If you went to my presentations at JUDCon/JBossWorld/RHS 2011 or read my recent blog posting you’ve probably noticed that I’m starting to focus on REST+Security. This will be the start of a series of blogs that attempts to solidify a common vision around Security+REST and spec out what we’re going to do for RESTEasy and JBoss.
Internet Security is A Ghetto
One thing I’ve noticed is what a ghetto Internet security is, or even security in general. There are old and new specifications, various industry collaborations efforts that succeed sort of (OpenID), start to succeed then have mutinies (OAuth), WS-* specs trying to bleed into the Web space (SAML), and promising specs that have had success in the email world (DKIM). That’s just the small list of examples. Its a freakin mess! One common thread seems to be that most of them focus on providing security for the Internet (Internet with a capital ‘I’) and most have their roots in providing security for browser based apps. Enterprise apps, while they can build off of security specs defined for the Internet, can often have very different requirements. Web services can also have different requirements as well as a human (browser) may not be involved with client/server interactions. In summary, I guess what I’m saying is that there are too many specs, no clear winners, too browser focused, and very little Enterprise focused.
What I’m trying to do with this and subsequent blogs is to brainstorm what high-level requirements for security enterprise apps should have, how can we make deployment of a security solution easier, what existing specs are applicable, what existing specs are open to input, what new specs have to be implemented, how can we make the protocols as easy to implement as possible in multiple languages, and finally, how can we design security services to make it as easy as possible to deploy to our Enterprise applications.
If I had to deploy a security solution…
A security solution I’d like to have would take enterprise as well as the difference between browser and non-browser clients in mind. Its gotta balance strong security with ease of deployment, ease of use, and ease of implementation. Many of these will be obvious, but I want to write it down.
- For browser based clients I’d to authenticate using a user password and a one-time-password (OTP) generated by a soft or hard token generator. Plain passwords are just not viable. I myself have had both my GMail and World of Warcraft accounts hacked. A combo of password + random key allows users to have simple to remember passwords yet be secure enough not to get hacked. With smart phones like iPhone and Android, its easy to acquire a soft key generator (or implement one) without paying RSA an arm and a leg.
- After authentication, the browser client should obtain an expirable cookie that it forwards with each request that contains authentication information the server will use to authenticate subsequent requests.
- For non-browser clients, I like the idea of digitally signed requests. Verification of a digitally signed request would be the authentication mechanism. What’s good about this (like the OTP of browser-based clients) is that credentials are different per request in that they are part of the attached signature. A nonce and/or an expiration can be included within the digital signature to avoid replay attacks.
- I foresee the need for non-browser clients to make requests on behalf of other services to other services. Attaching multiple signatures to a request might be the way here.
- It would be really cool to have a decentralized way to to both authenticate and authorize. The hub and spoke approach that Picketlink STS uses creates a bit of a single point of failure and can require extra network round trips. This decentralized mechanism should be able to work in an environment where services are making requests to other services on behalf of one or more identities.
- A user had a really interesting case where they wanted to provide access to content through signed URLs. The idea is that they would generate a signed URL and email it to a user to click on. Very interesting.
Here’s some specs that I thought of off the top of my head that could be useful. If anybody has ideas of others, let me know.
- Time-based One Time Password Algorithm (TOTP). Anil already did some work in Picketlink to implement this protocol. We still need to integrate it as a Authenticator Valve in JBossWeb. There’s also a nice iPhone app that supports TOTP. I actually forked and re-implemented a lot of it on my own when I was learning Objective C a few months ago. We’re looking at creating an Apple App Store account to distributed this forked implementation so we can brand it Red Hat.
- SAML. This may be what we need to do decentralized authorization. I’m not fully versed in the spec, but I have read up on their HTTP bindings. I’m not sure if there is any way to tunnel assertions through an HTTP header. (We don’t want to send SOAP requests). If we can use SAML, we can piggyback off of a lot of the efforts already done in the Picketlink project.
- Doseta. I’ve already blogged about this protocol. Using DNS to distribute keys is a little weird, but cool. I’m asking that working group for this spec to break out Doseta into a few different specifications so that we can re-use the signature calculation algorithm in a standard way and to also make DNS public key publication optional and maybe also to provide an HTTP way to distribute keys.
- Amazon REST Authentication. Specs out how to sign URLs. Maybe this could be standardized at IETF.
- OpenID. OpenID seems interesting for decentralized authentication, but I’m not sure if it can be used as a mechanism to do decentralized authorization. OpenID is also more of a browser-based technology.
- OAuth. OAuth has both browser and non-browser bindings. OAuth 2.0 pretty much leaves out what a token looks like. I also don’t really want a token based system for non-browser clients
Possible Middleware Services
Here’s some ideas for services/integration we would implement.
- HTTP Identity Proxy. While implementing just an HTTP Proxy Cache is boring what might make these feasible is applying Identity to the mix. This would delegate authentication and even authorization to an outside service. Requests would be authenticated/authorized through the proxy, digitally signed, then forwarded to the target service. The target service then only need to verify the signed request using the public key of the proxy. While there’s obvious performance drawbacks, what’s interesting about this is that the application doesn’t have to think much about security and it could possibly be added even after the service is deployed.
- TOTP Authenticator Valve. Nuff said…I tihnk Anil already has this.
- Better Auth integration with JBossWeb and the JBoss Security Domain abstraction. Right now there’s just too many steps to enable things.
- Various auth plugins for JBossWeb to realize our vision here.