
Advanced API Security with Spring Security OAuth

baeldung
March 04, 2016

The structure of this presentation focuses on the following:
- An intro to Security Tokens
- Understand OAuth2
- An OAuth implementation for a REST API with Spring Security
- How to consume the secured API from a JS client
- Understanding security threats in OAuth

Transcript

  1. HI (Advanced API Security - Workshop)
    • My name is Eugen Paraschiv
    • I’ve been running Baeldung for almost 5 years
    • And I’ve written quite a few OAuth implementations
  2. WORKSHOP GOAL
    • Get you comfortable with OAuth at a high level and get you started implementing it cleanly with Spring Security
  3–6. AGENDA (built up over four slides)
    • An intro to Security Tokens
    • Understand OAuth2
    • An OAuth implementation for a REST API with Spring Security
    • How to consume the secured API from a JS client
    • Understanding security threats
  7. OPEN QUESTION TIME
    Have you ever used OAuth to secure a system before?
  8. I. Security Tokens
  9–11. Security Tokens
    • The history of Security Tokens
    • The structure of a Security Token
    • JSON Web Tokens (JWT)
  12–14. The History of Security Tokens
    • SAML
      – XML Based
      – Lots of encryption and signature options
    • Simple Web Token
      – Form / URL encoded
      – Symmetric signatures only
    • JSON Web Tokens (JWT)
      – JSON Encoded
      – Symmetric and asymmetric signatures
      – Symmetric and asymmetric encryption
  15–16. The Structure of a Security Token
    • A Security Token contains information about:
      – The Issuer
      – The Recipient
      – The Subject
      – An Expiration Time (usually)
    • Tokens are typically signed (symmetrically or asymmetrically)
  17–18. JWT
    • The simple, high-level structure of a JWT Token is:
      – [header].[payload].[signature]
    • It’s self-contained
  19. JWT EXAMPLE
    • eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
  20. JWT HEADER EXAMPLE
    • A Header example:
      { "alg": "HS256", "typ": "JWT" }
  21. JWT PAYLOAD EXAMPLE
    • A Payload example:
      { "iss": "scotch.io", "exp": 1300819380, "name": "Chris Sevilleja", "admin": true }
  22. JWT SIGNATURE
    • The Signature is computed from:
      – The Header (Base64 URL encoded)
      – The Payload (Base64 URL encoded)
      – A Secret (the signing key)
  23. PLAY TIME
    Let’s hit a real Authorization Server
  24. STOP – Q&A Time
  25. II. What is OAuth2?
  26–28. OAuth2
    • OAuth2 is an Authorization protocol
    • A client can get limited access without asking for the master key
    • A strong reason for OAuth2 - mobile
  29–33. THE OAUTH ACTORS (diagram; only its labels survived extraction)
    Actors: Client, Resource Owner, Authorization Server, Resource Server
    Edge labels: uses, owns a Resource, trusts, registers with …, issues access token
    Read as: the Resource Owner owns a Resource that the Client uses; the Resource Server trusts the Authorization Server; the Client registers with the Authorization Server, which issues the access token
  34–37. OAUTH2 FLOWS
    • Authorization Code Flow
    • Implicit Flow
    • Resource Owner Password Credentials Flow
    • Client Credentials Flow
  38. STOP – Q&A Time
  39. IMPLEMENTATION - SCENARIO 1
    A minimal OAuth2 setup
  40. SPRING SECURITY OAUTH
    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>2.0.8.RELEASE</version>
    </dependency>
  41–43. THE AUTHORIZATION SERVER
    @SpringBootApplication
    @EnableAuthorizationServer
    public class AuthServer extends WebMvcConfigurerAdapter {
        public static void main(String[] args) {
            // the class handed to run() is this application class
            SpringApplication.run(AuthServer.class, args);
        }
    }
  44. AUTH SERVER - application.properties
    ...
    security.oauth2.client.clientId: sampleClientId
    security.oauth2.client.clientSecret: set_your_secret
    security.oauth2.client.authorized-grant-types: password
    security.oauth2.client.scope: read
  45. AUTH SERVER – JAVA CONFIG
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients. …
            .withClient("sampleClientId")
            .secret("set_your_secret")
            .authorizedGrantTypes("password")
            .scopes("read");
    }
  46. RUN THE AUTH SERVER (BOOT)
    …
    server.port=8081
    security.user.password=password
    server.contextPath=/auth
    …
  47. THE RESOURCE SERVER
    @SpringBootApplication
    @EnableResourceServer
    public class ResourceApplication extends ResourceServerConfigurerAdapter {
        public static void main(String[] args) {
            SpringApplication.run(ResourceApplication.class, args);
        }
    }
  48. Play Time
    Let’s now get an Access Token and consume the REST API with it
  49. IMPLEMENTATION - SCENARIO 2
    Let’s now switch from standard tokens to JWT
  50. AUTH SERVER - JWT
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-jwt</artifactId>
    </dependency>
  51. AUTH SERVER - JWT
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }
  52. AUTH SERVER - JWT
    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setTokenStore(tokenStore());
        return tokenServices;
    }
  53. AUTH SERVER - JWT
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer conf) {
        conf.tokenStore(tokenStore())
            .allowedTokenEndpointRequestMethods(GET, POST)
            .accessTokenConverter(accessTokenConverter());
    }
  54. RESOURCE SERVER - JWT
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signingKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() { … }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() { … }
  55. RESOURCE SERVER - JWT
    @Override
    public void configure(ResourceServerSecurityConfigurer config) {
        config.tokenServices(tokenServices());
    }
  56. Play Time
    Let’s now get an Access Token and consume the REST API with it
  57. IMPLEMENTATION - SCENARIO 3
    Introducing Refresh Tokens
  58. AUTH SERVER – REFRESH TOKEN
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients. …
            .authorizedGrantTypes("password", "refresh_token")
            .refreshTokenValiditySeconds(2592000); // 30 days
    }
  59. AUTH SERVER – REFRESH TOKEN
    @Bean
    public DefaultTokenServices tokenServices() {
        …
        tokenServices.setSupportRefreshToken(true);
        return tokenServices;
    }
  60. Play Time
    Let’s see the new Refresh Token in action
  61. STOP – Q&A Time
  62–64. GRANULAR AUTHORIZATION WITH OAUTH
    • Using User Authorities is an OK authorization option
    • Scopes are also a good option to drive granular authorization
    • In the Password Flow, scopes can be complex to implement
  65. STOP – Q&A Time
  66. IV. The Client Side – Token Storage in the Browser
  67–69. STORING THE ACCESS TOKEN
    • The Access Token
      – stored by the JS using a Cookie
      – short lived – 2 minutes
      – the cookie does not drive authentication
      – it’s only used for storage
  70. THE CLIENT – ACCESS TOKEN
    var req = {
        method: 'POST',
        url: "oauth/token",
        headers: {"Content-type": "application/x-www-form-urlencoded"},
        data: $httpParamSerializer(params)
    };
  71. THE CLIENT – ACCESS TOKEN
    $http(req).then(function(data) {
        // success
    }, function() {
        console.log("error");
        window.location.href = "login";
    });
  72–75. THE CLIENT – ACCESS TOKEN
    $http.defaults.headers.common.Authorization = 'Bearer ' + data.data.access_token;
    // save the Access Token
    var expireDate = new Date(new Date().getTime() + (1000 * data.data.expires_in));
    $cookies.put("access_token", data.data.access_token, {'expires': expireDate});
    window.location.href = "index";
  76. The Refresh Token
  77–80. THE REFRESH TOKEN – IN A COOKIE
    • The Cookie is secure (HTTPS only - no network sniffing attacks)
    • The Cookie is HTTP only (not readable from JS, so XSS cannot read it out)
    • The Cookie has a very specific path (/oauth/path)
    • /oauth/path has CSRF protection
  81–83. HOW DO WE WORK WITH THE COOKIE?
    • By default, the Refresh Token is returned with the Access Token JSON
    • We will intercept that Request <-> Response and make changes
    • We’ll use the Zuul Proxy to make the changes on the Request / Response
  84–85. OBTAINING THE TOKENS - THE RESPONSE
    • When we obtain an Access Token, we also receive the Refresh Token
    • The Proxy will get the value from the JSON Body and set it to the Cookie
  86–88. REFRESHING THE ACCESS TOKEN
    • When we refresh the Access Token, the Cookie will be sent by the Browser
    • The Proxy will get the Refresh Token value from the Cookie
    • And it will add it as a parameter on the Request
  89. THE CLIENT – DOING REFRESH
    • The JS Client can now trigger a refresh of the token behind the scenes
    • The JS Client can also intercept a 401 Response and refresh the token
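Added example, not the deck's Zuul filters: the two proxy-side rewrites described on the OBTAINING THE TOKENS and REFRESHING THE ACCESS TOKEN slides, modelled as pure Node.js functions so they can be exercised without a proxy. The cookie name, the `/oauth/token` path, the 30-day Max-Age (matching `refreshTokenValiditySeconds(2592000)`) and the SameSite attribute are this example's assumptions; the deck itself only specifies Secure, HttpOnly and a narrow path.

```javascript
// Added example (not from the deck): proxy-side handling of the refresh token cookie.
const REFRESH_COOKIE = 'refresh_token';   // assumption: cookie name
const TOKEN_PATH = '/oauth/token';         // assumption: the only path the cookie is sent to

// Response direction: strip refresh_token from the JSON body the Authorization Server
// returned, and hand it to the browser only as a locked-down cookie.
function rewriteTokenResponse(body, maxAgeSeconds = 2592000) {
  if (typeof body.refresh_token !== 'string') return { body, setCookie: null };
  const { refresh_token, ...visibleBody } = body;
  const setCookie = [
    `${REFRESH_COOKIE}=${encodeURIComponent(refresh_token)}`,
    `Path=${TOKEN_PATH}`,        // never attached to ordinary API calls
    `Max-Age=${maxAgeSeconds}`,  // aligned with the refresh token's validity
    'Secure',                    // HTTPS only
    'HttpOnly',                  // not readable from JS
    'SameSite=Strict',           // assumption: extra CSRF defence beyond the deck
  ].join('; ');
  return { body: visibleBody, setCookie };
}

// Minimal Cookie-header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Request direction: for grant_type=refresh_token, take the token from the cookie the
// browser attached and add it as the form parameter the Authorization Server expects.
// Any refresh_token parameter the client sent itself is discarded, not trusted.
function rewriteRefreshRequest(cookieHeader, formParams) {
  if (formParams.grant_type !== 'refresh_token') return { params: formParams, error: null };
  const fromCookie = parseCookies(cookieHeader)[REFRESH_COOKIE];
  if (!fromCookie) return { params: null, error: 'missing refresh token cookie' };
  const { refresh_token: _clientSupplied, ...rest } = formParams;
  return { params: { ...rest, refresh_token: fromCookie }, error: null };
}
```

`rewriteTokenResponse` is applied to the token endpoint's response body and its `setCookie` value goes out as a `Set-Cookie` header; `rewriteRefreshRequest` is applied to the incoming form parameters before the request is forwarded, so the JS client only ever sends `grant_type=refresh_token` and the browser's cookie jar supplies the secret.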
  90. STOP – Q&A Time
  91. V. THE OAUTH2 THREAT MODEL
    Let’s explore some security attacks
  92–95. CSRF Vulnerability?
    • We are not using Cookies to drive authentication
    • We are not using Cookies to drive authentication (mostly)
    • The Refresh Token is using a Cookie on /oauth/token
    • So we need CSRF protection on /oauth/token only
  96–99. HOW CSRF WORKS
    • The Browser sends security information implicitly
    • So any site can send a request to our API
    • And because the browser is indeed authenticated with our API
    • That request will be valid and will go through
  100–104. SOLUTIONS
    • We check the Referer header of the Request (Weak)
    • We check the Origin header of the Request (Better)
    • We use the Synchronizer Token Pattern to stop CSRF attacks
  105–106. REPLAY ATTACKS
    • Use HTTPS only
    • Sign requests and use nonces and timestamps to uniquely identify requests
  107–108. ACCESS TOKEN PHISHING
    • This attack is orchestrated with a counterfeit Resource Server
    • The endpoint URL of the Resource Server should be hard-coded in the Client
  109. STOP – Q&A Time
  110–114. OTHER POINTS TO HIT ON
    • Authentication in OAuth2 (OpenID Connect)
    • How do we revoke Tokens
    • Encrypting tokens in the browser
    • Protecting the Login against CSRF Attacks
    • How exactly do we do granular authorization?
  115–121. ADVANCED API SECURITY – “CQRS and Event Sourcing With Spring Boot”, 2 Hour Workshop (129$)
    • Separate Reads from Writes in a Spring API using CQRS
    • Implement our Event Store and persist raw JSON events
    • Go from Commands to Events with a Spring 4.2+ impl
    • Project Events into useful, eventually-consistent views
    • Leverage Polyglot Persistence for our Projections
    • Discuss transactional semantics across Projections
    • Deal with Eventual Consistency from the client side
  122–125. ADVANCED API SECURITY – “Advanced API Discoverability and HATEOAS”, 2 Hour Workshop (99$)
    • Use Spring HATEOAS for dynamic link building
    • Return relations as full embedded Resources vs. Links
    • Implement fetch plans / field plans
    • Build a custom Media Type and why that's useful
  126. ADVANCED API SECURITY – Workshop Bonus (next 48 hours)
    “All In One” Workshops: 124$ (50% Off)
    - “Advanced API Discoverability and HATEOAS”
    - “CQRS and Event Sourcing With Spring Boot”
  127. THANK YOU
    It’s Q&A Time