Securing JAX-RS RESTful services


  • Securing JAX-RS RESTful services

    Miroslav Fuksa (software developer), Michal Gajdoš (software developer)

  • Copyright 2012, Oracle and/or its affiliates. All rights reserved. 2

    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracles products remains at the sole discretion of Oracle.

  • Program Agenda

    Introduction to JAX-RS and Security

    Declarative Security and Entity Filtering

    Client Security

    OAuth 1

    OAuth 2

  • Introduction to JAX-RS and security

  • Introduction: RESTful Web Services

    Representational State Transfer: HTTP methods (GET, POST, DELETE, ...), representations (HTML, JSON, XML), URIs, caching, stateless interaction.

    JAX-RS: Java API for RESTful Web Services. JAX-RS 2.0 (JSR 339) is part of Java EE 7, released in May 2013. Reference implementation: Jersey 2.

  • Introduction

    @Path("student")
    public class StudentResource {

        @Produces("application/json")
        @GET
        @Path("{id}")
        public Student get(@PathParam("id") String id) {
            return StudentService.getStudentById(id);
        }

        @POST
        public Student post(Student student) {
            return StudentService.addStudent(student);
        }
    }

    GET  http://my-univeristy.com/api/student/adam
    POST http://my-univeristy.com/api/student

    http://my-univeristy.com/api/student/

  • Introduction: JAX-RS 2.0

    JAX-RS 2.0 (JSR 339, part of Java EE 7, released in May 2013) adds:

    Client API
    Asynchronous processing
    Filters
    Interceptors

  • Introduction: Security

    Authentication
    HTTP Basic Authentication (username and password are only BASE64-encoded, so it needs SSL)
    HTTP Digest Authentication (the password is used only to compute a signature; MD5)

    Authorization

  • Servlet Container Security: secure JAX-RS services using the servlet container

    web.xml:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>my-realm</realm-name>
    </login-config>

  • Servlet Container Security: secure JAX-RS services using the servlet container

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/student/*</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/student/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    http://my-univeristy.com/api/students/{id}

  • Servlet Container Security: secure JAX-RS services using the servlet container

    Advantages: independent of the JAX-RS implementation; managed by the servlet container.

    Disadvantages: works only in servlet containers; fragile, verbose and hard to maintain.

    Pre-matching filters

  • Pre-matching filters

    Diagram: a pre-matching filter is placed in front of resource matching; the requests shown are

    PUT http://my-univeristy.com/api/student
    POST http://my-univeristy.com/api/student

  • JAX-RS Security Context

    javax.ws.rs.core.SecurityContext

    public interface SecurityContext {
        public Principal getUserPrincipal();
        public boolean isUserInRole(String role);
        public boolean isSecure();
        public String getAuthenticationScheme();
    }

  • JAX-RS Security Context: secure a method programmatically using SecurityContext

    @Path("student")
    public class StudentResource {

        @Context
        private SecurityContext securityContext;

        @GET
        @Path("{id}")
        public Student get(@PathParam("id") String id) {
            if (!securityContext.isUserInRole("admin")) {
                // WebApplicationException(String message, int status) exists since JAX-RS 2.0
                throw new WebApplicationException("You don't have privileges to access this resource.", 403);
            }
            return StudentService.getStudentById(id);
        }
    }
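The slide above consumes a SecurityContext but does not show who installs it. The following is an added example, not code from the slides or from Jersey itself: a pre-matching Jersey 2.x filter that validates HTTP Basic credentials and installs the SecurityContext that the programmatic check above, and later the @RolesAllowed annotations, consult. The class names BasicAuthFilter and UserRecord are chosen here, and the user table with its usernames, passwords and roles is constructed sample data standing in for a real identity store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Pre-matching filter that checks HTTP Basic credentials and installs a
 * SecurityContext. AUTHENTICATION priority (1000) orders it before the
 * AUTHORIZATION priority (2000) filters that RolesAllowedDynamicFeature adds,
 * so @RolesAllowed and securityContext.isUserInRole() see the same roles.
 */
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {

    /** Constructed sample user table (username -> password, roles); a real deployment would consult an identity store. */
    private static final Map<String, UserRecord> USERS = new HashMap<>();
    static {
        USERS.put("adam", new UserRecord("adam-secret", Collections.singleton("user")));
        USERS.put("root", new UserRecord("root-secret", new HashSet<>(Arrays.asList("admin", "user"))));
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null) {
            return;  // anonymous request: keep the default unauthenticated SecurityContext
        }
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            challenge(ctx);  // some other scheme: not accepted by this filter
            return;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            challenge(ctx);
            return;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            challenge(ctx);
            return;
        }
        final String username = decoded.substring(0, colon);
        final UserRecord user = USERS.get(username);
        byte[] supplied = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares equal-length inputs in constant time.
        if (user == null || !MessageDigest.isEqual(user.password.getBytes(StandardCharsets.UTF_8), supplied)) {
            challenge(ctx);
            return;
        }
        final boolean secure = ctx.getSecurityContext().isSecure();  // keep the transport's HTTPS flag
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return () -> username; }
            @Override public boolean isUserInRole(String role) { return user.roles.contains(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }

    /** Reject with 401 and a Basic challenge for the realm named on the web.xml slide. */
    private static void challenge(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"my-realm\"")
                .build());
    }

    private static final class UserRecord {
        final String password;  // plaintext only because this is constructed demo data
        final Set<String> roles;
        UserRecord(String password, Set<String> roles) { this.password = password; this.roles = roles; }
    }
}
```

A request with no Authorization header is passed through unauthenticated rather than rejected, so resources annotated @PermitAll keep working and the decision is left to the authorization layer: the StudentResource check above then fails isUserInRole("admin") and answers 403. Only malformed or wrong credentials receive a 401 with a challenge.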

  • Authorization in Jersey 2.x: Security annotations

  • Authorization: security annotations. Means in Jersey 2.x

    Define access to resources based on user roles (groups).

    Security annotations from the javax.annotation.security package: @PermitAll, @DenyAll, @RolesAllowed

    SecurityContext

    RolesAllowedDynamicFeature

  • Authorization: security annotations. Example: register RolesAllowedDynamicFeature

    @ApplicationPath("api")
    public class MyApplication extends ResourceConfig {

        public MyApplication() {
            packages("my.application");
            register(RolesAllowedDynamicFeature.class);
        }
    }

  • Authorization: security annotations. Example: define access restrictions on Resource

    @Path("/resource")
    @PermitAll
    public class Resource {

        @GET
        public String get() { return "GET"; }

        @RolesAllowed("admin")
        @POST
        public String post(String content) { return content; }
    }

  • Authorization in Jersey 2.x: Entity Filtering Feature

  • Feature: Entity Filtering. Idea and motivation

    Expose only part of the domain model for input/output. Reduce the amount of data exchanged over the wire.

    Define your own filtering rules based on the current context (e.g. the resource method). Assign security access rules to properties.

    Faster prototyping and development. One model and one place for defining the rules.

  • Feature: Entity Filtering. Means in Jersey 2.3+ / MOXy 2.5.0

    @EntityFiltering meta-annotation: create filtering annotations with custom meaning to define the context.

    Security annotations from the javax.annotation.security package: @PermitAll, @DenyAll, @RolesAllowed

    SecurityContext

  • Feature: Entity Filtering. Putting it all together

    Define dependencies on the extension and media modules.
    Register SecurityEntityFilteringFeature in the Jersey Application.
    Annotate resources and the domain model with security annotations.
    Enjoy!

  • Feature: Entity Filtering. Example: goal

    Have: a JAX-RS application with security user roles.

    Want: define access to resources; restrict access to entities / entity members for different user roles.

  • Feature: Entity Filtering. Example: register providers in the JAX-RS Application

    @ApplicationPath("api")
    public class MyApplication extends ResourceConfig {

        public MyApplication() {
            packages("my.application");
            register(SecurityEntityFilteringFeature.class);
        }
    }

  • Feature: Entity Filtering. Example: model

    public class RestrictedEntity {
        private String simpleField;
        private String denyAll;
        private RestrictedSubEntity mixed;
        // getters and setters
    }

    public class RestrictedSubEntity {
        private String managerField;
        private String userField;
        // getters and setters
    }

  • Feature: Entity Filtering. Example: annotated domain model

    public class RestrictedEntity {
        public String getSimpleField() { ... }

        @DenyAll
        public String getDenyAll() { ... }

        @RolesAllowed({"manager", "user"})
        public RestrictedSubEntity getMixed() { ... }
    }

    public class RestrictedSubEntity {
        @RolesAllowed("manager")
        public String getManagerField() { ... }

        @RolesAllowed("user")
        public String getUserField() { ... }
    }

  • Feature: Entity Filtering

    @Path("unrestricted-resource")
    @Produces("application/json")
    public class UnrestrictedResource {

        @GET
        public RestrictedEntity getRestrictedEntity() { ... }
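Both the security-annotation slides and the entity-filtering slides depend on one register(...) call each; if either call is missing, the annotations compile and deploy but enforce nothing. The following is an added example, not code from the slides and not Jersey's own test code: a JerseyTest that proves both RolesAllowedDynamicFeature and SecurityEntityFilteringFeature are active. It assumes Jersey 2.x with the jersey-test-framework (Grizzly provider), jersey-entity-filtering, jersey-media-moxy and JUnit 4 on the class path. TestRoleFilter and the X-Test-Roles header are test scaffolding constructed here in place of a real authentication filter, the entity is the slides' model flattened into one class, and its field values are constructed sample data.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.client.Entity;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.glassfish.jersey.message.filtering.SecurityEntityFilteringFeature;
import org.glassfish.jersey.moxy.json.MoxyJsonFeature;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;
import org.glassfish.jersey.test.JerseyTest;
import org.junit.Test;

public class SecurityEnforcementTest extends JerseyTest {

    /** Test-only stand-in for an authentication filter: roles come from a constructed X-Test-Roles header. */
    @PreMatching
    public static class TestRoleFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) {
            final String header = ctx.getHeaderString("X-Test-Roles");
            if (header == null) {
                return;  // no header: the request stays anonymous
            }
            final Set<String> roles = new HashSet<>(Arrays.asList(header.split(",")));
            ctx.setSecurityContext(new SecurityContext() {
                @Override public Principal getUserPrincipal() { return () -> "test-user"; }
                @Override public boolean isUserInRole(String role) { return roles.contains(role); }
                @Override public boolean isSecure() { return false; }
                @Override public String getAuthenticationScheme() { return "TEST"; }
            });
        }
    }

    /** The slides' RestrictedEntity flattened into one class, with the setters MOXy needs to map the properties. */
    public static class RestrictedEntity {
        private String simpleField = "simple", denyAll = "hidden", managerField = "m-only", userField = "u-only";
        public String getSimpleField() { return simpleField; }
        public void setSimpleField(String v) { simpleField = v; }
        @DenyAll
        public String getDenyAll() { return denyAll; }
        public void setDenyAll(String v) { denyAll = v; }
        @RolesAllowed("manager")
        public String getManagerField() { return managerField; }
        public void setManagerField(String v) { managerField = v; }
        @RolesAllowed("user")
        public String getUserField() { return userField; }
        public void setUserField(String v) { userField = v; }
    }

    @Path("resource")
    public static class Resource {
        @GET
        @Produces("application/json")
        public RestrictedEntity get() { return new RestrictedEntity(); }

        @RolesAllowed("admin")
        @POST
        public String post(String content) { return content; }
    }

    @Override
    protected Application configure() {
        return new ResourceConfig(Resource.class, TestRoleFilter.class)
                .register(RolesAllowedDynamicFeature.class)      // without it, @RolesAllowed on post() is silently ignored
                .register(SecurityEntityFilteringFeature.class)  // without it, @DenyAll/@RolesAllowed on getters are ignored
                .register(MoxyJsonFeature.class);
    }

    @Test
    public void anonymousPostIsForbidden() {
        Response r = target("resource").request().post(Entity.text("data"));
        assertEquals(403, r.getStatus());
    }

    @Test
    public void adminPostIsAllowed() {
        Response r = target("resource").request().header("X-Test-Roles", "admin").post(Entity.text("data"));
        assertEquals(200, r.getStatus());
        assertEquals("data", r.readEntity(String.class));
    }

    @Test
    public void userRoleSeesOnlyPermittedFields() {
        String json = target("resource").request("application/json").header("X-Test-Roles", "user").get(String.class);
        assertTrue(json.contains("simpleField") && json.contains("userField"));
        assertFalse(json.contains("managerField") || json.contains("denyAll"));
    }
}
```

The assertions encode the rules the slides state: RolesAllowedDynamicFeature answers 403 to any caller not in "admin" on the POST method, while the unannotated GET stays open; on the entity, a @DenyAll getter is never serialized and a @RolesAllowed getter is serialized only for a caller holding that role. Comment out either register(...) line and the corresponding test fails, which is the regression this test exists to catch.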
