wilma - lesson 3. securing a rest api
TRANSCRIPT
PEP Proxy - Wilma GELesson 3 - Securing a REST API
Álvaro Alonso. UPM – DITSecurity Chapter. [email protected], @larsonalonso
Contents
• Checking Authentication• Checking Basic Authorization• Checking Advanced Authorization
Main concepts
• Authentication– Check if a user is a registered user
• Basic Authorization– Check if a user has permissions to access a resource– HTTP verb + resource path
• Advanced Authorization– Check if a user has permissions to access a resource– Custom XACML policies
Main concepts - Authentication
Backend ServiceREST API
HTTP request + TOKEN
Wilma
User
Keyrock GE
TOKEN
OK + user info
Main concepts – Basic Authorization
Backend ServiceREST API
HTTP request + TOKEN
Wilma
User
Keyrock GE
OK + user info
TOKEN
AutZForce GE
roles + verb + path
OK
Main concepts – Advanced Authorization
Backend ServiceREST API
HTTP request + TOKEN
Wilma *
User
Keyrock GE
OK + user info
TOKEN
AutZForce GE
roles + XACML req
OK
Guidelines
• Requests to Wilma
$ curl --header "X-Auth-Token:z2zXk...ANOXvZrmvxvSg"
http://proxy_host
Documentation
• XACML 3.0– http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os
-en.html
• AuthZForce GE– http://catalogue.fiware.org/enablers/authorization-pdp-authzforce
/documentation
PEP Proxy - Wilma GELesson 3 - Securing a REST APIÁlvaro Alonso. UPM – DITSecurity Chapter. [email protected], @larsonalonso