REST Security with JAX-RS
JavaOne 2013
About Frank Kim
- SANS Institute Curriculum Lead, Application Security
- Author, Secure Coding in Java
Outline
- Authentication
- Encryption
- Validation
- Wrap Up
Authentication
- Process of establishing and verifying an identity
- Can be based on three factors:
  - Something you know
  - Something you have
  - Something you are
Java EE Authentication
Configuration in web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Example</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginerror.jsp</form-error-page>
  </form-login-config>
</login-config>
JAX-RS SecurityContext
- getAuthenticationScheme(): returns a String naming the authentication scheme used to protect the resource (BASIC, FORM, CLIENT_CERT)
- getUserPrincipal(): returns a Principal object containing the username
- isUserInRole(String role): returns a boolean indicating whether the user has the specified logical role
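As an added example (not code from the talk), a JAX-RS resource that uses the injected SecurityContext to scope results to the authenticated Principal and to gate an admin-only method on isUserInRole; PhotoResource, the sample data and the "admin" role name are assumptions, and returning a List as JSON assumes the JAX-RS runtime has a JSON provider registered.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/photos")
@Produces("application/json")
public class PhotoResource {
    // Constructed sample data as "owner:filename"; a real service would query a store
    private static final List<String> PHOTOS = Arrays.asList(
            "alice:photo1.jpg", "bob:photo3.jpg", "alice:photo5.jpg");

    @Context // injected per request, backed by the container authentication in web.xml
    private SecurityContext sc;

    @GET
    public List<String> myPhotos() {
        Principal user = sc.getUserPrincipal();
        if (user == null) { // unreachable when web.xml protects /*, but cheap defence in depth
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        // Scope the result to the authenticated identity, never to a client-supplied id
        return photosOwnedBy(user.getName());
    }

    @GET
    @Path("/all")
    public List<String> allPhotos() {
        // Logical role name exactly as declared in <auth-constraint>/<role-name>
        if (!sc.isUserInRole("admin")) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return photosOwnedBy(null); // null means no owner filter
    }

    static List<String> photosOwnedBy(String owner) {
        List<String> out = new ArrayList<String>();
        for (String entry : PHOTOS) {
            String[] parts = entry.split(":", 2);
            if (owner == null || parts[0].equals(owner)) out.add(parts[1]);
        }
        return out;
    }
}
```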
Photo Sharing Site Demo
Photo Sharing Site API
{
  "photos": [
    { "id": "1", "name": "photo1.jpg" },
    { "id": "3", "name": "photo3.jpg" },
    { "id": "5", "name": "photo5.jpg" }
  ]
}
Issues
- Userid/password authentication is fine if the API is used only by your site
- But what if your API needs to be used by:
  - Other web apps
  - Mobile apps
  - Native apps
- Do you want these apps to:
  - Have your password?
  - Have full access to your account?
OAuth
- Way to authenticate a service
- Valet key metaphor coined by Eran Hammer-Lahav: an authorization token with limited rights
  - You agree which rights are granted
  - You can revoke rights at any time
  - Can gracefully upgrade rights if needed
OAuth Roles
- Client: photo printing service called Tonr
- User: person using the app; also known as the "resource owner"
- Server: photo sharing service called Sparklr; also known as the "resource server"
Simplified OAuth Flow
(Client: photo printing service called Tonr; User: you; Server: photo sharing service called Sparklr)
1) You log in to Tonr
2) Tonr needs pictures to print and redirects you to Sparklr's log in page
3) You log in to Sparklr directly
4) Sparklr returns an OAuth "access token"
5) Tonr stores the "access token" with your account
6) You are happy printing and viewing your pictures
Photo Printing Site Demo
Detailed OAuth Flow
1) Via browser: Tonr starts the OAuth process once you click the "Authorize" button:
client_id=tonr&redirect_uri= tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T
The "response_type" parameter can be:
- "code" for requesting the authorization code grant type
- "token" for the implicit grant
- or a registered extension type
Detailed OAuth Flow
2) Via browser: Sparklr redirects back to Tonr:
code=cOuBX6&state=92G53T
"code" is the authorization code received from the Server (i.e. Sparklr)
Detailed OAuth Flow
3) Via "Client": Tonr sends an OAuth request to Sparklr using its client id/password
Request:
POST /sparklr2/oauth/token HTTP/1.1
Authorization: Basic dG9ucjpzZWNyZXQ=

grant_type=authorization_code&code=cOuBX6&redirect_uri=
Response:
{"access_token":"5881ce86-3ed a6b-42aef1068dfb","token_type":"bearer","expires_in":"42528","scope":"read write"}
- dG9ucjpzZWNyZXQ= is the Base64 encoding of the string tonr:secret
- expires_in value is in seconds
Detailed OAuth Flow 4) Via "Client": Tonr gets pictures from Sparklr
All Requests include: Authorization: Bearer 5881ce86-3ed a6b-42aef1068dfb
When to Use OAuth
- Use OAuth for consuming APIs from:
  - Third-party web apps
  - Mobile apps
  - Native apps
- Don't need to use OAuth:
  - If the API is only consumed by the user within the same web app
  - If APIs are only consumed server to server
Benefits
- No passwords shared between web apps
- No passwords stored on mobile devices
- Limits the impact of security incidents:
  - If Tonr gets hacked, Sparklr revokes OAuth access
  - If Sparklr gets hacked, you change your Sparklr password but don't have to do anything on Tonr
  - If you lose your mobile device, you revoke the access Sparklr gave to the Tonr mobile app
OAuth Versions
- 1.0: has a security flaw related to session fixation; don't use it
- 1.0a: stable and well understood; uses a signature to exchange credentials and signs every request; signatures are more of a pain than it seems
- 2.0: spec is final with good support
OAuth 2.0 Authorization Grant Types
- Authorization Code: optimized for confidential clients; uses an authorization code from the Server; the User doesn't see the access token
- Implicit Grant: optimized for script-heavy web apps; does not use an authorization code from the Server; the User can see the access token
- Resource Owner Password Credentials: use in cases where the User trusts the Client; exposes User credentials to the Client
- Client Credentials: the Client gets an access token based on Client credentials only
OAuth 2.0 Access Token Types
- Bearer
  - Large random token
  - Needs SSL to protect it in transit
  - Server needs to store it securely hashed, like a user password
- MAC
  - Uses a nonce to prevent replay
  - Does not require SSL
  - OAuth 1.0 only supported a MAC type token
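Added example (not from the talk) of the "store it hashed" advice for bearer tokens: a server-side store that issues a 256-bit random token, keeps only its SHA-256 and resolves an Authorization: Bearer header back to the granted scope; BearerTokenStore and its method names are assumptions, and it goes a little beyond the slide by showing revocation.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class BearerTokenStore {
    private final SecureRandom random = new SecureRandom();
    // hex(SHA-256(token)) -> granted scope; only the hash is ever persisted
    private final Map<String, String> byHash = new HashMap<String, String>();

    /** Issues a fresh 256-bit random bearer token and stores only its hash. */
    public String issue(String scope) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = String.format("%064x", new BigInteger(1, raw));
        byHash.put(sha256Hex(token), scope);
        return token; // handed to the client once, never logged or stored in clear
    }

    /** Returns the scope for a presented token, or null if unknown or revoked. */
    public String lookup(String presented) {
        return byHash.get(sha256Hex(presented));
    }

    /** Resolves the scope from an "Authorization: Bearer ..." header value. */
    public String scopeFor(String authorization) {
        if (authorization == null || !authorization.startsWith("Bearer ")) return null;
        return lookup(authorization.substring("Bearer ".length()).trim());
    }

    /** Revocation deletes the hash; the client's copy becomes useless immediately. */
    public boolean revoke(String token) {
        return byHash.remove(sha256Hex(token)) != null;
    }

    // A plain fast hash is enough here: unlike a user password the token carries
    // 256 bits of entropy, so brute force is infeasible and a slow KDF buys nothing.
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8"));
            return String.format("%064x", new BigInteger(1, d));
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }
}
```

A database leak then exposes only hashes, which cannot be presented as bearer tokens.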
Outline
- Authentication
- Encryption
- Validation
- Wrap Up
Session Hijacking
(Victim and attacker share a public WiFi network; mybank.com is reached over the Internet)
1) Victim goes to mybank.com via HTTP
2) Attacker sniffs the public wifi network and steals the JSESSIONID
3) Attacker uses the stolen JSESSIONID to access the victim's session
Enable SSL in web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Example</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
JAX-RS SecurityContext
- isSecure(): returns a boolean indicating whether the request was made via HTTPS
Secure Flag
- Ensures that the cookie is only sent via SSL
- Configure in web.xml as of Servlet 3.0:
<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>
- Programmatically:
Cookie cookie = new Cookie("mycookie", "test");
cookie.setSecure(true);
Strict-Transport-Security
- Tells the browser to only talk to the server via HTTPS
- The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
- Subsequent requests to HTTP automatically use HTTPS
- Supported browsers: implemented in Firefox and Chrome
- Defined in RFC 6797
Strict-Transport-Security: max-age=seconds [; includeSubdomains]
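Added example, not the talk's code: a servlet Filter that redirects plain-HTTP requests to HTTPS and emits Strict-Transport-Security only on HTTPS responses, since RFC 6797 requires browsers to ignore the header when it arrives over HTTP; HstsFilter is an assumed name and the redirect assumes the HTTPS listener is on the default port.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Adds Strict-Transport-Security to every HTTPS response and bounces plain HTTP. */
public class HstsFilter implements Filter {
    // One year; includeSubDomains so an http://www. host cannot be used to sidestep it
    static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // The header would be ignored on this response, so redirect instead;
            // the HTTPS response that follows carries the header.
            response.sendRedirect(httpsUrlFor(request));
            return;
        }
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(req, res);
    }

    /** Rebuilds the request URL with the https scheme (query string preserved). */
    static String httpsUrlFor(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        String query = request.getQueryString();
        if (query != null) url.append('?').append(query);
        // Assumes the HTTPS listener is on 443; strip an explicit HTTP port otherwise
        return url.toString().replaceFirst("^http://", "https://");
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Session cookies still need the Secure flag from the previous slide; the header only steers the browser's choice of scheme.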
Outline
- Authentication
- Encryption
- Validation
- Wrap Up
Restrict Input
- Restrict to POST
- Restrict the Content-Type with an annotation; an invalid Content-Type results in HTTP 415 Unsupported Media Type
- Restrict to Ajax if applicable: check for the X-Requested-With: XMLHttpRequest header
- Restrict response types: check the Accept header for valid response types
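Added example (not the talk's code): a JAX-RS 2.0 ContainerRequestFilter that applies the restrictions above to every non-safe request, returning 415 for a non-JSON Content-Type (the same status the per-resource @Consumes annotation produces), 403 when X-Requested-With is missing and 406 when the Accept header rules out JSON; RestrictInputFilter is an assumed name.

```java
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Rejects state-changing requests that an HTML form (the CSRF vector) could have produced. */
@Provider
@PreMatching
public class RestrictInputFilter implements ContainerRequestFilter {

    public void filter(ContainerRequestContext ctx) throws IOException {
        String method = ctx.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return; // safe methods carry no state change to protect
        }
        // 1) Content-Type: a form can only send urlencoded, multipart or text/plain,
        //    so requiring application/json defeats the text/plain JSON-forgery trick
        MediaType type = ctx.getMediaType();
        if (type == null || !MediaType.APPLICATION_JSON_TYPE.isCompatible(type)) {
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE).build());
            return;
        }
        // 2) Ajax only: a form cannot add custom headers, and a cross-origin XHR that
        //    tries to add one triggers a CORS preflight this server does not approve
        if (!"XMLHttpRequest".equals(ctx.getHeaderString("X-Requested-With"))) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        // 3) Response type: only answer clients whose Accept header admits JSON
        if (!acceptsJson(ctx)) {
            ctx.abortWith(Response.status(Response.Status.NOT_ACCEPTABLE).build());
        }
    }

    static boolean acceptsJson(ContainerRequestContext ctx) {
        // With no Accept header JAX-RS reports */*, which is compatible with JSON
        for (MediaType accepted : ctx.getAcceptableMediaTypes()) {
            if (accepted.isCompatible(MediaType.APPLICATION_JSON_TYPE)) return true;
        }
        return false;
    }
}
```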
Cross-Site Request Forgery (CSRF)
1) Victim signs on to mybank
2) Victim visits attacker.com
3) Page contains CSRF code:
<form action= method=POST>
  <input name=recipient value=attacker>
  <input name=amount value=1000>
</form>
<script>document.forms[0].submit()</script>
4) Browser sends the request to mybank:
POST /transfer.jsp HTTP/1.1
Cookie: <mybank authentication cookie>

recipient=attacker&amount=1000
CSRF and OAuth 2.0
- How can an attacker use CSRF to take over your account?
- Many sites allow logins from third-party identity providers like Facebook
- Many identity providers use OAuth
- Attacker can automatically associate your account with an attacker-controlled Facebook account
OAuth CSRF Research
- Accounts at many sites could be taken over using OAuth CSRF: Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others
- Research by Rich Lundeen
- Prior research by Stephen Sclafani
OAuth CSRF Attack Flow
1) Create attacker-controlled Facebook account
2) Victim is signed on to provider account (i.e. Stack Exchange)
3) Lure victim into visiting an evil site with OAuth CSRF code; the CSRF code sends the OAuth authorization request
4) Attacker's Facebook account now controls the victim's provider account
Linking Stack Exchange with an Evil Facebook Account (screenshot)
CSRF Protection
- Spec defines a "state" parameter that must be included in the redirect to the Client
- Value must be non-guessable and tied to the session
- Client sends "state" to Server:
client_id=tonr&redirect_uri= tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T
- Server sends "state" back to Client after authorization:
code=cOuBX6&state=92G53T
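Added example (not from the talk) of the state check on the Client (Tonr) side: a 128-bit random state is bound to the user's session when the authorization URL is built, and the callback is accepted only if it carries the same value; OAuthStateGuard and the endpoint/client parameters are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.http.HttpSession;

/** Client-side (Tonr) handling of the OAuth 2.0 "state" parameter. */
public class OAuthStateGuard {
    static final String SESSION_KEY = "oauth.state";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Step 1: builds the authorization URL, binding a fresh random state to this session. */
    public static String authorizationUrl(HttpSession session, String authorizeEndpoint,
                                          String clientId, String redirectUri, String scope)
            throws UnsupportedEncodingException {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw); // 128 bits from a CSPRNG: not guessable
        String state = String.format("%032x", new BigInteger(1, raw));
        session.setAttribute(SESSION_KEY, state); // tied to this user's session
        return authorizeEndpoint
                + "?client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&response_type=code"
                + "&scope=" + enc(scope)
                + "&state=" + state;
    }

    /** Step 2: on the redirect back, use the code only if state matches this session. */
    public static boolean isCallbackTrusted(HttpSession session, String returnedState) {
        Object expected = session.getAttribute(SESSION_KEY);
        session.removeAttribute(SESSION_KEY); // single use, whether or not it matches
        if (expected == null || returnedState == null) {
            return false; // e.g. a forged callback for a flow this user never started
        }
        // Constant-time comparison; on false, discard the code and do not link accounts
        return MessageDigest.isEqual(((String) expected).getBytes(), returnedState.getBytes());
    }

    private static String enc(String s) throws UnsupportedEncodingException {
        return URLEncoder.encode(s, "UTF-8");
    }
}
```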
OAuth CSRF Protection Demo
OWASP 1-Liner
- Deliberately vulnerable application
- Intended for demos and training
- Created by John
- More information at
JSON CSRF Demo
Normal JSON Message
{"id":0,"nickName":"John","oneLiner":"I LOVE Java!","timestamp":" T17:04:23"}
Forged JSON Message
{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//=dummy
CSRF Attack Form
<form id="target" method="POST" action=" enctype="text/plain" style="visibility:hidden">
  <input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//' value="dummy" />
  <input type="submit" value="Go" />
</form>
With enctype text/plain the browser sends the field as name=value, so the body the server receives is the forged JSON message:
{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//=dummy
CSRF Defense
- Must include something random in the request
- Use an anti-CSRF token
- OWASP CSRFGuard
  - Written by Eric
  - Can inject the anti-CSRF token using:
    - JSP Tag library, for manual, fine-grained protection
    - JavaScript DOM manipulation, for automated protection requiring minimal effort
  - Filter that intercepts requests and validates tokens
CSRFGuard JSP Tags
Tags for token name and value:
<form name="test1" action="protect.html">
  <input type="text" name="text" value="text"/>
  <input type="submit" name="submit" value="submit"/>
  <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
</form>
Tag for name/value pair (delimited with "="):
<a href="protect.html?<csrf:token/>">protect.html</a>
Convenience tags for forms and links as well: <csrf:form> and <csrf:a>
Examples from
CSRFGuard DOM Manipulation
Include JavaScript in every page that needs CSRF protection:
<script src="/securish/JavaScriptServlet"></script>
JavaScript used to hook the open and send methods:
XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
    // store a copy of the target URL
    this.url = url;
    this._open.apply(this, arguments);
};
XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = function(data) {
    if (this.onsend != null) {
        // call custom onsend method to modify the request
        this.onsend.apply(this, arguments);
    }
    this._send.apply(this, arguments);
};
Protecting XHR Requests
CSRFGuard sends two HTTP headers:
XMLHttpRequest.prototype.onsend = function(data) {
    if (isValidUrl(this.url)) {
        this.setRequestHeader("X-Requested-With", "OWASP CSRFGuard Project");
        this.setRequestHeader("OWASP_CSRFTOKEN", "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
    }
};
If X-Requested-With is passed then CSRFGuard will verify the OWASP_CSRFTOKEN HTTP header. If X-Requested-With does not exist then CSRFGuard will look for the token in the HTTP parameters.
JSON CSRF Protection Demo
Outline
- Authentication
- Encryption
- Validation
- Wrap Up
Summary
- Authentication
  - Can use userid/password for services consumed by your own app
  - Use OAuth for third-party web apps and mobile apps
- Encryption
  - Use SSL
  - Use the Secure flag
  - Use the Strict-Transport-Security header
- Validation
  - Restrict input
  - Protect your apps against CSRF
Thanks!
Frank Kim, @sansappsec
References
- JAX-RS 2.0
- OAuth 2.0 Specification
- Spring Security OAuth
- OAuth: The Big Picture
- OAuth CSRF issues
- OWASP 1-Liner
- CSRFGuard