Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS5220 Advanced Topics in Web Programming Secure REST API

Published byOlivia Siitonen Modified over 5 years ago

Similar presentations

Presentation on theme: "CS5220 Advanced Topics in Web Programming Secure REST API"— Presentation transcript:

1 CS5220 Advanced Topics in Web Programming Secure REST API
Chengyu Sun California State University, Los Angeles

2 Web Application Security
Client Server request who are you? Authentication username/password (Access Control) Authorization you’re not authorized to access Connection Security

3 HTTP Secure (HTTPS) HTTP over SSL/TLS
Configure SSL in Tomcat -

4 Basic Security Implementation
Database Server Client /login ?? users /api/user/1 ?? ?? How to store passwords properly?? What happens if authentication is successful?? How does the server authenticate/authorize subsequent requests??

5 Storing Passwords … Hash stored passwords
Why?? How?? Encryption vs Hashing?? How to check against hashed passwords?? Common attack on hashed passwords Brute force and some variations Dictionary

6 … Storing Passwords Common defenses Long and random passwords
Make cryptographic hash functions slower Salt

7 Cryptographic Hash Function…
String of arbitrary length  n bits digest Properties Given a hash value, it’s virtually impossible to find a message that hashes to this value Given a message, it’s virtually impossible to find another message that hashes to the same value It’s virtually impossible to find two messages that hash to the same value A.K.A. One-way hashing, message digest, digital fingerprint

8 …Cryptographic Hash Function
Common usage Store passwords, software checksum … Popular algorithms Good for password hashing: Argon2, PBKDF2, scrypt, bcrypt Not good for password hashing: MD5 (broken), SHA and variants

9 bcrypt hash Example abcd
$2a$10$aol3r6 … kH/mkyO zB06fcQQOQa … U5.r3rSZI6 128 bit salt encoded in 22 characters 184 bit hash encoded in 31 characters Cost parameter Algorithm version

10 bcrypt Libraries BcryptPasswordEncoder in org.springframework.security:spring-security-crypto jBcrypt – org.mindrot:jbcrypt

11 Session-Based Security
Database Server Client /login ?? users /api/user/1 ?? What happens if authentication is successful?? What does the server authenticate/authorize subsequent requests?? Why is it not suitable for RESTful web service??

12 Security without Session
What’s wrong with sending username and password in every request? How about using a access key / token instead? Issues need to be considered: access control, performance, expiration, revocation

13 JSON Web Token (JWT) JWT = JSON object + Signature Example
The JSON object contains the identity and authorization of a user, a.k.a. claims The actual content of JSON is up to the application The signature is the hash of the JSON object and a secret key (that only the server knows) Example JSON: { “username”: “john”, “role”: “admin” } Signature: HS256( JSON, “some secrete” )

14 How JWT Works … Login on the server Receives username and password
Loads user information from database Creates a JWT Sends the JWT to client

15 … How JWT Works In subsequent requests
Client includes JWT in each request Header E.g. Authorization: Bearer <token> Request parameter Cookie Server verifies the signature in JWT (How??) If signature is valid, server grants access based on JWT (no need to access database again)

16 More About JWT https://jwt.io/ Header, payload, and signature
Predefined claims in payload sub: subject exp: expiration time iat: Issued at JWT does not provide a way to revoke tokens

17 Implementation Strategy …
Create and verify token using Java JWT Extract token from request header, parameter, or cookie (easily done with Spring controller methods) HttpServletRequest @RequestHeader @RequestParam @CookieValue

18 … Implementation Strategy
Use Servlet Filter, or Spring Handler Interceptor, Verify token, and create a User object from the token if the signature is valid Pass the User object to controller methods as a request attribute

19 Servlet Filter Intercept, examine, and/or modify request and response
Servlet/JSP

20 Servlet Filter Example
web.xml <filter> and <filter-mapping> Modify request Modify response

21 Spring Handler Interceptor
Serve the same purpose as servlet filter Configured as Spring beans, i.e. support dependency injection Handler Interceptor request response Controller

22 Implement a Handler Interceptor
Implement HandlerInterceptor or inherits from HandlerInterceptorAdapter preHandle() – called before the controller method is invoked postHandle() – called after the controller method is invoked (but before view is generated) afterCompletion() – called after the request processing is completed (i.e. after view is generated)

23 URL Mapping for Handler Interceptor
<mvc:interceptors> <mvc:interceptor> <mvc:mapping path="/api/**" /> <bean class=“some.Interceptor"></bean> </mvc:interceptor> </mvc:interceptors>

24 Use Model Methods in @ControllerAdvice
Model Methods can that are used by subsequent controller methods @ControllerAdvice public class SomeAdvice { @ModelAttribute(“currentUser”) public User getUserFromJwt( … ) { … } @ModelAttribute public void addMultipleAttributes( ModelMap models ) {…} }

Download ppt "CS5220 Advanced Topics in Web Programming Secure REST API"

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Securing web applications using Java EE Dr Jim Briggs 1.

Securing web applications using Java EE Dr Jim Briggs 1.
>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.

>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
WEB2P security Java web application security Dr Jim Briggs.

WEB2P security Java web application security Dr Jim Briggs.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Cryptography 101 Frank Hecker

Cryptography 101 Frank Hecker
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Remotely authenticating against the Service Framework.

Remotely authenticating against the Service Framework.
Chapter 5 Java Servlets. Objectives Explain the nature of a servlet and its operation Use the appropriate servlet methods in a web application Code the.

Chapter 5 Java Servlets. Objectives Explain the nature of a servlet and its operation Use the appropriate servlet methods in a web application Code the.
Web Database Programming Week 7 Session Management & Authentication.

Web Database Programming Week 7 Session Management & Authentication.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.

PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.
Access control 2/18/2009. TOMCAT Security Model Declarative Security:  the expression of application security external to the application, and it allows.

Access control 2/18/2009. TOMCAT Security Model Declarative Security:  the expression of application security external to the application, and it allows.

Similar presentations

Ads by Google