Chapter 7. Securing your microservices


This chapter covers

  • Learning why security matters in a microservice environment
  • Understanding the OAuth2 standard
  • Setting up and configuring a Spring-based OAuth2 service
  • Performing user authentication and authorization with OAuth2
  • Protecting your Spring microservice using OAuth2
  • Propagating your OAuth2 access token between services

Security. The mention of the word will often cause an involuntary groan from the developer who hears it. You’ll hear them mutter and curse under their breath, “It’s obtuse, hard to understand, and even harder to debug.” Yet you won’t find any developer (except maybe for inexperienced developers) say that they don’t worry about security.

A secure application involves multiple layers of protection, including

  • Ensuring that the proper user controls are in place so that you can validate that a user is who they say they are and that they have permission to do what they’re trying to do
  • Keeping the infrastructure the service is running on patched and up-to-date to minimize the risk of vulnerabilities
  • Implementing network access controls so that a service is only accessible through well-defined ports and accessible to a small number of authorized servers

7.1. Introduction to OAuth2


7.2. Starting small: using Spring and OAuth2 to protect a single endpoint


7.2.1. Setting up the EagleEye OAuth2 authentication service


7.2.2. Registering client applications with the OAuth2 service


7.2.3. Configuring EagleEye users


7.2.4. Authenticating the user


7.3. Protecting the organization service using OAuth2


7.3.1. Adding the Spring Security and OAuth2 jars to the individual services


7.3.2. Configuring the service to point to your OAuth2 authentication service


7.3.3. Defining who and what can access the service


7.3.4. Propagating the OAuth2 access token


7.4. JavaScript Web Tokens and OAuth2


7.4.1. Modifying the authentication service to issue JavaScript Web Tokens


7.4.2. Consuming JavaScript Web Tokens in your microservices


7.4.3. Extending the JWT Token


7.4.4. Parsing a custom field out of a JavaScript token


7.5. Some closing thoughts on microservice security


Use HTTPS/Secure Sockets Layer (SSL) for all service communication


Use a services gateway to access your microservices


Zone your services into a public API and private API


Limit the attack surface of your microservices by locking down unneeded network ports


7.6. Summary
