Claire Hunsaker, profile picture
Uploaded byClaire Hunsaker
PDF, PPTX6,957 views

Securing REST APIs

The document outlines best practices for securing REST APIs, focusing on statelessness, authentication, and authorization. It includes recommendations for error representation and HTTP status codes, emphasizing the use of API keys and OAuth for secure access. The content is structured to provide guidelines for ensuring security without sessions while utilizing Apache Shiro for authorization management.

TechnologyDesign
Related topics:
Application Security

Embed presentation

Download as PDF, PPTX
Securing  REST  APIs   Les  Hazlewood   Apache  Shiro  Project  Chair   CTO,  Stormpath  
Topics   •  General  API  Best  Prac:ces   •  Statelessness   •  Authen:ca:on   •  Authoriza:on  (access  control)  
General  REST  API  Best  Prac=ces   •  Base  URL   •  Integer  Version   •  HTTP  vs  HTTPS   •  Nice  Error  Representa:ons  
Base  URL  +  Version   hHps://api.stormpath.com/v1  
Error  Representa=on   •  HTTP  Status  Code   •  Applica:on-­‐specific  Error  Code  (18  4xx,  6  5xx)   •  End-­‐user  Message   •  Developer  Message   •  More  Info  URL  
Error  Representa=on  Example   HTTP/1.1  404  Not  Found     {          "status":  404,          "code":  404,          "message":  "Oops!  That  applica:on  cannot  be  found.",          "developerMessage":  "The  specified  Applica:on  cannot  be  found.     If  you  accessed  this        url  via  a  stale  href  reference,  it  might  be   helpful  to  acquire  the  tenant's  Applica:on  Collec:on  Resource  to   obtain  the  current  list  of  applica:ons.",          "moreInfo":  "hHp://www.stormpath.com/docs/errors/404"   }  
Statelessness   •  No  sessions!   Session  clustering  (and  all  that  it  implies)   •  How  do  you  prevent  sessions?   Your  code?   Framework  code?    
NoSessionCreationFilter [main] … [urls] /v1/** = noSessionCreation, authcBasic, …  
Authen=ca=on   •  What  is  safe?   •  SSL  –  server  vs  client   •  Username/Password,  BASIC  authen:ca:on   •  API  Keys   •  What  is  OAuth?  
HTTP  Basic  Authen=ca=on   [main] … [urls] /v1/** = ssl, noSessionCreation, authcBasic, …  
OAuth   •  Protocol   •  Designed  for  3  par:es,  can  be  used  for  2   •  1.0a  vs  2.0   •  Signature  algorithm  (HMAC)   •  Shiro  &  Scribe  
Authoriza=on   •  Filter   •  Excep:on  handling  
HEpMethodPermissionFilter   [main] rest = org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter [urls] /v1/user = noSessionCreation, authcBasic, rest[user] /v1/** = noSessionCreation, authcBasic
Excep=on  Handler   •  Annota:on  or  asser:on   •  MVC  framework  or  JSP  ‘catch  all’  à  JSON   @RequiresPermission   public  void  doSomething()  {  …}     subject.checkPermission(“user:read”);  

More Related Content

PDF
Super simple application security with Apache Shiro
byMarakana Inc.
 
PPTX
Intro to Apache Shiro
byClaire Hunsaker
 
PPTX
Build A Killer Client For Your REST+JSON API
byStormpath
 
PPTX
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
byDataStax Academy
 
PPTX
Secure Your REST API (The Right Way)
byStormpath
 
PPTX
Token Authentication for Java Applications
byStormpath
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PPTX
JWT Authentication with AngularJS
byrobertjd
 
Super simple application security with Apache Shiro
byMarakana Inc.
 
Intro to Apache Shiro
byClaire Hunsaker
 
Build A Killer Client For Your REST+JSON API
byStormpath
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
byDataStax Academy
 
Secure Your REST API (The Right Way)
byStormpath
 
Token Authentication for Java Applications
byStormpath
 
Securing Web Applications with Token Authentication
byStormpath
 
JWT Authentication with AngularJS
byrobertjd
 

What's hot

PPTX
Rest API Security
byStormpath
 
PPTX
Securing Single Page Applications with Token Based Authentication
byStefan Achtsnit
 
PDF
Secure Web Services
byRob Daigneau
 
PPTX
Single-Page-Application & REST security
byIgor Bossenko
 
PPTX
Build a Node.js Client for Your REST+JSON API
byStormpath
 
PDF
Authentication: Cookies vs JWTs and why you’re doing it wrong
byDerek Perkins
 
PDF
Securty Testing For RESTful Applications
bySource Conference
 
PDF
Rest Security with JAX-RS
byFrank Kim
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
PDF
From 0 to Spring Security 4.0
byrobwinch
 
PPTX
D@W REST security
byGaurav Sharma
 
PPTX
Token Authentication in ASP.NET Core
byStormpath
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
PPTX
Access Control Pitfalls v2
byJim Manico
 
PPTX
Building Layers of Defense with Spring Security
byJoris Kuipers
 
PPTX
Securing RESTful Payment APIs Using OAuth 2
byJonathan LeBlanc
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
Building an API Security Ecosystem
byPrabath Siriwardena
 
PPTX
Api security
byteodorcotruta
 
PPTX
Building Secure User Interfaces With JWTs
byrobertjd
 
Rest API Security
byStormpath
 
Securing Single Page Applications with Token Based Authentication
byStefan Achtsnit
 
Secure Web Services
byRob Daigneau
 
Single-Page-Application & REST security
byIgor Bossenko
 
Build a Node.js Client for Your REST+JSON API
byStormpath
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
byDerek Perkins
 
Securty Testing For RESTful Applications
bySource Conference
 
Rest Security with JAX-RS
byFrank Kim
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
From 0 to Spring Security 4.0
byrobwinch
 
D@W REST security
byGaurav Sharma
 
Token Authentication in ASP.NET Core
byStormpath
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
Access Control Pitfalls v2
byJim Manico
 
Building Layers of Defense with Spring Security
byJoris Kuipers
 
Securing RESTful Payment APIs Using OAuth 2
byJonathan LeBlanc
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
Building an API Security Ecosystem
byPrabath Siriwardena
 
Api security
byteodorcotruta
 
Building Secure User Interfaces With JWTs
byrobertjd
 

Similar to Securing REST APIs

PPTX
Beautiful REST and JSON APIs - Les Hazlewood
byjaxconf
 
ODP
Attacking REST API
bySiddharth Bezalwar
 
PPTX
Secureyourrestapi 140530183606-phpapp02
bySubhajit Bhuiya
 
PDF
When and Why Would I use Oauth2?
byDave Syer
 
ODP
NEPHP '13: Pragmatic API Development
byAndrew Curioso
 
PDF
OAuth Tokens
byn|u - The Open Security Community
 
PPTX
REST API Design for JAX-RS And Jersey
byStormpath
 
PPTX
RESTful Web Services
byGordon Dickens
 
PDF
REST in theory
byAlex Muntada Duran
 
PDF
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
byAdar Weidman
 
PDF
Techniques for securing rest
bySudhakar Anivella
 
PDF
APIs REST Usables con Hypermedia por Javier Ramirez, para codemotion
byjavier ramirez
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PDF
Resource-Oriented Web Services
byBradley Holt
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
PDF
REST 101: An Overview To Representational State Transfer.
byOmar Fernando Zafe
 
PPTX
NEPHP '12: Create a RESTful API
byAndrew Curioso
 
PPTX
Rest presentation
bysrividhyau
 
PPTX
API
byMasters Academy
 
PPTX
Restful api
byAnurag Srivastava
 
Beautiful REST and JSON APIs - Les Hazlewood
byjaxconf
 
Attacking REST API
bySiddharth Bezalwar
 
Secureyourrestapi 140530183606-phpapp02
bySubhajit Bhuiya
 
When and Why Would I use Oauth2?
byDave Syer
 
NEPHP '13: Pragmatic API Development
byAndrew Curioso
 
OAuth Tokens
byn|u - The Open Security Community
 
REST API Design for JAX-RS And Jersey
byStormpath
 
RESTful Web Services
byGordon Dickens
 
REST in theory
byAlex Muntada Duran
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
byAdar Weidman
 
Techniques for securing rest
bySudhakar Anivella
 
APIs REST Usables con Hypermedia por Javier Ramirez, para codemotion
byjavier ramirez
 
API SECURITY
byTubagus Rizky Dharmawan
 
Resource-Oriented Web Services
byBradley Holt
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
REST 101: An Overview To Representational State Transfer.
byOmar Fernando Zafe
 
NEPHP '12: Create a RESTful API
byAndrew Curioso
 
Rest presentation
bysrividhyau
 
API
byMasters Academy
 
Restful api
byAnurag Srivastava
 

Recently uploaded

PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
final.pdf
byomarbishtawi04
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
apidays New York 2025 | AI in Application Security
byapidays
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
final.pdf
byomarbishtawi04
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 

Securing REST APIs

  • 1.
    Securing  REST  APIs   Les  Hazlewood   Apache  Shiro  Project  Chair   CTO,  Stormpath  
  • 2.
    Topics   •  General  API  Best  Prac:ces   •  Statelessness   •  Authen:ca:on   •  Authoriza:on  (access  control)  
  • 3.
    General  REST  API  Best  Prac=ces   •  Base  URL   •  Integer  Version   •  HTTP  vs  HTTPS   •  Nice  Error  Representa:ons  
  • 4.
    Base  URL  +  Version   hHps://api.stormpath.com/v1  
  • 5.
    Error  Representa=on   • HTTP  Status  Code   •  Applica:on-­‐specific  Error  Code  (18  4xx,  6  5xx)   •  End-­‐user  Message   •  Developer  Message   •  More  Info  URL  
  • 6.
    Error  Representa=on  Example   HTTP/1.1  404  Not  Found     {          "status":  404,          "code":  404,          "message":  "Oops!  That  applica:on  cannot  be  found.",          "developerMessage":  "The  specified  Applica:on  cannot  be  found.     If  you  accessed  this        url  via  a  stale  href  reference,  it  might  be   helpful  to  acquire  the  tenant's  Applica:on  Collec:on  Resource  to   obtain  the  current  list  of  applica:ons.",          "moreInfo":  "hHp://www.stormpath.com/docs/errors/404"   }  
  • 7.
    Statelessness   •  No  sessions!   Session  clustering  (and  all  that  it  implies)   •  How  do  you  prevent  sessions?   Your  code?   Framework  code?    
  • 8.
  • 9.
    Authen=ca=on   •  What  is  safe?   •  SSL  –  server  vs  client   •  Username/Password,  BASIC  authen:ca:on   •  API  Keys   •  What  is  OAuth?  
  • 10.
    HTTP  Basic  Authen=ca=on   [main] … [urls] /v1/** = ssl, noSessionCreation, authcBasic, …  
  • 11.
    OAuth   •  Protocol   •  Designed  for  3  par:es,  can  be  used  for  2   •  1.0a  vs  2.0   •  Signature  algorithm  (HMAC)   •  Shiro  &  Scribe  
  • 12.
    Authoriza=on   •  Filter   •  Excep:on  handling  
  • 13.
    HEpMethodPermissionFilter   [main] rest = org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter [urls] /v1/user = noSessionCreation, authcBasic, rest[user] /v1/** = noSessionCreation, authcBasic
  • 14.
    Excep=on  Handler   • Annota:on  or  asser:on   •  MVC  framework  or  JSP  ‘catch  all’  à  JSON   @RequiresPermission   public  void  doSomething()  {  …}     subject.checkPermission(“user:read”);