Securing Restful Services With Token Based Authentication Computer Science Essay

Securing Restful go With item Based Authentication Computer Science EssayEnterprises are increasingly deploying relaxing run for two reasons 1) to enable Web 2.0 integrations with data stores and backend systems 2) to allow RPC-style communication between invitee case tissue frameworks like GWT or YUI and backend systems. In addition, t here(predicate) are multiple frameworks to develop these go that are consumed internally and externally by different endpoints in different contexts. Hence, it is vital to provide simple and adaptable auspices that two integrates seamlessly with enterprise gage and brings trademark, federal agency and faithfulness to the go. This paper c everyplaces the pros and cons of various burn upes of restful attend security measure 1) Transport level security (TLS/SSL) provides secure peer-to-peer assay-mark, but this technique is inadequate when requests for authentication are base on delegation (allowing sites to attest on behalf of the u sing upr). 2) The OAuth protocol enables consumers to access serve wells by dint of an API that does non involve consumers to disclose their advantage supplier credentials to access function. This is the most commonly followed approach customd by Google AuthSub, AOL OpenAuth, and the Amazon AWS API. However, not all REST frameworks provide stand out to this protocol. 3) Token- found authentication developed for CA Technologies incorporate Connector Framework (UCF) to expose services over REST or slime combines the advantages of these two without compromise standards and simplicity.IntroductionSince RESTful wind vane services are exposed using standard HTTP protocol and methods, they toilet easily be consumed in multiple ways, such as with direct access from browsers using URLs through programmatic interface using HTTP client libraries and from client side frameworks such as JavaScript,. If enterprise systems provide RESTful access to their data and functionality, the open nature of REST requires a strong security theme to proscribe access by unintended users to prevent sniffers on the network from checking messages and to control the users who are allowed to move with specific services and disallow certain actions for certain users. The question is what should be the strong security solution? The REST protocol itself does not specify any predefined security methods. Many people believe that HTTP security practices can be successfully applied for securing REST services. This can be true, depending on the scenarios where RESTful services are consumed. HTTP security may be adequate if the RESTful services are intended for internal use only. One example is web applications using Ajax frameworks. Since they pick up RPC over HTTP or RESTful services for backend interactions, invocation of services is internal to the UI and transparent to clients who interact with the UI. In such a scenario, HTTP security may be adequate.. However, greater securit y is required when RESTful services are intended for external use, For example, CA Technologies particle accelerator integration platform provides RESTful services that can be consumed by such mechanisms as mashups, ESBs, Ruby scripts, and many more, and requires a higher level of security. Although the security requirements greatly vary for these two scenarios, we ingest a simple and adaptable solution for both. This article describes the commonly used security methods for RESTful services and suggests a solution that mostly fulfills the security requirements for externally published services, including REST, SOAP over JMS, SOAP over HTTP, and other protocols. This approach was developed for and is used in the RESTful services of the Core API of CA Technologies Catalyst integration platform.Commonly purchasable methods for securing RESTful servicesContainer-Managed Authentication and AuthorizationAs RESTful web services are HTTP-centric, the most natural fit for authentication and authorization is container based authentication and authorization. The fancy of realm places a central role in the Tomcat approach. A realm is a sight of resources including web pages and web services, with a designated authentication and authorization facility. The container approach to security also is declarative than programmatic that is expand about the security realm are specified in a configuration file sort of than in code. The container also provides option to enable wire level security. Refer 1 2 for information about configuring realms for authentication and authorization and SSL/TLS for wire level security.The advantages of this method need not be specified explicitly here as they are proven and widely used. However, it has the following limitations when applied to RESTful services for enterprise useWith user credentials based authentication, the security solution is confined to identity silos.It does not birth the Actas scenario. An Actas scenario involves mu lti-tiered systems to authenticate and pass information about identities between the tiers without having to pass this information at the application/business system of logic layer. Mutual AuthenticationHTTPS with client enfranchisement enabled performs two-way authentication. In addition to the client receiving a subscribe digital certification representing the server, the server can receive a certificate that represents and identifies the client. When a client ab initio connects to a server, it exchanges its certificate and the server matches it against its internal store. Once this link is established, there is no further need for user authentication. Mutual authentication is perhaps the most secure way to perform authentication on the Web.This approach has the same drawbacks mentioned in the previous section. Another disadvantage of this approach is the managing of the certificates. The server must shape a unique certificate for each client that wants to connect to the ser vice. From the browser/human perspective, this can be burdensome, as the user has to do some extra configuration to interact with the server.Shared Key based authenticationThis is the common method used by Amazon web services and Microsoft Azure services. In this method initially the client registers with the service provider. As part of registration, the service provider sends the client an rise to power Key ID and a Secret Access Key. When a client wants to invoke services, it prepares the request, performs a hash on the request using its Secret Access Key, attaches the sense of touch (hash) to the request, and forwards it to the service provider. The service provider verifies the signature is a valid hash of the request and, if authenticated, processes the request (3 4). This achieves requester authentication as well as integrity without SSLThe problem with this authentication schemes is that the contents and ordering of the string to sign are different from one service provid er to another service provider. For instance, though Amazons and Azures mechanisms are very similar, their differences exonerate them incompatible.Perhaps due to this issue, the OAuth approach covered in the next section is gaining popularity as a standard security mechanism for RESTful services.OAuthOauth is an open protocol allowing secure API authentication and authorization in a simple and standard method for web applications. OAuth allows users of a service to provide limited access to a third party key of theirs to the service without sharing credentials. OAuth is often exposit as a valet key that users can construct to a service to access their accounts on other services. For example, a user of Flickr (the service provider) would provide Snapfish (the consumer) with read only access to their Flickr account. This lets Snapfish access photos in the users Flickr account so they can order prints. Refer 5 for more details about OAuth specification.OAuth has some distinct advan tagesIt doesnt require certificatesBy choosing the right token format, it can support claims based Token. A claim is a statement about a subject for example, a name, key, group, permission, or capability made by one subject about itself or another subject. Claims are granted one or more values and then packaged in security tokens that are distributed by the issuer.It supports the SAML token. SAML ( protective cover Assertion Markup Language) is a standard for exchanging authorization and authentication data between between an identity provider and a service provider regardless of their platforms or security systems.OAuth with SAML enables federated authentication and authorization.The only drawback is that not all RESTful services frameworks provide native support for dealing with OAuth based authentication. For example, Apache CXF does not support OAuth.Token based AuthenticationCA Technologies Catalyst4 integration platform includes the Unified Connector Framework (UCF) that prov ides a Java-based solution for connectivity and integration among CA and third-party products UCF has distinct security requirementsIt should be able to support Actas scenarios the platform should be able to invoke services from 3rd party providers on the behalf of clientsCatalyst exposes services in several(prenominal) different protocols, including RESTful, SOAP over HTTP, SOAP over JMS, etc. Its security solution should work systemati titley in all the forms of the services.Its security solution should be protractible, simple and adaptable in different scenarios.To go for these requirements, UCF introduced the token based security solution using public Key Infrastructure (PKI) certificate for authentication and authorization of its services. This solution has the following components.Domain Trust security department (DTC) is an X.509 v3 certificate issued by a Certificate Authority (CA) or self write owned by the DomainManager that controls the UCF domain.Trusted Certificate (TC) is a X.509 v3 certificate signed by DTC. A Node is either a service provider or service consumer who owns that TC signed by the DTC.Security Service is available per container2 which hosts several connectors1. This service issues a Token, validates the Token and sets claims retrieved from Token to the context so that they can be used by connectors or other entities in the container for Authorization or Actas scenarios.CertAuthService is an independent entity provides services like signing Certificate Signing Request CSR 5 and providing the DTC public keyToken consists of set of claims signed by security service.Interactions on the Client sideThe client generates a CSR (Certificate Signing Request) using keytool 6 and obtains a X.509 certificate signed by DTC from the CertAuthService. The signed CSR is called a Trusted Certificate (TC) in UCF domain.The client deposits an addTrust() request to the Security Service at the service provider by passing its public key certificate. This step enables the Security Service to validate the certificate and add provided certificate to its trust store. Steps 1 2 are performed only once per client.The client makes a getToken() call with tokenRequest to the Security Service. The tokenRequest consists of claims and a signature computed using the clients private key. If client is using UCF API to make remote calls, then steps 1 2 are transparent to the client at the time of proxy creation to the service endpoint.The client prepares the request and adds the Token to the request header. If client is using the UCF API to make remote calls, then adding the Token to the request header is transparent to the client.The client makes a remote callInteractions on the Service sideThe Security Service is hosted from a Catalyst container so that it is available to both external users and inside the container for security token validations. For addTrust() calls, the Security service validates the provided certificates signature to find whether it is signed by DTC or not. If it is DTC signed then the Service adds the certificate to its trust store.For getToken() calls, the Security service checks the signature against the available keys in its trust store. If it succeeds then a token is prepared and returned to the client. The token consists of claims, lifetime and the signature of the Security service.For all incoming calls to the services available in the Catalyst container, calls are intercepted at CXF handlers and the token is confirm with Security service. If it is from a valid client then claims are extracted out of the token and sets to thread topical anaesthetic context so that it may be used by connector implementation for further authorization or authentication with other service providers. Finally, the call is forwarded to the service. If the Security service is unable to validate the token, an illegitimate exception is returned to the client.Authorization is handled by any provider on service us ing claims.As described above, this solution supports authentication based on X.509 certificate and authorization is done by any provider using claims. The same set of claims is used for Actas scenario. For instance, services running in Catalyst container can use claims to talk to another services or endpoint on the behalf client.ConclusionThe solution described in Section 3 is a better fit for platforms/products like Catalyst that need to make services available in more than one form such as REST, SOAP over HTTP and SOAP over JMS. It is a security solution that works consistently in all forms of services. Also, the solution is extensible to other modes of authentication like user credentials other than certificate based. This solution needs superfluous work to replace custom Token format to SAML based so that tokens can be consumed in third party software which understands SAML. This.AcknowledgmentsThe solution described in Section 3 was contributed by constitutional UCF team whi ch includes Sijelmassi, Rachid, me, GVN, Anila Kumar and Koganti, Naga. .Actas