8/10/2019 JAX RS Security CZJUG Short
1/48
Securing JAX-RS RESTful services
Miroslav Fuksa (software developer), Michal Gajdoš (software developer)
Copyright 2012, Oracle and/or its affiliates. All rights reserved.
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
- Introduction to JAX-RS and Security
- Declarative Security and Entity Filtering
- Client Security
- OAuth 1
- OAuth 2
Introduction to JAX-RS and security
Introduction
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;

@Path("student")
public class StudentResource {
    @GET
    @Path("{id}")
    @Produces("application/json")
    public Student get(@PathParam("id") String id) {
        return StudentService.getStudentById(id);
    }

    @POST
    public Student post(Student student) {
        return StudentService.addStudent(student);
    }
}
GET http://my-univeristy.com/api/st
POST http://my-univeristy.com/api/stu
http://my-univeristy.com/api/s
Introduction
Security
- Authentication
  HTTP Basic Authentication (BASE64 encoded username and password … SSL)
  HTTP Digest Authentication (password is used only for signature, M…)
- Authorization
Servlet Container Security
Secure JAX-RS services using Servlet Container
<!-- web.xml: everything under the application requires HTTP Basic authentication and the role admin -->
<security-constraint>
  <web-resource-collection><web-resource-name>all</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method><realm-name>my-realm</realm-name></login-config>
Servlet Container Security
Secure JAX-RS services using Servlet Container
<!-- web.xml: POST on /student/* requires role admin, GET is open; methods not listed stay uncovered unless deny-uncovered-http-methods (Servlet 3.1) is set -->
<security-constraint>
  <web-resource-collection><web-resource-name>student-write</web-resource-name>
    <url-pattern>/student/*</url-pattern><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><web-resource-name>student-read</web-resource-name>
    <url-pattern>/student/*</url-pattern><http-method>GET</http-method></web-resource-collection>
</security-constraint>
Servlet Container Security
Secure JAX-RS services using Servlet Container
- Advantages: independent of the JAX-RS implementation; managed by the servlet container
- Disadvantages: only for servlet containers; fragile, verbose, hard to maintain
Pre-matching filters
Pre-matching filter (runs before the request is matched to a resource method)
PUT http://my-univeristy.com/api/student
POST http://my-univeristy.com/api/student
JAX-RS Security Context
javax.ws.rs.core.SecurityContext
public interface SecurityContext {
    public Principal getUserPrincipal();
    public boolean isUserInRole(String role);
    public boolean isSecure();
    public String getAuthenticationScheme();
}
JAX-RS Security Context
Secure method programmatically using SecurityContext
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

@Path("student")
public class StudentResource {
    @Context
    private SecurityContext securityContext;

    @GET
    @Path("{id}")
    public Student get(@PathParam("id") String id) {
        // isUserInRole() consults the SecurityContext the container or an authentication filter set for this request
        if (!securityContext.isUserInRole("admin")) {
            throw new WebApplicationException("You don't have privileges to access this resource.", 403);
        }
        return StudentService.getStudentById(id);
    }
}
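A pre-matching filter that performs HTTP Basic authentication and installs the SecurityContext that the resource above (and, later, RolesAllowedDynamicFeature) consults. This is an added example, not code from the slides or from Jersey; the users, passwords and roles are constructed values, and the filter is registered with the ResourceConfig like any other provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
@PreMatching // runs before resource matching, so every request is authenticated before any resource method
public class BasicAuthFilter implements ContainerRequestFilter {
    // Constructed in-memory users for this example only; a real deployment verifies against a hashed credential store.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
    private static final Map<String, Set<String>> ROLES =
            Map.of("alice", Set.of("admin", "user"), "bob", Set.of("user"));
    // Returns the authenticated user name, or null if the header is missing, malformed or the credentials are wrong.
    static String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { return null; } // not valid base64
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        String expected = PASSWORDS.get(user);
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        return expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8)) ? user : null;
    }

    @Override public void filter(ContainerRequestContext ctx) {
        String user = authenticate(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (user == null) { // 401 with a challenge; the resource method is never reached
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"my-realm\"").build());
            return;
        }
        // Keep the container's view of transport security for isSecure().
        boolean secure = ctx.getSecurityContext() != null && ctx.getSecurityContext().isSecure();
        // Resource methods (isUserInRole) and RolesAllowedDynamicFeature read this context downstream.
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }
            public boolean isUserInRole(String role) { return ROLES.get(user).contains(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }
}
```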
Authorization in Jersey 2.x: Security annotations
Authorization: Security annotations
Means in Jersey 2.x
- Define the access to resources based on the user groups.
- Security annotations from javax.annotation.security: @PermitAll, @DenyAll, @RolesAllowed (evaluated against SecurityContext)
- RolesAllowedDynamicFeature
Authorization: Security annotations
Example: Register RolesAllowedDynamicFeature.
import javax.ws.rs.ApplicationPath;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

@ApplicationPath("api")
public class MyApplication extends ResourceConfig {
    public MyApplication() {
        packages("my.application");
        register(RolesAllowedDynamicFeature.class);
    }
}
Authorization: Security annotations
Example: Define access restrictions on Resource.
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;

@Path("/resource")
@PermitAll
public class Resource {
    @GET
    public String get() { return "GET"; }

    @RolesAllowed("admin")
    @POST
    public String post(String content) { return content; }
}
Authorization in Jersey 2.x: Entity Filtering Feature
Feature: Entity Filtering
Idea and Motivation
- Exposing only part of the domain model for input/output.
- Reduce the amount of data exchanged over the wire.
- Define own filtering rules based on the current context (resource method).
- Assign security access rules to properties.
- Faster prototyping and development: one model and one place for defining the rules.
Feature: Entity Filtering
Means in Jersey 2.3+ / MOXy 2.5.0
- @EntityFiltering meta-annotation: create filtering annotations with custom meaning to define the context.
- Security annotations from javax.annotation.security: @PermitAll, @DenyAll, @RolesAllowed (evaluated against SecurityContext)
Feature: Entity Filtering
Putting it all together.
- Define dependencies on the extension and media modules.
- Register SecurityEntityFilteringFeature in the Jersey Application.
- Annotate resources and the domain model with security annotations.
- Enjoy!
Feature: Entity Filtering
Example: Goal.
- Have: JAX-RS application with security user roles.
- Want: define access to resources; restrict access to entities / entity members for different user roles.
Feature: Entity Filtering
Example: Model.
public class RestrictedEntity {
    private String simpleField;
    private String denyAll;
    private RestrictedSubEntity mixed;
    // getters and setters
}

public class RestrictedSubEntity {
    private String managerField;
    private String userField;
    // getters and setters
}
Feature: Entity Filtering
Example: Annotated Domain Model.
public class RestrictedEntity {
    public String getSimpleField() { ... }

    @DenyAll
    public String getDenyAll() { ... }

    @RolesAllowed({"manager", "user"})
    public RestrictedSubEntity getMixed() { ... }
}

public class RestrictedSubEntity {
    @RolesAllowed("manager")
    public String getManagerField() { ... }

    @RolesAllowed("user")
    public String getUserField() { ... }
}
Feature: Entity Filtering
Example: JAX-RS Un-Restricted Resource.
@Path("unrestricted-resource")
@Produces("application/json")
public class UnrestrictedResource {
    @GET
    public RestrictedEntity getRestrictedEntity() { ... }
}
Feature: Entity Filtering
Example: JAX-RS Restricted Resource.
@Path("restricted-resource")
@Produces("application/json")
public class RestrictedResource {
    @GET @Path("denyAll")
    @DenyAll
    public RestrictedEntity denyAll() { ... }

    @GET @Path("rolesAllowed")
    @RolesAllowed({"manager"})
    public RestrictedEntity rolesAllowed() { ... }
}
JAX-RS Client Security
Client Security
SSL with JAX-RS support
- JAX-RS 2.0 defines support for SSL configuration: javax.ws.rs.client.ClientBuilder (KeyStore, TrustStore, SSLContext)
- Jersey provides SslConfigurator to create an SSLContext
Client Security
SslConfigurator
SslConfigurator sslConfig = SslConfigurator.newInstance()
        .trustStoreFile("./truststore_client")
        .trustStorePassword("pwds65df4")
        .keyStoreFile("./keystore_client")
        .keyPassword("sf564fsds");
SSLContext sslContext = sslConfig.createSSLContext();
Client client = ClientBuilder.newBuilder()
        .sslContext(sslContext)
        .build();
Client Security
Http Authentication
- ClientRequestFilter and ClientResponseFilter
- Jersey HttpAuthenticationFeature: Basic, Digest, Universal
HttpAuthenticationFeature basicAuth = HttpAuthenticationFeature.basic("username", "1234");
// build() creates the client with the feature registered; ClientBuilder.newClient() is a static factory that would ignore the registration
Client client = ClientBuilder.newBuilder().register(basicAuth).build();
Student michal = client.target("http://my-university.com/student/michal").request().get(Student.class);
OAuth 1
OAuth: introduction
(Diagram: the Consumer accesses the Resource owner's account with the owner's username/password.)
OAuth
Motivation
- I want to give access to my account to a consumer (3rd party application)
- Give the consumer my password? Problems: revoking access, password change, limited access (different authorization rules), trust
OAuth: introduction
(Diagram: the Consumer accesses the Resource owner's account through OAuth instead of the owner's username/password.)
OAuth
Motivation
- OAuth: no sharing of the resource owner's password
- Resource owner can revoke access at any time
- Limited access
- User friendly process of issuing tokens (Authorization Process/Flow)
OAuth1
Details
- IETF OAuth 1.0 (RFC 5849); previous community versions 1.0 and 1.0a
- Signatures added to requests (HMAC-SHA1, RSA-SHA1) based on secret keys
- Authorization process (flow): process of granting access to the consumer
- Authenticated requests: consumer calls REST APIs using OAuth signatures
OAuth1: Authorization flow
(Diagram: Consumer and Resource owner, with the numbered steps:)
1 Request Token
2 Authorization
3 Resource owner …
4 Authorization
5 Access Token
OAuth1: Authenticated requests
(Diagram: the Consumer calls the service on behalf of the Resource owner using the Access Token.)
OAuth1
Summary
- Secure signatures: secret keys (consumer secret, request and access token secret), nonce, timestamp
- Complex for implementation
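A worked example of what the signature slides describe: building the RFC 5849 signature base string for an authenticated request and its HMAC-SHA1 signature from the consumer and token secrets. This is added here and is not code from the slides or from Jersey's OAuth 1 module; the consumer key, token, nonce, timestamp and secrets are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class OAuth1Signer {
    // RFC 5849 section 3.6 percent-encoding: unreserved characters stay literal, everything else becomes %XX (upper-case hex).
    static String encode(String s) {
        String unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (unreserved.indexOf(c) >= 0) out.append((char) c); else out.append(String.format("%%%02X", c));
        }
        return out.toString();
    }

    // RFC 5849 section 3.4.1: METHOD "&" encode(base URI) "&" encode(normalized parameters). The parameters are the
    // oauth_* protocol parameters plus the query/form parameters (oauth_signature excluded), each encoded, then sorted
    // and joined with "&". One value per name is assumed here, which is all this resource's query parameters need.
    static String baseString(String method, String baseUri, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        params.forEach((k, v) -> sorted.put(encode(k), encode(v)));
        StringBuilder normalized = new StringBuilder();
        sorted.forEach((k, v) -> normalized.append(normalized.length() == 0 ? "" : "&").append(k).append('=').append(v));
        return method.toUpperCase() + "&" + encode(baseUri) + "&" + encode(normalized.toString());
    }

    // HMAC-SHA1 keyed with encode(consumer secret) "&" encode(token secret). The server recomputes the same value over
    // the received parameters and compares; the nonce and timestamp are what let it reject a replayed request.
    static String sign(String baseString, String consumerSecret, String tokenSecret) throws Exception {
        byte[] key = (encode(consumerSecret) + "&" + encode(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request: hypothetical consumer key, token, nonce and timestamp, plus the query parameter id.
        Map<String, String> params = Map.of(
                "oauth_consumer_key", "example-consumer", "oauth_token", "example-token",
                "oauth_signature_method", "HMAC-SHA1", "oauth_timestamp", "1370000000",
                "oauth_nonce", "4f7e2c19", "oauth_version", "1.0", "id", "michal");
        String base = baseString("GET", "http://my-university.com/api/student", params);
        System.out.println(base);
        System.out.println("oauth_signature=" + encode(sign(base, "consumer-secret", "token-secret")));
    }
}
```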
OAuth 2
OAuth 2
Introduction
- WRAP (Web Resource Authorization Protocol)
- OAuth 2.0 (IETF, RFC 6749), released in October 2012
- Not backward compatible; a framework (not a protocol)
- Does not require signatures (bearer token), SSL
- Authorization flows: Authorization Code Grant (refresh token), Implicit Grant (e.g. JavaScript client), Resource Owner Password Credentials Grant (user name + password), Client Credentials Grant (app authentication)
OAuth
Jersey and OAuth
- OAuth 1.0a: client and server
- OAuth 2: client (Authorization Code Grant)
- Client OAuth support: Authorization Flow (standalone utility), Authenticated requests (Features => Filters)
OAuth 2
Demo
- Server application that uses the JAX-RS client to get and show the Google tasks of any user that authorizes the application
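The Authorization Code Grant that the demo and the "Jersey and OAuth" slide refer to, written with Jersey's OAuth 2 client support (module jersey-client-oauth2) as an added example, not the slides' or Jersey's own demo code. The provider endpoints, client id, scope, session attribute name and tasks API URI are hypothetical placeholders; the client secret is read from an environment variable.

```java
import java.net.URI;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.client.Client;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.glassfish.jersey.client.oauth2.ClientIdentifier;
import org.glassfish.jersey.client.oauth2.OAuth2ClientSupport;
import org.glassfish.jersey.client.oauth2.OAuth2CodeGrantFlow;
@Path("oauth2")
public class OAuth2LoginResource {
    // Hypothetical provider endpoints, client registration and API for this example; take the real values from the provider.
    private static final String AUTHORIZATION_URI = "https://provider.example/oauth2/authorize";
    private static final String TOKEN_URI = "https://provider.example/oauth2/token";
    private static final String REDIRECT_URI = "https://my-university.com/api/oauth2/callback";
    private static final String TASKS_URI = "https://api.provider.example/tasks/v1/lists";
    // The client secret stays on the server; it is never sent to the browser.
    private static final ClientIdentifier CLIENT =
            new ClientIdentifier("example-client-id", System.getenv("OAUTH2_CLIENT_SECRET"));
    @Context private HttpServletRequest request;

    // Phase 1: build the flow (Jersey generates the state value), keep it in this user's session, send the browser to the provider.
    @GET @Path("login")
    public Response login() {
        OAuth2CodeGrantFlow flow = OAuth2ClientSupport
                .authorizationCodeGrantFlowBuilder(CLIENT, AUTHORIZATION_URI, TOKEN_URI)
                .redirectUri(REDIRECT_URI)
                .scope("tasks.readonly")
                .build();
        request.getSession(true).setAttribute("oauth2.flow", flow);
        return Response.seeOther(URI.create(flow.start())).build();
    }

    // Phase 2: the provider redirects back with code and state. finish() rejects a state that differs from the one
    // issued in start() and exchanges the code for tokens server to server, so the browser never sees the access token.
    @GET @Path("callback")
    public Response callback(@QueryParam("code") String code, @QueryParam("state") String state) {
        HttpSession session = request.getSession(false);
        OAuth2CodeGrantFlow flow = session == null ? null : (OAuth2CodeGrantFlow) session.getAttribute("oauth2.flow");
        if (flow == null || code == null || state == null) {
            return Response.status(Response.Status.BAD_REQUEST).entity("no authorization in progress").build();
        }
        session.removeAttribute("oauth2.flow"); // a flow is finished once; a replayed callback gets the 400 above
        flow.finish(code, state);
        Client authorized = flow.getAuthorizedClient(); // attaches "Authorization: Bearer <access token>" to requests
        String tasks = authorized.target(TASKS_URI).request("application/json").get(String.class);
        return Response.ok(tasks, "application/json").build();
    }
}
```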
Resources
- Securing JAX-RS Resources: https://jersey.java.net/documentation/latest/security.html#d0e8866
- Entity Filtering in Jersey: https://jersey.java.net/documentation/latest/entity-filtering.html and https://github.com/jersey/jersey/tree/master/examples/entity-filtering
- OAuth specification: http://tools.ietf.org/html/rfc5849 and http://tools.ietf.org/html/rfc6749
- OAuth 2 sample: https://github.com/jersey/jersey/tree/master/examples/oauth2-client-google-webapp
- Jersey: http://jersey.java.net
Questions & Answers