MTAT.03.229 Enterprise System Integration
Lecture 12: REST Security
Marlon Dumas
University of Tartu
Based on slides by Luciano García-Bañuelos
The picture
• Security is a critical concern to take into account during the development of enterprise software
◦ Should be considered during the entire application lifecycle
◦ Concerns not only firewalls, encryption, etc., but should also be embedded throughout the software architecture
• We will focus only on application security, relying on the tools provided by Spring Security
SECURITY LUCIANO GARCÍA-BAÑUELOS 1
[Figure: enterprise software shown as a layered architecture (presentation, application logic, data access, integration layer); security is drawn as a cross-cutting concern spanning the presentation, application logic and data access layers rather than as one more layer]
• Security is a family of non-functional requirements
• We need to determine which specific security requirements are relevant to a given project
• Internal projects:
◦ Authentication
◦ Authorization
◦ Confidentiality, data integrity, availability
• External projects:
◦ Message integrity
◦ Non-repudiation
◦ Legally binding identity assertion and signature
Authentication
[Figure: use-case diagram. An unauthenticated user, a site engineer and a works engineer use Login and Logout; Login includes "Authenticate user", which is delegated to an authentication service realised by a database authentication service, an LDAP service or a single sign-on service]
• Process of verifying the identity an individual claims, usually based on a username and password (a.k.a. credentials)
• The result is an authentication object holding:
◦ Principal (user name)
◦ Authorities (roles)
How does it work? (HTTP Basic authentication)
• If an unauthenticated request arrives for a restricted resource, the server returns HTTP 401 Unauthorized with a WWW-Authenticate header indicating the required authentication method (e.g. Basic)
• The client prompts the user for username and password and concatenates them as username:password
• The pair is encoded with base64 (that is all "Basic" means)
◦ Note that base64 is an encoding, not encryption: it is trivially reversible, so the credentials effectively travel in cleartext and Basic must only be used over TLS (HTTPS)
◦ Other schemes avoid sending the password itself, one of the simpler ones being Digest access authentication (an MD5 hash of the password with a server nonce); it does not replace TLS either
• The encoded credential is sent in the Authorization request header, on every request
• The credential is validated on the server side by an authentication provider in the application server
Authorization
[Figure: use-case diagram. Site engineer: Create (<<create>>), Modify (<<update>>), Update rejected PHR, Extend rental period; Works engineer: Query (<<show/list>>), Review (<<update>>), which includes Reject and Accept. Caption: rendered data depends on the user identity]
• Process of granting individuals access to system objects based on their (authenticated) identity
• Role-based access control:
◦ Site engineer: create PHRs, extend rental period, etc.
◦ Works engineer: accept/reject PHRs, etc.
Accessing a restricted resource (1/2)
[Figure: an anonymous client sends GET /pos/123 to the web server. Inside the Spring MVC container the security interceptors (AuthenticationManager, Authentication Context, AccessDecisionManager) run before the dispatcher, handler mapping, controller and view resolver; since the request is anonymous (step 1), the client is sent to the /login form]
Accessing a restricted resource (2/2)
[Figure: the client sends POST /login with the JSON body { "username": "luciano", "password": "password" }. The AuthenticationManager validates the credentials and stores an authentication object in the context: user luciano with authority ROLE_SITE_ENG. Subsequent requests, such as the submission of <purchaseOrder><startDate>…</startDate><endDate>…</endDate>...</purchaseOrder>, pass through the same interceptors and reach the controller only if the AccessDecisionManager allows them for that authority]
Implementation in Spring Boot
Step-by-step tutorial:
• http://kodu.ut.ee/~dumas/esi2019/lecture12.html
Code of the tutorial:
• https://bitbucket.org/lgbanuelos/esi2018-rbac/
Client-Side Authentication (VueJS)
• http://kodu.ut.ee/~dumas/esi2019/practical12.html