Open Source Security: March 2019

Friday, March 29, 2019

HTTP Signature support in Apache CXF

Apache CXF provides support for the HTTP Signatures draft spec since the 3.3.0 release. Up to this point, JAX-RS message payloads could be signed using either XML Security or else using JOSE. In particular, the JOSE functionality can be used to also sign HTTP headers. However it doesn't allow the possibility to sign the HTTP method and Path, something that HTTP Signature supports. In this post we'll look at how to use HTTP Signatures with Apache CXF.

I uploaded a sample project to github to see how HTTP Signature can be used with CXF:

cxf-jaxrs-httpsig: This project contains a test that shows how to use the HTTP Signature functionality in Apache CXF to sign a message to/from a JAX-RS service.

1) Client configuration

The client configuration to both sign the outbound request and verify the service response is configured in the test code:

	List<Object> providers = new ArrayList<>();
	providers.add(new CreateSignatureInterceptor());
	providers.add(new VerifySignatureClientFilter());
	String address = "http://localhost:" + PORT + "/doubleit/services";
	WebClient client = WebClient.create(address, providers, busFile.toString());
	client = client.type("application/xml");

	Map<String, Object> properties = new HashMap<String, Object>();
	properties.put("rs.security.signature.out.properties", "client.httpsig.properties");
	properties.put("rs.security.signature.in.properties", "service.httpsig.properties");
	WebClient.getConfig(client).getRequestContext().putAll(properties);

view raw gistfile1.txt hosted with ❤ by GitHub

Two JAX-RS providers are added - CreateSignatureInterceptor creates a signature on the outbound request, and VerifySignatureClientFilter verifies a signature on the response. The keys used to sign the request and verify the response are configured in properties files, that are referenced via the "rs.security.signature.out.properties" and "rs.security.signature.in.properties" configuration tags:

	rs.security.keystore.type=jks
	rs.security.keystore.password=cspass
	rs.security.keystore.alias=myclientkey
	rs.security.keystore.file=clientstore.jks
	rs.security.key.password=ckpass
	rs.security.http.signature.key.id=client-key-id

view raw gistfile1.txt hosted with ❤ by GitHub

Here we can see that a keystore is being used to retrieve the private key for signing the outbound request. If you wish to retrieve keys from some other source, then instead of using configuration properties it's best to configure the MessageSigner class directly on the CreateSignatureInterceptor.

By default CXF will add all HTTP headers to the signature. In addition, a client will also include the HTTP method and path using the "(request-target)" header. Also if the payload is not empty, it will be digested with the digest added to a "Digest" HTTP header, which is also signed. This provides payload integrity. By default, the signature algorithm is "rsa-sha256", of course it is possible to configure this. A secured request using HTTP signature looks like the following:

2) Service configuration

The service configuration is defined in spring. Two different JAX-RS providers are used on the service side - VerifySignatureFilter is used to verify a signature on the client request, and CreateSignatureInterceptor is used to sign the response message as per the client request.

	<jaxrs:server address="http://localhost:${testutil.ports.Server}/doubleit">
	<jaxrs:serviceBeans>
	<ref bean="serviceBean"/>
	</jaxrs:serviceBeans>
	<jaxrs:providers>
	<bean class="org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureFilter" />
	<bean class="org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor" />
	</jaxrs:providers>
	<jaxrs:properties>
	<entry key="rs.security.signature.in.properties"
	value="client.httpsig.properties" />
	<entry key="rs.security.signature.out.properties"
	value="service.httpsig.properties" />
	</jaxrs:properties>
	</jaxrs:server>

view raw gistfile1.txt hosted with ❤ by GitHub

For more information on how to use HTTP Signatures with Apache CXF, refer to the CXF documentation.

Thursday, March 21, 2019

Using authorization with JWT tokens in Apache CXF

JSON Web Tokens (JWT) have been covered extensively on this blog (for example here). In this post we will cover how JWT tokens can be used for authorization when sent to a JAX-RS web service in Apache CXF. In particular, we will show how Apache CXF 3.3.0 supports claims based access control with JWT tokens.

1) JWT with RBAC

JWT tokens can be used for the purpose of authentication in a web service context, by verifying the signature on the token and taking the "sub" claim as the authenticated principal. This assumes no proof of possession of the token, something we will revisit in a future blog post. Once this is done we have the option of performing an authorization check on the authenticated principal. This can be done easily via RBAC by using a claim in the token to represent a role.

Apache CXF has a SimpleAuthorizingInterceptor class, which can map web service operations to role names. If the authenticated principal is not associated with the role that is required to access the operation, then an exception is thrown. Here is an example of how to configure a JAX-RS web service in CXF with the SimpleAuthorizingInterceptor for JWT:

	<bean id="serviceBean" class="org.apache.coheigea.cxf.jaxrs.json.common.DoubleItJWTAuthenticationService"/>

	<bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>

	<bean id="jwtFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter">
	<property name="roleClaim" value="role"/>
	</bean>

	<bean id="authorizationInterceptor"
	class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
	<property name="methodRolesMap">
	<map>
	<entry key="doubleIt" value="boss"/>
	</map>
	</property>
	</bean>

	<jaxrs:server address="http://localhost:${testutil.ports.Server}/doubleit">
	<jaxrs:serviceBeans>
	<ref bean="serviceBean"/>
	</jaxrs:serviceBeans>
	<jaxrs:providers>
	<ref bean="jackson"/>
	<ref bean="jwtFilter"/>
	</jaxrs:providers>
	<jaxrs:inInterceptors>
	<ref bean="authorizationInterceptor"/>
	</jaxrs:inInterceptors>
	<jaxrs:properties>
	<entry key="rs.security.keystore.type" value="jks" />
	<entry key="rs.security.keystore.alias" value="myclientkey"/>
	<entry key="rs.security.keystore.password" value="cspass"/>
	<entry key="rs.security.keystore.file" value="clientstore.jks" />
	<entry key="rs.security.signature.algorithm" value="RS256" />
	</jaxrs:properties>
	</jaxrs:server>

view raw server.xml hosted with ❤ by GitHub

Here the JwtAuthenticationFilter has been configured with a "roleClaim" property of "role". It then extracts the configured claim from the authenticated token and uses it for the RBAC authorization decision. To see this functionality in action, look at the corresponding test-case in my github repo.

2) JWT with CBAC

Since CXF 3.3.0, we can also use the Claims annotations in CXF (that previously only worked with SAML tokens) to perform authorization checks on requests that contain JWT tokens. This allows us to specify more fine-grained authorization requirements on the token, as opposed to the RBAC approach above. For example, we can annotate our service endpoint as follows:

	@Path("/services")
	public class DoubleItJWTClaimsAuthenticationService {

	@POST
	@Produces("application/json")
	@Consumes("application/json")
	@Claim(name = "role", value = {"boss", "ceo"})
	public Number doubleIt(Number numberToDouble) {
	...
	}

	}

view raw DoubleItJWTClaimsAuthenticationService.java hosted with ❤ by GitHub

Here we can see a "role" claim is required which must match either the value "boss" or "ceo". We can enable claims based authorization by adding the ClaimsAuthorizingFilter as a provider of the endpoint, with the "securedObject" parameter being the service implementation:

	<bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>

	<bean id="claimsServiceBean"
	class="org.apache.coheigea.cxf.jaxrs.jwt.authorization.DoubleItJWTClaimsAuthenticationService" />

	<bean id="claimsHandler" class="org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter">
	<property name="securedObject" ref="claimsServiceBean"/>
	</bean>

	<jaxrs:server address="http://localhost:${testutil.ports.Server}/doubleitclaims">
	<jaxrs:serviceBeans>
	<ref bean="claimsServiceBean"/>
	</jaxrs:serviceBeans>
	<jaxrs:providers>
	<ref bean="jackson"/>
	<bean class="org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter" />
	<ref bean="claimsHandler"/>
	</jaxrs:providers>
	<jaxrs:properties>
	<entry key="rs.security.keystore.type" value="jks" />
	<entry key="rs.security.keystore.alias" value="myclientkey"/>
	<entry key="rs.security.keystore.password" value="cspass"/>
	<entry key="rs.security.keystore.file" value="clientstore.jks" />
	<entry key="rs.security.signature.algorithm" value="RS256" />
	</jaxrs:properties>
	</jaxrs:server>

view raw server-claims.xml hosted with ❤ by GitHub

We can specify multiple claims annotations and combine them in different ways, please see the CXF webpage for more information. To see this functionality in action, look at the corresponding test-case in my github repo.