Unshakeable Security for Java Microservices with Micronaut

Micronaut: Making Security and OAuth2 Integration a Breeze for Java Microservices

May 15, 2024

Unshakeable Security for Java Microservices with Micronaut

When it comes to locking down your microservices, especially when you’re coding in Java, having a dependable framework can make all the difference. Enter Micronaut, a game-changer with its strong security features and built-in support for OAuth2. With Micronaut, you can keep your applications secure and authenticated without breaking a sweat. Let’s break down how to use Micronaut Security and OAuth2 to safeguard your microservices effectively.

To get the ball rolling, you’ve got to include the right dependencies in your project. If Maven is your thing, you would typically start by adding a dependency to your pom.xml file, like so:

<dependency>
    <groupId>io.micronaut</groupId>
    <artifactId>micronaut-security</artifactId>
</dependency>

Once that’s sorted out, you need to switch on security in your app’s configuration. In your application.yml file, you just set micronaut.security.enabled to true:

micronaut:
  security:
    enabled: true

Now onto the big fish: OAuth2. This beast of an authorization framework lets clients access resources for a resource owner, but setting it up in Micronaut is pretty straightforward. Start by adding the OAuth2 dependency:

<dependency>
    <groupId>io.micronaut.security</groupId>
    <artifactId>micronaut-security-oauth2</artifactId>
</dependency>

Following that, you adjust the OAuth2 settings in your application.yml file. Here’s a basic setup:

micronaut:
  security:
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: pleaseChangeThisSecretForANewOne
              jws-algorithm: HS256
        propagation:
          header:
            enabled: true
            headerName: Authorization
            prefix: Bearer
          enabled: true
          service-id-regex: http://localhost:(8083|8081|8082)

This configuration enables JWT (JSON Web Token) signatures and propagation settings to keep things secure and tidy.

Your next mission is to secure your controllers. Micronaut Security comes with handy annotations for this. You might use @Secured to specify which roles or permissions a user needs to hit a certain endpoint:

import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.rules.SecurityRule;

@Controller("/secure")
@Secured(SecurityRule.IS_AUTHENTICATED)
public class SecureController {

    @Get
    public String index() {
        return "Hello, authenticated user!";
    }
}

With this example, only authenticated users can access the index method, keeping intruders out.

Then there’s authentication, one of the most crucial gears in the machine of securing microservices. Micronaut lets you implement it in various ways, including using OAuth2 tokens. Here, for example, is how you might handle a login endpoint that returns an OAuth2 token:

import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Post;
import io.micronaut.security.authentication.AuthenticationRequest;
import io.micronaut.security.authentication.AuthenticationResponse;
import io.micronaut.security.token.jwt.generator.RefreshTokenGenerator;
import io.micronaut.security.token.jwt.generator.TokenGenerator;
import io.micronaut.security.token.jwt.generator.TokenGeneratorConfiguration;

@Controller("/login")
public class LoginController {

    @Post
    public AuthenticationResponse login(AuthenticationRequest request) {
        // Authentication logic goes here

        String username = request.getUsername();
        String password = request.getPassword();

        // Generate a JWT token
        TokenGenerator tokenGenerator = new TokenGenerator(TokenGeneratorConfiguration.builder().build());
        String token = tokenGenerator.generateToken(username);

        return new AuthenticationResponse(token);
    }
}

Testing secure endpoints is a step that can’t be skipped. Use Micronaut’s @MicronautTest to make this a breeze.

Here’s how to test a secure endpoint:

import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.*;

@MicronautTest
public class SecureControllerTest {

    @Inject
    EmbeddedServer server;

    @Test
    public void testSecureEndpoint() throws MalformedURLException {
        HttpClient client = HttpClient.create(new URL("http://" + server.getHost() + ":" + server.getPort()));
        UserToken token = client.toBlocking().retrieve(HttpRequest.POST("/login", new UserCredentials("username", "password")), UserToken.class);
        String response = client.toBlocking().retrieve(HttpRequest.GET("/secure").bearerAuth(token.getAccessToken()));
        assertEquals("Hello, authenticated user!", response);
    }
}

This checks if your endpoint is indeed protected and functioning as expected.

Let’s not forget one of the hottest tools in the toolbox: JSON Web Tokens (JWT). JWTs are pretty standard for authentication and authorization in microservices, and Micronaut has built-in support for them.

Here’s how you could set up JWT with a secure endpoint:

import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.rules.SecurityRule;

@Controller("/secure")
@Secured(SecurityRule.IS_AUTHENTICATED)
public class SecureController {

    @Get
    public String index() {
        return "Hello, authenticated user!";
    }
}

This setup forces any request to present a valid JWT token before proceeding.

Let’s talk protocols for a bit. HTTPS is mandatory for secure communication between clients and servers. Micronaut makes enabling HTTPS simple:

micronaut:
  ssl:
    enabled: true
    client-authentication: want
    key-store:
      path: classpath:ssl/keystore.p12
      password: your_keystore_password
      type: PKCS12
    trust-store:
      path: classpath:ssl/truststore.jks
      password: your_truststore_password
      type: JKS

Enable SSL/TLS, plug in your key store and trust store paths and passwords, and you’re golden.

Micronaut is cloud-native, meaning it’s smooth sailing when deploying microservices to cloud environments like Kubernetes. Micronaut integrates perfectly with cloud tech, including service discovery, distributed tracing, and circuit breakers.

Here’s a quick service discovery config using Consul:

micronaut:
  discovery:
    consul:
      client:
        registration:
          enabled: true
        service-name: my-service

With this setup, your service is registered with Consul for seamless service discovery.

The wrap-up — testing. Fast and efficient testing is critical, and Micronaut is here to make sure of that. Micronaut’s compile-time dependency injection and aspect-oriented programming guarantee that tests are swift and without the overhead of reflection.

Here’s one way of writing a test for a Micronaut controller:

import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.*;

@MicronautTest
public class HelloControllerTest {
  
    @Inject
    EmbeddedServer server;
  
    @Test
    public void testHelloWorldResponse() throws MalformedURLException {
        HttpClient client = HttpClient.create(new URL("http://" + server.getHost() + ":" + server.getPort()));
        String response = client.toBlocking().retrieve(HttpRequest.GET("/hello"));
        assertEquals("{\"message\":\"Hello World\"}", response);
    }
}

A simple test like this ensures your functionality is as it should be.

Wrapping things up, securing microservices might sound like climbing Mount Everest, but with a framework like Micronaut, it’s more like a walk in the park. Leveraging its built-in security capabilities, OAuth2 support, and cloud-friendly architecture, Micronaut makes sure your applications are safe while also offering you the tools you need to keep them that way. Follow these steps and configurations, and your microservices will be locked down, authenticated, and cloud-ready.