OWASP - User contributions [en]

Access Control Cheat Sheet

2016-03-06T07:14:44Z

Adinath,raveendraraj: Starting work on fleshing out this section

=Introduction=

This article is focused on providing clear, simple, actionable guidance for providing access control security in your applications. The objective is to provide guidance to developers, reviewers, designers, architects on designing, creating and maintaining access controls in web applications

==What is Access Control / Authorization?==

Authorization is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication - as these terms and their definitions are frequently confused. Authentication is providing and validating identity. Authorization includes the execution rules that determines what functionality and data the user (or Principal) may access, ensuring the proper allocation of access rights after authentication is successful.

Web applications need access controls to allow users (with varying privileges) to use the application. They also need administrators to manage the applications access control rules and the granting of permissions or entitlements to users and other entities. Various access control design methodologies are available. To choose the most appropriate one, a risk assessment needs to be performed to identify threats and vulnerabilities specific to your application, so that the proper access control methodology is appropriate for your application.

== Access Control Policy ==

Why do we need an access control policy for web development?

The intention of having an access control policy is to ensure that security requirements are described clearly to architects, designers, developers and support team, such that access control functionality is designed and implemented in a consistent manner.

= Role Based Access Control (RBAC) =

In Role-Based Access Control (RBAC), access decisions are based on an individual's roles and responsibilities within the organization or user base.

The process of defining roles is usually based on analyzing the fundamental goals and structure of an organization and is usually linked to the security policy. For instance, in a medical organization, the different roles of users may include those such as doctor, nurse, attendant, nurse, patients, etc. Obviously, these members require different levels of access in order to perform their functions, but also the types of web transactions and their allowed context vary greatly depending on the security policy and any relevant regulations (HIPAA, Gramm-Leach-Bliley, etc.).

An RBAC access control framework should provide web application security administrators with the ability to determine who can perform what actions, when, from where, in what order, and in some cases under what relational circumstances.

The advantages of using this methodology are:
*Roles are assigned based on organizational structure with emphasis on the organizational security policy
*Easy to use
*Easy to administer
*Built into most frameworks
*Aligns with security principles like segregation of duties and least privileges

Problems that can be encountered while using this methodology:
*Documentation of the roles and accesses has to be maintained stringently.
*Multi-tenancy can not be implemented effectively unless there is a way to associate the roles with multi-tenancy capability requirements e.g. OU in Active Directory
*There is a tendency for scope creep to happen e.g. more accesses and privileges can be given than intended for. Or a user might be included in two roles if proper access reviews and subsequent revocation is not performed.
*Does not support data based access control

The areas of caution while using RBAC are:
*Roles must be only be transferred or delegated using strict sign-offs and procedures.
*When a user changes his role to another one, the administrator must make sure that the earlier access is revoked such that at any given point of time, a user is assigned to only those roles on a need to know basis.
*Assurance for RBAC must be carried out using strict access control reviews.

= Discretionary Access Control (DAC) =

Discretionary Access Control (DAC) is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials he presented at the time of authentication (user name, password, hardware/software token, etc.). In most typical DAC models, the owner of information or any resource is able to change its permissions at his discretion (thus the name).

A DAC framework can provide web application security administrators with the ability to implement fine grained access control. This model can be a basis for data based access control implementation

The advantages of using this model are:
*Easy to use
*Easy to administer
*Aligns to the principle of least privileges.
*Object owner has total control over access granted

Problems that can be encountered while using this methodology:
*Documentation of the roles and accesses has to be maintained stringently.
*Multi-tenancy can not be implemented effectively unless there is a way to associate the roles with multi-tenancy capability requirements e.g. OU in Active Directory
*There is a tendency for scope creep to happen e.g. more accesses and privileges can be given than intended for.

The areas of caution while using DAC are:
*While granting trusts

*Assurance for DAC must be carried out using strict access control reviews.

= Mandatory Access Control (MAC) =

Mandatory Access Control (MAC) ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. MAC secures information by assigning sensitivity labels on information and comparing this to the level of sensitivity a user is operating at. MAC is usually appropriate for extremely secure systems including multilevel secure military applications or mission critical data applications.

The advantages of using this methodology are:
* Access to an object is based on the sensitivity of the object
* Access based on need to know is strictly adhered to and scope creep has minimal possibility
* Only an administrator can grant access

Problems that can be encountered while using this methodology:
* Difficult and expensive to implement
* Not agile

The areas of caution while using MAC are:
* Classification and sensitivity assignment at an appropriate and pragmatic level
* Assurance for MAC must be carried out to ensure that the classification of the objects is at the appropriate level.

= Permission Based Access Control =

The key concept in Permission Based Access Control is the abstraction of application actions into a set of ''permissions''. A ''permission'' may be represented simply as a string based name, for example "READ". Access decisions are made by checking if the current user ''has'' the permission associated with the requested application action.

The ''has'' relationship between the user and permission may be satisfied by creating a direct relationship between the user and permission (called a ''grant''), or an indirect one. In the indirect model the permission ''grant'' is to an intermediate entity such as ''user group''. A user is considered a member of a ''user group'' if and only if the user ''inherits'' permissions from the ''user group''. The indirect model makes it easier to manage the permissions for a large number of users, since changing the permissions assigned to the user group affects all members of the user group.

In some Permission Based Access Control systems that provide fine-grained domain object level access control, permissions may be grouped into ''classes''. In this model it is assumed that each domain object in the system can be associated with a ''class'' which determines the permissions applicable to the respective domain object. In such a system a "DOCUMENT" class may be defined with the permissions "READ", "WRITE" and DELETE"; a "SERVER" class may be defined with the permissions "START", "STOP", and "REBOOT".

= Authors and Primary Editors =

Shruti Kulkarni - shruti.kulkarni [at] owasp.org 
Mennouchi Islam Azeddine - azeddine.mennouchi [at] owasp.org 
Jim Manico - jim [at] owasp.org 

= Other Cheatsheets =
{{Cheatsheet_Navigation_Body}}

__NOTOC__ <headertabs />
[[Category:Cheatsheets]]

Java Security Frameworks

2014-11-24T03:21:09Z

Adinath,raveendraraj: Add OACC to list of security frameworks

A list of third party (i.e. not part of Java SE or EE) security frameworks. This page contains a list of Java security libraries and frameworks and indicates which security features each library supports.

==Enterprise==
* [[ESAPI|OWASP Enterprise Security API]] a new OWASP project to provide all essential security services under one roof.
* [http://www.hdiv.org/ HDIV] A web application security framework that provides a number of functions.

== Access Control (Authentication and Authorization) ==
* [http://sourceforge.net/projects/jguard jGuard] - jGuard is written in Java. Its goal is to provide a security framework based on JAAS (Java Authentication and Authorization Security). The framework is written for web and standalone applications, to easily provide solutions for access control problems.
* [http://oaccframework.org/ OACC] - OACC is an application security framework for Java designed for fine grained (object level) access control. OACC uses the abstraction of a ''resource'' for the application objects being secured. This key abstraction enables OACC to provide a rich API that includes grant, revoke and query capabilities for storing and managing the application's security relationships.

== Encryption ==
* [http://www.bouncycastle.org/ Bouncycastle] - Lightweight Java cryptography APIs
* [http://www.jasypt.org/ Jasypt] - Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.

== Cross Site Scripting (XSS) ==
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project] is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies to help Java web developers defend against Cross Site Scripting.
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer Project] is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP Java JSON Sanitizer] is a tool to convert JSON-like content to valid JSON! The OWASP JSON Sanitizer Project is a simple to use Java library that can be attached at either end of a data-pipeline

== Additional Java Security Libraries ==

{| border="1" align="center" width="80%" cellspacing="1" cellpadding="1"
|-
! scope="col" | Name and link 
! scope="col" | Updated 
! scope="col" | AU 
! scope="col" | AC 
! scope="col" | CF 
! scope="col" | CR 
! scope="col" | IV 
! scope="col" | OE 
! scope="col" | SM 
! scope="col" | XM 
! scope="col" | XS 
|-
| [http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project AntiSami] 
| align="center" | 2011 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" |  Y 
| align="center" | Y 
| align="center" | 
| align="center" | 
| align="center" | 
|-
| [http://santuario.apache.org/ Apache Santuarrio] 
| align="center" | 2011 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" |  Y 
| align="center" | 
|-
| [http://shiro.apache.org/ Apache Shiro] 
| align="center" | 2011 
| align="center" | Y 
| align="center" | Y 
| align="center" |  ? 
| align="center" | Y 
| align="center" |  ? 
| align="center" | Y 
| align="center" | Y 
| align="center" |  ? 
| align="center" | Y 
|-
| [http://www.bouncycastle.org/ Bouncy Castle] 
| align="center" | 2011 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | Y 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
|-
| [http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project CSRFGuard] 
| align="center" |  ? 
| align="center" | 
| align="center" | 
| align="center" | Y 
| align="center" | Y 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
|-
| [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API ESAPI] 
| align="center" | 2010 
| align="center" | Y 
| align="center" | Y 
| align="center" |  ? 
| align="center" | Y 
| align="center" | Y 
| align="center" | Y 
| align="center" |  ? 
| align="center" | 
| align="center" | Y 
|-
| [http://www.jasypt.org/ Jasypt] 
| align="center" | 2010 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | Y 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
|-
| [http://sourceforge.net/projects/jguard/ iGuard] 
| align="center" | 2011 
| align="center" | Y 
| align="center" | Y 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
|-
| [http://oaccframework.org/ OACC] 
| align="center" | 2014 
| align="center" | Y 
| align="center" | Y 
| align="center" | 
| align="center" | Y 
| align="center" | Y 
| align="center" | 
| align="center" |  ? 
| align="center" | 
| align="center" | 
|-
| [http://www.sapia-oss.org/projects/vlad/ Vlad] 
| align="center" |  ? 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | Y 
| align="center" | 
| align="center" | 
| align="center" | 
| align="center" | 
|}

 

== Security Features Key ==

*AU Authentication
*AC Authorization / Access Control
*CF Anti CSRF
*CR Cryptography
*IV Input Validation
*OE Output encoding
*SM Session management
*XM XML security
*XS XSS protection

[[Category:OWASP_Java_Project]]