I have a misunderstanding about security in microservices in Spring Boot (and in general). I want to build a project using the Spring framework and microservices, but I am stuck in the architecture planning. How should security in microservices work at all? In my opinion, in the whole project there should be one component which all requests go through and which spreads them to the other components. What I could find is Spring Cloud Zuul, which is an API gateway for microservices, and I got the idea to make a project which is responsible for the gateway and to add security in that component as well. I mean it will be something like a project that contains the Spring Cloud Zuul, Spring Security and Spring Data JPA dependencies. What do you think, is it a good way to provide security or not? Is it possible to build something like that?
- You can add authentication in the gateway; have you looked into JSON Web Tokens? You could validate and manage the tokens at the gateway and then pass them to the individual services. – Jeff Oct 06 '17 at 18:18
- If I add the security config in the gateway component and do the validation of the user, it's not a problem, but how do I add security to methods in the other services? I mean, for example, @PreAuthorize(), @PostAuthorize(), etc. I would like to add the security config and everything related to it in only one place. I have no idea how to do this. I don't want to duplicate the Security Config in all services – Dave Oct 06 '17 at 19:52
3 Answers
In the project I was involved in, we used security at a couple of different levels:
- Security at individual route level in Zuul.
- Security at each internal service.
Here is the flowchart for the security model used in our Spring Cloud project:
- When Zuul receives a request, it checks if a route exists for the request.
- If a route exists, it checks whether the route is secured, based on custom configuration.
- If the route is secured, it authenticates the request.
- Once the request is authenticated at Zuul, Zuul again checks whether the internal service to which the request is to be routed is secured, based on configuration.
- If the internal service is secured, it creates a new Authentication header based on the user credentials (stored in the custom configuration) before routing the request to the internal service.
- Once the internal service receives the request from Zuul, it checks whether the request needs to be authenticated.
- Once authenticated, it processes the request and sends the response back.

Indra Basak
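One way to implement the flow described in this answer, written here as an added example and not code from the answer's author or from Spring Cloud: a Zuul "pre" filter that looks up per-route security settings from configuration, validates the external caller's bearer JWT, and, when the target service is itself secured, replaces the Authorization header with the gateway's own credentials for that service before routing. The `gateway.security` property prefix (e.g. `gateway.security.jwt-secret`, `gateway.security.routes.orders.secured=true`, `gateway.security.routes.orders.service-secured=true`, `gateway.security.routes.orders.service-user`, `...service-password`), the `RouteSecurity` shape, the choice of a bearer JWT for callers and HTTP Basic for the gateway-to-service hop, and the `X-Authenticated-User` header are all assumptions of this example; the Zuul, Spring Boot and jjwt calls are those libraries' real APIs.

```java
package example.gateway;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
import org.springframework.stereotype.Component;

// Example filter (not from the original answer). Bound from "gateway.security.*" properties,
// an assumed prefix; the RouteSecurity shape below is likewise an assumption of this example.
@Component
@ConfigurationProperties("gateway.security")
public class RouteSecurityFilter extends ZuulFilter {

    public static class RouteSecurity {
        private boolean secured;         // must the external caller present a valid JWT?
        private boolean serviceSecured;  // does the internal service itself demand credentials?
        private String serviceUser;      // gateway-to-service credentials kept in config, per route
        private String servicePassword;
        public boolean isSecured() { return secured; }
        public void setSecured(boolean v) { secured = v; }
        public boolean isServiceSecured() { return serviceSecured; }
        public void setServiceSecured(boolean v) { serviceSecured = v; }
        public String getServiceUser() { return serviceUser; }
        public void setServiceUser(String v) { serviceUser = v; }
        public String getServicePassword() { return servicePassword; }
        public void setServicePassword(String v) { servicePassword = v; }
    }

    private final Map<String, RouteSecurity> routes = new HashMap<>(); // keyed by Zuul route id
    private String jwtSecret;                                           // HMAC key shared with the token issuer
    public Map<String, RouteSecurity> getRoutes() { return routes; }
    public void setJwtSecret(String v) { jwtSecret = v; }

    @Override public String filterType() { return FilterConstants.PRE_TYPE; }
    // Run right after PreDecorationFilter, which stores the matched route id under PROXY_KEY.
    @Override public int filterOrder() { return FilterConstants.PRE_DECORATION_FILTER_ORDER + 1; }

    // Steps 1-2: only act when a route was matched and our configuration marks it as secured.
    @Override public boolean shouldFilter() {
        RouteSecurity rs = routeSecurity(RequestContext.getCurrentContext());
        return rs != null && rs.isSecured();
    }

    @Override public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest req = ctx.getRequest();
        RouteSecurity rs = routeSecurity(ctx);

        // Step 3: authenticate the external caller; a bearer JWT is the assumed token format.
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            return reject(ctx, "missing bearer token");
        }
        Claims claims;
        try {
            claims = Jwts.parser()
                    .setSigningKey(jwtSecret.getBytes(StandardCharsets.UTF_8))
                    .parseClaimsJws(header.substring("Bearer ".length()))
                    .getBody();                       // throws if the signature or expiry is bad
        } catch (JwtException e) {
            return reject(ctx, "invalid token");
        }

        // Steps 4-5: if the internal service is itself secured, swap in the gateway's own
        // credentials for that service (Basic auth here) and forward the verified identity.
        if (rs.isServiceSecured()) {
            String userPass = rs.getServiceUser() + ":" + rs.getServicePassword();
            String basic = Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
            ctx.addZuulRequestHeader("Authorization", "Basic " + basic);
        }
        ctx.addZuulRequestHeader("X-Authenticated-User", claims.getSubject()); // assumed header name
        return null;
    }

    private RouteSecurity routeSecurity(RequestContext ctx) {
        Object routeId = ctx.get(FilterConstants.PROXY_KEY);
        return routeId == null ? null : routes.get(routeId.toString());
    }

    private Object reject(RequestContext ctx, String reason) {
        ctx.setSendZuulResponse(false);   // stop here; nothing is routed downstream
        ctx.setResponseStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
        ctx.setResponseBody("{\"error\":\"" + reason + "\"}");
        return null;
    }
}
```

Two points worth checking in such a setup. First, Spring Cloud Zuul's default `zuul.sensitiveHeaders` (Cookie, Set-Cookie, Authorization) already strips the caller's own Authorization header before proxying, so only the header set by the filter reaches the service; headers added with `addZuulRequestHeader` are not subject to that stripping. Second, the service must treat `X-Authenticated-User` as trustworthy only on requests that authenticated with the gateway's credentials, and only if clients cannot reach the service directly, which is the network-level restriction the other answer on this page points to.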
I think the answer here might help you. They are talking about using a firewall to limit the access from the outbound IP and only allowing the Zuul gateway to access all the microservices:
Don't allow direct calls to Microservices. Only allow through API Gateway

Chi Dov
I think you can consider using OAuth. It uses JWT (JSON Web Token), which is a token passed along with every request/response. You can find detailed information here: https://nordicapis.com/api-security-oauth-openid-connect-depth/

Demon
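Following this answer's model (the JWT travels with every request to each service) and the asker's comment about wanting @PreAuthorize in every service without copying the security configuration around, here is an added example that is not from the answer's author or from Spring: one filter plus one configuration class, packaged as a shared library and auto-registered in every service, after which method security annotations work unchanged. The `security.jwt.secret` property, the `roles` claim and the `ROLE_` prefix convention, the package names and `OrderService` are assumptions of this example; for the token to reach the services, Zuul must be told to forward Authorization (e.g. `zuul.sensitiveHeaders=Cookie,Set-Cookie`, dropping it from the default list).

```java
// --- shared library: example/common/security/JwtAuthenticationFilter.java ---
package example.common.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Verifies the forwarded bearer JWT and turns its claims into a Spring Security Authentication. */
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final byte[] key;
    public JwtAuthenticationFilter(String secret) {
        this.key = secret.getBytes(StandardCharsets.UTF_8); // HMAC key shared with the token issuer
    }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Claims claims = Jwts.parser().setSigningKey(key)
                        .parseClaimsJws(header.substring("Bearer ".length()))
                        .getBody();                                  // rejects bad signature or expired token
                List<String> roles = claims.get("roles", List.class);  // assumed claim, e.g. ["ADMIN"]
                List<GrantedAuthority> authorities = new ArrayList<>();
                if (roles != null) {
                    for (String r : roles) authorities.add(new SimpleGrantedAuthority("ROLE_" + r));
                }
                // Three-arg constructor marks the token authenticated; the JWT subject becomes the principal.
                SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities));
            } catch (JwtException e) {
                SecurityContextHolder.clearContext(); // invalid token: stay anonymous, config below rejects
            }
        }
        chain.doFilter(req, res);
    }
}

// --- shared library: example/common/security/SharedResourceServerConfig.java ---
// Picked up by every service that adds the library, via META-INF/spring.factories:
//   org.springframework.boot.autoconfigure.EnableAutoConfiguration=example.common.security.SharedResourceServerConfig
package example.common.security;

import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize in every service
public class SharedResourceServerConfig extends WebSecurityConfigurerAdapter {
    @Value("${security.jwt.secret}") // assumed property name; the same key the issuer signs with
    private String secret;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().anyRequest().authenticated().and()
            .exceptionHandling().authenticationEntryPoint(
                (req, res, ex) -> res.sendError(HttpServletResponse.SC_UNAUTHORIZED)).and()
            .addFilterBefore(new JwtAuthenticationFilter(secret), UsernamePasswordAuthenticationFilter.class);
    }
}

// --- any microservice: example/orders/OrderService.java (nothing security-specific to configure) ---
package example.orders;

import java.util.Collections;
import java.util.List;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class OrderService {
    @PreAuthorize("hasRole('ADMIN')")                // authority ROLE_ADMIN derived from the "roles" claim
    public void cancelAll() { }

    @PreAuthorize("#owner == authentication.name")   // only the token subject may read their own orders
    public List<String> ordersFor(String owner) { return Collections.singletonList("order-1"); }
}
```

The design choice here is that the gateway and every service share one signing key and each service verifies the token itself, so a request that somehow reaches a service without passing through Zuul still gets checked; this is what lets the Zuul-side check be an optimisation and the network restriction from the other answer a second layer rather than the only line of defence. Trading the shared HMAC secret for an asymmetric key (services hold only the public key) removes the need to distribute a secret that can mint tokens to every service.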