stateless microservice security via
play

Stateless Microservice Security via QCON SP JWT, TomEE and - PowerPoint PPT Presentation

Mar 14, 2023 •20 likes •820 views

Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe Why am I here today? QCON SP Microservices architecture case Security opEons OAuth2

  1. Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  2. Why am I here today? QCON SP Microservices architecture case Security opEons OAuth2 with JWT HTTP Signatures Demo with MP-JWT and TomEE #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  3. Microservices QCON SP (SOA with a sexy name) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  4. TradiEonal system Component A Component B QCON SP System (Monolithic) Component D Component C #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  5. … with tradiEonal scalability QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  6. … with tradiEonal scalability QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  7. … with tradiEonal scalability QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  8. … with tradiEonal scalability QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  9. … and its tradiEonal security QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  10. What to expect from microservices? • The technical perspec/ve QCON SP • The organiza/onal perspec/ve #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  11. Microservices - the technical perspecEve • Cloud QCON SP • Containers • Virtualiza/on • Large scale #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  12. The organizaEonal perspecEve • Agile methodology QCON SP • Small teams • HR / organiza/onal changes free #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  13. But there are new challenges • Scalability QCON SP • Cost reduc/on • Resilience • Monitoring • Security #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  14. Baseline Architecture QCON SP 1000 users 4 hops x 3 TPS 3000 TPS 12000 TPS frontend backend #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  15. Microservices security opEons QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  16. OpEons • Basic Auth QCON SP • OAuth2 • OpenID Connect • JWT - Facebook / Google way • HTTP Signatures - Amazon way • « In-house » solu/ons • And many more … #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  17. “The nice thing about standards is you have so many to choose from .” QCON SP - Andrew S. Tanenbaum #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  18. Basic Auth QCON SP (and its problems) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  19. Basic Auth Message POST /painter/color/object HTTP/1.1 Host: localhost:8443 QCON SP Authorization: Basic c25vb3B5OnBhc3M= User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"b":255,"g":0,"name":"blue","r":0}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  20. Basic Auth QCON SP username+password (no auth) Base64 Password Sent 3000 TPS 12000 TPS (HTTP+SSL) (HTTP) 3000 TPS (LDAP) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  21. Basic Auth QCON SP username+password username+password Base64 Base64 Password Sent Password Sent 3000 TPS 12000 TPS (HTTP+SSL) (HTTP) 15000 TPS (LDAP) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  22. Basic Auth - ATacks Valid QCON SP Password Sent 3000 TPS (HTTP+SSL) No auth Invalid 12000 TPS Password Sent 6000 TPS (HTTP) (HTTP+SSL) 9000 TPS (LDAP) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  23. OAuth 2.0 QCON SP (and its problems) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  24. The theory behind it QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  25. Based on tokens QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  26. Based on tokens QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  27. Based on tokens QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  28. OAuth 2 - Password Grant (LDAP) POST /oauth2/token Verify Host: api.superbiz.io User-Agent: curl/7.43.0 Password QCON SP Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Generate Cache-Control: no-store Token Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "expires_in":3600, (Token Store) "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", } #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  29. OAuth 2.0 Message POST /painter/color/object HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":0,"b":255,"name":"blue"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  30. OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":255,"b":0,"name":"green"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  31. OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  32. OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  33. OAuth 2.0 Message POST /painter/color/stroke HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":255,"g":200,"b":255,"name":"orange"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  34. QCON SP 401 #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  35. OAuth 2 - Refresh Grant (LDAP) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 QCON SP Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA HTTP/1.1 200 OK Verify and Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Generate Pragma: no-cache Token { "access_token":"6Fe4jd7TmdE5yW2q0y6W2w", "expires_in":3600, (Token Store) "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e", } #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  36. Old pair • Access Token 2YotnFZFEjr1zCsicMWpAA QCON SP • Refresh Token tGzv3JOkF0XG5Qx2TlKWIA New pair • Access Token 6Fe4jd7TmdE5yW2q0y6W2w • Refresh Token hyT5rw1QNh5Ttg2hdtR54e #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  37. OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 46 {"color":{"r":0,"g":255,"b":0,"name":"green"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  38. OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  39. OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

Recommend

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

EclipseCon France Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe EclipseCon France Why am I here today? Microservices architecture case

1.26k views • 69 slides
Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http:/ /safestack.io caution: fast paced field ahead watch for out of date

1.06k views • 66 slides
IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad

IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad

IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad AlSadeh, Hosnieh Rafiee, Christoph Meinel Hasso-Plattner-Institut, University of Potsdam, Germany IPv6 StateLess Address Auto- Configuration

330 views • 20 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas

Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas

Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at University of Potsdam, Germany Motivation EPA the legacy system

1.28k views • 30 slides
API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb.

API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb.

API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb. 28, 2018 Agenda Purpose and Goals Background Current Approaches - Network-level Controls - Application-level Controls - Emerging

785 views • 43 slides
Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation Experience Sharing Ivan Hsieh P .1 Agenda Microservice Architecture How to break a Monolith into Microservices

519 views • 36 slides
CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote "Using Docker" for O'Reilly 40% Discount with AUTHD code Free Docker Security minibook http://www.oreilly.com/webops-perf/free/docker-

1.06k views • 68 slides
CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF Fingerprinting Tester https://panopticlick.eff.org 3 Panopticlick Testing 4 IE Brave Fingerprinting Components 5

1.28k views • 78 slides
PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3 PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3 PROBLEM CORRECT MICROSERVICE ARCHITECTURE

736 views • 61 slides
Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis Gkikopoulos, PhD student and research assistant, ZHAW and UNINE, Switzerland The Microservice Pattern An increasingly prevalent approach to

300 views • 15 slides
Probably the worlds best stateless traffic generation and analysis platform 2 1 2 4 5 6

Probably the worlds best stateless traffic generation and analysis platform 2 1 2 4 5 6

1 Probably the worlds best stateless traffic generation and analysis platform 2 1 2 4 5 6 3 OVERVIEW TYPES OF TESTS HARDWARE SOFTWARE AUTOMATION KEY FEATURES LEARN MORE 3 OVERVIEW Valkyrie is a full-featured stateless traffic

720 views • 43 slides
Probably the worlds best stateless Ethernet traffic generation and analysis platform 2 1 2

Probably the worlds best stateless Ethernet traffic generation and analysis platform 2 1 2

1 Probably the worlds best stateless Ethernet traffic generation and analysis platform 2 1 2 4 5 6 3 OVERVIEW TYPES OF TESTS HARDWARE SOFTWARE AUTOMATION KEY FEATURES LEARN MORE 3 OVERVIEW Valkyrie is a full-featured stateless

805 views • 43 slides
Towards TVF 4 TVF 3 TVF 2 TVF 1 r log(Packet Value) r + D 3 D 3 r + D 3 + D 2 Core-Stateless

Towards TVF 4 TVF 3 TVF 2 TVF 1 r log(Packet Value) r + D 3 D 3 r + D 3 + D 2 Core-Stateless

Towards TVF 4 TVF 3 TVF 2 TVF 1 r log(Packet Value) r + D 3 D 3 r + D 3 + D 2 Core-Stateless Fairness D 2 r + D 3 + D 2 + D 1 D 1 on Multiple Timescales 1 2 3 4 5 6 7 log(Throughput) Szilveszter Ndas(Ericsson Research) Gerg Gombos,

1.1k views • 20 slides
Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1 , Guillaume

Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1 , Guillaume

Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1 , Guillaume Endignoux 2 Wednesday 18 th April, 2018 1 Kudelski Security 2 Work done while at Kudelski Security and EPFL 1 Hash-based signatures What are hash-based

370 views • 36 slides
Armeria Armeria A Microservice Framework A Microservice Framework Well-suited Everywhere

Armeria Armeria A Microservice Framework A Microservice Framework Well-suited Everywhere

Armeria Armeria A Microservice Framework A Microservice Framework Well-suited Everywhere Well-suited Everywhere Trustin Lee, LINE Oct 2019 @armeria_project line/armeria A microservice framework, again? @armeria_project line/armeria

643 views • 50 slides
dIVI-pd: Dual-Stateless IPv4/IPv6 Translation with Prefix Delegation X. Li, C. Bao, W. Dec, R.

dIVI-pd: Dual-Stateless IPv4/IPv6 Translation with Prefix Delegation X. Li, C. Bao, W. Dec, R.

dIVI-pd: Dual-Stateless IPv4/IPv6 Translation with Prefix Delegation X. Li, C. Bao, W. Dec, R. Asati, C. Xie, Q. Sun 2011-11-12 Introduction The dIVI-PD is an extension of stateless IPv4/IPv6 translation with address sharing RFC6052:

890 views • 15 slides
Stateless Reset QUIC Interim 2017-06, Paris Manifest Confusion What is the purpose of a

Stateless Reset QUIC Interim 2017-06, Paris Manifest Confusion What is the purpose of a

Stateless Reset QUIC Interim 2017-06, Paris Manifest Confusion What is the purpose of a Stateless Reset? What signals do we want endpoints to generate? ...and who do we want to have consume those signals? What is the role of a middlebox in

390 views • 13 slides
Stateless Determinis-c NAT (SD-NAT)

Stateless Determinis-c NAT (SD-NAT)

Stateless Determinis-c NAT (SD-NAT) dra6-penno-so6wire-sdnat-01 Reinaldo Penno (rpenno@juniper.net) Olivier Vautrin (olivier@juniper.net) Alain Durand

613 views • 9 slides
Highly-Available Applications on Unreliable Infrastructure: Microservice Architectures in

Highly-Available Applications on Unreliable Infrastructure: Microservice Architectures in

Highly-Available Applications on Unreliable Infrastructure: Microservice Architectures in Practice Daniel Richter, Marcus Konrad, Katharina Utecht, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at

679 views • 29 slides
Wage Your Bets: Microservice, Monolith, or Serverless Presented

Wage Your Bets: Microservice, Monolith, or Serverless Presented

AW23 Agile/ DevOps Transformations Wednesday, November 6th, 2019 3:00 PM Wage Your Bets: Microservice, Monolith, or Serverless Presented by:

327 views • 3 slides
Microservice A B Evolution B B Adalberto R. Sampaio Jr, Harshavardhan Kadiyala, Bo

Microservice A B Evolution B B Adalberto R. Sampaio Jr, Harshavardhan Kadiyala, Bo

NIER A B B B C Supporting Microservice A B Evolution B B Adalberto R. Sampaio Jr, Harshavardhan Kadiyala, Bo Hu, John Steinbacher, Tony Erwin, Nelson Rosa, Ivan Beschastnikh, Julia Rubin Federal University University of IBM

155 views • 12 slides
Microservice How to Model Services? Software Engineering II Sharif University of Technology

Microservice How to Model Services? Software Engineering II Sharif University of Technology

Microservice How to Model Services? Software Engineering II Sharif University of Technology MohammadAmin Fazli Topics What makes a good service? The bounded context Communications in terms of business concepts Reading:

428 views • 16 slides
NDN: an Orchestrated Microservice Architecture for Named Data Networking Xavier MARCHAL,

NDN: an Orchestrated Microservice Architecture for Named Data Networking Xavier MARCHAL,

NDN: an Orchestrated Microservice Architecture for Named Data Networking Xavier MARCHAL, Thibault CHOLEZ, Olivier FESTOR LORIA, UMR 7503 (University of Lorraine, CNRS, INRIA) Vandoeuvre-les-Nancy, F-54506, France September 22, 2018

786 views • 21 slides

More recommend