Tutorial. Spring Cloud API Gateway security with JSON Web Tokens

Would you like to enhance your software security? In this video tutorial, ORIL's Lead Software Engineer, Ihor Kosandiak, shows you how to secure a microservices architecture with JSON Web Tokens (JWT). You'll learn how to implement a token authentication mechanism to authorize and verify users in the system.

For this tutorial, we use Java 11, Spring Boot, Spring Cloud, JWT, Maven, macOS, and IntelliJ IDEA.

0:00 Intro
0:18 Project setup: Root module and Discovery service
2:21 Config service module
4:33 Fetch connection data from Git
5:55 Create Auth service module
7:28 JWT builder implementation
10:39 Auth service functionality
15:31 User service module
19:25 API Gateway service configuration
24:43 Filter implementation
26:17 Clearing things up, preparation for starting up the services
26:52 Postman request test one
29:07 Postman request test two

#development #softwaredevelopment #tutorial #java #springboot #Springcloud #APIGateway #security
Comments

This video is a tutorial that briefly explains the key parts, and it is very useful.
Thank you very much.

ofziton

Kudos to Ihor for another fantastic tutorial

oksankamelnyk

Thanks for the clean and short tutorial. I am developing my project by following your instructions. I have one question here: if I want to get the authenticated username in the /secured API, how will I get that?

shahriarmiraj

Thanks for the tutorial. Where would my user database be located to validate it at the time of registration? In user-service or auth-service?

nicholasboari

Thank you for the awesome tutorial. It's really helpful.
Please stop the background music in future videos 🙂

RN-jozt

Is this the right approach to application security? Can a user directly call services (e.g., user-service "/secured") and bypass token verification? How would roles and scopes work in this approach? Should role and scope checks also be performed in the API gateway?

NikitaPorshennikov

Thank you so much, but can you tell me how to write an open endpoint for a pattern like /product/{id}?

meoconhoccode

Thank you for the awesome tutorial. It was very clean and briefly explained.

I have two questions. If we need to call another service using a Feign client, how should we pass the token? I implemented a Feign client request interceptor to add the token to the header before each request. Is that good practice or not? Also, if we need to communicate between microservices without user interaction, what should we do? Can we get a token from the auth service for internal requests with no user interaction? Thank you so much ❤


So you don't use the Spring Security starter dependency, or any security dependency at all?

xsztamurda

How can I create a filter for each service? Because I don't want to do all the JWT service on each microservice.

nicolaubr

Thanks @oril. I have one issue: how to deal with a CORS error from the frontend while accessing the API gateway?

rashadbs

Let's say my endpoint securityConfig class in the Authentication Service has a configuration like "ep-1/**" hasRole("SaleMan"). Then how does the gateway service know about the "ep-1/**" hasRole("SaleMan") configuration to intercept the request?

anhucnguyen

This is an insightful tutorial.

Although, the security setup in the tutorial does not seem to protect the microservices themselves. If you access the endpoints in user-service directly, responses are successfully returned. If anyone has a solution to this, I would be glad if you shared it!

collinstamaletalemwa

Hi. I'm really glad to have such a helpful course as this. However, while following the video, I'm encountering a case: when making an API request, I only need to tick the Authorization key in the header, but I leave the value part empty, without a token value, and it still passes through securely. Can you help me resolve this issue? I'm extremely grateful.

quangvan
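
The empty-value case described in the comment above comes from a filter that checks only for the presence of the Authorization header. As an added example (not the tutorial's code, and not the author's), the following Spring Cloud Gateway global filter rejects an absent, empty or non-Bearer header exactly as it rejects a bad signature, and forwards the verified subject to downstream services in a header, which also answers the earlier question of how a service learns the authenticated username. The class name, the X-Auth-User header, the jjwt library and the hard-coded secret are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;

@Component
public class JwtAuthGlobalFilter implements GlobalFilter {

    private static final String BEARER = "Bearer ";
    // Hypothetical secret for illustration only; load it from the config service in practice.
    private static final String SECRET = "change-me-to-a-random-secret-of-at-least-32-bytes";
    private final Key key = Keys.hmacShaKeyFor(SECRET.getBytes(StandardCharsets.UTF_8));

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        // Absent header, empty value, wrong scheme, or "Bearer " with nothing after it: all rejected.
        if (header == null || !header.startsWith(BEARER) || header.substring(BEARER.length()).isBlank()) {
            return reject(exchange);
        }
        String token = header.substring(BEARER.length()).trim();
        try {
            // parseClaimsJws verifies the HMAC signature and expiry; any failure throws JwtException.
            Claims claims = Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(token).getBody();
            // set() overwrites any X-Auth-User value a client may have sent, so services see only ours.
            ServerWebExchange mutated = exchange.mutate()
                    .request(r -> r.headers(h -> h.set("X-Auth-User", claims.getSubject())))
                    .build();
            return chain.filter(mutated);
        } catch (JwtException | IllegalArgumentException e) {
            return reject(exchange);
        }
    }

    private Mono<Void> reject(ServerWebExchange exchange) {
        exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
        return exchange.getResponse().setComplete();
    }
}
```

Downstream services can trust X-Auth-User only if they are reachable solely through the gateway (network policy or service-to-service authentication), which is the gap the later comment about calling user-service directly points out.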

Great video, thanks! Do you have a GitHub link to this project?

p

Can you tell me how to get user info in a service?

meoconhoccode

So, in the case of data exchange between microservices, is it okay that we have code duplication? People write that moving shared DTOs into a separate library and including it in different microservices is not okay, that it will be a nightmare. And I don't know what the better way to proceed is.

xbdvewj

Very useful tutorial, thank you.
I have a question regarding the implementation of the BFF pattern using a (React, Angular...) app and Spring Cloud Gateway + (Keycloak or Spring Authorization Server). When I follow the authorization_code grant type, hitting the gateway routes from the browser redirects me to the auth server; I get authenticated and then the request goes back to the gateway, which stores the tokens (in memory, Redis, DB, etc.). Then the request goes to the resource server with an auth token and I can get a response and a session ID (no tokens in the browser).
However, for some reason, when I send a request from the React app to the gateway, the chain stops working and the auth server redirects me to its root /, instead of redirecting to the Spring gateway. It would be really amazing if you could share some insights about the BFF pattern; there aren't many examples about this.

emersontavera

Great video, but I have a question: If a user has dual roles as both a customer and an employee, and the customer sends a request with an authenticated token to access a resource associated with the employee, how can the API gateway differentiate permissions and allocate resources accordingly?

phucthinhnguyen