EclipseCon France
Stateless Microservice Security via JWT, TomEE and MicroProfile
Jean-Louis Monteiro, Tomitribe
#RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe
Why am I here today?
• Microservices architecture case
• Security options
• OAuth2 with JWT
• Demo with MP-JWT and Apache TomEE
Microservices (SOA with a sexy name)
Traditional system (figure): a single monolithic System containing Component A, Component B, Component C and Component D.
#RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe
… with traditional scalability (figure, built up over four slides)
… and its traditional security (figure)
What to expect from microservices?
• 2 possible perspectives
• Technical
• Organizational
Microservices - the technical perspective
• Cloud
• Containers
• Virtualization
• Large scale
The organizaConal perspecCve EclipseCon France • Agile methodology • Small teams • HR / organiza-onal changes free (Conway’s Law) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe
But there are new challenges
• Scalability
• Cost reduction
• Resilience
• Monitoring
• Security
Microservices Security Options
• Basic Auth
• OAuth2
• OpenID Connect
• JWT - the Facebook / Google way
• HTTP Signatures - the Amazon way
• « In-house » solutions
• More …
Baseline Architecture (figure): 1000 users at 3 TPS each give 3000 TPS at the frontend; every frontend request fans out over 4 hops, so the backend sees 12000 TPS.
Basic Auth (and its problems)
Basic Auth Message

    POST /painter/color/object HTTP/1.1
    Host: localhost:8443
    Authorization: Basic c25vb3B5OnBhc3M=
    User-Agent: curl/7.43.0
    Accept: */*
    Content-Type: application/json
    Content-Length: 45

    {"color":{"b":255,"g":0,"name":"blue","r":0}}

The credential is only Base64-encoded, not encrypted: c25vb3B5OnBhc3M= decodes to snoopy:pass, and it travels on every single request.
Basic Auth (figure): clients send username+password (Base64) over HTTP+SSL at 3000 TPS; the frontend verifies every password against LDAP, 3000 TPS; the frontend-to-backend leg runs at 12000 TPS over plain HTTP with no auth.

Basic Auth, credentials forwarded to the backend (figure): username+password (Base64) is sent on both the frontend leg (3000 TPS, HTTP+SSL) and the backend leg (12000 TPS, HTTP); since every hop verifies the password, LDAP now sees 15000 TPS.

Basic Auth - Attacks (figure): 3000 TPS of valid passwords plus 6000 TPS of invalid passwords (both HTTP+SSL) still cost 9000 TPS of LDAP verifications, because an invalid password is only known to be invalid after the directory has been asked; the backend leg stays at 12000 TPS with no auth over HTTP.
OAuth 2.0 (and its problems)
The theory behind it
Based on tokens (figure, built up over three slides)
OAuth 2 - Password Grant (the OAuth 2 server verifies the password against LDAP, generates a token and records it in the token store)

    POST /oauth2/token HTTP/1.1
    Host: api.superbiz.io
    User-Agent: curl/7.43.0
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 54

    grant_type=password&username=snoopy&password=woodstock

    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "expires_in":3600,
      "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
    }
OAuth 2.0 Message (the same bearer token is presented on every call)

    POST /painter/color/object HTTP/1.1
    Host: api.superbiz.io
    Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
    User-Agent: curl/7.43.0
    Accept: */*
    Content-Type: application/json
    Content-Length: 45

    {"color":{"r":0,"g":0,"b":255,"name":"blue"}}

The following calls carry the identical Authorization header and differ only in path, body and Content-Length:

    POST /painter/color/palette   Content-Length: 46   {"color":{"r":0,"g":255,"b":0,"name":"green"}}
    POST /painter/color/select    Content-Length: 44   {"color":{"r":255,"g":0,"b":0,"name":"red"}}
    POST /painter/color/fill      Content-Length: 49   {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
    POST /painter/color/stroke    Content-Length: 51   {"color":{"r":255,"g":200,"b":255,"name":"orange"}}
401 (the access token has expired)
OAuth 2 - Refresh Grant (the OAuth 2 server verifies the refresh token, generates a new token pair and updates the token store; LDAP is not consulted)

    POST /oauth2/token HTTP/1.1
    Host: api.superbiz.io
    User-Agent: curl/7.43.0
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 61

    grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    {
      "access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
      "expires_in":3600,
      "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e"
    }
Old pair
• Access Token 2YotnFZFEjr1zCsicMWpAA
• Refresh Token tGzv3JOkF0XG5Qx2TlKWIA

New pair
• Access Token 6Fe4jd7TmdE5yW2q0y6W2w
• Refresh Token hyT5rw1QNh5Ttg2hdtR54e
What have we achieved?
• Avoided the high-rate transit of username + password on the wire
• Replaced it with a blind « token » that references a state held on the server side
• Generated many short-lived « passwords » (tokens) stored on devices
• Created a « new » …. HTTP Session architecture: the token store is server-side session state that every check has to consult
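The password grant, the per-request bearer check, the 401 on expiry and the refresh grant above form one sequence. The following Python model, added here and not code from the talk or from Apache TomEE, replays that sequence against an in-memory token store so the server-side state behind an opaque token is visible. The user table, the token format (secrets.token_urlsafe) and the store layout are assumptions; the 3600 s lifetime is the expires_in value from the slides.

```python
"""Opaque OAuth 2 tokens as server-side state: password grant, per-request
token check, expiry (401) and refresh-token rotation.

Added illustration, not code from the talk or from TomEE. The user table and
the store layout are constructed assumptions; 3600 s is the slides' expires_in."""
import hmac
import secrets

TOKEN_TTL = 3600  # seconds, the expires_in value shown in the slides

# Constructed stand-in for the LDAP directory in the diagrams.
USERS = {"snoopy": "woodstock"}


class Clock:
    """Controllable time source so expiry can be exercised without sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds


class TokenStore:
    """The state an opaque bearer token refers to: the 'new HTTP session'."""

    def __init__(self, clock):
        self.clock = clock
        self.access = {}   # access_token  -> (username, expiry, refresh_token)
        self.refresh = {}  # refresh_token -> (username, access_token)

    def _issue(self, username):
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[access] = (username, self.clock.now + TOKEN_TTL, refresh)
        self.refresh[refresh] = (username, access)
        return {"access_token": access, "expires_in": TOKEN_TTL,
                "refresh_token": refresh, "token_type": "Bearer"}

    def password_grant(self, username, password):
        """grant_type=password: the only step that ever sees the password."""
        expected = USERS.get(username, "")
        if not expected or not hmac.compare_digest(expected, password):
            return None  # 400 invalid_grant
        return self._issue(username)

    def check(self, access_token):
        """What every hop does with an opaque token: a lookup in shared state."""
        entry = self.access.get(access_token)
        if entry is None:
            return None  # 401: unknown or revoked token
        username, expiry, _ = entry
        if self.clock.now >= expiry:
            return None  # 401: expired, the client must use the refresh grant
        return username

    def refresh_grant(self, refresh_token):
        """grant_type=refresh_token: rotate the pair; the old pair dies."""
        entry = self.refresh.pop(refresh_token, None)
        if entry is None:
            return None  # 400 invalid_grant (unknown or already used)
        username, old_access = entry
        self.access.pop(old_access, None)
        return self._issue(username)


def walk_through(hops=4):
    """Replays the slide sequence and returns what each step observed."""
    clock = Clock()
    store = TokenStore(clock)
    rejected = store.password_grant("snoopy", "charlie")  # wrong password
    pair = store.password_grant("snoopy", "woodstock")
    # Frontend plus `hops` backend calls, each checking the same bearer token.
    checks = [store.check(pair["access_token"]) for _ in range(hops + 1)]
    clock.advance(TOKEN_TTL)                               # lifetime elapsed
    expired = store.check(pair["access_token"])            # None, i.e. 401
    new_pair = store.refresh_grant(pair["refresh_token"])  # new pair issued
    replayed = store.refresh_grant(pair["refresh_token"])  # old refresh token is dead
    return {
        "wrong_password_rejected": rejected is None,
        "checks": checks,
        "expired": expired is None,
        "rotated": new_pair is not None
                   and new_pair["access_token"] != pair["access_token"]
                   and new_pair["refresh_token"] != pair["refresh_token"],
        "new_token_valid": store.check(new_pair["access_token"]) == "snoopy",
        "old_refresh_replay_rejected": replayed is None,
    }


if __name__ == "__main__":
    print(walk_through())
```

Every check() call is a hit on the store, which is the point the deck makes next: with 4 hops, one user request costs five lookups, and the store has to be reachable from every service.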
4 hops, OAuth 2 (figure): passwords now go only to the OAuth 2 server, about 1000/day (HTTP+SSL, verified against LDAP); clients send tokens to the frontend at 3000 TPS (HTTP+SSL), which costs 3000 TPS of token checks; the 12000 TPS frontend-to-backend leg is still unauthenticated.

OAuth 2, tokens also checked on the backend (figure, built up over two slides): passwords about 1000/day to the OAuth 2 server (LDAP); tokens at 3000 TPS (HTTP+SSL) to the frontend; 3000 TPS of token checks at the frontend plus 12000 TPS of token checks at the backend, all against the token store.

0 hops, OAuth 2 (figure): the same diagram with no backend hops: passwords about 1000/day to the OAuth 2 server (LDAP), tokens at 3000 TPS (HTTP+SSL) to the frontend, 0 TPS on the backend leg and 0 TPS of token checks at both frontend and backend.
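The extracted slides stop at the 0 hops diagram, before the JWT part of the talk announced in the title. The following Python example, added here and not code from the talk, from MicroProfile JWT or from Apache TomEE, shows why token-check traffic can drop to zero: with an opaque token every hop must ask the token store, with a signed token every hop verifies the signature and expiry locally. MP-JWT tokens are RS256-signed and verified with the issuer's public key; this stand-alone version signs with HS256 from the standard library instead, so the key is shared by issuer and services, and the key, the subject and the lifetimes are constructed sample values. It also checks two forgeries any verifier must reject (a rewritten payload, and alg=none).

```python
"""Per-hop token verification: opaque token (lookup in the token store on every
hop) versus a signed JWT (signature checked locally, no token-store traffic).

Added illustration, not code from the talk, from MicroProfile JWT or from
TomEE. MP-JWT uses RS256 with a public key; HS256 is used here only to stay
dependency-free, which means issuer and services share one key."""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-key-do-not-reuse"  # assumption: key shared by issuer and services


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_issue(claims, key):
    """Issuer side: header.payload.signature, HS256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify(token, key, now):
    """Service side: returns the claims or None. Needs the key and a clock, nothing remote."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        claims = json.loads(_unb64url(payload_b64))
    except ValueError:  # wrong number of parts, bad base64, bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None  # missing or elapsed expiry
    return claims


class TokenStore:
    """Opaque tokens: the meaning lives here, so every check is a round trip."""

    def __init__(self):
        self.tokens, self.lookups = {}, 0

    def issue(self, subject):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = subject
        return token

    def check(self, token):
        self.lookups += 1
        return self.tokens.get(token)


def run_request(token, authenticate, hops):
    """One user request: the frontend plus `hops` backend services each authenticate the token."""
    return all(authenticate(token) is not None for _ in range(hops + 1))


def compare(hops=4, now=1000):
    """Token-store lookups caused by one request under each scheme (deck: 4 hops)."""
    store = TokenStore()
    opaque_ok = run_request(store.issue("snoopy"), store.check, hops)
    opaque_lookups = store.lookups
    token = jwt_issue({"sub": "snoopy", "exp": now + 3600}, SECRET)
    jwt_ok = run_request(token, lambda t: jwt_verify(t, SECRET, now), hops)
    return {"opaque_ok": opaque_ok, "opaque_lookups": opaque_lookups,
            "jwt_ok": jwt_ok, "jwt_lookups": store.lookups - opaque_lookups}


def forgeries_rejected(now=1000):
    """Two classic attacks on a JWT verifier; both must come back as None."""
    header, payload, sig = jwt_issue({"sub": "snoopy", "exp": 2000}, SECRET).split(".")
    forged_payload = _b64url(b'{"sub":"admin","exp":2000}')  # rewritten claims, old signature
    tampered = header + "." + forged_payload + "." + sig
    none_header = _b64url(b'{"alg":"none","typ":"JWT"}')    # alg=none, empty signature
    unsigned = none_header + "." + payload + "."
    return jwt_verify(tampered, SECRET, now) is None and jwt_verify(unsigned, SECRET, now) is None


if __name__ == "__main__":
    print(compare(), forgeries_rejected())
```

The trade-off the stateless scheme buys is visible in jwt_verify: nothing can be consulted at check time, so a token stays valid until exp and revocation has to come from short lifetimes or from key rotation rather than from deleting a row in the store.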