Tuesday, April 7, 2015

Securing your REST web service

  • Authentication for Identity Verification
  • Authorization
  • Encryption

  • For services consumed by your own mobile app, a user id and password (HTTP Basic) is enough; for third-party web or mobile apps, use OAuth so the third party never holds the user's password
  • TLS can be required per URL pattern in web.xml (a transport-guarantee of CONFIDENTIAL), and the session cookie can be marked Secure so it is never sent over plain HTTP
  • A JAX-RS resource can inject the SecurityContext with @Context to inspect the authenticated caller

Authentication: Configure web.xml
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>admin</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin API</web-resource-name>
    <!-- the url-pattern value is illustrative; the original snippet omitted it -->
    <url-pattern>/rest/admin/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>only let admin login</description>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>admin</role-name>
</security-role>

Login-config:
Defines how HTTP requests should be authenticated
Auth-method:
BASIC, DIGEST, FORM or CLIENT_CERT correspond to basic, digest, form-based and client certificate authentication respectively. BASIC sends the user id and password base64-encoded, not encrypted, on every request, so it is only acceptable over TLS
Realm-name:
Name of the realm, the user and group store the container authenticates against, that identifies valid users of the web application; for BASIC it is also sent to the client in the WWW-Authenticate challenge
Security-constraint:
Defines access privileges to a collection of resources
url-pattern:
URL pattern you want to secure
http-method:
Methods to be protected. If any method is listed, only the listed methods are constrained and all others stay open; omit http-method entirely to protect every method
Auth-constraint:
Names the roles authorized to access the URL patterns and HTTP methods declared by this security constraint. A security constraint with no auth-constraint allows everyone, and an empty auth-constraint (no role-name) denies everyone. Every role named here must also be declared in a security-role element, which lists all the security roles used in the application

Encryption: Configure web.xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>whole API</web-resource-name>
    <!-- the url-pattern value is illustrative; the original snippet omitted it -->
    <url-pattern>/rest/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <description>SSL</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

user-data-constraint: its transport-guarantee is NONE, INTEGRAL or CONFIDENTIAL and states how data must be transported between client and server. NONE allows plain HTTP; INTEGRAL requires tamper protection and CONFIDENTIAL requires encryption, and in practice containers satisfy both by requiring HTTPS. Note that a container usually redirects a plain-HTTP request to the HTTPS port rather than rejecting it, so a client that already sent Basic credentials in that first request has leaked them in clear text; clients must use https URLs from the start

Authorization Annotations
  • @RolesAllowed({"Admin","Customer"}) // roles permitted to execute the operation; a method-level annotation overrides a class-level one
  • @PermitAll // any caller may execute the operation, authenticated or not; it does not require a login by itself
  • @DenyAll // no caller may execute the operation
These are the javax.annotation.security annotations. Role names are matched as exact, case-sensitive strings against the security-role declarations in web.xml. A plain JAX-RS runtime does not enforce them unless a feature for them is registered (for example Jersey's RolesAllowedDynamicFeature); on an EJB resource the EJB container enforces them.
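The following is an added example, not code from the original post or from any JAX-RS implementation: a hand-written DynamicFeature that enforces @RolesAllowed, @PermitAll and @DenyAll on resource methods (the same job Jersey's RolesAllowedDynamicFeature does), plus a resource that uses the annotations. It relies on the container having already authenticated the caller through web.xml; the class names, the /orders path and the "admin" and "customer" role names are illustrative assumptions.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.List;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Added example: registers a RoleFilter on every resource method that carries a security annotation. */
@Provider
public class RolesAllowedFeature implements DynamicFeature {

    @Override
    public void configure(ResourceInfo info, FeatureContext context) {
        Method m = info.getResourceMethod();
        Class<?> c = info.getResourceClass();
        // A method-level annotation overrides the class-level one.
        if (m.isAnnotationPresent(DenyAll.class)) {
            context.register(new RoleFilter(null));
        } else if (m.isAnnotationPresent(RolesAllowed.class)) {
            context.register(new RoleFilter(m.getAnnotation(RolesAllowed.class).value()));
        } else if (m.isAnnotationPresent(PermitAll.class)) {
            // no filter at all: any caller, authenticated or not
        } else if (c.isAnnotationPresent(DenyAll.class)) {
            context.register(new RoleFilter(null));
        } else if (c.isAnnotationPresent(RolesAllowed.class)) {
            context.register(new RoleFilter(c.getAnnotation(RolesAllowed.class).value()));
        }
    }

    /** Aborts the request unless the caller holds one of the allowed roles. */
    @Priority(Priorities.AUTHORIZATION)   // runs after the container has authenticated the caller
    static final class RoleFilter implements ContainerRequestFilter {
        private final List<String> allowed;   // null means nobody is allowed (@DenyAll)

        RoleFilter(String[] roles) {
            this.allowed = roles == null ? null : Arrays.asList(roles);
        }

        @Override
        public void filter(ContainerRequestContext request) {
            SecurityContext sc = request.getSecurityContext();
            if (allowed != null) {
                for (String role : allowed) {
                    if (sc.isUserInRole(role)) {
                        return;   // authorized, let the request through
                    }
                }
            }
            // 401 when nobody is logged in (so the client can authenticate),
            // 403 when the caller is logged in but lacks the role.
            if (sc.getUserPrincipal() == null) {
                request.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header("WWW-Authenticate", "Basic realm=\"admin\"").build());
            } else {
                request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
        }
    }
}

/** Resource whose annotations the feature above enforces (path and role names are illustrative). */
@Path("/orders")
@RolesAllowed({"admin", "customer"})   // class-level default; must match the web.xml security-role names exactly
class OrderResource {

    @GET
    public String list() {
        return "orders visible to admin or customer";
    }

    @DELETE
    @Path("{id}")
    @RolesAllowed("admin")   // narrower than the class default
    public Response delete(@PathParam("id") String id) {
        return Response.noContent().build();
    }

    @GET
    @Path("health")
    @PermitAll   // reachable without any login
    public String health() {
        return "ok";
    }
}
```

Because the filter consults the container-populated SecurityContext, it only does useful work when the web.xml login-config and security-constraint for the same URL pattern are in place; without them every caller arrives with a null principal and every annotated method answers 401.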

JAX-RS Security Context (javax.ws.rs.core.SecurityContext, injected into a resource with @Context)
import java.security.Principal;

public interface SecurityContext {
  public Principal getUserPrincipal();   // identity of the authenticated user, or null if nobody is logged in
  public boolean isUserInRole(String role);   // whether the user belongs to the given role
  public boolean isSecure();   // whether this request was made over a secure channel (HTTPS)
  public String getAuthenticationScheme();   // one of the BASIC_AUTH, DIGEST_AUTH, CLIENT_CERT_AUTH or FORM_AUTH constants, or null if unauthenticated
}
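The resource below is an added example, not code from the original post: it uses the injected SecurityContext for the checks that annotations cannot express, namely that the caller may only read the account they own unless they hold the admin role, and that account data is never returned over a non-TLS channel. The /accounts path, the class name, the "admin" role and the in-memory balances are constructed illustrative assumptions.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/** Added example: object-level authorization with the JAX-RS SecurityContext. */
@Path("/accounts")
public class AccountResource {

    // Constructed sample data standing in for a database (assumption).
    private static final Map<String, String> BALANCES = new HashMap<>();
    static {
        BALANCES.put("alice", "100.00");
        BALANCES.put("bob", "42.50");
    }

    @GET
    @Path("{owner}")
    @Produces(MediaType.TEXT_PLAIN)
    public Response balance(@PathParam("owner") String owner,
                            @Context SecurityContext sc) {
        // Defense in depth: even if the web.xml transport-guarantee is missing or
        // misconfigured, refuse to hand out account data over plain HTTP.
        if (!sc.isSecure()) {
            return Response.status(Response.Status.FORBIDDEN).entity("TLS required").build();
        }

        Principal caller = sc.getUserPrincipal();
        if (caller == null) {
            // The container should have challenged already; never serve anonymous callers here.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // Role checks alone would let any authenticated customer walk /accounts/{owner}
        // for every owner. Tie the record to the caller's identity, with admin as the
        // only exception.
        if (!owner.equals(caller.getName()) && !sc.isUserInRole("admin")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        String balance = BALANCES.get(owner);
        if (balance == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.ok(balance).build();
    }
}
```

The ownership check is deliberately performed before the lookup, so a non-admin caller cannot use 404 versus 403 responses to learn which account names exist.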
