Ayende @ Rahien

Hi!
My name is Oren Eini
Founder of Hibernating Rhinos LTD and RavenDB.
You can reach me by phone or email:

ayende@ayende.com

+972 52-548-6969

, @ Q c

Posts: 6,125 | Comments: 45,492

filter by tags archive

The pitfalls of transparent security

time to read 2 min | 299 words

A long time ago, I needed to implement a security subsystem for an application. I figured that it was best to make the entire security subsystem transparent to the developer, under the assumption that if the infrastructure would take care of security, it would make a lot more sense than relying on the developer to remember to add the security calls.

It took me a long while to realize how wrong that decision was. Security is certainly important, but security doesn’t apply to the system itself. In other words, while a specific user may not be allowed to read/write to the audit log, actions that the user made should be written to that log. That is probably the simplest case, but that are a lot of similar ones.

Ever since then, I favored using an explicit approach:

var books = session.CreateQuery("from Books")
                        .ThatUserIsAllowedToRead(CurrentUser)
                        .List<Book>();

This also help you implement more interesting features, such as “on behalf of”. And yes, it does put the onus of security on the developer, but considering the alternative, that is a plus.


Comments

Stefan Wenig

Sure, that' easier to handle. And I'm sure for some systems, that's the way to go. But make one critical mistake in a multi-tenant system hosting mutual competitors, and you're done.

Transparent security works, you just need to be able to opt out. Sometimes you forget to opt out, this will result in an exception and will hopefully be caught during testing. If not, an unhandled security exception in production is still better than information disclosure.

Another potential advantage: You might want to control who's able to opt out.

Ryan Roberts

Transparently adding a default deny at least might be a good idea

Graeme

I see what you're saying, and it can sometimes be misleading that if the developer queries for books it only returns a subset of the books. This method is most obvious to the programmer. However, I usually use transparent security with the ability to opt out for the reasons Stefan stated.

Comment preview

Comments have been closed on this topic.

FUTURE POSTS

  1. RavenDB 3.5 Whirlwind tour: I need to be free to explore my data - 2 hours from now
  2. RavenDB 3.5 whirl wind tour: I'll have the 3+1 goodies to go, please - 3 days from now
  3. The design of RavenDB 4.0: Voron has a one track mind - 4 days from now
  4. RavenDB 3.5 whirl wind tour: Digging deep into the internals - 5 days from now
  5. The design of RavenDB 4.0: Separation of indexes and documents - 6 days from now

And 11 more posts are pending...

There are posts all the way to May 30, 2016

RECENT SERIES

  1. The design of RavenDB 4.0 (14):
    05 May 2016 - Physically segregating collections
  2. RavenDB 3.5 whirl wind tour (14):
    04 May 2016 - I’ll find who is taking my I/O bandwidth and they SHALL pay
  3. Tasks for the new comer (2):
    15 Apr 2016 - Quartz.NET with RavenDB
  4. Code through the looking glass (5):
    18 Mar 2016 - And a linear search to rule them
  5. Find the bug (8):
    29 Feb 2016 - When you can't rely on your own identity
View all series

Syndication

Main feed Feed Stats
Comments feed   Comments Feed Stats