Securing Microservices that use Spring Cloud & Netflix's Eureka and Feign

Question

I'm trying to figure out the best way to structure and implement microservices using Spring Cloud and Netflix's stack, specifically using Eureka and Feign. I have a few security related questions regarding each:

1. I've seen that you can configure Eureka Server with a username / password credential. This keeps out unauthorized apps, but then each app must share credentials to access Eureka. Is there a simple way to create a registry of credentials so each microservice can have it's own? (It would be sweet to hook it into Spring Security's stack -- UserDetailService and the like)

2. Once the microservices are wired up and communicating over feign, is it possible to share / pass the credentials used on an original request to additional calls that are made to other microservices? So if "Jim" requests /foos on FooService, and FooService requests /bars on BarService, BarService would know that it was Jim requesting them?

Jim > FooService > BarService - where BarService knows the request is being handled for Jim...

Answer 1

David. You may want to take a look at an article I wrote about securing spring cloud services. The spring team has largely left this topic up to the developer as it should be since security implementations vary greatly between organizations. This example uses basic auth on the eureka and config servers.

http://www.baeldung.com/spring-cloud-securing-services

Some small takeaways should be: authentication must be defined on the config and discovery servers apart from whatever other kind of authentication you have for the rest of your system. These two servers have to handle their own auth becuase they are often required to be running before an auth server can start (since it pulls it's config from config service and registers with the discovery service).

Service to service communication is a different beast. The question you have to ask yourself, like David is saying, is are you running with your services with ip security, are they running exposed to the whole web, where is authentication happening in your app. Without these questions it is hard to give specific advice.

Some general advice in this area could be:

• If your services are running behind an IP firewall you can specify a unique header that will authenticate any service coming in. In this way you don't really need to specify permissions for your internal network just identifying each service will be sufficient. You can even white list specific IP addresses to always allow.

• If you are running these services exposed to the web you may want to direct all your traffic back to your gateway (this should also be where authentication is happening for your app). If you get a 403 then you should programatically perform a login and retry the request with the session id. If you configure your system with spring-session each service will automatically pull in the authentication details of that service.

These are just two out of a whole host of possibilities. I'm not exactly sure how comfortable you are at writing these security configurations so if you want some more assistance clarify your questions down to one scenario and I will attempt to write a generic solution for your use case.