I am building a middle tier which will consume information from multiple downstream systems. The ask is to talk to them over 1 way SSL. I looked up samples but this concept is a bit if a mystery to me. Please help.
The question is too vague IMHO, I'll try to provide general insights
The answer may vary depending on the actual requirements in your organization security department and your actual spring boot configuration.
Spring Boot is a Java framework that usually allows the deployment architecture with an embedded tomcat, jetty or undertow servers that serve Http endpoints exposed by Spring MVC or without an embedded server at all (usually for legacy deployments)
If you in a "legacy" mode (build a WAR) - then HTTPs configuration should be done on the actual server and not in spring boot application.
If you use an embedded server, then the actual technical solution can actually depend on the server you use underneath, at least to some extent.
Indeed like Steffen Ullrich has stated in the comment section, there are many examples of doing this.
For example, take a look at This one
If you want to redirect HTTP requests to HTTPs you should configure your server to do so, and this solution is Tomcat specific.
Another thing to consider is whether you want to use SSL at the level of spring boot at all. Maybe you're running under the gateway / some kind of proxy. In this case, it can make sense to use https for accessing the proxy from outside, but from a proxy to java application you could use HTTP.
I know I'm just speculating about this solution, I've just decided to mention it because in my experience there are many organizations that work like this.
In addition, since spring boot is used for microservice development, the chances are that you have many spring boot artifacts that somehow "talk" to each other, so maybe running HTTPs between them is redundant.
Related
I followed this documentation for Archaius and some other online articles. However, presumably, each service should have Archaius or configuration related codes/dependencies(-jars) to load configuration values. My concern is that if a change is required in loading configuration, then each service has to be reloaded/redeployed.
Q1. Can anyone let me know how to keep a centralized Archaius configuration service so that client services pull configurations.
On the contrary, Spring Cloud Config server does that job - all configurations are in one place. But I feel that it lacks loading configurations from a custom resource - data loads from a database as Archaius provides, for example.
Q2. Is there a work around to make Config Server loads configurations from Archaius ?
For Q1, you should look at the 2.x branch of Archaius, specifically https://github.com/Netflix/archaius/blob/2.x/archaius2-persisted2/src/main/java/com/netflix/archaius/persisted2/Persisted2ConfigProvider.java. This is configured to make a rest call to some service which will front your Config. At Netflix, we have a rest service backed by Cassandra. Naturally, you can back that with whatever you would like. But fair warning, this Archaius setup was made for Guice and requires a bit of manual setup. It is not quite as seamless as you might expect if you've been working with Spring Boot/Cloud starters for example.
For Q2, Spring Cloud Config does indeed support loading data from a DB. Also, in my experience with the Spring products, they are almost always quite easy to extend to your own purposes if you'd like to do something more custom.
General suggestion: If you have no other need/use of Archaius aside from remote config and you are a Spring user, I'd suggest just going with Spring Cloud. It would be far easier to configure and probably serve your requirements just fine.
Archaius provides a way to deal with reading dynamically changing Config with minimal performance impact. If you're not in Spring, or happen to need fast access to dynamic properties, consider Archaius.
Is Spring cloud config server an example of sidecar application for microservices?
Do you mean if the Spring Cloud Config Server itself is what the Spring Cloud documentation labels as Sidecar? Then no, as far as I know it is just a plain, regular Spring Boot app.
A Sidecar as referred to in Polyglot support with Sidecar is a Spring Boot application that acts as a bridge between your service infrastructure and a service that is not written in a JVM language. Apps written in Python, Go, Ruby, C#, NodeJS, Erlang or really any other language that can bind something to a port come to mind.
The benefits of the Sidecar are, that your Non-JVM apps
service discovery become automatically discoverable through Eureka, which means that JVM services can resolve the host:port/<service-id> of the Non-JVM apps as well as the other way around,
monitoring are monitorable through the same health-endpoints-infrastructure that is available in Spring Boot (Actuator), i.e. by manually providing the health endpoint in the Non-JVM app Eureka knows when the Non-JVM service is down
routing/proxying query the services by either manually looking up their hosts/ports or proxying these requests through Zuul, which in turn resolves their current addresses through Eureka
balancing be load balanced by Ribbon and
configuration may consume configuration properties provided via Spring Cloud Config.
I hope this answer addresses your question, if not (or someone finds it to be inaccurate or misleading) just let me know and I delete it to make room for something more suitable. ;-)
We're using the Camunda RestAPI to communicate with the camunda-engine in the backend, so far so good, but we haven't been able to enable the Camunda authentication service so that users/rolls can only instanciate/claim/complete/see (when requesting via http) the tasks and processes which are assigned to them or their groups.
We're also using the spring boot implementation of the configuration, we have tried several things, but non has work so far as anyone can do anything and it's not even asking for credentials, so I was thinking I may be doing something wrong considering how complicated it has been.
So the question is, what are the standard steps we need to take to make these services work?
Thanks in advance.
Camunda is running bundled with a Tomcat server which allows LDAP, so one way might be to let your Tomcat do the permission management. In other words, you might limit the user access via the hosting web server.
Based on an answer from #andy-wilkinson to a past Spring Boot question, it appears that with the exception of a couple parameters (port for example), the management server leverages the same configuration as the regular servlet container.
I would like to configure the main Spring Boot server to use HTTPS (for the application/service it is serving) and to use just HTTP for the actuator endpoints. Has anyone done this? Is this even possible?
-Joshua
It's not possible at the moment. Please open an issue if it's an enhancement that you'd like to see.
If I have multiple Spring Boot embedded tomcat containers and each can have service endpoints like
http://localhost:8080/employeeSelfService/getDetails
http://localhost:8081/employeeSelfService/getDetails
How can do load balancing using 2 micro services such that clients can hit any of the URL's mentioned based on some load balancing startegy
One option thats come to my mind is to use NetFlix Curator (or) have a apache webserver acting as reverse proxy but with apache, when you create new instances of your services, you will have have an entry of that service as a member in httpd.conf
Does Spring Boot provides any service discovery and load balancing mechanism ?
Spring Boot does not provide this feature, as it is already usually provided by a reverse proxy such as apache/nginx running in front of the Spring Boot server.
See here for an example here how the commercial version of nginx provides the functionality of dynamically scaling and reducing the upstream nodes.
So in this case it's for the dynamic instance, in this case the Spring Boot process to signal it's presence/unregister itself to the upstream server at initialization/shutdown.
See here how to do so in the case of nginx, this procedure will be different from server to server.
Arguably it's not really an application's role to manage its own load-balancing, and Spring Boot focuses on the implementation of an application (or service, equivalently). We have been thinking about whether we could provide features in Spring (Boot or otherwise) to make it easy to write your own load-balancer, or service registry app, but even then I don't think that was what the question was really about (or was it?).
If I interpret the question, and the example use case, literally, I would say that the most natural answer is an out-of-the-box reverse proxy solution (as the other answers pointed out). I also note that such a reverse proxy is an essential and natural part of a PaaS solution, so if you need it to "just work" and don't want to know about the details, PaaS would be a natural path (e.g. see cloudfoundry as an example of such a solution that I happen to have worked on).
Indeed Spring Boot has not inherit support for load-balancing. Just to add to the list of available solutions for load-balancing, here are the instructions to configure an Apache for load-balancing.