Implementing Microservices Security Patterns & Protocols

~ Adib Saikali ~ Leave a comment
Nov 13 2018 Talk @ Devoxx Belgium

A video of my talk Implementing Microservices Security Patterns & Protocols with my friend Joe Grandja on Nov 13 2018 at Devoxx Belgium.

Abstract:

Building secure microservices requires mastering a variety of patterns, protocols, frameworks, and technologies. This deep dive provides a holistic end-to-end view of how to secure microservices using industry standard protocols and Spring. The goal is to present how standards such as JWT, JWA, JWS, JWE, JWK, OAuth2, OpenID Connect, TLS can be combined to make writing secure microservices easy.

The deep dive will alternate between slides that explain the security standards and protocols and code walkthroughs/live coding showing how to apply the patterns and standards using Spring Security 5.1. We will demonstrate the following patterns and their implementations.

  • Web SSO Login
  • Implementing OAuth2 resource servers
  • Implementing edge service gateways
  • Token Exchange in a microservice call chain
  • Token Relay in a microservice call chain
  • Integration with OpenID Connect / OAuth2 Servers
  • Features of Spring Security 5.1 that make it easier to secure microservices

We assume no prior experience with security standards or Spring Security. However, we assume that you are comfortable reading Java code and web development.

Microservices Security Patterns & Protocols with Spring & PCF

~ Adib Saikali ~ Leave a comment
September 26 2018 Talk @ Spring One Platform

A video of my talk at Microservices Security Patterns & Protocols with Spring & PCF on September 26 2018 at Spring One Platform Conference in Washington DC.

Abstract:

This introductory talk introduces the patterns and protocols used to secure microservices. The goal is to present how standards such as JWT, JWA, JWS, JWE, JWK, OAuth2, OpenId Connect, and others can be combined to make writing secure microservices easy. The patterns and protocols will be illustrated with a demo application build using Spring & PCF. The goal is to demonstrate how to make writing secure microservices easier.

Storing JKS files in Spring Cloud Config Sever

~ Adib Saikali ~ Leave a comment

A customer asked me how they can store a JKS file with certificates in a spring cloud config server, retrieve it on application startup and use it to setup a a Java SSLContext for doing mutual TLS with a backend system, that was using self signed certificates.

The config server can’t store binary files, so you have to first encode the JKS file as a base64 string, put in the config server then pull it at startup with regular Spring @Value annotation which is then used to setup the context. I created a sample application which you can find at https://github.com/asaikali/mtls-demo

Test Driven Development for Microservices Using Spring Cloud Contracts & Cloud Foundry

~ Adib Saikali ~ Leave a comment
April 19 2018 Talk @ Cloud Foundry Summit Boston

A video of my talk Test Driven Development for Microservices Using Spring Cloud Contracts & Cloud Foundry with my colleague Reshmi Krishna On April 19 2018 at Cloud Foundry Summit in Boston.

Abstract:

Test Driven Development for Microservices Using Spring Cloud Contracts & Cloud Foundry – Reshmi Krishna & Adib Saikali, Pivotal

TDD introduced many improvements into the development process, but in our opinion the biggest impact relates to code design. Looking at the code from the usage perspective (by first writing an acceptance test) allows us to focus on usability rather than concrete implementation. Unfortunately, we usually rest on our laurels not trying to uplift this practice to the architecture level.

Consumer driven contracts (CDC) are like TDD applied to the API. It’s especially important in the world of microservices. Since it’s driven by consumers, it’s much more user friendly. Of course microservices are really cool, but most people do not take into consideration plenty of potential obstacles that should be tackled. Then instead of frequent, fully automated deploys via a delivery pipeline, you might end up in an asylum due to frequent mental breakdowns caused by production disasters.

This presentation will show you how you can use the Spring Cloud Contracts to have a fully automated solution to a consumer driven testing disasters. We will then deploy all these applications to Cloud Foundry. At the end, you will see how easy is it to write applications that have a consumer driven API and that will allow a developer to speed up the time of writing his better quality software.

Consumer Driven Contracts and Your Microservice Architecture

~ Adib Saikali ~ Leave a comment

Video of my talk Consumer Driven Contracts and Your Microservice Architecture co-delivered with my friend Marcin Grzejszczak at Spring One Platform 2017

Abstract:

Consumer driven contracts (CDC) are like TDD applied to the API. It’s especially important in the world of microservices. Since it’s driven by consumers, it’s much more user friendly. Of course microservices are really cool, but most people do not take into consideration plenty of potential obstacles that should be tackled. Then instead of frequent, fully automated deploys via a delivery pipeline, you might end up in an asylum due to frequent mental breakdowns caused by production disasters.

We will write a system using the CDC approach together with Spring Boot, Spring Cloud Contract verifier. We’ll show you how easy it is to write applications that have a consumer driven API and that will allow a developer to speed up the time of writing his better quality software.