greptilian logo

IRC log for #rest, 2015-04-06

#rest on freenode has been logged here from May 2014 until end of July 2018 but logging has been suspended because the channel has been riddled with spam since August 2018 with no end in site. See the following blog posts about the problem:

Until the spam problem has been dealt with and logging can resume, please visit our wiki at https://trygvis.io/rest-wiki/

Thanks.

| Channels | #rest index | Today | | Search | Google Search | Plain-Text | plain, newest first | summary

All times shown according to UTC.

Time S Nick Message
00:38 HighBit joined #rest
00:41 shrink0r_ joined #rest
03:49 lemur joined #rest
06:12 ewalti joined #rest
06:59 scflode joined #rest
06:59 scflode joined #rest
08:19 ewalti joined #rest
08:29 _ollie joined #rest
08:50 ewalti joined #rest
08:55 quimrstorres joined #rest
09:03 quimrstorres joined #rest
10:00 scflode joined #rest
10:06 rosstuck joined #rest
10:33 scflode joined #rest
11:09 Left_Turn joined #rest
11:18 quimrstorres joined #rest
11:54 quimrstorres joined #rest
12:28 CentaurWarchief joined #rest
12:30 _ollie joined #rest
12:52 scflode joined #rest
12:58 shrink0r joined #rest
13:54 scflode joined #rest
13:54 quimrstorres joined #rest
13:55 _ollie joined #rest
13:55 ekroon joined #rest
13:55 dkm joined #rest
13:55 Guest18878 joined #rest
13:56 HighBit joined #rest
13:56 fumanchu_ joined #rest
13:56 asm89 joined #rest
13:56 prologic joined #rest
13:56 EnergyCoffee joined #rest
13:57 saml joined #rest
13:58 CentaurWarchief joined #rest
13:58 Left_Turn joined #rest
13:58 Davey joined #rest
13:58 StatelessCat joined #rest
13:58 asdf` joined #rest
13:58 blahdeblah joined #rest
13:58 StatelessCat joined #rest
14:01 saml joined #rest
14:01 saml joined #rest
14:23 nkoza joined #rest
14:55 scflode joined #rest
15:51 quimrstorres joined #rest
15:57 jackalista Thanks wartung and pdurbin.  yeah, XACML is a little complex, as usual, you pay for the abstraction somehow
15:58 jackalista so what is better if you need fine grained authorization for data?
15:58 trygvis seems like most people are away on easter vacation
15:58 jackalista lol
15:58 jackalista I just got back
15:58 jackalista :)
15:59 trygvis I handle all authentication/authorization stuff with "normal" security within the application
16:00 trygvis at work we use spring security or just simple shared users/passwords in nginx
16:00 trygvis the former for stuff used by clients, the latter for internal stuff or testing
16:00 trygvis but we also only have a single application
16:01 trygvis well, single deployment. it's getting so big that it can be drawn up as different apps
16:03 pdurbin trygvis: your "normal" security is hand rolled within the app, sounds like
16:03 pdurbin or maybe you're saying you use Spring Security
16:04 trygvis yes, spring security for authentication and hibernate listeners to check that the current user has access to the object being loaded
16:04 trygvis that covers 95% of the normal cases, there is always some special stuff for signup and stuff
16:10 pdurbin ok. I should try Spring Security I guess.
16:12 trygvis I don't know if you want to use that unless you're already on the spring wagon
16:13 trygvis if you want something more generic I think this is pretty good: http://shiro.apache.org/
16:13 trygvis I haven't used it myself, but heard plenty of good stuff about it from good people
16:21 jackalista spring security is good shit fotr a single web app
16:21 jackalista i have used it many times
16:21 jackalista but we are looking at api mgmt platforms
16:21 pdurbin jackalista: even if I'm not on the Spring bandwagon?
16:21 jackalista and I am looking at how to move as muchg as possible onto these pltforms
16:21 jackalista well, spring sec is a *very* good impl
16:21 jackalista better than jaas by a lonbg shot, IMO
16:22 jackalista and it can be used outside of a sppring app
16:22 jackalista but you should have a reason to go to the trouble, if not in spring
16:22 jackalista you know?
16:22 jackalista don't make life difficult for yourself for no reason I mean
16:22 pdurbin well, it's some trouble to write you own auth
16:23 jackalista so anyway, I'm looking for what the future holds in fine grained authz
16:23 jackalista and seeing how much can be moved out of the service endpoints
16:23 jackalista it's too hard to manage and over see that way
16:23 jackalista too hard to audit
16:23 jackalista I'm in a financial services firm
16:23 lemur joined #rest
16:23 jackalista audit is best friend
16:23 jackalista all tx's must be auditable!
16:24 jackalista yes, what we want to do is saay to our clients that we use XYZ best of breed tools, ABC best practices, etc.
16:24 jackalista not "trust me, we rolled our own"!, lol
16:25 jackalista not that we couldn't but in our industry, we shouldn't
16:25 trygvis to be honest, externalizing security like that is a recipe for a total clusterfuck
16:25 jackalista I'[m finding that some platforms, say akana/soa software uses stuff like ws-policy... I was surprised to see that
16:25 trygvis if you're thinking of placing some kind of generic stuff in front of your apps
16:26 jackalista well, you wpould rather have hundreds of services with endpoint based security?
16:26 jackalista at the very least, identity needs to be centralized
16:26 jackalista authz is harder to say
16:27 pdurbin trygvis: do you consider using Shiro a case of externalizing security?
16:27 trygvis no, that would still run inside the application and be configured with the application
16:27 pdurbin ok. phew :)
16:28 trygvis jackalista: authentication can be externalized, and you could probably gain from doing so
16:29 jackalista authn will definitely be cedntrailziedc and excternalk
16:29 jackalista centralized and external
16:29 jackalista lol
16:29 trygvis when I worked in finance the network/ops people deployed apache/big ip in front to take care of load balancing, ssl termination, client certificate checks (where applicable), IP-based access control (where application)
16:29 trygvis that combination worked quite good
16:30 trygvis they could also have some basic filtering of allowed methods to certain paths, so if some apps where totally read-only they could allow just GET and HEAD
16:30 jackalista we have something similar, but are looking at what to do for fine grained access control.  we have some interesting needs along those lines.  this goes beyond what a BIG IP can get you, it's more like entitlment mgmt
16:31 trygvis that shop was a java shop, so we had some jar files with 'useful security stuff', stuff like servlet filters that could be configured
16:32 trygvis but every app has its own requirements and domain model so it just doesn't make sense to make something central checking. to me at least :)
16:32 jackalista trygvis: yeah, the api mgmt platforms have a pretty good story for that via oauth and scopes, can easily associate scopes that allow for one role just a GET but for another, a PUT, POST or DELETE
16:32 trygvis having a central registry of "stuff a client has access to" is probably useful, like client "abc" can "transfer money"
16:34 jackalista yeah, that's correct, and we are trying to take a closer look.  not just xfrer $, but so and so can xfter $ for this client and that project/account/etc
16:35 jackalista at first blush xacml looks pretty good, but not enough adoption
16:35 quimrsto_ joined #rest
16:35 jackalista is shiro usefulk for this sort of stuff, or is it j7ust for usualy web app sort of stuff?
16:35 trygvis well, I wouldn't even try to make it generic
16:36 trygvis shiro is the same kind of stuff as spring security. just not "tied" to spring
16:36 trygvis probably a bit more low level
16:36 jackalista does it integrate with things like  OAuth2 nicely?
16:36 trygvis dunno, haven't used it myself
16:37 jackalista ah, k, thx anyway
16:37 jackalista we have needs for RBAC and ABAC and would like to tie both to data, essentially, in the most forward looking way possible
16:37 jackalista not clear just yet what that is
16:38 jackalista was surprised to see a vendor using ws-policy, and not sure that is the right way to go, at leaqst for us
16:40 trygvis I just don't see the need for extra stuff to support it
16:41 trygvis is this thing going to be a filter in front of your app or something your app queries per request?
16:41 jackalista well, we have a semi large number of apps, and will have an even larger number of services feeding those apps
16:42 jackalista yes, it's a means of presenting an API front compoent of sorts
16:42 jackalista all API traffic goes over it
16:43 whartung jackalista: fine grain security is, and always will be, a pain. There's simply no way around it. Best practices don't actaull really even "help" here.
16:44 jackalista lol
16:44 jackalista yeah, I've been feelin' that
16:44 jackalista in that light, xacml doesn't look so bad!  :P
16:45 jackalista still not sure about ws-policy tho, shit
16:45 whartung because the simple truth is, that "security" need not be more "complicated" than "isUserInRole(xxx)". But that hides SO much complexity, it's not even funny.
16:47 trygvis yes, and then you could define credit limits as a business thing and stick it in your application. yay!
16:47 jackalista lol
16:48 jackalista that's not really our problem.  imagine we have a half million contract workers that today, get access to XYZ enterprise and ABC of their projects
16:48 jackalista imagine that one can work for > 1 enterprise concurrently, but can'ty share info across them
16:49 jackalista we have basic role based problem space but need to tighten with attributes
16:49 * fumanchu_ hands one of them a usb stick
16:49 jackalista they aren't rteally invested too much in that sort of thing
16:49 whartung now, see, you can express your rights as "role and attributes". JEE just has "roles", because any menagerie of "roles and attributes" can be flattened in to a single role namespace.
16:50 jackalista but we need to keep our end tight, we can't control what we can't control, etc.
16:50 jackalista yes but it's more efficient with roles and attr's, otherwise you get a shitload of roles
16:51 jackalista not any eqasier from an adm9in perspective
16:51 whartung the other problem is that most apps focus on access to VIEWS rather than so much access to DATA.
16:51 jackalista API stuff here
16:51 jackalista apps will also have app level sec
16:51 jackalista but tjhey're all fgeediong from services
16:51 jackalista feeding
16:53 tieTYT2 joined #rest
16:53 whartung the task is how to project all of your criteria, and then how to manage all that criteria. In the end, each invdividual user has a potentually unique set of rights.
16:53 jackalista a role in an app will also haver a corresponnding oauth token wityh similar authz
16:53 jackalista exactly
16:53 jackalista how most effeciently
16:53 jackalista efficiently
16:53 jackalista dang
16:55 whartung and what you'll find is that the more detail that you check for, the more detail you have to manage. Beacuse it all comes down to bits of information. The simplest system has 1 bit: can or can't access. As you add bits (roles, rights, attributes), the problem geometrically explodes.
16:55 jackalista what also makes this interesting is that th3ese 500,000 contract workers have temporary access to what data they can access
16:55 whartung yay -- time windows
16:55 whartung those are fun too
16:55 jackalista yep
16:55 whartung UTC, of course.
16:56 jackalista people get rolled on and off of projects, so access follows that, nothing too tricky
16:56 whartung "Well,…uhmmm… see they work 9 to 5 PDT but we're on the east coast, and is it DST their now? Math is hard."
16:56 quimrstorres joined #rest
16:59 jackalista the tool I need would say that for project ABC for company XYZ, let so and so *view* the data about stuff that wqs brought, etc., or let them *edit* the bought stuff to add an item, etc.
17:00 whartung yea, and see here's the rub.
17:00 whartung Nobody has that tool
17:00 jackalista if u imagined that these were spoftware contractors, that's close enough for rock and roll
17:00 whartung because at that level, everyone like to manage this stuff their own way
17:01 jackalista haha
17:01 whartung they think "how hard can this be"
17:01 jackalista yeah, well, if true, we will soon :)
17:01 jackalista it's hard
17:01 jackalista I already know that
17:01 whartung they find that they can abstract 80% of the bits
17:01 jackalista rtry8ing to keep our investment in tool making minimal here :)
17:01 whartung in to groups, departments, applications, whatever.
17:01 jackalista the api mgmt platforms are not bad dude, 80% already abstracted
17:01 whartung but you still have to manage all of the bits.
17:02 whartung it's the 20% that kills you
17:02 jackalista 80% done for me for the most part
17:02 jackalista exactly on the 20%
17:02 jackalista that's why the questions
17:03 whartung well the answer is, there is no answer.
17:03 whartung the 20% is where the rubber meets the road
17:03 whartung and where folks diverge
17:03 whartung so -- that 20% is on you.
17:03 jackalista yeah, just wondering what you guys had seen, used, etc.
17:03 jackalista been here before, many times
17:03 jackalista the tools ever change and the questions stay the same :)
17:04 whartung I've done this several times, it always sucks
17:04 whartung no magic bullet here
17:04 jackalista no magic needed, but some things will have better legs than others
17:05 mezod joined #rest
17:05 whartung yea, there you go deluding yourself again
17:06 whartung some things may have better legs FOR YOU, but that's remote. It's a universal problem without a unviversal solution.
17:06 jackalista well, of courtse, I'm not doing it for you ;)
17:13 jackalista agree, no magic soln here.  for the context of the place I work, there are some solutions that will be better than others, as is nearly always the case, considering context
17:14 jackalista that's what makes this shit fun, dude!
17:16 quimrsto_ joined #rest
17:37 quimrstorres joined #rest
18:00 quimrstorres joined #rest
18:24 jcromartie joined #rest
18:40 quimrstorres joined #rest
18:41 quimrstorres joined #rest
19:31 quimrstorres joined #rest
19:49 quimrstorres joined #rest
19:52 shrink0r joined #rest
20:24 shrink0r_ joined #rest
20:26 shrink0r joined #rest
20:28 shrink0r_ joined #rest
20:34 tieTYT2 joined #rest
21:49 zama joined #rest
22:02 fumanchu joined #rest
22:16 quimrstorres joined #rest
23:13 huckleberry78 joined #rest

| Channels | #rest index | Today | | Search | Google Search | Plain-Text | plain, newest first | summary

#rest on freenode has been logged here from May 2014 until end of July 2018 but logging has been suspended because the channel has been riddled with spam since August 2018 with no end in site. See the following blog posts about the problem:

Until the spam problem has been dealt with and logging can resume, please visit our wiki at https://trygvis.io/rest-wiki/

Thanks.