Re: [ANN] clojure-sec
This list seems somewhat inactive, which I find a bit surprising, but I am very interested in one particular aspect of security when I build Clojure apps. Right now my interest is in building REST web services and web applications backed by a relational database with something like Angular or Backbone at the front-end. I'm therefore interested in applying best practices in securing web applications for the public internet. I don't have a deep background in security, but as a seasoned Java developer I have a good idea of some of the security considerations for web applications, and I agree with another post here that OWASP is a very useful resource.

My specific interests in security are mainly mitigations against:

1. SQL injection;
2. Cross-site scripting;
3. Request forgery.

When it comes to the many libraries available for Clojure I struggle to find good information on these topics, so I'm unsure what my responsibility is as an app developer and what is being provided by those libraries for me. For example, based on Clojure tutorials I have built a Compojure web application that:

1. Accepts JSON from a client;
2. Inserts a database record based on the JSON (using the official JDBC wrappers).

This is implemented in the most simple way possible: the JSON map is basically passed directly to the function that inserts that map in the database. I don't even name database columns and I don't filter text to mitigate against attacks. In my equivalent Java web application, I'd know to white-list keys for my JSON unmarshalling, I'd name explicit columns in my database operations, and I'd run the submitted user text through filters to strip out any malicious scripts or whatever, or escape the text when reading data back. I would have no confidence hosting this web application on the public internet in its current state.
Now, admittedly my Clojure experience is limited (at the time of writing I have about three part-time days of experience!), so these things may be obvious to others here, but right now this is the sort of thing I simply don't know how to do with Clojure and the third-party libraries I'm using. By the way, I do use Friend already and I am finding it really useful.

On Friday, 14 December 2012 17:36:57 UTC, Chas Emerick wrote:

> Some recent discussions related to my development of Friend have prompted me to create a new group:
>
> https://groups.google.com/group/clojure-sec
>
> Dedicated to discussing security issues affecting those building applications with Clojure and its variants.
>
> I'm sure many of us are building applications that have security considerations. I think it would be helpful at this point if there were a dedicated place for discussions around addressing those considerations; thus, clojure-sec.
>
> We'll see what people actually want to talk about, but I'd be happy if any of these classes of topics become common:
>
> * usage and design of particular security-related libraries and tools
> * security-related tech available in the various host environments that we can leverage from Clojure(Script/.CLR/-py/c/etc)
> * Clojure-specific concerns (e.g. untrusted code evaluation / jailing)
> * issues or weaknesses in particular Clojure implementations, libraries, etc.
> * discussion of more general-interest security topics that nevertheless impinge upon our work in Clojure
> * more, more, more
>
> I'm looking forward to learning.
>
> Cheers,
> - Chas
>
> --
> http://cemerick.com
> [Clojure Programming from O'Reilly](http://www.clojurebook.com)

-- -- You received this message because you are subscribed to the Google Groups Clojure group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en --- You received this message because you are subscribed to the Google Groups Clojure group. To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
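The key white-listing and explicit-column step described in the post above, written out as an added example that is not from the thread or from any of the libraries it names. It assumes the JSON body has already been parsed into a map with keyword keys (as ring-json does with `:keywords? true`); `allowed-columns`, `sanitize-record` and `insert-customer!` are names chosen here.

```clojure
(ns example.handler
  (:require [clojure.java.jdbc :as jdbc]
            [clojure.string :as str]))

;; The only columns a client may set. With jdbc/insert! the map's KEYS become the
;; column list of the generated statement, so an unfiltered body lets the client
;; decide which columns are written (e.g. a role or admin flag); VALUES are passed
;; as bound parameters, so the whitelist is what fixes the column list.
(def allowed-columns [:name :email])

(defn- acceptable-value? [v]
  (and (string? v)
       (not (str/blank? v))
       (<= (count v) 255)))

(defn sanitize-record
  "Keep only the whitelisted keys of the parsed JSON body and require every one
   of them to be present with a plausible string value. Returns nil otherwise."
  [body]
  (when (map? body)
    (let [rec (select-keys body allowed-columns)]
      (when (and (= (set (keys rec)) (set allowed-columns))
                 (every? acceptable-value? (vals rec)))
        rec))))

(defn insert-customer!
  "db is a clojure.java.jdbc db-spec (assumed). Rejects anything sanitize-record
   does not accept instead of passing the raw body to the database."
  [db body]
  (if-let [rec (sanitize-record body)]
    (jdbc/insert! db :customers rec)
    (throw (ex-info "invalid request body" {:status 400}))))

(comment
  ;; constructed inputs: the second one carries an extra key the client must not set
  (sanitize-record {:name "Ada" :email "ada@example.org"})
  ;; => {:name "Ada", :email "ada@example.org"}
  (sanitize-record {:name "Ada" :email "ada@example.org" :is_admin true})
  ;; => {:name "Ada", :email "ada@example.org"}   (:is_admin dropped)
  (sanitize-record {:name "" :email "ada@example.org"})
  ;; => nil
  )
```

Escaping on output (the cross-site scripting half of the post) is a separate concern that this block does not address.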
Friend roles stored in a database table
Hello,

As a long-time Java web developer, I've now been doing Clojure for a few days so there's a lot I don't get yet, but I do have an end-to-end working Compojure web application with a UI, JSON web services, and working form-based authentication using Friend - originally using the in-memory users 'database' from the demos.

So what I am doing now is trying to get user name and password validation going against a database table. I actually managed to get this integrated and working as a Friend credential-fn. The state my application is in right now is that username and password combinations are properly validated against my database table. So I can authenticate, or not, correctly.

The only piece that is not yet working is to get role authorisations working according to the roles in my database table. I just can't see how I'm supposed to map one or more namespaced roles to either a roles column value, or a roles join table in the database. The examples for Friend show roles like ::admin, ::user, and I use similar roles from more than one namespace - so what should I persist in the database to load those roles via my credential-fn, and how should I populate the :roles property from the result-set?

I feel like I'm really close to getting this fully working, but I've hit a road-block so any pointers would be greatly appreciated.

Regards,
-M.

PS This tutorial was very helpful, so thanks to @ddellacosta [1]

[1] https://github.com/ddellacosta/friend-interactive-form-tutorial
Re: Friend roles stored in a database table
Hello, some inline comments...

On Sunday, 17 November 2013 11:25:38 UTC, David Della Costa wrote:

> As far as actually storing the roles in the database, they are simply a stringified set of namespace-qualified keywords, like so:
>
>     #{:my-app-ns/user}
>     #{:my-app-ns/admin :my-app-ns/some-other-role}

This was the piece I was missing.

> I hope this helps, definitely let me know if I didn't answer one of your questions.

It definitely helps. I think the last part of my problem is a language problem rather than anything else, due to my lack of Clojure experience... Presumably when I read my user record from the database I need to de-stringify the roles from the database column to an actual set for the :roles rather than a string, so how do I do that for a string like this?

    #{:my-app-ns/admin :my-app-ns/some-other-role}

> And I'm very happy to hear the tutorial helped you get going, by the way!

It really was the most useful information I found on this subject, thank you!
Re: Friend roles stored in a database table
Sometimes you can't see the wood for the trees I guess, I have it working with this trivial change:

    (defn credential-fn [username]
      ;; clojure.edn/read-string parses EDN data only; clojure.core/read-string
      ;; honours *read-eval* and would evaluate a #=(...) form stored in the column
      (update-in (read-user username) [:roles] clojure.edn/read-string))

Still learning the basics...

On Sunday, 17 November 2013 17:04:27 UTC, wm.ma...@gmail.com wrote:

> Presumably when I read my user record from the database I need to de-stringify the roles from the database column to an actual set for the :roles rather than a string, so how do I do that for a string like this?
>
>     #{:my-app-ns/admin :my-app-ns/some-other-role}
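A hardened version of the role loading above, as an added example that is not from the thread or from Friend itself: it parses the stored set with clojure.edn/read-string (which, unlike clojure.core/read-string, never evaluates code) and refuses any role the application does not define, so a tampered or mistyped column denies login rather than granting an unexpected role. `known-roles`, `parse-roles`, `load-credentials` and the in-memory user table standing in for the poster's `read-user` are constructed here.

```clojure
(ns example.roles
  (:require [clojure.edn :as edn]
            [clojure.set :as set]))

;; Every role the application defines; the column may not name anything else.
(def known-roles #{:my-app-ns/user :my-app-ns/admin :my-app-ns/some-other-role})

(defn parse-roles
  "Turn the stored string, e.g. \"#{:my-app-ns/admin}\", into a set of keywords.
   edn/read-string only reads data, so a #=(...) form in the column is a parse
   error, not code execution. Returns nil when the value is malformed, is not a
   set of keywords, or names a role that is not in known-roles."
  [s]
  (let [roles (try (edn/read-string s) (catch Exception _ nil))]
    (when (and (set? roles)
               (every? keyword? roles)
               (set/subset? roles known-roles))
      roles)))

;; Constructed stand-in for the poster's read-user (a query on the users table).
;; :password holds a bcrypt hash; the values here are placeholders.
(def users-table
  {"alice" {:username "alice" :password "<bcrypt-hash>" :roles "#{:my-app-ns/admin :my-app-ns/user}"}
   "bob"   {:username "bob"   :password "<bcrypt-hash>" :roles "#{:my-app-ns/ghost}"}
   "carol" {:username "carol" :password "<bcrypt-hash>" :roles "not edn at all"}})

(defn read-user [username] (get users-table username))

(defn load-credentials
  "Map in the shape Friend's bcrypt-credential-fn expects from its loader
   (:username, :password as a bcrypt hash, :roles as a set), or nil when the
   user is unknown or its roles column is unusable."
  [username]
  (when-let [user (read-user username)]
    (when-let [roles (parse-roles (:roles user))]
      (assoc user :roles roles))))

;; Wiring (assumed, as in the friend-interactive-form-tutorial the thread cites):
;;   (partial cemerick.friend.credentials/bcrypt-credential-fn load-credentials)

(comment
  (:roles (load-credentials "alice"))  ; => #{:my-app-ns/admin :my-app-ns/user}
  (load-credentials "bob")             ; => nil   (unknown role :my-app-ns/ghost)
  (load-credentials "carol")           ; => nil   (column is not EDN)
  (load-credentials "nobody")          ; => nil   (no such user)
  )
```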