I have created a JHipster application with a gateway and a few microservices. This JHipster application uses Keycloak for authentication. Now, I want a completely different application (a third-party application written in Java) to integrate with my JHipster application. This third-party application also uses the same Keycloak authentication server.
This third-party application should be able to consume my microservices. So basically this is a backend-to-backend integration.
Can anyone guide me on how to achieve this? Will simply using RestTemplate and calling the JHipster microservices work?
Regards,
Venky
Using Keycloak means it will be a stateful application. For integration with third parties, microservices should be stateless. So we use JHipster UAA. Clients with a valid OAuth token can call the microservices now.
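The token-bearing call the answer above ends on, sketched as an added example (not code from the thread or from JHipster). It assumes the OAuth2 client-credentials grant, which the thread does not name; the loopback stub, the paths /token and /api/orders, the client id and the secret are all constructed stand-ins for the real authorization server and microservice.

```java
import com.sun.net.httpserver.*;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.*;

public class BackendClientDemo {
    static final HttpClient HTTP = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
    // Client-credentials grant (RFC 6749, section 4.4): the backend authenticates as itself, no user involved.
    static String fetchToken(String tokenUrl, String clientId, String secret) throws Exception {
        String form = "grant_type=client_credentials&client_id=" + enc(clientId) + "&client_secret=" + enc(secret);
        HttpRequest req = HttpRequest.newBuilder(URI.create(tokenUrl))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> res = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 200) throw new IllegalStateException("token request failed: " + res.statusCode());
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(res.body());
        if (!m.find()) throw new IllegalStateException("no access_token in response");
        return m.group(1);
    }
    // Every call to the microservice carries the token in the Authorization header.
    static int callApi(String url, String token) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).header("Authorization", "Bearer " + token).GET().build();
        return HTTP.send(req, HttpResponse.BodyHandlers.ofString()).statusCode();
    }
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static void reply(HttpExchange ex, int code, String body) throws java.io.IOException {
        byte[] b = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(code, b.length);
        try (var os = ex.getResponseBody()) { os.write(b); }
    }
    public static void main(String[] args) throws Exception {
        // Constructed loopback stub standing in for the authorization server and one microservice.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/token", ex -> {
            String form = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            boolean ok = form.contains("grant_type=client_credentials") && form.contains("client_secret=constructed-secret");
            reply(ex, ok ? 200 : 401, ok ? "{\"access_token\":\"demo-token\"}" : "{\"error\":\"invalid_client\"}");
        });
        stub.createContext("/api/orders", ex -> reply(ex, "Bearer demo-token".equals(
                ex.getRequestHeaders().getFirst("Authorization")) ? 200 : 401, "{}"));
        stub.start();
        String base = "http://127.0.0.1:" + stub.getAddress().getPort();
        String token = fetchToken(base + "/token", "third-party-app", "constructed-secret");
        System.out.println("valid token -> HTTP " + callApi(base + "/api/orders", token));
        System.out.println("wrong token -> HTTP " + callApi(base + "/api/orders", "not-a-token"));
        stub.stop(0);
    }
}
```

Against a real deployment only the two URLs and the client credentials change; the secret belongs in the third-party application's secret store, not in source.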
Related
We are developing an Angular app, and we need to use the microservice aggregation (AWS API Gateway) pattern.
But we need to consume the REST services which are going to be deployed in API Gateway, to test while developing.
We have Spring Boot REST services as microservices.
I am writing a microservice app with Spring Boot and Spring Cloud. I have five modules, which are:
API-Gateway (based on the Spring Cloud Gateway spec)
Discovery-Server (based on Spring Cloud Netflix Eureka service discovery)
Microservice-A (a Spring Boot app that includes our business)
Microservice-B (a Spring Boot app that includes our business)
Microservice-C (a Spring Boot app that includes our business)
All requests which come from users are routed to the API gateway and, through the API gateway, sent to app A or B or C (these are not exposed externally). Now I have a question: based on one business role, app A will need to call one REST endpoint of app B. Which approach is the best? Should I call the app B endpoint from app A directly, or should I call it through the API gateway?
The API Gateway should serve as an ingress layer; it only accepts traffic which is coming from outside of your application (clients / external integrations). More details here.
Any internal communication between your microservices should be a point-to-point interaction, which can be done in multiple ways. This answer describes that in more detail.
So the API Gateway should not be concerned with orchestration of the microservices.
If I were you, I would use a message broker for microservices communication. Leave the API gateway for external clients. I think we overuse the HTTP protocol. With a microservice architecture we should try to think differently.
Currently in developer training, I am working on a personal project on Spring. I started Java 6 months ago, so there are certain notions that I have not yet mastered. My trainer does not know Spring at all, so he cannot help me.
I am also French and there is very little reliable documentation on Spring (it is evolving quickly).
For example, I followed a French tutorial on microservices, and I used Ribbon and the Zuul proxy, although they are currently in maintenance at Spring. I started all over (new project) to recode in reactive WebFlux.
I have several concerning spring starter security or spring cloud security
Spring cloud config (in connection with gitlab)
eureka server
admin server
gateway
2 business microservices
2 sub-module (model and repository)
I want all my microservices and the internal microservices (Eureka, admin server, config server) to be secure now. But I do not know how.
I want the microservices that consult config-server to identify themselves, and I also want the gateway microservice to identify itself to make requests to other microservices. Finally, I want all my microservices to be protected.
Should we put spring-starter-security in each microservice? Should we create a new microservice with spring-cloud-security?
Should we create a new spring-cloud-security microservice and add spring-starter-security everywhere?
https://cloud.spring.io/spring-cloud-security/2.2.x/reference/html/ Obviously I find this link not very explanatory
Thank you
In a microservice architecture that I have worked on, we have always used the OAuth2 specification for securing services.
OAuth2 is a token-based security framework that allows a user to authenticate themselves with a third-party authentication server. If the user successfully authenticates, they will be presented with a token that must be sent with every request. The token can then be validated back to the OAuth2 Server. The OAuth2 Server is the intermediary between the application and the services being consumed. The OAuth2 Server allows the user to authenticate themselves without having to pass their user credentials down to every service the application is going to call on behalf of the user.
You can find detailed information on OAuth2 at the following LINK.
I have implemented a simple microservice architecture to demonstrate how services are connected with each other.
Here is the link: LINK
Below is the image representing the architecture:
I have two Spring Boot applications. One is REST and the other one is a Spring Boot web MVC app which consumes the REST. The REST has Spring Security configured and I want to log in/log out from the client app. The client app has nothing but views and controllers to interact with the REST API.
I am using RestTemplate to interact with the API now.
If the client app is not secured, then any other anonymous app may do the same, and this is not security, it's a sieve...
If you want to create a custom authorization/authentication, you can create your own protocol and use tokens/JWT (possibly OpenID or another global technology) and exchange information between applications.
But there is a technology to do it all centrally and reliably: OAuth2, and Spring has it out of the box (authorization server, resource server, client). The biggest advantage is multiple applications (clients), one authorization: you create one user and can authenticate it on any client with the same credentials. You can customize it with JWT, and use any data in the access token and as a consequence get any information about the principal/authorization.
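What a resource service has to check before it trusts the data in a JWT access token, as an added example (not code from the answer above or from Spring). It assumes RS256; the key pair generated in main stands in for the authorization server's signing key, the claims are constructed, and the regex claim lookup is a stand-in for the JSON/JOSE library a real service would use.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.regex.*;

public class JwtCheckDemo {
    static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder B64D = Base64.getUrlDecoder();
    // Resource-service side: returns the payload JSON only if the token is RS256-signed by 'key' and unexpired.
    static String verify(String jwt, PublicKey key, long nowEpochSec) throws GeneralSecurityException {
        String[] p = jwt.split("\\.");
        if (p.length != 3) throw new SecurityException("not a compact JWS");
        String header = new String(B64D.decode(p[0]), StandardCharsets.UTF_8);
        // Pin the algorithm: the token must not choose how it is verified.
        if (!header.matches(".*\"alg\"\\s*:\\s*\"RS256\".*")) throw new SecurityException("unexpected alg");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64D.decode(p[2]))) throw new SecurityException("bad signature");
        String payload = new String(B64D.decode(p[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)").matcher(payload);
        if (!m.find() || Long.parseLong(m.group(1)) <= nowEpochSec) throw new SecurityException("expired or no exp");
        return payload; // only now may the claims drive authorization decisions
    }
    // Authorization-server side, present only so the demo has a token to check.
    static String sign(String payloadJson, PrivateKey key) throws GeneralSecurityException {
        String head = B64E.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = B64E.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update((head + "." + body).getBytes(StandardCharsets.US_ASCII));
        return head + "." + body + "." + B64E.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        long now = System.currentTimeMillis() / 1000;
        String jwt = sign("{\"sub\":\"alice\",\"roles\":[\"ROLE_USER\"],\"exp\":" + (now + 300) + "}", kp.getPrivate());
        System.out.println("claims: " + verify(jwt, kp.getPublic(), now));
        // Constructed tampering: swap in a different payload but keep the original signature.
        String evil = B64E.encodeToString(("{\"sub\":\"admin\",\"exp\":" + (now + 300) + "}").getBytes(StandardCharsets.UTF_8));
        String[] p = jwt.split("\\.");
        try { verify(p[0] + "." + evil + "." + p[2], kp.getPublic(), now); }
        catch (SecurityException e) { System.out.println("tampered token rejected: " + e.getMessage()); }
    }
}
```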
What is the standard approach in securing REST endpoints implemented with CXF in OSGI?
The system in question is a web application deployed as a WAB in Karaf. The application contains JavaScript making AJAX calls to a REST service implemented in a separate OSGI bundle using CXF. The main Web application is secured using Spring Security (with the standard DelegatingFilterProxy). The application should be open to be used with any security provider compatible with Spring Security.
We need to be able to obtain the user information in REST services based on the principal with which the user authenticated in the main Web application.
What is the best way to secure the REST endpoints in the application?
Thank you,
Michael