d@w rest security
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 1
REST web services Security
Gaurav Sharma, Principal Member Technical Staff
OWSM – Oracle Web Services Manager
October 5th, 2015
Agenda
• REST web services security
• Need for web security
• TLS/SSL – https
• Basic authentication
• Token based authentication
• Authorization
• OWSM security policies for REST security
• Security vulnerabilities
REST / RESTful web services
• Based on the Representational State Transfer (REST) architectural style
• Lightweight alternative to mechanisms like RPC (Remote Procedure Calls) and SOAP; very commonly used to create APIs for applications accessible over the web and from mobile devices
• Uses HTTP as the underlying protocol
• REST revolves around resources that are accessed through a common interface using the standard HTTP methods – GET/PUT/POST/DELETE
• REST itself offers no built-in security features: no encryption, session management, QoS guarantees, etc. Those have to be supplied by the transport (https) and by the authentication/authorization layer placed in front of the service.
Why do we need web security?
• Online transactions – banking, credit card (travel, shopping etc.)
• Social identity – posting messages, friend requests, sharing pictures with a selected circle of friends
• Avoiding spam (unwanted email, viruses, adware)
The Internet is so easily accessible to anyone that it can be a dangerous place.
Some high profile attacks
• eBay attack (2014) – personal records of 233 million users, including usernames, passwords, phone numbers and physical addresses, compromised
• iCloud attack (2014) – private pictures of US celebrities were compromised
• Gmail attack (2007) – a filter redirected incoming emails to a different address
• Twitter (2009) – allowed changing one's status
• ING (2008) – vulnerability attack that allowed transfer of funds by creating fake accounts
Web Security ??
[Diagram: network zones – Internet, DMZ, Intranet]
Security – at all layers
We will focus on REST services security
REST Services – Application perspective
[Diagram: network zones (Internet, DMZ, Intranet) with the application tiers – front end/view, middleware (SOA/OSB), the REST services (Service 1, Service 2 … Service n) and the database]
REST security – aspects
• Transport layer security – securing the communication channel: ensuring confidentiality and integrity, and identifying the service
• Authentication and authorization – exposing REST services only to authentic and authorized users/applications
Let's deal with these one at a time.
[Diagram: Client → Internet → REST service, over plain http]
Confidentiality and integrity – anyone on the path can see the data, modify it and send it on to the service.

[Diagram: Client → Internet → REST service, over plain http]
Identification – no way to know if you are talking to the authentic web site.

[Diagram: Client → Internet → Fraud service, over plain http]
Identification – no way to know if you are talking to the authentic web site. The web site itself might be a fraud.
Solution -> https – http over SSL/TLS
• URLs beginning with https indicate that the connection is encrypted using TLS, the successor of SSL (the SSL protocol versions themselves are obsolete and should be disabled on both client and server).
• TLS uses certificates that are issued by a Certificate Authority (CA) such as Verisign or DigiCert.
• A certificate asserts the identity of the web site provider, e.g. the certificate shown on the slide for Facebook.
• The certificate itself does not encrypt anything: it binds the site's public key to its name, the client verifies the certificate chain and checks that the name matches the host it asked for, and the TLS handshake then negotiates the session keys that encrypt the data flowing to and from the web site, keeping it secure from outsiders.
[Diagram: Client → Internet → REST service, over https]
https – ensures confidentiality, integrity and service identification, provided the client actually verifies the server certificate. A client that turns verification off to "fix" a certificate error keeps the encryption but loses the identification, and with it the protection against a fraudulent service in the middle.
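The point above is easy to lose on the client side. The following is an added example, not code from the deck or from OWSM: it builds the verifying TLS client context a REST client should use, next to the "make the error go away" context that quietly removes service identification, and a small check that tells the two apart. It uses only the Python standard library; the URL check in `get` and the TLS 1.2 floor are this example's own choices.

```python
import ssl
import urllib.request


def secure_client_context() -> ssl.SSLContext:
    """Client context that delivers all three guarantees.

    create_default_context() loads the system trust store and sets
    verify_mode=CERT_REQUIRED and check_hostname=True, so the chain is
    validated *and* the certificate must match the host we asked for.
    On top of that we refuse anything older than TLS 1.2 (example choice).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The context found in many clients after a certificate error.

    Traffic is still encrypted, but with verification off any host that can
    intercept the connection may present its own certificate and read or
    modify everything: some confidentiality against a passive sniffer,
    no identification at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """The three settings a reviewer looks at first."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain, the host name and the version."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def get(url: str, ctx: ssl.SSLContext) -> bytes:
    """Fetch a resource with the given context (needs network; not exercised offline)."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send the request over plain http")
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print("secure:", describe(secure_client_context()), context_is_safe(secure_client_context()))
    print("weak:  ", describe(weak_client_context()), context_is_safe(weak_client_context()))
```

`context_is_safe` is the kind of assertion worth putting into a client's startup path or unit tests, so that a later "quick fix" that sets `CERT_NONE` fails loudly instead of silently downgrading every call.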
Authentication and Authorization
[Diagram: Client → Internet → REST service, over https]
Security concern – no way to know whether the user dealing with the service is authentic and authorized.
Add security to your service.
Basic Authentication
• When you enable basic authentication the user is forced to prove his or her identity by entering a username and password.
• The client credentials are sent base64-encoded in the HTTP Authorization header. Base64 is an encoding, not encryption: anyone who can read the request can recover the password (the header below decodes to "no:iwouldntdothat!"), so basic authentication is only acceptable over https, and the password is re-sent on every request.
GET http://localhost/html5/ HTTP/1.1
Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh
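What a service has to do with that header, as an added example that is not part of the deck and not OWSM code: parse the `Authorization` value, decode it, look the user up in a constructed credential store (the user `alice`, the password and the salt are invented for the example), and compare hashes in constant time. It also refuses to accept credentials at all unless the caller says the request arrived over TLS, which is the caveat the slide's http://localhost example leaves out.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store for the example: username -> PBKDF2 hash.
# A real service loads these from its user store; the salt would be per user.
_SALT = b"example-salt-not-for-production"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}


def basic_header(user: str, password: str) -> str:
    """Client side: build the header value. Only ever send it over https."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str):
    """Parse 'Basic <base64(user:password)>'. Returns (user, password) or None."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):        # UnicodeDecodeError is a ValueError
        return None
    # RFC 7617: the user name cannot contain ':', the password may.
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(headers: dict, is_tls: bool):
    """Return the authenticated username, or None.

    Credentials presented on a plaintext connection are rejected outright
    rather than checked: checking them would confirm a password that has
    just been exposed to the network.
    """
    if not is_tls:
        return None
    header = headers.get("Authorization")
    if header is None:
        return None
    creds = decode_basic(header)
    if creds is None:
        return None
    user, password = creds
    candidate = _hash_password(password)
    expected = USERS.get(user)
    if expected is None:
        # Burn the same comparison for unknown users so that timing does not
        # reveal which usernames exist.
        hmac.compare_digest(candidate, candidate)
        return None
    return user if hmac.compare_digest(candidate, expected) else None


if __name__ == "__main__":
    print(decode_basic("Basic bm86aXdvdWxkbnRkb3RoYXQh"))   # the slide's header
    hdr = basic_header("alice", "correct horse battery staple")
    print(authenticate({"Authorization": hdr}, is_tls=True))
    print(authenticate({"Authorization": hdr}, is_tls=False))
```

`decode_basic` on the slide's own header value returns `("no", "iwouldntdothat!")`, which is the whole argument for https in one line: base64 hides nothing.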
Issues with passwords / basic auth
[Diagram: the client sends its password separately to each of Service 1, Service 2 … Service n – every service handles the raw password]
Token based authentication – login once
[Diagram: the user logs in once (user/password) to Access Management, which is backed by Identity Management and a Directory; Access Management returns a token, and the client presents that token to Service 1, Service 2 … Service n. The services trust the token issuer instead of handling passwords themselves.]
• Several implementations exist – SAML, OAM token, OAuth2
Advantages of tokens
• Stateless, easier to scale – a self-contained, signed token carries all the information needed to identify the user, eliminating the need for server-side session state; a service only needs the issuer's key to verify it
• Reusability – many separate servers, running on multiple platforms and domains, can accept the same token to authenticate the user
• Mobile ready – integrate with mobile clients
• Security – a token sent in the Authorization header is not attached automatically by the browser the way a cookie is, so it is not exposed to CSRF and is easier to use across origins (CORS) than a cookie-based session
• Tokens work across different programming languages
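The "stateless" claim in the first bullet rests on the token being verifiable from its contents alone. As an added example (not code from the deck, and not how OWSM or any of the named token formats are implemented), the following issues and verifies a minimal self-contained token: base64url-encoded JSON claims plus an HMAC-SHA256 signature, with a lifetime bounded by an `exp` claim. The signing key, the 15-minute lifetime and the claim names are this example's own assumptions; a real deployment would use a key from a secret store and, for cross-domain trust, typically an asymmetric signature so that services hold only the public key.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed key shared by the issuer (the access-management tier) and every
# service that trusts it. Assumption for the example only.
SIGNING_KEY = b"example-key-do-not-use"
TOKEN_TTL = 900  # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: list, now: int = None) -> str:
    """Issuer side: run once at login, after the password has been checked."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "roles": roles, "iat": now, "exp": now + TOKEN_TTL}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    sig = hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: int = None):
    """Service side: return the claims if the token is authentic and unexpired, else None.

    No server-side state or call back to the issuer is needed: the signature
    proves who issued the token and the 'exp' claim bounds its lifetime.
    The signature is checked before the body is parsed, so unauthenticated
    input never reaches the JSON parser.
    """
    now = int(time.time()) if now is None else now
    body, sep, sig_text = token.partition(".")
    if not sep:
        return None
    try:
        given_sig = _b64url_decode(sig_text)
    except (binascii.Error, ValueError):
        return None
    expected_sig = hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected_sig):
        return None
    try:
        claims = json.loads(_b64url_decode(body))
    except (binascii.Error, ValueError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_token("alice", ["reader"], now=t0)
    print(token)
    print(verify_token(token, now=t0 + 10))          # claims
    print(verify_token(token, now=t0 + TOKEN_TTL))   # None: expired
```

Because every service that trusts the issuer verifies with the same key and the same rule, Service 1 through Service n can all accept one token without a shared session store, which is exactly the "login once" picture on the previous slide. The price is that a leaked token is valid until `exp`, so the lifetime should be short.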
Token based authorization – OAuth2
• Useful in scenarios where another application accesses REST APIs on behalf of, or instead of, the actual user, e.g. a travel app accessing REST APIs exposed by an airline service, or YouTube accessing Facebook APIs
• An end user may or may not be involved: OAuth2 covers both delegated access on behalf of a user and direct application-to-application access
Is there any product for securing my REST services?
OWSM Agent to secure REST client/services
[Diagram: the same zones as before – Internet, DMZ, Intranet – and the application tiers: front end/view, middleware (SOA/OSB), the REST services (Service 1, Service 2 … Service n) and the database, with the OWSM agent placed at the service and client endpoints]
REST security using OWSM
• OWSM – de-facto standard for securing web services within Oracle Fusion Middleware and Oracle Public Cloud
• Provides out-of-the-box security policies for REST services and clients
• Provides security policies for various use cases, e.g. basic authentication, OAuth2, SAML etc.
• Avoids the need for developers to understand security specifications and security implementation details
• Monitors run-time security events such as failed authentication or authorization
• Global and direct policy attachment
OWSM – REST security policies
Example - Securing SOA REST service using OWSM security policies
You can choose the required security policies from the available predefined policies.
Security vulnerabilities ?
• XSS – cross-site scripting
• Denial of service attack – an attacker sends thousands of requests to the host server and brings it down
• CSRF – cross-site request forgery
• Phishing
• Man-in-the-middle
• SQL injection
• and many more
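Of the vulnerabilities listed, SQL injection is the one a REST service introduces most directly, because a path or query parameter ends up inside a database query. As an added example (not from the deck), the following shows a `GET /orders?owner=...` lookup written the injectable way beside the parameterized version, against a constructed in-memory SQLite table with three invented rows.

```python
import sqlite3

# Constructed data standing in for the service's orders table.
ROWS = [(1, "alice", "laptop"), (2, "bob", "phone"), (3, "carol", "tablet")]

# A classic payload: closes the quoted string and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", ROWS)
    return db


def orders_vulnerable(db: sqlite3.Connection, owner: str) -> list:
    """Handler that pastes the request parameter into the SQL text.

    With owner = PAYLOAD the statement becomes
        SELECT id, item FROM orders WHERE owner = 'x' OR '1'='1'
    and returns every user's orders to the caller.
    """
    sql = f"SELECT id, item FROM orders WHERE owner = '{owner}'"
    return db.execute(sql).fetchall()


def orders_safe(db: sqlite3.Connection, owner: str) -> list:
    """Same lookup with a bound parameter: the input is only ever data.

    The same payload now matches no row, because the driver sends the value
    separately from the statement and the quote is never interpreted as SQL.
    """
    return db.execute("SELECT id, item FROM orders WHERE owner = ?", (owner,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, alice:", orders_vulnerable(db, "alice"))
    print("vulnerable, payload:", orders_vulnerable(db, PAYLOAD))
    print("safe, payload:", orders_safe(db, PAYLOAD))
```

Parameter binding is the fix for every SQL injection variant, not escaping; the authorization check the earlier slides ask for (is this caller allowed to see this owner's orders at all?) still has to be made on top of it, since a correctly bound query happily returns another user's rows when asked.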
How to deal with it?
• Stay informed about existing vulnerabilities and stay updated about new ones
• Build secure applications – use tools and standards to enforce and check for security holes
• OWASP – online community dedicated to web application security
Questions ??
Email: [email protected]
Blog: http://technotesgaurav.blogspot.in