Securing Microservices with API Key Based Auth - Spring Cloud Gateway | JavaTechie

Captions
Hi everyone, welcome to Java Techie. Whenever we think of microservices and distributed applications, the first point that comes to mind is security. Obviously, in a distributed architecture it is really difficult to manage security, as you do not have much control over the application, right? So in this tutorial I will guide you on how you can secure your microservices using API key based authentication. Okay, so without any further delay, let's get started.

Let's assume I have two microservices, a student microservice and a course microservice. Now, to maintain security, the first necessary condition is to restrict direct microservice calls for outside callers. All calls should only go through a single entry point. So if you can remember, in microservice architecture we usually consider the API gateway as an entry point, right? So in microservice architecture all requests should first be intercepted by the API gateway. Next, the API gateway should route that incoming request to the corresponding microservice based on the mapped URL. Okay, let's say the user sends a request with /student, then the request will redirect to the student service. Similarly, if the user passes /courses, then the request should redirect to the course microservice. This is the typical workflow of an API gateway in the microservices world, right? So here, while routing the request, the API gateway should authenticate and authorize the incoming request made by external callers. So this Spring Cloud Gateway should take that responsibility to authenticate and authorize the incoming request.

Now let's understand how we can authenticate and authorize an incoming request using the API key mechanism. We'll use something like an API key and service ID mapping. If you can see this JSON structure below, I have defined a key, and with that key we mapped multiple services here. So you can consider this key as an API key or gateway key, and these are the service IDs or route IDs, which will be unique for each microservice. Okay, so if the user is giving this particular API key as part of the header, then he will be able to access the student and course microservices. Similarly, if the user is passing this API key, then he is able to access only the course service. Okay, this is how we need to maintain the API key and service ID mapping in our application.

Now you might have a question: where will you keep this API key and service ID mapping information, right? So here you have many options. You can use any in-memory database, but in this example I will use the Redis NoSQL database. Okay, no worries if you don't know how to work with Spring Data Redis, I already covered this concept. Just go to my YouTube channel and search the keyword "with redis", you will find this tutorial. Okay, I'll share the link in the video description so that you guys can refer to it. Now I hope you got the complete context of how you can map the key and services, okay, with a single key how you can map multiple services. We are going to implement the same in action: we will create two microservices, the student service and the course service, then we will create another project, that is Spring Cloud Gateway, and there we will implement the security.

Okay, so let me go to my IntelliJ IDE. So I already created two microservices, the student service, and there is another microservice, which is the course service. So I didn't write any complex logic in each microservice. To make it simple, I am just returning hardcoded course objects with this endpoint. Similarly, if you go to the student service, I also return a couple of hardcoded student objects with this particular endpoint. Okay, so these two APIs are good; one is exposed on 8081 and another is exposed on port 8082. Now, the main feature which we are going to implement: we will write a new Spring Cloud Gateway project and will implement the security over there.

Now let me go to the Spring Initializr, then I will just create a new project. I'll just change the group to com.javatechie, then the artifact, I'll just name it spring gateway security. Okay, so I'll just change the package name here, com.javatechie security or something like that.
I will use JDK 8. Now let me add all the required dependencies. We will add Spring Web; we are going to write it using Spring WebFlux, so I just need to add Spring Reactive Web. Okay, then I just need to add Lombok, then I'll use Redis, then also I need the API gateway, to write Spring Cloud Gateway. Now let me generate this project. Now let me go to the directory and let me import this particular project into my IntelliJ IDE. Go to the IntelliJ IDE, then I'll just click on File, Open, then let me go to the Desktop, javatechie code, then just scroll down; this is where the project is, right, spring gateway security. Just open it. It may take a few seconds to download all the latest versions of the dependencies, because we just added 2.6.4 of Spring Boot, right? So let's wait for it to complete. So you can see here the project imported successfully and downloaded all the latest dependencies. Let me minimize this.

Now go to the pom.xml. Okay, so this is the cloud version. Okay, so what is the parent version? 2.6.4, so let me downgrade it to 2.6.3, and also this 2021.0.0, this is the cloud version I'm going to use. Better, let me add the dependencies properly. Okay, I already have the template, I'll just add it. So just one additional dependency is added, that is Jedis; to work with Redis we just need to add this dependency. Apart from that everything is the same: we just added the gateway, we just added WebFlux, and the cloud version I downgraded to the 0.0. Okay, so this is the pom.xml with the correct dependency hierarchy.

So first let me create a couple of packages, we'll go step by step. So I will just go to src, I'll go inside main, java, and I'll create a package called config. Okay, not a file, I just need to create a package; click on package and name it config. So inside this config package we just need to enable the Redis configuration. Okay, now I also need to add a filter which will intercept all the requests coming to the API gateway, so I will just name it filter. Okay, then also I want a DTO, which will be my API key class; it will contain the API key ID and the list of service IDs, so I'll name it dto. Then also I need one kind of util class where I can define the constants, I can define the utility logic. Okay, so I'll just write util. That's it for now.

First let's begin with our DTO; we'll just add the JSON structure here. Okay, so I'll just create a Java class, ApiKey. So if you can remember, in this API key, this is the API key class we need to create, and we need to add a gateway key and we just need to add a list of services inside that. So that's the reason, what I'll do, I will just create a variable here, private String, I'll name it key; you can name it gateway key or anything else. And then I just want to add a private List of String, okay, then this will be my services, because... okay, let me import this... because for a specific API key... I just added the wrong one, java.util, okay... because for a specific API key we can map multiple services. Since I added Lombok I can directly use the annotations @Data, @AllArgsConstructor, @NoArgsConstructor, and also I just want to add equals and hashCode; I will also add toString. Fine.

Now we need to store this API key in our Redis cache or Redis in-memory database. So for that, first let me configure the Redis configuration here. Okay, I'll just create a class, RedisConfig, something like that. Then, I already configured Redis in my tutorial, so I will just add a live template here. Also I will share this GitHub code with you, you can just reuse the code. Okay, so I will just add the live template, something like Redis configuration template; I already created this. So what I do, I will just add the annotation @Configuration, then this is the Environment, which came from the Spring framework. I will just import all the required statements. Okay, so I can directly use this. Okay, fine, so we imported all the required statements.

Now the Redis Jedis connection factory will be up and running on the port which is specified in your application.properties file. Okay, so let me enter this so that you can see this. Okay, we are just adding the two properties in our application.properties, which will be spring.redis.host and spring.redis.port. Okay, so these two configurations we need to add in our application.properties file, because we are just trying to customize our Redis connection, nothing else. So I will just add these two. So let me copy directly from here, go to your application.properties file, just add it. The port, which you can specify, let me remember, 3 6... 6 3 7 9, or yeah, you can customize any number. Okay, I will just give the default number, which will be 6379. Now also I just need to specify the host; for now I'll specify the host as localhost, so I'll just specify localhost.

Now we configured Redis here, right? So you can start the Redis server from your system, but before that we also need to add a Redis hash component so that we can store this API key information in this Redis component. Okay, so what I'll do, I will just create another class, a new Java class, I'll name it RedisHashComponent; you can give any name, guys. Okay, so here I will just annotate this with @Component. Next you can also annotate here with @Slf4j, which will come from Lombok, okay, so you can directly use the log statement. Now what I need to do, I just need to inject the RedisTemplate here. So what I will do, I will just write private final RedisTemplate, then I'll specify the generic type, which will be the key as a String and the value as an Object, so I'll name it redisTemplate only. So I can directly use the constructor here; I can do Ctrl+Enter, I will just add the constructor here. See, it's up to you; if you want you can directly use @Autowired here and you don't need to add any constructor, but this is what was introduced in Spring 4.4.3, I believe, I'm not sure about the exact version. This is what you can use: you just add a field and you can just create a constructor. If you have multiple constructors of the same class, then you must @Autowired it. Okay, this is one of the advantages of Spring 4.3.

Now what I need to do, I'll write a few methods where I will save the API key details to Redis, what I can say, the in-memory DB, and also I want to fetch. Okay, so what I'll do, I'll just write a method, public void hSet; any name you can give here. Okay, here what I want to save: I just want to save the String which will be the API key, I'll name it key. Then also I just want to say something like hashKey, which is nothing but your route ID, your service ID; you can give any name, guys. Okay, hashKey, and also I just want to set the Object, which is nothing but your API key object. Okay, so I'll just name it value or something like that. Now to save it I can directly use redisTemplate.opsForHash. Okay, so I will just use redisTemplate.opsForHash, and here I can add it, right? I can call the method put and I can pass these three objects.

Okay, but I don't want to pass the raw object; I just want to maintain a JSON structure, something like this. Okay, how can I achieve that? I can directly use a map: this is the key and this is the value, again this is the key, this is the value. So I can directly use the map here, right? So for that, what I will do, I will just create a util class which will take this particular object and will convert it to the map data structure. So for that, what I will do, I will just create a Java class, I'll name it something like MapperUtils or something like that. Okay, then there is an annotation in Lombok, I can use @UtilityClass. If you define this annotation, @UtilityClass, all the methods which you define will by default be static, okay, you don't need to define the static keyword manually. So what I will do, I will just return a generic type, so I can define the generic type. Fine, then I'll just name it objectMapper or something like that. objectMapper, then give the object which you want to convert, so I'll give it Object, because I don't know the data type of it, and then I will define the expected class type, which will again be a generic type, so I can give it something like contentClassType or something like that. Fine. Now here, how can I convert that? Using ObjectMapper. So I'll just create an object of ObjectMapper, mapper, okay, it is suggested, new ObjectMapper. Okay, now here what I'll do, I'll just return mapper.convertValue. Fine, I'll just give this object, and then for the to-value type I will specify contentClassType. That's it.

Okay, now here what I will do in this RedisHashComponent: rather than directly storing this particular object, I will first convert it to the map, then I will directly store it in the Redis template or Redis in-memory DB. So for that, what I'll do, I will just use an object of Map; I will not specify any generic type here. I'll name it something like ruleHash or some hash value. Then I will just use, what is the class name I created, MapperUtils. MapperUtils dot, you can see here I'm directly getting the method name, objectMapper. Okay, if you observe, I didn't define this as static, but this is the advantage of using this annotation. Now let's go back to the code, and here I will just give the object, which is nothing but the value object, okay, value, and you are expecting it as a map data structure, so I will just use Map.class. Now it will give you a result as a map. Now I can put that into the in-memory Redis database. Okay, so how can I push? I can give key, then hashKey, and instead of value I will pass this ruleHash. Fine. This is a one-time setup, guys: you are just doing the set value to the Redis template, that's it, and I am just converting it to the map and adding it to Redis so that I can get this particular hierarchy.

Now next I need to fetch from the Redis template. So what I can do, I will just write a method, public, it will return me the Object, hGet, something like that, because hGet and hSet, something like that, this is the standard; you can give any name, guys, that's not an issue. And what do you want to get? Based on the key, right? String, you can pass the key, and also you can pass the hash key of it, which is nothing but your route ID or service ID, so I will give it hashKey. Fine. How can we get it? Directly, okay, remove this, we can directly get it: return redisTemplate.opsForHash.get, give the key and hashKey. Fine.

Now also we need to write a method to check whether there is any entry present in the Redis in-memory DB or not. So for that I will just write a method, public, it will return me the list of objects present in my Redis database. I'll just make the return type List of Object, I'll just check, hValues. Okay, I'll give the key; based on the key, whether there is any record or not, it will just give us the result. I'll directly use return redisTemplate.opsForHash.values for the key. Fine. This is it: we just set the value to the Redis template, check the value, if it is present return all the values, and just get the value based on the key and hash key, which is nothing but the API key and your service ID, guys, this one. Don't be confused here: these are the key and service key. I'll just add this particular hardcoded value while starting up my application, you will understand it.

Okay, so we just created the configuration for Redis. So next, what we will do: if you go through the presentation again, there is some hardcoded service ID which is specific to the microservices. For the student service I defined this particular service ID or route ID, right? Similarly, for the course service I defined this; similarly, this is the same as the course service, and this is where the API key is. Now what I'll do, I will just hardcode this value in some constant file or some properties file. Okay, for now I will create one constant class, something like application constants, or I'll name it AppConstants. Fine, and here I will just define those hardcoded keys. So I have the template, let me add it, something like keys. Yeah, so I just defined this value, okay, student service key, the key for the student service, or you can just... I'll just add a comment here: service ID or route ID of the student service.
Okay, similarly the second one is the service ID or route ID for the courses service, so you can just add it like this, okay, course service. So these are the two hardcoded keys, student service and course service key, which I defined. This is what you will generate dynamically, guys. For this particular demo purpose I hardcoded some values, but you need to generate this using some algorithm logic or some hashing mechanism. Okay, for now let's go with this hardcoded value.

Now next, what we'll do: initially there is no key and value configured in our Redis database, right? So on application startup I just want to add a key with the corresponding services like this. I just want to add an API key and corresponding services, similarly key and services. Okay, so for that, what I'll do, I'll just go to my main class, I'll just annotate here, or I'll just write a method here. First I just need to inject the Redis hash template, right, or Redis hash component. So I'll just do RedisHashComponent, because this is where we wrote the get and set methods, right? So I will use the same here. So I will just use redisHashComponent and simply I will just use @Autowired. Fine. Now I will just write a method, public, okay, let me minimize this, public void initKeysToRedis or something like that; I just give a meaningful method name. Fine. So here what I'll do, I'll just create an object of List of ApiKey, then I will give it the name apiKeys, equal to new ArrayList. Fine. Now in this apiKeys I just need to add a few hardcoded values, so I'll just add it: apiKeys.add, new ApiKey, this is the key, for this particular key. Okay, let me import this first, with the import statement for AppConstants. Okay, AppConstants, this is the class name we created. Fine.

Okay, now here if you observe, we are telling Redis: take this key, and with this key configure the service IDs of these two microservices, student service key and course service key. Again, with this API key just configure only the course service key. That is why we created the object of ApiKey and we are adding a list of API keys inside that. Okay, so next, what we need to do, we just need to check in the Redis in-memory DB whether there is any key configured; if not, just simply add it. Just check in the Redis component dot hValues whether there is any value or not based on the API keys. Okay, so rather than hardcoding this API key, since I defined it in a constant, I can directly use that, AppConstants.RECORD_KEY. Okay, which will return me the list of objects, whether it is there or not; even if it is not there it will just return me the empty list, right? So I can name it list. Then here I will just add a check, if list.isEmpty: if there is no record, then just loop over it and add it to the Redis in-memory DB. So what I'll do, I'll just iterate over it, apiKeys.forEach, okay, then get the object, I'll just simply add it in the redisHashComponent.hSet. Okay, here you just need to provide the key, which will be nothing but the record key, meaning this is the constant; okay, let me copy this. Then next you need to provide the hash key, which is nothing but the API key, this is the API key. Okay, so how can I get that? This is the object I have of ApiKey, I can directly use k.getKey. Fine, then I can just pass the complete object of ApiKey. This is what I am just adding here, guys. So this is what I just want to execute at the time of application startup, so I can simply annotate here with @PostConstruct. At the time of application startup I just want to configure these API keys and the corresponding microservices' service ID and route ID to the Redis in-memory DB; that is the intention of this particular method.

Now the next step: we need to define the router in our API gateway application. So if you go to the PPT, if the URL is coming with /students, then redirect that request to the student service; if it comes with /courses, then redirect it to the course service. So this is the router logic we need to write here. Okay, so we can create a separate class, but for now I will add it in the main class only. So just write public RouteLocator, okay, then I'll name it something like customRouteLocator or something like that. Fine, then I need to pass the argument as a route builder, okay, RouteLocatorBuilder, so I will just give RouteLocatorBuilder, then just give the name. Okay, I will just annotate this with @Bean. Then here what you need to do, you need to write return builder dot route the request, okay, then just route, see this, routes, because it can route to multiple requests. Okay, that's the reason, builder.routes. Now route this request to the, what I can say, you can map the endpoint as well as the service ID: if, with a specific API key and the service ID, it maps to this corresponding one and matches, then forward that request to the corresponding microservice. Okay, something like that concept.

So let me show you, constants, okay, AppConstants dot, I'll just add for the student service, next we will add for the course service. If the route ID is the student service key, and then if the path which is coming, r.path, is /, what I will give, /api/student-service/**. Okay, then just filter that request, if I... filter that, okay, give me a second, just filter that request and pass it to the URL I will just specify here. Okay, f.prefix, just pass it to, and specify the URI, which is nothing but http://localhost:8081. Okay, and then just build it. So you can remove this and you can add it here, that is fine. Now I don't want to build it, because I have another service, which is the course service. Now to cross-verify, let me show you, the student service is hosted on port 8081. Okay, that is why I just gave the correct host and port. Similarly, rather than build it, what I'll do, I will just remove this for now, I'll just add another route statement for the student service, just paste it, okay, and now this is for the course service. Just added, and just specify the URL patterns here. Now, if the request is coming with /api/course-service, then redirect that request to 8082, where my course service is up and running. Now I'll simply build it, that's it. Okay, let me format this code, so you can format this as well. Fine.

So this is a simple statement, guys. This is what we also used in our traditional approach with Spring Cloud Gateway, if you remember; there we configured it in our application.yml file, and here I am just writing the custom router with the specific Ant matchers, or you can say with the patterns. If the service ID is student service key and if the URL is coming with this particular endpoint, then redirect that request to this. If the route ID or service ID is course service key and the path is /api/course-service, then redirect the request to this 8082 server.

But before the redirect we want to authenticate that particular request; we also want to authorize that particular request, right? So how can we do that? Before routing any request to the API gateway, and the API gateway routing it to the corresponding microservices, we need to intercept that request, right? For that we can create a filter class. So just write a Java class and name it AuthFilter. Fine, then just annotate this with @Component, okay, this should be capital, Component. Then also I just want to add Slf4j from Lombok. Then extend this or implement this class from something called GlobalFilter; if you observe, this came from Spring Cloud Gateway. Okay, it means first the request will be intercepted by this global filter, then it will go to your API gateway. And also specify Ordered. Fine, add it. Now you just need to override the methods filter and getOrder. So in getOrder you can specify something like Ordered, okay, dot, it is an enum, so I'll just give LOWEST_PRECEDENCE.

Now in this filter you need to write the actual logic to authenticate and authorize that request. Okay, so before we authenticate, first let's get the API key or gateway key from the header which the user will pass. So how can I get that? I can specify a list of... I can directly get it from the exchange object. Okay, so I'll just write List of String, then I'll name it apiKeysHeader, okay, then I will just get it from exchange.getRequest, then getHeaders, then I'll just give the key to get it, the key or the header key which you are going to pass, that is gateway key; you can name it, okay, the same you need to pass as part of your request header, gateway key. Just add a semicolon. Now I also just want to log it: log.info, I'll name it something like, uh, api key, then I'll just, something like, I'll just add a... I'll just return this API key header, so I can do it in this way; I will just specify this, and I'll just rename it apiKeyHeader, h-e, okay, there is a spelling mistake. Fine, I'll just copy this, I will add it. So from the request you'll get the API key, which is nothing but the gateway key.

Now the next step: you need to get the route ID or the service ID from the API gateway. Okay, so if you go and check the main class which you wrote, because as part of the request we are also giving the service key; even though you are not passing it as part of the header, Spring Cloud Gateway knows the service ID, because we only configured it with the URL, right? So that we need to get here. Okay, so how can I get it? There is a logic: Route, get the route, it should come from Spring, okay, let me get the proper Route. Fine, get the route; then you can get it from exchange.getAttribute. Okay, give the attribute name; ServerWebExchangeUtils, some class is there, ServerWebExchange, okay, this is the class, dot, you can use this GATEWAY_ROUTE_ATTR. Okay, so once you get the route object, then you can get the route ID: String routeId equal to, you can directly check, if the route object is not equal to null, then you can get it from the route object itself, right, otherwise you can return null. Fine.

Now we just need to validate: if routeId is equal to null, okay, or the user is not giving any API key as part of the header, so we can write something like CollectionUtils, okay, dot isEmpty, apiKeyHeader. Okay, next, see, this is what we are checking: whether there is any route ID or not, whether the user is giving the API key header or not. If the user is giving these two, okay, let me go back, if the user is giving these two fields, then we just need to authorize that request. Okay, so to authorize that request, what I'll do, I'll just write another private method which will authorize the request: private isAuthorized, a-u-t-h-o-r-i-z-e-d. Okay, now how can you authorize? Based on the route ID and API key; this is the information we are giving here, right, API key and route ID. So I can just pass the arguments String routeId, String apiKey. Fine. So with this information I will just check in my Redis component, or sorry, Redis in-memory DB; I'll check with this API key whether there is a record or not, or whether there is a service mapped to this API key or not. If it is there, then this particular request is authorized to access that particular microservice.

Okay, so for that, what I will do, I just need to inject the RedisHashComponent. RedisHashComponent, I can simply @Autowired it. Fine, just add an enter, and then I can write that logic here. So I will just check the API key: apiKeyObject, I will name it something like that. I'll check in the Redis in-memory DB. Okay, how can I check that? redisHashComponent, there is a method you defined, hGet. Okay, we'll give the key, which is nothing but the constant API key, so I will just give AppConstants.RECORD_KEY; now give the actual key, okay, which is nothing but the API key which you are passing as part of the header. With this, whether there is any object present in the Redis component; if yes, how can I build it? If apiKeyObject is not equal to null, it means there is some record present with this key in the Redis component; then get that API key object, okay, key, and then convert that using the, uh, what is the class name we created, object map or something like that, okay, let me check, MapperUtils. MapperUtils.objectMapper, give the API key object and convert it to the corresponding class, which is API keys, ApiKey.class.
Fine. Now I'll just check: return key.getServices.contains the incoming route ID or not. Fine, guys. Now if you see here, the route ID is nothing but the service ID. Okay, I will show you the diagram again: the route ID is nothing but the service ID here. What I am checking in the Redis DB or Redis in-memory database: I am getting the API key, the entire API key object, based on the API key, which is nothing but the gateway key which we will pass as part of the header. Then I will just check whether the incoming route ID is present for this particular service or not, or whether the route ID is mapped to this particular service with this API key or not. Okay, this is how we just simply authorized it. If it is correct then return it, otherwise just return, else return false. Fine. So this is a straightforward way to authorize it: check the Redis DB, get the API key object; if it is there, then just check the route ID, whether it is mapped to the listed services in the DB or not.

Okay, now what I'll do, I'll just check here, or isAuthorized, give the route ID and the API key header, right, get it, dot get, give it 0, the first index. Okay, if it is not authorized, and there is no header, and there is no route ID, then simply I want to throw an exception: throw new, I'll give something like ResponseStatusException, I'll give the HTTP status, so I can give unauthorized, which will be 401, okay, UNAUTHORIZED, and also I just want to specify some message, "you cannot consume this service, please check your API key" or something like this: "you can't consume this service, please validate your API keys". Fine. So I'll just return this exception if the user is not authorized, if there is no API key and there is no route ID; otherwise I'll just continue my filter, kind of thing. Okay, so I don't want to write any else statement, guys; I can directly return chain.filter, give the exchange object, continue the flow. That is it. So this is the actual logic to authenticate and authorize the incoming request based on the gateway key header which the user will pass as part of the request and the configured service key for the student service and courses service.

Okay, so I believe we are good now. We created a filter, we just created the router, okay, everything we created. Now what I will do, I will just start the student service and course service, then we will try to access them from the API gateway. So let me quickly go to the student service, let me start it; in parallel let me go to the course service, then I'll just start it. But before starting this Spring gateway security, since we are using Redis, I just need to start my Redis server locally, right? So there is a command, I can use this, but how we can use it in Windows, that I already covered in this tutorial. Okay, in this tutorial; we'll follow the same here while working on this particular example. So I'll just go to the terminal, I will just start this Redis. It will take a few seconds to start Redis. Yeah, successfully started.

Now let me see whether these two classes, these two services, are up and running or not. Okay, the student service is up and running on port 8081; similarly the course service is running on port 8082, okay, you can see here. Now we started Redis and we added all the things. Let me cross-verify: we added the Redis config, we added the hash component, we created the DTO, the filter, yeah, it looks good. Now let me start it. Fine, let's go to the main class; anything? Let me cross-verify. Fine, now let me start this application. Okay, so I just want to add a debug point so that I can show you that on application startup we are adding a few values, a few API keys, to the application, okay, or the Redis component. Now also I just want to show you the authentication filter logic. Fine, I'll just show you here, but before debugging let's start in the normal mode without debug, then we'll debug the code and we'll try to understand the flow. Okay, let's go to the main class, I will directly start it. The Spring gateway will by default start on port 8080, because you didn't specify any port here. Okay, so let's wait for it to complete.
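The filter described in the narration above, written out as an added example; it is not the video's own source code. The header name gatewaykey, the Redis hash name api-keys, the package name and the nested ApiKey class are assumptions, and the project is assumed to have the Spring Cloud Gateway, Spring Data Redis and Jackson dependencies on its classpath.

```java
// Added example: a sketch of the gateway filter the narration describes.
// Assumed names (not confirmed by the page): header "gatewaykey",
// Redis hash "api-keys", the package, and the nested ApiKey class.
package com.javatechie.security.filter; // hypothetical package

import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.cloud.gateway.route.Route;
import org.springframework.cloud.gateway.support.ServerWebExchangeUtils;
import org.springframework.core.Ordered;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.util.CollectionUtils;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.util.ArrayList;
import java.util.List;

@Component
public class AuthFilter implements GlobalFilter, Ordered {

    private static final Logger log = LoggerFactory.getLogger(AuthFilter.class);
    static final String API_KEY_HEADER = "gatewaykey"; // assumed header name
    static final String RECORD_KEY = "api-keys";       // assumed Redis hash name

    /** Mirrors the narrated DTO: one API key mapped to the route IDs it may call. */
    public static class ApiKey {
        private String key;
        private List<String> services = new ArrayList<>();
        public String getKey() { return key; }
        public void setKey(String key) { this.key = key; }
        public List<String> getServices() { return services; }
        public void setServices(List<String> services) { this.services = services; }
    }

    private final RedisTemplate<String, Object> redisTemplate;
    private final ObjectMapper mapper = new ObjectMapper();

    public AuthFilter(RedisTemplate<String, Object> redisTemplate) {
        this.redisTemplate = redisTemplate;
    }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        List<String> apiKeyHeader = exchange.getRequest().getHeaders().get(API_KEY_HEADER);
        Route route = exchange.getAttribute(ServerWebExchangeUtils.GATEWAY_ROUTE_ATTR);
        String routeId = route != null ? route.getId() : null;

        // Log the route only; the key is a credential and stays out of the logs.
        log.info("checking API key for route {}", routeId);

        // Fail closed: no matched route, no header, or no mapping all end in 401.
        // Short-circuit order matters: get(0) is reached only for a non-empty list.
        if (routeId == null
                || CollectionUtils.isEmpty(apiKeyHeader)
                || !isAuthorized(routeId, apiKeyHeader.get(0))) {
            return Mono.error(new ResponseStatusException(HttpStatus.UNAUTHORIZED,
                    "You can't consume this service, please validate your API key"));
        }
        return chain.filter(exchange);
    }

    /** True only if the presented key exists and lists this route ID. */
    boolean isAuthorized(String routeId, String apiKey) {
        Object stored = redisTemplate.opsForHash().get(RECORD_KEY, apiKey);
        if (stored == null) {
            return false; // unknown key
        }
        ApiKey record = mapper.convertValue(stored, ApiKey.class);
        return record.getServices() != null && record.getServices().contains(routeId);
    }

    @Override
    public int getOrder() {
        // The narration uses Ordered.LOWEST_PRECEDENCE; an early order is chosen
        // here so the check runs ahead of the filters that forward the request.
        return Ordered.HIGHEST_PRECEDENCE;
    }
}
```

RedisTemplate calls block the calling thread; on a WebFlux gateway under load, ReactiveRedisTemplate avoids tying up the event loop.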
Okay, "cannot access Redis client JedisPoolConfig", here it is. Let me build this code once again, I'm not sure. Okay, fine, it seems there is "Java cannot access redis.clients JedisPoolConfig, class file for Redis client". Okay, let's go to the pom.xml. We added the dependency, that is right. Let me refresh this. Now let me start the application. Okay, so the build succeeded, it started the application. So we added this dependency manually, guys, but we didn't re-import it, okay, so this dependency or JAR is not there in the classpath. So it is starting now. You can see here there is something, router predicate factory, "cannot determine local host name". Okay, yeah, so you can see here it started on port 8080. Now what I'll do, I will go to the browser, or I'll go to Postman. I'll create a new request, an HTTP request, which will be GET, so I'll just give HTTP from the API gateway. Now the request I will trigger to the API gateway, okay, so I just need to provide http localhost, and the API gateway is running on port 8080. And then if you will go to the main class, let me minimize this, go to the main class, here you specify: if the user is giving this URL, API student service, then redirect that request to this 8081, which is nothing but the student service, right. So I'll just give that URL. If I am giving slash API student service then redirect that request to the student microservice and access the endpoint students from the student service. So I will go to the student service, the endpoint which you defined is students, right, I am giving the same endpoint. So just go to Postman. Fine, I gave the same endpoint. Now in authorization we just need to provide API key based authentication, and the header is something we configured in our filter. Let me go to the API gateway logic, go to the filter class. The key which we are expecting to be passed as part of the request header is this gateway key, right, I will give the same gateway key. Now the key which you defined, if you will go to the main class, this is what the key will define, right. If you will give this
particular key as a gateway key then you are able to access both the student service as well as the course service. Fine. If you will give this one you are only able to access the course service, not the student service. We'll try both cases. Okay, go to Postman and I will give this key. With this key I am able to access both student and course. Now let me hit this endpoint. I am seeing the response from the student microservice here, right, all the three student objects which I added I can see here. Now with the same key I just want to try to access the course microservice, so I'll just change the URL. See, guys, if you see the URL for accessing the course service, this is the API gateway URL. Now go to your course microservice and get the endpoint from there as well. Go to the main class, this is what it is, slash courses. Okay, first you need to provide the URL from the API gateway, I will give it, okay, API slash courses, course service. Okay, then the URL from the course service is this. Go to Postman and access this. Now I will click on send. I can see all the results from the course microservice as well. It means the gateway key which we are giving is applicable, or it is configured for these two services, student service and course service, using the route ID or service ID. Now if you'll check with this particular URL, oh sorry, with this particular API key, I am able to access only the course service. Okay, now what I'll do, with this particular API key I will try to access the student service, then definitely I'll get 401 unauthorized access. So let's verify that. Gateway, I will give the header this, and I want to access student service slash students. Fine, now if I click on send I am getting 401, okay, because this API key is not mapped to the student service key and I am trying to access it with the request from the API gateway, right. Now the authentication filter will validate it and it will throw you the exception. So to show you that, what I'll do, I'll just stop this and I will run it in debug mode so that I can
show you that before the request comes to the Spring Cloud Gateway it will be intercepted by the auth filter and it will authorize that request. Okay, so I'll just add a, yeah. Now let me go to the main class as well so that I can show you on application startup what values are being populated to the Redis in-memory DB. So I hope this concept is clear for you guys, right, there is nothing to demonstrate further: give the valid gateway key and access your API. For this valid API key you need to configure the service ID, that is how we configured it here, right, for this one student service and course service, for this one course service. Fine, now let me debug this. So the request at startup should come to this init key to Redis. Okay, it will take a few seconds. So this will execute first because we annotated it with PostConstruct, which will work as an init method. So let me show you the debugging statement. So in this API key we are adding new API key of this and we are giving the service key or route key. Okay, so let me show you here directly, I'll directly resume this, I will show you the API keys here. Now if you see in this API key, let me, okay, let me evaluate this. If you'll see, we have the API key this and we configured the IDs of two services here, right, one for student service, one for course service. And this is the API key, this is the ID, or service ID, or route ID, for the student service. Now we manually added these things to the API key object, and that API key object we are inserting into the Redis database. So I'll just resume this, there is nothing to debug, now this value will be set in our Redis database. So once the application starts I will show you the statement for the auth filter. Okay, it is started. Now what I'll do, I will go to the auth filter. Now I'll send the request. Okay, so this is the not-happy-scenario request because we are giving the, uh, API key, and with that API key you can't access the student service, right, with this API key you can only access the course service. So I'll just send the request. In the auth filter I will show you:
from the API key header, from the request, I will get the API key header and I will just log that. You can see this is my API key. Okay, and I will also try to get the route ID. Okay, now if you see the route ID, let me show you the route ID, which is nothing but your service ID. You can see here this is the service ID. Now this service ID is for the student service, so if you will verify it, the end is bud. OK, go to the main class, you can go and check in app constants. Correct, this is for the student service. That is what we are giving, guys, right, we are giving the student service URL, the request will go to the API gateway, from the API gateway it will get the route ID and it will pass to the header. Okay, let me go back. Fine, it will get the route ID. Now it will check if route ID equals null, and if there is no API key header, and if it is an authorized user. So these two conditions will pass because we are getting the value from the header, right. Now it will go to the isAuthorized statement, so let's move the cursor here. It will just go to the Redis database and it will just take the API key. You can see this is the API key you are giving, right, which is the gateway key that as part of the request we are passing, and it will fetch from the database and it will check if there is no object. But we have the object here, the statement is true here. There are two objects, you can see here, key this and service this, right. Now just go to the next step, you'll get the API key object. Fine, now with this key.getServices, which will give you the list of service IDs, with that particular API key we have only one, which is course service, and what you are giving is a different one. So you can see here, guys, right, this is different, and what is there in my key.services, API key or services, is different. Let me show you, this is completely different, so it will return false. Because see, I will show you once again: if you'll go to the main class, for this particular API key you can only access the course service, but with this API key I am
trying to access, with this API key, this is the same which I showed you just now, I am trying to access the student service, which is not authorized, we can say. Okay, because this particular key is not for the student service, it is for the course service. Since we are hitting the URL of the student service you are getting the, uh, where did it go, let me go to the default statement, you are getting the route ID for the student service, not for the course service. Okay, and from the DB with that key it found the service ID of the course service. You can see here this is for the course service and this is for the student service, that is completely mismatched. Here it will fail, you'll get the throw statement directly. Okay, I'll just throw it. Now if you'll go and check you'll get the 401. So if I give slash course hyphen service and slash courses you are able to access it, because for the input gateway key, with that gateway key, you can find the valid service ID or route ID from the Redis database, okay, and it will be authorized to access that particular microservice. That's what we configured in our main class, right, the API key and the corresponding key of your microservices. So I hope this concept is clear for you. If you have a bunch of microservices and you are interrupting them using Spring Cloud Gateway then in Spring Cloud Gateway itself you can implement the security. You can use this API key mechanism or you can use JWT token based authentication. Okay, so let me know in the comment section if you guys are interested to know how we can implement token based authentication in Spring Cloud Gateway. That's all about this particular video, guys. Thanks for watching this video, meet you soon with a new concept.
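The authorization decision walked through in the captions, as an added example in plain Java; it is not the code from the video. The class name, the in-memory map standing in for the Redis store, and all key and route ID values are constructed for illustration. It covers the cases the walkthrough names (missing route ID, missing header, key mapped to a different service) plus an unknown key, and rejects every one of them.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class GatewayKeyCheck {
    // Hypothetical stand-in for the Redis hash: gateway key -> route IDs it may call.
    // All values below are constructed samples, not the ones used in the video.
    static final Map<String, Set<String>> KEY_STORE = Map.of(
        "SAMPLE-KEY-BOTH", Set.of("student-route-SAMPLE", "course-route-SAMPLE"),
        "SAMPLE-KEY-COURSE", Set.of("course-route-SAMPLE"));

    /** True only when the presented key exists and is mapped to the matched route. */
    static boolean isAuthorized(String routeId, List<String> keyHeader) {
        // Fail closed: a missing route ID or header is a rejection, never a pass-through.
        if (routeId == null || keyHeader == null || keyHeader.isEmpty()) return false;
        String presented = keyHeader.get(0);   // first header value, as in the walkthrough
        if (presented == null || presented.isBlank()) return false;
        Set<String> allowed = KEY_STORE.get(presented);
        if (allowed == null) return false;     // unknown key: no record in the store
        return allowed.contains(routeId);      // key must be mapped to THIS route
    }

    static void show(String label, String routeId, List<String> keyHeader) {
        String outcome = isAuthorized(routeId, keyHeader)
            ? "continue filter chain" : "401 Unauthorized";
        System.out.printf("%-38s -> %s%n", label, outcome);
    }

    public static void main(String[] args) {
        show("both-services key, student route", "student-route-SAMPLE", List.of("SAMPLE-KEY-BOTH"));
        show("course-only key, course route", "course-route-SAMPLE", List.of("SAMPLE-KEY-COURSE"));
        show("course-only key, student route", "student-route-SAMPLE", List.of("SAMPLE-KEY-COURSE"));
        show("unknown key", "course-route-SAMPLE", List.of("NOT-IN-STORE"));
        show("no header at all", "course-route-SAMPLE", List.of());
        show("blank header value", "course-route-SAMPLE", Arrays.asList(" "));
        show("no matched route", null, List.of("SAMPLE-KEY-BOTH"));
    }
}
```

Only the first two cases continue the chain; the third is the mismatch debugged above, where the course-only key is presented for the student route.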
Info
Channel: Java Techie
Views: 42,520
Keywords: spring cloud gateway security, secure microservice, security, microservices, javatechie, APIKey based security
Id: g4As3PLg6Ts
Length: 55min 47sec (3347 seconds)
Published: Sat Mar 12 2022