Microservices for the Masses
Spring Boot · JWT · JHipster
Brought to you by Matt Raible and Stormpath
Conway’s Law
Any organization that designs a system (defined
broadly) will produce a design whose structure is a copy
of the organization’s communication structure.
Melvin Conway 1967
"Do one thing and do it well."
The Future?
You shouldn’t start with a microservices architecture.
Instead begin with a monolith, keep it modular, and split
it into microservices once the monolith becomes a
problem.
Martin Fowler March 2014
start.spring.io
Microservices are awesome, but they’re not free.
Les Hazlewood Stormpath CTO
Spring Boot Demo
JHipster by the numbers
+250 contributors
+5400 GitHub stars
+320,000 installations
+100 companies officially using it
How to use JHipster
To install JHipster, you run an npm command:
$ npm install -g generator-jhipster
$ mkdir myapp && cd myapp
$ yo jhipster
What’s Generated?
Spring Boot application
AngularJS application
Liquibase changelog files
Configuration files
Security Screens
Several generated screens
  Login, logout, forgot password
  Account management
  User management
Useful for most applications
  Pages must be tweaked
  User roles will be added/extended
Provides good examples of working screens
  Forms, directives, validation…
Admin Screens
Monitoring
Health
Spring Boot configuration
Spring Security audits
Log management
Very useful in production
Liquibase
ThoughtWorks Radar
Securing your API
Choose the Right API Security Protocol
  Basic API Authentication w/ TLS (formerly known as SSL)
  OAuth1.0a, OAuth2
API Keys vs. Username/Password Authentication
Store Your API Security Key securely
Use globally unique IDs (e.g. Url62)
Avoid sessions, especially in URLs
How to Secure your API
https://www.youtube.com/watch?v=hdSrT4yjS1g
Learn more on the Stormpath blog
Anatomy of a JWT
Create a JWT in Java
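import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Date;

String jwt = Jwts.builder()
    .setSubject("users/TzMUocMF4p")
    // java.util.Date takes milliseconds; 1300819380 is an epoch-seconds value
    .setExpiration(new Date(1300819380L * 1000))
    .claim("name", "Robert Token Man")
    .claim("scope", "self groups/admins")
    .signWith(
        SignatureAlgorithm.HS256,
        "secret".getBytes("UTF-8")
    )
    .compact();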
Validating a JWT
String jwt = // get JWT from Authorization header
Jws<Claims> claims = Jwts.parser()
    .setSigningKey("secret".getBytes("UTF-8"))
    .parseClaimsJws(jwt);
// Claims.get(name, type) returns the claim already typed as a String
String scope = claims.getBody().get("scope", String.class);
assertEquals("self groups/admins", scope);
Better Secret
String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
.signWith(SignatureAlgorithm.HS256,
TextCodec.BASE64.decode(b64EncodedSecret))
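Added example, not from the original slides and not JJWT's code: the three-part token from "Anatomy of a JWT", HS256 signing, and the signature check from "Validating a JWT", written with JDK classes only. The class and helper names (JwtAnatomy, b64url, sign, verify) are hypothetical and the sample claims are constructed; checks on claims such as expiration are left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtAnatomy {
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    // The only header this verifier accepts; the algorithm is never taken from the token.
    static final String HEADER = b64url("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");

    static String b64url(String json) {
        return B64URL.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // HS256 signature over "<header>.<payload>", base64url-encoded without padding.
    static String sign(String signingInput, byte[] key) throws Exception {
        if (key.length < 32) // RFC 7518 section 3.2: HS256 key must be at least 256 bits
            throw new IllegalArgumentException("HS256 key shorter than 256 bits");
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64URL.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8)));
    }

    // True only for three-part tokens with the pinned header and a matching signature.
    static boolean verify(String jwt, byte[] key) throws Exception {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3 || !parts[0].equals(HEADER)) return false;
        byte[] expected = sign(parts[0] + "." + parts[1], key).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(expected, parts[2].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Key string from the "Better Secret" slide; it decodes to 32 bytes.
        byte[] key = Base64.getDecoder().decode("Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=");
        // Constructed sample claims, using the subject and scope from the slides.
        String payload = b64url("{\"sub\":\"users/TzMUocMF4p\",\"scope\":\"self groups/admins\"}");
        String jwt = HEADER + "." + payload + "." + sign(HEADER + "." + payload, key);
        System.out.println(jwt);
        System.out.println("valid: " + verify(jwt, key));
        // Reuse the signature with an edited payload, as a party without the key would have to.
        String edited = b64url("{\"sub\":\"users/TzMUocMF4p\",\"scope\":\"self groups/owners\"}");
        System.out.println("edited payload: " + verify(HEADER + "." + edited + "." + jwt.split("\\.")[2], key));
        try {
            sign(HEADER + "." + payload, "secret".getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            System.out.println("\"secret\" as key: " + e.getMessage());
        }
    }
}
```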
JWTs in Java for CSRF and Microservices
https://www.youtube.com/watch?v=QSYK4OCmycI
Learn more on the Stormpath blog
Microservices with JHipster
Microservices are not free, but you get a deep discount
on microservices with JHipster.
Matt Raible 2016
JHipster.next
Angular 2
JUnit 5
Spring 5 and Reactive
Apache Kafka
HTTP/2
Progressive Web App Support
Do one thing and do it well.
Unix philosophy
This Presentation and Demos
https://github.com/mraible/microservices-for-the-masses
Image Credits
Fountain of colours - Paulius Malinovskis on Flickr
Ponte dell’Accademia at Sunrise - Trey Ratcliff on Stuck in Customs
Conway’s Law - Martin Fowler and James Lewis on Microservices
Good Morning Denver - Sheila Sund on Flickr
Monoliths - Arches National Park on Flickr
Mexico - Trish McGinity on McGinity Photo
Future - vivianhir on Flickr
Spring Runoff - Ian Sane on Flickr
The memory Seeker, Santa Monica Pier, CA - Pacheco on Flickr
San Francisco By Night - Trish McGinity on McGinity Photo