
Page 1: Securing JAX-RS RESTful services

Securing JAX-RS RESTful services Miroslav Fuksa (software developer) Michal Gajdoš (software developer)

Page 2: Securing JAX-RS RESTful services

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 2

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 3: Securing JAX-RS RESTful services


Program Agenda

§  Introduction to JAX-RS and Security

§ Declarative Security and Entity Filtering

§ Client Security

§ OAuth 1

§ OAuth 2

Page 4: Securing JAX-RS RESTful services


Introduction to JAX-RS and security

Page 5: Securing JAX-RS RESTful services


Introduction

§ Representational State Transfer
§ Uses HTTP methods GET, POST, DELETE ...
§ Representations (HTML, JSON, XML), URIs, caching, stateless …
§ JAX-RS: Java API for RESTful Services
§ JAX-RS 2.0 (JSR 339): Java EE 7, released in May 2013
§ Reference implementation: Jersey 2

RESTful Web Services

Page 6: Securing JAX-RS RESTful services


Introduction

    @Path("student")
    public class StudentResource {

        @Produces("application/json")
        @GET
        @Path("{id}")
        public Student get(@PathParam("id") String id) {
            return StudentService.getStudentById(id);
        }

        @POST
        public Student post(Student student) {
            return StudentService.addStudent(student);
        }
    }

GET http://my-university.com/api/student/adam

POST http://my-university.com/api/student

http://my-university.com/api/student/

Page 7: Securing JAX-RS RESTful services


Introduction

§ JAX-RS 2.0 (JSR 339, part of Java EE 7, released in May 2013)
  – Client API
  – Asynchronous processing
  – Filters
  – Interceptors

JAX-RS 2.0

Page 8: Securing JAX-RS RESTful services


Introduction

§ Authentication
  – HTTP Basic Authentication (username and password are only Base64 encoded, so use it over SSL)
  – HTTP Digest Authentication (the password is never sent; it is used only to compute the MD5 signature)

§ Authorization

Security

Page 9: Securing JAX-RS RESTful services


Servlet Container Security

Secure JAX-RS services using Servlet Container

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>my-realm</realm-name>
    </login-config>

Page 10: Securing JAX-RS RESTful services


Servlet Container Security

Secure JAX-RS services using Servlet Container

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/student/*</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/student/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

http://my-university.com/api/students/{id}

Page 11: Securing JAX-RS RESTful services


Servlet Container Security

§ Advantages
  – Independent of the JAX-RS implementation
  – Managed by the servlet container

§ Disadvantages
  – Only for servlet containers
  – Fragile, verbose, hard to maintain
  – Pre-matching filters (they can change the request, e.g. its method, after the container has already applied its constraints)

Secure JAX-RS services using Servlet Container

Page 12: Securing JAX-RS RESTful services


Pre-matching filters

Diagram: PUT http://my-university.com/api/student → pre-matching filter → POST http://my-university.com/api/student

Page 13: Securing JAX-RS RESTful services


JAX-RS Security Context

javax.ws.rs.core.SecurityContext

    public interface SecurityContext {
        public Principal getUserPrincipal();
        public boolean isUserInRole(String role);
        public boolean isSecure();
        public String getAuthenticationScheme();
    }

Page 14: Securing JAX-RS RESTful services


JAX-RS Security Context

Secure method programmatically using SecurityContext

    @Path("student")
    public class StudentResource {

        @Context
        private SecurityContext securityContext;

        @GET
        @Path("{id}")
        public Student get(@PathParam("id") String id) {
            if (!securityContext.isUserInRole("admin")) {
                throw new WebApplicationException("You don't have privileges to access this resource.", 403);
            }
            return StudentService.getStudentById(id);
        }
    }

Page 15: Securing JAX-RS RESTful services


Authorization in Jersey 2.x: Security annotations

Page 16: Securing JAX-RS RESTful services


Authorization – Security annotations.

§ Define the access to resources based on the user groups.
§ Security annotations from javax.annotation.security package.
  – @PermitAll, @DenyAll, @RolesAllowed
  – SecurityContext
§ RolesAllowedDynamicFeature.

Means in Jersey 2.x

Page 17: Securing JAX-RS RESTful services


Authorization – Security annotations.

    @ApplicationPath("api")
    public class MyApplication extends ResourceConfig {

        public MyApplication() {
            packages("my.application");
            register(RolesAllowedDynamicFeature.class);
        }
    }

Example: Register RolesAllowedDynamicFeature.

Page 18: Securing JAX-RS RESTful services


Authorization – Security annotations.

    @Path("/resource")
    @PermitAll
    public class Resource {

        @GET
        public String get() { return "GET"; }

        @RolesAllowed("admin")
        @POST
        public String post(String content) { return content; }
    }

Example: Define access restrictions on Resource.

Page 19: Securing JAX-RS RESTful services


Authorization in Jersey 2.x: Entity Filtering Feature

Page 20: Securing JAX-RS RESTful services


Feature: Entity Filtering

§ Exposing only part of the domain model for input/output.
§ Reduce the amount of data exchanged over the wire.
§ Define own filtering rules based on the current context.
  – Resource method.
§ Assign security access rules to properties.
§ Faster prototyping and development.
  – One model and one place for defining the rules.

Idea and Motivation

Page 21: Securing JAX-RS RESTful services


Feature: Entity Filtering

§ @EntityFiltering meta-annotation.
  – Create filtering annotations with custom meaning to define the context.

§ Security annotations from javax.annotation.security package.
  – @PermitAll, @DenyAll, @RolesAllowed
  – SecurityContext

Means in Jersey 2.3+ / MOXy 2.5.0

Page 22: Securing JAX-RS RESTful services


Feature: Entity Filtering

§ Define dependencies on extension and media modules.
§ Register SecurityEntityFilteringFeature in the Jersey Application.
§ Annotate Resources and Domain Model with security annotations.
§ Enjoy!

Putting it all together.

Page 23: Securing JAX-RS RESTful services


Feature: Entity Filtering

§ Have:
  – JAX-RS Application with security user roles.

§ Want:
  – Define access to resources.
  – Restrict access to entities / entity members for different user roles.

Example: Goal.

Page 24: Securing JAX-RS RESTful services


Feature: Entity Filtering

    @ApplicationPath("api")
    public class MyApplication extends ResourceConfig {

        public MyApplication() {
            packages("my.application");
            register(SecurityEntityFilteringFeature.class);
        }
    }

Example: Register Providers in JAX-RS Application.

Page 25: Securing JAX-RS RESTful services


Feature: Entity Filtering

    public class RestrictedEntity {

        private String simpleField;
        private String denyAll;
        private RestrictedSubEntity mixed;

        // getters and setters
    }

    public class RestrictedSubEntity {

        private String managerField;
        private String userField;

        // getters and setters
    }

Example: Model.

Page 26: Securing JAX-RS RESTful services


Feature: Entity Filtering

    public class RestrictedEntity {

        public String getSimpleField() { ... }

        @DenyAll
        public String getDenyAll() { ... }

        @RolesAllowed({"manager", "user"})
        public RestrictedSubEntity getMixed() { ... }
    }

    public class RestrictedSubEntity {

        @RolesAllowed("manager")
        public String getManagerField() { ... }

        @RolesAllowed("user")
        public String getUserField() { ... }
    }

Example: Annotated Domain Model.

Page 27: Securing JAX-RS RESTful services


Feature: Entity Filtering

    @Path("unrestricted-resource")
    @Produces("application/json")
    public class UnrestrictedResource {

        @GET
        public RestrictedEntity getRestrictedEntity() { ... }
    }

Example: JAX-RS Un-Restricted Resource.

Page 28: Securing JAX-RS RESTful services


Feature: Entity Filtering

    @Path("restricted-resource")
    @Produces("application/json")
    public class RestrictedResource {

        @GET @Path("denyAll")
        @DenyAll
        public RestrictedEntity denyAll() { ... }

        @GET @Path("rolesAllowed")
        @RolesAllowed({"manager"})
        public RestrictedEntity rolesAllowed() { ... }
    }

Example: JAX-RS Restricted Resource.

Page 29: Securing JAX-RS RESTful services


JAX-RS Client Security

Page 30: Securing JAX-RS RESTful services


Client Security

§ JAX-RS 2.0 defines support for SSL configuration
§ javax.ws.rs.client.ClientBuilder
  – KeyStore, TrustStore, SSLContext
§ Jersey provides SslConfigurator to create an SSLContext

SSL with JAX-RS support

Page 31: Securing JAX-RS RESTful services


Client Security

    SslConfigurator sslConfig = SslConfigurator.newInstance()
            .trustStoreFile("./truststore_client")
            .trustStorePassword("pwds65df4")
            .keyStoreFile("./keystore_client")
            .keyPassword("sf564fsds");

    SSLContext sslContext = sslConfig.createSSLContext();

    Client client = ClientBuilder.newBuilder()
            .sslContext(sslContext)
            .build();

SslConfigurator

Page 32: Securing JAX-RS RESTful services


Client Security

§ ClientRequestFilter and ClientResponseFilter
§ Jersey HttpAuthenticationFeature
  – Basic, Digest, Universal

Http Authentication

    HttpAuthenticationFeature basicAuth = HttpAuthenticationFeature.basic("username", "12345");

    Client client = ClientBuilder.newBuilder().register(basicAuth).build();

    Student michal = client.target("http://my-university.com/student/michal")
            .request()
            .get(Student.class);

Page 33: Securing JAX-RS RESTful services


OAuth 1

Page 34: Securing JAX-RS RESTful services


OAuth: introduction

Diagram: Resource owner, Consumer and Service Provider; the Consumer uses the resource owner's username/password against the Service Provider.

Page 35: Securing JAX-RS RESTful services


OAuth

§ I want to give a consumer (3rd party application) access to my account

§ Give the Consumer my password
  – Revoking access
  – Password change
  – Limit access (different authorization rules)
  – Trust

Motivation

Page 36: Securing JAX-RS RESTful services


OAuth: introduction

Diagram (same as page 34): Resource owner, Consumer and Service Provider; the Consumer uses the resource owner's username/password against the Service Provider.

Page 37: Securing JAX-RS RESTful services


OAuth

§ OAuth
  – No sharing of the resource owner's password
  – Resource owner can revoke access at any time
  – Limited access
  – User-friendly process of issuing tokens (Authorization Process/Flow)

Motivation

Page 38: Securing JAX-RS RESTful services


OAuth1

§ IETF OAuth 1.0 (RFC 5849)
  – Previous community versions 1.0 and 1.0a
§ Signatures added to requests (HMAC-SHA1, RSA-SHA1) based on secret keys
§ Authorization process (flow)
  – Process of granting access to the consumer
§ Authenticated requests
  – Consumer calls REST APIs using OAuth signatures

Details

Page 39: Securing JAX-RS RESTful services


OAuth1: Authorization flow

Diagram: Consumer, Service Provider and Resource owner exchange the following messages:

1. Request Token
2. Authorization Request
3. Resource owner authorization
4. Authorization Response
5. Access Token

Page 40: Securing JAX-RS RESTful services


OAuth1: Authenticated requests

Diagram: the Consumer calls the Service Provider on behalf of the Resource owner, presenting the Access Token with each request.

Page 41: Securing JAX-RS RESTful services


OAuth1

§ Secure
  – Signatures
  – Secret keys (consumer secret, request and access token secret)
  – Nonce, timestamp

§ Complex to implement

Summary
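Pages 38 and 41 name the ingredients of an OAuth 1 authenticated request (signature, consumer and token secrets, nonce, timestamp) without showing how they combine. The class below is an added example, not slide or Jersey code (Jersey's OAuth 1 client feature does this internally): it builds the RFC 5849 signature base string and HMAC-SHA1 signature for one request. All keys, secrets, nonce and timestamp are constructed values, one value per parameter name is assumed, and URLEncoder.encode(String, Charset) requires Java 10+.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuth1Signature {

    // RFC 5849 section 3.6: percent-encode everything outside ALPHA / DIGIT / - . _ ~ with uppercase hex.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Section 3.4.1.3.2: encode names and values, sort by name, join as name=value&name=value.
    static String normalize(Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        params.forEach((k, v) -> sorted.put(enc(k), enc(v)));
        StringBuilder sb = new StringBuilder();
        sorted.forEach((k, v) -> sb.append(sb.length() == 0 ? "" : "&").append(k).append('=').append(v));
        return sb.toString();
    }
    // Section 3.4.1.1: METHOD & enc(scheme://host[:port]/path) & enc(normalized parameters).
    // Query parameters and oauth_* parameters both travel in params, so altering either changes the string.
    static String baseString(String method, String url, Map<String, String> params) {
        URI u = URI.create(url);
        String port = u.getPort() > 0 ? ":" + u.getPort() : "";   // kept only when explicit in the URL
        String base = u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase() + port + u.getRawPath();
        return method.toUpperCase() + "&" + enc(base) + "&" + enc(normalize(params));
    }
    // Section 3.4.2: HMAC-SHA1 keyed with enc(consumerSecret) & enc(tokenSecret). The token secret is
    // empty while requesting the temporary credentials (step 1 of the flow on page 39).
    static String hmacSha1(String baseString, String consumerSecret, String tokenSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> p = new TreeMap<>();          // constructed values, not real credentials
        p.put("oauth_consumer_key", "consumer-key-example");
        p.put("oauth_token", "access-token-example");
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_timestamp", "1380000000");           // timestamp + nonce are what make a replay detectable
        p.put("oauth_nonce", "7d8f3e4a");
        p.put("id", "adam");                              // application query parameter, signed as well
        String bs = baseString("GET", "http://my-university.com/api/student", p);
        System.out.println(bs);
        System.out.println(hmacSha1(bs, "consumer-secret-example", "token-secret-example"));
    }
}
```

The service provider rebuilds the same base string from the request it received and recomputes the HMAC, which is why a token captured in transit is useless without the secrets, the point page 44 contrasts with OAuth 2 bearer tokens.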

Page 42: Securing JAX-RS RESTful services


OAuth 2

Page 43: Securing JAX-RS RESTful services


OAuth 2

§ WRAP (Web Resource Authorization Protocol)
§ OAuth 2.0 (IETF, RFC 6749), released in October 2012
§ Not backward compatible; a framework rather than a protocol
§ Does not require signatures (bearer token); relies on SSL
§ Authorization flows
  – Authorization Code Grant (refresh token)
  – Implicit Grant (e.g. JavaScript client)
  – Resource Owner Password Credentials Grant (user name + password)
  – Client Credentials Grant (client app authentication)

Introduction

Page 44: Securing JAX-RS RESTful services


OAuth 2

§ Easier implementation
  – OAuth 1.0a is not easy to implement

§ Security questions
  – No signature and no secret keys (risk of exposing tokens)
  – SSL required
  – Some authorization flows offer only limited security

Compared to OAuth 1

Page 45: Securing JAX-RS RESTful services


OAuth

§ OAuth 1.0a: client and server
§ OAuth 2: client (Authorization Code Grant)
§ Client OAuth support:
  – Authorization Flow: standalone utility
  – Authenticated requests (Features => Filters)

Jersey and OAuth

Page 46: Securing JAX-RS RESTful services


OAuth 2

§ Server application that uses the JAX-RS client to get and show the Google tasks of any user who authorizes the application

Demo

Page 47: Securing JAX-RS RESTful services


Resources

§ Securing JAX-RS Resources
  – https://jersey.java.net/documentation/latest/security.html#d0e8866

§ Entity Filtering in Jersey
  – https://jersey.java.net/documentation/latest/entity-filtering.html
  – https://github.com/jersey/jersey/tree/master/examples/entity-filtering

§ OAuth specification
  – http://tools.ietf.org/html/rfc5849
  – http://tools.ietf.org/html/rfc6749

§ OAuth 2 sample
  – https://github.com/jersey/jersey/tree/master/examples/oauth2-client-google-webapp

§ Jersey
  – http://jersey.java.net

Page 48: Securing JAX-RS RESTful services


Questions & Answers