AAA (authentication, authorization, and audit logging) 22
ABAC (attribute-based access control) 282-293
distributed policy enforcement and XACML 290-291
implementing decisions 285, 288
ABACAccessController class 286, 288
adding new members to Natter space 94-95
avoiding privilege escalation attacks 95-97
sharing capability URIs 317-318
securing HTTPS client configuration 245-247
Access-Control-Allow-Credentials header 150, 166, 180
Access-Control-Allow-Headers header 150
Access-Control-Allow-Methods header 150
Access-Control-Allow-Origin header 150, 154
Access-Control-Expose-Headers header 150
Access-Control-Max-Age header 150
Access-Control-Request-Headers 148
Access-Control-Request-Method header 148
access_token parameter 301, 303, 306
accountability, audit logging for 82-87
ACE-OAuth (Authorization for Constrained Environments using OAuth2) 511-517
ACLs (access control lists) 90-92, 267
actor_token_type parameter 432
add_first_party_caveat method 326
add_third_party_caveat method 329
AEAD (authenticated encryption with associated data) algorithms 202
AES (Advanced Encryption Standard) 196
AES-CCM (Counter with CBC-MAC) constructor 456
afterAfter() method 37, 54, 59
environments and threat models 16-18
mitigating SQL injection with permissions 45-47
access control and authorization 22-23
identification and authentication 21-22
internet of things (IoT) 488-496, 522
authenticating devices 489-496
OAuth2 for constrained environments 511-517
offline access control 518-521
application data transmission phase 397
Application-layer DoS attacks (layer-7) 65
AS (Authorization Server) 386-387, 512
audit logging 19, 23-24, 82-87
authenticate() method 404
AuthenticatedTokenStore interface 207-208, 323
internet of things (IoT) devices for APIs 489-496
creating password database 72-74
registering users in Natter API 74-75
secure password storage with Scrypt 72
implementing token-based login 112-115
token store abstraction 111-112
authentication, authorization, and audit logging (AAA) 22
authorization code grant 228-238
hardening code exchange with PKCE 236-237
redirect URIs for different types of client 235-236
authorization endpoint 228, 529
Authorization for Constrained Environments using OAuth2 (ACE-OAuth) 511-517
auth-tls-pass-certificate-to-upstream 402
Bearer authentication scheme 160-162
before() method 58, 92, 124, 153, 288, 307
BLE (Bluetooth Low-Energy) 440, 520
browser-based clients, capability URIs for 311-312
brute-force attacks 72, 96, 202
ByteBuffer.allocateDirect() method 483
combining capabilities with identity 314-315
for browser-based clients 311-312
returning capability URIs 305-306
validating capabilities 306-307
capability-based access control 22
capability URIs for browser-based clients 311-312
combining capabilities with identity 314-315
hardening capability URIs 315-318
Hypertext as Engine of Application State (HATEOAS) 308-311
using capability URIs in Natter API 303-307
CapabilityController 304-306, 312, 324
CAs (certificate authorities) 80, 245, 369, 397, 443, 479
CBC (Cipher Block Chaining) 201
CBOR (Concise Binary Object Representation) 469, 496
CBOR Object Signing and Encryption (COSE) 468-474, 496, 499
certificate authorities (CAs) 80, 245, 369, 397, 443, 479
certificate-bound access tokens 410-414
certificate.getEncoded() method 411
CertificateRequest message 398-399
ChaCha20-Poly1305 cipher suites 456
challenge-response protocol 497
Cipher Block Chaining (CBC) 201
for constrained devices 452-457
CLI (command-line interface) 372
client certificate authentication 399-401
client credentials grant 228, 385, 387-388
client_assertion parameter 394-395
client_id parameter 234, 242, 409, 513
authenticating using JWT bearer grant 391-393
capability URIs for browser-based 311-312
managing service credentials 415-428
avoiding long-lived secrets on disk 423-425
key and secret management services 420-422
client_secret_basic method 386
CoAP (Constrained Application Protocol) 442, 499, 509
Command-Query Responsibility Segregation (CQRS) 178
Concise Binary Object Representation (CBOR) 469, 496
ConfidentialTokenStore 207, 304, 323
confused deputy attacks 295, 299
connect() method 449, 460, 462
Constrained Application Protocol (CoAP) 442, 499, 509
building H2 database as 341-345
Content-Security-Policy (CSP) 58, 169
Bearer authentication scheme 160-162
deleting expired tokens 162-163
storing token state in database 155-160
storing tokens in Web Storage 163-166
XSS attacks on Web Storage 167-169
CookieTokenStore method 118-120, 124, 133-134, 136, 159, 171, 208, 315, 317
CORS (cross-origin resource sharing) 105-106
allowing cross-domain requests with 147-154
adding CORS headers to Natter API 151-154
COSE (CBOR Object Signing and Encryption) 468-474, 496, 499
CQRS (Command-Query Responsibility Segregation) 178
createSpace method 34, 40, 44, 50, 77, 91, 102, 104, 142, 163, 278, 305-306, 309, 319
CRLs (certificate revocation lists) 369
CryptoBox algorithm 474, 496, 510
cryptographically bound tokens 130
cryptographically secure hash function 130
cryptographically-secure pseudorandom number generator (CSPRNG) 201
CSP (Content-Security-Policy) 58, 169
CSPRNG (cryptographically-secure pseudorandom number generator) 201
CSRF (Cross-Site Request Forgery) attacks 125-138
double-submit cookies for Natter API 133-138
hash-based double-submit cookies 129-133
DAC (discretionary access control) 223, 267
Database.forDataSource() method 33
storing token state in 155-160
DatabaseTokenStore 155-156, 158-159, 171, 174-175, 177-178, 183, 208, 210-211, 213, 304, 322
Datagram TLS (DTLS) 441-452, 488
DDoS (distributed DoS) attack 64
deleting expired tokens 162-163
device authorization grant 512-516
DeviceIdentityManager class 493
authenticating with TLS connection 492-496
differential power analysis 477
Diffie-Hellman key agreement 485
discretionary access control (DAC) 223, 267
Distinguished Name (DN) 272, 402
distributed DoS (DDoS) attack 64
distributed policy enforcement 290-291
distroless base image, Google 342
DN (Distinguished Name) 272, 402
DNS cache poisoning attack 369
building H2 database as 341-345
document.cookie field 140, 142
domain-specific language (DSL) 285
DoS (denial of service) attacks 13, 21, 24-25, 64
drag ‘n’ drop clickjacking attack 57
DroolsAccessController class 287
DSL (domain-specific language) 285
DTLS (Datagram TLS) 441-452, 488
DtlsDatagramChannel class 448-449, 451, 457, 460
Dynamic client registration endpoint 529
ECB (Electronic Code Book) 196
ECDH (Elliptic Curve Diffie-Hellman) 245, 452, 472
EdDSA (Edwards Curve Digital Signature Algorithm) signatures 255
EEPROM (electrically erasable programmable ROM) 480
effective top-level domains (eTLDs) 128
EJBs (Enterprise Java Beans) 7
electrically erasable programmable ROM (EEPROM) 480
Electronic Code Book (ECB) 196
Elliptic Curve Diffie-Hellman (ECDH) 245, 452, 472
encKey.getEncoded() method 200
encoding headers with end-to-end security 509-510
EncryptedJwtTokenStore 205, 208, 211
EncryptedTokenStore 197-200, 205-206, 208
authenticated encryption with NaCl 198-200
end-to-end authentication 496-510
avoiding replay in REST APIs 506-510
Enterprise Java Beans (EJBs) 7
establish secure defaults principle 74
eTLDs (effective top-level domains) 128
etSupportedVersions() method 460
evaluation version, of ForgeRock Access Management 526-531
eXtensible Access-Control Markup Language (XACML) 290-291
external additional authenticated data 504
first-party caveats 321, 325-328
followRedirects(false) method 365
ForgeRock Access Management 525-531
running evaluation version 526-531
ForgeRock Directory Services 531
form submission, intercepting 104
GCM (Galois Counter Mode) 197, 201, 453
GDPR (General Data Protection Regulation) 4, 224
GeneralCaveatVerifier interface 326
getIdentityManager() method 494
getSecurityParametersConnection() method 495
getSecurityParametersHandshake() method 495
getSupportedCipherSuites() method 464
getSupportedVersions() method 462
client credentials grant 385-388
grant_type parameter 233, 432, 515
-groupname secp256r1 argument 391
building as Docker container 341-345
deploying to Kubernetes 345-349
code exchange with PKCE 236-237
database token storage 170-180
authenticating tokens with HMAC 172-177
hashing database tokens 170-171
protecting sensitive attributes 177-180
hardware security module (HSM) 422, 480-481
hash-based double-submit cookies 129-133
hash-based key derivation function (HKDF) 425, 469
hashing database tokens 170-171
HATEOAS (Hypertext as Engine of Application State) 308-311
encoding with end-to-end security 509-510
specifying key in header 189-190
HKDF (hash-based key derivation function) 425, 469
HKDF_Context_PartyU_nonce attribute 470
authenticating tokens with 172-177
protecting JSON tokens with 183
HmacTokenStore 173, 176, 183-184, 191-193, 197-198, 206, 208, 211, 304, 319, 323
HSM (hardware security module) 422, 480-481
HSTS (HTTP Strict-Transport-Security) 82
HTTP Strict-Transport-Security (HSTS) 82
securing client configuration 245-247
Hypertext as Engine of Application State (HATEOAS) 308-311
IBAC (identity-based access control) 267-293
attribute-based access control (ABAC) 282-293
distributed policy enforcement and XACML 290-291
implementing decisions 285-288
role-based access control (RBAC) 274-281
determining user roles 279-280
mapping roles to permissions 276-277
combining capabilities with 314-315
verifying client identity 402-406
identity-based access control 22
IDS (intrusion detection system) 10
InetAddress.getAllByName() method 363
InfoSec (Information security) 8
ingress controller 375, 377-378
initialization vector (IV) 201, 475
mitigating SQL injection with permissions 45-47
insecure deserialization vulnerability 48
intrusion detection system (IDS) 10
intrusion prevention system (IPS) 10
IoT (Internet of Things) 4, 65
IoT (Internet of Things) APIs 488-522
authenticating devices 489-496
end-to-end authentication 496-510
avoiding replay in REST APIs 506-510
Object Security for Constrained RESTful Environments (OSCORE) 499-506
OAuth2 for constrained environments 511-517
offline access control 518-521
offline user authentication 518-520
IoT (Internet of Things) communications 439-487
misuse-resistant authenticated encryption (MRAE) 475-478
key distribution and management 479-486
key distribution servers 481-482
one-off key provisioning 480-481
post-compromise security 484-486
ratcheting for forward secrecy 482-484
supporting raw PSK cipher suites 463-464
transport layer security (TLS) 440-457
cipher suites for constrained devices 452-457
IPS (intrusion prevention system) 10
IV (initialization vector) 201, 475
Java EE (Java Enterprise Edition) 10
java.net.InetAddress class 363
calling login API from 140-142
calling Natter API from 102-104
java.security.cert.X509Certificate object 402
java.security.egd property 350
java.security.MessageDigest class 411
java.security.SecureRandom 201
javax.crypto.Mac class 174, 320
javax.crypto.SecretKey class 205
javax.crypto.spec.SecretKeySpec class 426
javax.net.ssl.TrustManager 246
JOSE (JSON Object Signing and Encryption) header 188-190
specifying key in header 189-190
JSON Web Signatures (JWS) 185, 469
JsonTokenStore 183, 187, 192, 198, 200, 203, 206, 208-209, 322
JWS (JSON Web Signatures) 185, 469
JWT bearer authentication 384-385
JWTClaimsSet.Builder class 203
JWTs (JSON Web Tokens) 185-194, 389
specifying key in header 189-190
validating access tokens 249-256
choosing signature algorithm 254-256
KDF (key derivation function) 425
key derivation function (KDF) 425
key distribution and management 479-486
key distribution servers 481-482
managing service credentials 420-422
one-off key provisioning 480-481
post-compromise security 484-486
ratcheting for forward secrecy 482-484
retrieving public keys 251-254
specifying in JOSE header 189-190
key distribution servers 481-482
key-driven cryptographic agility 189
KieServices.get().getKieClasspathContainer() method 286
kubectl apply command 346, 377
kubectl command-line application 533
kubectl create secret docker-registry 416
kubectl get namespaces command 346
building H2 database as Docker container 341-345
calling link-preview microservice 357-360
deploying database to Kubernetes 345-349
deploying new microservice 355-357
link-preview microservice 353-354
preventing server-side request forgery (SSRF) attacks 361-365
securing incoming requests 381
securing microservice communications 368-377
locking down network connections 375-377
securing communications with TLS 368-369
using service mesh for TLS 370-374
layer-7 (Application-layer DoS attacks) 65
LDAP (Lightweight Directory Access Protocol) 72, 271
installing directory server 531
link-preview microservice 353-354, 357-360
setting up Java and Maven on 525
building UI for Natter API 138-142
implementing token-based 112-115
login(username, password) function 140
lookupPermissions method 279, 306, 316
MAC (mandatory access control) 223, 267
MAC (message authentication code) 172, 456, 496, 504
MacaroonsBuilder class 326, 329
MacaroonsBuilder.create() method 322
macaroon.serialize() method 322
macKey.getEncoded() method 322
setting up Java and Maven 523-524
MFA (multi-factor authentication) 22
Main class 30, 34, 46, 51, 54, 75-76, 200, 318, 418
main() method 46, 59, 93, 280, 288, 318, 394-395, 418, 493-494
mandatory access control (MAC) 223, 267
man-in-the-middle (MitM) attack 485
message authentication code (MAC) 172, 456, 496, 504
MessageDigest.isEqual method 134-135, 175, 413
microservice APIs in Kubernetes 335-382
deploying Natter on Kubernetes 339-368
building H2 database as Docker container 341-345
calling link-preview microservice 357-360
deploying database to Kubernetes 345-349
deploying new microservice 355-357
link-preview microservice 353-354
preventing server-side request forgery (SSRF) attacks 361-365
securing incoming requests 377-381
securing microservice communications 368-377
locking down network connections 375-377
securing communications with TLS 368-369
using service mesh for TLS 370-374
minikube ip command 345, 360, 368
misuse-resistant authenticated encryption (MRAE) 475-478
MitM (man-in-the-middle) attack 485
mkcert utility 80-81, 246, 379, 400, 402, 406, 451
mode of operation, block cipher 196
model-view-controller (MVC) 34
modern token-based authentication 146-180
allowing cross-domain requests with CORS 147-154
adding CORS headers to Natter API 151-154
hardening database token storage 170-180
authenticating tokens with HMAC 172-177
hashing database tokens 170-171
protecting sensitive attributes 177-180
tokens without cookies 154-169
Bearer authentication scheme 160-162
deleting expired tokens 162-163
storing token state in database 155-160
storing tokens in Web Storage 163-166
XSS attacks on Web Storage 167-169
monotonically increasing counters 497
MRAE (misuse-resistant authenticated encryption) 475-478
mTLS (mutual TLS) 374, 396-414
certificate-bound access tokens 410-414
client certificate authentication 399-401
verifying client identity 402-406
multi-factor authentication (MFA) 22
MVC (model-view-controller) 34
NaCl (Networking and Cryptography Library) 198-200, 473
access control lists (ACLs) 90-92
adding new members to Natter space 94-95
avoiding privilege escalation attacks 95-97
adding CORS headers to 151-154
adding scoped tokens to 220-222
addressing threats with security controls 63-64
audit logging for accountability 82-87
authentication to prevent spoofing 70-77
creating password database 72-74
registering users in Natter API 74-75
secure password storage with Scrypt 72
calling from JavaScript 102-104
deploying on Kubernetes 339-368
building H2 database as Docker container 341-345
calling link-preview microservice 357-360
deploying database to Kubernetes 345-349
deploying new microservice 355-357
link-preview microservice 353-354
preventing server-side request forgery (SSRF) attacks 361-365
double-submit cookies for 133-138
rate-limiting for availability 64-69
using capability URIs in 303-307
returning capability URIs 305-306
validating capabilities 306-307
natter-api namespace 345, 375, 380, 401
natter-api-service.natter-api 367
natter_api_user permissions 73, 84
network connections, locking down 375-377
network policies, Kubernetes 375
Networking and Cryptography Library (NaCl) 198-200, 473
NFRs (non-functional requirements) 14
nginx.ingress.kubernetes.io/auth-tls-error-page 400
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream 400
nginx.ingress.kubernetes.io/auth-tls-secret 400
nginx.ingress.kubernetes.io/auth-tls-verify-client 400
nginx.ingress.kubernetes.io/auth-tls-verify-depth 400
nonce (number-used-once) 201, 262-263, 497
non-functional requirements (NFRs) 14
number-used-once (nonce) 201, 262-263, 497
OAEP (Optimal Asymmetric Encryption Padding) 257
ACE-OAuth (Authorization for Constrained Environments using OAuth2) 511-517
authorization code grant 230-238
hardening code exchange with Proof Key for Code Exchange (PKCE) 236-237
redirect URIs for different types of client 235-236
client credentials grant 385-388
discovering OAuth2 endpoints 229-230
service account authentication 395
mutual TLS (mTLS) with 409-410
passing ID tokens to APIs 264-266
difference between scopes and permissions 223-224
validating access tokens 239-258
securing HTTPS client configuration 245-247
ocaps (object-capability-based security) 296
OCSP (online certificate status protocol) 369
offline access control 518-521
offline user authentication 518-520
OIDC (OpenID Connect) 185, 260-266, 497
passing ID tokens to APIs 264-266
one-off key provisioning 480-481
online certificate status protocol (OCSP) 369
open redirect vulnerability 232, 364-365
Optimal Asymmetric Encryption Padding (OAEP) 257
ORM (object-relational mapper) 45
OSCORE (Object Security for Constrained RESTful Environments) 499-506
implementing protections 58-61
OWL (Web Ontology Language) 281
PAP (Policy Administration Point) 290
path traversal vulnerability 484
PDP (Policy Decision Point) 290
PEM (Privacy Enhanced Mail) 80
PEP (Policy Enforcement Point) 290
difference between scopes and 223-224
mitigating SQL injection attacks with 45-47
permissions table 90, 269, 271, 277-278
personally identifiable information (PII) 24
PII (personally identifiable information) 24
PIP (Policy Information Point) 290
PKCE (Proof Key for Code Exchange) 236-237
PKI (public key infrastructure) 369, 409, 479
POLA (principle of least authority) 45-46, 90, 250, 295
Policy Administration Point (PAP) 290
Policy Decision Point (PDP) 290
Policy Enforcement Point (PEP) 290
Policy Information Point (PIP) 290
PoP (proof-of-possession) tokens 410, 517
post-compromise security 484-486
PRF (pseudorandom function) 475
principle of defense in depth 66
principle of least authority (POLA) 45-46, 90, 250, 295
principle of least privilege 46
principle of separation of duties 84
Privacy Enhanced Mail (PEM) 80
privilege escalation attacks 95-97
processResponse method 242, 413
Proof Key for Code Exchange (PKCE) 236-237
PSK (pre-shared keys) 458-463, 467, 490, 492
supporting raw PSK cipher suites 464
public key encryption algorithms 195
public key infrastructure (PKI) 369, 409, 479
QUIC protocol (Quick UDP Internet Connections) 442
random number generator (RNG) 157
answers to pop quiz questions 25-26
RBAC (role-based access control) 274-281
determining user roles 279-280
mapping roles to permissions 276-277
RCE (remote code execution) 48
read() method 194, 213, 252, 254, 325-326
ReDoS (regular expression denial of service) attack 51
registering users in Natter API 74-75
regular expression denial of service (ReDoS) attack 51
remote code execution (RCE) 48
Remote Method Invocation (RMI) 7
replay attacks 187-188, 496, 498
requested_token_type parameter 432
request.session(false) method 120
request.session(true) method 119-120
requireAuthentication method 92, 138, 162
requirePermission method 270, 276, 279, 283
Resource Owner Password Credentials (ROPC) grant 228
REST (REpresentational State Transfer) 8
capability-based security and 297-302, 318
capability URIs for browser-based clients 311-312
combining capabilities with identity 314-315
hardening capability URIs 315-318
Hypertext as Engine of Application State (HATEOAS) 308-311
using capability URIs in Natter API 303-307
revoke method 182, 203, 239, 248
implementing hybrid tokens 210-213
RMI (Remote Method Invocation) 7
RNG (random number generator) 157
role_permissions table 277, 279
ROPC (Resource Owner Password Credentials) grant 228
row-level security policies 179
rwd (read-write-delete) permissions 309
same-origin policy (SOP) 54, 105-106, 147
difference between scopes and permissions 223-224
SecretBox.encrypt() method 198
secrets management services 420-422
Secure Production Identity Framework for Everyone (SPIFFE) 407-408
SecureRandom class 157-158, 160, 180, 236, 329, 350, 443
SecureTokenStore interface 207-209, 323
Security Information and Event Management (SIEM) 83
access control and authorization 22-23
identification and authentication 21-22
security token service (STS) 432
encrypting sensitive attributes 195-205
authenticated encryption with NaCl 198-200
handling token revocation 209-213
self-contained tokens
using types for secure API design 206-209
authenticated encryption with NaCl 198-200
server-side request forgery (SSRF) attacks 190, 361-365
client credentials grant 387-388
service-to-service APIs 383-436
API keys and JWT bearer authentication 384-385
managing service credentials 415-428
avoiding long-lived secrets on disk 423-425
key and secret management services 420-422
mutual TLS authentication 396-414
certificate-bound access tokens 410-414
client certificate authentication 399-401
how TLS certificate authentication works 397-398
mutual TLS with OAuth2 409-410
verifying client identity 402-406
OAuth2 client credentials grant 385-388
service API calls in response to user requests 428-435
session cookie authentication 101-145
building Natter login UI 138-142
calling Natter API from JavaScript 102-104
drawbacks of HTTP authentication 108
intercepting form submission 104
serving HTML from same origin 105-108
preventing Cross-Site Request Forgery attacks 125-138
double-submit cookies for Natter API 133-138
hash-based double-submit cookies 129-133
avoiding session fixation attacks 119-120
cookie security attributes 121-123
token-based authentication 109-115
implementing token-based login 112-115
token store abstraction 111-112
avoiding session fixation attacks 119-120
cookie security attributes 121-123
session fixation attacks 119-120
session.fireAllRules() method 286
session.invalidate() method 143
setItem(key, value) method 165
SIEM (Security Information and Event Management) 83
single-page apps (SPAs) 54, 312
SIV (Synthetic Initialization Vector) mode 475
SOP (same-origin policy) 54, 105-106, 147
SpaceController class 34, 36-37, 75, 94, 278, 304
SPAs (single-page apps) 54, 312
SPIFFE (Secure Production Identity Framework for Everyone) 407-408
creating password database 72-74
registering users in Natter API 74-75
secure password storage with Scrypt 72
SQLi (SQL injection) attacks 40, 45-47, 270
ssl-client-cert header 400, 402, 404, 413
ssl-client-issuer-dn header 402
ssl-client-subject-dn header 402
ssl-client-verify header 402, 404, 413
SSLEngine class 443-444, 456-457, 461
sslEngine.beginHandshake() method 446
sslEngine.getHandshakeStatus() method 446
sslEngine.unwrap(recvBuf, appData) 446
sslEngine.wrap(appData, sendBuf) 445
SSRF (server-side request forgery) attacks 190, 361-365
STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) 18
STS (security token service) 432
subject_token_type parameter 432
Synthetic Initialization Vector (SIV) mode 475
System.getenv(String name) method 417
TCP (Transmission Control Protocol) 441
TLS (Transport Layer Security) 9, 79, 440-457
authenticating devices with 492-496
cipher suites for constrained devices 452-457
implementing for client 443-450
implementing for server 450-452
mutual TLS (mTLS) authentication 396-414
certificate-bound access tokens 410-414
client certificate authentication 399-401
verifying client identity 402-406
securing communications with 368-369
using service mesh for 370-374
TLS_DHE_PSK_WITH_AES_128_CCM cipher suite 466
TLS_DHE_PSK_WITH_AES_256_CCM cipher suite 466
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 cipher suite 466
TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 cipher suite 466
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 cipher suite 466
TLS_EMPTY_RENEGOTIATION_INFO_SCSV marker cipher suite 456
TLS_PSK_WITH_AES_128_CCM cipher suite 464
TLS_PSK_WITH_AES_128_CCM_8 cipher suite 464
TLS_PSK_WITH_AES_128_GCM_SHA256 cipher suite 464
TLS_PSK_WITH_AES_256_CCM cipher suite 464
TLS_PSK_WITH_AES_256_CCM_8 cipher suite 464
TLS_PSK_WITH_AES_256_GCM_SHA384 cipher suite 464
TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 cipher suite 464
token store abstraction 111-112
token-based authentication 109-115
implementing token-based login 112-115
allowing cross-domain requests with CORS 147-154
hardening database token storage 170-180
tokens without cookies 154-169
token store abstraction 111-112
TokenController class 177, 194, 200, 209, 315
TokenController interface 113-115, 118, 136
TokenController validateToken() method 124
tokenController.requireScope method 222
TokenController.validateToken method 317
difference between scopes and permissions 223-224
encrypting sensitive attributes 195-205
handling token revocation 209-213
using types for secure API design 206-209
Bearer authentication scheme 160-162
deleting expired tokens 162-163
storing token state in database 155-160
storing tokens in Web Storage 163-166
XSS attacks on Web Storage 167-169
TokenStore interface 111-113, 115, 118, 124, 143-144, 207-208, 243, 303, 322
Transmission Control Protocol (TCP) 441
two-factor authentication (2FA) 22
UDP (User Datagram Protocol) 65, 442
unwrap() method 447-448, 450-451
uri.toASCIIString() method 305
User Datagram Protocol (UDP) 65, 442
UserController class 74, 76, 91, 113, 269, 404, 413
UserController.lookupPermissions method 306
adding new to Natter space 94-95
determining user roles 279-280
Lightweight Directory Access Protocol (LDAP) groups 271-273
verification_uri_complete field 515
version control capabilities 23
virtual private cloud (VPC) 423
VPC (virtual private cloud) 423
WAF (web application firewall) 10
web browsers, session cookie authentication in 102-108
calling Natter API from JavaScript 102-104
drawbacks of HTTP authentication 108
intercepting form submission 104
serving HTML from same origin 105-108
Web Ontology Language (OWL) 281
window.location.hash variable 312
window.referrer variable 301-302
setting up Java and Maven on 525
WWW-Authenticate challenge header 161
XACML (eXtensible Access-Control Markup Language) 290-291
X-Content-Type-Options header 57
X-CSRF-Token header 130, 136, 142, 160, 163, 166
X-Forwarded-Client-Cert header 407-408
XSS (cross-site scripting) attacks 54, 56, 168