State of Securing Restful APIs s12gx2015

R
robwinch
SPRINGONE2GX WASHINGTON, DC Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ The State of Securing RESTful APIs with Spring By Rob Winch @rob_winch
State of Securing Restful APIs s12gx2015
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication 3
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Naïve approach… 4 https://api.example.com? username=rob&password=secret
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ “ Come on Bender. It's up to you to make your own decisions in life. That's what's separates people and robots from animals .. and animal robots! Fry Futurama 5
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RFC-7231 Sensitive Information 6 “ Authors of services ought to avoid GET- based forms for the submission of sensitive data … - RFC-7231: Section 9.4
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Basic Authentication 7
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Basic Authentication 8
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Digest Authentication 9
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Digest Authentication 10
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Digest Authentication 11
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Transport Layer Security (TLS) •  Confidentiality •  Integrity 12
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 13 13
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Checking TLS https://www.ssllabs.com/ssltest/ https://shaaaaaaaaaaaaa.com/ 14
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TLS Performance •  Computational overhead •  Latency overhead •  Cache 15
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 16 “On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. -  Adam Langley, Google https://goo.gl/IYJrqv
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 17 “We have found that modern software-based TLS implementations running on commodity CPUs are fast enough to handle heavy HTTPS traffic load without needing to resort to dedicated cryptographic hardware. -  Doug Beaver, Facebook https://goo.gl/pf8Xwh
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 18 “HTTP keepalives and session resumption mean that most requests do not require a full handshake, so handshake operations do not dominate our CPU usage. - Jacob Hoffman-Andrews, Twitter https://goo.gl/Re0ijb
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TLS Optimize •  TLS Resumption •  Latency •  Online Certificate Status Protocol (OCSP) •  Cloudflare 19
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Optimizing TLS Is TLS Fast Yet.com 20
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ HTTP Basic over HTTPS? 21 oclHashcat Hash Type Speed SHA1 42.408 Bh/s SHA256 16.904 Bh/s SHA512 5.2 Bh/s Ubuntu 14.04, 64 bit ForceWare 346.29 X NVidia Titan X
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Introduce Session 22 username=winch&name=Rob+Winch
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Encrypting the Session 23 Base64(IV, 
 aes_cbc(k,IV,plainText))
 •  k – a secret key only known to server •  aes_cbc – encrypts the plainText using AES/CBC with the provided IV •  plainText – format of username=winch&name=Rob+Winch
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Your handwriting is atrocious, not encrypted 24
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Introduce Session username=winch&name=Rob+Winch username=admin&name=Rob+Winch Can change [1] properly encrypted value below: To have the following Plaintext 25 [1] https://goo.gl/2Uio0W
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 26 2:03 PM - 27 Jul 2015 https://goo.gl/Hs383Z
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 27 10:54 AM - 28 May 2015 https://goo.gl/ZbP9Yp
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ JWT Header {"alg":"HS256","typ":"JWT"} 28
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ “… each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. - Roy Fielding, Architectural Styles and the Design of Network-based Software Architectures http://goo.gl/MzVy0V 30
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Representational STATE transfer “… session state can be transferred by the server to another service such as a database to maintain a persistent state for a period and allow authentication -  Wikipedia http://goo.gl/bd33t7 31
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 32
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Code Slide 33 public interface HttpSession { … }
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 34
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Customizing the Cookie 35 <session-config>
 <cookie-config> <name>SESSION</name> </cookie-config> </session-config>
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 36 @Configuration @EnableRedisHttpSession public class Config { @Bean public JedisConnectionFactory connectionFactory() { return new JedisConnectionFactory(); } }
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 37 public class Initializer extends AbstractHttpSessionApplicationInitializer { public Initializer() { super(Config.class); } }
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 38 public class Initializer extends AbstractHttpSessionApplicationInitializer { public Initializer() { super(Config.class); } }
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 39 <filter> <filter-name> springSessionRepositoryFilter </filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSessionRepositoryFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 40
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DEMO Spring Session 41
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ SessionRepositoryFilter 42 public void doFilter(ServletRequest req, 
 ServletResponse resp, FilterChain chain { ServletRequest request = new SessionRepositoryRequestWrapper(req); … chain.doFilter(request, response); }
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ SessionRepositoryRequestWrapper 43 public HttpSession getSession() { // return custom HttpSession }
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OAuth 2.0? •  When working within a sandbox •  Limiting liability 44
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 45
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ http .authorizeRequests() .antMatchers("/public/**").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") .anyRequest().authenticated() Authorization 46
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authorization 47 @PostAuthorize("returnObject?.to?.id == principal.id") Message findOne(Long id);
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authorization 48 @PreAuthorize("#message?.from?.id == principal.id") <S extends Message> S save(Message message);
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Permissions 49 @PostAuthorize("hasPermission(returnObject,'read')") Message findOne(Long id);
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Permissions 50 @PreAuthorize("hasPermission(#message,’write')") <S extends Message> S save(Message message);
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 51 public interface PermissionEvaluator … { boolean hasPermission(Authentication authentication, 
 Object targetDomainObject,
 Object permission); boolean hasPermission(Authentication authentication,
 Serializable targetId,
 String targetType, 
 Object permission); }
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Queries? 52 @Query("select m from Message m where m.to.id = ? #{principal.id}")
 Iterable<Message> inbox();
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Queries? 53 @Query("select m from Message m where m.to.id = ? #{principal.id}")
 Page<Message> inbox(Pageable pageable);
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Future Work? 54 @EnableAclSecurity
 public interface SecuredMessageRepository 
 extends MessageRepository {} // Vote for it! DATACMNS-293 SEC-2409
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DEMO CSRF 55
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 56
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 57
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 58
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “When do I use CSRF protection? 59
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “... but my application uses JSON 60
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 61 <form ... method="post" enctype="text/plain"> <input type='hidden' name=’{"summary":"Hi", … "ignore_me":"' value='test"}' 
 /> </form>
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 62 {
 "summary": "Hi", "message": "New Message", "to": "luke@example.com", "ignore_me": "=test" }
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “… but my application is stateless 63
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 64
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “…and I use a custom header for authentication and ignore cookies 65
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection •  Use proper HTTP Verbs •  Configure CSRF Protection •  Include the CSRF Token 66
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Including the CSRF Token 67 @RequestMapping("/csrf”)
 public CsrfToken csrf(CsrfToken token) { return token; }
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DEMO Clickjacking 68
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Security HTTP Response Headers 69
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Security HTTP Response Headers 70
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Security HTTP Response Headers 71
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Related Talks •  Hands on Spring Security 4.1 – Wed at 8:30am •  Spring MVC 4.2: New and Noteworthy – Wed at 10:30am •  A How to Guide to Security in the PAAS Cloud – Wed at 4:30pm •  Securing Microservices with Spring Cloud Security – Thurs at 10:30am 72
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Learn More. Stay Connected. •  Use TLS •  Authentication Should Have State •  Use Proper Authorization •  Use a Framework Because Individuals Cannot Provide Good Security Twitter: @rob_winch YouTube: spring.io/video LinkedIn: spring.io/linkedin Google Plus: spring.io/gplus 73
1 of 73

State of Securing Restful APIs s12gx2015

Download to read offline
Software

The many benefits of a RESTful architecture has made it the standard way in which to design web based APIs. For example, the principles of REST state that we should leverage standard HTTP verbs which helps to keep our APIs simple. Server components that are considered RESTFul should be stateless which help to ensure that they can easily scale. We can leverage caching to gain further performance and scalability benefits. However, the best practices of REST and security often seem to clash. How should a user be authenticated in a stateless application? How can a secured resource also support caching? Securing RESTful endpoints is further complicated by the the fact that security best practices evolve so rapidly. In this talk Rob will discuss how to properly secure your RESTful endpoints. Along the way we will explore some common pitfalls when applying security to RESTful APIs. Finally, we will see how the new features in Spring Security can greatly simplify securing your RESTful APIs.

R
robwinch

Recommended

Reactive Web Applications by
Reactive Web ApplicationsReactive Web Applications
Reactive Web ApplicationsRossen Stoyanchev
9K views52 slides
Intro To Reactive Programming by
Intro To Reactive ProgrammingIntro To Reactive Programming
Intro To Reactive ProgrammingRossen Stoyanchev
1.3K views81 slides
Resource Handling in Spring MVC 4.1 by
Resource Handling in Spring MVC 4.1Resource Handling in Spring MVC 4.1
Resource Handling in Spring MVC 4.1Rossen Stoyanchev
14.1K views45 slides
Reactor 3.0, a reactive foundation for java 8 and Spring by
Reactor 3.0, a reactive foundation for java 8 and SpringReactor 3.0, a reactive foundation for java 8 and Spring
Reactor 3.0, a reactive foundation for java 8 and SpringStéphane Maldini
6.9K views90 slides
Introduction to Reactive Streams and Reactor 2.5 by
Introduction to Reactive Streams and Reactor 2.5Introduction to Reactive Streams and Reactor 2.5
Introduction to Reactive Streams and Reactor 2.5Stéphane Maldini
1.4K views40 slides
Intro to Reactive Programming by
Intro to Reactive ProgrammingIntro to Reactive Programming
Intro to Reactive ProgrammingStéphane Maldini
16.5K views81 slides

More Related Content

What's hot

High performance stream processing by
High performance stream processingHigh performance stream processing
High performance stream processingGlenn Renfro
224 views62 slides
Reactive frontends with RxJS and Angular by
Reactive frontends with RxJS and AngularReactive frontends with RxJS and Angular
Reactive frontends with RxJS and AngularVMware Tanzu
1.3K views44 slides
Under the Hood of Reactive Data Access (1/2) by
Under the Hood of Reactive Data Access (1/2)Under the Hood of Reactive Data Access (1/2)
Under the Hood of Reactive Data Access (1/2)VMware Tanzu
359 views27 slides
Under the Hood of Reactive Data Access (2/2) by
Under the Hood of Reactive Data Access (2/2)Under the Hood of Reactive Data Access (2/2)
Under the Hood of Reactive Data Access (2/2)VMware Tanzu
167 views33 slides
Data Migration at Scale with RabbitMQ and Spring Integration by
Data Migration at Scale with RabbitMQ and Spring IntegrationData Migration at Scale with RabbitMQ and Spring Integration
Data Migration at Scale with RabbitMQ and Spring IntegrationAlvaro Videla
2.4K views53 slides
Building Highly Scalable Spring Applications using In-Memory Data Grids by
Building Highly Scalable Spring Applications using In-Memory Data GridsBuilding Highly Scalable Spring Applications using In-Memory Data Grids
Building Highly Scalable Spring Applications using In-Memory Data GridsJohn Blum
493 views48 slides

What's hot(20)

High performance stream processing by Glenn Renfro
High performance stream processingHigh performance stream processing
High performance stream processing
Glenn Renfro224 views
Reactive frontends with RxJS and Angular by VMware Tanzu
Reactive frontends with RxJS and AngularReactive frontends with RxJS and Angular
Reactive frontends with RxJS and Angular
VMware Tanzu1.3K views
Under the Hood of Reactive Data Access (1/2) by VMware Tanzu
Under the Hood of Reactive Data Access (1/2)Under the Hood of Reactive Data Access (1/2)
Under the Hood of Reactive Data Access (1/2)
VMware Tanzu359 views
Under the Hood of Reactive Data Access (2/2) by VMware Tanzu
Under the Hood of Reactive Data Access (2/2)Under the Hood of Reactive Data Access (2/2)
Under the Hood of Reactive Data Access (2/2)
VMware Tanzu167 views
Data Migration at Scale with RabbitMQ and Spring Integration by Alvaro Videla
Data Migration at Scale with RabbitMQ and Spring IntegrationData Migration at Scale with RabbitMQ and Spring Integration
Data Migration at Scale with RabbitMQ and Spring Integration
Alvaro Videla2.4K views
Building Highly Scalable Spring Applications using In-Memory Data Grids by John Blum
Building Highly Scalable Spring Applications using In-Memory Data GridsBuilding Highly Scalable Spring Applications using In-Memory Data Grids
Building Highly Scalable Spring Applications using In-Memory Data Grids
John Blum493 views
P to V to C: The Value of Bringing “Everything” to Containers by VMware Tanzu
P to V to C: The Value of Bringing “Everything” to ContainersP to V to C: The Value of Bringing “Everything” to Containers
P to V to C: The Value of Bringing “Everything” to Containers
VMware Tanzu250 views
New in Spring Framework 5.0: Functional Web Framework by VMware Tanzu
New in Spring Framework 5.0: Functional Web FrameworkNew in Spring Framework 5.0: Functional Web Framework
New in Spring Framework 5.0: Functional Web Framework
VMware Tanzu242 views
Modern messaging with RabbitMQ, Spring Cloud and Reactor by acogoluegnes
Modern messaging with RabbitMQ, Spring Cloud and ReactorModern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and Reactor
acogoluegnes148 views
Developing rich multimedia applications with Kurento: a tutorial for Java Dev... by Luis Lopez
Developing rich multimedia applications with Kurento: a tutorial for Java Dev...Developing rich multimedia applications with Kurento: a tutorial for Java Dev...
Developing rich multimedia applications with Kurento: a tutorial for Java Dev...
Luis Lopez7.6K views
Consumer Driven Contracts and Your Microservice Architecture by VMware Tanzu
Consumer Driven Contracts and Your Microservice ArchitectureConsumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice Architecture
VMware Tanzu531 views
RDBMS and Apache Geode Data Movement: Low Latency ETL Pipeline By Using Cloud... by VMware Tanzu
RDBMS and Apache Geode Data Movement: Low Latency ETL Pipeline By Using Cloud...RDBMS and Apache Geode Data Movement: Low Latency ETL Pipeline By Using Cloud...
RDBMS and Apache Geode Data Movement: Low Latency ETL Pipeline By Using Cloud...
VMware Tanzu1.1K views
WebRTC infrastructures in the large (with experiences on real cloud deployments) by Luis Lopez
WebRTC infrastructures in the large (with experiences on real cloud deployments)WebRTC infrastructures in the large (with experiences on real cloud deployments)
WebRTC infrastructures in the large (with experiences on real cloud deployments)
Luis Lopez2.5K views
Reactive Applications on Apache Tomcat and Servlet 3.1 containers by VMware Tanzu
Reactive Applications on Apache Tomcat and Servlet 3.1 containersReactive Applications on Apache Tomcat and Servlet 3.1 containers
Reactive Applications on Apache Tomcat and Servlet 3.1 containers
VMware Tanzu4.7K views
Implementing a WebRTC endpoint in GStreamer: challenges, problems and perspec... by Luis Lopez
Implementing a WebRTC endpoint in GStreamer: challenges, problems and perspec...Implementing a WebRTC endpoint in GStreamer: challenges, problems and perspec...
Implementing a WebRTC endpoint in GStreamer: challenges, problems and perspec...
Luis Lopez5.4K views
WebRTC/Kurento/NUBOMEDIA Hackathon at IETF’96 by Boni García
WebRTC/Kurento/NUBOMEDIA Hackathon at IETF’96WebRTC/Kurento/NUBOMEDIA Hackathon at IETF’96
WebRTC/Kurento/NUBOMEDIA Hackathon at IETF’96
Boni García532 views
Implementing Raft in RabbitMQ by VMware Tanzu
Implementing Raft in RabbitMQImplementing Raft in RabbitMQ
Implementing Raft in RabbitMQ
VMware Tanzu4.6K views
NUBOMEDIA Webinar by Boni García
NUBOMEDIA WebinarNUBOMEDIA Webinar
NUBOMEDIA Webinar
Boni García431 views
8 pre launch steps to go with the web rtc based application development by MoonTechnolabsPvtLtd
8 pre launch steps to go with the web rtc based application development8 pre launch steps to go with the web rtc based application development
8 pre launch steps to go with the web rtc based application development
MoonTechnolabsPvtLtd58 views
NUBOMEDIA: an Elastic PaaS Enabling the Convergence of Real-Time and Big Data... by Boni García
NUBOMEDIA: an Elastic PaaS Enabling the Convergence of Real-Time and Big Data...NUBOMEDIA: an Elastic PaaS Enabling the Convergence of Real-Time and Big Data...
NUBOMEDIA: an Elastic PaaS Enabling the Convergence of Real-Time and Big Data...
Boni García188 views

Viewers also liked

Container sig#1 ansible-container by
Container sig#1 ansible-containerContainer sig#1 ansible-container
Container sig#1 ansible-containerNaoya Hashimoto
2.9K views22 slides
楽しくて病みつきになるゲームジャムのススメ by
楽しくて病みつきになるゲームジャムのススメ楽しくて病みつきになるゲームジャムのススメ
楽しくて病みつきになるゲームジャムのススメHiroki Omae
22.4K views45 slides
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA by
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
6.4K views89 slides
Linux Kernel Booting Process (1) - For NLKB by
Linux Kernel Booting Process (1) - For NLKBLinux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKBshimosawa
12.5K views73 slides
Spring Framework - Web Flow by
Spring Framework - Web FlowSpring Framework - Web Flow
Spring Framework - Web FlowDzmitry Naskou
8.3K views58 slides

Viewers also liked(20)

Container sig#1 ansible-container by Naoya Hashimoto
Container sig#1 ansible-containerContainer sig#1 ansible-container
Container sig#1 ansible-container
Naoya Hashimoto2.9K views
楽しくて病みつきになるゲームジャムのススメ by Hiroki Omae
楽しくて病みつきになるゲームジャムのススメ楽しくて病みつきになるゲームジャムのススメ
楽しくて病みつきになるゲームジャムのススメ
Hiroki Omae22.4K views
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA by Will Tran
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran6.4K views
スペクトル分布(白熱電球、蛍光灯、LED照明) by 施設の省エネ 電気料金削減節電方法をわかりやすく解説するブログ|ゼロエネルギー支援グログ
スペクトル分布(白熱電球、蛍光灯、LED照明)スペクトル分布(白熱電球、蛍光灯、LED照明)
スペクトル分布(白熱電球、蛍光灯、LED照明)
施設の省エネ 電気料金削減節電方法をわかりやすく解説するブログ|ゼロエネルギー支援グログ21.5K views
Linux Kernel Booting Process (1) - For NLKB by shimosawa
Linux Kernel Booting Process (1) - For NLKBLinux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKB
shimosawa12.5K views
Spring Framework - Web Flow by Dzmitry Naskou
Spring Framework - Web FlowSpring Framework - Web Flow
Spring Framework - Web Flow
Dzmitry Naskou8.3K views
HTTP2 時代の Web - web over http2 by Jxck Jxck
HTTP2 時代の Web - web over http2HTTP2 時代の Web - web over http2
HTTP2 時代の Web - web over http2
Jxck Jxck48.1K views
Servlet 4.0 at GeekOut 2015 by Edward Burns
Servlet 4.0 at GeekOut 2015Servlet 4.0 at GeekOut 2015
Servlet 4.0 at GeekOut 2015
Edward Burns19.3K views
Kafka Security by DataWorks Summit/Hadoop Summit
Kafka SecurityKafka Security
Kafka Security
DataWorks Summit/Hadoop Summit2.6K views
Consumer Driven Contracts and Your Microservice Architecture @ Warsaw JUG by Marcin Grzejszczak
Consumer Driven Contracts and Your Microservice Architecture @ Warsaw JUGConsumer Driven Contracts and Your Microservice Architecture @ Warsaw JUG
Consumer Driven Contracts and Your Microservice Architecture @ Warsaw JUG
Marcin Grzejszczak1.2K views
Spring by NarayanaMurthy Ganashree
SpringSpring
Spring
NarayanaMurthy Ganashree277 views
FiNC DDD第一回勉強会 by 裕紀 重村
FiNC DDD第一回勉強会FiNC DDD第一回勉強会
FiNC DDD第一回勉強会
裕紀 重村12.3K views
Resilience with Hystrix by Uwe Friedrichsen
Resilience with HystrixResilience with Hystrix
Resilience with Hystrix
Uwe Friedrichsen21.8K views
Spring Framework - Spring Security by Dzmitry Naskou
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
Dzmitry Naskou23.5K views
親に知ってほしい受験勉強 by Tomoaki Nishikawa
親に知ってほしい受験勉強親に知ってほしい受験勉強
親に知ってほしい受験勉強
Tomoaki Nishikawa195K views
MMORPGで考えるレベルデザイン by Katsumi Mizushima
MMORPGで考えるレベルデザインMMORPGで考えるレベルデザイン
MMORPGで考えるレベルデザイン
Katsumi Mizushima53.9K views
Event Driven Microservices with Spring Cloud Stream #jjug_ccc #ccc_ab3 by Toshiaki Maki
Event Driven Microservices with Spring Cloud Stream #jjug_ccc #ccc_ab3Event Driven Microservices with Spring Cloud Stream #jjug_ccc #ccc_ab3
Event Driven Microservices with Spring Cloud Stream #jjug_ccc #ccc_ab3
Toshiaki Maki18.3K views
大規模データに対するデータサイエンスの進め方 #CWT2016 by Cloudera Japan
大規模データに対するデータサイエンスの進め方 #CWT2016大規模データに対するデータサイエンスの進め方 #CWT2016
大規模データに対するデータサイエンスの進め方 #CWT2016
Cloudera Japan19.5K views
API_Extended_Catalog_EN by Leser UK
API_Extended_Catalog_ENAPI_Extended_Catalog_EN
API_Extended_Catalog_EN
Leser UK649 views
最新のデータベース技術の方向性で思うこと by Masayoshi Hagiwara
最新のデータベース技術の方向性で思うこと最新のデータベース技術の方向性で思うこと
最新のデータベース技術の方向性で思うこと
Masayoshi Hagiwara6.5K views

Similar to State of Securing Restful APIs s12gx2015

Lattice: A Cloud-Native Platform for Your Spring Applications by
Lattice: A Cloud-Native Platform for Your Spring ApplicationsLattice: A Cloud-Native Platform for Your Spring Applications
Lattice: A Cloud-Native Platform for Your Spring ApplicationsMatt Stine
2.2K views53 slides
Spring Cloud Gateway - Stéphane Maldini by
Spring Cloud Gateway - Stéphane MaldiniSpring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniVMware Tanzu
885 views57 slides
Spring Cloud Gateway by
Spring Cloud GatewaySpring Cloud Gateway
Spring Cloud GatewayStéphane Maldini
308 views57 slides
Cloud-Native Streaming Platform: Running Apache Kafka on PKS (Pivotal Contain... by
Cloud-Native Streaming Platform: Running Apache Kafka on PKS (Pivotal Contain...Cloud-Native Streaming Platform: Running Apache Kafka on PKS (Pivotal Contain...
Cloud-Native Streaming Platform: Running Apache Kafka on PKS (Pivotal Contain...VMware Tanzu
475 views93 slides
Zuul @ Netflix SpringOne Platform by
Zuul @ Netflix SpringOne PlatformZuul @ Netflix SpringOne Platform
Zuul @ Netflix SpringOne PlatformMikey Cohen - Hiring Amazing Engineers
32.8K views72 slides
Implementing microservices tracing with spring cloud and zipkin (spring one) by
Implementing microservices tracing with spring cloud and zipkin (spring one)Implementing microservices tracing with spring cloud and zipkin (spring one)
Implementing microservices tracing with spring cloud and zipkin (spring one)Reshmi Krishna
20.7K views55 slides

Similar to State of Securing Restful APIs s12gx2015(20)

Lattice: A Cloud-Native Platform for Your Spring Applications by Matt Stine
Lattice: A Cloud-Native Platform for Your Spring ApplicationsLattice: A Cloud-Native Platform for Your Spring Applications
Lattice: A Cloud-Native Platform for Your Spring Applications
Matt Stine2.2K views
Spring Cloud Gateway - Stéphane Maldini by VMware Tanzu
Spring Cloud Gateway - Stéphane MaldiniSpring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane Maldini
VMware Tanzu885 views
Spring Cloud Gateway by Stéphane Maldini
Spring Cloud GatewaySpring Cloud Gateway
Spring Cloud Gateway
Stéphane Maldini308 views
Cloud-Native Streaming Platform: Running Apache Kafka on PKS (Pivotal Contain... by VMware Tanzu
Cloud-Native Streaming Platform: Running Apache Kafka on PKS (Pivotal Contain...Cloud-Native Streaming Platform: Running Apache Kafka on PKS (Pivotal Contain...
Cloud-Native Streaming Platform: Running Apache Kafka on PKS (Pivotal Contain...
VMware Tanzu475 views
Zuul @ Netflix SpringOne Platform by Mikey Cohen - Hiring Amazing Engineers
Zuul @ Netflix SpringOne PlatformZuul @ Netflix SpringOne Platform
Zuul @ Netflix SpringOne Platform
Mikey Cohen - Hiring Amazing Engineers32.8K views
Implementing microservices tracing with spring cloud and zipkin (spring one) by Reshmi Krishna
Implementing microservices tracing with spring cloud and zipkin (spring one)Implementing microservices tracing with spring cloud and zipkin (spring one)
Implementing microservices tracing with spring cloud and zipkin (spring one)
Reshmi Krishna20.7K views
Cloud Native Java with Spring Cloud Services by VMware Tanzu
Cloud Native Java with Spring Cloud ServicesCloud Native Java with Spring Cloud Services
Cloud Native Java with Spring Cloud Services
VMware Tanzu2.1K views
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve... by cornelia davis
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
cornelia davis1.6K views
Securing Microservices with Spring Cloud Security by Will Tran
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud Security
Will Tran1.7K views
Spring Cloud Gateway - Ryan Baxter by VMware Tanzu
Spring Cloud Gateway - Ryan BaxterSpring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan Baxter
VMware Tanzu420 views
Spring Cloud Gateway - Ryan Baxter by VMware Tanzu
Spring Cloud Gateway - Ryan BaxterSpring Cloud Gateway - Ryan Baxter
Spring Cloud Gateway - Ryan Baxter
VMware Tanzu393 views
S1P: Spring Cloud on PKS by Mauricio (Salaboy) Salatino
S1P: Spring Cloud on PKSS1P: Spring Cloud on PKS
S1P: Spring Cloud on PKS
Mauricio (Salaboy) Salatino1K views
SpringOne2GX 2014 Splunk Presentation by Damien Dallimore
SpringOne2GX 2014 Splunk PresentationSpringOne2GX 2014 Splunk Presentation
SpringOne2GX 2014 Splunk Presentation
Damien Dallimore1.1K views
It’s a Multi-Cloud World, But What About The Data? by VMware Tanzu
It’s a Multi-Cloud World, But What About The Data?It’s a Multi-Cloud World, But What About The Data?
It’s a Multi-Cloud World, But What About The Data?
VMware Tanzu280 views
SpringOnePlatform2017 recap by minseok kim
SpringOnePlatform2017 recapSpringOnePlatform2017 recap
SpringOnePlatform2017 recap
minseok kim65 views
Continuous Delivery for Microservice Architectures with Concourse & Cloud Fou... by VMware Tanzu
Continuous Delivery for Microservice Architectures with Concourse & Cloud Fou...Continuous Delivery for Microservice Architectures with Concourse & Cloud Fou...
Continuous Delivery for Microservice Architectures with Concourse & Cloud Fou...
VMware Tanzu1.3K views
Connecting All Abstractions with Istio by VMware Tanzu
Connecting All Abstractions with IstioConnecting All Abstractions with Istio
Connecting All Abstractions with Istio
VMware Tanzu2.3K views
Developing Real-Time Data Pipelines with Apache Kafka by Joe Stein
Developing Real-Time Data Pipelines with Apache KafkaDeveloping Real-Time Data Pipelines with Apache Kafka
Developing Real-Time Data Pipelines with Apache Kafka
Joe Stein2.7K views
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve... by VMware Tanzu
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps - What EXACTLY Does that Mean for Spring Deve...
VMware Tanzu2.2K views
Living on the Edge With Spring Cloud Gateway - Cora Iberkleid by VMware Tanzu
Living on the Edge With Spring Cloud Gateway - Cora IberkleidLiving on the Edge With Spring Cloud Gateway - Cora Iberkleid
Living on the Edge With Spring Cloud Gateway - Cora Iberkleid
VMware Tanzu518 views

Recently uploaded

Generic or specific? Making sensible software design decisions by
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsBert Jan Schrijver
6 views60 slides
ShortStory_qlora.pptx by
ShortStory_qlora.pptxShortStory_qlora.pptx
ShortStory_qlora.pptxpranathikrishna22
5 views10 slides
Agile 101 by
Agile 101Agile 101
Agile 101John Valentino
9 views20 slides
EV Charging App Case by
EV Charging App Case EV Charging App Case
EV Charging App Case iCoderz Solutions
8 views1 slide
FIMA 2023 Neo4j & FS - Entity Resolution.pptx by
FIMA 2023 Neo4j & FS - Entity Resolution.pptxFIMA 2023 Neo4j & FS - Entity Resolution.pptx
FIMA 2023 Neo4j & FS - Entity Resolution.pptxNeo4j
12 views26 slides
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with... by
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...sparkfabrik
8 views46 slides

Recently uploaded(20)

Generic or specific? Making sensible software design decisions by Bert Jan Schrijver
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
Bert Jan Schrijver6 views
ShortStory_qlora.pptx by pranathikrishna22
ShortStory_qlora.pptxShortStory_qlora.pptx
ShortStory_qlora.pptx
pranathikrishna225 views
Agile 101 by John Valentino
Agile 101Agile 101
Agile 101
John Valentino9 views
EV Charging App Case by iCoderz Solutions
EV Charging App Case EV Charging App Case
EV Charging App Case
iCoderz Solutions8 views
FIMA 2023 Neo4j & FS - Entity Resolution.pptx by Neo4j
FIMA 2023 Neo4j & FS - Entity Resolution.pptxFIMA 2023 Neo4j & FS - Entity Resolution.pptx
FIMA 2023 Neo4j & FS - Entity Resolution.pptx
Neo4j12 views
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with... by sparkfabrik
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
sparkfabrik8 views
Introduction to Maven by John Valentino
Introduction to MavenIntroduction to Maven
Introduction to Maven
John Valentino6 views
Using Qt under LGPL-3.0 by Burkhard Stubert
Using Qt under LGPL-3.0Using Qt under LGPL-3.0
Using Qt under LGPL-3.0
Burkhard Stubert12 views
The Era of Large Language Models.pptx by AbdulVahedShaik
The Era of Large Language Models.pptxThe Era of Large Language Models.pptx
The Era of Large Language Models.pptx
AbdulVahedShaik7 views
predicting-m3-devopsconMunich-2023.pptx by Tier1 app
predicting-m3-devopsconMunich-2023.pptxpredicting-m3-devopsconMunich-2023.pptx
predicting-m3-devopsconMunich-2023.pptx
Tier1 app7 views
WebAssembly by Jens Siebert
WebAssemblyWebAssembly
WebAssembly
Jens Siebert52 views
360 graden fabriek by info33492
360 graden fabriek360 graden fabriek
360 graden fabriek
info33492138 views
Introduction to Git Source Control by John Valentino
Introduction to Git Source ControlIntroduction to Git Source Control
Introduction to Git Source Control
John Valentino5 views
HarshithAkkapelli_Presentation.pdf by harshithakkapelli
HarshithAkkapelli_Presentation.pdfHarshithAkkapelli_Presentation.pdf
HarshithAkkapelli_Presentation.pdf
harshithakkapelli12 views
Gen Apps on Google Cloud PaLM2 and Codey APIs in Action by Márton Kodok
Gen Apps on Google Cloud PaLM2 and Codey APIs in ActionGen Apps on Google Cloud PaLM2 and Codey APIs in Action
Gen Apps on Google Cloud PaLM2 and Codey APIs in Action
Márton Kodok11 views
SAP FOR TYRE INDUSTRY.pdf by Virendra Rai, PMP
SAP FOR TYRE INDUSTRY.pdfSAP FOR TYRE INDUSTRY.pdf
SAP FOR TYRE INDUSTRY.pdf
Virendra Rai, PMP27 views
Dev-HRE-Ops - Addressing the _Last Mile DevOps Challenge_ in Highly Regulated... by TomHalpin9
Dev-HRE-Ops - Addressing the _Last Mile DevOps Challenge_ in Highly Regulated...Dev-HRE-Ops - Addressing the _Last Mile DevOps Challenge_ in Highly Regulated...
Dev-HRE-Ops - Addressing the _Last Mile DevOps Challenge_ in Highly Regulated...
TomHalpin96 views
Programming Field by thehardtechnology
Programming FieldProgramming Field
Programming Field
thehardtechnology5 views
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx by animuscrm
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
animuscrm15 views
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P... by NimaTorabi2
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...
NimaTorabi215 views

State of Securing Restful APIs s12gx2015

  • 1. SPRINGONE2GX WASHINGTON, DC Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ The State of Securing RESTful APIs with Spring By Rob Winch @rob_winch
  • 3. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication 3
  • 4. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Naïve approach… 4 https://api.example.com? username=rob&password=secret
  • 5. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ “ Come on Bender. It's up to you to make your own decisions in life. That's what's separates people and robots from animals .. and animal robots! Fry Futurama 5
  • 6. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RFC-7231 Sensitive Information 6 “ Authors of services ought to avoid GET- based forms for the submission of sensitive data … - RFC-7231: Section 9.4
  • 7. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Basic Authentication 7
  • 8. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Basic Authentication 8
  • 9. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Digest Authentication 9
  • 10. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Digest Authentication 10
  • 11. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Digest Authentication 11
  • 12. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Transport Layer Security (TLS) •  Confidentiality •  Integrity 12
  • 13. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 13 13
  • 14. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Checking TLS https://www.ssllabs.com/ssltest/ https://shaaaaaaaaaaaaa.com/ 14
  • 15. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TLS Performance •  Computational overhead •  Latency overhead •  Cache 15
  • 16. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 16 “On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. -  Adam Langley, Google https://goo.gl/IYJrqv
  • 17. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 17 “We have found that modern software-based TLS implementations running on commodity CPUs are fast enough to handle heavy HTTPS traffic load without needing to resort to dedicated cryptographic hardware. -  Doug Beaver, Facebook https://goo.gl/pf8Xwh
  • 18. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 18 “HTTP keepalives and session resumption mean that most requests do not require a full handshake, so handshake operations do not dominate our CPU usage. - Jacob Hoffman-Andrews, Twitter https://goo.gl/Re0ijb
  • 19. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TLS Optimize •  TLS Resumption •  Latency •  Online Certificate Status Protocol (OCSP) •  Cloudflare 19
  • 20. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Optimizing TLS Is TLS Fast Yet.com 20
  • 21. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ HTTP Basic over HTTPS? 21 oclHashcat Hash Type Speed SHA1 42.408 Bh/s SHA256 16.904 Bh/s SHA512 5.2 Bh/s Ubuntu 14.04, 64 bit ForceWare 346.29 X NVidia Titan X
  • 22. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Introduce Session 22 username=winch&name=Rob+Winch
  • 23. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Encrypting the Session 23 Base64(IV, 
 aes_cbc(k,IV,plainText))
 •  k – a secret key only known to server •  aes_cbc – encrypts the plainText using AES/CBC with the provided IV •  plainText – format of username=winch&name=Rob+Winch
  • 24. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Your handwriting is atrocious, not encrypted 24
  • 25. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Introduce Session username=winch&name=Rob+Winch username=admin&name=Rob+Winch Can change [1] properly encrypted value below: To have the following Plaintext 25 [1] https://goo.gl/2Uio0W
  • 26. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 26 2:03 PM - 27 Jul 2015 https://goo.gl/Hs383Z
  • 27. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 27 10:54 AM - 28 May 2015 https://goo.gl/ZbP9Yp
  • 28. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ JWT Header {"alg":"HS256","typ":"JWT"} 28
  • 29. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
  • 30. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ “… each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. - Roy Fielding, Architectural Styles and the Design of Network-based Software Architectures http://goo.gl/MzVy0V 30
  • 31. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Representational STATE transfer “… session state can be transferred by the server to another service such as a database to maintain a persistent state for a period and allow authentication -  Wikipedia http://goo.gl/bd33t7 31
  • 32. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 32
  • 33. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Code Slide 33 public interface HttpSession { … }
  • 34. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 34
  • 35. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Customizing the Cookie 35 <session-config>
 <cookie-config> <name>SESSION</name> </cookie-config> </session-config>
  • 36. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 36 @Configuration @EnableRedisHttpSession public class Config { @Bean public JedisConnectionFactory connectionFactory() { return new JedisConnectionFactory(); } }
  • 37. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 37 public class Initializer extends AbstractHttpSessionApplicationInitializer { public Initializer() { super(Config.class); } }
  • 38. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 38 public class Initializer extends AbstractHttpSessionApplicationInitializer { public Initializer() { super(Config.class); } }
  • 39. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 39 <filter> <filter-name> springSessionRepositoryFilter </filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSessionRepositoryFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
  • 40. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 40
  • 41. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DEMO Spring Session 41
  • 42. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ SessionRepositoryFilter 42 public void doFilter(ServletRequest req, 
 ServletResponse resp, FilterChain chain { ServletRequest request = new SessionRepositoryRequestWrapper(req); … chain.doFilter(request, response); }
  • 43. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ SessionRepositoryRequestWrapper 43 public HttpSession getSession() { // return custom HttpSession }
  • 44. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OAuth 2.0? •  When working within a sandbox •  Limiting liability 44
  • 45. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 45
  • 46. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ http .authorizeRequests() .antMatchers("/public/**").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") .anyRequest().authenticated() Authorization 46
  • 47. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authorization 47 @PostAuthorize("returnObject?.to?.id == principal.id") Message findOne(Long id);
  • 48. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authorization 48 @PreAuthorize("#message?.from?.id == principal.id") <S extends Message> S save(Message message);
  • 49. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Permissions 49 @PostAuthorize("hasPermission(returnObject,'read')") Message findOne(Long id);
  • 50. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Permissions 50 @PreAuthorize("hasPermission(#message,’write')") <S extends Message> S save(Message message);
  • 51. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 51 public interface PermissionEvaluator … { boolean hasPermission(Authentication authentication, 
 Object targetDomainObject,
 Object permission); boolean hasPermission(Authentication authentication,
 Serializable targetId,
 String targetType, 
 Object permission); }
  • 52. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Queries? 52 @Query("select m from Message m where m.to.id = ? #{principal.id}")
 Iterable<Message> inbox();
  • 53. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Queries? 53 @Query("select m from Message m where m.to.id = ? #{principal.id}")
 Page<Message> inbox(Pageable pageable);
  • 54. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Future Work? 54 @EnableAclSecurity
 public interface SecuredMessageRepository 
 extends MessageRepository {} // Vote for it! DATACMNS-293 SEC-2409
  • 55. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DEMO CSRF 55
  • 56. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 56
  • 57. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 57
  • 58. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 58
  • 59. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “When do I use CSRF protection? 59
  • 60. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “... but my application uses JSON 60
  • 61. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 61 <form ... method="post" enctype="text/plain"> <input type='hidden' name=’{"summary":"Hi", … "ignore_me":"' value='test"}' 
 /> </form>
  • 62. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 62 {
 "summary": "Hi", "message": "New Message", "to": "luke@example.com", "ignore_me": "=test" }
  • 63. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “… but my application is stateless 63
  • 64. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 64
  • 65. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “…and I use a custom header for authentication and ignore cookies 65
  • 66. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection •  Use proper HTTP Verbs •  Configure CSRF Protection •  Include the CSRF Token 66
  • 67. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Including the CSRF Token 67 @RequestMapping("/csrf”)
 public CsrfToken csrf(CsrfToken token) { return token; }
  • 68. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DEMO Clickjacking 68
  • 69. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Security HTTP Response Headers 69
  • 70. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Security HTTP Response Headers 70
  • 71. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Security HTTP Response Headers 71
  • 72. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Related Talks •  Hands on Spring Security 4.1 – Wed at 8:30am •  Spring MVC 4.2: New and Noteworthy – Wed at 10:30am •  A How to Guide to Security in the PAAS Cloud – Wed at 4:30pm •  Securing Microservices with Spring Cloud Security – Thurs at 10:30am 72
  • 73. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Learn More. Stay Connected. •  Use TLS •  Authentication Should Have State •  Use Proper Authorization •  Use a Framework Because Individuals Cannot Provide Good Security Twitter: @rob_winch YouTube: spring.io/video LinkedIn: spring.io/linkedin Google Plus: spring.io/gplus 73