DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Please enter at least three characters to search
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Modernize your data layer. Learn how to design cloud-native database architectures to meet the evolving demands of AI and GenAI workkloads.

Secure your stack and shape the future! Help dev teams across the globe navigate their software supply chain security challenges.

Releasing software shouldn't be stressful or risky. Learn how to leverage progressive delivery techniques to ensure safer deployments.

Avoid machine learning mistakes and boost model performance! Discover key ML patterns, anti-patterns, data strategies, and more.

Related

  • Building AMQP-Based Messaging Framework on MongoDB
  • Spring Boot - Microservice- JaxRS Jersey - HATEOAS - JerseyTest - Integration
  • USA PATRIOT Act vs SecNumCloud: Which Model for the Future?
  • The Evolution of Adaptive Frameworks

Trending

  • Subtitles: The Good, the Bad, and the Resource-Heavy
  • Mastering Advanced Traffic Management in Multi-Cloud Kubernetes: Scaling With Multiple Istio Ingress Gateways
  • How to Format Articles for DZone
  • Develop a Reverse Proxy With Caching in Go
  1. DZone
  2. Data Engineering
  3. Data
  4. GDPR-Ready Microservices Framework

GDPR-Ready Microservices Framework

In this post, we take a look a how developers can use a microservices framework to create GDPR complaint applications that ensure data security.

By 
Grzegorz Skorupa user avatar
Grzegorz Skorupa
·
May. 08, 18 · Analysis
Likes (5)
Comment
Save
Tweet
Share
6.6K Views

Join the DZone community and get the full member experience.

Join For Free

The General Data Protection Regulation (GDPR), in Article 25, addresses data protection by design as a legal obligation for data controllers and processors. This requirement is particularly important for architects and developers implementing programs collecting such data.

GDPR Compliant Microservices

Cricket Microservices Platform offers a specific set of features that programmers can use to provide GDPR compliance:

  • Secure communication

  • User database encryption (both: operational and backup)

  • API request authentication

  • Access rights

  • Two-phase confirmation

  • "Forget me" implementation

  • Data access log

  • Data export

Secure Communication

Communication encryption is usually delegated to a separate service (e.g. NGINX, Apache httpd), but the embedded HTTP server also supports SSL. Thanks to this, we can immediately start our microservice protected by the default, self-signed certificate.

Database Encryption

User data is stored in the separate database so we can connect to an external, encrypted one. We can use the embedded H2 database as well, which uses the AES-128 encryption algorithm to protect the database and the backup files.

API Request Authentication

All API requests, except user registering and logging, require access tokens. Tokens have a configurable expiration time and are managed by the dedicated adapter exposing the REST API.

Access Rights

Personal data is only available to the user and administrators, so standard data is protected by default.

Each request in the authentication process is given an additional header identifying the user. We can use this to design our own API to check each request for compliance with the authorization policy.

Two-Phase Confirmation

To register a user with the REST API, two steps are required:

  1. Create a user account.

  2. Modification of the account by changing the "confirmed" parameter.

This allows us to comply with the requirement of informed consent to the storage of personal data.
The internal scheduler will help us automatically delete unconfirmed accounts.

"Forget Me" Implementation

Right to erasure, addressed in Article 17, requires an administrator to erase personal data without undue delay, in strictly defined cases.

The user's ability to delete his own data is implemented by default. Other cases must be implemented depending on the characteristics of the implemented service. Designing of appropriate procedures will be facilitated by the platform's architecture, including the event system.

Data Access Log

Cricket uses a special event category fired by used data activities (CRUD). These events, along with the dedicated logger adapter, are used to create anonymized data access log files. These elements can also be used to implement a specific, extended logging policy.

Data Export

User data can be exported as a file in JSON format using the REST API. Logged in users can do this at any time without administrator assistance.

Use Cases

The method of registering a user and accessing data using the REST API of a site built using the Cricket Microservices Framework can be traced on the following examples. We will use for this purpose a microservice operating locally on port 8080 and a cURL program as a REST API client.

If we already have Docker installed, it is easiest to use a ready-made container with the "Microsite" service of the Cricket platform.

$ docker run -p 127.0.0.1:8080:8080 gskorupa/cricket-microsite:latest

Having the service up and running, we can start testing.

1. We generate a session token for the admin user

$ echo admin:cricket|base64
YWRtaW46Y3JpY2tldAo=

$ curl -k -H "Authentication: Basic YWRtaW46Y3JpY2tldAo=" -H "Accept: text/plain" -X POST "http://localhost:8080/api/auth"
YWRtaW46MTUyNTQ3MTg0MDQzMA==

2. We register the user with the name/login user1.

$ curl -H "Accept: text/plain" -d "uid=user1&email=myname@myserver&password=mypassword" http://localhost:8080/api/user
user1

3. The administrator has access to the data of each user. By using our token, we can download user data.

$ curl -k -H "Authentication: YWRtaW46MTUyNTQ3MTg0MDQzMA==" http://localhost:8080/api/user/user1
{
  "type":0,
  "uid":"user1",
  "email":"myname@myserver",
  "role":"",
  "confirmed":false,
  "unregisterRequested":false,
  "confirmString":"LTE1NDY3NzU5Mzg0NTg0NzI4MjM",
  "password":"34819d7beeabb9260a5c854bc85b3e44",
  "authStatus":0,
  "createdAt":1525472221682,
  "number":4
}

4. A registered user does not have access to the system (they cannot download the session token) until they confirm the registration (users consent to the processing of personal data).

$ echo user1:mypassword|base64
dXNlcjE6bXlwYXNzd29yZAo=

$ curl -k -H "Authentication: Basic dXNlcjE6bXlwYXNzd29yZAo=" -H "Accept: text/plain" -X POST "http://localhost:8080/api/auth"
authorization required

5. The administrator can confirm the user's agreement to the processing of personal data (we assume that the admin obtained such consent).

$ curl -k -H "Authentication: YWRtaW46MTUyNTQ3MTg0MDQzMA==" -X PUT -d "confirmed=true" http://localhost:8080/api/user/user1
{
  "type":0,
  "uid":"user1",
  "email":"myname@myserver",
  "role":"",
  "confirmed":true,
  "unregisterRequested":false,
  "confirmString":"LTE1NDY3NzU5Mzg0NTg0NzI4MjM",
  "password":"34819d7beeabb9260a5c854bc85b3e44",
  "authStatus":1,
  "createdAt":1525472221682,
  "number":4
}

6. After confirming the registration, the user can log in, get a session token, and then download his data.

$ curl -k -H "Authentication: Basic dXNlcjE6bXlwYXNzd29yZAo=" -H "Accept: text/plain" -X POST "http://localhost:8080/api/auth"
dXNlcjE6MTUyNTQ3MjUzMTIwMQ==

$ curl -k -H "Authentication: dXNlcjE6MTUyNTQ3MjUzMTIwMQ==" http://localhost:8080/api/user/user1
{
  "type":0,
  "uid":"user1",
  "email":"myname@myserver",
  "role":"",
  "confirmed":true,
  "unregisterRequested":false,
  "confirmString":"LTE1NDY3NzU5Mzg0NTg0NzI4MjM",
  "password":"34819d7beeabb9260a5c854bc85b3e44",
  "authStatus":1,
  "createdAt":1525472221682,
  "number":4
}

7. However, attempts to download another user's data will fail.

$ curl -i -H "Authentication: dXNlcjE6MTUyNTQ3MjUzMTIwMQ==" http://localhost:8080/api/user/admin
HTTP/1.1 403 Forbidden
Access-control-allow-headers: Authentication
Pragma: no-cache
Access-control-max-age: 1728000
Date: Fri, 04 May 2018 22:25:46 GMT
Access-control-allow-methods: POST, GET, OPTIONS, DELETE, PUT
Last-modified: Fri, 4 May 2018 22:25:46 UTC
Content-type: application/json; charset=UTF-8
Access-control-allow-origin: *
Access-control-allow-credentials: true
Content-length: 6

null
microservice Data (computing) Framework

Published at DZone with permission of Grzegorz Skorupa. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • Building AMQP-Based Messaging Framework on MongoDB
  • Spring Boot - Microservice- JaxRS Jersey - HATEOAS - JerseyTest - Integration
  • USA PATRIOT Act vs SecNumCloud: Which Model for the Future?
  • The Evolution of Adaptive Frameworks

Partner Resources

×

Comments
Oops! Something Went Wrong

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends:

Likes
There are no likes...yet! 👀
Be the first to like this post!
It looks like you're not logged in.
Sign in to see who liked this post!