Secure (Spring) Microservices


Microservices offer scalability and flexibility but increase the attack surface. Securing Spring-based microservices requires a layered approach covering client, API gateway, services, data, and infrastructure.

1️⃣ Authentication & Authorization

  • Authentication – Verifies the identity of a user or system.
    Example: Logging in with username/password or OAuth token.

  • Authorization – Determines what a verified user can access (roles, permissions).

    Example: Admins can access /admin/**, users cannot. 


Authentication Approaches in Spring

Authentication verifies who a user is. Spring provides multiple ways to implement it depending on your needs: stateless, session-based, enterprise directories, or external providers.

1) OAuth 2.0 / OpenID Connect

  • Definition: Token-based authentication via an external Identity Provider (IdP). Supports single sign-on and microservices.

  • Example IdPs: Keycloak, Okta, Auth0, AWS Cognito, Azure AD.

  • Token Type: Usually JWT.

  • How it Works:

    1. Client requests login via IdP.

    2. IdP authenticates and issues JWT access token.

    3. Token sent with API requests (Authorization: Bearer <token>).

  • Spring Example (Resource Server):

@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2.jwt());
        return http.build();
    }
}

  • Use Case: Microservices needing centralized authentication.


2) JWT (Stateless Token Authentication)

  • Definition: Self-contained token carrying user claims; no server session needed.

  • Usage: Authorization: Bearer <token> header.

  • Advantages: Lightweight, scalable, can store roles/permissions.

  • Spring Example (Creating JWT):

String token = Jwts.builder()
    .setSubject(user.getUsername())
    .claim("roles", user.getRoles())
    .setIssuedAt(new Date())
    .setExpiration(new Date(System.currentTimeMillis() + 3600000)) // 1 hour
    .signWith(SignatureAlgorithm.HS256, secretKey)
    .compact();

  • Use Case: Stateless APIs and microservices.


3) Basic Authentication

  • Definition: Simple HTTP auth using username/password encoded in Base64.

  • Spring Example:

        http
            .authorizeHttpRequests().anyRequest().authenticated()
            .and().httpBasic();

  • Use Case: Quick prototyping or internal APIs (always use HTTPS in production).


4) LDAP Authentication

  • Definition: Authenticate against Lightweight Directory Access Protocol (LDAP) server (e.g., corporate directories).

  • Spring Example:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.ldapAuthentication()
        .userDnPatterns("uid={0},ou=people")
        .groupSearchBase("ou=groups")
        .contextSource().url("ldap://localhost:8389/dc=springframework,dc=org");
}

  • Use Case: Corporate environments using centralized directories like Active Directory.


5) SAML (Security Assertion Markup Language)

  • Definition: XML-based protocol for single sign-on (SSO) in enterprise environments.

  • How it Works:

    1. User logs in via Identity Provider (IdP).

    2. IdP sends a SAML assertion to the Service Provider (SP).

    3. SP validates and grants access.

  • Spring Example:
    Use spring-security-saml2-service-provider dependency:

        http
            .saml2Login(saml2 -> saml2
                .loginPage("/saml2/authenticate"));

  • Use Case: Enterprise apps needing SSO across multiple systems.


6) API Key Authentication

  • Definition: Simple token-based access where clients include an API key in headers or query params.

  • Spring Example:

        http
            .addFilterBefore(new ApiKeyFilter("X-API-KEY"), UsernamePasswordAuthenticationFilter.class);

  • Use Case: Public APIs, microservices, or internal apps needing simple token access.


7) Form-Based Login

  • Definition: Traditional username/password login with session-based authentication.

  • Spring Example:

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll());
  • Use Case: Web applications with server-side session management.

Comparison Table of Authentication Approaches

Approach

Stateless

Token Type / Session

Use Case

OAuth 2.0

Yes

JWT

Centralized microservice auth

JWT

Yes

JWT

Stateless API auth

Basic Auth

No

None

Internal APIs, quick prototyping

LDAP

No

None

Corporate directory auth

SAML

No

XML Assertion

Enterprise SSO

API Key

Yes

API key

Public/internal APIs

Form Login

No

Session

Web apps, traditional login forms



Authorization Approaches in Spring

Authorization determines what a user is allowed to do. Spring provides several ways to implement it, from roles to fine-grained permissions.

1) Role-Based Access Control (RBAC)

  • Definition: Grant access to resources based on user roles (e.g., ADMIN, USER).

  • How it Works:

    1. Assign roles to users during authentication.

    2. Use Spring Security to check roles when accessing endpoints.

  • Spring Example:

        http
            .authorizeHttpRequests()
            .requestMatchers("/admin/**").hasRole("ADMIN")          // Only ADMIN can access
            .requestMatchers("/user/**").hasAnyRole("USER","ADMIN") // USER or ADMIN can access
            .anyRequest().authenticated();

  • Use Case: Applications with simple role hierarchies, e.g., Admin vs Regular User.


2) Method-Level Security

  • Definition: Protect specific methods in controllers or services using annotations rather than only URL paths.

  • Annotations:

    • @PreAuthorize – evaluates Spring Expression Language (SpEL) expressions before method execution.

    • @PostAuthorize – evaluates after method execution.

  • Spring Example:

        @RestController
        public class UserController {

            @PreAuthorize("hasRole('ADMIN')")
            @GetMapping("/admin/users")
            public List<User> getAllUsers() {
                return userService.findAll();
            }

            @PreAuthorize("hasAnyRole('USER','ADMIN')")
            @GetMapping("/profile")
            public User getProfile(@AuthenticationPrincipal User user) {
                return user;
            }
        }

  • How it Works: Only users with the required role can invoke the method; others get a 403 Forbidden response.

  • Use Case: When URL-based authorization is insufficient or you need method-specific control.


3) Permission-Based Authorization (Fine-Grained Control)

  • Definition: Instead of broad roles, use specific permissions or authorities (e.g., USER_READ, USER_WRITE).

  • How it Works:

    1. Assign authorities to roles or directly to users.

    2. Use @PreAuthorize or @Secured annotations to check permissions.

  • Spring Example:

        @PreAuthorize("hasAuthority('USER_READ')")
        @GetMapping("/users/{id}")
        public User getUser(@PathVariable Long id) {
            return userService.getById(id);
        }

  • Use Case: Applications needing fine-grained access control, e.g., editing vs reading data.


Quick Comparison Table

Authorization Type

Level

Example Use Case

Role-Based (RBAC)

Endpoint / URL

Admin vs User access

Method-Level Security

Method

Protect controller or service methods

Permission-Based

Method / Endpoint

Fine-grained control (read/write access)

2️⃣ API Gateway Security

API Gateway (Spring Cloud Gateway, Kong, Istio Ingress) is the entry point for requests.

Features & Examples

  • Token Validation: Verify JWT before routing.

  • Rate Limiting: Limit requests per IP/user.

spring:
  cloud:
    gateway:
      routes:
        - id: user-service
          uri: http://user-service:8080
          predicates:
            - Path=/users/**
          filters:
            - name: RequestRateLimiter
              args:
                redis-rate-limiter.replenishRate: 5
                redis-rate-limiter.burstCapacity: 10

  • Throttling: Slow down excessive requests.

  • IP Whitelisting: Allow access only from trusted networks.

  • CORS Control: Restrict cross-origin requests.

@Configuration
public class CorsConfig {
    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/api/**")
                        .allowedOrigins("https://myapp.com")
                        .allowedMethods("GET", "POST", "PUT", "DELETE")
                        .allowCredentials(true);
            }
        };
    }
}

3️⃣ Service-to-Service Security

  • Definition: Internal microservices must trust each other.

  • mTLS (Mutual TLS): Both client & server authenticate using certificates.

  • Service Mesh (Istio/Linkerd): Automates mTLS, traffic rules, zero-trust policies.

server:
  port: 8443
  ssl:
    enabled: true
    key-store: classpath:service-a-keystore.jks
    key-store-password: changeit
    trust-store: classpath:truststore.jks
    trust-store-password: changeit
    client-auth: need

4️⃣ Data Security

  • Transport Security: Enforce HTTPS/TLS 1.2+.

  • Secret Management: Use Vault to store credentials.

spring:
  cloud:
    vault:
      uri: http://vault:8200
      token: s.1234567890abcdef
      kv:
        enabled: true
        backend: secret
        default-context: myapp

@Value("${db.password}")
private String dbPassword;

  • Password Hashing: Store passwords securely.

    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

5️⃣ Secure Coding Practices

  • Prevent SQL Injection

// Bad
String query = "SELECT * FROM users WHERE username='" + input + "'";

// Good
@Query("SELECT u FROM User u WHERE u.username = :username")
User findByUsername(@Param("username") String username);

  • Disable stack traces in production.

  • CSRF protection for session-based apps (disable for JWT APIs).

  • Content Security Policy (CSP) headers to reduce XSS risk.

6️⃣ Monitoring & Auditing

  • Spring Security Audit Logging

@Bean
public ApplicationListener<AuditApplicationEvent> auditListener() {
    return event -> System.out.println("AUDIT: " +
            event.getAuditEvent().getType() + " - " +
            event.getAuditEvent().getPrincipal());
}

  • Centralized Monitoring:

    • Logs → ELK/EFK or Loki + Promtail + Grafana

    • Metrics → Prometheus + Grafana

    • Traces → Jaeger / Zipkin

7️⃣ Infrastructure & Container Security

  • Docker Security

FROM eclipse-temurin:17-jdk
RUN addgroup spring && adduser --system --ingroup spring spring
USER spring:spring
COPY target/app.jar app.jar
ENTRYPOINT ["java","-jar","/app.jar"]

  • Kubernetes Security

    • RBAC – restrict who can access resources.

    • Network Policies – control pod communication.

    apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
          name: allow-gateway-to-userservice
      spec:
          podSelector:
              matchLabels:
                  app: user-service
      ingress:
          - from:
              - podSelector:
                  matchLabels:
                      app: api-gateway

  • Secrets: Store credentials securely (encrypted).

  • Pod Security: Non-root, read-only filesystem.

  • Image Scanning: Trivy / Clair / Anchore.

8️⃣ Stable Tech Stack

Layer

Recommended Tech

Security Core

Spring Boot + Spring Security

API Gateway

Spring Cloud Gateway

Authentication

Keycloak / Okta / Auth0

Secrets

HashiCorp Vault + Spring Cloud Config

Service Mesh

Istio / Linkerd

Monitoring

Prometheus + Grafana + Loki + Jaeger

Containerization

Docker + Kubernetes

Final Checklist

✔ OAuth2 + JWT for user identity
✔ Centralized API Gateway (rate limiting, CORS, IP whitelisting)
✔ Service-to-service trust (mTLS/service mesh)
✔ Secrets stored in Vault
✔ Encrypt data in transit & at rest
✔ Secure coding practices (SQL injection, password hashing, CSRF)
✔ Centralized monitoring & audit logging (ELK/Loki alternative)
✔ Hardened infrastructure (non-root Docker, K8s RBAC, network policies)

By