This talk is about how to secure your front-end and back-end applications using a RESTful approach. As opposed to traditional, monolithic server-side applications (where the HTTP session is used), when your front-end application runs in the browser rather than securely on the server, there are a few things you need to consider. In this session Álvaro will explore standards like OAuth 2 and JWT to achieve stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.
Authentication is normally a stateful service. Most implementations rely on the HTTP session, which introduces state: the session is an in-memory data structure held by the application server.
In the microservices era, most companies are developing so-called RESTful services, where one of the principles is to build stateless systems. In such a scenario, authentication should be stateless too.
There is a standard specification for securing web applications and APIs that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation, and most of the existing ones depend on some sort of external storage (such as a database) to store the generated tokens for later validation.
Fortunately, there is another IETF specification, JSON Web Token (JWT), which can be combined with OAuth 2 to achieve a stateless authentication system.
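The following is an added example, not code from the talk or from the Spring Security REST plugin, showing the combination described above in the smallest possible form: an HS256-signed JWT (RFC 7519) is minted as an OAuth 2 bearer token and later validated by a resource server using nothing but the shared secret, so no token store or HTTP session is needed. The secret, issuer URL, subject and scope values are constructed for illustration, and only the Python standard library is used.

```python
"""Added example (not from the talk or the Spring Security REST plugin):
an HS256 JSON Web Token issued as an OAuth 2 bearer token and validated
statelessly with the Python standard library only."""
import base64
import hashlib
import hmac
import json

# Constructed values: a real deployment loads the secret from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://auth.example.test"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, now: int, ttl: int = 900) -> str:
    """Mint a signed JWT. Nothing is stored server-side: the claims travel
    inside the token and the signature lets any instance that knows SECRET
    validate it later."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "scope": " ".join(scopes),
        "iat": now,
        "exp": now + ttl,  # short lifetime: a stateless token cannot be revoked
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, now: int) -> dict:
    """Stateless validation: check the algorithm, the signature, the issuer
    and the expiry. Raises ValueError on any failure, else returns claims."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own "alg" choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        SECRET, (header_b64 + "." + claims_b64).encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def handle_request(authorization_header: str, now: int) -> tuple:
    """A resource-server check: parse the OAuth 2 bearer header (RFC 6750)
    and validate the token. Returns (status, detail)."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = validate_token(authorization_header[len("Bearer "):], now)
    except ValueError as err:
        return 401, str(err)
    return 200, claims["sub"]


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = issue_token("alice", ["read"], t0)
    print(handle_request("Bearer " + token, t0 + 10))    # (200, 'alice')
    print(handle_request("Bearer " + token, t0 + 1000))  # (401, 'token expired')
```

Because no server-side record exists, the only ways to invalidate a token are to let it expire or to rotate the secret, which is why the example uses a short `exp` and why the resource server checks it on every request. Pinning `alg` to the one algorithm the server expects is the check that prevents a client from downgrading the signature scheme through the token header.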
In the session, Álvaro will explain the core concepts of OAuth 2 and JWT, and how they can be used together to achieve the last two letters of REST: State Transfer.
Álvaro is a passionate software architect and agile enthusiast with over 14 years of experience. He started his career in 2001 coding in Perl and Java, but then quickly focused on Java EE, working for companies like IBM BCS, BEA Systems and Sun Microsystems. He founded his own company, Salenda, in 2005, and since 2007 he has specialised in Groovy/Grails, introducing them in Spain by founding Escuela de Groovy, the very first Grails company in Spain. He now works at 4finance as Application Architect. He is a speaker at conferences like Greach, Codemotion Madrid and Rome, GGX London and GR8Conf Copenhagen (lanyrd.com/profile/alvaro_sanchez/). He has also written several Grails plugins, including Spring Security REST, which provides stateless, RESTful, token-based authentication for Grails using OAuth 2 and JWT (github.com/alvarosanchez).