Security enforcement of the Java Microservice Applications
Charles Moulliard (@cmoulliard), 9th February 2017
Who
Software Engineer
Work on Spring Boot & Cloud, WildFly Swarm, Fabric8
Mountain Biker, Belgian Beer Fan
Blog: http://cmoulliard.github.io
Twitter: @cmoulliard
Email:
Agenda
RESTful use case
How to Secure the Endpoint
Policy
Web Container
Api Management
Demo
Use case description
Use case
REST Service

    @GET
    @Path("/customers/{id}/")
    @Produces("application/xml")
    @ApiOperation(value = "Find Customer by ID", notes = "More notes about this method",
                  response = Customer.class)
    @ApiResponses(value = {
        @ApiResponse(code = 500, message = "Invalid ID supplied"),
        @ApiResponse(code = 204, message = "Customer not found") })
    public Customer getCustomer(
            @ApiParam(value = "ID of Customer to fetch", required = true) @PathParam("id") String id) {
        LOG.info("Invoking getCustomer, Customer id is: {}", id);
        long idNumber = Long.parseLong(id);
        Customer c = customers.get(idNumber);
        return c;
    }
Api documented : Swagger
How to Secure?

Level: How
Endpoint: Framework / Policy / Interceptor
HTTP Web Container: Handler & Constraints
Externally: Api Manager
Endpoint Level
Intercept
Framework based : Apache Shiro, Spring Security
Interceptor/Policy : Apache Camel, Apache CXF
JAX-RS: @RolesAllowed annotation
Camel Design
    import org.apache.camel.builder.RouteBuilder;

    public class FilterRoute extends RouteBuilder {
        public void configure() throws Exception {
            // expose an HTTP endpoint with Netty and hand the request to the customer bean
            from("netty4-http:http://localhost:7777/camel/client")
                // copy the query string of the HTTP request into the "id" header
                .setHeader("id").simple("${header.CamelHttpQuery}")
                // invoke the getCustomer method of the bean registered as "customerServer"
                .beanRef("customerServer", "getCustomer");
        }
    }
Interceptor
To trace, log, secure
Camel Endpoint
Goal: extract from the HTTP request the information needed to authenticate a user
How: use a Camel Policy to wrap the Route / Pipeline with a new processor
Camel Example

    public class ShiroSecurityPolicy implements AuthorizationPolicy {

        public Processor wrap(RouteContext routeContext, final Processor processor) {
            // wrap the route's processor so that every exchange passes the Shiro check first
            return new ShiroSecurityProcessor(processor, this);
        }
        ...
    }

    // in the wrapping processor (ShiroSecurityProcessor)
    @Override
    public boolean process(Exchange exchange, AsyncCallback callback) {
        try {
            applySecurityPolicy(exchange);
        } catch (Exception e) {
            // authentication or authorization failed: fail the exchange and stop the pipeline
            exchange.setException(e);
            callback.done(true);
            return true;
        }
        return super.process(exchange, callback);
    }
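The wrapping mechanism described above, as an added example that is not part of the slides or of camel-shiro: a small AuthorizationPolicy whose wrap() returns a DelegateProcessor that pulls HTTP Basic credentials out of the Authorization header, checks them against an in-memory user store constructed for the demo, and rejects the exchange before the wrapped route runs. The route uses a direct: endpoint so it runs with camel-core alone; the class name, the bean-less route and the demo credentials are assumptions of this example.

```java
// Added example (not from the slides): a Camel AuthorizationPolicy that authenticates
// HTTP Basic credentials found on the exchange before the wrapped route is executed.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import org.apache.camel.CamelAuthorizationException;
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.model.ProcessorDefinition;
import org.apache.camel.processor.DelegateProcessor;
import org.apache.camel.spi.AuthorizationPolicy;
import org.apache.camel.spi.RouteContext;

public class HeaderAuthPolicy implements AuthorizationPolicy {

    // constructed demo store (user -> password); a real policy delegates to Shiro, JAAS, LDAP, ...
    private final Map<String, String> users = new HashMap<>();

    public HeaderAuthPolicy(String user, String password) {
        users.put(user, password);
    }

    @Override
    public void beforeWrap(RouteContext routeContext, ProcessorDefinition<?> definition) {
        // nothing to prepare before the route is wrapped
    }

    @Override
    public Processor wrap(RouteContext routeContext, final Processor processor) {
        // the returned processor authenticates first and only then delegates to the route
        return new DelegateProcessor(processor) {
            @Override
            public void process(Exchange exchange) throws Exception {
                authenticate(exchange);
                processNext(exchange);
            }
        };
    }

    private void authenticate(Exchange exchange) {
        String header = exchange.getIn().getHeader("Authorization", String.class);
        if (header == null || !header.startsWith("Basic ")) {
            throw new CamelAuthorizationException("Missing Basic credentials", exchange);
        }
        String user;
        String password;
        try {
            String decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            if (colon < 0) {
                throw new IllegalArgumentException("no ':' separator");
            }
            user = decoded.substring(0, colon);
            password = decoded.substring(colon + 1);
        } catch (IllegalArgumentException e) {
            throw new CamelAuthorizationException("Malformed Basic credentials", exchange);
        }
        String expected = users.get(user);
        // constant-time comparison so a wrong password does not leak timing information
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8))) {
            throw new CamelAuthorizationException("Invalid credentials", exchange);
        }
        // make the authenticated principal available to the rest of the route
        exchange.getIn().setHeader("AuthenticatedUser", user);
    }

    public static void main(String[] args) throws Exception {
        DefaultCamelContext context = new DefaultCamelContext();
        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // direct: keeps the demo self-contained; with netty4-http the Authorization
                // header reaches the exchange in exactly the same way
                from("direct:customers")
                    .policy(new HeaderAuthPolicy("bwayne", "bwayne")) // demo credentials
                    .transform().simple("customer ${body} requested by ${header.AuthenticatedUser}");
            }
        });
        context.start();
        ProducerTemplate template = context.createProducerTemplate();
        String good = Base64.getEncoder().encodeToString("bwayne:bwayne".getBytes(StandardCharsets.UTF_8));
        System.out.println(template.requestBodyAndHeader("direct:customers", "42",
                "Authorization", "Basic " + good, String.class));
        try {
            // "bm9wZQ==" is base64("nope"): no user:password separator, so the policy rejects it
            template.requestBodyAndHeader("direct:customers", "42", "Authorization", "Basic bm9wZQ==", String.class);
        } catch (Exception e) {
            System.out.println("rejected: " + e.getCause().getMessage());
        }
        context.stop();
    }
}
```

The policy throws CamelAuthorizationException before processNext() is called, so the bean behind the route is never invoked for an unauthenticated exchange; the exception surfaces to the caller wrapped in a CamelExecutionException, which is where an error handler or the HTTP consumer turns it into a 401/403.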
CXF Endpoint
How: implement the JAX-RS ContainerRequestFilter interface
Relies on the CXF interceptor chain
CXF Example

    @Provider
    @PreMatching
    public class SecurityRequestFilter implements ContainerRequestFilter {

        @Override
        public void filter(final ContainerRequestContext requestContext) throws IOException {
            ...
        }
    }
Web HTTP Container
Web container level
HTTP Handler
How: apply constraints to web resource path(s), for example:
GET /rest/accountservice/account for User
POST /webservices/customerservices/customer for Admin
Designed using JAAS: JDBC, LDAP, Properties
Can use roles
Jetty Example
Goal: restrict or allow access to resources
How: the requested URL is matched against one of the rule(s)
Example

    Constraint constraint = new Constraint();
    // without setAuthenticate(true) the roles are not enforced by Jetty
    constraint.setAuthenticate(true);
    constraint.setRoles(new String[] { "user", "admin" });

    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setPathSpec("/say/hello/*");
    mapping.setMethod("GET");
    mapping.setConstraint(constraint);
Login Auth Example

    // Describe the Authentication Constraint to be applied (BASIC, DIGEST, NEGOTIATE, ...)
    Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, "user");
    constraint.setAuthenticate(true);

    // Map the Auth Constraint with a Path
    ConstraintMapping cm = new ConstraintMapping();
    cm.setPathSpec("/*");
    cm.setConstraint(constraint);

    // users, passwords and roles are loaded from the properties file of the realm
    HashLoginService loginService = new HashLoginService("MyRealm", "myrealm.props");

    ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
    sh.setAuthenticator(new BasicAuthenticator());
    sh.setConstraintMappings(Collections.singletonList(cm));
    sh.setLoginService(loginService);
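The two Jetty fragments above stop short of wiring the handler into a server. The following added example (mine, not the slides' code) does the full wiring for the path/verb/role rules of the "HTTP Handler" slide: a deny-by-default constraint on /* for any authenticated user, role-specific constraints for the two example paths, and a servlet that echoes the principal. The realm file name myrealm.props, the class names and the port are assumptions.

```java
// Added example (not from the slides): an embedded Jetty 9 server whose
// ConstraintSecurityHandler enforces Basic authentication and per-path roles.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;

public class SecuredJettyServer {

    /** A constraint requiring an authenticated user holding one of the given roles. */
    static ConstraintMapping require(String pathSpec, String method, String... roles) {
        Constraint c = new Constraint();
        c.setName(Constraint.__BASIC_AUTH);
        c.setAuthenticate(true);          // roles are only enforced when authenticate is set
        c.setRoles(roles);
        ConstraintMapping m = new ConstraintMapping();
        m.setPathSpec(pathSpec);
        m.setMethod(method);              // null = all HTTP methods
        m.setConstraint(c);
        return m;
    }

    static ConstraintSecurityHandler securityHandler(String realmProps) {
        ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
        sh.setRealmName("MyRealm");
        sh.setAuthenticator(new BasicAuthenticator());
        // realm file format (assumed content): "bwayne: <password-or-hash>,admin"
        sh.setLoginService(new HashLoginService("MyRealm", realmProps));
        // deny by default: every path needs a login ("**" = any authenticated user) ...
        sh.addConstraintMapping(require("/*", null, Constraint.ANY_AUTH));
        // ... and the two paths from the slide additionally require a role
        sh.addConstraintMapping(require("/rest/accountservice/account", "GET", "user", "admin"));
        sh.addConstraintMapping(require("/webservices/customerservices/customer", "POST", "admin"));
        // a path that only constrains GET leaves POST/PUT/... uncovered, i.e. unprotected
        // under the Servlet 3.1 rules; make Jetty reject those instead of letting them through
        sh.setDenyUncoveredHttpMethods(true);
        sh.setRoles(new HashSet<>(Arrays.asList("user", "admin")));
        return sh;
    }

    /** Tiny resource that shows which principal the security handler established. */
    static class WhoAmIServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("hello " + req.getUserPrincipal().getName());
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        ctx.setContextPath("/");
        ctx.setSecurityHandler(securityHandler("myrealm.props")); // realm file path is assumed
        ctx.addServlet(new ServletHolder(new WhoAmIServlet()), "/*");
        server.setHandler(ctx);
        server.start();
        server.join();
    }
}
```

The most specific path spec wins, so the /* rule covers everything that has no dedicated mapping, while /rest/accountservice/account GET is narrowed to the user and admin roles. The setDenyUncoveredHttpMethods(true) call is the caveat to remember when mixing method-specific constraints: without it, a POST to a path that only lists a GET constraint matches no constraint at all.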
JAX-RS @RolesAllowed
Goal: allow/deny access to resources
How: using the @RolesAllowed annotation
Example

    @Path("projects")
    @Produces("application/json")
    public class ProjectsResource {

        @POST
        @RolesAllowed("manager")
        public Project createProject(final Project project) { ... }

        @GET
        @Path("{id}")
        public Project getProject(@PathParam("id") final Long id) { ... }
    }
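@RolesAllowed is only a declaration; something has to authenticate the caller and something has to enforce the annotation. The added example below (my code, not the slides' or CXF's) fills in both halves of the CXF/JAX-RS slides with the standard JAX-RS API: a @PreMatching ContainerRequestFilter, as in the CXF Example above, that decodes Basic credentials and installs a SecurityContext, and a DynamicFeature that registers a second filter for every resource method annotated with @RolesAllowed. The user store, class names and realm name are constructed for the demo; the ProjectsResource shown above would be added to getClasses().

```java
// Added example (not from the slides): Basic authentication plus @RolesAllowed
// enforcement with plain JAX-RS 2.x filters, usable under CXF or any other runtime.
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

public class ProjectSecurity extends Application {

    // constructed demo store; replace by JAAS/LDAP/Shiro lookups in a real service
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
    static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("manager"), "bob", Set.of("user"));

    /** Authentication: decodes HTTP Basic credentials and installs a SecurityContext. */
    @Provider
    @PreMatching
    @Priority(Priorities.AUTHENTICATION)
    public static class BasicAuthFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
            String user = header != null && header.startsWith("Basic ") ? check(header.substring(6)) : null;
            if (user == null) {
                // abort the chain: the resource method is never reached
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"projects\"").build());
                return;
            }
            Set<String> roles = ROLES.getOrDefault(user, Set.of());
            SecurityContext previous = ctx.getSecurityContext();
            boolean secure = previous != null && previous.isSecure();   // captured before we replace it
            ctx.setSecurityContext(new SecurityContext() {
                public Principal getUserPrincipal() { return () -> user; }
                public boolean isUserInRole(String role) { return roles.contains(role); }
                public boolean isSecure() { return secure; }
                public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
            });
        }

        /** Returns the user name when the credentials are valid, otherwise null. */
        private static String check(String b64) {
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return null;
            }
            int colon = decoded.indexOf(':');
            if (colon < 0) return null;
            String name = decoded.substring(0, colon);
            String expected = PASSWORDS.get(name);
            byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
            // constant-time comparison; unknown user and wrong password fail the same way
            return expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)
                    ? name : null;
        }
    }

    /** Authorization: applies @RolesAllowed found on the method (or, failing that, the class). */
    @Provider
    public static class RolesAllowedFeature implements DynamicFeature {
        @Override
        public void configure(ResourceInfo info, FeatureContext context) {
            Method method = info.getResourceMethod();
            RolesAllowed allowed = method == null ? null : method.getAnnotation(RolesAllowed.class);
            if (allowed == null && info.getResourceClass() != null) {
                allowed = info.getResourceClass().getAnnotation(RolesAllowed.class);
            }
            if (allowed != null) {
                context.register(new RoleCheckFilter(allowed.value()), Priorities.AUTHORIZATION);
            }
        }
    }

    static class RoleCheckFilter implements ContainerRequestFilter {
        private final String[] roles;
        RoleCheckFilter(String[] roles) { this.roles = roles; }
        @Override
        public void filter(ContainerRequestContext ctx) {
            SecurityContext sc = ctx.getSecurityContext();
            for (String role : roles) {
                if (sc != null && sc.isUserInRole(role)) return;
            }
            // authenticated but not entitled: 403, not 401
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    @Override
    public Set<Class<?>> getClasses() {
        // add the resource classes here, e.g. the ProjectsResource from the slide
        return Set.of(BasicAuthFilter.class, RolesAllowedFeature.class);
    }
}
```

With this in place a POST to /projects from bob (role user) is answered with 403 by RoleCheckFilter, while a request without credentials never gets past BasicAuthFilter. Methods without @RolesAllowed, such as getProject, still require authentication because the first filter is @PreMatching and global; dropping that filter's abort would silently make them public.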
Web Secured & Policy Level
Pros / Cons
Conclusions
Pros
No product lock-in
Great flexibility
Spec-managed
Cons
Intrusive
Low Management Capability
Lack of Governance
External Player
Api Manager
Api Man
Goal: externalize/delegate the security of the endpoint to an Api Manager
How: the Api Manager acts as a Proxy/Gateway:
- matching incoming requests against 1..many policies
- delivering requests to the target endpoint if validation succeeds
Api Man - Basic Auth
How: associate a Policy using the Basic Auth Plugin with an endpoint

    "contracts" : [ {
      "apiOrgId" : "Policy_BasicAuthStatic",
      "apiId" : "echo",
      "apiVersion" : "1.0.0",
      "policies" : [ {
        "policyImpl" : "class:io.apiman.gateway.engine.policies.BasicAuthenticationPolicy",
        "policyJsonConfig" : "{ \"realm\" : \"Test\", \"forwardIdentityHttpHeader\" : \"X-Authenticated-Identity\", \"staticIdentity\" : { \"identities\" : [ { \"username\" : \"bwayne\", \"password\" : \"bwayne\" } ] } }"
      } ]
    } ]
Api Man - OpenId connect
Goal: authenticate a user against an Identity Provider to obtain a token used for SSO purposes
Authentication between Client and Identity Provider: public, secret or PKI
JSON Web Token:
- compact token format,
- encodes the claims to be transmitted,
- base64url encoded and digitally signed and/or encrypted
OpenId connect - Example

    {
      "jti": "af68fac6-fd50-4b73-bd37-5c555a8e561e",
      "exp": 1442847825,
      "nbf": 0,
      "iat": 1442847525,
      "iss": "http://localhost:8080/auth/realms/fuse",
      "aud": "fuse",
      "sub": "3591e417-7c60-4464-8714-96190c7fad92",
      "azp": "fuse",
      "session_state": "f58d5dfc-6e4c-4ad2-bd2f-70713f6b942d",
      "client_session": "f06b673f-ecbe-47f2-ba76-b6a5901d5afe",
      "allowed-origins": [],
      "realm_access": { "roles": [ "write" ] },
      "name": "writer ",
      "preferred_username": "writer",
      "given_name": "writer"
    }
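A token like the one above is only useful for SSO if the receiving service checks it properly: the signature against the identity provider's key, the algorithm it was signed with, the exp/nbf window, and the iss and aud claims. The following added example (mine, not the slides' or Keycloak's code) builds an RS256-signed JWT carrying the example's iss, aud and sub claims with a key pair generated on the spot to stand in for the identity provider, then verifies it, and shows an expired and a tampered token being rejected. The claim extraction is a deliberately minimal regex over the flat example payload; a real service uses a JSON parser and a JOSE library, and the key, timestamps and class name are assumptions.

```java
// Added example (not from the slides): issue and verify an RS256 JWT with only java.security,
// then validate the time window, issuer and audience claims of the example token.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JwtClaimsCheck {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final long CLOCK_SKEW_SECONDS = 30;   // tolerated drift between IdP and service
    private static final String ISSUER = "http://localhost:8080/auth/realms/fuse";

    /** Builds a compact RS256 JWT; stands in for what the identity provider issues. */
    static String issue(String claimsJson, PrivateKey idpKey) throws GeneralSecurityException {
        String header = B64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(idpKey);
        signer.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        return header + "." + payload + "." + B64.encodeToString(signer.sign());
    }

    /** Verifies algorithm, signature, time window, issuer and audience; returns the subject. */
    static String verify(String jwt, PublicKey idpKey, String issuer, String audience, Instant now)
            throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new SecurityException("token must have three segments");
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        // pin the algorithm: the token must never be allowed to pick "none" or another scheme
        if (!"RS256".equals(string(header, "alg"))) throw new SecurityException("unexpected alg");
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(idpKey);
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!verifier.verify(B64D.decode(parts[2]))) throw new SecurityException("signature mismatch");
        // claims are only trusted once the signature has been checked
        String claims = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        long t = now.getEpochSecond();
        if (number(claims, "exp") + CLOCK_SKEW_SECONDS <= t) throw new SecurityException("token expired");
        if (number(claims, "nbf") - CLOCK_SKEW_SECONDS > t) throw new SecurityException("token not yet valid");
        if (!issuer.equals(string(claims, "iss"))) throw new SecurityException("wrong issuer");
        if (!audience.equals(string(claims, "aud"))) throw new SecurityException("wrong audience");
        return string(claims, "sub");
    }

    // minimal claim extraction for the flat example payload; a real service uses a JSON parser
    static String string(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    static long number(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*(\\d+)").matcher(json);
        if (!m.find()) throw new SecurityException("missing claim " + name);
        return Long.parseLong(m.group(1));
    }

    public static void main(String[] args) throws Exception {
        // constructed key pair standing in for the identity provider's signing key
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idp = gen.generateKeyPair();
        Instant now = Instant.now();
        long t = now.getEpochSecond();
        String claims = "{\"iss\":\"" + ISSUER + "\",\"aud\":\"fuse\","
                + "\"sub\":\"3591e417-7c60-4464-8714-96190c7fad92\",\"preferred_username\":\"writer\","
                + "\"nbf\":0,\"iat\":" + t + ",\"exp\":" + (t + 300)
                + ",\"realm_access\":{\"roles\":[\"write\"]}}";
        String token = issue(claims, idp.getPrivate());
        System.out.println("subject: " + verify(token, idp.getPublic(), ISSUER, "fuse", now));
        try {   // the same token presented ten minutes later
            verify(token, idp.getPublic(), ISSUER, "fuse", now.plusSeconds(600));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        String[] p = token.split("\\.");
        String altered = claims.replace("\"write\"", "\"admin\"");   // payload edited after signing
        String tampered = p[0] + "." + B64.encodeToString(altered.getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        try {
            verify(tampered, idp.getPublic(), ISSUER, "fuse", now);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker-controlled payload never influences which key or which scheme is used. Only after that do the exp/nbf window (with a small skew) and the iss/aud pinning confirm that this token was minted by the expected realm for this service rather than for some other client of the same identity provider.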
Role Mapping
Goal: restrict/allow access to an application based on an Authorization Rule
How: define a collection of Authorization rules such as the following, combined with an Auth Plugin (Keycloak, Basic, …)

    Path   Verb   Role required
    .*     PUT    Writer
    .*     GET    Reader
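The rule table above is an authorization policy evaluated per request by the gateway, with the caller's roles supplied by the authentication plugin in front of it (for instance the realm_access roles of the Keycloak token). The added example below (my code, not apiman's) implements that evaluation: each rule is a path regex, a verb and the role it requires, a request must satisfy every rule that matches it, and a request matching no rule is denied. The deny-by-default choice for unmatched requests, the extra /admin rule and the class name are assumptions of this example.

```java
// Added example (not from the slides): evaluation of path/verb/role authorization rules
// such as the table on the Role Mapping slide.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class RoleMapping {

    /** One authorization rule: a path regex, an HTTP verb ("*" = any) and the required role. */
    static final class Rule {
        final Pattern path;
        final String verb;
        final String role;

        Rule(String pathRegex, String verb, String role) {
            this.path = Pattern.compile(pathRegex);
            this.verb = verb;
            this.role = role;
        }

        boolean matches(String method, String requestPath) {
            return ("*".equals(verb) || verb.equalsIgnoreCase(method)) && path.matcher(requestPath).matches();
        }
    }

    private final List<Rule> rules = new ArrayList<>();

    RoleMapping add(String pathRegex, String verb, String role) {
        rules.add(new Rule(pathRegex, verb, role));
        return this;
    }

    /**
     * Allowed only if at least one rule matches the request and the caller holds the role of
     * every matching rule. Requests matching no rule are denied (deny by default, chosen here).
     */
    boolean isAllowed(String method, String requestPath, Set<String> callerRoles) {
        boolean matched = false;
        for (Rule rule : rules) {
            if (rule.matches(method, requestPath)) {
                matched = true;
                if (!callerRoles.contains(rule.role)) {
                    return false;   // one unsatisfied rule is enough to deny
                }
            }
        }
        return matched;
    }

    public static void main(String[] args) {
        // the two rules of the slide plus a constructed rule for an administrative path
        RoleMapping mapping = new RoleMapping()
                .add(".*", "PUT", "Writer")
                .add(".*", "GET", "Reader")
                .add("/admin/.*", "*", "Admin");
        Set<String> writer = new HashSet<>(Arrays.asList("Writer", "Reader"));
        Set<String> reader = new HashSet<>(Arrays.asList("Reader"));
        System.out.println("reader GET /customers/1:   " + mapping.isAllowed("GET", "/customers/1", reader));
        System.out.println("reader PUT /customers/1:   " + mapping.isAllowed("PUT", "/customers/1", reader));
        System.out.println("writer PUT /customers/1:   " + mapping.isAllowed("PUT", "/customers/1", writer));
        System.out.println("writer DELETE /customers/1: " + mapping.isAllowed("DELETE", "/customers/1", writer));
        System.out.println("writer GET /admin/users:   " + mapping.isAllowed("GET", "/admin/users", writer));
    }
}
```

Two properties of this evaluation are worth noticing when writing such tables: a GET on /admin/users matches both the ".* GET Reader" rule and the "/admin/.* * Admin" rule, so a caller needs both roles, which is what makes a narrow rule actually narrow the wide one; and a DELETE matches no rule at all, which with deny by default fails closed rather than slipping past the table because nobody wrote a rule for it.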
Pros / Cons
Conclusions
Pros
Centralized governance policy configuration
Loose coupling
Tracking of APIs and consumers of those APIs
Gathering statistics/metrics
Service Discovery
Simplify security audit
Cons
Performance
New Architecture Brick
Features limited to the plugins available
Demo
Questions
Twitter: @cmoulliard
Apiman: http://apiman.io
Keycloak: http://www.keycloak.org/