I love you. Finally the architecture I'm looking for. A lot of tutorial are covering authentication for only one microservice and you are probably the only one that approaches the problem keeping in mind the whole microservice architecture.
We need this kind of videos. It is an end to end tutorial for microservices with security + JWT. Plz make videos on real time deployments with microservice architecture.
00:05 Triển khai Bảo mật dựa trên JWT trong microservice bằng Spring Cloud Gateway 07:12 Hai dịch vụ vi mô, Swiggi Service và dịch vụ nhà hàng, đang liên lạc với nhau thông qua API Gateway. 21:19 Cần phải viết một phương pháp để đăng ký người dùng, tạo mã thông báo và xác thực mã thông báo 28:07 Đã triển khai các điểm cuối xác thực và xác thực mã thông báo. 41:40 Xác định Dịch vụ chi tiết người dùng của riêng bạn để xác thực người dùng 48:42 Đã hoàn tất triển khai dịch vụ nhận dạng 1:02:00 Xác thực mã thông báo trong API Gateway 1:09:10 Triển khai logic xác thực mã thông báo JWT trong Cổng 1:22:07 Triển khai bảo mật microservice bằng xác thực JWT Crafted by Merlin AI.
This is Gold Boss... Thanks a ton for this video.. I lost most of my interview only because of not answering how to security is implemented in micro services question.... Appreciate your efforts.
Looks really simple, just as I used to implement the JWT service in a monolithic way, but porting everything to a new independent webservice to validate JWT to access any endpoint without compromising the other webservices.
Hi Basant , Very useful tutorial however I have one doubt, In production when the token is generated by passing a valid username and password it should automatically pass the token to the gateway right but here I saw that you are manually passing the token to the gateway through Postman for accessing microservices, My question is how we can automatically pass the token to the gateway for accessing microservices when the token is generated
Awesome videos. Hats off to you in explaining it in a very simple and easy manner. One question. May I know if we have a requirement to secure our swiggy and restaurant service endpoint and grant access based on role, then how we can achieve this requirement .
Waited last couple of month to get solution which you explain about validate and filter the request form spring cloud getway. ##you make my weekend Basant Sir. Thank you Sir
1:11:00 The rest call from gateway to auth service is not working. It is throwing an error saying cannot call from java.lang.illegalstateexception: block()/blockfirst()/blocklast() are blocking, which is not supported in thread reactor-http-nio-1. Please let me know if someone can help in this
Could you explain me : Client -> Security Service (GenerateToken) -> API Gateway -> MicroService1 (validate JWT) this flow is fine . What happen we request come directly to Client-> Microservice1 . How to check JWT for each endpoint.
The API Gateway is like the front door to your entire microservices setup. Every request coming in or going out passes through it. Think of it as a super-secure, load-balanced gatekeeper that makes sure only the right people and requests get in. Once you’ve validated requests at the gateway, there’s no need to worry about extra authentication for internal services since they aren’t directly accessible from the outside world. This setup keeps everything neat, secure, and centralized, so your microservices can focus on what they do best-without worrying about who’s knocking on the door.
Hi sir! I am grateful for this tutorial. In this tutorial you have two client services, one gate way, one security service and you added security in Api Gate. I like the way you did it. But i need to move forward and add some Authorization. Suppose in swiggy service there are some end points what only admin can access and some end points normal user can access. How to apply this type of Authorization. Would you please make second part of this tutorial please? I am following this tutorial and trying to learn. I tried to implement the security directly in the API GATE-WAY service. But that was not easy because gate-way supports webflux not the web.
instead of completely using spring cloud stack we can make this more OSS (open source stack) like every micro service is containerised (dockerised) then use KONG as API gateway. this way we can make the configuration more simple and reduce tight coupling.
Hello sir. there is api still open for each microservice. like calling the order in it's own microservice with port like localhost: 8082 then api is open . if anyone can call that api wihout gateway and security then what is the usage of jwt ???
@@Javatechie using url or somehow user know the endpoint or hacker know the endpoint. so the endpoints are not secured for each MS. you have to reconsider your code and try to figure out how to secure all the endpoints separately also
@@hkkabir2024 no buddy it will be known by user only if you exposed it . If we are doing that then it's the wrong approach then what is the need for a gateway?
@@ahammedhussain9335 I think the services need not to be public, so we cannot access them directly, we can only access them through gateway as the end user, and at gateway we filter request to check for the token and authentication for routing the request to the appropriate service.
Thank you so much great video. Just wanted to mention that oauth 2.1 removed the password grant type so a generated client_credentials would be a better option, and would like to see an updated video on that implementation.
Let me ask you a question. If, for example, I try to access the restaurant service directly (giving the restaurant service port), that is, without going through Gateway, I will skip the validate token part, right? So the restaurant service isn't protected at all, is it?
Knowing only port how someone can access buddy? We shouldn't expose our microservice endpoints even though it's exposed then we need to implement cross origin so that if the request comes from only api gateway then only allow that.
Thank you very much for providing such a detailed explanation. Your video is undoubtedly superior to paid courses that tend to overcomplicate things and stretch on for more than 8 hours. I have a question: If I were to call Swiggy or a restaurant service directly, bypassing the gateway or discovery service, how would I handle authentication?
My approach for this is to apply filters to individual microservice, in which set up the securitycontextholder which would look something like below UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, null, authorities); SecurityContextHolder.getContext().setAuthentication(authenticationToken); This is working for me.
@@Javatechie i get that, but if this was the goal all along, then why did we implement this in the id-service to begin with? I want to avoid duplicate code.
finally someone addressed this scenario with proper explanation. Thanks as always. one question that if auth service also has to pass through api gateway and we didn't add filter param in gateways routes for auth service then why we are checking those urls through validators in authentication filter ? because request will never land on filter in case of /register and /token api
No usually we should do a rest call to identify service from gateway to validate and get token but here to avoid that I have directly used jwt logic in gateway that's why it's confusing for you
@@Javatechie but that rest call we are doing lately when all the checks are true before that. I am talking about that "if" condition in start (validator.isSecured.test(exchange.getRequest())) { because in this condition we are checking /register and /token urls to bypass the token check and according to implementation when we will call register or token it would never land on Authentication Filter. let me know if I am missing something still.
That's correct right. In the filter we had token validation logic right? So when i don't want to authenticate the user for the first time login then why do you want this to be delegated to filter what is the sense here ? Let me know if I understand your concern correctly. If not please drop an email to javatechie4u@gmail.com
@@Javatechie no I dont want to authenticate for the first time. I am just saying that, main if condition is of no use when we will call /register or /token , it does not matter if the condition is there or not. Will email no problem
Explained very well. My doubt is if there are 100s of microservices all the call will go through API gate way and the auth Service, how to handle API gateway or auth service failure ?
This is the way to implement in microservice but if you want more secure then better use 3rd party identity providers like okta or keyclok. I already uploaded a video of keyclok using microservice
Very good explanation, have one doubt in jwt tutorial you mentioned to validate token you passed token and user details object , but here in api gateway you are passing just token , what if I modify token , and how api gateway is validating modified token since we are not passing user details object
@@Javatechie was mentioning about below method , can u plz explain here we are just passing token we r not extracting username public void validateToken(final String token) { Jwts.parserBuilder().setSigningKey(getSignKey()).build().parseClaimsJws(token); }
Thank you very much for the video., if restaurant service has to call swiggy service using rest template, now we have to include jwt token in httpheaders otherwise we will get 401 authorization as we have implemented jwt authentication is my understanding correct please let me know
No phani , we haven't implemented security in microservice level we have added on gateway level so inter communication doesn't require any authentication mechanism
Thanks so much, it is the Best tutorial ive seen. I have one question. Hoy can I get the current loged user and roles from the servíces to make autorizations
Do we need to remember JwtService class? i mean do we need to remember all the methods what all it does or we already have it written somewhere in any libraries?
Why did you create bean UserDetailsService if CustomUserDetailsService anotated with @Component? Wouldn't it be better create argument UserDetailsService into authenticationProvider method?
If I want to add userId to the order table as a primary key then how can I get the current logged-in user so that I can take the user credential then take userId and place it into the order table?
@@Javatechie Thanx for the reply. what about swaggy microservice or restaurant microservice. there has no security configuration so how I can get the logged-in user from swaggy or restaurant microservice?
In the gateway service when we create authfilter is good to copy default methods and paste them or memorize them bc there is a lot methods? at 59:52 onwards
@@Javatechie how ...i tried with global exception handling but for that web dependency required..but web and gateway both are not compatible with each other.. so how are to?..
Yes correct but gateway we have used wwbflux right so we can use global exception handling for reactive approach but wait let me do some cross check will update in same thread
Wow Very Nicely Explained In Easy To Understand Manner. 1 Request can you please show how to implement role based authentication with Spring API Gateway ?
Can we explain this when we were asked in interview explain security in microservices and where you will implement in API Gateway or in each microservices?
You have one of the best educational channels out there. I would love to give you a constructive opinion: It would be great if you could change your microphone into something clearer, like what the java brain and Navin have. Trust me, it makes a huge difference.
Great Video! Need some more info : How do we avoid scattering secret? it can be stolen from code repo. How will the services be talking to each other? How will they get the token? Also how to enable HTTPS with proper handling of secrets.
Wonderful and clearly explained. I want just to know how to access authentication info (principal for example) and how to do authorization if needed in microservices
Hello basant, should I define the sessionCreationPolicy to SessionCreationPolicy.STATELESS inside the securityFilterChain to precise I don't want to use jsessionid ?
Hi @javatechie I have a question. What is i dont want to validate the token in cloud-gateway. every request which is coming to gateway and cloud-gateway has to call identity-service to validate the token and send back to cloud-gateway and based on the response it will call the endpoint or throw an exception. Is it possible ??
Yes it's absolutely possible that is what I explained in PPT but while explaining code I have added validateToken logic in gateway but you can do that easily just refer flow it will be dead easy
Hi Basant, Its really good explanation, I have one doubt, how should we handle @PreAuthorize in our microservices in case we are following this pattern. Please do answer me , its really urgent for me.
Hello Shivansh , I am also not sure about your question if we will go with pre Authorize annotations then in every microservice we need to implement security but that's what is not advisable.i am looking into solution will update you once I find
Thanks for sharing this video. I have one question. Do we need of validator.isSecure for endpoints /token, /register, /validateToken? I think no because we are not applying filter for IdentityService then obviously API Gateway will not use the filter. Please correct me I am wrong.
Yes it's required otherwise wise how can we bipass the request. Currently I am not calling identity service api but as per best practices it's good to do rest API call to validate the token hence above URL required to bypass
Hi Sir, actually regarding sso in every RUclips tutorial up to okta telling, but how to modify the database of existing application because already users everything is present, please suggest any video on this.
i have a question, what if i have 3 microservices (agency -> service -> activities ) and i want to get all activities from the services that an agency offers, do i need to ask for the token 3 times?
how spring cloud check that request came from web or mobile app and executes corresponding version of RequestMapping method. can you please clarify my query?
Basant can you tell me how to JWT token pass through one service to another service as we only sent the payload (order details) to call restaurant API. Here how JWT propagation happening
I feel like your explanations are even better than people who have english as their first language lol. You really do have a gift for this!
I love you. Finally the architecture I'm looking for. A lot of tutorial are covering authentication for only one microservice and you are probably the only one that approaches the problem keeping in mind the whole microservice architecture.
Thank you so much Lukasz for appreciating my work 🥰🥰
you worth millions of like
Is it still applicable in 2024, in the latest version of spring?
Finally found an understandable tutorial about securing a Spring Cloud Gateway microservices architecture! A thousand times thank you sir!
We need this kind of videos. It is an end to end tutorial for microservices with security + JWT. Plz make videos on real time deployments with microservice architecture.
00:05 Triển khai Bảo mật dựa trên JWT trong microservice bằng Spring Cloud Gateway
07:12 Hai dịch vụ vi mô, Swiggi Service và dịch vụ nhà hàng, đang liên lạc với nhau thông qua API Gateway.
21:19 Cần phải viết một phương pháp để đăng ký người dùng, tạo mã thông báo và xác thực mã thông báo
28:07 Đã triển khai các điểm cuối xác thực và xác thực mã thông báo.
41:40 Xác định Dịch vụ chi tiết người dùng của riêng bạn để xác thực người dùng
48:42 Đã hoàn tất triển khai dịch vụ nhận dạng
1:02:00 Xác thực mã thông báo trong API Gateway
1:09:10 Triển khai logic xác thực mã thông báo JWT trong Cổng
1:22:07 Triển khai bảo mật microservice bằng xác thực JWT
Crafted by Merlin AI.
This is Gold Boss... Thanks a ton for this video.. I lost most of my interview only because of not answering how to security is implemented in micro services question.... Appreciate your efforts.
Thank you buddy 🙂
Actually without your tutorial I couldn't learn easily new things implementation in spring app...
You are Guru. Thanks lot.
Thank you Siva . Keep learning 😃
THIS IS THE VIDEO I WAS LOOKING FOR, THANKS SO MUCH FROM COLOMBIA
Great Video sir, completely Awesome...Add the role based security through api gateway.
Nobody explains like you do..Thank you very much for the video.
Looks really simple, just as I used to implement the JWT service in a monolithic way, but porting everything to a new independent webservice to validate JWT to access any endpoint without compromising the other webservices.
Best course available in youtube. Thankfully it is free. Keep up the good work
i love you brother, you are the best teacher for learners in this field.
No words Mind Blowing
Hi , Boss, Thanks for the video , i am following you since 2018, your videos help me to get move forward .
Hi Basant ,
Very useful tutorial however I have one doubt, In production when the token is generated by passing a valid username and password it should automatically pass the token to the gateway right but here I saw that you are manually passing the token to the gateway through Postman for accessing microservices, My question is how we can automatically pass the token to the gateway for accessing microservices when the token is generated
Your question is genuine but this automatically stuff needs to handle from UI not from the backend
@@Javatechie ok thank you!
Thank you so much for clear explain no one will explain like you.
This is the best channel about Spring and stuffs of all RUclips. Thank you Java Techie.
Awesome videos. Hats off to you in explaining it in a very simple and easy manner. One question.
May I know if we have a requirement to secure our swiggy and restaurant service endpoint and grant access based on role, then how we can achieve this requirement .
Waited last couple of month to get solution which you explain about validate and filter the request form spring cloud getway. ##you make my weekend Basant Sir.
Thank you Sir
Thanks buddy 😊. Keep learning 👍
1:11:00 The rest call from gateway to auth service is not working. It is throwing an error saying cannot call from java.lang.illegalstateexception: block()/blockfirst()/blocklast() are blocking, which is not supported in thread reactor-http-nio-1. Please let me know if someone can help in this
Could you explain me : Client -> Security Service (GenerateToken) -> API Gateway -> MicroService1 (validate JWT) this flow is fine . What happen we request come directly to Client-> Microservice1 . How to check JWT for each endpoint.
How to block each microservice endpoint to access??
The API Gateway is like the front door to your entire microservices setup. Every request coming in or going out passes through it. Think of it as a super-secure, load-balanced gatekeeper that makes sure only the right people and requests get in.
Once you’ve validated requests at the gateway, there’s no need to worry about extra authentication for internal services since they aren’t directly accessible from the outside world. This setup keeps everything neat, secure, and centralized, so your microservices can focus on what they do best-without worrying about who’s knocking on the door.
This video is very useful for me . Thank you for your time and explanation
Hi sir! I am grateful for this tutorial. In this tutorial you have two client services, one gate way, one security service and you added security in Api Gate. I like the way you did it. But i need to move forward and add some Authorization. Suppose in swiggy service there are some end points what only admin can access and some end points normal user can access. How to apply this type of Authorization. Would you please make second part of this tutorial please? I am following this tutorial and trying to learn. I tried to implement the security directly in the API GATE-WAY service. But that was not easy because gate-way supports webflux not the web.
make use of method level authorization and roles
Yes I am still not finding any solution for this approach. Will check and update you
@@Javatechie Thanks
@@Javatechie I saw others using OAuth2 to solve this problem. KeyCloak is one of them.
@@Javatechie Hey, I found your video helpful, however I wanted to inquire, did you find any solution for this approach?
Hi Basant sir, Jwt in microservices explanation is so good. Thank you so much...
instead of completely using spring cloud stack we can make this more OSS (open source stack) like every micro service is containerised (dockerised) then use KONG as API gateway. this way we can make the configuration more simple and reduce tight coupling.
Could you please explain more about how that works?
can you please come with your hands on similar like this using KONG.
Searching every where finally got it thanks sir 😀
Best video you can find for JWT auth ❤
Thanks a lot.
I am looking for security in Microservices architecture. It is one of the best way, you have explained.
Glad to hear that😊
Hello sir. there is api still open for each microservice. like calling the order in it's own microservice with port like localhost: 8082 then api is open . if anyone can call that api wihout gateway and security then what is the usage of jwt ???
Simple question can you please answer me how the user will know about the endpoints of your microservice ?
@@Javatechie using url or somehow user know the endpoint or hacker know the endpoint. so the endpoints are not secured for each MS. you have to reconsider your code and try to figure out how to secure all the endpoints separately also
@@hkkabir2024 no buddy it will be known by user only if you exposed it . If we are doing that then it's the wrong approach then what is the need for a gateway?
It is authenticated only when it routes through the gateway. But the end point for the micro services are still open how to secure that?
I think we need to implement spring security at service level for each service
Is there any solution for this issue?
@@ahammedhussain9335 I think the services need not to be public, so we cannot access them directly, we can only access them through gateway as the end user, and at gateway we filter request to check for the token and authentication for routing the request to the appropriate service.
No no just implement cross origin bro
@@darshanrajashekhar5914 please elaborate
Thank you so much sir for wonderful explanation ❤
since springboot 3.0 you dont have to do @EnableDiscoveryClient annotation. It is enough that dependency is defined in pom.xml
I haven't tried , will check and update you
I had been waiting for this topic for long time. Finally wait is over.
Thank you so much great video. Just wanted to mention that oauth 2.1 removed the password grant type so a generated client_credentials would be a better option, and would like to see an updated video on that implementation.
Let me ask you a question. If, for example, I try to access the restaurant service directly (giving the restaurant service port), that is, without going through Gateway, I will skip the validate token part, right? So the restaurant service isn't protected at all, is it?
Then what is the need of the API gateway buddy? If you will directly expose your microservice endpoints to users
@@Javatechie The point is, if a hacker knows the port of my services (for somehow), he can easily access them.
Do you get any solution regarding this
@@Javatechie then how disallow it...?....bcz if somebody knows our port...he can access it
Knowing only port how someone can access buddy? We shouldn't expose our microservice endpoints even though it's exposed then we need to implement cross origin so that if the request comes from only api gateway then only allow that.
52:00 Auth service integrate with Gateway
56:00 Validate token
Thank you very much for providing such a detailed explanation. Your video is undoubtedly superior to paid courses that tend to overcomplicate things and stretch on for more than 8 hours.
I have a question: If I were to call Swiggy or a restaurant service directly, bypassing the gateway or discovery service, how would I handle authentication?
you can't but you can make that api endpoint in api gateway itself
Excellent Explanation. this is the Video i was looking for. thanks
Good explanation, your course was clear and understandable.
This Video is really helpful, Pls. Can you cover Role base authentication and Authorization on the individual microservices?
My approach for this is to apply filters to individual microservice,
in which set up the securitycontextholder
which would look something like below
UsernamePasswordAuthenticationToken authenticationToken =
new UsernamePasswordAuthenticationToken(username, null, authorities);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
This is working for me.
Nice video we learn couple of thing related to microservices and spring security ❤❤❤
why did you copy the code of "/validate" to gateway? It's useless now in the identity-service if you run this piece of code from the gateway
Rather than doing another rest call to identity service i have used it in gateway itself
@@Javatechie i get that, but if this was the goal all along, then why did we implement this in the id-service to begin with? I want to avoid duplicate code.
Thanks aTon Sir ❤, No one can match your Explanation level 👍
Its a very best content which i ever seen in across youtube .. thanks basant keep it up..
me too
Is it still applicable in spring 3 (2024) ?
Yes
it's awsome,,
I was trying to solve this kind of problem and this tutorial helps me a lot.
Thank You so much for the video tutorial.
Thanks Sir , Good explanation, your course was clear and understandable.
finally someone addressed this scenario with proper explanation. Thanks as always.
one question that if auth service also has to pass through api gateway and we didn't add filter param in gateways routes for auth service then why we are checking those urls through validators in authentication filter ? because request will never land on filter in case of /register and /token api
No usually we should do a rest call to identify service from gateway to validate and get token but here to avoid that I have directly used jwt logic in gateway that's why it's confusing for you
@@Javatechie but that rest call we are doing lately when all the checks are true before that. I am talking about that "if" condition in start (validator.isSecured.test(exchange.getRequest())) {
because in this condition we are checking /register and /token urls to bypass the token check and according to implementation when we will call register or token it would never land on Authentication Filter.
let me know if I am missing something still.
That's correct right. In the filter we had token validation logic right? So when i don't want to authenticate the user for the first time login then why do you want this to be delegated to filter what is the sense here ?
Let me know if I understand your concern correctly. If not please drop an email to javatechie4u@gmail.com
@@Javatechie no I dont want to authenticate for the first time.
I am just saying that, main if condition is of no use when we will call /register or /token , it does not matter if the condition is there or not.
Will email no problem
@@faixan13 okay simple things buddy remove those 2 url from validator don't bypass it and run your app then test . Hope you will get your point.
Explained very well. My doubt is if there are 100s of microservices all the call will go through API gate way and the auth Service, how to handle API gateway or auth service failure ?
You need to handle it through DR . In microservice world 🌎 no guarantee of 0 downtime
@@Javatechie thanks
Thank you! how is it going if i have the UserData in an other service, is there any video with this case ?
In our case also user data available in other services right
Thank you! but i have a question! is this enough in term of security in my application and how can i add more security layers
This is the way to implement in microservice but if you want more secure then better use 3rd party identity providers like okta or keyclok. I already uploaded a video of keyclok using microservice
great job Sr. does it come with new spring boot verison
Bro, thank you!!! God bless you!!!
I've been waiting this long, thanks java techie greetings from peru😎
Very good explanation, have one doubt in jwt tutorial you mentioned to validate token you passed token and user details object , but here in api gateway you are passing just token , what if I modify token , and how api gateway is validating modified token since we are not passing user details object
In jwt from token we extract user details . We Don't pass user details explicitly
@@Javatechie was mentioning about below method , can u plz explain here we are just passing token we r not extracting username
public void validateToken(final String token) {
Jwts.parserBuilder().setSigningKey(getSignKey()).build().parseClaimsJws(token);
}
Please Debug parseClaim method you Will understand from token what all we are extracting
Thank you very much for the video., if restaurant service has to call swiggy service using rest template, now we have to include jwt token in httpheaders otherwise we will get 401 authorization as we have implemented jwt authentication is my understanding correct please let me know
No phani , we haven't implemented security in microservice level we have added on gateway level so inter communication doesn't require any authentication mechanism
@@Javatechie 🙏🙏👍thanks
bro you helped me a lot, thank you very much and greetings from Argentina
Awesome video Bhai.. much needed.. thanks a lot for the content shared. 🎉
Thanks so much, it is the Best tutorial ive seen. I have one question. Hoy can I get the current loged user and roles from the servíces to make autorizations
Please check the next video you will get logged in user info but regarding Authorization i am working on it
This is what, I was waiting for ,Very Helpful for me
thanks for giving us this much excellent content and awesome video
Do we need to remember JwtService class? i mean do we need to remember all the methods what all it does or we already have it written somewhere in any libraries?
No nothing to remember it's just how we play with token that's what we have define in that classes. I don't find any utility library as such
Why did you create bean UserDetailsService if CustomUserDetailsService anotated with @Component?
Wouldn't it be better create argument UserDetailsService into authenticationProvider method?
Buddy i create a bean of interface where the implementation is CustomUDService
@@Javatechie Isn't it unnecessary to create a bean? @Component itself creates the bean, you can simply pass it to the method?
Got your points and Agree buddy
Awesome explanation !!! Really i feel that you are one of the most amazing solution architect !!!
Thank you for appreciating buddy. I am just a senior software Engineer not an architect 🤪🤪
If I want to add userId to the order table as a primary key then how can I get the current logged-in user so that I can take the user credential then take userId and place it into the order table?
From controller method just call principal.getUserName()
@@Javatechie Thanx for the reply.
what about swaggy microservice or restaurant microservice. there has no security configuration so how I can get the logged-in user from swaggy or restaurant microservice?
Wonderful. Thank you very much for sharing
In the gateway service when we create authfilter is good to copy default methods and paste them or memorize them bc there is a lot methods? at 59:52 onwards
is there any way to get the exact exception message in response ? in gateway
Yes we can do that
@@Javatechie how ...i tried with global exception handling but for that web dependency required..but web and gateway both are not compatible with each other.. so how are to?..
Yes correct but gateway we have used wwbflux right so we can use global exception handling for reactive approach but wait let me do some cross check will update in same thread
Can't we play with the fallback method of resilense4j
@@Javatechie so we have to write fallback method to get the proper exception...am I right?..
Wow Very Nicely Explained In Easy To Understand Manner.
1 Request can you please show how to implement role based authentication with Spring API Gateway ?
Yes buddy it's in queue i will upload soon
superb clear video
Can we explain this when we were asked in interview explain security in microservices and where you will implement in API Gateway or in each microservices?
Yes you can absolutely explain this architecture or just explicitly new identity service which i mentioned in presentation both approach acceptable
The best explanation
You have one of the best educational channels out there. I would love to give you a constructive opinion: It would be great if you could change your microphone into something clearer, like what the java brain and Navin have. Trust me, it makes a huge difference.
Thanks Filz , i noted it and going forward i will come with better audio quality. Need to look into rode configuration
@@Javatechie 🎉d o 😢😢😢😮😊😂😅😅😅😅😮😮😮😮😮😅😮fq😢😢😢😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮
Archana not getting you
@@Javatechie I think, that's a bot.
Even not getting you buddy. What do you mean by bot
You are super talented man.clear explanation .Thank you
Thank you for this tutorial... Kudos
Thank you so much. Can you do a video share how to config authorization with JWT in microservices ?
Excellent Work....Thank you
Thank you, Basant Bhai...
Great Video! Need some more info : How do we avoid scattering secret? it can be stolen from code repo. How will the services be talking to each other? How will they get the token? Also how to enable HTTPS with proper handling of secrets.
Very good coverage ! I find the RouteValidator to be superficial. Why not using annotations on endpoints ?
Nice work man, please implement the swegger this application which is used for api documentation, thanks in advance
Wonderful and clearly explained. I want just to know how to access authentication info (principal for example) and how to do authorization if needed in microservices
Please check the video below 👇 you will get an idea ruclips.net/video/qODoDq5_hAM/видео.html
@@Javatechie Thanks a lot
Thanks for sharing the knowledge ❤
Hello basant, should I define the sessionCreationPolicy to SessionCreationPolicy.STATELESS inside the securityFilterChain to precise I don't want to use jsessionid ?
It's good to have
Hi @javatechie
I have a question. What is i dont want to validate the token in cloud-gateway. every request which is coming to gateway and cloud-gateway has to call identity-service to validate the token and send back to cloud-gateway and based on the response it will call the endpoint or throw an exception. Is it possible ??
Yes it's absolutely possible that is what I explained in PPT but while explaining code I have added validateToken logic in gateway but you can do that easily just refer flow it will be dead easy
Thanks!! Helpful for basic understanding.
Won't the rest template call to identity service will be blocking and will lead to an issue?
Yes it should be synchronous
Hi Basant, Its really good explanation, I have one doubt, how should we handle @PreAuthorize in our microservices in case we are following this pattern.
Please do answer me , its really urgent for me.
Hello Shivansh , I am also not sure about your question if we will go with pre Authorize annotations then in every microservice we need to implement security but that's what is not advisable.i am looking into solution will update you once I find
@@Javatechie thanks
may i know why feign cannot use within the custom filter,i had issue that my feign is null
I guess we can use it. But not sure whether will it work with traditional api call or not will check and update
Thanks for sharing this video.
I have one question. Do we need of validator.isSecure for endpoints /token, /register, /validateToken? I think no because we are not applying filter for IdentityService then obviously API Gateway will not use the filter. Please correct me I am wrong.
Yes it's required otherwise wise how can we bipass the request. Currently I am not calling identity service api but as per best practices it's good to do rest API call to validate the token hence above URL required to bypass
Thank you for this wonderful video❤️❤️
Thanks so much Basant. Appreciate your efforts. I am learning lot from your videos. Waiting for more videos.
Loved your explaination ❤❤❤❤
Hi Sir, actually regarding sso in every RUclips tutorial up to okta telling, but how to modify the database of existing application because already users everything is present, please suggest any video on this.
I will cover this
@@Javatechie thank you so much sir for your quick reply
i have a question, what if i have 3 microservices (agency -> service -> activities ) and i want to get all activities from the services that an agency offers, do i need to ask for the token 3 times?
It should be done in one go , simply we are applying security on the entry point not in individual microservice
Could you please tell me, what kind of design pattern have you used in the microservice apoplication
Thank you so much !!
But how can we restrict direct access to individual microservices
Only one way to avoid exposing them
Thank you for such an awesome lecture. We many of us benefit from such work. Continue teaching brother
how spring cloud check that request came from web or mobile app and executes corresponding version of RequestMapping method. can you please clarify my query?
There is no such mechanism whether it's mobile or web app endpoint will always be the same buddy .
@@Javatechie i am facing interview questions about it. i can't able to answer that. what could expert answer from you. plz help me on this.
For desktop or mobile view frontend team needs to design responsive pages. Nothing to do from the backend
thanks @@Javatechie
Basant can you tell me how to JWT token pass through one service to another service as we only sent the payload (order details) to call restaurant API. Here how JWT propagation happening
Jwt will only pass to api gateway for authentication It won't pass to other microservices Please debug the filter class you will understand