Security enforcement of Microservices with API Management
2 likes1,350 views
The document discusses securing microservices through API management, focusing on the use of REST services and various security frameworks. It covers examples of implementing security policies, endpoint management, and authentication methods such as Basic Auth and OpenID Connect. The document concludes by weighing the pros and cons of centralized governance in API security management.
![Jetty Example
Goal restrict or allow access to resources
How URL requested matched with one the rule(s)
Example
Constraintconstraint=newConstraint();
constraint.setRoles(newString[]{"user","admin"});
ConstraintMappingmapping=newConstraintMapping();
mapping.setPathSpec("/say/hello/*");
mapping.setMethod("GET");
mapping.setConstraint(constraint);](https://image.slidesharecdn.com/jbcnconf-security-microservices-2016-160620062907/85/Security-enforcement-of-Microservices-with-API-Management-20-320.jpg)
![Api Man - Basic Auth
How : Associate a Policy using the Basic Auth Plugin to an endpoint
"contracts":[
{
"apiOrgId":"Policy_BasicAuthStatic",
"apiId":"echo",
"apiVersion":"1.0.0",
"policies":[
{
"policyImpl":"class:io.apiman.gateway.engine.policies.BasicAuthenticationPol
"policyJsonConfig":"{"realm":"Test","forwardIdentityHttpHeader":
}
]
}
]](https://image.slidesharecdn.com/jbcnconf-security-microservices-2016-160620062907/85/Security-enforcement-of-Microservices-with-API-Management-33-320.jpg)
![OpenId connect - Example
{
"jti":"af68fac6-fd50-4b73-bd37-5c555a8e561e",
"exp":1442847825,
"nbf":0,
"iat":1442847525,
"iss":"http://localhost:8080/auth/realms/fuse",
"aud":"fuse",
"sub":"3591e417-7c60-4464-8714-96190c7fad92",
"azp":"fuse",
"session_state":"f58d5dfc-6e4c-4ad2-bd2f-70713f6b942d",
"client_session":"f06b673f-ecbe-47f2-ba76-b6a5901d5afe",
"allowed-origins":[],
"realm_access":{
"roles":[
"write"
]
},
"name":"writer",
"preferred_username":"writer",
"given_name":"writer"
}](https://image.slidesharecdn.com/jbcnconf-security-microservices-2016-160620062907/85/Security-enforcement-of-Microservices-with-API-Management-35-320.jpg)
Security enforcement of Microservices with API Management
- 1. Security enforcement of Microservices with API Management Charles Moulliard (@cmoulliard) 17 June 2016
- 2. Who Committer, Coder, Architect Work on Apache Camel, Karaf, Fabric8, Hawtio, Apiman, Drools Mountain Biker, Belgian Beer Fan Blog: Twitter: Email: http://cmoulliard.github.io @cmoulliard cmoulliard@redhat.com
- 3. Agenda RESTfull Use case How to Secure the Endpoint Policy Web Container Api Management Demo
- 5. Use case
- 7. Api documented : Swagger
- 8. How to Secure ?
- 9. Level ! Endpoint Framework/Policy/Interceptor HTTP Web Container Handler & Constraints Externally Api Manager
- 10. Endpoint Level
- 11. Endpoint level
- 12. Intercept Framework based : Apache Shiro, Spring Security Interceptor/Policy : Apache Camel, Apache CXF JAXRS : @Roles
- 14. Interceptor To trace, log, secure
- 15. Camel Endpoint Goal Extract from the HTTP request the info needed to authenticate a user How Use a Camel Policy to wrap the Route / Pipeline with a new processor Camel Example publicclassShiroSecurityPolicyimplementsAuthorizationPolicy{ publicProcessorwrap(RouteContextrouteContext,finalProcessorprocessor){ returnnewShiroSecurityProcessor(processor,this); } ... @Override publicbooleanprocess(Exchangeexchange,AsyncCallbackcallback){ try{ applySecurityPolicy(exchange);
- 16. CXF Endpoint How Using the ContainerRequestFilter JAXRS Interface Rely on CXF Intercept CXF Example @Provider @PreMatching publicclassSecurityRequestFilterimplementsContainerRequestFilter{ @Override publicvoidfilter(finalContainerRequestContextrequestContext) throwsIOException{ ...
- 19. HTTP Handler How Apply Constraints on Web Resources path(s) GET/rest/accountservice/accountforUser POST/webservices/customerservices/customerforAdmin Designed using JAAS JDBC, LDAP, Properties Could use Roles
- 20. Jetty Example Goal restrict or allow access to resources How URL requested matched with one the rule(s) Example Constraintconstraint=newConstraint(); constraint.setRoles(newString[]{"user","admin"}); ConstraintMappingmapping=newConstraintMapping(); mapping.setPathSpec("/say/hello/*"); mapping.setMethod("GET"); mapping.setConstraint(constraint);
- 22. JAXRS @Roles Goal Allow/Deny Access to resources How using annotation @RolesAllowed Example @Path("projects") @Produces("application/json") publicclassProjectsResource{ @POST @RolesAllowed("manager") publicProjectcreateProject(finalProjectproject){...} @GET @Path("{id}") publicProjectgetProject(@PathParam("id")finalLongid){...}
- 23. Web Secured & Policy Level
- 24. Pros / Cons
- 25. Conclusions Pros No product lock Great flexibility Spec managed Cons Intrusive Low Management Capability Lack of Governance
- 26. External Player
- 27. Api Manager
- 28. Api Man Goal Externalize/Delegate security endpoint to Api How Api acts as a Proxy/Gateway matching : Incoming request against 1 Many policies Delivering requests to target endpoint if validation succeeds
- 29. Manager
- 30. Api
- 32. Api
- 33. Api Man - Basic Auth How : Associate a Policy using the Basic Auth Plugin to an endpoint "contracts":[ { "apiOrgId":"Policy_BasicAuthStatic", "apiId":"echo", "apiVersion":"1.0.0", "policies":[ { "policyImpl":"class:io.apiman.gateway.engine.policies.BasicAuthenticationPol "policyJsonConfig":"{"realm":"Test","forwardIdentityHttpHeader": } ] } ]
- 34. Api Man - OpenId connect Goal Authenticate a user using an Identity provider to get a token used for SSO purposes Authentication between Client and Identity Provider: public, secret or PKI JSon Web Token : Compact token format, Encode claims to be transmitted, Base64url encoded and digitally signed and/or encrypted
- 35. OpenId connect - Example { "jti":"af68fac6-fd50-4b73-bd37-5c555a8e561e", "exp":1442847825, "nbf":0, "iat":1442847525, "iss":"http://localhost:8080/auth/realms/fuse", "aud":"fuse", "sub":"3591e417-7c60-4464-8714-96190c7fad92", "azp":"fuse", "session_state":"f58d5dfc-6e4c-4ad2-bd2f-70713f6b942d", "client_session":"f06b673f-ecbe-47f2-ba76-b6a5901d5afe", "allowed-origins":[], "realm_access":{ "roles":[ "write" ] }, "name":"writer", "preferred_username":"writer", "given_name":"writer" }
- 36. Role Mapping Goal Restrict/allow access to an application based on an Authorization Rule How Define a collection of Authorization rules as such & Combined with Auth Plugin (Keycloak, Basic, …) Path Verb Role required .* PUT Writer .* GET Reader
- 37. Discovery - Cloud Platform
- 38. Pros / Cons
- 39. Conclusions Pros Centralized governance policy configuration Loose coupling Tracking of APIs and consumers of those APIs Gathering statistics/metrics Service Discovery Simplify security audit Cons Performance New Architecture Brick Features = plugins available
- 40. Demo
- 41. Questions Twitter : @cmoulliard Apiman : , Fabric8 :http://apiman.io http://fabric8.io