This talk explains how microservices (Restfull Endpoint) could be secured using a Policy based approach to intercept the HTTP request. A less intrusive pattern is proposed at the level of the Web Container using Contrants mapping the Web Resources with JAAS API & Roles. Finally we will investigate how such Security design can be developed using an external API Management platform which reenforce the Security and Governance aspect.

1. Security enforcement of
Microservices with API
Management
Charles Moulliard (@cmoulliard)
17 June 2016

2. Who
Committer, Coder, Architect
Work on Apache Camel, Karaf, Fabric8, Hawtio, Apiman, Drools
Mountain Biker, Belgian Beer Fan
Blog:
Twitter:
Email:
http://cmoulliard.github.io
@cmoulliard
cmoulliard@redhat.com

3. Agenda
RESTfull Use case
How to Secure the Endpoint
Policy
Web Container
Api Management
Demo

4. Use case description

5. Use case

6. REST Service
@GET
@Path("/customers/{id}/")
@Produces("application/xml")
@ApiOperation(value="FindCustomerbyID",
notes="Morenotesaboutthismethod",
response=Customer.class)
@ApiResponses(value={
@ApiResponse(code=500,message="InvalidIDsupplied"),
@ApiResponse(code=204,message="Customernotfound")
})
publicCustomergetCustomer(@ApiParam(value="IDofCustomertofetch",
required=true)@PathParam("id")Stringid){
LOG.info("InvokinggetCustomer,Customeridis:{}",id);
longidNumber=Long.parseLong(id);
Customerc=customers.get(idNumber);
returnc;
}

7. Api documented : Swagger

8. How to Secure ?

9. Level !
Endpoint Framework/Policy/Interceptor
HTTP Web Container Handler & Constraints
Externally Api Manager

10. Endpoint Level

11. Endpoint level

12. Intercept
Framework based : Apache Shiro, Spring Security
Interceptor/Policy : Apache Camel, Apache CXF
JAXRS : @Roles

13. Camel Design
importorg.apache.camel.builder.RouterBuilder;
publicclassFilterRouteextendsRouteBuilder{
publicvoidconfigure()throwsException{
from("netty4-http://http://localhost:7777/camel/client)
.setHeader("id").simple("$header.CamelHttpQuery")
.beanRef("customerServer","getCustomer";
}
}

14. Interceptor
To trace, log, secure

15. Camel Endpoint
Goal Extract from the HTTP request the info needed to authenticate a
user
How Use a Camel Policy to wrap the Route / Pipeline with a new
processor


Camel Example
publicclassShiroSecurityPolicyimplementsAuthorizationPolicy{
publicProcessorwrap(RouteContextrouteContext,finalProcessorprocessor){
returnnewShiroSecurityProcessor(processor,this);
}
...
@Override
publicbooleanprocess(Exchangeexchange,AsyncCallbackcallback){
try{
applySecurityPolicy(exchange);

16. CXF Endpoint
How Using the ContainerRequestFilter JAXRS Interface
Rely on CXF Intercept

CXF Example
@Provider
@PreMatching
publicclassSecurityRequestFilterimplementsContainerRequestFilter{
@Override
publicvoidfilter(finalContainerRequestContextrequestContext)
throwsIOException{
...

17. Web HTTP Container

18. Web container level

19. HTTP Handler
How Apply Constraints on Web Resources path(s)
GET/rest/accountservice/accountforUser
POST/webservices/customerservices/customerforAdmin
Designed using JAAS JDBC, LDAP, Properties
Could use Roles


20. Jetty Example
Goal restrict or allow access to resources
How URL requested matched with one the rule(s)


Example
Constraintconstraint=newConstraint();
constraint.setRoles(newString[]{"user","admin"});
ConstraintMappingmapping=newConstraintMapping();
mapping.setPathSpec("/say/hello/*");
mapping.setMethod("GET");
mapping.setConstraint(constraint);

21. Login Auth Example
//DescribetheAuthenticationConstrainttobeapplied(BASIC,DIGEST,NEGOTIATE,...)
Constraintconstraint=newConstraint(Constraint.__BASIC_AUTH,"user");
constraint.setAuthenticate(true);
//MaptheAuthConstraintwithaPath
ConstraintMappingcm=newConstraintMapping();
cm.setPathSpec("/*");
cm.setConstraint(constraint);
HashLoginServiceloginService=newHashLoginService("MyRealm",
"myrealm.props");
ConstraintSecurityHandlersh=newConstraintSecurityHandler();
sh.setAuthenticator(newBasicAuthenticator());
sh.setConstraintMappings(cm);
sh.setLoginService(loginService);

22. JAXRS @Roles
Goal Allow/Deny Access to resources
How using annotation @RolesAllowed


Example
@Path("projects")
@Produces("application/json")
publicclassProjectsResource{
@POST
@RolesAllowed("manager")
publicProjectcreateProject(finalProjectproject){...}
@GET
@Path("{id}")
publicProjectgetProject(@PathParam("id")finalLongid){...}

23. Web Secured & Policy Level

24. Pros / Cons

25. Conclusions
Pros
No product lock
Great flexibility
Spec managed
Cons
Intrusive
Low Management Capability
Lack of Governance

26. External Player

27. Api Manager

28. Api Man
Goal Externalize/Delegate security endpoint to Api
How Api acts as a Proxy/Gateway matching :
Incoming request against 1 Many policies
Delivering requests to target endpoint if validation succeeds



29. Manager

30. Api

32. Api

33. Api Man - Basic Auth
How : Associate a Policy using the Basic Auth Plugin to an endpoint
"contracts":[
{
"apiOrgId":"Policy_BasicAuthStatic",
"apiId":"echo",
"apiVersion":"1.0.0",
"policies":[
{
"policyImpl":"class:io.apiman.gateway.engine.policies.BasicAuthenticationPol
"policyJsonConfig":"{"realm":"Test","forwardIdentityHttpHeader":
}
]
}
]

34. Api Man - OpenId connect
Goal Authenticate a user using an Identity provider to get a token used
for SSO purposes
Authentication between Client and Identity Provider: public, secret or PKI
JSon Web Token :
Compact token format,
Encode claims to be transmitted,
Base64url encoded and digitally signed and/or encrypted


35. OpenId connect - Example
{
"jti":"af68fac6-fd50-4b73-bd37-5c555a8e561e",
"exp":1442847825,
"nbf":0,
"iat":1442847525,
"iss":"http://localhost:8080/auth/realms/fuse",
"aud":"fuse",
"sub":"3591e417-7c60-4464-8714-96190c7fad92",
"azp":"fuse",
"session_state":"f58d5dfc-6e4c-4ad2-bd2f-70713f6b942d",
"client_session":"f06b673f-ecbe-47f2-ba76-b6a5901d5afe",
"allowed-origins":[],
"realm_access":{
"roles":[
"write"
]
},
"name":"writer",
"preferred_username":"writer",
"given_name":"writer"
}

36. Role Mapping
Goal Restrict/allow access to an application based on an Authorization
Rule
How Define a collection of Authorization rules as such & Combined with
Auth Plugin (Keycloak, Basic, …)


Path Verb Role required
.* PUT Writer
.* GET Reader

37. Discovery - Cloud Platform

38. Pros / Cons

39. Conclusions
Pros
Centralized governance policy configuration
Loose coupling
Tracking of APIs and consumers of those APIs
Gathering statistics/metrics
Service Discovery
Simplify security audit
Cons
Performance
New Architecture Brick
Features = plugins available 

40. Demo

41. Questions
Twitter : @cmoulliard
Apiman : , Fabric8 :http://apiman.io http://fabric8.io