index

A

A128CBC-HS256 method 203

AAA (authentication, authorization, and audit logging) 22

ABAC (attribute-based access control) 282-293

best practices for 291-293

combining decisions 284

distributed policy enforcement and XACML 290-291

implementing decisions 285, 288

ABACAccessController class 286, 288

Accept header 57

acceptable inputs 50

access control 22-23, 87-97

adding new members to Natter space 94-95

avoiding privilege escalation attacks 95-97

enforcing 92-94

enforcing authentication 89

offline 520-521

sharing capability URIs 317-318

access log 87

access tokens 239-258

JWTs 249-256

letting AS decrypt tokens 258

securing HTTPS client configuration 245-247

token introspection 239-244

token revocation 248

Access-Control-Allow-Credentials header 150, 166, 180

Access-Control-Allow-Headers header 150

Access-Control-Allow-Methods header 150

Access-Control-Allow-Origin header 150, 154

Access-Control-Expose-Headers header 150

Access-Control-Max-Age header 150

Access-Control-Request-Headers 148

Access-Control-Request-Method header 148

access_denied status code 516

access_token parameter 301, 303, 306

accountability, audit logging for 82-87

ACE-OAuth (Authorization for Constrained Environments using OAuth2) 511-517

ACLs (access control lists) 90-92, 267

acr claim 262

acr_values parameter 262

act claim 431, 433

active field 241

actor_token parameter 432

actor_token_type parameter 432

add_first_party_caveat method 326

addMember method 94-96, 278

add_third_party_caveat method 329

admin role 275

AEAD (authenticated encryption with associated data) algorithms 202

AES (Advanced Encryption Standard) 196

AES-CCM (Counter with CBC-MAC) constructor 456

after filter 37

afterAfter() method 37, 54, 59

alg attribute 189

alg header 188-189, 201

algorithm header 188-189

allow lists 50, 210

allowPrivilegeEscalation 347

ambient authority 299

amr claim 262

API keys 384-385

API security 3-26

analogy for 4-6

defined 6-8

elements of 12-18

assets 13-14

environments and threat models 16-18

security goals 14-16

injection attacks 39-47

mitigating SQL injection with permissions 45-47

preventing 43-45

input validation 47-51

Natter API 27-33

implementation 29

initializing database 32-33

overview 28-29

setting up project 30-31

producing safe output 53-61

exploiting XSS Attacks 54-57

implementing protections 58

preventing XSS 58

REST API 34-35

creating new space 34-35

wiring up endpoints 36-39

secure development 27-61

security areas 8-12

security mechanisms 19-26

access control and authorization 22-23

audit logging 23-24

encryption 20

identification and authentication 21-22

rate-limiting 24-26

styles 7-8

typical deployment 10-12

APIs

internet of things (IoT) 488-496, 522

authenticating devices 489-496

end-to-end authentication 510

OAuth2 for constrained environments 511-517

offline access control 518-521

passing ID tokens to 264-266

apiVersion attribute 345

App class 30

appData buffer 445

application data transmission phase 397

application server 10

application/json 37

Application-layer DoS attacks (layer-7) 65

AppTest class 30

ARP spoofing attack 369

AS (Authorization Server) 386-387, 512

decrypting tokens 258

installing 525-531

assertion parameter 395

assertions 391

assets 13-14

associated data 496

asymmetric cryptography 250

at rest encryption 20

at_hash claim 263

AtomicInteger class 508

attributes, sensitive

encrypting 195-205

protecting 177-180

aud claim 187, 191, 253, 394

audience parameter 432

audit logging 19, 23-24, 82-87

audit logs, defined 6

AuditController interface 114

auditRequestEnd method 84

auditRequestStart method 84

authenticate authenticate() method 404

authenticate() method 269

authenticated encryption 197

AuthenticatedTokenStore interface 207-208, 323

authentication 21-22

defined 19

enforcing 89

factors 21-22

internet of things (IoT) devices for APIs 489-496

device certificates 492

identifying devices 489-492

with TLS connection 492-496

offline user 518-520

to prevent spoofing 70-77

authenticating users 75-77

creating password database 72-74

HTTP Basic authentication 71

registering users in Natter API 74-75

secure password storage with Scrypt 72

token-based 109-115

implementing token-based login 112-115

modern 146-180

token store abstraction 111-112

authentication, authorization, and audit logging (AAA) 22

authorization 19, 22

authorization code grant 228-238

hardening code exchange with PKCE 236-237

redirect URIs for different types of client 235-236

refresh tokens 237-238

authorization endpoint 228, 529

Authorization for Constrained Environments using OAuth2 (ACE-OAuth) 511-517

Authorization header 88, 163

authorization_pending 516

auth_time claim 262

auth-tls-pass-certificate-to-upstream 402

availability 14, 64-69

azp claim 262, 265

B

-b option 125

badRequest method 53

base image 341-342

batch attack 202

BcTlsCrypto 460, 462

Bearer authentication scheme 160-162

bearer token 160

before filter 89

before() method 58, 92, 124, 153, 288, 307

biometric factors 21

BLE (Bluetooth Low-Energy) 440, 520

block cipher 196

blocking URLs 363

blocklist 50, 210

boolean argument 116, 283

botnets 64

browser-based clients, capability URIs for 311-312

brute-force attacks 72, 96, 202

buffer overflow attacks 48

buffer overrun 48

BUFFER_OVERFLOW 448

BUFFER_UNDERFLOW 448

build section 349

By field 407

ByteBuffer.allocateDirect() method 483

C

-c option 124

- -cacert option 81

Cache-Control header 58

capabilities 22, 295, 347

capability URIs

combining capabilities with identity 314-315

defined 300

for browser-based clients 311-312

hardening 315-318

in Natter API 303-307

returning capability URIs 305-306

validating capabilities 306-307

REST APIs and 299-302

capability-based access control 22

capability-based security 331

macaroons 319-330

contextual caveats 321

first-party caveats 325-328

macaroon token store 322-324

third-party caveats 328-330

REST and 297-318

capabilities as URIs 299-302

capability URIs for browser-based clients 311-312

combining capabilities with identity 314-315

hardening capability URIs 315-318

Hypertext as Engine of Application State (HATEOAS) 308-311

using capability URIs in Natter API 303-307

CapabilityController 304-306, 312, 324

CAs (certificate authorities) 80, 245, 369, 397, 443, 479

CAT (Crypto Auth Tokens) 428

cat command 295

caveats

contextual 321

first-party 325-328

third-party 328-330

answers to exercises 330

creating 329-330

CBC (Cipher Block Chaining) 201

CBOR (Concise Binary Object Representation) 469, 496

CBOR Object Signing and Encryption (COSE) 468-474, 496, 499

CCM mode 455

Cert field 407

certificate authorities (CAs) 80, 245, 369, 397, 443, 479

certificate chain 370, 397

Certificate message 397

certificate-bound access tokens 410-414

CertificateFactory 402

certificate.getEncoded() method 411

CertificateRequest message 398-399

certificates 80, 397

CertificateVerify message 398

cert-manager 381

ChaCha20-Poly1305 cipher suites 456

Chain field 407

chain key 483

chaining key 483

challenge-response protocol 497

c_hash claim 263

checkDecision method 288

checking URLs 363

checkPermitted method 286

Chooser API 297

chosen ciphertext attack 197

CIA Triad 14

Cipher Block Chaining (CBC) 201

Cipher object 421

cipher suites

for constrained devices 452-457

supporting raw PSK 463-464

ciphers 195

ciphertext 195

claims, authenticating 21

Class.getResource() method 33

CLI (command-line interface) 372

client certificate authentication 399-401

client credentials 227

client credentials grant 228, 385, 387-388

client secrets 227

client_assertion parameter 394-395

client_credentials grant 386

client_id parameter 234, 242, 409, 513

clients

authenticating using JWT bearer grant 391-393

capability URIs for browser-based 311-312

implementing DTLS 443-450

managing service credentials 415-428

avoiding long-lived secrets on disk 423-425

key and secret management services 420-422

key derivation 425-428

Kubernetes secrets 415-420

of PSK 462-463

redirect URIs for 235-236

types of 227-228

client_secret_basic method 386

close-notify alert 449

closeOutbound() method 449

cnf claim 411

cnf field 412

CoAP (Constrained Application Protocol) 442, 499, 509

code challenge 236

code parameter 234

collision domains 368

collision resistance 130

Command-Query Responsibility Segregation (CQRS) 178

Common Context 499

compareAndSet method 508

Concise Binary Object Representation (CBOR) 469, 496

confidential clients 227

confidentiality 14

ConfidentialTokenStore 207, 304, 323

confirmation key 411

confirmation method 411

confused deputy attacks 295, 299

connect() method 449, 460, 462

connected channels 448-449

connected TVs 512

constant time 477

Constrained Application Protocol (CoAP) 442, 499, 509

constrained devices 440

Consumer IoT 440

container images 341

container, Docker

building H2 database as 341-345

Content-Security-Policy (CSP) 58, 169

Content-Type header 57

contextual caveats 321

control plane 371-372

controller objects 34

Cookie header 115

cookies

security attributes 121-123

tokens without 154-169

Bearer authentication scheme 160-162

deleting expired tokens 162-163

storing token state in database 155-160

storing tokens in Web Storage 163-166

updating CORS filter 166

XSS attacks on Web Storage 167-169

CookieTokenStore method 118-120, 124, 133-134, 136, 159, 171, 208, 315, 317

CORS (cross-origin resource sharing) 105-106

allowing cross-domain requests with 147-154

adding CORS headers to Natter API 151-154

CORS headers 150-151

preflight requests 148

defined 147

updating filter 166

COSE (CBOR Object Signing and Encryption) 468-474, 496, 499

Counter Mode (CTR) 196

cp command 295

CQRS (Command-Query Responsibility Segregation) 178

create method 239

CREATE USER command 46

createSpace method 34, 40, 44, 50, 77, 91, 102, 104, 142, 163, 278, 305-306, 309, 319

createUri method 305

credentials attribute 21, 103

credentials field 153

CRLs (certificate revocation lists) 369

cross-origin requests 106

Crypto Auth Tokens (CAT) 428

CryptoBox algorithm 474, 496, 510

cryptographic agility 188-189

cryptographically bound tokens 130

cryptographically secure hash function 130

cryptographically-secure pseudorandom number generator (CSPRNG) 201

cryptography 9

Crypto.hash() method 462

CSP (Content-Security-Policy) 58, 169

CSPRNG (cryptographically-secure pseudorandom number generator) 201

CSRF (Cross-Site Request Forgery) attacks 125-138

double-submit cookies for Natter API 133-138

hash-based double-submit cookies 129-133

SameSite cookies 127-129

csrfToken cookie 141-142, 164

CTR (Counter Mode) 196

cut utility 327

D

DAC (discretionary access control) 223, 267

data encryption key (DEK) 421

data plane 372

Database object 33-34, 37

Database.forDataSource() method 33

databases

for passwords 72-74

initializing Natter API 32-33

storing token state in 155-160

DatabaseTokenStore 155-156, 158-159, 171, 174-175, 177-178, 183, 208, 210-211, 213, 304, 322

dataflow diagrams 17

Datagram TLS (DTLS) 441-452, 488

DatagramChannel 447, 449, 451

DataSource interface 33, 46

DDoS (distributed DoS) attack 64

Decision class 283-284, 287

decision global variable 288

decodeCert method 413

decrypt() method 478

decryptToString() method 198

default permit strategy 284

defense in depth 66

DEK (data encryption key) 421

delegated authorization 223

delegation semantics 431

DELETE methods 289

deleting expired tokens 162-163

denial of service 18

deny() method 284, 286, 288

description property 354

developer portal 384

device authorization grant 512-516

Device class 491

device code 513

device flow grant 228, 512

device onboarding 490

DeviceIdentityManager class 493

devices

authenticating with TLS connection 492-496

device certificates 492

identifiers 489-492

dictionary attacks 72, 96

differential power analysis 477

Diffie-Hellman key agreement 485

DirectDecrypter 204

DirectEncrypter object 203

discharge macaroons 328

discretionary access control (DAC) 223, 267

Distinguished Name (DN) 272, 402

distributed DoS (DDoS) attack 64

distributed policy enforcement 290-291

distroless base image, Google 342

DN (Distinguished Name) 272, 402

-dname option 391

DNS (Domain Name System) 64

DNS amplification attacks 64

DNS cache poisoning attack 369

DNS field 407

DNS rebinding attacks 366-368

Docker

containers

building H2 database as 341-345

installing 525

Docker registry secret 416

Dockerfile 342

doc.location() method 354

document.cookie field 140, 142

document.domain field 165

Domain attribute 121

Domain Name System (DNS) 64

domain-specific language (DSL) 285

DOM-based XSS attacks 54, 169

DoS (denial of service) attacks 13, 21, 24-25, 64

drag ‘n’ drop clickjacking attack 57

DroolsAccessController class 287

DROP TABLE command 42, 47

DSL (domain-specific language) 285

DTLS (Datagram TLS) 441-452, 488

DTLSClientProtocol 462

DtlsDatagramChannel class 448-449, 451, 457, 460

DTLSServerProtocol 461

DTLSTransport 461-462

Duration argument 303

duty officer 275

Dynamic client registration endpoint 529

dynamic groups 272

dynamic roles 280-281

E

ECB (Electronic Code Book) 196

ECDH (Elliptic Curve Diffie-Hellman) 245, 452, 472

ECDHE-RSA-AES256-SHA384 452

ECDSA signatures 255

ECPrivateKey type 391

EdDSA (Edwards Curve Digital Signature Algorithm) signatures 255

EEPROM (electrically erasable programmable ROM) 480

effective top-level domains (eTLDs) 128

egress 375

EJBs (Enterprise Java Beans) 7

EK (Endorsement Key) 481

electrically erasable programmable ROM (EEPROM) 480

Electronic Code Book (ECB) 196

elevation of privilege 18, 95

Elliptic Curve Diffie-Hellman (ECDH) 245, 452, 472

EmptyResultException 51

enc header 189, 201

encKey.getEncoded() method 200

encoding headers with end-to-end security 509-510

encrypt() method 478

EncryptedJWT object 203

EncryptedJwtTokenStore 205, 208, 211

EncryptedTokenStore 197-200, 205-206, 208

encryption 19-20, 63, 203

OSCORE message 504-506

private data 78-82

enabling HTTPS 80-81

strict transport security 82

sensitive attributes 195-205

authenticated encryption 197

authenticated encryption with NaCl 198-200

encrypted JWTs 200-202

Encrypt-then-MAC (EtM) 197

enctype attribute 55

Endorsement Key (EK) 481

endpoints, OAuth2 229-230

end-to-end authentication 496-510

avoiding replay in REST APIs 506-510

OSCORE 499-506

deriving context 500-503

encrypting message 504-506

generating nonces 503-504

end-to-end security 467-478

alternatives to COSE 472-474

COSE 468-472

MRAE 475-478

enforcePolicy method 288

Enterprise Java Beans (EJBs) 7

entity authentication 497

Entity Tag (ETag) header 507

entropy 157

ENTRYPOINT command 342

EnumSet class 92

envelope encryption 421

environments 16-18

equest.pathInfo() method 307

ES256 algorithm 391

establish secure defaults principle 74

ETag (Entity Tag) header 507

eTLDs (effective top-level domains) 128

EtM (Encrypt-then-MAC) 197

etSupportedVersions() method 460

eval() function 40

evaluation version, of ForgeRock Access Management 526-531

exfiltration 167

exp claim 187, 191, 394

exp field 242

expired_token 516

Expires attribute 122

Expires header 58

eXtensible Access-Control Markup Language (XACML) 290-291

external additional authenticated data 504

extract-and-expand method 426

F

fault attack 477

federation protocol 72

fetchLinkPreview method 359

file descriptors 295

file exposure 420

findMessages method 310, 326

findOptional method 491

fingerprint 411

FINISHED status 447

firewalls 10

first-party caveats 321, 325-328

first-party clients 111

followRedirects(false) method 365

ForgeRock Access Management 525-531

running evaluation version 526-531

setting up host alias 526

ForgeRock Directory Services 531

form submission, intercepting 104

forward secrecy 246

PSK with 465-467

ratcheting for 482-484

freshness 497

FROM command 341-342

- -from-file 416

future secrecy 484

G

GCM (Galois Counter Mode) 197, 201, 453

GDPR (General Data Protection Regulation) 4, 224

GeneralCaveatVerifier interface 326

generic secrets 416

getCookie function 142, 166

getDelegatedTask() method 447

getEncoded() method 460, 502

getHint() method 494

getIdentityManager() method 494

getItem(key) method 165

getrandom() method 157

getSecurityParametersConnection() method 495

getSecurityParametersHandshake() method 495

getSupportedCipherSuites() method 464

getSupportedVersions() method 462

GIDs (group IDs) 343, 350

GRANT command 46, 277

grants

client credentials grant 385-388

client authentication 391-393

generating 393-395

grant_type parameter 233, 432, 515

-groupname secp256r1 argument 391

groupOfNames class 272

groupOfUniqueNames class 272

groupOfURLs class 272

groups 268-273

Guava, rate-limiting with 66

H

H2 database

building as Docker container 341-345

deploying to Kubernetes 345-349

halt() method 151

handshake 245, 397

hardening

capability URIs 315-318

code exchange with PKCE 236-237

database token storage 170-180

authenticating tokens with HMAC 172-177

hashing database tokens 170-171

protecting sensitive attributes 177-180

OIDC 263-264

hardware security module (HSM) 422, 480-481

Hash field 407

hash function 130

hash-based double-submit cookies 129-133

hash-based key derivation function (HKDF) 425, 469

hashing database tokens 170-171

hash.substring(1) method 312

HATEOAS (Hypertext as Engine of Application State) 308-311

headers

encoding with end-to-end security 509-510

JOSE 188-190

algorithm header 188-189

specifying key in header 189-190

headless JWTs 188

HKDF (hash-based key derivation function) 425, 469

HKDF_Context_PartyU_nonce attribute 470

HKDF-Expand method 426

HKDF.expand() method 501

HMAC (hash-based MAC)

authenticating tokens with 172-177

generating key 176-177

trying it out 177

protecting JSON tokens with 183

HmacKeyStore 177

HMAC-SHA256 algorithm 172

HmacTokenStore 173, 176, 183-184, 191-193, 197-198, 206, 208, 211, 304, 319, 323

holder-of-key tokens 410

host alias 526

host name 147

__Host prefix 123, 130

host-only cookie 121

HS256 algorithm 191

HSM (hardware security module) 422, 480-481

HSTS (HTTP Strict-Transport-Security) 82

HTML 105-108

HTTP Basic authentication

drawbacks of 108

preventing spoofing with 71

HTTP OPTIONS request 148

HTTP Strict-Transport-Security (HSTS) 82

HttpOnly attribute 121

HTTPS 9

enabling 80-81

securing client configuration 245-247

hybrid tokens 210-213

Hypertext as Engine of Application State (HATEOAS) 308-311

I

iat claim 187

IBAC (identity-based access control) 267-293

attribute-based access control (ABAC) 282-293

best practices for 291

combining decisions 284

distributed policy enforcement and XACML 290-291

implementing decisions 285-288

role-based access control (RBAC) 274-281

determining user roles 279-280

dynamic roles 280-281

mapping roles to permissions 276-277

static roles 277-278

users and groups 268-273

ID tokens 260-262, 264-266

idempotent operations 506

identification 21-22

identity

combining capabilities with 314-315

verifying client identity 402-406

identity-based access control 22

idle timeouts 211

IDS (intrusion detection system) 10

IIoT (industrial IoT) 440

IllegalArgumentException 51

image property 354

img tag 167

impersonation 431

implicit grant 228

implicit nonces 453

import statement 287

in transit encryption 20

inactivity logout 211

indistinguishability 15

industrial IoT (IIoT) 440

Inet6Address class 363

InetAddress.getAllByName() method 363

information disclosure 18

InfoSec (Information security) 8

ingress controller 375, 377-378

init container 338

InitialDirContext 272

initialization vector (IV) 201, 475

injection attacks 39-47

mitigating SQL injection with permissions 45-47

preventing 43-45

.innerHTML attribute 169

input validation 47-51

InputStream argument 421

insecure deserialization vulnerability 48

- -insecure option 81

INSERT statement 41-42, 46

insert() method 286

insufficient_scope 221

int value 61

integrity 14

intermediate CAs 246, 369-370

Introspection endpoint 529

intrusion detection system (IDS) 10

intrusion prevention system (IPS) 10

invalid curve attacks 455

IoT (Internet of Things) 4, 65

IoT (Internet of Things) APIs 488-522

authenticating devices 489-496

device certificates 492

identifying devices 489-492

with TLS connection 492-496

end-to-end authentication 496-510

avoiding replay in REST APIs 506-510

Object Security for Constrained RESTful Environments (OSCORE) 499-506

OAuth2 for constrained environments 511-517

offline access control 518-521

offline authorization 520-521

offline user authentication 518-520

IoT (Internet of Things) communications 439-487

end-to-end security 467-478

alternatives to COSE 472-474

COSE 468-472

misuse-resistant authenticated encryption (MRAE) 475-478

key distribution and management 479-486

key distribution servers 481-482

one-off key provisioning 480-481

post-compromise security 484-486

ratcheting for forward secrecy 482-484

pre-shared keys (PSK) 458-467

clients 462-463

implementing servers 460-461

supporting raw PSK cipher suites 463-464

with forward secrecy 465-467

IoT (Internet of Things) communications (continued)

transport layer security (TLS) 440-457

cipher suites for constrained devices 452-457

Datagram TLS 441-452

IPS (intrusion prevention system) 10

isAfter method 326

isBlockedAddress 364

isInboundDone() method 450

isMemberOf attribute 273

iss claim 187, 253, 393, 395

Istio Gateway 408

IV (initialization vector) 201, 475

ivLength argument 502

J

Java 523-531

installing

Authorization Server 525-531

Docker 525

LDAP directory server 531

setting up 523-525

Linux 525

macOS 523-524

Windows 525

Java EE (Java Enterprise Edition) 10

java.net.InetAddress class 363

java.net.URI class 303

JavaScript

calling login API from 140-142

calling Natter API from 102-104

java.security package 133

java.security.cert.X509Certificate object 402

java.security.egd property 350

java.security.MessageDigest class 411

java.security.SecureRandom 201

javax.crypto.Mac class 174, 320

javax.crypto.SecretKey class 205

javax.crypto.spec.SecretKeySpec class 426

javax.net.ssl.TrustManager 246

JdbcConnectionPool object 33

jku header 190

JOSE (JSON Object Signing and Encryption) header 188-190

algorithm header 188-189

specifying key in header 189-190

jq utility 327

JSESSIONID cookie 141

JSON Web Algorithms (JWA) 185

JSON Web Encryption (JWE) 185

JSON Web Key (JWK) 185, 189

JSON Web Signatures (JWS) 185, 469

JSONException 51

JsonTokenStore 183, 187, 192, 198, 200, 203, 206, 208-209, 322

jti claim 187, 394

JWA (JSON Web Algorithms) 185

JWE (JSON Web Encryption) 185

JWEHeader object 203

JWK (JSON Web Key) 185, 189

jwk header 190

JWK Set URI 529

JWKSet.load method 392

jwks_uri field 252

JWS (JSON Web Signatures) 185, 469

JWS Compact Serialization 185

JWSAlgorithm object 191

JWSSigner object 191

JWSVerifier object 191, 193

JWT bearer authentication 384-385

JWT ID (jti) claim 211

JwtBearerClient class 391

JWTClaimsSet.Builder class 203

JWTs (JSON Web Tokens) 185-194, 389

client authentication 391-393

generating 393-395

encrypted 200-202, 256

generating standard 190-193

JOSE header 188-190

algorithm header 188-189

specifying key in header 189-190

standard claims 187-188

using library 203-205

validating access tokens 249-256

choosing signature algorithm 254-256

retrieving public key 254

validating signed 193-194

K

-k option 81

KDF (key derivation function) 425

KEK (key encryption key) 421

Kerckhoff’s Principle 195

key derivation function (KDF) 425

key distribution and management 479-486

derivation 425-428

generating for HMAC 176-177

key distribution servers 481-482

managing service credentials 420-422

one-off key provisioning 480-481

post-compromise security 484-486

ratcheting for forward secrecy 482-484

retrieving public keys 251-254

specifying in JOSE header 189-190

key distribution servers 481-482

key encryption key (KEK) 421

key hierarchy 421

Key ID (KID) header 504

key management 415

Key object 174, 460

key rotation 189-190

key-driven cryptographic agility 189

KeyManager 443

KeyManagerFactory 450

keys 22

keys attribute 251

keys field 393

KeyStore object 246, 421

keytool command 199, 391

KID (Key ID) header 504

kid header 190, 428

KieServices.get().getKieClasspathContainer() method 286

kit-of-parts design 186

KRACK attacks 475

kty attribute 189

kubectl apply command 346, 377

kubectl command-line application 533

kubectl create secret docker-registry 416

kubectl create secret tls 416

kubectl describe pod 417

kubectl get namespaces command 346

Kubernetes

deploying Natter on 339-368

building H2 database as Docker container 341-345

calling link-preview microservice 357-360

deploying database to Kubernetes 345-349

deploying new microservice 355-357

DNS rebinding attacks 366-368

link-preview microservice 353-354

preventing server-side request forgery (SSRF) attacks 361-365

microservice APIs on 336

secrets 380, 415-420

securing incoming requests 381

securing microservice communications 368-377

locking down network connections 375-377

securing communications with TLS 368-369

using service mesh for TLS 370-374

setting up 532-534

Linux 533-534

MacOS 532-533

Windows 534

L

LANGSEC movement 48

lateral movement 375

layer-7 (Application-layer DoS attacks) 65

LDAP (Lightweight Directory Access Protocol) 72, 271

groups 271-273

installing directory server 531

Linkerd 372-374

linkerd annotation 372

linkerd check command 372

link-local IP address 363

link-preview microservice 353-354, 357-360

LinkPreviewer class 367

links field 358

Linux

setting up Java and Maven on 525

setting up Kubernetes 533-534

Minikube 534

VirtualBox 534

List objects 403

list_files scope 224

load balancer 10

load event 104

load() method 421

localStorage object 164

login

building UI for Natter API 138-142

implementing token-based 112-115

login(username, password) function 140

logout 143-145

long-lived secrets 423-425

lookupPermissions method 279, 306, 316

loopback address 363

M

MAC (mandatory access control) 223, 267

MAC (message authentication code) 172, 456, 496, 504

macaroons 319-330

contextual caveats 321

first-party caveats 325-328

macaroon token store 322-324

third-party caveats 328-330

answers to exercises 330

creating 329-330

MacaroonsBuilder class 326, 329

MacaroonsBuilder.create() method 322

macaroon.serialize() method 322

MacaroonsVerifier 323

MacaroonTokenStore 324

macKey 192, 324

macKey.getEncoded() method 322

macOS

setting up Java and Maven 523-524

setting up Kubernetes 532-533

Minikube 533

VirtualBox 532-533

MACSigner class 192

MACVerifier class 192-193

MAF (multi-factor authentication) 22

Main class 30, 34, 46, 51, 54, 75-76, 200, 318, 418

main() method 46, 59, 93, 280, 288, 318, 394-395, 418, 493-494

mandatory access control (MAC) 223, 267

man-in-the-middle (MitM) attack 485

marker interfaces 207

Maven 523, 531

installing

Authorization Server 525-531

Docker 525

LDAP directory server 531

setting up

Linux 525

macOS 523-524

Windows 525

max-age attribute 82, 122

max_time parameter 262

member attribute 272

member role 278

- -memory flag 344

message authentication 497

message authentication code (MAC) 172, 456, 496, 504

Message class 358

MessageDigest class 133

MessageDigest.equals 180

MessageDigest.isEqual method 134-135, 175, 413

messages table 32

microservice APIs in Kubernetes 335-382

deploying Natter on Kubernetes 339-368

building H2 database as Docker container 341-345

calling link-preview microservice 357-360

deploying database to Kubernetes 345-349

deploying new microservice 355-357

DNS rebinding attacks 366-368

link-preview microservice 353-354

preventing server-side request forgery (SSRF) attacks 361-365

securing incoming requests 377-381

securing microservice communications 368-377

locking down network connections 375-377

securing communications with TLS 368-369

using service mesh for TLS 370-374

microservices 3, 335

microservices architecture 8

Minikube

Linux 534

MacOS 533

Windows 534

minikube ip command 345, 360, 368

misuse-resistant authenticated encryption (MRAE) 475-478

MitM (man-in-the-middle) attack 485

mkcert utility 80-81, 246, 379, 400, 402, 406, 451

mode of operation, block cipher 196

model-view-controller (MVC) 34

modern token-based authentication 146-180

allowing cross-domain requests with CORS 147-154

adding CORS headers to Natter API 151-154

CORS headers 150-151

preflight requests 148

hardening database token storage 170-180

authenticating tokens with HMAC 172-177

hashing database tokens 170-171

protecting sensitive attributes 177-180

tokens without cookies 154-169

Bearer authentication scheme 160-162

deleting expired tokens 162-163

storing token state in database 155-160

storing tokens in Web Storage 163-166

updating CORS filter 166

XSS attacks on Web Storage 167-169

monotonically increasing counters 497

MRAE (misuse-resistant authenticated encryption) 475-478

mTLS (mutual TLS) 374, 396-414

certificate-bound access tokens 410-414

client certificate authentication 399-401

using service mesh 406-409

verifying client identity 402-406

with OAuth2 409-410

multicast delivery 441

multi-factor authentication (MAF) 22

multistage build, Docker 342

MVC (model-view-controller) 34

N

-n option 415

NaCl (Networking and Cryptography Library) 198-200, 473

name constraints 370

namespace 345

Natter API 27-33, 62-97

access control 87-97

access control lists (ACLs) 90-92

adding new members to Natter space 94-95

avoiding privilege escalation attacks 95-97

enforcing 92-94

enforcing authentication 89

adding CORS headers to 151-154

adding scoped tokens to 220-222

addressing threats with security controls 63-64

audit logging for accountability 82-87

authentication to prevent spoofing 70-77

authenticating users 75-77

creating password database 72-74

HTTP Basic authentication 71

registering users in Natter API 74-75

secure password storage with Scrypt 72

building login UI 138-142

calling from JavaScript 102-104

deploying on Kubernetes 339-368

building H2 database as Docker container 341-345

calling link-preview microservice 357-360

deploying database to Kubernetes 345-349

deploying new microservice 355-357

DNS rebinding attacks 366-368

link-preview microservice 353-354

preventing server-side request forgery (SSRF) attacks 361-365

double-submit cookies for 133-138

encrypting private data 78-82

enabling HTTPS 80-81

strict transport security 82

implementation 29

initializing database 32-33

overview 28-29

rate-limiting for availability 64-69

setting up project 30-31

using capability URIs in 303-307

returning capability URIs 305-306

validating capabilities 306-307

natter-api namespace 345, 375, 380, 401

natter-api-service 367

natter-api-service.natter-api 367

natter_api_user permissions 73, 84

natter-tls namespace 380

nbf claim 187

NEED_TASK 447

NEED_UNWRAP 446

NEED_UNWRAP_AGAIN 447

NEED_WRAP 447

network connections, locking down 375-377

network policies, Kubernetes 375

network segmentation 368

Networking and Cryptography Library (NaCl) 198-200, 473

network-level DoS attack 64

nextBytes() method 158

NFRs (non-functional requirements) 14

nginx.ingress.kubernetes.io/auth-tls-error-page 400

nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream 400

nginx.ingress.kubernetes.io/auth-tls-secret 400

nginx.ingress.kubernetes.io/auth-tls-verify-client 400

nginx.ingress.kubernetes.io/auth-tls-verify-depth 400

nodePort attribute 352

nodes, Kubernetes 337

nonce (number-used-once) 201, 262-263, 497

nonce() method 504

nonces 503-504

non-functional requirements (NFRs) 14

non-repudiation 14

NOT_HANDSHAKING 447

number-used-once (nonce) 201, 262-263, 497

O

OAEP (Optimal Asymmetric Encryption Padding) 257

OAuth2 217-266

ACE-OAuth (Authorization for Constrained Environments using OAuth2) 511-517

authorization code grant 230-238

hardening code exchange with Proof Key for Code Exchange (PKCE) 236-237

redirect URIs for different types of client 235-236

refresh tokens 237-238

client credentials grant 385-388

introducing 226-230

authorization grants 228-229

discovering OAuth2 endpoints 229-230

types of clients 227-228

client authentication 391-393

generating 393-395

service account authentication 395

mutual TLS (mTLS) with 409-410

OpenID Connect (OIDC) 260-266

hardening 263-264

ID tokens 260-262

passing ID tokens to APIs 264-266

OAuth2 (continued)

scoped tokens 218-224

adding to Natter 220-222

difference between scopes and permissions 223-224

single sign-on (SSO) 258-259

token exchange 431-435

validating access tokens 239-258

encrypted JWT 256

JWTs 249-256

letting AS decrypt tokens 258

securing HTTPS client configuration 245-247

token introspection 239-244

token revocation 248

OAuth2TokenStore 243, 248

Object array 272

object-oriented (OO) 296

ocaps (object-capability-based security) 296

OCSP (online certificate status protocol) 369

off-heap memory 483

offline access control 518-521

offline authorization 520-521

offline user authentication 518-520

OIDC (OpenID Connect) 185, 260-266, 497

hardening 263-264

ID tokens 260-262

passing ID tokens to APIs 264-266

onboarding 489

one-off key provisioning 480-481

online certificate status protocol (OCSP) 369

OO (object-oriented) 296

open redirect vulnerability 232, 364-365

Optimal Asymmetric Encryption Padding (OAEP) 257

Optional class 112

Optional.empty() method 117

optional_no_ca option 414

OR operator 135

ORM (object-relational mapper) 45

OSCORE (Object Security for Constrained RESTful Environments) 499-506

deriving context 500-503

encrypting message 504-506

generating nonces 503-504

Oscore class 502, 504

output

exploiting XSS Attacks 54-57

implementing protections 58-61

preventing XSS 57-58

producing safe 53-61

OWL (Web Ontology Language) 281

owner field 77

owner role 278

P

package statement 287

padding oracle attack 202

PAP (Policy Administration Point) 290

PartyU 470

PASETO 186

password hashing algorithm 72

passwords

creating database for 72-74

storage with Scrypt 72

Path attribute 121

path traversal 420

path traversal vulnerability 484

PDP (Policy Decision Point) 290

PEM (Privacy Enhanced Mail) 80

PEP (Policy Enforcement Point) 290

perfect forward secrecy 453

permissions 90

difference between scopes and 223-224

mapping roles to 276-277

mitigating SQL injection attacks with 45-47

permissions table 90, 269, 271, 277-278

permit() method 284, 286

perms attribute 307

persistent cookie 122

personally identifiable information (PII) 24

phantom token pattern 429-431

PII (personally identifiable information) 24

PIP (Policy Information Point) 290

PKCE (Proof Key for Code Exchange) 236-237

PKI (public key infrastructure) 369, 409, 479

pods 337

podSelector 375

POLA (principle of least authority) 45-46, 90, 250, 295

Policy Administration Point (PAP) 290

Policy Decision Point (PDP) 290

Policy Enforcement Point (PEP) 290

Policy Information Point (PIP) 290

policy sets 290

PoP (proof-of-possession) tokens 410, 517

post-compromise security 484-486

postMessage operation 280

- -pre argument 372

preflight requests 148

prepared statements 43-44

pre-shared keys 455

.preventDefault() method 104

PRF (pseudorandom function) 475

principle of defense in depth 66

principle of least authority (POLA) 45-46, 90, 250, 295

principle of least privilege 46

principle of separation of duties 84

Privacy Enhanced Mail (PEM) 80

private-use IP address 363

privilege escalation attacks 95-97

privilege separation 341

processResponse method 242, 413

prompt=login parameter 262

prompt=none parameter 262

Proof Key for Code Exchange (PKCE) 236-237

property attribute 354

PROTECTED header 470

pseudorandom function 425

PSK (pre-shared keys) 458-463, 467, 490, 492

clients 462-463

implementing servers 460-461

supporting raw PSK cipher suites 464

with forward secrecy 465-467

PskClient 494

pskId variable 494

PskServer 493

PSKTlsClient 462, 464

PSKTlsServer class 460, 495

public clients 227

public key encryption algorithms 195

public key infrastructure (PKI) 369, 409, 479

public keys 251-254

public suffix list 128

pw_hash column 73

Q

query language 8

QueryBuilder class 270

QUIC protocol (Quick UDP Internet Connections) 442

quotas 24

R

rainbow table 75

random number generator (RNG) 157

ratcheting 482-484

RateLimiter class 67

rate-limiting 19, 24-26

answers to pop quiz questions 25-26

for availability 64-69

raw PSK cipher suites 463-464

raw public keys 455

RBAC (role-based access control) 274-281

determining user roles 279-280

dynamic roles 280-281

mapping roles to permissions 276-277

static roles 277-278

RCE (remote code execution) 48

read() method 194, 213, 252, 254, 325-326

readMessage method 359

read-only memory (ROM) 480

readOnlyRootFileSystem 347

realms 277

receive() method 446

Recipient Context 499

Recipient object 470

recvBuf 446

redirect URIs 235-236

redirect_uri parameter 234

ReDoS (regular expression denial of service) attack 51

Referrer-Policy header 301

reflection attacks 188, 471

refresh tokens 237-238

registerable domain 127

registering users in Natter API 74-75

regular expression denial of service (ReDoS) attack 51

remote attestation 481

remote code execution (RCE) 48

Remote Method Invocation (RMI) 7

Remote Procedure Call (RPC) 7

RemoteJWKSet class 252-253

removeItem(key) method 165

replay 506-510

replay attacks 187-188, 496, 498

repudiation 18

request object 34, 509

requested_token_type parameter 432

request.session() method 116

request.session(false) method 120

request.session(true) method 119-120

requireAuthentication method 92, 138, 162

requirePermission method 270, 276, 279, 283

requireRole filter 276

requireScope method 221

resource owner (RO) 227

Resource Owner Password Credentials (ROPC) grant 228

resource parameter 432

resource server (RS) 227

resources 14, 282

Response object 34

response_type parameter 231

REST (REpresentational State Transfer) 8

REST APIs 34-35

avoiding replay in 506-510

capability-based security and 297-302, 318

capability URIs for browser-based clients 311-312

combining capabilities with identity 314-315

hardening capability URIs 315-318

Hypertext as Engine of Application State (HATEOAS) 308-311

using capability URIs in Natter API 303-307

creating new space 34-35

wiring up endpoints 36-39

Retry-After header 67, 96

reverse proxy 10

Revocation endpoint 529

REVOKE command 46

revoke method 182, 203, 239, 248

revoking tokens 209-213

access tokens 248

implementing hybrid tokens 210-213

RMI (Remote Method Invocation) 7

RNG (random number generator) 157

RO (resource owner) 227

role_permissions table 277, 279

@RolesAllowed annotation 276

ROM (read-only memory) 480

root CA 369, 397

ROPC (Resource Owner Password Credentials) grant 228

routes 36

row-level security policies 179

RowMapper method 85

RPC (Remote Procedure Call) 7

RS (resource server) 227

RtlGenRandom() method 157

runAsNonRoot 346

rwd (read-write-delete) permissions 309

S

salt 75

same-origin policy (SOP) 54, 105-106, 147

SameSite attribute 121

SameSite cookies 127-129, 152

SameSite=lax 129

SameSite=strict 129

sandboxing 347

satisfyExact method 325

Saver API 297

scope claim 254

scope field 242

scope parameter 432, 514

scoped tokens 218-224

adding to Natter 220-222

difference between scopes and permissions 223-224

scopes 219

Scrypt 72

search method 272

secret key cryptography 195

SecretBox class 198-200, 490

SecretBox.encrypt() method 198

SecretBox.key() method 200

secretName 380

secrets management services 420-422

Secure attribute 121

secure element chip 477

__Secure prefix 123

Secure Production Identity Framework for Everyone (SPIFFE) 407-408

Secure Socket Layer (SSL) 79

secure() method 81, 350, 392

SecureRandom class 157-158, 160, 180, 236, 329, 350, 443

SecureTokenStore interface 207-209, 323

security areas 8-12

security domain 277

security goals 14-16

Security Information and Event Management (SIEM) 83

security mechanisms 19-26

access control and authorization 22-23

audit logging 23-24

encryption 20

identification and authentication 21-22

rate-limiting 24-26

security token service (STS) 432

securityContext 346

SecurityParameters class 495

SELECT statement 46

selectFirst method 354

selectors 346

self-contained tokens 181-214

encrypting sensitive attributes 195-205

authenticated encryption 197

authenticated encryption with NaCl 198-200

encrypted JWTs 200-202

using JWT library 203-205

handling token revocation 209-213

JWTs 185-194

generating standard 190-193

JOSE header 188-190

standard claims 187-188

validating signed 193-194

self-contained tokens (continued)

using types for secure API design 206-209

self-signed certificate 80

Sender Context 499

sensitive attributes

encrypting 195-205

authenticated encryption 197

authenticated encryption with NaCl 198-200

encrypted JWTs 200-202

using JWT library 203-205

protecting 177-180

separation of duties 84

Serializable framework 48

serialize() method 191, 203

servers

implementing DTLS 450-452

implementing PSK for 460-461

server-side request forgery (SSRF) attacks 190, 361-365

service accounts

client credentials grant 387-388

service API calls 428-435

OAuth2 token exchange 431-435

phantom token pattern 429-431

service mesh

for TLS 370-374

mutual TLS (mTLS) 406-409

services, Kubernetes 338-339

service-to-service APIs 383-436

API keys and JWT bearer authentication 384-385

client authentication 391-393

generating JWTs 393-395

managing service credentials 415-428

avoiding long-lived secrets on disk 423-425

key and secret management services 420-422

key derivation 425-428

Kubernetes secrets 415-420

mutual TLS authentication 396-414

certificate-bound access tokens 410-414

client certificate authentication 399-401

how TLS certificate authentication works 397-398

mutual TLS with OAuth2 409-410

using service mesh 406-409

verifying client identity 402-406

OAuth2 client credentials grant 385-388

service API calls in response to user requests 428-435

OAuth2 token exchange 431-435

phantom token pattern 429-431

session cookie authentication 101-145

building Natter login UI 138-142

implementing logout 143-145

in web browsers 102-108

calling Natter API from JavaScript 102-104

drawbacks of HTTP authentication 108

intercepting form submission 104

serving HTML from same origin 105-108

preventing Cross-Site Request Forgery attacks 125-138

double-submit cookies for Natter API 133-138

hash-based double-submit cookies 129-133

SameSite cookies 127-129

session cookies 115-125

avoiding session fixation attacks 119-120

cookie security attributes 121-123

validating 123-125

token-based authentication 109-115

implementing token-based login 112-115

token store abstraction 111-112

session cookies 115-125

avoiding session fixation attacks 119-120

cookie security attributes 121-123

validating 123-125

session fixation attacks 119-120

session.fireAllRules() method 286

session.invalidate() method 143

sessionStorage object 164

Set-Cookie header 115

setItem(key, value) method 165

setSSLParameters() method 456

SHA-256 hash function 133

sha256() method 171

side channels 477

sidecar container 338

SIEM (Security Information and Event Management) 83

signature algorithms 254-256

Signature object 421

SignedJwtAccessToken 265

SignedJwtAccessTokenStore 252

SignedJwtTokenStore 192, 208

single logout 260

single sign-on (SSO) 258-259

single-page apps (SPAs) 54, 312

site-local IPv6 addresses 363

SIV (Synthetic Initialization Vector) mode 475

SIV-AES 475

slow_down 516

smart TVs 512

SOP (same-origin policy) 54, 105-106, 147

SpaceController class 34, 36-37, 75, 94, 278, 304

spaceId 41

space_id field 277

:spaceId parameter 92

spaces 34-35

spaces database 35

spaces table 32, 90

Spark route 36

Spark.exception() method 51

SPAs (single-page apps) 54, 312

SPIFFE (Secure Production Identity Framework for Everyone) 407-408

sponge construction 473

spoofing prevention 70-77

authenticating users 75-77

creating password database 72-74

HTTP Basic authentication 71

registering users in Natter API 74-75

secure password storage with Scrypt 72

SQLi (SQL injection) attacks 40, 45-47, 270

src attribute 167

SSL (Secure Socket Layer) 79

SSL offloading 10

SSL passthrough 379

SSL re-encryption 10

SSL termination 10

ssl-client-cert header 400, 402, 404, 413

ssl-client-issuer-dn header 402

ssl-client-subject-dn header 402

ssl-client-verify header 402, 404, 413

SSLContext 444, 450

SSLContext.init() method 443

SSLEngine class 443-444, 456-457, 461

sslEngine.beginHandshake() method 446

sslEngine.getHandshakeStatus() method 446

SSLEngine.unwrap() method 447

sslEngine.unwrap(recvBuf, appData) 446

sslEngine.wrap(appData, sendBuf) 445

SSLParameters 456

SSLSocket class 443-444

SSO (single sign-on) 258-259

SSRF (server-side request forgery) attacks 190, 361-365

state parameter 232, 263

stateless interactions 115

static groups 272

static roles 277-278

staticFiles directive 106

sticky load balancing 505-506

Storage interface 165

strict transport security 82

STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) 18

String equals method 134

STROBE framework 473

STS (security token service) 432

styles, API security 7-8

sub claim 187, 191, 393, 395

sub field 242

sub-domain hijacking 122

sub-domain takeover 122

subject attribute 123, 282

Subject field 407

subject_token_type parameter 432

.svc.cluster.local filter 367

Synthetic Initialization Vector (SIV) mode 475

System.getenv(String name) method 417

T

tampering 18

tap utility 373

targetPort attribute 348

TCP (Transmission Control Protocol) 441

temporary tables 270

test client 388

third-party caveats 328-330

answers to exercises 330

creating 329-330

third-party clients 111

threat models 16-18

threats 17, 63-64

throttling 24-25

thumbprint method 411

timeOfDay attribute 288

TimestampCaveatVerifier 325

timing attacks 134

TLS (Transport Layer Security) 9, 79, 440-457

authenticating devices with 492-496

cipher suites for constrained devices 452-457

Datagram TLS (DTLS) 441-452

implementing for client 443-450

implementing for server 450-452

mutual TLS (mTLS) authentication 396-414

certificate-bound access tokens 410-414

client certificate authentication 399-401

using service mesh 406-409

verifying client identity 402-406

with OAuth2 409-410

securing communications with 368-369

using service mesh for 370-374

TLS cipher suite 245

TLS secret 416

TlsContext class 495

TLS_DHE_PSK_WITH_AES_128_CCM cipher suite 466

TLS_DHE_PSK_WITH_AES_256_CCM cipher suite 466

TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 cipher suite 466

TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 cipher suite 466

TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 cipher suite 466

TLS_EMPTY_RENEGOTIATION_INFO_SCSV marker cipher suite 456

TlsPSKIdentityManager 460

TLS_PSK_WITH_AES_128_CCM cipher suite 464

TLS_PSK_WITH_AES_128_CCM_8 cipher suite 464

TLS_PSK_WITH_AES_128_GCM_SHA256 cipher suite 464

TLS_PSK_WITH_AES_256_CCM cipher suite 464

TLS_PSK_WITH_AES_256_CCM_8 cipher suite 464

TLS_PSK_WITH_AES_256_GCM_SHA384 cipher suite 464

TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 cipher suite 464

Token class 111-112

Token endpoint 529

token exchange 431-435

token introspection 239-244

Token object 117

token parameter 241

token revocation 143

token store abstraction 111-112

token-based authentication 109-115

implementing token-based login 112-115

modern 146-180

allowing cross-domain requests with CORS 147-154

hardening database token storage 170-180

tokens without cookies 154-169

token store abstraction 111-112

TokenController class 177, 194, 200, 209, 315

TokenController interface 113-115, 118, 136

TokenController validateToken() method 124

tokenController.requireScope method 222

TokenController.validateToken method 317

tokenId argument 124, 134

tokenId parameter 136

tokens 102

access tokens 239-258

ID tokens 260-262, 264-266

macaroons 319-330

contextual caveats 321

first-party caveats 325-328

macaroon token store 322-324

third-party caveats 328-330

refresh tokens 237-238

scoped tokens 218-224

adding to Natter 220-222

difference between scopes and permissions 223-224

self-contained tokens 181-214

encrypting sensitive attributes 195-205

handling token revocation 209-213

JWTs 185-194

using types for secure API design 206-209

without cookies 154-169

Bearer authentication scheme 160-162

deleting expired tokens 162-163

storing token state in database 155-160

storing tokens in Web Storage 163-166

updating CORS filter 166

XSS attacks on Web Storage 167-169

tokens table 158, 305

TokenStore interface 111-113, 115, 118, 124, 143-144, 207-208, 243, 303, 322

tokenStore variable 315

token_type_hint parameter 241

toPublicJWKSet method 392

Transmission Control Protocol (TCP) 441

trust boundaries 17

Trusted Types 169

TrustManager array 443, 450

TrustManagerFactory 443

tryAcquire() method 67

two-factor authentication (2FA) 22

U

UDP (User Datagram Protocol) 65, 442

UDPTransport 461

UIDs (user IDs) 343, 350

UMA (User Managed Access) 224

unacceptable inputs 50

uniqueMember attribute 272

Universal Links 235

UNPROTECTED header 471

unwrap() method 447-448, 450-451

update() method 426

updateUnique method 44

URI field 407

uri.toASCIIString() method 305

URL class 312

user codes 513

User Datagram Protocol (UDP) 65, 442

user IDs (UIDs) 343, 350

User Managed Access (UMA) 224

user requests 428-435

OAuth2 token exchange 431-435

phantom token pattern 429-431

UserController class 74, 76, 91, 113, 269, 404, 413

UserController.lookupPermissions method 306

user_id column 305

user_id field 277

UserInfo endpoint 260, 529

username attribute 316

username field 242

user_roles table 277-279, 305

users 268-273

adding new to Natter space 94-95

authenticating 75-77

determining user roles 279-280

Lightweight Directory Access Protocol (LDAP) groups 271-273

registering 74-75

users table 90, 269

V

validateToken method 123, 137

validation

capabilities 306-307

session cookies 123-125

signed JWTs 193-194

VARCHAR 491

verification URI 513

verification_uri_complete field 515

version control capabilities 23

virtual machines (VMs) 337

virtual private cloud (VPC) 423

virtual static groups 272

VirtualBox

Linux 534

MacOS 532-533

Windows 534

VMs (virtual machines) 337

volumeMounts section 417

VPC (virtual private cloud) 423

W

WAF (web application firewall) 10

web browsers, session cookie authentication in 102-108

calling Natter API from JavaScript 102-104

drawbacks of HTTP authentication 108

intercepting form submission 104

serving HTML from same origin 105-108

Web Ontology Language (OWL) 281

Web Storage

storing tokens in 163-166

XSS attacks on 167-169

WebAuthn 397

web-keys 312

wikis 23

window object 104

window.location.hash variable 312

window.referrer field 312

window.referrer variable 301-302

Windows

setting up Java and Maven on 525

setting up Kubernetes 534

Minikube 534

VirtualBox 534

wrap() method 447-449, 451

WWW-Authenticate challenge header 161

WWW-Authenticate header 89

X

x5c claim 409

x5c header 251

XACML (eXtensible Access-Control Markup Language) 290-291

X-Content-Type-Options header 57

X-CSRF-Token header 130, 136, 142, 160, 163, 166

X-Forwarded-Client-Cert header 407-408

X-Frame-Options header 57

XMLHttpRequest object 102

XOR operator 135

xor() method 504

XSS (cross-site scripting) attacks 54, 56, 168

exploiting 54-57

on Web Storage 167-169

preventing 57-58

X-XSS-Protection header 57

Z

zero trust networking 362

 

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.22.248.208