
Spring Cloud API Gateway | JWT Security | Pass UserDetails to Microservices | JavaTechie

Views: 62,427

Java Techie

Day ago

In this tutorial, we will understand how to pass authenticated user information from Spring Cloud API Gateway to other microservices.
#javatechie #microservice #security #jwt
Microservices Security Using JWT | Spring Cloud Gateway
• Microservices Security...
GitHub:
github.com/Jav...
Disclaimer/Policy:
--------------------------------
Note: All uploaded content in this channel is mine and it's not copied from any community;
you are free to use source code from the above-mentioned GitHub account.

Comments: 110
@impertator644 a year ago
Great content. It would be also great to see, how to integrate this authentication with frontend, I mean for example, how to handle login. And also how to handle "log once".
@ntjoel19 6 months ago
I appreciate the content and the architecture. Thank you for the video. For a better scalability, separation of concerns, security enforcement, I think you can totally separate the gateway from the authentication by making the authentication service an independent microservice.
@Javatechie 6 months ago
Yes that's what we need to play with identity services from gateway
@saqlainmirza9644 5 months ago
@Javatechie please make this
@MAMUNGM a year ago
Thank you so much to add this requested content
@MAMUNGM a year ago
Thanks to you for adding this. How to configure the cors origin configuration in api-gateway and auth microservice?
@siddharthshitole7574 a year ago
Hi Techie, I really love your content, requesting you to make a series on code review. It will be helpful for everyone
@Javatechie a year ago
Yes it's on my queue buddy soon i will do that
@RahulKumar-qu1if a year ago
Hi, can you please make a video on how to integrate both Oauth2 and jwt in a single application
@Javatechie a year ago
Okay i will
@pranoydas9654 a year ago
@Javatechie sir, have you created the video of Oauth2 and JWT in a single application?
@jimiotulana2546 a year ago
Thanks a lot, very informative, however, I was wondering if the restaurant API had been using a role-based control how do you pass the user role such that the endpoint can only honor the request if the user has the right permission
@Gabrysia445 a year ago
maybe you could pass this in the same manner that user name was sent? Add a header "userRoles" with role as a value in the gateway
@dineshpanigrahi1065 a year ago
Hi @JavaTechie, Can you please make a video explaining to prevent direct calls to microservices, we should access the microservices only through the api gateway, and role based authorization in continuation of the spring cloud api gateway | JWT Security video
@Javatechie a year ago
Yes interesting. I will give it a try
@dineshpanigrahi1065 a year ago
@Javatechie Thank you. Can we have a video in continuation to this video ASAP
@Adventurevictoria 2 months ago
Is this an excellent idea? Pour all the security logic into the gateway which is the busiest service for routing the message that can cause potential bottlenecks for the entire service? And make all sub-microservices open up with as naked? The main job of gateway is routing the messages to the proper microservice. You could implement basic token validation here since it will cut down all unnecessary burdens in earliest point but securityfilter in gateway shouldn't be much heavy like this.
@hduy8536 5 months ago
You can make a video to decentralize permissions. For example, if the user does not have permission to access service A, it will be denied.
@southcroydon7462 28 days ago
Hi, which video has API Gateway details? Not sure I understand AbstractGatewayFilterFactory
@ngonimugandani4504 3 months ago
This is awesome
@collinstamaletalemwa6218 7 months ago
Great tutorial! Although, what is the best way for one to secure the microservices as well? Since they only appear secure when accessed through the gateway, but one does not need to be authorised to access the microservices directly
@Javatechie 7 months ago
If you will allow user to directly access to microservices then what is the need of api gateway it doesn’t make any sense right because we are bypassing the flow
@collinstamaletalemwa6218 7 months ago
@Javatechie it is not a matter of giving users access, but it turns out to be a big security concern once anyone decides to attack you. There is no point of defense at all
@Javatechie 7 months ago
Okay if forcefully you want to secure then you need to implement security in each and every microservices that is what I can think at this moment. Will check and update if there could be any better approach
@aadiraj6126 a year ago
What are the industry best practices? Details are passed through header or request body?
@Javatechie a year ago
Yes we can pass as part of the header not an issue it won't be visible to outside calls. Request body needs to use when we have to pass multiple fields or object
@nadigatlapraveen4681 5 months ago
Hi sir, can you please make a video on role based spring boot microservices security
@Prakash-gz6py a year ago
Hi, I’m curious to know about your mac experience. Is it good for development? Which MacBook you are using, please? Is it worth to buy? Planning to buy but not sure with performance!! Thanks.
@Javatechie a year ago
Mac for development is superb and can't compare with any other OS. Without any second thought go ahead with it. I am using both Mac desktop and mac pro laptop 💻. It's amazing 😍
@Abhi-wh3lh 7 days ago
Do a video for roles from gateway to swiggyservice
@AbhishekSharma-jg2ow a year ago
Hi @Java Techie, Thank you for such great content. Sir, I came across a question in an interview and was still unable to find a suitable solution, I will be grateful if you can make a small video on this. I believe this may require generics, recursion or reflection concepts. WAP to compare if two arguments are equal, they can be anything primitive, Array, Map, Collection or custom objects, and the input param type is Object. Ex, isEqual(Object arg1, Object arg2). As per the question, we don't have knowledge of the input provided.
@amjadali3601 a year ago
We can do this using generic method if all the Class that we need to compare implements Comparable interface
@Javatechie a year ago
Good question i believe we can directly play with object but will check and update
@cevinananda1639 9 months ago
very good tutorial, but i have a question. The services is secure if we access it from the api gateway, but it have no secure system when we try access it directly from the service (without using api gateway endpoint). My question, is there any ways to make the services only can be access from the api gateway and can't be access from the service directly. Thank you
@Javatechie 9 months ago
That is why we are using gateway to make a single entry point to our application so if you won't expose microservice endpoints then the user won't access it.
@cevinananda1639 9 months ago
thank you for your fast response. Forgive me, I am new to this microservices thing. I just knew that when we already at the deployment phase, we can make the service only accessible by the api gateway and block any other request that's not from the api gateway. good tutorial and very helpful person, thank you very much
@pranoydas9654 a year ago
Sir, can you make a video of role based authentication like user role , admin role etc ? Using JWT
@Javatechie a year ago
Role base i am also struggling to find a solution. Will definitely update you
@cd62 a year ago
Hi @Java Techie, Thank you for such great content. Sir, how to handle if api gateway go down? In this conditions I need to create cluster for this. Can you create a video to explain if possible? Thanks for support
@Javatechie a year ago
Hi buddy, usually in real-time we do follow multiple instances for service as a replica, in case of region instance goes down then immediately traffic should redirect to active instance and to achieve this usually we do need to configure proper DR (disaster recovery)
@MEGANE34 a year ago
Hi Java Techie, Thank you for great content. Can make spring boot project for deploying azure with jenkins pls
@Javatechie a year ago
Azure doesn't have much experience but will check and update you
@MEGANE34 a year ago
@Javatechie Thank you, I am looking forward 😳😳
@Virat77799 4 months ago
How rolebased authorisation happens with this architecture.. please make a video of it. How any rest end point will give access to only admin or role?
@anupamupadhyay826 a year ago
Hi @Java Techie, thank you for sharing such valuable content. I have a question: could you please help me understand the process of implementing method-level role-based authorization in a Swiggy microservice? While I'd prefer not to use Keycloak, I'm interested in any references or guidance you could provide to achieve this. For instance, I'm curious about effectively utilizing the @PreAuthorize annotation in a Swiggy microservice
@Javatechie a year ago
That's tough to implement i am working on a poc once it is done i will upload
@hieunghiemxuan3992 3 months ago
Hi @Javatechie, I went through your series about Auth in microservice and I couldn't find the videos about role-based authorization. I mean the next video of this one. Did you already upload it?
@Javatechie 3 months ago
Not uploaded yet buddy
@walterricardoforerosanchez8461 a year ago
Thanks for the content ❤ What is the name of the app next to the configuration?
@akshaynilkanth9671 a year ago
Hi Brother, I guess we need not do that because when the request is forwarded the SecurityContextHolder object already has user details in it... after learning from your previous video I implemented the same architecture and tried it
@Javatechie a year ago
Yes that's correct but in each microservice i shouldn't add security dependency to just fetch the user info
@akshaynilkanth9671 a year ago
@Javatechie Yes indeed... thanks for all your tutorials... you have no idea how much it has helped me to build my career
@Javatechie a year ago
Glad to hear this Akshay. Keep learning 😃
@viacheslav_chudnovskyi a year ago
Is it considered a bad practice to set Authentication in the SecurityContextHolder in the API gateway to make it accessible from a controller in another service?
@Javatechie a year ago
No not at all
@user-yd6zf5kf5l 10 months ago
Hi @Java Techie, Thank you for This content, and it is very much useful for me, But How Swagger calls works in this case. Can you pls add that also..
@Javatechie 10 months ago
Okay sure
@rahulvijay1781 a year ago
Awesome javatechie can u implement oauth2 in api gateway?
@anilkumarraju8839 a year ago
Hi bro nice can we expect Saga pattern implementation video bro
@Javatechie a year ago
Hi Anil Kumar, please check this video it's already there in the channel kzfaq.info/get/bejne/bLVlnK1otbG5mKc.html
@srinukumbam6918 a year ago
Hi Bro, Thank you for This content, and it is very much useful for every java developer. And my question is here restaurant service also authorised service if swiggy service want to call restaurant service like using RestTemplate, how we have to pass the token since the request will directly go to gateway. Is it As you explained in above or any other way?
@Javatechie a year ago
Swiggy service needs to pass a token to access restaurant service using rest template headers
@srinukumbam6918 a year ago
@Javatechie Thank you bro.
@maantram 7 months ago
We have Zuul proxy and spring boot 2.1.x and implemented resourceserverconfig adapter. Now we have upgrading to spring boot 3.2.0 and cloud gateway. What is the equivalent implementation for resourceconfigadaptor
@karthicks2198 10 months ago
Hi, But still need to protect other micro services right, between micro services communication how to secure? Without using api gate still you can access directly other micro service, it should required security right?
@Javatechie 10 months ago
Simple answer why will you expose other microservices direct endpoint? What is the need for an api gateway then?
@ratnajiguptha5643 a year ago
Hi, can you make a video implementation of oauth and sign with different platform like google, Facebook, github.
@BrilliantMindsZw a year ago
Thank you, do you have any audit implementation?
@Javatechie a year ago
Audit implementation using spring security?
@hoanganhtuan7266 a year ago
Hello, my identity-service is not working properly, after running all service 15' it works. Please show me how to configure that, thank you!
@hkkabir2024 3 months ago
I have checked in the gateway it's not possible to use RouteValidator class "/auth/**" it's not working. Would u like to find out the solution
@gamingbeast710 9 months ago
awesome
@robinrajlouis9183 5 months ago
How to handle Authorization (role based Authorization)?
@SanjayKumar-di5db a year ago
there is security vulnerability in this way, if client adds the same header in the request then micro services might read the header added by the client and not the gateway so need to block the header coming from the client either at infra level like nginx or cloudfront or need to put check on gateway itself that if client sending any of these headers then forbidden
@Javatechie a year ago
Not getting you Sanjay, what do you mean by client here?
@SanjayKumar-di5db a year ago
In detail all headers in http could be a list of values and gateway is adding some headers and hacker can add the same headers then there is a chance that micro service side the header it reads is coming from hacker
@Javatechie a year ago
Okay got you. Then we can mask it and pass
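Added example, not part of any comment above and not code from the video or its repository: one way to close the header-spoofing gap raised in this thread is a Spring Cloud Gateway global filter that removes any client-supplied copy of the identity headers before the JWT filter writes its own. The class name and the `loggedInUser` header are assumptions; `userRoles` is the name suggested earlier in the comments.

```java
import java.util.List;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;

import reactor.core.publisher.Mono;

/**
 * Hypothetical filter: runs before every other gateway filter and drops any
 * identity header sent by the caller, so downstream services only see values
 * the gateway wrote after validating the JWT.
 */
@Component
public class StripClientIdentityHeadersFilter implements GlobalFilter, Ordered {

    // Assumed names: "loggedInUser" stands for whatever header the gateway's
    // auth filter writes; "userRoles" is the name proposed in the thread.
    static final List<String> IDENTITY_HEADERS = List.of("loggedInUser", "userRoles");

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        ServerHttpRequest sanitized = exchange.getRequest().mutate()
                .headers(headers -> {
                    // HttpHeaders matches names case-insensitively; remove()
                    // drops every value, including repeated header lines.
                    for (String name : IDENTITY_HEADERS) {
                        headers.remove(name);
                    }
                })
                .build();
        return chain.filter(exchange.mutate().request(sanitized).build());
    }

    @Override
    public int getOrder() {
        // Run ahead of the route-level JWT authentication filter.
        return Ordered.HIGHEST_PRECEDENCE;
    }

    /**
     * For the authentication filter to call once the token is verified:
     * set() replaces the header rather than appending a second value.
     */
    public static ServerWebExchange withIdentity(ServerWebExchange exchange,
                                                 String username, String roles) {
        ServerHttpRequest request = exchange.getRequest().mutate()
                .headers(headers -> {
                    headers.set("loggedInUser", username);
                    headers.set("userRoles", roles);
                })
                .build();
        return exchange.mutate().request(request).build();
    }
}
```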
@deviprasadhota2617 a year ago
Great one... One question how to enable cors cor support host header?
@deviprasadhota2617 a year ago
Just encountered like problem.. Can you tell me how I can support host header for my api... Now its forbidding the host header. One of our client wants to access the api by giving its endpoint.
@vinodhreddy6227 a year ago
U can cover roles to access the rest endpoint
@Javatechie a year ago
No but this is not the way to maintain Authorization. I will upload that video
@vinodhreddy6227 a year ago
@Javatechie ok, identity service we can't add roles and services we can use ryt?
@Javatechie a year ago
You can add roles in identity service but in other microservices to use this role for Authorization bit tricky
@vinodhreddy6227 a year ago
@Javatechie cover that topic also, thanks
@logic_master950 a year ago
Hi sir, can you create a video on how to password reset using mail api.
@sk-ip4md a year ago
Hi, Can you please make a video on Oauth2 + webclient+ token uri?
@arpit1145 a year ago
Better approach is use two way TLS or A2A cert.
@saurabhtandel3332 a year ago
How to exclude some API from applying Jwt in the headers.
@sujeetsharma9976 a year ago
Hi Java Techie, Can you make a video on logout that makes Jwttoken expired in microservice.
@slogger5033 7 months ago
I am getting a forbidden error after following the above video, Can anyone please tell what can be possible scenarios to look into it?
@Javatechie 7 months ago
You might have made some mistake please import the code and try again
@mohdshahrukh6176 a year ago
Sir, can I get some career-related guidance?
@Javatechie a year ago
Drop me an email to javatechie4u@gmail.com
@user-te2wj9ng9z a year ago
I got the problem while I try it using Postman, it's send me a message: An expected CSRF token cannot be found
@Javatechie a year ago
Disable it
@user-te2wj9ng9z a year ago
@Javatechie how I didn't understand, I have disable the csrf in auth-service
@Javatechie a year ago
I have done this in securityFilterChain please check and do the same
@user-te2wj9ng9z a year ago
@Javatechie thank you, I didn't check it before. Now its work
@sagar8964 a year ago
how To disable direct access to microservice & allow only though api gateway?
@Javatechie a year ago
Yes that's what the gateway pattern
@sagar8964 a year ago
@Javatechie can you please make a tutorial on it? Also how to use preAuthorize in swiggy controller?
@kmiiloberrio-dev a year ago
How to deploy in aws this distributed system?
@vamshibyagari5986 11 months ago
08:31 why's this crying😂
@tendaikawadza4492 a year ago
i need support on one of my api to do this
@ashishmishra2346 10 months ago
how routing will be done if url of swiggy-service(host1:port1) and restaurant-service(host2:port2) is different
@mrowox 9 months ago
Is it possible to pass a user object instead of the username. For example, I might need the email, username, and role of the user. Also how do I restrict API endpoints by roles and permissions
@Javatechie 9 months ago
I don't think we can pass an object directly in the header but you can pass multiple key and value
@mrowox 9 months ago
@Javatechie so how can I use something like @AuthenticatedPrincipal or annotations like @hasRole and @hasAuthority in the respective microservices?
@Javatechie 9 months ago
I still have not found the solution for role based Authorization in this approach. Looking into it m