Spring Cloud API Gateway | JWT Security | Pass UserDetails to Microservices | JavaTechie
- added on 28 Apr 2023
- In this tutorial, we will understand how to pass the authenticated user's information from Spring Cloud API Gateway to the other microservices.
#javatechie #microservice #security #jwt
Spring Boot microservice premium course launched with 70% off 🚀 🚀
Hurry up & register today!
COURSE LINK : javatechie5246...
PROMO CODE : JAVATECHIE50
Join this channel to get access to perks:
www.youtube.co...
Microservices Security Using JWT | Spring Cloud Gateway
• Microservices Security...
GitHub:
github.com/Jav...
Blogs:
/ javatechie
Facebook:
/ javatechie
Guys, if you like this video please subscribe and press the bell icon so you don't miss any update from Java Techie.
Disclaimer/Policy:
--------------------------------
Note: All content uploaded to this channel is mine and is not copied from any community;
you are free to use the source code from the above-mentioned GitHub account.
Great content. It would also be great to see how to integrate this authentication with a frontend, I mean, for example, how to handle login. And also how to handle "log once".
I appreciate the content and the architecture. Thank you for the video. For better scalability, separation of concerns and security enforcement, I think you can totally separate the gateway from the authentication by making the authentication service an independent microservice.
Yes, that's what we need: to play with identity services from the gateway.
@Javatechie please make this
Thank you so much for adding this requested content.
Thanks to you for adding this. How do you configure the CORS origin configuration in the api-gateway and the auth microservice?
Is this an excellent idea? Pouring all the security logic into the gateway, which is the busiest service, routing the messages, can cause potential bottlenecks for the entire service, and it leaves all the sub-microservices open, as if naked. The main job of a gateway is routing the messages to the proper microservice. You could implement basic token validation here, since it will cut down all unnecessary burdens at the earliest point, but the security filter in the gateway shouldn't be as heavy as this.
Hi, can you please make a video on how to integrate both OAuth2 and JWT in a single application?
Okay, I will.
@Javatechie sir, have you created the video on OAuth2 and JWT in a single application?
Thanks a lot, very informative. However, I was wondering: if the restaurant API had been using role-based control, how would you pass the user role so that the endpoint only honors the request if the user has the right permission?
Maybe you could pass this in the same manner that the user name was sent? Add a header "userRoles" with the role as the value in the gateway.
Hi Techie, I really love your content. Requesting you to make a series on code review; it will be helpful for everyone.
Yes, it's in my queue, buddy; soon I will do that.
Hi, which video has the API Gateway details? Not sure I understand AbstractGatewayFilterFactory.
Hi @JavaTechie,
Can you please make a video explaining how to prevent direct calls to microservices (we should access the microservices only through the API gateway), and role-based authorization, in continuation of the Spring Cloud API Gateway | JWT Security video?
Yes, interesting. I will give it a try.
@Javatechie Thank you. Can we have a video in continuation to this video ASAP?
You could make a video on decentralizing permissions. For example, if the user does not have permission to access service A, it will be denied.
This is awesome
What are the industry best practices? Are details passed through the header or the request body?
Yes, we can pass them as part of the header, not an issue; it won't be visible to outside calls. The request body needs to be used when we have to pass multiple fields or an object.
Hi sir, can you please make a video on role-based Spring Boot microservices security?
How does role-based authorisation happen with this architecture? Please make a video on it. How will any REST endpoint give access only to admin or a role?
Is it considered bad practice to set the Authentication in the SecurityContextHolder in the API gateway to make it accessible from a controller in another service?
No, not at all.
Very good tutorial, but I have a question. The services are secure if we access them from the API gateway, but there is no security when we try to access the service directly (without using the API gateway endpoint). My question: is there any way to make the services accessible only from the API gateway and not directly? Thank you.
That is why we are using a gateway, to make a single entry point to our application; so if you don't expose the microservice endpoints then the user won't access them.
Thank you for your fast response. Forgive me, I am new to this microservices thing. I just learned that when we are already at the deployment phase, we can make the service accessible only by the API gateway and block any other request that's not from the API gateway.
Good tutorial and a very helpful person, thank you very much.
awesome
We have Zuul proxy and Spring Boot 2.1.x and implemented a ResourceServerConfigurerAdapter. Now we are upgrading to Spring Boot 3.2.0 and Cloud Gateway. What is the equivalent implementation for ResourceServerConfigurerAdapter?
Hi Brother,
I guess we need not do that, because when the request is forwarded the SecurityContextHolder object already has the user details in it. After learning from your previous video I implemented the same architecture and tried it.
Yes, that's correct, but in each microservice I shouldn't add the security dependency just to fetch the user info.
@Javatechie Yes indeed. Thanks for all your tutorials; you have no idea how much they have helped me build my career.
Glad to hear this, Akshay. Keep learning 😃
Awesome Javatechie, can you implement OAuth2 in the API gateway?
I have checked in the gateway; it's not possible to use the RouteValidator class with "/auth/**", it's not working. Would you like to find out the solution?
Hi, I'm curious to know about your Mac experience. Is it good for development? Which MacBook are you using, please? Is it worth buying? Planning to buy but not sure about the performance!! Thanks.
Mac for development is superb and can't be compared with any other OS. Without a second thought, go ahead with it.
I am using both a Mac desktop and a Mac Pro laptop 💻. It's amazing 😍
Hi @Java Techie, thank you for such great content.
Sir, how to handle it if the API gateway goes down? In this condition I need to create a cluster for this.
Can you create a video to explain, if possible?
Thanks for the support.
Hi buddy, usually in real time we run multiple instances of a service as replicas; in case a region's instance goes down, traffic should immediately redirect to the active instance, and to achieve this we usually need to configure proper DR (disaster recovery).
Thanks for the content ❤
What is the name of the app next to the configuration?
Sir, can you make a video on role-based authentication, like user role, admin role etc., using JWT?
Role-based, I am also struggling to find a solution. Will definitely update you.
Hi Java Techie, thank you for the great content. Can you make a Spring Boot project for deploying to Azure with Jenkins, please?
I don't have much experience with Azure, but I will check and update you.
@Javatechie Thank you, I am looking forward to it 😳😳
Hi @Java Techie, thank you for sharing such valuable content. I have a question: could you please help me understand the process of implementing method-level role-based authorization in a Swiggy microservice? While I'd prefer not to use Keycloak, I'm interested in any references or guidance you could provide to achieve this. For instance, I'm curious about effectively utilizing the @PreAuthorize annotation in a Swiggy microservice.
That's tough to implement; I am working on a PoC, and once it is done I will upload it.
Hi @Javatechie, I went through your series about auth in microservices and I couldn't find the videos about role-based authorization, I mean the next video after this one. Did you already upload it?
Not uploaded yet, buddy.
Hi, but we still need to protect the other microservices, right? How do we secure the communication between microservices? Without using the API gateway you can still access the other microservices directly; that should require security, right?
Simple answer: why would you expose the other microservices' direct endpoints? What is the need for an API gateway then?
Great tutorial!
Although, what is the best way to secure the microservices as well? Since they only appear secure when accessed through the gateway, but one does not need to be authorised to access the microservices directly.
If you allow users to access the microservices directly, then what is the need for an API gateway? It doesn't make any sense, right, because we are bypassing the flow.
@Javatechie It is not a matter of giving users access, but it turns out to be a big security concern once anyone decides to attack you. There is no point of defense at all.
Okay, if you want to secure it forcefully, then you need to implement security in each and every microservice; that is what I can think of at this moment. Will check and update if there could be a better approach.
Hi @Java Techie, thank you for such great content.
Sir, I came across a question in an interview and was still unable to find a suitable solution; I would be grateful if you could make a small video on this. I believe this may require generics, recursion or reflection concepts. Write a program to compare whether two arguments are equal; they can be anything: primitive, Array, Map, Collection or custom objects, and the input param type is Object. E.g. isEqual(Object arg1, Object arg2). As per the question, we don't have knowledge of the input provided.
We can do this using a generic method if all the classes that we need to compare implement the Comparable interface.
Good question. I believe we can directly play with Object, but will check and update.
Hello, my identity-service is not working properly; after running all the services for 15' it works. Please show me how to configure that, thank you!
How to handle authorization (role-based authorization)?
Hi bro, nice. Can we expect a Saga pattern implementation video, bro?
Hi Anil Kumar, please check this video; it's already there on the channel: czcams.com/video/6O5iJ7PKUhs/video.html
Hi Bro,
Thank you for this content; it is very useful for every Java developer.
And my question is: here the restaurant service is also an authorised service. If the swiggy service wants to call the restaurant service, e.g. using RestTemplate, how do we have to pass the token, since the request will go directly to the gateway? Is it as you explained above, or is there another way?
The swiggy service needs to pass a token to access the restaurant service, using RestTemplate headers.
@Javatechie Thank you, bro.
Hi @Java Techie, thank you for this content; it is very useful for me. But how do Swagger calls work in this case? Can you please add that also?
Okay, sure.
How to exclude some APIs from requiring the JWT in the headers?
Hi, can you make a video implementing OAuth and sign-in with different platforms like Google, Facebook, GitHub?
Hi Java Techie, can you make a video on logout that makes the JWT token expire in a microservice?
Thank you. Do you have any audit implementation?
Audit implementation using Spring Security?
I am getting a forbidden error after following the above video. Can anyone please tell me what possible scenarios to look into?
You might have made some mistake; please import the code and try again.
A better approach is to use two-way TLS or an A2A cert.
There is a security vulnerability in this approach: if the client adds the same header in the request, then the microservices might read the header added by the client and not the gateway. So we need to block the header coming from the client, either at the infra level, like nginx or CloudFront, or put a check in the gateway itself so that if the client sends any of these headers, then respond forbidden.
Not getting you, Sanjay; what do you mean by client here?
In detail: all headers in HTTP can be a list of values, and the gateway is adding some headers; a hacker can add the same headers, and then there is a chance that on the microservice side the header it reads is the one coming from the hacker.
Okay, got you. Then we can mask it and pass.
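The header-spoofing point raised in the exchange above is real when the gateway only appends a header: HTTP allows repeated headers, so a downstream service may read whichever copy comes first. The following is an added example, not code from the video or from the JavaTechie GitHub repo. It is a Spring Cloud Gateway GlobalFilter that verifies the bearer JWT, removes any X-Auth-User / X-Auth-Roles headers the caller sent, and then sets those headers from the verified claims, so each downstream service receives exactly one gateway-controlled value. It also covers the earlier questions in this thread about forwarding the username and roles (the "userRoles" header suggestion) and about leaving the identity service's login endpoints open. Assumed, not from the video: the header names, the /auth/ open prefix, a "roles" list claim in the token, the shared HMAC secret, and the jjwt 0.12 parser API.

```java
package com.example.gateway;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.List;

// Added example, not code from the video or its GitHub repo.
@Component
public class IdentityHeaderFilter implements GlobalFilter, Ordered {

    // Identity headers that only the gateway may set (names are an assumption).
    static final String USER_HEADER = "X-Auth-User";
    static final String ROLES_HEADER = "X-Auth-Roles";

    // Paths that need no token, e.g. login/register on the identity service (assumed prefix).
    private static final List<String> OPEN_PREFIXES = List.of("/auth/");

    // Hypothetical HMAC secret shared with the identity service; load it from config in real code.
    private final SecretKey key = Keys.hmacShaKeyFor(
            "replace-me-with-a-real-secret-of-at-least-32-bytes".getBytes(StandardCharsets.UTF_8));

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        String path = request.getURI().getPath();

        if (OPEN_PREFIXES.stream().anyMatch(path::startsWith)) {
            // Open route: no token required, but still drop spoofable identity headers.
            ServerHttpRequest cleaned = request.mutate()
                    .headers(h -> { h.remove(USER_HEADER); h.remove(ROLES_HEADER); })
                    .build();
            return chain.filter(exchange.mutate().request(cleaned).build());
        }

        String auth = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) {
            return reject(exchange, HttpStatus.UNAUTHORIZED);
        }

        Claims claims;
        try {
            claims = Jwts.parser().verifyWith(key).build()
                    .parseSignedClaims(auth.substring("Bearer ".length()))
                    .getPayload();
        } catch (JwtException | IllegalArgumentException e) {
            // Bad signature, expired or malformed token: never forward unverified identity.
            return reject(exchange, HttpStatus.UNAUTHORIZED);
        }

        String subject = claims.getSubject();
        if (subject == null || subject.isBlank()) {
            return reject(exchange, HttpStatus.UNAUTHORIZED);
        }

        // A "roles" list claim is an assumption about how the identity service mints tokens.
        Object rolesClaim = claims.get("roles");
        String roles = rolesClaim instanceof List<?> list
                ? String.join(",", list.stream().map(String::valueOf).toList())
                : "";

        // remove() + set() REPLACE any client-supplied value, so downstream sees exactly one
        // trusted value per header; appending (addRequestHeader style) would leave the
        // attacker's copy in place ahead of ours.
        ServerHttpRequest trusted = request.mutate()
                .headers(h -> {
                    h.remove(USER_HEADER);
                    h.remove(ROLES_HEADER);
                    h.set(USER_HEADER, subject);
                    h.set(ROLES_HEADER, roles);
                })
                .build();
        return chain.filter(exchange.mutate().request(trusted).build());
    }

    private static Mono<Void> reject(ServerWebExchange exchange, HttpStatus status) {
        exchange.getResponse().setStatusCode(status);
        return exchange.getResponse().setComplete();
    }

    @Override
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE + 10; // run before the routing filters
    }
}
```

Because the identity headers are removed and then set (not added), a downstream service never sees a client-supplied copy, and on the open paths they are stripped without being re-added, so an unauthenticated caller cannot smuggle an identity through either. This only helps if the services accept traffic from the gateway alone (network rules or mutual TLS, as suggested above); a caller who can reach a service directly can still set these headers on a direct request.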
Great one... One question: how to enable CORS support for the host header?
Just encountered a similar problem. Can you tell me how I can support the host header for my API? Now it's forbidding the host header. One of our clients wants to access the API by giving its endpoint.
Hi, can you please make a video on OAuth2 + WebClient + token URI?
How will routing be done if the URLs of swiggy-service (host1:port1) and restaurant-service (host2:port2) are different?
You can cover roles to access the REST endpoint.
No, but this is not the way to maintain authorization. I will upload that video.
@Javatechie ok, in the identity service we can't add roles, and in the services we can use them, right?
You can add roles in the identity service, but using this role for authorization in the other microservices is a bit tricky.
@Javatechie cover that topic also, thanks.
Hi sir, can you create a video on how to do a password reset using a mail API?
How to deploy this distributed system in AWS?
I got a problem while I tried it using Postman; it sends me the message: An expected CSRF token cannot be found.
Disable it.
@Javatechie How? I didn't understand; I have disabled CSRF in auth-service.
I have done this in the securityFilterChain; please check and do the same.
@Javatechie Thank you, I didn't check it before. Now it works.
Sir, can I get some career-related guidance?
Drop me an email to javatechie4u@gmail.com
How to disable direct access to the microservices & allow access only through the API gateway?
Yes, that's what the gateway pattern is.
@Javatechie Can you please make a tutorial on it? Also, how to use @PreAuthorize in the swiggy controller?
08:31 why's this crying😂
I need support on one of my APIs to do this.
Is it possible to pass a user object instead of the username? For example, I might need the email, username, and role of the user. Also, how do I restrict API endpoints by roles and permissions?
I don't think we can pass an object directly in the header, but you can pass multiple keys and values.
@Javatechie So how can I use something like @AuthenticationPrincipal or annotations like @hasRole and @hasAuthority in the respective microservices?
I still have not found the solution for role-based authorization in this approach. Looking into it.
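For the role-based questions that recur in this thread (@PreAuthorize, hasRole, @AuthenticationPrincipal inside the restaurant/swiggy services), here is an added example that is not code from the video or from the JavaTechie repo. It shows a downstream Spring Boot 3 service that reads the identity headers forwarded by the gateway and installs them as a Spring Security Authentication, so the usual annotations work without the service having to validate the JWT itself. It assumes: spring-boot-starter-security on the service's classpath (contrary to the wish above to avoid that dependency, method security needs it); that the gateway has already validated the token and replaced, not appended, the X-Auth-User and X-Auth-Roles headers, the latter carrying a comma-separated role list; and that the service is reachable only through the gateway (network policy or mutual TLS, as suggested above), because the filter trusts the headers unconditionally. Header names, paths and role names are assumptions.

```java
package com.example.restaurant;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

// Added example, not code from the video or its GitHub repo.
@Configuration
@EnableMethodSecurity
class GatewayIdentityConfig {

    // Must match the names the gateway sets (assumed values).
    static final String USER_HEADER = "X-Auth-User";
    static final String ROLES_HEADER = "X-Auth-Roles";

    // Turns the gateway's identity headers into an authenticated principal. It trusts them
    // blindly, so this service must not be reachable except through the gateway.
    static class GatewayIdentityFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            String user = req.getHeader(USER_HEADER);
            if (user != null && !user.isBlank()) {
                String roles = req.getHeader(ROLES_HEADER);
                List<SimpleGrantedAuthority> authorities = roles == null ? List.of()
                        : Arrays.stream(roles.split(","))
                                .map(String::trim)
                                .filter(r -> !r.isEmpty())
                                // hasRole('ADMIN') looks for the authority "ROLE_ADMIN"
                                .map(r -> new SimpleGrantedAuthority("ROLE_" + r))
                                .toList();
                // The three-argument constructor marks the token as authenticated.
                var auth = new UsernamePasswordAuthenticationToken(user, null, authorities);
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            chain.doFilter(req, res);
        }
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .csrf(csrf -> csrf.disable())   // header-based identity, no browser session
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // Instantiated here on purpose: a @Component filter would also be registered
                // by Boot as a plain servlet filter and run a second time outside the chain.
                .addFilterBefore(new GatewayIdentityFilter(), AnonymousAuthenticationFilter.class)
                .authorizeHttpRequests(a -> a.anyRequest().authenticated())
                .build();
    }
}

@RestController
class RestaurantController {

    // Any authenticated user; the principal is the username string set by the filter.
    @GetMapping("/restaurant/menu")
    public String menu(@AuthenticationPrincipal String user) {
        return "menu for " + user;
    }

    // Only requests whose X-Auth-Roles contained ADMIN get here; everyone else receives 403.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/restaurant/admin/report")
    public String report() {
        return "admin report";
    }
}
```

With this in place, a request that arrives without the identity headers is rejected by anyRequest().authenticated() before it reaches a controller, and a user forwarded with X-Auth-Roles: USER gets a 403 from the admin endpoint while the menu endpoint still works. The role prefix is the one place people usually trip: hasRole('ADMIN') matches the authority ROLE_ADMIN, whereas hasAuthority('ADMIN') would match the bare name, so pick one convention for the gateway and the services and stick to it.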