SlideShare a Scribd company logo
Deconstructing and Evolving
REST Security
David Blevins
@dblevins
tomitribe.com
#Hashtag
#RESTSecurity @dblevins @tomitribe
“The nice thing about standards is
you have so many to choose from.”
- Andrew S. Tanenbaum
#RESTSecurity @dblevins @tomitribe
Focus Areas
• Beyond Basic Auth
• Theory of OAuth 2.0
• Introduc?on of JWT
• Google/Facebook style API security
• Stateless vs Stateful Architecture
• HTTP Signatures
• Amazon EC2 style API security
#RESTSecurity @dblevins @tomitribe
Baseline Architecture
1000 users
x 3 TPS
4 hops
3000 TPS
frontend
12000 TPS
backend
#RESTSecurity @dblevins @tomitribe
Basic Auth
(and its problems)
#RESTSecurity @dblevins @tomitribe
Basic Auth Message
POST /painter/color/object HTTP/1.1
Host: localhost:8443
Authorization: Basic c25vb3B5OnBhc3M=
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"b":255,"g":0,"name":"blue","r":0}}
#RESTSecurity @dblevins @tomitribe
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
(no auth)
3000 TPS
(LDAP)
12000 TPS
(HTTP)
#RESTSecurity @dblevins @tomitribe
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
username+password
Base64
15000 TPS
(LDAP)
Password Sent
12000 TPS
(HTTP)
#RESTSecurity @dblevins @tomitribe
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
IP
whitelis?ng
3000 TPS
(LDAP)
12000 TPS
(HTTP)
#RESTSecurity @dblevins @tomitribe
“Hey, give me all
of Joe’s salary
information.”
“I don’t know
who you are,
…
but sure!”
#RESTSecurity @dblevins @tomitribe
Latveria Attacks
#RESTSecurity @dblevins @tomitribe
Basic Auth - Attacks
Valid
Password Sent
3000 TPS
(HTTP+SSL) IP
whitelis?ng
9000 TPS
(LDAP)
12000 TPS
(HTTP)
Invalid
Password Sent
6000 TPS
(HTTP+SSL)
#RESTSecurity @dblevins @tomitribe
OAuth 2.0
(and its problems)
#RESTSecurity @dblevins @tomitribe
#RESTSecurity @dblevins @tomitribe
#RESTSecurity @dblevins @tomitribe
#RESTSecurity @dblevins @tomitribe
#RESTSecurity @dblevins @tomitribe
OAuth 2 - Password Grant
(LDAP)
(Token Store)
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
}
Verify
Password
Generate
Token
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Message
POST /painter/color/object HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"r":0,"g":0,"b":255,"name":"blue"}}
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"r":0,"g":255,"b":0,"name":"green"}}
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Message
POST /painter/color/stroke HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 49
{"color":{"r":255,"g":200,"b":255,"name":"orange"}}
#RESTSecurity @dblevins @tomitribe
401
#RESTSecurity @dblevins @tomitribe
OAuth 2 - Refresh Grant
(LDAP)
(Token Store)
Verify
Password
Generate
Token
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
"expires_in":3600,
"refresh_token":"hyT5rw1QNh5Ttg2hdtR54e",
}
#RESTSecurity @dblevins @tomitribe
Old pair
• Access Token 2YotnFZFEjr1zCsicMWpAA
• Refresh Token tGzv3JOkF0XG5Qx2TlKWIA
New pair
• Access Token 6Fe4jd7TmdE5yW2q0y6W2w
• Refresh Token hyT5rw1QNh5Ttg2hdtR54e
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 46
{"color":{"r":0,"g":255,"b":0,"name":"green"}}
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
#RESTSecurity @dblevins @tomitribe
What have we achieved?
#RESTSecurity @dblevins @tomitribe
You have more passwords
(at least your devices do)
#RESTSecurity @dblevins @tomitribe
Term Alert
• Password Grant???
• Logging in
• Token?
• Slightly less crappy password
• Equally crappy HTTP Session ID
#RESTSecurity @dblevins @tomitribe
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelis?ng
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend
#RESTSecurity @dblevins @tomitribe
#RESTSecurity @dblevins @tomitribe
“Who the heck
is
6Fe4jd7TmdE5y
W2q0y6W2w
???????”
“No idea, dude.
Ask the token
server.”
#RESTSecurity @dblevins @tomitribe
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelis?ng
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
12000 TPS
(token checks)
8 hops
24000 TPS
backend
#RESTSecurity @dblevins @tomitribe
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelis?ng
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
12000 TPS
(token checks)
8 hops
24000 TPS
backend
55% of all traffic
#RESTSecurity @dblevins @tomitribe
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelis?ng
0 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
0 TPS
(token checks)
0 hops
0 TPS
backend
#RESTSecurity @dblevins @tomitribe
OAuth 2
Pointer Pointer
State
#RESTSecurity @dblevins @tomitribe
Access Token
Access Pointer?
Access Primary Key?
#RESTSecurity @dblevins @tomitribe
OAuth 2.0
High Frequency Password
Exchange Algorithm?
#RESTSecurity @dblevins @tomitribe
Hashing and Signing
Symmetric and Asymmetric
#RESTSecurity @dblevins @tomitribe
Hashing Data
#RESTSecurity @dblevins @tomitribe
01010000010001000011011011101000110101001001100001010011110000
00111010101111111111111111000101111101001110111000100010000000000
111111101011100001001100100000101011111001101111111100111011000011
111011001101100100000101011110011001100001011011110101110110001
#RESTSecurity @dblevins @tomitribe
01010000010001000011011011101000110101001001100001010011110000
00111010101111111111111111000101111101001110111000100010000000000
111111101011100001001100100000101011111001101111111100111011000011
111011001101100100000101011110011001100001011011110101110110001
#RESTSecurity @dblevins @tomitribe
More Bits the Better
#RESTSecurity @dblevins @tomitribe
Morocco victorious 2 to 0!
#RESTSecurity @dblevins @tomitribe
Morocco victorious 2 to 0!
#RESTSecurity @dblevins @tomitribe
Morocco victorious 1 to 0?!
#RESTSecurity @dblevins @tomitribe
Protecting the Hash
HMAC (Symmetric)
RSA (Asymmetric)
abc123 abc123
private
public
#RESTSecurity @dblevins @tomitribe
Encoding a Hash or Signature
Binary 0010100011010111110000011011000100101000110011100111010010001000
0100011011011010000000100011110100111111010100011000100011010001
1101101001010101111100010011111110100000001001100010000000010111
0000000000100101000010110011000100001001011011010111101111101101
Hex 8af5c1468a399708b12d205e7ec588c52dd547fe0232027400526846485bef5b
Base64 ivXBRoo5lwixLSBefsWIxS3VR_4CMgJ0AFJoRkhb71s
Base85 MY4eTME."/Yq7))I`7,^/_*Aj!sh!!)dK"86bOe~
#RESTSecurity @dblevins @tomitribe
OAuth 2.0
+
JSon Web Tokens (JWT)
#RESTSecurity @dblevins @tomitribe
JSon Web Token
• Pronounced “JOT”
• Fancy JSON map
• Base64 URL Encoded
• Digitally Signed (RSA-SHA256, HMAC-SHA512, etc)
• Built-in expira?on
#RESTSecurity @dblevins @tomitribe
Access Token Previously
• 6Fe4jd7TmdE5yW2q0y6W2w
#RESTSecurity @dblevins @tomitribe
Access Token Now
• eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlb
i10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJ
zbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJod
HRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2t
lbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0L
WZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ
3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz
8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOE
UwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh
VDaiqmhct098ocefuv08TdzRxqYoEqYNo
#RESTSecurity @dblevins @tomitribe
Access Token Now
• header (JSON > Base64 URL Encoded)
• describes how the token signature can be checked
• payload (JSON > Base64 URL Encoded)
• Basically a map of whatever you want to put in it
• Some standard entries such as expira?on
• signature (Binary > Base64 URL Encoded
• The actual digital signature
• made exclusively by the /oauth2/token endpoint
• If RSA, can be checked by anyone
#RESTSecurity @dblevins @tomitribe
• { "alg": “RS256", "typ": “JWT" }
• {
"token-type": "access-token",
"username": "snoopy",
"animal": "beagle",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": [
“twitter”, "mans-best-friend"
],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
• DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32f
v0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZv
zlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
#RESTSecurity @dblevins @tomitribe
Subtle But High Impact
Architectural Change
#RESTSecurity @dblevins @tomitribe
What we had
(quick recap)
#RESTSecurity @dblevins @tomitribe
(LDAP)
Pull User Info
From IDP
#RESTSecurity @dblevins @tomitribe
(LDAP)
Generate an
Access Token
(pointer)
#RESTSecurity @dblevins @tomitribe
(LDAP)
Insert both
into DB
#RESTSecurity @dblevins @tomitribe
(LDAP)
Send Access Token (pointer)
to client
#RESTSecurity @dblevins @tomitribe
Results
Client Holds Pointer Server Holds State
#RESTSecurity @dblevins @tomitribe
What we can do now
(Hello JWT!)
#RESTSecurity @dblevins @tomitribe
(LDAP)
Pull User Info
From IDP
#RESTSecurity @dblevins @tomitribe
(LDAP)
Format the data
as JSON
#RESTSecurity @dblevins @tomitribe
(LDAP)
RSA-SHA 256
sign JSON private
#RESTSecurity @dblevins @tomitribe
(LDAP)
Insert only
pointer
into DB
(for revocation)
#RESTSecurity @dblevins @tomitribe
(LDAP)
Send Access Token (state)
to client
#RESTSecurity @dblevins @tomitribe
Client Holds State Server Holds Pointer
Desired
Results
#RESTSecurity @dblevins @tomitribe
#RESTSecurity @dblevins @tomitribe
OAuth 2 - Password Grant
(LDAP)
(Token ID Store)
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
Verify
Password
Generate
Signed
Token
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoM
i90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0
LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M
TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ
9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8
OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO
EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh
VDaiqmhct098ocefuv08TdzRxqYoEqYNo",
"expires_in":3600,
"refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL",
}
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Message with JWT
POST /painter/color/palele HTTP/1.1

Host: api.superbiz.io

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR
va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ
iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy
ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl
6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ
vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
User-Agent: curl/7.43.0

Accept: */*

Content-Type: applica?on/json

Content-Length: 46



{"color":{"b":0,"g":255,"r":0,"name":"green"}}
#RESTSecurity @dblevins @tomitribe
OAuth 2 + JWT
Tokens Sent
3000 TPS
(HTTP+SSL)
0.55 TPS
(refresh token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend
3000 TPS
(signature verifica?on)
12000 TPS
(signature verifica?on)
#RESTSecurity @dblevins @tomitribe
“Hey, give me all
of Joe’s salary
information.”
“Not a chance!”
#RESTSecurity @dblevins @tomitribe
“Hey, give me all
of Joe’s salary
information.”
“Sure thing!”
Every Microservice Has the Gateway's Public Key
#RESTSecurity @dblevins @tomitribe
Latveria Attacks
(again)
#RESTSecurity @dblevins @tomitribe
OAuth 2 + JWT
Valid
Tokens Sent
3000 TPS
(HTTP+SSL)
0.55 TPS
(refresh token checks)
Password Sent
1000/daily
(HTTP+SSL)
(LDAP)
4 hops
12000 TPS
backend
9000 TPS
(signature verifica?on)
12000 TPS
(signature verifica?on)
Invalid
Tokens Sent
6000 TPS
(HTTP+SSL)
#RESTSecurity @dblevins @tomitribe
HTTP Signatures
(Amazon EC2 style API Security)
#RESTSecurity @dblevins @tomitribe
HTTP Signatures
• No “secret” ever hits the wire
• Signs the message itself
• Proves iden?ty
• Prevents message tampering
• Symmetric or Asymmetric signatures
• IETF Drat
• hlps://tools.ieu.org/html/drat-cavage-hlp-signatures
• Extremely simple
• Does NOT eliminate benefits of JWT
#RESTSecurity @dblevins @tomitribe
Signature Message
POST /painter/color/palele HTTP/1.1

Host: api.superbiz.io

Authoriza?on: Signature keyId=“my-key-name",
algorithm="hmac-sha256",
headers="content-length host date (request-target)”,
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="

Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*

Content-Type: applica?on/json

Content-Length: 46



{"color":{"b":0,"g":255,"r":0,"name":"green"}}
#RESTSecurity @dblevins @tomitribe
Signature closeup
Signature
keyId=“my-key-name",
algorithm="hmac-sha256",
headers="content-length host date (request-target)”,
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=
#RESTSecurity @dblevins @tomitribe
Signature Auth
Password Sent
0 TPS
(HTTP)
Signature (no auth)
3000 TPS
(LDAP or Keystore)
12000 TPS
(HTTP)
#RESTSecurity @dblevins @tomitribe
Signature Auth
Password Sent
0 TPS
(HTTP)
Signature Signature
3000 TPS
(LDAP or Keystore)
12000 TPS
(HTTP)
#RESTSecurity @dblevins @tomitribe
“Hey, give me all
of Joe’s salary
information.”
“Hey, Larry!
Sure!”
Issue Returns
(bad)
#RESTSecurity @dblevins @tomitribe
OAuth 2.0 Proof-of-Possession
(JWT + HTTP Signatures)
#RESTSecurity @dblevins @tomitribe
Key Value
Iden?ty Informa?on
(JWT)
Key ID
Proof Of Iden?ty
(HTTP Signature)
#RESTSecurity @dblevins @tomitribe
{ "alg": “RS256", "typ": “JWT" }
{ "token-type": "access-token",
"username": "snoopy",
"iss": "hlps://demo.superbiz.com/oauth2/token",
"scopes": ["twiler”, "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"j?": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc
0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFX
GDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token
#RESTSecurity @dblevins @tomitribe
{ "alg": “RS256", "typ": “JWT" }
{ "token-type": "pop",
"cnf":{ "kid": "green-1234" }
"username": "snoopy",
"iss": "hlps://demo.superbiz.com/oauth2/token",
"scopes": ["twiler”, "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"j?": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc
0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFX
GDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token
#RESTSecurity @dblevins @tomitribe
OAuth 2 - Password Grant
(LDAP)
(Token ID Store)
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
Verify
Password
Generate
Signed
Token
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc
3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImV4cCI6M
TMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJjbmYiOnsia2",
"token_type":"pop",
"expires_in":3600,
"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc
3MiOiJodHRwczovL2FzZGZhc2RzZGZzZXJ2ZXIuZXhhbXBsZS5
jb20iLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3M",
"key":"eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ
2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1
MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlS
ci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5W
WFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZ
PeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd
2ZzIiwiYWxnIjoiSFMyNTYifQ"
}
Generate
HMAC
Key
(Key Store)
#RESTSecurity @dblevins @tomitribe
JSON Web Key (encoded)
eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2Ute
XlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MF
dNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlS
ci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd
5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzc
zhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRo
cmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ
#RESTSecurity @dblevins @tomitribe
JSON Web Key (decoded)
{ "kty": "oct",
"use": "sig",
"kid": "orange-1234",
"k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKW
THlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7j
JJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xs
s8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39c
wfs",
"alg": "HS256"
}
#RESTSecurity @dblevins @tomitribe
Signed OAuth 2.0 Message
POST /painter/color/palele HTTP/1.1

Host: api.superbiz.io

Authoriza?on: Signature keyId=“orange-1234", algorithm="hmac-sha256",
headers="content-length host date (request-target)”,
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5h
bWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL2
9hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyO
DA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdY
O1GMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaE
lxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo

Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*

Content-Type: applica?on/json

Content-Length: 46



{"color":{"b":0,"g":255,"r":0,"name":"green"}}
#RESTSecurity @dblevins @tomitribe
OAuth 2 + JWT + Signatures
Tokens Sent
3000 TPS
(HTTP+SSL)
0.55 TPS
(refresh token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend
3000 TPS
(signature verifica?on)
12000 TPS
(signature verifica?on)
#RESTSecurity @dblevins @tomitribe
hlps://tools.ieu.org/html/drat-ieu-oauth-pop-key-distribu?on
Specification Reference
#RESTSecurity @dblevins @tomitribe
Observations
• HTTP Signatures the only HTTP friendly approach
• Signatures does not solve the “Iden?ty Load” problem
• OAuth 2 with JWT significantly improves IDP load
• Plain OAuth 2
• HTTP Session-like implica?ons
• OAuth 2 with JWT
• Signed cookie
• Signing key to the future
Thank You
Slides & Gateway Sign-up
https://tribestream.io/devoxx-ma
#RESTSecurity

More Related Content

What's hot

2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
César Hernández
 
Side-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and DefensesSide-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and Defenses
Tom Van Goethem
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfileDublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile
Jean-Louis MONTEIRO
 
crypto2ssh
crypto2sshcrypto2ssh
crypto2ssh
Hasan Sharif
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackops
Dan Kaminsky
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
Arun Modi
 
Bh eu 05-kaminsky
Bh eu 05-kaminskyBh eu 05-kaminsky
Bh eu 05-kaminsky
Dan Kaminsky
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike
 
Stateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - GuatemalaStateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - Guatemala
Otávio Santana
 
Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES
Otavio Santana
 
Stateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - MexicoStateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - Mexico
Otávio Santana
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
OpenDNS
 
A 5 security x line platform
A 5 security x line platformA 5 security x line platform
A 5 security x line platform
LINE Corporation
 
DNS over HTTPS
DNS over HTTPSDNS over HTTPS
DNS over HTTPS
Daniel Stenberg
 
ZN27112015
ZN27112015ZN27112015
ZN27112015
Denis Kolegov
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0:  Introducing the Domain Key InfrastructurePhreebird Suite 1.0:  Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Dan Kaminsky
 
Black ops of tcp2005 japan
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japan
Dan Kaminsky
 
Let's go HTTPS
Let's go HTTPSLet's go HTTPS
Let's go HTTPS
Codemotion
 
Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Web
amiable_indian
 

What's hot (20)

2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
 
Side-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and DefensesSide-Channels on the Web: Attacks and Defenses
Side-Channels on the Web: Attacks and Defenses
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfileDublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile
 
crypto2ssh
crypto2sshcrypto2ssh
crypto2ssh
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackops
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
 
Bh eu 05-kaminsky
Bh eu 05-kaminskyBh eu 05-kaminsky
Bh eu 05-kaminsky
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
Stateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - GuatemalaStateless Microservice Security via JWT and MicroProfile - Guatemala
Stateless Microservice Security via JWT and MicroProfile - Guatemala
 
Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES Stateless Microservice Security via JWT and MicroProfile - ES
Stateless Microservice Security via JWT and MicroProfile - ES
 
Stateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - MexicoStateless Microservice Security via JWT and MicroProfile - Mexico
Stateless Microservice Security via JWT and MicroProfile - Mexico
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 
A 5 security x line platform
A 5 security x line platformA 5 security x line platform
A 5 security x line platform
 
DNS over HTTPS
DNS over HTTPSDNS over HTTPS
DNS over HTTPS
 
ZN27112015
ZN27112015ZN27112015
ZN27112015
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0:  Introducing the Domain Key InfrastructurePhreebird Suite 1.0:  Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
 
Black ops of tcp2005 japan
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japan
 
Let's go HTTPS
Let's go HTTPSLet's go HTTPS
Let's go HTTPS
 
Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Web
 

Similar to 2017 Devoxx MA Deconstructing and Evolving REST Security

2018 SDJUG Deconstructing and Evolving REST Security
2018 SDJUG Deconstructing and Evolving REST Security2018 SDJUG Deconstructing and Evolving REST Security
2018 SDJUG Deconstructing and Evolving REST Security
David Blevins
 
2018 Denver JUG Deconstructing and Evolving REST Security
2018 Denver JUG Deconstructing and Evolving REST Security2018 Denver JUG Deconstructing and Evolving REST Security
2018 Denver JUG Deconstructing and Evolving REST Security
David Blevins
 
2018 jPrime Deconstructing and Evolving REST Security
2018 jPrime Deconstructing and Evolving REST Security2018 jPrime Deconstructing and Evolving REST Security
2018 jPrime Deconstructing and Evolving REST Security
David Blevins
 
2018 Boulder JUG Deconstructing and Evolving REST Security
2018 Boulder JUG Deconstructing and Evolving REST Security2018 Boulder JUG Deconstructing and Evolving REST Security
2018 Boulder JUG Deconstructing and Evolving REST Security
David Blevins
 
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
César Hernández
 
2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security
David Blevins
 
Deconstructing and Evolving REST Security
Deconstructing and Evolving REST SecurityDeconstructing and Evolving REST Security
Deconstructing and Evolving REST Security
Roberto Cortez
 
Seguridad en microservicios via micro profile jwt
Seguridad en microservicios via micro profile jwtSeguridad en microservicios via micro profile jwt
Seguridad en microservicios via micro profile jwt
César Hernández
 
gRPC vs REST: let the battle begin!
gRPC vs REST: let the battle begin!gRPC vs REST: let the battle begin!
gRPC vs REST: let the battle begin!
Alex Borysov
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Positive Hack Days
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
Jean-Baptiste Trystram
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
 
Secure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet InfrastructureSecure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet Infrastructure
webhostingguy
 
Python tools for testing web services over HTTP
Python tools for testing web services over HTTPPython tools for testing web services over HTTP
Python tools for testing web services over HTTP
Mykhailo Kolesnyk
 
Cilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPF
Cynthia Thomas
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration Analyst
Fajar Nugroho
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
CODE BLUE
 
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
Jan Löffler
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
Guy Podjarny
 

Similar to 2017 Devoxx MA Deconstructing and Evolving REST Security (20)

2018 SDJUG Deconstructing and Evolving REST Security
2018 SDJUG Deconstructing and Evolving REST Security2018 SDJUG Deconstructing and Evolving REST Security
2018 SDJUG Deconstructing and Evolving REST Security
 
2018 Denver JUG Deconstructing and Evolving REST Security
2018 Denver JUG Deconstructing and Evolving REST Security2018 Denver JUG Deconstructing and Evolving REST Security
2018 Denver JUG Deconstructing and Evolving REST Security
 
2018 jPrime Deconstructing and Evolving REST Security
2018 jPrime Deconstructing and Evolving REST Security2018 jPrime Deconstructing and Evolving REST Security
2018 jPrime Deconstructing and Evolving REST Security
 
2018 Boulder JUG Deconstructing and Evolving REST Security
2018 Boulder JUG Deconstructing and Evolving REST Security2018 Boulder JUG Deconstructing and Evolving REST Security
2018 Boulder JUG Deconstructing and Evolving REST Security
 
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
 
2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security2018 JavaLand Deconstructing and Evolving REST Security
2018 JavaLand Deconstructing and Evolving REST Security
 
Deconstructing and Evolving REST Security
Deconstructing and Evolving REST SecurityDeconstructing and Evolving REST Security
Deconstructing and Evolving REST Security
 
Seguridad en microservicios via micro profile jwt
Seguridad en microservicios via micro profile jwtSeguridad en microservicios via micro profile jwt
Seguridad en microservicios via micro profile jwt
 
gRPC vs REST: let the battle begin!
gRPC vs REST: let the battle begin!gRPC vs REST: let the battle begin!
gRPC vs REST: let the battle begin!
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
 
Secure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet InfrastructureSecure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet Infrastructure
 
Python tools for testing web services over HTTP
Python tools for testing web services over HTTPPython tools for testing web services over HTTP
Python tools for testing web services over HTTP
 
Cilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPF
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
MUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration AnalystMUM Middle East 2016 - System Integration Analyst
MUM Middle East 2016 - System Integration Analyst
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
 
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
 

More from David Blevins

DevNexus 2020 - Jakarta Messaging 3.x, Redefining JMS
DevNexus 2020 - Jakarta Messaging 3.x, Redefining JMSDevNexus 2020 - Jakarta Messaging 3.x, Redefining JMS
DevNexus 2020 - Jakarta Messaging 3.x, Redefining JMS
David Blevins
 
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT
David Blevins
 
2017 JCP EC: Configuration JSR
2017 JCP EC: Configuration JSR2017 JCP EC: Configuration JSR
2017 JCP EC: Configuration JSR
David Blevins
 
2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI Alignment2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI Alignment
David Blevins
 
JavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on Tomcat
JavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on TomcatJavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on Tomcat
JavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on Tomcat
David Blevins
 
2011 JavaOne EJB with Meta Annotations
2011 JavaOne EJB with Meta Annotations2011 JavaOne EJB with Meta Annotations
2011 JavaOne EJB with Meta Annotations
David Blevins
 
2011 JavaOne Apache TomEE Java EE 6 Web Profile
2011 JavaOne Apache TomEE Java EE 6 Web Profile2011 JavaOne Apache TomEE Java EE 6 Web Profile
2011 JavaOne Apache TomEE Java EE 6 Web Profile
David Blevins
 
2011 JavaOne Fun with EJB 3.1 and OpenEJB
2011 JavaOne Fun with EJB 3.1 and OpenEJB2011 JavaOne Fun with EJB 3.1 and OpenEJB
2011 JavaOne Fun with EJB 3.1 and OpenEJB
David Blevins
 

More from David Blevins (8)

DevNexus 2020 - Jakarta Messaging 3.x, Redefining JMS
DevNexus 2020 - Jakarta Messaging 3.x, Redefining JMSDevNexus 2020 - Jakarta Messaging 3.x, Redefining JMS
DevNexus 2020 - Jakarta Messaging 3.x, Redefining JMS
 
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT
 
2017 JCP EC: Configuration JSR
2017 JCP EC: Configuration JSR2017 JCP EC: Configuration JSR
2017 JCP EC: Configuration JSR
 
2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI Alignment2015 JavaOne EJB/CDI Alignment
2015 JavaOne EJB/CDI Alignment
 
JavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on Tomcat
JavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on TomcatJavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on Tomcat
JavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on Tomcat
 
2011 JavaOne EJB with Meta Annotations
2011 JavaOne EJB with Meta Annotations2011 JavaOne EJB with Meta Annotations
2011 JavaOne EJB with Meta Annotations
 
2011 JavaOne Apache TomEE Java EE 6 Web Profile
2011 JavaOne Apache TomEE Java EE 6 Web Profile2011 JavaOne Apache TomEE Java EE 6 Web Profile
2011 JavaOne Apache TomEE Java EE 6 Web Profile
 
2011 JavaOne Fun with EJB 3.1 and OpenEJB
2011 JavaOne Fun with EJB 3.1 and OpenEJB2011 JavaOne Fun with EJB 3.1 and OpenEJB
2011 JavaOne Fun with EJB 3.1 and OpenEJB
 

Recently uploaded

Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 

Recently uploaded (11)

Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 

2017 Devoxx MA Deconstructing and Evolving REST Security