Fine-Grained Access Control for Microservices

  • Antonio Nehme
  • Vitor Jesus
  • Khaled Mahbub
  • Ali Abdallah
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11358)


Microservices-based applications are considered a promising paradigm for building large-scale digital systems because of their flexibility, scalability, and agility of development. For digital services to be adopted, applications that hold personal data must be secure while giving end-users as much control as possible. For software developers, on the other hand, adopting a security solution for microservices requires that it be easily adaptable to the application context and requirements while fully exploiting the reusability of security components. This paper proposes a solution that targets key security challenges of microservice-based applications. Our approach relies on a coordination of security components and offers fine-grained access control in order to minimise the risks of token theft, session manipulation, and a malicious insider; it also renders the system resilient against confused deputy attacks. The solution is based on a combination of the OAuth 2 and XACML open standards, and is realised through reusable security components integrated with the microservices.


Keywords: Microservices; Security; Confused deputy attack; Gateways; Access control



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • School of Computing and Digital Technologies, Birmingham City University, Birmingham, UK
