The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
4. #RESTSecurity @otaviojava @tomitribe
ODCTour18LAD
“Lo mejor de los standares es que terminas
teniendo muchas opciones por escogerThe nice
thing about standards is
you have so many to choose from.”
- Andrew S. Tanenbaum
48. #RESTSecurity @otaviojava @tomitribe
ODCTour18LAD Nuevo Access Token
∙ header (JSON > Base64 URL Encoded)
∙ Describe como la firma (signature) del token puede ser
verificada
∙ payload (JSON > Base64 URL Encoded)
∙ Json map de información que desees incluir
∙ Campo estándar como el de Expiración
∙ signature (Binary > Base64 URL Encoded)
∙ La firma digital
∙ Hecha exclusivamente por el endpoint: /oauth2/token
∙ Si es RSA puede ser verificado por cualquier persona
76. #RESTSecurity @otaviojava @tomitribe
ODCTour18LAD
MicroProfile
∙ Comunidad Open-Source de la fundación Eclipse
∙ Enfocada en Microservicios bajo JavaEE
∙ Generadora de: Specificaciones, API y TCK.
∙ Implementado por diferentes entidades
http://microprofile.io/