Secure rest api on microservices vws2016
•Download as PPTX, PDF•
3 likes•422 views
This document discusses securing REST APIs on microservices. It recommends using an API gateway for centralized authentication and authorization. The gateway supports various authorization flows like client credentials for internal services, authorization code flow for public apps, and resource owner password credentials for mobile apps. It also recommends implementing rate limiting and monitoring APIs to track metrics like availability, throughput, response time, and errors. Logging all API requests is also suggested for security and monitoring purposes.
Report
Share
Report
Share
Recommended
Microservices & API Gateways
How API Gateways are becoming increasing popular in efficiently managing and orchestrating microservices at scale - a new pattern emerged.
Kong
Kong is an open source API gateway that runs in front of RESTful APIs. It provides functionality through plugins such as authentication, security, traffic control, and logging. Kong creates and manages APIs and plugins to add authentication. For example, a key authentication plugin is enabled on an API, and a consumer is created with a key that must be provided in requests to access the API. Without a valid key, requests return an error.
API Gateway report
This document provides an overview of API gateways. It discusses the API gateway pattern which includes separating client and server code, providing distinct API views from the same origin, and composing calls between APIs. It also includes an architecture diagram and discusses core features like uniform authentication, REST over HTTPS, horizontal scalability, payload rewrite, request composition, and backend as a service. Popular API gateway players like APIGEE, AWS API Gateway, and Kong are compared. Potential pitfalls around dependency, lock-in, scalability, and backend savings are also covered. The conclusion recommends using API gateways as accelerators but planning to reduce their footprint, using standard protocols, managing cache/data, and being able to migrate to an open
Api gateway in microservices
A brief overview of the significance of API Gateways in microservices architecture by providing Kong as an example.
Slide 2: Monolith Vs Microservices
Monolith:
Pros-
Simple to implement
Less integration test - easy to test
Easy to ship
Fast development
Cons-
Violates Open-Close principle
Nightmare when it comes to managing the code
Difficult to enhance
Bigger artifacts
Hard to replace individual components like DB, Logger etc.
Microservices-
Pros-
Easy to manage
One reason to change
Dynamic scaling
Single responsibility
Cons-
Multiple points of failure
Hard to test - rich integration tests required
Heterogeneity in infrastructure
Slide 3: API Gateway Pattern
It is microservices design pattern.
An API gateway is a service which is the entry point into the application from the outside world. It’s responsible for request routing, API composition, and other functions, such as authentication.
There are a lot of issues when client is talking to multiple components to get the job done. These include multiple proxies at client side, different logic to handle different calls, client needs to know the implementation details of server.
A much better approach is for a client to make a single request to what’s known as an API gateway. An API gateway is a service which is the single entry-point for API requests into an application. It’s similar to the Facade pattern from object-oriented design. Like a facade, an API gateway encapsulates the application’s internal architecture and provides an API to its clients. It might also have other responsibilities, such as authentication, monitoring, and rate limiting.
These are also termed as BFF - Backend For Frontend
Slide 4: API Gateway in Action
It acts as a “backend for the frontend”. The clients do not know which services they are talking to. They communicate with a single interface - API Gateway. The gateway resolves the client requests and distributes them to respective services.
Slide 7: Kong Architecture
Kong is a cloud-native, fast, scalable, and distributed Microservice Abstraction Layer (also known as an API Gateway, API Middleware or in some cases Service Mesh). Made available as an open-source project in 2015, its core values are high performance and extensibility.
Actively maintained, Kong is widely used in production at companies ranging from startups to Global 5000 as well as government organizations.
Build a REST API for your Mobile Apps using Node.js
Join Stormpath Developer Evangelist, Edward Jiang, to learn how to build your first REST API using Node.js, and connect it to an iOS or Android app. He’ll cover everything you need to know to about building an API and take you through an example with live code samples.
REST API Security: OAuth 2.0, JWTs, and More!
Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.
The Ultimate Guide to Mobile API Security
Join Stormpath Developer Evangelist Edward Jiang to learn more about the common ways developers authenticate users in their mobile apps, what to watch out for when building your backend API and mobile apps, and how to integrate a secure user datastore to manage your users and authentication.
What is an API Gateway?
Irfan Baqui, Senior Engineer at LunchBadger, breaks down the important role of the API Gateway in Microservices. Additionally, Irfan covers how to get started with Express Gateway, an open source API Gateway built entirely on Express.js. Originally presented at the San Francisco Node Meetup.
Recommended
Microservices & API Gateways
How API Gateways are becoming increasing popular in efficiently managing and orchestrating microservices at scale - a new pattern emerged.
Kong
Kong is an open source API gateway that runs in front of RESTful APIs. It provides functionality through plugins such as authentication, security, traffic control, and logging. Kong creates and manages APIs and plugins to add authentication. For example, a key authentication plugin is enabled on an API, and a consumer is created with a key that must be provided in requests to access the API. Without a valid key, requests return an error.
API Gateway report
This document provides an overview of API gateways. It discusses the API gateway pattern which includes separating client and server code, providing distinct API views from the same origin, and composing calls between APIs. It also includes an architecture diagram and discusses core features like uniform authentication, REST over HTTPS, horizontal scalability, payload rewrite, request composition, and backend as a service. Popular API gateway players like APIGEE, AWS API Gateway, and Kong are compared. Potential pitfalls around dependency, lock-in, scalability, and backend savings are also covered. The conclusion recommends using API gateways as accelerators but planning to reduce their footprint, using standard protocols, managing cache/data, and being able to migrate to an open
Api gateway in microservices
A brief overview of the significance of API Gateways in microservices architecture by providing Kong as an example.
Slide 2: Monolith Vs Microservices
Monolith:
Pros-
Simple to implement
Less integration test - easy to test
Easy to ship
Fast development
Cons-
Violates Open-Close principle
Nightmare when it comes to managing the code
Difficult to enhance
Bigger artifacts
Hard to replace individual components like DB, Logger etc.
Microservices-
Pros-
Easy to manage
One reason to change
Dynamic scaling
Single responsibility
Cons-
Multiple points of failure
Hard to test - rich integration tests required
Heterogeneity in infrastructure
Slide 3: API Gateway Pattern
It is microservices design pattern.
An API gateway is a service which is the entry point into the application from the outside world. It’s responsible for request routing, API composition, and other functions, such as authentication.
There are a lot of issues when client is talking to multiple components to get the job done. These include multiple proxies at client side, different logic to handle different calls, client needs to know the implementation details of server.
A much better approach is for a client to make a single request to what’s known as an API gateway. An API gateway is a service which is the single entry-point for API requests into an application. It’s similar to the Facade pattern from object-oriented design. Like a facade, an API gateway encapsulates the application’s internal architecture and provides an API to its clients. It might also have other responsibilities, such as authentication, monitoring, and rate limiting.
These are also termed as BFF - Backend For Frontend
Slide 4: API Gateway in Action
It acts as a “backend for the frontend”. The clients do not know which services they are talking to. They communicate with a single interface - API Gateway. The gateway resolves the client requests and distributes them to respective services.
Slide 7: Kong Architecture
Kong is a cloud-native, fast, scalable, and distributed Microservice Abstraction Layer (also known as an API Gateway, API Middleware or in some cases Service Mesh). Made available as an open-source project in 2015, its core values are high performance and extensibility.
Actively maintained, Kong is widely used in production at companies ranging from startups to Global 5000 as well as government organizations.
Build a REST API for your Mobile Apps using Node.js
Join Stormpath Developer Evangelist, Edward Jiang, to learn how to build your first REST API using Node.js, and connect it to an iOS or Android app. He’ll cover everything you need to know to about building an API and take you through an example with live code samples.
REST API Security: OAuth 2.0, JWTs, and More!
Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.
The Ultimate Guide to Mobile API Security
Join Stormpath Developer Evangelist Edward Jiang to learn more about the common ways developers authenticate users in their mobile apps, what to watch out for when building your backend API and mobile apps, and how to integrate a secure user datastore to manage your users and authentication.
What is an API Gateway?
Irfan Baqui, Senior Engineer at LunchBadger, breaks down the important role of the API Gateway in Microservices. Additionally, Irfan covers how to get started with Express Gateway, an open source API Gateway built entirely on Express.js. Originally presented at the San Francisco Node Meetup.
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
Slides from Paul Mooney's talk at the OWASP Ireland June Chapter meeting offering an overview of the Encrypted Token Pattern, and ARMOR, its .NET implementation.
Realtime web experience with signalR
The document discusses SignalR, an open source library for ASP.NET developers building real-time web functionality. SignalR provides a simple API for adding real-time web functionality to applications, abstracting how real-time connections are established and messages transferred across different transports like web sockets, server-sent events, and long polling. It supports self-hosting, scaling out to multiple servers, and has client libraries for .NET, JavaScript, and mobile platforms. The document also covers how to install and configure SignalR in ASP.NET applications and some of its key features around authentication, authorization, and scaling.
CIS14: Early Peek at PingFederate Administrative REST API
PingFederate provides REST-based administrative APIs to enable self-service administration, common administration across products, configuration scaling, and configuration management. The APIs support flexible authentication, centralized authorization, validation and error handling comparable to the admin UI. An interactive API documentation and roadmap are shown, including capabilities that can be built now like self-service SSO portals and OAuth client registration.
CIS14: PingAccess 101
John DaSilva, Ping Identity
Scott Tomlinson, Ping Identity
A detailed overview of PingAccess, giving you insight into Ping Identity’s next-generation web access management solution to solve your access management challenges.
SignalR
This document provides an overview of SignalR, a library for adding real-time web functionality to applications. It discusses the history and limitations of traditional HTTP requests and polling. SignalR introduces "push" capabilities using transports like long polling, server-sent events, and websockets. The presentation demonstrates long polling and a progress bar example using SignalR. It notes some considerations when using SignalR like JavaScript naming conventions and verifying the proxy configuration. Overall, the document introduces SignalR as a library that enables real-time web functionality and asynchronous server-client communication patterns using different transport mechanisms.
Intro to signalR
This presentation introduces ASP.NET SignalR, a library for adding real-time functionality to web applications. SignalR allows for bidirectional communication between server and client via persistent connections. It was explained that SignalR chooses the best network transport based on client capabilities, with WebSockets being the ideal method. The presentation covered the SignalR API, including hubs for high-level communication and persistent connections for lower-level access. A demo of a SignalR chat application was shown to demonstrate its use. Security concerns with SignalR were also briefly discussed.
Kong API Gateway
Kong API Gateway is a solution that proxies APIs to address problems like lack of visibility into API usage and inability to stop abusive consumers. It provides features like authentication, security controls, rate limiting, request transformation, and logging to various outputs. It is open source, uses trusted technologies, and has considerations around additional components, latency, and plugin customization. Improvements could include better monitoring and moving more to response rate limiting.
SignalR with ASP.NET MVC 6
Deep diving SignalR with ASP.NET MVC 6.
Speaker: Mr Sherman Chen - Telerik Senior Architect/Advocate with more than 15 years developing desktop, web and mobile apps
SignalR With ASP.Net part1
This document provides an overview of traditional web approaches, real-time web applications, and SignalR. It discusses how traditional approaches rely on pulling data via HTTP requests, while real-time approaches use pushing via persistent connections. SignalR is introduced as a library that abstracts different transport mechanisms and allows developers to focus on application logic rather than connection handling. Key concepts covered include SignalR transports, connections, hubs for server-client communication, and how to get started with SignalR. The document concludes with a note about an upcoming demo.
Real time Communication with Signalr (Android Client)
This document discusses real-time communication using SignalR. It begins with examples of real-time applications and techniques for implementing real-time functionality like polling, long polling, and web sockets. It then introduces SignalR as a library that provides real-time functionality in ASP.NET applications and supports cross-platform communication. Implementation details are covered for both the server-side Hub API in ASP.NET and client-side usage in JavaScript and Android apps. Common use cases for SignalR are also listed.
Practical API Security - PyCon 2018
With the dominance of Mobile Apps, Single Page Apps for the Web, and Micro-Services, we are all building more APIs than ever before. Like many other developers, I had struggled with finding the right mix of security and simplicity for securing APIs. Some standards from the IETF have made it possible to accomplish both. Let me show you how to utilize existing libraries to lock down you API without writing a ton of code.
In this tutorial, you will learn how to write a secure API with future proof security utilizing JOSE. JOSE is a collection of complimentary standards: JWT, JWE, JWS, JWA, and JWK. JOSE is used by OAuth, OpenID, and others to secure communications between APIs and consumers. Now you can use it to secure your API.
Real-time ASP.NET with SignalR
This document discusses SignalR, a Microsoft technology for building real-time web applications. SignalR provides a simple abstraction over various transport mechanisms like websockets, server-sent events, and long polling. It allows for easy implementation of real-time features like chat, live dashboards, and games. The document covers key aspects of SignalR like hubs for defining server-side endpoints, group management, authentication, and deployment options on web farms using Redis or SQL Server.
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
John DaSilva, Identity Architect, Ping Identity
Brian Campbell, Portfolio Architect, Ping Identity
If you asked yourself the question, "What is OAuth and will it solve my mobile device SSO headaches?” then this is the session for you! In this bootcamp, you will learn the basic foundations of OAuth, the drivers (the “why”) behind it, the use cases, the protocol flow and basic terminology. Once we have a basic understanding of OAuth, we will explore various implementation strategies for OAuth 2.0. We’ll dissect the Web Server, User Agent and Native Application use cases, and describe how to configure OAuth in PingFederate Authorization Server. We will even take a look at the up and coming OpenID Connect specification. Bring your laptop; a configuration of PingFederate that you can set up and temporary product licenses will be supplied.
SignalR Overview
SignalR is an ASP.NET library that allows real-time communication between web servers and clients. It uses various techniques like websockets, server-sent events, and long polling to provide a persistent connection. SignalR supports .NET, JavaScript, and mobile clients and can scale out to server farms using backplanes like SQL Server, Service Bus, and Redis. It includes hubs for calling methods between clients and servers and sending messages. Examples of SignalR in use include chat applications and games.
Security components in mule esb
Anypoint platform provides several security components including Anypoint Enterprise Security, API Security Manager, and Virtual Private Cloud. Enterprise Security includes modules like Mule Secure Token Service and security for REST APIs. It ensures APIs are properly protected by authentication and authorization schemes like SAML, OAuth 2, WS-Security, and PingFederate. Enterprise Security applies inbound, process-level, and outbound security across experience, process, and system APIs. Combining HTTPS and OAuth 2.0 is a best practice, with HTTPS providing basic authentication and OAuth 2.0 used to issue and validate tokens to control API access.
«Real Time» Web Applications with SignalR in ASP.NET
Creating responsive and interactive web applications has always been one of my hidden dreams. One of the biggest show stopper has been the communication between server and clients. The rise of websockets now open some space for a brand new kind of applications; but we need a library that makes things 'easy' for us and that is able to fall back on previous solutions when the latest technologies are not available.
Suddenly on the ASP.NET scene appears SignalR: a persistence connection abstraction library that helps ASP.NET developers deal with 'real time' client-server communication sceneries.
Real-time Communications
with SignalR
This document discusses building real-time web applications and introduces ASP.NET SignalR. It defines real-time functionality as the ability for server code to instantly push content to connected clients. It then reviews common real-time examples and various techniques for implementing real-time communications like periodic polling, long polling, and web sockets. The document presents SignalR as an abstraction that handles connection management and negotiates the optimal transport, allowing for easy implementation of real-time functionality like server-to-client push and RPC calls across browsers.
Introduction to SignalR
A modified version of my Desert Code Camp 2011.2 presentation on SignalR from November 5th, 2011.
It's modified since I'm more of a talker and rarely utilize bullet points and much text in my slides.
Introduction to SignalR
An introduction to SignalR
This deck was part of my presentation to Virtusa employees on an ASP.NET asynchronous, persistent signaling library known as SignalR
There is also a slide on how to use SignalR with SharePoint.
Date: August 2013
Follow / Tweet me: @ShehanPeruma
Building Realtime Web Applications With ASP.NET SignalR
This document discusses building real-time web applications and introduces SignalR as a library that simplifies creating persistent HTTP connections for real-time functionality. It describes how older techniques like polling and long polling have disadvantages, while newer techniques like web sockets have limited browser support. SignalR abstracts these complexities by automatically negotiating the best transport and allowing real-time functionality to be easily added to applications. It also enables scaling out applications across servers and backing services. Demos and components of SignalR are presented, along with how it provides a fallback mechanism to support older servers and clients.
Introduction to AWS API Gateway Presentation
An API gateway accepts API requests from a client, processes them based on defined policies, directs them to the appropriate services, and combines the responses for a simplified user experience. Aws api gateway is the solution to implement managed API gateway for authentication, validation, monitor APIs & comparison with other managed & cloud API gateways.
Oauth2.0
This document provides an overview of OAuth 2.0. It discusses what OAuth is, its history and terminology. It then covers the main authorization flows in OAuth 2.0 including server-side web applications, client-side web applications, resource owner passwords, and client credentials. Considerations for using OAuth in mobile apps are also outlined. The document concludes with information about tools, libraries and a demo for implementing OAuth.
More Related Content
What's hot
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
Slides from Paul Mooney's talk at the OWASP Ireland June Chapter meeting offering an overview of the Encrypted Token Pattern, and ARMOR, its .NET implementation.
Realtime web experience with signalR
The document discusses SignalR, an open source library for ASP.NET developers building real-time web functionality. SignalR provides a simple API for adding real-time web functionality to applications, abstracting how real-time connections are established and messages transferred across different transports like web sockets, server-sent events, and long polling. It supports self-hosting, scaling out to multiple servers, and has client libraries for .NET, JavaScript, and mobile platforms. The document also covers how to install and configure SignalR in ASP.NET applications and some of its key features around authentication, authorization, and scaling.
CIS14: Early Peek at PingFederate Administrative REST API
PingFederate provides REST-based administrative APIs to enable self-service administration, common administration across products, configuration scaling, and configuration management. The APIs support flexible authentication, centralized authorization, validation and error handling comparable to the admin UI. An interactive API documentation and roadmap are shown, including capabilities that can be built now like self-service SSO portals and OAuth client registration.
CIS14: PingAccess 101
John DaSilva, Ping Identity
Scott Tomlinson, Ping Identity
A detailed overview of PingAccess, giving you insight into Ping Identity’s next-generation web access management solution to solve your access management challenges.
SignalR
This document provides an overview of SignalR, a library for adding real-time web functionality to applications. It discusses the history and limitations of traditional HTTP requests and polling. SignalR introduces "push" capabilities using transports like long polling, server-sent events, and websockets. The presentation demonstrates long polling and a progress bar example using SignalR. It notes some considerations when using SignalR like JavaScript naming conventions and verifying the proxy configuration. Overall, the document introduces SignalR as a library that enables real-time web functionality and asynchronous server-client communication patterns using different transport mechanisms.
Intro to signalR
This presentation introduces ASP.NET SignalR, a library for adding real-time functionality to web applications. SignalR allows for bidirectional communication between server and client via persistent connections. It was explained that SignalR chooses the best network transport based on client capabilities, with WebSockets being the ideal method. The presentation covered the SignalR API, including hubs for high-level communication and persistent connections for lower-level access. A demo of a SignalR chat application was shown to demonstrate its use. Security concerns with SignalR were also briefly discussed.
Kong API Gateway
Kong API Gateway is a solution that proxies APIs to address problems like lack of visibility into API usage and inability to stop abusive consumers. It provides features like authentication, security controls, rate limiting, request transformation, and logging to various outputs. It is open source, uses trusted technologies, and has considerations around additional components, latency, and plugin customization. Improvements could include better monitoring and moving more to response rate limiting.
SignalR with ASP.NET MVC 6
Deep diving SignalR with ASP.NET MVC 6.
Speaker: Mr Sherman Chen - Telerik Senior Architect/Advocate with more than 15 years developing desktop, web and mobile apps
SignalR With ASP.Net part1
This document provides an overview of traditional web approaches, real-time web applications, and SignalR. It discusses how traditional approaches rely on pulling data via HTTP requests, while real-time approaches use pushing via persistent connections. SignalR is introduced as a library that abstracts different transport mechanisms and allows developers to focus on application logic rather than connection handling. Key concepts covered include SignalR transports, connections, hubs for server-client communication, and how to get started with SignalR. The document concludes with a note about an upcoming demo.
Real time Communication with Signalr (Android Client)
This document discusses real-time communication using SignalR. It begins with examples of real-time applications and techniques for implementing real-time functionality like polling, long polling, and web sockets. It then introduces SignalR as a library that provides real-time functionality in ASP.NET applications and supports cross-platform communication. Implementation details are covered for both the server-side Hub API in ASP.NET and client-side usage in JavaScript and Android apps. Common use cases for SignalR are also listed.
Practical API Security - PyCon 2018
With the dominance of Mobile Apps, Single Page Apps for the Web, and Micro-Services, we are all building more APIs than ever before. Like many other developers, I had struggled with finding the right mix of security and simplicity for securing APIs. Some standards from the IETF have made it possible to accomplish both. Let me show you how to utilize existing libraries to lock down you API without writing a ton of code.
In this tutorial, you will learn how to write a secure API with future proof security utilizing JOSE. JOSE is a collection of complimentary standards: JWT, JWE, JWS, JWA, and JWK. JOSE is used by OAuth, OpenID, and others to secure communications between APIs and consumers. Now you can use it to secure your API.
Real-time ASP.NET with SignalR
This document discusses SignalR, a Microsoft technology for building real-time web applications. SignalR provides a simple abstraction over various transport mechanisms like websockets, server-sent events, and long polling. It allows for easy implementation of real-time features like chat, live dashboards, and games. The document covers key aspects of SignalR like hubs for defining server-side endpoints, group management, authentication, and deployment options on web farms using Redis or SQL Server.
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
John DaSilva, Identity Architect, Ping Identity
Brian Campbell, Portfolio Architect, Ping Identity
If you asked yourself the question, "What is OAuth and will it solve my mobile device SSO headaches?” then this is the session for you! In this bootcamp, you will learn the basic foundations of OAuth, the drivers (the “why”) behind it, the use cases, the protocol flow and basic terminology. Once we have a basic understanding of OAuth, we will explore various implementation strategies for OAuth 2.0. We’ll dissect the Web Server, User Agent and Native Application use cases, and describe how to configure OAuth in PingFederate Authorization Server. We will even take a look at the up and coming OpenID Connect specification. Bring your laptop; a configuration of PingFederate that you can set up and temporary product licenses will be supplied.
SignalR Overview
SignalR is an ASP.NET library that allows real-time communication between web servers and clients. It uses various techniques like websockets, server-sent events, and long polling to provide a persistent connection. SignalR supports .NET, JavaScript, and mobile clients and can scale out to server farms using backplanes like SQL Server, Service Bus, and Redis. It includes hubs for calling methods between clients and servers and sending messages. Examples of SignalR in use include chat applications and games.
Security components in mule esb
Anypoint platform provides several security components including Anypoint Enterprise Security, API Security Manager, and Virtual Private Cloud. Enterprise Security includes modules like Mule Secure Token Service and security for REST APIs. It ensures APIs are properly protected by authentication and authorization schemes like SAML, OAuth 2, WS-Security, and PingFederate. Enterprise Security applies inbound, process-level, and outbound security across experience, process, and system APIs. Combining HTTPS and OAuth 2.0 is a best practice, with HTTPS providing basic authentication and OAuth 2.0 used to issue and validate tokens to control API access.
«Real Time» Web Applications with SignalR in ASP.NET
Creating responsive and interactive web applications has always been one of my hidden dreams. One of the biggest show stopper has been the communication between server and clients. The rise of websockets now open some space for a brand new kind of applications; but we need a library that makes things 'easy' for us and that is able to fall back on previous solutions when the latest technologies are not available.
Suddenly on the ASP.NET scene appears SignalR: a persistence connection abstraction library that helps ASP.NET developers deal with 'real time' client-server communication sceneries.
Real-time Communications
with SignalR
This document discusses building real-time web applications and introduces ASP.NET SignalR. It defines real-time functionality as the ability for server code to instantly push content to connected clients. It then reviews common real-time examples and various techniques for implementing real-time communications like periodic polling, long polling, and web sockets. The document presents SignalR as an abstraction that handles connection management and negotiates the optimal transport, allowing for easy implementation of real-time functionality like server-to-client push and RPC calls across browsers.
Introduction to SignalR
A modified version of my Desert Code Camp 2011.2 presentation on SignalR from November 5th, 2011.
It's modified since I'm more of a talker and rarely utilize bullet points and much text in my slides.
Introduction to SignalR
An introduction to SignalR
This deck was part of my presentation to Virtusa employees on an ASP.NET asynchronous, persistent signaling library known as SignalR
There is also a slide on how to use SignalR with SharePoint.
Date: August 2013
Follow / Tweet me: @ShehanPeruma
Building Realtime Web Applications With ASP.NET SignalR
This document discusses building real-time web applications and introduces SignalR as a library that simplifies creating persistent HTTP connections for real-time functionality. It describes how older techniques like polling and long polling have disadvantages, while newer techniques like web sockets have limited browser support. SignalR abstracts these complexities by automatically negotiating the best transport and allowing real-time functionality to be easily added to applications. It also enables scaling out applications across servers and backing services. Demos and components of SignalR are presented, along with how it provides a fallback mechanism to support older servers and clients.
What's hot (20)
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
CIS14: Early Peek at PingFederate Administrative REST API
CIS14: Early Peek at PingFederate Administrative REST API
Real time Communication with Signalr (Android Client)
Real time Communication with Signalr (Android Client)
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
«Real Time» Web Applications with SignalR in ASP.NET
«Real Time» Web Applications with SignalR in ASP.NET
Building Realtime Web Applications With ASP.NET SignalR
Building Realtime Web Applications With ASP.NET SignalR
Similar to Secure rest api on microservices vws2016
Introduction to AWS API Gateway Presentation
An API gateway accepts API requests from a client, processes them based on defined policies, directs them to the appropriate services, and combines the responses for a simplified user experience. Aws api gateway is the solution to implement managed API gateway for authentication, validation, monitor APIs & comparison with other managed & cloud API gateways.
Oauth2.0
This document provides an overview of OAuth 2.0. It discusses what OAuth is, its history and terminology. It then covers the main authorization flows in OAuth 2.0 including server-side web applications, client-side web applications, resource owner passwords, and client credentials. Considerations for using OAuth in mobile apps are also outlined. The document concludes with information about tools, libraries and a demo for implementing OAuth.
API Economy, Realizing the Business Value of APIs
This document discusses Adobe API Management and how it can help businesses realize value from their APIs. It outlines how API Management automates access control, versioning, analytics, documentation and other functionality that would otherwise require manual implementation. The document also provides examples of API monetization strategies like transactional payments, subscriptions, marketplaces and partnerships. It highlights the speed, simplicity and scalability of Adobe's API Management platform and demonstrates its request flow and user interface.
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
This document summarizes an API Tech Talk presentation. It discusses API design best practices including using RESTful principles like HTTP verbs in URLs, plural nouns, concrete names, and placing complex parameters behind query strings. It also covers versioning, pagination, supporting multiple formats, securing APIs with OAuth 2.0, and common concerns for API providers like security, traffic management, and mediation. The presentation included an overview of API tools and software as well as hands-on examples with Apigee and Usergrid products.
We Built This City - Apigee Edge Architecture
This document discusses the technical challenges of building and maintaining APIs at a global scale. It notes that APIs must be highly available, globally distributed with no downtime, rigorously monitored, and secure from attacks. It outlines Apigee's approach of using services like Zookeeper, Cassandra, and analytics platforms to distribute data and configurations globally, implement features like quotas and abuse detection, and manage high volumes of data and traffic with five-nines availability. The document also stresses the importance of managing the API platform itself with the same availability and reliability standards as the APIs.
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Understanding how emerging standards like OAuth and OpenID Connect impact federation
Federation is a critical technology for reconciling user identity across Web applications. Now that users consume the same data through cloud and mobile, federation infrastructure must adapt to enable these new channels while maintaining security and providing a consistent user experience.
This webinar will examine the differences between identity federation across Web, cloud and mobile, look at API specific use cases and explore the impact of emerging federation standards.
You Will Learn
Best practices for federating identity across mobile and cloud
How emerging identity federation standards will impact your infrastructure
How to implement an identity-centric API security and management infrastructure
Presenters
Ehud Amiri
Director, Product Management, CA Technologies
Francois Lascelles
Chief Architect, Layer 7
#1922 rest-push2 ap-im-v6
IBM Integration Bus and API Management can help enterprises unleash their systems by exposing them as APIs and managing API access. Integration Bus allows connecting different systems and exposing their data through REST APIs. These REST APIs can then be pushed to IBM API Management, which provides tools to securely publish, monitor, and manage access to APIs. The demo showed how a REST API created in Integration Bus can be pushed to API Management to publish it and create pricing plans for external access.
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
L'utilizzo di API basate su eventi è diventato fondamentale per soddisfare la domanda dei clienti e fornire una migliore esperienza utente. Poiché esistono diverse differenze fondamentali tra le API REST e le API asincrone, l'utilizzo di una soluzione di gestione API standard può essere difficile.
La giusta soluzione di gestione delle API dovrebbe combinare le tradizionali funzionalità di gestione delle API con un'architettura basata sugli eventi, per offrire un enorme valore aggiunto e per espandere la portata e l'adozione del business
Introducing WSO2 API Manager for Mobile Applications and Rapid Integration
This document provides an overview and summary of WSO2's API Manager product for managing APIs and mobile applications. Some key points:
- WSO2 API Manager allows companies to publish, secure, manage access to, monitor usage of, and generate revenue from APIs. It supports JSON/HTTP and SOAP/HTTP protocols.
- The API Manager includes an API Store for subscribers to search, view docs/samples, and request access to APIs. It also includes a Publisher back office for managing the API lifecycle.
- Other components include an API Gateway for access control and throttling, and analytics for monitoring API usage over various time periods.
- The API Manager supports managing internal and external APIs
2013 02-apache conna-api-manager-asanka
This document discusses an open source API management platform built using Apache modules. It allows users to find and subscribe to APIs through an API store. It manages, secures, and protects APIs using an API gateway. It also monitors APIs and provides analytics to help monetize APIs.
2022 APIsecure_Securing Large API Ecosystems
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Securing Large API Ecosystems
Michal Trojanowski, Product Marketing Engineer at Curity AB
Securing APIs with oAuth2
Understanding the oAuth2 flows can be challenging. At some point we have probably interacted with one, most of us struggle with how they work, and often times they leaves us very confused. Whether you are on the frontend or backend, understanding oAuth2 can take your skills to the next level. Learn how to secure your APIs through the oAuth2 flows using express. We will dive into the different oAuth flows, the use of scopes, and validating Json Web Tokens (JWT). Each step along the way will be illustrated with code examples using express. Finally, we will touch on the challenges with integration testing and local development.
Open Banking & Open Insurance
This document discusses open banking and insurance through APIs. It begins by defining open banking/insurance as using APIs to share financial data between institutions. It then discusses why open APIs are used, providing benefits like being customer-centric, stimulating innovation, and creating new revenue streams. The document outlines API anatomy and common elements. It also discusses technology challenges around security, performance, and audit that can be overcome using Amazon API Gateway. Finally, it provides considerations for successful API implementations and management.
Role of Rest vs. Web Services and EI
REST is a lightweight architecture for building client-server applications. It uses standard HTTP methods to allow requesting and modifying resource state representations. While SOAP and web services will continue to be used, REST is better suited for mobile and web applications. Organizations are realizing they cannot replace existing technologies and instead focus on integrating technologies to leverage their respective strengths. Exposing existing systems through a REST API gateway allows for coexistence while providing a clean interface. Security, caching, throttling and monitoring are important when managing REST APIs at an enterprise scale.
API Strategy Introduction
Are your APIs becoming too complicated and ad hoc? Feeling the need to set up policies for your API? This presentation will give you strategy options for designing and developing your APIs.
Take Control of your APIs in a Microservice Architecture
Microservices are a new architectural approach to modularize systems into smaller units. The benefits include that services can be adapted more rapidly to changing business demands. Application programming interfaces (APIs) are crucial in every microservice architecture (MSA) as they link up the various microservices. Key challenges of MSA are getting API security, access control and analytics right in an environment that is constantly changing. This workshop talk will show how the features of the 3scale API management platforms in combination with the Red Hat OpenShift PaaS can be leveraged to overcome these challenges.
Operating your Production API
Learn how to monitor and manage your serverless APIs in production. We show you how to set up Amazon CloudWatch alarms, interpret CloudWatch logs for Amazon API Gateway and AWS Lambda, and automate common maintenance and management tasks on your service.
API Security with OAuth2.0.
Traditional security models no longer suffice in the new digital and API driven economy. APIs expose corporate data in very deliberate and thoughtful ways, but, as with any technology that involves enterprise data, security should always be a prime concern. How do you keep your customers' digital experiences as secure as your backend data and services?
OAuth is an API authorization protocol that enables apps to access information on behalf of users without requiring them to divulge their usernames and passwords.
Craft Conference 2015 - Evolution of the PayPal API: Platform & Culture
PayPal provides a faster, safer way to pay and get paid online, via mobile devices and in stores. With 143 million active accounts in 193 markets and 26 currencies around the world, PayPal enables global commerce, processing more than 9 million payments every day. From its initial product which enabled consumers to exchange money via PDA devices, PayPal has been enabling online merchants to accept secure payments via PayPal, helping users access money in their PayPal accounts via ATM machines and enabling consumers to pay at POS terminals in stores.
From enabling simple HTML buttons for the web, PayPal APIs evolved over the last 14 years, and enabled integrations across a variety of channels including mobile, POS, ATMs and other connected devices like televisions and gaming consoles. Through the years, PayPal’s external APIs became increasingly inconsistent, complex and difficult to use, and its internal SOA built on proprietary approaches became tightly coupled and was crippling development.
To address these issues, PayPal began developing a new API and Services Platform in 2012 basing it on principles such as API as a Product, API First and loosely coupled services. The new API Platform was initially launched in 2013 to external developers and partners, and is now being used by PayPal’s own developers to build PayPal’s new products and experiences in hours instead of weeks.
In this talk, you will learn about how PayPal’s API Platform has evolved both internally and externally, as well as how the company’s culture has changed along with the new API Platform.
In this presentation, you will learn about how PayPal’s API Platform has evolved both internally and externally, as well as how the company’s culture has changed along with the new API Platform.
Architecting an Enterprise API Management Strategy
The document discusses strategies for architecting an enterprise API management strategy. It covers factors to consider like whether to treat APIs as a product or tactic. It also discusses API management components like the API publisher and store. The document outlines reference architectures like using API management within an orthogonal toolset. It provides examples of API management for use cases like within a telecommunications ecosystem.
Similar to Secure rest api on microservices vws2016 (20)
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
Introducing WSO2 API Manager for Mobile Applications and Rapid Integration
Introducing WSO2 API Manager for Mobile Applications and Rapid Integration
Take Control of your APIs in a Microservice Architecture
Take Control of your APIs in a Microservice Architecture
Craft Conference 2015 - Evolution of the PayPal API: Platform & Culture
Craft Conference 2015 - Evolution of the PayPal API: Platform & Culture
Architecting an Enterprise API Management Strategy
Architecting an Enterprise API Management Strategy
Recently uploaded
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Azure API Management to expose backend services securely
How to use Azure API Management to expose backend service securely
Introduction of Cybersecurity with OSS at Code Europe 2024
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Generating privacy-protected synthetic data using Secludy and Milvus
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Digital Marketing Trends in 2024 | Guide for Staying Ahead
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
AWS Cloud Cost Optimization Presentation.pptx
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Main news related to the CCS TSI 2023 (2023/1695)
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
This case study explores designing a scalable e-commerce platform, covering key requirements, system components, and best practices.
dbms calicut university B. sc Cs 4th sem.pdf
Its a seminar ppt on database management system using sql
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
June Patch Tuesday
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Finale of the Year: Apply for Next One!
Presentation for the event called "Finale of the Year: Apply for Next One!" organized by GDSC PJATK
Choosing The Best AWS Service For Your Website + API.pptx
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Recently uploaded (20)
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Azure API Management to expose backend services securely
Azure API Management to expose backend services securely
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Secure rest api on microservices vws2016
- 1. Secure REST API on Microservices Nguyễn Minh Quý Head of Technology at Bizweb Bizweb.vn
- 3. Bizweb Rest API Security
- 4. Private AppsWeb Apps Mobile Apps ERP SystemsPublic Apps Bizweb APIs
- 5. Authentication and Authorization for Microservices 1. Centralized authen/author 2. authen/author on each microservices Token Validation Gateway Microservices Microservices Token Validation API Gateway Token Relay Microservices Token Validation Microservices Token Validation Microservices Microservices
- 6. Private AppsMobile Apps Public AppsWeb Apps ERP Systems Bizweb APIs 1st Party Apps
- 7. Client Credentials • Basic Auth + Session Auth • Call between microservices • 1st App: backend, frontend, theme store, app store …
- 8. Private AppsWeb Apps Mobile Apps ERP SystemsPublic Apps Bizweb APIs
- 9. Authorization Code Flow • OAuth 2 • Resource Owner (RO): the user • Client: the web or mobile app • Authorization Service (AS): OAuth 2.0 server • Resource Server (RS): where the actual service is stored Public Apps – 3rd Apps
- 10. Private AppsWeb Apps ERP SystemsPublic AppsMobile Apps Bizweb APIs
- 11. xAuth - Mobile • OAuth2 • Resource Owner Password Credentials Grant (Mobile App)
- 12. Web Apps Mobile Apps ERP SystemsPublic AppsPrivate Apps Bizweb APIs
- 13. Basic Auth - Private Apps • HTTP Authentication • HTTPS
- 14. 14 Bizweb Authentication & Authorization
- 15. Rest API Rate Limit
- 16. Rate-Limiting Best Practices • Authenticated • Have a standard, application wide rate limit • Custom limit for each user, application • Unauthenticated • Based on domain or IP address • Allow limit to be overridden as well
- 17. Public API Rate Limit Filter • Leaky Bucket algorithm (Fill Rate: 2 request/s, Bucket Size: 40) • Http Header Response: X-Bizweb-Api-Call-Limit: 16/40 • 16: Used requests • 40: Maximum requests • When an client exceeds : response code 429 - Too Many Requests 17
- 18. API Monitoring
- 19. Why Monitor?
- 20. Why Monitor? • You need to know if your application is working correctly • Understand what needs to be fixed when something goes wrong • Detect and prevent attacks
- 21. API monitoring – Key metrics • Availability • Throughput • Response time • Errors • Notifications
- 22. API monitoring
- 23. API monitoring
- 25. Summary • Using flexible authorization grant for microservices • OAuth 2.0 is a standard, and has a lot of useful features • API Rate limit • All request to your API must be through HTTPS, reject otherwise. • Log all request to your API
- 26. Thank you! Q&A
Editor's Notes
- Câu hỏi số 3: Phân biệt Authentication vs Authorization Phân biệt Scope với Role