Retrofitting OAuth 2.0 Security into Existing REST Service [CON1765]
Irena Shaigorodsky
JavaOne, 2014
ishaigorodsky@enservio.com
@ishaigorodsky
https://github.com/ishaigor/rest-retro-sample
© 2014 Enservio. All rights reserved.
Slide 2: Quick Survey
• How many
☐ Use or plan to use rich REST based UI for sensitive information?
☐ Know what OAuth is?
☐ Use or plan to use rich REST based UI with OAuth?
☐ Use spring/spring-security/spring-security-oauth?
Slide 3: Agenda
• Security Cost
• OAuth 2.0
• Sample deep-dive
Slide 4: Why My Company Needs Security?
• Cost of security breach in US[1]
– $188 per record
– average size: 28,765 records
– customer loss
• Customer driven
[1] 2013 Cost of Data Breach Study: Global Analysis by Ponemon Institute© sponsored by Symantec
Slide 5: OAuth 2.0
“An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.”[1]
“The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.”[1]
[1] http://oauth.net/
Slide 6: OAuth 2.0 Lingo
• Resource
– Resource Owner
– Resource Server
• OAuth 2.0 scope
• OAuth 2.0 client
• Endpoints
– Authorization Endpoint
– Token Endpoint
• Tokens
– Access Token
– Refresh Token
• Authorization Grant
http://wiki.scn.sap.com/wiki/display/Security/OAuth+2.0+Terminology
Slide 7: OAuth 2.0 Flows
• Authorization Code Grant Flow
– Google
– Facebook
• Resource Owner Password Credential Flow
• Client Credential Flow
• Implicit Grant Flow
– JavaScript client
Slide 8: Securing REST calls: OAuth 2.0
• Authorization Code Grant Flow
Diagram: http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_web_server_flow.png
Slide 10: Securing REST calls: OAuth 2.0
• Resource Owner Password Credential Flow
Diagram: http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_username_password_flow.png
Slide 12: Securing REST calls: OAuth 2.0
• Client Credential Flow
Diagram: http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_client_credentials_flow.png
Slide 14: Securing REST calls: OAuth 2.0
• Implicit Grant Flow
Diagram: http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_user_agent_flow.png
Slide 15: Sample deep-dive
https://github.com/ishaigor/rest-retro-sample
• Unprotected JavaScript Widget
– Unprotected REST Words Service
• Spring MVC
– Legacy protected JSP / JavaScript Widget
• Spring Security
• AngularJS
• Protected Widget
– Protected service
• Spring Security OAuth
– Protected client
• Spring Security OAuth
– HTTP Authorization Header
• Protected gateway
– Spring Integration
– Customization
Slide 16: Meet the unprotected REST Service (Spring MVC)
• @RestController
Slide 17: Meet secure legacy client with unprotected Rich UI (Spring Security, Spring MVC, AngularJS)
• ng-infinite-scroll
• AbstractDispatcherServletInitializer
– springSecurityFilterChain
• WebSecurityConfigurerAdapter
– @EnableWebSecurity
– AuthenticationManagerBuilder
– WebSecurity
– HttpSecurity
• Persistence
– Data source
– Group authorities by user name
Slide 18: Spring Security: User Details
Slide 19: Meet secure legacy client with unprotected Rich UI (Spring Security, Spring MVC, AngularJS) – cont’d
• <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags"%>
• <authz:authorize ifAllGranted="ROLE_USER">…</authz:authorize>
Slide 21: Protected Service (Spring Security, Spring MVC)
• AuthorizationServerConfigurerAdapter
– ClientDetailsServiceConfigurer
– @EnableAuthorizationServer
– AuthorizationServerEndpointsConfigurer
– AuthorizationServerSecurityConfigurer
• GlobalMethodSecurityConfiguration
– @EnableGlobalMethodSecurity
– OAuth2MethodSecurityExpressionHandler
Slide 22: Protected Service (Spring Security, Spring MVC) – cont’d
• ResourceServerConfigurerAdapter
– ResourceServerSecurityConfigurer
– HttpSecurity
• .csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable()
• Persistence
– TokenStore
– ClientTokenServices
– AuthorizationCodeServices
– ApprovalStore
• ApprovalStoreUserApprovalHandler
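The classes slides 16, 21 and 22 list, put together as one working Spring Security OAuth configuration for the Words service. This is an added example, not code from the talk's rest-retro-sample repository; it assumes spring-security-oauth2 2.x on Spring Security 3.2+, and the client id, secret, resource id, scope, sample data and the DataSource/AuthenticationManager beans it autowires are placeholders.

```java
// Added example (not the talk's rest-retro-sample code): the configuration pieces
// slides 16, 21 and 22 name, wired for a "words" REST service. Assumes
// spring-security-oauth2 2.x on Spring Security 3.2+; client id, secret, resource id,
// scope and the DataSource/AuthenticationManager beans are placeholders.
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/** Authorization server (slide 21): client registry, token store, endpoint access. */
@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired private AuthenticationManager authenticationManager; // checks resource owner passwords
    @Autowired private DataSource dataSource;                       // placeholder JDBC source
    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource); // persisted tokens survive restarts and can be revoked
    }
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("words-widget")                        // placeholder client id
            .secret("change-me")                               // placeholder client secret
            .authorizedGrantTypes("password", "refresh_token") // resource owner password flow (slide 10)
            .scopes("read")
            .resourceIds("words")
            .accessTokenValiditySeconds(600)                   // short-lived access token,
            .refreshTokenValiditySeconds(3600);                // renewed through the refresh token
    }
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager);
    }
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.checkTokenAccess("isAuthenticated()"); // /oauth/check_token needs client credentials
    }
}

/** Resource server (slide 22): /words calls must carry a bearer token with scope "read". */
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("words"); // tokens issued for other resource ids are rejected
    }
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Bearer calls carry no session cookie, so CSRF checks are kept only for the interactive
        // /oauth/authorize page; the slide's trailing .disable() would switch CSRF off everywhere.
        http.csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
            .and().authorizeRequests()
                .antMatchers("/words/**").access("#oauth2.hasScope('read')")
                .anyRequest().authenticated();
    }
}

/** Method security (slide 21): makes the #oauth2 expression root usable in @PreAuthorize. */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

/** The formerly unprotected Words service (slide 16), now also checked per method. */
@RestController
class WordsController {
    @PreAuthorize("#oauth2.hasScope('read')")
    @RequestMapping("/words")
    public String[] words() {
        return new String[] {"retro", "fit"}; // constructed sample data
    }
}
```

The separate Spring Security OAuth project used here has since reached end of life; the same split (token issuer, resource server, method security) is what its successors implement, so the structure carries over even where the class names do not.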
Slide 23: Protected Service (Spring Security, Spring MVC) – cont’d
Slide 24: Protected Service (Spring Security, Spring MVC): testing
• @BeforeOAuth2Context
• @OAuth2ContextConfiguration
• BaseOAuth2ProtectedResourceDetails
• IntegrationTest
• IntegrationTestHelper
Slide 25: Protected client, protected Rich UI (Spring Security, Spring MVC, Spring Security OAuth 2.0)
• AuthenticationManager
– eraseCredentials
• ApplicationListener<AbstractAuthenticationEvent>
– ResourceOwnerPasswordAccessTokenProvider
• CustomAuthenticationDetailsSource
– CustomAuthenticationDetails
– WebAuthenticationDetailsSource
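How the pieces on this slide fit together on the client side: the legacy form login succeeds, a listener exchanges the user's password for an access token with the resource owner password flow, and the token is handed to the Rich UI through the session so the widget can send it in the HTTP Authorization header. This is an added example, not the talk's code; it listens for AuthenticationSuccessEvent (a subclass of the AbstractAuthenticationEvent the slide names), assumes spring-security-oauth2 2.x on Spring Security 3.2+, and the token URI, client id/secret, session attribute name and in-memory user are placeholders.

```java
// Added example (not the talk's code) for slide 25: after the legacy form login succeeds,
// exchange the user's password for an OAuth 2.0 access token (resource owner password flow)
// and hand it to the Rich UI through the session. Assumes spring-security-oauth2 2.x;
// token URI, client id/secret, the session attribute name and the user are placeholders.
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;

/** Login details that also carry the HTTP session, so the token can be stored in it. */
class CustomAuthenticationDetails extends WebAuthenticationDetails {
    private final transient HttpSession session;
    CustomAuthenticationDetails(HttpServletRequest request) {
        super(request);
        this.session = request.getSession(true);
    }
    HttpSession getSession() { return session; }
}

class CustomAuthenticationDetailsSource extends WebAuthenticationDetailsSource {
    @Override
    public WebAuthenticationDetails buildDetails(HttpServletRequest request) {
        return new CustomAuthenticationDetails(request);
    }
}

/** Runs on every successful login (AuthenticationSuccessEvent extends AbstractAuthenticationEvent). */
@Component
class TokenOnLoginListener implements ApplicationListener<AuthenticationSuccessEvent> {
    static final String TOKEN_ATTRIBUTE = "oauth2AccessToken"; // placeholder session attribute
    private final ResourceOwnerPasswordAccessTokenProvider provider =
            new ResourceOwnerPasswordAccessTokenProvider();

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        Object password = auth.getCredentials();
        if (password == null || !(auth.getDetails() instanceof CustomAuthenticationDetails)) {
            return; // credentials already erased, or not an interactive web login
        }
        OAuth2AccessToken token = provider.obtainAccessToken(
                resourceDetails(auth.getName(), password.toString()), new DefaultAccessTokenRequest());
        HttpSession session = ((CustomAuthenticationDetails) auth.getDetails()).getSession();
        // The page hands this value to the widget, which sends it on every REST call as
        // "Authorization: Bearer <token>" (slide 25: HTTP Authorization Header).
        session.setAttribute(TOKEN_ATTRIBUTE, token.getValue());
        if (auth instanceof CredentialsContainer) {
            ((CredentialsContainer) auth).eraseCredentials(); // password is no longer needed
        }
    }

    private static ResourceOwnerPasswordResourceDetails resourceDetails(String user, String password) {
        ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
        details.setAccessTokenUri("https://words.example/oauth/token"); // placeholder token endpoint
        details.setClientId("words-widget");                            // placeholder client id
        details.setClientSecret("change-me");                           // placeholder client secret
        details.setScope(Arrays.asList("read"));
        details.setUsername(user);
        details.setPassword(password);
        return details;
    }
}

/** Legacy client security (slide 17) adjusted so the listener can see the password once. */
@Configuration
@EnableWebSecurity
class ClientWebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired private ApplicationEventPublisher publisher;
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationEventPublisher(new DefaultAuthenticationEventPublisher(publisher))
            .eraseCredentials(false) // slide 25: keep the password until the token exchange has run
            .inMemoryAuthentication().withUser("alice").password("s3cret").roles("USER"); // constructed user
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin().authenticationDetailsSource(new CustomAuthenticationDetailsSource())
            .and().authorizeRequests().anyRequest().hasRole("USER");
    }
}
```

Keeping the password past authentication (eraseCredentials(false)) means it sits in the SecurityContext, and therefore in the session, until something clears it; the listener's own eraseCredentials() call is what limits that window to the token exchange.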
Slide 26: Protected service with Spring
• Limitations:
– Added security overhead
– No unprotected internal access
Slide 28: Security Gateway Pass Through with Spring Integration
• int-http:inbound-gateway
• int-http:outbound-gateway
• int:channel
• int:annotation-config
• int-jmx:mbean-export
Slide 29: Security Gateway Pass Through with Spring Integration: customization
• OutboundHeaderMapper
• RangeEnforcer
• CustomOAuth2WebSecurityExpressionHandler
• CustomSecurityExpressionMethods
• ClientHttpRequestFactory
Slide 30: Resources
• http://oauth.net/2/
• http://projects.spring.io/spring-security/
• http://projects.spring.io/spring-security-oauth/
• https://github.com/ishaigor/rest-retro-sample
• http://binarymuse.github.io/ngInfiniteScroll/
Slide 31: Security Roadmap (diagram)
Stages:
• Address REST Services Exposure
• Merge user identities in a single directory
• Centralize identity management
• Build secure APIs with our customers
• Other enhancements
Mechanisms called out on the diagram:
• OAuth 2.0 Bearer for JavaScript / external REST
• IdP with SSO
• WS-Security / SAML for SOAP
• Digest / Signatures
• Encryption
• OAuth 2.0 SAML
• OAuth 2.0 MAC
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 

JavaOne 2014: Retrofitting OAuth 2.0 Security into Existing REST Services - CON1765

  • 1. Retrofitting OAuth 2.0 Security into Existing REST Service [CON1765] Irena Shaigorodsky Java One, 2014 ishaigorodsky@enservio.com @ishaigorodsky https://github.com/ishaigor/rest-retro-sample © 2014 Enservio. All rights reserved.
  • 2. Quick Survey • How many ☐ Use or plan to use rich REST based UI for sensitive information? ☐ Know what OAuth is? Use or plan to use rich REST based UI with OAuth? ☐ Use spring/spring-security/spring-security-oauth?
  • 3. Agenda • Security Cost • OAuth 2.0 • Sample deep-dive
  • 4. Why My Company Needs Security? • Cost of security breach in US[1] – $188 per record – average size: 28,765 records – customer loss • Customer driven [1] 2013 Cost of Data Breach Study: Global Analysis by Ponemon Institute© sponsored by Symantec
  • 5. OAuth 2.0 “An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.”[1] “The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.”[1] [1] http://oauth.net/
  • 6. OAuth 2.0 Lingo • Resource – Resource Owner – Resource Server • OAuth 2.0 scope • OAuth 2.0 client • Endpoints – Authorization Endpoint – Token Endpoint • Tokens – Access Token – Refresh Token • Authorization Grant http://wiki.scn.sap.com/wiki/display/Security/OAuth+2.0+Terminology
  • 7. OAuth 2.0 Flows • Authorization Code Grant Flow – Google – Facebook • Resource Owner Password Credential Flow • Client Credential Flow • Implicit Grant Flow – JavaScript client
  • 8. Securing REST calls: OAuth 2.0 • Authorization Code Grant Flow http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_web_server_flow.png
  • 9. OAuth 2.0 Flows • Authorization Code Grant Flow – Google – Facebook • Resource Owner Password Credential Flow • Client Credential Flow • Implicit Grant Flow – JavaScript client
  • 10. Securing REST calls: OAuth 2.0 • Resource Owner Password Credential Flow http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_username_password_flow.png
  • 11. OAuth 2.0 Flows • Authorization Code Grant Flow – Google – Facebook • Resource Owner Password Credential Flow • Client Credential Flow • Implicit Grant Flow – JavaScript client
  • 12. Securing REST calls: OAuth 2.0 • Client Credential Flow http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_client_credentials_flow.png
  • 13. OAuth 2.0 Flows • Authorization Code Grant Flow – Google – Facebook • Resource Owner Password Credential Flow • Client Credential Flow • Implicit Grant Flow – JavaScript client
  • 14. Securing REST calls: OAuth 2.0 • Implicit Grant Flow http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/images/oauth/oauth_user_agent_flow.png
  • 15. Sample deep-dive https://github.com/ishaigor/rest-retro-sample • Unprotected JavaScript Widget – Unprotected REST Words Service • Spring MVC – Legacy protected JSP / JavaScript Widget • Spring Security • AngularJS • Protected Widget – Protected service • Spring Security OAuth – Protected client • Spring Security OAuth – HTTP Authorization Header • Protected gateway – Spring Integration – Customization
  • 16. Meet the unprotected REST Service (Spring MVC) • @RestController
  • 17. Meet secure legacy client with unprotected Rich UI (Spring Security, Spring MVC, AngularJS) • ng-infinite-scroll • AbstractDispatcherServletInitializer – springSecurityFilterChain • WebSecurityConfigurerAdapter – @EnableWebSecurity – AuthenticationManagerBuilder – WebSecurity – HttpSecurity • Persistence – Data source – Group authorities by user name
  • 18. Spring Security: User Details
  • 19. Meet secure legacy client with unprotected Rich UI (Spring Security, Spring MVC, AngularJS) – cont’d • <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags"%> • <authz:authorize ifAllGranted="ROLE_USER">…</authz:authorize>
  • 20. Sample deep-dive https://github.com/ishaigor/rest-retro-sample • Unprotected JavaScript Widget – Unprotected REST Words Service • Spring MVC – Legacy protected JSP / JavaScript Widget • Spring Security • AngularJS • Protected Widget – Protected service • Spring Security OAuth – Protected client • Spring Security OAuth – HTTP Authorization Header • Protected gateway – Spring Integration – Customization
  • 21. Protected Service (Spring Security, Spring MVC) • AuthorizationServerConfigurerAdapter – ClientDetailsServiceConfigurer – @EnableAuthorizationServer – AuthorizationServerEndpointsConfigurer – AuthorizationServerSecurityConfigurer • GlobalMethodSecurityConfiguration – @EnableGlobalMethodSecurity – OAuth2MethodSecurityExpressionHandler
  • 22. Protected Service (Spring Security, Spring MVC) – cont’d • ResourceServerConfigurerAdapter – ResourceServerSecurityConfigurer – HttpSecurity • .csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable() • Persistence – TokenStore – ClientTokenServices – AuthorizationCodeServices – ApprovalStore • ApprovalStoreUserApprovalHandler
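Slides 21 and 22 list the Spring Security OAuth classes the protected service is built from but not how they fit together. The listing below is an added example written for this transcript; it is not code from the rest-retro-sample repository. It assumes a `DataSource` bean that already holds the spring-security-oauth2 JDBC schema (oauth_access_token, oauth_code, oauth_approvals), an `AuthenticationManager` bean (needed only for the password grant), a client id `words-widget` with a placeholder secret and redirect URI, a single scope `read`, resource id `words`, and an API mounted under `/words/**`. Three configuration classes are shown in one listing for readability; in a project each goes in its own file.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.ApprovalStoreUserApprovalHandler;
import org.springframework.security.oauth2.provider.approval.JdbcApprovalStore;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Added example, not the rest-retro-sample code. Assumed: a DataSource bean with the spring-security-oauth2
// schema, an AuthenticationManager bean, client "words-widget", scope "read", resource id "words", API /words/**.
@Configuration
@EnableAuthorizationServer
class WordsAuthorizationServer extends AuthorizationServerConfigurerAdapter {
    @Autowired private DataSource dataSource;
    @Autowired private AuthenticationManager authenticationManager; // used by the password grant only
    @Autowired private ClientDetailsService clientDetailsService;   // built from configure(clients) below

    // Tokens, authorization codes and user approvals survive a restart: all three are JDBC-backed.
    @Bean TokenStore tokenStore() { return new JdbcTokenStore(dataSource); }
    @Bean ApprovalStore approvalStore() { return new JdbcApprovalStore(dataSource); }
    @Bean AuthorizationCodeServices authorizationCodeServices() { return new JdbcAuthorizationCodeServices(dataSource); }

    @Bean ApprovalStoreUserApprovalHandler userApprovalHandler() {
        // Records per-user scope approvals so a returning user is not asked to consent again.
        ApprovalStoreUserApprovalHandler handler = new ApprovalStoreUserApprovalHandler();
        handler.setApprovalStore(approvalStore());
        handler.setClientDetailsService(clientDetailsService);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        return handler;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // One registered client, the widget: short-lived access tokens, refresh token for renewal.
        clients.inMemory()
            .withClient("words-widget")
            .secret("change-me")                                  // placeholder secret
            .authorizedGrantTypes("authorization_code", "password", "refresh_token")
            .scopes("read")
            .resourceIds("words")
            .redirectUris("https://widget.example.test/callback") // assumed redirect URI
            .accessTokenValiditySeconds(600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
            .approvalStore(approvalStore())
            .authorizationCodeServices(authorizationCodeServices())
            .userApprovalHandler(userApprovalHandler())
            .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.checkTokenAccess("isAuthenticated()"); // /oauth/check_token is never anonymous
    }
}

@Configuration
@EnableResourceServer
class WordsResourceServer extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("words"); // a token minted for another resource id is rejected
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.requestMatchers().antMatchers("/words/**").and()     // this filter chain covers the API only
            // Bearer calls carry no session cookie, so CSRF tokens add nothing here (the slide 22 line).
            .csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable()
            .authorizeRequests()
                .antMatchers("/words/**").access("#oauth2.hasScope('read')");
    }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class WordsMethodSecurity extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler(); // enables #oauth2.hasScope(...) in @PreAuthorize
    }
}
```

The resource server chain is pinned to `/words/**` so that `/oauth/authorize` and `/oauth/token` keep the authorization server's own protection rather than demanding a bearer token; the `resourceId` check and the `#oauth2.hasScope('read')` expression are the two places where a valid-looking token is still refused.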
  • 23. Protected Service (Spring Security, Spring MVC) – cont’d
  • 24. Protected Service (Spring Security, Spring MVC): testing • @BeforeOAuth2Context • @OAuth2ContextConfiguration • BaseOAuth2ProtectedResourceDetails • IntegrationTest • IntegrationTestHelper
  • 25. Protected client, protected Rich UI (Spring Security, Spring MVC, Spring Security OAuth 2.0) • AuthenticationManager – eraseCredentials • ApplicationListener<AbstractAuthenticationEvent> – ResourceOwnerPasswordAccessTokenProvider • CustomAuthenticationDetailsSource – CustomAuthenticationDetails – WebAuthenticationDetailsSource
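Slide 25 pairs `eraseCredentials` with an `ApplicationListener` and `ResourceOwnerPasswordAccessTokenProvider`: the legacy client logs the user in with a form, and on the success event swaps the just-verified password for an OAuth 2.0 token that the widget will later send in the `Authorization` header. The listing below is an added example, not the repository's code. It assumes a token endpoint URL, the client id `words-widget` with a placeholder secret, a `DataSource` bean holding both the Spring Security user tables and the oauth_client_token table, and that the `AuthenticationManager` is built with the default event publisher so that `AuthenticationSuccessEvent` is actually delivered.

```java
import java.util.Collections;
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.oauth2.client.token.ClientTokenServices;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.client.token.JdbcClientTokenServices;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

// Added example, not the rest-retro-sample code. Assumed: token endpoint URL, client id/secret and a
// DataSource with the Spring Security user tables plus spring-security-oauth2's oauth_client_token table.
class TokenOnLoginListener implements ApplicationListener<AuthenticationSuccessEvent> {
    private static final String TOKEN_URI = "https://words.example.test/oauth/token"; // assumed
    private static final String CLIENT_ID = "words-widget";
    private static final String CLIENT_SECRET = "change-me";                           // placeholder
    private final ResourceOwnerPasswordAccessTokenProvider provider = new ResourceOwnerPasswordAccessTokenProvider();
    private final ClientTokenServices tokenServices;

    TokenOnLoginListener(ClientTokenServices tokenServices) { this.tokenServices = tokenServices; }

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        Authentication user = event.getAuthentication();
        Object credentials = user.getCredentials();
        if (!(credentials instanceof String)) {
            return; // already erased, or not a password login: nothing to exchange
        }
        try {
            // Resource Owner Password Credential flow (slide 10): the client presents the user's own
            // password once, receives a token, and from then on sends only the token.
            ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
            details.setAccessTokenUri(TOKEN_URI);
            details.setClientId(CLIENT_ID);
            details.setClientSecret(CLIENT_SECRET);
            details.setScope(Collections.singletonList("read"));
            details.setUsername(user.getName());
            details.setPassword((String) credentials);
            OAuth2AccessToken token = provider.obtainAccessToken(details, new DefaultAccessTokenRequest());
            tokenServices.saveAccessToken(details, user, token);
            // Any failure propagates: the login fails closed rather than leaving a session without a token.
        } finally {
            // The password has done its job; clear it from the Authentication that will live in the session.
            if (user instanceof CredentialsContainer) {
                ((CredentialsContainer) user).eraseCredentials();
            }
        }
    }
}

@Configuration
@EnableWebSecurity
class LegacyClientSecurity extends WebSecurityConfigurerAdapter {
    @Autowired private DataSource dataSource;

    @Bean ClientTokenServices clientTokenServices() { return new JdbcClientTokenServices(dataSource); }

    @Bean TokenOnLoginListener tokenOnLoginListener() { return new TokenOnLoginListener(clientTokenServices()); }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // ProviderManager erases the password *before* it publishes the success event, so the listener
        // above would never see it unless erasure is switched off here (slide 25: eraseCredentials).
        auth.eraseCredentials(false)
            .jdbcAuthentication().dataSource(dataSource);
    }
}
```

Two design points worth keeping in view: the password grant hands the user's password to the client, which is acceptable only because this legacy JSP application is first-party and already holds that password during login; and `eraseCredentials(false)` widens the window in which the clear-text password exists in memory, which is why the listener erases it itself in `finally` as soon as the token exchange has been attempted.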
  • 26. Protected service with Spring • Limitations: – Added security overhead – No unprotected internal access
  • 27. Sample deep-dive https://github.com/ishaigor/rest-retro-sample • Unprotected JavaScript Widget – Unprotected REST Words Service • Spring MVC – Legacy protected JSP / JavaScript Widget • Spring Security • AngularJS • Protected Widget – Protected service • Spring Security OAuth – Protected client • Spring Security OAuth – HTTP Authorization Header • Protected gateway – Spring Integration – Customization
  • 28. Security Gateway Pass Through with Spring Integration • int-http:inbound-gateway • int-http:outbound-gateway • int:channel • int:annotation-config • int-jmx:mbean-export
  • 29. Security Gateway Pass Through with Spring Integration: customization • OutboundHeaderMapper • RangeEnforcer • CustomOAuth2WebSecurityExpressionHandler • CustomSecurityExpressionMethods • ClientHttpRequestFactory
  • 30. Resources • http://oauth.net/2/ • http://projects.spring.io/spring-security/ • http://projects.spring.io/spring-security-oauth/ • https://github.com/ishaigor/rest-retro-sample • http://binarymuse.github.io/ngInfiniteScroll/
  • 31. Security Roadmap (figure; items as they appear on the slide) • Roadmap steps: Address REST Services Exposure – Merge user identities in a single directory – Centralize identity management – Build secure APIs with our customers – Other enhancements • Technologies shown: OAuth 2.0 Bearer for JavaScript / external REST – IdP with SSO – WS-Security / SAML for SOAP – Digest / Signatures – Encryption – OAuth 2.0 SAML – OAuth 2.0 MAC