© Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0
Dec 13 2018
Adib Saikali - @asaikali
2.5 hour version of this talk https://www.youtube.com/watch?v=nrmQH5SqraA
https://github.com/jgrandja/oauth2-protocol-patterns
Implementing Microservices Security
Patterns & Protocols with Spring Security 5
● Who has used OAuth 2.0 and/or OpenID Connect 1.0?
● Who has used Spring Security?
● Who has tried the OAuth 2.0 Client features in Spring Security 5.1?
● Who has tried the OAuth 2.0 Resource Server features in Spring Security 5.1?
Quick Survey
So you want to build
secure cloud native
applications!
The Security Toolbox
It’s easy to get confused
Goal for this talk is to organize the security toolbox
So you can build secure cloud native applications
So you can work better with your infosec team
The plan is to explore
security patterns and
protocols through a series
of use cases with examples
on how to implement them
with Spring Security 5
Let’s start from the beginning
Your company has 1 application
App 1
Database
App 1
Server
Simple and easy to implement using Spring Security but
● Application collects credentials and thus can leak credentials
● Validates credentials against the credentials tables in the database
● Need to implement forgot password functionality
● Need to implement user management functionality
● A server side bug / security vulnerability can compromise user tables
● Authentication logic changes less frequently than application features
How do we let users sign in to app 1 and app 2 with the same credentials?
Your company grows and now has 2 applications
Extract user tables into its own database
App 2
Database
App 2
Server
App 1
Database
App 1
Server
User
Database
Extract user tables into its own database
App 2
DB
App 2
Server
App 1
DB
App 1
Server
User DB
Challenges
● Both applications collect credentials and thus can
leak credentials
● Duplicate implementation of login / user
management / forgot password functionality
across apps
● A server side bug / security vulnerability can
compromise user tables
● Authentication logic changes less frequently
than application features
● Requires coordination between app 1 and app 2
when making changes to user tables.
Company wants to use a 3rd party application
App 2
DB
App 2
Server
App 1
DB
App 1
Server
User DB
3rd Party
Application
Challenges
● 3rd party app does not understand the
database schema we are using to
manage the users
● 3rd party app does not support the
database app 1 and app 2 use
● Integrating 3rd party app into the
company requires modifying the code
for the 3rd party app which is not
practical!
Introduce a directory service
App 2
DB
App 2
Server
App 1
DB
App 1
Server
LDAP
directory
Service
Standards-based directory server enables in-house
apps and 3rd party apps to access the user
database using a common protocol and
schema
● Widely deployed in the enterprise
● Improvement over a custom shared SQL DB
● Easy to implement with Spring Security LDAP
But
● Every app must collect user credentials and
can leak them through a vulnerability / bad code
/ malicious intent
● Optimized for username / password credentials.
What about multifactor authentication?
● Only works inside the corporate boundary, can’t
easily extend to external parties
3rd Party
Application
Don’t trust apps with user credentials
Simplistic Web Application Security
App 1
Database
App 1
Server
Simple and easy to implement using Spring Security but
● Application collects credentials and thus can leak credentials
● Validates credentials against the credentials tables in the database
● Need to implement forgot password functionality
● Need to implement user management functionality
● A server side bug / security vulnerability can compromise user tables
● Authentication logic changes less frequently than application features
Use OpenID Connect to Authenticate Users
App 2
DB
App 2
Server
App 1
DB
App 1
Server
OpenID
Connect
Server
OIDC
DB
All applications will redirect users to the SSO
server to be authenticated. The SSO server
will authenticate users and provide the app
with the user’s identity.
● Apps don’t see user credentials
● Easy to implement with Spring Security
● Widely deployed standards: Kerberos / SAML /
OpenID Connect
But
● Lots of products that provide SSO server
● The standards can be complex to work with
● Lots of ways that the standards and products
can be configured
UAA OpenID
Connect Server
Demo
● CloudFoundry User Account and Authentication
(UAA) Server
● Open Source Apache Licensed
● Used to secure the Cloud Foundry Ecosystem
● Designed to be embedded inside a larger system
● Easy to use as a development OIDC server
● https://github.com/cloudfoundry/uaa
Spring Security 5
OpenID Connect
Support
Demo
Configure the OIDC Provider
● Register client with UAA
● Obtain a client id and secret from UAA
● Note the UAA oauth2/oidc endpoints
How can my new cloud native
application integrate with the existing
corporate standard Active Directory /
LDAP / SAML infrastructure?
Introduce OpenID Connect to LDAP Bridge
● Configure the OpenID Connect Server
to use LDAP when Authenticating
users
● The Cloud Foundry UAA can be used
as a bridge to LDAP / Active Directory
/ SAML and other OpenID Connect
Servers
● The PCF SSO leverages the UAA to
offer applications running on PCF
easy access to OpenID Connect and
OAuth from the cf marketplace
App 1
DB
App 1
Server
OpenID
Connect
Server
OIDC
DB
LDAP
Server
SAML
Idp
What are the standards that underpin
OpenID Connect?
JavaScript Object Signing and Encryption (JOSE)
OpenID Connect Standards Layer Cake
JSON Web Algorithms (JWA) & JSON Web Key (JWK)
JSON Web Signature (JWS) JSON Web Encryption (JWE)
JSON Web Token (JWT)
OAuth 2
OpenID Connect
JSON Web Signature (JWS)
● JWS is a data format for representing content secured with digital signatures or
Message Authentication Codes
● Given a JWS document you can answer two questions about the JSON payload of the
document
○ Has this JSON object been changed since it was created?
○ Who created this JSON object?
“JSON Web Signature (JWS) represents content secured with digital signatures or Message
Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and
identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA)
specification and an IANA registry defined by that specification. Related encryption capabilities are
described in the separate JSON Web Encryption (JWE) specification.” RFC 7515
JWS Format
Header
Payload
Signature
{ "typ": "JWT", "alg": "HS256" }
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Example JWS Document
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
base64url(header).base64url(payload).base64url(signature)
JWS Features
● A JWS document encoded in the compact serialization format can be safely included
in URLs or HTTP Authorization headers
● Anyone can decode and view the payload of the document (it is encoded, not encrypted)
● It is easy to verify that the payload was not tampered with
● It is easy to determine who created the document via a shared secret (MAC) or a
certificate / public key (digital signature)
● Useful to anyone wanting to transmit or store JSON objects
Validating a JWS
Demo
● Get the UAA certificate used to sign the JWS
object
● Decode the JWS on jwt.io
● Validate that the JWS is not tampered with and
was issued by the localhost UAA
OAuth 2.0 Authorization Framework
● Is a framework for allowing users to authorize applications to access their data
○ An invoicing application might request permission to allow it to send emails
containing invoices and payment reminders from your gmail account
● Authorized applications get an access token that they can use to call a service
○ invoicing app gets an access token it can use to call gmail to send an email but
can’t use the token to delete emails or read them
● Does not tell the authorized application anything about the identity of the user
○ The invoicing app can’t find out profile or other information about the user that
authorized the invoicing app to send emails via gmail
● Does not specify a token format.
● Expects other frameworks to extend it
OAuth 2 by itself is not enough
“OAuth 2.0 provides a rich authorization framework with well-defined security properties.
However, as a rich and highly extensible framework with many optional components, on its
own, this specification is likely to produce a wide range of non-interoperable
implementations.
In addition, this specification leaves a few required components partially or fully
undefined (e.g., client registration, authorization server capabilities, endpoint discovery).
Without these components, clients must be manually and specifically configured against a
specific authorization server and resource server in order to interoperate.
This framework was designed with the clear expectation that future work will define
prescriptive profiles and extensions necessary to achieve full web-scale interoperability.”
- RFC 6749
4 Key OAuth Concepts / Terms
● Resource Server
○ a network accessible service
○ typically a web application or an api
● Resource Owner
○ An entity that can agree to provide access to a protected resource
○ typically a person
● Client
○ an application making requests to a resource server
○ Typically web application calling an api or an api calling an api
● Authorization Server
○ Asks the resource owner if they will allow a client to access a resource server on
their behalf
○ Issues access tokens allowing the client to call the resource server
Getting an Access Token from an OAuth2 Server
App 1
Server
aka
Client
Resource Server
X
Authorization
Server
please ask the owner
if I can
access resource server x
Do you want to allow app 1 to access resource server x?
yes
AT
AT
Resource Owner
Resource Owner Password Credentials Grant
Give me an access
token because I
know the users
password
On the roadmap for Spring Security 5.2
Client Credentials
There is no user
Give me a token to act
on my own behalf here
is my client id and
client secret
Supported by Spring Security 5.1
Implicit Grant
Go ask the user if I
can access their
resources
By the way be
warned I can’t be
trusted to keep the
token secure so give
me a temporary
access token
Not applicable to Spring since
there is no server side code in
this flow.
Authorization Code Grant
Go ask the user if I
can access their
resources
By the way I can
keep all my tokens
secure. When the
access token
expires I want to
renew it without
bothering the user
so give me a
refresh token too
Supported by Spring Security 5
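The two grants the slides above mark as supported on the server side, authorization code and client credentials, as one added worked example in Python. This is not code from the talk, the oauth2-protocol-patterns repository or Spring Security; it is a protocol simulation with both sides (authorization server and confidential client) in one process. The client ids, secrets, redirect URI, user name and scope names are constructed, and tokens are opaque random strings because OAuth 2.0 does not define a token format. It shows the state parameter binding the callback to a login the client actually started, the single-use authorization code redeemed by a confidential client with its secret, the refresh token that only the code grant returns, and that a client credentials token has no user behind it.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Constructed in-memory OAuth2 authorization server; tokens are opaque random strings."""

    def __init__(self):
        self.clients = {  # constructed registrations: secret plus the one allowed redirect URI
            "app1": {"secret": "app1-secret",
                     "redirect_uri": "https://app1.example/login/oauth2/code/uaa"},
            "batch-job": {"secret": "batch-secret", "redirect_uri": None},
        }
        self.codes, self.tokens, self.refresh = {}, {}, {}

    def authorize(self, client_id, redirect_uri, scope, state, user, consent):
        """Authorization endpoint: the resource owner is asked for consent, then redirected back."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "sub": user, "scope": scope, "exp": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")

    def _issue(self, sub, client_id, scope, with_refresh):
        access = secrets.token_urlsafe(24)
        self.tokens[access] = {"sub": sub, "client_id": client_id, "scope": scope}
        resp = {"access_token": access, "token_type": "Bearer", "expires_in": 3600, "scope": scope}
        if with_refresh:  # lets the client renew later without bothering the user again
            resp["refresh_token"] = secrets.token_urlsafe(24)
            self.refresh[resp["refresh_token"]] = self.tokens[access]
        return resp

    def token_authorization_code(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint, grant_type=authorization_code."""
        self._authenticate_client(client_id, client_secret)
        grant = self.codes.pop(code, None)  # pop: a code may be redeemed exactly once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["exp"] < time.time()):
            raise PermissionError("invalid_grant")
        return self._issue(grant["sub"], client_id, grant["scope"], with_refresh=True)

    def token_client_credentials(self, client_id, client_secret, scope):
        """Token endpoint, grant_type=client_credentials: there is no user, so sub is None."""
        self._authenticate_client(client_id, client_secret)
        return self._issue(None, client_id, scope, with_refresh=False)


class WebClient:
    """Confidential client (app 1): keeps its secret and the pending login state server side."""

    def __init__(self, client_id, client_secret, server):
        self.client_id, self.client_secret, self.server = client_id, client_secret, server
        self.redirect_uri = server.clients[client_id]["redirect_uri"]
        self.pending = {}  # state -> scope; in a real app this lives in the user's session

    def start_login(self, scope):
        state = secrets.token_urlsafe(16)  # binds the callback to a login we actually started
        self.pending[state] = scope
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state}

    def handle_callback(self, redirect_url):
        query = parse_qs(urlparse(redirect_url).query)
        if self.pending.pop(query.get("state", [None])[0], None) is None:
            raise PermissionError("state mismatch: possible CSRF or replayed callback")
        if "error" in query:
            raise PermissionError(query["error"][0])
        return self.server.token_authorization_code(
            self.client_id, self.client_secret, query["code"][0], self.redirect_uri)


def run_code_flow(consent=True, tamper_state=False):
    """Full authorization code round trip for user 'alice'; returns the token response and server."""
    server = AuthorizationServer()
    app1 = WebClient("app1", "app1-secret", server)
    req = app1.start_login("invoices.read")
    state = "forged-by-attacker" if tamper_state else req["state"]
    redirect = server.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                                state, "alice", consent)
    return app1.handle_callback(redirect), server


def replay_is_rejected():
    """Redeem the same code twice; the second attempt must fail."""
    server = AuthorizationServer()
    app1 = WebClient("app1", "app1-secret", server)
    req = app1.start_login("invoices.read")
    redirect = server.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                                req["state"], "alice", True)
    app1.handle_callback(redirect)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    try:
        server.token_authorization_code("app1", "app1-secret", code, req["redirect_uri"])
        return False
    except PermissionError:
        return True
```

The implicit grant is deliberately absent: it hands the access token to the browser in the redirect, which is why the slide says the client cannot be trusted to keep it and why no refresh token is issued there.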
OpenID Connect
● Authentication protocol built on top of OAuth2, JWT and TLS
● Defines a standardized user identity token as JWT with required fields
● Defines a userinfo endpoint that clients can call to learn details about the user such as
email address, profile, contact info … etc.
● Most OAuth2 servers also implement OpenID Connect
● Large scale implementations exist
✅ JavaScript Object Signing and Encryption (JOSE)
OpenID Connect Standards Layer Cake
✅ JSON Web Algorithms (JWA) & JSON Web Key (JWK)
✅ JSON Web Signature (JWS) ✅ JSON Web Encryption (JWE)
✅ JSON Web Token (JWT)
✅ OAuth 2
✅ OpenID Connect
How is a single microservice
secured?
Microservices talk to each other
Essence of the solution
Every request to a microservice must include a security token that the microservice can
easily validate and use for making authentication / authorization decisions.
What protocol does your microservice speak?
● HTTP (REST, SOAP)
● AMQP (Messaging)
● Apache Thrift (Remote Procedure Call Framework)
● gRPC (Remote Procedure Call Framework)
○ A high performance, open source, general RPC framework that puts mobile and
HTTP/2 first from Google.
● Custom TCP protocol
Key Idea: There is no one “best” protocol!
● There is no one best protocol to use
● Protocols will evolve over time so it’s best to make sure that any security solution can
work with current and future protocols
What format should the security token use?
● Is the token format standardized?
● Can the token be used with any protocol?
● Is the token easy to parse?
● Can the token be included in a URL parameter?
● Does the token support HTTP?
● Can the token be used with non HTTP protocols?
● Are there lots of libraries in lots of programming languages for working with the
token?
● Is the token format considered “easy” to work with?
Standard Security Token Formats
● To get a Kerberos ticket you need a Kerberos server
● To get a SAML token you need a SAML server / protocol
● To get a JWT you need something that can give it to you
Token            Standard Format   Protocol Specific   Year of Standardization
Kerberos Ticket  Binary            Yes, Kerberos       1993
SAML Token       XML               Yes, SAML           2002
JWT Token        JSON              No                  2015
Use JWT Tokens
● Every request to a microservice must include a security token that the microservice
can easily authenticate and use for making authorization decisions.
● Your HTTP only microservices will likely evolve to support other protocols
such as AMQP, Thrift, or gRPC
● JWT is a simple and useful security token format with libraries available in most
programming languages
● JWT is protocol agnostic
Microservice
A
Microservice
B
JWT
Demo
● Implementing a Resource Server
Implementing a
Resource Server
with Spring
Security 5.1
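An added Python example, not the talk's demo code and not Spring Security, serving both the "Validating a JWS" demo and the resource server slides above: a minimal HS256 signer and verifier for the JWS compact serialization, plus the claim checks a resource server makes before it trusts a token (issuer, audience, expiry, scope). The key, issuer, audience, subject and scope names are constructed. The slides' sample JWS (the well-known jwt.io example) is only decoded here, not verified, because its key is not on the page. The verifier pins the algorithm instead of trusting the token's alg header; that is what rejects alg=none and key-confusion tokens. In production the JWT decoder Spring Security provides does this for you, so treat this as a model of the checks, not as a replacement for the library.

```python
import base64
import hashlib
import hmac
import json
import time

# Sample compact JWS from the slides (the jwt.io example); decoded below, never trusted.
SLIDE_JWS = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
             "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
             "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """base64url(header).base64url(payload).base64url(HMAC-SHA256(header.payload))."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def jws_peek(token: str) -> tuple:
    """Anyone can read header and payload; this proves nothing about origin or integrity."""
    header, payload, _ = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def jws_verify_hs256(token: str, key: bytes) -> dict:
    """Answers the two JWS questions: unchanged since creation, and created by a holder of key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialization JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm; never let the token choose (rejects alg=none and RSA/HMAC confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature does not verify: tampered payload or wrong key")
    return json.loads(b64url_decode(parts[1]))


def resource_server_authenticate(token: str, key: bytes, issuer: str, audience: str,
                                 required_scope: str, now: float = None) -> dict:
    """Per-request check in a resource server: verify the JWS, then the claims it relies on."""
    claims = jws_verify_hs256(token, key)
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise PermissionError("token was issued by someone else")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise PermissionError("token is not intended for this resource server")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("insufficient scope")
    return claims


def tamper_payload(token: str, **changes) -> str:
    """Rewrite the payload but keep the original signature (what an attacker would try)."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(changes)
    return header + "." + _json_b64(claims) + "." + sig


def alg_none_token(claims: dict) -> str:
    """Unsigned token with alg=none and an empty signature; a verifier must refuse it."""
    return _json_b64({"alg": "none", "typ": "JWT"}) + "." + _json_b64(claims) + "."
```

The `now` parameter exists so the expiry check can be exercised deterministically; leave it unset in real code.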
Multiple Microservices
How should the UI code interact with microservices?
A B C
Browser
What about CORS?
What about a Native
Mobile Clients?
What about Server Side
Rendering for a Web UI?
Monolithic Edge Gateway
Make a UI Microservice that is exposed to end users and have it serve up the UI?
UI
Native Mobile
Browser
A B C
Backend For Frontend (BFF)
Extend each UI experience with a dedicated backend component for UI
http://samnewman.io/patterns/architectural/bff/
WEB
BFF
Browser
iPhone Mobile
iPhone BFF
A B C
The Big Picture
Native Mobile App Single Page App Desktop App
Microservice Microservice Microservice
GUI
Layer
Edge
Microservices
Internal
Microservices
Problem: How can we secure the call chain between different microservices?
Bearer Token Relay
● The access and id tokens are passed from the edge microservice to the downstream
microservices.
● Token must have all the scopes required by the BFF, A, B
● Very easy to implement but not very secure
● Bearer tokens have many well-known attacks against them. Collaborate with your
infosec team on a solution that takes your specific context into account before
BFF A B
OAuth2
Server
Get token
Bearer Token Cautionary Tale Facebook hack of 50 million
accounts
“The perpetrator’s ultimate aim was to steal what are known as “OAuth bearer tokens.”
Essentially, these tokens prove the Facebook user is the rightful owner of an account
and denote what they have access to. As Shadwell describes them: “OAuth tokens are
like car keys, if you're holding them you can use them, there's no discrimination of the
holder.” And in the context of this attack, those keys unlocked not just Facebook accounts,
but any site that affected users accessed with a Facebook login. That might include
Instagram or news websites.” -- Forbes Article @
https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-
why-its-a-disaster-for-internet-security/#5a1b65a20336
Token Relay
● How to implement Token Relay with Spring
Security 5
Bearer Token Exchange
● At every hop of the microservice call chain we exchange the token we got for a new
token to use with downstream services
● Allows for tokens with a narrower scope
● Standards in this space for OAuth2 are emerging (OAuth 2.0 Token Exchange, an IETF
draft at the time of this talk, since published as RFC 8693)
● Bearer tokens have many well-known attacks against them. Collaborate with your
infosec team on a solution that takes your specific context into account before
BFF A B
OAuth2
Server
Get token
Get token
Token Exchange
● How to implement Token Exchange with Spring
Security 5
Service Username / Password
● At every hop of the microservice call chain the calling service obtains its own token
from the OAuth2 server by authenticating with its client id and client secret (the
client credentials grant)
● The token identifies the calling service, not the end user, so downstream services
cannot make per-user authorization decisions from it
● Bearer tokens have many well-known attacks against them. Collaborate with your
infosec team on a solution that takes your specific context into account before
using service credentials.
BFF A B
OAuth2
Server
Get token
Client Credentials
● How to use Client Credentials with Spring
Security 5
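An added Python simulation of the three call-chain patterns on the preceding slides (bearer token relay, bearer token exchange, and service client credentials) in a BFF -> A -> B chain. It is not code from the talk, the oauth2-protocol-patterns repository or Spring Security. The OAuth2 server is in-memory, the client ids, secrets, user and scope names are constructed, tokens are opaque strings that services validate by looking them up at the server (introspection style), and the exchange endpoint is modelled on the OAuth 2.0 Token Exchange draft: a subject token goes in, a token for the caller with a scope that may only shrink comes out. It makes the "car keys" problem concrete: with relay, B ends up holding a token that still carries A's scope and can call A as the user; with exchange, B's token only has B's scope; with client credentials the token carries no user at all.

```python
import secrets


class OAuth2Server:
    """Constructed in-memory OAuth2 server; opaque tokens whose meaning lives in self.tokens."""

    def __init__(self):
        self.clients = {"bff": "bff-secret", "svc-a": "a-secret", "svc-b": "b-secret"}  # constructed
        self.tokens = {}  # token -> {"sub", "client_id", "scope"}

    def _issue(self, sub, client_id, scope):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"sub": sub, "client_id": client_id, "scope": frozenset(scope)}
        return token

    def _auth_client(self, client_id, client_secret):
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("invalid_client")

    def introspect(self, token):
        return self.tokens.get(token)

    def user_token(self, sub, client_id, scope):
        """Token the BFF holds after the user logged in (authorization code grant, elided)."""
        return self._issue(sub, client_id, scope)

    def client_credentials(self, client_id, client_secret, scope):
        """Service acting on its own behalf: there is no user behind this token."""
        self._auth_client(client_id, client_secret)
        return self._issue(None, client_id, scope)

    def exchange(self, client_id, client_secret, subject_token, scope):
        """Token exchange: same user, new token for the caller, scope may only narrow."""
        self._auth_client(client_id, client_secret)
        info = self.introspect(subject_token)
        if info is None:
            raise PermissionError("invalid subject_token")
        if not set(scope) <= info["scope"]:
            raise PermissionError("requested scope exceeds the subject token's scope")
        return self._issue(info["sub"], client_id, scope)


class Service:
    """A microservice that requires one scope on every incoming token."""

    def __init__(self, name, required_scope, server):
        self.name, self.required_scope, self.server = name, required_scope, server

    def check(self, token):
        info = self.server.introspect(token)
        if info is None or self.required_scope not in info["scope"]:
            raise PermissionError("%s: token lacks scope %s" % (self.name, self.required_scope))
        return info


def observe(a, b, token_for_a, token_for_b):
    """What B learns from its token, and whether B could turn around and call A with it."""
    a.check(token_for_a)
    seen = b.check(token_for_b)
    try:
        a.check(token_for_b)
        b_can_call_a = True
    except PermissionError:
        b_can_call_a = False
    return {"sub": seen["sub"], "scope": set(seen["scope"]), "b_can_call_a": b_can_call_a}


def _chain():
    server = OAuth2Server()
    return server, Service("A", "a.read", server), Service("B", "b.read", server)


def bearer_token_relay():
    server, a, b = _chain()
    token = server.user_token("alice", "bff", {"bff.ui", "a.read", "b.read"})  # covers BFF, A and B
    return observe(a, b, token, token)  # the same token is forwarded BFF -> A -> B


def bearer_token_exchange():
    server, a, b = _chain()
    token = server.user_token("alice", "bff", {"bff.ui", "a.read", "b.read"})
    token_a = server.exchange("bff", "bff-secret", token, {"a.read", "b.read"})  # BFF -> A
    token_b = server.exchange("svc-a", "a-secret", token_a, {"b.read"})          # A -> B
    return observe(a, b, token_a, token_b)


def service_client_credentials():
    server, a, b = _chain()
    token_a = server.client_credentials("bff", "bff-secret", {"a.read"})    # BFF as itself
    token_b = server.client_credentials("svc-a", "a-secret", {"b.read"})    # A as itself
    return observe(a, b, token_a, token_b)
```

In the relay case every hop holds the user's full-scope token, which is exactly the Facebook scenario quoted earlier: whoever holds the key drives the car. Exchange trades an extra round trip per hop for tokens that are useless outside the service they were minted for.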
PCF and Microservice Security
● PCF provides three features that are useful when implementing microservices security
○ Route Services
○ Container to Container networking
○ Container Instance Identity
● Pushing complexity out of your code into the platform.
Route Services
● Cloud Foundry Route services
enable the processing of requests
before they reach the application
● Can be used to route requests
through an api gateway where
security policies can be enforced
● https://docs.cloudfoundry.org/services/route-services.html
Container-to-Container Networking
● Enables direct communication between
application containers on Cloud Foundry
● Enables the definition of fine grained
policies about how apps are allowed to
talk to each other
● Policies can be defined via cf cli so easy
to incorporate into your pipelines no
need for tickets to configure firewalls
● Provides DNS based service discovery
● https://docs.cloudfoundry.org/concepts/understand-cf-networking.html
Container Instance Identity
● Every container instance created on a Cloud Foundry is assigned a unique
○ X.509 certificate
○ PKCS#1 RSA private key
● The certificate and key pair are rotated every 24 hours, or a shorter duration set by the
administrator
● The certificate contains
○ The Common Name property is set to the instance GUID for the given app instance.
○ The certificate contains an IP SAN set to the container IP address for the given app instance.
○ The certificate contains a DNS SAN set to the instance GUID for the given app instance.
○ The Organizational Unit property in the certificate’s Subject Distinguished Name contains the values
organization:ORG-GUID, space:SPACE-GUID, and app:APP-GUID. The ORG-GUID, SPACE-GUID, and APP-GUID
are set to the GUIDs for the organization, space, and app as assigned by Cloud Controller.
● Enables mutual TLS between microservices calling each other; the OAuth 2.0 spec assumes
TLS is used
○ https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation
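An added Python example, not code from the talk, Cloud Foundry or Spring Security, of what a service does with the instance identity certificate once the mutual TLS handshake is over: read the organization, space and app GUIDs from the OU attributes and the instance GUID from the CN and DNS SAN, check the validity window (these certificates rotate daily, so expiry is routine rather than exceptional), and admit the call only if the calling app is on an allow list. The certificate is a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns, with made-up GUIDs and IP. It assumes the TLS layer was configured with `CERT_REQUIRED` against the platform CA, so the peer's possession of the private key and the CA signature are already proven; this is the authorization step that comes after that.

```python
import ssl

# Constructed peer certificate in the shape ssl.SSLSocket.getpeercert() returns after a
# validated handshake, modelled on the fields listed on the slide above.
PEER_CERT = {
    "subject": ((("organizationalUnitName", "organization:4f2a1c3e-org-guid"),),
                (("organizationalUnitName", "space:9b7d5e1a-space-guid"),),
                (("organizationalUnitName", "app:c0ffee00-app-guid"),),
                (("commonName", "1d4f6a2b-instance-guid"),)),
    "subjectAltName": (("DNS", "1d4f6a2b-instance-guid"), ("IP Address", "10.255.12.7")),
    "notBefore": "Dec 13 00:00:00 2018 GMT",
    "notAfter": "Dec 14 00:00:00 2018 GMT",  # 24 hour lifetime
}


def identity_from_cert(cert):
    """Instance GUID from the CN, organization/space/app GUIDs from the 'kind:guid' OU values."""
    ids = {}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                ids["instance"] = value
            elif attr == "organizationalUnitName" and ":" in value:
                kind, guid = value.split(":", 1)
                if kind in ("organization", "space", "app"):
                    ids[kind] = guid
    return ids


def validity_window(cert):
    """(notBefore, notAfter) as epoch seconds, parsed the way the ssl module formats them."""
    return ssl.cert_time_to_seconds(cert["notBefore"]), ssl.cert_time_to_seconds(cert["notAfter"])


def authorize_peer(cert, allowed_apps, now, peer_ip=None):
    """Post-handshake authorization for an inbound mTLS connection.

    allowed_apps is a set of (org_guid, space_guid, app_guid) tuples permitted to call us.
    Returns the parsed identity on success, raises PermissionError otherwise.
    """
    not_before, not_after = validity_window(cert)
    if now < not_before or now >= not_after:
        raise PermissionError("certificate outside its validity window")
    ids = identity_from_cert(cert)
    for key in ("organization", "space", "app", "instance"):
        if key not in ids:
            raise PermissionError("not an instance identity certificate: missing " + key)
    dns_sans = {v for t, v in cert.get("subjectAltName", ()) if t == "DNS"}
    ip_sans = {v for t, v in cert.get("subjectAltName", ()) if t == "IP Address"}
    if ids["instance"] not in dns_sans:
        raise PermissionError("DNS SAN does not match the instance GUID in the CN")
    if peer_ip is not None and peer_ip not in ip_sans:
        raise PermissionError("connection source %s is not the container IP in the cert" % peer_ip)
    if (ids["organization"], ids["space"], ids["app"]) not in allowed_apps:
        raise PermissionError("app %s is not allowed to call this service" % ids["app"])
    return ids
```

Keying the allow list on the app GUID rather than the instance GUID is deliberate: instances come and go with every scale event and every daily rotation, while the app GUID is stable for the life of the app.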
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023VMware Tanzu
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductVMware Tanzu
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready AppsVMware Tanzu
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And BeyondVMware Tanzu
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023VMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023VMware Tanzu
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptxVMware Tanzu
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchVMware Tanzu
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishVMware Tanzu
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVMware Tanzu
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - FrenchVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023VMware Tanzu
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootVMware Tanzu
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerVMware Tanzu
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeVMware Tanzu
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsVMware Tanzu
 

Plus de VMware Tanzu (20)

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About It
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at Scale
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a Product
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready Apps
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And Beyond
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptx
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - French
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - French
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software Engineer
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs Practice
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
 

Dernier

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Dernier (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Implementing Microservices Security Patterns & Protocols with Spring

  • 1. © Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0 Dec 13 2018 Adib Saikali - @asaikali 2.5 hour version of this talk https://www.youtube.com/watch?v=nrmQH5SqraA https://github.com/jgrandja/oauth2-protocol-patterns Implementing Microservices Security Patterns & Protocols with Spring Security 5
  • 2. ● Who has used OAuth 2.0 and/or OpenID Connect 1.0? ● Who has used Spring Security? ● Who has tried the OAuth 2.0 Client features in Spring Security 5.1? ● Who has tried the OAuth 2.0 Resource Server features in Spring Security 5.1? Quick Survey
  • 3. So you want to build secure cloud native applications!
  • 5. It’s easy to get confused
  • 6. Goal for this talk is to organize the security toolbox
  • 7. So you can build secure cloud native applications
  • 8. So you can work better with your infosec team
  • 9. Cover w/ Image The plan is to explore security patterns and protocols through a series of use cases with examples on how to implement them with Spring Security 5
  • 10. Let’s start from the beginning
  • 11. Your company has 1 application App 1 Database App 1 Server Simple and easy to implement using Spring Security but ● Application collects credentials and thus can leak credentials ● Validates credentials against the credentials tables in the database ● Need to implement forgot password functionality ● Need to implement user management functionality ● A server side bug / security vulnerability can compromise user tables ● Authentication logic changes less frequently than application features
  • 12. How to allow users to use the credentials with app 1 and app 2? Your company grows and now has 2 applications
  • 13. Extract user tables into its own database App 2 Database App 2 Server App 1 Database App 1 Server User Database
  • 14. Extract user tables into its own database App 2 DB App 2 Server App 1 DB App 1 Server User DB Challenges ● 2 applications collect credentials and thus can leak credentials ● Duplicate implementation of login / user management / forgot password functionality across apps ● A server side bug / security vulnerability can compromise user tables ● Authentication logic changes less frequently than application features ● Requires coordination between app 1 and app 2 when making changes to user tables.
  • 15. Company wants to use a 3rd party application App 2 DB App 2 Server App 1 DB App 1 Server User DB 3rd Party Application Challenges ● 3rd party app does not understand the database schema we are using to manage the users ● 3rd party app does not support the database app 1 and app 2 use ● Integrating the 3rd party app into the company requires modifying the code of the 3rd party app, which is not practical!
  • 16. Introduce a directory service App 2 DB App 2 Server App 1 DB App 1 Server LDAP directory Service Standards based directory server enables in house apps and 3rd party apps to access the user database using a common protocol and schema ● Widely deployed in the enterprise ● Improvement over a custom shared SQL DB ● Easy to implement with Spring Security LDAP But ● Every app must collect user credentials and can leak them through a vulnerability / bad code / malicious intent ● Optimized for username / password creds. What about multifactor authentication? ● Only works inside the corporate boundary, can’t easily extend to external parties 3rd Party Application
  • 17. Don’t trust apps with user credentials
  • 18. Simplistic Web Application Security App 1 Database App 1 Server Simple and easy to implement using Spring Security but ● Application collects credentials and thus can leak credentials ● Validates credentials against the credentials tables in the database ● Need to implement forgot password functionality ● Need to implement user management functionality ● A server side bug / security vulnerability can compromise user tables ● Authentication logic changes less frequently than application features
  • 19. Use OpenID Connect to Authenticate Users App 2 DB App 2 Server App 1 DB App 1 Server OpenID Connect Server OIDC DB All applications will redirect users to the SSO server to be authenticated. The SSO server will authenticate users and provide the app with the user’s identity. ● Apps don’t see user credentials ● Easy to implement with Spring Security ● Widely deployed standards Kerberos / SAML / OpenID Connect But ● Lots of products that provide SSO server ● The standards can be complex to work with ● Lots of ways that the standards and products can be configured
  • 20. UAA OpenID Connect Server Demo ● CloudFoundry User Account and Authentication (UAA) Server ● Open Source Apache Licensed ● Used to secure the Cloud Foundry Ecosystem ● Designed to be embedded inside a larger system ● Easy to use as a development OIDC server ● https://github.com/cloudfoundry/uaa
  • 21. Spring Security 5 OpenID Connect Support Demo Configure the OIDC Provider ● Register client with UAA ● Obtain a client id and secret from UAA ● Note the UAA oauth2/oidc endpoints
  • 22. How can my new cloud native application integrate with the existing corporate standard Active Directory / LDAP / SAML infrastructure?
  • 23. Introduce OpenID Connect to LDAP Bridge ● Configure the OpenID Connect Server to use LDAP when Authenticating users ● The Cloud Foundry UAA can be used as a bridge to LDAP / Active Directory / SAML and other OpenID Connect Servers ● The PCF SSO leverages the UAA to offer applications running on PCF easy access to OpenID Connect and OAuth from the cf marketplace App 1 DB App 1 Server OpenID Connect Server OIDC DB LDAP Server SAML Idp
  • 24. What are the standards that underpin OpenID Connect?
  • 25. Javascript Object Signing and Encryption (jose) OpenID Connect Standards Layer Cake JSON Web Algorithms (JWA) & JSON Web Key (JWK) JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Token (JWT) OAuth 2 OpenID Connect
  • 26. JSON Web Signature (JWS) ● JWS is a data format for representing content secured with digital signatures or Message Authentication Codes ● Given a JWS document you can answer two questions about the JSON payload of the document ○ Has this JSON object been changed since it was created? ○ Who created this JSON object? “JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.” RFC 7515
  • 27. JWS Format Header Payload Signature { “typ” : “JWT”, “alg” : “HS256” } { “sub”: “1234567890”, “name”: “John Doe”, “admin”: true } TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFO NFh7HgQ
  • 29. JWS Features ● A JWS document encoded in the compact serialization format can be safely included in URLs or HTTP authorization headers ● Anyone can decode and view the payload of the document ● It is easy to verify that the payload was not tampered with ● It is easy to determine who created the document via shared secret or a certificate ● Useful to anyone wanting to transmit or store JSON objects
  • 30. Validating a JWS Demo ● Get the UAA certificate used to sign the JWS object ● Decode the JWS on jwt.io ● Validate that the JWS is not tampered with and was issued by the localhost UAA
  • 31. OAuth 2.0 Authorization Framework ● Is a framework for allowing users to authorize applications to access their data ○ An invoicing application might request permission to allow it to send emails containing invoices and payment reminders from your gmail account ● Authorized applications get an access token that they can use to call a service ○ invoicing app gets an access token it can use to call gmail to send an email but can’t use the token to delete emails or read them ● Does not tell the authorized application anything about the identity of the user ○ The invoicing app can’t find out profile or other information about the user that authorized the invoicing app to send emails via gmail ● Does not specify a token format. ● Expects other frameworks to extend it
  • 32. OAuth 2 by itself is not enough “OAuth 2.0 provides a rich authorization framework with well-defined security properties. However, as a rich and highly extensible framework with many optional components, on its own, this specification is likely to produce a wide range of non-interoperable implementations. In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery). Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate. This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.” - RFC 6749
  • 33. 4 Key OAuth Concepts / Terms ● Resource Server ○ a network accessible service ○ typically a web application or an api ● Resource Owner ○ An entity that can agree to provide access to a protected resource ○ typically a person ● Client ○ an application making requests to a resource server ○ Typically web application calling an api or an api calling an api ● Authorization Server ○ Ask the resource owner if they will allow a client to access a resource server on their behalf ○ Issues access tokens allowing client to call the resource server
  • 34. Getting an Access Token from an OAuth2 Server App 1 Server aka Client Resource Server X Authorization Server please ask the owner if I can access resource server x Do you want to allow app 1 to access resource server x? yes AT AT Resource Owner
  • 35. Resource Owner Password Credentials Grant Give me an access token because I know the users password On the Roadmap for Spring security 5.2
  • 36. Client Credentials There is no user Give me a token to act on my own behalf here is my client id and client secret Supported by Spring Security 5.1
  • 37. Implicit Grant Go ask the user if I can access their resources By the way be warned I can’t be trusted to keep the token secure so give me a temporary access token Not applicable to spring since there is no server side code in this flow.
  • 38. Authorization Code Grant Go ask the user if I can access their resources By the way I can keep all my tokens secure. When the access token expires I want to renew it without bothering the user so give me a refresh token too Supported by Spring Security 5
  • 39. OpenID Connect ● Authentication protocol built on top of OAuth2, JWT and TLS ● Defines a standardized user identity token as JWT with required fields ● Defines a userinfo endpoint that clients can call to learn details about the user such as email address, profile, contact info … etc. ● Most OAuth2 servers also implement OpenID Connect ● Large scale implementations exist
  • 40. ✅ Javascript Object Signing and Encryption (jose) OpenID Connect Standards Layer Cake ✅ JSON Web Algorithms (JWA) & JSON Web Key (JWK) ✅ JSON Web Signature (JWS) ✅ JSON Web Encryption (JWE) ✅ JSON Web Token (JWT) ✅ OAuth 2 ✅ OpenID Connect
  • 41. How is a single microservice secured?
  • 42. Microservices talk to each other
  • 43. Essence of the solution Every request to a microservice must include a security token that the microservice can easily validate and use for making authentication / authorization decisions.
  • 44. What protocol does your microservice speak? ● HTTP (REST, SOAP) ● AMQP (Messaging) ● Apache Thrift (Remote Procedure Call Framework) ● gRPC (Remote Procedure Call Framework) ○ A high performance, open source, general RPC framework that puts mobile and HTTP/2 first from Google. ● Custom TCP protocol
  • 45. Key Idea: There is no one “best” protocol! ● There is no one best protocol to use ● Protocols will evolve over time so it’s best to make sure that any security solution can work with current and future protocols
  • 46. What format should the security token use? ● Is the token format standardized? ● Can the token be used with any protocol? ● Is the token easy to parse? ● Can the token be included in a URL parameter? ● Does the token support HTTP? ● Can the token be used with non HTTP protocols? ● Are there lots of libraries in lots of programming languages for working with the token? ● Is the token format considered “easy” to work with?
  • 47. Standard Security Token Formats ● To get a Kerberos ticket you need a Kerberos server ● To get a SAML token you need a SAML server / protocol ● To get a JWT you need something that can give it to you Token Standard Format Protocol Specific Year of Standardization Kerberos Ticket Binary Yes, Kerberos 1993 SAML Token XML Yes, SAML 2002 JWT Token JSON NO 2015
  • 48. Use JWT Tokens ● Every request to a microservice must include a security token that the microservice can easily authenticate and use for making authorization decisions. ● Your HTTP only microservices will likely evolve to support other protocols such as AMQP, Thrift, or gRPC ● JWT is a simple and useful security token format with libraries available in most programming languages ● JWT is protocol agnostic Microservice A Microservice B JWT
  • 49. Demo ● Implementing a Resource Server Implementing a Resource Server with Spring Security 5.1
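What a resource server actually has to check before it trusts a JWT, as an added example that is not part of the slides or of the Spring Security demo they refer to. It is written in plain Python with the standard library rather than Spring so that every check is visible, and it takes the token from an HTTP header and from a message header through the same validator to make the protocol-agnostic point of slide 48 concrete. The shared HS256 key, the issuer and audience values, the `x-auth-token` message header name and the sample claims are all constructed for the example; a real resource server verifies an RS256/ES256 signature against the authorization server's JWK set instead of a shared secret.

```python
# Added example, not from the slides: the checks a resource server performs on a
# JWT before acting on it, in plain Python so every step is visible. HS256 with a
# constructed shared key is used so the example runs offline; a real resource
# server would verify an RS256/ES256 signature against the authorization
# server's JWK set. ISSUER, AUDIENCE and the header names are assumptions.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"example-only-hs256-key-do-not-reuse"   # constructed
ISSUER = "https://auth.example.test"                    # assumed issuer URL
AUDIENCE = "microservice-a"                             # assumed audience of this service


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Stand-in for the authorization server: issue a compact HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


class InvalidToken(Exception):
    pass


def validate_jwt(token: str, *, now: Optional[float] = None, key: bytes = SHARED_KEY,
                 issuer: str = ISSUER, audience: str = AUDIENCE, leeway: int = 30) -> dict:
    """Return the claims only if every check passes; otherwise raise InvalidToken."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    # 1. Pin the algorithm: the token never gets to pick it ("none", alg confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    # 2. Verify the signature before any claim is used for a decision.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    # 3. Lifetime: exp is mandatory here, nbf is honoured when present, small clock leeway.
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise InvalidToken("expired or missing exp")
    if now < claims.get("nbf", 0) - leeway:
        raise InvalidToken("not yet valid")
    # 4. Issuer and audience: a perfectly valid token for another service is invalid here.
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    return claims


# The token format does not care how it arrived: the same validator serves both.
def token_from_http(headers: dict) -> str:
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value:
        raise InvalidToken("no bearer token in Authorization header")
    return value


def token_from_amqp(message_headers: dict) -> str:
    token = message_headers.get("x-auth-token")   # assumed application header name
    if not token:
        raise InvalidToken("no x-auth-token message header")
    return token


def scopes_of(claims: dict) -> set:
    """Space-separated scope claim (RFC 6749 style) as a set for authorization checks."""
    return set(claims.get("scope", "").split())
```

The order matters: the algorithm is pinned and the signature verified before any claim is read for a decision, and a token that is well signed but carries another service's audience is still rejected, which is what keeps a token relayed to the wrong place from being accepted there.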
  • 51. How should the UI code interact with microservices? (diagram: Browser calling microservices A, B and C directly) ● What about CORS? ● What about native mobile clients? ● What about server-side rendering for a web UI?
  • 52. Monolithic Edge Gateway ● Make a UI microservice that is exposed to end users and have it serve up the UI (diagram: Browser and native mobile app both talk to the UI service, which calls A, B and C)
  • 53. Backend For Frontend (BFF) ● Extend each UI experience with a dedicated backend component for that UI ● http://samnewman.io/patterns/architectural/bff/ (diagram: Browser → Web BFF, iPhone → iPhone BFF; each BFF calls A, B and C)
  • 54. The Big Picture (diagram) ● GUI layer: native mobile app, single page app, desktop app ● Edge microservices: one per GUI ● Internal microservices ● Problem: how can we secure the call chain between different microservices?
  • 55. Bearer Token Relay ● The access and ID tokens are passed unchanged from the edge microservice to the downstream microservices ● The token must carry all the scopes required by the BFF, A and B, so every hop holds the user's full authority ● Very easy to implement but not very secure ● Bearer tokens have many well-known attacks against them: whoever holds the token can use it, so a token leaked or logged at any hop can be replayed against every service that accepts it until it expires ● Collaborate with your infosec team on a solution that takes your specific context into account before using token relay (diagram: BFF gets a token from the OAuth2 server and forwards it to A, which forwards it to B)
  • 56. Bearer Token Cautionary Tale Facebook hack of 50 million accounts “The perpetrator’s ultimate aim was to steal what are known as “OAuth bearer tokens.” Essentially, these tokens prove the Facebook user is the rightful owner of an account and denote what they have access to. As Shadwell describes them: “OAuth tokens are like car keys, if you're holding them you can use them, there's no discrimination of the holder.” And in the context of this attack, those keys unlocked not just Facebook accounts, but any site that affected users accessed with a Facebook login. That might include Instagram or news websites.” -- Forbes Article @ https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-why-its-a-disaster-for-internet-security/#5a1b65a20336
  • 57. Token Relay ● How to implement Token Relay with Spring Security 5
  • 58. Bearer Token Exchange ● At every hop of the microservice call chain we exchange the token we received for a new token to use with the downstream service ● Allows each hop to hold a token with a narrower scope, and a narrower audience, than the one it received ● Standards in this space for OAuth2 are emerging (the OAuth 2.0 Token Exchange draft, since published as RFC 8693) ● Bearer tokens have many well-known attacks against them. Collaborate with your infosec team on a solution that takes your specific context into account before using token exchange (diagram: BFF gets a token from the OAuth2 server; A exchanges it for a new token before calling B)
  • 59. Token Exchange ● How to implement Token Exchange with Spring Security 5
  • 60. Service Username / Password ● Each service authenticates to the OAuth2 server with its own client credentials (its client id and secret, in effect a service username and password) and obtains its own token for calls to downstream services, independent of the end user who started the request ● The downstream service then sees the calling service as the subject, not the user, so the user's identity has to be carried separately if the downstream service needs it ● Bearer tokens have many well-known attacks against them. Collaborate with your infosec team on a solution that takes your specific context into account before using client credentials between services (diagram: BFF gets a token from the OAuth2 server)
  • 61. Client Credentials ● How to use Client Credentials with Spring Security 5
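The three call-chain patterns from slides 55, 58 and 60 side by side, as an added example that is not part of the slides or of the Spring Security demos. It is a constructed in-memory model: the authorization server issues opaque tokens and answers introspection queries, the login grant itself is not modelled, and the client ids, secrets, scopes and service names are made up. The point it shows is the difference in blast radius: a relayed token lets A replay the user's authority against B, an exchanged token is accepted only by A and cannot be widened, and a client-credentials token carries the service, not the user, as its subject.

```python
# Added example, not from the slides or the Spring demos: an in-memory model of
# the three call-chain patterns on slides 55-61 (token relay, token exchange,
# client credentials). The authorization server issues opaque tokens and
# answers introspection; client ids, secrets, scopes and service names are
# constructed for the example, and the login grant itself is not modelled.
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class TokenInfo:
    subject: str                # the end user, or the calling service for client-credentials tokens
    scopes: FrozenSet[str]
    audiences: FrozenSet[str]   # services allowed to accept this token


class AuthorizationServer:
    # Constructed registrations: a client id/secret per service (the "service
    # username/password") and the scopes each service may request as itself.
    CLIENTS = {"bff": "bff-secret", "svc-a": "a-secret"}
    CLIENT_SCOPES = {"svc-a": frozenset({"b:read"})}

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenInfo] = {}

    def _issue(self, info: TokenInfo) -> str:
        token = secrets.token_urlsafe(24)
        self._tokens[token] = info
        return token

    def user_token(self, user: str, scopes: Iterable[str], audiences: Iterable[str]) -> str:
        """What the BFF ends up holding after the user logs in."""
        return self._issue(TokenInfo(user, frozenset(scopes), frozenset(audiences)))

    def introspect(self, token: str) -> Optional[TokenInfo]:
        return self._tokens.get(token)

    def exchange(self, subject_token: str, scopes: Iterable[str], audience: str) -> str:
        """Token exchange (RFC 8693 style): derive a narrower token for one audience."""
        info = self.introspect(subject_token)
        if info is None:
            raise PermissionError("unknown subject token")
        if not frozenset(scopes) <= info.scopes:
            raise PermissionError("requested scope exceeds the subject token")  # no escalation
        return self._issue(TokenInfo(info.subject, frozenset(scopes), frozenset({audience})))

    def client_credentials(self, client_id: str, client_secret: str,
                           scopes: Iterable[str], audience: str) -> str:
        """Client credentials grant: the service acts as itself; no user in the token."""
        if not secrets.compare_digest(self.CLIENTS.get(client_id, ""), client_secret):
            raise PermissionError("bad client credentials")
        if not frozenset(scopes) <= self.CLIENT_SCOPES.get(client_id, frozenset()):
            raise PermissionError("client may not request that scope")
        return self._issue(TokenInfo(client_id, frozenset(scopes), frozenset({audience})))


class ResourceServer:
    def __init__(self, name: str, auth: AuthorizationServer, required_scope: str) -> None:
        self.name, self.auth, self.required_scope = name, auth, required_scope

    def accepts(self, token: str) -> bool:
        """Audience and scope are both checked; a token for another service is refused."""
        info = self.auth.introspect(token)
        return info is not None and self.name in info.audiences and self.required_scope in info.scopes


def relay(svc_a: ResourceServer, svc_b: ResourceServer, user_token: str) -> dict:
    """Slide 55: the BFF forwards the user's token unchanged, so A can replay it against B."""
    return {"a_accepts": svc_a.accepts(user_token), "a_can_call_b": svc_b.accepts(user_token)}


def exchange(auth: AuthorizationServer, svc_a: ResourceServer, svc_b: ResourceServer, user_token: str) -> dict:
    """Slide 58: the BFF swaps the user's token for one scoped to A only."""
    a_token = auth.exchange(user_token, {"a:read"}, audience="svc-a")
    try:
        auth.exchange(a_token, {"b:read"}, audience="svc-b")   # A tries to widen its authority
        escalated = True
    except PermissionError:
        escalated = False
    return {"a_accepts": svc_a.accepts(a_token), "a_can_call_b": svc_b.accepts(a_token), "escalated": escalated}


def client_credentials(auth: AuthorizationServer, svc_b: ResourceServer) -> dict:
    """Slides 60-61: A calls B with its own token; B sees svc-a, not the end user."""
    token = auth.client_credentials("svc-a", "a-secret", {"b:read"}, audience="svc-b")
    return {"b_accepts": svc_b.accepts(token), "subject": auth.introspect(token).subject}


def demo() -> dict:
    auth = AuthorizationServer()
    svc_a = ResourceServer("svc-a", auth, "a:read")
    svc_b = ResourceServer("svc-b", auth, "b:read")
    user_token = auth.user_token("alice", {"a:read", "b:read"}, {"bff", "svc-a", "svc-b"})
    return {"relay": relay(svc_a, svc_b, user_token),
            "exchange": exchange(auth, svc_a, svc_b, user_token),
            "client_credentials": client_credentials(auth, svc_b)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the relayed token accepted by both A and B, the exchanged token accepted by A only with the escalation attempt refused, and the client-credentials token accepted by B with `svc-a` as its subject. The same checks apply to JWTs: the audience and scope claims replace the introspection lookup, and the authorization server still has to refuse an exchange that asks for more than the subject token carries.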
  • 63. PCF and Microservice Security ● PCF provides three features that are useful when implementing microservices security ○ Route Services ○ Container to Container networking ○ Container Instance Identity ● Pushing complexity out of your code into the platform.
  • 64. Route Services ● Cloud Foundry route services enable the processing of requests before they reach the application ● Can be used to route requests through an API gateway where security policies are enforced ● https://docs.cloudfoundry.org/services/route-services.html
  • 65. Container-to-Container Networking ● Enables direct communication between application containers on Cloud Foundry ● Enables fine-grained policies about which apps are allowed to talk to each other, and on which ports and protocols ● Policies are defined with the cf CLI, so they are easy to put in your pipelines: no tickets to configure firewalls ● Provides DNS-based service discovery ● https://docs.cloudfoundry.org/concepts/understand-cf-networking.html
  • 66. Container Instance Identity ● Every container instance created on Cloud Foundry is assigned a unique X.509 certificate and PKCS#1 RSA private key ● The certificate and key pair are rotated every 24 hours, or on a shorter schedule set by the administrator, so code has to reload them rather than cache them for the life of the process ● The certificate contains: ○ the Common Name set to the instance GUID of the app instance ○ an IP SAN set to the container IP address of the app instance ○ a DNS SAN set to the instance GUID of the app instance ○ Organizational Unit values in the Subject Distinguished Name of the form organization:ORG-GUID, space:SPACE-GUID and app:APP-GUID, with the GUIDs as assigned by Cloud Controller ● Enables mutual TLS between microservices calling each other; the OAuth 2.0 spec assumes TLS protects bearer tokens in transit ● https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation
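Turning the certificate fields listed on slide 66 into an authorization decision, as an added example that is not part of the slides. The code works on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns after the chain has been verified against the platform CA, extracts the instance GUID and the organization/space/app GUIDs, and allows a call only from an instance of an allowed app in the expected space that connected from the address in its IP SAN. The GUIDs, the address, the policy and the sample certificate dictionary are constructed; the CA file path and the `CF_INSTANCE_CERT` / `CF_INSTANCE_KEY` variables Cloud Foundry sets in the container are used only in the context builder, which is not exercised here.

```python
# Added example, not from the slides: authorising a mutual-TLS peer from the
# fields a Cloud Foundry instance identity certificate carries, using the
# dictionary shape that Python's ssl.SSLSocket.getpeercert() returns once the
# chain has been verified against the platform CA. GUIDs, the address and the
# policy are constructed; the sample certificate dictionary is hand-built.
import os
import ssl
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class InstanceIdentity:
    instance_guid: str
    org_guid: str
    space_guid: str
    app_guid: str
    ip: str


def parse_instance_identity(peercert: dict) -> InstanceIdentity:
    """Pull the CN, the org:/space:/app: OU values and the SANs out of a getpeercert() dict."""
    common_name = None
    ou_values = []
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                common_name = value
            elif key == "organizationalUnitName":
                ou_values.extend(part.strip() for part in value.split(","))
    tagged: Dict[str, str] = {}
    for entry in ou_values:
        tag, sep, guid = entry.partition(":")
        if sep and guid:
            tagged[tag] = guid
    sans = peercert.get("subjectAltName", ())
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    ip_sans = [value for kind, value in sans if kind == "IP Address"]
    missing = [f for f in ("organization", "space", "app") if f not in tagged]
    if common_name is None or missing or not dns_sans or not ip_sans:
        raise ValueError("not a complete instance identity certificate")
    if common_name not in dns_sans:
        raise ValueError("DNS SAN does not carry the instance GUID from the CN")
    return InstanceIdentity(common_name, tagged["organization"], tagged["space"],
                            tagged["app"], ip_sans[0])


def authorize_peer(peercert: dict, peer_ip: str, space_guid: str,
                   allowed_apps: Set[str]) -> InstanceIdentity:
    """Allow only an instance of an allowed app in our space, at the address it connected from."""
    ident = parse_instance_identity(peercert)
    if ident.ip != peer_ip:
        raise PermissionError("IP SAN does not match the connecting address")
    if ident.space_guid != space_guid:
        raise PermissionError("peer is outside the expected space")
    if ident.app_guid not in allowed_apps:
        raise PermissionError("app is not allowed to call this service")
    return ident


def mtls_server_context(ca_file: str) -> ssl.SSLContext:
    """Server side: present this instance's cert and require a client cert from the platform CA.
    Rebuild the context on a timer: the cert and key under CF_INSTANCE_CERT / CF_INSTANCE_KEY
    are rotated by the platform, so a context built once at startup goes stale."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(os.environ["CF_INSTANCE_CERT"], os.environ["CF_INSTANCE_KEY"])
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed peer certificate in the shape getpeercert() returns for a CF instance cert.
SAMPLE_PEERCERT = {
    "subject": (
        (("organizationalUnitName", "organization:org-guid-1"),),
        (("organizationalUnitName", "space:space-guid-1"),),
        (("organizationalUnitName", "app:app-guid-1"),),
        (("commonName", "instance-guid-1"),),
    ),
    "subjectAltName": (("DNS", "instance-guid-1"), ("IP Address", "10.255.12.7")),
}

if __name__ == "__main__":
    print(authorize_peer(SAMPLE_PEERCERT, "10.255.12.7", "space-guid-1", {"app-guid-1"}))
```

The app GUID, not the instance GUID, is the stable thing to put in policy: instances come and go and their certificates rotate, while the app GUID survives restarts and new pushes of the same app.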