Going down the microservices route makes a lot of things around creating and maintaining large systems easier but it comes at a cost too, particularly associated with challenges around security. While securing monolithic applications was a relatively well understood area, the same can't be said about microservice based architectures.
This presentation covers how implementing microservices affects the security of distributed systems, outlines pros and cons of several standards and common practices and offers practical suggestions for securing microservice based systems using Play and Akka HTTP.
2. About me
• Lead Consultant at OpenCredo
• Helping companies transform their IT platforms and the ways they do business
• Technologist, architect, developer
• Agile practitioner & evangelist
• Scala <- Java <- PHP
3. (Micro)services
• SOA reloaded
• Lightweight, open standards
• Loosely coupled, self-contained
• Independent and scalable
• Bounded context (part of business domain)
5. Securing the monolith - considerations
• Combined presentation and business logic tier
• End user login
• Session based authentication
• Single sign-on (usually with SAML)
7. Securing microservices - considerations
• Who is the consumer (the end user vs the third-party system)?
• Is user context relevant?
  • access control granularity
  • act on behalf
• What are the security related requirements?
  • highly sensitive data
  • integration over public internet
  • social login
  • single sign-on (SSO)
8. Securing microservices - considerations
• What are commercial requirements for your project?
  • time to market
  • availability of skills / expertise
  • buy vs build
• What about the legacy?
  • existing security implementation
  • interoperability with the legacy platform
9. API gateway
[diagram: API gateway in front of the services, each with its own DB]
Pros
• single point of entry
• limited attack surface
• configurable authentication protocols and backends
• faster time to market
• gateway availability/scalability
Cons
• additional cost
• services unsecured internally
• HTTP level access control
• limited auth context
10. HTTP basic auth + client id & secret
[diagram: client presents client_id / client_secret to the services, each with its own DB]
Pros
• easy
• good for third-party integration
• stateless
Cons
• requires TLS
• doesn’t expire
• difficult to enforce at scale (unless used with API gateway)
11. Play Framework
• Basic HTTP auth with HTTP filter
• Basic HTTP auth with Action builder
• Play2.x Authentication and Authorization module (https://github.com/t2v/play2-auth)
• Pac4j module (https://github.com/leleuj/play-pac4j)
• Secure Social module (http://securesocial.ws/)
• Silhouette module (http://silhouette.mohiva.com/)
12. Akka HTTP
• authenticateBasicX directives
• http://doc.akka.io/docs/akka-stream-and-http-experimental/2.0-M2/scala/http/routing-dsl/directives/security-directives/authenticateBasic.html#authenticatebasic

import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.Route
import akka.http.scaladsl.server.directives.Credentials
import scala.concurrent.{ExecutionContext, Future}

// The Future below needs an ExecutionContext; in a real application use system.dispatcher
implicit val ec: ExecutionContext = ExecutionContext.global

def myUserPassAuthenticator(credentials: Credentials): Future[Option[String]] =
  credentials match {
    case p @ Credentials.Provided(id) =>
      Future {
        // the (potentially slow) credential check runs off the request thread;
        // verify() compares in constant time, so it does not leak timing information
        if (p.verify("s3cr3t")) Some(id)
        else None
      }
    case _ => Future.successful(None) // missing or malformed credentials -> 401
  }

val route =
  Route.seal {
    path("secured") {
      authenticateBasicAsync(realm = "secure site", myUserPassAuthenticator) { userName =>
        complete(s"The user is '$userName'")
      }
    }
  }
13. OAuth2+OpenID Connect
[diagram: Auth Server alongside the services, each with its own DB]
Pros
• standards based
• popular for social login & delegated authorisation
• caters for browser, mobile and server-to-server use cases
• token expiry
Cons
• requires TLS
• requires Authorisation Server
• developed initially as authorisation framework
• numerous flavours used
• non-trivial to get right
• authentication impl out of scope
14. Play Framework
• Pac4j module (https://github.com/leleuj/play-pac4j) - supports OAuth1, OAuth2 and OpenID
• Secure Social module (http://securesocial.ws/) - supports OAuth1 and OAuth2
• Silhouette module (http://silhouette.mohiva.com/) - supports OAuth1, OAuth2 and OpenID
15. Akka HTTP
• authenticateOAuth2X directives
• http://doc.akka.io/docs/akka-stream-and-http-experimental/2.0-M2/scala/http/routing-dsl/directives/security-directives/authenticateOAuth2.html#authenticateoauth2

def authenticateOAuth2[T](realm: String, authenticator: Authenticator[T]): AuthenticationDirective[T]

Usage is the same as for HTTP basic auth, but the access token extracted from the Authorization header still has to be validated by your own code (token validation is not supported natively).
17. JSON Web Token
[diagram: Auth Server alongside the services, each with its own DB]
Pros
• auth claims can be signed (HMAC or RSA)
• compact (suitable for URLs, headers, query params)
• self-contained, stateless
• excellent SAML alternative for SSO
Cons
• requires TLS or encryption
• authentication impl out of scope
http://jwt.io/
18. JSON Web Token
• No built-in support in Play or Akka HTTP
• authentikat-jwt (https://github.com/jasongoodwin/authentikat-jwt) - Scala
• iain-logan/jwt (https://github.com/iain-logan/jwt) - Scala
• jose4j (https://bitbucket.org/b_c/jose4j/wiki/Home) - Java
• jjwt (https://github.com/jwtk/jjwt) - Java
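Slide 15 points out that the Akka HTTP OAuth2 directive hands you the bearer token but leaves validating it to your code, and slide 18 lists jjwt as one library that can do that. The following is an added example (not from the slides or the Akka project) wiring jjwt 0.9.x into authenticateOAuth2Async; the HMAC key, the issuer, the `roles` claim and the `/secured` route are assumptions.

```scala
import java.nio.charset.StandardCharsets
import scala.collection.JavaConverters._
import scala.concurrent.Future
import scala.util.Try
import io.jsonwebtoken.{Claims, Jwts}
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.Route
import akka.http.scaladsl.server.directives.Credentials

final case class AuthenticatedUser(id: String, roles: Set[String])

// Assumed values: the HMAC key shared with the auth server (at least 32 random bytes,
// loaded from configuration or a secret store in practice) and the issuer it writes into `iss`.
val hmacKey: Array[Byte] =
  "CONSTRUCTED-PLACEHOLDER-KEY-REPLACE-ME-WITH-32-PLUS-RANDOM-BYTES".getBytes(StandardCharsets.UTF_8)
val expectedIssuer = "https://auth.example.internal"

// Checks signature, `exp`/`nbf`, issuer and presence of `sub`. Every failure maps to None,
// so the directive answers 401 without telling the caller why the token was rejected.
def verifyJwt(token: String): Option[AuthenticatedUser] =
  Try {
    val claims: Claims = Jwts.parser()
      .setSigningKey(hmacKey)        // signature must verify with our key; unsigned (alg=none) tokens fail
      .requireIssuer(expectedIssuer) // tokens minted by any other issuer fail
      .parseClaimsJws(token)         // throws if expired, not yet valid, malformed or unsigned
      .getBody
    // `roles` is an assumed custom claim holding a JSON array of strings
    val roles = Option(claims.get("roles", classOf[java.util.List[String]]))
      .map(_.asScala.toSet)
      .getOrElse(Set.empty[String])
    Option(claims.getSubject).map(AuthenticatedUser(_, roles)) // no `sub` -> reject
  }.toOption.flatten

// Adapter with the shape authenticateOAuth2Async expects: Credentials => Future[Option[T]].
// Credentials.Provided carries the token taken from `Authorization: Bearer <token>`.
def jwtAuthenticator(credentials: Credentials): Future[Option[AuthenticatedUser]] =
  credentials match {
    case Credentials.Provided(token) => Future.successful(verifyJwt(token))
    case _                           => Future.successful(None)
  }

val route: Route =
  Route.seal {
    path("secured") {
      authenticateOAuth2Async(realm = "secure site", jwtAuthenticator) { user =>
        // authorisation is decided separately from authentication, using the verified claims
        authorize(user.roles.contains("admin")) {
          complete(s"'${user.id}' is an admin")
        }
      }
    }
  }
```

The directive chain yields 401 for a missing, expired, foreign-issuer or badly signed token and 403 for a valid token without the `admin` role; the token is never trusted on the strength of its own `alg` header.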
19. Mutually authenticated TLS
[diagram: mTLS between the services, each with its own DB]
Pros
• strong point to point security
Cons
• requires PKI
• key management and distribution challenging
• difficult to implement and troubleshoot
• no user context
20. Play Framework - server-side
• https://www.playframework.com/documentation/2.4.x/ConfiguringHttps

import javax.net.ssl.{SSLContext, SSLEngine}
import play.core.ApplicationProvider
import play.server.api.SSLEngineProvider

// Registered via play.server.https.engineProvider; readKeyManagers()/readTrustManagers()
// (defined elsewhere) load the server key store and the CA(s) trusted for client certificates
class CustomSSLEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {

  def createSSLContext(applicationProvider: ApplicationProvider): SSLContext = {
    val keyManagers = readKeyManagers()
    val trustManagers = readTrustManagers()
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(keyManagers, trustManagers, null)
    sslContext
  }

  override def createSSLEngine(): SSLEngine = {
    val sslContext = createSSLContext(appProvider)
    val sslParameters = sslContext.getDefaultSSLParameters
    sslParameters.setUseCipherSuitesOrder(true) // the server, not the client, picks the cipher suite
    sslParameters.setNeedClientAuth(true)       // handshake fails unless a trusted client cert is presented
    val engine = sslContext.createSSLEngine
    engine.setSSLParameters(sslParameters)
    engine
  }
}
21. Akka HTTP - server-side
• http://doc.akka.io/docs/akka-stream-and-http-experimental/2.0-M2/scala/http/low-level-server-side-api.html#serversidehttps

import javax.net.ssl.SSLContext
import scala.collection.immutable
import akka.actor.ActorSystem
import akka.stream.ActorMaterializer
import akka.http.scaladsl.{Http, HttpsContext}
// ServerSettings and the client-auth enum that provides `Need` live in version-specific
// packages; see the linked docs for the release in use

def createSSLContext(): SSLContext = {
  val keyManagers = readKeyManagers()     // server certificate and private key
  val trustManagers = readTrustManagers() // CA(s) trusted for client certificates
  val sslContext = SSLContext.getInstance("TLS")
  sslContext.init(keyManagers, trustManagers, null)
  sslContext
}

def run() = {
  implicit val system = ActorSystem("server")
  implicit val materializer = ActorMaterializer()
  val sslContext = createSSLContext()
  // pin the cipher suite and protocol version and require (Need) a client certificate
  val serverSource = Http().bind(interface = "localhost", port = 8200, ServerSettings(system),
    Some(HttpsContext(sslContext,
      Some(immutable.Seq("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")),
      Some(immutable.Seq("TLSv1.2")),
      Some(Need),
      Some(sslContext.getDefaultSSLParameters))))
  …
}
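Both server-side snippets on slides 20 and 21 call readKeyManagers() and readTrustManagers() without showing them. The following is an added example (not from the slides) of one way to implement them from PKCS12 stores; the file paths, the password and the use of a dedicated client-CA trust store are assumptions.

```scala
import java.io.FileInputStream
import java.security.KeyStore
import javax.net.ssl.{KeyManager, KeyManagerFactory, TrustManager, TrustManagerFactory}

// Assumed locations; in practice read them from configuration or a secret store.
val serverKeyStorePath = "conf/server.p12"     // server certificate + private key
val clientCaTrustStore = "conf/client-ca.p12"  // ONLY the internal CA that issues client certs
val storePassword      = "changeit".toCharArray // constructed placeholder

private def loadKeyStore(path: String, password: Array[Char]): KeyStore = {
  val ks = KeyStore.getInstance("PKCS12")
  val in = new FileInputStream(path)
  try ks.load(in, password) finally in.close()
  ks
}

// Key managers present the server's own certificate during the handshake.
def readKeyManagers(): Array[KeyManager] = {
  val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
  kmf.init(loadKeyStore(serverKeyStorePath, storePassword), storePassword)
  kmf.getKeyManagers
}

// Trust managers decide which client certificates are accepted. Building them from a
// dedicated trust store rather than the JVM's default cacerts means only certificates
// issued by your own PKI can authenticate; a certificate from a public CA is rejected.
def readTrustManagers(): Array[TrustManager] = {
  val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
  tmf.init(loadKeyStore(clientCaTrustStore, storePassword))
  tmf.getTrustManagers
}
```

With setNeedClientAuth(true) or `Need` in place, a peer that presents no certificate, or one not chaining to the CA in client-ca.p12, fails the handshake before any request reaches the application.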
22. Authorisation
• At the perimeter or within the business logic?
• Where are user roles/permissions coming from (each bounded context might have different access control considerations)?
• How is the user context passed into the service?
23. Play Framework
• Authorisation with HTTP filter
• Authorisation with Action builder
• Deadbolt (http://deadbolt.ws/#/home) - works with Silhouette and SecureSocial for authentication
24. Akka HTTP
• authorize directive
• http://doc.akka.io/docs/akka-stream-and-http-experimental/2.0-M2/scala/http/routing-dsl/directives/security-directives/authorize.html#authorize

case class User(name: String)
val admins = Set("Peter")

// the authorisation decision itself, kept as a pure function so it is easy to test
def hasAdminPermissions(user: User): Boolean =
  admins.contains(user.name)

val route =
  Route.seal {
    // myUserPassAuthenticator here is the synchronous variant, Credentials => Option[User]
    authenticateBasic(realm = "secure site", myUserPassAuthenticator) { user =>
      path("peters-lair") {
        authorize(hasAdminPermissions(user)) { // rejects with 403 when the check is false
          complete(s"'${user.name}' visited Peter's lair")
        }
      }
    }
  }
25. Key takeaways
• Securing microservice based architectures is challenging
• The technology landscape changes all the time
• One size (solution) doesn’t fit all
• Consider your requirements before committing to a technical solution
26. Questions?
• Email: rafal.gancarz@opencredo.com
• Twitter: @RafalGancarz
• See me tomorrow at lunchtime for a Q&A session on Securing Microservices using Play and Akka HTTP
• Visit OpenCredo’s booth tomorrow and enter a draw to win an Apple Watch!
• See you at the Scala Exchange party later :)
• Thank you!