Wednesday, January 03, 2018

Cloud Native Applications with JWT


A cloud-native application is an application that is developed for a cloud computing environment.

There is no single answer to the question "what is a cloud-native application", but rather a set of concepts that such an application must meet.

One of the most important, in my opinion, is the ability to scale up and down at a rapid rate. This means that our applications cannot keep any state on individual servers: if one server goes down or is scaled down, the state stored on that server is lost.

This is very well summarized at https://www.youtube.com/watch?v=osz-MT3AxqA, where it is explained with a shopping cart example. In the monolith approach, you store the products of the shopping cart in a server session; if the server goes down, all the products in the shopping cart are lost as well. In a cloud-native app, where server instances can be scaled up and down quickly, it is important not to have this stateful behavior in your services, and to design them to be stateless.

There are different approaches to achieving this goal of implementing a stateless architecture, but they can be summarized into two categories:
  • Use a distributed in-memory key/value data store like Infinispan.
  • Use a token which acts as a session between client and server, using for example JWT.
In this post, I am going to introduce you to the latter approach.


JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.  

This information can be verified and trusted because it is digitally signed. JWTs can be signed with a secret (using HMAC) or with a public/private key pair (using RSA).

JSON Web Tokens consist of three Base64Url-encoded strings separated by dots: Header.Payload.Signature

So the basic idea for implementing a stateless architecture on the backend using JWT is the following:
  1. When the user adds the first product, the backend service generates a new JWT token containing the added product and sends it back to the frontend.
  2. When the user adds a new product, the frontend sends the product to add together with the JWT token that the backend sent before.
  3. The backend verifies that the token has not been modified (by verifying the signature), then reads the previously added products from the JWT payload and adds the new one to the list. Finally, it creates a new token with the previous and new products and sends it back to the frontend.
  4. The same process is repeated every time.
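The following is an added example, not code from the original post or from the shop-jwt project, that walks through the token structure and the four steps above in Python using only the standard library: the token is built as Header.Payload.Signature with an HS256 (HMAC-SHA256) signature, the backend verifies the signature before trusting the product list, and a token whose payload has been altered is rejected. The secret, the product names and the `products` claim are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; in a real deployment it comes from a secrets store.
SECRET = b"demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    # Base64Url without padding, as the JWS spec requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def encode_jwt(payload: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature_b64 = _b64url_encode(_sign(signing_input, secret))
    return f"{header_b64}.{payload_b64}.{signature_b64}"


def decode_jwt(token: str, secret: bytes = SECRET) -> dict:
    """Verify the signature and return the claims; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected header.payload.signature")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, never the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = _sign(signing_input, secret)
    presented = _b64url_decode(signature_b64)
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, presented):
        raise ValueError("invalid signature: token was modified or signed with another key")
    return json.loads(_b64url_decode(payload_b64))


def add_product(token, product: str) -> str:
    """Backend step: verify the incoming token (if any), append the product,
    and re-issue a fresh token. No cart state is kept on the server."""
    products = [] if token is None else decode_jwt(token)["products"]
    return encode_jwt({"products": products + [product]})


def cart_contents(token: str) -> list:
    """Frontend view of the cart: only what the verified payload says."""
    return decode_jwt(token)["products"]


def tampered_token_is_rejected(token: str) -> bool:
    """Check that a payload edited after signing fails verification."""
    header_b64, _, signature_b64 = token.split(".")
    edited_payload = _b64url_encode(json.dumps({"products": ["edited-item"]}).encode())
    edited_token = f"{header_b64}.{edited_payload}.{signature_b64}"
    try:
        decode_jwt(edited_token)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    first = add_product(None, "book")       # step 1: first product, first token
    second = add_product(first, "pen")      # step 2/3: token comes back, new one issued
    print(cart_contents(second))            # ['book', 'pen']
    print(tampered_token_is_rejected(second))  # True
```

Each call to `add_product` verifies before it trusts, and the server never stores the cart; the only server-side secret is the signing key, which every backend instance must share so that any of them can verify a token issued by another.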



So as you can see, it is no longer necessary to maintain any state or add any new database service on the backend side; you just need to send the JWT token back and forth with the products inside.

I have recorded a video of a simple shopping cart example where I show the stateless nature of the solution. It can be seen at:



Also if you want to check the project that I used for recording you can take a look at https://github.com/lordofthejars/shop-jwt.

Notice that this is just a simple post so you can get the basic idea. But you need to take the following things into consideration to use it in production:
  1. Use HTTPS instead of HTTP.
  2. JWT just signs the token; if you want extra protection apart from HTTPS, use JWE to encrypt the payload of the JWT token as well.
  3. Fingerprint the token to avoid man-in-the-middle attacks, and use these parameters as authentication parameters for the token.
  4. JWT can be used for passing authentication and authorization information as well.
You can watch my talk at JavaZone where I introduce some of these techniques:



The good part of the JWT approach is that it greatly simplifies the deployment of the service: you don't need to deploy or configure any other distributed database to share the content across the cluster, which minimizes the network problems of communicating with the distributed database and the risk of misconfiguring any of its nodes.

The drawback is that the client needs to be aware of the token, receive it and send it back, and deal with it. On the backend side, you need to sign and verify every token every time.

Note that this approach might work in some cases and might get into trouble in others (for example if there are parallel connections to the backend, all of them modifying the token). This post just shows an example of how I implemented this stateless approach in a project with specific requirements, but in other cases it might be wrong to do it this way. A real shopping cart implementation would have some problems, but for the sake of simplicity and having a business model that everyone understands, I decided to implement it in this way.

We keep learning,
Alex.
Turn it up, it's your favorite song (hey), Dance, dance, dance to the distortion, Turn it up (turn it up), keep it on repeat, Stumbling around like a wasted zombie (like a wasted zombie) (Chained to the Rhythm - Katy Perry)
Music: https://www.youtube.com/watch?v=Um7pMggPnug

Follow me at https://twitter.com/alexsotob
