I wanna refactor a monolithic spring boot application basically a web app with login and functionalities for customers. We already have a Security implementation which works with a session id stored as a cookie but I dont have much knowledge about it at all and im completetly new to this topic. It seems JWT is a better solution for Microservices because of an independent authentication service.
So my questions are:
is it alot of work to create a JWT authentication service and exchange the session id implemenation? (since im doing it for my bachelor thesis and have a clear deadline)
can I stay at the session ids while using microservices?
are there maybe other ways to implement authentication?
is it alot of work to create a JWT authentication service and exchange
the session id implemenation? (since im doing it for my bachelor
thesis and have a clear deadline)
This question is hard to answer, as it depends how tightly coupled your particular implementation is. It's certainly not trivial.
can I stay at the session ids while using microservices?
Yes, but you need to figure out how to federate sessions across the microservices (i.e. how to get the information in the session from one service to the other). Overall, this represents a risk of tight coupling between services, so I'd recommend treating this as a transitionary step only.
are there maybe other ways to implement authentication?
As many as the day is long. That being said, without specific reason to do otherwise, I generally prefer to stick to the middle of the road.
Typical user sessions is not recommended in microservices.You should use Stateless architecture and tokens (Tokens stored in database or JWT).
It's better to use Spring Boot OAuth2.
You should implement an Authorization server and Resource servers with Spring Boot.
Authorization server:
Choose the token storage method (JWT,Jdbc,...)
Configure client details
Add a RESTful Api for user info or enable /oauth/check_token api.(Called by Resource servers)
Resource servers:
Set user-info-uri or token-info-uri in Spring boot OAuth2 properties.
Extends ResourceServerConfigurerAdapter class for securing url mappings.
Related
We are experiencing an issue in production which seems identical to when we restart our dev boxes and try to authenticate using the token that was generated with the previous instance of our SSO Spring Boot App and powered by Spring Authorization Server.
The error is: Wrong nonce
In production, it looks to occur when our SSO app scales up due to a user spike. We could see this happening at a point with high user activity and we would continually get logged out.
Now, of course we do not want all our active users to suddenly have invalid tokens just because a new instances of SSO is added.
This questions also relates to the currently unanswered, but much older question here: Can Spring Security OAuth2 Authorization Server scale horizontally?
Please advise. It is the number 1 most frustrating issue we are having in production right now and we are not quite sure how to proceed. We are not using any In-Memory implementations of classes.
2022-07-12 - Update: The question was asked "How are we storing the session?"
We are storing OAuth2 authorizations, authorization consents and registered clients in MongoDb.
We implemented OAuth2AuthorizationService, OAuth2AuthorizationConsentService and RegisteredClientRepository
Spring Authorization Server is built on Spring Security (see docs Overview) and does require knowledge of Spring Security (see Getting Help).
In particular, you'll want to review the Authentication chapter of Spring Security documentation. Session management falls under this topic, and if you're using (for example) form login or something similar, you'll almost certainly want to add Spring Session to your server to manage distributed sessions.
You are also likely running into an issue on the client side if you are not managing sessions in a database, so once again looking into Spring Session for the client will help alleviate issues such as the nonce error you mentioned. You will also want to look into the OAuth2 Client documentation and review the core interfaces as you will need to be storing your client authorizations in a database as well.
Steve writes a great response above already and I marked it as the answer.
To answer the title of this question:
Yes, Spring Authorization Server can easily be scaled to include multiple instances without suffering from the original misconfiguration issue we were experiencing.
Spring Authorization Server does not have any magic tools to persist a session across instances. It is reliant on session management being configured correctly. We use Spring Session backed by MongoDb for our purpose.
Session validity best practices is probably something that should be addressed and whether some of them should have the same timeout values.
Servlet session timeout
Spring Session timeout (this overrides 1 when present)
Remember me timeout
Token timeout
We are still figuring out / playing with what these values should be and have found no document or article that speak of one best way of doing things.
i have a spring boot application that provides an API consumed by a frontend app (CRUD operation). This spring boot app is based on oauth2.0 authentication standard to verify the JWT access token received in the header of each API against an authorization server. I want to provide another API to be consumed by a backend (M2M usage). This API will rely on same database (same entities) but it will be slightly different (only Read operations are allowed here and responses contain more fields). Also this new API will rely on an another authorization server to verify the JWT token.
Firstly, i was thinking to provide both API with the same spring boot application, but it looks like it will a hack to support both (for instance issuer uri of the token are diferent, port can be different, path of API are different..).
So, I'm now thinking to separate the 2 APIS into 2 different spring boot application, so that the apps are isolated by nature, but i'm not sure it's a good practice at the end? For instance, what about the concurrency issues that can occur with such design ? In the opposite, can i build easily teh 2 spring boot apps that share the same code repo (some code should be common for both apps). Those are the questions i have, so any suggestion will be appreciated.
You can try with multiple authentication providers. Example given in following -
Java Spring Security config - multiple authentication providers
I have application that I want to divide into micro-services to increase overall performance on high load. Overall structure I plan to create like this:
Web -> Authorization Server -> Eureka + Zulu -> Spring boot Micro-services
Since my previous application was monolith I used Spring boot + Spring security and had no problem while logging things like #CreatedBy #LastModifiedBy - I laso use Aspects to log every action in app and track who made the changes. Now since I don't have session across microservicies I don't know what to do - I do need to log the action owners - log who is doing what.
Can someone tell me how can I maintain the logging possibilities in my new structure. Maybe there is some ready made patters or maybe I need to make some changes in my structure?
How are you dealing with authorization? If the web component calls the authorization server with an authentication token, that token should be forwarded when calling microservices. Every microservice should be stateless (so, no session is ever stored), and that token should contain information about the user so each microservice can access it and authenticate requests.
If you could specify what you mean by Authorization Server, I'll be glad to explain in greater detail.
I'm just wrapping my head on Oauth2. I have a Spring boot app with its own users and roles system handled by Spring Security 5. Internally I use email to identify users, I want people who registered with their gmail addresses to be able to log in through Oauth2. Or, more generally, how do I make one of my users log in to my app using Oauth2? If you need code or more information just ask. Thanks in advance.
As far as I understood your question, you are looking for a general approach to authenticate users for using your Spring Boot application with the help of OAuth2 protocol.
In your case you will probably use Google as an authentication provider and your application as resource server, according to the OAuth2 standard wording. First at all to answer your general question, there are different ways of using OAuth2 to authenticate users. A good starting points are these links:
https://www.rfc-editor.org/rfc/rfc6749
https://auth0.com
To find the proper way of implementing OAuth2 for your usecase I recommend using this decision tree: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
For starting to implement OAuth2 in Spring Boot you can use several Spring Security projects with further documentation:
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html#boot-features-security-oauth2
https://docs.spring.io/spring-security-oauth2-boot/docs/current-SNAPSHOT/reference/htmlsingle/
I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization is much simpler manner.
Spring Security would require you an implementation that looks at request headers and performs the log-in operation programmatically.
Refer the accepted answer here.. I had followed the same and implemented the security layer in front of my rest services ( which were build using RestEasy )
RESTful Authentication via Spring
There is an alternate method as well..
Refer
http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable the session creation by declaring the stateless authentication in spring security, this would help you improve the performance considerably when large volume of hits are made to the state-less REST services..