When I turn Circuit Breaker on I'm getting authentication problems from my services, because authorization token is not present in headers of request.
I found in the web that Circuit Breaker runs on secondary thread, that doesn't has spring security context.
For hystrix, the solution I found is to use shareSecurityContext=true config option, and implement a request interceptor that get the token and set for request.
But, for resilience4j, I not found a solution.
Thanks for help.
Related
I am using keycloak (v15.0.2) adapter for spring boot to achieve RBAC in one of my projects. I observed that the adapter makes a rest call to authorization server per request for policy evaluation. Is there a way to avoid this extra network call?
I am new to spring microservice world. As I am in learning phase, I tried and implemented the following things.
Authentication/Authorization as a separate microservice
Routing (Able to route using Spring cloud gateway)
Load balancing (Netflix Eureka)
Rate Limit and Circuit Breaker (Resilience4j)
I just need certain clarification and suggestion on what to do in these situations:
As I already had created Authentication/Authorization as a separate microservice centralized.
Now how can I implement such that every request must contain jwt token and pass-through API gateway to call other microservice also it should check which user has permission to access API in other microservice
If some has same good source so that I can learn please do share or if someone has a basic skeleton on GitHub.
Requests from outside your cluster should be intercepted/validated by Zuul (example) will be your gatekeeper which will pass the request to the request checker in this case would be your authentication service where the acquired token will be validated (this should exists at the header of the request). One tokens are validated, the request will be routed to the authorization service to check if the user has access to particular endpoint based on your rules defined for access.
I've been creating an OAuth2 Login application with Spring Security and have been making good progress, The Identity Provider I am working with requires that their /authorization endpoint be triggered with an HTTP POST.
I've been doing some testing and it seems that Spring Security triggers the /authorization endpoint by a GET request.
From looking at the OAuth RFC documentation, I see the following.
https://www.rfc-editor.org/rfc/rfc6749#section-3.1
The authorization server MUST support the use of the HTTP "GET"
method [RFC2616] for the authorization endpoint and MAY support the
use of the "POST" method as well.
So before I implement anything custom to trigger a POST request to the authorization server I am integrating with, I was just curious if anyone knew of a way to get Spring Security to trigger a POST for the /authorization instead of a /GET.
Curious if I'm missing where that functionality is supported, if at all.
Thanks for your time.
You can use springsecurity and oauth2server to configure your login model and through this interface to login
POST:
http://your_ip:port/auth/oauth/token?grant_type=password&username=username&password=password&client_id=yourclientid&client_secret=yoursecret
I am creating a project with microservices architecture using spring. I have zuul for centralized security management, and some other microservices.
To access current authenticated user, in zuul i use this line of code :
SecurityContextHolder.getContext().authentication
But to get the user from other microservices, i extract the token (jwt) from the header in each request, and then i extract user info from the claims, but i find this method is a little annoying.
So, is there another more pretty method?
I tried to add the dependencies of spring security in the other microservices to use :
SecurityContextHolder.getContext().authentication
but every time i execute a request through zuul, even if the authentication is done from there, i get an unauthorized error message, despite having disabled the security autoconfiguration from these microservices.
Any suggestion?
Using SecurityContextHolder.getContext().authentication won't work in other microservices until you set the principal object in the Spring SecurityContext.
I don't know why you are setting the principal in security context at Zuul and extracting the same there, But yes Authentication and token validation should be done at Zuul and same jwt should be sent to backend microservices in header.
Now in backend microservices, By using spring security, extract the required claims from jwt and put in the SecurityContextHolder once, So that you can utilize it further for request authorizations or method level authorizations too.
I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization is much simpler manner.
Spring Security would require you an implementation that looks at request headers and performs the log-in operation programmatically.
Refer the accepted answer here.. I had followed the same and implemented the security layer in front of my rest services ( which were build using RestEasy )
RESTful Authentication via Spring
There is an alternate method as well..
Refer
http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable the session creation by declaring the stateless authentication in spring security, this would help you improve the performance considerably when large volume of hits are made to the state-less REST services..