ApplicationSecurity Questions

Sean P. DeNigris
I'm very excited about this library. I always wished for an off the shelf web
app security solution! Not sure if this is the right ML, but since the
library was announced here…

1. I read that the project was ported to GH. While there is a baseline
there, there is also a configuration on GH, but (the weird part) - it still
points to StHub instead of loading the baseline from GH
2. How does one actually use the library in practice e.g. for a web app with
protected content? The 3 blog posts cover adding a user, but I don't
understand how to tie AS in with say Seaside. Is there an example project
using it or some docs on that?

-----
Cheers,
Sean
--
Sent from: http://forum.world.st/Pharo-Smalltalk-Developers-f1294837.html

Re: ApplicationSecurity Questions

Sean P. DeNigris
I forgot one:
3. It was not clear to me how to get libsodium.dylib, which was not
installed on my Mac. There were some old ML posts about an automatic binary
download mechanism using Dropbox, but the link seemed dead. I ended up
downloading and manually copying into the Pharo VM Plugins folder per [1],
but was a little uneasy about that. It would be good to add "the right way"
to the readme!

1. https://eighty-twenty.org/files/libsodium/libsodium.dylib.gz

Cheers,
Sean

Re: ApplicationSecurity Questions

hernanmd
In reply to this post by Sean P. DeNigris
Hi Sean

2018-06-05 0:17 GMT-03:00 Sean P. DeNigris <[hidden email]>:
> I'm very excited about this library. I always wished for an off the shelf web
> app security solution! Not sure if this is the right ML, but since the
> library was announced here…
>
> 1. I read that the project was ported to GH. While there is a baseline
> there, there is also a configuration on GH, but (the weird part) - it still
> points to StHub instead of loading the baseline from GH

I just updated the README with the install script. Thanks for reporting.

> 2. How does one actually use the library in practice e.g. for a web app with
> protected content? The 3 blog posts cover adding a user, but I don't
> understand how to tie AS in with say Seaside. Is there an example project
> using it or some docs on that?
>

You can check a project making use of ApplicationSecurity here:
http://www.smalltalkhub.com/#!/~hernan/IGEVET

I still should test in a Pharo 6.x image but there is a Configuration
which could work: ConfigurationOfIGEVETWebSite, it uses Iliad plus
some extensions such as PureCSS, so it could take some time to load.
Maybe I should sit down tomorrow and take some time to write
documentation.

Cheers,

Hernán

Re: ApplicationSecurity Questions

Sean P. DeNigris
hernanmd wrote
> You can check a project making use of ApplicationSecurity here:
> http://www.smalltalkhub.com/#!/~hernan/IGEVET
> …it uses Iliad…

I'll check it out. Thanks. Out of curiosity, why Iliad instead of Seaside?
Is Iliad well-supported/maintained? Would that be your
default/recommendation for new web apps?

Cheers,
Sean

Re: ApplicationSecurity Questions

Sean P. DeNigris
In reply to this post by Sean P. DeNigris
hernanmd wrote
> You can check a project making use of ApplicationSecurity here:

Pharo 6.1:
- No #development version for Iliad, had to add to ConfigurationOfIliad
- ConfigurationOfNacl - had to comment out #preload, which failed to download libsodium (apparently the dropbox link no longer works). I was able to procure the library elsewhere
- ERROR: DNU #selector from RBParser >>#externalFunctionDeclaration when trying to parse:
apiDeleteDC: aHDC
<apicall: bool 'DeleteDC' (Win32HDC) module:'gdi32.dll'>
^self externalCallFailed

Pharo 5:
- ConfigurationOfNacl - had to comment out #preload, which failed to download libsodium (apparently the dropbox link no longer works). I was able to procure the library elsewhere
- BioFormatters-HernanMoralesDurand.118 complained about missing PMVector, clicked proceed and no more problems

Since I’m not familiar with Iliad, I wasn’t sure how to run the app. I manually executed IGEVETApplication>>#startUp to get the server going, but wasn’t sure what URL to type into the browser. I tried a few things that all returned 404 like:

Also from my previous reply (not sure if you saw it):
Out of curiosity, why Iliad instead of Seaside? Would Iliad be your default/recommendation for new web apps?
Is it well-supported/maintained? It doesn’t seem to have much recent activity unless I’m looking at the wrong repo.

Thanks!

- s

Re: ApplicationSecurity Questions

hernanmd
In reply to this post by Sean P. DeNigris
Hi Sean,
On 6 Jun 2018, at 22:37, Sean P. DeNigris <[hidden email]> wrote:

> hernanmd wrote
> > You can check a project making use of ApplicationSecurity here:
> > http://www.smalltalkhub.com/#!/~hernan/IGEVET
> > …it uses Iliad…
>
> I'll check it out. Thanks. Out of curiosity, why Iliad instead of Seaside?
> Is Iliad well-supported/maintained?

Of course not :)
We are like 10? in the mailing list, you could say it seems like a dead project, but it performed really well for me (some reasons below).
For people who like to feel always safe, Seaside is the best choice. However, at some point after some years I felt uncomfortable with Seaside. I read that Iliad picked some of the best features of Seaside and Aida, then wanted to give it a try.

> Would that be your
> default/recommendation for new web apps?

First of all, I should say I'm not super experienced in web apps. Although I appreciate the big efforts behind Smalltalk web frameworks, I didn't really like any of them, neither page-centric nor programmatic. None of them was easily adapted to the emerging web trends of the last years like the appearance of static site generators, adaptive/responsive design, multiple competing JS libraries, semantic web, mobility, etc., not to mention they lack "standard" built-in features such as caching, templates, security frameworks. However I cannot complain, we are a small community doing the best we can, and the alternative of coding in a popular PHP framework would be like going to hell... think about matching "objects" to relational table schemas here (single table inheritance).

I really love the Iliad form validation through Formula (easier than Magritte for me), the free Ajax, the simple routing, and it feels lightweight. However, there are a lot of things missing in Iliad by now: a Zinc adaptor is missing, better CSS integration, more documentation, examples, updated jQuery, etc. For other classic features, there was an old comparison table for Smalltalk web frameworks, a bit outdated but you could check it:

Cheers,

Hernán

Re: ApplicationSecurity Questions

Sean P. DeNigris
hernanmd wrote
> (some reasons below).

Thanks! Very informative :)

Cheers,
Sean

Re: ApplicationSecurity Questions

Sean P. DeNigris
In reply to this post by hernanmd
hernanmd wrote
> I really love… However there a lot of things missing

This hints at an issue I've been thinking about a lot lately. It would seem
to be a huge boon if frameworks were designed to be more pluggable. The
driver of my thoughts were the incompatibility of OSProcess and
OSSubprocess, which can't even be loaded at the same time, let alone plugged in
and out! Imagine if we could use Formulas in Seaside, and plug whatever web
server into Iliad. It's a shame that each one seems to lock one into an
ecosystem - the good with the bad, especially when this kind of stovepiping
was one of the very things Smalltalk aimed to avoid! I wonder if there has
been any research/experimentation/thinking in this direction…

Cheers,
Sean

Re: ApplicationSecurity Questions

Sean P. DeNigris
In reply to this post by Sean P. DeNigris
> Now I've fixed the BaselineOfApplicationSecurity
Yes, successfully installed.

> I don't have time to try it or support it in Pharo 5 now :(
No problem. I only tried because I failed in Pharo 6 :)

> Add an adaptor using the Control Panel then go to:
Ah, yes! Up and running :)

> Please let me know how it is going,
Will do

Cheers,
Sean