Wednesday, June 5, 2019
Securing Restful Services With Token Based Authentication Computer Science Essay
Enterprises are increasingly deploying RESTful services for two reasons: 1) to enable Web 2.0 integrations with data stores and backend systems, and 2) to allow RPC-style communication between client side web frameworks like GWT or YUI and backend systems. In addition, there are multiple frameworks to develop these services, which are consumed internally and externally by different endpoints in different contexts. Hence, it is vital to provide simple and adaptable security that both integrates seamlessly with enterprise security and brings authentication, authorization and integrity to the services. This paper covers the pros and cons of various approaches to RESTful services security: 1) Transport level security (TLS/SSL) provides secure peer-to-peer authentication, but this technique is inadequate when requests for authentication are based on delegation (allowing sites to authenticate on behalf of the user). 2) The OAuth protocol enables consumers to access services through an API that does not require consumers to disclose their service provider credentials to access services. This is the most commonly followed approach, used by Google AuthSub, AOL OpenAuth, and the Amazon AWS API. However, not all REST frameworks provide support for this protocol. 3) Token-based authentication, developed for the CA Technologies Unified Connector Framework (UCF) to expose services over REST or SOAP, combines the advantages of these two without compromising standards and simplicity.

Introduction

Since RESTful web services are exposed using the standard HTTP protocol and methods, they can easily be consumed in multiple ways, such as with direct access from browsers using URLs, through a programmatic interface using HTTP client libraries, and from client side frameworks such as JavaScript.
If enterprise systems provide RESTful access to their data and functionality, the open nature of REST requires a strong security solution to prevent access by unintended users, to prevent sniffers on the network from reading messages, and to control which users are allowed to interact with specific services and disallow certain actions for certain users. The question is what the strong security solution should be. The REST protocol itself does not specify any predefined security methods. Many people believe that HTTP security practices can be successfully applied to securing REST services. This can be true, depending on the scenarios in which RESTful services are consumed. HTTP security may be adequate if the RESTful services are intended for internal use only. One example is web applications using Ajax frameworks. Since they choose RPC over HTTP or RESTful services for backend interactions, invocation of services is internal to the UI and transparent to clients who interact with the UI. In such a scenario, HTTP security may be adequate. However, greater security is required when RESTful services are intended for external use. For example, the CA Technologies Catalyst integration platform provides RESTful services that can be consumed by such mechanisms as mashups, ESBs, Ruby scripts, and many more, and requires a higher level of security. Although the security requirements vary greatly for these two scenarios, we need a simple and adaptable solution for both. This article describes the commonly used security methods for RESTful services and suggests a solution that mostly fulfills the security requirements for externally published services, including REST, SOAP over JMS, SOAP over HTTP, and other protocols.
This approach was developed for and is used in the RESTful services of the Core API of the CA Technologies Catalyst integration platform.

Commonly available methods for securing RESTful services

Container-Managed Authentication and Authorization

As RESTful web services are HTTP-centric, the most natural fit for authentication and authorization is container based authentication and authorization. The concept of a realm plays a central role in the Tomcat approach. A realm is a collection of resources, including web pages and web services, with a designated authentication and authorization facility. The container approach to security is also declarative rather than programmatic, that is, details about the security realm are specified in a configuration file rather than in code. The container also provides an option to enable wire level security. Refer to [1] and [2] for information about configuring realms for authentication and authorization and SSL/TLS for wire level security.

The advantages of this method need not be specified explicitly here as they are proven and widely used. However, it has the following limitations when applied to RESTful services for enterprise use:

1) With user credentials based authentication, the security solution is confined to identity silos.
2) It does not support the ActAs scenario. An ActAs scenario involves multi-tiered systems that authenticate and pass information about identities between the tiers without having to pass this information at the application/business logic layer.

Mutual Authentication

HTTPS with client certificates enabled performs two-way authentication. In addition to the client receiving a signed digital certificate representing the server, the server can receive a certificate that represents and identifies the client. When a client initially connects to a server, it exchanges its certificate and the server matches it against its internal store. Once this link is established, there is no further need for user authentication.
Mutual authentication is perhaps the most secure way to perform authentication on the Web. This approach has the same drawbacks mentioned in the previous section. Another disadvantage of this approach is the management of the certificates. The server must create a unique certificate for each client that wants to connect to the service. From the browser/human perspective, this can be burdensome, as the user has to do some extra configuration to interact with the server.

Shared Key based authentication

This is the common method used by Amazon web services and Microsoft Azure services. In this method the client initially registers with the service provider. As part of registration, the service provider sends the client an Access Key ID and a Secret Access Key. When a client wants to invoke services, it prepares the request, performs a hash on the request using its Secret Access Key, attaches the signature (hash) to the request, and forwards it to the service provider. The service provider verifies that the signature is a valid hash of the request and, if authenticated, processes the request [3], [4]. This achieves requester authentication as well as integrity without SSL.

The problem with this authentication scheme is that the contents and ordering of the string to sign differ from one service provider to another. For instance, though Amazon's and Azure's mechanisms are very similar, their differences make them incompatible. Perhaps due to this issue, the OAuth approach covered in the next section is gaining popularity as a standard security mechanism for RESTful services.

OAuth

OAuth is an open protocol allowing secure API authentication and authorization in a simple and standard way for web applications. OAuth allows users of a service to grant a third party limited access to their account on the service without sharing their credentials.
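The shared-key scheme described in the Shared Key based authentication section, as an added example that is not code from the essay or from any provider's SDK: the client signs a canonical form of the request with its Secret Access Key and the provider recomputes and compares the signature. The string-to-sign layout, the sample key pair and the timestamp window are constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample registration data (not real credentials): the provider
# hands each client an Access Key ID and a Secret Access Key once.
CREDENTIALS = {"AKID-EXAMPLE-1": "secret-access-key-example"}

def string_to_sign(method, path, params, timestamp):
    """Canonical request: method, path, sorted query string, timestamp.
    Each provider lays this out differently, which is why the Amazon and
    Azure schemes end up incompatible even though the idea is the same."""
    canonical_query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, canonical_query, str(timestamp)])

def sign_request(access_key_id, secret, method, path, params, timestamp):
    """Client side: HMAC-SHA256 over the canonical request with the secret.
    The request carries the key id and the signature, never the secret."""
    msg = string_to_sign(method, path, params, timestamp).encode()
    signature = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return {"AccessKeyId": access_key_id, "Timestamp": str(timestamp),
            "Signature": signature}

def verify_request(headers, method, path, params, now, max_skew=300):
    """Provider side: look up the secret by key id, recompute the signature
    and compare in constant time. A timestamp outside the skew window is
    rejected so a captured request cannot simply be replayed later; 'now'
    is passed in so the check is deterministic."""
    secret = CREDENTIALS.get(headers.get("AccessKeyId", ""))
    if secret is None:
        return False
    try:
        ts = int(headers.get("Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > max_skew:
        return False
    expected = sign_request(headers["AccessKeyId"], secret, method, path,
                            params, ts)["Signature"]
    return hmac.compare_digest(expected, headers.get("Signature", ""))

if __name__ == "__main__":
    q = {"id": "42", "v": "1"}
    hdrs = sign_request("AKID-EXAMPLE-1", CREDENTIALS["AKID-EXAMPLE-1"],
                        "GET", "/orders", q, 1700000000)
    print(verify_request(hdrs, "GET", "/orders", q, now=1700000010))  # True
    # Any change to the parameters, path or method breaks the signature.
    print(verify_request(hdrs, "GET", "/orders", {"id": "43"}, now=1700000010))  # False
```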
OAuth is often described as a valet key that users can give to a service to access their accounts on other services. For example, a user of Flickr (the service provider) would provide Snapfish (the consumer) with read only access to their Flickr account. This lets Snapfish access photos in the user's Flickr account so they can order prints. Refer to [5] for more details about the OAuth specification.

OAuth has some distinct advantages:

1) It doesn't require certificates.
2) By choosing the right token format, it can support claims based tokens. A claim is a statement about a subject (for example, a name, key, group, permission, or capability) made by one subject about itself or another subject. Claims are given one or more values and then packaged in security tokens that are distributed by the issuer.
3) It supports the SAML token. SAML (Security Assertion Markup Language) is a standard for exchanging authorization and authentication data between an identity provider and a service provider regardless of their platforms or security systems.
4) OAuth with SAML enables federated authentication and authorization.

The only drawback is that not all RESTful services frameworks provide native support for dealing with OAuth based authentication. For example, Apache CXF does not support OAuth.

Token based Authentication

The CA Technologies Catalyst integration platform includes the Unified Connector Framework (UCF), which provides a Java-based solution for connectivity and integration among CA and third-party products. UCF has distinct security requirements:

1) It should be able to support ActAs scenarios: the platform should be able to invoke services from 3rd party providers on behalf of clients.
2) Catalyst exposes services in several different protocols, including RESTful, SOAP over HTTP, SOAP over JMS, etc.
Its security solution should work consistently in all the forms of the services.
3) Its security solution should be extensible, simple and adaptable in different scenarios.

To accommodate these requirements, UCF introduced a token based security solution using Public Key Infrastructure (PKI) certificates for authentication and authorization of its services. This solution has the following components:

Domain Trust Certificate (DTC) is an X.509 v3 certificate issued by a Certificate Authority (CA) or self signed by the DomainManager that controls the UCF domain.
Trusted Certificate (TC) is an X.509 v3 certificate signed by the DTC. A Node is either a service provider or a service consumer that owns a TC signed by the DTC.
Security Service is available per container, which hosts several connectors. This service issues a Token, validates the Token and sets the claims retrieved from the Token in the context so that they can be used by connectors or other entities in the container for authorization or ActAs scenarios.
CertAuthService is an independent entity that provides services like signing a Certificate Signing Request (CSR) [5] and providing the DTC public key.
Token consists of a set of claims signed by the Security Service.

Interactions on the Client side

1) The client generates a CSR (Certificate Signing Request) using keytool [6] and obtains an X.509 certificate signed by the DTC from the CertAuthService. The signed CSR is called a Trusted Certificate (TC) in the UCF domain.
2) The client makes an addTrust() request to the Security Service at the service provider by passing its public key certificate. This step enables the Security Service to validate the certificate and add the provided certificate to its trust store. Steps 1 and 2 are performed only once per client.
3) The client makes a getToken() call with a tokenRequest to the Security Service. The tokenRequest consists of claims and a signature computed using the client's private key.
If the client is using the UCF API to make remote calls, then steps 1 and 2 are transparent to the client at the time of proxy creation to the service endpoint.
4) The client prepares the request and adds the Token to the request header. If the client is using the UCF API to make remote calls, then adding the Token to the request header is transparent to the client.
5) The client makes a remote call.

Interactions on the Service side

The Security Service is hosted in a Catalyst container so that it is available both to external users and inside the container for security token validations.

1) For addTrust() calls, the Security Service validates the provided certificate's signature to find whether it is signed by the DTC or not. If it is DTC signed, then the Service adds the certificate to its trust store.
2) For getToken() calls, the Security Service checks the signature against the available keys in its trust store. If it succeeds, then a token is prepared and returned to the client. The token consists of claims, a lifetime and the signature of the Security Service.
3) For all incoming calls to the services available in the Catalyst container, calls are intercepted at CXF handlers and the token is verified with the Security Service. If it is from a valid client, then claims are extracted from the token and set in a thread local context so that they may be used by the connector implementation for further authorization or authentication with other service providers. Finally, the call is forwarded to the service. If the Security Service is unable to validate the token, an unauthorized exception is returned to the client.
4) Authorization is handled by any provider on the service using claims.

As described above, this solution supports authentication based on X.509 certificates, and authorization is done by any provider using claims. The same set of claims is used for the ActAs scenario.
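The addTrust() / getToken() / handler-side validation flow described above, as an added example that is not UCF code: a token is claims plus a lifetime plus the Security Service's signature, the handler verifies both signature and lifetime, and valid claims are placed in a thread-local context for the connector. So that it runs without certificate tooling, it assumes HMAC-SHA256 with shared per-node secrets in place of the X.509 private-key and DTC signatures, and a "sub" claim naming the requesting node; both are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import threading

# Assumption for this stand-alone example: HMAC-SHA256 with shared secrets
# stands in for the X.509/PKI signatures UCF actually uses.
SERVICE_KEY = b"constructed-security-service-key"
context = threading.local()   # per-thread claims, as set by the CXF handler

def sign(key, obj):
    data = json.dumps(obj, sort_keys=True).encode()   # canonical form
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class SecurityService:
    def __init__(self):
        self.trust_store = {}   # node -> verification key (filled by add_trust)

    def add_trust(self, node, node_key):
        # Stands in for checking that the TC is DTC-signed and storing it.
        self.trust_store[node] = node_key

    def get_token(self, token_request, now, lifetime=300):
        """Check the request signature against the trust store, then issue
        token = base64(claims + expiry) '.' Security Service signature."""
        claims = token_request["claims"]
        node_key = self.trust_store.get(claims.get("sub"))
        if node_key is None or not hmac.compare_digest(
                sign(node_key, claims), token_request["signature"]):
            return None
        body = base64.urlsafe_b64encode(json.dumps(
            {"claims": claims, "exp": now + lifetime}, sort_keys=True).encode()).decode()
        return body + "." + sign(SERVICE_KEY, body)

    def validate(self, token, now):
        """Handler side: verify signature and lifetime, then expose the claims
        through the thread-local context; returns None for a bad token."""
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sign(SERVICE_KEY, body), sig):
            return None
        decoded = json.loads(base64.urlsafe_b64decode(body))
        if now >= decoded["exp"]:
            return None
        context.claims = decoded["claims"]   # used for authorization / ActAs
        return decoded["claims"]

def client_token_request(claims, node_key):
    """Client side getToken() payload: claims + signature with the node's key."""
    return {"claims": claims, "signature": sign(node_key, claims)}
```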
For instance, services running in the Catalyst container can use those claims to talk to other services or endpoints on behalf of the client.

Conclusion

The solution described in Section 3 is a better fit for platforms/products like Catalyst that need to make services available in more than one form, such as REST, SOAP over HTTP and SOAP over JMS. It is a security solution that works consistently in all forms of services. Also, the solution is extensible to other modes of authentication, such as user credentials, other than certificate based. This solution needs additional work to replace the custom Token format with a SAML based one so that tokens can be consumed by third party software which understands SAML.

Acknowledgments

The solution described in Section 3 was contributed by the entire UCF team, which includes Sijelmassi, Rachid, me, GVN, Anila Kumar and Koganti, Naga.