Reputation: 8922
I'm studying the micro-services architecture, and I have a question.
Admitting that I have multiple services on different hosts like the following:
My question is, when a user makes a request on the gateway, he sends an access token (stateless, OAuth 2.0, whatever), then the gateway asks the authentication service, and if the user exists and has permissions, he accesses the resources on another service.
That's okay, but what if I try to call the BillingService directly from his host? You can tell me that the port is closed, and I agree with that.
But does it mean that there are ports allowed only from a certain host to another? Meaning that the billing service on port 1234 is allowed only from the gateway machine?
Am I missing something?
Thanks in advance
Upvotes: 2
Views: 847
Reputation: 11992
The Billing service needs to protect itself. In this situation you cannot rely on network security alone. The way that the Billing service protects itself is by checking if the token/session is still active. This should not be done by business logic but should be done by the security framework you are using.
For example, in previous projects we have used CAS to protect our services. Here are the instructions for adding CAS Filters to your Servlet container. So to protect my services I just include those filters in my web.xml and the appropriate jar files. Those CAS filters will intercept each request and verify that the token/session is active and that the user is logged in. You might not be using CAS but the approach should be similar. Hopefully you will not have to write custom code to inspect the HTTP request and verify that it has the appropriate active token/session in your Billing service.
Upvotes: 3
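As an added example (not from the answer above and not CAS code), the same idea as a Go net/http middleware: the Billing service checks every request's token against the authentication service before any business handler runs, so a caller that bypasses the gateway and reaches the port directly is refused just the same. The Introspector interface, MemIntrospector, the sample token and the port are constructed assumptions for this example.

```go
package main

import (
	"net/http"
	"strings"
)

// Introspector reports whether a bearer token is still active and who owns it. In
// production it would call the authentication service (for example an RFC 7662
// token introspection endpoint); it is an interface here so the example runs offline.
type Introspector interface {
	Introspect(token string) (subject string, active bool)
}

// RequireActiveToken is the filter: every request, whether it arrives via the
// gateway or directly from another host, must carry a currently active token.
func RequireActiveToken(auth Introspector, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		subject, active := auth.Introspect(strings.TrimSpace(h[len("Bearer "):]))
		if !active {
			http.Error(w, "token inactive or unknown", http.StatusUnauthorized)
			return
		}
		// Overwrite, never trust, any caller-supplied identity header.
		r.Header.Set("X-Authenticated-Subject", subject)
		next.ServeHTTP(w, r)
	})
}

// MemIntrospector is a constructed in-memory stand-in for the authentication service.
type MemIntrospector map[string]string // token -> subject

func (m MemIntrospector) Introspect(token string) (string, bool) {
	subject, ok := m[token]
	return subject, ok
}

// Invoice is the business handler; it never sees a request that was not authenticated.
func Invoice(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("invoice for " + r.Header.Get("X-Authenticated-Subject")))
}

func main() {
	auth := MemIntrospector{"tok-active-123": "alice"} // constructed sample token
	panic(http.ListenAndServe(":1234", RequireActiveToken(auth, http.HandlerFunc(Invoice))))
}
```

Network rules such as "port 1234 only from the gateway host" remain useful as defence in depth, but with this filter in place they are no longer the only thing standing between a direct caller and the billing data.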