Secure JAX-RS
HTTPS://WWW.ATBASH.BE
• Verify caller
• No changed messages
• Performant
WHO AM I: RUDY DE BUSSCHER
• C4J
• Senior Java Web Developer, Java Coach, Architect
• Atbash
• Open-Source developer - Java EE - Web Application Security - Testing
• Java EE Believer
@rdebusscher
@Atbash_EE
https://www.atbash.be
http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be
AGENDA
What is Secure Rest?
SHIFT TO REST
• REST == JSON communication over HTTP (ignoring hyperText)
• Why REST?
• No special/specific clients and servers
• HTTP operations like GET, POST, DELETE on URI-identified resources
• Simple, lightweight, fast, ...
INFORMATION SECURITY
Confidentiality: Shield data, but also verify the sender
Integrity: Trustworthiness; can data be altered in transit?
Availability: Systems up (but also counter DDoS attacks)
JAX-RS (Rest)                           | SOAP
On top of HTTP protocol, lightweight    | Heavy weight due to metadata
Multiple data formats (JSON, XML, ...)  | XML only
Easier, loosely coupled                 | Harder, contract based
                                        | Security and authorization are part of the protocol (WS-Security)
SECURITY WITHIN SOAP
WS-Security
• Confidentiality
• Integrity
• End-to-end protection of the message
• Process to process
• Certificates, SAML, XML Signatures, Encryption, ...
SECURITY WITH JAX-RS
• Only the capabilities of the underlying protocol
• HTTPS = Confidentiality + Integrity
• Encrypted
• Message digest (unaltered in transit)
• A few major things are missing
SECURITY WITH JAX-RS
• HTTPS = confidentiality (+ integrity)
• But
• Sender verification?
• End-to-end encryption?
• Server to server only (not the process on the server)
Demo
GOALS
• Verify sender
• End-to-end protection
• (encryption) -> HTTPS
SECURE REST
WHY HTTPS IS NOT ENOUGH
AGENDA
Verify Sender
End-to-End protection
Some loose ends
Conclusion
HOW DOES EACH HOP KNOW THE END USER?

USING PASSWORD?
• Basic Auth for each request (stateless!)
• 3000 TPS on LDAP
• Backend through IP whitelisting?
• Each hop
• 12000 TPS on LDAP!
• DDoS attacks -> LDAP down!

SESSIONS?
• Session id = opaque
• Backend needs to look up info
• Not LDAP but "idHop" is overloaded
TOKENS

TOKEN SOLUTION
• Like a long id
• Token contains all info (authc, authz)
• Signed!!
• OpenID Connect - idToken
• MicroProfile JWT Auth Token
TOKEN PROTECTION
• Token = data + signing
• Tamper with data -> signing detects this
• Token created by Mallory -> signature not correct

SIGNING JWT
Demo
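The two failure cases on the Token Protection slide (payload tampered after signing, token minted by Mallory with a key the server does not trust) can be checked with a few lines of standard-library code. This is an added example, not code from the slides or from the secure-rest demo repository; it uses HS256 (HMAC-SHA256) rather than an RSA key so it runs without third-party libraries, and the two keys and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo keys; in a deployment they come from a key store (assumption).
SERVER_KEY = b"server-secret-key-for-demo-only"
MALLORY_KEY = b"mallory-does-not-hold-the-server-key"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def mint_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256 tag)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims when the signature checks out under key, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Refuse "none" and any algorithm the server did not mint with.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64url or malformed JSON
        return None


def tamper_with_claims(token: str, **changes) -> str:
    """Rewrite claims in the payload segment while keeping the original signature segment."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims.update(changes)
    return h + "." + _b64url(_json(claims)) + "." + s


def demo() -> dict:
    """Genuine token verifies; a tampered payload and a token minted with another key do not."""
    token = mint_jwt({"sub": "alice", "groups": ["user"]}, SERVER_KEY)
    tampered = tamper_with_claims(token, groups=["admin"])
    mallory = mint_jwt({"sub": "alice", "groups": ["admin"]}, MALLORY_KEY)
    return {
        "genuine": verify_jwt(token, SERVER_KEY) is not None,
        "tampered": verify_jwt(tampered, SERVER_KEY) is not None,
        "mallory": verify_jwt(mallory, SERVER_KEY) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the slide makes is in `verify_jwt`: the MAC is computed over the header and payload segments exactly as received, so any change to the claims, or a signature produced with a key the server does not hold, fails `compare_digest`. With an RSA key (as in MicroProfile JWT Auth) the verifier would hold only the public key, which is what lets every hop verify without being able to mint.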
AGENDA
End-to-End protection
Some loose ends
Conclusion
Verify sender
ENCRYPTION VS SIGNING
• 99% of use cases -> guarantee it is not modified
• Personal, medical info -> encryption
END-TO-END PROTECTION
- Content protected from process to process
- No intermediate intervention possible
APPLICATION LAYER SECURITY

ALSO JWT?
• REST payload as JWT payload?
• Signed
• Created and verified by process -> E2E
• Payload is not easily readable anymore (tracing/routing on server side)
HTTP SIGNATURES
• Standard by Internet Engineering Task Force (IETF)
• Draft
• Signatures variant (an Authentication variant exists)
• Non-'invasive'
HTTP-SIG HOW?
• Additional header
• Signature: ...
• HTTP friendly
• Signature: keyId="rsa-key-1",algorithm="rsa-sha256",headers="(request-target) host date digest content-length",signature="Base64(RSA-SHA256(signing string))"
HTTP-SIG PARAMETERS
• headers: which headers are used in the signature 'calculation'
• Header name or pseudo header ((request-target) = method + URL path)
• Digest -> hash of the message body
• keyId: id of the RSA key used for the signature
• algorithm: which algorithm is used for the signature
• signature: the operation result
Demo
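The three HTTP-Sig slides above describe the header format, the signing string and the parameters; the following added example, not code from the slides or from the atbash rest-signatures project, carries both sides of the exchange through: the calling process adds Digest and Signature headers, and the receiving process rebuilds the signing string from the headers named in the `headers` parameter and checks it. The slide's example uses `rsa-sha256`; this example substitutes `hmac-sha256` (also defined in the draft) so it runs on the Python standard library alone. The key id `hmac-key-1`, the shared key and the order request are constructed for the demo.

```python
import base64
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

# Constructed shared key; keyId tells the verifier which key to look up. Assumption:
# a real deployment keeps keys in a key store (or uses an RSA key pair as on the slide).
KEYS = {"hmac-key-1": b"demo-shared-secret-between-the-two-processes"}
# The headers the slide's example covers, in signing order.
REQUIRED_HEADERS = ["(request-target)", "host", "date", "digest", "content-length"]


def digest_header(body: bytes) -> str:
    """RFC 3230 instance digest of the body: SHA-256=Base64(hash)."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def signing_string(method: str, path: str, headers: Dict[str, str], names: Iterable[str]) -> str:
    """One 'name: value' line per covered header, in the order of the headers parameter;
    the (request-target) pseudo header expands to lowercase method + path."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name].strip()}")  # header names kept lowercase here
    return "\n".join(lines)


def sign_request(method: str, path: str, headers: Dict[str, str], body: bytes, key_id: str) -> Dict[str, str]:
    """Calling process: add Digest, Content-Length and Signature headers to the request."""
    headers = dict(headers)
    headers["digest"] = digest_header(body)
    headers["content-length"] = str(len(body))
    to_sign = signing_string(method, path, headers, REQUIRED_HEADERS).encode("utf-8")
    mac = hmac.new(KEYS[key_id], to_sign, hashlib.sha256).digest()
    headers["signature"] = (
        f'keyId="{key_id}",algorithm="hmac-sha256",'
        f'headers="{" ".join(REQUIRED_HEADERS)}",'
        f'signature="{base64.b64encode(mac).decode("ascii")}"'
    )
    return headers


def parse_signature_header(value: str) -> Dict[str, str]:
    """Split the key="value" pairs; none of the values in this header contain a comma."""
    params = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip().strip('"')
    return params


def verify_request(method: str, path: str, headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
    """Receiving process: check the body digest, then recompute the MAC over the signing string."""
    if "signature" not in headers:
        return False, "no Signature header"
    params = parse_signature_header(headers["signature"])
    key = KEYS.get(params.get("keyId", ""))
    if key is None:
        return False, "unknown keyId"
    if params.get("algorithm") != "hmac-sha256":
        return False, "unsupported algorithm"
    covered = params.get("headers", "").split()
    # The verifier, not the sender, decides which headers must be covered: a signature that
    # left out digest or (request-target) would bind neither the body nor the URL.
    if not set(REQUIRED_HEADERS) <= set(covered):
        return False, "signature does not cover required headers"
    if not hmac.compare_digest(headers.get("digest", "").encode("utf-8"),
                               digest_header(body).encode("utf-8")):
        return False, "digest mismatch: body altered"
    try:
        provided = base64.b64decode(params.get("signature", ""), validate=True)
        expected = hmac.new(key, signing_string(method, path, headers, covered).encode("utf-8"),
                            hashlib.sha256).digest()
    except (KeyError, ValueError):  # a covered header is absent, or the signature is not base64
        return False, "malformed signature"
    if not hmac.compare_digest(expected, provided):
        return False, "signature mismatch: headers or target altered"
    return True, "ok"


def demo() -> Dict[str, object]:
    """Constructed request: genuine verifies; altered body, re-digested body and changed path do not."""
    body = b'{"orderId": 42, "amount": 10}'
    base = {"host": "shop.example", "date": "Tue, 07 Jun 2016 20:51:35 GMT"}
    signed = sign_request("POST", "/orders", base, body, "hmac-key-1")
    altered = b'{"orderId": 42, "amount": 1}'
    # Digest recomputed for the new body by an intermediary, original Signature kept.
    redigested = dict(signed, digest=digest_header(altered))
    return {
        "genuine": verify_request("POST", "/orders", signed, body)[0],
        "altered_body": verify_request("POST", "/orders", signed, altered)[1],
        "redigested_body": verify_request("POST", "/orders", redigested, altered)[1],
        "other_path": verify_request("POST", "/admin/orders", signed, body)[1],
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the end-to-end property the slides are after. Digest binds the body to the signature only because `digest` itself is one of the covered headers, so an intermediary that rewrites the body and refreshes Digest still fails on the signature. And the verifier enforces its own list of required headers instead of trusting whatever the `headers` parameter names, otherwise a signature covering only `date` would verify while leaving body and target unprotected.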
AGENDA
Some loose ends
Conclusion
Verify sender
End-to-end protection
COMBINING WITH AUTHC
• RSA key for signature
• Can be used to identify the remote party
• Use it with the Authorization header
• Authorization: Signature keyId="...
• Or combine it with an OAuth2 / OpenID Bearer header
• Authorization: Bearer ey...
• Signature: keyId="...
JAVASCRIPT FRAMEWORKS
Can the browser/JavaScript keep secrets private?
Most experts agree it is not possible
XSS scripts
WEB CRYPTOGRAPHY API
• Good start
• Standardised correct code
• PRNG and BigInt
• No advice on what to use when
• Beware of storing keys
• Local storage is not safe
• Use password-encrypted formats
• Not all browsers support it (some only old variants)
AGENDA
Conclusion
Verify sender
End-to-End protection
Some loose ends
TAKEAWAYS
• JAX-RS has no intrinsic security aspects
• JWT ideal to keep authentication / authorization info
• SSL (HTTPS) does not eliminate the need for encryption
• HTTP signatures ideal for end-to-end protection of content
• Browser (JavaScript) still an issue in keeping things private
CODE
• Webshop
• https://github.com/rdebusscher/secure-rest
• Http Signature Framework
• https://github.com/atbashEE/rest-signatures
Q & A
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 

Secure JAX-RS

2.
• Verify caller
• No changed messages
• Performant

3. WHO AM I: RUDY DE BUSSCHER
• C4J
• Senior Java Web Developer, Java Coach, Architect
• Atbash
• Open-Source developer - Java EE - Web Application Security - Testing
• Java EE Believer
@rdebusscher
@Atbash_EE
https://www.atbash.be
http://jsfcorner.blogspot.be
http://javaeesquad.blogspot.be

4. AGENDA
What is Secure Rest?

5. SHIFT TO REST

6. SHIFT TO REST
• REST == JSON communication over HTTP (ignoring hyperText)
• Why REST?
• No special/specific clients and servers
• HTTP operations like get, post, delete and URI identified
• Simple, lightweight, fast, ...

7. INFORMATION SECURITY
Confidentiality : Shield data but also verify the sender
Integrity : Trustworthiness, can data be altered in transit?
Availability : Systems up (but also counter DDOS attacks)

8. JAX-RS (Rest) vs SOAP
   JAX-RS (Rest)                                         SOAP
   On top of HTTP protocol, lightweight                  Heavy weight due to metadata
   Multiple data formats (JSON, XML, ...)                XML only
   Easier, loosely                                       Harder, contract based
   Security and authorization are part of the protocol

9. SECURITY WITHIN SOAP
WS-security
• Confidentiality
• Integrity
• end-to-end protection of message
• process to process
• Certificates, SAML, XML Signatures, Encryption, ...

10. SECURITY WITH JAX-RS
• Only capabilities underlying protocol
• HTTPS = Confidentiality + Integrity
• Encrypted
• Message digest (unaltered in transit)
• Few major things are missing

11. SECURITY WITH JAX-RS
• HTTPS = confidentiality (integrity)
• But
• Sender verification?
• End to end encryption?
• Server to server only (not the process on the server)

12. Demo

13. GOALS: SECURE REST
• Verify sender
• end-to-end protection
• (encryption) -> https

14. WHY HTTPS NOT ENOUGH

15. (no transcript text)

16. AGENDA
Verify Sender
End-to-End protection
Some loose ends
Conclusion

17. HOW DOES EACH HOP KNOW THE END USER?

18. USING PASSWORD?
• Basic Auth for each request (stateless!)
• 3000 TPS on LDAP
• Backend through IP whiteListing?
• Each hop
• 12000 TPS on LDAP!
• DDOS attacks -> LDAP down!

19. SESSIONS?
• session id = opaque
• Backend needs to lookup info
• Not LDAP but "idHop" is overloaded

20. TOKENS
• Like a long id
• Token contains all info (authc, authz)
• Signed!!
• OpenId Connect - idToken
• MicroProfile JWT Auth Token

21. TOKEN SOLUTION

22. TOKEN PROTECTION
• Token = data + signing
• Tamper with data -> signing detects this
• token created by Mallory -> Signing not correct

23. SIGNING

24. JWT

25. Demo
26. AGENDA
Verify sender
End-to-End protection
Some loose ends
Conclusion

27. ENCRYPTION VS SIGNING
• 99% use cases -> guarantee it is not modified
• Personal, medical info -> encryption

28. END-TO-END PROTECTION
- Content protected from Process to Process
- No intermediate intervention possible

29. END-TO-END PROTECTION
APPLICATION LAYER SECURITY

30. ALSO JWT?
• REST payload as JWT Payload?
• Signed
• Created and verified by process -> E2E
• Payload is not easy readable anymore (tracing/routing on server side)

31. HTTP SIGNATURES
• Standard by Internet Engineering Task Force (IETF)
• Draft
• Signatures variant (Authentication variant exists)
• Non 'invasive'

32. HTTP-SIG HOW?
• Additional Header
• Signature : ...
• HTTP friendly
• Signature : keyId="rsa-key-1",algorithm="rsa-sha256",headers="(request-target) host date digest content-length",signature="Base64(RSA-SHA256(signing string))"

33. HTTP-SIG PARAMETERS
• Headers : What is used in signature 'calculation'
• header name of pseudo header (request target = method + URL path)
• Digest -> Hash of message body
• keyId : Id of the RSA key for Signature
• algorithm : What algorithm used for signature
• signature : operation result

34. Demo
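Slides 32 and 33 give the shape of the Signature header and its parameters but not the steps behind it. The following added example (not code from the deck, nor from the atbash rest-signatures framework) walks through them in Python: build the Digest header from the body, assemble the signing string from the listed headers with `(request-target)` as `method path`, sign it, emit the Signature header, and on the receiving side parse the header, recompute everything and compare. It uses `hmac-sha256` with a constructed shared key rather than the `rsa-sha256` of the slide so that it runs with the standard library only; the host, path, date and body are constructed sample values.

```python
# Added example (not from the slides): HTTP Signatures (IETF draft style) with
# hmac-sha256 instead of rsa-sha256, covering (request-target), host, date,
# digest and content-length, plus the receiver-side verification.
import base64
import hashlib
import hmac
from typing import Dict, Optional

SIGNED_HEADERS = ["(request-target)", "host", "date", "digest", "content-length"]
KEYS: Dict[str, bytes] = {"hmac-key-1": b"constructed-shared-secret"}  # constructed sample key


def digest_header(body: bytes) -> str:
    """Digest header value: hash of the message body (slide 33)."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def signing_string(method: str, path: str, headers: Dict[str, str], names) -> str:
    """One 'name: value' line per listed header; (request-target) is method + URL path."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")  # KeyError if the header is absent
    return "\n".join(lines)


def sign_request(method: str, path: str, headers: Dict[str, str], body: bytes,
                 key_id: str, key: bytes) -> Dict[str, str]:
    """Return the headers extended with Digest, Content-Length and the Signature header."""
    out = dict(headers)
    out["digest"] = digest_header(body)
    out["content-length"] = str(len(body))
    text = signing_string(method, path, out, SIGNED_HEADERS)
    sig = base64.b64encode(hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()).decode("ascii")
    out["signature"] = (f'keyId="{key_id}",algorithm="hmac-sha256",'
                        f'headers="{" ".join(SIGNED_HEADERS)}",signature="{sig}"')
    return out


def parse_signature_header(value: str) -> Dict[str, str]:
    """keyId="..",algorithm="..",headers="..",signature=".." -> dict (values hold no commas)."""
    params = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        if key.strip():
            params[key.strip()] = val.strip().strip('"')
    return params


def verify_request(method: str, path: str, headers: Dict[str, str], body: bytes,
                   keys: Dict[str, bytes]) -> bool:
    params = parse_signature_header(headers.get("signature", ""))
    if params.get("algorithm") != "hmac-sha256":   # the verifier fixes the algorithm
        return False
    key: Optional[bytes] = keys.get(params.get("keyId", ""))
    if key is None:
        return False
    names = params.get("headers", "").split()
    # Refuse signatures that leave the target or the body uncovered.
    if "(request-target)" not in names or "digest" not in names:
        return False
    if headers.get("digest") != digest_header(body):
        return False
    try:
        text = signing_string(method, path, headers, names)
        got = base64.b64decode(params.get("signature", ""), validate=True)
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, got)


def demo() -> dict:
    """Sign one POST, then check what a hop can and cannot change unnoticed."""
    body = b'{"item": "book", "qty": 1}'
    base = {"host": "shop.example", "date": "Tue, 07 Jun 2014 20:51:35 GMT"}  # constructed
    signed = sign_request("POST", "/orders", base, body, "hmac-key-1", KEYS["hmac-key-1"])
    altered_body = b'{"item": "book", "qty": 9}'   # same length, so Content-Length still matches
    return {
        "valid": verify_request("POST", "/orders", signed, body, KEYS),
        "tampered_body": verify_request("POST", "/orders", signed, altered_body, KEYS),
        "rerouted": verify_request("POST", "/admin/orders", signed, body, KEYS),
        "unknown_key": verify_request("POST", "/orders", signed, body, {"other-key": b"x"}),
    }


if __name__ == "__main__":
    print(demo())
```

The body change is caught by the Digest comparison, the path change by the `(request-target)` line in the signing string, and an unrecognised `keyId` is rejected before any cryptography runs. Because the check only needs the sender's key and the request itself, it works hop by hop without anyone in between having to be trusted, which is the end-to-end property of slide 28.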
35. AGENDA
Verify sender
End-to-end protection
Some loose ends
Conclusion

36. COMBINING WITH AUTHC
• RSA key for signature
• Can be used to identify remote
• Use it with Authorization header
• Authorization : Signature keyId="...
• Or combine it with OAuth2 / OpenId Bearer header
• Authorization : Bearer ey...
• Signature : keyId="...

37. JAVASCRIPT FRAMEWORKS
Can browser/javaScript keep secrets private?
Most experts agree it is not possible
XSS scripts

38. WEB CRYPTOGRAPHY API
• Good start
• Standardised correct code
• PRNG and BigInt
• No advice on what to use when
• Beware of storing keys
• Local storage is not safe
• Use Password encrypted formats
• Not all browsers support it (some only old variants)

39. AGENDA
Verify sender
End-to-End protection
Some loose ends
Conclusion

40. TAKE AWAYS
• JAX-RS has no intrinsic security aspects
• JWT ideal to keep Authentication / Authorization info
• SSL (HTTPS) does not eliminate need for encryption
• HTTP signatures ideal for end to end protection of content
• Browser (JavaScript) still issue in keeping things private

41. CODE
• Webshop
• https://github.com/rdebusscher/secure-rest
• Http Signature Framework
• https://github.com/atbashEE/rest-signatures

42. Q & A