Download presentation
Presentation is loading. Please wait.
Published byOlivia Siitonen Modified over 5 years ago
1
CS5220 Advanced Topics in Web Programming Secure REST API
Chengyu Sun California State University, Los Angeles
2
Web Application Security
Client Server request who are you? Authentication username/password (Access Control) Authorization you’re not authorized to access Connection Security
3
HTTP Secure (HTTPS) HTTP over SSL/TLS
Configure SSL in Tomcat -
4
Basic Security Implementation
Database Server Client /login ?? users /api/user/1 ?? ?? How to store passwords properly?? What happens if authentication is successful?? How does the server authenticate/authorize subsequent requests??
5
Storing Passwords … Hash stored passwords
Why?? How?? Encryption vs Hashing?? How to check against hashed passwords?? Common attack on hashed passwords Brute force and some variations Dictionary
6
… Storing Passwords Common defenses Long and random passwords
Make cryptographic hash functions slower Salt
7
Cryptographic Hash Function…
String of arbitrary length n bits digest Properties Given a hash value, it’s virtually impossible to find a message that hashes to this value Given a message, it’s virtually impossible to find another message that hashes to the same value It’s virtually impossible to find two messages that hash to the same value A.K.A. One-way hashing, message digest, digital fingerprint
8
…Cryptographic Hash Function
Common usage Store passwords, software checksum … Popular algorithms Good for password hashing: Argon2, PBKDF2, scrypt, bcrypt Not good for password hashing: MD5 (broken), SHA and variants
9
bcrypt hash Example abcd
$2a$10$aol3r6 … kH/mkyO zB06fcQQOQa … U5.r3rSZI6 128 bit salt encoded in 22 characters 184 bit hash encoded in 31 characters Cost parameter Algorithm version
10
bcrypt Libraries BcryptPasswordEncoder in org.springframework.security:spring-security-crypto jBcrypt – org.mindrot:jbcrypt
11
Session-Based Security
Database Server Client /login ?? users /api/user/1 ?? What happens if authentication is successful?? What does the server authenticate/authorize subsequent requests?? Why is it not suitable for RESTful web service??
12
Security without Session
What’s wrong with sending username and password in every request? How about using a access key / token instead? Issues need to be considered: access control, performance, expiration, revocation
13
JSON Web Token (JWT) JWT = JSON object + Signature Example
The JSON object contains the identity and authorization of a user, a.k.a. claims The actual content of JSON is up to the application The signature is the hash of the JSON object and a secret key (that only the server knows) Example JSON: { “username”: “john”, “role”: “admin” } Signature: HS256( JSON, “some secrete” )
14
How JWT Works … Login on the server Receives username and password
Loads user information from database Creates a JWT Sends the JWT to client
15
… How JWT Works In subsequent requests
Client includes JWT in each request Header E.g. Authorization: Bearer <token> Request parameter Cookie Server verifies the signature in JWT (How??) If signature is valid, server grants access based on JWT (no need to access database again)
16
More About JWT https://jwt.io/ Header, payload, and signature
Predefined claims in payload sub: subject exp: expiration time iat: Issued at JWT does not provide a way to revoke tokens
17
Implementation Strategy …
Create and verify token using Java JWT Extract token from request header, parameter, or cookie (easily done with Spring controller methods) HttpServletRequest @RequestHeader @RequestParam @CookieValue
18
… Implementation Strategy
Use Servlet Filter, or Spring Handler Interceptor, Verify token, and create a User object from the token if the signature is valid Pass the User object to controller methods as a request attribute
19
Servlet Filter Intercept, examine, and/or modify request and response
Servlet/JSP
20
Servlet Filter Example
web.xml <filter> and <filter-mapping> Modify request Modify response
21
Spring Handler Interceptor
Serve the same purpose as servlet filter Configured as Spring beans, i.e. support dependency injection Handler Interceptor request response Controller
22
Implement a Handler Interceptor
Implement HandlerInterceptor or inherits from HandlerInterceptorAdapter preHandle() – called before the controller method is invoked postHandle() – called after the controller method is invoked (but before view is generated) afterCompletion() – called after the request processing is completed (i.e. after view is generated)
23
URL Mapping for Handler Interceptor
<mvc:interceptors> <mvc:interceptor> <mvc:mapping path="/api/**" /> <bean class=“some.Interceptor"></bean> </mvc:interceptor> </mvc:interceptors>
24
Use Model Methods in @ControllerAdvice
Model Methods can that are used by subsequent controller methods @ControllerAdvice public class SomeAdvice { @ModelAttribute(“currentUser”) public User getUserFromJwt( … ) { … } @ModelAttribute public void addMultipleAttributes( ModelMap models ) {…} }
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.