Securing the RESTful Web Services


Recap:

Authentication: To ensure the person is who they say they are, e.g. using a username and password.

Authorization: To ensure that the person has the relevant permissions to do what they are trying to do, e.g. accessing or adding resources.

Different Authentication Methods:

a) Basic Authentication:

Using HTTP, the username and password are sent to the server Base64 encoded via a form input. Very basic. Very simple. Very insecure. Anyone can hack this, because Base64 is an encoding, not encryption: whoever can see the request can read the credentials. Better to use HTTPS instead of HTTP.

b) Digest Authentication:

The passwords are hashed using one of the hashing algorithms and stored; there is no way to get the original passwords back from the hash. So when the client sends the password during their login session, it is hashed and checked against the stored hash. If the client forgets his/her password, a temporary one is created and they are asked to change it.

c) Client Cert Authentication:

The client applies to the CA (Certifying Authority) for a certificate. The CA issues a certificate that carries the user information along with other credentials (the public key). During login, the client sends the certificate, and it is validated through the CA to ensure it is a genuine one. HTTPS is used to send the certificate across for secure transmission.

d) API Key Authentication:

Used by Google, FourSpace, Twitter etc. when you want to use their RESTful APIs. They provide a key and a secret key (usually called the Client ID and Client Secret). The user details are stored in their database, and on every request the client ID and secret key are passed to them and checked against their entries to authenticate the user. The client ID and the secret are random encoded strings and are not easy to decode.

How to do it:

a) web.xml

Use the security-constraint, login-config, security-role etc. elements in web.xml.

e.g. (the original post shows the web.xml fragment as an image, which is not reproduced here)
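As an added example (not the image from the original post and not from either reference), here is a web.xml that wires the three elements together: a security-constraint protecting an admin URL space, a login-config selecting BASIC authentication, and the matching security-role. The URL pattern, realm name and role name are assumptions for this example. The transport-guarantee of CONFIDENTIAL is what forces HTTPS, which is the fix the Basic Authentication section above asks for.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Everything under /api/admin/ (assumed path) requires the admin role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin API</web-resource-name>
      <url-pattern>/api/admin/*</url-pattern>
      <!-- No <http-method> elements on purpose: listing only GET and POST
           would leave PUT, DELETE etc. on the same URLs unprotected -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container redirect plain HTTP to HTTPS, so the
         Base64 Basic credentials are never sent in the clear -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.1: any HTTP method not covered by a constraint is refused outright -->
  <deny-uncovered-http-methods/>

  <!-- BASIC: the container itself parses the Authorization header and
       authenticates against the realm named here (realm name assumed) -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>api-realm</realm-name>
  </login-config>

  <!-- Every role used in an auth-constraint or in @RolesAllowed must be declared here -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

Two checks worth running against any web.xml of this shape: that no url-pattern of a constraint lists specific http-method elements (or, if it must, that deny-uncovered-http-methods is present), and that each role-name referenced by an auth-constraint is also declared as a security-role, otherwise the container will reject the deployment or silently fail the role check.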

b) Security Context

Use javax.ws.rs.core.SecurityContext in the code.

The Principal object carries the user information and is used for the authentication methods BASIC_AUTH, FORM_AUTH and CLIENT_CERT_AUTH.

e.g.

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
public class HelloResource {
    @GET
    @Produces("text/plain;charset=UTF-8")
    @Path("/hello")
    public String sayHello(@Context SecurityContext sc) {
        if (sc.isUserInRole("admin")) return "Hello World!"; // role comes from the container realm
        throw new SecurityException("User is unauthorized.");
    }
}
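The snippet above answers one question of the SecurityContext (is the caller in a role). As an added example, not from the original post or either reference, the resource below uses the rest of the interface: the Principal for the caller's name, getAuthenticationScheme() to see which of BASIC_AUTH, FORM_AUTH or CLIENT_CERT_AUTH the container used, and isSecure() to refuse Basic credentials that arrived over plain HTTP. It also returns proper 401/403 responses through WebApplicationException instead of a bare SecurityException, which most containers would map to a 500. The path, the "refuse Basic over plain HTTP" policy and the admin role are assumptions for this example.

```java
import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/whoami") // path assumed for this example
public class WhoAmIResource {

    @GET
    @Produces("text/plain;charset=UTF-8")
    public String whoAmI(@Context SecurityContext sc) {
        // Defence in depth on top of transport-guarantee CONFIDENTIAL in web.xml
        // (assumed policy): Basic credentials over plain HTTP are refused with 403.
        // BASIC_AUTH is the constant "BASIC"; equals() on the constant is null-safe,
        // because getAuthenticationScheme() returns null for anonymous callers.
        if (SecurityContext.BASIC_AUTH.equals(sc.getAuthenticationScheme()) && !sc.isSecure()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }

        // Authentication: no Principal means the container did not authenticate anyone.
        // 401 tells the client to present credentials; a SecurityException would be a 500.
        Principal user = sc.getUserPrincipal();
        if (user == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }

        // Authorization: authenticated but not in the required role (role name assumed) -> 403
        if (!sc.isUserInRole("admin")) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }

        // Principal name and scheme are what you want in an access log, never the password
        return "Hello " + user.getName() + " (authenticated via " + sc.getAuthenticationScheme() + ")";
    }
}
```

The order of the checks matters: transport first, then authentication, then authorization, so an unauthenticated caller never learns from the response whether a role exists.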

c) Annotations

Use the annotations defined in the javax.annotation.security package like @DenyAll, @PermitAll, @RolesAllowed, @DeclareRoles, @RunAs etc.

DeclareRoles: Declares roles.
DenyAll: Specifies that no security roles are allowed to invoke the specified methods.
PermitAll: Specifies that all security roles are allowed to invoke the specified methods.
RolesAllowed: Specifies the list of security roles that are allowed to invoke the methods in the application.
RunAs: Defines the identity of the application during execution in a J2EE container.

e.g.

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

@Path("/helloworld")
@RolesAllowed({"ADMIN", "ORG1"})   // class-level default for every method
public class HelloWorld {

   @GET
   @Path("sayHello")
   @Produces("text/plain")
   @RolesAllowed("ADMIN")          // method-level annotation overrides the class-level one
   public String sayHello() {
      return "Hello World!";
   }
}
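The annotations only do something if the JAX-RS runtime actually enforces them, and the precedence rule (method-level beats class-level) is easy to get backwards. The example below is added here and is not code from the original post or from either reference: one resource that uses @DeclareRoles, a class-level @RolesAllowed default, and method-level @PermitAll, @RolesAllowed and @DenyAll overrides, plus the Jersey registration without which the annotations are silently ignored. The resource path, role names and the choice of Jersey as the runtime are assumptions; other runtimes have their own switch (for example a context parameter in RESTEasy).

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

// Roles this resource refers to; each must also be a <security-role> in web.xml
@DeclareRoles({"ADMIN", "ORG1"})
@Path("/orders")                    // path assumed for this example
@RolesAllowed("ORG1")               // class-level default: every method needs ORG1 ...
public class OrderResource {

    @GET
    @Produces("text/plain")
    public String list() {          // ... no method annotation, so ORG1 applies here
        return "orders";
    }

    @GET
    @Path("status")
    @Produces("text/plain")
    @PermitAll                      // method-level wins: open to every caller, even anonymous
    public String status() {
        return "ok";
    }

    @GET
    @Path("purge")
    @Produces("text/plain")
    @RolesAllowed("ADMIN")          // method-level wins: ADMIN only, ORG1 alone gets 403
    public String purge() {
        return "purged";
    }

    @GET
    @Path("legacy")
    @Produces("text/plain")
    @DenyAll                        // switched off for everyone, always 403
    public String legacy() {
        return "never reached";
    }
}

// Jersey-specific (assumed runtime): RolesAllowedDynamicFeature is the filter that turns
// the annotations into 401/403 responses. Without this register() call, every method above
// is reachable by anyone, which is the failure mode to test for after deployment.
@ApplicationPath("/api")
class ApiConfig extends ResourceConfig {
    ApiConfig() {
        register(OrderResource.class);
        register(RolesAllowedDynamicFeature.class);
    }
}
```

A quick deployment check: call the @DenyAll endpoint with a valid ADMIN user and expect 403. If it returns 200, the annotation feature is not registered and none of the other @RolesAllowed restrictions are being enforced either.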

References:
https://docs.oracle.com/cd/E24329_01/web.1211/e24983/toc.htm
http://howtodoinjava.com/security/restful-web-services-security-guide/
