Spring boot micro services rest API security - rest

Am newbie to spring boot micro services. I have 3 micro service that are
1. Login authentication
2. User service
3. Account service.
4. UI Service
UI Service contains UI part this micro service will calls other API's. First 3 services should validate every rest api calls. I need to implement security for rest api calls that need to be global and shared across all micro services. What would be the best approach without using oauth. Because OAuth need server. Hence without this is there any way to achieve this. I googled and not getting clear view. how to resolve this

Usally you use a JWT Token. Have a look here:
https://www.toptal.com/java/rest-security-with-jwt-spring-security-and-java

Related

SAP SSO Authentication as a rest service

I have a legacy SAP Java application hosted on neo platform which uses form based SSO authentication. I want to consume this service from rest client like Postman which is not possible right now. What options do I have?
Is it possible that I write a service on top of the current service and call the "original" service. But again, How do I pass the SSO credentials to the "original" service

how to secure API with mod_auth_openidc

I have 3 applications
old JSP based java app
Spring Boot webapp
SPA
5 java micro services REST API built using Spring Boot
I need to secure all of them at the same time. I have picked keycloak as it seemed like a good idea. As we are using Apache for reverse proxy. We have picked mod_auth_openidc to limit access to services at reverse proxy level.
We have built Extensions for Spring Webapp and old JSP app to use headers provided by mod_auth_openidc to handle active users and aithentication.
At this point now we have run into the issue that the we also secured the APIs using mod_auth_openidc headers. Although this has a serious drawback as APIs can not talk to each other just using JWT tokens as the reverse proxy needs them to be authenticated.
Should we secure the APIs using JWT only instead ?
Any mod_auth_openidc guru knows the best approach to this scenario?
I need the REST API to be able to talk to each other without any user interaction. E.g. only using tokens.
Our webapps ( JSP and SPA ) are always fully secured e.g. the user has to be logged in to access any part of it.
I would appreciate any suggestions.
Thanks

How to secure REST APIs in Spring Boot web application?

I have two Spring Boot web applications. Both applications have different databases and different sets of users. Also, both applications use Spring Security for authentication and authorisation which works properly.
At any given point I will have one instance of the first application running and multiple instances of the 2nd web application running.
I want to expose REST APIs from 1st web application (one instance running) and be able to use that REST APIs from 2nd web application (multiple instances running).
How do I make sure that REST APIs can be accessed securely with proper authentication and by instances of the 2nd applications only.
If you could change your security, I would recommend you to use OAUTH2. Basically it generates a token that is used in your APP2 instances to make the API calls.
You can see more here.
https://spring.io/guides/tutorials/spring-boot-oauth2/
http://websystique.com/spring-security/secure-spring-rest-api-using-oauth2/
But if you can't change your APP's security, you can continue using your current schema. In the APP1 you can create an user for the API calls, this user only has access to the API services. In your APP2 you need to store the credentials to access the APP1. Finally you do login into APP1 and invoke the API using HTTP client, you can use Spring RestTemplate or Apache HttpComponents Client.
SSL based authentication could be an option, if you seriously thinking about the security aspects.
Assume that you REST api exposed by App 1 is over HTTPs, then you can configure the App 1 to ask the client to give their SSL/TLS certificate when they try to access this REST API (exposed by App 1).
This will help us identify that the client is indeed a client from app 2.
Two More Cents:
In case if your App 1 REST API calls needs load balancing, NGINX should be your chose. The SSL client certificate based authentication can be offloaded to NGINX and Your Spring boot app no more worry about the SSL related configurations.
The solution we went with was to secure both using an OAuth2 client_credentials workflow. That is the OAuth2 flow where clients request a token on behalf of themselves, not a calling User.
Check out Spring Cloud Security
1) Secure your services using #EnableResourceServer
#SpringBootApplication
#EnableResourceServer
public class Application ...
2) Make calls from one service to another using an OAuth2RestTemplate
Check out Resource Server Token Relay in http://cloud.spring.io/spring-cloud-security/spring-cloud-security.html which will specify how to configure an Oauth2RestTemplate to forward on security context details (token) from one service to another.
3) Service A and Service B should be able to communicate using these techniques if they are configured using the same Oauth2 Client and Secret. This will be configured in the applications' application.properties file, hopefully injected by the environment. Oauth2 Scopes can be used as role identifiers. You could therefore say that only a Client with Scopes (api-read, api-write) should have access to Endpoint A in Service A. This is configurable using Spring Security's Authorization configuration as well as #EnableGlobalMethodSecurity

Bluemix API Management, secure the API implementation

I want to expose a REST-ful service as an API to the outside world on Bluemix Public. Therefore I have a liberty app, containing a REST service implemented in JAX-RS.
Additionally I leverage the "API Management Service" to secure that app, via Plans, Authentication etc. So thanks to the API Management Gateway I have a secure proxy to my service exposed.
Yet, the app that provides my service remains accessible to the outside via the Bluemix route. So, it can be called without any credentials or whatsoever.
Is there a way, to only have my API Management gateway access the service implementation app?
One approach would be to delete the route of the service implementing app, but how would you then bind the API Management to the service?
Happy to hear your thoughts or alternative solutions.
If your API is running on Bluemix Public as a Cloud Foundry application, there is currently not a way to create a route such that it is only accessible by the API management service, but not the the outside world. You should implement security within your jax-rs application (easy to with web.xml security-constraint) and add those credentials to APIm service if you still want to use APIm to get monitoring, throttling, discovery, etc.
Another option would be to deploy the application in a VM and then use Secure Gateway to connect to it:
https://github.com/IBM-Bluemix/onprem-integration-demo

Securing Spring boot Rest services with CAS

Friends,
Recently I have created one web-services application using spring-boot and now its having few unsecured entry points. (This is a pure rest based application having only rest entry points doesn't have any UI components).
Now I would like to add CAS client with this application for securing the rest entry points.
My CAS server is ready and its up and running. And I have configured CAS Rest protocol as well in my cas server to access TGT/ST through rest call and I'm in the planning of using only the rest call rather than using login pages.
So, when an user tries to access my rest application, I'm going to call CAS rest entry points internally (by using restTemplate) to validate user credentials and generating TGT and ST.
Available CAS entry points are (from jasig reference docs),
POST /cas/v1/tickets HTTP/1.0
username=battags&password=password&additionalParam1=paramvalue
POST /cas/v1/tickets/{TGT id} HTTP/1.0
service={form encoded parameter for the service url}
DELETE /cas/v1/tickets/TGT-fdsjfsdfjkalfewrihfdhfaie HTTP/1.0
I think, I'm little clear on this part. Please correct me if I'm wrong.
And now my query here is, what should I do to add a ST ticket validator in my spring boot application? Do I need to add any filters using spring-security? Or do I need to call any other rest api for validating the ST? Please guide me to proceed further.
You can use existing Spring boot cas starter:
cas security spring boot starter
cas client autoconfig support
That will configure for you and magically your spring boot app with CAS authentication (and thus your application will be able to read ST or PT without effort).
I'm author of cas security spring boot starter, so I won't influence your choice but main difference from that project and cas client autoconfig support developed by Unicon is about Spring security integration.
Indeed cas security spring boot starter is fully compliant with spring security, thus you will be able to use any feature you know from spring security. Whereas cas client autoconfig support will instantiate and configure Apereo (Jasig) filters that is not designed to work out of box with Spring security.
You don't need a service ticket unless you want to call another service from your web service. Validating the received credentials via the CAS REST API is enough.
If you are looking for a security library to protect your web service via the CAS REST API, you should give a try to: https://github.com/pac4j/spring-webmvc-pac4j and especially this configuration: https://github.com/pac4j/spring-webmvc-pac4j-demo/blob/master/src/main/webapp/WEB-INF/demo-servlet.xml#L74