Microservices-based architecture seems to be the common convergence point in the industry. But when it comes to security, we are still struggling to evolve from monolithic systems or people-oriented architecture. This presentation focuses on this landscape and explains how to leverage the quickly evolving MicroProfile JWT specification to secure microservices in a fully stateless and scalable manner. We'll introduce the specification in a quick and no-nonsense fashion and move on to several code examples that show how to set up JWT verification and obtain trusted claims via lookup or dependency injection. For our playground, we'll be using Apache TomEE, a fully open source, lightweight Java EE server and MicroProfile implementation.
6. @dblevins @tomitribe
DublinJUG
#DubJug @JLouisMonteiro @tomitribe
Challenges with security
• Who is the caller?
• What can he do?
• How to propagate the security context?
“If you can’t build monolith correctly, why do you think putting network in the middle will help?” - @simonbrown
33.
What have we achieved?
• Avoid high-rate username + password transit on the wire
• Replaced by a blind « token » referencing a state on the server side
• Generate many « short-lived » passwords stored on devices
• Create a new …. HTTP Session architecture
44.
Access Token Now
• Header (JSON > Base64 URL encoded)
  • Describes how the token signature can be checked
• Payload (JSON > Base64 URL encoded)
  • Basically a map of whatever you want to put in it
  • Some standard entries (called claims) such as expiration
• Signature (binary > Base64 URL encoded)
  • The actual digital signature
  • Made exclusively by the /oauth2/token endpoint
  • If RSA, can be checked by anyone holding the public key
61.
What is it?
• https://microprofile.io/
• Enterprise Java for Microservices
• Open Source
• Hosted at Eclipse Foundation
• Initial version 1.0 focused on CDI, JAX-RS and JSON-P
62.
Where are we at?
• Currently at version 2.2
• Configuration, Fault Tolerance, JWT, Health Checks, Metrics, Open Tracing, Open API and REST Client
• 3 to 4 releases per year
66.
Microprofile JWT
• Most current version 1.1
• Role Based Access Control
• Very lightweight and interoperable way to propagate identities
• Keys (JWKS)
• Standard configuration (MicroProfile Config)
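An added example, not code from the slides or from TomEE: a JAX-RS resource protected by MicroProfile JWT 1.1 that obtains trusted claims both by lookup (the injected JsonWebToken) and by dependency injection (@Claim), with roles taken from the token's groups claim. It assumes the JAX-RS Application class carries @LoginConfig(authMethod = "MP-JWT") and that mp.jwt.verify.publickey.location and mp.jwt.verify.issuer are set in MicroProfile Config; the package, path and group names are made up.

```java
package com.example.movies;   // hypothetical package name

import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.eclipse.microprofile.jwt.Claim;
import org.eclipse.microprofile.jwt.ClaimValue;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;

// Claims belong to one request's token, so the bean is request scoped:
// an application-scoped bean would keep the first caller's identity.
@Path("/movies")                // constructed path
@RequestScoped
public class MovieResource {

    // Lookup style: the whole token. The container has already checked the
    // signature against the configured public key, the issuer and expiry.
    @Inject
    private JsonWebToken jwt;

    // Injection style: one standard claim, resolved per request.
    @Inject
    @Claim(standard = Claims.preferred_username)
    private ClaimValue<String> username;

    // Entries of the 'groups' claim are the roles; either group may read.
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({"crud", "read-only"})   // constructed group names
    public String list() {
        return username.getValue() + " " + jwt.getGroups() + " listed movies;"
             + " token from " + jwt.getIssuer() + " expires at " + jwt.getExpirationTime();
    }

    // Only 'crud' may delete; other callers get 403 before this method runs.
    @DELETE
    @Path("/{id}")
    @RolesAllowed("crud")
    public String delete(@PathParam("id") long id) {
        return "movie " + id + " deleted by " + jwt.getName();
    }
}
```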