© Donald F. Ferguson, 2014. All rights reserved. Topics in Computer Science: Modern Internet Service Oriented Application Development Dr. Donald F. Ferguson.

Presentation transcript:

© Donald F. Ferguson, All rights reserved. Topics in Computer Science: Modern Internet Service Oriented Application Development Dr. Donald F. Ferguson (Admin:

2. © Donald F. Ferguson, All rights reserved. Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns. Contents

3. Contents
Introduction
–Questions, comments on lecture 1?
–A comment on stateless and security.
Implementing a REST service
–Conceptual datamodel, “the old style of implementation,” and “the new way.”
–Collections: primary key, secondary key, query
–Relationships/Associations
–Iterations
–Projection
–Update
–Asynchronous operations
–Events and notification
First assignment

4. Introduction

5. Questions or comments from lecture 1?

6. Security of Client Sending State
(Diagram: Alice sends state S to Bob and Bob returns S to Alice; Eve and Mal sit on the path between them.)
–Eve steals information.
–Mallory changes information.
–Alice does not return what Bob sent.

7. A Note on Security
There are several security considerations. Three important ones are:
1. Authentication: How does Bob know it’s Alice and vice-versa?
2. Privacy: What stops Eve from stealing info, e.g. account numbers?
3. Integrity:
–What stops Mal from changing data, e.g. redirecting a deposit to a different account?
–What stops Alice from maliciously changing the data?
Simple answers (we will cover these in more detail later in the semester):
–Authentication:
–Bob publishes and proves ownership of a digital certificate.
–Alice sends a user ID and password for logging into Bob.
–Privacy: The communication occurs over encrypted HTTPS.
–Integrity:
–Mal cannot read, and hence cannot change, the communication (including S) between Bob and Alice.
–Alice does decrypt Bob’s responses because she needs to read the data. What stops Alice from being nefarious?

8. Session Management
(Diagram.) Only Bob knows the secret.

9. Comments
Let’s assume that
–S is a string, e.g. a serialized JSON object.
–Bob may change S, but always returns the value on every response.
Bob, and only Bob,
–Can encrypt and decrypt any string S with
–Some function E(S, k) using the secret key k.
Bob returns a string S2 = E(S, k), not the actual data, to Alice, so Alice cannot even read the session state, let alone modify it.
Bob can be even more secure …

10. Bob can …
Compute a hash H(S) using some algorithm
–That has the property that S1 != S2 implies Pr[H(S1) = H(S2)] <
–Bob can compute H(S) and then E(H(S)) and
–Returns {S, E(H(S))} to Alice, which she must return. She can change S and “guess” a change to E(H(S)), but she does not know the secret.
–Bob recomputes when receiving Alice’s next message containing S1.
Bob runs the algorithms:
–If S1 != S then probably
–H(S1) != H(S) and almost certainly
–E(H(S1)) != E(H(S))
Bob can use just the encrypted hash if he only cares about integrity.
Bob can also salt the data (add a random, big string) to avoid cryptographic attacks that can break messages that
–Are short
–Have recurring information, e.g. {{user id, PW}, {account, 1234}}
The Allies were able to break Enigma partly because
–The first message sent with the new key for the day was short and always contained “Hi. This is XXX. Situation is normal.”
–And because Enigma was not completely random. Enigma would never map A->A or B->B.
–So, if you knew there was a “crib” C that occurred in the same place in S
–You could rule out any wire/plug settings that would result in E(C[i]) = C[i] for some i.
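An added worked example of slides 9 and 10, not code from the lecture: Bob issues the session state S together with a keyed integrity tag, and on the next request recomputes the tag over what Alice returns. HMAC-SHA256 is used here as the standard keyed construction in place of the slides’ E(H(S)); the per-issue salt is the “random, big string” the slide describes, and the encryption step E(S, k) that would also hide S from Alice is omitted, so this is the integrity-only variant the slide allows. The state dictionary and the key are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret: the key k that only Bob knows.
SERVER_KEY = secrets.token_bytes(32)


def _encode(state: dict) -> bytes:
    # Canonical serialisation so the same dict always hashes the same way.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def seal_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Bob's side: add a random salt to S and attach HMAC(k, S) as the tag.
    The salt gives recurring state (same user, same account) a fresh token
    each time it is issued."""
    s = _encode(dict(state, salt=secrets.token_hex(16)))
    tag = hmac.new(key, s, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(s).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def open_state(token: str, key: bytes = SERVER_KEY):
    """Bob's side on the next request: recompute the tag over the S that was
    returned and compare in constant time. Returns the state dict, or None
    when the token is malformed, S was altered, or the tag does not match."""
    try:
        s_b64, tag_b64 = token.split(".", 1)
        s = base64.urlsafe_b64decode(s_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, s, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    state = json.loads(s)
    state.pop("salt", None)
    return state


def altered_state_same_tag(token: str, field: str, new_value) -> str:
    """Alice changes a field of S but keeps the tag Bob gave her (the slide's
    'guess'); used only to show that open_state rejects the result."""
    s_b64, tag_b64 = token.split(".", 1)
    state = json.loads(base64.urlsafe_b64decode(s_b64))
    state[field] = new_value
    return base64.urlsafe_b64encode(_encode(state)).decode() + "." + tag_b64
```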

11. Where did this Come From?
bin/ssol/DhbtiwfsFOMOeFQaDwqxAh/?p%.5Fr%.5Fid=k0F2vZ4ccAhzbcAg0Ql K4h&p%.5Ft%.5Fid=1&tran%.5B1%.5D%.5Fentry=student&tran%.5B1%.5D%. 5Fterm%.5Fid=20143&tran%.5B1%.5D%.5Fcid=COMSE6998&tran%.5B1%.5 D%.5Fsecid=005&tran%.5B1%.5D%.5Fsch=&tran%.5B1%.5D%.5Fdpt=&tran %.5B1%.5D%.5Fback=&tran%.5B1%.5D%.5Ftran%.5Fname=scrs
Some history
–Some browsers did not support cookies or handle them consistently.
–So, putting the session in a cookie (header) was fragile.
–The alternative was URL rewriting – became http://myapp.me.org/students/21 –
–Cookies/headers are most common now.

12. Implementing a Simple REST Service

13. Conceptual Datamodel: “Old Way” vs. “New Way” (diagram)

14. Database Models are Complex, even examples and samples, e.g. the MySQL Sakila Sample Database

15. Customer Information

16. Movie Information

17. Stores and Staff

18. Views and Stored Procedures

19. Traditional Web Application
(Diagram: Request Handler, business objects (BO), DB.)
1. HTTP GET/POST/…
2. Parse and validate request
3. Retrieve session context/info
4. Select “business object.verb” based on GET/POST data and context info
5. Access/Update DB through framework
6. Application logic
7. Select templates based on result, and pass data
8. Generate HTML result
9. Send HTML response

20. Traditional Way
Develop a set of POJOs that implement core functions, e.g.
–Submitting the “create customer form” will
–Check for duplicates and conflicts
–Determine if this is a new address or a new customer at an existing address
–Submitting the “find rentals by telephone number” will
–Find all the customers that have the given phone number
–Then find all rentals for each of the customers
–Merge and return the results
The design relies heavily on database functions and a single logical DB, e.g.
–A single POJO can find customers by phone number, and then loop through the result one customer at a time to find the rentals.
–The database referential integrity constraint will prevent me from deleting an address if there is a customer at the address.
–I can use a column in one table to find something in another.

21. New Model (diagram; labels: Service, Reference, ?)

22. New Model
We already talked about “coarse-grained” evolving into a
–Set of “micro-services”
–Implemented with polyglot programming and polyglot persistence
So, what are some things we can learn about REST from this scenario?
–A uniform approach to CRUD on tables was awesome! Life would have been more unpleasant if every table had a different query language.
–Linking “things” moves from linking at the DB level to linking across the web.
–Exactly how does referential integrity work?
–The micro-service for customer information management
–Does not know in advance that it will be part of a rental app
–And cannot know to “not delete” a customer if the customer has an active rental
–Applications surface an API for
–Manipulating the information and defining the structure of the information.
–How does somebody “Alter Table” when apps evolve?