Anzeige

Secure JAX-RS

Payara
Payara
14. Jan 2019
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS
Secure JAX-RS

Check these out next

Introduction to Micronaut - JBCNConf 2019
Introduction to Micronaut - JBCNConf 2019
graemerocher
MVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming model
Alex Thissen
Hands-on Performance Tuning Lab - Devoxx Poland
Hands-on Performance Tuning Lab - Devoxx Poland
C2B2 Consulting
JavaEE Microservices platforms
JavaEE Microservices platforms
Payara
Microservices with Spring Cloud
Microservices with Spring Cloud
Daniel Eichten
Monitoring Oracle SOA Suite
Monitoring Oracle SOA Suite
C2B2 Consulting
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
Markus Eisele
Advanced queries on the Infinispan Data Grid
Advanced queries on the Infinispan Data Grid
C2B2 Consulting
1 von 43

Secure JAX-RS

14. Jan 2019
Downloaden Sie, um offline zu lesen
Technologie

With the rise of micro-services, REST communication is more popular than ever. But the communication between the different parts must also be performed in a secure way. First, we need to know if the user or system is allowed to call the JAX-RS endpoint. For this authentication part, self-contained tokens are the best option to not overload any of our services in the system. JWT which contains the authentication but also can contain the authorization info is ideal for this use-case. And secondly, we need guarantees that the message isn't altered, that we can have message integrity. For that part, we can use signatures as specified in the HTTP signature draft specification.

Payara
Payara
Anzeige
Anzeige
Anzeige

Recomendados

Effective cloud-ready apps with MicroProfileEffective cloud-ready apps with MicroProfile
Effective cloud-ready apps with MicroProfilePayara342 Aufrufe37 Folien
Gradual migration to MicroProfileGradual migration to MicroProfile
Gradual migration to MicroProfileRudy De Busscher254 Aufrufe42 Folien
10 Strategies for Developing Reliable Jakarta EE & MicroProfile Applications ...10 Strategies for Developing Reliable Jakarta EE & MicroProfile Applications ...
10 Strategies for Developing Reliable Jakarta EE & MicroProfile Applications ...Payara351 Aufrufe67 Folien
Sneaking Scala through the Back DoorSneaking Scala through the Back Door
Sneaking Scala through the Back DoorDianne Marsh10.7K Aufrufe35 Folien
JavaCro'15 - Service Discovery in OSGi Beyond the JVM using Docker and Consul...JavaCro'15 - Service Discovery in OSGi Beyond the JVM using Docker and Consul...
JavaCro'15 - Service Discovery in OSGi Beyond the JVM using Docker and Consul...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association1.6K Aufrufe30 Folien
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native CompanionJakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native Companion
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native CompanionJakarta_EE48 Aufrufe22 Folien

Más contenido relacionado

Presentaciones para ti(19)

Introduction to Micronaut - JBCNConf 2019Introduction to Micronaut - JBCNConf 2019
Introduction to Micronaut - JBCNConf 2019
graemerocher1.4K Aufrufe
MVC 6 - the new unified Web programming modelMVC 6 - the new unified Web programming model
MVC 6 - the new unified Web programming model
Alex Thissen395 Aufrufe
Hands-on Performance Tuning Lab - Devoxx PolandHands-on Performance Tuning Lab - Devoxx Poland
Hands-on Performance Tuning Lab - Devoxx Poland
C2B2 Consulting2K Aufrufe
JavaEE Microservices platformsJavaEE Microservices platforms
JavaEE Microservices platforms
Payara558 Aufrufe
Microservices with Spring CloudMicroservices with Spring Cloud
Microservices with Spring Cloud
Daniel Eichten750 Aufrufe
Monitoring Oracle SOA SuiteMonitoring Oracle SOA Suite
Monitoring Oracle SOA Suite
C2B2 Consulting3K Aufrufe
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
Markus Eisele6.4K Aufrufe
Advanced queries on the Infinispan Data Grid Advanced queries on the Infinispan Data Grid
Advanced queries on the Infinispan Data Grid
C2B2 Consulting2.2K Aufrufe
Developing Java EE applications with NetBeans and PayaraDeveloping Java EE applications with NetBeans and Payara
Developing Java EE applications with NetBeans and Payara
Payara3.7K Aufrufe
Data stores: beyond relational databasesData stores: beyond relational databases
Data stores: beyond relational databases
Javier García Magna734 Aufrufe
JPA 2.1 on Payara ServerJPA 2.1 on Payara Server
JPA 2.1 on Payara Server
Payara972 Aufrufe
Monitor Micro-service with MicroProfile metricsMonitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metrics
Rudy De Busscher447 Aufrufe
Glass fish performance tuning tips from the fieldGlass fish performance tuning tips from the field
Glass fish performance tuning tips from the field
Payara4.9K Aufrufe
8 cloud design patterns you ought to know - Update Conference 20188 cloud design patterns you ought to know - Update Conference 2018
8 cloud design patterns you ought to know - Update Conference 2018
Taswar Bhatti2K Aufrufe
Monitoring Oracle SOA Suite - UKOUG Tech15 2015Monitoring Oracle SOA Suite - UKOUG Tech15 2015
Monitoring Oracle SOA Suite - UKOUG Tech15 2015
C2B2 Consulting3.4K Aufrufe
Micronaut Deep Dive - Codeone 2019Micronaut Deep Dive - Codeone 2019
Micronaut Deep Dive - Codeone 2019
graemerocher293 Aufrufe
Automate your development environment with Jira and SaltstackAutomate your development environment with Jira and Saltstack
Automate your development environment with Jira and Saltstack
NetworkedAssets1.9K Aufrufe
Tokyo azure meetup #8 - Azure Update, AugustTokyo azure meetup #8 - Azure Update, August
Tokyo azure meetup #8 - Azure Update, August
Kanio Dimitrov113 Aufrufe
Control and monitor_microservices_with_microprofileControl and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofile
Rudy De Busscher157 Aufrufe

Similar a Secure JAX-RS(20)

Secure JAX-RSSecure JAX-RS
Secure JAX-RS
Rudy De Busscher436 Aufrufe
Maximizing Performance with SPDY and SSLMaximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSL
Zoompf5.3K Aufrufe
Encryption in the enterpriseEncryption in the enterprise
Encryption in the enterprise
Bozhidar Bozhanov1K Aufrufe
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest151 Aufrufe
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
Taswar Bhatti2K Aufrufe
Ip sec and sslIp sec and ssl
Ip sec and ssl
Mohd Arif2.3K Aufrufe
What is tackled in the Java EE Security API (Java EE 8)What is tackled in the Java EE Security API (Java EE 8)
What is tackled in the Java EE Security API (Java EE 8)
Rudy De Busscher18.8K Aufrufe
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
DataArt367 Aufrufe
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by ClouderaBig Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera
Caserta 1.7K Aufrufe
Web securityWeb security
Web security
Greater Noida Institute Of Technology155 Aufrufe
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
Maarten Smeets450 Aufrufe
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started
Rudy De Busscher2.2K Aufrufe
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
Gabriella Davis3K Aufrufe
Web security and OWASPWeb security and OWASP
Web security and OWASP
Isuru Samaraweera1.2K Aufrufe
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
Eryk Budi Pratama680 Aufrufe
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!
OWASP211 Aufrufe
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
Gareth Davies25K Aufrufe
Ip sec talkIp sec talk
Ip sec talk
anoean601 Aufrufe
Middleware in Golang: InVision's RyeMiddleware in Golang: InVision's Rye
Middleware in Golang: InVision's Rye
Cale Hoopes1.2K Aufrufe
Securing .NET Core, ASP.NET Core applicationsSecuring .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applications
NETUserGroupBern20 Aufrufe
Anzeige

Más de Payara(20)

Easy Java Integration Testing with Testcontainers​Easy Java Integration Testing with Testcontainers​
Easy Java Integration Testing with Testcontainers​
Payara77 Aufrufe
Jakarta Concurrency: Present and FutureJakarta Concurrency: Present and Future
Jakarta Concurrency: Present and Future
Payara29 Aufrufe
Securing Microservices with MicroProfile and Auth0v2Securing Microservices with MicroProfile and Auth0v2
Securing Microservices with MicroProfile and Auth0v2
Payara323 Aufrufe
Reactive features of MicroProfile you need to learnReactive features of MicroProfile you need to learn
Reactive features of MicroProfile you need to learn
Payara930 Aufrufe
A step-by-step guide from traditional Java EE to reactive microservice designA step-by-step guide from traditional Java EE to reactive microservice design
A step-by-step guide from traditional Java EE to reactive microservice design
Payara137 Aufrufe
Transactions in MicroservicesTransactions in Microservices
Transactions in Microservices
Payara749 Aufrufe
Fun with Kubernetes and Payara Micro 5Fun with Kubernetes and Payara Micro 5
Fun with Kubernetes and Payara Micro 5
Payara534 Aufrufe
What's new in Jakarta EE and Eclipse GlassFish (May 2019)What's new in Jakarta EE and Eclipse GlassFish (May 2019)
What's new in Jakarta EE and Eclipse GlassFish (May 2019)
Payara303 Aufrufe
Previewing Payara Platform 5.192Previewing Payara Platform 5.192
Previewing Payara Platform 5.192
Payara404 Aufrufe
Gradual Migration to MicroProfileGradual Migration to MicroProfile
Gradual Migration to MicroProfile
Payara700 Aufrufe
Monitor Microservices with MicroProfile MetricsMonitor Microservices with MicroProfile Metrics
Monitor Microservices with MicroProfile Metrics
Payara683 Aufrufe
Java2 days -_be_reactive_and_micro_with_a_microprofile_stackJava2 days -_be_reactive_and_micro_with_a_microprofile_stack
Java2 days -_be_reactive_and_micro_with_a_microprofile_stack
Payara201 Aufrufe
Java2 days 5_agile_steps_to_cloud-ready_appsJava2 days 5_agile_steps_to_cloud-ready_apps
Java2 days 5_agile_steps_to_cloud-ready_apps
Payara150 Aufrufe
Rapid development tools for java ee 8 and micro profile [GIDS] Rapid development tools for java ee 8 and micro profile [GIDS]
Rapid development tools for java ee 8 and micro profile [GIDS]
Payara2.1K Aufrufe
Ondrej mihalyi be reactive and micro with a micro profile stackOndrej mihalyi be reactive and micro with a micro profile stack
Ondrej mihalyi be reactive and micro with a micro profile stack
Payara212 Aufrufe
Bed con Quest for JavaEEBed con Quest for JavaEE
Bed con Quest for JavaEE
Payara223 Aufrufe
Payara Micro from Raspberry Pi to CloudPayara Micro from Raspberry Pi to Cloud
Payara Micro from Raspberry Pi to Cloud
Payara314 Aufrufe
Microprofile and EE4J updateMicroprofile and EE4J update
Microprofile and EE4J update
Payara122 Aufrufe
Elastic and Cloud-ready Applications with Payara MicroElastic and Cloud-ready Applications with Payara Micro
Elastic and Cloud-ready Applications with Payara Micro
Payara84 Aufrufe
Devoxx Easily scale enterprise applications using distributed data gridsDevoxx Easily scale enterprise applications using distributed data grids
Devoxx Easily scale enterprise applications using distributed data grids
Payara163 Aufrufe

Último(20)

How Your Business Can Leverage AI/ML in the Cloud for Competitive Advantage?How Your Business Can Leverage AI/ML in the Cloud for Competitive Advantage?
How Your Business Can Leverage AI/ML in the Cloud for Competitive Advantage?
Kaspar Lavik3 Aufrufe
Java-if-Statement-Activity2.docxJava-if-Statement-Activity2.docx
Java-if-Statement-Activity2.docx
SofiaArquero20 Aufrufe
MRM Presentation-Mar 21 (002).pptxMRM Presentation-Mar 21 (002).pptx
MRM Presentation-Mar 21 (002).pptx
AkberLakhani31 Aufruf
Intelligent Document Processing IDP.pdfIntelligent Document Processing IDP.pdf
Intelligent Document Processing IDP.pdf
JamieDornan20 Aufrufe
DIMT 2023 SG - Hands-on Workshop_ Getting started with Confluent Cloud.pdfDIMT 2023 SG - Hands-on Workshop_ Getting started with Confluent Cloud.pdf
DIMT 2023 SG - Hands-on Workshop_ Getting started with Confluent Cloud.pdf
confluent4 Aufrufe
ELECDG.PDFELECDG.PDF
ELECDG.PDF
ruben230091 Aufruf
National Pharmaceutical Pricing Authority-WPS Office.pptxNational Pharmaceutical Pricing Authority-WPS Office.pptx
National Pharmaceutical Pricing Authority-WPS Office.pptx
Sudipta Roy0 Aufrufe
SOPHIA-The Robot.pptxSOPHIA-The Robot.pptx
SOPHIA-The Robot.pptx
ManjariPorwal0 Aufrufe
What is Taxonomy and Ontology.pdfWhat is Taxonomy and Ontology.pdf
What is Taxonomy and Ontology.pdf
ssuser09bd270 Aufrufe
ictpresentation-201013093225.pdfictpresentation-201013093225.pdf
ictpresentation-201013093225.pdf
ThnhNguynVn970 Aufrufe
TRANSACTION CONCEPTppt.pptxTRANSACTION CONCEPTppt.pptx
TRANSACTION CONCEPTppt.pptx
DummyTest90 Aufrufe
Computer insights.pptxComputer insights.pptx
Computer insights.pptx
AsadKhokhar142 Aufrufe
NLEM.pptxNLEM.pptx
NLEM.pptx
Sudipta Roy0 Aufrufe
7 Alpha Company Profile v1.0.pdf7 Alpha Company Profile v1.0.pdf
7 Alpha Company Profile v1.0.pdf
AusafUrRahman32 Aufrufe
Angiography Imaging Systems.pdfAngiography Imaging Systems.pdf
Angiography Imaging Systems.pdf
RushiDalve0 Aufrufe
Iguana - openSUSE Conf 2023Iguana - openSUSE Conf 2023
Iguana - openSUSE Conf 2023
Ondrej Holecek0 Aufrufe
DIMT '23 Session_Demo_ Latest Innovations Breakout.pdfDIMT '23 Session_Demo_ Latest Innovations Breakout.pdf
DIMT '23 Session_Demo_ Latest Innovations Breakout.pdf
confluent3 Aufrufe
Why should your startup outsource software development.pdfWhy should your startup outsource software development.pdf
Why should your startup outsource software development.pdf
MaryLogan110 Aufrufe
SUBMIT YOUR PAPERS - International Journal of Data Mining & Knowledge Managem...SUBMIT YOUR PAPERS - International Journal of Data Mining & Knowledge Managem...
SUBMIT YOUR PAPERS - International Journal of Data Mining & Knowledge Managem...
IJDKP0 Aufrufe
Storybook, the best friend we all needStorybook, the best friend we all need
Storybook, the best friend we all need
AnnaSala220 Aufrufe
Anzeige

Secure JAX-RS

  1. Secure JAX-RS
  2. • Verify caller • No changed messages • Performant
  3. What You’ll Learn Today • Are all security features built into JAX-RS? • Is HTTPS sufficient • Verify sender with JWT • Message integrity with HTTP Signatures.
  4. Rudy De Busscher • Payara • Service team • JSR-375 • Java EE Security API Expert group member • Committer in Eclipse EE4J groups • Java EE Believer @rdebusscher https://blog.payara.fish/ https://www.atbash.be
  5. AGENDA What is Secure Rest?
  6. SHIFT TO REST
  7. SHIFT TO REST • REST == JSON communication over HTTP (ignoring hyperText) • Why REST? • No special/specific clients and servers • HTTP operations like get, post, delete and URI identified • Simple, lightweight, fast, ...
  8. Information security • Confidentiality : Shield data but also verify the sender • Integrity : Trustworthiness, can data be altered in transit? • Availability : Systems up (but also counter DDOS attacks)
  9. JAX-RS (Rest) SOAP On top of HTTP protocol, lightweight Heavy weight due to metadata Multiple data formats (JSON, XML, ...) XML only Easier, loosely Harder, contract based Security and authorization are part of the protocol
  10. Security within SOAP • WS-security • Confidentiality • Integrity • end-to-end protection of message • process to process • Certificates, SAML, XML Signatures, Encryption, ...
  11. Security with JAX-RS • Only capabilities underlying protocol • HTTPS = Confidentiality + Integrity • Encrypted • Message digest (unaltered in transit) • Few major things are missing
  12. • HTTPS = confidentiality (integrity) • But • Sender verification? • End to end protection? • Server to server only (not the process on the server) Security with JAX-RS
  13. SECURE
 REST GOALS • Verify sender • end-to-end protection • (encryption) -> https
  14. Demo
  15. Why HTTPS not enough
  16. AGENDA Verify Sender End-to-End protection Some loose ends Conclusion
  17. HOW DOES EACH HOP KNOW THE END USER?
  18. using Password? • Basic Auth for each request (stateless!) • 3000 TPS on LDAP • Backend through IP whiteListing? • Each hop • 12000 TPS on LDAP! • DDOS attacks -> LDAP down!
  19. Sessions? • session id = opaque • Backend needs to lookup info • Not LDAP but "idHop" is overloaded
  20. Tokens • Like a long id • Token contains all info (authc, authz) • Signed!! • OpenId Connect - idToken • MicroProfile JWT Auth Token
  21. Token Solution
  22. Token PROTECTION • Token = data + signing • Tamper with data -> signing detects this • token created by Mallory -> Signing not correct
  23. Signing
  24. JWT
  25. Demo
  26. AGENDA Verify Sender End-to-End protection Some loose ends Conclusion
  27. End-To-END PROTECTION • Content protected from Process to Process • No intermediate intervention possible
  28. APPLICATION LAYER 
 SECURITY End-To-End protection
  29. also JWT? • REST payload as JWT Payload?
 • Signed • Created and verified by process -> E2E
 
 • Payload is not easy readable anymore (tracing/routing on server side)
  30. HTTP Signatures • Standard by Internet Engineering Task Force (IETF) • Draft • Signatures variant (Authentication variant exists) • Non 'invasive'
  31. HTTP-Sig How? • Additional Header • Signature : ... • HTTP friendly • Signature : keyId="rsa-key-1",algorithm="rsa- sha256",headers="(request-target) host date digest content- length",signature="Base64(RSA-SHA256(signing string))"
  32. Http-Sig parameters • Headers : What is used in signature 'calculation' • header name of pseudo header (request target = method + URL path) • Digest -> Hash of message body • keyId : Id of the RSA key for Signature • algorithm : What algorithm used for signature • signature : operation result
  33. Demo
  34. AGENDA Verify Sender End-to-End protection Some loose ends Conclusion
  35. Combining with Authc • RSA key for signature • Can be used to identify remote • Use it with Authorization header • Authorization : Signature keyId="... • Or combine it with OAuth2 / OpenId Bearer header • Authorization : Bearer ey... • Signature : keyId="...
  36. JavaScript Frameworks • Can browser/javaScript keep secrets private? • Most experts agree it is not possible • XSS scripts
  37. Web Cryptography API • Good start • Standardised correct code • PRNG and BigInt • No advice on what to use when • Beware of storing keys • Local storage is not safe • Use Password encrypted formats • Not all browsers support it (some only old variants)
  38. AGENDA Verify Sender End-to-End protection Some loose ends Conclusion
  39. Take aways • JAX-RS has no intrinsic security aspects • JWT ideal to keep Authentication / Authorization info • SSL (HTTPS) does not eliminate need for E2E Protection • HTTP signatures ideal for end to end protection of content • Browser (JavaScript) still issue in keeping things private
  40. Code • Webshop • https://github.com/rdebusscher/secure-rest • Http Signature Framework • https://github.com/atbashEE/rest-signatures
  41. Q & A
  42. Thank You Not using the Payara Platform yet? Download the open source software: Payara Server or Payara Micro https://payara.fish/downloads 
 Need support for the Payara Platform? https://payara.fish/support
Anzeige