GR8EU 2019 - Micronaut Security

objectcomputing.com © 2018, Object Computing, Inc. (OCI). All rights reserved.
No part of these notes may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior, written permission of Object Computing, Inc. (OCI) MICRONAUT SECURITY SERGIO DEL AMO

© 2018, Object Computing, Inc. (OCI). All rights reserved. ©
2018, Object Computing, Inc. (OCI). All rights reserved. objectcomputing.com 2 • MICRONAUT / GRAILS OCI TEAM • GUADALAJARA, SPAIN • CURATOR OF GROOVYCALAMARI.COM • PODCAST HOST OF PODCAST.GROOVYCALAMARI.COM • GREACH Conference organizer • @SDELAMO • HTTP://SERGIODELAMO.ES SERGIO DEL AMO

© 2018, Object Computing, Inc. (OCI). All rights reserved. objectcomputing.com
3 CONTROLLER EXAMPLE @Controller(“/books") public class BookController { @Get public List<Book> index() { return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

4 INSTALLATION

5 SECURITY INSTALLATION dependencies { ... .. . annotationProcessor "io.micronaut:micronaut-security" compile "io.micronaut:micronaut-security" } build.gradle src/main/resources/application.yml micronaut: security: enabled: true

© 2018, Object Computing, Inc. (OCI). objectcomputing.com 6 SECURED BY
DEFAULT

7 Security Filter

8 ANONYMOUS ACCESS

9 @Secured IS_ANONYMOUS import io.micronaut.security.annotation.Secured; @Controller(“/books") public class BookController { @Secured(SecurityRule.IS_ANONYMOUS) @Get public List<Book> index() { return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

10 @Secured IS_ANONYMOUS import io.micronaut.security.annotation.Secured; @Secured(SecurityRule.IS_ANONYMOUS) @Controller(“/books") public class BookController { @Get public List<Book> index() { return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

11 JSR_250 annotations import javax.annotation.security.PermitAll; @Controller(“/books") public class BookController { @PermitAll @Get public List<Book> index() { return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

12 INTERCEPT URL MAP src/main/java/example/micronaut/BookController.java @Controller(“/books") public class BookController { @Get public List<Book> index() { return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } } src/main/resources/application.yml micronaut: security: enabled: true intercept-url-map: - pattern: "/books" http-method: GET access: - isAnonymous()

13 INTERCEPT URL MAP for STATIC RESOURCES src/main/resources/application.yml micronaut: router: static-resources: default: enabled: true mapping: /static/** paths: - classpath: public security: enabled: true intercept-url-map: - pattern: "/static/logo.png" http-method: GET access: - isAnonymous()

14 BASIC AUTH

16 Basic Auth

17 Basic Auth

18 BASIC AUTH import javax.inject.Singleton @Singleton public class ExampleAuthenticationProvider implements AuthenticationProvider { @Override public Publisher<AuthenticationResponse> authenticate(AuthenticationRequest authenticationRequest) { if (authenticationRequest.getIdentity().equals("user") && authenticationRequest.getSecret().equals("password"))) { UserDetails u = new UserDetails(authenticationRequest.getIdentity(), Arrays.asList("ROLE_USER")); return Flowable.just(u); } return Flowable.just(new AuthenticationFailed()); } } $ curl - u name:password http://micronaut.example/books curl with basic auth

19 DELEGATING AUTHENTICATION PROVIDER

© 2018, Object Computing, Inc. (OCI). objectcomputing.com 20 DELEGATION AUTHENTICATION
PROVIDER

21 DELEGATING AUTHENTICATION PROVIDER import javax.inject.Singleton @CompileStatic @Singleton class UserFetcherService implements UserFetcher { protected final UserGormService userGormService UserFetcherService(UserGormService userGormService) { this.userGormService = userGormService } @Override Publisher<UserState> findByUsername(String username) { UserState user = userGormService.findByUsername(username) as UserState (user ? Flowable.just(user) : Flowable.empty()) as Publisher<UserState> } } implementation of UserFetcher

22 DELEGATING AUTHENTICATION PROVIDER package example.micronaut.services import io.micronaut.security.authentication.providers.AuthoritiesFetcher import io.reactivex.Flowable import org.reactivestreams.Publisher import javax.inject.Singleton @Singleton class AuthoritiesFetcherService implements AuthoritiesFetcher { protected final UserRoleGormService userRoleGormService AuthoritiesFetcherService(UserRoleGormService userRoleGormService) { this.userRoleGormService = userRoleGormService } @Override Publisher<List<String>> findAuthoritiesByUsername(String username) { Flowable.just(userRoleGormService.findAllAuthoritiesByUsername(username)) } } implementation of AuthoritiesFetcher

23 DELEGATING AUTHENTICATION PROVIDER import io.micronaut.security.authentication.providers.PasswordEncoder import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder import javax.inject.Singleton @Singleton class BCryptPasswordEncoderService implements PasswordEncoder { org.springframework.security.crypto.password.PasswordEncoder delegate = new BCryptPasswordEncoder() String encode(String rawPassword) { return delegate.encode(rawPassword) } @Override boolean matches(String rawPassword, String encodedPassword) { return delegate.matches(rawPassword, encodedPassword) } } implementation of PasswordEncoder dependencies { ... compile “org.springframework.security:spring-security-crypto:5.2.5.RELEASE” } build.gradle

24 SESSION BASED AUTHENTICATION

26 SESSION AUTH dependencies { ... .. . annotationProcessor "io.micronaut:micronaut-security" compile "io.micronaut:micronaut-security-session" } build.gradle src/main/resources/application.yml micronaut: security: enabled: true session: enabled: true

27 SECURITY SESSION CLI INSTALLATION $ mn create-app my-app --features security-session MICRONAUT SECURITY SESSION

28 ENDPOINTS

29 LOGIN CONTROLLER src/main/resources/application.yml micronaut: security: enabled: true endpoints: login: enabled: true

30 LOGOUT CONTROLLER src/main/resources/application.yml micronaut: security: enabled: true endpoints: logout: enabled: true

31 AUTHENTICATION

32 @Secured IS_AUTHENTICATED import io.micronaut.security.annotation.Secured; @Controller(“/books") public class BookController { @Secured(SecurityRule.IS_AUTHENTICATED) @Get public List<Book> index() { return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

33 @Secured IS_AUTHENTICATED import io.micronaut.security.annotation.Secured; @Secured(SecurityRule.IS_AUTHENTICATED) @Controller(“/books") public class BookController { @Get public List<Book> index() { return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

34 AUTHORIZATION

35 AUTHORIZATION import io.micronaut.security.annotation.Secured; @Controller("/books") public class BookController { @Secured({"ROLE_ADMIN","ROLE_USER"}) @Get public List<Book> index() { return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

36 JSR_250 annotations import javax.annotation.security.RolesAllowed; @Controller("/books") public class BookController { @RolesAllowed({"ROLE_ADMIN","ROLE_USER"}) @Get public List<Book> index() { return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

37 RETRIEVE CURRENT USER

38 Retrieve the Authenticated User import io.micronaut.security.annotation.Secured; import java.security.Principal; import javax.annotation.Nullable; @Controller(“/books") public class BookController { @Secured(SecurityRule.IS_ANONYMOUS) @Get public List<Book> index(@Nullable Principal principal) { if (principal != null && principal.getName().equals("Harry Potter”)) { return Arrays.asList(new Book("9781781102459", "Philosopher's Stone”)); } return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

39 Retrieve the Authenticated User import io.micronaut.security.annotation.Secured; import java.security.Principal; @Controller(“/books") public class BookController { @Secured(SecurityRule.IS_AUTHENTICATED) @Get public List<Book> index(Principal principal) { if (principal.getName().equals("Harry Potter”)) { return Arrays.asList(new Book("9781781102459", "Philosopher's Stone”)); } return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

40 Retrieve the Authenticated User import io.micronaut.security.annotation.Secured; import io.micronaut.security.authentication.Authentication; @Controller(“/books") public class BookController { @Secured(SecurityRule.IS_AUTHENTICATED) @Get public List<Book> index(Authentication authentication) { if (authentication.getName().equals("Harry Potter”)) { return Arrays.asList(new Book("9781781102459", "Philosopher's Stone”)); } return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

41 Retrieve the Authenticated User import io.micronaut.security.annotation.Secured; import io.micronaut.security.authentication.Authentication; @Controller("/books") public class BookController { private final SecurityService securityService; public BookController(SecurityService securityService) { this.securityService = securityService; } @Secured(SecurityRule.IS_AUTHENTICATED) @Get public List<Book> index() { if (securityService.getAuthentication().getName().equals(“Harry Potter”)) { return Arrays.asList(new Book("9781781102459", "Philosopher's Stone”)); } return Arrays.asList(new Book("1491950358", "Building Microservices"), new Book("1680502395", "Release It!"), new Book("0321601912", "Continuous Delivery")); } }

42 LDAP

43 LDAP src/main/resources/application.yml micronaut: .. . security: ... .. ldap: default: enabled: true context: server: 'ldap://ldap.forumsys.com:389' managerDn: 'cn=read-only-admin,dc=example,dc=com' managerPassword: 'password' search: base: "dc=example,dc=com" groups: enabled: true base: "dc=example,dc=com" build.gradle dependencies { ... .. . annotationProcessor "io.micronaut:micronaut-security" compile "io.micronaut:micronaut-security" compile "io.micronaut.configuration:micronaut-security-ldap" } LDAP authentication in Micronaut supports configuration of one or more LDAP servers to autehtnicate with. Each server has it’s own settings and can be enabled or disabled

44 JWT

45 SECURITY JWT INSTALLATION dependencies { ... .. . annotationProcessor "io.micronaut:micronaut-security" compile "io.micronaut:micronaut-security-jwt" } build.gradle src/main/resources/application.yml micronaut: security: enabled: true token: jwt: enabled: true

46 SECURITY JWT CLI INSTALLATION $ mn create-app my-app --features security-jwt MICRONAUT SECURITY JWT

48 Security Filter

49 LOGIN CONTROLLER JWT Bearer authentication

51 Security Filter

52 LOGIN CONTROLLER JWT Bearer authentication

53 JWT Signature Generation and Validation To enable a JWT signature in token generation, you need to have in your app a bean of type RSASignatureGeneratorConfiguration, ECSignatureGeneratorConfiguration, SecretSignatureConfiguration qualified with name generator. To verify signed JWT tokens, you need to have in your app a bean of type RSASignatureConfiguration, RSASignatureGeneratorConfiguration, ECSignatureGeneratorConfiguration, ECSignatureConfiguration, or SecretSignatureConfiguration.

54 JWT Configuration src/main/resources/application.yml micronaut: security: enabled: true token: jwt: enabled: true signatures: secret: generator: secret: pleaseChangeThisSecretForANewOne jws-algorithm: HS256

55 Claims Validation Bean Description ExpirationJwtClaimsValidator Validate JWT is not expired. SubjectNotNullJwtClaimsValidator Validate JWT subject claim is not null. io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator Provide your own!

56 RFRESH CONTROLLER src/main/resources/application.yml micronaut: security: enabled: true endpoints: oauth: enabled: true

57 JSON Web Key JWK A JSON Object that represents a cryptographic key. The members of the object represent properties of the key, including its value. { "kty":"EC", "crv":"P-256", "kid":"test-personal-node", "x":"kdoE0JmUQra00UWJXHBwVvQetJ_L7vXt8nuXkaftKjo", "y":"PV7FUShMZ8Jg_kc2vjxgfwswEy26w_vWvVCHAGQ9tEQ" }

58 JWK Set A JSON object that represents a set of JWKs. The JSON object MUST have a "keys" member, which is an array of JWKs. { "keys": [ { "kty":"EC", "crv":"P-256", "kid":"123", "x":"kdoE0JmUQra00UWJXHBwVvQetJ_L7vXt8nuXkaftKjo", "y":"PV7FUShMZ8Jg_kc2vjxgfwswEy26w_vWvVCHAGQ9tEQ" } ] }

src/main/resources/application.yml micronaut: security: enabled: true endpoints: keys: enabled: true import com.nimbusds.jose.jwk.JWK; import io.micronaut.security.token.jwt.endpoints.JwkProvider; import javax.inject.Singleton; import java.text.ParseException; @Singleton class ExampleJwkProvider implements JwkProvider { @Override List<JWK> retrieveJsonWebKeys() { try { return [JWK.parse(''' { "kty":"EC", "crv":"P-256", "kid":"123", “x": "kdoE0JmUQra00UWJXHBwVvQetJ_L7vXt8nuXkaftKjo", "y":"PV7FUShMZ8Jg_kc2vjxgfwswEy26w_vWvVCHAGQ9tEQ" }''')] } catch (ParseException e) { return [] as List<JWK> } } } 59 KEYS CONTROLLER - Expose a JWK Set

60 KEYS CONTROLLER $ curl localhost:8080/keys {"keys":[{"kty":"EC","crv":"P-256","kid":"test-personal- node","x":"kdoE0JmUQra00UWJXHBwVvQetJ_L7vXt8nuXkaftKjo","y":"PV7FUShMZ8Jg_kc2vjx gfwswEy26w_vWvVCHAGQ9tEQ"}]}

61 REMOTE JWKS VALIDATION src/main/resources/application.yml micronaut: security: enabled: true token: jwt: enabled: true signatures: jwks: securityservice: url: "http://localhost:8081/keys"

62 SECURITY EVENTS

63 Security Events Event Name Description LoginFailedEvent Trigger when an unsuccessful login takes place. LoginSuccessfulEvent Trigger when a successful login takes place. LogoutEvent Triggered when the user logs out. TokenValidatedEvent Trigger when a token is validated. AccessTokenGeneratedEvent Trigger when a JWT access token is generated. RefreshTokenGeneratedEvent Trigger when a JWT refresh token is generated. @Singleton class LogoutFailedEventListener implements ApplicationEventListener<LogoutEvent> { @Override void onApplicationEvent(LogoutEvent event) { println "received logout event" } }

64 TOKEN PROPAGATION

src/main/resources/application.yml micronaut: security: enabled: true token: jwt: enabled: true writer: header: enabled: true propagation: enabled: true service-id-regex: "recommendations|catalogue|inventory" 65 Token Propagation

66 MICRONAUT OAUTH 2 https://micronaut-projects.github.io/micronaut-security/ snapshot/guide/#oauth

67 OAUTH 2 build.gradle dependencies { ... .. . annotationProcessor "io.micronaut:micronaut-security" compile "io.micronaut:micronaut-security" compile “io.micronaut.configuration:micronaut-oauth2:1.0.0.BUILD-SNAPSHOT" }

68 authorization code flow - OpenID Connect

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End- User based on the authentication performed by an Authorization Server , as well as to obtain basic profile information about the End-User in a interoperable and REST-like manner. 69

70

71 OAUTH 2

72 Open ID Connect Configuration src/main/resources/application.yml micronaut: security: enabled: true oauth2: enabled: true clients: cognito: client-secret: '${OAUTH_CLIENT_SECRET}' client-id: '${OAUTH_CLIENT_ID}' openid: issuer: 'https://cognito-idp.${AWS_REGION}.amazonaws.com/${COGNITO_POOL_ID}'

73 authorization code flow - Oauth 2.0

74

75 Oauth Configuration src/main/resources/application.yml micronaut: security: enabled: true oauth2: enabled: true clients: github: client-id: <<my client id>> client-secret: <<my client secret>> scopes: - user:email - read:user authorization: url: https://github.com/login/oauth/authorize token: url: https://github.com/login/oauth/access_token auth-method: client-secret-post

76 Grant type password

77

78

79 Oauth Configuration src/main/resources/application.yml micronaut: security: … oauth2: … clients: github: grant-type: password

80 Logout

81

82 Oauth Configuration src/main/resources/application.yml micronaut: security: … endpoints: logout: enabled: true get-allowed: true

83 SAMPLES

84 Micronaut Guides Guides Micronaut Basic Auth Session based Authentication Micronaut JWT Authentication Micronaut JWT Authentication with Cookies LDAP and Database authentication Providers Micronaut Token Propagation Secure a Micronaut app with Okta https://guides.micronaut.io/tags/security.html

85 Questions?

GR8EU 2019 - Micronaut Security

GR8EU 2019 - Micronaut Security

More Decks by Sergio del Amo

Other Decks in Programming

Featured

Transcript