Retrofi8ng OAuth 2.0 Security into Exis?ng REST Service [CON1765]



Similar documents
How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu (Windows) On A Linux Computer On A Raspberry V

OAuth2 Ready or not? Dominick Baier

The Role of Identity Enabled Web Services in Cloud Computing

UNIVERSITY OF COLORADO Procurement Service Center INTENT TO SOLE SOURCE PROCUREMENT CU-JL SS. Single Sign-On (SSO) Solution

Architecture of Enterprise Applications III Single Sign-On

Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Securing ASP.NET Web APIs Dominick Baier

Enterprise Access Control Patterns For REST and Web APIs

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

Single Sign On. SSO & ID Management for Web and Mobile Applications

SIP Authoriza.on Framework Use Cases. Rifaat Shekh- Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014

Federated Identity and Single Sign-On using CA API Gateway

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Sakai and uportal Integration Options

THE NEW DIGITAL EXPERIENCE

TrustedX: eidas Platform

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Novell Access Manager

OpenLogin: PTA, SAML, and OAuth/OpenID

Web Cloud Architecture

Gyrus: A Framework for User- Intent Monitoring of Text- Based Networked ApplicaAons

THE NEW DIGITAL EXPERIENCE

Lost in Authentication CAS Clients and Best Practices

IBM WebSphere Application Server

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Mastering health IT complexity with Fine-Grained REST APIs

JVA-122. Secure Java Web Development

Gyrus: A Framework for User- Intent Monitoring of Text- Based Networked ApplicaAons

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

Developing an Interoperable Blackboard Proxy Tool

Privileged Administra0on Best Prac0ces :: September 1, 2015

Replacing a commercial integration platform with an open source ESB. Magnus Larsson magnus.larsson@callistaenterprise.se Cadec

Easy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant

Apigee Gateway Specifications

Axway API Gateway. Version 7.4.1

Identity Implementation Guide

Mobile Security. Policies, Standards, Frameworks, Guidelines

OAuth Guide Release 6.0

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Globus Auth. Steve Tuecke. The University of Chicago

Mobile Identity and Edge Security Forum Sentry Security Gateway. Jason Macy CTO, Forum Systems

NextRow - AEM Training Program Course Catalog

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

How To Use Salesforce Identity Features

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

How To Build A Web App

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

Final Project Report December 9, Cloud-based Authentication with Native Client Server Applications. Nils Dussart

Creating federated authorisation

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

User Management Interfaces for Earth Observation Services Abstract Test Suite

The Challenges of Web single sign-on

Enable Your Applications for CAC and PIV Smart Cards

Biometrics for Global Web Authentication: an Open Source Java/J2EE-Based Approach

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

Integrating WebPCM Applications into Single Sign On (SSO) Tom Schaefer Better Software Solutions, Inc. UN 4023 V

SAML and OAUTH comparison

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Improving performance for security enabled web services. - Dr. Colm Ó héigeartaigh

Onegini Token server / Web API Platform

BOF2337 Open Source Identity and Access Management Expert Panel, Part II. 23 September :30p Hilton - Golden Gate 6/7/8 San Francisco CA

SAML and OAUTH Technologies WebSphere Application Server

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

OAuth: Where are we going?

API-Security Gateway Dirk Krafzig

UNI. UNIfied identity management. Krzysztof Benedyczak ICM, Warsaw University

A Standards-based Mobile Application IdM Architecture

OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt. Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

Passwords are for Chumps

NCSU SSO. Case Study

Authen'cator Leakage Through Backup Channels on Android

VoIP Security How to prevent eavesdropping on VoIP conversa8ons. Dmitry Dessiatnikov

Agenda. How to configure

ENTERPRISE MOBILE BACKEND AS A SERVICE EVALUATION CHECKLIST

Interoperable Provisioning in a Distributed World

KBase and Globus Online Nexus. Shreyas Cholia NERSC/LBL

HOL9449 Access Management: Secure web, mobile and cloud access

Lecture 11 Web Application Security (part 1)

Introduction to SAML

Cloud to Cloud Integrations with Force.com. Sandeep Bhanot Developer

Multi Factor Authentication API

This Record of activity confirms that Jonathan Scrase has completed the following courses within the Microsoft Virtual Academy:

Using SAML for Single Sign-On in the SOA Software Platform

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Transcription:

Retrofi8ng OAuth 2.0 Security into Exis?ng REST Service [CON1765] Irena Shaigorodsky Java One, 2014 ishaigorodsky@enservio.com @ishaigorodsky hops://github.com/ishaigor/rest- retro- sample 1

Quick Survey How many Use or plan to use rich REST based UI for sensi?ve informa?on? Know what OAuth is? Use or plan to use rich REST based UI with OAuth? Designed rich REST based UI with OAuth in mind before the audit? Use spring/spring- security/spring- security- Oauth? 2

Agenda Security Cost OAuth 2.0 Sample deep- dive 3

Why My Company Needs Security? Cost of security breach in US [1] $188 per record average size: 28,765 records customer loss Customer driven [1] 2013 Cost of Data Breach Study: Global Analysis by Ponemon Ins?tute sponsored by Symantec 4

OAuth 2.0 An open protocol to allow secure authoriza?on in a simple and standard method from web, mobile and desktop applica?ons. [1] The OAuth 2.0 authoriza?on framework enables a third- party applica?on to obtain limited access to an HTTP service. [1] [1] hop://oauth.net/ 5

OAuth 2.0 Lingo Resource Resource Owner Resource Server OAuth 2.0 scope OAuth 2.0 client Endpoints Authoriza?on Endpoint Token Endpoint Tokens Access Token Refresh Token Authoriza?on Grant 6 hop://wiki.scn.sap.com/wiki/display/security/oauth+2.0+terminology

OAuth 2.0 Flows Authoriza*on Code Grant Flow Google Facebook Resource Owner Password Creden?al Flow Client Creden?al Flow Implicit Grant Flow JavaScript client 7

Securing REST calls: OAuth 2.0 Authoriza?on Code Grant Flow hop://docs.oracle.com/cd/e39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_web_server_flow.png 8

OAuth 2.0 Flows Authoriza?on Code Grant Flow Google Facebook Resource Owner Password Creden*al Flow Client Creden?al Flow Implicit Grant Flow JavaScript client 9

Securing REST calls: OAuth 2.0 Resource Owner Password Creden?al Flow 10 hop://docs.oracle.com/cd/e39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_username_password_flow.png

OAuth 2.0 Flows Authoriza?on Code Grant Flow Google Facebook Resource Owner Password Creden?al Flow Client Creden*al Flow Implicit Grant Flow JavaScript client 11

Securing REST calls: OAuth 2.0 Client Creden?al Flow hop://docs.oracle.com/cd/e39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_client_creden?als_flow.png 12

OAuth 2.0 Flows Authoriza?on Code Grant Flow Google Facebook Resource Owner Password Creden?al Flow Client Creden?al Flow Implicit Grant Flow JavaScript client 13

Securing REST calls: OAuth 2.0 Implicit Grant Flow hop://docs.oracle.com/cd/e39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_user_agent_flow.png 14

Sample deep- dive hops://github.com/ishaigor/rest- retro- sample Unprotected JavaScript Widget Unprotected REST Words Service Spring MVC Legacy protected JSP / JavaScript Widget Spring Security AngularJS Protected Widget Protected service Spring Security OAuth Protected client Spring Security Oauth HTTP Authoriza?on Header Protected gateway Spring Integra?on Customiza?on 15

Meet the unprotected REST Service (Spring MVC) @RestController 16

Meet secure legacy client with unprotected Rich UI (Spring Security, Spring MVC, AngularJS) ng- infinite- scroll AbstractDispatcherServletIni?alizer springsecurityfilterchain WebSecurityConfigurerAdapter @EnableWebSecurity Authen?ca?onManagerBuilder WebSecurity HOpSecurity Persistence Data source Group authori?es by user name 17

Spring Security: User Details 18

Meet secure legacy client with unprotected Rich UI (Spring Security, Spring MVC, AngularJS) cont d <%@ taglib prefix="authz" uri="hop:// www.springframework.org/security/tags"%> <authz:authorize ifallgranted="role_user"> </ authz:authorize> 19

Sample deep- dive hops://github.com/ishaigor/rest- retro- sample Unprotected JavaScript Widget Unprotected REST Words Service Spring MVC Legacy protected JSP / JavaScript Widget Spring Security AngularJS Protected Widget Protected service Spring Security OAuth Protected client Spring Security Oauth HTTP Authoriza?on Header Protected gateway Spring Integra?on Customiza?on 20

Protected Service (Spring Security, Spring MVC) Authoriza?onServerConfigurerAdapter ClientDetailsServiceConfigurer @EnableAuthoriza?onServer Authoriza?onServerEndpointsConfigurer Authoriza?onServerSecurityConfigurer GlobalMethodSecurityConfigura?on @EnableGlobalMethodSecurity OAuth2MethodSecurityExpressionHandler 21

Protected Service (Spring Security, Spring MVC) cont d ResourceServerConfigurerAdapter ResourceServerSecurityConfigurer HOpSecurity.csrf().requireCsrfProtec?onMatcher(new AntPathRequestMatcher("/ oauth/authorize")).disable() Persistence TokenStore ClientTokenServices Authoriza?onCodeServices ApprovalStore ApprovalStoreUserApprovalHandler 22

Protected Service (Spring Security, Spring MVC) cont d 23

Protected Service (Spring Security, Spring MVC): tes?ng @OAuth2ContextConfigura?on BaseOAuth2ProtectedResourceDetails Integra?onTest Integra?onTestHelper 24

Protected client, protected Rich UI (Spring Security, Spring MVC, Spring Security OAuth 2.0) Authen?ca?onManager erasecreden?als Applica?onListener<AbstractAuthen?ca?onEvent> ResourceOwnerPasswordAccessTokenProvider CustomAuthen?ca?onDetailsSource CustomAuthen?ca?onDetails WebAuthen?ca?onDetailsSource 25

Protected service with Spring Limita?ons: Added security overhead No unprotected internal access 26

Sample deep- dive hops://github.com/ishaigor/rest- retro- sample Unprotected JavaScript Widget Unprotected REST Words Service Spring MVC Legacy protected JSP / JavaScript Widget Spring Security AngularJS Protected Widget Protected service Spring Security OAuth Protected client Spring Security Oauth HTTP Authoriza?on Header Protected gateway Spring Integra?on Customiza?on 27

Security Gateway Pass Through with Spring Integra?on int- hop:inbound- gateway int- hop:outbound- gateway int:channel int:annota?on- config int- jmx:mbean- export 28

Security Gateway Pass Through with Spring Integra?on: customiza?on OutboundHeaderMapper RangeEnforcer CustomOAuth2WebSecurityExpressionHandler CustomSecurityExpressionMethods ClientHOpRequestFactory 29

Resources hop://oauth.net/2/ hop://projects.spring.io/spring- security/ hop://projects.spring.io/spring- security- oauth/ hops://github.com/ishaigor/rest- retro- sample hop://binarymuse.github.io/nginfinitescroll/ 30

Security Roadmap OAuth 2.0 Bearer for JavaScript /external REST IdP with SSO WS-Security /SAML for SOAP Digest / Signatures Encryption OAuth 2.0 SAML OAuth 2.0 MAC Address REST Services Exposure Merge user iden??es in a single directory Centralize iden?ty management Build secure APIs with our customers Other enhancements 31

Next steps on the road map: IdP with SSO IdP Iden?ty Provider centralized user directory Iden?ty management services Self- services Light linked iden??es from applica?on side SSO Single Sign On Central Authen?ca?on Service A library of clients for Java,.NET, PHP, Perl, Apache, uportal, and others Integrates with uportal, Sakai, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others 32

33

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information