Ce diaporama a bien été signalé.
Le téléchargement de votre SlideShare est en cours. ×

2018 JavaLand Deconstructing and Evolving REST Security

13 mar. 2018
2 j’aime 449 vues
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Prochain SlideShare
2018 jPrime Deconstructing and Evolving REST Security
2018 jPrime Deconstructing and Evolving REST Security
Chargement dans…3
×

Consultez-les par la suite

Application DoS In Microservice Architectures
Scott Behrens
Denis Zhuchinski Ways of enhancing application security
Аліна Шепшелей
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
Jeremiah Grossman
F5 SIRT - F5 ASM WAF - DDoS protection
Lior Rotkovitch
2018 SDJUG Deconstructing and Evolving REST Security
David Blevins
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Adam Englander
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
MindShare_kk
Html5 security
tsinghua university
1 sur 109 Publicité

2018 JavaLand Deconstructing and Evolving REST Security

13 mar. 2018
2 j’aime 449 vues

Télécharger pour lire hors ligne

Internet

The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."

As a bonus at the end, we’ll peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.

The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."

As a bonus at the end, we’ll peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.

Internet
Publicité

Suggestions

2018 jPrime Deconstructing and Evolving REST Security
David Blevins
301 vues
114 diapositives
2018 Denver JUG Deconstructing and Evolving REST Security
David Blevins
557 vues
111 diapositives
2018 Boulder JUG Deconstructing and Evolving REST Security
David Blevins
146 vues
111 diapositives
Protecting Web Services from DDOS Attack
Ponraj
7.2k vues
37 diapositives
Elegant Rest Design Webinar
Stormpath
3.6k vues
104 diapositives
Build a Node.js Client for Your REST+JSON API
Stormpath
2.6k vues
58 diapositives
The WAF book intro protection elements v1.0 lior rotkovitch
Lior Rotkovitch
72 vues
69 diapositives
Web application
Eve_Srithong
854 vues
51 diapositives
Publicité

Plus De Contenu Connexe

Diaporamas pour vous (19)

Application DoS In Microservice Architectures
Scott Behrens
451 vues
Denis Zhuchinski Ways of enhancing application security
Аліна Шепшелей
110 vues
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
Jeremiah Grossman
12.7k vues
F5 SIRT - F5 ASM WAF - DDoS protection
Lior Rotkovitch
918 vues
2018 SDJUG Deconstructing and Evolving REST Security
David Blevins
398 vues
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Adam Englander
232 vues
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
MindShare_kk
823 vues
Html5 security
tsinghua university
2.3k vues
Introduction to rest.li
Joe Betz
30.3k vues
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
DefconRussia
2.8k vues
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
45.5k vues
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
Shreeraj Shah
5.6k vues
WhiteHat Security "Website Security Statistics Report" (Q1'09)
Jeremiah Grossman
3.6k vues
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
Cisco DevNet
1.2k vues
Html5 on mobile
Blueinfy Solutions
1k vues
Web Hacking
Information Technology
13k vues
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon
1.9k vues
From ZERO to REST in an hour
Cisco DevNet
3.1k vues
Configuring kerberos based sso in weblogic
Harihara sarma
654 vues
Application DoS In Microservice Architectures
Scott Behrens
451 vues
64 diapositives
Denis Zhuchinski Ways of enhancing application security
Аліна Шепшелей
110 vues
83 diapositives
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
Jeremiah Grossman
12.7k vues
85 diapositives
F5 SIRT - F5 ASM WAF - DDoS protection
Lior Rotkovitch
918 vues
56 diapositives
2018 SDJUG Deconstructing and Evolving REST Security
David Blevins
398 vues
99 diapositives
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Adam Englander
232 vues
62 diapositives

Similaire à 2018 JavaLand Deconstructing and Evolving REST Security (20)

2016 JavaOne Deconstructing REST Security
David Blevins
1k vues
2017 JavaOne Deconstructing and Evolving REST Security
David Blevins
1.1k vues
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
César Hernández
83 vues
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
César Hernández
87 vues
Deconstructing and Evolving REST Security
Roberto Cortez
191 vues
Top Ten Java Defense for Web Applications v2
Jim Manico
37.2k vues
2017 Devoxx MA Deconstructing and Evolving REST Security
David Blevins
1.1k vues
2017 dev nexus_deconstructing_rest_security
David Blevins
1k vues
RESTful web services with Groovy on Grails by Vugar Suleymanov
Vuqar Suleymanov
2k vues
2018 IterateConf Deconstructing and Evolving REST Security
David Blevins
388 vues
Automating Cloud Operations - Everything you wanted to know about cURL and RE...
Revelation Technologies
103 vues
Deconstructing and Evolving REST security
Jonathan Gallimore
198 vues
OpenStack APIs: Present and Future (Beta Talk)
Wade Minter
1.9k vues
Hacking mobile apps
kunwaratul hax0r
92 vues
Understanding gRPC Authentication Methods
Anthony Chow
9.1k vues
Seattle StrongLoop Node.js Workshop
Jimmy Guerrero
1.9k vues
How do JavaScript frameworks impact the security of applications?
Ksenia Peguero
642 vues
Spa Secure Coding Guide
Geoffrey Vandiest
147 vues
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Revelation Technologies
47 vues
Stateless Microservice Security via JWT and MicroProfile - ES
Otavio Santana
85 vues
2016 JavaOne Deconstructing REST Security
David Blevins
1k vues
80 diapositives
2017 JavaOne Deconstructing and Evolving REST Security
David Blevins
1.1k vues
99 diapositives
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
César Hernández
83 vues
104 diapositives
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
César Hernández
87 vues
105 diapositives
Deconstructing and Evolving REST Security
Roberto Cortez
191 vues
113 diapositives
Top Ten Java Defense for Web Applications v2
Jim Manico
37.2k vues
67 diapositives
Publicité

Plus par David Blevins (8)

DevNexus 2020 - Jakarta Messaging 3.x, Redefining JMS
David Blevins
81 vues
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT
David Blevins
333 vues
2017 JCP EC: Configuration JSR
David Blevins
1k vues
2015 JavaOne EJB/CDI Alignment
David Blevins
30.7k vues
JavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on Tomcat
David Blevins
2.3k vues
2011 JavaOne EJB with Meta Annotations
David Blevins
1.2k vues
2011 JavaOne Apache TomEE Java EE 6 Web Profile
David Blevins
5.7k vues
2011 JavaOne Fun with EJB 3.1 and OpenEJB
David Blevins
1.7k vues
DevNexus 2020 - Jakarta Messaging 3.x, Redefining JMS
David Blevins
81 vues
49 diapositives
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT
David Blevins
333 vues
48 diapositives
2017 JCP EC: Configuration JSR
David Blevins
1k vues
9 diapositives
2015 JavaOne EJB/CDI Alignment
David Blevins
30.7k vues
31 diapositives
JavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on Tomcat
David Blevins
2.3k vues
32 diapositives
2011 JavaOne EJB with Meta Annotations
David Blevins
1.2k vues
18 diapositives

Plus récents (20)

CNCF Webinar - Krius.pdf
LibbySchulze1
16 vues
PCD.pptx
ErmiyasBeletew
0 vues
apex-forms-conversion-160980.ppt
alan464442
1 vue
Materi .pptx
panjiramadi
0 vues
Chapter_12.ppt
Suresh Waghmode
0 vues
Lenovo_Legion_7_16ITHg6_Spec.pdf
MichaelRTomadaArbitr
0 vues
Funding Resources Presentation.pptx
AhsanGhafar
17 vues
BigCommerce Designers, BigCommerce Developers, Bigcommerce development company
Dit_India
4 vues
Veille & CURATION - COURS 4
MEULEMAN François
3 vues
Chapter-1-Definition-of-Globalization (1).pptx
LeviAckerman868889
2 vues
Introduction.pptx
MarcoBaldo6
0 vues
ch03.ppt
Raihan9m1
4 vues
ABN Oppa - IT Operations 2023 - EN .pdf
Steven Nguyen
0 vues
_wordpress_development.pdf
sarah david
0 vues
React js developers for hire
AlifiyaMustafa2
0 vues
WT_PHP_PART1.pdf
HambardeAtharva
1 vue
Digital 2022 Global Overview Report Essentials.pdf
WalidMorchid
0 vues
REGULAMENTO PASCOA.pdf
Thays65
45 vues
Internet_Addiction.pptx
ssuserd66a40
0 vues
5Review_of_legislation_relating_to_crimes_with_medical[1].pptx
ErmiyasBeletew
0 vues
CNCF Webinar - Krius.pdf
LibbySchulze1
16 vues
9 diapositives
PCD.pptx
ErmiyasBeletew
0 vues
78 diapositives
apex-forms-conversion-160980.ppt
alan464442
1 vue
6 diapositives
Materi .pptx
panjiramadi
0 vues
48 diapositives
Chapter_12.ppt
Suresh Waghmode
0 vues
27 diapositives
Lenovo_Legion_7_16ITHg6_Spec.pdf
MichaelRTomadaArbitr
0 vues
7 diapositives
Publicité

2018 JavaLand Deconstructing and Evolving REST Security

  1. 1. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Deconstructing REST Security David Blevins Tomitribe
  2. 2. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 “The nice thing about standards is you have so many to choose from.” - Andrew S. Tanenbaum
  3. 3. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Focus Areas • Beyond Basic Auth • Theory of OAuth 2.0 • Introduction of JWT • Google/Facebook style API security • Stateless vs Stateful Architecture • HTTP Signatures • Amazon EC2 style API security
  4. 4. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Baseline 1000 users x 3 TPS 4 hops 3000 TPS frontend 12000 TPS backend
  5. 5. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Basic Auth (and its problems)
  6. 6. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Basic Auth Message POST /painter/color/object HTTP/1.1 Host: localhost:8443 Authorization: Basic c25vb3B5OnBhc3M= User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"b":255,"g":0,"name":"blue","r":0}}
  7. 7. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Basic Auth Password Sent 3000 TPS (HTTP+SSL) username+password Base64 (no auth) 3000 TPS (LDAP) 12000 TPS (HTTP)
  8. 8. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Basic Auth Password Sent 3000 TPS (HTTP+SSL) username+password Base64 username+password Base64 15000 TPS (LDAP) Password Sent 12000 TPS (HTTP)
  9. 9. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Basic Auth Password Sent 3000 TPS (HTTP+SSL) username+password Base64 IP whitelisting 3000 TPS (LDAP) 12000 TPS (HTTP)
  10. 10. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 “Hey, give me all of Joe’s salary information.” “I don’t know who you are, … but sure!”
  11. 11. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Latveria Attacks
  12. 12. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Basic Auth - Attacks Valid Password Sent 3000 TPS (HTTP+SSL) IP whitelisting 9000 TPS (LDAP) 12000 TPS (HTTP) Invalid Password Sent 6000 TPS (HTTP+SSL)
  13. 13. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 (and its problems)
  14. 14. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018
  15. 15. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018
  16. 16. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018
  17. 17. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018
  18. 18. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 - Password Grant (LDAP) (Token Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", } Verify Password Generate Token
  19. 19. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Message POST /painter/color/object HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":0,"b":255,"name":"blue"}}
  20. 20. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  21. 21. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  22. 22. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  23. 23. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Message POST /painter/color/stroke HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":255,"g":200,"b":255,"name":"orange"}}
  24. 24. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 401
  25. 25. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 - Refresh Grant (LDAP) (Token Store) Verify Password Generate Token POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"6Fe4jd7TmdE5yW2q0y6W2w", "expires_in":3600, "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e", }
  26. 26. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Old pair • Access Token 2YotnFZFEjr1zCsicMWpAA • Refresh Token tGzv3JOkF0XG5Qx2TlKWIA New pair • Access Token 6Fe4jd7TmdE5yW2q0y6W2w • Refresh Token hyT5rw1QNh5Ttg2hdtR54e
  27. 27. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 46 {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  28. 28. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  29. 29. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  30. 30. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 What have we achieved?
  31. 31. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 You have more passwords (at least your devices do)
  32. 32. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Term Alert • Password Grant??? • Logging in • Token? • Slightly less crappy password • Equally crappy HTTP Session ID
  33. 33. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 3000 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 4 hops 12000 TPS backend
  34. 34. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018
  35. 35. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 “Who the heck is 6Fe4jd7TmdE5y W2q0y6W2w ???????” “No idea, dude. Ask the token server.”
  36. 36. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 3000 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 12000 TPS (token checks) 8 hops 24000 TPS backend
  37. 37. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 3000 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 12000 TPS (token checks) 8 hops 24000 TPS backend 55% of all traffic
  38. 38. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 0 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 0 TPS (token checks) 0 hops 0 TPS backend
  39. 39. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 Pointer Pointer State
  40. 40. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Access Token Access Pointer? Access Primary Key?
  41. 41. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 High Frequency Password Exchange Algorithm?
  42. 42. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Problem: how to detect if a file's contents have changed?
  43. 43. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Hashing and Signing Symmetric and Asymmetric
  44. 44. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Hashing Data
  45. 45. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 01010000010001000011011011101000110101001001100001010011110000 00111010101111111111111111000101111101001110111000100010000000000 111111101011100001001100100000101011111001101111111100111011000011 111011001101100100000101011110011001100001011011110101110110001
  46. 46. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 01010000010001000011011011101000110101001001100001010011110000 00111010101111111111111111000101111101001110111000100010000000000 111111101011100001001100100000101011111001101111111100111011000011 111011001101100100000101011110011001100001011011110101110110001
  47. 47. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 More Bits the Better
  48. 48. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Hashing Data
  49. 49. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Hashing Data
  50. 50. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Hashing Data
  51. 51. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Hashing Data
  52. 52. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Eagles beat Patriots 41 to 33
  53. 53. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Eagles beat Patriots 41 to 33
  54. 54. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Eagles beat Patriots 41 to 34
  55. 55. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Protecting the Hash HMAC (Symmetric) RSA (Asymmetric) abc123 abc123 private public
  56. 56. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 HMAC (Symmetric) Read & Write Read & Write Shared and equal relationship
  57. 57. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 RSA (Asymmetric) Write Read Read Read One side has more authority * the reverse is possible
  58. 58. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Encoding a Hash or Signature Binary 0010100011010111110000011011000100101000110011100111010010001000 0100011011011010000000100011110100111111010100011000100011010001 1101101001010101111100010011111110100000001001100010000000010111 0000000000100101000010110011000100001001011011010111101111101101 Hex 8af5c1468a399708b12d205e7ec588c52dd547fe0232027400526846485bef5b Base64 ivXBRoo5lwixLSBefsWIxS3VR_4CMgJ0AFJoRkhb71s Base85 MY4eTME."/Yq7))I`7,^/_*Aj!sh!!)dK"86bOe~
  59. 59. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 + JSon Web Tokens (JWT)
  60. 60. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 JSon Web Token • Pronounced “JOT” • Fancy JSON map • Base64 URL Encoded • Digitally Signed (RSA-SHA256, HMAC-SHA512, etc) • Built-in expiration
  61. 61. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Access Token Previously • 6Fe4jd7TmdE5yW2q0y6W2w
  62. 62. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Access Token Now • eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi 10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzb m9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRw czovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiI sInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaW VuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3O TE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMz IIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8 DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1Ta Elxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct0 98ocefuv08TdzRxqYoEqYNo
  63. 63. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 • { "alg": “RS256", "typ": “JWT" } • { "token-type": "access-token", "username": "snoopy", "animal": "beagle", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": [ “twitter”, "mans-best-friend" ], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } • DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv 0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzl LJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  64. 64. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Access Token Now • header (JSON > Base64 URL Encoded) • describes how the token signature can be checked • payload (JSON > Base64 URL Encoded) • Basically a map of whatever you want to put in it • Some standard entries such as expiration • signature (Binary > Base64 URL Encoded • The actual digital signature • made exclusively by the /oauth2/token endpoint • If RSA, can be checked by anyone
  65. 65. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Subtle But High Impact Architectural Change
  66. 66. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 What we had (quick recap)
  67. 67. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 (LDAP) Pull User Info From IDP
  68. 68. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 (LDAP) Generate an Access Token (pointer)
  69. 69. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 (LDAP) Insert both into DB
  70. 70. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 (LDAP) Send Access Token (pointer) to client
  71. 71. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Results Client Holds Pointer Server Holds State
  72. 72. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 What we can do now (Hello JWT!)
  73. 73. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 (LDAP) Pull User Info From IDP
  74. 74. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 (LDAP) Format the data as JSON
  75. 75. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 (LDAP) RSA-SHA 256 sign JSON private
  76. 76. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 (LDAP) Insert only pointer into DB (for revocation)
  77. 77. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 (LDAP) Send Access Token (state) to client
  78. 78. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Client Holds State Server Holds Pointer Desired Results
  79. 79. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 - Password Grant (LDAP) (Token ID Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock Verify Password Generate Signed Token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9. eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M iOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoM i90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0 LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ 9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8 OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh VDaiqmhct098ocefuv08TdzRxqYoEqYNo", "expires_in":3600, "refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X. eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M iOiJodHRwczovL", }
  80. 80. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Message with JWT POST /painter/color/palette HTTP/1.1
 Host: api.superbiz.io
 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl 6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo User-Agent: curl/7.43.0
 Accept: */*
 Content-Type: application/json
 Content-Length: 46
 
 {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  81. 81. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 + JWT Tokens Sent 3000 TPS (HTTP+SSL) 0.55 TPS (refresh token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 4 hops 12000 TPS backend 3000 TPS (signature verification) 12000 TPS (signature verification)(private key) (public key)
  82. 82. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 “Hey, give me all of Joe’s salary information.” “Not a chance!”
  83. 83. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 “Hey, give me all of Joe’s salary information.” “Sure thing!” Every Microservice Has the Gateway's Public Key
  84. 84. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Latveria Attacks (again)
  85. 85. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 + JWT Valid Tokens Sent 3000 TPS (HTTP+SSL) 0.55 TPS (refresh token checks) Password Sent 1000/daily (HTTP+SSL) (LDAP) 4 hops 12000 TPS backend 9000 TPS (signature verification) 12000 TPS (signature verification) Invalid Tokens Sent 6000 TPS (HTTP+SSL) (private key) (public key)
  86. 86. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 HTTP Signatures (Amazon EC2 style API Security)
  87. 87. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 HTTP Signatures • No “secret” ever hits the wire • Signs the message itself • Proves identity • Prevents message tampering • Symmetric or Asymmetric signatures • IETF Draft • https://tools.ietf.org/html/draft-cavage-http-signatures • Extremely simple • Does NOT eliminate benefits of JWT
  88. 88. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signing a Message POST /painter/color/palette HTTP/1.1
 Host: api.superbiz.io
 Date: Mon, 19 Sep 2016 16:51:35 PDT Accept: */*
 Content-Type: application/json
 Content-Length: 46
 
 {"color":{"b":0,"g":255,"r":0,"name":"green"}} Take the full http message
  89. 89. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signing a Message POST /painter/color/palette HTTP/1.1
 Host: api.superbiz.io
 Date: Mon, 19 Sep 2016 16:51:35 PDT Accept: */*
 Content-Type: application/json
 Content-Length: 46
 
 {"color":{"b":0,"g":255,"r":0,"name":"green"}} Select the parts you want to protect
  90. 90. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signing a Message (request-target): POST /painter/color/palette
 host: api.superbiz.io
 date: Mon, 19 Sep 2016 16:51:35 PDT content-length: 46 Create a Signing String
  91. 91. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signing a Message (request-target): POST /painter/color/palette
 host: api.superbiz.io
 date: Mon, 19 Sep 2016 16:51:35 PDT content-length: 46 Aj2FGgCdGhIp6LFXjxSxBsSwTp9i C7t7nmRZs-hrYcQ Hash the string (sha256 shown)
  92. 92. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signing a Message Aj2FGgCdGhIp6LFXjxSxBsSwTp9i C7t7nmRZs-hrYcQ Encrypt the hash (hmac shown) j050ZC4iWDW40nVx2oVwBEymX zwvsgm+hKBkuw04b+w=
  93. 93. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signing a Message Signature keyId=“orange-1234", algorithm="hmac-sha256", headers="(request-target) host date content-length”, signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
 Put it all together
  94. 94. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signed Message POST /painter/color/palette HTTP/1.1
 Host: api.superbiz.io
 Authorization: Signature keyId=“orange-1234", algorithm="hmac-sha256", headers="(request-target) host date content-length”, signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
 Date: Mon, 19 Sep 2016 16:51:35 PDT Accept: */*
 Content-Type: application/json
 Content-Length: 46
 
 {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  95. 95. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signature Auth Password Sent 0 TPS (HTTP) Signature (no auth) 3000 TPS (LDAP or Keystore) 12000 TPS (HTTP)
  96. 96. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signature Auth Password Sent 0 TPS (HTTP) Signature Signature 3000 TPS (LDAP or Keystore) 12000 TPS (HTTP)
  97. 97. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 “Hey, give me all of Joe’s salary information.” “Hey, Larry! Sure!” Issue Returns (bad)
  98. 98. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2.0 Proof-of-Possession (JWT + HTTP Signatures)
  99. 99. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Key Value Identity Information (JWT) Key ID Proof Of Identity (HTTP Signature)
  100. 100. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 { "alg": “RS256", "typ": “JWT" } { "token-type": "access-token", "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter”, "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc 0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksF XGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo Access Token
  101. 101. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 { "alg": “RS256", "typ": “JWT" } { "token-type": "pop", "cnf":{ "kid": "green-1234" } "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter”, "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc 0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksF XGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo Access Token
  102. 102. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 - Password Grant (LDAP) (Token ID Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock Verify Password Generate Signed Token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc 3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImV4cCI6M TMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJjbmYiOnsia2", "token_type":"pop", "expires_in":3600, "refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc 3MiOiJodHRwczovL2FzZGZhc2RzZGZzZXJ2ZXIuZXhhbXBsZS5 jb20iLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3M", "key":"eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ 2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1 MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlS ci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5W WFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZ PeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd 2ZzIiwiYWxnIjoiSFMyNTYifQ" } Generate HMAC Key (Key Store)
  103. 103. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 JSON Web Key (encoded) eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2Ut eXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1M FdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZ WlSci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQ RVd5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53N XhzczhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2Nid kRocmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ
  104. 104. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 JSON Web Key (decoded) { "kty": "oct", "use": "sig", "kid": "orange-1234", "k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKW THlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7j JJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xs s8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39c wfs", "alg": "HS256" }
  105. 105. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Signed OAuth 2.0 Message POST /painter/color/palette HTTP/1.1
 Host: api.superbiz.io
 Authorization: Signature keyId=“orange-1234", algorithm="hmac-sha256", headers="content-length host date (request-target)”, signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=" Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5h bWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29t L2 9hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyO DA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdY O1GMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaEl xc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
 Date: Mon, 19 Sep 2016 16:51:35 PDT Accept: */*
 Content-Type: application/json
 Content-Length: 46
 
 {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  106. 106. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 OAuth 2 + JWT + Tokens Sent 3000 TPS (HTTP+SSL) 0.55 TPS (refresh token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 4 hops 12000 TPS backend 3000 TPS (signature verification) 12000 TPS (signature verification)
  107. 107. JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution Specification Reference
  108. 108. @dblevins @tomitribe JavaLand #RESTSecurity @dblevins @tomitribetribestream.io/javaland2018 Observations • HTTP Signatures the only HTTP friendly approach • Signatures does not solve the “Identity Load” problem • OAuth 2 with JWT significantly improves IDP load • Plain OAuth 2 • HTTP Session-like implications • OAuth 2 with JWT • Signed cookie • Signing key to the future
  109. 109. Slides & Gateway Sign-up https://tribestream.io/javaland2018 Don't Miss this Talk Securing JAX-RS Today, 17:00 Room Quantum 3+4 Rudy De Busscher #RESTSecurity JavaLand

×