Slide 1

Slide 1 text

MICRONAUT SECURITY
SERGIO DEL AMO

objectcomputing.com
© 2018, Object Computing, Inc. (OCI). All rights reserved. No part of these notes may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior, written permission of Object Computing, Inc. (OCI)

Slide 2

Slide 2 text

SERGIO DEL AMO
• MICRONAUT / GRAILS OCI TEAM
• GUADALAJARA, SPAIN
• CURATOR OF GROOVYCALAMARI.COM
• PODCAST HOST OF PODCAST.GROOVYCALAMARI.COM
• GREACH Conference organizer
• @SDELAMO
• HTTP://SERGIODELAMO.ES

Slide 3

Slide 3 text

CONTROLLER EXAMPLE

    @Controller("/books")
    public class BookController {

        @Get
        public List<Book> index() {
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 4

Slide 4 text

INSTALLATION

Slide 5

Slide 5 text

SECURITY INSTALLATION

build.gradle

    dependencies {
        ...
        annotationProcessor "io.micronaut:micronaut-security"
        compile "io.micronaut:micronaut-security"
    }

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true

Slide 6

Slide 6 text

SECURED BY DEFAULT

Slide 7

Slide 7 text

Security Filter

Slide 8

Slide 8 text

ANONYMOUS ACCESS

Slide 9

Slide 9 text

@Secured IS_ANONYMOUS

    import io.micronaut.security.annotation.Secured;
    import io.micronaut.security.rules.SecurityRule;

    @Controller("/books")
    public class BookController {

        // Rule applied to this single method: no authentication required.
        @Secured(SecurityRule.IS_ANONYMOUS)
        @Get
        public List<Book> index() {
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 10

Slide 10 text

@Secured IS_ANONYMOUS

    import io.micronaut.security.annotation.Secured;
    import io.micronaut.security.rules.SecurityRule;

    // Rule applied at class level: every route in this controller allows anonymous access.
    @Secured(SecurityRule.IS_ANONYMOUS)
    @Controller("/books")
    public class BookController {

        @Get
        public List<Book> index() {
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 11

Slide 11 text

JSR_250 annotations

    import javax.annotation.security.PermitAll;

    @Controller("/books")
    public class BookController {

        @PermitAll
        @Get
        public List<Book> index() {
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 12

Slide 12 text

INTERCEPT URL MAP

src/main/java/example/micronaut/BookController.java

    @Controller("/books")
    public class BookController {

        @Get
        public List<Book> index() {
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        intercept-url-map:
          - pattern: "/books"
            http-method: GET
            access:
              - isAnonymous()

Slide 13

Slide 13 text

INTERCEPT URL MAP for STATIC RESOURCES

src/main/resources/application.yml

    micronaut:
      router:
        static-resources:
          default:
            enabled: true
            mapping: /static/**
            paths:
              - classpath:public
      security:
        enabled: true
        intercept-url-map:
          - pattern: "/static/logo.png"
            http-method: GET
            access:
              - isAnonymous()

Slide 14

Slide 14 text

BASIC AUTH

Slide 15

Slide 15 text

BASIC AUTH

Slide 16

Slide 16 text

Basic Auth

Slide 17

Slide 17 text

Basic Auth

Slide 18

Slide 18 text

BASIC AUTH

    import javax.inject.Singleton;

    @Singleton
    public class ExampleAuthenticationProvider implements AuthenticationProvider {

        @Override
        public Publisher<AuthenticationResponse> authenticate(AuthenticationRequest authenticationRequest) {
            // Demo only: a single hard-coded identity and secret.
            if (authenticationRequest.getIdentity().equals("user") &&
                    authenticationRequest.getSecret().equals("password")) {
                UserDetails u = new UserDetails((String) authenticationRequest.getIdentity(),
                        Arrays.asList("ROLE_USER"));
                return Flowable.just(u);
            }
            return Flowable.just(new AuthenticationFailed());
        }
    }

curl with basic auth

    $ curl -u name:password http://micronaut.example/books

Slide 19

Slide 19 text

DELEGATING AUTHENTICATION PROVIDER

Slide 20

Slide 20 text

DELEGATING AUTHENTICATION PROVIDER

Slide 21

Slide 21 text

DELEGATING AUTHENTICATION PROVIDER

implementation of UserFetcher

    import javax.inject.Singleton

    @CompileStatic
    @Singleton
    class UserFetcherService implements UserFetcher {

        protected final UserGormService userGormService

        UserFetcherService(UserGormService userGormService) {
            this.userGormService = userGormService
        }

        @Override
        Publisher<UserState> findByUsername(String username) {
            UserState user = userGormService.findByUsername(username) as UserState
            // Emit the user if found, otherwise complete empty.
            (user ? Flowable.just(user) : Flowable.empty()) as Publisher<UserState>
        }
    }

Slide 22

Slide 22 text

DELEGATING AUTHENTICATION PROVIDER

implementation of AuthoritiesFetcher

    package example.micronaut.services

    import io.micronaut.security.authentication.providers.AuthoritiesFetcher
    import io.reactivex.Flowable
    import org.reactivestreams.Publisher
    import javax.inject.Singleton

    @Singleton
    class AuthoritiesFetcherService implements AuthoritiesFetcher {

        protected final UserRoleGormService userRoleGormService

        AuthoritiesFetcherService(UserRoleGormService userRoleGormService) {
            this.userRoleGormService = userRoleGormService
        }

        @Override
        Publisher<List<String>> findAuthoritiesByUsername(String username) {
            Flowable.just(userRoleGormService.findAllAuthoritiesByUsername(username))
        }
    }

Slide 23

Slide 23 text

DELEGATING AUTHENTICATION PROVIDER

implementation of PasswordEncoder

    import io.micronaut.security.authentication.providers.PasswordEncoder
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
    import javax.inject.Singleton

    @Singleton
    class BCryptPasswordEncoderService implements PasswordEncoder {

        org.springframework.security.crypto.password.PasswordEncoder delegate = new BCryptPasswordEncoder()

        String encode(String rawPassword) {
            return delegate.encode(rawPassword)
        }

        @Override
        boolean matches(String rawPassword, String encodedPassword) {
            return delegate.matches(rawPassword, encodedPassword)
        }
    }

build.gradle

    dependencies {
        ...
        compile "org.springframework.security:spring-security-crypto:5.2.5.RELEASE"
    }

Slide 24

Slide 24 text

SESSION BASED AUTHENTICATION

Slide 25

Slide 25 text

Session Auth

Slide 26

Slide 26 text

SESSION AUTH

build.gradle

    dependencies {
        ...
        annotationProcessor "io.micronaut:micronaut-security"
        compile "io.micronaut:micronaut-security-session"
    }

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        session:
          enabled: true

Slide 27

Slide 27 text

SECURITY SESSION CLI INSTALLATION

MICRONAUT SECURITY SESSION

    $ mn create-app my-app --features security-session

Slide 28

Slide 28 text

ENDPOINTS

Slide 29

Slide 29 text

LOGIN CONTROLLER

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        endpoints:
          login:
            enabled: true

Slide 30

Slide 30 text

LOGOUT CONTROLLER

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        endpoints:
          logout:
            enabled: true

Slide 31

Slide 31 text

AUTHENTICATION

Slide 32

Slide 32 text

@Secured IS_AUTHENTICATED

    import io.micronaut.security.annotation.Secured;
    import io.micronaut.security.rules.SecurityRule;

    @Controller("/books")
    public class BookController {

        // Rule applied to this single method: any authenticated user may call it.
        @Secured(SecurityRule.IS_AUTHENTICATED)
        @Get
        public List<Book> index() {
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 33

Slide 33 text

@Secured IS_AUTHENTICATED

    import io.micronaut.security.annotation.Secured;
    import io.micronaut.security.rules.SecurityRule;

    // Rule applied at class level: every route in this controller requires authentication.
    @Secured(SecurityRule.IS_AUTHENTICATED)
    @Controller("/books")
    public class BookController {

        @Get
        public List<Book> index() {
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 34

Slide 34 text

AUTHORIZATION

Slide 35

Slide 35 text

AUTHORIZATION

    import io.micronaut.security.annotation.Secured;

    @Controller("/books")
    public class BookController {

        // Access is granted to users holding any of the listed roles.
        @Secured({"ROLE_ADMIN","ROLE_USER"})
        @Get
        public List<Book> index() {
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 36

Slide 36 text

JSR_250 annotations

    import javax.annotation.security.RolesAllowed;

    @Controller("/books")
    public class BookController {

        @RolesAllowed({"ROLE_ADMIN","ROLE_USER"})
        @Get
        public List<Book> index() {
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 37

Slide 37 text

RETRIEVE CURRENT USER

Slide 38

Slide 38 text

Retrieve the Authenticated User

    import io.micronaut.security.annotation.Secured;
    import io.micronaut.security.rules.SecurityRule;
    import java.security.Principal;
    import javax.annotation.Nullable;

    @Controller("/books")
    public class BookController {

        // Anonymous access is allowed, so the principal may be null.
        @Secured(SecurityRule.IS_ANONYMOUS)
        @Get
        public List<Book> index(@Nullable Principal principal) {
            if (principal != null && principal.getName().equals("Harry Potter")) {
                return Arrays.asList(new Book("9781781102459", "Philosopher's Stone"));
            }
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 39

Slide 39 text

Retrieve the Authenticated User

    import io.micronaut.security.annotation.Secured;
    import io.micronaut.security.rules.SecurityRule;
    import java.security.Principal;

    @Controller("/books")
    public class BookController {

        // Authentication is required, so the principal is always bound.
        @Secured(SecurityRule.IS_AUTHENTICATED)
        @Get
        public List<Book> index(Principal principal) {
            if (principal.getName().equals("Harry Potter")) {
                return Arrays.asList(new Book("9781781102459", "Philosopher's Stone"));
            }
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 40

Slide 40 text

Retrieve the Authenticated User

    import io.micronaut.security.annotation.Secured;
    import io.micronaut.security.authentication.Authentication;
    import io.micronaut.security.rules.SecurityRule;

    @Controller("/books")
    public class BookController {

        @Secured(SecurityRule.IS_AUTHENTICATED)
        @Get
        public List<Book> index(Authentication authentication) {
            if (authentication.getName().equals("Harry Potter")) {
                return Arrays.asList(new Book("9781781102459", "Philosopher's Stone"));
            }
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 41

Slide 41 text

Retrieve the Authenticated User

    import io.micronaut.security.annotation.Secured;
    import io.micronaut.security.authentication.Authentication;
    import io.micronaut.security.rules.SecurityRule;
    import io.micronaut.security.utils.SecurityService;

    @Controller("/books")
    public class BookController {

        private final SecurityService securityService;

        public BookController(SecurityService securityService) {
            this.securityService = securityService;
        }

        @Secured(SecurityRule.IS_AUTHENTICATED)
        @Get
        public List<Book> index() {
            // getAuthentication() returns an Optional, so unwrap it before comparing the name.
            if (securityService.getAuthentication()
                    .map(Authentication::getName)
                    .filter("Harry Potter"::equals)
                    .isPresent()) {
                return Arrays.asList(new Book("9781781102459", "Philosopher's Stone"));
            }
            return Arrays.asList(new Book("1491950358", "Building Microservices"),
                    new Book("1680502395", "Release It!"),
                    new Book("0321601912", "Continuous Delivery"));
        }
    }

Slide 42

Slide 42 text

LDAP

Slide 43

Slide 43 text

LDAP

src/main/resources/application.yml

    micronaut:
      # ...
      security:
        # ...
        ldap:
          default:
            enabled: true
            context:
              server: 'ldap://ldap.forumsys.com:389'
              managerDn: 'cn=read-only-admin,dc=example,dc=com'
              managerPassword: 'password'
            search:
              base: "dc=example,dc=com"
            groups:
              enabled: true
              base: "dc=example,dc=com"

build.gradle

    dependencies {
        ...
        annotationProcessor "io.micronaut:micronaut-security"
        compile "io.micronaut:micronaut-security"
        compile "io.micronaut.configuration:micronaut-security-ldap"
    }

LDAP authentication in Micronaut supports configuration of one or more LDAP servers to authenticate with. Each server has its own settings and can be enabled or disabled.

Slide 44

Slide 44 text

JWT

Slide 45

Slide 45 text

SECURITY JWT INSTALLATION

build.gradle

    dependencies {
        ...
        annotationProcessor "io.micronaut:micronaut-security"
        compile "io.micronaut:micronaut-security-jwt"
    }

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        token:
          jwt:
            enabled: true

Slide 46

Slide 46 text

SECURITY JWT CLI INSTALLATION

MICRONAUT SECURITY JWT

    $ mn create-app my-app --features security-jwt

Slide 47

Slide 47 text

Bearer Token

Slide 48

Slide 48 text

Security Filter

Slide 49

Slide 49 text

LOGIN CONTROLLER
JWT Bearer authentication

Slide 50

Slide 50 text

COOKIE JWT

Slide 51

Slide 51 text

Security Filter

Slide 52

Slide 52 text

LOGIN CONTROLLER
JWT Bearer authentication

Slide 53

Slide 53 text

JWT Signature Generation and Validation

To enable a JWT signature in token generation, you need to have in your app a bean of type RSASignatureGeneratorConfiguration, ECSignatureGeneratorConfiguration, or SecretSignatureConfiguration, qualified with the name generator.

To verify signed JWT tokens, you need to have in your app a bean of type RSASignatureConfiguration, RSASignatureGeneratorConfiguration, ECSignatureGeneratorConfiguration, ECSignatureConfiguration, or SecretSignatureConfiguration.

Slide 54

Slide 54 text

JWT Configuration

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        token:
          jwt:
            enabled: true
            signatures:
              secret:
                generator:
                  secret: pleaseChangeThisSecretForANewOne
                  jws-algorithm: HS256

Slide 55

Slide 55 text

Claims Validation

    Bean                                Description
    ExpirationJwtClaimsValidator        Validate JWT is not expired.
    SubjectNotNullJwtClaimsValidator    Validate JWT subject claim is not null.

io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator
Provide your own!
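
The checks named on the JWT Configuration and Claims Validation slides (HS256 secret signature, expiry, non-null subject), written out as an added example that is not from the slides and is not Micronaut's own implementation. It assumes the Nimbus JOSE+JWT library, from which the deck imports `com.nimbusds.jose.jwk.JWK`, on the classpath; the class `JwtCheckDemo`, its method names and the second secret are hypothetical, and a token with no `exp` claim is accepted here by assumption.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;

// Added example (hypothetical class): sign and validate an HS256 JWT.
public class JwtCheckDemo {

    // Placeholder secret from the slide. HS256 needs at least 256 bits (32 bytes).
    static final byte[] SECRET =
            "pleaseChangeThisSecretForANewOne".getBytes(StandardCharsets.UTF_8);

    // Issue a token the way a login endpoint would: subject + expiry, signed with the secret.
    static String issue(String subject, Date expiry, byte[] secret) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(subject)
                .expirationTime(expiry)
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(secret));
        return jwt.serialize();
    }

    // Validate in the order a resource server should: algorithm, signature, then claims.
    static boolean isValid(String token, byte[] secret) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // Pin the algorithm to the configured one instead of trusting the header.
            if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) {
                return false;
            }
            if (!jwt.verify(new MACVerifier(secret))) {
                return false;                       // signature mismatch
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp != null && !exp.after(new Date())) {
                return false;                       // expired
            }
            return claims.getSubject() != null;     // subject must be present
        } catch (ParseException | JOSEException e) {
            return false;                           // malformed token or unusable key
        }
    }

    public static void main(String[] args) throws Exception {
        Date inOneHour = new Date(System.currentTimeMillis() + 3_600_000L);
        Date oneHourAgo = new Date(System.currentTimeMillis() - 3_600_000L);
        // Constructed second secret, also 32 bytes, standing in for a different signer.
        byte[] otherSecret =
                "anotherSecretThatIsAlso32BytesOk".getBytes(StandardCharsets.UTF_8);

        System.out.println("good token:      " + isValid(issue("user", inOneHour, SECRET), SECRET));
        System.out.println("expired token:   " + isValid(issue("user", oneHourAgo, SECRET), SECRET));
        System.out.println("missing subject: " + isValid(issue(null, inOneHour, SECRET), SECRET));
        System.out.println("wrong secret:    " + isValid(issue("user", inOneHour, otherSecret), SECRET));
    }
}
```

Only the first case is accepted; the other three fail on expiry, subject and signature respectively.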

Slide 56

Slide 56 text

REFRESH CONTROLLER

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        endpoints:
          oauth:
            enabled: true

Slide 57

Slide 57 text

JSON Web Key (JWK)

A JSON Object that represents a cryptographic key. The members of the object represent properties of the key, including its value.

    {
      "kty":"EC",
      "crv":"P-256",
      "kid":"test-personal-node",
      "x":"kdoE0JmUQra00UWJXHBwVvQetJ_L7vXt8nuXkaftKjo",
      "y":"PV7FUShMZ8Jg_kc2vjxgfwswEy26w_vWvVCHAGQ9tEQ"
    }

Slide 58

Slide 58 text

JWK Set

A JSON object that represents a set of JWKs. The JSON object MUST have a "keys" member, which is an array of JWKs.

    {
      "keys": [
        {
          "kty":"EC",
          "crv":"P-256",
          "kid":"123",
          "x":"kdoE0JmUQra00UWJXHBwVvQetJ_L7vXt8nuXkaftKjo",
          "y":"PV7FUShMZ8Jg_kc2vjxgfwswEy26w_vWvVCHAGQ9tEQ"
        }
      ]
    }

Slide 59

Slide 59 text

KEYS CONTROLLER - Expose a JWK Set

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        endpoints:
          keys:
            enabled: true

    import com.nimbusds.jose.jwk.JWK;
    import io.micronaut.security.token.jwt.endpoints.JwkProvider;
    import javax.inject.Singleton;
    import java.text.ParseException;

    @Singleton
    class ExampleJwkProvider implements JwkProvider {

        @Override
        List<JWK> retrieveJsonWebKeys() {
            try {
                // Public key only: the JWK carries x and y, not the private member d.
                return [JWK.parse('''
                    {
                      "kty":"EC",
                      "crv":"P-256",
                      "kid":"123",
                      "x":"kdoE0JmUQra00UWJXHBwVvQetJ_L7vXt8nuXkaftKjo",
                      "y":"PV7FUShMZ8Jg_kc2vjxgfwswEy26w_vWvVCHAGQ9tEQ"
                    }''')]
            } catch (ParseException e) {
                return [] as List<JWK>
            }
        }
    }

Slide 60

Slide 60 text

KEYS CONTROLLER

    $ curl localhost:8080/keys
    {"keys":[{"kty":"EC","crv":"P-256","kid":"test-personal-node","x":"kdoE0JmUQra00UWJXHBwVvQetJ_L7vXt8nuXkaftKjo","y":"PV7FUShMZ8Jg_kc2vjxgfwswEy26w_vWvVCHAGQ9tEQ"}]}

Slide 61

Slide 61 text

REMOTE JWKS VALIDATION

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        token:
          jwt:
            enabled: true
            signatures:
              jwks:
                securityservice:
                  url: "http://localhost:8081/keys"
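
What validating against a published JWK Set involves, as an added example that is not from the slides and is not Micronaut's own code: the issuer publishes only the public half of its EC key, and the validator selects the key by the token's `kid` and verifies the ES256 signature. It assumes a Nimbus JOSE+JWT release that includes `ECKeyGenerator`; the class `JwksValidationDemo`, its method names and the freshly generated keys are constructed for the demonstration.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.text.ParseException;

// Added example (hypothetical class): verify a token against a JWK Set by key id.
public class JwksValidationDemo {

    // Issuer side: sign with the private key and name it in the "kid" header.
    static String sign(ECKey privateKey, String kid, String subject) throws JOSEException {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.ES256).keyID(kid).build();
        SignedJWT jwt = new SignedJWT(header, new JWTClaimsSet.Builder().subject(subject).build());
        jwt.sign(new ECDSASigner(privateKey));
        return jwt.serialize();
    }

    // Validator side: jwksJson is the body a /keys endpoint would return.
    static boolean verifyAgainstJwks(String token, String jwksJson) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            if (!JWSAlgorithm.ES256.equals(jwt.getHeader().getAlgorithm())) {
                return false;                       // unexpected algorithm
            }
            JWK jwk = JWKSet.parse(jwksJson).getKeyByKeyId(jwt.getHeader().getKeyID());
            if (!(jwk instanceof ECKey)) {
                return false;                       // unknown kid or wrong key type
            }
            return jwt.verify(new ECDSAVerifier((ECKey) jwk));
        } catch (ParseException | JOSEException e) {
            return false;                           // malformed token or JWK Set
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pairs; "123" mirrors the kid used on the JWK Set slide.
        ECKey issuerKey = new ECKeyGenerator(Curve.P_256).keyID("123").generate();
        ECKey strangerKey = new ECKeyGenerator(Curve.P_256).keyID("999").generate();

        // Publish only the public half, as the keys endpoint does.
        String jwksJson = new JWKSet(issuerKey.toPublicJWK()).toString();
        System.out.println("published JWK Set: " + jwksJson);

        String good = sign(issuerKey, "123", "user");
        String unknownKid = sign(strangerKey, "999", "user");
        String spoofedKid = sign(strangerKey, "123", "user");

        System.out.println("issuer token:      " + verifyAgainstJwks(good, jwksJson));
        System.out.println("unknown kid:       " + verifyAgainstJwks(unknownKid, jwksJson));
        System.out.println("spoofed kid:       " + verifyAgainstJwks(spoofedKid, jwksJson));
    }
}
```

Only the issuer's token verifies. The printed JWK Set contains `x` and `y` but no private `d` member, which is what makes it safe to expose.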

Slide 62

Slide 62 text

SECURITY EVENTS

Slide 63

Slide 63 text

Security Events

    Event Name                    Description
    LoginFailedEvent              Triggered when an unsuccessful login takes place.
    LoginSuccessfulEvent          Triggered when a successful login takes place.
    LogoutEvent                   Triggered when the user logs out.
    TokenValidatedEvent           Triggered when a token is validated.
    AccessTokenGeneratedEvent     Triggered when a JWT access token is generated.
    RefreshTokenGeneratedEvent    Triggered when a JWT refresh token is generated.

    @Singleton
    class LogoutFailedEventListener implements ApplicationEventListener<LogoutEvent> {

        @Override
        void onApplicationEvent(LogoutEvent event) {
            println "received logout event"
        }
    }

Slide 64

Slide 64 text

TOKEN PROPAGATION

Slide 65

Slide 65 text

Token Propagation

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        token:
          jwt:
            enabled: true
          writer:
            header:
              enabled: true
          propagation:
            enabled: true
            service-id-regex: "recommendations|catalogue|inventory"

Slide 66

Slide 66 text

MICRONAUT OAUTH 2

https://micronaut-projects.github.io/micronaut-security/snapshot/guide/#oauth

Slide 67

Slide 67 text

OAUTH 2

build.gradle

    dependencies {
        ...
        annotationProcessor "io.micronaut:micronaut-security"
        compile "io.micronaut:micronaut-security"
        compile "io.micronaut.configuration:micronaut-oauth2:1.0.0.BUILD-SNAPSHOT"
    }

Slide 68

Slide 68 text

authorization code flow - OpenID Connect

Slide 69

Slide 69 text

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

Slide 70

Slide 70 text


Slide 71

Slide 71 text

OAUTH 2

Slide 72

Slide 72 text

Open ID Connect Configuration

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        oauth2:
          enabled: true
          clients:
            cognito:
              client-secret: '${OAUTH_CLIENT_SECRET}'
              client-id: '${OAUTH_CLIENT_ID}'
              openid:
                issuer: 'https://cognito-idp.${AWS_REGION}.amazonaws.com/${COGNITO_POOL_ID}'

Slide 73

Slide 73 text

authorization code flow - Oauth 2.0

Slide 74

Slide 74 text


Slide 75

Slide 75 text

Oauth Configuration

src/main/resources/application.yml

    micronaut:
      security:
        enabled: true
        oauth2:
          enabled: true
          clients:
            github:
              client-id: <>
              client-secret: <>
              scopes:
                - user:email
                - read:user
              authorization:
                url: https://github.com/login/oauth/authorize
              token:
                url: https://github.com/login/oauth/access_token
                auth-method: client-secret-post

Slide 76

Slide 76 text

Grant type password

Slide 77

Slide 77 text


Slide 78

Slide 78 text


Slide 79

Slide 79 text

Oauth Configuration

src/main/resources/application.yml

    micronaut:
      security:
        # …
        oauth2:
          # …
          clients:
            github:
              grant-type: password

Slide 80

Slide 80 text

Logout

Slide 81

Slide 81 text


Slide 82

Slide 82 text

Oauth Configuration

src/main/resources/application.yml

    micronaut:
      security:
        # …
        endpoints:
          logout:
            enabled: true
            get-allowed: true

Slide 83

Slide 83 text

SAMPLES

Slide 84

Slide 84 text

Micronaut Guides

Guides
• Micronaut Basic Auth
• Session based Authentication
• Micronaut JWT Authentication
• Micronaut JWT Authentication with Cookies
• LDAP and Database authentication Providers
• Micronaut Token Propagation
• Secure a Micronaut app with Okta

https://guides.micronaut.io/tags/security.html

Slide 85

Slide 85 text

Questions?

Slide 86

Slide 86 text

CONNECT WITH US
1+ (314) 579-0066
@objectcomputing
objectcomputing.com