Miroslav Fuksa (software developer)
Michal Gajdoš (software developer)
Program Agenda
Introduction to JAX-RS and Security
Declarative Security and Entity Filtering
Client Security
OAuth 1
OAuth 2
Introduction
RESTful Web Services
Representational State Transfer
Using HTTP methods GET, POST, DELETE ...
representations (HTML, JSON, XML), URI, caching, stateless
JAX-RS: Java API for RESTful Services
JAX-RS 2.0 (JSR 339): Java EE 7, released in May 2013
Reference implementation: Jersey 2
Introduction
http://my-univeristy.com/api/student/
import javax.ws.rs.*;
@Path("student")
public class StudentResource {
    @GET
    @Path("{id}")
    @Produces("application/json")
    public String get(@PathParam("id") String id) {
        return "{\"id\":\"" + id + "\"}"; // placeholder body; the lookup is not shown on the slide
    }
}
GET http://my-univeristy.com/api/student/adam
POST http://my-univeristy.com/api/student
Introduction
JAX-RS 2.0
JAX-RS 2.0 (JSR 339, part of Java EE 7, released in May 2013)
Client API
Asynchronous processing
Filters
Interceptors
Introduction
Security
Authentication
HTTP Basic Authentication (BASE64-encoded username and password, requires SSL)
HTTP Digest Authentication (password is used only for signature, MD5)
Authorization
<security-constraint>
  <web-resource-collection>
    <url-pattern>/student/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <!-- the web-resource-collection of this second constraint is not shown on the slide -->
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
http://my-univeristy.com/api/students/{id}
Disadvantages
only for servlet containers
fragile, verbose, hard to maintain
Pre-matching filters
Pre-matching filters
(figure: a pre-matching filter turns PUT http://my-univeristy.com/api/student into POST http://my-univeristy.com/api/student before resource matching takes place)
RolesAllowedDynamicFeature.
Want:
Define access to resources.
Restrict access to entities / entity members for different user roles.
Client Security
SSL with JAX-RS support
JAX-RS 2.0 defines support for SSL configuration
javax.ws.rs.client.ClientBuilder
KeyStore, TrustStore, SSLContext
Client Security
SslConfigurator
import javax.net.ssl.SSLContext;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import org.glassfish.jersey.SslConfigurator;

SslConfigurator sslConfig = SslConfigurator.newInstance()
        .trustStoreFile("./truststore_client")
        .trustStorePassword("pwds65df4")   // sample store passwords as given on the slide
        .keyStoreFile("./keystore_client")
        .keyPassword("sf564fsds");
SSLContext sslContext = sslConfig.createSSLContext();
Client client = ClientBuilder.newBuilder()
        .sslContext(sslContext).build();
Client Security
HTTP Authentication
ClientRequestFilter and ClientResponseFilter
Jersey HttpAuthenticationFeature
Basic, Digest, Universal
OAuth 1
OAuth: introduction
(figure showing the Resource owner, the Consumer and the Service Provider, labelled with username/password)
OAuth
Motivation
I want to give a consumer (3rd party application) access to my account
Give Consumer my password
Revoking access
Password change
Limit access (different authorization rules)
Trust
OAuth
Motivation
With OAuth:
No sharing of the resource owner's password
Resource owner can revoke access at any time
Limited access
User friendly process of issuing tokens (Authorization Process/Flow)
OAuth1
Details
IETF OAuth 1.0 (RFC 5849)
Previous community version 1.0 and 1.0a
secret keys
Authorization process (flow)
Process of granting access to the consumer
Authenticated requests
Consumer calls REST APIs using OAuth signatures
(figure: OAuth 1 authorization flow between the Resource owner and the Consumer)
1 Request Token
2 Authorization Request
3 Resource owner authorization
4 Authorization Response
5 Access Token
OAuth1
Summary
Secure
Signatures
Secret keys (consumer secret, request and access token secret)
nonce, timestamp
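As an added example (not code from the slides or from Jersey), the HMAC-SHA1 signing scheme this summary refers to, written in Python with constructed sample values (SAMPLE_URL, SAMPLE_PARAMS and the secrets are made up): the consumer builds the RFC 5849 signature base string from the method, URL and parameters and signs it with the consumer and token secrets; the service provider recomputes the signature, compares it in constant time and rejects a replayed timestamp/nonce pair.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse
# Constructed sample request; the host is the one used throughout the slides.
SAMPLE_URL = "http://my-univeristy.com/api/student/adam?format=json"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "consumer-key", "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1400000000",
    "oauth_token": "access-token", "oauth_version": "1.0",
}

def oauth_encode(s):
    # RFC 5849 3.6: percent-encode everything except the unreserved characters.
    return quote(s, safe="-._~")

def signature_base_string(method, url, params):
    # RFC 5849 3.4.1: METHOD & enc(base URL) & enc(sorted encoded parameters),
    # including query-string parameters but never oauth_signature itself.
    u = urlparse(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = list(parse_qsl(u.query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # RFC 5849 3.4.2: the HMAC key is enc(consumer secret) & enc(token secret).
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, oauth_params, consumer_secret, token_secret=""):
    # Consumer side: add oauth_signature to the protocol parameters.
    base = signature_base_string(method, url, oauth_params)
    return dict(oauth_params, oauth_signature=hmac_sha1_signature(base, consumer_secret, token_secret))

def verify_request(method, url, received, consumer_secret, token_secret="", seen_nonces=None):
    # Service provider side: recompute over everything except oauth_signature, compare
    # in constant time, and reject a replayed (timestamp, nonce) pair if a store is given.
    params = {k: v for k, v in received.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, received.get("oauth_signature", "")):
        return False
    if seen_nonces is not None:
        replay_key = (params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if replay_key in seen_nonces:
            return False
        seen_nonces.add(replay_key)
    return True
```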
OAuth 2
OAuth 2
Introduction
WRAP (Web Resource Authorization Protocol)
OAuth 2.0 (IETF, RFC 6749), released in October 2012
Not backward compatible, framework (not protocol)
Does not require signatures (bearer token); relies on SSL
Authorization flows
Authorization Code Grant (refresh token)
Implicit Grant (e.g. JavaScript client), Resource Owner Password
OAuth 2
Compared to OAuth 1
Easier implementation
OAuth 1.0a is not easy to implement
Security concerns
no signatures and no secret keys (risk of exposing tokens)
reliance on SSL
use of authorization flows with limited security
OAuth
Jersey and OAuth
OAuth 1.0a: client and server
OAuth 2: client (Authorization Code Grant)
Client OAuth support:
Authorization Flow: standalone utility
Authenticated requests (Features => Filters)
OAuth 2
Demo
server application that uses JAX-RS client to get and show Google
Resources
Securing JAX-RS Resources
https://jersey.java.net/documentation/latest/security.html#d0e8866
Entity Filtering in Jersey
https://jersey.java.net/documentation/latest/entity-filtering.html
https://github.com/jersey/jersey/tree/master/examples/entity-filtering
OAuth specification
http://tools.ietf.org/html/rfc5849
http://tools.ietf.org/html/rfc6749
OAuth 2 sample
https://github.com/jersey/jersey/tree/master/examples/oauth2-client-google-webapp
Jersey
http://jersey.java.net