State of Securing Restful APIs s12gx2015

1. SPRINGONE2GX WASHINGTON, DC Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ The State of Securing RESTful APIs with Spring By Rob Winch @rob_winch

2. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication 3

3. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Naïve approach… 4 https://api.example.com? username=rob&password=secret

4. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ “ Come on Bender. It's up to you to make your own decisions in life. That's what's separates people and robots from animals .. and animal robots! Fry Futurama 5

5. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ RFC-7231 Sensitive Information 6 “ Authors of services ought to avoid GET- based forms for the submission of sensitive data … - RFC-7231: Section 9.4

6. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Basic Authentication 7

7. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Basic Authentication 8

8. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Digest Authentication 9

11. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Transport Layer Security (TLS) •  Conﬁdentiality •  Integrity 12

12. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 13 13

13. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Checking TLS https://www.ssllabs.com/ssltest/ https://shaaaaaaaaaaaaa.com/ 14

14. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TLS Performance •  Computational overhead •  Latency overhead •  Cache 15

15. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 16 “On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. -  Adam Langley, Google https://goo.gl/IYJrqv

16. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 17 “We have found that modern software-based TLS implementations running on commodity CPUs are fast enough to handle heavy HTTPS traﬃc load without needing to resort to dedicated cryptographic hardware. -  Doug Beaver, Facebook https://goo.gl/pf8Xwh

17. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 18 “HTTP keepalives and session resumption mean that most requests do not require a full handshake, so handshake operations do not dominate our CPU usage. - Jacob Hoﬀman-Andrews, Twitter https://goo.gl/Re0ijb

18. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TLS Optimize •  TLS Resumption •  Latency •  Online Certiﬁcate Status Protocol (OCSP) •  Cloudﬂare 19

19. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Optimizing TLS Is TLS Fast Yet.com 20

20. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ HTTP Basic over HTTPS? 21 oclHashcat Hash Type Speed SHA1 42.408 Bh/s SHA256 16.904 Bh/s SHA512 5.2 Bh/s Ubuntu 14.04, 64 bit ForceWare 346.29 X NVidia Titan X

21. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Introduce Session 22 username=winch&name=Rob+Winch

22. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Encrypting the Session 23 Base64(IV,   aes_cbc(k,IV,plainText))  •  k – a secret key only known to server •  aes_cbc – encrypts the plainText using AES/CBC with the provided IV •  plainText – format of username=winch&name=Rob+Winch

23. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Your handwriting is atrocious, not encrypted 24

24. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Introduce Session username=winch&name=Rob+Winch username=admin&name=Rob+Winch Can change [1] properly encrypted value below: To have the following Plaintext 25 [1] https://goo.gl/2Uio0W

25. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 26 2:03 PM - 27 Jul 2015 https://goo.gl/Hs383Z

26. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 27 10:54 AM - 28 May 2015 https://goo.gl/ZbP9Yp

27. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ JWT Header {"alg":"HS256","typ":"JWT"} 28

28. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/

29. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ “… each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. - Roy Fielding, Architectural Styles and the Design of Network-based Software Architectures http://goo.gl/MzVy0V 30

30. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Representational STATE transfer “… session state can be transferred by the server to another service such as a database to maintain a persistent state for a period and allow authentication -  Wikipedia http://goo.gl/bd33t7 31

31. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 32

32. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Code Slide 33 public interface HttpSession { … }

34. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Customizing the Cookie 35 <session-config>  <cookie-config> <name>SESSION</name> </cookie-config> </session-config>

35. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 36 @Configuration @EnableRedisHttpSession public class Config { @Bean public JedisConnectionFactory connectionFactory() { return new JedisConnectionFactory(); } }

36. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 37 public class Initializer extends AbstractHttpSessionApplicationInitializer { public Initializer() { super(Config.class); } }

37. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 38 public class Initializer extends AbstractHttpSessionApplicationInitializer { public Initializer() { super(Config.class); } }

38. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Session 39 <filter> <filter-name> springSessionRepositoryFilter </filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSessionRepositoryFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

40. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DEMO Spring Session 41

41. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ SessionRepositoryFilter 42 public void doFilter(ServletRequest req,   ServletResponse resp, FilterChain chain { ServletRequest request = new SessionRepositoryRequestWrapper(req); … chain.doFilter(request, response); }

42. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ SessionRepositoryRequestWrapper 43 public HttpSession getSession() { // return custom HttpSession }

43. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ OAuth 2.0? •  When working within a sandbox •  Limiting liability 44

45. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ http .authorizeRequests() .antMatchers("/public/**").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") .anyRequest().authenticated() Authorization 46

46. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authorization 47 @PostAuthorize("returnObject?.to?.id == principal.id") Message findOne(Long id);

47. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authorization 48 @PreAuthorize("#message?.from?.id == principal.id") <S extends Message> S save(Message message);

48. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Permissions 49 @PostAuthorize("hasPermission(returnObject,'read')") Message findOne(Long id);

49. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Permissions 50 @PreAuthorize("hasPermission(#message,’write')") <S extends Message> S save(Message message);

50. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 51 public interface PermissionEvaluator … { boolean hasPermission(Authentication authentication,   Object targetDomainObject,  Object permission); boolean hasPermission(Authentication authentication,  Serializable targetId,  String targetType,   Object permission); }

51. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Queries? 52 @Query("select m from Message m where m.to.id = ? #{principal.id}")  Iterable<Message> inbox();

52. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Queries? 53 @Query("select m from Message m where m.to.id = ? #{principal.id}")  Page<Message> inbox(Pageable pageable);

53. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Future Work? 54 @EnableAclSecurity  public interface SecuredMessageRepository   extends MessageRepository {} // Vote for it! DATACMNS-293 SEC-2409

54. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DEMO CSRF 55

55. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 56

58. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “When do I use CSRF protection? 59

59. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “... but my application uses JSON 60

60. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 61 <form ... method="post" enctype="text/plain"> <input type='hidden' name=’{"summary":"Hi", … "ignore_me":"' value='test"}'   /> </form>

61. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection 62 {  "summary": "Hi", "message": "New Message", "to": "luke@example.com", "ignore_me": "=test" }

62. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “… but my application is stateless 63

64. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection “…and I use a custom header for authentication and ignore cookies 65

65. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ CSRF Protection •  Use proper HTTP Verbs •  Configure CSRF Protection •  Include the CSRF Token 66

66. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Including the CSRF Token 67 @RequestMapping("/csrf”)  public CsrfToken csrf(CsrfToken token) { return token; }

67. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ DEMO Clickjacking 68

68. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Security HTTP Response Headers 69

71. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Related Talks •  Hands on Spring Security 4.1 – Wed at 8:30am •  Spring MVC 4.2: New and Noteworthy – Wed at 10:30am •  A How to Guide to Security in the PAAS Cloud – Wed at 4:30pm •  Securing Microservices with Spring Cloud Security – Thurs at 10:30am 72

72. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Learn More. Stay Connected. •  Use TLS •  Authentication Should Have State •  Use Proper Authorization •  Use a Framework Because Individuals Cannot Provide Good Security Twitter: @rob_winch YouTube: spring.io/video LinkedIn: spring.io/linkedin Google Plus: spring.io/gplus 73

State of Securing Restful APIs s12gx2015

Estás leyendo una previsualización.

Eche un vistazo a continuación

State of Securing Restful APIs s12gx2015

Más Contenido Relacionado

Presentaciones para usted (20)

A los espectadores también les gustó (20)

Similares a State of Securing Restful APIs s12gx2015 (20)

Más reciente (20)