Java Web Services Security

SOAP 

Different security concerns

  • Authentication
  • Confidentiality  
    • Ensuring that only the intended receiver of a message can read it, and not any eavesdropper. This is achieved by encryption/decryption
  • Integrity
  • Non Repudiation

Authentication

  • Username Token
    • The most common way to authenticate in SOAP services
    • It defines a standard way to pass the username/password inside the SOAP header
    • The root element that wraps it is <wsse:Security>
    • <wsse:Security>
          <wsse:UsernameToken>
              <wsse:Username>...</wsse:Username>
              <wsse:Password>...</wsse:Password>
          </wsse:UsernameToken>
      </wsse:Security>
    • Steps to configure
      • Configure WSS4JInInterceptor in cxf-servlet.xml for the endpoint
      • Provide a password callback handler, which the interceptor calls to obtain the expected password for the user named in the token
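The password callback handler from the two steps above, written out as an added example (not code from the original post). It assumes CXF 3.x with the WSS4J 2.x package names (org.apache.wss4j.*); the class name ServerPasswordCallback and the single demo user are constructed.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;

// WSS4J calls handle() with the username taken from the UsernameToken; the handler
// supplies the expected password and WSS4J itself compares it with the token's.
public class ServerPasswordCallback implements CallbackHandler {

    // Constructed demo credential store. A real service would look the user up
    // in a user directory instead of keeping credentials in code.
    private static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("alice", "alice-demo-secret"); }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String expected = USERS.get(pc.getIdentifier());
            if (expected != null) {
                pc.setPassword(expected);   // WSS4J verifies the token against this value
            }
            // Unknown user: the password stays unset, so WSS4J rejects the token
        }
    }

    // Programmatic equivalent of the cxf-servlet.xml <jaxws:inInterceptors> entry:
    // action=UsernameToken, passwordType, passwordCallbackClass=this class.
    public static WSS4JInInterceptor usernameTokenInterceptor() {
        Map<String, Object> props = new HashMap<>();
        props.put(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN);
        // PasswordDigest keeps the clear password off the wire; PasswordText needs TLS
        props.put(ConfigurationConstants.PASSWORD_TYPE, "PasswordDigest");
        props.put(ConfigurationConstants.PW_CALLBACK_CLASS, ServerPasswordCallback.class.getName());
        return new WSS4JInInterceptor(props);
    }
}
```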

Confidentiality

  • Private/symmetric key
    • Expensive, as a separate secret key has to be generated and shared with every client
  • Public/asymmetric key

Java Keytool (key and certificate management tool)

  • Allows generating a public/private key pair that can be used for encryption/decryption as well as for signatures
  • Keystore file
    • It is created when a public/private key pair is generated.
    • It is the place where public/private keys are stored
    • It is password protected
    • Each private key has an alias & password
    • The public key can be exported into a certificate, and that certificate distributed to our client apps.
  • keytool -genkeypair -alias mykey -keypass mykeypass -keystore mykeystore.jks -storepass mystorepass -validity 100 -dname "cn=venkat,ou=vd,o=vd,c=in"
  • Export public key
    • keytool -export -rfc -keystore mykeystore.jks -storepass mystorepass -alias mykey -file MyCert.cer
  • Import certificate
    • keytool -import ........
  • -trustcacerts
    • cacerts comes with the JDK, so we are adding to it

Steps to create keys

  • Generate key pairs for the provider and the client
  • Export the public keys into certificate files
  • Import each certificate into the other party's keystore

Integrity(Signature)

  • WSSecurity ensures data is not tampered on they way. It is done using Signatures.
  • It is fixed length value that is calculated using content of message by applying algorithm on it. 
  • This is also called hash
  • This is sent along with message to provider
  • Hash is calculated in server sider and compared with the hash from client

Timestamp (Non-repudiation) - Replay attacks

  • Replay can be prevented using the Timestamp element, which goes inside the wsse:Security element
  • It carries the creation and expiry times
  • By default the validity period is 300 secs
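The check a receiver performs on that Timestamp, as an added example (not code from the original post): it parses a constructed wsu:Timestamp and rejects it when it is expired, created in the future, or older than the 300 s default TTL. The 60 s clock-skew allowance and the class name are assumptions.

```java
import java.io.StringReader;
import java.time.Duration;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class TimestampCheck {
    static final String WSU =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final Duration TTL = Duration.ofSeconds(300);   // the 300 s default noted above

    // Fresh only if Expires lies after Created, Created is not in the future,
    // the sender's Expires has not passed, and Created is within our own TTL.
    public static boolean isFresh(String timestampXml, Instant now, Duration skew) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(timestampXml)));
        Instant created = Instant.parse(text(doc, "Created"));
        Instant expires = Instant.parse(text(doc, "Expires"));
        if (!expires.isAfter(created)) return false;
        if (created.isAfter(now.plus(skew))) return false;      // created in the future
        if (now.isAfter(expires.plus(skew))) return false;      // sender's expiry passed
        return !now.isAfter(created.plus(TTL).plus(skew));      // older than our TTL: treat as replay
    }

    private static String text(Document doc, String localName) {
        NodeList nl = doc.getElementsByTagNameNS(WSU, localName);
        if (nl.getLength() != 1) throw new IllegalArgumentException("expected one wsu:" + localName);
        return nl.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, as the element appears inside wsse:Security
        String ts = "<wsu:Timestamp xmlns:wsu=\"" + WSU + "\" wsu:Id=\"TS-1\">"
                  + "<wsu:Created>2024-01-01T10:00:00Z</wsu:Created>"
                  + "<wsu:Expires>2024-01-01T10:05:00Z</wsu:Expires></wsu:Timestamp>";
        Duration skew = Duration.ofSeconds(60);
        // a message arriving two minutes after it was created
        System.out.println(isFresh(ts, Instant.parse("2024-01-01T10:02:00Z"), skew));
        // the same message presented again half an hour later
        System.out.println(isFresh(ts, Instant.parse("2024-01-01T10:30:00Z"), skew));
    }
}
```

Within the validity window a repeat of the same message still passes this check on its own; WSS4J therefore pairs the Timestamp with a replay cache of recently seen messages.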

Securing parts of the message

REST

OAuth concepts

  • It is an authentication & authorization standard that allows an application to gain access to a user's data within another application without knowing the user's userid/password for that other application.
  • The process of one application using another application for login/authentication is called federated authentication, e.g. using Google login to log in to wordpress.com
  • Delegated authorization - the user grants an application access to perform actions on the user's behalf, and the application can perform only those actions the user authorized it to do. E.g. a tax site saving a file to Google Drive
  • OAuth is a standard that defines the rules for federated authentication and delegated authorization
  • Why OAuth
  • When not to use
    • Do not use it for simple apps. Rather go for HTTP Basic or form-based authentication over SSL
  • Flow for any application that wants to use OAuth
    • The application registers with the application that is providing the service
    • The application redirects the user to the provider's login page, which redirects back after authentication with a unique authorization code
    • The application sends the authorization code and gets a token back
    • Now the application can access the service-providing application on behalf of the user

Swagger

  • A standard way to document RESTful web services just by annotating classes & methods
  • This is now called the OpenAPI specification
  • Swagger UI helps in trying out the RESTful services
  • Swagger Specification
  • Swagger Editor
  • Swagger UI
  • Swagger Codegen
  • Steps to make Swagger work for an application
    • Add the Maven dependency
    • Configure the CXF Swagger feature
    • Use the Swagger API
    • Annotations
      • @Api // above the @Path annotation at class level
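Steps 2 and 3 carried out in code, as an added example (not the original post's code). It assumes step 1 put org.apache.cxf:cxf-rt-rs-service-description-swagger on the classpath (CXF 3.x with Swagger 1.5 annotations); AccountResource, its package and its response body are hypothetical.

```java
package com.example.accounts;

import java.util.Collections;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.swagger.Swagger2Feature;

// Step 3: annotate the resource. @Api goes above @Path at class level and
// @ApiOperation documents each method. AccountResource is a hypothetical service.
@Api(value = "/accounts")
@Path("/accounts")
public class AccountResource {

    @GET
    @Path("/{id}")
    @Produces(MediaType.APPLICATION_JSON)
    @ApiOperation(value = "Fetch one account by id")
    public String get(@PathParam("id") String id) {
        return "{\"id\":\"" + id + "\"}";   // constructed response body
    }

    // Step 2: the CXF Swagger feature configured in code. In cxf-servlet.xml the same thing
    // is a <bean class="org.apache.cxf.jaxrs.swagger.Swagger2Feature"/> under <jaxrs:features>.
    public static Server start(String address) {
        Swagger2Feature swagger = new Swagger2Feature();
        swagger.setTitle("Accounts API");
        swagger.setVersion("1.0");
        swagger.setBasePath("/api");
        swagger.setResourcePackage("com.example.accounts");   // package holding the @Api classes
        swagger.setScan(true);                                // discover them at startup
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setResourceClasses(AccountResource.class);
        sf.setFeatures(Collections.singletonList(swagger));
        sf.setAddress(address);      // the generated swagger.json is served under this address
        return sf.create();
    }

    public static void main(String[] args) {
        start("http://localhost:8080/api");
    }
}
```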

Basic Auth, SAML, Keys, OAuth, JWT and Tokens Quickly

  • Basic Auth
    • The username and password are sent in each request, as the server doesn't maintain state
    • Base64 the username and password and send them in the HTTP headers
      • Base64 encode("username:password") => "Basic <authentication token>" as the value of the header key "Authorization"
      • The token is something like "dmRlc3VfY21kXzkwODMyZmMzYzNkMjQzMWJhN2I4NDZkYmY"
      • Cons: the token can be decoded. Encoding is done primarily to handle characters not allowed in HTTP headers
      • Requires HTTPS to protect the user/password
      • Subject to replay attacks
      • Logout is tricky (the browser caches the credentials)
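Both sides of the Basic Auth header, as an added example (not code from the post): building the header value, then parsing and checking it on the server, including a password that itself contains ':' and a malformed header. Java 11+ is assumed; the user store and credentials are a constructed demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

public class BasicAuth {
    // Client side: "Basic " + Base64("username:password")
    public static String headerValue(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Server side: returns {user, password}, or null if this is not well-formed Basic auth.
    public static String[] parse(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;                               // scheme name is case-insensitive
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;                               // not Base64 at all
        }
        String creds = new String(decoded, StandardCharsets.UTF_8);
        int colon = creds.indexOf(':');                // split on the FIRST colon only:
        if (colon < 0) return null;                    // the password may itself contain ':'
        return new String[] { creds.substring(0, colon), creds.substring(colon + 1) };
    }

    // Constant-time comparison so response timing does not reveal how much of the password matched.
    public static boolean check(String[] creds, Map<String, String> users) {
        if (creds == null) return false;
        String expected = users.get(creds[0]);
        if (expected == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     creds[1].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> users = Map.of("alice", "p:ss w0rd");   // constructed demo store
        String hdr = headerValue("alice", "p:ss w0rd");
        System.out.println(hdr);
        String[] creds = parse(hdr);
        // Base64 is reversible: anyone who sees the header (no HTTPS) reads the credentials
        System.out.println(creds[0] + " / " + creds[1]);
        System.out.println(check(creds, users));
    }
}
```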
  • Authorization Tokens
    • Session tokens -> these are similar to reference tokens: a reference to a session maintained on the server
    • JSON Web Token -> value token -> the server doesn't maintain a session
    • Tokens are a new set of credentials
      • Access Token
      • Refresh Token
    • Authorization header
      • Bearer <Access Token>
    • SAML (Security Assertion Markup Language)
      • XML based
      • Mainly used by large corporates
      • It talks about Service Provider & Identity Provider
      • Single sign-on
      • Complex
    • OAuth 2.0
      • It is a protocol to give (an application or server) temporary access to a resource.
      • It is also called a delegation or authorization protocol
      • OpenID Connect is a protocol on top of OAuth 2.0 in order to do authentication
      • OAuth doesn't talk about authentication
      • Doesn't talk about encryption
    • JWT Authorization
      • JSON Web Token
      • It is a standard way for two applications to communicate securely
      • You pass a payload (additional data) apart from the security data.
      • It uses the Authorization header:
        Bearer <Access Token>
      • It has a Header, a Payload and a Signature
      • It uses HMAC-SHA256
      • It is used for authentication and secure information exchange
    • API Keys
      • Tell which users are using my service
      • Statistics and monetizing the API

Tokens

  • SAML
    • Heavily XML based and cryptographic
    • Needs an advanced XML stack, which is not available on mobiles. Hence Simple Web Token was created by MS, Google and Yahoo
  • Simple Web Token
    • It is too simple and restrictive.
    • It doesn't have enough cryptographic options, such as asymmetric signing
  • JWT (JSON Web Token)
    • It is a combination of SAML & Simple Web Token
    • It is simpler than SAML, without the need for XML

High-level structure of JWT

  • Header
    • {"typ" : "JWT",
       "alg" : "HS256"}
    • The header is Base64 encoded
  • Payload
    • {"iss" : "vd",
       "exp" : 1300819380,
       "name" : "Venkat",
       "admin" : true}
  • Signature
    • The signature is an HMAC-SHA256 (see above) of the encoded header and payload, keyed with the secret

How does OAuth work

  1. Invoke https://accounts.google.com/o/oauth2/v2/auth
     Pass parameters:
       Request scope: contacts
       Response type: grant code
       Callback URL
       Client id

OpenID Connect

  • Built on top of OAuth 2, used for login/authentication
  • Invoke https://accounts.google.com/o/oauth2/v2/auth
    Pass parameters:
      Request scope: openid profile email
      Response type: grant code
      Callback URL
      Client id
  • The code received by the server is exchanged with the Google OAuth server for an Access token & an ID token
  • This ID token has the details of the user's profile. The ID token is a JSON Web Token (JWT)

API Gateway

  • It takes care of security, authentication & authorization
  • It protects the service API from bad requests
  • Key features
    • Separate out and consolidate all cross-cutting concerns
      • Authentication
      • Authorization
      • SSL termination
      • DDoS protection/throttling
    • Replace multiple calls with a single API
      • Serving static content
      • Cache
    • Router & load balancer
    • Protocol adapter
      • Converting a new protocol into an older protocol
    • Exposed as

 
