Securing JAX-RS RESTful services
Securing JAX-RS RESTful services
Miroslav Fuksa (software developer)
Michal Gajdoš (software developer)
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 2
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
§ Introduction to JAX-RS and Security
§ Declarative Security and Entity Filtering
§ Client Security
§ OAuth 1
§ OAuth 2
Introduction to JAX-RS and security
Introduction: RESTful Web Services
§ Representational State Transfer
§ Using HTTP methods GET, POST, DELETE ...
§ Representations (HTML, JSON, XML), URI, caching, stateless …
§ JAX-RS: Java API for RESTful Services
§ JAX-RS 2.0 (JSR 339): Java EE 7, released in May 2013
§ Reference implementation: Jersey 2
Introduction
```java
@Path("student")
public class StudentResource {
    @Produces("application/json")
    @GET
    @Path("{id}")
    public Student get(@PathParam("id") String id) {
        return StudentService.getStudentById(id);
    }

    @POST
    public Student post(Student student) {
        return StudentService.addStudent(student);
    }
}
```
GET http://my-university.com/api/student/adam
POST http://my-university.com/api/student
http://my-university.com/api/student/
Introduction: JAX-RS 2.0
§ JAX-RS 2.0 (JSR 339, part of Java EE 7, released in May 2013)
– Client API
– Asynchronous processing
– Filters
– Interceptors
Introduction: Security
§ Authentication
– HTTP Basic Authentication (Base64-encoded username and password, so it must travel over SSL)
– HTTP Digest Authentication (the password is never sent; it is used only to compute the MD5-based signature)
§ Authorization
Servlet Container Security: Secure JAX-RS services using Servlet Container
```xml
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>my-realm</realm-name>
</login-config>
```
Servlet Container Security: Secure JAX-RS services using Servlet Container
```xml
<security-constraint>
  <web-resource-collection>
    <url-pattern>/student/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <url-pattern>/student/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
```
http://my-university.com/api/students/{id}
Servlet Container Security: Secure JAX-RS services using Servlet Container
§ Advantages
– Independent of the JAX-RS implementation
– Managed by the servlet container
§ Disadvantages
– Only for servlet containers
– Fragile, verbose, hard to maintain
– Pre-matching filters (a JAX-RS pre-matching filter can change the request method or URI after the container has already evaluated its constraints)
Pre-matching filters
Pre-matching filter: a request that arrives as PUT http://my-university.com/api/student is rewritten by the pre-matching filter into POST http://my-university.com/api/student before resource matching, while the servlet container evaluated its <security-constraint> against the original PUT.
JAX-RS Security Context: javax.ws.rs.core.SecurityContext
```java
public interface SecurityContext {
    public Principal getUserPrincipal();
    public boolean isUserInRole(String role);
    public boolean isSecure();
    public String getAuthenticationScheme();
}
```
JAX-RS Security Context: Secure method programmatically using SecurityContext
```java
@Path("student")
public class StudentResource {
    @Context
    private SecurityContext securityContext;

    @GET
    @Path("{id}")
    public Student get(@PathParam("id") String id) {
        if (!securityContext.isUserInRole("admin")) {
            throw new WebApplicationException("You don't have privileges to access this resource.", 403);
        }
        return StudentService.getStudentById(id);
    }
}
```
Authorization in Jersey 2.x: Security annotations
Authorization – Security annotations: Means in Jersey 2.x
§ Define access to resources based on user groups.
§ Security annotations from the javax.annotation.security package.
– @PermitAll, @DenyAll, @RolesAllowed
– SecurityContext
§ RolesAllowedDynamicFeature.
Authorization – Security annotations.
```java
@ApplicationPath("api")
public class MyApplication extends ResourceConfig {
    public MyApplication() {
        packages("my.application");
        register(RolesAllowedDynamicFeature.class);
    }
}
```
Example: Register RolesAllowedDynamicFeature.
Authorization – Security annotations.
```java
@Path("/resource")
@PermitAll
public class Resource {
    @GET
    public String get() { return "GET"; }

    @RolesAllowed("admin")
    @POST
    public String post(String content) { return content; }
}
```
Example: Define access restrictions on Resource.
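RolesAllowedDynamicFeature only enforces @RolesAllowed if a SecurityContext is in place whose isUserInRole() answers for the caller. The filter below is an added example (not from the slides or from Jersey) that establishes one from HTTP Basic credentials; the user table, password hashes and role names are constructed assumptions, and the class is registered next to RolesAllowedDynamicFeature in the ResourceConfig.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Checks HTTP Basic credentials and installs the SecurityContext that RolesAllowedDynamicFeature consults. */
@Provider
@Priority(Priorities.AUTHENTICATION) // runs before the authorization filters Jersey binds for @RolesAllowed
public class BasicAuthFilter implements ContainerRequestFilter {

    // Constructed sample user table (assumption): user -> SHA-256 of password, and user -> roles.
    private static final Map<String, byte[]> PASSWORD_HASHES = Map.of(
            "alice", sha256("alice-secret"), "bob", sha256("bob-secret"));
    private static final Map<String, Set<String>> ROLES = Map.of(
            "alice", Set.of("admin", "user"), "bob", Set.of("user"));

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return; // anonymous: @PermitAll methods still work, @RolesAllowed methods get 403
        }
        String[] parts = new String[0];
        try {
            parts = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException malformed) { /* undecodable header: treated as bad credentials below */ }
        if (parts.length != 2 || !passwordMatches(parts[0], parts[1])) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Basic realm=\"my-realm\"").build());
            return;
        }
        final String user = parts[0];
        final boolean secure = ctx.getSecurityContext().isSecure(); // keep the transport flag the container reported
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return () -> user; }
            @Override public boolean isUserInRole(String role) { return ROLES.get(user).contains(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }

    /** Constant-time comparison; a digest is computed even for unknown users so timing does not reveal valid names. */
    static boolean passwordMatches(String user, String password) {
        byte[] expected = PASSWORD_HASHES.getOrDefault(user, new byte[32]);
        return PASSWORD_HASHES.containsKey(user) & MessageDigest.isEqual(expected, sha256(password));
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Register it with `register(BasicAuthFilter.class)` next to `register(RolesAllowedDynamicFeature.class)`; with the Resource class above, alice can POST and bob gets 403.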
Authorization in Jersey 2.x: Entity Filtering Feature
Feature: Entity Filtering – Idea and Motivation
§ Exposing only part of the domain model for input/output.
§ Reduce the amount of data exchanged over the wire.
§ Define your own filtering rules based on the current context.
– Resource method.
§ Assign security access rules to properties.
§ Faster prototyping and development.
– One model and one place for defining the rules.
Feature: Entity Filtering – Means in Jersey 2.3+ / MOXy 2.5.0
§ @EntityFiltering meta-annotation.
– Create filtering annotations to define context.
– Create filtering annotations with custom meaning to define context.
§ Security annotations from the javax.annotation.security package.
– @PermitAll, @DenyAll, @RolesAllowed
– SecurityContext
Feature: Entity Filtering – Putting it all together
§ Define dependencies on the extension and media modules.
§ Register SecurityEntityFilteringFeature in the Jersey Application.
§ Annotate Resources and Domain Model with security annotations.
§ Enjoy!
Feature: Entity Filtering – Example: Goal
§ Have:
– JAX-RS Application with security user roles.
§ Want:
– Define access to resources.
– Restrict access to entities / entity members for different user roles.
Feature: Entity Filtering
```java
@ApplicationPath("api")
public class MyApplication extends ResourceConfig {
    public MyApplication() {
        packages("my.application");
        register(SecurityEntityFilteringFeature.class);
    }
}
```
Example: Register Providers in JAX-RS Application.
Feature: Entity Filtering
```java
public class RestrictedEntity {
    private String simpleField;
    private String denyAll;
    private RestrictedSubEntity mixed;
    // getters and setters
}
```
```java
public class RestrictedSubEntity {
    private String managerField;
    private String userField;
    // getters and setters
}
```
Example: Model.
Feature: Entity Filtering
```java
public class RestrictedEntity {
    public String getSimpleField() { ... }

    @DenyAll
    public String getDenyAll() { ... }

    @RolesAllowed({"manager", "user"})
    public RestrictedSubEntity getMixed() { ... }
}
```
```java
public class RestrictedSubEntity {
    @RolesAllowed("manager")
    public String getManagerField() { ... }

    @RolesAllowed("user")
    public String getUserField() { ... }
}
```
Example: Annotated Domain Model.
Feature: Entity Filtering
```java
@Path("unrestricted-resource")
@Produces("application/json")
public class UnrestrictedResource {
    @GET
    public RestrictedEntity getRestrictedEntity() { ... }
}
```
Example: JAX-RS Un-Restricted Resource.
Feature: Entity Filtering
```java
@Path("restricted-resource")
@Produces("application/json")
public class RestrictedResource {
    @GET @Path("denyAll")
    @DenyAll
    public RestrictedEntity denyAll() { ... }

    @GET @Path("rolesAllowed")
    @RolesAllowed({"manager"})
    public RestrictedEntity rolesAllowed() { ... }
}
```
Example: JAX-RS Restricted Resource.
JAX-RS Client Security
Client Security: SSL with JAX-RS support
§ JAX-RS 2.0 defines support for SSL configuration
§ javax.ws.rs.client.ClientBuilder
– KeyStore, TrustStore, SSLContext
§ Jersey provides SslConfigurator to create an SSLContext
Client Security: SslConfigurator
```java
SslConfigurator sslConfig = SslConfigurator.newInstance()
        .trustStoreFile("./truststore_client")
        .trustStorePassword("pwds65df4")
        .keyStoreFile("./keystore_client")
        .keyPassword("sf564fsds");
SSLContext sslContext = sslConfig.createSSLContext();

Client client = ClientBuilder.newBuilder()
        .sslContext(sslContext).build();
```
Client Security: Http Authentication
§ ClientRequestFilter and ClientResponseFilter
§ Jersey HttpAuthenticationFeature
– Basic, Digest, Universal
```java
HttpAuthenticationFeature basicAuth = HttpAuthenticationFeature.basic("username", "12345");
Client client = ClientBuilder.newBuilder().register(basicAuth).build();
Student michal = client.target("http://my-university.com/student/michal")
        .request().get(Student.class);
```
OAuth 1
OAuth: introduction
[Diagram: Consumer, Service Provider and Resource owner; the Consumer holds the Resource owner's username/password to reach the Service Provider]
OAuth: Motivation
§ I want to give a consumer (3rd-party application) access to my account
§ Giving the Consumer my password raises problems:
– Revoking access
– Password change
– Limiting access (different authorization rules)
– Trust
OAuth: Motivation
§ OAuth
– No sharing of the resource owner's password
– The resource owner can revoke access at any time
– Limited access
– User-friendly process of issuing tokens (Authorization Process/Flow)
OAuth1: Details
§ IETF OAuth 1.0 (RFC 5849)
– Previous community versions 1.0 and 1.0a
§ Signatures added to requests (HMAC-SHA1, RSA-SHA1) based on secret keys
§ Authorization process (flow)
– Process of granting access to the consumer
§ Authenticated requests
– Consumer calls REST APIs using OAuth signatures
OAuth1: Authorization flow (parties: Consumer, Service Provider, Resource owner)
1. Request Token
2. Authorization Request
3. Resource owner authorization
4. Authorization Response
5. Access Token
OAuth1: Authenticated requests
[Diagram: Consumer, Service Provider and Resource owner; the Consumer's requests to the Service Provider carry the Access Token]
OAuth1: Summary
§ Secure
– Signatures
– Secret keys (consumer secret, request and access token secret)
– nonce, timestamp
§ Complex for implementation
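The signature mechanism the Details and Summary slides describe, worked through as an added example (not from the slides or from Jersey's OAuth modules): an RFC 5849 HMAC-SHA1 signer and a service-provider verifier that checks the signature, the timestamp window and the nonce. The in-memory nonce set and the parameter layout (name/value string pairs) are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** OAuth 1.0 HMAC-SHA1 signing (RFC 5849 section 3.4) plus a verifier that also checks timestamp and nonce. */
public final class OAuth1Hmac {
    /** RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_' and '~' stay unencoded. */
    static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    /** Base string: METHOD & encoded base URI & encoded, sorted "name=value" list of query, body and oauth_* params. */
    static String baseString(String method, String baseUri, List<String[]> params) {
        List<String[]> enc = new ArrayList<>();
        for (String[] p : params) {
            if (!"oauth_signature".equals(p[0])) enc.add(new String[] {encode(p[0]), encode(p[1])});
        }
        enc.sort(Comparator.<String[], String>comparing(p -> p[0]).thenComparing(p -> p[1]));
        StringBuilder sb = new StringBuilder();
        for (String[] p : enc) sb.append(sb.length() == 0 ? "" : "&").append(p[0]).append('=').append(p[1]);
        return method.toUpperCase() + "&" + encode(baseUri) + "&" + encode(sb.toString());
    }

    /** HMAC-SHA1 over the base string, keyed with "consumer secret & token secret" (empty token secret is valid). */
    static String sign(String baseString, String consumerSecret, String tokenSecret) throws GeneralSecurityException {
        String key = encode(consumerSecret) + "&" + encode(tokenSecret == null ? "" : tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8)));
    }

    /** Service-provider side. The nonce store is an in-memory set (assumption); production needs a shared, expiring one. */
    static final class Verifier {
        private final Set<String> seenNonces = new HashSet<>();
        private final long windowSeconds;
        Verifier(long windowSeconds) { this.windowSeconds = windowSeconds; }

        boolean verify(String method, String baseUri, List<String[]> params,
                       String consumerSecret, String tokenSecret, long nowSeconds) throws GeneralSecurityException {
            Map<String, String> p = new HashMap<>();
            for (String[] kv : params) p.put(kv[0], kv[1]);
            String sig = p.get("oauth_signature");
            if (sig == null || p.get("oauth_nonce") == null || !"HMAC-SHA1".equals(p.get("oauth_signature_method"))) return false;
            // 1. Signature first, compared in constant time: a forged request must never reach the nonce store.
            String expected = sign(baseString(method, baseUri, params), consumerSecret, tokenSecret);
            if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                       sig.getBytes(StandardCharsets.UTF_8))) return false;
            // 2. Timestamp inside the accepted window; 3. nonce not yet seen for that timestamp (replay protection).
            long ts;
            try { ts = Long.parseLong(p.get("oauth_timestamp")); } catch (NumberFormatException e) { return false; }
            if (Math.abs(nowSeconds - ts) > windowSeconds) return false;
            return seenNonces.add(ts + ":" + p.get("oauth_nonce"));
        }
    }
}
```

Signing a request twice with the same nonce and timestamp makes the second verify() return false, which is the replay check the Summary slide refers to with "nonce, timestamp".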
OAuth 2
OAuth 2: Introduction
§ WRAP (Web Resource Authorization Protocol)
§ OAuth 2.0 (IETF, RFC 6749), released in October 2012
§ Not backward compatible; a framework (not a protocol)
§ Does not require signatures (bearer token); relies on SSL
§ Authorization flows
– Authorization Code Grant (refresh token)
– Implicit Grant (e.g. JavaScript client)
– Resource Owner Password Credentials Grant (user name + password)
– Client Credentials Grant (client app authentication)
OAuth 2: Compared to OAuth 1
§ Easier implementation
– OAuth 1.0a is not easy to implement
§ Security questions
– No signature and no secret keys (risk of exposing tokens)
– Depends on SSL
– Some authorization flows offer only limited security
OAuth: Jersey and OAuth
§ OAuth 1.0a: client and server
§ OAuth 2: client (Authorization Code Grant)
§ Client OAuth support:
– Authorization Flow: standalone utility
– Authenticated requests (Features => Filters)
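Authenticated requests as "Features => Filters", shown as an added example (not Jersey's own OAuth 2 client support): a client Feature that registers a ClientRequestFilter attaching the OAuth 2 bearer token, and that refuses to send it over plain HTTP because nothing but SSL protects an unsigned bearer token. The class names are assumptions.

```java
import java.io.IOException;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.core.Feature;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.HttpHeaders;

/** Client feature that adds "Authorization: Bearer <token>" to every request, but only over HTTPS. */
public final class BearerTokenFeature implements Feature {
    private final String accessToken;

    public BearerTokenFeature(String accessToken) { this.accessToken = accessToken; }

    @Override
    public boolean configure(FeatureContext context) {
        context.register(new BearerTokenFilter(accessToken)); // the Feature does nothing but bind the Filter
        return true;
    }

    /** A bearer token is not bound to the request by any signature: whoever reads it can reuse it. */
    static final class BearerTokenFilter implements ClientRequestFilter {
        private final String accessToken;
        BearerTokenFilter(String accessToken) { this.accessToken = accessToken; }

        @Override
        public void filter(ClientRequestContext request) throws IOException {
            if (!"https".equalsIgnoreCase(request.getUri().getScheme())) {
                // Fail closed rather than leak the token in clear text; the caller sees a ProcessingException.
                throw new IOException("refusing to send a bearer token over " + request.getUri().getScheme());
            }
            request.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken);
        }
    }
}
```

Register it together with the SslConfigurator-built context: `ClientBuilder.newBuilder().sslContext(sslContext).register(new BearerTokenFeature(token)).build()`.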
OAuth 2: Demo
§ A server application that uses the JAX-RS client to fetch and show the Google tasks of any user who authorizes the application
Resources
§ Securing JAX-RS Resources
– https://jersey.java.net/documentation/latest/security.html#d0e8866
§ Entity Filtering in Jersey
– https://jersey.java.net/documentation/latest/entity-filtering.html
– https://github.com/jersey/jersey/tree/master/examples/entity-filtering
§ OAuth specification
– http://tools.ietf.org/html/rfc5849
– http://tools.ietf.org/html/rfc6749
§ OAuth 2 sample
– https://github.com/jersey/jersey/tree/master/examples/oauth2-client-google-webapp
§ Jersey
– http://jersey.java.net
Questions & Answers