1

My architecture looks like this. I use a gateway to redirect requests to different microservices. I have an auth-service for JWT validation in the gateway. In addition to the above there are two services: X and Y. I would like to use the token in services X and Y because, depending on the role, the user can or cannot perform certain actions. I get the user roles from the token. I wouldn't want to re-validate on sites X and Y just to pull out a role.

Role-based validation looks like this: @PreAuthorize("hasRole('ROLE_ADMIN')")

4
  • I will let someone else answer, maybe there is a more Spring way to do it. But a simple way is to just forward the JWT (or just the payload part, the part between the two dots in the JWT) and let X and Y dig out the scopes themselves using base64 decoding. X and Y do not need to check the signature of the JWT again. Commented Apr 3, 2024 at 9:13
  • Thanks for your comment. The application will run behind a firewall, on the company internal network. I was thinking about deleting role-based security and specifying allowed origins in the gateway service. Thanks to this solution, role forwarding will not be necessary and I will be sure that no one will try to send requests to an unauthorized endpoint. Commented Apr 3, 2024 at 9:58
  • with gateway, do you mean spring cloud gateway? Commented Apr 10, 2024 at 9:10
  • Yes, I mean spring cloud gateway Commented Apr 11, 2024 at 9:13
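A worked model of the flow discussed in this thread, added here as an example and not code from the question or the comments: the gateway verifies the HS256 signature once, strips any client-supplied roles header and forwards a trusted one, and services X and Y read roles without re-validating. A forged payload segment (payload rewritten, original signature kept) shows why the comment's base64-only decoding is safe only when the gateway is the sole way to reach X and Y. It is plain Python with the standard library standing in for Spring Cloud Gateway and Spring Security; the header name X-User-Roles, the secret, the claims and the tokens are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; in practice the gateway's auth-service holds the JWT key
# (or the issuer's public key) and services X and Y never need it.
SECRET = b"demo-shared-secret-not-for-production"
ROLES_HEADER = "X-User-Roles"  # assumed name for the header the gateway sets


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it or decoding fails.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 token the way the auth-service would (constructed issuer)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Gateway-side check: alg pinned to HS256, signature must verify; else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None


def roles_from_payload_segment(token: str) -> list:
    """What the comment proposes for X and Y: take the part between the two dots,
    base64-decode it, no signature check. This trusts whoever handed over the token."""
    return json.loads(b64url_decode(token.split(".")[1])).get("roles", [])


def gateway(request: dict) -> Optional[dict]:
    """Validate the bearer token and forward the request with a trusted roles header.
    Any client-supplied copy of that header is dropped first; otherwise a caller
    could inject ROLE_ADMIN alongside a perfectly valid low-privilege token."""
    headers = {k: v for k, v in request["headers"].items()
               if k.lower() != ROLES_HEADER.lower()}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = verify_jwt(auth[len("Bearer "):])
    if claims is None:
        return None
    headers[ROLES_HEADER] = ",".join(claims.get("roles", []))
    return {"path": request["path"], "headers": headers}


def service_has_role(forwarded: dict, role: str) -> bool:
    """Service X/Y side: no re-validation, only the header the gateway set."""
    roles = forwarded["headers"].get(ROLES_HEADER, "").split(",")
    return role in roles


def tamper(token: str, roles: list) -> str:
    """Attacker: rewrite the payload segment but keep the original signature."""
    header, _payload, sig = token.split(".")
    forged = b64url_encode(json.dumps({"sub": "mallory", "roles": roles}).encode())
    return f"{header}.{forged}.{sig}"


if __name__ == "__main__":
    user_token = make_jwt({"sub": "alice", "roles": ["ROLE_USER"]})
    # Valid token plus an injected roles header: the gateway overwrites the header.
    fwd = gateway({"path": "/x/admin", "headers": {
        "Authorization": "Bearer " + user_token, ROLES_HEADER: "ROLE_ADMIN"}})
    print("admin via injected header:", service_has_role(fwd, "ROLE_ADMIN"))
    forged = tamper(user_token, ["ROLE_ADMIN"])
    print("forged payload decodes to:", roles_from_payload_segment(forged))
    print("gateway accepts forged token:", verify_jwt(forged) is not None)
```

In Spring Cloud Gateway the `gateway` function corresponds to a filter that validates the token and then mutates the request headers before routing (the built-in RemoveRequestHeader and AddRequestHeader filters do the header part); in X and Y a small filter maps the forwarded header into granted authorities so `@PreAuthorize("hasRole('ROLE_ADMIN')")` works unchanged. Because nothing downstream checks the signature, X and Y must only be reachable through the gateway (network policy, mTLS or an allow-list of the gateway's address), or the shortcut turns into an authorization bypass for anyone who can open a socket to them.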
