Maurice de Beijer
What we will be talking about
 Why do we secure REST services
 HTTP Security
 Token based security
Who am I
 Maurice de Beijer.
 The Problem Solver.
 Microsoft CSD MVP.
 DevelopMentor instructor.
 Twitter:   @mauricedb or @HTML5SupportNL
 Blog:      http://msmvps.com/blogs/theproblemsolver/default.aspx
 Web:       http://www.HTML5Support.nl
 E-mail:    mauricedb@computer.org
Authentication

 Authentication is the act of confirming the truth of an attribute of a datum or entity.
Authorization

 Authorization is the function of specifying access rights to resources.
Confidentiality

 Confidentiality is an ethical principle. In ethics some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to third parties.
HTTP Security
 HTTPS and SSL/TLS
 Basic Authentication
 Forms Authentication
 Integrated Windows Authentication
HTTPS and SSL/TLS
 Only makes sure the transport is secure
    Point to point
    Says nothing about the client or the server
 How secure is https://ƤayƤal.com?
Basic Authentication
 One of the simplest HTTP standards
    But effective!
 Username and password are sent in the header of the request
    Base64 encoded => use HTTPS!

 GET /private/index.html HTTP/1.1
 Host: localhost
 Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
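How a server would consume the header shown above, as an added Python example that is not part of the slides: the credentials are only base64-encoded, so the server sees the plaintext password and must compare it against a stored hash, never store it as-is. The PBKDF2 storage format and the in-memory user store are assumptions for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os


def parse_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value,
    or None when the header is malformed. Base64 is an encoding, not
    encryption: anyone who can read the request can read the password."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # A password may itself contain ':', so split on the first colon only.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def hash_password(password, salt=None):
    """Constructed storage format for this example: random salt plus
    PBKDF2-HMAC-SHA256. The plaintext from the header is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_basic_auth(header_value, users):
    """Server-side check against a {username: (salt, digest)} store,
    using a constant-time comparison of the derived digests."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    user, password = creds
    record = users.get(user)
    if record is None:
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)
```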
Forms Authentication
 Works with a Forms Authentication cookie
   The cookie is sent with every HTTP request
 Take HTTP session hijacking into account
   Use HTTPS on every request!
   Not only when logging in
Integrated Windows Authentication
 Single Sign On
    Works just like in a website
 Perfect for use within an AD domain
    But awkward for users outside it
Token based security
 OAuth
 Amazon's S3 Authentication
 Federated security
Three legged OAuth
 Popular with many consumer sites
    Twitter
    Google
    Facebook
 Three entities are involved
 Rarely useful for B2B
Three legged OAuth flow
Two legged OAuth flow
Amazon's S3 Authentication
 Uses an HMAC
    Hash Message Authentication Code
 Computed over the request with a secret key
    The server computes the same HMAC
 Covers both authentication and message tampering
    Use HTTPS for confidentiality

 GET /photos/puppy.jpg HTTP/1.1
 Host: johnsmith.s3.amazonaws.com
 Date: Mon, 26 Mar 2007 19:37:58 +0000

 Authorization: AWS AKIAIOSFODNN7EXAMPLE:frJIUN8DYpKDtOLCwo//yllqDzg=
S3 Authentication - Client
S3 Authentication - Server
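The client-side signing and server-side check those two slides illustrate, as an added Python example that is not the slides' own code. It follows the S3 signature v2 layout (verb, Content-MD5, Content-Type, Date, x-amz-* headers, canonicalized resource) for the request shown on the previous slide; the secret key, the in-memory key store and the 15-minute clock-skew window are assumptions for this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# The access key id is the one from the slide; the secret is a constructed
# placeholder for this example and not a real AWS credential.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = b"constructed-secret-key-for-this-example"
HTTP_DATE = "%a, %d %b %Y %H:%M:%S +0000"


def parse_http_date(value):
    """Parse an RFC 1123 Date header value (UTC only) into a datetime."""
    return datetime.strptime(value, HTTP_DATE).replace(tzinfo=timezone.utc)


def string_to_sign(method, path, headers):
    """Build the StringToSign for a virtual-hosted-style request: verb,
    Content-MD5, Content-Type, Date, then the lowercase sorted x-amz-*
    headers and the canonicalized resource (/bucket + path)."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    amz = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower) if k.startswith("x-amz-"))
    bucket = lower["host"].split(".s3.amazonaws.com")[0]
    head = [method, lower.get("content-md5", ""), lower.get("content-type", ""), lower.get("date", "")]
    return "\n".join(head) + "\n" + amz + f"/{bucket}{path}"


def sign(secret, sts):
    """HMAC-SHA1 over the StringToSign, base64 encoded as in the header."""
    mac = hmac.new(secret, sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def client_authorize(method, path, headers):
    """Client side: compute the signature and add the Authorization header."""
    sig = sign(SECRET_KEY, string_to_sign(method, path, headers))
    return {**headers, "Authorization": f"AWS {ACCESS_KEY_ID}:{sig}"}


def server_verify(method, path, headers, secrets, now, max_skew=timedelta(minutes=15)):
    """Server side: look up the secret for the presented key id, recompute
    the HMAC over the request as received, and compare in constant time.
    A Date too far from the server clock is rejected, which bounds replay
    of a captured request (the HMAC by itself does not prevent replay)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("AWS "):
        return False
    key_id, _, presented = auth[4:].partition(":")
    secret = secrets.get(key_id)
    if secret is None or "Date" not in headers:
        return False
    try:
        sent = parse_http_date(headers["Date"])
    except ValueError:
        return False
    if abs(now - sent) > max_skew:
        return False
    unsigned = {k: v for k, v in headers.items() if k != "Authorization"}
    expected = sign(secret, string_to_sign(method, path, unsigned))
    return hmac.compare_digest(expected, presented)
```

Because the signature covers the verb, the resource and the Date, changing any of them after signing fails verification; the body and query string of a real request would have to be covered as well, which this example leaves out.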
Federated security
 Uses a Security Token Service (STS)
    The STS authenticates the user
    The service only sees the tokens issued by the STS
 Possible, for example, with Windows Azure Access Control Service
    Simple Web Tokens (SWT) are used
 Works well together with Windows Identity Foundation (WIF)
Federated security
Conclusion
 HTTP Security
    Simple and in many cases sufficient
    Works together with the security of a website
 Token based security
    OAuth is often not needed for B2B
    Federated security can use SWT tokens
       For example via ACS and WIF
Questions?
mauricedb@computer.org

Security and REST services (original title: Beveiliging en REST services)