I see the following link that explains how rest api needs to be secured. (Using public key and a HMAC(hash) of request parameters and private key).
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
I also see this link in stackoverflow which talks about rest api security using spring
combining spring security 3 with jersey rest api
I see this link in oracle weblogic website that talks about restful api security using web.xml or security context etc
http://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm
Are these approaches distinct or related? I also couldn't find any code that actually does handshake etc. I am totally confused. Please help.
Second and third approaches are related in that they secure the web context for certain users, groups or roles.
First approach talks about encrypting URL parameters so that sensitive request parameters sent through GET method are protected.
Both of the above are independent and are needed for different reasons. (message level security vs access control).
Related
I have a Jersey based server that I want to secure with OAuth 2.0. There are two paths that I've seen as common:
Oltu - Is compatible with Jersey and seems to be supported, although not as well as Spring Security. This 2012 question seems to suggest this is the way to go, but I want confirmation on a 2016 context so I son't implement something not as well supported anymore.
Spring Security - It seems to be very popular, but this path implies changing the server into a Spring based MVC. I don't know if that is something recommendable based on the benefits of using something as widely supported as Spring and the cost of the refactoring.
With support I mean a project that is in continous development, well established community with tutorials, materials and some libraries for clients (web, mobile, server) already available.
Which one is a stronger option? Is there another option or options?
In any case. Is there a good reference material or tutorial to start implementing this?
UPDATE
After few hours of reading and understanding about both the OAuth Providers I had mentioned, I feel Apache Oltu's documentation did not guide me much as there are key components that aren't documented yet, but an example gave me a better picture on how Oltu must be implemented. On the other hand, going through Spring Security's material I got to know that it can still be built on a non-Spring MVC based java project. But there is a limited exposure of implementations/tutorials on Spring Security on a non-Spring based project.
Another approach:
I came up with an architecture that might be more stable and would not care about the implementation details of the inner server(the one already implemented using Jersey). Having a server that is dedicated for security purpose (authorizing, authenticating, storing tokens in its own database, etc) in the middle that acts like a gateway between the outside world and the inner server. It essentially acts a relay and routes the calls, back and forth and ensures that the client knows nothing about the inner server and both the entities communicate with the security server only. I feel this would be the path to move forward as
Replacing with another security provider just means plugging out the security server implemetation and adding the new one.
The security server cares nothing about the inner server implementation and the calls would still follow the RESTful standards.
I appreciate your suggestions or feedbacks on this approach.
Apache Oltu supports OpenID Connect but its architecture is bad. For example, OpenIdConnectResponse should not be a descendant of OAuthAccessTokenResponse because an OpenID Connect response does not always contain an access token. In addition, the library weirdly contains a GitHub-specific class, GitHubTokenResponse.
Spring Security is famous, but I'm afraid it will never be able to support OpenID Connect. See Issue 619 about the big hurdle for OpenID Connect support.
java-oauth-server and java-resource-server are good examples of Jersey + OAuth 2.0, but they use a commercial backend service, Authlete. (I'm the author of them.)
OpenAM, MITREid Connect, Gluu, Connect2id, and other OAuth 2.0 + OpenID Connect solutions are listed in Libraries, Products, and Tools page of OpenID Foundation.
**UPDATE** for the update of the question
RFC 6749 (The OAuth 2.0 Authorization Framework) distinguishes an authorization server from a resource server. In short, an authorization server is a server that issues an access token, and a resource server is a server that responds to requests which come along with an access token.
For a resource server, API Gateway is one of the recent design patterns. Amazon, CA Technologies, IBM, Oracle and other companies provide API Gateway solutions. API Gateway architecture may be close to your idea. Some API Gateway solutions verify access tokens in their own ways (because the solutions issue access tokens by themselves) and other solutions just delegate access token verification to an external server (because the solutions don't have a mechanism to issue access tokens). For example, Amazon API Gateway is an example that delegates access token verification to an external server, which Amazon has named custom authorizer. See the following for further information about custom authorizer.
Introducing custom authorizers in Amazon API Gateway (AWS Blog)
Enable Amazon API Gateway Custom Authorization (AWS Document)
Amazon API Gateway Custom Authorizer + OAuth (Authlete article)
If an authorization server provides an introspection API (such as RFC 7662) that you can use query information about an access token, your resource server implementation may be able to replace (plug-out and add) an authorization server to refer to comparatively easily.
For an athorization server, gateway-style solutions are rare. It's because such a solution must expose all the functionalities required to implement an authorization server as Web APIs. Authlete is such a solution but I don't know others.
I think, it's far simplier to use the oauth connectors that are implemented inside jersey itself!
Have you considered using jersey own OAuth (already linked inside jersey) server / client ?
https://eclipse-ee4j.github.io/jersey.github.io/documentation/latest/security.html#d0e13146
Please take a look to :
16.3.2. OAuth 2 Support
hope helped. :)
I am studying for the Spring core certification and I have some doubts related how REST web service and I am studying it to apply to Spring framework.
So I have some doubt related to this question founded on my study material but I can't find an answer.
So the questions are (I don't know it these questiona are related each other):
Is REST secure? What can you do to secure it?
Does REST work with transport layer security (TLS)?
I have understand how a REST webservice works and I know that it use the Http method to access resources and implement CRUD operation but what means asking if REST is secure? What is meant by secure in this specific case?
And what exactly is a TSL in REST?
1. Is REST secure? What can you do to secure it?
REST is a paradigm. It's not a finished protocol or an implementation.
There are mechanisms to secure RESTful webservices (one would be TLS), but by default REST doesn't say anything about it.
The OWASP gives a good overview over REST security topics and how to secure a RESTful webservice:
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
What is security?:
Please note that there are different security objectives in information security:
confidentiality
integrity
availability
All would need different security measures. Some can not be handled by the webservice (REST) alone. (e.g. availability would mean that the server itself is secured and you have security measure agains dDoS attacks.)
It's not really well defined what REST is in detail, it's not a official standard or a specification. I would say that REST per se is not secure. There are mechanisms you can build around it to secure it (like TLS, token authentication). Many of these measure have nothing to do with REST directly.
2. Does REST work with transport layer security (TLS)?
Yes. Transport Layer Security can encrypt the communication to a RESTful Webservice and authenticate the server to a client. (confidentiality and to some extend integrity)
1. It depends. Security is about tradeoffs, not a simple yes/no question. REST is not inherently secure or insecure; it depends on how you implement it. One example is SQL injection attacks: the use of REST has no bearing on whether the system prevents them. Another example is authorizing access: REST does not inherently limit access to the resources it exposes. If you need a guarantee that those resources can only be accessed locally, using REST will make it harder to ensure that.
2. Generally yes. Off-the-shelf servers support TLS, but a completely written-from-scratch program using REST to communicate might not implement TLS code (this is a rather unrealistic scenario, but I'm including it for the sake of completeness).
Starting a new project to create a restful Web Service that requires callers to be Authenticated by Kerberos (Active Directory).
The web service will be hosted by Tomcat and I was planning to use JAX-RS with JAAS but I'm not finding much information on this, does anyone have information or experience on getting this to work?
Should I be looking at Spring and Spring Security instead?
Apache provides good documentation for using JAXRS with kerberos. Here is the link:
http://cxf.apache.org/docs/jaxrs-kerberos.html
I have the same issue. I googled extensively and not found a good answer.
The problem is that the issue has several layers and most answers point to (usually vague) solutions for only one layer.
And there is not a single complete and clear example for the end-to-end solution.
LAYERS
Client call to rest service using kerberos/windows logged in credentials.
Answers usually show how to use kerberos to authenticate but fail to say how to use it to pass the logged in credentials to the REST service.
Both Spring REST client functionality and native Java seem capable of doing this but it is not clear how.
Processing by the REST service of the authentication request by the client that is authenticating via windows/kerberos.
Spring REST service functionality appears to be the easiest way to implement it but again it is not clear how to tell the REST service to expect that authentication method.
Either forwarding the client kerberos credentials to whatever resource the REST service is trying to access, or get a success/failure and then the REST service uses kerberos/windows authentication itself (different credentials from the clients) to access a resource.
I hope this clarification of the issue helps in producing a good answer.
In Kerberos there are two severs url involved authentication server and the other ticketing server. If you go to browser console under ticketing server response parameter you can see a cookie that you can utilise to authenticate your rest api by utilising it as a request parameters.
That’s the only solution to authenticate your rest api.
I'm pretty new to REST and am currently developing an API with JAX-RS Jersey. I am curious on what is the easiest way to implement a user Management. I.e. users must log in and have restricted access to different resources depending on their role. From what I understand, using OAuth 2.0 is the current standard. Can I implement that with Jersey? Does anyone have a few links for me to get me started (examples, tutorials)? Or would you suggest another approach?
Thanks a lot
There are multiple ways to achieve that, let me point few of them:
HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifier and login pages. Rather, HTTP Basic authentication uses static, standard HTTP headers which means that no handshakes have to be done in anticipation.
Role based access control for J2EE applications using realm
OAuth with REST:
There's an OAuth 1.0 contrib for Jersey # https://wikis.oracle.com/display/Jersey/OAuth
Works great for me. OAuth 2 is not really a standard yet as it's not finished and there's still a lot of debate and interoperability issues around it.
I am currently trying to implement a single sign on solution across multiple JVM based (Grails, Servlets) web applications currently all deployed in the same servlet container (currently Tomcat, but don't want to limit my solution to just Tomcat). All web applications share a common database.
I've looked at various options from using CAS or other third party libraries to creating a new web service to handle Single Sign On, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders, and Pre-Authentication Filters based on Spring Security.
In this approach I have multiple AuthenticationProviders (currently Active Directory, and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would be also stored as a cookie on the user's machine and that would be used to validate they have a current session in the Pre-Authentication Filters.
Having never done this before I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token? At this point a simple GUID seems to be sufficent?
Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.
Thanks in advance.
I ended up solving this problem by doing the following:
I created a AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname to try to secure it as much as possible. (The application was running internally at most customer sites so the risks here were determined to be minimal, but be careful about cookie jacking.)
Then on each application that needed to have SSO I implemented a AbstractPreAuthenticatedProcessingFilter, and placed in before the authentication filter which would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.
Hopefully that helps someone else in the future for this type of request.
There are extensions available for KERBEROS, OAuth and SAML available on the Spring Security Extensions website. Here is the blog entry which provides an example: SpringSource Blog
If you are using NTLM as your SSO Provider, take a look at the jespa-spring project.
Or you might want to look at the Java Open Single Sign-On Project