I have a microservices-based web app. The microservices communicate with each other via an exposed REST API. I want an easy, yet secure solution to secure communication between my microservices. I've already used the JWT protocol to secure my user-services communication but I can't figure out the best way to secure server-server communication.

Update: I want an easy way to authenticate APIs. Is it a good way to hardcode the key and secret or put them in configuration files and then use them to authenticate to another endpoint? I've heard about the OAuth2 protocol but I'm afraid it's overkill for my need. So what can be the easy and secure way to authenticate APIs?

elghazal-a
  • Secure against what? Communication between servers, authentication, security against tampering? – Neville Kuyt Oct 19 '15 at 14:31
  • You're right, I wasn't specific. Actually, I need an authentication system. Please see my update. Thanks – elghazal-a Oct 24 '15 at 00:37
  • http://stackoverflow.com/questions/4817643/how-to-secure-restful-web-services - is there anything you can add to your question to explain why "Oauth2 is overkill"? – Neville Kuyt Oct 26 '15 at 07:58
  • I am not an expert in authentication mechanisms, but when I searched about OAuth2, I found that it's not an authentication protocol, nor an authorization one, but it's for delegation. I thought maybe using OAuth2 assumes delegating the authentication to a third party (Facebook, Twitter,...) or creating my own one. PS: I'll check your link and learn more about OAuth2. Thanks – elghazal-a Oct 26 '15 at 14:36

1 Answer

You should use HTTPS in order to make communication between servers secure. As far as point-to-point security (transport layer security) is concerned, this is the way to go.

But keep in mind that this still doesn't mean that you'll have message-level security (end-to-end security). Intermediaries (i.e. service agents or other services and applications) along the message path will be able to see what is in the message content while processing it.

REST relies on the uniform contract provided by HTTP, so you cannot use the advanced features of WS-Security as you would have with SOAP. The security features of SOAP provide a wider spectrum of options, so if security is key in your case, you should definitely check SOAP web services out.

Also, take a look at this question. It's relevant to yours and I'm sure you'll find it helpful.

Hope this helps!

Plamen G
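
An added example, not part of the question or the answer above: one way for services to authenticate each other with a per-service key ID and shared secret is to send an HMAC-SHA256 signature over each request, on top of HTTPS. The header names, the 300-second freshness window and the sample key are assumptions; the signature authenticates the caller and detects tampering at message level, but it does not hide the body from intermediaries.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window that limits replay


def _canonical(method, path, body, timestamp, key_id):
    # Bind the signature to the method, path, body hash, time and caller identity.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), key_id]).encode()


def sign_request(key_id, secret, method, path, body, now=None):
    """Caller side: return the headers to attach to the outgoing request."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(secret, _canonical(method, path, body, ts, key_id), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(keys, headers, method, path, body, now=None):
    """Receiver side: True only for a fresh request signed by a known caller."""
    key_id = headers.get("X-Key-Id", "")
    secret = keys.get(key_id)
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = time.time() if now is None else now
    if secret is None or abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    expected = hmac.new(secret, _canonical(method, path, body, ts, key_id),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode())


def demo():
    # Constructed sample secret; in a deployment it is read from the environment
    # or a secret store at start-up, not written into source code.
    keys = {"orders-service": b"constructed-demo-secret"}
    body, path, t0 = b'{"order_id": 42}', "/v1/payments", 1_000_000
    headers = sign_request("orders-service", keys["orders-service"], "POST", path, body, now=t0)
    return {
        "valid": verify_request(keys, headers, "POST", path, body, now=t0 + 10),
        "tampered_body": verify_request(keys, headers, "POST", path, b'{"order_id": 43}', now=t0 + 10),
        "replayed_late": verify_request(keys, headers, "POST", path, body, now=t0 + 301),
        "unknown_key": verify_request(keys, dict(headers, **{"X-Key-Id": "other"}), "POST", path, body, now=t0 + 10),
    }


if __name__ == "__main__":
    print(demo())
```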