MTAT.03.229Enterprise System Integration

Lecture 12: REST Security

Marlon Dumas

University of Tartu

Based on s l ides by Luc iano Garc ía -Bañuelos

The picture• Security is a critical concern to

take into account during the development of enterprise software◦ Should be considered during the

entire application lifecycle

◦ Concerns not only firewalls, encryption, etc., but should also be embedded throughout the software architecture

• We will focus only on application security, relying on the use of Spring Security provided tools

SECURITY LUCIANO GARCÍA-BAÑUELOS 1

Ente

rpri

se s

oft

war

e

Presentation

Application logic

Data access

Integration layer

Presentation

Application logic

Data access

Security

SECURITY LUCIANO GARCÍA-BAÑUELOS 2

•Security is a family of non-functional requirements

•We need to determine which specific security requirements are relevant to a given project

• Internal projects:

◦ Authentication

◦ Authorization

Confidentiality, Data Integrity, Availability

• External projects:

◦ Message integrity

◦ Non-repudiation

◦ Legally binding identity assertion and signature

Authentication

SECURITY LUCIANO GARCÍA-BAÑUELOS 3

Site engineer

Login

Works engineer

Logout

Unauthenticated user

Authenticateuser

Authentication service

Database authentication

service

LDAPservice

Singlesign-onservice

• Process of identifying an individual, usually based on a username and password (a.k.a. credentials)

• Authentication object◦ Principal

(user name)

◦ Authority (role)

How it works? • If an authenticated request arrives for a restricted resource, server

returns HTTP 401: Unauthorized status with WWW-Authenticateheader indicating required authenticationmethod (e.g. Basic)

• Client requests username and password. Concatenates them as: username:password

• Encodes them using base64 method for example

◦ Note that base64 is reversible, so very insecure

◦ Several methods exist to negotiate credentials securely, one of the simpler ones being Digest access authentication

• Encoded credential is sent in an HTTP request header

• Credential is validated on the server side by an authentication provider in the application server

SECURITY LUCIANO GARCÍA-BAÑUELOS 4

Authorization

SECURITY LUCIANO GARCÍA-BAÑUELOS 5

<< create >>Create

<< update >>Modify

Site engineer

Update rejected PHR

Extend rental period

<< show/list >>Query

<< update >>Review

Reject

Accept

Works engineer

<<include>>

<<include>>

Rendered data depends on the

user identity

• Process of giving individuals access to system objects based on their identity

• Role-based access control◦ Site engineer: Create

PHRs, extend rental period, etc.

◦ Works engineer: Accept/reject PHRs, etc.

Securing Spring MVC applications

SECURITY LUCIANO GARCÍA-BAÑUELOS 6

Accessing a restricted resource (1/2)

SECURITY LUCIANO GARCÍA-BAÑUELOS 7

Web Server

GET /pos/123

/login(form)

Spring MVC container

Client

Dispatcher Controller

ViewView

resolver

Handlermapping

URL

AuthenticationManager

Auth. ContextAccess DecisionManager

Interc. Interc. ...

1

Anonymous

Accessing a restricted resource (2/2)

SECURITY LUCIANO GARCÍA-BAÑUELOS 8

Web Server

POST /login

<purchaseOrder><startDate>…<startDate><endDate>…<endDate>...

</purchaseOrder>

Spring MVC container

Client

Dispatcher Controller

ViewView

resolver

Handlermapping

URL

AuthenticationManager

Auth. ContextAccess DecisionManager

Interc. Interc. ...

1

Anonymous

{ “username”: “luciano”,“password”: “password” }

user: lucianoauth.: ROLE_SITE_ENG

Implementation in Spring BootStep-by-step tutorial:

• http://kodu.ut.ee/~dumas/esi2019/lecture12.html

Code of tutorial:

• https://bitbucket.org/lgbanuelos/esi2018-rbac/

SECURITY LUCIANO GARCÍA-BAÑUELOS 9

Client-Side Authentication (VueJS)• http://kodu.ut.ee/~dumas/esi2019/practical12.html

SECURITY LUCIANO GARCÍA-BAÑUELOS 10