
Security enforcement of Java Microservices with Apiman & Keycloak

Published in: Technology

  1. Security enforcement of the Java Microservice Applications
     Charles Moulliard (@cmoulliard), 9th February 2017
  2. Who
     Software Engineer. Work on Spring Boot & Cloud, WildFly Swarm, Fabric8.
     Mountain Biker, Belgian Beer Fan.
     Blog: http://cmoulliard.github.io
     Twitter: @cmoulliard
     Email: cmoulliard@redhat.com
  3. Agenda
     - RESTful use case
     - How to secure the endpoint
     - Endpoint policy
     - Web container
     - API management
     - Demo
  4. Use case description
  5. Use case
  6. REST Service

      import javax.ws.rs.GET;
      import javax.ws.rs.Path;
      import javax.ws.rs.PathParam;
      import javax.ws.rs.Produces;
      // Swagger annotations (io.swagger.annotations in swagger-core 1.5; the slide does not show the imports)
      import io.swagger.annotations.ApiOperation;
      import io.swagger.annotations.ApiParam;
      import io.swagger.annotations.ApiResponse;
      import io.swagger.annotations.ApiResponses;

      @GET
      @Path("/customers/{id}/")
      @Produces("application/xml")
      @ApiOperation(value = "Find Customer by ID", notes = "More notes about this method",
                    response = Customer.class)
      @ApiResponses(value = {
          @ApiResponse(code = 500, message = "Invalid ID supplied"),   // Long.parseLong throws on a non-numeric id
          @ApiResponse(code = 204, message = "Customer not found")     // a null return body becomes 204 No Content
      })
      public Customer getCustomer(
              @ApiParam(value = "ID of Customer to fetch", required = true) @PathParam("id") String id) {
          LOG.info("Invoking getCustomer, Customer id is: {}", id);
          long idNumber = Long.parseLong(id);   // untrusted input is parsed without validation
          Customer c = customers.get(idNumber);
          return c;
      }

  7. API documented: Swagger
  8. How to Secure?
  9. Levels
     - Endpoint: framework / policy / interceptor
     - HTTP web container: handler & constraints
     - Externally: API manager
  10. Endpoint Level
  11. Endpoint level
  12. Intercept
      - Framework based: Apache Shiro, Spring Security
      - Interceptor/Policy: Apache Camel, Apache CXF
      - JAX-RS: @RolesAllowed
  13. Camel Design

      import org.apache.camel.builder.RouteBuilder;

      public class FilterRoute extends RouteBuilder {
          public void configure() throws Exception {
              // netty4-http consumer; the endpoint URI form is netty4-http:http://host:port/path
              from("netty4-http:http://localhost:7777/camel/client")
                  // copy the raw query string into the "id" header: nothing is authenticated or validated yet
                  .setHeader("id").simple("${header.CamelHttpQuery}")
                  .beanRef("customerServer", "getCustomer");
          }
      }

  14. Interceptor: to trace, log, secure
  15. Camel Endpoint
      Goal: extract from the HTTP request the information needed to authenticate a user.
      How: use a Camel Policy to wrap the route / pipeline with a new processor.

      Camel example (camel-shiro):

      public class ShiroSecurityPolicy implements AuthorizationPolicy {
          public Processor wrap(RouteContext routeContext, final Processor processor) {
              // the wrapping processor runs the security check before delegating to the route
              return new ShiroSecurityProcessor(processor, this);
          }
          ...
      }

      // in the wrapping processor (a DelegateAsyncProcessor):
      @Override
      public boolean process(Exchange exchange, AsyncCallback callback) {
          try {
              applySecurityPolicy(exchange);
              ...
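The slide shows only the shape of the camel-shiro policy. The following is a complete Camel 2.x AuthorizationPolicy, added here as an example rather than the camel-shiro or slide code: it authenticates the caller from an API-key header before the wrapped pipeline runs, fails closed when the key is missing or unknown, and maps the resulting CamelAuthorizationException to an HTTP 401 in the route. The header name, the key table and the route are constructed for the example.

```java
import org.apache.camel.AsyncCallback;
import org.apache.camel.CamelAuthorizationException;
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.model.ProcessorDefinition;
import org.apache.camel.processor.DelegateAsyncProcessor;
import org.apache.camel.spi.AuthorizationPolicy;
import org.apache.camel.spi.RouteContext;

import java.util.HashMap;
import java.util.Map;

/**
 * Minimal Camel 2.x AuthorizationPolicy (example code, not camel-shiro):
 * authenticates the caller from the constructed X-Api-Key header.
 */
public class ApiKeyPolicy implements AuthorizationPolicy {

    // Constructed key table: API key -> user name. A real policy looks the key
    // up in a store (Shiro realm, LDAP, database) and never hard-codes secrets.
    private static final Map<String, String> KEYS = new HashMap<>();
    static {
        KEYS.put("k-alice-1234", "alice");
    }

    @Override
    public void beforeWrap(RouteContext routeContext, ProcessorDefinition<?> definition) {
        // nothing to rewrite in the route definition
    }

    @Override
    public Processor wrap(RouteContext routeContext, final Processor processor) {
        // The returned processor sits in front of the wrapped pipeline.
        return new DelegateAsyncProcessor(processor) {
            @Override
            public boolean process(Exchange exchange, AsyncCallback callback) {
                String key = exchange.getIn().getHeader("X-Api-Key", String.class);
                String user = key == null ? null : KEYS.get(key);
                if (user == null) {
                    // Fail closed: the wrapped processor (and the bean) never runs.
                    exchange.setException(new CamelAuthorizationException(
                            "missing or unknown API key", exchange));
                    callback.done(true);
                    return true;
                }
                // Expose the authenticated identity downstream and drop the raw secret
                // so it is not logged or forwarded by later steps.
                exchange.getIn().setHeader("AuthenticatedUser", user);
                exchange.getIn().removeHeader("X-Api-Key");
                return super.process(exchange, callback);
            }
        };
    }

    /** Route applying the policy, with the authorization failure mapped to HTTP 401. */
    public static class SecuredRoute extends RouteBuilder {
        @Override
        public void configure() {
            onException(CamelAuthorizationException.class)
                .handled(true)
                .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(401))
                .setBody(constant("unauthorized"));

            from("netty4-http:http://localhost:7777/camel/client")
                .policy(new ApiKeyPolicy())
                .setHeader("id").simple("${header.CamelHttpQuery}")
                .beanRef("customerServer", "getCustomer");
        }
    }
}
```

The policy is applied with `.policy(...)` immediately after `from(...)`, so the check runs before any header manipulation or bean call; placing it later in the route would let unauthenticated requests reach those steps.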
  16. CXF Endpoint
      How: implement the JAX-RS ContainerRequestFilter interface; CXF runs it through its interceptor chain.

      CXF example:

      @Provider
      @PreMatching
      public class SecurityRequestFilter implements ContainerRequestFilter {
          @Override
          public void filter(final ContainerRequestContext requestContext) throws IOException {
              ...
          }
      }
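A filled-in version of that filter, added here as an example (not the slide's or CXF's own code): it parses HTTP Basic credentials, checks them against a constructed in-memory user table with a constant-time comparison, and on success installs a SecurityContext so that later authorization (isUserInRole, @RolesAllowed enforcement) sees the caller's roles. The realm name, users and passwords are assumptions for the example; a real filter would consult JAAS, LDAP or an identity provider, and Basic auth must only be used over TLS.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Example JAX-RS pre-matching filter (added for illustration) doing HTTP Basic authentication. */
@Provider
@PreMatching
public class BasicAuthRequestFilter implements ContainerRequestFilter {

    private static final String REALM = "demo";   // assumed realm name

    // Constructed user store for the example (plaintext only to keep it short).
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, Set<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("alice", "s3cret");
        ROLES.put("alice", Collections.singleton("manager"));
        PASSWORDS.put("bob", "hunter2");
        ROLES.put("bob", Collections.singleton("user"));
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            abort(ctx);
            return;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            abort(ctx);
            return;
        }
        int colon = decoded.indexOf(':');          // RFC 7617: the password may itself contain ':'
        if (colon < 0) { abort(ctx); return; }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);

        String expected = PASSWORDS.get(user);
        // Constant-time comparison: do not leak how many characters matched.
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8))) {
            abort(ctx);
            return;
        }
        SecurityContext current = ctx.getSecurityContext();
        boolean secure = current != null && current.isSecure();
        ctx.setSecurityContext(new AuthenticatedContext(user, ROLES.get(user), secure));
    }

    // 401 with a challenge; the resource method is never invoked.
    private static void abort(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + REALM + "\"")
                .build());
    }

    private static final class AuthenticatedContext implements SecurityContext {
        private final Principal principal;
        private final Set<String> roles;
        private final boolean secure;

        AuthenticatedContext(String name, Set<String> roles, boolean secure) {
            this.principal = () -> name;
            this.roles = roles;
            this.secure = secure;
        }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public boolean isSecure() { return secure; }
        @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
    }
}
```

Because the filter is @PreMatching it runs before the resource method is selected, so even a request for an unknown path is challenged; every failure path calls abortWith, which is what prevents the request from continuing down the chain.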
  17. Web HTTP Container
  18. Web container level
  19. HTTP Handler
      How: apply constraints on web resource path(s), e.g.
        GET  /rest/accountservice/account             for role User
        POST /webservices/customerservices/customer   for role Admin
      Designed using JAAS (JDBC, LDAP, properties-file login modules); could use roles.
  20. Jetty Example
      Goal: restrict or allow access to resources.
      How: the requested URL is matched against one of the rule(s).

      Example:

      Constraint constraint = new Constraint();
      constraint.setRoles(new String[] { "user", "admin" });
      constraint.setAuthenticate(true);   // without this Jetty ignores the roles and leaves the path open
      ConstraintMapping mapping = new ConstraintMapping();
      mapping.setPathSpec("/say/hello/*");
      mapping.setMethod("GET");           // only GET is constrained; other verbs on this path stay uncovered
      mapping.setConstraint(constraint);

  21. Login Auth Example

      // Describe the authentication constraint to be applied (BASIC, DIGEST, NEGOTIATE, ...)
      Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, "user");
      constraint.setAuthenticate(true);

      // Map the auth constraint to a path
      ConstraintMapping cm = new ConstraintMapping();
      cm.setPathSpec("/*");
      cm.setConstraint(constraint);

      // Users, credentials and roles are read from the properties file
      HashLoginService loginService = new HashLoginService("MyRealm", "myrealm.props");

      ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
      sh.setAuthenticator(new BasicAuthenticator());
      sh.addConstraintMapping(cm);        // setConstraintMappings() takes a List, not a single mapping
      sh.setLoginService(loginService);
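The two snippets above are fragments. The following embedded Jetty 9.4 server, an example added here rather than code from the slides, wires them into a running deny-by-default configuration: role-restricted mappings for specific paths, a catch-all mapping that forbids everything else, and denyUncoveredHttpMethods so that a method-specific rule does not silently leave the other verbs open. The users, passwords, ports and servlet are constructed for the example; a real deployment would use a JDBC, LDAP or JAAS login service and TLS.

```java
import java.io.IOException;
import java.util.Arrays;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.UserStore;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.security.Credential;

/** Embedded Jetty 9.4 server with constraint-based, deny-by-default access control (example code). */
public class SecuredJettyServer {

    // Role-restricted constraint: the listed roles are allowed after authentication.
    static ConstraintMapping roleMapping(String pathSpec, String method, String... roles) {
        Constraint c = new Constraint();
        c.setName(Constraint.__BASIC_AUTH);
        c.setAuthenticate(true);
        c.setRoles(roles);
        ConstraintMapping m = new ConstraintMapping();
        m.setPathSpec(pathSpec);
        m.setMethod(method);      // null = every HTTP method
        m.setConstraint(c);
        return m;
    }

    // authenticate=true with no roles is Jetty's "forbidden" constraint: nobody gets through (403).
    static ConstraintMapping forbidAll(String pathSpec) {
        Constraint c = new Constraint();
        c.setName("forbid");
        c.setAuthenticate(true);
        c.setRoles(new String[0]);
        ConstraintMapping m = new ConstraintMapping();
        m.setPathSpec(pathSpec);
        m.setConstraint(c);
        return m;
    }

    static ConstraintSecurityHandler securityHandler() {
        // Constructed user store for the example.
        UserStore users = new UserStore();
        users.addUser("alice", Credential.getCredential("s3cret"), new String[] {"user"});
        users.addUser("root", Credential.getCredential("t0ps3cret"), new String[] {"user", "admin"});
        HashLoginService login = new HashLoginService("MyRealm");
        login.setUserStore(users);

        ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
        sh.setAuthenticator(new BasicAuthenticator());
        sh.setLoginService(login);
        sh.setRealmName("MyRealm");
        sh.setConstraintMappings(Arrays.asList(
                roleMapping("/say/hello/*", "GET", "user", "admin"),   // most specific path wins
                roleMapping("/admin/*", null, "admin"),
                forbidAll("/*")));                                      // everything not listed above
        // "/say/hello/*" only covers GET; reject POST/PUT/DELETE there instead of allowing them.
        sh.setDenyUncoveredHttpMethods(true);
        return sh;
    }

    public static void main(String[] args) throws Exception {
        // Basic credentials are only base64-encoded: put TLS in front of this outside a demo.
        Server server = new Server(8080);
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        ctx.setContextPath("/");
        ctx.setSecurityHandler(securityHandler());
        ctx.addServlet(new ServletHolder(new HelloServlet()), "/say/hello/*");
        ctx.addServlet(new ServletHolder(new HelloServlet()), "/admin/*");
        server.setHandler(ctx);
        server.start();
        server.join();
    }

    static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("hello " + req.getUserPrincipal().getName());
        }
    }
}
```

Jetty selects the most specific path spec for a request, so `/say/hello/*` and `/admin/*` take precedence over the forbidding `/*` rule; anything not explicitly listed, including paths with no servlet behind them, is refused before any handler runs.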
  22. JAX-RS @RolesAllowed
      Goal: allow/deny access to resources.
      How: using the annotation @RolesAllowed. The annotation is only a declaration; the runtime must be configured to enforce it (in CXF, for example, through the SecureAnnotationsInterceptor), and the roles it names are those of the SecurityContext established at authentication time.

      Example:

      import javax.annotation.security.RolesAllowed;
      import javax.ws.rs.GET;
      import javax.ws.rs.POST;
      import javax.ws.rs.Path;
      import javax.ws.rs.PathParam;
      import javax.ws.rs.Produces;

      @Path("projects")
      @Produces("application/json")
      public class ProjectsResource {
          @POST
          @RolesAllowed("manager")          // only callers whose SecurityContext has the "manager" role
          public Project createProject(final Project project) { ... }

          @GET
          @Path("{id}")                     // no annotation: reachable by any caller
          public Project getProject(@PathParam("id") final Long id) { ... }
      }
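What actually turns @RolesAllowed into a decision is a piece of runtime glue. The following DynamicFeature, added here as an example and not the slide's, CXF's or Jersey's own code, shows the standard JAX-RS 2.0 way to build it: at deployment time it inspects each resource method and class for @DenyAll, @RolesAllowed and @PermitAll and registers a name-bound filter with the decision baked in. Method-level annotations take precedence over class-level ones, @DenyAll wins over everything, and a method with no annotation anywhere stays open, which is exactly why getProject above is reachable by anyone.

```java
import java.io.IOException;
import java.lang.reflect.Method;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Example enforcement of the javax.annotation.security annotations on any JAX-RS 2.0 runtime. */
@Provider
public class RolesAllowedFeature implements DynamicFeature {

    @Override
    public void configure(ResourceInfo info, FeatureContext context) {
        Method method = info.getResourceMethod();
        Class<?> clazz = info.getResourceClass();

        if (method.isAnnotationPresent(DenyAll.class)) {
            context.register(new AccessFilter(null, true));
            return;
        }
        RolesAllowed ra = method.getAnnotation(RolesAllowed.class);
        if (ra != null) {
            context.register(new AccessFilter(ra.value(), false));
            return;
        }
        if (method.isAnnotationPresent(PermitAll.class)) {
            return;                                   // explicitly public
        }
        // Fall back to the class-level annotations.
        if (clazz.isAnnotationPresent(DenyAll.class)) {
            context.register(new AccessFilter(null, true));
        } else if (clazz.isAnnotationPresent(RolesAllowed.class)) {
            context.register(new AccessFilter(clazz.getAnnotation(RolesAllowed.class).value(), false));
        }
        // No annotation at either level: nothing is registered, the method is open.
    }

    static final class AccessFilter implements ContainerRequestFilter {
        private final String[] roles;
        private final boolean denyAll;

        AccessFilter(String[] roles, boolean denyAll) {
            this.roles = roles;
            this.denyAll = denyAll;
        }

        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            if (denyAll) {
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                return;
            }
            SecurityContext sc = ctx.getSecurityContext();
            // Not authenticated at all: 401 rather than 403 so the client knows to log in.
            if (sc == null || sc.getUserPrincipal() == null) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                return;
            }
            for (String role : roles) {
                if (sc.isUserInRole(role)) {
                    return;                           // one matching role is enough
                }
            }
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

The filter relies on whatever SecurityContext the authentication step installed; if no authenticating filter or container login is in place, every @RolesAllowed method answers 401, which is the safe failure mode.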
  23. Web Secured & Policy Level
  24. Pros / Cons
  25. Conclusions
      Pros: no product lock-in; great flexibility; spec managed.
      Cons: intrusive; low management capability; lack of governance.
  26. External Player
  27. API Manager
  28. Apiman
      Goal: externalize/delegate endpoint security to the API manager.
      How: the API gateway acts as a proxy, matching each incoming request against one or many policies and forwarding it to the target endpoint only if every policy validation succeeds.
  29. Manager
  30. API
  31. API
  32. Apiman - Basic Auth
      How: associate a policy using the Basic Auth plugin to an endpoint (gateway configuration, truncated on the slide):

      "contracts" : [ {
          "apiOrgId" : "Policy_BasicAuthStatic",
          "apiId" : "echo",
          "apiVersion" : "1.0.0",
          "policies" : [ {
              "policyImpl" : "class:io.apiman.gateway.engine.policies.BasicAuthenticationPol
              "policyJsonConfig" : "{ "realm" : "Test", "forwardIdentityHttpHeader" :
          } ]
      } ]
  33. Apiman - OpenID Connect
      Goal: authenticate a user against an identity provider to obtain a token used for SSO.
      Authentication between client and identity provider: public, secret or PKI.
      JSON Web Token: compact token format encoding the claims to be transmitted; base64url encoded and digitally signed and/or encrypted.
  34. OpenID Connect - Example (decoded access-token payload)

      {
        "jti": "af68fac6-fd50-4b73-bd37-5c555a8e561e",
        "exp": 1442847825,
        "nbf": 0,
        "iat": 1442847525,
        "iss": "http://localhost:8080/auth/realms/fuse",
        "aud": "fuse",
        "sub": "3591e417-7c60-4464-8714-96190c7fad92",
        "azp": "fuse",
        "session_state": "f58d5dfc-6e4c-4ad2-bd2f-70713f6b942d",
        "client_session": "f06b673f-ecbe-47f2-ba76-b6a5901d5afe",
        "allowed-origins": [],
        "realm_access": {
          "roles": [ "write" ]
        },
        "name": "writer ",
        "preferred_username": "writer",
        "given_name": "writer"
      }

      exp - iat = 300 s, so this access token is valid for five minutes; iss, aud and exp are the claims a resource server must check before using realm_access.roles.
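The roles in that payload are only meaningful once the token has been verified. The class below is an example added here, not Keycloak's or Apiman's code: it validates a compact RS256 JWS (pinned algorithm, signature, exp/nbf with clock skew, issuer, audience) before returning the claims and extracting realm_access.roles. It assumes jackson-databind on the classpath and a public key obtained out of band (for Keycloak, from the realm's certificate endpoint); main() mints a constructed token with a throwaway key pair so the code runs offline.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/** Example RS256 JWS verifier with the claim checks a resource server needs (example code). */
public class JwtVerifier {

    private static final ObjectMapper JSON = new ObjectMapper();
    private static final Base64.Decoder B64 = Base64.getUrlDecoder();
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();

    private final PublicKey issuerKey;
    private final String expectedIssuer;
    private final String expectedAudience;
    private final long clockSkewSeconds;

    public JwtVerifier(PublicKey issuerKey, String issuer, String audience, long skew) {
        this.issuerKey = issuerKey;
        this.expectedIssuer = issuer;
        this.expectedAudience = audience;
        this.clockSkewSeconds = skew;
    }

    /** Returns the verified claims or throws SecurityException with the reason. */
    public JsonNode verify(String token, Instant now) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("not a compact JWS");

        JsonNode header = JSON.readTree(B64.decode(parts[0]));
        // Pin the algorithm: the token must not choose it ("none", HS256 with the public key, ...).
        if (!"RS256".equals(header.path("alg").asText())) {
            throw new SecurityException("unexpected alg " + header.path("alg").asText());
        }
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(issuerKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64.decode(parts[2]))) throw new SecurityException("bad signature");

        // Only now is the payload trustworthy.
        JsonNode claims = JSON.readTree(B64.decode(parts[1]));
        long t = now.getEpochSecond();
        if (!claims.hasNonNull("exp") || claims.get("exp").asLong() + clockSkewSeconds < t)
            throw new SecurityException("token expired");
        if (claims.path("nbf").asLong(0) - clockSkewSeconds > t)
            throw new SecurityException("token not yet valid");
        if (!expectedIssuer.equals(claims.path("iss").asText()))
            throw new SecurityException("wrong issuer");
        if (!audienceMatches(claims.path("aud")))
            throw new SecurityException("token not meant for this API");
        return claims;
    }

    // "aud" may be a single string or an array of strings.
    private boolean audienceMatches(JsonNode aud) {
        if (aud.isTextual()) return expectedAudience.equals(aud.asText());
        for (JsonNode a : aud) if (expectedAudience.equals(a.asText())) return true;
        return false;
    }

    /** Keycloak places realm roles under realm_access.roles. */
    public static List<String> realmRoles(JsonNode claims) {
        List<String> roles = new ArrayList<>();
        for (JsonNode r : claims.path("realm_access").path("roles")) roles.add(r.asText());
        return roles;
    }

    // Demo: mint a constructed token with a throwaway key pair, then verify it.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        long iat = Instant.now().getEpochSecond();
        String payload = "{\"iss\":\"http://localhost:8080/auth/realms/fuse\",\"aud\":\"fuse\","
                + "\"sub\":\"3591e417-7c60-4464-8714-96190c7fad92\",\"iat\":" + iat
                + ",\"exp\":" + (iat + 300) + ",\"realm_access\":{\"roles\":[\"write\"]}}";
        String signingInput = B64E.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + B64E.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        String token = signingInput + "." + B64E.encodeToString(s.sign());

        JwtVerifier v = new JwtVerifier(kp.getPublic(), "http://localhost:8080/auth/realms/fuse", "fuse", 30);
        JsonNode claims = v.verify(token, Instant.now());
        System.out.println("roles for " + claims.get("sub").asText() + ": " + realmRoles(claims));
    }
}
```

The order matters: the header is read only to confirm the expected algorithm, the signature is checked next, and the payload is parsed and its claims evaluated only after the signature holds, so nothing from an unverified token ever influences a decision.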
  35. Role Mapping
      Goal: restrict/allow access to an application based on an authorization rule.
      How: define a collection of authorization rules, combined with an auth plugin (Keycloak, Basic, ...):

        Path   Verb   Role required
        .*     PUT    Writer
        .*     GET    Reader

  36. Pros / Cons
  37. Conclusions
      Pros: centralized governance and policy configuration; loose coupling; tracking of APIs and of their consumers; gathering statistics/metrics; service discovery; simplified security audit.
      Cons: performance (an extra network hop); a new architecture brick; the feature set is limited to the available plugins.
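An evaluator for a rule table like the one above, added here as an illustration and not Apiman's authorization-policy implementation. Each rule is a path regex, an HTTP verb and the role it requires; a request is allowed only when some matching rule's role is held by the caller, and a request that no rule covers is denied rather than forwarded. The rules, caller roles and request paths in main() are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;

/** Example path/verb/role rule evaluation with deny-by-default (example code, not Apiman's). */
public class RoleMappingPolicy {

    static final class Rule {
        final Pattern path;
        final String verb;       // "*" = any verb
        final String role;

        Rule(String pathRegex, String verb, String role) {
            this.path = Pattern.compile(pathRegex);
            this.verb = verb;
            this.role = role;
        }

        boolean appliesTo(String verbIn, String pathIn) {
            return ("*".equals(verb) || verb.equalsIgnoreCase(verbIn))
                    && path.matcher(pathIn).matches();   // whole-path match, not find()
        }
    }

    private final List<Rule> rules = new ArrayList<>();

    public RoleMappingPolicy addRule(String pathRegex, String verb, String role) {
        rules.add(new Rule(pathRegex, verb, role));
        return this;
    }

    /** Decision for one request, given the roles the auth plugin established for the caller. */
    public boolean allow(String verb, String path, Collection<String> callerRoles) {
        for (Rule r : rules) {
            if (r.appliesTo(verb, path) && callerRoles.contains(r.role)) {
                return true;
            }
        }
        // Reached when a matching rule's role is missing, or when no rule matches at all.
        // The second case is what a table with only PUT and GET rows creates for
        // DELETE, PATCH and POST: those verbs are refused for everyone.
        return false;
    }

    public static void main(String[] args) {
        RoleMappingPolicy policy = new RoleMappingPolicy()
                .addRule(".*", "PUT", "Writer")
                .addRule(".*", "GET", "Reader");
        // Constructed callers for the example.
        List<String> writer = Arrays.asList("Writer");
        List<String> reader = Arrays.asList("Reader");
        System.out.println("writer PUT:    " + policy.allow("PUT", "/customers/1", writer));
        System.out.println("writer GET:    " + policy.allow("GET", "/customers/1", writer));
        System.out.println("reader GET:    " + policy.allow("GET", "/customers/1", reader));
        System.out.println("writer DELETE: " + policy.allow("DELETE", "/customers/1", writer));
    }
}
```

With the two rules from the table, a caller holding only Writer passes PUT but not GET, a Reader passes GET, and DELETE is refused for everyone because no row covers it; whether that last outcome is intended is exactly the question to ask when reviewing such a table.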
  38. Demo
  39. Questions
      Twitter: @cmoulliard
      Apiman: http://apiman.io
      Keycloak: http://www.keycloak.org/
