
205907 (1)
#1
Greetings!

I was looking through the table of contents for this book with great excitement until I found no mention of security and protecting microservices. Do you intend to cover this important topic in the book? I'm thinking OAuth 2 here, but maybe there is some other topic that should be covered?

Thanks!
John Carnell (26)
#2
Thanks for your comment. I honestly have been struggling with where, when and whether I should talk about microservice security. I am meeting with my editor on Friday because my original plan had been to touch on security in Chapter 6 when I was working through Zuul and the concept of a service gateway.

A services gateway is a natural policy enforcement point for security. One of the "extra" code examples that I wrote, but did not cover in detail (there is a lot of material to cover just on the services gateway), was how to use a Zuul pre-filter to perform authentication. Spring Cloud also provides an integration point to an OAuth2 service in Zuul.

One of the challenges in writing about security is that it is a very broad topic area. Do you only cover OAuth for authentication? What's the role of authorization, and what kind of role setup and implementation should you use? Some places go for just integrating out to a simple LDAP and/or Active Directory server for role definition and service authorization.

I worked at one place where we did all service authorization through an XACML (eXtensible Access Control Markup Language) server. We not only used XACML to define what services could be accessed by a particular user, but also enforced fine-grained security control so that sensitive fields (like SSN and health-related information) would be scrubbed from the payload being returned by a service if the user's role and the application they were trying to access the data from were not allowed to see that one data element.

This is what I am going to meet with my editor about. There are a boatload of topic areas to cover in microservices security, but everyone's environment is different, and so it is hard to reach a general subject area. I am debating whether I should collapse Chapters 8 and 9 on build pipelines and deploying to a cloud into one chapter and then include a chapter on microservice security.

Some potential topics include:

1. Writing your own authentication filter in Zuul
2. Zuul and OAUTH integration
3. Audit logging using Zuul and Spring Cloud Sleuth
4. The role of access control (probably would not cover a specific implementation, but provide examples of how deep people can go).

Any other thoughts on the subject would be very welcome.

Thanks,
John
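As an added example (not code from the book or from the author), here is the shape of the Zuul pre-filter authentication described above, written against the Spring Cloud Netflix Zuul filter API. TokenValidator is an assumed interface standing in for whatever token check (OAuth2 introspection, signature verification) the gateway delegates to.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Component;

// Hypothetical abstraction for the actual token check; not part of Zuul or Spring Cloud.
interface TokenValidator {
    boolean isValid(String token);
}

// A "pre" filter makes the gateway the policy enforcement point: requests without a
// valid bearer token are answered with 401 here and never routed to a downstream service.
@Component
public class AuthenticationPreFilter extends ZuulFilter {

    private static final String BEARER_PREFIX = "Bearer ";
    private final TokenValidator tokenValidator;

    public AuthenticationPreFilter(TokenValidator tokenValidator) {
        this.tokenValidator = tokenValidator;
    }

    @Override
    public String filterType() {
        return "pre";   // runs before Zuul decides where to route the request
    }

    @Override
    public int filterOrder() {
        return 1;       // early in the pre-filter chain, ahead of routing-related filters
    }

    @Override
    public boolean shouldFilter() {
        return true;    // check every request; any public paths would be allowlisted here
    }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();
        String header = request.getHeader("Authorization");
        boolean authenticated = header != null
                && header.startsWith(BEARER_PREFIX)
                && tokenValidator.isValid(header.substring(BEARER_PREFIX.length()));
        if (!authenticated) {
            ctx.setSendZuulResponse(false);   // stop the routing filters from forwarding it
            ctx.setResponseStatusCode(401);
            ctx.setResponseBody("{\"error\":\"unauthorized\"}");
        }
        return null;    // Zuul ignores the return value of run()
    }
}
```

Zuul's own routing filters consult ctx.sendZuulResponse() before forwarding, so rejecting at the gateway is effective only if any custom route filters you add do the same check.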

Trifon (1)
#3
a chapter on microservice security.

Some potential topics include:

1. Writing your own authentication filter in Zuul
2. Zuul and OAUTH integration
3. Audit logging using Zuul and Spring Cloud Sleuth
4. The role of access control (probably would not cover a specific implementation, but provide examples of how deep people can go).


I definitely think that having a chapter or even two on microservice security will make the book much more valuable. I'm a Java developer, so I care more about how to write microservices than how to deploy them.
I also think that without good security, microservices are not usable for public applications.

Best Regards,
Trifon

P.S. I'm at the end of the first chapter and I really enjoyed reading it. Keep up the good work!
John Carnell (26)
#4
Hi Trifon,

Thanks for the feedback. I am glad you liked chapter 1. I would welcome any other feedback as you work your way through the rest of the book.

Thanks,
John