I am trying to implement authentication for REST APIs using Spring Boot, but I'm getting confused between the words authentication and authenticate. Could someone please help me with how to implement authentication and authenticate in Spring Boot?
Spring Security Architecture guide:
Application security boils down to two more or less independent problems: authentication (who are you?) and authorization (what are you allowed to do?).
As a suggestion, you can review these sample articles:
Spring Security with JWT
Introduction to Spring Method Security
We are about to start a new microservice-based application and we are going to use Spring Boot for this. Feign client is a really convenient tool to use. But I recently came to know that Rest-Template is going to be deprecated and will be replaced by WebClient, and Feign Client internally uses Rest-Template. My question is: what should our action be in this case?
As far as I know, Spring Cloud OpenFeign does not use RestTemplate under the hood.
For example, you can also configure the use of OkHttpClient or ApacheHttpClient instead of the default one in order to support HTTP/2.
In response to your question, you can use the Spring Cloud OpenFeign independently of RestTemplate and WebClient.
I'm working on a Spring Boot application which has both a REST API and JWT authentication. But it's over-weighted and I'm planning to detach the security module to another microservice.
What are some of the advantages and disadvantages of having this level of separation?
Are there any security concerns that may introduce vulnerabilities in the separated REST API?
You can do authentication on a different service or even use a third-party tool or provider, e.g. Auth0 or Keycloak.
Only the authorization should be in the "business" service.
I have a microservices architecture, and I want to secure the REST API of each microservice, which is developed in Spring Boot. Should I use Spring Security in each one? I have an auth service, which will be the authenticator and authorizer, and the other microservices will use its services to validate the token and authorization? Is this correct? Any help with the code?
The approach I take in my projects is to have a gateway application netflix-zuul (not actively developed anymore but more mature) or spring-cloud-gateway (developed by the spring team and a successor to zuul, but still has some quirks as a rather fresh project. Recommended for new apps)
The gateway would then be the only service that is directly exposed to the user while all of the other services (auth, business logic, etc) would be placed in a DMZ and unreachable from the outside of your network.
If you follow the said architecture, you would only need to implement security in the gateway service and, assuming the implementation and the network setup is correct, you would not need to worry about the security inside the other services.
In practice, I still keep the token parsing modules in each service as the access token carries user-identifying information that is used in my business logic. This, however, is used for data transportation and not for security purposes.
The gateway has to be configured (plenty of guides and samples are available online for either of the two) to be aware of each of your services or you might want to include a service registry (such as netflix-eureka) to keep track of all of your services and instances.
A service registry is a lightweight service that would provide your gateway service with dynamic aliases for each service, save you all the set-up hassle when you are scaling your infrastructure beyond a single PM (physical machine), and provide load balancing for you at little to no additional development cost.
Yes, to secure endpoints of all services, the best approach is to implement Spring Security in all applications. You can have one centralized application that performs authentication and authorization (let's say, auth-service). Other services would use an authentication manager that would point to remote token service (present in your auth-service). With this in place, you can define security protection rules for various endpoints in each application, something like this:
<sec:filter-security-metadata-source id="securityMetadataSource"
                                     request-matcher="ant"
                                     use-expressions="true">
    <sec:intercept-url pattern="/admin/**" access="isFullyAuthenticated() and hasRole('ADMIN')"/>
</sec:filter-security-metadata-source>
In the above example, we've declared a rule that all endpoints that start with /admin/** should be authenticated and should have the role ADMIN.
Depending on your use case, you can configure each service to also authenticate itself. This means you can secure your intra-service communication as well.
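The same /admin/** rule in Java configuration, as an added example that is not part of the original answer. It assumes Spring Security 6 with spring-boot-starter-oauth2-resource-server, and it validates the JWT locally against the auth-service's published keys instead of calling a remote token service; the JWKS URL and the "roles" claim name are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;

@Configuration
@EnableWebSecurity
public class ServiceSecurityConfig {

    // Assumption: placeholder URL where the auth-service publishes its signing keys.
    private static final String AUTH_JWKS = "https://auth-service.example.internal/jwks.json";

    @Bean
    JwtDecoder jwtDecoder() {
        // Checks the token signature and its exp/nbf timestamps inside this service.
        return NimbusJwtDecoder.withJwkSetUri(AUTH_JWKS).build();
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        // By default only "scope"/"scp" claims are mapped (to SCOPE_* authorities),
        // so hasRole('ADMIN') would never match. Map the assumed "roles" claim to ROLE_*.
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles");
        roles.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(roles);
        return converter;
    }

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http, JwtAuthenticationConverter converter) throws Exception {
        http
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Same expression as the XML intercept-url rule above.
                .requestMatchers("/admin/**").access(new WebExpressionAuthorizationManager(
                    "isFullyAuthenticated() and hasRole('ADMIN')"))
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```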
I'm creating a microservice architecture demo application.
I have a doubt: do we need both Zuul and API-Gateway?
What is not possible in Zuul and API-Gateway so that we need both?
Please suggest.
Zuul brings along the capabilities of a gateway (or API-gateway). As stated in the documentation:
Zuul is a JVM-based router and server-side load balancer from Netflix
It is well integrated in the spring-boot cloud project and can be used as a router and load balancer. These are the core features of a gateway. Thus I would not double this function and stick to Zuul here.
Also I want to point out, that there are a lot of similar API-gateway solutions that can be used in the context of a spring-boot application. Here you can find an article explaining and comparing them. The three products mentioned there are:
NGINX
Zuul
Spring Cloud Gateway
What is the best way to orchestrate microservices in Spring Boot?
You have many options but I will list 3 of them that I would choose from:
Directly call the other microservice using REST calls (hard code the URL in a property file or create a service for inter service communication).
Setup microservice architecture with spring-cloud and netflix OSS
Setup microservice architecture with spring-cloud and kubernetes