In a recent post we introduced the REST service as an integration option growing in popularity.
Use cases for this type of integration typically include exposing REST services for mobile app consumption and for cloud-based/third-party integrations. The question quickly arises: how can I secure these services? SOAP services have multiple well-defined security standards such as WS-Security, SAML and even XML digital signatures. Since REST is based on HTTP, it can support basic encryption (SSL) and authentication (BasicAuth), but many enterprise-level applications require more flexible and comprehensive security solutions.
Enter DataPower, an appliance built specifically for web services deployments, governance, light integrations and hardened security in a single "drop-in" box. By adding DataPower as a reverse proxy in front of your REST services in your DMZ, you immediately get the following security benefits:
- Fine-grained Au/Az (authentication/authorization)
- Data validation
- SQL injection protection
- Throttling
AAA node
The root of DataPower's security is the AAA node: a flexible security processor that can extract a variety of tokens, authenticate and authorize those tokens against a variety of Policy Decision Points (PDPs) and, if required, convert the tokens to different formats for downstream processing. A typical REST use case is one where an HTTP Basic-Auth header is sent with the request, validated and authorized against a control server (LDAP, for example), transformed into a different security token if required (HTTP Basic-Auth to SAML token), and the request is then forwarded to the actual service. With the flexibility of the AAA node, each component can be interchanged: OAuth tokens, Tivoli control servers, and more.
JSON-XSD validation including SQL injection
REST services have moved away from XML documents to JSON for its ease of client-side manipulation. The downside is that you are unable to define the data structure of JSON the way an XSD does for XML. DataPower, however, has a built-in JSON-to-JSONx converter that takes a valid JSON structure and outputs XML. One can then use a well-defined XSD to validate the data and protect against SQL injection using the built-in filter. A side benefit is that you can also transform the JSONx structure to SOAP, i.e. DataPower provides a REST/JSON interface to SOAP services.
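As an added illustration (not DataPower's own code), the Python below mirrors the two steps described above: it encodes a parsed JSON body in IBM's JSONx XML vocabulary and then checks the result against a closed schema that stands in for the XSD. The order-lookup service, its member names and the constraints are hypothetical; the point is that a tight allowlist of members and value patterns rejects an injection-shaped value without any signature matching.

```python
import json
import re
import xml.etree.ElementTree as ET

# IBM's JSONx namespace, the vocabulary DataPower's JSON-to-JSONx action emits.
JSONX_NS = "http://www.ibm.com/xmlns/prod/2009/jsonx"
ET.register_namespace("json", JSONX_NS)

# Hypothetical XSD stand-in: member name -> (JSONx element type, allowed value pattern).
ORDER_SCHEMA = {
    "customerId": ("string", r"[A-Z0-9]{4,12}"),
    "orderId": ("number", r"[0-9]{1,9}"),
}


def to_jsonx(value, name=None):
    """Recursively encode a parsed JSON value as a JSONx element."""
    if isinstance(value, dict):
        el = ET.Element(f"{{{JSONX_NS}}}object")
        el.extend([to_jsonx(v, k) for k, v in value.items()])
    elif isinstance(value, list):
        el = ET.Element(f"{{{JSONX_NS}}}array")
        el.extend([to_jsonx(v) for v in value])
    else:  # bool is a subclass of int in Python, so test it before number
        kind = ("null" if value is None else "boolean" if isinstance(value, bool)
                else "number" if isinstance(value, (int, float)) else "string")
        el = ET.Element(f"{{{JSONX_NS}}}{kind}")
        if kind == "boolean":
            el.text = "true" if value else "false"
        elif kind != "null":
            el.text = str(value)
    if name is not None:  # object members carry their key in the name attribute
        el.set("name", name)
    return el


def validate_jsonx(root, schema=ORDER_SCHEMA):
    """Return the list of schema violations for a JSONx object; [] means valid."""
    problems, seen = [], set()
    for member in root:
        name, kind, text = member.get("name"), member.tag.split("}")[1], member.text or ""
        if name not in schema:  # closed content model: unexpected members are rejected
            problems.append(f"unexpected member {name!r}")
            continue
        seen.add(name)
        want_type, pattern = schema[name]
        if kind != want_type:
            problems.append(f"{name}: expected {want_type}, got {kind}")
        elif not re.fullmatch(pattern, text):
            problems.append(f"{name}: value {text!r} does not match {pattern}")
    problems += [f"missing required member {m!r}" for m in sorted(set(schema) - seen)]
    return problems
```

A request body is handled as `validate_jsonx(to_jsonx(json.loads(body)))`; a non-empty result is the list of reasons to reject it at the gateway.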
Rate Limiters/Monitors
Any enterprise exposing services to the internet must protect against the most basic of attacks: a DoS attack. DataPower itself has the ability to throttle requests from different clients based on configurable parameters. For example, clients can be limited to 100 transactions per minute; when that limit is exceeded, their requests can be throttled or an alerting subsystem invoked.
Securing REST services, unlike SOAP, can be a challenge due to a lack of standards. However, using a tool like DataPower, an enterprise can build flexible security gateways.