Security enforcement of Java Microservices with Apiman & Keycloak

Date post: 14-Feb-2017
Upload: charles-moulliard
Page 1: Security enforcement of Java Microservices with Apiman & Keycloak

Security enforcement of the Java Microservice Applications

Charles Moulliard (@cmoulliard) 9th February 2017

 

Page 2

Who

Software Engineer

Work on Spring Boot & Cloud, WildFly Swarm, Fabric8

Mountain Biker, Belgian Beer Fan

Blog: http://cmoulliard.github.io

Twitter: @cmoulliard

Email: [email protected]

Page 3

Agenda

RESTful Use case

How to Secure the Endpoint

Policy

Web Container

Api Management

Demo

Page 4

Use case description

 

Page 5

Use case

Page 6

REST Service

    @GET
    @Path("/customers/{id}/")
    @Produces("application/xml")
    @ApiOperation(value = "Find Customer by ID", notes = "More notes about this method",
                  response = Customer.class)
    @ApiResponses(value = {
        @ApiResponse(code = 500, message = "Invalid ID supplied"),
        @ApiResponse(code = 204, message = "Customer not found") })
    public Customer getCustomer(
            @ApiParam(value = "ID of Customer to fetch", required = true) @PathParam("id") String id) {
        LOG.info("Invoking getCustomer, Customer id is: {}", id);
        // A non-numeric id makes Long.parseLong throw NumberFormatException (the documented 500)
        long idNumber = Long.parseLong(id);
        Customer c = customers.get(idNumber);   // null for an unknown id, which JAX-RS returns as 204
        return c;
    }

Page 7

Api documented: Swagger

Page 8

How to Secure?

 

Page 9

Level!

Endpoint Framework/Policy/Interceptor

 

HTTP Web Container Handler & Constraints

 

Externally Api Manager

Page 10

Endpoint Level

 

Page 11

Endpoint level

Page 12

Intercept

Framework based: Apache Shiro, Spring Security

Interceptor/Policy: Apache Camel, Apache CXF

JAXRS: @RolesAllowed

Page 13

Camel Design

    import org.apache.camel.builder.RouteBuilder;

    public class FilterRoute extends RouteBuilder {
        public void configure() throws Exception {
            // Expose an HTTP endpoint with the netty4-http component
            from("netty4-http:http://localhost:7777/camel/client")
                // Copy the request query string into the "id" header
                .setHeader("id").simple("${header.CamelHttpQuery}")
                // Delegate to the getCustomer method of the customerServer bean
                .bean("customerServer", "getCustomer");
        }
    }

Page 14

Interceptor

To trace, log, secure

Page 15

Camel Endpoint

Goal: Extract from the HTTP request the info needed to authenticate a user

How: Use a Camel Policy to wrap the Route / Pipeline with a new processor

 

Camel Example

    public class ShiroSecurityPolicy implements AuthorizationPolicy {
        public Processor wrap(RouteContext routeContext, final Processor processor) {
            return new ShiroSecurityProcessor(processor, this);
        }
        ...
    }

    // In the wrapping processor, the policy is applied before the delegate runs
    @Override
    public boolean process(Exchange exchange, AsyncCallback callback) {
        try {
            applySecurityPolicy(exchange);
            ...
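The same wrapping idea as the Shiro policy above, written out as an added example that is not from the slides or from Apache Camel: a hypothetical AuthorizationPolicy whose processor rejects exchanges without a bearer token before the pipeline runs. It assumes the Camel 2.x API (RouteContext, ProcessorDefinition) of the deck's era and the route from page 13.

```java
import org.apache.camel.CamelAuthorizationException;
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.model.ProcessorDefinition;
import org.apache.camel.spi.AuthorizationPolicy;
import org.apache.camel.spi.RouteContext;

/** Hypothetical policy: every exchange must carry a bearer token before the pipeline runs. */
public class BearerTokenPolicy implements AuthorizationPolicy {

    @Override
    public void beforeWrap(RouteContext routeContext, ProcessorDefinition<?> definition) {
        // Nothing to change in the route definition; wrap() does the work
    }

    @Override
    public Processor wrap(RouteContext routeContext, final Processor processor) {
        // The returned processor sits in front of the wrapped pipeline
        return new Processor() {
            @Override
            public void process(Exchange exchange) throws Exception {
                String auth = exchange.getIn().getHeader("Authorization", String.class);
                if (auth == null || !auth.startsWith("Bearer ") || auth.trim().length() <= 7) {
                    // Stops the route; an onException clause can map this to an HTTP 401
                    throw new CamelAuthorizationException("missing bearer token", exchange);
                }
                // Signature, expiry and issuer checks on the token would go here
                processor.process(exchange);
            }
        };
    }

    /** The route from page 13 with the policy wrapped around its pipeline. */
    public static class SecuredRoute extends RouteBuilder {
        @Override
        public void configure() throws Exception {
            from("netty4-http:http://localhost:7777/camel/client")
                .policy(new BearerTokenPolicy())
                .setHeader("id").simple("${header.CamelHttpQuery}")
                .bean("customerServer", "getCustomer");
        }
    }
}
```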

Page 16

CXF Endpoint

How: Using the ContainerRequestFilter JAX-RS interface

Rely on CXF interceptors

 

CXF Example

    @Provider
    @PreMatching
    public class SecurityRequestFilter implements ContainerRequestFilter {
        @Override
        public void filter(final ContainerRequestContext requestContext) throws IOException {
            ...
        }
    }
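A filled-in version of the filter skeleton above, added here as an example that is not from the slides or from Apache CXF: it checks HTTP Basic credentials and aborts with 401 before any resource method is matched. It assumes JAX-RS 2.0 (javax.ws.rs) and a constructed in-memory user store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

/** Hypothetical filter: HTTP Basic credentials are checked before any resource method runs. */
@Provider
@PreMatching
public class BasicAuthRequestFilter implements ContainerRequestFilter {

    // Constructed demo store (plaintext for brevity); production code checks a hashed store or JAAS
    private static final Map<String, String> USERS = Collections.singletonMap("bwayne", "bwayne");

    @Override
    public void filter(final ContainerRequestContext ctx) throws IOException {
        final String user = authenticate(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (user == null) {
            // Abort here: CXF never dispatches the request to the resource method
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Test\"").build());
            return;
        }
        final boolean secure = "https".equalsIgnoreCase(ctx.getUriInfo().getRequestUri().getScheme());
        // Publish the identity so @RolesAllowed and later interceptors can use it
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }
            public boolean isUserInRole(String role) { return "user".equals(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }

    /** Returns the username for valid Basic credentials, null for anything else. */
    static String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        final String[] parts;
        try {
            parts = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException e) { return null; } // malformed base64 is a failed login, not a 500
        if (parts.length != 2) return null;
        String expected = USERS.get(parts[0]);
        // Constant-time comparison so timing does not reveal how many characters matched
        return expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                parts[1].getBytes(StandardCharsets.UTF_8)) ? parts[0] : null;
    }
}
```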

Page 17

Web HTTP Container

 

Page 18

Web container level

Page 19

HTTP Handler

How: Apply constraints on web resource path(s)

GET /rest/accountservice/account for User
POST /webservices/customerservices/customer for Admin

Designed using JAAS: JDBC, LDAP, Properties

Could use Roles

Page 20

Jetty Example

Goal: restrict or allow access to resources

How: the requested URL is matched with one of the rule(s)

Example

    Constraint constraint = new Constraint();
    constraint.setRoles(new String[] { "user", "admin" });
    constraint.setAuthenticate(true); // required: without it Jetty does not check the roles above
    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setPathSpec("/say/hello/*");
    mapping.setMethod("GET");
    mapping.setConstraint(constraint);

Page 21

Login Auth Example

    // Describe the Authentication Constraint to be applied (BASIC, DIGEST, NEGOTIATE, ...)
    Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, "user");
    constraint.setAuthenticate(true);
    // Map the Auth Constraint with a Path
    ConstraintMapping cm = new ConstraintMapping();
    cm.setPathSpec("/*");
    cm.setConstraint(constraint);
    // Users, passwords and roles are read from the properties file of the realm
    HashLoginService loginService = new HashLoginService("MyRealm", "myrealm.props");
    ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
    sh.setAuthenticator(new BasicAuthenticator());
    sh.setConstraintMappings(new ConstraintMapping[] { cm });
    sh.setLoginService(loginService);

Page 22

JAXRS @Roles

Goal: Allow/Deny access to resources

How: using the annotation @RolesAllowed

Example

    @Path("projects")
    @Produces("application/json")
    public class ProjectsResource {
        @POST
        @RolesAllowed("manager")   // only callers in role "manager" may create
        public Project createProject(final Project project) { ... }

        @GET
        @Path("{id}")              // no role restriction declared on this method
        public Project getProject(@PathParam("id") final Long id) { ... }
    }

Page 23

Web Secured & Policy Level

Page 24

Pros / Cons

 

Page 25

Conclusions

Pros

No product lock

Great flexibility

Spec managed

Cons

Intrusive

Low Management Capability

Lack of Governance

Page 26

External Player

 

Page 27

Api Manager

Page 28

Api Man

Goal: Externalize/delegate endpoint security to the Api Manager

 

How: the Api Manager acts as a Proxy/Gateway, matching:

Incoming requests against one or many policies

Delivering requests to the target endpoint if validation succeeds

Page 29

Manager

Page 30

Api

Page 31

Page 32

Api

Page 33

Api Man - Basic Auth

How: Associate a Policy using the Basic Auth plugin with an endpoint

    "contracts" : [ {
      "apiOrgId" : "Policy_BasicAuthStatic",
      "apiId" : "echo",
      "apiVersion" : "1.0.0",
      "policies" : [ {
        "policyImpl" : "class:io.apiman.gateway.engine.policies.BasicAuthenticationPolicy",
        "policyJsonConfig" : "{ \"realm\" : \"Test\", \"forwardIdentityHttpHeader\" : \"X-Authenticated-Identity\", \"staticIdentity\" : { \"identities\" : [ { \"username\" : \"bwayne\", \"password\" : \"bwayne\" } ] } }"
      } ]
    } ]

Page 34

Api Man - OpenId connect

Goal: Authenticate a user using an Identity Provider to get a token used for SSO purposes

Authentication between Client and Identity Provider: public, secret or PKI

JSON Web Token:

Compact token format,

Encode claims to be transmitted,

Base64url encoded and digitally signed and/or encrypted

Page 35

OpenId connect - Example

    {
      "jti": "af68fac6-fd50-4b73-bd37-5c555a8e561e",
      "exp": 1442847825,
      "nbf": 0,
      "iat": 1442847525,
      "iss": "http://localhost:8080/auth/realms/fuse",
      "aud": "fuse",
      "sub": "3591e417-7c60-4464-8714-96190c7fad92",
      "azp": "fuse",
      "session_state": "f58d5dfc-6e4c-4ad2-bd2f-70713f6b942d",
      "client_session": "f06b673f-ecbe-47f2-ba76-b6a5901d5afe",
      "allowed-origins": [],
      "realm_access": { "roles": [ "write" ] },
      "name": "writer ",
      "preferred_username": "writer",
      "given_name": "writer"
    }

Page 36

Role Mapping

Goal: Restrict/allow access to an application based on an Authorization Rule

How: Define a collection of Authorization rules as such, combined with an Auth plugin (Keycloak, Basic, ...)

 

    Path   Verb   Role required
    .*     PUT    Writer
    .*     GET    Reader
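How the token claims of page 35 and the rule table above fit together, as an added example that is not from the slides, Apiman or Keycloak: a hypothetical helper that decodes the JWT payload, checks issuer, audience and validity window, then requires the realm role the matching rule names. It assumes Jackson for JSON, that the token's signature has already been verified by the gateway or Keycloak adapter, and that the table's Writer/Reader correspond to the realm roles write/read.

```java
import java.io.IOException;
import java.util.Base64;
import java.util.regex.Pattern;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/** Hypothetical helper: claim checks plus the role-mapping table, applied AFTER signature verification. */
public final class TokenAuthorizer {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** One row of the authorization table: path regex, HTTP verb, required realm role. */
    static final class Rule {
        final Pattern path; final String verb; final String role;
        Rule(String p, String v, String r) { path = Pattern.compile(p); verb = v; role = r; }
    }

    // Constructed rule set: the table's Writer/Reader assumed to be the realm roles write/read
    static final Rule[] RULES = { new Rule(".*", "PUT", "write"), new Rule(".*", "GET", "read") };

    /** Decodes the payload segment of a compact JWT; this does NOT verify the signature. */
    static JsonNode claims(String jwt) throws IOException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS (header.payload.signature)");
        return MAPPER.readTree(Base64.getUrlDecoder().decode(parts[1]));
    }

    /** True only if the claims are valid for this API and the caller holds the role the table requires. */
    static boolean authorize(JsonNode c, String issuer, String audience, long nowEpochSec, String verb, String path) {
        if (!issuer.equals(c.path("iss").asText())) return false;   // minted by our Keycloak realm
        if (!hasAudience(c.path("aud"), audience)) return false;    // and issued for this API
        if (c.path("exp").asLong() <= nowEpochSec) return false;   // not expired
        if (c.path("nbf").asLong() > nowEpochSec) return false;    // already valid
        for (Rule r : RULES) {
            if (!r.verb.equals(verb) || !r.path.matcher(path).matches()) continue;
            for (JsonNode role : c.path("realm_access").path("roles")) {
                if (r.role.equals(role.asText())) return true;
            }
            return false; // first matching rule decides, and the role is missing
        }
        return false; // no rule for this verb/path: deny by default
    }

    // "aud" is a string in the token on page 35 but may be an array in newer Keycloak versions
    private static boolean hasAudience(JsonNode aud, String expected) {
        if (!aud.isArray()) return expected.equals(aud.asText());
        for (JsonNode a : aud) if (expected.equals(a.asText())) return true;
        return false;
    }
}
```

With the page 35 claims, `authorize(claims, "http://localhost:8080/auth/realms/fuse", "fuse", 1442847600L, "PUT", "/customers/1")` is true while the same call with "GET" is false, since the token carries only the write role.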

Page 37

Pros / Cons

 

Page 38

Conclusions

Pros

Centralized governance policy configuration

Loose coupling

Tracking of APIs and consumers of those APIs

Gathering statistics/metrics

Service Discovery

Simplify security audit

Cons

Performance

New Architecture Brick

Features = plugins available

Page 39

Demo

 

Page 40

Questions

Twitter: @cmoulliard

Apiman: http://apiman.io

Keycloak: http://www.keycloak.org/

