Securing Java Microservices with Java JWT


Micah will take you on a token-based journey. The talk covers what tokens are, looking at cryptographically signed tokens, using the JJWT library to create JWTs, mitigating CSRF attacks using JWTs and establishing trust between microservices using JWTs. Some slides and lots of code.


"Microservices are awesome, but they're not free" - Les Hazlewood, CTO Stormpath

This is a popular talk that I gave during my motorcycle road trip up and down the east coast. While I work for Stormpath, there are no Stormpath dependencies in the code. It's an example that uses Spring Boot with Spring Security and the open-source JJWT.

In the first part of the talk, I introduce JWTs and their utility by replacing the default CSRF functionality in Spring Security with a custom one that uses JWT. It demonstrates how, in addition to doing a "dumb" equals match for the submitted token and the one on record, a JWT can be inspected for expiration. This makes it so that you can have a form, protected by CSRF, that must be submitted within a certain period of time.

In the second part of the talk, I have a Spring Boot microservices example. I run two instances of the example and demonstrate how they initially do not trust signed JWT messages between each other. I then discuss how to establish trust between these microservices (by registering the public keys of each with each other) and then show how they now will trust messages. Finally, I talk about and demonstrate a more modern approach to microservices using Kafka messaging as the backbone rather than HTTP.

Here's a blog post I wrote on the subject as well.


Micah Silverman

Senior Developer Advocate, Okta
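
The CSRF check described in the first part of the abstract above (an equals match against the token on record, plus an expiration check on the JWT), shown as an added example that is not code from the talk or its author. It assumes the JJWT 0.11.x API on the classpath; the class name, method names and the in-memory key are hypothetical.

```java
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Date;
import java.util.UUID;

public class JwtCsrfTokenDemo {
    // Hypothetical in-memory key for the demo; a real service loads a persistent secret.
    private static final SecretKey KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);

    // Issue a signed CSRF token valid for ttlMillis (a negative value yields an expired token).
    static String issue(long ttlMillis) {
        long now = System.currentTimeMillis();
        return Jwts.builder()
                .setId(UUID.randomUUID().toString())
                .setIssuedAt(new Date(now))
                .setExpiration(new Date(now + ttlMillis))
                .signWith(KEY)
                .compact();
    }

    // Step 1: constant-time equals match against the token on record (e.g. in the session).
    // Step 2: parse the JWT, which verifies the signature and rejects an expired token.
    static String check(String onRecord, String submitted) {
        if (onRecord == null || submitted == null || !MessageDigest.isEqual(
                onRecord.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8))) {
            return "REJECT: token mismatch";
        }
        try {
            Jwts.parserBuilder().setSigningKey(KEY).build().parseClaimsJws(submitted);
            return "ACCEPT";
        } catch (ExpiredJwtException e) {
            return "REJECT: form expired, re-render with a fresh token";
        } catch (JwtException | IllegalArgumentException e) {
            return "REJECT: invalid token";
        }
    }

    public static void main(String[] args) {
        String fresh = issue(30_000), stale = issue(-1_000);
        System.out.println(check(fresh, fresh));         // submitted in time
        System.out.println(check(fresh, issue(30_000))); // valid JWT, but not the one on record
        System.out.println(check(stale, stale));         // matches the record, but past its expiration
    }
}
```

The third case is the one a plain equals match cannot catch: the submitted token is identical to the one on record, yet the form is refused because the JWT's expiration has passed.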

Microservices, Micronaut And Your Digital Future

The modernization of a sophisticated technology stack is a delicate balancing act that rests on understanding how any one change will affect the entire ecosystem. Business leaders who oversee mature technology stacks are particularly confounded by the demand to make changes quickly (and correctly) while simultaneously increasing the complexity of their applications. Microservices promise to alleviate this burden by decomposing complex applications into a set of manageable services that are much faster to develop and much easier to understand and maintain, but there are challenges associated with this type of application architecture. It is important to recognize the challenges and to understand how best to manage those challenges.


Jeff Brown

Partner, Grails and Micronaut Practice Lead, Object Computing, Inc.