Software plumbing using middleware wrenches
January 18, 2012
JAX-RS, REST, RESTEasy Leave a comment
This is a maitenance release of 2.3.x series.
As always, to download and see documentation follow the links from our website. Take a look at our Jira release notes. You might also want to check out the Migration guide to view what has broken as far as backward compatibility if you’re upgrading from an earlier version.
November 22, 2011
Resteasy 2.3-RC1 has just been released. Please follows links on main resteasy page to see documentation and download links. We do have some backward-incompatibilities, so see the Migration Guide. If you can, please testdrive it! We will be doing a 2.3.GA release in 2 weeks so its up to you to find any critical blocker bugs we might have introduced!
After 2.3 is released we will be starting to work on Resteasy 3.0, a JAX-RS 2.0 implementation. In conjunction we will also be moving source control to github.
September 16, 2011
An online buddy of mine drew my attention to Blizzard’s new Community API for World of Warcraft. For those of you who aren’t familiar with World of Warcraft, it is a massive multi-player online role playing game. They have millions of players. The game is so successful and generates so much cash that Blizzard pays out a dividend to stock holders. Not only do they have millions of players, there’s also a very large community around WoW. The game itself has its own scripting language which you can use to write add-ons. This add-on community is huge with thousand upon thousands of apps written.
There’s also a large variety of third-party sites that provide character and guild management, quest information, gear info, damage simulators, and gear optimization. These types of tools need to access Blizzard’s databases. This is where Blizzard’s new REST-based Community API comes. Originally, a lot of these sites did screen scraping on WoW’s main website to grab information and access character management. Since April, they’ve been developing and publishing a full read and write RESTful interface for their applications. Its seems they picked REST because of the ease of integration between many languages.
In browsing the API documentation here’s a few things that jumped out at me
Document by example
The first thing to note is that the API is documented by example. Here’s the URL pattern you use. This is what the HTTP request looks like. This is the JSON data you should send, and this is what the JSON data looks like. IMO, this is what REST API documentation should look like. No WADL. No schema. Just plain, here’s what you can send, here’s what the request looks like. This is the approach I’ve taken with my API documentation. You gotta remember, the people that are going to be integrating with these APIs don’t come from SOAP-land, WS-*-land, CORBA-land, enterprise programming land. All will understand HTTP and JSON pretty easily. This is what I love about REST: “lightweight” interoperability with a very low barrier to entry.
Signature-based Authentication
Hackers are ruthless when it comes to World of Warcraft. I myself was hacked once and had to get my account restored. Blizzard is very careful about this as it creates a lot of support headaches for them. You can use a soft-token via your smart-phone. Or order and get an RSA-like physical token generator when you log into your game. As for the REST api, you need to acquire a public and private key. Authentication is done by hashing your private key along with the current time, URL, and HTTP method.
UrlPath = <HTTP-Request-URI, from the port to the query string>
StringToSign = HTTP-Verb + "\n" +
Date + "\n" +
UrlPath + "\n";
Signature = Base64( HMAC-SHA1( UTF-8-Encoding-Of( PrivateKey, StringToSign ) ) );
Header = "Authorization: BNET" + " " + PublicKey + ":" + Signature;
Amazon does something very similar for many of it’s public REST apis. While not true a true digital signature (sigs are encrypted hashes and don’t include the private key), its very close, and a lot simpler to use and understand for users.
Not very link driven
Can you imagine this API being explained via a set of link publishings rather than a set of URI patterns? I’ve taken advantage of HATEOAS, especially within the HornetQ REST API, but in many cases, just publishing the URI scheme can be very useful. Maybe its data-publishing vs. interaction? With a data-publishing app (WoW) it makes more sense to publish a URI scheme for your REST interface. With an interactive application (i.e. HornetQ REST), HATEOAS, link-driven interfaces make a lot more sense and give you a lot more flexibility.
Versioning?
On one of the forum posts, the developer talked about how he/she planned to version the API in the future. It seems that they will version using URIs. The latest and greatest will always use the same top-level URI schemes. If you want to tie yourself to an older version of the API, the URI scheme will be predicated ith a version identifier:
New API: /api/wow/realms Old API /api/wow/v1/realm/status"
All and all it will be great to see this API evolve over time. This will be a great public display of a REST API and it will be very interesting to see how Blizzard tackles various issues. There’s a lot we can learn here.
September 15, 2011
I don’t usually make a lot of noise about a beta release, but there’s some new security features I’d like everybody to test drive (along with a bunch of bug fixes). Also, there’s a few backward incompatibilities to be aware of. New features?
As always, to download and see documentation follow the links from our website. Take a look at our Jira release notes. You might also want to check out the Migration guide to view what has broken as far as backward compatibility.
September 1, 2011
I’m catching up on some blog reading. A great blog on REST, if you don’t read it already, is Subbu Allamaraju‘s (in my blog links too). I like to call him Dr. REST. Back in May he wrote about Richardson’s Maturity Model and how measuring your APIs against the model is the wrong thing to do (I think he’s followed it up with a presentation). I can’t agree more. What I like about this model (and other articles like it) is that I like to compare it to my own history of growing my understanding of REST. IMO, what you should do these models and guidelines is read them, examine them, see if they spark any ideas for improving your application. They just might improve your understanding of REST and why certain constraints are good. Don’t try to fit your API to REST. Let REST help you write a better API. Don’t apply REST for the sake of REST. This is primarily why I unplugged myself from the rest-discuss mailing list. If you treated applying REST as a set of guidelines instead of a set of laws you were castigated for it. Wrong approach.
Anyways, as usual, great blog Subbu. BTW, you should check out his book too.
August 30, 2011
flame bait, python 10 Comments
Awhile back I ranted against using dynamic languages like Ruby, Python etc. Recently, I’ve been using Python as a way to test Resteasy’s SMIME integration. It was an extremely frustrating experience that would have been much better if Python was statically typed. Why? Well, take a look at this documentation for doing SMIME with Python and M2Crypto. The problem was is that the examples are interacting with Python’s mail API. I needed to be able to send SMIME over HTTP. So, I needed to understand the M2Crypto API a little bit better. If you look at the example code, you have no idea which additional methods are available, and more frustratingly, when types of objects these methods return. The auto-generated javadoc-like docs for M2Crypto were even less helpful. What I had to end up doing was diving into the M2Crypto codebase to figure out exactly what was going on.
Moral of the story? Programming in dynamic languages can be a lot of fun. But when you run into APIs you’re not familiar you’re pretty much at the mercy of the documentor. If the documentation sucks, you’re pretty much up shit creek and forced to dive into the code to understand what is going on.
August 16, 2011
Over the past 6 months off and on I’ve been researching and prototyping various security related features for Resteasy. One thing I’ve wondered is, is anybody really doing anything with HTTP message signing and encryption? Email seems pretty well rounded in this area with specifications like DOSETA/DKIM and SMIME. You could theoretically apply these specifications to HTTP, and I have, but I could find no examples of people doing so on the Web. Maybe its just that my Google searching skillz are poor.
Another thing I’ve noticed is that the crypto libraries (bouncycastle and python’s M2Crypto) pretty much center around email as the protocol and you have to dive into the codebase a bit to figure out ways to transmit things over HTTP. Bouncycastle relies on javax.mail multipart implementation which is a bit limited and not very lenient on parsing (Didn’t like python’s SMIME output).
Anyways, I hope to do a Resteasy 2.3 beta soon with SMIME support. With it I’ll have examples of Python clients posting to Resteasy services transmitting SMIME formated requests. I’ll post a few blogs on the subject so you can see how to transmit SMIME between M2Crypto and Bouncycastle. (Python and Java).
In the meantime, does anybody have any experience in this area?
August 3, 2011
JAX-RS, REST, RESTEasy Leave a comment
This is just a maintenance release to fix a few minor and critical bugs found by the community. You can download 2.2.2 here. Release notes are here.
Hopefully we can now focus on getting a 2.3 beta out the door. Currently I’m working on S/MIME integration as well as a decentralized auth protocol discussed in previous blogs.
June 23, 2011
June 19, 2011
REST, security, Webservices 6 Comments
Distributed workflow has to be the most complex use case to secure. In it you could have multiple participants being coordinated both synchronously and asynchronously. All forwarding and distributing information and data in between each other. All needing to trust one another. If you could define a relatively scalable and simple solution for workflow, you’d have something that would work in less complex scenarios.
The hub and spoke model that seems to be popular involves a central identity management provider (IDP) that participants ping to authenticate requests and to receive security information. The biggest problem I foresee with this approach is that the IDP becomes a central point of failure. The IDP needs to be available for applications to work. It needs to be on the same network. There’s a lot of extra distributed requests that need to be made.
All these problems bring me to thinking about the stateless principle of REST. RESTful services can have state, but not session state. The idea is that session state travels with the request. Could we do something similar with security information? Sure why not! How could you trust the integrity of such information? Digital Signatures. I’m sure there are protocols out there that have thought of similar ideas, but its cool to think things out for yourself. If your ideas match a particular existing protocol or specification you know you’re on the right track. The idea have have works as follows.
Let’s pretend we have a User named Bill that wants to interact with a Travel Agent service that will buy a ticket for him on an airline, reserve an airport taxi, and reserve a hotel room. So, Bill is interacting with the Travel Agent directly. The Travel Agent is acting on behalf of Bill when it interacts with the airline, taxi, and hotel services. The airline, tax, and hotel have to trust both the travel agent and Bill.
Step 1: Bill authenticates with an IDP saying he wants to interact with the Travel Agent. The IDP returns metadata that specifies both Bill’s and the Travel Agent’s permissions for all the interactions that must take place. It also returns the public keys for Bill and the Agent. The IDP digitally signs all this information using its private key.
Step 2: Bill sends a reservation request to the Travel Agent service. Bill signs the request including the signed permissions and keys provided by the IDP. Here’s what the request might look like:
POST /travel Host: travelagent.com Content-Type: application/reservation+xml Authorization: doseta-auth user=bill;h=Visa:Permissions:Public-Keys:Host;verb=POST;path=/travel;bh=...;b=... Visa: initiator=bill;h=Permissions:Public-Keys;d=idp.com;b=... Permissions: bill="agent hotel airline taxi"; agent="reserve-hotel reserve-taxi reserve-flight" Public-Keys: bill=23412341234;agent=3423412341234 <reservation>...</reservation>
Step 3: The Travel Agent authenticates and authorizes Bill’s request. The Authorization header contains metadata that is signed by Bill. The metadata signed by bill is the HTTP verb and path of the request (POST and /travel), and the hash of the XML posted by the request, as well as the Visa, Permissions, and Public-Key headers included within the request. The Travel Agent verifies this signed metadata by finding and using Bill’s public key in the transmitted Public-Keys header. If the signature passes, then the Travel Agent knows that Bill sent the request. But….It does not know yet if Bill is a trusted identity.
Step 4: How does the Travel Agent know Bill is a valid person? How does it know that Bill is allowed to make a reservation? To answer these questions, the Travel Agent first looks at the transmitted Visa header. What it boils down to is that the Travel Agent only trusts the IDP. The Visa header was generated by the IDP and is a digital signing of the Permissions and Public-Keys header. The IDP through the Visa header tells the Agent the permissions involved with the request and who will participate in the overall interaction. The Agent only needs to know the IDP’s public key prior to the request being initiated. So, the Agent verifies the digital signed Visa header using the stored public key of the IDP. A successful verification also means that the Agent can trust that Bill initiated the request. It can then look at the Permissions header to determine whether or not Bill is allowed to perform the action.
Step 5: Next the Travel Agent needs to interact with the Airline, Hotel and Taxi services on behalf of Bill. Here’s what a request to the Airline might look like.
POST /flights/tickets Host: airline.com Content-Type: application/ticket-purchase+xml Authorization: doseta-auth user=agent;h=Visa:Permissions:Public-Keys:Host;verb=POST;path=/flights/tickets;bh=...;b=... Visa: initiator=bill;h=Permissions:Public-Keys;d=idp.com;b=... Permissions: bill="agent hotel airline taxi"; agent="reserve-hotel reserve-taxi reserve-flight" Public-Keys: bill=23412341234;agent=3423412341234 <purchase>...</purchase>
You’ll notice that the Visa, Permissions, and Public-Keys headers are the same values as the original request made by Bill. The Authorization header is different as the Travel Agent is making the request. The airline services does authentication and authorization of the Agent’s request the same exact way the Agent did for Bill’s request. Again, the key part of this is that only the IDP is trusted and only the IDP’s public key needs to be known ahead of time.
Disclaimer, I’m new to security so dealing and thinking about attacks is new to me. Generally a lot of attacks can be prevented by specifying a timestamp and expiration with each sign piece of data. Services can refuse to honor old requests. Nonces could also be included within signature metadata to avoid replays.
User’s Private Key is compromised
User’s authentication with the IDP doesn’t have to be key based. It could be TOTP based where the user has to login through his browser providing a password along with a device-generated time-based key. The IDP could then return a temporary private key the client uses to sign requests.
IDP’s Private Key is compromised
This is a scary one. Maybe it could be prevented by requiring and acquiring Visa’s from multiple IDPs? A service would verify signatures from two or more IDPs. The probability of more than one IDP’s private key being compromised becomes less and less the more IDPs you have involved with the interadtion.
So here’s a summary of this brainstormed protocol:
This is just a rough outline, but there’s probably other things that could be added. Like nonce’s for instance. Its just a matter of implementing it and getting people to use it. The real question is, is there an existing protocol already out there that does this sort of thing?
