Spring Security in a microservices architecture [closed] - spring

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I have a microservices architecture, and i want to secure the REST API of each microservice which is developed in spring boot, should i use spring security in each one? I have an auth service, which will be the authenticator and authorizator and the other microservices will use their services to validate token, authorization? Is this correct? Any help with the code?

The approach I take in my projects is to have a gateway application netflix-zuul (not actively developed anymore but more mature) or spring-cloud-gateway (developed by the spring team and a successor to zuul, but still has some quirks as a rather fresh project. Recommended for new apps)
The gateway would then be the only service that is directly exposed to the user while all of the other services (auth, business logic, etc) would be placed in a DMZ and unreachable from the outside of your network.
If you follow the said architecture, you would only need to implement security in the gateway service and, assuming the implementation and the network setup is correct, you would not need to worry about the security inside the other services.
In practice, I still keep the toked parsing modules in each service as the access token carries user-identifying information that is used in my business logic. This, however, is used for data transportation and not for security purposes.
The gateway has to be configured (plenty of guides and samples are available online for either of the two) to be aware of each of your services or you might want to include a service registry (such as netflix-eureka) to keep track of all of your services and instances.
A service registry is a lightweight service that would provide your gateway service with dynamic aliases for each service and save you all the set-up hassle when you are scaling your infrastructure beyond a single PM (physical machine) and provide load balancing for you at little to no additional development cost

Yes, to secure endpoints of all services, the best approach is to implement Spring Security in all applications. You can have one centralized application that performs authentication and authorization (let's say, auth-service). Other services would use an authentication manager that would point to remote token service (present in your auth-service). With this in place, you can define security protection rules for various endpoints in each application, something like this:
<sec:filter-security-metadata-source id="securityMetadataSource"
request-matcher="ant"
use-expressions="true">
<sec:intercept-url pattern="/admin/**" access="isFullyAuthenticated() and hasRole('ADMIN')"/>
In the above example, we've declared a rule that all endpoints that starts with /admin/** should be authenticated and should have role ADMIN.
Depending on your use case, you can configure that each services should also need to authenticate themselves. This means you can secure your intra-service communication as well.

Related

Spring starter security or spring cloud security How to secure an entire microservice architecture?

Currently in developer training, I am working on a personal project on spring. I started java 6 months ago, so there is a certain notion that I do not yet master. My trainer does not know spring at all, so he cannot help me.
I am also French and there is very little reliable documentation on spring (it is evolving quickly).
For example, I followed a French tutorial on microservices, and I used the ribbon and zuul proxy while they are currently in maintenance at spring. I started all over (new project) to recode in reactive webflux
I have several concerning spring starter security or spring cloud security
Spring cloud config (in connection with gitlab)
eureka server
admin server
gateway
2 business microservices
2 sub-module (model and repository)
I want all my microservices and the internal microservices (eureka, admin server, configserver) to be secure now. But I do not know how.
I want the microservice that consults config-server to identify themselves, and I also want the microservice gateway to identify itself to make requests to other microservices. Finally I want all my microservices to be protected.
Should we put spring-starter-security in microservice? Should we create a new microservice with spring-cloug-security?
Should we create a new spring-cloud-security microservice and add spring-start-security everywhere?
https://cloud.spring.io/spring-cloud-security/2.2.x/reference/html/ Obviously I find this link not very explanatory
Thank you
In a microservice architecture that I have worked, we have always used the OAUTH2 specification for securing service.
OAuth2 is a token-based security framework that allows a user to authenticate themselves with a third-party authentication server. If the user successfully authenticates, they will be presented with a token that must be sent with every request. The token can then be validated back to the OAuth2 Server. The OAuth2 Server is the intermediary between the application and the services being consumed. The OAuth2 Server allows the user to authenticate themselves without having to pass their user credentials down to every service the application is going to call on behalf of the user.
Detail information for OAuth2 you can find in the following LINK .
I have implemented simple microservice architecture for demonstrating how services are connected with each other.
Here is the link LINK
Below is the image representing the architecture:

How to setup Spring backend with JWT and Kubernetes

I implemented a Spring backend which is responsible to store different data (users, lectures, ...). This backend is secured with a JWT and everything is working fine. For my studies I want to enhance the backend and now I want to use a microservice architecture instead of a monolith. For this purpose I have the requirements to use Docker and Kubernetes. I always read articles which write that I need a Authorization Server and a Ressource Server when I want to use the JWT in a microservice architecture. Is that correct? And do I need a Gateway (e.g. Zuul) for my purpose? Can someone help me to structure the project and give advice for the technology stack. At the end the whole project will run in one single server.
I implemented a molotithical backend, secured with JWT.
Kubernetes officially supports authentication to API server within JSON Web Tokens(JWT) through OpenID Connect tool using OAuth 2.0 protocol for user request identification. However, this only represents a part of Authorization model, which determines how authenticated user can be granted with appropriate security policies or roles to manage Kubernetes cluster resources.
In order to build or migrate application to Kubernetes, you might consider to expose application outside the cluster, for that purpose Ingress proxies requests to exact service by matching request path. Actually, Ingress is a logical resource element which describes a set of rules for traffic management via Ingress Controller. Therefore, Ingress controller can play a role of API Gateway by delivering L7 network facilities like: load balancing, SSL termination and HTTP/HTTPS traffic routing for nested application services.
As you mentioned Zuul gateway can be one of the option for the edge proxying service in front of Kubernetes cluster, however I would recommend to look for some more Kubernetes oriented solutions. Istio is a good example, as it brings a wide set of network router functions with a quite simple integration into Kubernetes cluster via its core Service mesh design. Istio provides end user authentication via JWT within declared authentication policy.
Alternativelly, you can get through Nginx plus features with announced JWT authentication as well.

Authentication in Microservices with spring

I wanna refactor a monolithic spring boot application basically a web app with login and functionalities for customers. We already have a Security implementation which works with a session id stored as a cookie but I dont have much knowledge about it at all and im completetly new to this topic. It seems JWT is a better solution for Microservices because of an independent authentication service.
So my questions are:
is it alot of work to create a JWT authentication service and exchange the session id implemenation? (since im doing it for my bachelor thesis and have a clear deadline)
can I stay at the session ids while using microservices?
are there maybe other ways to implement authentication?
is it alot of work to create a JWT authentication service and exchange
the session id implemenation? (since im doing it for my bachelor
thesis and have a clear deadline)
This question is hard to answer, as it depends how tightly coupled your particular implementation is. It's certainly not trivial.
can I stay at the session ids while using microservices?
Yes, but you need to figure out how to federate sessions across the microservices (i.e. how to get the information in the session from one service to the other). Overall, this represents a risk of tight coupling between services, so I'd recommend treating this as a transitionary step only.
are there maybe other ways to implement authentication?
As many as the day is long. That being said, without specific reason to do otherwise, I generally prefer to stick to the middle of the road.
Typical user sessions is not recommended in microservices.You should use Stateless architecture and tokens (Tokens stored in database or JWT).
It's better to use Spring Boot OAuth2.
You should implement an Authorization server and Resource servers with Spring Boot.
Authorization server:
Choose the token storage method (JWT,Jdbc,...)
Configure client details
Add a RESTful Api for user info or enable /oauth/check_token api.(Called by Resource servers)
Resource servers:
Set user-info-uri or token-info-uri in Spring boot OAuth2 properties.
Extends ResourceServerConfigurerAdapter class for securing url mappings.

Where to manage session in microservices architecture with Spring Boot

I am fairly new in microservices architecture. I've been trying to build a microservices stack using Spring Boot, Spring Cloud and Netflix OSS libraries.
I want to know what is the correct way and place to store session.
Here is an overview of the infrastructure that I created:
OAuth2 backed Authorization/Authentication Server
UI Service (Spring Boot, Front end service)
Backend Service-1
Backend Service-2
Redis Server to store session and other cachable data
Discovery Server (eureka)
Currently, I'm trying to store session in Redis by configuring UI service to perform it. It seems to be working fine, although I haven't had the chance to try it for multiple service instances. However, I'm already having serialization/deserialization issues while developing.
By the way, trying to store the session on front end app is the correct place to do or it should be done in Authorization/Authentication service as authentication is processed in that service?
Here is my Session config in UI service (front end service)
#Configuration
#EnableRedisHttpSession
public class SessionConfig extends
AbstractHttpSessionApplicationInitializer {
public SessionConfig() {
super(RedisConfig.class);
}
}
To sum up, I'm expecting to achieve and use best practices on this project. Your kind assistance would be appreciated.
The idea of a general server side user session and a microservices style architecture don't go together well. The reason being that you are likely to break the separation of concern that you use separate the domain boundaries of your services.
Remember, every service is supposed to service a specific domain problem autonomously - including all required data persistence. So for example if there is anything to remember for a users connected devices you would do that in the one service that is responsible for those device connections and nowhere else. The service would be responsible for processing those request and persisting any status that the devices require. Similarly when there is anything to remember about he users authorization you would do that in the authorization service.
And regarding the question to use Redis or not - In a microservices architecture the choice of storage system would be up to the service architect. Maybe one service stores its data in a relational database, maybe another uses a key-value-store and yet another may use an event queue system or a time series database.
So in summary you have to ask yourself what your session really is used for and make the corresponding services responsible to persist that information in a domain specific way. (If you give some more details in your question about this, I can give you my opinion).

Implement security on messages passed from one micro service to other

I am having 4 different micro-services in my application. The technology stack that I am using for the development of applications is SBT stack(Scala,Akka and Play web framework). For external clients to communicate with my micro-services, I have security mechanisms such as authorization and authentication of users using Oauth protocol, White-listing Allowable Http Methods and performing input validation. However, I wanted to know 2 things
1) Is it necessary to implement security mechanisms when one microservice calls another microservice internally
2)And if required, how to implement security on messages passed from one micro service to other. Any help would be highly appreciated. Thanks in advance !!!

Resources