Wednesday, May 9, 2012

Securing your RESTful service


There are different options to secure your web service:

Authentication:
      Identifies who the user of the web service is.
      PKI or Active Directory is typically used for authentication.

Authorization:
      Determines what the user may do with the web service.
      An authorization service or LDAP is typically used for authorization.

There are several implementation solutions to secure the web service. Below is a list:
OAuth 1.0 is vulnerable to a session-fixation attack that could result in an attacker stealing the identity of an API end-user.
OAuth is a simple and standard way to do secure API authorization. See the specification of OAuth at http://tools.ietf.org/html/rfc5849.


It is good to know that HTTPS, and HTTP authorization schemes based on HMAC (hash-based message authentication code) such as those used by Amazon S3 and Windows Azure, are among the measures for greater security.

If your API is free and read-only, you can use single-key-based authentication.
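The HMAC scheme mentioned above, together with the authentication/authorization split from the top of the post, as an added example (not code from this post, from Amazon or from Windows Azure). Both sides of the exchange are shown: the client signs the method, path, sorted query, timestamp, nonce and body hash with a shared secret; the server looks up the caller by access key (authentication), rejects stale timestamps and replayed nonces, compares the MAC in constant time, and only then checks the caller's scope against the operation (authorization). The header names, scope mapping and credential store are constructed for this example and follow the general shape of provider request signing rather than any one provider's exact format.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed credential store: access key id -> (shared secret, granted scopes).
# The access key identifies the caller (authentication); the scopes say what it may do (authorization).
CREDENTIALS = {
    "EXAMPLE-KEY-READER": ("constructed-secret-reader", {"read"}),
    "EXAMPLE-KEY-EDITOR": ("constructed-secret-editor", {"read", "write"}),
}

# Which scope each HTTP method needs (assumed mapping for this example).
REQUIRED_SCOPE = {"GET": "read", "HEAD": "read", "POST": "write", "PUT": "write", "DELETE": "write"}

MAX_CLOCK_SKEW = 300  # seconds a signed timestamp may differ from server time


def string_to_sign(method, path, query, timestamp, nonce, body):
    """Canonical request string; every field the server enforces is covered by the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    canonical_query = urlencode(sorted(query.items()))
    return "\n".join([method.upper(), path, canonical_query, str(timestamp), nonce, body_hash])


def sign_request(access_key, secret, method, path, query, body, timestamp=None, nonce=None):
    """Client side: produce the headers that accompany a request (constructed header names)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = string_to_sign(method, path, query, timestamp, nonce, body).encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return {
        "X-Access-Key": access_key,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "Authorization": "HMAC-SHA256 " + mac,
    }


class Verifier:
    """Server side: authenticate the caller, reject replays, then authorize the operation."""

    def __init__(self, credentials, now=time.time):
        self.credentials = credentials
        self.now = now          # injectable clock so the checks are testable
        self.seen_nonces = {}   # nonce -> timestamp it was signed with

    def _purge(self, now):
        # A nonce can be forgotten once its timestamp would fail the skew check anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= MAX_CLOCK_SKEW}

    def verify(self, method, path, query, body, headers):
        """Return (accepted, reason). Authentication first (who), authorization last (what)."""
        cred = self.credentials.get(headers.get("X-Access-Key"))
        if cred is None:
            return False, "unknown access key"
        secret, scopes = cred

        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        now = int(self.now())
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return False, "timestamp outside allowed window"

        nonce = headers.get("X-Nonce", "")
        self._purge(now)
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed or missing nonce"

        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "HMAC-SHA256":
            return False, "unsupported scheme"
        msg = string_to_sign(method, path, query, ts, nonce, body).encode()
        expected = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == leaks how many leading characters matched.
        if not hmac.compare_digest(expected, presented):
            return False, "bad signature"
        # Only a correctly signed nonce is remembered, so unsigned junk cannot fill the table.
        self.seen_nonces[nonce] = ts

        needed = REQUIRED_SCOPE.get(method.upper())
        if needed is None or needed not in scopes:
            return False, "not authorized for this operation"
        return True, "ok"
```

Note that a valid signature from the reader key on a POST is authenticated but still refused: the two checks are separate, which is the distinction the post draws between authentication and authorization.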

An interesting article about OAuth and security can be read at http://hueniverse.com/oauth/guide/security/.

Read also what the NSA says about implementing RESTful services:
http://www.nsa.gov/ia/_files/support/guidelines_implementation_rest.pdf

More reading:
HTTP Authentication - http://docs.oracle.com/javase/6/docs/technotes/guides/net/http-auth.html
Certificate-based authority: http://docs.oracle.com/cd/E19316-01/820-2765/gdzeb/index.html

For Apache Shiro working with RESTful services, check the blog:
http://blog.xebia.com/2011/04/18/apache-shiro/

Shiro integrating with Spring:
http://shiro.apache.org/spring.html

You can as well take a look at mod_security with Apache.
Oracle has a document on security:
http://www.oracle.com/us/products/middleware/identity-management/059410.pdf
And from Google:
http://lcsd05.cs.tamu.edu/slides/keynote.pdf

From Java.net:
http://weblogs.java.net/blog/gmurray71/archive/2006/08/restricting_acc.html

See how Amazon uses REST security:
http://docs.amazonwebservices.com/AmazonSimpleDB/latest/DeveloperGuide/HMACAuth.html?r=6357
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

Tomcat Realm and JAAS
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

Also see http://www.modsecurity.org/. ModSecurity supports the following approaches:

  • Negative Security Model - looks for known bad, malicious requests. This method is effective at blocking a large number of automated attacks; however, it is not the best approach for identifying new attack vectors. Using too many negative rules may also negatively impact performance.
  • Positive Security Model - when a positive security model is deployed, only requests that are known to be valid are accepted, with everything else rejected. This approach works best with applications that are heavily used but rarely updated.
  • Virtual Patching - its rule language makes ModSecurity an ideal external patching tool. External patching is all about reducing the window of opportunity. The time needed to patch application vulnerabilities often runs to weeks in many organizations. With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it), keeping your systems secure until a proper patch is produced.
  • Extrusion Detection Model - ModSecurity can also monitor outbound data and identify and block information disclosure issues such as leaking detailed error messages, Social Security Numbers or Credit Card Numbers.
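The four ModSecurity approaches listed above, reduced to a small request/response filter so the differences between them are visible in code. This is an added example, not ModSecurity's rule language or code from the linked site; the signatures, routes, virtual patch and response samples are all constructed. The negative and positive models both run on the inbound request, the virtual patch is a narrowly scoped negative rule placed in front of one endpoint, and extrusion detection scans the outbound body, with a Luhn check so that arbitrary runs of digits are not flagged as card numbers.

```python
import re

# Negative security model: a deny-list of request patterns known to be malicious
# (constructed sample signatures, far smaller than a real ruleset).
NEGATIVE_RULES = [
    ("sql-injection", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1")),
    ("xss", re.compile(r"(?i)<script\b|javascript:")),
    ("path-traversal", re.compile(r"\.\./")),
]

# Positive security model: the only (method, route, parameters) the API exposes (constructed).
# Anything not described here is rejected, whether or not it looks malicious.
POSITIVE_ROUTES = [
    ("GET", re.compile(r"^/api/items(/\d{1,9})?$"), {"limit": re.compile(r"^\d{1,3}$")}),
    ("POST", re.compile(r"^/api/items$"), {"name": re.compile(r"^.{1,64}$")}),
]

# Virtual patch: a targeted rule in front of one endpoint, deployed without touching the
# application, until the real fix ships (constructed example).
VIRTUAL_PATCHES = [
    ("POST", re.compile(r"^/api/items$"), "name", re.compile(r"[^\w .-]"),
     "item name must be alphanumeric until the backend validates it"),
]

# Extrusion detection: data that must never appear in a response body.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def negative_check(method, path, query):
    """Return the names of deny-list rules matched by the path or any query value."""
    fields = [path] + list(query.values())
    return [name for name, rx in NEGATIVE_RULES if any(rx.search(f) for f in fields)]


def virtual_patch_check(method, path, query):
    """Apply endpoint-specific patches; return (ok, reason)."""
    for m, route_rx, param, bad_rx, why in VIRTUAL_PATCHES:
        if m == method.upper() and route_rx.match(path) and param in query and bad_rx.search(query[param]):
            return False, why
    return True, "ok"


def positive_check(method, path, query):
    """Allow-list: the route must be known and every parameter expected and well-formed."""
    for m, route_rx, params in POSITIVE_ROUTES:
        if m == method.upper() and route_rx.match(path):
            for name, value in query.items():
                rule = params.get(name)
                if rule is None:
                    return False, "unexpected parameter " + name
                if not rule.match(value):
                    return False, "parameter " + name + " fails validation"
            return True, "ok"
    return False, "no matching route"


def luhn_ok(digits):
    """Luhn checksum, so that arbitrary 13-16 digit numbers are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def outbound_check(body):
    """Return the kinds of sensitive data found in a response body."""
    findings = []
    if SSN_RE.search(body):
        findings.append("ssn")
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("credit-card")
            break
    return findings


def inspect(method, path, query, response_body=None):
    """Run the inbound models in order, then the outbound check; return (decision, reason)."""
    hits = negative_check(method, path, query)
    if hits:
        return "block", "negative model: " + ", ".join(hits)
    ok, why = virtual_patch_check(method, path, query)
    if not ok:
        return "block", "virtual patch: " + why
    ok, why = positive_check(method, path, query)
    if not ok:
        return "block", "positive model: " + why
    if response_body is not None:
        leaks = outbound_check(response_body)
        if leaks:
            return "block-response", "extrusion: " + ", ".join(leaks)
    return "allow", "ok"
```

The ordering in inspect mirrors the trade-off in the list above: the negative rules are cheap and catch the bulk of automated noise, the positive model catches what the negative rules have never seen but must be updated whenever the API changes, and the outbound check is the last line against disclosure when both inbound models let a request through.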
