RESTful Security
Resources

• Password strength check: http://www.passwordmeter.com
  (do not paste real production passwords into any third-party site; use it to
  tune a policy, not to test live credentials)

• Use larger key sizes where the cipher supports them. Note that older Java
  releases cap AES at 128-bit keys out of the box because of US export rules.
  To use 256-bit AES on those releases you need to download and install the Java
  Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for
  your version of Java. (Java 8u161 and later, and Java 9 and later, ship the
  unlimited policy by default, controlled by the crypto.policy property in
  java.security.)

   • http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html#UnlimitedDownload

   • http://www.oracle.com/technetwork/java/javase/downloads/index.html

   • http://www.oracle.com/technetwork/java/archive-139210.html

• Bouncy Castle: http://www.bouncycastle.org/

• Stateless sessions: http://www.isecpartners.com/files/web-session-management.pdf
  (section 5D describes a good client-side session mechanism)
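The client-side session mechanism that section 5D of the iSEC paper recommends, written out as an added example (this is not code from the deck or from iSEC): the server keeps no session table; the cookie value carries the user id and an expiry, and an HMAC-SHA256 under a server-held key authenticates it. The token layout and the StatelessSession, issue and verify names are this example's own choices. It also carries a maxAesKeyBits() check for the JCE policy point above: Cipher.getMaxAllowedKeyLength("AES") returns 128 under the old restricted policy and Integer.MAX_VALUE once the unlimited policy is active.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: stateless (client-side) session token in the spirit of the
 * iSEC paper's section 5D. Token = base64url("userId|expiryMillis") + "." +
 * base64url(HMAC-SHA256(key, "userId|expiryMillis")). The format is this
 * example's own assumption, not the paper's exact encoding.
 */
public class StatelessSession {
    private static final String HMAC = "HmacSHA256";
    private final byte[] key;   // server-side secret; never leaves the server

    public StatelessSession(byte[] key) {
        if (key.length < 32) throw new IllegalArgumentException("key must be at least 32 bytes");
        this.key = key.clone();
    }

    /** Issue a token for userId that expires ttlMillis after nowMillis. */
    public String issue(String userId, long nowMillis, long ttlMillis) {
        if (userId.contains("|")) throw new IllegalArgumentException("userId must not contain '|'");
        String payload = userId + "|" + (nowMillis + ttlMillis);
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(mac(payload));
    }

    /** Returns the user id if the token is authentic and unexpired, otherwise empty. */
    public Optional<String> verify(String token, long nowMillis) {
        int dot = token.indexOf('.');
        if (dot < 0) return Optional.empty();
        byte[] payloadBytes, tag;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(token.substring(0, dot));
            tag = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();           // not base64url: reject
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        // Constant-time comparison: a plain equals() would leak how many bytes matched.
        if (!MessageDigest.isEqual(mac(payload), tag)) return Optional.empty();
        int sep = payload.lastIndexOf('|');
        if (sep < 0) return Optional.empty();
        long expiry;
        try { expiry = Long.parseLong(payload.substring(sep + 1)); }
        catch (NumberFormatException e) { return Optional.empty(); }
        if (nowMillis >= expiry) return Optional.empty();   // expired
        return Optional.of(payload.substring(0, sep));
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(HMAC);
            m.init(new SecretKeySpec(key, HMAC));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** JCE policy check: 128 under the restricted policy, Integer.MAX_VALUE when unlimited. */
    public static int maxAesKeyBits() throws java.security.NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("max AES key bits on this JVM: " + maxAesKeyBits());
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);          // per-deployment secret, normally loaded from config
        StatelessSession s = new StatelessSession(key);
        long now = System.currentTimeMillis();
        String token = s.issue("alice", now, 15 * 60 * 1000L);
        System.out.println("token:    " + token);
        System.out.println("valid:    " + s.verify(token, now));
        System.out.println("expired:  " + s.verify(token, now + 16 * 60 * 1000L));
        // Flip the first payload character: the MAC no longer matches.
        System.out.println("tampered: " + s.verify("Z" + token.substring(1), now));
    }
}
```

Compile with javac and run, or on Java 11 and later run `java StatelessSession.java` directly. The trade-off the paper's mechanism implies: because the server stores nothing, an individual token cannot be revoked before its expiry, so keep the TTL short and rotate the key to invalidate everything at once.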
Technology overview (abbreviation, full name, approximate year introduced, reference, notes):

AD         Active Directory (2000)
           http://en.wikipedia.org/wiki/Active_Directory
           Microsoft's directory service, accessed over LDAP and comparable to Novell eDirectory.
           Uses Kerberos-based authentication.

CAS        Central Authentication Service (2004)
           http://en.wikipedia.org/wiki/Central_Authentication_Service
           Centralized by design. Potentially unstable: 36 releases of Jasig CAS in the last two
           years (2/09 to 12/10).

GSSAPI     Generic Security Services Application Program Interface (1993)
           http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
           An API, not a mechanism in itself, that other technologies implement. Anticipating new
           security mechanisms, GSSAPI includes a negotiating pseudo-mechanism, SPNEGO, that can
           discover and use mechanisms not present when the application was built.

HTTP Auth  HTTP Authentication (1996)
           http://en.wikipedia.org/wiki/HTTP_authentication
           Basic access authentication lets a web browser or other client supply credentials (a user
           name and password) with a request. Open, and supported by most browsers via a pop-up.
           Basic only base64-encodes the credentials, so it must be used over HTTPS.

HTTPS      HTTP Secure (1994)
           http://en.wikipedia.org/wiki/Https
           HTTP carried over SSL/TLS, providing encrypted communication and authentication of the
           web server to the client.

JAAS       Java Authentication and Authorization Service (2001)
           http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service
           A framework for subject-based authentication and authorization in a pluggable manner,
           decoupling applications from the underlying security implementation. Java-specific.

Kerberos   Kerberos (1980s)
           http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
           Created at MIT. Key aim is authentication between trusted hosts on an untrusted network.
           Both user and server identity are verified (mutual authentication). Centralized: every
           party depends on the key distribution center.

LDAP       Lightweight Directory Access Protocol (1993)
           http://en.wikipedia.org/wiki/Ldap
           Flexible data store. Originally a lighter-weight alternative to DAP for accessing X.500
           directory services; the directory schema behind it is still complex.

NTLM       NT LAN Manager (1980s)
           http://en.wikipedia.org/wiki/NTLM
           Microsoft-specific, weak cryptography (NTLMv1 especially; password hashes are directly
           usable for authentication, which enables pass-the-hash and relay attacks). Kerberos has
           replaced NTLM as the default authentication protocol in Active Directory single sign-on,
           but NTLM is still widely used where a domain controller is not available or unreachable.

OAuth      Open Authorization (2006)
           http://en.wikipedia.org/wiki/Oauth
           Lets you authorize one website (the consumer) to access your data on another (the
           provider). Open standard for delegated authorization: users share private resources
           (photos, videos, contact lists) stored on one site with another site without handing over
           their credentials, typically a username and password. Worth watching, as major players
           are investing in it, though there is some controversy to be explored. On April 23, 2009,
           a session-fixation flaw in the 1.0 protocol was announced (fixed in OAuth 1.0a).
           Facebook's new Graph API only supports OAuth 2.0, which was not final at the time of this
           deck (it was later published as RFC 6749 in October 2012).

OpenID     OpenID (2005)
           http://en.wikipedia.org/wiki/Openid
           One login for multiple sites. An open standard for authenticating users in a decentralized
           manner, so that services need not build their own ad hoc login systems and users can
           consolidate their digital identities. Providers include AOL, BBC, Facebook, Google, IBM,
           MySpace, Orange, PayPal, VeriSign, LiveJournal, Yandex, Ustream and Yahoo!.

PAM        Pluggable Authentication Modules (1996)
           http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules
           Fragmented: each implementation has gone in a different direction. The XSSO standard
           differs from the original OSF RFC and from the Linux and Sun APIs, that is, from most
           implementations. Although PAM is part of the X/Open Single Sign-on (XSSO) standard, PAM on
           its own cannot implement Kerberos, the most common type of SSO in Unix environments.

SAML       Security Assertion Markup Language (2002)
           http://en.wikipedia.org/wiki/Saml
           XML-based standard for exchanging authentication and authorization data between security
           domains, with SOAP and HTTP bindings. Bloated, and specified in terms of implementation
           details.

SASL       Simple Authentication and Security Layer (1997)
           http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
           A framework for authentication and data security in Internet protocols. Provides an
           authentication layer on top of which an application protocol (e.g. XMPP, IMAP or LDAP)
           can operate.

SPNEGO     Simple and Protected GSSAPI Negotiation Mechanism (1998, RFC 2478)
           http://en.wikipedia.org/wiki/SPNEGO
           Its most visible use is Microsoft's "HTTP Negotiate" authentication extension, first
           implemented in Internet Explorer 5.01 and IIS 5.0, which provided the single sign-on
           later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms include
           NTLM and Kerberos, both used in Active Directory.

Spring     Spring Security, formerly Acegi (2004)
           http://en.wikipedia.org/wiki/Spring_Security
           Application-side framework (originally released as Acegi Security) supporting most of the
           protocols listed here and extensible to any desired provider. Open, but Java-specific.

SSPI       Security Support Provider Interface (1995)
           http://en.wikipedia.org/wiki/SSPI
           An API used to dynamically access various security provider implementations. A
           proprietary Windows variant of GSSAPI with extensions and very Windows-specific data
           types.
RESTful Security

More Related Content

What's hot

Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and Shibboleth
Andrew Petro
 
Ces70 salesforce2 connectorguide
Ces70 salesforce2 connectorguideCes70 salesforce2 connectorguide
Ces70 salesforce2 connectorguide
Kalpesh More
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Marco Morana
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
achettih
 
Soa Security Testing
Soa Security TestingSoa Security Testing
Soa Security Testing
Jaipal Naidu
 
Single Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingSingle Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud Computing
Rahul Roshan
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing on
guest648519
 

What's hot (7)

Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and Shibboleth
 
Ces70 salesforce2 connectorguide
Ces70 salesforce2 connectorguideCes70 salesforce2 connectorguide
Ces70 salesforce2 connectorguide
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
 
Soa Security Testing
Soa Security TestingSoa Security Testing
Soa Security Testing
 
Single Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingSingle Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud Computing
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing on
 

Viewers also liked

OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
Ismael Costa
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To Kerberos
Ishan A B Ambanwela
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Ipsec
IpsecIpsec
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
IP Security
IP SecurityIP Security
IP Security
Keshab Nath
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 

Viewers also liked (8)

OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To Kerberos
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Ipsec
IpsecIpsec
Ipsec
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
IP Security
IP SecurityIP Security
IP Security
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 

Similar to RESTful Security

Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersApache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
DataWorks Summit
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectIntroduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Michael J Geiser
 
Enable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointEnable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePoint
CA API Management
 
CamelOne 2013 Karaf A-MQ Camel CXF Security
CamelOne 2013 Karaf A-MQ Camel CXF SecurityCamelOne 2013 Karaf A-MQ Camel CXF Security
CamelOne 2013 Karaf A-MQ Camel CXF Security
Kenneth Peeples
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
David Sweigert
 
Layered Security Defense
Layered Security DefenseLayered Security Defense
Layered Security Defense
Jeff Erickson
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
Sesame in a nutshell
Sesame in a nutshellSesame in a nutshell
Sesame in a nutshell
harinisanthosh
 
FS_Usage_Scenarios
FS_Usage_ScenariosFS_Usage_Scenarios
FS_Usage_Scenarios
Kevin Kao
 
Linux quick reference
Linux quick reference Linux quick reference
Linux quick reference
Alessandro Grandi
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guide
wensheng wei
 
(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013
STO STRATEGY
 
All about Oracle Security Developer Tools
All about Oracle Security Developer ToolsAll about Oracle Security Developer Tools
All about Oracle Security Developer Tools
sophina_dillard
 
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarCloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
Joseph Holbrook, Chief Learning Officer (CLO)
 
(Pdf) yury chemerkin intelligence_sec_2013
(Pdf) yury chemerkin intelligence_sec_2013(Pdf) yury chemerkin intelligence_sec_2013
(Pdf) yury chemerkin intelligence_sec_2013
STO STRATEGY
 
Open Stack Cloud Services
Open Stack Cloud ServicesOpen Stack Cloud Services
Open Stack Cloud Services
Saurabh Gupta
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
David Sweigert
 
(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013
STO STRATEGY
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
webhostingguy
 
Understanding Platform as a Service
Understanding Platform as a ServiceUnderstanding Platform as a Service
Understanding Platform as a Service
Paul Fremantle
 

Similar to RESTful Security (20)

Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersApache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectIntroduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS Project
 
Enable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointEnable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePoint
 
CamelOne 2013 Karaf A-MQ Camel CXF Security
CamelOne 2013 Karaf A-MQ Camel CXF SecurityCamelOne 2013 Karaf A-MQ Camel CXF Security
CamelOne 2013 Karaf A-MQ Camel CXF Security
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
 
Layered Security Defense
Layered Security DefenseLayered Security Defense
Layered Security Defense
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Sesame in a nutshell
Sesame in a nutshellSesame in a nutshell
Sesame in a nutshell
 
FS_Usage_Scenarios
FS_Usage_ScenariosFS_Usage_Scenarios
FS_Usage_Scenarios
 
Linux quick reference
Linux quick reference Linux quick reference
Linux quick reference
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guide
 
(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013
 
All about Oracle Security Developer Tools
All about Oracle Security Developer ToolsAll about Oracle Security Developer Tools
All about Oracle Security Developer Tools
 
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarCloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
 
(Pdf) yury chemerkin intelligence_sec_2013
(Pdf) yury chemerkin intelligence_sec_2013(Pdf) yury chemerkin intelligence_sec_2013
(Pdf) yury chemerkin intelligence_sec_2013
 
Open Stack Cloud Services
Open Stack Cloud ServicesOpen Stack Cloud Services
Open Stack Cloud Services
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
Understanding Platform as a Service
Understanding Platform as a ServiceUnderstanding Platform as a Service
Understanding Platform as a Service
 

Recently uploaded

Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Zilliz
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 

Recently uploaded (20)

Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 

RESTful Security

  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29. Resources • Great password strength check: http://www.passwordmeter.com • User higher encryption rates are stronger (note Java blocks 256bit encryption out of the box due to US export regulations!) To use unlimited strength encryption you need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your version of Java: • http://www.oracle.com/technetwork/java/javase/tech/index- jsp-136007.html#UnlimitedDownload • http://www.oracle.com/technetwork/java/javase/downloads/index.html • http://www.oracle.com/technetwork/java/archive-139210.html • Bouncy Castle: http://www.bouncycastle.org/ • Stateless: http://www.isecpartners.com/files/web-session-management.pdf (section 5D has a good client-side session  mechanism)
  • 30. Authentication and authorization technologies (acronym | name | reference | year, followed by notes)

    AD | Active Directory | http://en.wikipedia.org/wiki/Active_Directory | 2000
      Microsoft specific implementation of LDAP, based on Novell eDirectory. Utilizes Kerberos-based authentication.

    CAS | Centralized Authentication Service | http://en.wikipedia.org/wiki/Central_Authentication_Service | 2004
      Centralized nature. Potentially unstable - 36 releases on Jasig CAS in the last 2 years (2/09 - 12/10).

    GSSAPI | Generic Security Services | http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface | 1993
      An API that is honored by other technologies. Anticipating new security mechanisms, the GSSAPI includes a negotiating pseudo mechanism, SPNEGO, that can discover and use new mechanisms not present when the original application was built.

    HTTP Auth | HTTP Authentication | http://en.wikipedia.org/wiki/HTTP_authentication | 1996
      Basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request. Open, but most browsers support it via pop-up.

  • 31.
    HTTPS | HTTP Secure | http://en.wikipedia.org/wiki/Https | 1994
      A combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server.

    JAAS | Java Authentication and Authorization Service | http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service | 2001
      JAAS defines a framework for subject-based authentication and authorization in a pluggable manner, decoupling applications from underlying security implementations. Java specific.

    Kerberos | Kerberos | http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 | 1980's
      Created by MIT. Key aim is for trusted computers on an untrusted network. Both user and server identity are handled. Centralized nature.

  • 32.
    LDAP | Lightweight Directory Access Protocol | http://en.wikipedia.org/wiki/Ldap | 1980's
      Flexible data store. Originally an alternate protocol to access X.500 directory services. This is a heavyweight with a complex data structure.

    NTLM | NT Lan Manager | http://en.wikipedia.org/wiki/NTLM | 1980's
      Microsoft specific, weak encryption. While Kerberos has replaced NTLM as the default authentication protocol in an Active Directory based single sign-on scheme, NTLM is still widely used in situations where a domain controller is not available or is unreachable.

    OAuth | Open Authorization | http://en.wikipedia.org/wiki/Oauth | 2006
      OAuth lets you authorize one website – the consumer – to access your data from another website – the provider. Open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically username and password. Worth watching as major players are investing in this, though there is some controversy to be explored. On April 23, 2009, a security flaw in the 1.0 protocol was announced. Facebook's new Graph API only supports OAuth 2.0. OAuth 2.0 is currently not final.

  • 33.
    OpenID | OpenID | http://en.wikipedia.org/wiki/Openid | 2005
      OpenID gives you one login for multiple sites. An open standard that describes how users can be authenticated in a decentralized manner, obviating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Providers include AOL, BBC, Facebook, Google, IBM, MySpace, Orange, PayPal, VeriSign, LiveJournal, Yandex, Ustream and Yahoo!.

    PAM | Pluggable Authentication Modules | http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules | 1996
      Fragmented, each implementation has gone in a different direction. The XSSO standard differs from both the original RFC and from the Linux and Sun APIs, and from most other implementations. Despite PAM being part of the X/Open Single Sign-on (XSSO) standard, PAM on its own cannot implement Kerberos, the most common type of SSO used in Unix environments.

    SAML | Security Assertion Markup Language | http://en.wikipedia.org/wiki/Saml | 2002
      SOAP-based standard for exchanging authentication and authorization data between security domains. Bloated and specified in terms of implementation details.

  • 34.
    SASL | Simple Authentication and Security Layer | http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer | 1997
      A framework for authentication and data security in Internet protocols. Provides a layer for authentication, on top of which an application protocol (e.g. XMPP) can operate. XML-based standard for exchanging authentication and authorization data between security domains.

    SPNEGO | Simple and Protected GSSAPI Negotiation Mechanism | http://en.wikipedia.org/wiki/SPNEGO | 1996
      SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

    Spring | FKA Acegi | http://en.wikipedia.org/wiki/Spring_Security | 2004
      (Originally released as Acegi) Client oriented framework supporting most protocols listed here, extensible to support any desired provider. Open, but specific to Java.

    SSPI | Security Support Provider Interface | http://en.wikipedia.org/wiki/SSPI | 1995
      An API mechanism. Used to dynamically support access to various implementations. SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types.
