Security: Authentication & Authorization

  • Slides: 15
Security: Authentication & Authorization (title slide image: http://flic.kr/p/9UQDPM)

In the most general terms, what bad things does computer security aim to prevent?
  • Unauthorized access to data
  • Unauthorized modification of data
  • Unauthorized control

Two Key Security Concerns
  • Authentication: Who is the user?
  • Authorization: What is the user allowed to do/access?

What methods of authentication are there?
  • Passwords
  • Biometrics
  • SMS code
  • Secret question
  • USB key
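The first item on that list, passwords, is the one a "by hand" Rails app has to get right itself. The following is an added example, not code from the slides or from the auth_skeleton repository: it stores a salted PBKDF2-HMAC-SHA256 hash (chosen because it is in Ruby's standard library; Rails' has_secure_password uses bcrypt instead), compares in constant time, and charges unknown usernames the same hashing cost so response timing does not reveal which accounts exist. The users table and the passwords are constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Added example (not from the slides): password storage and checking with the
# Ruby standard library only. Assumption: PBKDF2-HMAC-SHA256 with a random
# per-user salt stands in for the bcrypt hash a real Rails app would store.
ITERATIONS = 100_000
KEY_LEN = 32

# Returns "iterations$salt$hash", the string to keep in the users table.
def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256')
  [ITERATIONS, Base64.strict_encode64(salt), Base64.strict_encode64(digest)].join('$')
end

# Constant-time comparison: the loop never exits early, so an attacker cannot
# learn the stored hash byte by byte from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derives the hash from the candidate password with the stored parameters.
def password_matches?(stored, candidate)
  iters, salt_b64, hash_b64 = stored.split('$', 3)
  salt = Base64.strict_decode64(salt_b64)
  expected = Base64.strict_decode64(hash_b64)
  actual = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iters.to_i, expected.bytesize, 'sha256')
  secure_compare(expected, actual)
end

# Constructed in-memory "users table" for the demo.
USERS = {
  'alice' => hash_password('correct horse battery staple')
}.freeze

# A throwaway hash so a login attempt for a non-existent user still costs one
# PBKDF2 computation (otherwise "user not found" answers faster than "bad password").
DUMMY_HASH = hash_password(SecureRandom.hex(16))

# Authentication step: returns the username on success, nil on any failure.
def authenticate(username, password)
  stored = USERS.fetch(username, DUMMY_HASH)
  ok = password_matches?(stored, password)
  ok && USERS.key?(username) ? username : nil
end
```

Note that two calls to hash_password with the same password yield different strings because of the random salt; that is what stops a leaked table from being cracked with one precomputed rainbow table for all users.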

Where should authentication/authorization go?
[Diagram: Browser → Ye Olde Internet → Rails (Router → Controller → View / Model → DB); the "Around here!" callout marks the Rails side of the request path, at the router/controller]

Given the stateless nature of HTTP, how do we prevent the user from having to reauthenticate with each HTTP request?
[Diagram: Browser → Ye Olde Internet → Rails (Router → Controller → View / Model → DB); answer: Sessions/Cookies]

How Cookies Work (figure from http://en.wikipedia.org/wiki/HTTP_cookie)

A session is a server-side object that stores “conversational state”
[Diagram: Browser → Ye Olde Internet → Rails (Router → Controller → View / Model → DB)]
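The two slides above (sessions/cookies as the answer to stateless HTTP, and the session as a server-side object) are shown together in the following added example, which is not code from the slides or from Rails: after the credentials check the server creates the session object, hands the browser only an opaque signed id in a cookie, and on every later request turns that cookie back into a user id, rejecting forged, unknown or idle sessions. The secret key, cookie name, idle timeout and the SESSIONS hash (standing in for a real session store) are assumptions constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not code from the slides: a server-side session store plus a
# signed session cookie. Assumptions: SECRET is constructed here (a real app
# loads it from credentials); SESSIONS stands in for the session store.
SECRET = SecureRandom.hex(32)
COOKIE_NAME = '_app_session'
IDLE_TIMEOUT = 30 * 60   # seconds of inactivity after which a session is dead

# session id => the server-side object holding the "conversational state"
SESSIONS = {}

def sign(value)
  OpenSSL::HMAC.hexdigest('sha256', SECRET, value)
end

# Constant-time comparison of two strings.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Extracts "sid--signature" for our cookie from a Cookie request header, or nil.
def session_cookie_value(cookie_header)
  return nil if cookie_header.nil?
  pair = cookie_header.split(/;\s*/).find { |kv| kv.start_with?("#{COOKIE_NAME}=") }
  pair && pair.sub("#{COOKIE_NAME}=", '')
end

# Called once, right after the password check succeeds. Only an opaque id and
# its signature go to the browser; the state itself never leaves the server.
# Returns the Set-Cookie header value.
def start_session(user_id, now: Time.now.to_i)
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = { 'user_id' => user_id, 'last_seen' => now }
  "#{COOKIE_NAME}=#{sid}--#{sign(sid)}; Path=/; HttpOnly; Secure; SameSite=Lax"
end

# Called on every later request. Returns the logged-in user id, or nil when the
# cookie is missing, tampered with, unknown to the server, or idle too long.
def current_user(cookie_header, now: Time.now.to_i)
  value = session_cookie_value(cookie_header)
  return nil unless value
  sid, sig = value.split('--', 2)
  return nil unless sid && sig && secure_compare(sign(sid), sig)  # forged or edited cookie
  session = SESSIONS[sid]
  return nil unless session                                        # logged out or never issued
  if now - session['last_seen'] > IDLE_TIMEOUT                     # stale: kill it server-side
    SESSIONS.delete(sid)
    return nil
  end
  session['last_seen'] = now
  session['user_id']
end

# Logout: destroy the server-side object, so even a copied cookie stops working.
# Returns true if a session was actually destroyed.
def end_session(cookie_header)
  value = session_cookie_value(cookie_header)
  return false unless value
  !SESSIONS.delete(value.split('--', 2).first).nil?
end
```

Because the id is 128 random bits the HMAC is belt and braces, but it mirrors how Rails signs its session cookie and rejects an edited one before any lookup. The important property for the "server-side object" slide is the second check: a cookie with a valid signature but no matching SESSIONS entry (for example after logout) is worthless, which is exactly what a purely client-side token cannot offer.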

How to do authorization?

Role-Based Access Control (figure from http://en.wikipedia.org/wiki/Role-based_access_control)
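As an added example of the RBAC model in that figure (this is not code from the slides, the Wikipedia page, or the auth_skeleton repository), here is the model in plain Ruby: users are assigned roles, roles carry permissions, and a role may inherit from parent roles, so the question "may this user do X to Y?" is answered only through the roles. Everything is denied by default. The roles, permissions and users are constructed for the demo, and authorize! is the check a controller filter would call.

```ruby
require 'set'

# Added example, not from the slides: RBAC with a role hierarchy in plain Ruby.
# The roles, permissions and users below are constructed for the demo.

# permission = [action, resource type]
ROLE_PERMISSIONS = {
  'viewer' => [[:read, :post]],
  'author' => [[:create, :post], [:update, :post]],
  'admin'  => [[:delete, :post], [:manage, :user]],
}.freeze

# role => roles whose permissions it inherits (admin > author > viewer)
ROLE_PARENTS = { 'author' => ['viewer'], 'admin' => ['author'] }.freeze

# user => assigned roles; this assignment is the only link from a user to permissions
USER_ROLES = {
  'alice' => ['admin'],
  'bob'   => ['author'],
  'carol' => ['viewer'],
  'dave'  => [],          # authenticated but holds no role: may do nothing
}.freeze

class PermissionDenied < StandardError; end

# All roles implied by the given roles, walking the hierarchy (cycle-safe via `seen`).
def expand_roles(roles, seen = Set.new)
  roles.each do |role|
    next if seen.include?(role)
    seen << role
    expand_roles(ROLE_PARENTS.fetch(role, []), seen)
  end
  seen
end

# Every [action, resource] pair a user holds through their (expanded) roles.
def permissions_for(user)
  expand_roles(USER_ROLES.fetch(user, []))
    .flat_map { |role| ROLE_PERMISSIONS.fetch(role, []) }
    .to_set
end

# Deny by default: unknown users, unknown roles and unlisted actions all get false.
def can?(user, action, resource)
  permissions_for(user).include?([action, resource])
end

# What a controller would call before doing the work; raising keeps the
# "forgot to check" failure mode loud instead of silently allowing the action.
def authorize!(user, action, resource)
  unless can?(user, action, resource)
    raise PermissionDenied, "#{user.inspect} may not #{action} #{resource}"
  end
  true
end
```

The point of the indirection is administrative: revoking bob's ability to update posts means changing one role assignment or one role's permission list, not hunting through every controller for a hard-coded username check.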

Final Note About Authentication and Authorization in Rails
  • Rails Tutorial (Hartl) does it “by hand”
  • Gems available as well: Devise most popular?
Example time! See: https://github.com/sdflem/auth_skeleton