SPRINGONE2GX
WASHINGTON, DC
Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
The State of Securing RESTful APIs with Spring
By Rob Winch
@rob_winch
Authentication
Naïve approach…
https://api.example.com?username=rob&password=secret
“Come on Bender. It's up to you to make your own decisions in life. That's what separates people and robots from animals .. and animal robots!”
- Fry, Futurama
RFC-7231 Sensitive Information

“Authors of services ought to avoid GET-based forms for the submission of sensitive data …”
- RFC-7231: Section 9.4
Basic Authentication
Digest Authentication
Transport Layer Security (TLS)
• Confidentiality
• Integrity
Checking TLS
https://www.ssllabs.com/ssltest/
https://shaaaaaaaaaaaaa.com/
TLS Performance
• Computational overhead
• Latency overhead
• Cache
“On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead.”
- Adam Langley, Google
https://goo.gl/IYJrqv
“We have found that modern software-based TLS implementations running on commodity CPUs are fast enough to handle heavy HTTPS traffic load without needing to resort to dedicated cryptographic hardware.”
- Doug Beaver, Facebook
https://goo.gl/pf8Xwh
“HTTP keepalives and session resumption mean that most requests do not require a full handshake, so handshake operations do not dominate our CPU usage.”
- Jacob Hoffman-Andrews, Twitter
https://goo.gl/Re0ijb
TLS Optimize
• TLS Resumption
• Latency
• Online Certificate Status Protocol (OCSP)
• Cloudflare
Optimizing TLS
Is TLS Fast Yet (istlsfastyet.com)
HTTP Basic over HTTPS?

oclHashcat benchmark (Ubuntu 14.04, 64 bit, ForceWare 346.29, X NVidia Titan X):

Hash Type   Speed
SHA1        42.408 Bh/s
SHA256      16.904 Bh/s
SHA512      5.2 Bh/s
Introduce Session

username=winch&name=Rob+Winch
Encrypting the Session

Base64(IV, aes_cbc(k, IV, plainText))

• k – a secret key known only to the server
• aes_cbc – encrypts the plainText using AES/CBC with the provided IV
• plainText – of the form username=winch&name=Rob+Winch
Your handwriting is atrocious, not encrypted
Introduce Session

Can change [1] the properly encrypted value of
username=winch&name=Rob+Winch
to have the following plaintext:
username=admin&name=Rob+Winch

[1] https://goo.gl/2Uio0W
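The weakness the last two slides describe, and its fix, as an added example in Go (not code from the talk): SealCBC/OpenCBC implement the slide's Base64(IV, aes_cbc(k, IV, plainText)), which the server cannot distinguish from a modified token because nothing authenticates it, while SealGCM/OpenGCM use AES-GCM and reject any change. The 16-byte server key, the function names and the one-bit tamper are my assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// SealCBC is the slide's Base64(IV, aes_cbc(k, IV, plainText)) with PKCS#7 padding: confidentiality only.
func SealCBC(key, plainText []byte) string {
	blk, _ := aes.NewCipher(key) // key is server-controlled, so a bad key length is a programming error
	pad := aes.BlockSize - len(plainText)%aes.BlockSize
	padded := append(append([]byte{}, plainText...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, aes.BlockSize)
	io.ReadFull(rand.Reader, iv) // fresh IV from the OS CSPRNG
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...))
}

// OpenCBC decrypts and strips padding; an altered IV or ciphertext still "succeeds" because nothing is checked.
func OpenCBC(key []byte, token string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("malformed token")
	}
	blk, _ := aes.NewCipher(key)
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}

// SealGCM is the hardened form: AES-GCM authenticates nonce and ciphertext, so tampering fails the tag check.
func SealGCM(key, plainText []byte) string {
	blk, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(blk)
	nonce := make([]byte, aead.NonceSize())
	io.ReadFull(rand.Reader, nonce)
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, plainText, nil))
}

// OpenGCM returns an error for every token that was not produced unchanged by SealGCM under this key.
func OpenGCM(key []byte, token string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	blk, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(blk)
	if err != nil || len(raw) < aead.NonceSize() {
		return nil, errors.New("malformed token")
	}
	return aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
}

// Tamper flips one bit of the token's first byte (CBC IV, GCM nonce): under CBC the same bit of plaintext byte 0 flips.
func Tamper(token string) string {
	raw, _ := base64.StdEncoding.DecodeString(token)
	raw[0] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw)
}
```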
Tweet, 2:03 PM - 27 Jul 2015: https://goo.gl/Hs383Z
Tweet, 10:54 AM - 28 May 2015: https://goo.gl/ZbP9Yp
JWT Header

{"alg":"HS256","typ":"JWT"}
“… each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server.”
- Roy Fielding, Architectural Styles and the Design of Network-based Software Architectures
http://goo.gl/MzVy0V
Representational STATE transfer

“… session state can be transferred by the server to another service such as a database to maintain a persistent state for a period and allow authentication”
- Wikipedia
http://goo.gl/bd33t7
Code Slide

public interface HttpSession {
    …
}
Customizing the Cookie

<session-config>
    <cookie-config>
        <name>SESSION</name>
    </cookie-config>
</session-config>
Spring Session

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@Configuration
@EnableRedisHttpSession // replaces the container's HttpSession with one stored in Redis
public class Config {
    @Bean
    public JedisConnectionFactory connectionFactory() {
        return new JedisConnectionFactory(); // defaults to localhost:6379
    }
}
Spring Session

import org.springframework.session.web.context.AbstractHttpSessionApplicationInitializer;

// Registers springSessionRepositoryFilter in a Servlet 3.0+ container without web.xml
public class Initializer extends AbstractHttpSessionApplicationInitializer {
    public Initializer() {
        super(Config.class);
    }
}
Spring Session

<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
DEMO: Spring Session
SessionRepositoryFilter

public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
        throws IOException, ServletException {
    // wrap the request so getSession() is served from the SessionRepository
    ServletRequest request = new SessionRepositoryRequestWrapper(req);
    … // the response is wrapped the same way (elided on the slide)
    chain.doFilter(request, response);
}
SessionRepositoryRequestWrapper

public HttpSession getSession() {
    // return custom HttpSession backed by the SessionRepository
}
OAuth 2.0?
• When working within a sandbox
• Limiting liability
Authorization

http
    .authorizeRequests()
        .antMatchers("/public/**").permitAll()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated();
Authorization

@PostAuthorize("returnObject?.to?.id == principal.id")
Message findOne(Long id);
Authorization

@PreAuthorize("#message?.from?.id == principal.id")
<S extends Message> S save(Message message);
Permissions

@PostAuthorize("hasPermission(returnObject,'read')")
Message findOne(Long id);
Permissions

@PreAuthorize("hasPermission(#message,'write')")
<S extends Message> S save(Message message);
public interface PermissionEvaluator … {
    boolean hasPermission(Authentication authentication,
                          Object targetDomainObject,
                          Object permission);

    boolean hasPermission(Authentication authentication,
                          Serializable targetId,
                          String targetType,
                          Object permission);
}
Queries?

@Query("select m from Message m where m.to.id = ?#{principal.id}")
Iterable<Message> inbox();
Queries?

@Query("select m from Message m where m.to.id = ?#{principal.id}")
Page<Message> inbox(Pageable pageable);
Future Work?

@EnableAclSecurity
public interface SecuredMessageRepository extends MessageRepository {}

// Vote for it! DATACMNS-293 SEC-2409
DEMO: CSRF
CSRF Protection
“When do I use CSRF protection?”
“... but my application uses JSON”
<form ... method="post" enctype="text/plain">
    <input type='hidden'
           name='{"summary":"Hi", … "ignore_me":"'
           value='test"}'
    />
</form>
{
    "summary": "Hi",
    "message": "New Message",
    "to": "luke@example.com",
    "ignore_me": "=test"
}
“… but my application is stateless”
“…and I use a custom header for authentication and ignore cookies”
• Use proper HTTP Verbs
• Configure CSRF Protection
• Include the CSRF Token
Including the CSRF Token
// in a @RestController; Spring Security resolves the CsrfToken argument for the current request
@RequestMapping("/csrf")
public CsrfToken csrf(CsrfToken token) {
    return token;
}
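The three points above, as an added example in Go (not code from the talk or from Spring Security): safe verbs pass, every other method must carry the session-bound token in an X-CSRF-TOKEN header, which a JavaScript client obtains from an endpoint like the /csrf mapping and a cross-site text/plain form cannot add. The SESSION cookie as session id, the in-memory token store and the names TokenFor, CSRFAllowed and Protect are my assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"sync"
)

const csrfHeader = "X-CSRF-TOKEN"

// tokens maps a session id (the SESSION cookie value) to its CSRF token: an in-memory
// stand-in for the session-backed token repository the slides rely on.
var tokens sync.Map

// TokenFor returns the CSRF token bound to a session, minting a random one on first use.
func TokenFor(sessionID string) string {
	if v, ok := tokens.Load(sessionID); ok {
		return v.(string)
	}
	b := make([]byte, 16)
	rand.Read(b)
	tok, _ := tokens.LoadOrStore(sessionID, hex.EncodeToString(b))
	return tok.(string)
}

// isSafeMethod lists the RFC 7231 safe methods. Everything else is treated as state-changing,
// which is why "use proper HTTP verbs" matters: a GET that mutates would slip past this check.
func isSafeMethod(m string) bool {
	switch m {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true
	}
	return false
}

// CSRFAllowed is the decision. A cross-site <form enctype="text/plain"> can deliver the
// JSON-shaped body from the slides together with the victim's cookies, but it cannot add a
// custom header, so an unsafe request must carry the session's token in X-CSRF-TOKEN.
// The comparison is constant-time so timing differences do not leak the token.
func CSRFAllowed(method, headerToken, sessionToken string) bool {
	if isSafeMethod(method) {
		return true
	}
	return sessionToken != "" &&
		subtle.ConstantTimeCompare([]byte(headerToken), []byte(sessionToken)) == 1
}

// Protect wraps a handler with the check. Without a SESSION cookie no token can match, so
// unsafe requests from an unauthenticated or cookie-less caller are refused as well.
func Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sessionToken := ""
		if c, err := r.Cookie("SESSION"); err == nil {
			sessionToken = TokenFor(c.Value)
		}
		if !CSRFAllowed(r.Method, r.Header.Get(csrfHeader), sessionToken) {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

When authentication itself is only a custom header and cookies are ignored, the browser attaches no credentials to a cross-site form post, which is the case the slide above says needs no token.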
DEMO: Clickjacking
Security HTTP Response Headers
Related Talks
• Hands on Spring Security 4.1 – Wed at 8:30am
• Spring MVC 4.2: New and Noteworthy – Wed at 10:30am
• A How to Guide to Security in the PAAS Cloud – Wed at 4:30pm
• Securing Microservices with Spring Cloud Security – Thurs at 10:30am
Learn More. Stay Connected.
• Use TLS
• Authentication Should Have State
• Use Proper Authorization
• Use a Framework Because Individuals Cannot Provide Good Security

Twitter: @rob_winch
YouTube: spring.io/video
LinkedIn: spring.io/linkedin
Google Plus: spring.io/gplus