Thomas Südbröcker

Get started with securing your cloud-native Java microservices applications

Secure your entire cloud-native Java stack. This guide covers JWT authentication with Keycloak and encrypts all internal traffic with Istio's mutual TLS.

Get started with securing your cloud-native Java microservices applications
#1about 5 minutes

Introducing the cloud-native starter security project

An overview of the sample Java microservices application, its architecture, and the security goals of the workshop.

#2about 7 minutes

Choosing an open source stack for security

Keycloak, Quarkus, and MicroProfile are chosen for their standards-based support for OpenID Connect and JSON Web Tokens.

#3about 12 minutes

Implementing the authentication and authorization workflow

The complete login flow is detailed, from the frontend JavaScript SDK to backend token propagation between microservices.

#4about 13 minutes

Understanding platform security with the Istio service mesh

Core Istio concepts are explained, including the sidecar proxy model for traffic control, ingress gateways, and mutual TLS.

#5about 6 minutes

Setting up the hands-on lab environment

Instructions are provided for requesting a pre-configured Kubernetes cluster on IBM Cloud to follow along with the workshop.

#6about 29 minutes

Configuring the Istio ingress with a TLS certificate

This lab section covers installing Istio and configuring the ingress gateway with a DNS name and a Let's Encrypt TLS certificate.

#7about 17 minutes

Deploying and configuring the full application stack

The lab continues with deploying Keycloak, the Java microservices, and the web frontend onto the Kubernetes cluster.

#8about 17 minutes

Enforcing internal security with mTLS and authorization policies

Learn how to apply a strict mutual TLS policy to encrypt all internal traffic and use authorization policies to control service-to-service communication.

#9about 2 minutes

Conclusion and next steps in cloud security

The workshop concludes with a recap and a look at other important security dimensions like container scanning and vulnerability management.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Comparing the security models of browsers and native apps
05:01 MIN

Comparing the security models of browsers and native apps

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Crypto crime, EU regulation, and working while you sleep
01:15 MIN

Crypto crime, EU regulation, and working while you sleep

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

Malware campaigns, cloud latency, and government IT theft
01:06 MIN

Malware campaigns, cloud latency, and government IT theft

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

Technical challenges of shipping a cross-platform browser
09:38 MIN

Technical challenges of shipping a cross-platform browser

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Preventing exposed API keys in AI-assisted development
03:45 MIN

Preventing exposed API keys in AI-assisted development

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Getting hired by contributing to open source projects
05:32 MIN

Getting hired by contributing to open source projects

Devs vs. Marketers, COBOL and Copilot, Make Live Coding Easy and more - The Best of LIVE 2025 - Part 3

The security challenges of building AI browser agents
06:33 MIN

The security challenges of building AI browser agents

AI in the Open and in Browsers - Tarek Ziadé

Europe's push for digital independence from US tech
05:17 MIN

Europe's push for digital independence from US tech

WeAreDevelopers LIVE – AI, Freelancing, Keeping Up with Tech and More

Featured Partners

Related Videos

See all videos
Keycloak case study: Making users happy with service level indicators and observability27:15

Keycloak case study: Making users happy with service level indicators and observability

Alexander Schwartz

Architecting API Security47:34

Architecting API Security

Philippe De Ryck

Enabling automated 1-click customer deployments with built-in quality and security44:40

Enabling automated 1-click customer deployments with built-in quality and security

Christoph Ruggenthaler

You can’t hack what you can’t see29:34

You can’t hack what you can’t see

Reto Kaeser

Development of reactive applications with Quarkus39:10

Development of reactive applications with Quarkus

Niklas Heidloff

Security Challenges of Breaking A Monolith45:19

Security Challenges of Breaking A Monolith

Reinhard Kugler

2021: Familiar APIs on Kickass Runtimes #slideless37:55

2021: Familiar APIs on Kickass Runtimes #slideless

Adam Bien

Serverless Java in Action: Cloud Agnostic Design Patterns and Tips27:11

Serverless Java in Action: Cloud Agnostic Design Patterns and Tips

Kevin Dubois & Daniel Oh

Related Articles

View all articles
CH
Chris Heilmann
With AIs wide open - WeAreDevelopers at All Things Open 2025
Last week our VP of Developer Relations, Chris Heilmann, flew to Raleigh, North Carolina to present at All Things Open . An excellent event he had spoken at a few times in the past and this being the “Lucky 13” edition, he didn’t hesitate to come and...
With AIs wide open - WeAreDevelopers at All Things Open 2025

From learning to earning

Jobs that call for the skills explored in this talk.

Platform Engineer (m/w/d)

Platform Engineer (m/w/d)

Qvest Digital AG
Bonn, Germany

Remote
Intermediate
Senior
Terraform
Continuous Integration
Cloud (AWS/Google/Azure)