I have a misunderstanding of security in microservices in Spring Boot (and in general). I want to build a project using the Spring framework and microservices, but in the architecture planning I am stuck. How should security in microservices work at all? In my opinion, every project should have one component that all requests go through and which spreads them to the other components. What I could find is Spring Cloud Zuul, which is an API gateway for microservices, and I got the idea to make a project that is responsible for the gateway and to add security in that component as well. I mean it will be something like a project that contains the Spring Cloud Zuul, Spring Security and Spring Data JPA dependencies. What do you think, is this a good way to provide security or not? Is it possible to build something like that?
In the project I was involved in, we used security at a couple of different levels:
Security at the individual route level in Zuul.
Security at each internal service.
Here is the flowchart for the security model used in our Spring Cloud project:
When Zuul receives a request, it checks if a route exists for the request.
If a route exists, it checks whether the route is secured, based on custom configuration.
If the route is secured, it authenticates the request.
Once the request is authenticated at Zuul, Zuul again checks whether the internal service to which the request is to be routed is secured, based on configuration.
If the internal service is secured, it creates a new Authentication header based on the user credentials (stored in the custom configuration) before routing the request to the internal service.
Once the internal service receives the request from Zuul, it checks whether the request needs to be authenticated.
Once authenticated, it processes the request and sends the response back.
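The gateway-side half of that flow (steps "is the target service secured?" and "swap in the gateway's own credential before routing"), as an added Zuul pre-filter that is not part of the original answer. The route ids, the credential map and the X-Authenticated-User header are assumptions; in a real deployment the credentials would come from a secrets store.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

@Component
public class InternalServiceAuthFilter extends ZuulFilter {

    // Hypothetical configuration: route id -> "user:password" the gateway uses for that
    // internal service. Only routes listed here are treated as secured internal services.
    private final Map<String, String> internalCredentials = Map.of(
            "orders", "gateway:orders-service-secret",
            "inventory", "gateway:inventory-service-secret");

    @Override public String filterType() { return FilterConstants.PRE_TYPE; }

    // Run after PreDecorationFilter so the route id ("proxy" key) is already resolved.
    @Override public int filterOrder() { return FilterConstants.PRE_DECORATION_FILTER_ORDER + 1; }

    @Override
    public boolean shouldFilter() {
        String routeId = (String) RequestContext.getCurrentContext().get(FilterConstants.PROXY_KEY);
        return routeId != null && internalCredentials.containsKey(routeId);
    }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            // Not authenticated at the gateway: do not route, answer 401 instead.
            ctx.setSendZuulResponse(false);
            ctx.setResponseStatusCode(401);
            return null;
        }
        String routeId = (String) ctx.get(FilterConstants.PROXY_KEY);
        String basic = Base64.getEncoder().encodeToString(
                internalCredentials.get(routeId).getBytes(StandardCharsets.UTF_8));
        // Zuul drops the caller's Authorization header by default (sensitive header);
        // the gateway presents its own service credential and forwards the principal name.
        ctx.addZuulRequestHeader("Authorization", "Basic " + basic);
        ctx.addZuulRequestHeader("X-Authenticated-User", auth.getName());
        return null;
    }
}
```

The internal service still has to validate the Basic credential itself; the forwarded X-Authenticated-User header is only trustworthy if, as the next answer suggests, nothing but the gateway can reach the service.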
I think the answer here might help you; they are talking about using a firewall to limit access from outbound IPs and only allowing the Zuul gateway to access all the microservices.
Don't allow direct calls to microservices. Only allow them through the API gateway.
I think you can consider using OAuth.
It uses JWT (JSON Web Token), which is a token passed along with every request/response.
You can find detailed information here: https://nordicapis.com/api-security-oauth-openid-connect-depth/
Related
I want to use Crnk Client 3.4 to consume a JSON:API endpoint that is secured with OAuth2. I am using a client_credentials grant and Spring Security OAuth2 (with Boot) to configure the credentials.
Since the Spring team has decided to try to force everyone onto reactive WebClient, there is no out-of-the-box RestTemplate interceptor that can retrieve an access token from Spring Security OAuth2, which suggests that I'll have to do some level of integration on my own.
Is there a best practice for supplying an access token to a CrnkClient instance? The documentation mentions SecurityModule in passing, but it doesn't seem that it actually supports adding credentials. I could write a module, but it appears that to add headers I want to implement HttpAdapterListener, and modules don't provide a mechanism to register them; instead they have HttpRequestProcessor, which is not used at all by the client.
I can see two possible clean integration options; is either of these recommended or discouraged?
Write the missing ClientHttpRequestInterceptor to integrate Spring Security OAuth2. Create a RestTemplate in a bean method using RestTemplateBuilder and add the OAuth2 interceptor. Call crnkClient.setHttpAdapter(new RestTemplateAdapter(interceptedRt)).
Write a Crnk Module implementing HttpAdapterAware that is a Spring bean and contributes an HttpAdapterListener that retrieves the access token and calls HttpAdapterRequest#header.
Small question on how to create a traceID, but when the app is not Spring-based, please.
My application is the first, the initiator of an HTTP call. Therefore, the app can be considered a client.
The destinations, the servers, are all Spring Boot / Spring Cloud based web applications. I would like to emphasize that while the servers are Spring-based, I, the client, am not a Spring Boot app.
While my app is a non-Spring app, I do use the Spring WebFlux WebClient in order to create the HTTP requests to those servers. To emphasize, it is not because I use the Spring WebFlux WebClient that the app becomes a Spring app!
Since I am the first in the call chain, I would like to create some kind of traceID, so that the subsequent services will carry the traceID I created.
I am puzzled as to what should come inside this piece of code that I tried:
final var response = webClient.post()
        .uri("http://some-third-party-api.com/someroute")
        .header("X-B3-TraceId", "How to create a traceID?")
        .body(BodyInserters.fromValue(payload))
        .retrieve()
        .bodyToMono(String.class)
        .block();
Therefore, I would like to ask: being the first, the HTTP call initiator, using a Spring WebFlux WebClient but in a non-Spring app, how do I create those traceIDs so that the subsequent services get the one that I created?
By default Sleuth uses OpenZipkin's tracing library called Brave. If your application is Java-based, you can use Brave; if not, you can find official implementations for other platforms in the OpenZipkin org, or official and non-official ones at https://zipkin.io/pages/tracers_instrumentation.html
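If you would rather not pull in Brave for a single outbound call, the ids can be generated by hand in the B3 header format that Sleuth/Brave reads downstream (16 or 32 lower-case hex characters for the trace id, 16 for the span id). The following is an added example, not code from the question or answer; the placeholder URL is the one from the question and the request body is constructed.

```java
import java.security.SecureRandom;
import org.springframework.web.reactive.function.client.BodyInserters;
import org.springframework.web.reactive.function.client.WebClient;

public final class B3Ids {
    private static final SecureRandom RNG = new SecureRandom();

    public final String traceId; // 128-bit trace id, 32 hex chars
    public final String spanId;  // 64-bit span id, 16 hex chars

    private B3Ids(String traceId, String spanId) { this.traceId = traceId; this.spanId = spanId; }

    /** Root ids for a brand-new trace; all-zero ids are treated as invalid by tracers, so avoid them. */
    public static B3Ids newTrace() {
        return new B3Ids(hex64(nonZeroLong()) + hex64(nonZeroLong()), hex64(nonZeroLong()));
    }

    private static long nonZeroLong() {
        long v;
        do { v = RNG.nextLong(); } while (v == 0L);
        return v;
    }

    // %016x renders a negative long as its unsigned two's-complement value, zero-padded to 16 digits.
    private static String hex64(long v) { return String.format("%016x", v); }

    /** Sanity check a trace id before sending it (useful when ids come from config or another system). */
    public static boolean isValidTraceId(String s) {
        return s != null && s.matches("[0-9a-f]{16}|[0-9a-f]{32}");
    }

    public static void main(String[] args) {
        B3Ids ids = B3Ids.newTrace();
        String payload = "{\"hello\":\"world\"}"; // constructed sample body
        String response = WebClient.create().post()
                .uri("http://some-third-party-api.com/someroute")
                .header("X-B3-TraceId", ids.traceId) // the id every downstream hop will carry
                .header("X-B3-SpanId", ids.spanId)   // this client's own span
                .header("X-B3-Sampled", "1")         // ask downstream services to report their spans
                .body(BodyInserters.fromValue(payload))
                .retrieve().bodyToMono(String.class).block();
        System.out.println("trace " + ids.traceId + " -> " + response);
    }
}
```

Downstream Sleuth-instrumented services will continue the trace under ids.traceId and treat ids.spanId as the parent of their own spans; the client's span itself is not reported to Zipkin unless you also send it yourself.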
I am working on an application architecture which will have an independent UI layer (HTML5 and Angular2) and service layer (Spring Boot project). Both will be hosted on independent servers. The UI layer will fetch data from the DB using REST calls. I have a few queries.
1. I am building my UI with Angular2, which basically runs on Node.js. How can I integrate Spring Security using LDAP?
2. How can I make REST calls to my service, which is hosted on a different server?
3. How do I solve the issue of authentication/authorization with the REST service using Spring Security?
Looking forward to your responses.
Thanks,
Avinash
How can I integrate Spring Security using LDAP?
Use the Spring Security LDAP module to wire up the security services of your backend. Secure the URIs and that is all that you require.
Spring LDAP Guide
Spring LDAP Reference
How can I make REST calls to my service, which is hosted on a different server?
I presume that you will have the backend on a server and that there is connectivity between your Node.js server and the backend server. Use the hostname and port if you want things to be simple. Please allow CORS on your backend server, either programmatically or by using a proxy server such as nginx.
How do I solve the issue of authentication/authorization with the REST service using Spring Security?
Spring Security will enable endpoints for authentication and authorization. Your Angular application should ideally check for authentication at the start of every request, and when there is a (401) authentication failure, redirect to a login controller. Keep the default route of the Angular application pointing to the login controller too.
I am starting a new Spring project where I am planning to use SSO. I have read the blogs and have come to know that Spring Security SAML will be the best solution for the SP.
So I have implemented the Spring Security SAML sample application provided by the Spring site https://github.com/SpringSource/spring-security-saml as the SP, along with the Shibboleth IdP.
The IdP connects to an LDAP server. I am able to execute the Spring Security sample application.
I am confused about how I can use this Spring Security SAML extension along with multiple Spring projects.
Any example link or suggestions on architecting the Spring SAML project integration with multiple Spring MVC applications will be helpful.
Provided your REST APIs are only called by the web application which is deployed together with them (in a single war and therefore sharing the same HTTP session) you can use Spring SAML + Spring Security to secure them.
Spring SAML will be used to authenticate the users against a remote IDP and populate their entitlements (granted authorities); Spring Security can then be used to define security policies for the APIs called from the UI.
In case you want to be able to call the REST APIs from remote clients, you may want to look into the Spring Security OAuth project, as this is no longer about web single sign-on.
It is possible to create a central installation of Spring SAML which handles all SSO logic. Of course you will need to implement a mechanism in which Spring SAML relays information about the authenticated user and her attributes to your other applications, and do so in a secure way. One possible way to approach it (provided the applications are deployed on the same domain and therefore can share cookies) is to:
after authentication in Spring SAML, set a shared cookie which is visible to all the other applications and which is e.g. signed by Spring SAML's key or encrypted using a shared key; the cookie should also contain the user's attributes
this can be done in a custom AuthenticationSuccessHandler, which is subsequently expected to redirect the user to the correct application (e.g. based on some custom logic or relay state)
the target application needs to verify the cookie (by checking the signature or decrypting it using a shared key, possibly performing other checks), parse the attributes and start its own session which is pre-authenticated based on the content of the cookie
All of this can be done with implementations of standard interfaces of Spring Security and Spring SAML. But it's not a trivial task, mainly considering that any security vulnerability in your implementation might compromise the security of your applications.
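The "signed shared cookie" step above, issued by the central SAML application and verified by each target application, as an added example (not code from the answer or from Spring SAML). It assumes an HMAC key shared by the applications and a constructed payload format of user, attributes and expiry; the verifier uses a constant-time comparison and rejects expired or malformed cookies.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

public final class SignedSsoCookie {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    /** Central app: build "base64url(user|attributes|expiresAt).base64url(hmac)" after SAML login. */
    public static String issue(byte[] key, String user, String attributes, long expiresAtEpochSec) {
        String payload = user + "|" + attributes + "|" + expiresAtEpochSec;
        String body = ENC.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return body + "." + ENC.encodeToString(hmac(key, body));
    }

    /** Target app: returns {user, attributes, expiresAt} only if the MAC is valid and not expired. */
    public static Optional<String[]> verify(byte[] key, String cookie, long nowEpochSec) {
        int dot = cookie.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String body = cookie.substring(0, dot);
        byte[] given;
        String[] parts;
        try {
            given = DEC.decode(cookie.substring(dot + 1));
            parts = new String(DEC.decode(body), StandardCharsets.UTF_8).split("\\|", -1);
            if (parts.length != 3 || Long.parseLong(parts[2]) < nowEpochSec) return Optional.empty();
        } catch (IllegalArgumentException e) {   // bad base64 or non-numeric expiry
            return Optional.empty();
        }
        // Constant-time compare so a forged cookie cannot be refined byte by byte via timing.
        if (!MessageDigest.isEqual(hmac(key, body), given)) return Optional.empty();
        return Optional.of(parts);
    }

    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Set the cookie with the Secure and HttpOnly flags and scope it to the shared parent domain only; the signature protects integrity, not confidentiality, so encrypt instead of signing if the attributes themselves are sensitive.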
Starting a new project to create a RESTful web service that requires callers to be authenticated by Kerberos (Active Directory).
The web service will be hosted by Tomcat and I was planning to use JAX-RS with JAAS, but I'm not finding much information on this. Does anyone have information or experience on getting this to work?
Should I be looking at Spring and Spring Security instead?
Apache provides good documentation for using JAX-RS with Kerberos. Here is the link:
http://cxf.apache.org/docs/jaxrs-kerberos.html
I have the same issue. I googled extensively and did not find a good answer.
The problem is that the issue has several layers, and most answers point to (usually vague) solutions for only one layer.
And there is not a single complete and clear example of the end-to-end solution.
LAYERS
1. Client call to the REST service using Kerberos / Windows logged-in credentials.
Answers usually show how to use Kerberos to authenticate but fail to say how to use it to pass the logged-in credentials to the REST service.
Both the Spring REST client functionality and native Java seem capable of doing this, but it is not clear how.
2. Processing by the REST service of the authentication request from the client that is authenticating via Windows/Kerberos.
The Spring REST service functionality appears to be the easiest way to implement it, but again it is not clear how to tell the REST service to expect that authentication method.
3. Either forwarding the client's Kerberos credentials to whatever resource the REST service is trying to access, or getting a success/failure and then having the REST service use Kerberos / Windows authentication itself (different credentials from the client's) to access a resource.
I hope this clarification of the issue helps in producing a good answer.
In Kerberos there are two server URLs involved: the authentication server and the ticketing server. If you go to the browser console, under the ticketing server response parameters you can see a cookie that you can utilise to authenticate your REST API by passing it as a request parameter.
That's the only solution to authenticate your REST API.