User Management and Authentication API
Security for your applications
User security workflows
Security best practices
Developer tools, SDKs, libraries
HTTP Authentication...
1. Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
2. Challenge Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="name"
3. Resubmit Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
4. Successful Response
HTTP/1.1 200 OK
Content-Type: application/json
...
{
  "email": "jsmith@gmail.com",
  "givenName": "Joe",
  "surname": "Smith",
  ...
}
Example: OAuth 2
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Bearer mF_9.B5f-4.1JqM
Status Codes
401 vs 403
401 Unauthorized really means Unauthenticated:
"You need valid credentials for me to respond to this request."
HTTP Authorization
After authentication (authc), perform authorization (authz)
Filter requests before invoking the MVC layer
Blanket security policies
Per-URI customization
Best Practices
API Keys
Entropy
Independence
Speed
Reduced Exposure
Traceability
Rotation
Identifiers
Good
/accounts/x2b4jX3l31uiL
Not So Good
/accounts/1234
Why?
Identifiers
Should be opaque
Secure Random or Random/Time UUID
URL-friendly Base62 encoding
Avoid sequential numbers: random IDs distribute ID generation load and mitigate fusking attacks
Query Injection
String query =
    "select * from accounts where acct_id = '" +
    request.getParameter("acctId") + "'";
Vulnerable URL:
foo.com/accounts?acctId=' or '1'='1
Solution
Use a Parameterized Query API (Prepared Statements).
If not available, escape special characters.
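The deck's snippet is Java; this added example (not from the original slides) shows the same concatenation defect and its prepared-statement fix in Python against a constructed in-memory SQLite table, so the difference can be observed directly.

```python
import sqlite3

# Constructed sample data standing in for the deck's "accounts" table.
ACCOUNTS = [
    ("x2b4jX3l31uiL", "jsmith@gmail.com"),
    ("a9Qk2mZp7RtWe", "alice@example.com"),
    ("Q8dL0vBn3HsYc", "bob@example.com"),
]


def _connect():
    """Fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct_id TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(acct_id):
    """Mirrors the deck's Java snippet: the request parameter is spliced
    straight into the SQL text, so a quote in the input rewrites the query."""
    conn = _connect()
    query = "select * from accounts where acct_id = '" + acct_id + "'"
    rows = conn.execute(query).fetchall()
    conn.close()
    return rows


def lookup_safe(acct_id):
    """The deck's fix: a parameterized query. The value is bound, never
    parsed as SQL, so the same input matches no row instead of every row."""
    conn = _connect()
    rows = conn.execute(
        "select * from accounts where acct_id = ?", (acct_id,)
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    payload = "' or '1'='1"  # the deck's vulnerable URL value, quotes restored
    print(len(lookup_vulnerable(payload)), "rows with string concatenation")
    print(len(lookup_safe(payload)), "rows with a bound parameter")
```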
TLS
Use TLS for everything
Once electing to use TLS: never revert, never switch back and forth
TLS (cont'd)
Configure your SSL provider to only support strong (FIPS 140-2 compliant) algorithms
Use cipher suites with Perfect Forward Secrecy!
e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256
Configuration
Externalize passwords/credentials
Storage
Thank You!
les@stormpath.com
Twitter: @lhazlewood
https://stormpath.com
Free for developers
Eliminate months of development
Automatic security best practices
Sign Up Now: Stormpath.com