I have a springboot application with 4 microservices, eureka server and a centralised API gateway. I have performed authentication using jwt token at api gateway and now i want to implement role based security on methods which are present in microservices other than gateway. I have tried to use #PreAuthorize but its not working out of the gateway. Is there any solution to achieve this type of security ?
Related
I am unable to implement spring security with jwt role based authorization in spring cloud gateway. Is it possible or I have to implement spring security in every microservice ?
I have multiple Spring boot micro-services deployed to kubernetes. Im also using Spring Gateway & Eureka Discovery.
Those micro-services are secured with Spring Security and require JWT token for access to the endpoints. Im using #PreAuthorize methods etc.
It all works fine when I'm accessing those endpoints from frontend application that is sending JWT token in request,
but, I can't bypass that security in service-to-service communication via FeignClient.
Ideally, my micro-services wouldn't need token at all to call other micro-service's methods via FeignClient. But I still need that security when endpoints are accessed from frontend or when requests are coming from Spring Api Gateway.
Do you know some elegant solution to this problem?
I was thinking about adding another pair of endpoints that don't have security annotations (#PreAuthorize) and somehow disable access to those endpoints on Spring Api Gateway, so they cannot be accessed from outside, but only directlly by one of the micro-services.
I have the below microservice architecture(spring boot ,java). I want to implement OAUTH2 JWT security at ZUUL gateway only and not replicate the security code in microservices .
let say Microservice 1 has rest end point http://localhost:8080/microservice-1/get/person then i should not have any security code in Microservice 1 but still at the same time no one should be able to access the Microservice 1 rest end point directly without passing JWT tokens but it should only be accessible via ZUUL.
You can use WebSecurityConfigurerAdapter class in your Zuul gateway and configure the security for each route.
This is an excellent example for you
https://medium.com/#bharatrajmeriyala/spring-cloud-security-with-netflix-zuul-2ef04a1dcfb
I'm developing a back-end with microservices architecture. I'm new about that architecture and for now I have developed 3 microservices (RESTful web services, with Spring Boot) each in a container.
I want to implement OAuth2 and JWT Rest Protection and a gateway.
Is it correct to implement a gateway with Authorization Server and Resource Server?
Am I doing something wrong about the architecture?
Thanks for the replies
As per the standard, should not mix gateway with authorization because both the purposes are different.
Gateway
Gateway can be differentiated in two ways - Internal and External. Purpose of gateway is to route the call from external or internal to the protected resource.
Authorization Server
Authorization server comes into the picture for identity access management. All the request coming from external or internal via gateway should be authenticated or authorized before routing call to the protected resource with JWT or access token etc.
https://medium.com/swlh/authentication-and-authorization-in-microservices-how-to-implement-it-5d01ed683d6f
Authentication and Authorization - There should be a separate service that authentication the user (like supporting OAuth0 type of protocol and providing JWT Token). Your frontend should call API Gateway.
Now question comes at what granular level you are maintaining permissions - Only small set of roles or granular level of permission set. Now API Gateway should communicate with Authorization server with JWT and get the set of roles and permission. Based on the same, API gateway should forward or block the call to Microservice.
Even if you have small set of roles and JWT can be extracted and validated by Gateway but avoid to keep the same at Gateway as there are chances that you have to extract the functionality to some other service in near future.
microservices architecture
I have a micro service(userservice:user related microservice) but in Zuul API gateway application i want to authenticate requests for all microservices and use spring security. I have to create signin and signup requests(AuthController) in Zuul application which require datasources,userRepository all things in zuul application.
If i use userservice(microservice user related)for other user related requests then i have use same datasource and create duplicate beans and repository for same data source which i already created in zuul api gateway application ?
I don't feel it would be a good design to authenticate usenames and passwords at gateway level. Instead what you can do is, you can add JWT tokens which can validate the request itself in zuul filters. This can be one level of verification at gateway level.
Second, you can implement caching at api level which would significantly increase the throughput of your backend security api.