Wilma - Lesson 3. Securing a REST API
Page 1
PEP Proxy - Wilma GE
Lesson 3 - Securing a REST API
Álvaro Alonso. UPM – DIT, Security Chapter. [email protected], @larsonalonso
Page 2
Contents
• Checking Authentication
• Checking Basic Authorization
• Checking Advanced Authorization
Page 3
Main concepts
• Authentication
– Check if a user is a registered user
• Basic Authorization
– Check if a user has permissions to access a resource
– HTTP verb + resource path
• Advanced Authorization
– Check if a user has permissions to access a resource
– Custom XACML policies
Page 4
Main concepts - Authentication
Diagram: the User sends an HTTP request + TOKEN to Wilma; Wilma passes the TOKEN to the Keyrock GE, which answers OK + user info; Wilma then forwards the request to the Backend Service (REST API).
Page 5
Main concepts – Basic Authorization
Diagram: the User sends an HTTP request + TOKEN to Wilma; Wilma passes the TOKEN to the Keyrock GE, which answers OK + user info; Wilma then sends roles + verb + path to the AuthZForce GE, which answers OK; Wilma forwards the request to the Backend Service (REST API).
Page 6
Main concepts – Advanced Authorization
Diagram: the User sends an HTTP request + TOKEN to Wilma *; Wilma * passes the TOKEN to the Keyrock GE, which answers OK + user info; Wilma * then sends roles + XACML req to the AuthZForce GE, which answers OK; Wilma * forwards the request to the Backend Service (REST API).
Page 7
Guidelines
• Requests to Wilma
$ curl --header "X-Auth-Token:z2zXk...ANOXvZrmvxvSg" http://proxy_host
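The authentication and basic-authorization checks from the diagrams above, written out as an added JavaScript example (Wilma's own language) that is not part of the slides or of the Wilma project: Keyrock and AuthZForce are replaced by constructed in-memory stubs, and the tokens, role names and policy rules are assumptions.

```javascript
// Added example (not slide or Wilma project code): a minimal model of the two
// checks Wilma performs in front of a REST API, with Keyrock and AuthZForce
// replaced by in-memory stubs holding constructed data.

// Constructed stand-in for Keyrock token validation: TOKEN -> OK + user info.
// A Map avoids prototype lookups ("constructor") that a plain object would allow.
const KEYROCK_TOKENS = new Map([
  ["constructed-provider-token", { id: "alice", roles: ["provider"] }],
  ["constructed-customer-token", { id: "bob", roles: ["customer"] }],
]);

// Constructed basic-authorization policy: role -> allowed HTTP verb + path.
// A trailing "/*" matches any sub-path; any other pattern must match exactly.
const POLICY = [
  { role: "customer", verb: "GET", path: "/orders/*" },
  { role: "provider", verb: "GET", path: "/orders/*" },
  { role: "provider", verb: "DELETE", path: "/orders/*" },
];

// Step 1, Authentication: Wilma hands the TOKEN to Keyrock and receives the
// user info (including roles), or nothing if the token is unknown or expired.
function validateToken(token) {
  return KEYROCK_TOKENS.get(token) || null;
}

function pathMatches(pattern, path) {
  if (pattern.endsWith("/*")) return path.startsWith(pattern.slice(0, -1));
  return pattern === path;
}

// Step 2, Basic Authorization: roles + verb + path are evaluated against the
// policy (what AuthZForce does in a real deployment).
function isAuthorized(roles, verb, path) {
  return POLICY.some((rule) =>
    roles.includes(rule.role) && rule.verb === verb && pathMatches(rule.path, path));
}

// PEP decision: 401 when authentication fails, 403 when authorization fails,
// otherwise the request may be forwarded to the backend service.
// Header names are assumed lowercased, as Node's http module delivers them.
function pepDecision(request) {
  const token = request.headers["x-auth-token"];
  if (!token) return { status: 401, reason: "missing X-Auth-Token header" };
  const user = validateToken(token);
  if (!user) return { status: 401, reason: "token rejected by Keyrock" };
  if (!isAuthorized(user.roles, request.method, request.path)) {
    return { status: 403, reason: "role not allowed for verb + path", user: user.id };
  }
  return { status: 200, forward: true, user: user.id };
}
```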
Page 8
Documentation
• XACML 3.0
– http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
• AuthZForce GE
– http://catalogue.fiware.org/enablers/authorization-pdp-authzforce/documentation