Presentation is loading. Please wait.

Presentation is loading. Please wait.

REST Security with JAX-RS

Similar presentations


Presentation on theme: "REST Security with JAX-RS"— Presentation transcript:

1 REST Security with JAX-RS
JavaOne 2013

2 About Frank Kim SANS Institute Curriculum Lead, Application Security
Author, Secure Coding in Java

3 Outline Authentication Encryption Validation Wrap Up

4 Authentication Process of establishing and verifying an identity
Can be based on three factors Something you know Something you have Something you are

5 Java EE Authentication
Configuration in web.xml 1 <security-constraint> 2 <web-resource-collection> <web-resource-name>Example</web-resource-name> <url-pattern>/*</url-pattern> 5 </web-resource-collection> 6 7 <auth-constraint> <role-name>user</role-name> <role-name>admin</role-name> </auth-constraint> 11 </security-constraint> 12 13 <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/loginerror.jsp</form-error-page> </form-login-config> 19 </login-config>

6 JAX-RS SecurityContext
getAuthenticationScheme() Returns String authentication scheme used to protect the resource BASIC, FORM, CLIENT_CERT getUserPrincipal() Returns Principal object containing the username isUserInRole(String role) Returns a boolean indicating if the user has the specified logical role

7 Photo Sharing Site Demo

8 Photo Sharing Site API { "photos" : [ { "id":"1" , "name":"photo1.jpg" } , { "id":"3" , "name":"photo3.jpg" } , { "id":"5" , "name":"photo5.jpg" }] }

9 Issues Userid/password authentication is fine
If the API is used only by your site But what if your API needs to be used by Other web apps Mobile apps Native apps Do you want these apps to Have your password? Have full access to your account?

10

11 OAuth Way to authenticate a service
Valet key metaphor coined by Eran Hammer-Lahav Authorization token with limited rights You agree which rights are granted You can revoke rights at any time Can gracefully upgrade rights if needed

12 OAuth Roles Client User Server - Photo printing service called Tonr
- Photo sharing service called Sparklr - Also known as the "resource server" - Person using the app - Also known as the "resource owner"

13 Simplified OAuth Flow Client User Server
- Photo printing service called Tonr 2) Tonr needs pictures to print and redirects you to Sparklr's log in page User Server 1) You log in to Tonr - Photo sharing service called Sparklr 3) You log in to Sparklr directly

14 Simplified OAuth Flow Client User Server
- Photo printing service called Tonr 5) Tonr stores the "access token" with your account User Server 6) You are happy printing and viewing your pictures - Photo sharing service called Sparklr 4) Sparklr returns an OAuth "access token"

15 Photo Printing Site Demo

16 Detailed OAuth Flow Via browser: Tonr starts OAuth process
Once you click the "Authorize" button client_id=tonr&redirect_uri=http://www.tonr.com:8080/ tonr2/sparklr/photos& response_type=code& scope=read write&state=92G53T

17 Detailed OAuth Flow Via browser: Tonr starts OAuth process
Once you click the "Authorize" button client_id=tonr&redirect_uri=http://www.tonr.com:8080/ tonr2/sparklr/photos& response_type=code& scope=read write&state=92G53T The "response_type" parameter can be: "code" for requesting the authorization code grant type "token" for the implicit grant or a registered extension type

18 Detailed OAuth Flow 2) Via browser: Sparklr redirects back to Tonr
code=cOuBX6&state=92G53T "code" is the authorization code received from the Server (i.e. Sparklr)

19 Detailed OAuth Flow 3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password Request: POST /sparklr2/oauth/token HTTP/1.1 Authorization: Basic dG9ucjpzZWNyZXQ= grant_type=authorization_code&code=cOuBX6& redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos Response: {"access_token":"5881ce86-3ed a6b-42aef1068dfb", "token_type":"bearer","expires_in":"42528", "scope":"read write"}

20 Detailed OAuth Flow 3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password Request: POST /sparklr2/oauth/token HTTP/1.1 Authorization: Basic dG9ucjpzZWNyZXQ= grant_type=authorization_code&code=cOuBX6& redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos Response: {"access_token":"5881ce86-3ed a6b-42aef1068dfb", "token_type":"bearer","expires_in":"42528", "scope":"read write"} dG9ucjpzZWNyZXQ= is the string tonr:secret

21 Detailed OAuth Flow 3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password Request: POST /sparklr2/oauth/token HTTP/1.1 Authorization: Basic dG9ucjpzZWNyZXQ= grant_type=authorization_code&code=cOuBX6& redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos Response: {"access_token":"5881ce86-3ed a6b-42aef1068dfb", "token_type":"bearer","expires_in":"42528", "scope":"read write"}

22 Detailed OAuth Flow 3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password Request: POST /sparklr2/oauth/token HTTP/1.1 Authorization: Basic dG9ucjpzZWNyZXQ= grant_type=authorization_code&code=cOuBX6& redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos Response: {"access_token":"5881ce86-3ed a6b-42aef1068dfb", "token_type":"bearer","expires_in":"42528", "scope":"read write"} expires_in value in seconds

23 Detailed OAuth Flow 4) Via "Client": Tonr gets pictures from Sparklr
All Requests include: Authorization: Bearer 5881ce86-3ed a6b-42aef1068dfb

24 When to Use OAuth Use OAuth for consuming APIs from
Third-party web apps Mobile apps Native apps Don't need to use OAuth If API is only consumed by the user within the same web app If APIs are only consumed server to server

25 Benefits No passwords shared between web apps
No passwords stored on mobile devices Limits impact of security incidents If Tonr gets hacked Sparklr revokes OAuth access If Sparklr gets hacked you change your Sparklr password but don't have to do anything on Tonr If you lose your mobile device you revoke the access Sparklr gave to the Tonr mobile app

26 OAuth Versions 1.0 1.0a 2.0 Version Comments
- Has a security flaw related to session fixation - Don’t use it 1.0a - Stable and well understood - Uses a signature to exchange credentials and signs every request - Signatures are more of a pain than it seems 2.0 - Spec is final with good support

27 OAuth 2.0 Authorization Grant Types
Description Authorization Code - Optimized for confidential clients - Uses a authorization code from the Server - User doesn't see the access token Implicit Grant - Optimized for script heavy web apps - Does not use an authorization code from the Server - User can see the access token Resource Owner Password Credentials - Use in cases where the User trusts the Client - Exposes User credentials to the Client Client Credentials - Client gets an access token based on Client credentials only

28 OAuth 2.0 Access Token Types
Bearer Large random token Need SSL to protect it in transit Server needs to store it securely hashed like a user password Mac Uses a nonce to prevent replay Does not require SSL OAuth 1.0 only supported a mac type token

29 Outline Authentication Encryption Validation Wrap Up

30 Session Hijacking 1) Victim goes to mybank.com via HTTP Internet
Public WiFi Network Victim 1) Victim goes to mybank.com via HTTP Attacker

31 Session Hijacking 2) Attacker sniffs the public wifi network and
Internet mybank.com Public WiFi Network Victim 2) Attacker sniffs the public wifi network and steals the JSESSIONID Attacker

32 Session Hijacking 3) Attacker uses the stolen JSESSIONID
Internet mybank.com Public WiFi Network Victim 3) Attacker uses the stolen JSESSIONID to access the victim's session Attacker

33 Enable SSL in web.xml 1 <security-constraint> 2 <web-resource-collection> 3 <web-resource-name>Example</web-resource-name> 4 <url-pattern>/*</url-pattern> 5 </web-resource-collection> <user-data-constraint> 10 <transport-guarantee> 11 CONFIDENTIAL 12 </transport-guarantee> 13 </user-data-constraint> 14 </security-constraint>

34 JAX-RS SecurityContext
iSecure() Returns a boolean indicating whether the request was made via HTTPS

35 Secure Flag Ensures that the Cookie is only sent via SSL
Configure in web.xml as of Servlet 3.0 <session-config>    <cookie-config>      <secure>true</secure>    </cookie-config> </session-config> Programmatically Cookie cookie = new Cookie("mycookie", "test"); cookie.setSecure(true);

36 Strict-Transport-Security
Tells browser to only talk to the server via HTTPS First time your site accessed via HTTPS and the header is used the browser stores the certificate info Subsequent requests to HTTP automatically use HTTPS Supported browsers Implemented in Firefox and Chrome Defined in RFC 6797 Strict-Transport-Security: max-age=seconds [; includeSubdomains]

37 Outline Authentication Encryption Validation Wrap Up

38 Restrict Input Restrict to POST Restrict the Content-Type
annotation Restrict the Content-Type Invalid Content-Type results in HTTP 415 Unsupported Media Type Restrict to Ajax if applicable Check X-Requested-With:XMLHttpRequest header Restrict response types Check Accept header for valid response types

39 Cross-Site Request Forgery (CSRF)
Victim browser 1) Victim signs on to mybank 2) Victim visits attacker.com mybank.com attacker.com 3) Page contains CSRF code 4) Browser sends <form action=https://mybank.com/transfer.jsp method=POST> <input name=recipient value=attacker> <input name=amount value=1000> </form> <script>document.forms[0].submit()</script> the request to mybank POST /transfer.jsp HTTP/1.1 Cookie: <mybank authentication cookie> recipient=attacker&amount=1000 the request to mybank. POST /transfer.jsp HTTP/1.1. Cookie: recipient=attacker&amount=1000.", "width": "800" }

40 CSRF and OAuth 2.0 How can an attacker use CSRF to take over your account? Many sites allow logins from third-party identity providers like Facebook Many identity providers use OAuth Attacker can automatically associate your account with an attacker controlled Facebook account

41 OAuth CSRF Research Accounts at many sites could be taken over using OAuth CSRF Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others Research by Rich Lundeen Prior research by Stephen Sclafani

42 OAuth CSRF Attack Flow Create attacker controlled Facebook account
Victim is signed on to provider account (i.e. Stack Exchange) Lure victim into visiting an evil site with OAuth CSRF code CSRF code sends OAuth authorization request 4) Attacker's Facebook account now controls victim provider account

43 Linking Stack Exchange with an Evil Facebook Account
Image from

44 CSRF Protection Spec defines a "state" parameter that must be included in the redirect to the Client Value must be non-guessable and tied to session Client sends "state" to Server: client_id=tonr&redirect_uri=http://www.eviltonr.com:8080/ tonr2/sparklr/photos& response_type=code& scope=read write&state=92G53T Server sends "state" back to Client after authorization: code=cOuBX6&state=92G53T

45 OAuth CSRF Protection Demo

46 OWASP 1-Liner Deliberately vulnerable application More information at
Intended for demos and training Created by John More information at https://www.owasp.org/index.php/OWASP_1-Liner

47 JSON CSRF Demo

48 Normal JSON Message {"id":0,"nickName":"John", "oneLiner":"I LOVE Java!", "timestamp":" T17:04:23"}

49 Forged JSON Message {"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//=dummy

50 CSRF Attack Form <form id="target" method="POST" action="https://local.1-liner.org:8444/ws/vulnerable/oneliners" enctype="text/plain" style="visibility:hidden"> <input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//' value="dummy" /> <input type="submit" value="Go" /> </form>

51 CSRF Attack Form <form id="target" method="POST" action="https://local.1-liner.org:8444/ws/vulnerable/oneliners" enctype="text/plain" style="visibility:hidden"> <input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//' value="dummy" /> <input type="submit" value="Go" /> </form>

52 Forged JSON Message {"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//=dummy

53 CSRF Defense Must include something random in the request
Use an anti-CSRF token OWASP CSRFGuard Written by Eric Can inject anti-CSRF token using JSP Tag library - for manual, fine grained protection JavaScript DOM manipulation - for automated protection requiring minimal effort Filter that intercepts requests and validates tokens

54 CSRFGuard JSP Tags Tags for token name and value
<form name="test1" action="protect.html"> <input type="text" name="text" value="text"/> <input type="submit" name="submit" value="submit"/> <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/> </form> Tag for name/value pair (delimited with "=") <a href="protect.html?<csrf:token/>">protect.html</a> Convenience tags for forms and links as well <csrf:form> and <csrf:a> Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

55 CSRFGuard DOM Manipulation
Include JavaScript in every page that needs CSRF protection <script src="/securish/JavaScriptServlet"></script> JavaScript used to hook the open and send methods XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open; XMLHttpRequest.prototype.open = function(method, url, async, user, pass) { // store a copy of the target URL this.url = url; this._open.apply(this, arguments); } XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send; XMLHttpRequest.prototype.send = function(data) { if(this.onsend != null) { // call custom onsend method to modify the request this.onsend.apply(this, arguments); this._send.apply(this, arguments); JavaScript used to hook the open and send methods. XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open; XMLHttpRequest.prototype.open = function(method, url, async, user, pass) { // store a copy of the target URL. this.url = url; this._open.apply(this, arguments); } XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send; XMLHttpRequest.prototype.send = function(data) { if(this.onsend != null) { // call custom onsend method to modify the request. this.onsend.apply(this, arguments); this._send.apply(this, arguments);", "width": "800" }

56 Protecting XHR Requests
CSRFGuard sends two HTTP headers XMLHttpRequest.prototype.onsend = function(data) { if(isValidUrl(this.url)) { this.setRequestHeader("X-Requested-With", "OWASP CSRFGuard Project") this.setRequestHeader("OWASP_CSRFTOKEN", "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV"); } }; If X-Requested-With is passed then CSRFGuard will verify the OWASP_CSRFTOKEN HTTP header. If X-Requested-With does not exist then CSRFGuard will look for the token in HTTP parameters.

57 JSON CSRF Protection Demo

58 Outline Authentication Encryption Validation Wrap Up

59 Summary Authentication Encryption Validation
Can use userid/password for services consumed by your app Use OAuth for third-party web apps and mobile apps Encryption Use SSL Use Secure flag Use Strict-Transport-Security header Validation Restrict input Protect your apps against CSRF

60 Thanks! Frank Kim @sansappsec

61

62 References JAX-RS 2.0 OAuth 2.0 Specification Spring Security OAuth
https://jax-rs-spec.java.net/nonav/2.0/apidocs OAuth 2.0 Specification Spring Security OAuth OAuth: The Big Picture OAuth CSRF issues OWASP 1-Liner https://www.owasp.org/index.php/OWASP_1-Liner CSRFGuard https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project


Download ppt "REST Security with JAX-RS"

Similar presentations


Ads by Google