Securing Microservice Communication across WCF, JAX-RS, and Spring Boot: Authentication, Authorization, and Audit Patterns for Healthcare Interoperability
DOI: https://doi.org/10.63282/3117-5481/AIJCST-V8I2P102

Keywords: Microservice Security, WCF, JAX-RS, Spring Boot, OAuth 2.0, OpenID Connect, JWT, mTLS, API Gateway, Healthcare Interoperability, HIPAA, Authentication, Authorization, Audit Logging

Abstract
Healthcare integration environments commonly include services written across multiple eras of platform evolution. Windows Communication Foundation services from the early 2010s, Java EE web services using JAX-RS from the mid-2010s, and Spring Boot microservices from the late 2010s and onward all coexist in production at most healthcare technology vendors and many hospital information technology shops. Each stack expresses authentication, authorization, and audit through its own idioms, and securing communication across the heterogeneous environment requires both per-stack rigor and cross-stack consistency. This paper presents authentication, authorization, and audit patterns that work across WCF, JAX-RS, and Spring Boot services, with specific attention to the healthcare integration setting in which these services exchange protected health information. The patterns cover OAuth 2.0 and OpenID Connect token validation in each stack, mutual TLS as a transport-level complement to token-based authentication, attribute-based access control at the service boundary, and audit logging that satisfies both regulatory requirements and operational debugging needs. The paper closes with a discussion of how the patterns interact with API gateway and service mesh deployments, and with the architectural choices that determine whether security can be applied uniformly or has to be reasoned about per stack.
