Microservices? Mit Sicherheit! (W-Jax16)

Transcript

1. Microservices? Mit Sicherheit! Claus Straube, IT Architekt für Anwendungsentwicklung

2. None
3. None
4. None
5. None
6. None
7. None

8. System (Monolith) WAF HTTPS

9. System (Monolith) WAF HTTPS

10. System (Monolith) WAF HTTPS

11. None

12. Eoin Woods @eoinwoodz

13. None

14. Separate responsibilities

15. System (Monolith) WAF HTTPS

16. System (Monolith) WAF HTTPS

17. MS WAF HTTPS MS MS MS MS MS

18. Never invent security technology

19. SC WAF HTTPS SC SC SC SC SC

20. WAF HTTPS

21. None

22. Proxy WAF HTTPS OAuth MS MS MS MS

23. Proxy WAF HTTPS OAuth MS MS MS MS Resource Owner

    Client Authorization Server Protected Resource OAuth2 Terms

24. Proxy WAF HTTPS OAuth MS MS MS MS Access Token

    OAuth2 Terms 1e89e206­5845­49b5­9172­5674c7faf4cd

25. Client redirects user agent to authorization endpoint User agend loads

    authorization endpoint Resource owner authenticates to authorization server Resource owner authorizes client Authorization server redirects user agent to client with authorization code User agent loads redirect URI at client with authorization code Authorization endpoint

26. Client sends authorization code and its own credentials to token

    endpoint Authorization server sends access token to client Token endpoint Client sends access token to protected resource Protected resource returns resource to client

27. „Bin ich schon drin?“

28. None

29. Client MS1 MS2 Http request Http request

30. Client MS1 MS2 Http request Http request zu testender Artefakt

31. RestTemplate Mock MS1 @RestController @Service

32. RestTemplate Mock MS1 @RestController @Service OAuth2 Kein OAuth2

33. OAuthRestTemp Mock MS1 @RestController @Service OAuth2 Kein OAuth2 OAuth Access

    Token Principal Testkontext

34. OAuthRestTemp Mock MS1 @RestController @Service OAuth2 Kein OAuth2 OAuth Access

    Token Principal RestTemplate Testkontext

35. Assign the least privilege possible

36. Authorization Peter Paul Mary

37. Authorization Domain „X“ Peter Paul Mary „Official“ „Senior Official“ „Admin“

38. Roles Permissions User „Sen. Official“ „Perm A“ „Perm B“ „Perm

    C“

39. Authorization Domain „X“ Peter Paul Mary „Official“ „Senior Official“ „Admin“

    OAuth Server User Endpoint

40. Authorization Server

41. Microservice

42. VORSICHT! Microservice

43. Cross Domain Authorization Domain „Customer Care“ Domain „Billing“ Domain „Time

    Tracking“ „Official“ „Sen. Official“ „Admin“ „Official“ „Admin“ „Staff“ „Viewer“ „Staff“ „Staff“

44. Roles Permissions User „Sen. Official“ „Viewer“ „Staff“ „Perm A“ „Perm

    B“ „Perm C“ „Perm B“ „Perm C“ „Perm B“

45. Cross Domain Authorization Domain „Customer Care“ Domain „Billing“ Domain „Time

    Tracking“ „Official“ „Sen. Official“ „Admin“ „Official“ „Admin“ „Staff“ „Viewer“ „Staff“ „Staff“ OAuth Server User Endpoint

46. Fail securely & use secure defaults

47. None
48. None

49. Audit sensitive events

50. None
51. None
52. None

53. Proxy OAuth MS MS MS MS

54. Proxy OAuth MS MS MS MS Sensor

55. Proxy OAuth MS MS MS MS Sensor

56. None
57. None
58. None

59. Client MS1 MS2 Demo Setup Http request User Endpoint OAuth

    Server Token Endpoint Auth. Endpoint Http request

60. Demo Setup User Endpoint OAuth Server Token Endpoint Auth. Endpoint

    MS1 MS2 Http request Http request

61. Requests for token with basic authentication UE TE MS1 MS2

    Requests /hello with OAuth token Request for principal with Oauth token Requests /hello with OAuth token Response /hello Request for principal with Oauth token Response /hello

62. Demo!

63. github.com/xdoo/oauth2_password_flow_sample

64. speakerdeck.com/xdoo/microservices-mit-sicherheit-w-jax16

65. Claus Straube Landeshauptstadt München it@M Agnes-Pockels-Bogen 21 80992 München claus.straube(at)muenchen.de

    https://plus.google.com/u/0/+ClausStraube https://mobile.twitter.com/clausstraube Herzlichen Dank für die Aufmerksamkeit!