JHipster Microservice and Gateway - Gateway Scalability - spring-security

I am using JHipster 6.4.1 to generate an Oauth2 (Okta) Microservice application with a React UI / API Gateway.
I understand that the Microservice application/s can support multiple instances under the same
Registry and will use a round-robin approach to load balancing and in this way can horizontally scale.
My understanding is that the Gateway application with Oauth2 uses a stateful Spring Security implementation (JSESSIONID cookie), so the same stateless scalability approach cannot work here.
Are there any recommended solutions for applying scalability to the Gateway application?

You can use Spring Session to share your sessions between gateway instances; there's usually nothing wrong with being stateful if the state is small, can be easily replicated and does not contain business data.
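An added example of the approach the answer describes, not JHipster's own code or the answer author's: a Spring Boot configuration that moves the gateway's HTTP session into a shared Redis store, so whichever gateway instance the load balancer picks can resolve the JSESSIONID cookie. It assumes Spring Boot 2.1 / Spring Session 2.1 (the versions JHipster 6.4.1 generates), the spring-session-data-redis dependency on the classpath, and a Redis host and password that are constructed placeholders here.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.connection.RedisStandaloneConfiguration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

/**
 * Added example: replicate the gateway session (Spring Security context holding the
 * OAuth2 principal and tokens) to Redis so every gateway instance shares it.
 * Host, port and password below are constructed placeholders.
 */
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800) // idle sessions expire after 30 min
public class SharedSessionConfig {

    @Bean
    public RedisConnectionFactory redisConnectionFactory() {
        // Placeholder endpoint: a Redis reachable only from the gateway instances.
        RedisStandaloneConfiguration redis =
                new RedisStandaloneConfiguration("redis.internal.example", 6379);
        redis.setPassword("REDIS-PASSWORD-PLACEHOLDER");
        return new LettuceConnectionFactory(redis);
    }

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("JSESSIONID");   // keep the name the generated UI already expects
        serializer.setCookiePath("/");
        serializer.setUseHttpOnlyCookie(true);    // not readable by page scripts
        serializer.setUseSecureCookie(true);      // only sent over TLS
        serializer.setSameSite("Lax");            // still allows the OAuth2 redirect back to the gateway
        return serializer;
    }
}
```

The session content stays small (the authenticated principal and its tokens) and carries no business data, which is the condition the answer sets for staying stateful. Because that session now represents the user's login to Okta, the Redis instance should be reachable only from the gateway instances and require authentication; the session timeout bounds how long a replicated session remains usable.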

Related

What is the best architectural way to connect Envoy filter (API Gateway), PingFederate (Auth Server) and OPA (Policy Engine) for an IAM solution?

I would like to deploy this on Kubernetes. Would it make sense for both the Auth Server and the Policy Engine to talk to the API Gateway independently, or is it more accurate for only the Auth Server to talk to the API Gateway and for OPA to talk to the API Gateway only via the Auth Server?
At Curity we have some good resources related to this. Usually the first key consideration is around components that use data sources:
APIs
Authorization Server
These are always deployed with a reverse proxy / gateway in front of them, so that an attacker has to breach 2 layers to access data sources - this is covered in our IAM Primer.
In addition the gateway can then provide some interesting capabilities:
Token Introspection and Caching
Dynamic Routing
In terms of OPA it depends how you will use it - here are a couple of possible options:
Gateway calls OPA to perform high level checks to grant or deny access, as in this OPA use case
The API calls OPA and passes it a Claims Principal, then uses the response to decide how to filter results, as described in our Claims Best Practices article

How to migrate netflix zuul 1 to zuul 2 or spring cloud gateway

Our services are currently using spring cloud netflix zuul as our gateway.
Now we have to support websocket so we need to migrate zuul 1 to zuul 2 or spring cloud gateway.
I know the Spring Cloud team is no longer supporting Zuul as they have their own Spring Cloud Gateway.
I briefly looked into Zuul 2.0 and I got to know that we should change the filter things first
and there is no more @EnableZuulProxy. (How about routes configuration in application.yml?)
So my question is, is there a reference or simple document to migrate Zuul 1.0 to 2.0?
Or we have to rebuild our gateway application?
Any help would be appreciated!
I am looking into this right now myself, probably going to migrate to Spring Cloud Gateway as we're using Spring a lot already. One major thing to watch out for is that both Spring Cloud Gateway and Zuul 2 are using a reactive programming model, with only a couple of threads handling all the requests, which means that if you have any custom code that calls http endpoints or other services, you will have to re-code those pieces in a reactive fashion, or else your threads will block and your gateway won't be able to handle more than a couple of requests at a time.
You can read a bit about Spring Webflux (used in Spring Cloud Gateway instead of Spring MVC) and reactive programming here: https://docs.spring.io/spring-framework/docs/current/reference/html/web-reactive.html
And no, I have not found a document that will guide you through a migration. In fact that's how I googled to this StackOverflow question...
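An added example (not from the question or the answer) of the point made above about custom gateway code: a Spring Cloud Gateway global filter that consults a separate HTTP service before forwarding a request, written against the non-blocking WebClient rather than a blocking client, so none of the gateway's few event-loop threads waits on the call. The policy service URL, its path and its JSON response shape are hypothetical.

```java
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Added example: a reactive global filter. It asks a hypothetical policy service whether
 * the caller's API key is allowed and forwards the request only on an affirmative answer.
 * Blocking equivalent that must NOT be used inside a gateway filter:
 *   Decision d = restTemplate.getForObject(url, Decision.class); // parks an event-loop thread
 */
@Component
public class PolicyCheckFilter implements GlobalFilter, Ordered {

    // Hypothetical internal service; WebClient issues the call without blocking.
    private final WebClient client = WebClient.create("http://policy-service.internal.example");

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        String apiKey = exchange.getRequest().getHeaders().getFirst("X-Api-Key");
        if (apiKey == null) {
            return reject(exchange, HttpStatus.UNAUTHORIZED);
        }
        return client.get()
                .uri("/decision/{key}", apiKey)
                .retrieve()
                .bodyToMono(Decision.class)
                .onErrorReturn(Decision.denied())      // fail closed if the policy service is down or slow
                .flatMap(decision -> decision.allowed
                        ? chain.filter(exchange)       // continue to the routed backend
                        : reject(exchange, HttpStatus.FORBIDDEN));
    }

    private static Mono<Void> reject(ServerWebExchange exchange, HttpStatus status) {
        exchange.getResponse().setStatusCode(status);
        return exchange.getResponse().setComplete();   // finishes the response without a body
    }

    @Override
    public int getOrder() {
        return -1; // run before the routing filters
    }

    /** Hypothetical response body of the policy service. */
    public static class Decision {
        public boolean allowed;

        static Decision denied() {
            Decision d = new Decision();
            d.allowed = false;
            return d;
        }
    }
}
```

The chain is composed of Mono operators and the method returns immediately; the decision is applied when the policy response arrives. The onErrorReturn step is where the failure mode is decided: a timeout or connection error denies the request instead of letting it through.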

How to integrate AWS + ELB + AutoScale + Docker + Spring Cloud

I want to design an application using AWS as IAAS, Docker as PAAS and Spring Boot and Spring cloud as application technology.
For this, I googled and read a lot of blogs and watched videos but could not find any answer for that.
I developed one application using Spring Boot and Spring cloud technology, and the application architecture looks like below image.
This design looks good and working fine as per expectation.
Now the new task is, I need to use the cloud (AWS) as Infrastructure and Docker.
For that, I designed one more architecture, and it looks like below image.
The component as follows:
ELB - (Elastic Load Balancer) -> Target Group (Part of Auto Scaling) -> EC2 instance (will be created more on demand)
Now if I want to integrate my previous design then I think there is no need of a Zuul server here because this load balancing is done by ELB; second, I do not need the Service Discovery component as well because it will be done by the Target AutoScale group.
I am a little bit confused here with Spring Cloud and AWS infrastructure.
Could someone help me to make really simple how I can integrate these components to work together?
Thanks
Why Spring Cloud with AWS?
Let's take an example where you need Spring Cloud even if your architecture is deployed on AWS infra:
Imagine your Product service needs to communicate with your Order Service; in this case you will see the Spring Cloud utility.
You don't see the necessity of Spring Cloud because you don't have internal communication (between your services), and this is the role of the Registry service.
Why a Gateway service (Zuul in your architecture)?
Again, your current architecture doesn't use (need) the power of the Gateway pattern.
Let's assume your system needs to aggregate multiple results from different services to respond to a client request. You can do this in the Gateway (Zuul in your case).
Another advantage of using a Gateway service is that you can use it as a unified front door to your system, which allows a browser, mobile app or other user interface to consume services from multiple hosts without managing cross-origin resource sharing (CORS) and authentication for each one.
Important:
It's fine to not use Spring Cloud; it is not a rule or THE right way to implement a microservices architecture. If you don't need it, don't use it.

What benefits does Spring AMQP have over Spring Cloud Stream for Microservices Architecture

I use the Spring Cloud approach for building a few microservices which are supposed to interact with each other. For messaging between microservices I intended to use RabbitMQ and Spring AMQP, but after I looked at Spring Cloud Stream I feel lost. In my mind Spring Cloud Stream is the next level of abstraction (probably too strong, but you should get the overall impression) with many very useful features. So I wonder why would someone use Spring AMQP for new development? Could you please provide any Spring AMQP benefits over Spring Cloud Stream for the pretty basic case when one microservice sends a message to another microservice and receives a reply?
Thanks.
Spring Cloud Stream provides an opinionated configuration model that connects to the external system (Binder, Consumer Group etc.). This is mainly intended for streaming applications where the applications are connected via a pipeline. The applications that don't fit this opinionated model can be configured directly from Spring Integration (+ Spring AMQP).
For instance, Spring Cloud Stream doesn't provide direct support for request/reply scenarios. You can read this SO question and the GitHub issue here.
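An added example (not from the question or the answer) of the request/reply case the question describes, done with Spring AMQP directly: the requesting service calls RabbitTemplate.convertSendAndReceive and blocks for the reply, and the responding service's @RabbitListener method return value is delivered back to the request's reply-to address. The queue name and the reply rule are constructed for the example; the RabbitTemplate and connection factory come from Spring Boot's AMQP auto-configuration.

```java
import org.springframework.amqp.core.Queue;
import org.springframework.amqp.rabbit.annotation.RabbitListener;
import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;

/** Added example: the queue both sides agree on (constructed name). */
@Configuration
class OrderCheckQueueConfig {
    @Bean
    Queue orderCheckQueue() {
        return new Queue("order.check", true); // durable, so a broker restart keeps it
    }
}

/**
 * Responder side (e.g. the Order service). Spring AMQP sends the returned value to the
 * reply-to address that convertSendAndReceive attached to the request message.
 */
@Component
class OrderCheckResponder {
    @RabbitListener(queues = "order.check")
    public String check(String orderId) {
        // Constructed rule standing in for real validation logic.
        return orderId.startsWith("ORD-") ? "OK:" + orderId : "REJECTED:" + orderId;
    }
}

/** Requesting side (e.g. the Product service). */
@Component
class OrderCheckClient {
    private final RabbitTemplate rabbitTemplate;

    OrderCheckClient(RabbitTemplate rabbitTemplate) {
        this.rabbitTemplate = rabbitTemplate;
        // Bound the wait: a caller must not hang indefinitely if the responder is down.
        this.rabbitTemplate.setReplyTimeout(5_000);
    }

    public String checkOrder(String orderId) {
        // Default exchange, routing key == queue name; waits for the correlated reply.
        Object reply = rabbitTemplate.convertSendAndReceive("order.check", orderId);
        if (reply == null) {
            throw new IllegalStateException("no reply from order service within timeout");
        }
        return (String) reply;
    }
}
```

The timeout and the explicit null check are the parts a practitioner should not skip: convertSendAndReceive returns null when no reply arrives in time, and treating that as success would silently approve an unchecked order.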

Use oauth2 authentication for the main app and basic auth for the management endpoints in spring boot?

I'm using Spring Boot to build a REST Api which I can secure with Oauth2 (using spring-security-oauth2).
I want to manage a separate authentication and authorization schema for the actuator management endpoints (metrics, health, etc.).
And I want the management endpoints to run on a different port (management.port=8081 in application.properties)
I've been reading quite a lot but couldn't find a way to do it.
Thanks
That's because you can't separate endpoints by port. If the actuator management endpoints and the management endpoints are on the same component, the Spring Boot container (Tomcat) will launch that whole component on one port.
What you are saying can maybe be achieved by a proxy. You would map some urls on the proxy to internally correspond with the urls on your component.
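An added example (not the question's or the answer's code) of the split the question asks for, on Spring Boot 2.x where the port property is management.server.port rather than management.port: a separate Spring Security filter chain, ordered ahead of the application's OAuth2 chain, that matches only the actuator endpoints and protects them with HTTP Basic. The user name and the environment variable holding the password are constructed for the example.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example. Pair it with these properties (constructed values):
 *   management.server.port=8081
 *   management.endpoints.web.exposure.include=health,info,metrics
 * Only requests to actuator endpoints are handled by this chain; every other request
 * falls through to the application's OAuth2 resource-server chain (lower precedence).
 */
@Configuration
@Order(1) // must be evaluated before the application's main security chain
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatcher(EndpointRequest.toAnyEndpoint())            // limit this chain to actuator URLs
            .authorizeRequests()
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll() // liveness probes need no credentials
                .anyRequest().hasRole("ACTUATOR")                       // metrics and the rest require the ops role
            .and()
            .httpBasic();                                               // per-request credentials, no OAuth2 login
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Local authentication manager for this chain only; the OAuth2 chain is untouched.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String password = System.getenv("ACTUATOR_PASSWORD"); // hypothetical variable, fail fast if unset
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("ACTUATOR_PASSWORD must be set");
        }
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("ops")
            .password(encoder.encode(password))
            .roles("ACTUATOR");
    }
}
```

With management.server.port set, the actuator endpoints are served on 8081 while the API stays on the main port; the EndpointRequest matcher is what keeps the two security schemes separate regardless of port. Spring Security's defaults (CSRF protection included) are left in place on this chain.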
