Security enforcement of Microservices with API Management
Charles Moulliard (@cmoulliard), 17 June 2016
Who
Committer, Coder, Architect
Work on Apache Camel, Karaf, Fabric8, Hawtio, Apiman, Drools
Mountain Biker, Belgian Beer Fan
Blog: http://cmoulliard.github.io
Twitter: @cmoulliard
Email:
Agenda
RESTful use case
How to Secure the Endpoint
Policy
Web Container
Api Management
Demo
Use case description
Use case
REST Service

The resource method of the use case: a plain JAX-RS method documented with Swagger annotations. Note that nothing here authenticates or authorizes the caller; that is what the rest of the deck adds, layer by layer.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import io.swagger.annotations.ApiOperation;   // Swagger 1.5 annotations
import io.swagger.annotations.ApiParam;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;

@GET
@Path("/customers/{id}/")
@Produces("application/xml")
@ApiOperation(value = "Find Customer by ID", notes = "More notes about this method", response = Customer.class)
@ApiResponses(value = {
    @ApiResponse(code = 500, message = "Invalid ID supplied"),
    @ApiResponse(code = 204, message = "Customer not found") })
public Customer getCustomer(
        @ApiParam(value = "ID of Customer to fetch", required = true) @PathParam("id") String id) {
    LOG.info("Invoking getCustomer, Customer id is: {}", id);
    long idNumber = Long.parseLong(id);     // a non-numeric id raises NumberFormatException, surfaced as the 500 above
    Customer c = customers.get(idNumber);   // unknown id returns null, which JAX-RS turns into the empty 204
    return c;
}
```
API documented with Swagger
How to secure it?
At which level?
Endpoint: framework, policy or interceptor
HTTP web container: handler and constraints
Externally: API manager
Endpoint Level
Intercept
Framework based: Apache Shiro, Spring Security
Interceptor/Policy: Apache Camel, Apache CXF
JAX-RS: @RolesAllowed
![Page 13: Security enforcement of Microservices with API Management](https://reader031.vdocument.in/reader031/viewer/2022030303/587bdff01a28ab834d8b7427/html5/thumbnails/13.jpg)
Camel Design

The same customer lookup exposed as a Camel route over netty4-http. As on the slide, the request goes straight to the bean: anything on the query string reaches getCustomer without any check.

```java
import org.apache.camel.builder.RouteBuilder;

public class FilterRoute extends RouteBuilder {
    @Override
    public void configure() throws Exception {
        // HTTP consumer: netty4-http:<url> (the slide's "netty4-http://http://..." double scheme does not resolve)
        from("netty4-http:http://localhost:7777/camel/client")
            // copy the raw query string into the "id" header consumed by getCustomer
            .setHeader("id").simple("${header.CamelHttpQuery}")
            // "customerServer" is the registry name of the bean that holds getCustomer
            .beanRef("customerServer", "getCustomer");
    }
}
```
![Page 14: Security enforcement of Microservices with API Management](https://reader031.vdocument.in/reader031/viewer/2022030303/587bdff01a28ab834d8b7427/html5/thumbnails/14.jpg)
Interceptor
Used to trace, log and secure exchanges
![Page 15: Security enforcement of Microservices with API Management](https://reader031.vdocument.in/reader031/viewer/2022030303/587bdff01a28ab834d8b7427/html5/thumbnails/15.jpg)
Camel Endpoint
Goal: extract from the HTTP request the information needed to authenticate a user.
How: use a Camel Policy to wrap the route (the processor pipeline) with a new processor that runs before the rest of the route.

Camel example (excerpt from camel-shiro, as shown on the slide):

```java
// The policy wraps the route's processor chain in a security processor ...
public class ShiroSecurityPolicy implements AuthorizationPolicy {
    public Processor wrap(RouteContext routeContext, final Processor processor) {
        return new ShiroSecurityProcessor(processor, this);
    }
    ...
}

// ... and that processor (ShiroSecurityProcessor) applies the check before delegating to the wrapped chain
@Override
public boolean process(Exchange exchange, AsyncCallback callback) {
    try {
        applySecurityPolicy(exchange);
        ...
```
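A complete policy in the same shape, written for this page as an added example (it is not camel-shiro's or the deck's code). It assumes the Camel 2.x AuthorizationPolicy/RouteContext API (Camel 3 renamed these to Route and NamedNode), a constructed token table standing in for a real identity provider, and a direct: endpoint instead of netty4-http so it runs without opening a port. The policy authenticates from the Authorization header, strips the credential so it never reaches the bean, and passes the identity on in a header, which is the same pattern the API gateway uses later in the deck.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.Message;
import org.apache.camel.Processor;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.model.ProcessorDefinition;
import org.apache.camel.spi.AuthorizationPolicy;
import org.apache.camel.spi.RouteContext;

/** Camel 2.x policy: wraps the rest of the route in a processor that authenticates the caller first. */
public class BearerTokenPolicy implements AuthorizationPolicy {

    // Constructed token table (token -> principal); a real policy would validate a JWT or call an IdP
    private final Map<String, String> tokens = new HashMap<>();

    public BearerTokenPolicy addToken(String token, String principal) {
        tokens.put(token, principal);
        return this;
    }

    @Override
    public void beforeWrap(RouteContext routeContext, ProcessorDefinition<?> definition) {
        // nothing to change in the route model
    }

    @Override
    public Processor wrap(RouteContext routeContext, final Processor next) {
        return exchange -> {
            Message in = exchange.getIn();
            String principal = authenticate(in.getHeader("Authorization", String.class));
            in.removeHeader("Authorization");                     // never forward the credential downstream
            in.setHeader("X-Authenticated-Identity", principal);  // downstream steps only see who the caller is
            next.process(exchange);                               // reached only when authentication succeeded
        };
    }

    String authenticate(String authorization) {
        if (authorization == null || !authorization.startsWith("Bearer ")) {
            throw new SecurityException("missing bearer token");
        }
        String principal = tokens.get(authorization.substring("Bearer ".length()).trim());
        if (principal == null) {
            throw new SecurityException("unknown token");
        }
        return principal;
    }

    static String call(ProducerTemplate template, String authorization) {
        Exchange result = template.send("direct:customer", e -> {
            e.getIn().setHeader("id", 123);
            if (authorization != null) {
                e.getIn().setHeader("Authorization", authorization);
            }
        });
        // a policy failure is recorded on the exchange; the route body never ran
        return result.getException() != null
                ? "denied: " + result.getException().getMessage()
                : result.getIn().getBody(String.class);
    }

    public static void main(String[] args) throws Exception {
        BearerTokenPolicy policy = new BearerTokenPolicy().addToken("tok-bwayne-7f3a", "bwayne"); // constructed
        CamelContext context = new DefaultCamelContext();
        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                from("direct:customer")
                    .policy(policy)   // everything after this line is wrapped by the policy
                    .process(e -> e.getIn().setBody("customer " + e.getIn().getHeader("id")
                            + " returned to " + e.getIn().getHeader("X-Authenticated-Identity")));
            }
        });
        context.start();
        try {
            ProducerTemplate template = context.createProducerTemplate();
            System.out.println(call(template, "Bearer tok-bwayne-7f3a"));  // valid token
            System.out.println(call(template, "Bearer forged"));          // unknown token
            System.out.println(call(template, null));                     // no credential at all
        } finally {
            context.stop();
        }
    }
}
```

Because the exception is raised inside the wrapped processor, Camel's normal error handling applies: an onException or errorHandler on the route can turn the SecurityException into a 401 response on an HTTP consumer such as netty4-http.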
![Page 16: Security enforcement of Microservices with API Management](https://reader031.vdocument.in/reader031/viewer/2022030303/587bdff01a28ab834d8b7427/html5/thumbnails/16.jpg)
CXF Endpoint
How: implement the JAX-RS ContainerRequestFilter interface.
Rely on CXF interceptors.

CXF example (a pre-matching filter runs before the resource method is selected, so it sees every request):

```java
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.ext.Provider;

@Provider
@PreMatching
public class SecurityRequestFilter implements ContainerRequestFilter {
    @Override
    public void filter(final ContainerRequestContext requestContext) throws IOException {
        ...
    }
}
```
![Page 17: Security enforcement of Microservices with API Management](https://reader031.vdocument.in/reader031/viewer/2022030303/587bdff01a28ab834d8b7427/html5/thumbnails/17.jpg)
Web HTTP Container
Web container level
HTTP Handler
How: apply constraints on web resource paths, for example:
GET /rest/accountservice/account for role User
POST /webservices/customerservices/customer for role Admin
Users and roles come from JAAS (JDBC, LDAP, properties file)
Constraints are expressed in terms of roles
Jetty Example
Goal: restrict or allow access to resources.
How: the requested URL is matched against one of the rules.

Example:

```java
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.util.security.Constraint;

Constraint constraint = new Constraint();
constraint.setAuthenticate(true);   // required: without it Jetty ignores the roles and the path stays open
constraint.setRoles(new String[] { "user", "admin" });

ConstraintMapping mapping = new ConstraintMapping();
mapping.setPathSpec("/say/hello/*");
mapping.setMethod("GET");           // only GET is constrained; other verbs on this path need their own rule
mapping.setConstraint(constraint);
```
Login Auth Example

```java
import java.util.Collections;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.util.security.Constraint;

// Describe the authentication constraint to apply (BASIC, DIGEST, NEGOTIATE, ...)
Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, "user");
constraint.setAuthenticate(true);

// Map the constraint to a path
ConstraintMapping cm = new ConstraintMapping();
cm.setPathSpec("/*");
cm.setConstraint(constraint);

// Users, passwords and roles read from a properties file
HashLoginService loginService = new HashLoginService("MyRealm", "myrealm.props");

ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
sh.setAuthenticator(new BasicAuthenticator());
sh.setConstraintMappings(Collections.singletonList(cm)); // Jetty 9 takes a List of mappings
sh.setLoginService(loginService);
// sh still has to be placed in the handler chain: server.setHandler(sh); sh.setHandler(application);
```
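The two slides above, wired into a complete embedded server, as an added example that is not part of the deck. It assumes Jetty 9.4 (for the in-memory UserStore) and constructed users; the two rules are the ones from the HTTP Handler slide. It also adds the two settings a practitioner wants and the slides leave out: a default-deny rule for every path that is not listed, and denyUncoveredHttpMethods, since a rule that names only GET on a path would otherwise leave DELETE or PUT on that same path unconstrained.

```java
import java.io.IOException;
import java.util.Arrays;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.UserStore;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.security.Credential;

public class SecuredJettyServer {

    /** One rule: pathSpec + optional method -> roles. Authenticate with no roles at all means "forbidden". */
    static ConstraintMapping rule(String pathSpec, String method, String... roles) {
        Constraint c = new Constraint();
        c.setName(Constraint.__BASIC_AUTH);
        c.setAuthenticate(true);            // without this Jetty ignores the roles entirely
        c.setRoles(roles);                  // authenticate=true + empty roles => 403 for everyone
        ConstraintMapping m = new ConstraintMapping();
        m.setPathSpec(pathSpec);
        if (method != null) {
            m.setMethod(method);            // null = every method
        }
        m.setConstraint(c);
        return m;
    }

    static ConstraintSecurityHandler securityHandler() {
        // Constructed in-memory users; a properties file, JDBC or LDAP login service plugs in the same way
        UserStore users = new UserStore();
        users.addUser("alice", Credential.getCredential("alice-pw"), new String[] { "user" });
        users.addUser("bob",   Credential.getCredential("bob-pw"),   new String[] { "user", "admin" });
        HashLoginService loginService = new HashLoginService("MyRealm");
        loginService.setUserStore(users);

        ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
        sh.setAuthenticator(new BasicAuthenticator());
        sh.setLoginService(loginService);
        sh.setConstraintMappings(Arrays.asList(
            rule("/rest/accountservice/account", "GET", "user"),             // the slide's two rules
            rule("/webservices/customerservices/customer", "POST", "admin"),
            rule("/*", null)));                                              // default deny for any other path
        // The exact paths above name a single verb; without this, e.g. DELETE on them would be unconstrained
        sh.setDenyUncoveredHttpMethods(true);
        return sh;
    }

    public static void main(String[] args) throws Exception {
        ConstraintSecurityHandler security = securityHandler();
        security.setHandler(new AbstractHandler() {   // the protected application
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException, ServletException {
                response.setContentType("text/plain");
                // only reached after the constraint for this path and verb has passed
                response.getWriter().println(request.getMethod() + " " + target + " as " + request.getRemoteUser());
                baseRequest.setHandled(true);
            }
        });
        Server server = new Server(8080);
        server.setHandler(security);
        server.start();
        server.join();
    }
}
```

With the server running, curl -u alice:alice-pw http://localhost:8080/rest/accountservice/account succeeds, the same URL with -X DELETE is refused, and alice (role user only) is refused on the admin-only POST while bob is accepted; any path outside the two rules answers 403 before authentication is even attempted.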
JAX-RS @RolesAllowed
Goal: allow or deny access to resources.
How: annotate the resource method with @RolesAllowed.

Example (the unannotated GET stays open to any caller; the runtime, or a filter, must still enforce the annotation):

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;

@Path("projects")
@Produces("application/json")
public class ProjectsResource {

    @POST
    @RolesAllowed("manager")
    public Project createProject(final Project project) {
        ...
    }

    @GET
    @Path("{id}")
    public Project getProject(@PathParam("id") final Long id) {
        ...
    }
}
```
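@RolesAllowed is only metadata: something has to authenticate the caller, install a SecurityContext and then compare the matched method's annotation against it. The following is an added example written for this page (not CXF's or the deck's code) that does both halves with nothing but the JAX-RS API, which is what the CXF Endpoint slide's ContainerRequestFilter and this slide's annotation need in order to work together. It assumes a constructed user table and Basic authentication; the resource is the slide's ProjectsResource with String bodies so it is self-contained.

```java
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Priorities;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

public class ProjectsSecurity {

    // Constructed user table (name -> password, name -> roles); real deployments use JAAS, LDAP or an IdP
    static final Map<String, String> PASSWORDS = new HashMap<>();
    static final Map<String, Set<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("alice", "alice-pw"); ROLES.put("alice", new HashSet<>(Arrays.asList("manager", "viewer")));
        PASSWORDS.put("bob",   "bob-pw");   ROLES.put("bob",   new HashSet<>(Arrays.asList("viewer")));
    }

    /** Step 1, pre-matching: turn a Basic credential into a SecurityContext. Bad credentials -> 401. */
    @Provider @PreMatching @Priority(Priorities.AUTHENTICATION)
    public static class BasicAuthFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            String header = ctx.getHeaderString("Authorization");
            if (header == null) {
                return;                                   // anonymous: the authorization step decides
            }
            String user = null;
            if (header.startsWith("Basic ")) {
                try {
                    String[] creds = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                            StandardCharsets.UTF_8).split(":", 2);
                    String expected = creds.length == 2 ? PASSWORDS.get(creds[0]) : null;
                    // constant-time compare: a wrong password must not leak how many bytes matched
                    if (expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                            creds[1].getBytes(StandardCharsets.UTF_8))) {
                        user = creds[0];
                    }
                } catch (IllegalArgumentException malformedBase64) {
                    // treated as bad credentials
                }
            }
            if (user == null) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header("WWW-Authenticate", "Basic realm=\"projects\"").build());
                return;
            }
            final String name = user;
            final boolean secure = ctx.getSecurityContext().isSecure();
            ctx.setSecurityContext(new SecurityContext() {
                @Override public Principal getUserPrincipal() { return () -> name; }
                @Override public boolean isUserInRole(String role) { return ROLES.get(name).contains(role); }
                @Override public boolean isSecure() { return secure; }
                @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
            });
        }
    }

    /** Step 2, post-matching: enforce @DenyAll / @PermitAll / @RolesAllowed on the matched method. */
    @Provider @Priority(Priorities.AUTHORIZATION)
    public static class RolesAllowedFilter implements ContainerRequestFilter {
        @Context private ResourceInfo resourceInfo;    // only known after matching, hence no @PreMatching here

        @Override
        public void filter(ContainerRequestContext ctx) {
            Method method = resourceInfo.getResourceMethod();
            if (method.isAnnotationPresent(DenyAll.class)) {
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                return;
            }
            if (method.isAnnotationPresent(PermitAll.class)) {
                return;
            }
            RolesAllowed allowed = method.getAnnotation(RolesAllowed.class);
            if (allowed == null) {
                allowed = resourceInfo.getResourceClass().getAnnotation(RolesAllowed.class); // class-level default
            }
            if (allowed == null) {
                return;                                    // no annotation at all: open, like the slide's GET
            }
            SecurityContext sc = ctx.getSecurityContext();
            if (sc.getUserPrincipal() == null) {           // a role is required but nobody is logged in
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header("WWW-Authenticate", "Basic realm=\"projects\"").build());
                return;
            }
            for (String role : allowed.value()) {
                if (sc.isUserInRole(role)) {
                    return;
                }
            }
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());   // authenticated, wrong role
        }
    }

    @Path("projects") @Produces("application/json")
    public static class ProjectsResource {
        @POST @RolesAllowed("manager")
        public String createProject(String project) { return "{\"created\":" + project + "}"; }

        @GET @Path("{id}")
        public String getProject(@PathParam("id") long id) { return "{\"id\":" + id + "}"; }
    }
}
```

Register the two filters and the resource in the Application (or the CXF endpoint's providers list). Then an anonymous POST to /projects gets 401, bob (viewer only) gets 403, alice gets through, and GET /projects/1 works for everyone. On CXF the second filter's job is also available out of the box as the SecureAnnotationsInterceptor; the first half, producing the SecurityContext, is always yours to write or to delegate to a container or a gateway.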
Web Secured & Policy Level
Pros / Cons
Conclusions
Pros
No product lock-in
Great flexibility
Spec-driven (JAX-RS, Servlet)
Cons
Intrusive: the security code lives inside each service
Limited management capability
No central governance
External Player
API Manager
Apiman
Goal: externalize security, delegating it from the endpoint to the API manager.
How: the API manager acts as a proxy/gateway that
matches each incoming request against one or many policies, and
delivers the request to the target endpoint only if every policy validates it.
Manager
Api
Apiman: Basic Auth
How: attach a policy backed by the Basic Auth plugin to the API (here the "echo" API, version 1.0.0):

```json
"contracts" : [ {
  "apiOrgId" : "Policy_BasicAuthStatic",
  "apiId" : "echo",
  "apiVersion" : "1.0.0",
  "policies" : [ {
    "policyImpl" : "class:io.apiman.gateway.engine.policies.BasicAuthenticationPolicy",
    "policyJsonConfig" : "{ \"realm\" : \"Test\", \"forwardIdentityHttpHeader\" : \"X-Authenticated-Identity\", \"staticIdentity\" : { \"identities\" : [ { \"username\" : \"bwayne\", \"password\" : \"bwayne\" } ] } }"
  } ]
} ]
```

The static identity source with a plaintext password is meant for testing; the policy also supports JDBC and LDAP identity sources. Because forwardIdentityHttpHeader tells the backend who was authenticated, the backend must only be reachable through the gateway, otherwise a client that can call the service directly can set X-Authenticated-Identity itself.
Apiman: OpenID Connect
Goal: authenticate a user against an identity provider and obtain a token that is reused for SSO.
Authentication between the client and the identity provider: public, shared secret or PKI.
JSON Web Token (JWT):
Compact token format,
Encodes the claims to be transmitted,
Base64url encoded and digitally signed and/or encrypted.
OpenID Connect example (decoded payload of a Keycloak access token):

```json
{
  "jti": "af68fac6-fd50-4b73-bd37-5c555a8e561e",
  "exp": 1442847825,
  "nbf": 0,
  "iat": 1442847525,
  "iss": "http://localhost:8080/auth/realms/fuse",
  "aud": "fuse",
  "sub": "3591e417-7c60-4464-8714-96190c7fad92",
  "azp": "fuse",
  "session_state": "f58d5dfc-6e4c-4ad2-bd2f-70713f6b942d",
  "client_session": "f06b673f-ecbe-47f2-ba76-b6a5901d5afe",
  "allowed-origins": [],
  "realm_access": { "roles": [ "write" ] },
  "name": "writer ",
  "preferred_username": "writer",
  "given_name": "writer"
}
```
Role Mapping
Goal: restrict or allow access to an application based on an authorization rule.
How: define a collection of authorization rules such as the ones below, combined with an authentication plugin (Keycloak, Basic, ...).

| Path | Verb | Role required |
|------|------|---------------|
| .*   | PUT  | Writer        |
| .*   | GET  | Reader        |
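What the gateway has to do between the two slides above, the OpenID Connect token and the role-mapping table, is written out below as an added example (not apiman's Keycloak plugin and not the deck's code). It assumes the nimbus-jose-jwt 9.x library and Java 8+, uses throwaway RSA keys in place of the identity provider's signing key, and assumes the rule roles are named "write" and "read" so they match realm_access.roles in a token like the slide's. The order matters: the algorithm is pinned, the signature is verified, then exp/nbf/iss/aud are checked, and only then are roles read and compared with the rule table. Note that the slide's token has an exp in 2015, so a correct check would reject it today.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.regex.Pattern;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/** Gateway-side validation of an OpenID Connect access token, then the role-mapping table. */
public class TokenRoleMapping {

    static final String ISSUER = "http://localhost:8080/auth/realms/fuse";   // iss and aud as in the slide's token
    static final String AUDIENCE = "fuse";

    /** One row of the role-mapping table: path regex + verb -> required role. */
    static final class Rule {
        final Pattern path; final String verb; final String role;
        Rule(String path, String verb, String role) { this.path = Pattern.compile(path); this.verb = verb; this.role = role; }
    }
    // Assumed role names "write"/"read" so that they line up with realm_access.roles
    static final List<Rule> RULES = Arrays.asList(new Rule(".*", "PUT", "write"), new Rule(".*", "GET", "read"));

    /** Reject anything that is not a validly signed, current token for this issuer and audience; return its realm roles. */
    static List<String> verifyAndExtractRoles(String token, RSAPublicKey idpKey) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        // Pin the algorithm: the token header must not get to choose it (alg=none, HS256 key confusion)
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) throw new SecurityException("unexpected alg");
        if (!jwt.verify(new RSASSAVerifier(idpKey))) throw new SecurityException("signature check failed");
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date now = new Date();
        if (claims.getExpirationTime() == null || !now.before(claims.getExpirationTime())) throw new SecurityException("token expired");
        if (claims.getNotBeforeTime() != null && now.before(claims.getNotBeforeTime())) throw new SecurityException("token not yet valid");
        if (!ISSUER.equals(claims.getIssuer())) throw new SecurityException("wrong issuer");
        if (claims.getAudience() == null || !claims.getAudience().contains(AUDIENCE)) throw new SecurityException("wrong audience");
        Map<String, Object> realmAccess = claims.getJSONObjectClaim("realm_access");
        List<String> roles = new ArrayList<>();
        if (realmAccess != null && realmAccess.get("roles") instanceof List) {
            for (Object r : (List<?>) realmAccess.get("roles")) roles.add(String.valueOf(r));
        }
        return roles;
    }

    /** The first rule whose verb and path match decides; no matching rule means deny. */
    static boolean authorize(String verb, String path, List<String> roles) {
        for (Rule r : RULES) {
            if (r.verb.equals(verb) && r.path.matcher(path).matches()) return roles.contains(r.role);
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed: throwaway RSA keys standing in for the identity provider's signing key, and an attacker's
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idp = gen.generateKeyPair();
        KeyPair attacker = gen.generateKeyPair();

        long now = System.currentTimeMillis();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .jwtID(UUID.randomUUID().toString()).issuer(ISSUER).audience(AUDIENCE).subject("writer-subject")
            .issueTime(new Date(now)).notBeforeTime(new Date(now)).expirationTime(new Date(now + 5 * 60 * 1000))
            .claim("preferred_username", "writer")
            .claim("realm_access", Collections.singletonMap("roles", Collections.singletonList("write")))
            .build();
        SignedJWT good = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        good.sign(new RSASSASigner(idp.getPrivate()));

        List<String> roles = verifyAndExtractRoles(good.serialize(), (RSAPublicKey) idp.getPublic());
        System.out.println("roles=" + roles);
        System.out.println("PUT /customers/1 -> " + (authorize("PUT", "/customers/1", roles) ? "allow" : "deny"));
        System.out.println("GET /customers/1 -> " + (authorize("GET", "/customers/1", roles) ? "allow" : "deny"));

        // The same claims signed with a key the gateway does not trust: rejected before any role is read
        SignedJWT forged = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        forged.sign(new RSASSASigner(attacker.getPrivate()));
        try {
            verifyAndExtractRoles(forged.serialize(), (RSAPublicKey) idp.getPublic());
        } catch (SecurityException e) {
            System.out.println("forged token: " + e.getMessage());
        }
    }
}
```

In a real gateway the public key comes from the identity provider's JWKS endpoint (Keycloak publishes it per realm) and is pinned or cached, never taken from the token itself; the "write"-only user in this example is allowed to PUT and refused on GET, exactly as the rule table says.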
Discovery: Cloud Platform
Pros / Cons
Conclusions
Pros
Centralized governance and policy configuration
Loose coupling between security and the services
Tracking of APIs and of the consumers of those APIs
Gathering statistics and metrics
Service discovery
Simplified security audit
Cons
Performance: every call pays an extra hop through the gateway
A new architectural component to deploy and operate
Feature set limited to the plugins available
Demo
Questions
Twitter: @cmoulliard
Apiman: http://apiman.io, Fabric8: http://fabric8.io