I am having 4 different micro-services in my application. The technology stack that I am using for the development of applications is SBT stack(Scala,Akka and Play web framework). For external clients to communicate with my micro-services, I have security mechanisms such as authorization and authentication of users using Oauth protocol, White-listing Allowable Http Methods and performing input validation. However, I wanted to know 2 things
1) Is it necessary to implement security mechanisms when one microservice calls another microservice internally
2)And if required, how to implement security on messages passed from one micro service to other. Any help would be highly appreciated. Thanks in advance !!!
Related
I'm quite a newbie to microservices architecture. I'm referring to one of my clients projects with microservice architecture. It has one of the service as Notification
Order ->(talks to)-> Notification client(as a lib) -> calls api from - > Notification service.
I don't really understand the purpose of having a client in between, where in it has a few exceptions handled for hitting the api. I understand, microservices communicate via api gateway but I feel Notification Client is just an addon. I tried to figure out the terminology used for this kind of implementation but in vain.
Please help me understand this use case.
It may feel that the client is redundant if Order service is the only microservice that is consuming the APIs. But considering the notification service is getting used by a few more microservices having a notification client as a lib makes sense. The reason is,
The client lib will wrap all the API calls and their implementation
so that other services can simply call it just like a method.
Other services don't have to write REST client for notification service when it wants to
make use of the APIs.
Same client lib can be shared by other microservices without actually
writing code to call the APIs.
Any changes/fixes made to the notification service can be cascaded to other services by simply changing the version of the client lib.
i have a spring boot application that provides an API consumed by a frontend app (CRUD operation). This spring boot app is based on oauth2.0 authentication standard to verify the JWT access token received in the header of each API against an authorization server. I want to provide another API to be consumed by a backend (M2M usage). This API will rely on same database (same entities) but it will be slightly different (only Read operations are allowed here and responses contain more fields). Also this new API will rely on an another authorization server to verify the JWT token.
Firstly, i was thinking to provide both API with the same spring boot application, but it looks like it will a hack to support both (for instance issuer uri of the token are diferent, port can be different, path of API are different..).
So, I'm now thinking to separate the 2 APIS into 2 different spring boot application, so that the apps are isolated by nature, but i'm not sure it's a good practice at the end? For instance, what about the concurrency issues that can occur with such design ? In the opposite, can i build easily teh 2 spring boot apps that share the same code repo (some code should be common for both apps). Those are the questions i have, so any suggestion will be appreciated.
You can try with multiple authentication providers. Example given in following -
Java Spring Security config - multiple authentication providers
Currently in developer training, I am working on a personal project on spring. I started java 6 months ago, so there is a certain notion that I do not yet master. My trainer does not know spring at all, so he cannot help me.
I am also French and there is very little reliable documentation on spring (it is evolving quickly).
For example, I followed a French tutorial on microservices, and I used the ribbon and zuul proxy while they are currently in maintenance at spring. I started all over (new project) to recode in reactive webflux
I have several concerning spring starter security or spring cloud security
Spring cloud config (in connection with gitlab)
eureka server
admin server
gateway
2 business microservices
2 sub-module (model and repository)
I want all my microservices and the internal microservices (eureka, admin server, configserver) to be secure now. But I do not know how.
I want the microservice that consults config-server to identify themselves, and I also want the microservice gateway to identify itself to make requests to other microservices. Finally I want all my microservices to be protected.
Should we put spring-starter-security in microservice? Should we create a new microservice with spring-cloug-security?
Should we create a new spring-cloud-security microservice and add spring-start-security everywhere?
https://cloud.spring.io/spring-cloud-security/2.2.x/reference/html/ Obviously I find this link not very explanatory
Thank you
In a microservice architecture that I have worked, we have always used the OAUTH2 specification for securing service.
OAuth2 is a token-based security framework that allows a user to authenticate themselves with a third-party authentication server. If the user successfully authenticates, they will be presented with a token that must be sent with every request. The token can then be validated back to the OAuth2 Server. The OAuth2 Server is the intermediary between the application and the services being consumed. The OAuth2 Server allows the user to authenticate themselves without having to pass their user credentials down to every service the application is going to call on behalf of the user.
Detail information for OAuth2 you can find in the following LINK .
I have implemented simple microservice architecture for demonstrating how services are connected with each other.
Here is the link LINK
Below is the image representing the architecture:
I wanna refactor a monolithic spring boot application basically a web app with login and functionalities for customers. We already have a Security implementation which works with a session id stored as a cookie but I dont have much knowledge about it at all and im completetly new to this topic. It seems JWT is a better solution for Microservices because of an independent authentication service.
So my questions are:
is it alot of work to create a JWT authentication service and exchange the session id implemenation? (since im doing it for my bachelor thesis and have a clear deadline)
can I stay at the session ids while using microservices?
are there maybe other ways to implement authentication?
is it alot of work to create a JWT authentication service and exchange
the session id implemenation? (since im doing it for my bachelor
thesis and have a clear deadline)
This question is hard to answer, as it depends how tightly coupled your particular implementation is. It's certainly not trivial.
can I stay at the session ids while using microservices?
Yes, but you need to figure out how to federate sessions across the microservices (i.e. how to get the information in the session from one service to the other). Overall, this represents a risk of tight coupling between services, so I'd recommend treating this as a transitionary step only.
are there maybe other ways to implement authentication?
As many as the day is long. That being said, without specific reason to do otherwise, I generally prefer to stick to the middle of the road.
Typical user sessions is not recommended in microservices.You should use Stateless architecture and tokens (Tokens stored in database or JWT).
It's better to use Spring Boot OAuth2.
You should implement an Authorization server and Resource servers with Spring Boot.
Authorization server:
Choose the token storage method (JWT,Jdbc,...)
Configure client details
Add a RESTful Api for user info or enable /oauth/check_token api.(Called by Resource servers)
Resource servers:
Set user-info-uri or token-info-uri in Spring boot OAuth2 properties.
Extends ResourceServerConfigurerAdapter class for securing url mappings.
I need to use activemq to communicate between micro-service and the system has access control to limit the user action. I already check the user from restful endpoint by spring security. After authentication, I send message to queue. Do I need to verify the user again? If yes, how can I pass the user credential by activemq.
If it is microservices architecture already. And as what you said you have an authentication/Authorization micro-service then there is no point duplicating the checks all over again.
The best approach is to let the Gateway-Service do the authentication/authorization thing.
Usually it is bound to the Zuul implementing service. So that all calls to specific service URL got intercepted by that gateway and apply whatever security policies you have