RESTful Java Web Services Security
Table of Contents
RESTful Java Web Services Security
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Setting Up the Environment
Downloading tools
Downloading links
Creating the base project
First functional example
Testing the example web service
Summary
2. The Importance of Securing Web Services
The importance of security
Security management options
Authorization and authentication
Authentication
Authorization
Access control
Transport layer security
Basic authentication by providing user credentials
Digest access authentication
An example with explanation
Authentication through certificates
API keys
Summary
3. Security Management with RESTEasy
Fine-grained and coarse-grained security
Securing HTTP methods
HTTP method – POST
HTTP method – GET
Fine-grained security implementation through annotations
The @RolesAllowed annotation
The savePerson method
The findById method
The @DenyAll annotation
The @PermitAll annotation
Programmatical implementation of fine-grained security
Summary
4. RESTEasy Skeleton Key
OAuth protocol
OAuth and RESTEasy Skeleton Key
What is RESTEasy Skeleton Key?
OAuth 2.0 authentication framework
Main features
OAuth2 implementation
Updating RESTEasy modules in JBoss
Setting up the configuration in JBoss
Implementing an OAuth client
The oauth-client project
The discstore project
The oauth-server project
webapp/WEB-INF/jboss-deployment-structure.xml
Running the application
SSO configuration for security management
OAuth token via Basic Auth
Running the application
Custom filters
Server-side filters
Client-side filters
Example usage of filters
Summary
5. Digital Signatures and Encryption of Messages
Digital signatures
Updating RESTEasy JAR files
Applying digital signatures
Testing the functionality
Validating signatures with annotations
Message body encryption
Testing the functionality
Enabling the server with HTTPS
Testing the functionality
Summary
Index
RESTful Java Web Services Security
Copyright © 2014 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: July 2014
Production reference: 1180714
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78398-010-9
www.packtpub.com
Authors
René Enríquez
Andrés Salazar C.
Reviewers
Erik Azar
Ismail Marmoush
Debasis Roy
Acquisition Editor
Vinay Argekar
Content Development Editor
Adrian Raposo
Technical Editor
Shruti Rawool
Copy Editor
Sayanee Mukherjee
Project Coordinators
Melita Lobo
Harshal Ved
Proofreaders
Simran Bhogal
Paul Hindle
Indexers
Hemangini Bari
Rekha Nair
Graphics
Abhinash Sahu
Production Coordinator
Arvindkumar Gupta
Cover Work
Arvindkumar Gupta
René Enríquez is currently a software architect for a multinational company headquartered in India. He has previously worked on many projects related to security implementation using frameworks such as JAAS and Spring Security to integrate many platforms based on the Web, BPM, CMS, and web services for government and private sector companies. He is a technology and innovation enthusiast, and he is currently working with several programming languages. He has achieved the following certifications:
- Oracle Certified Professional, Java SE 6 Programmer
- Microsoft Technology Associate
- Cisco Network Operating Systems
Over the past few years, he has worked as a software consultant on various projects for private and government companies and as an instructor of courses to build enterprise and mobile applications. He is also an evangelist of best practices for application development and integration.
Andrés Salazar C. is currently working at one of the most prestigious government companies in Ecuador, performing tasks related to software development and security implementation based on JAAS and digital signatures for secure applications. He also has extensive knowledge of OAuth implementation on web projects. He is a technology and Agile enthusiast, and he has worked on several projects using the JEE technology and TDD. He has achieved the following certifications:
- Oracle Certified Professional, Java SE 6 Programmer
- Certified Scrum Developer
Erik Azar is a professional software developer with over 20 years of experience in the areas of system administration, network engineering and security, development, and architecture. Having worked in diverse positions in companies ranging from start-ups to Fortune 500 companies, he currently works as a REST API architect for Availity, LLC in Jacksonville, FL. He is a dedicated Linux hobbyist who enjoys kernel hacking while experimenting with Raspberry Pi and BeagleBone Black boards. In his spare time, he works on solutions using embedded microprocessor platforms, Bluetooth 4.0, and connects to the cloud using RESTful APIs.
Ismail Marmoush is a Java and Machine Learning Certified Expert. He has published the open source projects RESTful Boilerplates for IAAS and PAAS (GAE), an artificial neural network framework, and crawlers/dataminers and some language code examples. You can find more about him, his work, and his tutorials on his personal blog (http://marmoush.com).
Debasis Roy is working as the Team Lead / Scrum Master of the sports team for Vizrt Bangladesh, based in Dhaka. He has 7 years of professional working experience as a software engineer in Java/C++-related technologies.
He has been working at Vizrt for the past 5 years. He started his journey here with a product called the Online Suite, also known as Escenic Content Engine/Studio, and he is now continuing with products related to Viz Sports. Vizrt provides real-time 3D graphics, studio automation, sports analysis, and asset management tools for the broadcast industry: interactive and virtual solutions, animations, maps, weather forecasts, video editing, and compositing tools.
Previously, he...