Secure JAX-RS
HTTPS://WWW.ATBASH.BE
• Verify caller
• No changed messages
• Performant
• C4J
• Senior Java Web Developer, Java Coach, Architect
• Atbash
• Open-Source developer - Java EE - Web Application Security - Testing
• Java EE Believer
@rdebusscher
@Atbash_EE
https://www.atbash.be
http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be
WHO AM I
RUDY DE BUSSCHER
What is Secure Rest?
AGENDA
SHIFT TO REST
• REST == JSON communication over HTTP (ignoring hyperText)
• Why REST?
• No special/specific clients and servers
• HTTP operations like get, post, delete and URI identified
• Simple, lightweight, fast, ...
SHIFT TO REST
Confidentiality : Shield data but also verify the sender
Integrity : Trustworthiness, can data be altered in transit?
Availability : Systems up (but also counter DDoS attacks)
INFORMATION SECURITY
JAX-RS (REST) | SOAP
On top of HTTP protocol, lightweight | Heavy weight due to metadata
Multiple data formats (JSON, XML, ...) | XML only
Easier, loosely coupled | Harder, contract based
Security and authorization are part of the protocol | WS-Security
• Confidentiality
• Integrity
• end-to-end protection of message
• process to process
• Certificates, SAML, XML Signatures, Encryption, ...
SECURITY WITHIN SOAP
• Only capabilities underlying protocol
• HTTPS = Confidentiality + Integrity
• Encrypted
• Message digest (unaltered in transit)
• Few major things are missing
SECURITY WITH JAX-RS
• HTTPS = confidentiality (integrity)
• But
• Sender verification?
• End to end encryption?
• Server to server only (not the process on the server)
SECURITY WITH JAX-RS
Demo
• Verify sender
• end-to-end protection
• (encryption) -> https
GOALS
SECURE REST
WHY HTTPS NOT ENOUGH
Verify Sender
AGENDA
End-to-End protection
Some loose ends
Conclusion
HOW DOES EACH HOP KNOW THE END USER?
USING PASSWORD?
• Basic Auth for each request (stateless!)
• 3000 TPS on LDAP
• Backend through IP whitelisting?
• Each hop
• 12000 TPS on LDAP!
• DDoS attacks -> LDAP down!
• session id = opaque
• Backend needs to lookup info
• Not LDAP but "idHop" is overloaded
SESSIONS?
TOKENS
• Like a long id
• Token contains all info (authc, authz)
• Signed!!
• OpenId Connect - idToken
• MicroProfile JWT Auth Token
TOKEN SOLUTION
• Token = data + signing
• Tamper with data -> signing detects this
• token created by Mallory -> Signing not correct
TOKEN PROTECTION
SIGNING
JWT
Demo
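Added example (not part of the slides or of the atbash/secure-rest code) for the "token = data + signing" point: a minimal JWT built and verified with Python's standard library. Tampering with the payload, or creating a token with a key the server does not know (Mallory), makes verification fail. The keys are constructed demo values; HMAC-SHA256 (HS256) is used here so the example needs no extra library, whereas the MicroProfile JWT tokens from the slides are RSA-signed (RS256), where only the public key is needed to verify.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys for this demo only (hypothetical values).
SERVER_KEY = b"server-signing-key-demo-only"
MALLORY_KEY = b"mallory-guesses-a-different-key"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def create_jwt(claims: dict, key: bytes) -> str:
    """Token = data + signing: header.payload, signed with HMAC-SHA256 over both segments."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment(claims)
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims when the signature is valid for `key`; None otherwise.
    Any malformed segment (bad base64, bad JSON, wrong segment count) is an invalid token."""
    try:
        header, payload, signature = token.split(".")
        hdr = json.loads(b64url_decode(header))
        # Pin the expected algorithm: the verifier, not the token, decides how to verify.
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # covers unpacking, base64 and JSON decoding errors
        return None
    return claims if isinstance(claims, dict) else None


def replace_payload(token: str, new_claims: dict) -> str:
    """Swap the payload segment but keep the original signature:
    this is what changed data looks like on the wire when the signing key is unknown."""
    header, _old_payload, signature = token.split(".")
    return f"{header}.{_segment(new_claims)}.{signature}"


def demo() -> dict:
    genuine = create_jwt({"sub": "alice", "roles": ["user"]}, SERVER_KEY)
    tampered = replace_payload(genuine, {"sub": "alice", "roles": ["admin"]})
    forged = create_jwt({"sub": "alice", "roles": ["admin"]}, MALLORY_KEY)
    return {
        "genuine": verify_jwt(genuine, SERVER_KEY),    # claims are returned
        "tampered": verify_jwt(tampered, SERVER_KEY),  # None: data changed, signature no longer matches
        "forged": verify_jwt(forged, SERVER_KEY),      # None: signed with a key the server does not trust
    }


if __name__ == "__main__":
    print(demo())
```

The verifier pins the algorithm it expects instead of trusting the `alg` field of the incoming token, and treats every decoding error as "invalid token" rather than leaking which part failed.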
End-to-End protection
AGENDA
Some loose ends
Conclusion
Verify sender
• 99% use cases -> guarantee it is not modified
• Personal, medical info -> encryption
ENCRYPTION VS SIGNING
END-TO-END PROTECTION
- Content protected from Process to Process
- No intermediate intervention possible
END-TO-END PROTECTION
APPLICATION LAYER SECURITY
ALSO JWT?
• REST payload as JWT Payload?
• Signed
• Created and verified by process -> E2E
• Payload is not easily readable anymore (tracing/routing on server side)
HTTP SIGNATURES
• Standard by Internet Engineering Task Force (IETF)
• Draft
• Signatures variant (Authentication variant exists)
• Non 'invasive'
HTTP-SIG HOW?
• Additional Header
• Signature : ...
• HTTP friendly
• Signature : keyId="rsa-key-1",algorithm="rsa-sha256",headers="(request-target) host date digest content-length",signature="Base64(RSA-SHA256(signing string))"
HTTP-SIG PARAMETERS
• Headers : What is used in signature 'calculation'
• header name or pseudo header (request target = method + URL path)
• Digest -> Hash of message body
• keyId : Id of the RSA key for Signature
• algorithm : What algorithm used for signature
• signature : operation result
Demo
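Added example (not part of the slides or of the atbashEE/rest-signatures framework) that walks through the HTTP-SIG parameters above on both sides: the sender computes the Digest header from the body, builds the signing string from the covered headers (with the (request-target) pseudo header) and emits the Signature header; the receiving process parses that header and verifies it. The key material is constructed for the demo, and the draft's hmac-sha256 algorithm with a shared secret is used so the code runs on the standard library; the slides use rsa-sha256 with an RSA key pair, where the verifier holds only the public key. Header names are assumed to be lowercase in the dictionaries.

```python
import base64
import hashlib
import hmac
from typing import Dict, Iterable

# Constructed key material for the demo (assumption: shared secret, hmac-sha256).
KEYS: Dict[str, bytes] = {"hmac-key-1": b"demo-only-shared-secret"}

# Headers covered by the signature, in the order they enter the signing string.
COVERED = ["(request-target)", "host", "date", "digest", "content-length"]


def digest_header(body: bytes) -> str:
    """Digest header value: SHA-256 hash of the message body, base64 encoded."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def signing_string(method: str, path: str, headers: Dict[str, str], names: Iterable[str]) -> str:
    """One 'name: value' line per covered header, in the order of the headers= parameter.
    '(request-target)' is the pseudo header: lowercased method + space + URL path."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")  # KeyError if a covered header is absent
    return "\n".join(lines)


def sign_request(method: str, path: str, headers: Dict[str, str], body: bytes, key_id: str) -> Dict[str, str]:
    """Sender side: add Digest, Content-Length and the Signature header."""
    signed = dict(headers)
    signed["digest"] = digest_header(body)
    signed["content-length"] = str(len(body))
    to_sign = signing_string(method, path, signed, COVERED).encode("utf-8")
    signature = base64.b64encode(hmac.new(KEYS[key_id], to_sign, hashlib.sha256).digest()).decode("ascii")
    covered = " ".join(COVERED)
    signed["signature"] = f'keyId="{key_id}",algorithm="hmac-sha256",headers="{covered}",signature="{signature}"'
    return signed


def parse_signature_header(value: str) -> Dict[str, str]:
    """Parse the comma separated key="value" parameters of the Signature header."""
    params = {}
    for part in value.split(","):
        name, _, raw = part.partition("=")
        params[name.strip()] = raw.strip().strip('"')
    return params


def verify_request(method: str, path: str, headers: Dict[str, str], body: bytes) -> bool:
    """Receiving process: the body hash and the covered headers must match what the holder
    of keyId signed. Returns False on any mismatch or malformed input."""
    params = parse_signature_header(headers.get("signature", ""))
    key = KEYS.get(params.get("keyId", ""))
    if key is None or params.get("algorithm") != "hmac-sha256":
        return False
    names = params.get("headers", "").split()
    # Insist that the request target and the body digest are covered; otherwise a valid
    # signature would say nothing about the URL or the content.
    if "(request-target)" not in names or "digest" not in names:
        return False
    # Digest must match the body actually received: detects altered content.
    if not hmac.compare_digest(headers.get("digest", "").encode("utf-8"), digest_header(body).encode("utf-8")):
        return False
    try:
        given = base64.b64decode(params.get("signature", ""), validate=True)
        to_sign = signing_string(method, path, headers, names).encode("utf-8")
    except (KeyError, ValueError):  # covered header missing, or signature not valid base64
        return False
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


def demo() -> Dict[str, bool]:
    body = b'{"order": 42, "amount": 10}'
    request = {"host": "shop.example", "date": "Tue, 07 Jun 2016 20:51:35 GMT"}  # constructed values
    signed = sign_request("POST", "/orders", request, body, "hmac-key-1")
    return {
        "genuine": verify_request("POST", "/orders", signed, body),
        "altered_body": verify_request("POST", "/orders", signed, b'{"order": 42, "amount": 1000}'),
        "altered_path": verify_request("POST", "/admin/orders", signed, body),
    }


if __name__ == "__main__":
    print(demo())
```

Because the Date header is part of the signing string, a receiving process can additionally reject signatures whose date is outside an accepted window; that check is left out here to keep the example focused on the parameters the slide lists.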
Some loose ends
AGENDA
Conclusion
Verify sender
End-to-end protection
COMBINING WITH AUTHC
• RSA key for signature
• Can be used to identify remote
• Use it with Authorization header
• Authorization : Signature keyId="...
• Or combine it with OAuth2 / OpenId Bearer header
• Authorization : Bearer ey...
• Signature : keyId="...
JAVASCRIPT FRAMEWORKS
Can browser/javaScript keep secrets private?
Most experts agree it is not possible
XSS scripts
• Good start
• Standardised correct code
• PRNG and BigInt
• No advice on what to use when
• Beware of storing keys
• Local storage is not safe
• Use Password encrypted formats
• Not all browsers support it (some only old variants)
WEB CRYPTOGRAPHY API
Conclusion
AGENDA
Verify sender
End-to-End protection
Some loose ends
TAKEAWAYS
• JAX-RS has no intrinsic security aspects
• JWT ideal to keep Authentication / Authorization info
• SSL (HTTPS) does not eliminate need for encryption
• HTTP signatures ideal for end to end protection of content
• Browser (JavaScript) still issue in keeping things private
• Webshop
• https://github.com/rdebusscher/secure-rest
• Http Signature Framework
• https://github.com/atbashEE/rest-signatures
CODE
Q & A

 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 

Secure JAX-RS

18. USING PASSWORD?
  • Basic Auth for each request (stateless!)
  • 3000 TPS on LDAP
  • Backend through IP whitelisting?
  • Each hop
  • 12000 TPS on LDAP!
  • DDOS attacks -> LDAP down!

19. SESSIONS?
  • session id = opaque
  • Backend needs to lookup info
  • Not LDAP but "idHop" is overloaded

20. TOKENS
  • Like a long id
  • Token contains all info (authc, authz)
  • Signed!!
  • OpenId Connect - idToken
  • MicroProfile JWT Auth Token

21. TOKEN SOLUTION

22. TOKEN PROTECTION
  • Token = data + signing
  • Tamper with data -> signing detects this
  • token created by Mallory -> Signing not correct

23. SIGNING

24. JWT
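An added example, not code from the slides or from the linked webshop project, of the "token = data + signing" idea on slide 22: mint a compact JWT, then show that a changed payload, or a token minted by someone without the issuer's key, fails verification. It uses an HMAC secret (HS256) where the talk signs with an RSA key; the key and the claims are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Only the issuer holds it; the talk uses an RSA key
# pair, this added example uses an HMAC secret (HS256) instead.
ISSUER_KEY = b"constructed-demo-key-not-for-production"

def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    """Token = data + signature: base64url(header).base64url(payload).signature."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_token(token: str, key: bytes):
    """Return the claims if the signature is valid, otherwise None.
    A modified payload or a token minted with another key (Mallory) changes
    the expected MAC, so both are rejected before any claim is trusted."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def tampered_copy(token: str, **changes) -> str:
    """Same token with altered claims but the original signature: the case a
    verifier must catch when data is changed in transit."""
    header, payload, sig = token.split(".")
    claims = dict(json.loads(_b64url_decode(payload)), **changes)
    return f"{header}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
```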
25. Demo

26. AGENDA
  • End-to-End protection
  • Some loose ends
  • Conclusion
  • Verify sender

27. ENCRYPTION VS SIGNING
  • 99% use cases -> guarantee it is not modified
  • Personal, medical info -> encryption

28. END-TO-END PROTECTION
  - Content protected from Process to Process
  - No intermediate intervention possible

29. END-TO-END PROTECTION: APPLICATION LAYER SECURITY

30. ALSO JWT?
  • REST payload as JWT Payload?
  • Signed
  • Created and verified by process -> E2E
  • Payload is not easily readable anymore (tracing/routing on server side)

31. HTTP SIGNATURES
  • Standard by Internet Engineering Task Force (IETF)
  • Draft
  • Signatures variant (Authentication variant exists)
  • Non 'invasive'

32. HTTP-SIG HOW?
  • Additional Header
  • Signature : ...
  • HTTP friendly
  • Signature : keyId="rsa-key-1",algorithm="rsa-sha256",headers="(request-target) host date digest content-length",signature="Base64(RSA-SHA256(signing string))"

33. HTTP-SIG PARAMETERS
  • Headers : What is used in signature 'calculation'
  • header name or pseudo header (request target = method + URL path)
  • Digest -> Hash of message body
  • keyId : Id of the RSA key for Signature
  • algorithm : What algorithm used for signature
  • signature : operation result
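An added example, not part of the slides or of the atbashEE rest-signatures framework, of how the Signature header on slides 32 and 33 is built and checked: the Digest of the body, the signing string assembled from the listed headers and the (request-target) pseudo header, and a server-side check that also insists the target and the digest were among the signed headers. HMAC-SHA256 stands in for the slides' rsa-sha256; the key, key id and header values are constructed.

```python
import base64
import hashlib
import hmac

# Constructed demo key; the slides use an RSA key (rsa-sha256), this added
# example substitutes HMAC-SHA256 so it runs on the standard library alone.
KEYS = {"rsa-key-1": b"constructed-demo-key-not-for-production"}
SIGNED = ["(request-target)", "host", "date", "digest", "content-length"]

def digest_header(body: bytes) -> str:
    """Digest header: hash of the message body, so the body is covered too."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(method: str, path: str, headers: dict, names: list) -> str:
    """One 'name: value' line per listed header, in the listed order;
    (request-target) is the pseudo header: lowercase method + URL path."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = [f"(request-target): {method.lower()} {path}" if n == "(request-target)"
             else f"{n}: {lower[n]}" for n in names]  # KeyError if a header is absent
    return "\n".join(lines)

def sign_request(method, path, headers, body, key_id) -> dict:
    """Client side: add Digest and Content-Length, then the Signature header."""
    headers = dict(headers, Digest=digest_header(body))
    headers["Content-Length"] = str(len(body))
    to_sign = signing_string(method, path, headers, SIGNED).encode()
    mac = hmac.new(KEYS[key_id], to_sign, hashlib.sha256).digest()
    headers["Signature"] = (f'keyId="{key_id}",algorithm="hmac-sha256",'
                            f'headers="{" ".join(SIGNED)}",'
                            f'signature="{base64.b64encode(mac).decode()}"')
    return headers

def verify_request(method, path, headers, body) -> bool:
    """Server side: parse Signature, recompute Digest over the body actually
    received, rebuild the signing string and compare the signature value."""
    try:
        params = {k: v.strip('"') for k, v in
                  (p.split("=", 1) for p in headers["Signature"].split(","))}
        names = params["headers"].split(" ")
        key = KEYS[params["keyId"]]
        # Require target and body hash among the signed headers; fewer protects less.
        if (not {"(request-target)", "digest"} <= set(names)
                or headers.get("Digest") != digest_header(body)):
            return False
        to_sign = signing_string(method, path, headers, names).encode()
        expected = hmac.new(key, to_sign, hashlib.sha256).digest()
        return hmac.compare_digest(expected, base64.b64decode(params["signature"]))
    except (KeyError, ValueError):
        return False
```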
34. Demo

35. AGENDA
  • Some loose ends
  • Conclusion
  • Verify sender
  • End-to-end protection

36. COMBINING WITH AUTHC
  • RSA key for signature
  • Can be used to identify remote
  • Use it with Authorization header
  • Authorization : Signature keyId="...
  • Or combine it with OAuth2 / OpenId Bearer header
  • Authorization : Bearer ey...
  • Signature : keyId="...

37. JAVASCRIPT FRAMEWORKS
  Can browser/JavaScript keep secrets private? Most experts agree it is not possible (XSS scripts).

38. WEB CRYPTOGRAPHY API
  • Good start
  • Standardised correct code
  • PRNG and BigInt
  • No advice on what to use when
  • Beware of storing keys
  • Local storage is not safe
  • Use password-encrypted formats
  • Not all browsers support it (some only old variants)

39. AGENDA
  • Conclusion
  • Verify sender
  • End-to-End protection
  • Some loose ends

40. TAKEAWAYS
  • JAX-RS has no intrinsic security aspects
  • JWT ideal to keep Authentication / Authorization info
  • SSL (HTTPS) does not eliminate need for encryption
  • HTTP signatures ideal for end to end protection of content
  • Browser (JavaScript) still an issue in keeping things private

41. CODE
  • Webshop: https://github.com/rdebusscher/secure-rest
  • Http Signature Framework: https://github.com/atbashEE/rest-signatures

42. Q & A