Mohammed Housseyn Taleb

Reputation: 1828

Is there any Spring boot Security specific solution to my needs?

I started using Spring 4 months ago. I want to try every idea I get, and now I want to know whether what I'm trying to do is possible and, if so, whether there is a specific security mechanism that I'm not yet aware of.

I successfully implemented a secured API that has authentication and authorization using basic auth with SSL enabled. This API handles CRUD operations for pizza fabrication with its ingredients.

Now I want to create another API that will handle billing of pizzas, so this API is going to use the previous one.

This reuse principle got my attention: is it possible to implement a security mechanism in my second API that asks my first one whether my current user is logged in?

The scenario in my head looks like this:

  1. User authentication and authorization in the pizza API.
  2. User asks the bill API to get a bill for a pizza (some request with headers ...).
  3. The bill API asks the pizza API whether the request source is already authenticated.
  4. The pizza API answers whether it is authenticated or not.
  5. The bill API stores the authentication state in memory.

From googling I'm not sure whether Spring Security token-based authentication is a solution.

NB: I'm using only HTTP requests; there is no form or front end.

Upvotes: 0

Views: 32

Answers (1)

fg78nc

Reputation: 5232

A high-level overview of the solution would be as follows:

  1. Establish an OAuth2 server and a Zuul gateway.
  2. Service "A" authenticates against the OAuth2 authentication server and calls service "B"'s REST endpoint via the Zuul gateway (i.e. Zuul proxies the call to service "B") with the OAuth2 token stored in the session, adding the OAuth2 token in the HTTP "Authorization" header of the request.
  3. Zuul looks up service "B"'s endpoint, propagates service "A"'s OAuth2 token using its filter by inspecting the headers, and forwards the call with the same token in the "Authorization" header.
  4. Service "B", which is the protected resource, receives the request, inspects the headers and validates the received token against the OAuth2 server.

You can also let Zuul automatically propagate OAuth2 access tokens further and authorize incoming requests against the OAuth2 service by using the @EnableOAuth2Sso annotation.
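Steps 3 and 4 above, written out as an added example that is not the answerer's code: a Zuul "pre" filter on the gateway that relays the caller's bearer token to the proxied request, and a resource-server configuration for the bill service (service "B") that validates every token against the OAuth2 server's check_token endpoint rather than caching a "logged in" flag of its own. The class names, the check_token URL and the client credentials are assumed placeholders; the two classes belong to the gateway project and the service "B" project respectively and are shown in one listing only for brevity.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.stereotype.Component;

// Gateway project: runs before routing and copies the caller's bearer token onto the
// request that Zuul forwards to service "B". Only a bearer token is relayed; a request
// without one reaches "B" unauthenticated and is rejected there.
@Component
class TokenRelayFilter extends ZuulFilter {
    @Override public String filterType() { return "pre"; }
    @Override public int filterOrder() { return 1; }
    @Override public boolean shouldFilter() { return true; }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest req = ctx.getRequest();
        String auth = req.getHeader("Authorization");
        if (auth != null && auth.startsWith("Bearer ")) {
            ctx.addZuulRequestHeader("Authorization", auth);
        }
        return null; // Zuul ignores the return value of run()
    }
}

// Service "B" project: every incoming token is checked with the OAuth2 server, so an
// expired or revoked token is refused on the next call instead of surviving in memory.
@Configuration
@EnableResourceServer
class BillResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Bean
    public RemoteTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("https://auth.example/oauth/check_token"); // assumed URL
        services.setClientId("bill-service");   // placeholder credentials of the bill API
        services.setClientSecret("bill-secret"); // placeholder; load from config in practice
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("bill").tokenServices(tokenServices());
    }
    // The adapter's default configure(HttpSecurity) already requires authentication on every endpoint.
}
```

Because "B" re-validates on each request, the in-memory authentication state from step 5 of the question is unnecessary; the gateway-to-"B" hop should still be served over TLS so the relayed token is not exposed in transit.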

Upvotes: 1
