2. Who
Software Engineer
Works on Spring Boot & Cloud, WildFly Swarm, Fabric8
Mountain Biker, Belgian Beer Fan
Blog: http://cmoulliard.github.io
Twitter: @cmoulliard
Email: cmoulliard@redhat.com
15. Camel Endpoint
Goal: extract from the HTTP request the info needed to authenticate a user
How: use a Camel Policy to wrap the Route / Pipeline with a new processor
Camel Example
public class ShiroSecurityPolicy implements AuthorizationPolicy {
    // Wrap the route's processor so the security check runs before it
    public Processor wrap(RouteContext routeContext, final Processor processor) {
        return new ShiroSecurityProcessor(processor, this);
    }
    ...
}
// In the wrapping ShiroSecurityProcessor: the policy is applied to every exchange
@Override
public boolean process(Exchange exchange, AsyncCallback callback) {
    try {
        applySecurityPolicy(exchange);
        ...
16. CXF Endpoint
How: use the JAX-RS ContainerRequestFilter interface (relies on CXF interceptors)
CXF Example
@Provider
@PreMatching // runs before the request is matched to a resource method
public class SecurityRequestFilter implements ContainerRequestFilter {
    @Override
    public void filter(final ContainerRequestContext requestContext)
            throws IOException {
        ...
19. HTTP Handler
How: apply constraints on web resource path(s), e.g.
GET /rest/accountservice/account for User
POST /webservices/customerservices/customer for Admin
Designed using JAAS (JDBC, LDAP, Properties)
Could use Roles
20. Jetty Example
Goal: restrict or allow access to resources
How: the requested URL is matched against one of the rule(s)
Example
Constraint constraint = new Constraint();
constraint.setRoles(new String[] { "user", "admin" });
// Without authenticate=true Jetty ignores the roles and the path stays open
constraint.setAuthenticate(true);
ConstraintMapping mapping = new ConstraintMapping();
mapping.setPathSpec("/say/hello/*");
// Applies to GET only; other verbs on this path need their own mapping
mapping.setMethod("GET");
mapping.setConstraint(constraint);
21. Login Auth Example
// Describe the Authentication Constraint to be applied (BASIC, DIGEST, NEGOTIATE, ...)
Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, "user");
constraint.setAuthenticate(true);
// Map the Auth Constraint with a Path
ConstraintMapping cm = new ConstraintMapping();
cm.setPathSpec("/*");
cm.setConstraint(constraint);
// Users, passwords and roles are loaded from a properties file
HashLoginService loginService = new HashLoginService("MyRealm", "myrealm.props");
ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
sh.setAuthenticator(new BasicAuthenticator());
// setConstraintMappings() expects a List; add the single mapping instead
sh.addConstraintMapping(cm);
sh.setLoginService(loginService);
22. JAXRS @Roles
Goal: allow/deny access to resources
How: using the @RolesAllowed annotation
Example
@Path("projects")
@Produces("application/json")
public class ProjectsResource {
    @POST
    // Only enforced when the runtime processes security annotations (e.g. CXF's SecureAnnotationsInterceptor)
    @RolesAllowed("manager")
    public Project createProject(final Project project) { ... }

    @GET
    @Path("{id}")
    public Project getProject(@PathParam("id") final Long id) { ... }
}
28. Api Man
Goal: externalize/delegate endpoint security to the API gateway
How: the API gateway acts as a Proxy/Gateway matching:
Incoming requests against 1..many policies
Delivering requests to the target endpoint if validation succeeds
33. Api Man - Basic Auth
How: associate a Policy using the Basic Auth Plugin to an endpoint
policyJsonConfig carries the plugin's own configuration as an escaped JSON string.
"contracts" : [
  {
    "apiOrgId" : "Policy_BasicAuthStatic",
    "apiId" : "echo",
    "apiVersion" : "1.0.0",
    "policies" : [
      {
        "policyImpl" : "class:io.apiman.gateway.engine.policies.BasicAuthenticationPol...",
        "policyJsonConfig" : "{ \"realm\" : \"Test\", \"forwardIdentityHttpHeader\" : ... }"
      }
    ]
  }
]
34. Api Man - OpenID Connect
Goal: authenticate a user using an Identity Provider to get a token used for SSO purposes
Authentication between Client and Identity Provider: public, secret or PKI
JSON Web Token:
Compact token format
Encodes the claims to be transmitted
Base64url encoded and digitally signed and/or encrypted
36. Role Mapping
Goal: restrict/allow access to an application based on an Authorization Rule
How: define a collection of Authorization rules (as below), combined with an Auth Plugin (Keycloak, Basic, ...)
Path  Verb  Role required
.*    PUT   Writer
.*    GET   Reader
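Added example, not from the slides or from apiman's own code: a JAX-RS ContainerRequestFilter (the mechanism from the CXF slide) that enforces the rule table above once the Auth Plugin has populated the SecurityContext. The filter class, its Rule type and the choice to deny requests that match no row are assumptions made here.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Hypothetical filter enforcing the Path / Verb / Role table from the slide.
// Runs at AUTHORIZATION priority, i.e. after the auth plugin has set the identity.
@Provider
@Priority(Priorities.AUTHORIZATION)
public class RoleMappingFilter implements ContainerRequestFilter {
    // One row of the table: path regex, HTTP verb, role required
    static final class Rule {
        final Pattern path; final String verb; final String role;
        Rule(String pathRegex, String verb, String role) {
            this.path = Pattern.compile(pathRegex); this.verb = verb; this.role = role;
        }
    }
    static final List<Rule> RULES = Arrays.asList(
            new Rule(".*", "PUT", "Writer"),
            new Rule(".*", "GET", "Reader"));

    // Role required for this verb/path, or null when no row matches (first match wins)
    static String requiredRole(String verb, String path) {
        for (Rule r : RULES) {
            if (r.verb.equalsIgnoreCase(verb) && r.path.matcher(path).matches()) {
                return r.role;
            }
        }
        return null;
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        SecurityContext sc = ctx.getSecurityContext();
        String role = requiredRole(ctx.getMethod(), "/" + ctx.getUriInfo().getPath());
        if (sc == null || sc.getUserPrincipal() == null) {
            // No identity: the auth plugin did not authenticate this request
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        } else if (role == null || !sc.isUserInRole(role)) {
            // Deny by default: no matching row, or the user lacks the required role
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

With this table a DELETE matches no row and is rejected with 403 even for an authenticated user; add a row (or an explicit allow rule) before exposing a new verb.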
38. Conclusions
Pros
Centralized governance/policy configuration
Loose coupling
Tracking of APIs and of the consumers of those APIs
Gathering statistics/metrics
Service Discovery
Simplified security audit
Cons
Performance
A new architecture brick to deploy and operate
Features limited to the plugins available