
Securing JAX-RS RESTful services
Miroslav Fuksa (software developer)
Michal Gajdoš (software developer)

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Program Agenda
Introduction to JAX-RS and Security
Declarative Security and Entity Filtering
Client Security
OAuth 1
OAuth 2


Introduction to JAX-RS and security


Introduction
RESTful Web Services
Representational State Transfer
Uses HTTP methods (GET, POST, DELETE, ...), representations (HTML, JSON, XML), URIs, caching, stateless communication
JAX-RS: Java API for RESTful Services
JAX-RS 2.0 (JSR 339): part of Java EE 7, released in May 2013
Reference implementation: Jersey 2


Introduction
http://my-univeristy.com/api/student/

@Path("student")
public class StudentResource {

    // GET http://my-univeristy.com/api/student/adam
    @Produces("application/json")
    @GET
    @Path("{id}")
    public Student get(@PathParam("id") String id) {
        return StudentService.getStudentById(id);
    }

    // POST http://my-univeristy.com/api/student
    @POST
    public Student post(Student student) {
        return StudentService.addStudent(student);
    }
}


Introduction
JAX-RS 2.0
JAX-RS 2.0 (JSR 339, part of Java EE 7, released in May 2013)
Client API
Asynchronous processing
Filters
Interceptors


Introduction
Security
Authentication
HTTP Basic Authentication (BASE64-encoded username and password; must be protected by SSL)
HTTP Digest Authentication (the password is used only to compute a signature, MD5-based)
Authorization


Servlet Container Security
Secure JAX-RS services using Servlet Container

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my-realm</realm-name>
</login-config>


Servlet Container Security
Secure JAX-RS services using Servlet Container

<security-constraint>
    <web-resource-collection>
        <url-pattern>/student/*</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <url-pattern>/student/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

http://my-univeristy.com/api/students/{id}


Servlet Container Security
Secure JAX-RS services using Servlet Container
Advantages
Independent of the JAX-RS implementation
Managed by the servlet container
Disadvantages
Only for servlet containers
Fragile, verbose, hard to maintain (the container matches constraints on the raw URL pattern and HTTP method before the request reaches JAX-RS; for example, a constraint that lists <http-method> elements leaves every unlisted method unprotected unless Servlet 3.1's <deny-uncovered-http-methods/> is also declared)
Pre-matching filters


Pre-matching filters
Diagram: the request PUT http://my-univeristy.com/api/student and the request POST http://my-univeristy.com/api/student with a pre-matching filter between them; a pre-matching filter runs before resource matching and can change the request's method or URI.


JAX-RS Security Context
javax.ws.rs.core.SecurityContext

public interface SecurityContext {
    public Principal getUserPrincipal();
    public boolean isUserInRole(String role);
    public boolean isSecure();
    public String getAuthenticationScheme();
}


JAX-RS Security Context
Secure method programmatically using SecurityContext

@Path("student")
public class StudentResource {
    @Context
    private SecurityContext securityContext;

    @GET
    @Path("{id}")
    public Student get(@PathParam("id") String id) {
        if (!securityContext.isUserInRole("admin")) {
            // WebApplicationException(String, int) is available since JAX-RS 2.0
            throw new WebApplicationException("You don't have privileges to access this resource.", 403);
        }
        return StudentService.getStudentById(id);
    }
}

Authorization in Jersey 2.x: Security annotations


Authorization: Security annotations
Means in Jersey 2.x
Define the access to resources based on the user groups.
Security annotations from the javax.annotation.security package: @PermitAll, @DenyAll, @RolesAllowed
SecurityContext
RolesAllowedDynamicFeature


Authorization: Security annotations
Example: Register RolesAllowedDynamicFeature.

@ApplicationPath("api")
public class MyApplication extends ResourceConfig {
    public MyApplication() {
        packages("my.application");
        register(RolesAllowedDynamicFeature.class);
    }
}


Authorization: Security annotations
Example: Define access restrictions on Resource.

@Path("/resource")
@PermitAll
public class Resource {
    @GET
    public String get() { return "GET"; }

    @RolesAllowed("admin")
    @POST
    public String post(String content) { return content; }
}


Authorization in Jersey 2.x: Entity Filtering Feature


Feature: Entity Filtering
Idea and Motivation
Exposing only part of the domain model for input/output.
Reduce the amount of data exchanged over the wire.
Define your own filtering rules based on the current context (e.g. the resource method).
Assign security access rules to properties.
Faster prototyping and development.
One model and one place for defining the rules.


Feature: Entity Filtering
Means in Jersey 2.3+ / MOXy 2.5.0
@EntityFiltering meta-annotation.
Create filtering annotations with custom meaning to define context.
Security annotations from the javax.annotation.security package: @PermitAll, @DenyAll, @RolesAllowed
SecurityContext


Feature: Entity Filtering
Putting it all together.
Define dependencies on extension and media modules.
Register SecurityEntityFilteringFeature in Jersey Application.
Annotate Resources and Domain Model with security annotations.
Enjoy!


Feature: Entity Filtering
Example: Goal.
Have:
JAX-RS Application with security user roles.

Want:
Define access to resources.
Restrict access to entities / entity members for different user roles.


Feature: Entity Filtering
Example: Register Providers in JAX-RS Application.

@ApplicationPath("api")
public class MyApplication extends ResourceConfig {
    public MyApplication() {
        packages("my.application");
        register(SecurityEntityFilteringFeature.class);
    }
}


Feature: Entity Filtering
Example: Model.

public class RestrictedEntity {
    private String simpleField;
    private String denyAll;
    private RestrictedSubEntity mixed;

    // getters and setters
}

public class RestrictedSubEntity {
    private String managerField;
    private String userField;

    // getters and setters
}


Feature: Entity Filtering
Example: Annotated Domain Model.

public class RestrictedEntity {
    public String getSimpleField() { ... }

    @DenyAll
    public String getDenyAll() { ... }

    @RolesAllowed({"manager", "user"})
    public RestrictedSubEntity getMixed() { ... }
}

public class RestrictedSubEntity {
    @RolesAllowed("manager")
    public String getManagerField() { ... }

    @RolesAllowed("user")
    public String getUserField() { ... }
}

Feature: Entity Filtering
Example: JAX-RS Un-Restricted Resource.

@Path("unrestricted-resource")
@Produces("application/json")
public class UnrestrictedResource {
    @GET
    public RestrictedEntity getRestrictedEntity() { ... }
}


Feature: Entity Filtering
Example: JAX-RS Restricted Resource.

@Path("restricted-resource")
@Produces("application/json")
public class RestrictedResource {
    @GET @Path("denyAll")
    @DenyAll
    public RestrictedEntity denyAll() { ... }

    @GET @Path("rolesAllowed")
    @RolesAllowed({"manager"})
    public RestrictedEntity rolesAllowed() { ... }
}
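The entity-filtering slides ("Putting it all together" through the two resources) describe the setup but not what a caller in each role actually receives. The JerseyTest below is an added example, not code from the slides or from the Jersey project, that pins that down per role. It assumes JUnit 4, the Jersey test framework with the Grizzly provider, jersey-media-moxy and jersey-entity-filtering on the test classpath, and the RestrictedEntity, RestrictedSubEntity, UnrestrictedResource and RestrictedResource classes from the slides with their elided getters and method bodies filled in so the resources return populated entities. The RoleFromHeaderFilter inside it is a constructed test stand-in for authentication, not something to deploy.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import java.security.Principal;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.SecurityContext;
import org.glassfish.jersey.message.filtering.SecurityEntityFilteringFeature;
import org.glassfish.jersey.moxy.json.MoxyJsonFeature;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;
import org.glassfish.jersey.test.JerseyTest;
import org.junit.Test;

// Example test (not from the slides): what each role sees through entity filtering.
public class EntityFilteringRolesTest extends JerseyTest {

    // Test-only stand-in for real authentication (constructed for this example):
    // the role named in the X-Test-Role header becomes the caller's only role.
    // It exists so the tests can switch roles; it must never reach a deployment.
    @PreMatching
    public static class RoleFromHeaderFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) {
            final String role = ctx.getHeaderString("X-Test-Role"); // null = anonymous
            ctx.setSecurityContext(new SecurityContext() {
                @Override public Principal getUserPrincipal() {
                    return role == null ? null : new Principal() {
                        @Override public String getName() { return role; }
                    };
                }
                @Override public boolean isUserInRole(String r) { return r.equals(role); }
                @Override public boolean isSecure() { return false; }
                @Override public String getAuthenticationScheme() { return "TEST"; }
            });
        }
    }

    @Override
    protected Application configure() {
        // Same registration as the MyApplication slide, plus the test filter.
        return new ResourceConfig(UnrestrictedResource.class, RestrictedResource.class)
                .register(SecurityEntityFilteringFeature.class)
                .register(RolesAllowedDynamicFeature.class)
                .register(MoxyJsonFeature.class)
                .register(RoleFromHeaderFilter.class);
    }

    private Invocation.Builder as(String role, String path) {
        Invocation.Builder request = target(path).request("application/json");
        return role == null ? request : request.header("X-Test-Role", role);
    }

    @Test
    public void anonymousCallerGetsOnlyUnannotatedProperties() {
        String json = as(null, "unrestricted-resource").get(String.class);
        assertTrue(json.contains("simpleField"));
        assertFalse(json.contains("denyAll"));   // @DenyAll: never serialized
        assertFalse(json.contains("mixed"));     // needs the manager or user role
    }

    @Test
    public void userRoleSeesMixedSubEntityWithoutManagerField() {
        String json = as("user", "unrestricted-resource").get(String.class);
        assertTrue(json.contains("mixed"));
        assertTrue(json.contains("userField"));
        assertFalse(json.contains("managerField"));
    }

    @Test
    public void managerRoleSeesManagerFieldWithoutUserField() {
        String json = as("manager", "unrestricted-resource").get(String.class);
        assertTrue(json.contains("managerField"));
        assertFalse(json.contains("userField"));
    }

    @Test
    public void resourceLevelAnnotationsStillApply() {
        // @DenyAll on the method: 403 for everyone, even a manager.
        assertEquals(403, as("manager", "restricted-resource/denyAll").get().getStatus());
        // @RolesAllowed("manager"): a plain user is refused, a manager is served.
        assertEquals(403, as("user", "restricted-resource/rolesAllowed").get().getStatus());
        assertEquals(200, as("manager", "restricted-resource/rolesAllowed").get().getStatus());
    }
}
```

The point worth noticing is the last test next to the first three: the resource annotations decide whether a method runs at all (403 or not), while the same annotations on the model decide which properties of the returned entity are written, so a property is filtered out even when the resource method itself was permitted.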


JAX-RS Client Security


Client Security
SSL with JAX-RS support
JAX-RS 2.0 defines support for SSL configuration: javax.ws.rs.client.ClientBuilder (KeyStore, TrustStore, SSLContext)
Jersey provides SslConfigurator to create an SSLContext


Client Security
SslConfigurator

SslConfigurator sslConfig = SslConfigurator.newInstance()
        .trustStoreFile("./truststore_client")
        .trustStorePassword("pwds65df4")
        .keyStoreFile("./keystore_client")
        .keyPassword("sf564fsds");
SSLContext sslContext = sslConfig.createSSLContext();
Client client = ClientBuilder.newBuilder()
        .sslContext(sslContext).build();


Client Security
HTTP Authentication
ClientRequestFilter and ClientResponseFilter
Jersey HttpAuthenticationFeature: Basic, Digest, Universal

HttpAuthenticationFeature basicAuth = HttpAuthenticationFeature.basic("username", "12345");
Client client = ClientBuilder.newBuilder().register(basicAuth).build();
Student michal = client.target("http://my-university.com/student/michal")
        .request().get(Student.class);
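The two client slides show SslConfigurator and HttpAuthenticationFeature separately, each with passwords in the source and, on the second slide, a plain-http target. The factory below is an added example, not code from the slides or from Jersey, that combines them the way a deployment should: a private trust store and client certificate for the SSLContext, credentials read from the environment, and a ClientRequestFilter (the mechanism the slide names) that refuses to let a request carrying credentials leave over anything but https. The environment variable names and the store paths are assumptions made for this example; the Jersey APIs used (SslConfigurator, HttpAuthenticationFeature.universalBuilder(), ClientRequestContext.abortWith()) are Jersey 2.x / JAX-RS 2.0.

```java
import javax.annotation.Priority;
import javax.net.ssl.SSLContext;
import javax.ws.rs.Priorities;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.core.Response;
import org.glassfish.jersey.SslConfigurator;
import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature;

// Example client factory (not from the slides or Jersey). The environment
// variable names are assumptions made for this example.
public final class SecureClientFactory {

    // Runs before the authentication filter (which sits at Priorities.AUTHENTICATION).
    // The feature puts credentials on the wire (preemptively in basic() mode, after a
    // challenge in the others), so a request to a non-https URI is aborted locally
    // instead of leaking them over plaintext.
    @Priority(Priorities.AUTHENTICATION - 100)
    public static final class RequireHttpsFilter implements ClientRequestFilter {
        @Override
        public void filter(ClientRequestContext ctx) {
            if (!"https".equalsIgnoreCase(ctx.getUri().getScheme())) {
                ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                        .entity("refusing to send credentials to a non-https target: " + ctx.getUri())
                        .build());
            }
        }
    }

    private SecureClientFactory() { }

    // Secrets come from the environment, not from the source or the build.
    private static String env(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return value;
    }

    public static Client newClient() {
        // Private trust store: the client trusts only the CA that issued the
        // service's certificate, not every CA in the JDK default store. The
        // key store holds the client certificate for mutual TLS.
        SSLContext sslContext = SslConfigurator.newInstance()
                .trustStoreFile(env("API_TRUSTSTORE"))
                .trustStorePassword(env("API_TRUSTSTORE_PASSWORD"))
                .keyStoreFile(env("API_KEYSTORE"))
                .keyStorePassword(env("API_KEYSTORE_PASSWORD"))
                .keyPassword(env("API_KEY_PASSWORD"))
                .createSSLContext();

        // Universal mode picks Basic or Digest from the server's WWW-Authenticate
        // challenge, so a server that offers Digest never sees the raw password.
        HttpAuthenticationFeature auth = HttpAuthenticationFeature.universalBuilder()
                .credentialsForBasic(env("API_USER"), env("API_PASSWORD"))
                .credentialsForDigest(env("API_USER"), env("API_PASSWORD"))
                .build();

        return ClientBuilder.newBuilder()
                .sslContext(sslContext)
                .register(RequireHttpsFilter.class)
                .register(auth)
                .build();
    }

    // Usage, with the Student type from the earlier slides:
    // Student michal = SecureClientFactory.newClient()
    //         .target("https://my-university.com/student/michal")
    //         .request().get(Student.class);
}
```

Note the separation of keyStorePassword (protects the store file) from keyPassword (protects the private key entry); the slide sets only the latter, which works when both are the same but fails silently in intent when they differ.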


OAuth 1


OAuth: introduction
Diagram: Resource owner, Consumer and Service Provider; the arrow from the Resource owner to the Consumer is labelled username/password.

OAuth
Motivation
I want to give a consumer (a 3rd-party application) access to my account
Giving the Consumer my password raises problems:
Revoking access
Password change
Limiting access (different authorization rules)
Trust


OAuth: introduction
Diagram (repeated from the earlier slide): Resource owner, Consumer and Service Provider, with the username/password arrow from the Resource owner to the Consumer.

OAuth
Motivation
OAuth
No sharing of the resource owner's password
The resource owner can revoke access at any time
Limited access
User-friendly process of issuing tokens (authorization process/flow)


OAuth1
Details
IETF OAuth 1.0 (RFC 5849)
Previous community versions 1.0 and 1.0a
Signatures added to requests (HMAC-SHA1, RSA-SHA1) based on secret keys
Authorization process (flow): the process of granting access to the consumer
Authenticated requests: the consumer calls REST APIs using OAuth signatures


OAuth1: Authorization flow
Diagram: Consumer, Resource owner and Service Provider with numbered arrows:
1 Request Token
2 Authorization Request
3 Resource owner authorization
4 Authorization Response
5 Access Token

OAuth1: Authenticated requests
Diagram: Consumer, Resource owner and Service Provider; the Consumer's requests to the Service Provider carry the Access Token.

OAuth1
Summary
Secure
Signatures
Secret keys (consumer secret, request and access token secret)
Nonce, timestamp
Complex to implement


OAuth 2


OAuth 2
Introduction
WRAP (Web Resource Authorization Protocol)
OAuth 2.0 (IETF, RFC 6749), released in October 2012
Not backward compatible; a framework (not a protocol)
Does not require signatures (bearer token); relies on SSL
Authorization flows
Authorization Code Grant (refresh token)
Implicit Grant (e.g. JavaScript client), Resource Owner Password Credentials Grant (user name + password), Client Credentials Grant (client application authentication)

OAuth 2
Compared to OAuth 1
Easier implementation (OAuth 1.0a is not easy to implement)
Security questions
No signature and no secret keys (risk of exposing tokens)
Relies on SSL
Usage of authorization flows with limited security


OAuth
Jersey and OAuth
OAuth 1.0a: client and server
OAuth 2: client (Authorization Code Grant)
Client OAuth support:
Authorization Flow: standalone utility
Authenticated requests (Features => Filters)
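The "Jersey and OAuth" slide lists what Jersey's client support covers (the OAuth 1.0a flow plus signed requests, and the OAuth 2 Authorization Code Grant) without showing the calls. The class below is an added example, not code from the slides or from the Jersey project, that walks through both: the numbered steps of the OAuth1 flow diagram and the code-grant exchange with its state check. It assumes the Jersey 2.x oauth1-client and oauth2-client modules; the provider URIs are placeholders and the consumer/client credentials are read from environment variables chosen for this example.

```java
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import org.glassfish.jersey.client.oauth1.AccessToken;
import org.glassfish.jersey.client.oauth1.ConsumerCredentials;
import org.glassfish.jersey.client.oauth1.OAuth1AuthorizationFlow;
import org.glassfish.jersey.client.oauth1.OAuth1ClientSupport;
import org.glassfish.jersey.client.oauth2.ClientIdentifier;
import org.glassfish.jersey.client.oauth2.OAuth2ClientSupport;
import org.glassfish.jersey.client.oauth2.OAuth2CodeGrantFlow;
import org.glassfish.jersey.client.oauth2.TokenResult;

// Example (not from the slides). Provider URIs are placeholders; credentials
// come from environment variables named for this example.
public final class OAuthClients {
    private OAuthClients() { }

    // A started flow and the URI the resource owner must be redirected to.
    // The flow object must be kept in the user's session until finish().
    public static final class Started<F> {
        public final F flow;
        public final String authorizationUri;
        Started(F flow, String authorizationUri) { this.flow = flow; this.authorizationUri = authorizationUri; }
    }

    // --- OAuth 1.0a (RFC 5849): steps 1-5 of the authorization-flow diagram ---
    private static final String REQUEST_TOKEN_URI = "https://provider.example/oauth/request_token";
    private static final String ACCESS_TOKEN_URI = "https://provider.example/oauth/access_token";
    private static final String AUTHORIZE_URI = "https://provider.example/oauth/authorize";

    public static Started<OAuth1AuthorizationFlow> startOAuth1(String callbackUri) {
        ConsumerCredentials consumer = new ConsumerCredentials(
                System.getenv("OAUTH1_CONSUMER_KEY"), System.getenv("OAUTH1_CONSUMER_SECRET"));
        OAuth1AuthorizationFlow flow = OAuth1ClientSupport.builder(consumer)
                .authorizationFlow(REQUEST_TOKEN_URI, ACCESS_TOKEN_URI, AUTHORIZE_URI)
                .callbackUri(callbackUri)
                .build();
        // Step 1: fetch a request token (the request is signed with the consumer secret).
        // Step 2: the returned URI is the authorization request the user is sent to.
        return new Started<OAuth1AuthorizationFlow>(flow, flow.start());
    }

    public static Client finishOAuth1(OAuth1AuthorizationFlow flow, String oauthVerifier) {
        // Steps 4-5: the provider redirected back with oauth_verifier; exchange the
        // authorized request token for an access token and its token secret.
        AccessToken token = flow.finish(oauthVerifier);
        // Authenticated requests: the feature signs every request (HMAC-SHA1 over
        // consumer secret + token secret, with nonce and timestamp).
        return ClientBuilder.newClient().register(flow.getOAuth1Feature());
    }

    // --- OAuth 2.0 (RFC 6749): Authorization Code Grant ---
    private static final String AUTHORIZATION_URI = "https://provider.example/oauth2/authorize";
    private static final String TOKEN_URI = "https://provider.example/oauth2/token";

    public static Started<OAuth2CodeGrantFlow> startOAuth2(String redirectUri, String scope) {
        ClientIdentifier client = new ClientIdentifier(
                System.getenv("OAUTH2_CLIENT_ID"), System.getenv("OAUTH2_CLIENT_SECRET"));
        OAuth2CodeGrantFlow flow = OAuth2ClientSupport
                .authorizationCodeGrantFlowBuilder(client, AUTHORIZATION_URI, TOKEN_URI)
                .redirectUri(redirectUri)
                .scope(scope)
                .build();
        // start() builds the authorization URI including a random state parameter.
        return new Started<OAuth2CodeGrantFlow>(flow, flow.start());
    }

    public static Client finishOAuth2(OAuth2CodeGrantFlow flow, String code, String state) {
        // finish() rejects a state that does not match the one issued by start(),
        // which is what stops a forged callback from binding someone else's code
        // to this session.
        TokenResult result = flow.finish(code, state);
        // No signature here: the bearer token travels as "Authorization: Bearer ...",
        // so the transport to the resource server must be TLS.
        return ClientBuilder.newClient().register(flow.getOAuth2Feature());
    }
}
```

The contrast the slides draw is visible in the two finish methods: the OAuth1 client holds a token secret and proves possession by signing each request, whereas the OAuth2 client simply presents the token, so its security rests entirely on the channel and on the state check during the redirect.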


OAuth 2
Demo: a server application that uses the JAX-RS client to get and show the Google tasks of any user who authorizes the application


Resources
Securing JAX-RS Resources
https://jersey.java.net/documentation/latest/security.html#d0e8866
Entity Filtering in Jersey
https://jersey.java.net/documentation/latest/entity-filtering.html
https://github.com/jersey/jersey/tree/master/examples/entity-filtering
OAuth specification
http://tools.ietf.org/html/rfc5849
http://tools.ietf.org/html/rfc6749
OAuth 2 sample
https://github.com/jersey/jersey/tree/master/examples/oauth2-client-google-webapp
Jersey
http://jersey.java.net


Questions & Answers
