D@W REST security
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 1
REST web services Security
Gaurav Sharma, Principal Member Technical Staff, OWSM – Oracle Web Services Manager
October 5th, 2015

Agenda
• REST web services security
• Need for Web Security
• TLS/SSL – https
• Basic Authentication
• Token based authentication
• Authorization
• OWSM security policies for REST security
• Security Vulnerabilities

REST / RESTful web services
• Based on the Representational State Transfer (REST) architectural style
• Lightweight alternative to mechanisms like RPC (Remote Procedure Calls) and SOAP; very commonly used to create APIs for applications accessible over web/mobile.
• Uses HTTP as the underlying protocol
• REST revolves around resources that are accessed through a common interface using the standard HTTP methods – GET/PUT/POST/DELETE
• REST offers no built-in security features: no encryption, session management, QoS guarantees, etc.

Why do we need Web Security?
• Online transactions – banking, credit card (travel, shopping etc.)
• Social identity – posting messages, friend requests, sharing pictures with a selected friend circle.
• Avoiding spam (unwanted email, viruses, adware)
The Internet is so easily accessible to anyone that it can be a dangerous place.

Some high profile attacks
• eBay attack (2014) – personal records of 233 million users, including usernames, passwords, phone numbers and physical addresses, compromised.
• iCloud attack (2014) – private pictures of US celebrities were compromised.
• Gmail attack (2007) – a filter redirected incoming emails to a different address.
• Twitter (2009) – allowed changing one's status.
• ING (2008) – vulnerability attack that allowed transfer of funds by creating fake accounts.

Web Security ??
[Diagram: network zones – Internet, DMZ, Intranet]

Security – at all layers
We will focus on REST services security.

REST Services – Application perspective
[Diagram: zones Internet, DMZ, Intranet; application tiers Front end/View, Middleware (SOA/OSB), Database; REST services Service 1 (REST), Service 2 (REST) … Service n (REST)]

REST security – aspects
• Transport Layer security – securing the communication channel, ensuring confidentiality and integrity, and ensuring service identification
• Authentication and Authorization – exposing REST services only to authentic and authorized users/applications
Let's deal with these.

[Diagram: Client ↔ Internet ↔ REST service over plain http]
Confidentiality and Integrity – anyone can see the data, modify it and send it to the service.

[Diagram: Client ↔ Internet ↔ REST service over plain http]
Identification – no way to know if you are talking to the authentic website.

[Diagram: Client ↔ Internet ↔ Fraud service over plain http]
Identification – no way to know if you are talking to the authentic website. The website itself might be a fraud.

Solution -> https – http over SSL
• URLs beginning with https indicate that the connection is encrypted using SSL
• SSL uses certificates that are issued by a Certifying Authority (CA) such as VeriSign or DigiCert.
• Certificates assert the identity of the website provider, e.g. Facebook = [certificate image not captured in the transcript]
• Certificates also encrypt the data that flows to and from the website, keeping it secure from outsiders.

[Diagram: Client ↔ Internet ↔ REST service over https]
https – ensures confidentiality, integrity and service identification

Authentication and Authorization

[Diagram: Client ↔ Internet ↔ REST service over https]
Security concern – no way to know if the user dealing with the service is authentic and authorized.
Add security to your service.

Basic Authentication
• When you enable basic authentication the user is forced to prove his or her identity by entering a username and password.
• Client credentials are sent base64-encoded in the HTTP Authorization header:
GET http://localhost/html5/ HTTP/1.1
Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh
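How a service should handle the header shown above, as an added example that is not code from the slides or from OWSM: parse the Basic value the way RFC 7617 defines it (first colon only, reject bad base64), then check the password against a salted hash in constant time. The credential store, the user `alice` and her password are constructed for the demo; the header value from the slide decodes to a joke credential, so it fails authentication.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed credential store for this example: username -> (salt, PBKDF2 hash).
# The service keeps only salted hashes, never the plaintext passwords it receives.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("s3cret:pass", _SALT))}

def parse_basic_header(header):
    """Return (username, password) from an Authorization header value, or None
    if the header is missing, is not Basic, or does not decode cleanly."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: only the FIRST colon separates user-id and password, so a
    # password that itself contains ':' must survive the split intact.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password

def authenticate(header) -> bool:
    """True only if the header carries a known user's correct password."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    salt, expected = USERS.get(user, (b"", b""))
    if not expected:
        # Unknown user: hash anyway so timing does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), expected)

def make_basic_header(user: str, password: str) -> str:
    # What a client sends: base64 of "user:password" (encoding, not encryption).
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

Because the header is only encoded, anyone reading plain http traffic recovers the password, which is why the transport must be https.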

Issues with Passwords/basic auth
[Diagram: the user's Password is sent separately to Service 1, Service 2 … Service n]

Token based authentication – login once
[Diagram: the user logs in once with User/Password at Access Management (backed by Directory and Identity Management) and receives a Token; the same Token is presented to Service 1, Service 2 … Service n, which trust the issuer]
• Several implementations exist – SAML, OAM token, OAuth2

Advantages of tokens
• Stateless, easier to scale – the token contains all the information needed to identify the user, eliminating the need for session state.
• Reusability – you can have many separate servers, running on multiple platforms and domains, reusing the same token for authenticating the user.
• Mobile ready – integrates with mobile clients
• Security – protects against CORS and CSRF
• Tokens work across different programming languages.
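The "login once, stateless" flow of the two slides above, as an added example that is not code from the slides, from OWSM, or from any of the SAML/OAM/OAuth2 implementations named: a minimal HMAC-signed token that the issuer mints once and that every service verifies locally from the claims it carries, plus a role check on top. The shared key, user names, roles and timestamps are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed signing key shared by the issuer (Access Management) and the services
# that trust it; a real deployment loads it from a key store, never from source.
ISSUER_KEY = b"example-shared-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, roles: list, ttl_seconds: int, now=None) -> str:
    """Login once: the issuer puts identity, roles and expiry into the token and signs it."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user, "roles": roles, "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(sig)

def verify_token(token: str, now=None):
    """Any service holding the trusted key checks the token locally: no call to the
    issuer and no session state. Returns the claims, or None if not acceptable."""
    now = time.time() if now is None else now
    body, sep, sig_text = token.partition(".")
    if not sep:
        return None
    try:
        expected = hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig_text), expected):
            return None  # body or signature tampered with
        claims = json.loads(_b64url_decode(body))  # parsed only after the signature holds
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired: a stateless token cannot be recalled, so keep ttl short
    return claims

def authorize(token: str, required_role: str, now=None) -> bool:
    """Authorization on top of authentication: the role travels inside the token."""
    claims = verify_token(token, now)
    return claims is not None and required_role in claims.get("roles", [])
```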

Token Based authorization – OAuth2
• Useful in scenarios where another application accesses REST APIs instead of the actual user, e.g. a travel app accessing REST APIs exposed by an airline service, or YouTube accessing Facebook APIs.
• The end user may or may not exist.

Is there any product for securing my REST services?

OWSM Agent to secure REST client/services
[Diagram: the same architecture as before (Internet, DMZ, Intranet; Application with Front end/View, Middleware (SOA/OSB), Services Service 1, Service 2 … Service n, and Database), with OWSM agents securing the REST clients and services]

REST security using OWSM
• OWSM – de-facto standard for securing Web services within Oracle Fusion Middleware and Oracle Public Cloud.
• Provides out-of-the-box security policies for REST services and clients.
• Provides security policies for various use cases, e.g. basic authentication, OAuth2, SAML etc.
• Avoids the need for developers to understand security specifications and security implementation details.
• Monitors run-time security events such as failed authentication or authorization.
• Global and direct policy attachment.

OWSM – REST security policies

Example – Securing a SOA REST service using OWSM security policies

You can choose the required security policies from the available pre-defined policies.

Security Vulnerabilities ?
• XSS – cross site scripting
• Denial of Service attack – attacker sends thousands of messages to the host server and brings its network down.
• CSRF – cross site request forgery
• Phishing
• Man in the middle
• SQL Injection
• and many more

How to deal with it?
• Stay informed about existing vulnerabilities and stay updated about new ones
• Build secure applications – use tools and standards to enforce and check for security holes
• OWASP – online community dedicated to web application security.

Questions ??
Email: [email protected]
Blog: http://technotesgaurav.blogspot.in