stateless microservice security via
play

Stateless Microservice Security via QCON SP JWT, TomEE and - PowerPoint PPT Presentation

Mar 14, 2023 •20 likes •820 views

Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe Why am I here today? QCON SP Microservices architecture case Security opEons OAuth2

  1. Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  2. Why am I here today? QCON SP Microservices architecture case Security opEons OAuth2 with JWT HTTP Signatures Demo with MP-JWT and TomEE #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  3. Microservices QCON SP (SOA with a sexy name) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  4. TradiEonal system Component A Component B QCON SP System (Monolithic) Component D Component C #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  5. … with tradiEonal scalability QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  6. … with tradiEonal scalability QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  7. … with tradiEonal scalability QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  8. … with tradiEonal scalability QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  9. … and its tradiEonal security QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  10. What to expect from microservices? • The technical perspec/ve QCON SP • The organiza/onal perspec/ve #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  11. Microservices - the technical perspecEve • Cloud QCON SP • Containers • Virtualiza/on • Large scale #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  12. The organizaEonal perspecEve • Agile methodology QCON SP • Small teams • HR / organiza/onal changes free #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  13. But there are new challenges • Scalability QCON SP • Cost reduc/on • Resilience • Monitoring • Security #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  14. Baseline Architecture QCON SP 1000 users 4 hops x 3 TPS 3000 TPS 12000 TPS frontend backend #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  15. Microservices security opEons QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  16. OpEons • Basic Auth QCON SP • OAuth2 • OpenID Connect • JWT - Facebook / Google way • HTTP Signatures - Amazon way • « In-house » solu/ons • And many more … #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  17. “The nice thing about standards is you have so many to choose from .” QCON SP - Andrew S. Tanenbaum #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  18. Basic Auth QCON SP (and its problems) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  19. Basic Auth Message POST /painter/color/object HTTP/1.1 Host: localhost:8443 QCON SP Authorization: Basic c25vb3B5OnBhc3M= User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"b":255,"g":0,"name":"blue","r":0}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  20. Basic Auth QCON SP username+password (no auth) Base64 Password Sent 3000 TPS 12000 TPS (HTTP+SSL) (HTTP) 3000 TPS (LDAP) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  21. Basic Auth QCON SP username+password username+password Base64 Base64 Password Sent Password Sent 3000 TPS 12000 TPS (HTTP+SSL) (HTTP) 15000 TPS (LDAP) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  22. Basic Auth - ATacks Valid QCON SP Password Sent 3000 TPS (HTTP+SSL) No auth Invalid 12000 TPS Password Sent 6000 TPS (HTTP) (HTTP+SSL) 9000 TPS (LDAP) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  23. OAuth 2.0 QCON SP (and its problems) #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  24. The theory behind it QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  25. Based on tokens QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  26. Based on tokens QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  27. Based on tokens QCON SP #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  28. OAuth 2 - Password Grant (LDAP) POST /oauth2/token Verify Host: api.superbiz.io User-Agent: curl/7.43.0 Password QCON SP Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Generate Cache-Control: no-store Token Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "expires_in":3600, (Token Store) "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", } #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  29. OAuth 2.0 Message POST /painter/color/object HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":0,"b":255,"name":"blue"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  30. OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":255,"b":0,"name":"green"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  31. OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  32. OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  33. OAuth 2.0 Message POST /painter/color/stroke HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":255,"g":200,"b":255,"name":"orange"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  34. QCON SP 401 #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  35. OAuth 2 - Refresh Grant (LDAP) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 QCON SP Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA HTTP/1.1 200 OK Verify and Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Generate Pragma: no-cache Token { "access_token":"6Fe4jd7TmdE5yW2q0y6W2w", "expires_in":3600, (Token Store) "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e", } #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  36. Old pair • Access Token 2YotnFZFEjr1zCsicMWpAA QCON SP • Refresh Token tGzv3JOkF0XG5Qx2TlKWIA New pair • Access Token 6Fe4jd7TmdE5yW2q0y6W2w • Refresh Token hyT5rw1QNh5Ttg2hdtR54e #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  37. OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 46 {"color":{"r":0,"g":255,"b":0,"name":"green"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  38. OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

  39. OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io QCON SP Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}} #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

EclipseCon France Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe EclipseCon France Why am I here today? Microservices architecture case

1.26k views • 69 slides
Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http:/ /safestack.io caution: fast paced field ahead watch for out of date

1.06k views • 66 slides
IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad

IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad

IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad AlSadeh, Hosnieh Rafiee, Christoph Meinel Hasso-Plattner-Institut, University of Potsdam, Germany IPv6 StateLess Address Auto- Configuration

330 views • 20 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas

Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas

Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at University of Potsdam, Germany Motivation EPA the legacy system

1.28k views • 30 slides
API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb.

API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb.

API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb. 28, 2018 Agenda Purpose and Goals Background Current Approaches - Network-level Controls - Application-level Controls - Emerging

785 views • 43 slides
Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation Experience Sharing Ivan Hsieh P .1 Agenda Microservice Architecture How to break a Monolith into Microservices

519 views • 36 slides
CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote "Using Docker" for O'Reilly 40% Discount with AUTHD code Free Docker Security minibook http://www.oreilly.com/webops-perf/free/docker-

1.06k views • 68 slides
CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF Fingerprinting Tester https://panopticlick.eff.org 3 Panopticlick Testing 4 IE Brave Fingerprinting Components 5

1.28k views • 78 slides
PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3 PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3 PROBLEM CORRECT MICROSERVICE ARCHITECTURE

736 views • 61 slides
Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis Gkikopoulos, PhD student and research assistant, ZHAW and UNINE, Switzerland The Microservice Pattern An increasingly prevalent approach to

300 views • 15 slides
Probably the worlds best stateless traffic generation and analysis platform 2 1 2 4 5 6

Probably the worlds best stateless traffic generation and analysis platform 2 1 2 4 5 6

1 Probably the worlds best stateless traffic generation and analysis platform 2 1 2 4 5 6 3 OVERVIEW TYPES OF TESTS HARDWARE SOFTWARE AUTOMATION KEY FEATURES LEARN MORE 3 OVERVIEW Valkyrie is a full-featured stateless traffic

720 views • 43 slides
Probably the worlds best stateless Ethernet traffic generation and analysis platform 2 1 2

Probably the worlds best stateless Ethernet traffic generation and analysis platform 2 1 2

1 Probably the worlds best stateless Ethernet traffic generation and analysis platform 2 1 2 4 5 6 3 OVERVIEW TYPES OF TESTS HARDWARE SOFTWARE AUTOMATION KEY FEATURES LEARN MORE 3 OVERVIEW Valkyrie is a full-featured stateless

805 views • 43 slides
Towards TVF 4 TVF 3 TVF 2 TVF 1 r log(Packet Value) r + D 3 D 3 r + D 3 + D 2 Core-Stateless

Towards TVF 4 TVF 3 TVF 2 TVF 1 r log(Packet Value) r + D 3 D 3 r + D 3 + D 2 Core-Stateless

Towards TVF 4 TVF 3 TVF 2 TVF 1 r log(Packet Value) r + D 3 D 3 r + D 3 + D 2 Core-Stateless Fairness D 2 r + D 3 + D 2 + D 1 D 1 on Multiple Timescales 1 2 3 4 5 6 7 log(Throughput) Szilveszter Ndas(Ericsson Research) Gerg Gombos,

1.1k views • 20 slides
Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1 , Guillaume

Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1 , Guillaume

Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1 , Guillaume Endignoux 2 Wednesday 18 th April, 2018 1 Kudelski Security 2 Work done while at Kudelski Security and EPFL 1 Hash-based signatures What are hash-based

370 views • 36 slides
Armeria Armeria A Microservice Framework A Microservice Framework Well-suited Everywhere

Armeria Armeria A Microservice Framework A Microservice Framework Well-suited Everywhere

Armeria Armeria A Microservice Framework A Microservice Framework Well-suited Everywhere Well-suited Everywhere Trustin Lee, LINE Oct 2019 @armeria_project line/armeria A microservice framework, again? @armeria_project line/armeria

643 views • 50 slides
RSA Authentication Manager 8.2 Over 25,000 customers 50 60 million active tokens in

RSA Authentication Manager 8.2 Over 25,000 customers 50 60 million active tokens in

RSA Authentication Manager 8.2 Over 25,000 customers 50 60 million active tokens in circulation 10 million units shipped per year More than 50% market share RSA Ready Partner Program: 400 Partners with Native SecurID Integration THE

226 views • 20 slides
Bharosa Acquisition Announcement Delivers next generation of risk-based access management July

Bharosa Acquisition Announcement Delivers next generation of risk-based access management July

Bharosa Acquisition Announcement Delivers next generation of risk-based access management July 18, 2007 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be

235 views • 20 slides
EM EMVS Nationa nal Bl Bluepri rint System A Technical Overview for Pharmacies and

EM EMVS Nationa nal Bl Bluepri rint System A Technical Overview for Pharmacies and

EM EMVS Nationa nal Bl Bluepri rint System A Technical Overview for Pharmacies and Wholesalers Charles Young Lo Local System De Desig ign Lo Local User r Authori risation NBS does not authenticate or authorise local users for

357 views • 15 slides
CryptoMate64 Cryptographic USB Token A Product Presentation www.acs.com.hk Rundown 1. Product

CryptoMate64 Cryptographic USB Token A Product Presentation www.acs.com.hk Rundown 1. Product

CryptoMate64 Cryptographic USB Token A Product Presentation www.acs.com.hk Rundown 1. Product Overview 2. Product Features 3. Comparison Charts 4. Product Applications 5. Related Products 6. Q & A 2 Product Overview 3

552 views • 19 slides
? Group 6 ? ? CPU ? CPU Memory We want multiple processors to share memory

? Group 6 ? ? CPU ? CPU Memory We want multiple processors to share memory

Shared Memory Architecture Shared Memory Bus for Multiprocessor Systems Memory CPU ? Mat Laibowitz and Albert Chiou ? ? ? ? Group 6 ? ? CPU ? CPU Memory We want multiple processors to share memory Question: How do we

286 views • 5 slides
Digital Coin Offerings: New SEC Guidance on Registration of Blockchain Tokens as Securities

Digital Coin Offerings: New SEC Guidance on Registration of Blockchain Tokens as Securities

Presenting a live 90-minute webinar with interactive Q&A Digital Coin Offerings: New SEC Guidance on Registration of Blockchain Tokens as Securities TUESDAY, OCTOBER 3, 2017 1pm Eastern | 12pm Central | 11am Mountain | 10am

516 views • 26 slides
dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh,

dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh,

dCache Storage Resource Manager introduction Timur Perelmutov For the dCache team Edinburgh, November 2007 Nov 13-14, 2007, Edinburgh SRM 2.2 Workshop 1 Project Topology : The Team Head of dCache.ORG Head of Development FNAL : Timur

281 views • 11 slides
Contextual Access and Multi-Factor Authentication Lessons learned on getting past single-factor

Contextual Access and Multi-Factor Authentication Lessons learned on getting past single-factor

Conference 2018 Contextual Access and Multi-Factor Authentication Lessons learned on getting past single-factor authentication! Panelists Corey Scholefield - Team Lead, Identity Services Wendy Blake Director, Network and Technical Services

519 views • 33 slides

More recommend