Service Security
Difficulty: Beginner
Duration: 59m
Students: 94
Ratings: 5/5
Description

In this course, we will learn the concepts of microservices and the Spring framework and focus on microservice concerns.

Learning Objectives

  • Health Checks
  • Alerts
  • Error Handling
  • Security

Intended Audience

  • Beginner Java developers
  • Java developers interested in learning how to build and deploy RESTful web services
  • Java developers who want to develop web applications using the Spring framework
  • Java developers who want to develop web applications with microservices
  • Java developers who wish to develop Spring Boot microservices with Spring Cloud

Prerequisites

  • Basic Java knowledge

Transcript

Service Security. Hello, dear friends. This lesson will cover security in the microservice architecture. As you know, in a microservices environment there are many services that must communicate with each other, and security is an important concern in such an environment. The MicroProfile platform uses JWT for its security implementation. JWT is pronounced "jot" and stands for JSON Web Token. According to the JSON community page, JSON Web Token is an open standard, RFC 7519, that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWT is used for authorization and information exchange. When a user logs into an application, their role and system information can be saved in a JWT token, allowing them to access the corresponding resources in subsequent requests. JWT is also useful for securely transmitting information between parties.

Because JWTs can be signed, you can be certain that the senders are who they claim to be. A JWT looks like this. It is Base64-encoded and split into three parts by dots. The first part is the header. The second part is the payload, or in other words, the claims. The third part is the signature. When we decode the token, it looks like this. The first section typically consists of two parts: the type of the token and the signing algorithm being used. The type is JWT. The algorithm is generally HMAC SHA256 or RSA. The second part is the payload. It contains claims, which are statements about an entity: information about a user's name, role, and so on. The third part is the signature. The signature is an encrypted form of the first and second parts. A signature with SHA256 can be created using this method. Let me give you an example. We have a microservices application. It consists of two services: frontend and backend. The frontend service is for user login.

The backend service is responsible for gathering system information from the server and delivering it to the frontend service. To demonstrate, we define two users. One will be an admin, while the other will be a regular user. The admin user will have access to system information, but the regular user will not. To implement JWT, some changes have been made to the services. The JWT feature has been added to both services in the server.xml file. On the frontend service, user and role information have been added to the server.xml file. As you can see, the basicRegistry tag has been used to describe username and password information. Passwords can be encrypted in this manner, and security roles have been mapped under the application tag. This information could also have been written into the microprofile-config.properties file. As you see here, this information has been written into the microprofile-config.properties file in the backend service.

In the backend service, the system resource file specifies which groups of users have access to which resources. So, as you can see here, the claim information in the JWT is injected into the roles variable, which is used in the getRoles() function. As you can see, each function specifies which roles are permitted to run it. I will run the services. First, I will run the frontend; I will simply type liberty:dev. Okay, now I will run the backend. Okay, both have started. Now I open a web page and type localhost:9090/login.jsf. A login screen appears. I enter the regular user's username and password. As you see, it says, "You are not authorized to access this system property". I open a new login page, and now I will log in as the admin user. As you can see, I can see the system property now. Okay, guys, that's all. See you in the next lesson.
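As an added example (not part of the lesson or its MicroProfile project), the following Python script builds the three-part token described above, signs it with HMAC-SHA256, verifies it the way a backend service would, and applies the admin/user rule from the demo. The secret and user names are constructed, and the `groups` claim is assumed as the carrier of roles (the MicroProfile JWT convention).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment reads it from configuration.
SECRET = b"demo-secret-do-not-use"

def b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def create_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature. The signature is an HMAC-SHA256 over
    the two encoded parts; it authenticates them but does not hide them."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    # Accept only the algorithm we issue with; never trust the token's own "alg".
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

def can_access_system_properties(token: str, secret: bytes = SECRET) -> bool:
    """Backend-side check: only the 'admin' group may read system properties."""
    claims = verify_jwt(token, secret)
    return claims is not None and "admin" in claims.get("groups", [])

if __name__ == "__main__":
    admin_token = create_jwt({"upn": "alice", "groups": ["admin"]})
    user_token = create_jwt({"upn": "bob", "groups": ["user"]})
    print(can_access_system_properties(admin_token))  # True
    print(can_access_system_properties(user_token))   # False
```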


About the Author
Students: 4005
Courses: 64
Learning Paths: 5

OAK Academy is made up of tech experts who have been in the sector for years and years and are deeply rooted in the tech world. They specialize in critical areas like cybersecurity, coding, IT, game development, app monetization, and mobile development.