We have developed a project using Spring Boot microservices. We have implemented Spring Security on each microservice. We are using WSO2 IAM. Is it good practice to use security on each microservice, or should there be a common module for Spring Security that can be called in each microservice?
Related
I want to use Spring Cloud Gateway with SAML. Is this possible?
It seems that the SAML extension for Spring Security is based on the old Spring stack and won't work with Gateway.
Has anybody got any experience on this?
I'm afraid SAML is not supported as of the time of writing. Spring Cloud Gateway has been redeveloped using reactive programming and is now based on Spring WebFlux. Only the following authentication methods are currently supported:
OAuth 2.0 or OpenID Connect 1.0
x509 authentication
This is stated on SCG page:
Spring Cloud Gateway is built on Spring Boot 2.x, Spring WebFlux, and
Project Reactor. As a consequence, many of the familiar synchronous
libraries (Spring Data and Spring Security, for example) and patterns
you know may not apply when you use Spring Cloud Gateway. If you are
unfamiliar with these projects, we suggest you begin by reading their
documentation to familiarize yourself with some of the new concepts
before working with Spring Cloud Gateway.
The previous gateway spring-cloud-netflix-zuul, based on Servlets and which supported SAML, has been removed from Spring Cloud 2020.
Here is an open issue on GitHub, SAML2 for reactive environment, where we can vote to ask for this to be implemented.
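An added example, not part of the original answer, of the OAuth 2.0 / OpenID Connect option on a reactive gateway: the gateway logs the user in through OIDC and relays the access token to a downstream service. It assumes Spring Cloud Gateway 3.x or later with spring-boot-starter-oauth2-client on the classpath and a client registration under spring.security.oauth2.client.*; the route id, path and downstream URI are hypothetical.

```java
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    // Reactive counterpart of a servlet SecurityFilterChain: every exchange
    // must be authenticated except the health probe.
    @Bean
    SecurityWebFilterChain gatewaySecurity(ServerHttpSecurity http) {
        return http
            .authorizeExchange(ex -> ex
                .pathMatchers("/actuator/health").permitAll()
                .anyExchange().authenticated())
            // OIDC login against the provider configured in application properties
            .oauth2Login(Customizer.withDefaults())
            .build();
    }

    // Forward the logged-in user's access token as a Bearer header so the
    // downstream microservice can validate it itself instead of trusting
    // the gateway blindly.
    @Bean
    RouteLocator routes(RouteLocatorBuilder builder) {
        return builder.routes()
            .route("orders", r -> r.path("/orders/**")   // hypothetical route
                .filters(f -> f.tokenRelay())
                .uri("http://orders.internal.example:8081")) // hypothetical downstream service
            .build();
    }
}
```

The downstream service would then be configured as an OAuth 2.0 resource server and verify the relayed token on every request.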
I just started learning Spring Cloud Security and I have a basic question. How is it different from Spring Security? Do we need our application to be built on Spring Boot to use Spring Cloud Security?
Thanks in advance.
Spring Security is a standalone framework within Spring Framework. Spring Cloud Security is a Cloud Container and MicroServices focused Security Framework that provides Tokenised Security for Spring Boot applications.
I got the instruction below from the Spring Boot doc:
Adding both spring-boot-starter-web and spring-boot-starter-webflux modules in your application results in Spring Boot auto-configuring Spring MVC, not WebFlux. This behavior has been chosen because many Spring developers add spring-boot-starter-webflux to their Spring MVC application to use the reactive WebClient. You can still enforce your choice by setting the chosen application type to SpringApplication.setWebApplicationType(WebApplicationType.REACTIVE)
My question is:
What if my application contains both MVC services and webflux services?
Is it supported?
For example:
I may have some existing admin service which is MVC based. Now I want to add some new services with webflux style.
No, this is not supported. Spring MVC and Spring WebFlux have different runtime models and don't support the same servers (for example, Spring WebFlux can be run with Netty, Spring MVC cannot).
Also, Spring MVC and Spring WebFlux are full web frameworks, meaning each has its own infrastructure that somehow duplicates the other. Deploying both in the same app would make it difficult to map requests (which requests should go where?).
I have a Spring web application - which doesn't use Spring-based GUI, but Wicket - and I would like to build contract-first REST services.
I already have a contract defined in Swagger and I generate model and API artifacts. Swagger codegen generates either Spring Boot artifacts, or Spring MVC ones.
My intention is to use ideally just a model, and maybe API (controllers) from this generated code. But to my knowledge/research, there is no simple way to have just a simple REST service without MVC/Boot boilerplate.
Therefore my questions are:
Is it possible to build a lightweight Spring-based REST service, without having the "heavy" dependency of full Spring MVC/Spring Boot?
If not, which approach is more lightweight? Spring Boot, or Spring MVC?
You are misinterpreting the Spring ecosystem.
Spring MVC is THE REST web and web service library within the Spring portfolio.
The same way as Spring-WS is THE SOAP web service library.
They are very similar in architecture and style of use.
The fact that Spring MVC is bundled with Spring Framework does not change the situation.
Spring Boot does not bring any new REST offering. It is just a bootstrap mechanism to start Java web server with web app already deployed from a plain main() method. Therefore if you see "Building REST web services with Spring Boot", it just means that it is Spring MVC bootstrapped by Spring Boot.
Therefore, the question to what is more lightweight is straightforward: Spring MVC.
To answer the question #2:
The usage of Spring MVC is more lightweight than usage of Spring Boot:
Size of the WAR archive:
6,1 MB for Spring MVC
9,2 MB for Spring Boot
Number of libraries in WAR archive:
12 for Spring MVC
28 for Spring Boot
I'm in the process of converting a Tomcat deployed web app to a Spring Boot packaged web UI. The original Tomcat WAR used Spring Security to secure URL's exposed by the web app. Within a short while I will be developing a second web app that will be deployed as a second discrete Spring Boot app.
Before using Spring Boot I would probably have encapsulated both web apps into a single WAR file using Spring Security to secure the URL's of both.
However, given that there are now two distinct JARs deployed onto two distinct servers, how do I apply a common Spring Security model? If a user is authenticated on web app #1 then I want that authenticated state to be recognized by web app #2, to avoid the user having to log in again.
To reduce interdependence should I configure each Spring Boot app to employ the same underlying Spring Security configuration? Or is there a different approach required?
An excellent article for your problem at https://spring.io/guides/tutorials/spring-security-and-angular-js/
You have to use @EnableRedisHttpSession and @EnableZuulProxy annotations.
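An added example, not taken from the answer or the linked tutorial, of the shared-session half of that suggestion: a configuration class that both Spring Boot apps include so they read the same session from Redis. It assumes Spring Session Data Redis on the classpath and a Redis connection configured through Spring Boot properties; the class name and timeout value are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Put this class in a small shared module and import it from both apps so the
// session store and cookie settings cannot drift apart.
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 900) // illustrative 15-minute idle timeout
public class SharedSessionConfig {

    // Both apps must agree on the cookie name, and the browser must send the
    // cookie to both (same origin behind a gateway, as in the linked tutorial).
    @Bean
    CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        serializer.setCookiePath("/");
        serializer.setUseSecureCookie(true);   // only sent over HTTPS
        serializer.setUseHttpOnlyCookie(true); // not readable from page scripts
        serializer.setSameSite("Lax");         // limits cross-site sending
        return serializer;
    }
}
```

The Redis instance now holds every user's authenticated session, so it needs authentication and network restrictions of its own, and both apps need compatible Spring Security versions to deserialize the stored security context.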