JAX RS Security CZJUG Short

8/10/2019 JAX RS Security CZJUG Short

1/48

Securing JAX-RS RESTfulservices

Miroslav Fuksa (software developer)Michal Gajdo ! (software developer)


2/48

Copyright 2012, Oracle and/or its affiliates. All rights reserved.2

The following is intended to outline our general product direction. It is intended

for information purposes only, and may not be incorporated into any contract.It is not a commitment to deliver any material, code, or functionality, and shouldnot be relied upon in making purchasing decisions. The development, release,and timing of any features or functionality described for Oracle s productsremains at the sole discretion of Oracle.


3/48


Program Agenda

! Introduction to JAX-RS and Security! Declarative Security and Entity Filtering! Client Security!

OAuth 1! OAuth 2


4/48


Introduction to JAX-RS andsecurity


5/48


6/48Copyright 2012, Oracle and/or its affiliates. All rights reserved.6

Introduction

@Path("student")

public class StudentResource {

@Produces("application/json")@GET

@Path("{id}")

public Student get(@PathParam("id") String id) {

return StudentService.getStudentById(id);

}

@POST

public Student post(Student student) {

return StudentService.addStudent(student);

}

}

GET http://my-univeristy.com/api/st

POST http://my-univeristy.com/api/stu

http://my-univeristy.com/api/s


7/48


8/48


Introduction

! Authentication HTTP Basic Authentication (BASE64 encoded username and passwo

SSL)

HTTP Digest Authentication (password is used only for signature, M! Authorization

Security


9/48


Servlet Container Security

Secure JAX-RS services using Servlet Container

/*

admin

BASIC

my-realm


10/48




/student/*

POST

admin

/student/*

GET


11/48



! Advantages Independent on JAX-RS implementation managed by servlet container

! Disadvantages

only for servlet containers fragile, verbose, bad maintenance

Pre-matching filters



12/48


Pre-matching filters

Pre-matchingfilter

PUT http://my-univeristy.com/api/student

POST http://my-univeristy.com/api/student


13/48


JAX-RS Security Context

javax.ws.rs.core. SecurityContext

public interface SecurityContext {

public Principal getUserPrincipal();

public boolean isUserInRole(String role);

public boolean isSecure();

public String getAuthenticationScheme();

}


14/48


JAX-RS Security Context

Secure method programmatically using SecurityContext

@Path("student") public class StudentResource {

@Context

private SecurityContext securityContext;

@GET

@Path("{id}")

public Student get(@PathParam("id") String id) {if ( !securityContext.isUserInRole("admin") ) {

throw new WebApplicationException(You dont have privileges to access this resource.", 403);

}

return StudentService.getStudentById(id)

}

}


15/48


Authorization in Jersey 2.x:Security annotations


16/48


Authorization Security annotations.

! Define the access to resources based on the user groups.! Security annotations from javax.annotation.security

@PermitAll , @DenyAll , @RolesAllowed SecurityContext

! RolesAllowedDynamicFeature .

Means in Jersey 2.x


17/48



@ApplicationPath(api) public class MyApplication extends ResourceConfig {

public MyApplication() {

packages(my.application);

register(RolesAllowedDynamicFeature.class);

}

}

Example: Register RolesAllowedDynamicFeature.


18/48



@Path("/resource")@PermitAll

public class Resource {

@GET

public String get() { return "GET"; }

@RolesAllowed("admin")

@POST

public String post(String content) { return content; }

}

Example: Define access restrictions on Resource.


19/48


Authorization in Jersey 2.x:Entity Filtering Feature


20/48


Feature: Entity Filtering

! Exposing only part of domain model for input/output.! Reduce the amount of data exchanged over the wire.! Define own filtering rules based on current context.

Resource method.! Assign security access rules to properties.

! Faster prototyping and development. One model and one place for defining the rules.

Idea and Motivation


21/48



! @EntityFiltering meta-annotation. Create filtering annotations to define context. Create filtering annotations with custom meaning to define context.

! Security annotations from javax.annotation.security @PermitAll , @DenyAll , @RolesAllowed SecurityContext

Means in Jersey 2.3+ / MOXy 2.5.0


22/48



! Define dependencies on extension and media modules.! Register SecurityEntityFilteringFeature in Jersey Ap! Annotate Resources and Domain Model with security annotations.! Enjoy!

Putting it all together.


23/48



! Have: JAX-RS Application with security user roles.

! Want: Define access to resources.

Restrict access to entities / entity members for different user roles.

Example: Goal.


24/48


25/48



public class RestrictedEntity {

private String simpleField;

private String denyAll;

private RestrictedSubEntity mixed;

// getters and setters

}

Example: Model. public class RestrictedSubEntity {

private String managerField;

private String userField;

// getters and setters

}


26/48



public class RestrictedEntity {

public String getSimpleField() { ... }

@DenyAll

public String getDenyAll() { ... }

@RolesAllowed({"manager", "user"})

public RestrictedSubEntity getMixed() {}

}

Example: Annotated Domain Model. public class RestrictedSubEntity {

@RolesAllowed("manager")

public String getManagerField

@RolesAllowed("user")

public String getUserField() {

}


27/48



@Path("unrestricted-resource")@Produces("application/json")

public class UnrestrictedResource {

@GET

public RestrictedEntity getRestrictedEntity() { ... }

}

Example: JAX-RS Un-Restricted Resource.


28/48



@Path("restricted-resource")@Produces("application/json")

public class RestrictedResource {

@GET @Path(denyAll")

@DenyAll

public RestrictedEntity denyAll() { ... }

@GET @Path("rolesAllowed")

@RolesAllowed({"manager"})

public RestrictedEntity rolesAllowed() { ... }

}

Example: JAX-RS Restricted Resource.


29/48


JAX-RS Client Security

l


30/48


Client Security

! JAX-RS 2.0 defines support for SSL configuration! javax.ws.rs.client.ClientBuilder

KeyStore, TrustStore, SSLContext! Jersey provides SslConfigurator to create SSLContext

SSL with JAX-RS support

Cli S i


31/48


Client Security

SslConfigurator sslConfig = SslConfigurator.newInstance()

.trustStoreFile("./truststore_client")

.trustStorePassword("pwds65df4")

.keyStoreFile("./keystore_client")

.keyPassword("sf564fsds");

SSLContext sslContext = sslConfig.createSSLContext();

Client client = ClientBuilder.newBuilder()

.sslContext( sslContext ) .build();

SslConfigurator

Cli S i


32/48


Client Security

! ClientRequestFilter and ClientResponseFilter! Jersey HttpAuthenticationFeature

Basic, Digest, Universal

Http Authentication

HttpAuthenticationFeature basicAuth = HttpAuthenticationFeature.basic("username,"1234Client client = ClientBuilder.newBuilder() .register(basicAuth) .newClient();

Student michal = client.target("http://my-university.com/student/michal").request().get(Student.class);


33/48


OAuth 1

OA th i t d ti


34/48


OAuth: introduction

username/password

Consumer

Resourceowner

OA th


35/48


OAuth

!

I want to give an access to my account to consumer (3rd

application)! Give Consumer my password

Revoking access Password change

Limit access (different authorization rules) Trust

Motivation

OAuth: introduction


36/48


OAuth: introduction

username/password

Consumer

Resourceowner

OAuth


37/48


OAuth

!

OAuth No resource owners password sharing Resource owner can revoke an access at any time

Limited access User friendly process of issuing tokens (Authorization Process/Flow

Motivation

OAuth1


38/48


OAuth1

!

IETF OAuth 1.0 (RFC 5849) Previous community version 1.0 and 1.0a

! Signatures added to requests (HMAC-SHA1, RSA-SHA1) based osecret keys

! Authorization process (flow) Process of granting access to the consumer

! Authenticated requests Consumer calls REST APIs using OAuth signatures

Details

OAuth1: Authorization flow


39/48


OAuth1: Authorization flow

1

1 Request Toke2 Authorization3 Resource ow4 Authorization5 Access Token

2

3

4

5

Consumer

Resourceowner

OAuth1: Authenticated requests


40/48


OAuth1: Authenticated requests

Consumer

Resourceowner

Access Token

OAuth1


41/48


OAuth1

!

Secure Signatures Secret keys (consumer secret, request and access token secret)

nonce, timestamp! Complex for implementation

Summary


42/48


OAuth 2

OAuth 2


43/48


OAuth 2

!

WRAP (Web Resource Authorization Protocol)! OAuth 2.0 (IETF, RFC 6749), released in October 2012! Not backward compatible, framework (not protocol)! Does not require signatures (bearer token), SSL! Authorization flows

Authorization Code Grant (refresh token) Implicit Grant (eg. Javascript client), Resource Owner Password

Credentials Grant (user name + password), Client Credentials Grant app authentication)

Introduction


44/48

OAuth


45/48


OAuth

! OAuth 1.0a: client and server

! OAuth 2: client (Authorization Code Grant)! Client OAuth support:

Authorization Flow: standalone utility Authenticated requests (Features => Filters)

Jersey and OAuth

OAuth 2


46/48


OAuth 2

! server application that uses JAX-RS client to get and show Googletasks of any user that authorizes the application

Demo

Resources


47/48


Resources

! Securing JAX-RS Resources

https://jersey.java.net/documentation/latest/security.html#d0e8866!

Entity Filtering in Jersey https://jersey.java.net/documentation/latest/entity-filtering.html

https://github.com/jersey/jersey/tree/master/examples/entity-filtering ! OAuth specification

http://tools.ietf.org/html/rfc5849

http://tools.ietf.org/html/rfc6749 ! OAuth 2 sample

https://github.com/jersey/jersey/tree/master/examples/oauth2-client-google-webapp! Jersey

http:// jersey.java.net


48/48


Questions & Answers

Documents

JAX RS Security CZJUG Short