5

I have two Spring Boot web applications. Both applications have different databases and different sets of users. Also, both applications use Spring Security for authentication and authorisation which works properly.

At any given point I will have one instance of the first application running and multiple instances of the 2nd web application running.

I want to expose REST APIs from 1st web application (one instance running) and be able to use that REST APIs from 2nd web application (multiple instances running).

How do I make sure that REST APIs can be accessed securely with proper authentication and by instances of the 2nd applications only.

Improve this question
3
  • 1
    Show us your Spring Security configurations for both applications. Commented Mar 20, 2017 at 5:27
  • 1
    Can you clarify what you want to achieve ? "I want to expose REST APIs from 1st web application (one instance running) and be able to use that REST APIs from 2nd web application (multiple instances running)." doesn't make sense. Commented Mar 20, 2017 at 14:45
  • So, basically I will have first web application deployed on a single server (i.e. tomcat). It will have some REST API's. I will have 2nd web application also deployed on another web server. Now, this 2nd web application is basically a client application. So, if there are many clients, each client will have its own war for 2nd application running in a separate tomcat. Hence, the multiple instances of the 2nd application. Now, I want to be able to access REST Api's from 1st web application from the all the 2nd client applications with proper security and authorization. Commented Mar 21, 2017 at 4:01

3 Answers 3

Reset to default
3
+50

If you could change your security, I would recommend you to use OAUTH2. Basically it generates a token that is used in your APP2 instances to make the API calls. You can see more here.

https://spring.io/guides/tutorials/spring-boot-oauth2/

http://websystique.com/spring-security/secure-spring-rest-api-using-oauth2/

But if you can't change your APP's security, you can continue using your current schema. In the APP1 you can create an user for the API calls, this user only has access to the API services. In your APP2 you need to store the credentials to access the APP1. Finally you do login into APP1 and invoke the API using HTTP client, you can use Spring RestTemplate or Apache HttpComponents Client.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

SSL based authentication could be an option, if you seriously thinking about the security aspects.

Assume that you REST api exposed by App 1 is over HTTPs, then you can configure the App 1 to ask the client to give their SSL/TLS certificate when they try to access this REST API (exposed by App 1).

This will help us identify that the client is indeed a client from app 2.

Two More Cents:
In case if your App 1 REST API calls needs load balancing, NGINX should be your chose. The SSL client certificate based authentication can be offloaded to NGINX and Your Spring boot app no more worry about the SSL related configurations.

Improve this answer

Comments

0

The solution we went with was to secure both using an OAuth2 client_credentials workflow. That is the OAuth2 flow where clients request a token on behalf of themselves, not a calling User.

Check out Spring Cloud Security

1) Secure your services using @EnableResourceServer

@SpringBootApplication
@EnableResourceServer
public class Application ...

2) Make calls from one service to another using an OAuth2RestTemplate

Check out Resource Server Token Relay in http://cloud.spring.io/spring-cloud-security/spring-cloud-security.html which will specify how to configure an Oauth2RestTemplate to forward on security context details (token) from one service to another.

3) Service A and Service B should be able to communicate using these techniques if they are configured using the same Oauth2 Client and Secret. This will be configured in the applications' application.properties file, hopefully injected by the environment. Oauth2 Scopes can be used as role identifiers. You could therefore say that only a Client with Scopes (api-read, api-write) should have access to Endpoint A in Service A. This is configurable using Spring Security's Authorization configuration as well as @EnableGlobalMethodSecurity

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.