how to implement role-based security in microservices architecture [closed]

Answer 1

Question is wide at the moment as the nature of the traffic to your microservices is not clear.

• Assuming that all external traffic coming via your API gateway to your microservices.

  • You don't need to validate the JWT twice once in API gateway and then again in your internal microservice. If the JWT is invalid , the request will never reach your microservice
  • Then API gateway propagate the roles. In your microservice, you initialise the spring security context using the roles passed in the header. It will allow you to use @PreAuthorize etc

• Assuming that external traffic can come via your API gateway as well as directly to your microservices.

  • Now you need to verify it in both API gateway and in your microservices

Update

• I don't have knowledge about Zuul API gateway. This is just addressing the following:

I have tried to use @PreAuthorize but it's not working out of the gateway (obviously in order to make it work I have to set a Spring Security authentication object in the SecurityContextHolder in my microservices and populate it with authorities).

    public class PreAuthenticatedUserRoleHeaderFilter 
        extends GenericFilterBean {

    public void doFilter(ServletRequest servletRequest, 
                         ServletResponse servletResponse,
                         FilterChain chain) 
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String rolesString = //extract the roles
        String userName = // extract the username

        List authorities 
           = AuthorityUtils.commaSeparatedStringToAuthorityList(rolesString);


        PreAuthenticatedAuthenticationToken authentication 
                = new PreAuthenticatedAuthenticationToken(
                                    userName, null, authorities);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        chain.doFilter(servletRequest, servletResponse);
    }
}

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, 
        jsr250Enabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        PreAuthenticatedUserRoleHeaderFilter authFilter
                = new PreAuthenticatedUserRoleHeaderFilter();
        http.
                antMatcher("/**")
                .csrf()
                .disable()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .addFilterBefore(authFilter, 
                                 BasicAuthenticationFilter.class)
                .authorizeRequests()
                .anyRequest()
                .authenticated();
      }

    }