Re: [ANN] clojure-sec

2013-11-18 Thread wm . mark . lee
This list seems somewhat inactive, which I find a bit surprising, but I am 
very interested in one particular aspect of security when I build Clojure 
apps.

Right now my interest is in building REST web services and web applications 
backed by a relational database with something like Angular or Backbone at 
the front-end. I'm therefore interested in applying best practices in 
securing web applications for the public internet.

I don't have a deep background in security, but as a seasoned Java 
developer I have a good idea of some of the security considerations for web 
applications, and I agree with another post here that OWASP is a very 
useful resource. My specific interests in security are mainly mitigations 
against:

1. SQL injection;
2. Cross-site scripting;
3. Request forgery.

When it comes to the many libraries available for Clojure I struggle to 
find good information on these topics, so I'm unsure what is my 
responsibility as an app developer and what is being provided by those 
libraries for me.

For example, based on Clojure tutorials I have built a Compojure web 
application that:

1. Accepts JSON from a client;
2. Inserts a database record based on the JSON (using the official JDBC 
wrappers).

This is implemented in the most simple way possible: the JSON map is 
basically passed directly to the function that inserts that map in the 
database. I don't even name database columns and I don't filter text to 
mitigate against attacks. 

In my equivalent Java web application, I'd know to white-list keys for my 
JSON unmarshalling, I'd name explicit columns in my database operations, 
and I'd run the submitted user text through filters to strip out any 
malicious scripts or whatever, or escape the text when reading data back.

I would have no confidence hosting this web application on the public 
internet in its current state.

Now, admittedly my Clojure experience is limited (at time of writing I have 
about three part-time days of experience!), so these things may be obvious 
to others here, but right now this is the sort of thing I simply don't know 
how to do with Clojure and the third party libraries I'm using.

By the way, I do use Friend already and I am finding it really useful.

On Friday, 14 December 2012 17:36:57 UTC, Chas Emerick wrote:

 Some recent discussions related to my development of Friend have prompted 
 me to create a new group: 

 https://groups.google.com/group/clojure-sec 
 Dedicated to discussing security issues affecting those building 
 applications with Clojure and its variants. 

 I'm sure many of us are building applications that have security 
 considerations.  I think it would be helpful at this point if there were a 
 dedicated place for discussions around addressing those considerations; 
 thus, clojure-sec. 

 We'll see what people actually want to talk about, but I'd be happy if any 
 of these classes of topics become common: 

 * usage and design of particular security-related libraries and tools 
 * security-related tech available in the various host environments that we 
 can leverage from Clojure(Script/.CLR/-py/c/etc) 
 * Clojure-specific concerns (e.g. untrusted code evaluation / jailing) 
 * issues or weaknesses in particular Clojure implementations, libraries, 
 etc. 
 * discussion of more general-interest security topics that nevertheless 
 impinge upon our work in Clojure 
 * more, more, more 

 I'm looking forward to learning. 

 Cheers, 

 - Chas 

 -- 
 http://cemerick.com 
 [Clojure Programming from O'Reilly](http://www.clojurebook.com) 



-- 
-- 
You received this message because you are subscribed to the Google
Groups Clojure group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
Clojure group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Friend roles stored in a database table

2013-11-17 Thread wm . mark . lee
Hello,

As a long-time Java web developer, I've now been doing clojure for a few 
days so there's a lot I don't get yet, but I do have an end-to-end working 
Compojure web application with a UI, JSON web services, and working 
form-based authentication using Friend - originally using the in-memory 
users 'database' from the demos.

So what I am doing now is trying to get user name and password validation 
going against a database table.

I actually managed to get this integrated and working as a Friend 
credential-fn.

The state my application in right now is that username and password 
combinations are properly validated against my database table. So I can 
authenticate, or not, correctly.

The only piece that is not yet working is to get role authorisations 
working according to the roles in my database table.

I just can't see how I'm supposed to map one or more namespaced roles to 
either a roles column value, or a roles join table in the database. 

The examples for Friend show roles like ::admin, ::user, and I use 
similar roles from more than one namespace - so what should I persist in 
the database to load those roles via my credential-fn, and how should I 
populate the :roles property from the result-set?

I feel like I'm really close to getting this fully working, but I've hit a 
road-block so any pointers would be greatly appreciated.

Regards,

-M.

PS

This tutorial was very helpful, so thanks to @ddellacosta

[1] https://github.com/ddellacosta/friend-interactive-form-tutorial

-- 
-- 
You received this message because you are subscribed to the Google
Groups Clojure group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
Clojure group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Re: Friend roles stored in a database table

2013-11-17 Thread wm . mark . lee
Hello, some inline-comments...

On Sunday, 17 November 2013 11:25:38 UTC, David Della Costa wrote:

As far as actually storing the roles in the database, they are simply a 
 stringified set of namespace-qualified keywords, like so: 

 #{:my-app-ns/user} 
 #{:my-app-ns/admin :my-app-ns/some-other-role} 


This was the piece I was missing.

I hope this helps, definitely let me know if I didn't answer one of your 
 questions. 


It definitely helps.

I think the last part of my problem is a language problem rather than 
anything else due to my lack of Clojure experience...

Presumably when I read my user record from the database I need to 
de-stringify the roles from the database column to an actual set for the 
:roles rather than a string, so how do I do that for a string like this?

 #{:my-app-ns/admin :my-app-ns/some-other-role} 
 

 And I'm very happy to hear the tutorial helped you get going, by the way! 


It really was the most useful information I found on this subject, thank 
you!

-- 
-- 
You received this message because you are subscribed to the Google
Groups Clojure group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
Clojure group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Re: Friend roles stored in a database table

2013-11-17 Thread wm . mark . lee
Sometimes you can't see the wood for the trees I guess, I have it working 
with this trivial change:

(defn credential-fn [username]
  (update-in (read-user username) [:roles] read-string))

Still learning the basics...

On Sunday, 17 November 2013 17:04:27 UTC, wm.ma...@gmail.com wrote:

 Presumably when I read my user record from the database I need to 
 de-stringify the roles from the database column to an actual set for the 
 :roles rather than a string, so how do I do that for a string like this?

  #{:my-app-ns/admin :my-app-ns/some-other-role} 


-- 
-- 
You received this message because you are subscribed to the Google
Groups Clojure group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
Clojure group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.