
JHipster: How to make secure calls to microservices from UAA server with unauthenticated user

Dear StackOverflow Community,

I found that someone else already asked something similar to my problem here but didn't receive any good answers.

I want to create an entity on microservice A as soon as a User gets activated on the UAA server (when activateAccount() is called in the AccountResource). At this point the user is not authenticated and therefore I'm not able to use an AuthenticatedFeignClient, as I would on other microservices. When I disable authentication on microservice A and use a FeignClient as described in the JHipster Docs, it works as expected, but I don't want to leave the endpoint reachable from the outside. Is there a way to let the UAA server authenticate itself or only allow the UAA server to access this specific endpoint in microservice A's API?

Edit:

I finally got it to work by using AuthenticatedFeignClient. I simply copied the client package and FeignConfiguration from the microservice to the uaa server and changed the security settings in application-dev.yml and application-prod.yml as follows:

security:
    client-authorization:
        access-token-uri: uaa/oauth/token
        token-service-id: uaa
        client-id: internal
        client-secret: internal

Despite you having already found the correct solution, I should quickly explain why this is correct.

JHipster UAA supports two different authorization flows: user-to-service and service-to-service. The first one is the most commonly used. This is when you want to control what a user is permitted to do in your application.

A service-to-service call doesn't involve any user-related concern, as it is not the user who is "logging in" but your microservice itself. That's why you should add the config.

The stuff with copying the annotation interface from other apps into UAA is a little bad design. I'm considering moving these annotations from generated code into the JHipster library to solve this.

I found what the problem was regarding authentication and authorization between microservices; it took me three days to figure out how to solve it. I was using the @AuthorizedFeignClient annotation and, since I'm protecting the API resource using @PreAuthorize("hasRole(\"" + AuthoritiesConstants.USER + "\")"), I was not able to reach it through a Feign client: @AuthorizedFeignClient just verifies whether the resource is authenticated or not (see config/SecurityConfiguration.java), but it wouldn't be able to reach the endpoint because the resource I wanted to reach has another security layer, namely that it is protected by role (@PreAuthorize). So, in these cases we need to use @AuthorizedUserFeignClient instead of @AuthorizedFeignClient.

The use of @AuthorizedUserFeignClient has not been documented by JHipster yet, and it would be a good idea to do so, see: https://www.jhipster.tech/using-uaa/#inter-service-communication

I hope this helps other people who have this kind of problem with inter-service communication.
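To make the two answers concrete, here is an added example that is not code from the original post nor JHipster's own generated code. It shows both halves of the service-to-service flow described above: the UAA side calling microservice A with a client-credentials token through @AuthorizedFeignClient, and the microservice A side restricting the target endpoint so that only a client-only token (no user, which is exactly what the "internal" client from the security.client-authorization config obtains) can reach it, while user tokens coming through the gateway are rejected. The service name "microservicea", the endpoint path /api/internal/profiles, the ProfileClient interface, the ProfileDTO class and the injection into AccountResource are assumptions made for the example; the @AuthorizedFeignClient annotation is assumed to have been copied into the UAA server as the question describes, and the #oauth2.isClient() web-security expression is the one provided by Spring Security OAuth2's resource-server support that JHipster UAA builds on.

```java
// Added example (not from the original post or the JHipster project).
// Assumed names: service id "microservicea", endpoint /api/internal/profiles,
// ProfileClient, ProfileDTO. Each "----" section is a separate source file.

// ---- UAA server: com/mycompany/myapp/client/ProfileClient.java ----
package com.mycompany.myapp.client;

import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

// @AuthorizedFeignClient (copied into the UAA server, as in the question) adds a
// client_credentials token fetched with security.client-authorization (client-id
// "internal"). That token carries no user and therefore no ROLE_USER authority,
// which is why a hasRole(USER) @PreAuthorize on the target rejects it.
@AuthorizedFeignClient(name = "microservicea")
public interface ProfileClient {

    // Hypothetical endpoint on microservice A that creates the per-user entity.
    @PostMapping("/api/internal/profiles")
    ProfileDTO createProfile(@RequestBody ProfileDTO profile);
}

// ---- shared DTO (hypothetical): com/mycompany/myapp/client/ProfileDTO.java ----
package com.mycompany.myapp.client;

public class ProfileDTO {
    private String login;

    public ProfileDTO() {}

    public ProfileDTO(String login) { this.login = login; }

    public String getLogin() { return login; }

    public void setLogin(String login) { this.login = login; }
}

// ---- UAA server: call site inside AccountResource (sketch of the activation step) ----
// The generated activateAccount() body varies by JHipster version; only the added
// call at the end is the point. ProfileClient is constructor-injected (assumption).
//
//   @GetMapping("/activate")
//   public void activateAccount(@RequestParam(value = "key") String key) {
//       Optional<User> user = userService.activateRegistration(key);
//       if (!user.isPresent()) {
//           throw new InternalServerErrorException("No user was found for this activation key");
//       }
//       // Service-to-service call: the UAA server authenticates itself, not the user.
//       profileClient.createProfile(new ProfileDTO(user.get().getLogin()));
//   }

// ---- Microservice A: com/mycompany/myapp/config/SecurityConfiguration.java (excerpt) ----
package com.mycompany.myapp.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class SecurityConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            // Most specific rule first: matchers are evaluated in order. Only a
            // client-only token (client_credentials grant, no user behind it) may
            // call the internal endpoint; a user's token forwarded by the gateway
            // gets 403 here, so the endpoint is no longer reachable "from the outside".
            .antMatchers("/api/internal/**").access("#oauth2.isClient()")
            // Everything else under /api keeps the usual rule: any valid token.
            .antMatchers("/api/**").authenticated();
    }
}
```

Two points worth checking in a real deployment: the "internal"/"internal" client id and secret from the question's YAML are the development defaults, so the secret must be replaced per environment (it is effectively the credential that gates /api/internal/**), and if several services hold client credentials, #oauth2.isClient() alone does not distinguish between them; assign the internal client its own authority in the UAA client registration and use #oauth2.clientHasRole('...') instead to pin the endpoint to that one client.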
