Embed Size (px)
DESCRIPTION
To make add-ons in Atlassian OnDemand successful with Atlassian Connect, they have to be secure. Learn what security features Connect provides and why. This session will include: • Fun security brain teasers! • Tips on avoiding common pitfalls when Connect add-ons • A sneak peak at future security features we will introduce for Connect
Citation preview
June 3-5, 2014 | Berlin, Germany
Peter Brownlow, Senior Java Developer, Atlassian
Connect Security
Connect add-ons
3.500installs from Marketplace
in-process plugins
1.500.000installs from Marketplace
grow 500xtension between security & usability
overtake in-process plugins
Don’t #@!% the customer.
- Atlassian value
”
“
Questions
Sneak Peeks
Authorization
Authentication
Connect Security
Authentication
who said that?”“
Who sent the letter?
sender
signature
Was the letter tampered with?!!!
tampering “looks wrong”
Was the letter re-sent?
too long ago?
postmark
JSON Web Tokens
host product add-on
params, token
params, token
e.g. https://mycompany.com/awsome?user.key=peter&jwt=…
also “Authorization” HTTP header
JSON Web Tokens
• structured • header JSON • claims JSON • signature
• base-64 encoded
{“typ":"JWT", “alg":"HS256"}
.{“iss”:"myId", “exp":1300819380}
.“signature”
eyJ0eXAiOi12KL98udNfg8z…
JSON Web Tokens
Letter !• sender • signature • changes “look wrong” • postmark date
JWT !
• issuer claim • cryptographic signature • signature, query hash claim • expiry claim
Questions
Sneak Peeks
Authorization
Authentication
Connect Security
Authorization
can you do that?”“
Authorization
Scopes: compare to white-list
Who can see the aliens?
generals interns
Authorization
Authorization“How did that guy get in here?”
How to avoid “security surprise”?
Scopes displayed on installation
!!!
Authorization
Authorization
Personal access changes arbitrarily.
Add-on user permissions
How to accurately allow access?
Authorization
Authorization
Questions
Sneak Peeks
Authorization
Authentication
Connect Security
Sneak Peeks
ideas in motion ”“
• Headers hash
• Body hash
More Custom JWT Claims?
• User loads page
• Goes to lunch
• Comes back, clicks link…
• Expired!
• Secure! But less usable.
JWT expiry improvements
• On click: no expiry • JavaScript API?
• Act as a specified user
• Authorized by users
• Server to server
• 3LA Granted?
• Query parameters
• REST resource
Three Legged Auth
Recap
• Authentication
• Who said that?
• JWT claims
• JWT signature
• Authorization
• Can you do that?
• Scopes (static)
• User permissions (dynamic)
Questions
Sneak Peeks
Authorization
Authentication
Connect Security
Questions?
go.atlassian.com/ac-security
