Retrofi8ng OAuth 2.0 Security into Exis?ng REST Service [CON1765]

Size: px

Start display at page:

Download "Retrofi8ng OAuth 2.0 Security into Exis?ng REST Service [CON1765]"

Loren Cain
10 years ago
Views:

1 Retrofi8ng OAuth 2.0 Security into Exis?ng REST Service [CON1765] Irena Shaigorodsky Java One, hops://github.com/ishaigor/rest- retro- sample 1

2 Quick Survey How many Use or plan to use rich REST based UI for sensi?ve informa?on? Know what OAuth is? Use or plan to use rich REST based UI with OAuth? Designed rich REST based UI with OAuth in mind before the audit? Use spring/spring- security/spring- security- Oauth? 2

3 Agenda Security Cost OAuth 2.0 Sample deep- dive 3

4 Why My Company Needs Security? Cost of security breach in US [1] $188 per record average size: 28,765 records customer loss Customer driven [1] 2013 Cost of Data Breach Study: Global Analysis by Ponemon Ins?tute sponsored by Symantec 4

5 OAuth 2.0 An open protocol to allow secure authoriza?on in a simple and standard method from web, mobile and desktop applica?ons. [1] The OAuth 2.0 authoriza?on framework enables a third- party applica?on to obtain limited access to an HTTP service. [1] [1] hop://oauth.net/ 5

applica?ons. [1] The OAuth 2.0 authoriza?

6 OAuth 2.0 Lingo Resource Resource Owner Resource Server OAuth 2.0 scope OAuth 2.0 client Endpoints Authoriza?on Endpoint Token Endpoint Tokens Access Token Refresh Token Authoriza?on Grant 6 hop://wiki.scn.sap.com/wiki/display/security/oauth+2.0+terminology

on Endpoint Token Endpoint Tokens Access Token Refresh Token

7 OAuth 2.0 Flows Authoriza*on Code Grant Flow Google Facebook Resource Owner Password Creden?al Flow Client Creden?al Flow Implicit Grant Flow JavaScript client 7

8 Securing REST calls: OAuth 2.0 Authoriza?on Code Grant Flow hop://docs.oracle.com/cd/e39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_web_server_flow.png 8

9 OAuth 2.0 Flows Authoriza?on Code Grant Flow Google Facebook Resource Owner Password Creden*al Flow Client Creden?al Flow Implicit Grant Flow JavaScript client 9

10 Securing REST calls: OAuth 2.0 Resource Owner Password Creden?al Flow 10 hop://docs.oracle.com/cd/e39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_username_password_flow.png

11 OAuth 2.0 Flows Authoriza?on Code Grant Flow Google Facebook Resource Owner Password Creden?al Flow Client Creden*al Flow Implicit Grant Flow JavaScript client 11

12 Securing REST calls: OAuth 2.0 Client Creden?al Flow hop://docs.oracle.com/cd/e39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_client_creden?als_flow.png 12

13 OAuth 2.0 Flows Authoriza?on Code Grant Flow Google Facebook Resource Owner Password Creden?al Flow Client Creden?al Flow Implicit Grant Flow JavaScript client 13

14 Securing REST calls: OAuth 2.0 Implicit Grant Flow hop://docs.oracle.com/cd/e39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_user_agent_flow.png 14

15 Sample deep- dive hops://github.com/ishaigor/rest- retro- sample Unprotected JavaScript Widget Unprotected REST Words Service Spring MVC Legacy protected JSP / JavaScript Widget Spring Security AngularJS Protected Widget Protected service Spring Security OAuth Protected client Spring Security Oauth HTTP Authoriza?on Header Protected gateway Spring Integra?on Customiza?on 15

Spring MVC Legacy protected JSP / JavaScript Widget Spring Security AngularJS Protected

16 Meet the unprotected REST Service (Spring 16

17 Meet secure legacy client with unprotected Rich UI (Spring Security, Spring MVC, AngularJS) ng- infinite- scroll AbstractDispatcherServletIni?alizer springsecurityfilterchain Authen?ca?onManagerBuilder WebSecurity HOpSecurity Persistence Data source Group authori?es by user name 17

alizer springsecurityfilterchain WebSecurityConfigurerAdapter @EnableWebSecurity

18 Spring Security: User Details 18

19 Meet secure legacy client with unprotected Rich UI (Spring Security, Spring MVC, AngularJS) cont d <%@ taglib prefix="authz" uri="hop:// <authz:authorize ifallgranted="role_user"> </ authz:authorize> 19

prefix="authz" uri="hop:// www.springframework.

20 Sample deep- dive hops://github.com/ishaigor/rest- retro- sample Unprotected JavaScript Widget Unprotected REST Words Service Spring MVC Legacy protected JSP / JavaScript Widget Spring Security AngularJS Protected Widget Protected service Spring Security OAuth Protected client Spring Security Oauth HTTP Authoriza?on Header Protected gateway Spring Integra?on Customiza?on 20

21 Protected Service (Spring Security, Spring MVC) Authoriza?onServerConfigurerAdapter Authoriza?onServerEndpointsConfigurer Authoriza?onServerSecurityConfigurer OAuth2MethodSecurityExpressionHandler 21

22 Protected Service (Spring Security, Spring MVC) cont d ResourceServerConfigurerAdapter ResourceServerSecurityConfigurer HOpSecurity.csrf().requireCsrfProtec?onMatcher(new AntPathRequestMatcher("/ oauth/authorize")).disable() Persistence TokenStore ClientTokenServices Authoriza?onCodeServices ApprovalStore ApprovalStoreUserApprovalHandler 22

23 Protected Service (Spring Security, Spring MVC) cont d 23

24 Protected Service (Spring Security, Spring MVC): BaseOAuth2ProtectedResourceDetails Integra?onTest Integra?onTestHelper 24

25 Protected client, protected Rich UI (Spring Security, Spring MVC, Spring Security OAuth 2.0) Authen?ca?onManager erasecreden?als Applica?onListener<AbstractAuthen?ca?onEvent> ResourceOwnerPasswordAccessTokenProvider CustomAuthen?ca?onDetailsSource CustomAuthen?ca?onDetails WebAuthen?ca?onDetailsSource 25

26 Protected service with Spring Limita?ons: Added security overhead No unprotected internal access 26

27 Sample deep- dive hops://github.com/ishaigor/rest- retro- sample Unprotected JavaScript Widget Unprotected REST Words Service Spring MVC Legacy protected JSP / JavaScript Widget Spring Security AngularJS Protected Widget Protected service Spring Security OAuth Protected client Spring Security Oauth HTTP Authoriza?on Header Protected gateway Spring Integra?on Customiza?on 27

28 Security Gateway Pass Through with Spring Integra?on int- hop:inbound- gateway int- hop:outbound- gateway int:channel int:annota?on- config int- jmx:mbean- export 28

29 Security Gateway Pass Through with Spring Integra?on: customiza?on OutboundHeaderMapper RangeEnforcer CustomOAuth2WebSecurityExpressionHandler CustomSecurityExpressionMethods ClientHOpRequestFactory 29

30 Resources hop://oauth.net/2/ hop://projects.spring.io/spring- security/ hop://projects.spring.io/spring- security- oauth/ hops://github.com/ishaigor/rest- retro- sample hop://binarymuse.github.io/nginfinitescroll/ 30

31 Security Roadmap OAuth 2.0 Bearer for JavaScript /external REST IdP with SSO WS-Security /SAML for SOAP Digest / Signatures Encryption OAuth 2.0 SAML OAuth 2.0 MAC Address REST Services Exposure Merge user iden??es in a single directory Centralize iden?ty management Build secure APIs with our customers Other enhancements 31

32 Next steps on the road map: IdP with SSO IdP Iden?ty Provider centralized user directory Iden?ty management services Self- services Light linked iden??es from applica?on side SSO Single Sign On Central Authen?ca?on Service A library of clients for Java,.NET, PHP, Perl, Apache, uportal, and others Integrates with uportal, Sakai, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others 32

33 33

How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu 7.5.3 (Windows) On A Linux Computer On A Raspberry V

How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu 7.5.3 (Windows) On A Linux Computer On A Raspberry V Configuring CAS-based SSO with ActiveVOS on Apache Tomcat Technical Note Version: 1.3 Dated: August 2013 2013 Informatica Corporation ActiveVOS is a trademark of Informatica, Inc. All other company and