Gustav Gans

Reputation: 11

Spring Boot Secured Rest API

I am currently trying to understand the concept of secured microservices and want to use Spring Boot and Spring Security.

Frontend: login via oauth2 provider + token retrieval.

REST-API: request with token in header + token validation + return myListOfinterestingThings()

I thought the Security 5 library is a nice tool to implement this approach. This is the example I tried, but I don't know how to ensure that my REST-API doesn't redirect to the login page.

Do I need to rely on a custom filter that I have to implement? I thought the "magic" of Spring Boot and Security 5 would be strong enough :D

https://github.com/oktadeveloper/okta-spring-security-5-example

Upvotes: 1

Views: 595

Answers (2)

Armen Arzumanyan

Reputation: 2043

You should use JWT-based stateless security. Simple flow: after login, the AUTH microservice must return a JWT token with user credentials. After that, with each request the frontend must send this token back. The order service should call the AUTH service every time and verify the token. After each login the token must be re-generated. No microservice remembers state. Everything must be reconstructed after each request. No logout.

Upvotes: 1

Srikanthkumar

Reputation: 69

You could do it in many ways. Using Spring Security, you could implement WebMvcConfigurer and configure how your resources are protected. But this is not an ideal implementation for a microservice. If your intent is to protect APIs but not provide login, you could go for JWT. With JWT, the token is provided by the application or API that generates it, and it may consist of user details, roles and the validity of the token. And in your services, you could use these JWT tokens to authenticate and authorise your APIs.

Upvotes: 1
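
An added example, not part of the original thread or of the linked Okta project: one way to make the REST API validate a bearer token and answer 401 instead of redirecting to a login page is to configure it as a Spring Security 5 resource server rather than an OAuth2 login client. It assumes Spring Boot 2.1+ with spring-boot-starter-oauth2-resource-server on the classpath and spring.security.oauth2.resourceserver.jwt.issuer-uri set to your provider's issuer; the class names and the /things path are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical configuration class for the API service only (no oauth2Login()).
@Configuration
@EnableWebSecurity
class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Never create or read an HTTP session: every request must carry its own token.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Every endpoint requires an authenticated caller.
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // Validate "Authorization: Bearer <jwt>" against the issuer's published keys.
            // Without oauth2Login() or formLogin(), a missing or invalid token yields
            // 401 with a WWW-Authenticate: Bearer header, not a redirect.
            .oauth2ResourceServer().jwt();
    }
}

// Hypothetical controller standing in for the question's myListOfinterestingThings().
@RestController
class ThingsController {

    @GetMapping("/things")
    List<String> myListOfInterestingThings(@AuthenticationPrincipal Jwt jwt) {
        // The validated token is injected; its claims identify the caller.
        return Arrays.asList("thing-for-" + jwt.getSubject());
    }
}
```

Signature, expiry and issuer are checked locally from the keys the issuer publishes, so the service does not need a custom filter for token validation.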
