Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Security issue in microservices with Spring Boot

Tags:

java

spring-mvc

spring

spring-cloud

spring-security

I have misunderstanding security in microservices in spring boot (and general). I want to build a project using Spring framework and microservices but in architecture planning I stuck. How should be security in microservices at all? In my opinion that in all project should be one component which all request go throw the component and spread to other components. What I could find it's Spring Cloud Zuul which is api gateway in microservices and I got idea to make a project which is response for gateway and add security in the component as well. I mean it will be something like a project that contains Spring Cloud Zuul, Spring Security, Spring Data JPA dependencies. How do you think is it good way to provide a security or not? Is it possible to build something like that?

like image 428
Dave Avatar asked Jan 04 '23 08:01

Dave

2 Answers

In the project I was involved, we used security at a couple of different levels:

  • Security at individual route level in Zuul.
  • Security at each internal service

Here is the flowchart for the security model used in our Spring Cloud project,

  1. When Zuul receives a request, it checks if a route exists for the request.
  2. If a route exists, checks if the route is secured based on custom configuration.
  3. If the route is secured, authenticates the request.
  4. Once the request is authenticated at Zuul, Zuul again checks if the internal service, to which request is to be routed, is secured based on configuration.
  5. If the internal service is secured, creates a new Authentication header based on the user credentials (stored in the custom configuration) before routing the service to the internal service.
  6. Once the internal service receives the request from Zuul, it checks if the request needs to be authenticated.
  7. Once authenticated, processes the request and sends the response back.
like image 187
Indra Basak Avatar answered Jan 06 '23 01:01

Indra Basak

I think the answer here might help you, they are talking about using firewall to limit the access from the outbound IP and only allow zuul gateway to access all microservice.

Don't allow direct calls to Microservices. Only allow through API Gateway

like image 39
Chi Dov Avatar answered Jan 06 '23 02:01

Chi Dov
Sign in to Comment

Related questions

Throw java exception and stops
Spring Boot Connect to mysql docker
The easiest way to configure Embedded MongoDB
missing javadoc detail in intelliJ
How to submit multiple jars to workers through sparkSession?
Can I store instance of an object in a javaFX node?
Aligning JLabel to Left or Right inside BoxLayout with Y_AXIS Constraint of JPanel
Project is missing required library - but correct JAR exists?
spring rest return multipart/form-data with application/json content-type
How to redirect user to login screen, If an ajax call is received after session timeout
Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.5.1:compile (default-compile) on project
What is a GoAway Frame in Http2 and how is it linked to Redirects?
Define constructor for this enum for the list in JAVA?
JavaFX Pagination button sizes and style
Why is the EJB bean method not detected if it is package private?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!