0

Currently in developer training, I am working on a personal project on Spring. I started Java 6 months ago, so there are certain notions that I have not yet mastered. My trainer does not know Spring at all, so he cannot help me. I am also French and there is very little reliable documentation on Spring (it is evolving quickly). For example, I followed a French tutorial on microservices, and I used Ribbon and the Zuul proxy while they are currently in maintenance at Spring. I started all over (new project) to recode in reactive WebFlux.

I have several concerning spring starter security or spring cloud security

  • Spring cloud config (in connection with gitlab)
  • eureka server
  • admin server
  • gateway
  • 2 business microservices
  • 2 sub-modules (model and repository)

I want all my microservices and the internal microservices (eureka, admin server, configserver) to be secure now. But I do not know how.

I want the microservices that consult config-server to identify themselves, and I also want the gateway microservice to identify itself to make requests to other microservices. Finally, I want all my microservices to be protected.

Should we put spring-starter-security in the microservices? Should we create a new microservice with spring-cloud-security? Should we create a new spring-cloud-security microservice and add spring-starter-security everywhere?

https://cloud.spring.io/spring-cloud-security/2.2.x/reference/html/ Obviously, I find this link not very explanatory.

Thank you

1 Answer

0

In a microservice architecture that I have worked on, we have always used the OAuth2 specification for securing services.

OAuth2 is a token-based security framework that allows a user to authenticate themselves with a third-party authentication server. If the user successfully authenticates, they will be presented with a token that must be sent with every request. The token can then be validated back to the OAuth2 Server. The OAuth2 Server is the intermediary between the application and the services being consumed. The OAuth2 Server allows the user to authenticate themselves without having to pass their user credentials down to every service the application is going to call on behalf of the user.

Detailed information on OAuth2 can be found in the following LINK.

I have implemented a simple microservice architecture for demonstrating how services are connected with each other.

Here is the link: LINK

Below is the image representing the architecture: [image]

Rando Shtishi
  • Thank you, I look quietly and I come back to you if I have any questions, thank you endlessly – Olivier4477 Jul 17 '20 at 15:03
  • I watch whenever I have time, because right now I'm learning hash, 'salt and pepper' (I don't know how to say it in English). However, the identification, if I want to secure the microservice config server, is it the same principle as employee and department? How did you make your scheme? – Olivier4477 Jul 20 '20 at 07:54
  • In this example, we deploy the microservice, we should have restricted all inbound port traffic so that only port 5555 is open to the public. The services of payroll application can only be accessed by Zuul Gateway Server. All the servers, including your Configuration server, won’t be publicly accessible to the outside world. – Rando Shtishi Jul 27 '20 at 14:00
  • er ... is port 5555 restricted at the server level? or microservice gateway? you have an example? – Olivier4477 Jul 28 '20 at 13:07
  • In my example for deploying the microservices, I have created a Linux virtual machine where I have placed all the jars of services (Configuration Server, Eureka Server, Gateway Server, OAuth2 Server, Employee and Department services). Also, I have already installed Kafka, Redis, ELK and Zipkin. Then I have closed inbound access of all ports except port 5555 of the gateway server. So the user cannot access the configuration information because the port is blocked. In real life, you would dockerize these applications and deploy them in Amazon ECS. – Rando Shtishi Jul 28 '20 at 13:59
  • ok thank you. we only saw the deployment on the server on Monday – Olivier4477 Jul 29 '20 at 13:34
  • You are welcome. You would help me by marking this answer as accepted and giving a thumbs up if this answer has been helpful to you. – Rando Shtishi Jul 29 '20 at 13:37
  • how did you make your microservice diagram? (with what software?) – Olivier4477 Jul 29 '20 at 14:23
  • I used Lucidchart, it is an online tool, https://www.lucidchart.com/ – Rando Shtishi Jul 29 '20 at 14:24
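
As an added example (not code from the answer or its linked demo), this is one way a reactive WebFlux service could enforce the flow the answer describes: every request must carry a bearer token, and the service validates that token back to the OAuth2 server through its introspection endpoint. It assumes Spring Security 5.2+ with `spring-boot-starter-webflux` and `spring-boot-starter-oauth2-resource-server`; the package, class name and `auth.*` property names are hypothetical.

```java
package com.example.security; // hypothetical package name

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Assumption: on Spring Security 5.x, opaque-token introspection also needs
// the com.nimbusds:oauth2-oidc-sdk dependency on the classpath.
@Configuration
@EnableWebFluxSecurity
public class ResourceServerSecurityConfig {

    @Bean
    SecurityWebFilterChain securityFilterChain(
            ServerHttpSecurity http,
            // Hypothetical property names; supply them from the config server
            // or environment variables, never from source control.
            @Value("${auth.introspection-uri}") String introspectionUri,
            @Value("${auth.client-id}") String clientId,
            @Value("${auth.client-secret}") String clientSecret) {
        return http
            .authorizeExchange(exchanges -> exchanges
                // Only the liveness probe is reachable without a token.
                .pathMatchers("/actuator/health").permitAll()
                // Everything else, including other actuator endpoints,
                // requires a token the OAuth2 server reports as active.
                .anyExchange().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                // The service never sees user credentials: it forwards the
                // bearer token to the introspection endpoint and
                // authenticates that call with its own client credentials.
                .opaqueToken(token -> token
                    .introspectionUri(introspectionUri)
                    .introspectionClientCredentials(clientId, clientSecret)))
            .build();
    }
}
```

Placed in each business service, this check applies to calls arriving from inside the network as well, so it complements the port restriction discussed in the comments.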