Micro-services Authorization and session maintenance - spring boot












I have an application that I want to divide into micro-services to increase overall performance under high load. The overall structure I plan to create is like this:

Web -> Authorization Server -> Eureka + Zulu -> Spring boot Micro-services

Since my previous application was a monolith, I used Spring Boot + Spring Security and had no problem logging things like @CreatedBy and @LastModifiedBy - I also use Aspects to log every action in the app and track who made the changes. Now, since I don't have a session across microservices, I don't know what to do - I do need to log the action owners - log who is doing what.

Can someone tell me how I can maintain the logging possibilities in my new structure? Maybe there are some ready-made patterns, or maybe I need to make some changes in my structure?










Tags: spring, spring-boot, spring-security, microservices

asked 2 days ago – Irakli

          1 Answer
          How are you dealing with authorization? If the web component calls the authorization server with an authentication token, that token should be forwarded when calling microservices. Every microservice should be stateless (so, no session is ever stored), and that token should contain information about the user so each microservice can access it and authenticate requests.



          If you could specify what you mean by Authorization Server, I'll be glad to explain in greater detail.






          answered 2 days ago – gbandres (new contributor)

          • Right now I haven't built the authorization server yet - that's just the idea of how I plan to make changes. If you can give an example of what you just mentioned, that will be great.
            – Irakli
            2 days ago










          • For example, a very simple authorization server: You call it with correct username and password parameters, and it returns an encrypted token which contains the user's details (for example, its name, roles and the token's expiration time). Now that the client has that token, it can use it to call any microservice needed. The microservices can decrypt the token because they know the same private key used by the authorization server and can access the logged user's information.
            – gbandres
            2 days ago












          • You mean that I need to send the token myself with all my requests, yes? Maybe there is an easier way - Spring Security Client - or something like that?
            – Irakli
            yesterday
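
An added example (not from the answer, the comments or Spring itself) of the stateless check described above: the authorization server issues a token carrying name, roles and expiry, and each microservice validates it with the shared key instead of looking up a session. It uses an HMAC-SHA256 signature over the payload rather than encryption, so the contents are readable but cannot be altered undetected; the token layout, class and method names and the secret are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Optional;

// Added illustration; token layout, names and secret are constructed, not from the post.
public class StatelessTokenDemo {
    // Verified caller identity a service would use for audit fields (who did what).
    static final class Caller {
        final String name; final List<String> roles;
        Caller(String name, List<String> roles) { this.name = name; this.roles = roles; }
    }

    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Authorization server side. Payload: name|role1,role2|expiryEpochSeconds
    static String issue(byte[] key, String name, List<String> roles, Instant expires) throws Exception {
        if (name.contains("|")) throw new IllegalArgumentException("delimiter in name");
        String payload = name + "|" + String.join(",", roles) + "|" + expires.getEpochSecond();
        String body = ENC.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return body + "." + ENC.encodeToString(hmac(key, body));
    }

    // Microservice side: no session lookup, only signature and expiry checks.
    static Optional<Caller> verify(byte[] key, String token, Instant now) {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 2) return Optional.empty();
            // Check the signature before parsing anything; isEqual is constant-time.
            if (!MessageDigest.isEqual(hmac(key, parts[0]), DEC.decode(parts[1]))) return Optional.empty();
            String[] f = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8).split("\\|", -1);
            if (f.length != 3 || now.getEpochSecond() >= Long.parseLong(f[2])) return Optional.empty();
            return Optional.of(new Caller(f[0], Arrays.asList(f[1].split(","))));
        } catch (Exception e) {
            return Optional.empty(); // malformed input is treated as unauthenticated
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        Instant now = Instant.now();
        String token = issue(key, "irakli", Arrays.asList("USER", "EDITOR"), now.plusSeconds(300));
        System.out.println(verify(key, token, now).map(c -> c.name + " " + c.roles).orElse("rejected"));
        System.out.println(verify(key, "x" + token, now).isPresent());             // altered payload
        System.out.println(verify(key, token, now.plusSeconds(301)).isPresent());  // past expiry
    }
}
```

In a Spring Security service, a request filter would place the verified name in `SecurityContextHolder` as the request's `Authentication`, and an `AuditorAware` implementation can read it from there for `@CreatedBy` and `@LastModifiedBy`.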










