
I have to build an application using a microservice architecture. I divided the whole system into multiple components, and each component represents a Spring Boot project. There are several Spring Boot projects, around 6. I have used the Eureka server to register all the services for load balancing. A separate Spring Boot project has been developed for the web portal, and that application contains authentication and authorization with Spring Security and the JWT protocol. Now I have 7 projects including the web portal, and each project has controller classes under the controller's package.

Now I need to know the following things:

  1. SignUp and SignIn requests come to the web portal, and after signing a JWT token is generated and sent to the client, but the authorization part is only available in the SecurityConfig class on the web portal. So should I send all the requests from the client to a component through the web portal each and every time after being authenticated?

         Client ----------------> Web Portal ------------------>Service/Component
    

I need to know: can I send a request to another component/service directly, like below?

                  username + password
   Client --------------------------------------->  Web Portal

                     JWT token
   Client <-------------------------------------- Web Portal
            
                    JWT token
   Client ------------------------------------------> Service/Component

1 Answer


Likely yes, because the JWT is something available with the user, and every time he sends a request the token shall be validated by the issuer, or in cases when we blacklist some tokens, those requests shall not be processed directly.

In microservices, the API gateways take care of these things, and after checking for roles and permissions, the gateway forwards the request to the respective microservice based on the incoming route or URI, which is then mapped to the URI of the backend service registered in the Eureka server.


3 Comments

Should I implement a Zuul server as an API gateway with the security configuration and register it with the Eureka server, or can I implement the security configuration in the Eureka server directly?
It actually depends on the infrastructure setup. When all of your microservices are publicly reachable and in theory can be called directly, they need to validate the correctness of the user authentication and authorization on their own when requests are hitting an endpoint. For validating the correct signature of a JWT, the services would need to know the public key of the key-pair that was used to sign the tokens. Another approach is to not make the services publicly reachable and use an API gateway as central entrypoint which also verifies the authentication/authorization correctness.
The basic idea is that generally we won't be looking to distribute the responsibility of authentication and authorization to each of the services; without loss of generality, the API gateways are supposed to take care of this, and yes, you can go by implementing Zuul as a gateway.
