This talk explains how microservices (RESTful endpoints) can be secured using a policy-based approach that intercepts the HTTP request. A less intrusive pattern is proposed at the level of the web container, using constraints that map the web resources to JAAS API roles. Finally we investigate how such a security design can be implemented with an external API management platform, which reinforces the security and governance aspects.
2. Who
Committer, Coder, Architect
Work on Apache Camel, Karaf, Fabric8, Hawtio, Apiman, Drools
Mountain Biker, Belgian Beer Fan
Blog: http://cmoulliard.github.io
Twitter: @cmoulliard
Email: cmoulliard@redhat.com
15. Camel Endpoint
Goal: Extract from the HTTP request the info needed to authenticate a user
How: Use a Camel Policy to wrap the Route / Pipeline with a new processor
Camel Example
public class ShiroSecurityPolicy implements AuthorizationPolicy {
    public Processor wrap(RouteContext routeContext, final Processor processor) {
        return new ShiroSecurityProcessor(processor, this);
    }
    ...
    // in the wrapping ShiroSecurityProcessor:
    @Override
    public boolean process(Exchange exchange, AsyncCallback callback) {
        try {
            applySecurityPolicy(exchange);
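The same wrapping pattern with a policy of our own, as an added example (not camel-shiro code and not part of the original deck): a hypothetical ApiTokenPolicy requires an X-Api-Token header before the wrapped pipeline runs, and an onException clause turns the authorization failure into an HTTP 401. It assumes the Camel 2.x AuthorizationPolicy/RouteContext API and a secret loaded from configuration (the placeholder string is constructed for the example).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.camel.CamelAuthorizationException;
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.model.ProcessorDefinition;
import org.apache.camel.spi.AuthorizationPolicy;
import org.apache.camel.spi.RouteContext;

/** Hypothetical policy (added example): the X-Api-Token header must carry the expected secret. */
public class ApiTokenPolicy implements AuthorizationPolicy {

    private static final String TOKEN_HEADER = "X-Api-Token";
    private final byte[] expectedToken;

    public ApiTokenPolicy(String expectedToken) {
        this.expectedToken = expectedToken.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void beforeWrap(RouteContext routeContext, ProcessorDefinition<?> definition) {
        // Nothing to rewrite in the route definition.
    }

    @Override
    public Processor wrap(RouteContext routeContext, final Processor processor) {
        // The returned processor runs first and only then delegates to the wrapped pipeline.
        return exchange -> {
            String presented = exchange.getIn().getHeader(TOKEN_HEADER, String.class);
            // Constant-time comparison; isEqual also returns false on length mismatch.
            if (presented == null || !MessageDigest.isEqual(
                    presented.getBytes(StandardCharsets.UTF_8), expectedToken)) {
                // Fail closed: the exception stops the route, so the target never sees the request.
                throw new CamelAuthorizationException("missing or invalid " + TOKEN_HEADER, exchange);
            }
            // Do not forward the credential to downstream endpoints.
            exchange.getIn().removeHeader(TOKEN_HEADER);
            processor.process(exchange);
        };
    }

    public static void main(String[] args) throws Exception {
        DefaultCamelContext context = new DefaultCamelContext();
        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // Map the policy failure to a 401 without leaking the stack trace to the caller.
                onException(CamelAuthorizationException.class)
                    .handled(true)
                    .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(401))
                    .setBody(constant("unauthorized"));

                // Placeholder secret: a deployment reads it from configuration, never from source.
                from("jetty:http://0.0.0.0:8080/rest/hello")
                    .policy(new ApiTokenPolicy("placeholder-secret"))
                    .setBody(constant("hello"));
            }
        });
        context.start();
        Thread.sleep(Long.MAX_VALUE);
    }
}
```

With the context running, a GET on /rest/hello without the header is answered with 401 by the onException clause; with the correct header the body "hello" is returned and the token header is not visible to any later step of the route.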
16. CXF Endpoint
How: Use the ContainerRequestFilter JAX-RS interface
Relies on CXF interceptors
CXF Example
@Provider
@PreMatching
@Provider
@PreMatching
public class SecurityRequestFilter implements ContainerRequestFilter {
    @Override
    public void filter(final ContainerRequestContext requestContext)
            throws IOException {
        ...
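A complete filter body for the interface shown above, as an added example that is not the deck's or CXF's own code: it validates a bearer token, aborts the request with 401 before any resource method is matched, and otherwise installs a SecurityContext so that role checks further down can use the identity. The token table and the single "user" role are constructed for the example; a deployment would consult a real token store.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@PreMatching
public class BearerTokenRequestFilter implements ContainerRequestFilter {

    // Hypothetical token store, constructed for the example: opaque token -> user name.
    private static final Map<String, String> TOKENS =
            Collections.singletonMap("token-placeholder", "alice");

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String auth = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) {
            abort(requestContext);
            return;
        }
        final String user = TOKENS.get(auth.substring("Bearer ".length()).trim());
        if (user == null) {
            abort(requestContext);
            return;
        }
        // Hand the authenticated identity to the resource layer (javax.annotation.security
        // annotations and injected SecurityContext both read from here).
        final boolean secure = requestContext.getSecurityContext().isSecure();
        requestContext.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return () -> user; }
            @Override public boolean isUserInRole(String role) { return "user".equals(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return "Bearer"; }
        });
    }

    // abortWith short-circuits the chain: the resource method is never invoked.
    private static void abort(ContainerRequestContext requestContext) {
        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"api\"")
                .entity("unauthorized")
                .build());
    }
}
```

Because the filter is annotated @PreMatching it runs before JAX-RS resolves the resource method, so an unauthenticated request is rejected even for paths that do not exist, which avoids leaking the resource layout through differing 404 and 401 responses.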
19. HTTP Handler
How: Apply constraints on web resource path(s)
GET  /rest/accountservice/account            for User
POST /webservices/customerservices/customer  for Admin
Designed using JAAS: JDBC, LDAP, Properties
Could use Roles
20. Jetty Example
Goal: restrict or allow access to resources
How: the requested URL is matched against one of the rule(s)
Example
Constraint constraint = new Constraint();
constraint.setRoles(new String[] {"user", "admin"});
ConstraintMapping mapping = new ConstraintMapping();
mapping.setPathSpec("/say/hello/*");
mapping.setMethod("GET");
mapping.setConstraint(constraint);
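The snippet above wired into a running embedded server, as an added example (not the deck's code). It assumes the Jetty 9.4 embedded API; the users, passwords and realm name are constructed placeholders. Two details the short snippet leaves out matter for the outcome: the constraint only enforces its roles once setAuthenticate(true) is set, and a mapping for GET alone leaves the other HTTP methods on the same path unconstrained, so a second mapping closes them.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.UserStore;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.security.Password;

public class ConstrainedJettyServer {

    public static ConstraintSecurityHandler securityHandler() {
        // Users and roles constructed for the example; a deployment uses a
        // JDBC, LDAP or properties-file backed LoginService (JAAS) instead.
        UserStore users = new UserStore();
        users.addUser("alice", new Password("alice-placeholder"), new String[] {"user"});
        users.addUser("bob", new Password("bob-placeholder"), new String[] {"admin"});
        HashLoginService loginService = new HashLoginService("api-realm");
        loginService.setUserStore(users);

        // GET /say/hello/*: the caller must authenticate AND hold role user or admin.
        Constraint roleConstraint = new Constraint();
        roleConstraint.setName(Constraint.__BASIC_AUTH);
        roleConstraint.setRoles(new String[] {"user", "admin"});
        // Without setAuthenticate(true) the role list is not enforced and the path stays open.
        roleConstraint.setAuthenticate(true);
        ConstraintMapping getMapping = new ConstraintMapping();
        getMapping.setPathSpec("/say/hello/*");
        getMapping.setMethod("GET");
        getMapping.setConstraint(roleConstraint);

        // The GET mapping says nothing about POST, PUT, DELETE, ... on the same path.
        // authenticate=true with no roles is Jetty's "forbidden" constraint: apply it to
        // every method except GET so the path is closed by default.
        Constraint forbidden = new Constraint();
        forbidden.setName("forbidden");
        forbidden.setAuthenticate(true);
        ConstraintMapping otherMethods = new ConstraintMapping();
        otherMethods.setPathSpec("/say/hello/*");
        otherMethods.setMethodOmissions(new String[] {"GET"});
        otherMethods.setConstraint(forbidden);

        ConstraintSecurityHandler handler = new ConstraintSecurityHandler();
        handler.setRealmName("api-realm");
        handler.setAuthenticator(new BasicAuthenticator());
        handler.setLoginService(loginService);
        handler.setConstraintMappings(Arrays.asList(getMapping, otherMethods));
        return handler;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.setSecurityHandler(securityHandler());
        context.addServlet(new ServletHolder(new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
                // Only reached once the security handler has authenticated and authorized the caller.
                resp.getWriter().println("hello " + req.getUserPrincipal().getName());
            }
        }), "/say/hello/*");
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

An anonymous GET on /say/hello/x gets a 401 with a Basic challenge, alice or bob get the greeting, and any other method on the path is refused with 403 regardless of credentials.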
28. Api Man
Goal: Externalize/delegate endpoint security to Apiman
How: Apiman acts as a Proxy/Gateway:
Matching incoming requests against one or many policies
Delivering requests to the target endpoint if validation succeeds
33. Api Man - Basic Auth
How: Associate a Policy using the Basic Auth plugin with an endpoint
"contracts": [
  {
    "apiOrgId": "Policy_BasicAuthStatic",
    "apiId": "echo",
    "apiVersion": "1.0.0",
    "policies": [
      {
        "policyImpl": "class:io.apiman.gateway.engine.policies.BasicAuthenticationPol
        "policyJsonConfig": "{"realm":"Test","forwardIdentityHttpHeader":
      }
    ]
  }
]
34. Api Man - OpenID Connect
Goal: Authenticate a user using an Identity Provider to get a token used for SSO purposes
Authentication between Client and Identity Provider: public, secret or PKI
JSON Web Token (JWT):
Compact token format
Encodes claims to be transmitted
Base64url encoded and digitally signed and/or encrypted
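The token format described above carried through in code, as an added example that is not part of the deck and not Apiman or Keycloak code: a JWT is issued as base64url(header).base64url(claims).base64url(signature), here with an HMAC-SHA256 signature (the HS256 algorithm), and then verified the way a gateway or resource server should, pinning the algorithm rather than trusting the token's own "alg" field, comparing the MAC in constant time, and checking the exp claim only after the signature is good. The key and the claims are constructed for the example, and the regex field extraction stands in for the JSON parser a real verifier would use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: minimal HS256 JWT issue and verify with the JDK only. */
public class JwtHs256 {

    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final String HEADER_JSON = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";

    private static String b64(String s) {
        return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    private static byte[] hmac(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    /** Issue: base64url(header) "." base64url(claims) "." base64url(HMAC-SHA256 over the first two). */
    public static String sign(byte[] key, String claimsJson) throws Exception {
        String signingInput = b64(HEADER_JSON) + "." + b64(claimsJson);
        return signingInput + "." + ENC.encodeToString(hmac(key, signingInput));
    }

    /** Verify: returns the claims JSON, or null if malformed, wrong algorithm, bad MAC or expired. */
    public static String verify(byte[] key, String token, long nowSeconds) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return null;
        String header, claims;
        byte[] presentedMac;
        try {
            header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
            claims = new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);
            presentedMac = DEC.decode(parts[2]);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        // The header is caller-supplied input: pin the algorithm instead of trusting "alg".
        if (!"HS256".equals(field(header, "alg"))) return null;
        // Recompute the MAC over the exact encoded segments and compare in constant time.
        byte[] expectedMac = hmac(key, parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expectedMac, presentedMac)) return null;
        // Claims are meaningful only after the MAC check: enforce expiry (seconds since epoch).
        String exp = field(claims, "exp");
        if (exp == null || Long.parseLong(exp) <= nowSeconds) return null;
        return claims;
    }

    // Field extraction for the flat JSON used in this example; use a JSON parser in production.
    private static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"?([^\",}]+)").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-of-32-bytes!!".getBytes(StandardCharsets.UTF_8);
        byte[] otherKey = "another-constructed-key-32-bytes!!".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis() / 1000;
        String claims = "{\"sub\":\"alice\",\"exp\":" + (now + 300) + "}";

        String token = sign(key, claims);
        System.out.println("valid:      " + verify(key, token, now));          // the claims
        System.out.println("wrong key:  " + verify(key, sign(otherKey, claims), now)); // null
        System.out.println("expired:    " + verify(key, token, now + 600));    // null
        // Same claims re-labelled as unsigned: rejected by the algorithm pin, not by the MAC.
        String unsigned = b64("{\"alg\":\"none\"}") + "." + token.split("\\.")[1] + ".";
        System.out.println("alg none:   " + verify(key, unsigned, now));       // null
    }
}
```

The order of checks is deliberate: algorithm first, signature second, claims last, so nothing inside the token is acted on before its origin has been established.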
36. Role Mapping
Goal: Restrict/allow access to an application based on an Authorization Rule
How: Define a collection of Authorization rules as such, combined with an Auth plugin (Keycloak, Basic, ...)

Path  Verb  Role required
.*    PUT   Writer
.*    GET   Reader
39. Conclusions
Pros
Centralized governance policy configuration
Loose coupling
Tracking of APIs and consumers of those APIs
Gathering statistics/metrics
Service Discovery
Simplify security audit
Cons
Performance
New Architecture Brick
Features = plugins available