This presentation explains what JSON Web Tokens are, covering their structure, signature and encryption, and how to integrate them with authentication/authorization using Spring Security.
The link for the project on GitHub is:
https://github.com/BHRother/spring-boot-security-jwt
The example implements JWT + Spring Security in a Spring Boot project.
JSON Web Token with digital signature. Modern authentication or authorization. Cookies are bad. Avoid Man-in-the-middle-attack. No need to protect against CSRF. Stateless.
What is JWT?
When should you use JSON Web Tokens?
WHAT IS THE JSON WEB TOKEN STRUCTURE?
JWT Process
PROS AND CONS
JWT.IO
Using JSON Web Tokens as API Keys
3. What is JSON Web Token?
- JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
- This information can be verified and trusted because it is digitally signed.
- JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
4. What is JSON Web Token?
- Compact: Because of their smaller size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast.
  Ex:
  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
- Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.
5. When should you use JSON Web Tokens?
- Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
- Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed (for example, using public/private key pairs) you can be sure the senders are who they say they are.
6. What is the JSON Web Token structure?
- JSON Web Tokens consist of three parts separated by dots (.), which are:
  - Header
  - Payload
  - Signature
Therefore, a JWT typically looks like the following:
- xxxxx.yyyyy.zzzzz
7. What is the JSON Web Token structure?
Header
The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.
- For example:
- Then, this JSON is Base64Url encoded to form the first part of the JWT.
8. What is the JSON Web Token structure?
Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. There are three types of claims:
- reserved
- public
- private
9. What is the JSON Web Token structure?
Payload
- Reserved claims
  These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.
  Notice that the claim names are only three characters long as JWT is meant to be compact.
10. What is the JSON Web Token structure?
Payload
- Public claims
  These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.
11. What is the JSON Web Token structure?
Payload
- Private claims
  These are the custom claims created to share information between parties that agree on using them.
12. What is the JSON Web Token structure?
Payload
- Example
  The payload is then Base64Url encoded to form the second part of the JSON Web Token.
13. What is the JSON Web Token structure?
Signature
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
- The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
- For example, if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
14. What is the JSON Web Token structure?
Putting it all together
The output is three Base64 strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.
The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret.
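Slides 7 to 14 describe the three parts and the HMAC SHA256 signature. The class below is an added example, not the project's code, that builds and verifies an HS256 token exactly that way using only the JDK. The secret key and the claims are constructed for the demo; the verifier pins the algorithm to HS256 and compares signatures in constant time, which are the two checks a consumer of JWTs most often gets wrong.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Minimal HS256 JWT signer/verifier on top of the JDK (illustration only). */
public final class Hs256Jwt {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    // Header as on the slides: token type JWT, algorithm HMAC SHA256.
    private static final String HEADER_JSON = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";

    private static String b64url(String s) {
        return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    private static byte[] hmacSha256(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.US_ASCII));
    }

    /** header.payload.signature, signature = HMACSHA256(base64url(header) + "." + base64url(payload), key). */
    public static String sign(String payloadJson, byte[] key) throws Exception {
        String signingInput = b64url(HEADER_JSON) + "." + b64url(payloadJson);
        return signingInput + "." + ENC.encodeToString(hmacSha256(key, signingInput));
    }

    /** Returns the payload JSON if the token is well formed, declares HS256 and carries a valid MAC; throws otherwise. */
    public static String verify(String token, byte[] key) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("token must have three dot-separated parts");
        String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm on the verifier side: the token's own header must never choose how it is verified
        // (this rejects "alg":"none" and any attempt to swap in another algorithm). A real implementation
        // parses the JSON instead of string-matching it, and also checks exp/iss/aud from the payload.
        if (!header.contains("\"alg\":\"HS256\"")) throw new SecurityException("unexpected alg in header: " + header);
        byte[] expected = hmacSha256(key, parts[0] + "." + parts[1]);
        byte[] presented = DEC.decode(parts[2]);
        // Constant-time comparison so response timing does not leak how many signature bytes matched.
        if (!MessageDigest.isEqual(expected, presented)) throw new SecurityException("bad signature");
        return new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "demo-secret-do-not-reuse".getBytes(StandardCharsets.UTF_8); // constructed demo key
        String token = sign("{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"admin\":true}", key);
        System.out.println("token:   " + token);
        System.out.println("payload: " + verify(token, key));
        // Change the admin claim without re-signing: the MAC no longer matches and verify() must throw.
        String[] p = token.split("\\.");
        String forged = p[0] + "." + b64url("{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"admin\":false}") + "." + p[2];
        try {
            verify(forged, key);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```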
15. How to test and see my JWT?
- Jwt.io
  It is a web page where you can learn more about JWT and debug a token. You can also verify the signature, and download the libraries for different languages such as Java, JS, Node.js, Python, .NET, etc.
16. How do JSON Web Tokens work?
- In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned and must be saved locally (typically in local storage, but cookies can also be used).
- Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:
- This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources. As JWTs are self-contained, all the necessary information is there, reducing the need to query the database multiple times.
17. How do JSON Web Tokens work?
- This allows you to fully rely on data APIs that are stateless and even make requests to downstream services. It doesn't matter which domains are serving your APIs, so Cross-Origin Resource Sharing (CORS) won't be an issue as it doesn't use cookies.
18. JWT Signature and Encryption
- A JWT is usually complemented with a signature or encryption. These are handled in their own specs as JSON Web Signature (JWS) and JSON Web Encryption (JWE).
- A signature allows a JWT to be validated against modifications. Encryption, on the other hand, makes sure the content of the JWT is only readable by certain parties.
19. Common JWT Signing Algorithms
- Most JWTs in the wild are just signed. The most common algorithms are:
  - HMAC + SHA256
  - RSASSA-PKCS1-v1_5 + SHA256
  - ECDSA + P-256 + SHA256
The spec defines many more algorithms for signing. You can find them all in RFC 7518.
20. Common JWT Signing Algorithms
HMAC algorithms
This is probably the most common algorithm for signed JWTs.
- Hash-Based Message Authentication Codes (HMACs) are a group of algorithms that provide a way of signing messages by means of a shared key. In the case of HMACs, a cryptographic hash function is used (for instance SHA256).
- The strength (i.e. how hard it is to forge an HMAC) depends on the hashing algorithm being used.
- The main objective in the design of the algorithm was to allow the combination of a key with a message while providing strong guarantees against tampering.
21. Common JWT Signing Algorithms
HMAC algorithms
- HMACs are used with JWTs when you want a simple way for all parties to create and validate JWTs. Any party knowing the key can create new JWTs. In other words, with shared keys, it is possible for one party to impersonate another: HMAC JWTs do not provide guarantees with regards to the creator of the JWT. Anyone knowing the key can create one.
- For certain use cases, this is too permissive. This is where asymmetric algorithms come into play.
22. Common JWT Signing Algorithms
RSA and ECDSA algorithms
- Both RSA and ECDSA are asymmetric encryption and digital signature algorithms.
- What asymmetric algorithms bring to the table is the possibility of verifying or decrypting a message without being able to create a new one.
- This is key for certain use cases.
23. Common JWT Signing Algorithms
RSA and ECDSA algorithms
- Example: Picture a big company where data generated by the sales team needs to be verified by the accounting team.
- If an HMAC were to be used to sign the data, then both the sales team and the accounting team would need to know the same key.
- This would allow the sales team to sign data and make it pass as if it were from the accounting team.
- Although this might seem unlikely, especially in the context of a corporation, there are times when the ability to verify the creator of a signature is essential.
24. Common JWT Signing Algorithms
RSA and ECDSA algorithms
- The main difference between RSA and ECDSA lies in speed and key size.
- ECDSA requires smaller keys to achieve the same level of security as RSA. This makes it a great choice for small JWTs, since generating keys and signatures is faster.
- RSA, however, is usually faster than ECDSA for signature verification.
- As usual, pick the one that best aligns with your requirements.
25. Conclusion
JWTs are a convenient way of representing authentication and authorization claims for your application.
- They are easy to parse, human readable and compact. But the killer features are in the JWS and JWE specs.
- With JWS and JWE all claims can be conveniently signed and encrypted, while remaining compact enough to be part of every API call.
- Solutions such as session-ids and server-side tokens seem old and cumbersome when compared to the power of JWTs.
27. What is Spring Security?
- Spring Security is a framework that focuses on providing both authentication and authorization to Java applications.
- Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.
- Features:
  - Comprehensive and extensible support for both Authentication and Authorization
  - Protection against attacks like session fixation, clickjacking, cross site request forgery, etc.
  - Servlet API integration
  - Optional integration with Spring Web MVC
  - Much more…
28. Fundamentals
- Principal
  - User that performs the action
- Authentication
  - Confirming truth of credentials
- Authorization
  - Define access policy for principal
- GrantedAuthority
  - Application-wide permissions granted to a principal
- SecurityContext
  - Holds the Authentication and other security information
- SecurityContextHolder
  - Provides access to the SecurityContext
32. Authentication
- Variants
  - Credential-based
  - Two-factor or 2FA
  - Hardware
- Mechanisms
  - Basic
  - Form
- Storage
  - RDBMS (Relational database management system)
  - LDAP
  - Custom Storage
33. Core Authentication service
- AuthenticationManager
  - Handles authentication requests
- AuthenticationProvider
  - Performs authentication
- UserDetailsService
  - Responsible for returning a UserDetails object
- UserDetails
  - Provides the core user information
38. How to configure Spring Security?
- The first step is to secure some routes of our application.
- For this demo we will expose the routes:
  - / and /login -> to everyone
  - /users -> to people who can provide a valid JWT token.
Ex: Maven Configuration
Once we have updated the pom.xml file and imported the new dependencies, we are ready to start securing our routes.
39. How to configure Spring Security?
- First of all, we want to avoid exposing /users to everyone, so we will create a configuration that restricts its access.
- We will accomplish this by adding a new class called WebSecurityConfig that extends the WebSecurityConfigurerAdapter class from Spring Security.
40. How to configure Spring Security?
- Here, we are specifying that / and /login are permitAll().
- All other requests are authenticated and:
  - We add the login filter before the filter for users
  - Any other endpoint checks for the presence of the JWT token
41. How to configure Spring Security?
- We also configure from WHERE we are getting the users, where there are 2 options:
  - inMemoryAuthentication() – Username and password pre-defined (good for tests).
  - userDetailsService() – You can declare a Service class to authenticate/authorize. It needs to implement the UserDetailsService interface.
43. What about securing REST applications?
- The previous examples were mainly for web applications, where you redirect pages, log in using a page, etc. In REST, we don't have:
  - Login page
  - Page to redirect to after login
  - Page to redirect to on failure or unauthorized access
- Solution:
  - Override AuthenticationFailureHandler to return 401
  - Override AuthenticationSuccessHandler to return the JSON object / token.
  - Override AuthenticationEntryPoint to always return 401.
  - Override LogoutSuccessHandler to return 200.
44. Overriding the AuthenticationEntryPoint
- A class implementing org.springframework.security.web.AuthenticationEntryPoint, with only one method, which sends an error response (with 401 status code) in case of an unauthorized attempt.
45. Overriding the AuthenticationSuccessHandler
- The AuthenticationSuccessHandler is responsible for what to do after a successful authentication. By default it will redirect to a URL, but in our case we want it to send an HTTP response with data.
46. Overriding the AuthenticationFailureHandler
- The AuthenticationFailureHandler is responsible for what to do after a failed authentication. By default it will redirect to the login page URL, but in our case we just want it to send an HTTP response with the 401 UNAUTHORIZED code.
48. What do we need?
- Filter to intercept the calls, read the token and authenticate.
- Authentication Provider responsible for returning the user.
- Handlers for
  - AuthenticationFailure
  - AuthenticationSuccess
  - EntryPoint
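As an added example of the pieces listed above (it is not the project's code), here is a WebSecurityConfig in the WebSecurityConfigurerAdapter style the slides use (Spring Security 4/5; that adapter was removed in Spring Security 6), with the bearer-token filter from slide 16 and the 401 entry point from slide 44. The tokenToUser function that validates a token and resolves its user is an assumed collaborator you would back with your JWT library, not a Spring API.

```java
import java.io.IOException;
import java.util.Optional;
import java.util.function.Function;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // Assumed collaborator (not Spring's): verifies the JWT and returns the user it names, or empty if invalid.
    private final Function<String, Optional<UserDetails>> tokenToUser;

    public WebSecurityConfig(Function<String, Optional<UserDetails>> tokenToUser) {
        this.tokenToUser = tokenToUser;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()                                   // no cookie session, so no CSRF surface (slide 17)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint()).and()
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()         // slide 38: open to everyone
                .anyRequest().authenticated()                    // /users and everything else need a valid JWT
            .and()
            .addFilterBefore(new JwtAuthenticationFilter(tokenToUser), UsernamePasswordAuthenticationFilter.class);
    }

    /** Slide 44: there is no login page to redirect to, so an unauthenticated request gets a plain 401. */
    static class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest req, HttpServletResponse res, AuthenticationException ex)
                throws IOException {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
        }
    }

    /** Slides 16 and 48: read "Authorization: Bearer <jwt>", verify it, and populate the SecurityContext. */
    static class JwtAuthenticationFilter extends OncePerRequestFilter {
        private final Function<String, Optional<UserDetails>> tokenToUser;

        JwtAuthenticationFilter(Function<String, Optional<UserDetails>> tokenToUser) {
            this.tokenToUser = tokenToUser;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String header = req.getHeader("Authorization");
            if (header != null && header.startsWith("Bearer ")) {
                String token = header.substring("Bearer ".length()).trim();
                tokenToUser.apply(token).ifPresent(user -> {
                    UsernamePasswordAuthenticationToken auth =
                            new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                    SecurityContextHolder.getContext().setAuthentication(auth);
                });
                // A missing or invalid token sets no Authentication; for protected routes the entry point then
                // answers 401, and nothing about the failure is echoed back to the caller.
            }
            chain.doFilter(req, res);
        }
    }
}
```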
50. How can JWT help?
- Some challenges:
  - Using an asymmetric signature.
  - Managing the keys.
  - If the token contains personal information, encrypt it before generating the token.