I am looking for an optimal and effective solution for protecting several microservices that communicate via REST with a web client application.
Current setting:
These microservices are created in Java with the Spring Framework and run in Docker containers.
The client is an Angular 2 application.
I created a new μService, which will act as a “gateway” and become the only point of exchange between my web client and my other services.
I am extracting an encrypted JWT token from a remote authentication API (let it LOCK)
Solution I was thinking about:

I could save the JWT login in a cookie and send it to the gateway.
The gateway puts it into the final payload sent to the corresponding μService market and saves the user in the database if it is new.
Then the microservice receives the request, checks the role of the user in the remote authentication service, and if it is enough, it returns the status 200 with the result.
Edit
We will need to have a RabbitMQ broker in our bush μServices and, therefore, use WebSockets. To protect the WebSockets as well as the REST API, I'm not sure whether we should still manage security in the gateway or possibly manage it at the microservice level ourselves, because a lot of messages will go through and we need to get rid of middleware that would slow it down.
Questions
Is this a good practice? What can be done better? Do you have any example of what has been done to meet the same needs? Thank you very much for your actions and thoughts.
spring spring-security microservices
Alex
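An added example (not Alex's code, and not tied to Spring) of the check the gateway would run on the JWT before forwarding a request to a μService: it verifies the HS256 signature, pins the algorithm, checks expiry and then the role claim. It is written in Python because the logic is the same in any language; it assumes an HMAC secret shared between the remote authentication API and the gateway, and the secret, token, claim names and roles are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims, secret):
    """Stand-in for the remote authentication API: issue an HS256-signed token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def check_token(token, secret, required_role, now=None):
    """Gateway-side check run before a request is forwarded to a microservice.
    Returns ("ok", claims) on success, or (reason, None) on failure."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return ("malformed token", None)
    # Pin the algorithm to what the issuer uses; the token must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return ("unexpected alg", None)
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return ("bad signature", None)
    claims = json.loads(_b64url_decode(body_b64))  # trusted only after the signature check
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return ("expired or missing exp", None)
    if required_role not in claims.get("roles", []):
        return ("insufficient role", None)
    return ("ok", claims)

# Constructed samples: a secret shared by the auth API and the gateway, a valid
# token, and a token signed with a key the auth API does not hold.
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_TOKEN = mint_hs256({"sub": "alex", "roles": ["user"], "exp": 1_800_000_000}, SAMPLE_SECRET)
BAD_SIG_TOKEN = mint_hs256({"sub": "alex", "roles": ["admin"], "exp": 1_800_000_000}, b"other-key")
```

Because the gateway rejects bad signatures and expired tokens itself, the downstream μService only needs to decide on the roles the gateway has already validated, which is the split the question asks about.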