Presentation is loading. Please wait.

Presentation is loading. Please wait.

REST Security with JAX-RS

Published byJosef Wheller Modified over 9 years ago

Similar presentations

Presentation on theme: "REST Security with JAX-RS"— Presentation transcript:

1 REST Security with JAX-RS
JavaOne 2013

2 About Frank Kim SANS Institute Curriculum Lead, Application Security
Author, Secure Coding in Java

3 Outline Authentication Encryption Validation Wrap Up

4 Authentication Process of establishing and verifying an identity
Can be based on three factors Something you know Something you have Something you are

5 Java EE Authentication
Configuration in web.xml 1 <security-constraint> 2 <web-resource-collection> <web-resource-name>Example</web-resource-name> <url-pattern>/*</url-pattern> 5 </web-resource-collection> 6 7 <auth-constraint> <role-name>user</role-name> <role-name>admin</role-name> </auth-constraint> 11 </security-constraint> 12 13 <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/loginerror.jsp</form-error-page> </form-login-config> 19 </login-config>

6 JAX-RS SecurityContext
getAuthenticationScheme() Returns String authentication scheme used to protect the resource BASIC, FORM, CLIENT_CERT getUserPrincipal() Returns Principal object containing the username isUserInRole(String role) Returns a boolean indicating if the user has the specified logical role

7 Photo Sharing Site Demo

8 Photo Sharing Site API { "photos" : [ { "id":"1" , "name":"photo1.jpg" } , { "id":"3" , "name":"photo3.jpg" } , { "id":"5" , "name":"photo5.jpg" }] }

9 Issues Userid/password authentication is fine
If the API is used only by your site But what if your API needs to be used by Other web apps Mobile apps Native apps Do you want these apps to Have your password? Have full access to your account?

10

11 OAuth Way to authenticate a service
Valet key metaphor coined by Eran Hammer-Lahav Authorization token with limited rights You agree which rights are granted You can revoke rights at any time Can gracefully upgrade rights if needed

12 OAuth Roles Client User Server - Photo printing service called Tonr
- Photo sharing service called Sparklr - Also known as the "resource server" - Person using the app - Also known as the "resource owner"

13 Simplified OAuth Flow Client User Server
- Photo printing service called Tonr 2) Tonr needs pictures to print and redirects you to Sparklr's log in page User Server 1) You log in to Tonr - Photo sharing service called Sparklr 3) You log in to Sparklr directly

14 Simplified OAuth Flow Client User Server
- Photo printing service called Tonr 5) Tonr stores the "access token" with your account User Server 6) You are happy printing and viewing your pictures - Photo sharing service called Sparklr 4) Sparklr returns an OAuth "access token"

15 Photo Printing Site Demo

16 Detailed OAuth Flow Via browser: Tonr starts OAuth process
Once you click the "Authorize" button client_id=tonr&redirect_uri= tonr2/sparklr/photos& response_type=code& scope=read write&state=92G53T

17 Detailed OAuth Flow Via browser: Tonr starts OAuth process
Once you click the "Authorize" button client_id=tonr&redirect_uri= tonr2/sparklr/photos& response_type=code& scope=read write&state=92G53T The "response_type" parameter can be: "code" for requesting the authorization code grant type "token" for the implicit grant or a registered extension type

18 Detailed OAuth Flow 2) Via browser: Sparklr redirects back to Tonr
code=cOuBX6&state=92G53T "code" is the authorization code received from the Server (i.e. Sparklr)

19 Detailed OAuth Flow 3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password Request: POST /sparklr2/oauth/token HTTP/1.1 Authorization: Basic dG9ucjpzZWNyZXQ= grant_type=authorization_code&code=cOuBX6& redirect_uri= Response: {"access_token":"5881ce86-3ed a6b-42aef1068dfb", "token_type":"bearer","expires_in":"42528", "scope":"read write"}

20 Detailed OAuth Flow 3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password Request: POST /sparklr2/oauth/token HTTP/1.1 Authorization: Basic dG9ucjpzZWNyZXQ= grant_type=authorization_code&code=cOuBX6& redirect_uri= Response: {"access_token":"5881ce86-3ed a6b-42aef1068dfb", "token_type":"bearer","expires_in":"42528", "scope":"read write"} dG9ucjpzZWNyZXQ= is the string tonr:secret

21 Detailed OAuth Flow 3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password Request: POST /sparklr2/oauth/token HTTP/1.1 Authorization: Basic dG9ucjpzZWNyZXQ= grant_type=authorization_code&code=cOuBX6& redirect_uri= Response: {"access_token":"5881ce86-3ed a6b-42aef1068dfb", "token_type":"bearer","expires_in":"42528", "scope":"read write"}

22 Detailed OAuth Flow 3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password Request: POST /sparklr2/oauth/token HTTP/1.1 Authorization: Basic dG9ucjpzZWNyZXQ= grant_type=authorization_code&code=cOuBX6& redirect_uri= Response: {"access_token":"5881ce86-3ed a6b-42aef1068dfb", "token_type":"bearer","expires_in":"42528", "scope":"read write"} expires_in value in seconds

23 Detailed OAuth Flow 4) Via "Client": Tonr gets pictures from Sparklr
All Requests include: Authorization: Bearer 5881ce86-3ed a6b-42aef1068dfb

24 When to Use OAuth Use OAuth for consuming APIs from
Third-party web apps Mobile apps Native apps Don't need to use OAuth If API is only consumed by the user within the same web app If APIs are only consumed server to server

25 Benefits No passwords shared between web apps
No passwords stored on mobile devices Limits impact of security incidents If Tonr gets hacked Sparklr revokes OAuth access If Sparklr gets hacked you change your Sparklr password but don't have to do anything on Tonr If you lose your mobile device you revoke the access Sparklr gave to the Tonr mobile app

26 OAuth Versions 1.0 1.0a 2.0 Version Comments
- Has a security flaw related to session fixation - Don’t use it 1.0a - Stable and well understood - Uses a signature to exchange credentials and signs every request - Signatures are more of a pain than it seems 2.0 - Spec is final with good support

27 OAuth 2.0 Authorization Grant Types
Description Authorization Code - Optimized for confidential clients - Uses a authorization code from the Server - User doesn't see the access token Implicit Grant - Optimized for script heavy web apps - Does not use an authorization code from the Server - User can see the access token Resource Owner Password Credentials - Use in cases where the User trusts the Client - Exposes User credentials to the Client Client Credentials - Client gets an access token based on Client credentials only

28 OAuth 2.0 Access Token Types
Bearer Large random token Need SSL to protect it in transit Server needs to store it securely hashed like a user password Mac Uses a nonce to prevent replay Does not require SSL OAuth 1.0 only supported a mac type token

29 Outline Authentication Encryption Validation Wrap Up

30 Session Hijacking 1) Victim goes to mybank.com via HTTP Internet
Public WiFi Network Victim 1) Victim goes to mybank.com via HTTP Attacker

31 Session Hijacking 2) Attacker sniffs the public wifi network and
Internet mybank.com Public WiFi Network Victim 2) Attacker sniffs the public wifi network and steals the JSESSIONID Attacker

32 Session Hijacking 3) Attacker uses the stolen JSESSIONID
Internet mybank.com Public WiFi Network Victim 3) Attacker uses the stolen JSESSIONID to access the victim's session Attacker

33 Enable SSL in web.xml 1 <security-constraint> 2 <web-resource-collection> 3 <web-resource-name>Example</web-resource-name> 4 <url-pattern>/*</url-pattern> 5 </web-resource-collection> <user-data-constraint> 10 <transport-guarantee> 11 CONFIDENTIAL 12 </transport-guarantee> 13 </user-data-constraint> 14 </security-constraint>

34 JAX-RS SecurityContext
iSecure() Returns a boolean indicating whether the request was made via HTTPS

35 Secure Flag Ensures that the Cookie is only sent via SSL
Configure in web.xml as of Servlet 3.0 <session-config>    <cookie-config>      <secure>true</secure>    </cookie-config> </session-config> Programmatically Cookie cookie = new Cookie("mycookie", "test"); cookie.setSecure(true);

36 Strict-Transport-Security
Tells browser to only talk to the server via HTTPS First time your site accessed via HTTPS and the header is used the browser stores the certificate info Subsequent requests to HTTP automatically use HTTPS Supported browsers Implemented in Firefox and Chrome Defined in RFC 6797 Strict-Transport-Security: max-age=seconds [; includeSubdomains]

37 Outline Authentication Encryption Validation Wrap Up

38 Restrict Input Restrict to POST Restrict the Content-Type
annotation Restrict the Content-Type Invalid Content-Type results in HTTP 415 Unsupported Media Type Restrict to Ajax if applicable Check X-Requested-With:XMLHttpRequest header Restrict response types Check Accept header for valid response types

39 Cross-Site Request Forgery (CSRF)
Victim browser 1) Victim signs on to mybank 2) Victim visits attacker.com mybank.com attacker.com 3) Page contains CSRF code 4) Browser sends <form action= method=POST> <input name=recipient value=attacker> <input name=amount value=1000> </form> <script>document.forms[0].submit()</script> the request to mybank POST /transfer.jsp HTTP/1.1 Cookie: <mybank authentication cookie> recipient=attacker&amount=1000

40 CSRF and OAuth 2.0 How can an attacker use CSRF to take over your account? Many sites allow logins from third-party identity providers like Facebook Many identity providers use OAuth Attacker can automatically associate your account with an attacker controlled Facebook account

41 OAuth CSRF Research Accounts at many sites could be taken over using OAuth CSRF Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others Research by Rich Lundeen Prior research by Stephen Sclafani

42 OAuth CSRF Attack Flow Create attacker controlled Facebook account
Victim is signed on to provider account (i.e. Stack Exchange) Lure victim into visiting an evil site with OAuth CSRF code CSRF code sends OAuth authorization request 4) Attacker's Facebook account now controls victim provider account

43 Linking Stack Exchange with an Evil Facebook Account
Image from

44 CSRF Protection Spec defines a "state" parameter that must be included in the redirect to the Client Value must be non-guessable and tied to session Client sends "state" to Server: client_id=tonr&redirect_uri= tonr2/sparklr/photos& response_type=code& scope=read write&state=92G53T Server sends "state" back to Client after authorization: code=cOuBX6&state=92G53T

45 OAuth CSRF Protection Demo

46 OWASP 1-Liner Deliberately vulnerable application More information at
Intended for demos and training Created by John More information at

47 JSON CSRF Demo

48 Normal JSON Message {"id":0,"nickName":"John", "oneLiner":"I LOVE Java!", "timestamp":" T17:04:23"}

49 Forged JSON Message {"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//=dummy

50 CSRF Attack Form <form id="target" method="POST" action=" enctype="text/plain" style="visibility:hidden"> <input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//' value="dummy" /> <input type="submit" value="Go" /> </form>

51 CSRF Attack Form <form id="target" method="POST" action=" enctype="text/plain" style="visibility:hidden"> <input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//' value="dummy" /> <input type="submit" value="Go" /> </form>

52 Forged JSON Message {"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//=dummy

53 CSRF Defense Must include something random in the request
Use an anti-CSRF token OWASP CSRFGuard Written by Eric Can inject anti-CSRF token using JSP Tag library - for manual, fine grained protection JavaScript DOM manipulation - for automated protection requiring minimal effort Filter that intercepts requests and validates tokens

54 CSRFGuard JSP Tags Tags for token name and value
<form name="test1" action="protect.html"> <input type="text" name="text" value="text"/> <input type="submit" name="submit" value="submit"/> <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/> </form> Tag for name/value pair (delimited with "=") <a href="protect.html?<csrf:token/>">protect.html</a> Convenience tags for forms and links as well <csrf:form> and <csrf:a> Examples from

55 CSRFGuard DOM Manipulation
Include JavaScript in every page that needs CSRF protection <script src="/securish/JavaScriptServlet"></script> JavaScript used to hook the open and send methods XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open; XMLHttpRequest.prototype.open = function(method, url, async, user, pass) { // store a copy of the target URL this.url = url; this._open.apply(this, arguments); } XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send; XMLHttpRequest.prototype.send = function(data) { if(this.onsend != null) { // call custom onsend method to modify the request this.onsend.apply(this, arguments); this._send.apply(this, arguments);

56 Protecting XHR Requests
CSRFGuard sends two HTTP headers XMLHttpRequest.prototype.onsend = function(data) { if(isValidUrl(this.url)) { this.setRequestHeader("X-Requested-With", "OWASP CSRFGuard Project") this.setRequestHeader("OWASP_CSRFTOKEN", "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV"); } }; If X-Requested-With is passed then CSRFGuard will verify the OWASP_CSRFTOKEN HTTP header. If X-Requested-With does not exist then CSRFGuard will look for the token in HTTP parameters.

57 JSON CSRF Protection Demo

58 Outline Authentication Encryption Validation Wrap Up

59 Summary Authentication Encryption Validation
Can use userid/password for services consumed by your app Use OAuth for third-party web apps and mobile apps Encryption Use SSL Use Secure flag Use Strict-Transport-Security header Validation Restrict input Protect your apps against CSRF

60 Thanks! Frank Kim @sansappsec

61

62 References JAX-RS 2.0 OAuth 2.0 Specification Spring Security OAuth
OAuth 2.0 Specification Spring Security OAuth OAuth: The Big Picture OAuth CSRF issues OWASP 1-Liner CSRFGuard

Download ppt "REST Security with JAX-RS"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
By Loukik Purohit & Rohit Ghatol

By Loukik Purohit & Rohit Ghatol
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:
1Proprietary and Confidential AirVantage API – Getting started David SCIAMMA – June 13th 2014.

1Proprietary and Confidential AirVantage API – Getting started David SCIAMMA – June 13th 2014.
Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.

Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.
Cryptography and Network Security

Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead

Similar presentations

Ads by Google