Securing REST APIs

Les Hazlewood
Apache Shiro Project Chair
CTO, Stormpath
Topics

• General API Best Practices
• Statelessness
• Authentication
• Authorization (access control)
General REST API Best Practices

• Base URL
• Integer Version
• HTTP vs HTTPS
• Nice Error Representations
Base URL + Version

https://api.stormpath.com/v1
Error Representation

• HTTP Status Code
• Application-specific Error Code (18 4xx, 6 5xx)
• End-user Message
• Developer Message
• More Info URL
Error Representation Example

HTTP/1.1 404 Not Found

{
    "status": 404,
    "code": 404,
    "message": "Oops! That application cannot be found.",
    "developerMessage": "The specified Application cannot be found. If you accessed this url via a stale href reference, it might be helpful to acquire the tenant's Application Collection Resource to obtain the current list of applications.",
    "moreInfo": "http://www.stormpath.com/docs/errors/404"
}
Statelessness

• No sessions! Session clustering (and all that it implies)
• How do you prevent sessions? Your code? Framework code?
NoSessionCreationFilter

[main]

[urls]
/v1/** = noSessionCreation, authcBasic
Authentication

• What is safe?
• SSL: server vs client
• Username/Password, BASIC authentication
• API Keys
• What is OAuth?
HTTP Basic Authentication

[main]

[urls]
/v1/** = ssl, noSessionCreation, authcBasic
OAuth

• Protocol
• Designed for 3 parties, can be used for 2
• 1.0a vs 2.0
• Signature algorithm (HMAC)
• Shiro & Scribe
Authorization

• Filter
• Exception handling
HttpMethodPermissionFilter

[main]
rest = org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter

[urls]
/v1/user = noSessionCreation, authcBasic, rest[user]
/v1/** = noSessionCreation, authcBasic
Exception Handler

• Annotation or assertion
• MVC framework or JSP catch-all: JSON

@RequiresPermissions("user:read")
public void doSomething() {
}

subject.checkPermission("user:read");
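The rest[user] filter line and the checkPermission("user:read") assertion above both reduce to one question: does the caller hold a permission that implies user:<action> for the HTTP verb used? As an added example (not the slides' or Shiro's own code), a stand-alone Python model of that check, assuming Shiro's documented default verb-to-action mapping and its domain:action:instance wildcard semantics:

```python
# Added example (not from the slides or from Apache Shiro itself): a small
# stand-alone model of what the `rest[user]` filter line and the
# `checkPermission("user:read")` assertion on the slides actually evaluate.
# Shiro's HttpMethodPermissionFilter turns the request's HTTP verb into a
# permission action and requires "<domain>:<action>"; the verb mapping below
# follows Shiro's documented defaults for these five verbs (an assumption).
METHOD_TO_ACTION = {
    "GET": "read", "HEAD": "read", "POST": "create",
    "PUT": "update", "DELETE": "delete",
}


def required_permission(domain: str, http_method: str) -> str:
    """Permission string rest[<domain>] demands for a given HTTP verb."""
    action = METHOD_TO_ACTION.get(http_method.upper())
    if action is None:
        raise ValueError(f"no permission action for HTTP method {http_method!r}")
    return f"{domain}:{action}"


def implies(granted: str, required: str) -> bool:
    """Wildcard-permission check modelled on Shiro's domain:action:instance
    format: parts split on ':', alternatives on ',', '*' matches any value,
    and a shorter granted permission implies any longer one it prefixes
    ('user' implies 'user:read')."""
    g_parts = [set(p.strip().lower().split(",")) for p in granted.split(":")]
    r_parts = [set(p.strip().lower().split(",")) for p in required.split(":")]
    for i, req in enumerate(r_parts):
        if i >= len(g_parts):
            return True  # granted has fewer parts: everything below it is implied
        if "*" not in g_parts[i] and not req <= g_parts[i]:
            return False
    # granted is more specific than required: its extra parts must all be '*'
    return all("*" in g for g in g_parts[len(r_parts):])


def is_permitted(granted_perms, domain: str, http_method: str) -> bool:
    """True if any granted permission implies the one this request needs."""
    required = required_permission(domain, http_method)
    return any(implies(g, required) for g in granted_perms)


if __name__ == "__main__":
    # Constructed sample callers for the /v1/user resource from the slide.
    callers = {"read-only": ["user:read"], "admin": ["user:*"]}
    for name, perms in callers.items():
        for method in ("GET", "POST", "DELETE"):
            print(f"{name:9} {method:6} -> {is_permitted(perms, 'user', method)}")
```

The read-only caller passes GET but is refused POST and DELETE, which is the point of mapping each verb to its own action rather than gating the whole /v1/user path on a single permission.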