosen Technology Overview
10
• Spring SecurityA Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications
• Apereo CASThe Central Authentication Service project, more commonly referred to as CAS is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user.
• Apache FortressA standards-based access management system, written in Java, that provides role-based access control, delegated administration and password policy services with LDAP.
Combine All the technologies
11
• Apereo CAS will Act as the provider for Single Sign On and Off• Apache Fortress Will Provide Authorization and Whitelist of Security
Policies• Spring Security as the main development framework for put the
logic authentication and authorization mechanism• Create a templating project, so developer can easily setup their
project using those template
Authentication and Authorization Architecture
12
UI ServiceAPI
Service
CAS
FortressLDAP
Delegate AuthenticationRESTFul
User
Http Request
Behind the great idea
There are also another problems :
1. How developer should not statically type the roles in their codes, especially in their javascript/presentation layer for hiding a button
2. How to cut the response by roles, unnecessary information need to be hide from other role
13
What We at Blibli Achieved
14
• Decouple business and application logic from security authorization
• More productive and predictive software
• User Roles Security and Easy Maintainability
• Single user repository for all internal application
What We at Blibli.com learned
15
Any Questions?
16
THANK YOU
17
