We are implementing microservices with JHipster and we have a scenario where we need a specific resource in one of our microservices to be available via Gateway without the need for authorization/authentication.
What sort of configuration should be done in the microservice app or gateway in order to achieve such behavior?
You need to give access to the resource on that microservice, so the resource is accessible from the gateway without authentication.
In you microservice, edit SecuritConfiguration exclude service from .antMatchers("/api/**").authenticated() and add ,for example, .antMatchers("/api/service1").permitAll() line before that.
Related
I'm creating AKS cluster, and I want to use API gateway (Ocelot ) to route, and authenticate requests towards containers(microservices) behind the gateway. My question is how to achieve this? I know I must deploy ocelot API gateway inside node, but I don't know how will I configure all traffic to go through API gateway. Can't find an example or directions that could help me. What steps do I need to take? Or is there maybe a better way of accomplishing the desired scenario?
If you use Ocelot as an API Gateway, you must create a .NET project with a configuration file for the routes you want to use. You then deploy this with a Deployment inside your cluster along with the containers running your APIs and front your API Gateway with a ClusterIP service. At this point, you should test internally if the calls are routed properly from the ClusterIP to the API Gateway and to your APIs. You can then expose your API Gateway on the Internet using either a Load Balancer service, an Ingress controller or Azure Application Gateway.
Another way is not to use an Ocelot API Gateway at all by using an Ingress controller and configuring the routes directly in it.
I've setup a POC with the following components:
JHipster registry
JHipster API gateway
2 JHipster microservices
The communication works very well between these components.
Another requirement of my POC is to register an legacy webservice(SOAP or REST not developed with JHipster) in the JHipster gateway.
Is it possible?
I would want to use the API Gateway as a unique entry point for all the clients(external and internal)to access all the webservices of my company.
Thank you.
Two important criteria are service discovery and security.
For service discovery, JHipster offers 2 options: JHipster Registry (Eureka) and HashiCorp Consul. Consul is better suited for legacy apps as it is less invasive because you can use DNS resolution and templates and a sidecar proxy approach.
For security, legacy apps should be able to consume authentication tokens to apply authorizations.
I created a microservice project with a gateway & stuff, and I've some interrogation on one of the gateway spring property.
I've this one on my gateway's application-dev.yml (also prod):
jhipster:
gateway:
authorized-microservices-endpoints:
app1: /api,/v2/api-docs
I'm suspecting that the 'app1' shall be replaced by one or all my microservices (and maybe the UAA one too), but I don't know what it does.
Any description or insight on it?
Regards,
The jhipster.gateway.authorized-microservices-endpoints config variable controls access to your microservices when requested through the gateway. In the case of the example, only /api (API endpoints) and /v2/api-docs (Swagger docs) are accessible through the gateway for the app1 microservice.
This means if you try to request an API mapping that is not present in the list (such as an actuator endpoint http://gateway:8080/app1/management/info) it will fail. You can still make the request directly to the microservice if you needed to.
By default, all paths are open to any microservice. To secure your apps, you will need to add your microservices to the list and set the accessible endpoints.
In summary, this config lets you reduce the attack surface of your microservices. Here's a link to the related JHipster issue where this was added. You can also find details in JHipster's Gateway documentation.
We are splitting rest api monolith into microservices and we encountered following issue
Let us assume the following
project is asp.net mvc, hosted on iis
project is hosted on dedicated server (not a cloud)
monolith rest api had urls defined such as www.domain.com/orders/ www.domain.com/tickets/ etc
When splitting monolith to microservice, ideal situation would be that we end up with
ms1 -> www.domain.com/orders/
ms2 -> www.domain.com/tickets/
Since microservices do not usually correlate with resources this could get messy, for example one microservice could serve more then one resource, or on resource could be served by more then one microservice.
fe.
www.domain.com/tickets/ (ms1)
www.domain.com/tickets/reports (ms2)
or
www.domain.com/tickets (ms1)
www.domain.com/orders (ms1)
What would be solution for this?
Use IIS rewrite to match resource with microservice
fe. GET www.domain.com/tickets/5 via iis rewrite to call -> ticketsms.domain.com/tickets/5
Use API gateway to route request to proper microservice endpoint
fe.
GET www.domain.com/tickets/5 via API gateway to call -> ticketsms.domain.com/tickets/5
So basically the primary goal is to have full rest api apear like
GET www.domain.com/tickets/5
GET www.domain.com/orders/5
POST www.domain.com/orders/
GET www.domain.com/invoices/100
etc
So are iis rewrite and api gateway are the only two options here?
Should microservices be exposed directly to the clients, or should they go trought API gateway. Is API gateway overkill in this scenario?
The API gateway definitely adds value - what you split is your implementation into smaller units (the microservices) - it allows you to manage, monitor and govern the API interfaces centrally as a single unit, separately from the implementation(s).
Exposing individual microservice endpoints might not be easy to manage - for instance, you would need to apply access control policies separately to each.
I have setup my Jhipster Uaa server, gateways and others micro services and i want to use #AuthorizedFeignClient annotation for inter-service-communication as well explained here : https://jhipster.github.io/using-uaa/
But i cannot find it into the java source generated(Jhispter Release 3.11.0).
Did i have to copy manually in my project this only 2 classes found in jhispter github generator for the moment ? (because still in beta ?) :
.../client/_AuthorizedFeignClient.java
and
.../client/_OAuth2InterceptedFeignConfiguration.java
Thanks,
Francois
currently the #AuthorizedFeignClient annotation is only available for microservice applications using UAA as authentication type, but not for gateways and UAA server itself!
I guess you were looking for the annoation in the gateway, or the the UAA server.
Why is this like this? For the gateway it is because the gateway already has a couple of responsibilities, so building composite logic in there is not a good idea.
If you generate a microservice (not gateway, not uaa server), you should have the client package in your Java root with this annoatation, as well as some more configurations (feign client config, load balanced resource details...)
You can copy those to your gateway, to make it working there.
You can copy them to the UAA, too. More on that, this even will work, but with some weird fact...when UAA will ask service "foo" for some data, it will first ask the UAA for a client credentials authentication....like performing a query to itself...while it could just access grant it itself. There is no accurate way to do it, but I didn't want to keep it in this uncool way in JHipster, so the annotation is for microservice only.