Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Micronaut Tutorial: Part 2: Easy Distributed Tracing, JWT Security and AWS Lambd ...

0
0

Key Takeaways Micronaut provides seamless integration with several distributed tracing solutions, such asZipkin and Jaeger Several security solutions are provided "out-of-the-box" with the framework, suchas JWT-based authentications. Micronaut provides features such as “Token Propagation” to ease secure communication between microservices. Thanks to its low memory footprint, Micronaut is capable of running in Function as a Service (FaaS) serverless environments.

In the rst article within this series we developed and deployed three microservices with the JVM-based Micronaut framework. In this second tutorial article we are going to add several features to our app: distributed tracing, security via JWT and a serverless function. Moreover, we will discuss the user input validation capabilities offered by Micronaut.

Distributed tracing

Breaking our system up into smaller, ne-grained microservices results in multiple benets, but it also adds complexity when it comes to monitoring the system in production.

You should assume that your networks are plagued with malevolent entities ready to unleash their ire on a whim. Sam Newman, Building Microservices

Micronaut integrates natively with Jaeger and Zipkin -- the top open-source distributed tracing solutions.

Zipkin is a distributed tracing system. It helps gather timing data needed to troubleshoot latency problems in microservice architectures. It manages both the collection and lookup of this data.

An easy way to start Zipkin is via Docker:

$ docker run -d -p 9411:9411 openzipkin/zipkin

The app is composed of three microservices. (gateway,inventory,books) which we developed in therst article.

You will need to do these changes to all three microservices.

Modify build.gradle to add tracing dependency:

build.gradle
compile "io.micronaut:micronaut-tracing"

Add the following dependencies to build.gradle to send tracing spans to Zipkin.

build.gradle
runtime 'io.zipkin.brave:brave-instrumentation-http'
runtime 'io.zipkin.reporter2:zipkin-reporter'
compile 'io.opentracing.brave:brave-opentracing'

Congure tracing:

src/main/resources/application.yml
tracing:
zipkin:
http:
url: http://localhost:9411
enabled: true
sampler:
probability: 1

Setting tracing.zipkin.sample.probability=1 means we want to trace 100% of request. In production, you probably would want set a lower percentage.

Disable tracing in tests:

src/test/resources/application-test.yml
tracing:
zipkin:
enabled: false

That is it. With minimum conguration changes you are able to integrate distributed tracing into Micronaut.

Running the app

Let us run the app and see the distributed tracing integration action. In the rst article, we integrated Consul for service discovery into our app. Because of this, you need to start both Zipkin and Consul before starting the microservices. When we start the microservices, they will register themselves at Consul service discovery. When we engage them with a request, they will send spans to Zipkin.

To start the microservices, Gradle has a handy ag (-parallel) for that:

./gradlew -parallel run

You can run a cURL command to engage the three microservices:

$ curl http://localhost:8080/api/books
[{"isbn":"1680502395","name":"Release It!","stock":3},
{"isbn":"1491950358","name":"Building Microservices","stock":2}]

You can then navigate to http://localhost:9411 to access the Zipkin UI.

Security via JWT

Micronaut ships with several security options out of the box. You can congure basic authentication, session based authentication, JWT authentication, Ldap authentication etc. JSON Web Token (JWT) is an open, industry standard RFC 7519 method for representing claims securely between two parties.

Micronaut ships out-of-the-box with capabilities to generate, sign and/or encrypt, and verify JWT tokens.

We are going to integrate JWT authentication into our app.

Changes in gateway to support JWT

The gateway microservice will be responsible for generating and propagating JWT tokens.

Modify build.gradle to add micronaut-ecurity-jwt dependency to each microservice ( gateway,inventory and books ):

gateway/build.gradle
compile "io.micronaut:micronaut-security-jwt"
annotationProcessor "io.micronaut:micronaut-security"

Modify application.yml :

gateway/src/main/resources/application.yml
micronaut:
application:
name: gateway
server:
port: 8080
security:
enabled: true
endpoints:
login:
enabled: true
oauth:
enabled: true
token:
jwt:
enabled: true
signatures:
secret:
generator:
secret: pleaseChangeThisSecretForANewOne
writer:
header:
enabled: true
propagation:
enabled: true
service-id-regex: "books|inventory"

We have made several important conguration changes which are worth discussing:

micronaut.security.enable=true turns on security and secures every endpoint by default. micronaut.security.endpoints.login.enable=true enables the /login endpoint which we will use shortly to authenticate. micronaut.security.endpoints.oauth.enable=true enables a/oauth/access_tokenendpoint which we could use to obtain a new JWT access token once the issued token expires. micronaut.security.jwt.enable=true enables JWT capabilities. We congure our app to issue signed JWTs with a secret conguration. Please check the JWT token Generation documentation to learn about the different signing and encrypting options at your disposal. micronaut.security.token.propagation.enabled=true means we are turning on Token Propagation. This is a feature which simplies working with JWT or other token security mechanism in a microservices architecture. Please, read Token Propagation tutorial to learn more. micronaut.security.writer.header.enabled enables a token writer which will write the JWT tokens transparently for the developer in a HTTP header. micronaut.security.token.propagation.service-id-regex sets a regular expression which matches the services targeted for token propagation. We are matching the other two services in the app.

With Micronaut, you can use @Secured annotation to congure access at Controller or Controller's Action level.

Annotate BookController.java with@ Secured("isAuthenticated()" ). It permits access only to authenticated users. Remember to annot

Viewing all articles
Browse latest Browse all 12749