I am trying out JHipster based on the supported Microservice architecture. I have created a Registry, Gateway, and a Microservice (based on JWT authentication) as described in documentation and everything works. However I am not sure why a Gateway in JHispter need to have a database. Questions that are still unanswered for me:
1- Why does a Gateway need a database? In which scenarios would you create a Gateway with/without a database?
2- Do the Gateway and Microservice use the same database? Or should they use separate database instances?
Ok, I did a bit more research on JHipster-Gateway and the inner workings of it. Below is a summary, related to my question:
1- A Gateway using a JWT or Oauth2 type only needs a database if the User related entities and backend code are also generated in the Gateway codebase. This is the case for a default JHipster Gateway, but does not have to be like this. As indicated in JHipster documentation a JHipster Gateway is actually a monolithic application and can be used as a monolithic application:
You will have the choice either to generate an new entity normally (a gateway is also a standard JHipster application, so this would work like for a monolith application), or use an existing JHipster configuration from a microservice.
When you create a JHipster Gateway, it creates the User entity related backend in Gateway codebase as default. But you can choose to have all the Backend code (including User) be placed/generated in Microservice codebase.
In such case there is no need of a database in JHipster Gateway application. Gateway working purely as a gateway to pass requests to microservices only needs to have the /api configurations properly set.
In the default case of a JHipster Gateway the User entity backend code is also generated in Gateway part, that is the reason why a database is needed. But you can move the backend code to Microservice and replace it by a proper /api configuration.
1) A gateway using JWT or OAuth2 auth types need a database to store users and their account details. A gateway using UAA auth type does not need a database, because the UAA microservice handles users and authentication.
2) Gateways and microservices should use their own database instances. You can use the same database instance in dev, but in prod each should have their own.
You can generate a docker-compose or kubernetes config for your gateway/microservices with the JHipster subgenerators, and in the generated YML files you will see each app has its own database instance.
Related
Currently in developer training, I am working on a personal project on spring. I started java 6 months ago, so there is a certain notion that I do not yet master. My trainer does not know spring at all, so he cannot help me.
I am also French and there is very little reliable documentation on spring (it is evolving quickly).
For example, I followed a French tutorial on microservices, and I used the ribbon and zuul proxy while they are currently in maintenance at spring. I started all over (new project) to recode in reactive webflux
I have several concerning spring starter security or spring cloud security
Spring cloud config (in connection with gitlab)
eureka server
admin server
gateway
2 business microservices
2 sub-module (model and repository)
I want all my microservices and the internal microservices (eureka, admin server, configserver) to be secure now. But I do not know how.
I want the microservice that consults config-server to identify themselves, and I also want the microservice gateway to identify itself to make requests to other microservices. Finally I want all my microservices to be protected.
Should we put spring-starter-security in microservice? Should we create a new microservice with spring-cloug-security?
Should we create a new spring-cloud-security microservice and add spring-start-security everywhere?
https://cloud.spring.io/spring-cloud-security/2.2.x/reference/html/ Obviously I find this link not very explanatory
Thank you
In a microservice architecture that I have worked, we have always used the OAUTH2 specification for securing service.
OAuth2 is a token-based security framework that allows a user to authenticate themselves with a third-party authentication server. If the user successfully authenticates, they will be presented with a token that must be sent with every request. The token can then be validated back to the OAuth2 Server. The OAuth2 Server is the intermediary between the application and the services being consumed. The OAuth2 Server allows the user to authenticate themselves without having to pass their user credentials down to every service the application is going to call on behalf of the user.
Detail information for OAuth2 you can find in the following LINK .
I have implemented simple microservice architecture for demonstrating how services are connected with each other.
Here is the link LINK
Below is the image representing the architecture:
is possible create authorization server for PKCE authentication in current version of spring security?
I did research and I found out this authorization server project https://github.com/spring-projects-experimental/spring-authorization-server but there is no usable sample for that project.
I also find out that spring recommends Keycloak as authorization server, but it is not fit for my case.
We need be able fetch and verify user against remote service, and then use authorization server only for generating and verifying jwt tokens. In my knowledge Keycloak should holds also users right? So the best solution would be custom spring standalone authorization server. Is it possible in some way? Thank you!
You may have a look to this project: CloudFoundry User Account and Authentication (UAA) Server.
UAA is a (Spring MVC) component of Cloud Foundry but it could be used as a stand alone OAuth2 server. It can support external authentication service. And there is a Pull Request that implements PKCE: https://github.com/cloudfoundry/uaa/pull/939 (not yet merged, but under review).
You can find an example on how to use UAA on baeldung.com.
As far as I know, Spring framework has one more implementation of the authorization server. It is a part of spring-security-oauth project. But this project was moved into maintenance mode.
According to this migration guide, the new authorization server project (that you have already found) will be created to change the legacy solution.
From my point of view now there are several possible options:
Using old legacy spring-security-oauth. More examples with old auth server
Using external services like Keycloak, Auth0, Okta and etc
microservices architecture
I have a micro service(userservice:user related microservice) but in Zuul API gateway application i want to authenticate requests for all microservices and use spring security. I have to create signin and signup requests(AuthController) in Zuul application which require datasources,userRepository all things in zuul application.
If i use userservice(microservice user related)for other user related requests then i have use same datasource and create duplicate beans and repository for same data source which i already created in zuul api gateway application ?
I don't feel it would be a good design to authenticate usenames and passwords at gateway level. Instead what you can do is, you can add JWT tokens which can validate the request itself in zuul filters. This can be one level of verification at gateway level.
Second, you can implement caching at api level which would significantly increase the throughput of your backend security api.
I implemented a Spring backend which is responsible to store different data (users, lectures, ...). This backend is secured with a JWT and everything is working fine. For my studies I want to enhance the backend and now I want to use a microservice architecture instead of a monolith. For this purpose I have the requirements to use Docker and Kubernetes. I always read articles which write that I need a Authorization Server and a Ressource Server when I want to use the JWT in a microservice architecture. Is that correct? And do I need a Gateway (e.g. Zuul) for my purpose? Can someone help me to structure the project and give advice for the technology stack. At the end the whole project will run in one single server.
I implemented a molotithical backend, secured with JWT.
Kubernetes officially supports authentication to API server within JSON Web Tokens(JWT) through OpenID Connect tool using OAuth 2.0 protocol for user request identification. However, this only represents a part of Authorization model, which determines how authenticated user can be granted with appropriate security policies or roles to manage Kubernetes cluster resources.
In order to build or migrate application to Kubernetes, you might consider to expose application outside the cluster, for that purpose Ingress proxies requests to exact service by matching request path. Actually, Ingress is a logical resource element which describes a set of rules for traffic management via Ingress Controller. Therefore, Ingress controller can play a role of API Gateway by delivering L7 network facilities like: load balancing, SSL termination and HTTP/HTTPS traffic routing for nested application services.
As you mentioned Zuul gateway can be one of the option for the edge proxying service in front of Kubernetes cluster, however I would recommend to look for some more Kubernetes oriented solutions. Istio is a good example, as it brings a wide set of network router functions with a quite simple integration into Kubernetes cluster via its core Service mesh design. Istio provides end user authentication via JWT within declared authentication policy.
Alternativelly, you can get through Nginx plus features with announced JWT authentication as well.
I am trying to build a simple application with microservices architecture.
Below are the details about 3 microservices I have created.
1] Customer.
database: mongodb
server : embeded tomcat server.
port : 8081
2] vendor.
database: mongodb
server : embeded tomcat server.
port : 8082
3] product.
database: mongodb
server : embeded tomcat server.
port : 8083
All the 3 micros runs on an embeded tomcat server.
Now I want to create a common gateway for all these micros [API gateway].
which help me to route my request based on the request I get for example:-
for example if I get a request of http://hostname:port_of_gateway/customer.
on reading this I need to route the request tom my customer micro and fetch its response and send it back to client.
Which of the spring tool I can use to achieve this?
Because your requirements are quite simple you can implement such a gateway by yourself. Here's an example.
But if you really want to use some Spring solution you can try to use Spring Cloud Netflix which is a part of Spring Cloud umbrella project. It includes router and filter features which in turn based on Netflix Zuul gateway service.
Note that this is not a complete standalone application but a library. Therefore you still should create another microservice that would act as API gateway in your application. To make it a gateway you should just add #EnableZuulProxy annotation to the same class that has #SrpingBootApplication annotation. You can find a very good example here.
Please also note that you should somehow inform the gateway about your microservices' addresses for redirection. It can be done in two general ways:
By statically defining the addresses in gateway microservice's configuration;
By applying service discovery pattern in conjunction with e.g. Netflix Eureka service registry.
The 1st approach is easy and straightforward but is not very well for large number of microservices and/or when microservices' locations can change dynamically (e.g. due to auto-scaling).
The 2nd approach requires additional component - service registry - and needs modification of other microservices (to let them register themselves in the registry). This is quite more complicated approach but is the only possible in case of complex architecture. Simple yet expressive example can be found in the same article.
UPDATE (January'19)
As of December 2018 the Spring Cloud team announced that almost all Netflix components in Spring Cloud (except Eureka) entered maintenance mode. It means that for the next year they won't receive any feature updates (only bugs and security fixes).
There are replacements for all the affected components, including Netflix Zuul aforementioned above. So please consider using Spring Cloud Gateway instead of it in new projects.