1

I have a requirement to secure rest endpoints exposed by spring cloud functions hosted on azure. We want to use spring security to authenticate and authorize the call but I am unable to do it. The same code works on springboot application but does not have any effect on spring cloud functions.

So breaking down my question into smaller chunks

  1. Does spring cloud functions support spring security?
  2. If yes, how can this be achieved.
  3. If no, what should be the approach to achieve this?

2 Answers

2
  1. Doubt... Spring Security is quite a heavy mechanism which requires either some in-memory storage (sessions, user credentials, etc.) or a connection with a storage solution (e.g. a db) or auth server. All of these implementations would be quite out of the scope for a simple function. Theoretically, it is possible but highly inefficient.
  2. -
  3. I'm guessing that you have some sort of API gateway in front of those functions. A common pattern is to intercept all the calls in that gateway, authenticate and authorize them (either calling a service or using an in-built auth mechanism, depending on your requirements) and then forward them to your spring cloud functions, which can be called only from inside your network (by the API gateway).
BogdanSucaciu
  • Thank you Bogdan, I liked your idea of having authentication and authorization on gateway level, but right now we don't have gateway in use. I might have to do it in my function app right now :( – Anshul Dhyani Jul 23 '19 at 17:03
-1

If you have a controller with your API, you can implement OAuth2 with Spring Security, where it provides a token to protect your URLs.

Tutorials:
https://dzone.com/articles/securing-rest-services-with-oauth2-in-springboot-1
https://medium.com/google-cloud/understanding-oauth2-and-building-a-basic-authorization-server-of-your-own-a-beginners-guide-cf7451a16f66

If you need help configuring all types of clients, just comment below and I'll do my best to give you the right answer.

Goran Gajic
  • Hi Goran, thank you for the help. I am working on spring cloud function and it does not have anything annotated as a controller, but it does expose the functions the same way as springboot exposes controllers; that's why I thought to try spring security. But I think both have different ways of implementation, so I cannot use it in the same way. – Anshul Dhyani Jul 23 '19 at 17:12
  • But with spring security you need only the url, not the controller. If you look at the implementation of the configuration of WebSecurityConfigurerAdapter and ResourceConfigurationAdapter, you have to match the path with the clientId given from the oAuth token stored in memory. So I think you need only a url; if you don't have that, I think you should write yourself an algorithm to create and store a token, nothing impossible to do. – Goran Gajic Jul 24 '19 at 13:19
  • I have urls, but I think because it's a function app, by default the function app or functions do not have the same entrypoint as a web application. Hence when I add WebSecurityConfigurerAdapter to my function app, it does not do anything. The request still goes directly to my function logic. It would be great if I could use WebSecurityConfigAdapter even for my functions. – Anshul Dhyani Jul 24 '19 at 15:45
  • My mistake, it's not only a url, but a path (done with requestMapping) that even an application can use (all this is on the server side, so only the APIs are exposed and the security is not even visible to angular or other front end languages). I don't think that it will be different if it were on an application or web application; it works only with the path of the api (@RequestMapping(path="your path")). You know you need an authorizationServer, ResourceServer, WebServerConfiguration and an oauthController (this just to revoke the token). – Goran Gajic Jul 24 '19 at 15:57
  • In spring cloud, we don't have any classic controller/@RequestMapping kind of thing that we were familiar with in spring boot. Though spring uses the same under the covers, it is not accessible to developers. Typically developers provide the Function and spring exposes them as rest endpoints (using the cloud-function-web dependency). Please have a look at https://docs.spring.io/spring-cloud-function/docs/3.1.0-M2/reference/html/spring-cloud-function.html#_getting_started – Abhishek Chatterjee Aug 11 '20 at 09:16
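
Added example, not code from any answer or comment above: one way to authenticate and authorize inside the function app when there is no gateway and the `WebSecurityConfigurerAdapter` has no effect, by calling Spring Security's JWT decoder directly from the Azure Functions HTTP handler. It assumes the `spring-security-oauth2-jose` and `azure-functions-java-library` dependencies; the issuer, JWKS URI, scope name, `scp` claim and the `orders` function name are placeholders.

```java
import com.microsoft.azure.functions.*;
import com.microsoft.azure.functions.annotation.*;
import org.springframework.security.oauth2.jwt.*;
import java.util.*;

public class SecuredHandler {
    // Placeholder values (assumptions): use your identity provider's issuer and key set.
    private static final String ISSUER = "https://idp.example.invalid/tenant-id/v2.0";
    private static final String JWKS_URI = ISSUER + "/keys";
    private static final String REQUIRED_SCOPE = "orders.read";
    // Built once per worker; keys are fetched from JWKS_URI on first use.
    private static final JwtDecoder DECODER = buildDecoder();

    private static JwtDecoder buildDecoder() {
        NimbusJwtDecoder d = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();
        // The decoder verifies the signature; this adds timestamp and issuer checks.
        d.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return d;
    }

    /** Returns the validated token, or empty if missing, invalid or lacking the scope. */
    static Optional<Jwt> authorize(Map<String, String> headers) {
        String auth = headers.entrySet().stream()
            .filter(e -> "authorization".equalsIgnoreCase(e.getKey()))
            .map(Map.Entry::getValue).findFirst().orElse("");
        if (!auth.regionMatches(true, 0, "Bearer ", 0, 7)) return Optional.empty();
        try {
            Jwt jwt = DECODER.decode(auth.substring(7).trim());
            // Assumed claim layout: space-delimited scopes in "scp".
            String scope = jwt.getClaimAsString("scp");
            boolean ok = scope != null && Arrays.asList(scope.split(" ")).contains(REQUIRED_SCOPE);
            return ok ? Optional.of(jwt) : Optional.empty();
        } catch (JwtException e) {
            return Optional.empty(); // bad signature, expired, wrong issuer, malformed
        }
    }

    @FunctionName("orders")
    public HttpResponseMessage run(
            @HttpTrigger(name = "req", methods = {HttpMethod.GET},
                         authLevel = AuthorizationLevel.ANONYMOUS) // the bearer token is the gate
            HttpRequestMessage<Optional<String>> req, ExecutionContext ctx) {
        Optional<Jwt> jwt = authorize(req.getHeaders());
        if (!jwt.isPresent()) {
            return req.createResponseBuilder(HttpStatus.UNAUTHORIZED)
                      .header("WWW-Authenticate", "Bearer").build();
        }
        // Token accepted: invoke the Spring Cloud Function for this route from here.
        return req.createResponseBuilder(HttpStatus.OK).body("hello " + jwt.get().getSubject()).build();
    }
}
```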