State of Securing Restful APIs s12gx2015

SPRINGONE2GX
WASHINGTON, DC
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
The State of Securing RESTful APIs
with Spring
By Rob Winch
@rob_winch

Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a
Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Authentication
3

Naïve approach…
4
https://api.example.com?
username=rob&password=secret

“
Come on Bender. It's up to you to
make your own decisions in life.
That's what's separates people and
robots from animals .. and animal
robots!
Fry
Futurama
5

RFC-7231 Sensitive Information
6
“ Authors of services ought to avoid GET-
based forms for the submission of sensitive
data …
- RFC-7231: Section 9.4

Basic Authentication
7

Basic Authentication
8

Digest Authentication
9

10

11

Transport Layer Security (TLS)
•  Conﬁdentiality
•  Integrity
12

13
13

Checking TLS
https://www.ssllabs.com/ssltest/
https://shaaaaaaaaaaaaa.com/
14

TLS Performance
•  Computational overhead
•  Latency overhead
•  Cache
15

Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 16
“On our production frontend machines, SSL/TLS
accounts for less than 1% of the CPU load, less
than 10 KB of memory per connection and less than
2% of network overhead.
-  Adam Langley, Google
https://goo.gl/IYJrqv

“We have found that modern software-based TLS
implementations running on commodity CPUs are
fast enough to handle heavy HTTPS traﬃc load
without needing to resort to dedicated
cryptographic hardware.
-  Doug Beaver, Facebook
https://goo.gl/pf8Xwh

“HTTP keepalives and session resumption mean
that most requests do not require a full handshake,
so handshake operations do not dominate our
CPU usage.
- Jacob Hoﬀman-Andrews, Twitter
https://goo.gl/Re0ijb

TLS Optimize
•  TLS Resumption
•  Latency
•  Online Certiﬁcate Status Protocol
(OCSP)
•  Cloudﬂare
19

Optimizing TLS
Is TLS Fast Yet.com
20

HTTP Basic over HTTPS?
21
oclHashcat
Hash Type Speed
SHA1 42.408 Bh/s
SHA256 16.904 Bh/s
SHA512 5.2 Bh/s
Ubuntu 14.04, 64 bit
ForceWare 346.29
X NVidia Titan X

Introduce Session
22
username=winch&name=Rob+Winch

Encrypting the Session
23
Base64(IV,  
aes_cbc(k,IV,plainText)) 
•  k – a secret key only known to server
•  aes_cbc – encrypts the plainText using AES/CBC with the
provided IV
•  plainText – format of username=winch&name=Rob+Winch

Your handwriting is atrocious, not
encrypted
24

Introduce Session
username=winch&name=Rob+Winch
username=admin&name=Rob+Winch
Can change [1] properly encrypted value below:
To have the following Plaintext
25
[1] https://goo.gl/2Uio0W

2:03 PM - 27 Jul 2015
https://goo.gl/Hs383Z

10:54 AM - 28 May 2015
https://goo.gl/ZbP9Yp

JWT Header
{"alg":"HS256","typ":"JWT"}
28

“… each request from client to server must contain
all of the information necessary to understand the
request, and cannot take advantage of any stored
context on the server.
- Roy Fielding, Architectural Styles and
the Design of Network-based Software
Architectures
http://goo.gl/MzVy0V
30

Representational STATE transfer
“… session state can be transferred by the
server to another service such as a database
to maintain a persistent state for a period and
allow authentication
-  Wikipedia
http://goo.gl/bd33t7
31

Code Slide
33
public interface HttpSession {
…
}

Customizing the Cookie
35
<session-config> 
<cookie-config>
<name>SESSION</name>
</cookie-config>
</session-config>

Spring Session
36
@Configuration
@EnableRedisHttpSession
public class Config {
@Bean
public JedisConnectionFactory connectionFactory() {
return new JedisConnectionFactory();
}
}

Spring Session
37
public class Initializer extends
AbstractHttpSessionApplicationInitializer {
public Initializer() {
super(Config.class);
}
}

Spring Session
38
public class Initializer extends
AbstractHttpSessionApplicationInitializer {
public Initializer() {
super(Config.class);
}
}

Spring Session
39
<filter>
<filter-name>
springSessionRepositoryFilter
</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

DEMO
Spring Session
41

SessionRepositoryFilter
42
public void doFilter(ServletRequest req,  
ServletResponse resp,
FilterChain chain {
ServletRequest request =
new SessionRepositoryRequestWrapper(req);
…
chain.doFilter(request, response);
}

SessionRepositoryRequestWrapper
43
public HttpSession getSession() {
// return custom HttpSession
}

OAuth 2.0?
•  When working within a sandbox
•  Limiting liability
44

http
.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
Authorization
46

Authorization
47
@PostAuthorize("returnObject?.to?.id == principal.id")
Message findOne(Long id);

Authorization
48
@PreAuthorize("#message?.from?.id == principal.id")
<S extends Message> S save(Message message);

Permissions
49
@PostAuthorize("hasPermission(returnObject,'read')")
Message findOne(Long id);

Permissions
50
@PreAuthorize("hasPermission(#message,’write')")
<S extends Message> S save(Message message);

public interface PermissionEvaluator … {
boolean hasPermission(Authentication authentication,  
Object targetDomainObject, 
Object permission);
boolean hasPermission(Authentication authentication, 
Serializable targetId, 
String targetType,  
Object permission);
}

Queries?
52
@Query("select m from Message m where m.to.id = ?
#{principal.id}") 
Iterable<Message> inbox();

Queries?
53
@Query("select m from Message m where m.to.id = ?
#{principal.id}") 
Page<Message> inbox(Pageable pageable);

Future Work?
54
@EnableAclSecurity 
public interface SecuredMessageRepository  
extends MessageRepository {}
// Vote for it! DATACMNS-293 SEC-2409

DEMO
CSRF
55

CSRF Protection
56

CSRF Protection
57

CSRF Protection
58

CSRF Protection
“When do I use CSRF protection?
59

CSRF Protection
“... but my application uses JSON
60

CSRF Protection
61
<form ... method="post" enctype="text/plain">
<input type='hidden'
name=’{"summary":"Hi", … "ignore_me":"'
value='test"}'  
/>
</form>

CSRF Protection
62
{ 
"summary": "Hi",
"message": "New Message",
"to": "luke@example.com",
"ignore_me": "=test"
}

CSRF Protection
“… but my application is stateless
63

CSRF Protection
64

CSRF Protection
“…and I use a custom header for
authentication and ignore cookies
65

CSRF Protection
•  Use proper HTTP Verbs
•  Configure CSRF Protection
•  Include the CSRF Token
66

Including the CSRF Token
67
@RequestMapping("/csrf”) 
public CsrfToken csrf(CsrfToken token) {
return token;
}

DEMO
Clickjacking
68

Security HTTP Response Headers
69

70

71

Related Talks
•  Hands on Spring Security 4.1 – Wed at 8:30am
•  Spring MVC 4.2: New and Noteworthy – Wed at
10:30am
•  A How to Guide to Security in the PAAS Cloud –
Wed at 4:30pm
•  Securing Microservices with Spring Cloud Security
– Thurs at 10:30am
72

Learn More. Stay Connected.
•  Use TLS
•  Authentication Should Have State
•  Use Proper Authorization
•  Use a Framework Because Individuals
Cannot Provide Good Security
Twitter: @rob_winch
YouTube: spring.io/video
LinkedIn: spring.io/linkedin
Google Plus: spring.io/gplus
73

State of Securing Restful APIs s12gx2015

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to State of Securing Restful APIs s12gx2015 (20)

Recently uploaded (20)

State of Securing Restful APIs s12gx2015