Microservices Security Using JWT | Spring Cloud Gateway | JavaTechie
HTML-код
- Опубликовано: 20 сен 2024
- This tutorial will guide you How to secure your microservices with with JWT Authentication using Spring Cloud Gateway.
We are going to discuss an architecture in which one microservice will act as a api gateway service which does central authentication, redirect an incoming request to other microservices. The main advantage of this architecture is you can easily add multiple microservices to the system and all authentication, authorization will be taken care from a central unit
#Javatechie #Microservice #Security #JWT
Spring boot microservice Live course Just started (Recordings available)
Hurry-up & Register today itself!
COURSE LINK : javatechie5246...
PROMO CODE : Java40
GitHub:
github.com/Jav...
Blogs:
/ javatechie
Facebook:
/ javatechie
guys if you like this video please do subscribe now and press the bell icon to not miss any update from Java Techie
Disclaimer/Policy:
--------------------------------
Note : All uploaded content in this channel is mine and its not copied from any community ,
you are free to use source code from above mentioned GitHub account
Could you explain me : Client -> Security Service (GenerateToken) -> API Gateway -> MicroService1 (validate JWT) this flow is fine . What happen we request come directly to Client-> Microservice1 . How to check JWT for each endpoint.
How to block each microservice endpoint to access??
Finally found an understandable tutorial about securing a Spring Cloud Gateway microservices architecture! A thousand times thank you sir!
I feel like your explanations are even better than people who have english as their first language lol. You really do have a gift for this!
I love you. Finally the architecture I'm looking for. A lot of tutorial are covering authentication for only one microservice and you are probably the only one that approaches the problem keeping in mind the whole microservice architecture.
Thank you so much Lukasz for appreciating my work 🥰🥰
you worth millions of like
Waited last couple of month to get solution which you explain about validate and filter the request form spring cloud getway. ##you make my weekend Basant Sir.
Thank you Sir
Thanks buddy 😊. Keep learning 👍
This is Gold Boss... Thanks a ton for this video.. I lost most of my interview only because of not answering how to security is implemented in micro services question.... Appreciate your efforts.
Thank you buddy 🙂
Best course available in youtube. Thankfully it is free. Keep up the good work
Actually without your tutorial I couldn't learn easily new things implementation in spring app...
You are Guru. Thanks lot.
Thank you Siva . Keep learning 😃
This video is very useful for me . Thank you for your time and explanation
i love you brother, you are the best teacher for learners in this field.
Thanks a lot.
I am looking for security in Microservices architecture. It is one of the best way, you have explained.
Glad to hear that😊
Great Video sir, completely Awesome...Add the role based security through api gateway.
instead of completely using spring cloud stack we can make this more OSS (open source stack) like every micro service is containerised (dockerised) then use KONG as API gateway. this way we can make the configuration more simple and reduce tight coupling.
Could you please explain more about how that works?
can you please come with your hands on similar like this using KONG.
This is the best channel about Spring and stuffs of all RUclips. Thank you Java Techie.
THIS IS THE VIDEO I WAS LOOKING FOR, THANKS SO MUCH FROM COLOMBIA
Thanks aTon Sir ❤, No one can match your Explanation level 👍
Looks really simple, just as I used to implement the JWT service in a monolithic way, but porting everything to a new independent webservice to validate JWT to access any endpoint without compromising the other webservices.
Hi Basant sir, Jwt in microservices explanation is so good. Thank you so much...
Thank you so much for clear explain no one will explain like you.
You have one of the best educational channels out there. I would love to give you a constructive opinion: It would be great if you could change your microphone into something clearer, like what the java brain and Navin have. Trust me, it makes a huge difference.
Thanks Filz , i noted it and going forward i will come with better audio quality. Need to look into rode configuration
@@Javatechie 🎉d o 😢😢😢😮😊😂😅😅😅😅😮😮😮😮😮😅😮fq😢😢😢😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮
Archana not getting you
@@Javatechie I think, that's a bot.
Even not getting you buddy. What do you mean by bot
it's awsome,,
I was trying to solve this kind of problem and this tutorial helps me a lot.
Thank You so much for the video tutorial.
Nobody explains like you do..Thank you very much for the video.
This Video is really helpful, Pls. Can you cover Role base authentication and Authorization on the individual microservices?
Wooooow.... i seached a lot for this kind of scenario but i did not find and in so many interviews i faced this question and got stucked. A million thanks basanth.... it helps us a looooot......👏👏👏🤝🤝🤝🙏🙏🙏 Thanks you so much
Next Please do videos on TESTING(mockito) microservices end to end and GLOBAL EXCEPTIONAL HANDLING (please think about it)
I will share the link with what you mentioned which i already uploaded. Even if you can search in the channel it's already there buddy
Exception handling : ruclips.net/video/gPnd-hzM_6A/видео.html
Mockito testing: ruclips.net/video/Hh17JDpsKqc/видео.html
Its a very best content which i ever seen in across youtube .. thanks basant keep it up..
me too
Awesome videos. Hats off to you in explaining it in a very simple and easy manner. One question.
May I know if we have a requirement to secure our swiggy and restaurant service endpoint and grant access based on role, then how we can achieve this requirement .
Hi sir! I am grateful for this tutorial. In this tutorial you have two client services, one gate way, one security service and you added security in Api Gate. I like the way you did it. But i need to move forward and add some Authorization. Suppose in swiggy service there are some end points what only admin can access and some end points normal user can access. How to apply this type of Authorization. Would you please make second part of this tutorial please? I am following this tutorial and trying to learn. I tried to implement the security directly in the API GATE-WAY service. But that was not easy because gate-way supports webflux not the web.
make use of method level authorization and roles
Yes I am still not finding any solution for this approach. Will check and update you
@@Javatechie Thanks
@@Javatechie I saw others using OAuth2 to solve this problem. KeyCloak is one of them.
@@Javatechie Hey, I found your video helpful, however I wanted to inquire, did you find any solution for this approach?
Best video you can find for JWT auth ❤
Grateful for such a wonderful insight on Microservices security. It will definitely help me to improve skills in my projects. Thankyou so much for the efforts. I'm learning a lot from your channel. Awaiting for more interesting videos.
Thanks buddy keep learning 😃
Searching every where finally got it thanks sir 😀
Wow Very Nicely Explained In Easy To Understand Manner.
1 Request can you please show how to implement role based authentication with Spring API Gateway ?
Yes buddy it's in queue i will upload soon
Thank you very much for providing such a detailed explanation. Your video is undoubtedly superior to paid courses that tend to overcomplicate things and stretch on for more than 8 hours.
I have a question: If I were to call Swiggy or a restaurant service directly, bypassing the gateway or discovery service, how would I handle authentication?
you can't but you can make that api endpoint in api gateway itself
I had been waiting for this topic for long time. Finally wait is over.
Hey Basant Anna, this is awesome 👌thanks for such a smooth flow..its really a very complex topic & nightmare for interview candidates.
I've been waiting this long, thanks java techie greetings from peru😎
Great Video! Need some more info : How do we avoid scattering secret? it can be stolen from code repo. How will the services be talking to each other? How will they get the token? Also how to enable HTTPS with proper handling of secrets.
Much waited ❤ Thank you sir for your wonderful teaching and the knowledge your sharing .
I am new to microservices & your videos helped me a lott🙌🙌 also can you please tell me, what should I use for role based authorisation in microservices.
I am working on project which is a web portal for sanctioning government applications, It has user & admin as roles.
Please guide🙌
I am working on jwt token microservices.
How to logout user or expire token imediate?
Hi Basant ,
Very useful tutorial however I have one doubt, In production when the token is generated by passing a valid username and password it should automatically pass the token to the gateway right but here I saw that you are manually passing the token to the gateway through Postman for accessing microservices, My question is how we can automatically pass the token to the gateway for accessing microservices when the token is generated
Your question is genuine but this automatically stuff needs to handle from UI not from the backend
@@Javatechie ok thank you!
No words Mind Blowing
Quite informative, thanks!
Thanks Sir , Good explanation, your course was clear and understandable.
Thank you for such an awesome lecture. We many of us benefit from such work. Continue teaching brother
bro you helped me a lot, thank you very much and greetings from Argentina
Nice video we learn couple of thing related to microservices and spring security ❤❤❤
Excellent Explanation. this is the Video i was looking for. thanks
Awesome explanation !!! Really i feel that you are one of the most amazing solution architect !!!
Thank you for appreciating buddy. I am just a senior software Engineer not an architect 🤪🤪
Nice explanation! Only thing I'm concerning is that why did you filter and authenticate user in gateway directly rather than routing to IDENTITY service and authenticate?
Thanks so much Basant. Appreciate your efforts. I am learning lot from your videos. Waiting for more videos.
Good explanation, your course was clear and understandable.
This is what, I was waiting for ,Very Helpful for me
Awesome video.
Fantastic video and an outstanding explanation ❤🔥. Thank you so much!!!
In Gateway service, can you please show us role based authentication. You just showed authentication part but not authorisation. Please show us. It’s very important
1:11:00 The rest call from gateway to auth service is not working. It is throwing an error saying cannot call from java.lang.illegalstateexception: block()/blockfirst()/blocklast() are blocking, which is not supported in thread reactor-http-nio-1. Please let me know if someone can help in this
Thanks!! Helpful for basic understanding.
finally someone addressed this scenario with proper explanation. Thanks as always.
one question that if auth service also has to pass through api gateway and we didn't add filter param in gateways routes for auth service then why we are checking those urls through validators in authentication filter ? because request will never land on filter in case of /register and /token api
No usually we should do a rest call to identify service from gateway to validate and get token but here to avoid that I have directly used jwt logic in gateway that's why it's confusing for you
@@Javatechie but that rest call we are doing lately when all the checks are true before that. I am talking about that "if" condition in start (validator.isSecured.test(exchange.getRequest())) {
because in this condition we are checking /register and /token urls to bypass the token check and according to implementation when we will call register or token it would never land on Authentication Filter.
let me know if I am missing something still.
That's correct right. In the filter we had token validation logic right? So when i don't want to authenticate the user for the first time login then why do you want this to be delegated to filter what is the sense here ?
Let me know if I understand your concern correctly. If not please drop an email to javatechie4u@gmail.com
@@Javatechie no I dont want to authenticate for the first time.
I am just saying that, main if condition is of no use when we will call /register or /token , it does not matter if the condition is there or not.
Will email no problem
@@faixan13 okay simple things buddy remove those 2 url from validator don't bypass it and run your app then test . Hope you will get your point.
Awesome video Bhai.. much needed.. thanks a lot for the content shared. 🎉
Wonderful and clearly explained. I want just to know how to access authentication info (principal for example) and how to do authorization if needed in microservices
Please check the video below 👇 you will get an idea ruclips.net/video/qODoDq5_hAM/видео.html
@@Javatechie Thanks a lot
Wonderful. Thank you very much for sharing
thanks for giving us this much excellent content and awesome video
great job Sr. does it come with new spring boot verison
keep it up good work.
Thank you so much. Can you do a video share how to config authorization with JWT in microservices ?
Explained very well. My doubt is if there are 100s of microservices all the call will go through API gate way and the auth Service, how to handle API gateway or auth service failure ?
You need to handle it through DR . In microservice world 🌎 no guarantee of 0 downtime
@@Javatechie thanks
Nice work man, please implement the swegger this application which is used for api documentation, thanks in advance
You are super talented man.clear explanation .Thank you
13:44 Comienza a crear el proyecto identity-service (lo hace desde el Spring initializer de su IDE IntelliJ)
Thank you so much !!
But how can we restrict direct access to individual microservices
Only one way to avoid exposing them
My English is poor. Maybe you talked about this. I understood correctly that in a real project we do not need to create a method for validating tokens in the identity service, because validation needs to be implemented only in Spring Gateway?
We can keep it in the gateway that's what I did in this video but it's a bad practice because the key thumb rules of microservice is to segregate functionality to different modules so if I keep security and routing in the same application then it violates the principle isn't it?
Excellent work , but the website u use for getting the secret is not working any more . so people are suffering to get the secret and cant able to use the full potential of the work you have done here . pls give an alternative way to get secret from else where . i was suffering for a week for validating JWT and routing . this came as a life saver . Thanks much for a fablous work . i would like to do a donation . if u have any payment portal pls let me know .
Ohh is it , the last time I tried it works since these are open-source we can't predict from any website will check alternative and update in thread
Hi @@Javatechie , Appreciate you're reading the comments . if you make shorts for generating the secret please share the link here and the spring security video description .
why did you copy the code of "/validate" to gateway? It's useless now in the identity-service if you run this piece of code from the gateway
Rather than doing another rest call to identity service i have used it in gateway itself
@@Javatechie i get that, but if this was the goal all along, then why did we implement this in the id-service to begin with? I want to avoid duplicate code.
Your explanation is amazing. Learned lot of concepts with this practical example.
I have a request hope you would look into it. I need to integrate same service and gateway with AWS cognito as auth service. Possible to do one video on this. ?
Yes I will try that
Thanks for sharing ❤
But how can we authenticate based on role.
Here we can access the whole microservice but how can we access some end points of one microservice and other endpoint for another role.
since springboot 3.0 you dont have to do @EnableDiscoveryClient annotation. It is enough that dependency is defined in pom.xml
I haven't tried , will check and update you
Thank you for this wonderful video❤️❤️
really helpful, but I have a doubt, what if someone directly access the microservice url by bypassing the api gateway. how to handle that?
How does someone know your URL, if you are sharing then it strictly breaks the microservice contract
Excellent Work....Thank you
It was the best tutorial I found on this concept... Thank you sir... And one doubt for authorization we have to call the security service other wise we have to write the security code in Api Gate way itself these are the two possibilities otherwise is there any other best practice is there sir? ..... Open question question for all java developers out there thanks in advance
No these are the only 2 options if you are using your own security impl if you are using any third party like keyclok then it's not required
@@Javatechiethanks for responding ❤
Hey Basant, Once again you delivered nice content which we were looking since long time. I locally setup up and tried it working fine. I have a concern here
If user directly request to 'Swiggy App' or 'Restaurent Service' then he able to get all details without providing JWT token.
How secure these 2 apps if user directly send request?
Hi Rahim think practically why you will expose swiggy and restaurant microservice endpoints directly to the end user. If that is the case API gateway itself is no use right .
So we should only expose api gateway endpoints that is how we can force everyone to use gateway with token
@@Javatechie Hi that was a great explanation, but I have a question. Is there any way we can secure swiggy and restaurant microservice and use it in gateway as well?
Again we landed in the same context . If this is your requirement then you should avoid using gateway
@@Javatechie We can make secure swiggy and restuarent apps too.
Currently I am on similar kind of project where we secure each microservices app.
I will update here later.
@@rahimkhan-fh9dd Can you provide more details. It would be helpful. Thanks.
Hi Basant, Its really good explanation, I have one doubt, how should we handle @PreAuthorize in our microservices in case we are following this pattern.
Please do answer me , its really urgent for me.
Hello Shivansh , I am also not sure about your question if we will go with pre Authorize annotations then in every microservice we need to implement security but that's what is not advisable.i am looking into solution will update you once I find
@@Javatechie thanks
Great explanation, but you only cover authentication part dosnt cover authorization , can explain that
Hello Sir ,
In spring data mongodb one annotation is there @Encrypted , How can i use for Encryption with AWs KMS please make a video for this topic
One more , How to modify RequestBody, response body in Interceptor and pass to controller.
Okay i will do this
Thank you for this tutorial... Kudos
00:05 Triển khai Bảo mật dựa trên JWT trong microservice bằng Spring Cloud Gateway
07:12 Hai dịch vụ vi mô, Swiggi Service và dịch vụ nhà hàng, đang liên lạc với nhau thông qua API Gateway.
21:19 Cần phải viết một phương pháp để đăng ký người dùng, tạo mã thông báo và xác thực mã thông báo
28:07 Đã triển khai các điểm cuối xác thực và xác thực mã thông báo.
41:40 Xác định Dịch vụ chi tiết người dùng của riêng bạn để xác thực người dùng
48:42 Đã hoàn tất triển khai dịch vụ nhận dạng
1:02:00 Xác thực mã thông báo trong API Gateway
1:09:10 Triển khai logic xác thực mã thông báo JWT trong Cổng
1:22:07 Triển khai bảo mật microservice bằng xác thực JWT
Crafted by Merlin AI.
Hi Java Techie, Thanks, you have covered the Authentication part, if you could add Authorization part ,it would be great.
I am looking for this solution buddy will update shortly
@@Javatechie any update on that sir
No updates. I did postmortem in Google but didn't find any solution so far . Only one approach available where you need to create microservices specific to Role which is not a good practice
@@Javatechie ok thanks
Thanks for sharing the knowledge ❤
Why calling validate endpoint from auth-service(identity-service) was bad idea? I don't understand.
Hello Can I directly come to this video withOut watching your previous videos of springSecurity?
The best explanation
I didn’t understand the need of spring security dependency in identity service, ok you are using auth manager and user details service but it you are permitting all requests for them other then that req no req will come … tue validation of jwt token can be done only with jwt dependency.. correct me if i am wrong
superb clear video
Loved your explaination ❤❤❤❤
Thank you! but i have a question! is this enough in term of security in my application and how can i add more security layers
This is the way to implement in microservice but if you want more secure then better use 3rd party identity providers like okta or keyclok. I already uploaded a video of keyclok using microservice
Thanks for sharing this video.
I have one question. Do we need of validator.isSecure for endpoints /token, /register, /validateToken? I think no because we are not applying filter for IdentityService then obviously API Gateway will not use the filter. Please correct me I am wrong.
Yes it's required otherwise wise how can we bipass the request. Currently I am not calling identity service api but as per best practices it's good to do rest API call to validate the token hence above URL required to bypass
Thank you, Basant Bhai...
Loved the explanations!! But, how can i do a role based authentication, like admin and user for example? I've faced with this question and got stucked. I wonder if you can help me.
Great explanation but Authorization concept is missing, can you please add lecture for it as well.
love you bro you are helping so much
Let me ask you a question. If, for example, I try to access the restaurant service directly (giving the restaurant service port), that is, without going through Gateway, I will skip the validate token part, right? So the restaurant service isn't protected at all, is it?
Then what is the need of the API gateway buddy? If you will directly expose your microservice endpoints to users
@@Javatechie The point is, if a hacker knows the port of my services (for somehow), he can easily access them.
Do you get any solution regarding this
@@Javatechie then how disallow it...?....bcz if somebody knows our port...he can access it
Knowing only port how someone can access buddy? We shouldn't expose our microservice endpoints even though it's exposed then we need to implement cross origin so that if the request comes from only api gateway then only allow that.