{"id":89400,"date":"2019-03-18T08:55:04","date_gmt":"2019-03-18T06:55:04","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/?p=89400"},"modified":"2019-03-25T08:44:35","modified_gmt":"2019-03-25T06:44:35","slug":"secure-service-spring-microservices","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2019\/03\/secure-service-spring-microservices.html","title":{"rendered":"Secure Service-to-Service Spring Microservices with HTTPS and OAuth 2.0"},"content":{"rendered":"

\u201cI love writing authentication and authorization code.\u201d ~ No Java Developer Ever.<\/b> Tired of building the same login screens over and over? Try the Okta API for hosted authentication, authorization, and multi-factor auth.<\/a><\/span><\/p>\n

Building a microservices architecture is possible with minimal code if you use Spring Boot, Spring Cloud, and Spring Cloud Config. Package everything up in Docker containers and you can run everything using Docker Compose. If you\u2019re communicating between services, you can ensure your services are somewhat secure by not exposing their ports in your docker-compose.yml<\/code> file.<\/p>\n

But what happens if someone accidentally exposes the ports of your microservice apps? Will they still be secure or can anyone access their data?<\/p>\n

In this post, I\u2019ll show you how to use HTTPS and OAuth 2.0 to secure service-to-service communication.<\/p>\n

Develop a Microservices Stack with Spring Boot, Spring Cloud, and Spring Cloud Config<\/h2>\n

I\u2019m going to shortcut the process of building a full microservices stack with Spring Boot, Spring Cloud, and Spring Cloud Config. My buddy, Raphael, wrote a post on how to build Spring microservices and Dockerize them for production<\/a>. You can use his example app as a starting point. Clone the okta-spring-microservices-docker-example<\/a> project:<\/p>\n

git clone https:\/\/github.com\/oktadeveloper\/okta-spring-microservices-docker-example.git spring-microservices-security\ncd spring-microservices-security\n<\/pre>\n
This project requires two OpenID Connect apps on Okta, one for development and one for production. You\u2019ll need to create each app on Okta if you didn\u2019t run through the aforementioned tutorial.<\/p>\n
Create OpenID Connect Apps on Okta<\/h3>\n
You can register for a free developer account<\/a> that will allow you to have up to 1000 monthly active users for $0. That should be plenty for this example.<\/p>\n
Why Okta? Because authentication is no fun to write. Okta has Authentication and User Management APIs that allow you to develop your apps faster. Our API and SDKs make it easy for you to authenticate, manage, and secure your users in minutes.<\/p>\n
After creating your account, create a new Web Application in Okta\u2019s dashboard (Applications<\/strong> > Add Application<\/strong>). Give the app a name you\u2019ll remember, duplicate the existing Login redirect URI and make it use HTTPS. Click Done<\/strong>.<\/p>\n
The result should look similar to the screenshot below.<\/p>\n
\n
\"Secure<\/figure>\n<\/div>\n
Create another app for production. I called mineProd Microservices<\/code>.<\/p>\n
In the project you cloned, modifyconfig\/school-ui.properties<\/code> to have the settings from your dev app.<\/p>\n
okta.oauth2.issuer=https:\/\/{yourOktaDomain}\/oauth2\/default\nokta.oauth2.clientId={devClientId}\nokta.oauth2.clientSecret={devClientId}<\/pre>\n
These settings will be used when running your apps individually using Maven. The production settings are used when running with Docker Compose. Modifyconfig-data\/school-ui-production.properties<\/code>to have the settings from your production app.<\/p>\n
okta.oauth2.clientId={prodClientId}\nokta.oauth2.clientSecret={prodClientId}\n<\/pre>\n
You can see thatspring.profiles.active<\/code>turns on the production profile indocker-compose.yml<\/code>:<\/p>\n
school-ui:\n  image: developer.okta.com\/microservice-docker-school-ui:0.0.1-SNAPSHOT\n  environment:\n    - JAVA_OPTS=\n      -DEUREKA_SERVER=http:\/\/discovery:8761\/eureka\n      -Dspring.profiles.active=production\n  restart: on-failure\n  depends_on:\n    - discovery\n    - config\n  ports:\n    - 8080:8080\n<\/pre>\n
Docker Compose runs from a directory above the apps, and it reads its data from aconfig-data<\/code> directory. For this reason, you\u2019ll need to copy these properties files into this directory. Run the following commands from the root of this project.<\/p>\n
cp config\/*.properties config-data\/.<\/pre>\n
Start Your Spring Microservices Stack with Docker Compose<\/h2>\n
This project has an aggregatorpom.xml<\/code> in its root directory that will allow you to build all the projects with one command. Run the following Maven commands to build, test, and build Docker images for each project.<\/p>\n
mvn clean install<\/pre>\n
\n
If you don\u2019t have Maven installed, you can install it with SDKMAN!<\/a>sdk install maven<\/code><\/p>\n<\/blockquote>\n
When the process completes, start all the apps { config, discovery, school-service, and school-ui } with Docker Compose. See Install Docker Compose<\/a> if you don\u2019t have it installed.<\/p>\n
docker-compose up -d<\/pre>\n
\n
You can use Kitematic<\/a> to watch the logs of each app as it starts up.<\/p>\n<\/blockquote>\n
Navigate tohttp:\/\/localhost:8080<\/a><\/code> in your favorite browser. You should be able to log in and see a list of school classes after doing so.<\/p>\n
\n
\"Secure<\/figure>\n<\/div>\n
Spring Security and OAuth 2.0<\/h3>\n
This example uses Okta\u2019s Spring Boot Starter<\/a>, which is a thin layer on top of Spring Security. The Okta starter simplifies configuration and does audience validation in the access token. It also allows you to specify the claim that will be used to create Spring Security authorities.<\/p>\n
Thedocker-compose.yml<\/code> file doesn\u2019t expose theschool-service<\/code> to the outside world. It does this by not specifyingports<\/code>.<\/p>\n
Theschool-ui<\/code> project has aSchoolController<\/code> class that talks to theschool-service<\/code> using Spring\u2019sRestTemplate<\/code>.<\/p>\n
@GetMapping(\"\/classes\")\n@PreAuthorize(\"hasAuthority('SCOPE_profile')\")\npublic ResponseEntity<List<TeachingClassDto>> listClasses() {\n\n    return restTemplate\n            .exchange(\"http:\/\/school-service\/class\", HttpMethod.GET, null,\n                    new ParameterizedTypeReference<List<TeachingClassDto>>() {});\n}<\/pre>\n
You\u2019ll notice there is security on this class\u2019s endpoint, but no security exists between the services. I\u2019ll show you how to solve that in the steps below.<\/p>\n
First, expose the port ofschool-service<\/code> to simulate someone fat-fingering the configuration. Change theschool-service<\/code>configuration indocker-compose.yml<\/code> to expose its port.<\/p>\n
school-service:\n  image: developer.okta.com\/microservice-docker-school-service:0.0.1-SNAPSHOT\n  environment:\n    - JAVA_OPTS=\n      -DEUREKA_SERVER=http:\/\/discovery:8761\/eureka\n  depends_on:\n    - discovery\n    - config\n  ports:\n    - 8081:8081<\/pre>\n
Restart everything with Docker Compose:<\/p>\n
docker-compose down\ndocker-compose up -d<\/pre>\n
You\u2019ll see that you don\u2019t need to authenticate to see data at http:\/\/localhost:8081<\/a><\/code>. Yikes! \ud83d\ude31<\/p>\n
Make sure<\/strong> to shut down all your Docker containers before proceeding to the next section.<\/p>\n
docker-compose down<\/pre>\n
HTTPS Everywhere!<\/h2>\n
HTTPS stands for “Secure” HTTP. HTTPS connections are encrypted and its contents are vastly more difficult to read than HTTP connections. There\u2019s been a big movement in recent years to use HTTPS everywhere, even when developing. There are issues you might run into when running with HTTPS, and it\u2019s good to catch them early.<\/p>\n
Let\u2019s Encrypt<\/a> is a certificate authority that offers free HTTPS certificates. It also has APIs to automate their renewal. In short, it makes HTTPS so easy, there\u2019s no reason not to use it! See Add Social Login to Your JHipster App<\/a> for instructions on how to usecertbot<\/code>with Let\u2019s Encrypt to generate certificates.<\/p>\n
I also encourage you to checkout Spring Boot Starter ACME<\/a>. This is a Spring Boot module that simplifies generating certificates using Let\u2019s Encrypt and the Automatic Certificate Management Environment (ACME) protocol.
 
<\/div> <\/div><\/p>\n
Make Local TLS Easy with mkcert<\/h3>\n
I recently found a tool called mkcert<\/a> that allows creatinglocalhost<\/code> certificates. You can install it using Homebrew on macOS<\/p>\n
brew install mkcert\nbrew install nss # Needed for Firefox<\/pre>\n
If you\u2019re on Linux, you\u2019ll need to installcertutil<\/code> first:<\/p>\n
sudo apt install libnss3-tools<\/pre>\n
Then run thebrew install mkcert<\/code> command using Linuxbrew<\/a>. Windows users can use Chocolately or Scoop<\/a>.<\/p>\n
Execute the followingmkcert<\/code> commands to generate a certificate forlocalhost<\/code>,127.0.0.1<\/code>, your machine\u2019s name, and thediscovery<\/code> host (as referenced indocker-compose.yml<\/code>).<\/p>\n
mkcert -install\nmkcert localhost 127.0.0.1 ::1 `hostname` discovery<\/pre>\n
If this generates files with a number in them, rename the files so they don\u2019t have a number.<\/p>\n
mv localhost+2.pem localhost.pem\nmv localhost+2-key.pem localhost-key.pem<\/pre>\n
HTTPS with Spring Boot<\/h3>\n
Spring Boot doesn\u2019t support certificates with the PEM<\/a> extension, but you can convert it to aPKCS12<\/code> extension, which Spring Boot does support. You can use OpenSSL to convert the certificate and private key to PKCS12. This will be necessary for Let\u2019s Encrypt generated certificates too.<\/p>\n
Runopenssl<\/code> to convert the certificate:<\/p>\n
openssl pkcs12 -export -in localhost.pem -inkey \\\nlocalhost-key.pem -out keystore.p12 -name bootifulsecurity<\/pre>\n
Specify a password when prompted.<\/p>\n
Create anhttps.env<\/code> file at the root of your project and specify the following properties to enable HTTPS.<\/p>\n
export SERVER_SSL_ENABLED=true\nexport SERVER_SSL_KEY_STORE=..\/keystore.p12\nexport SERVER_SSL_KEY_STORE_PASSWORD={yourPassword}\nexport SERVER_SSL_KEY_ALIAS=bootifulsecurity\nexport SERVER_SSL_KEY_STORE_TYPE=PKCS12\n<\/pre>\n
Update the.gitignore<\/code> file to exclude.env<\/code> files so the keystore password doesn\u2019t end up in source control.<\/p>\n
*.env<\/pre>\n
Runsource https.env<\/code> to set these environment variables. Or, even better, add this like to your.bashrc<\/code> or.zshrc<\/code> file so these variables are set for every new shell. Yes, you can also include them in each app\u2019sapplication.properties<\/code>, but then you\u2019re storing secrets in source control. If you\u2019re not checking this example into source control, here are the settings you can copy\/paste.<\/p>\n
server.ssl.enabled=true\nserver.ssl.key-store=..\/keystore.p12\nserver.ssl.key-store-password: {yourPassword}\nserver.ssl.key-store-type: PKCS12\nserver.ssl.key-alias: bootifulsecurity\n<\/pre>\n
Start thediscovery<\/code> app:<\/p>\n
cd discovery\nsource ..\/https.env\nmvn spring-boot:run\n<\/pre>\n
Then confirm you can access it athttps:\/\/localhost:8761<\/a><\/code>.<\/p>\n
\n
\"Secure<\/figure>\n<\/div>\n
Opendocker-compose.yml<\/code> and change all instances ofhttp<\/code> tohttps<\/code>. Editschool-ui\/src\/main\/java\/\u2026\u200b\/ui\/controller\/SchoolController.java<\/code> to change the call toschool-service<\/code> to use HTTPS.<\/p>\n
return restTemplate\n        .exchange(\"https:\/\/school-service\/class\", HttpMethod.GET, null,\n                new ParameterizedTypeReference<List<TeachingClassDto>>() {});\n<\/pre>\n
Update{config,school-service,school-ui}\/src\/main\/resources\/application.properties<\/code> to add properties that cause each instance to register as a secure application<\/a>.<\/p>\n
eureka.instance.secure-port-enabled=true\neureka.instance.secure-port=${server.port}\neureka.instance.status-page-url=https:\/\/${eureka.hostname}:${server.port}\/actuator\/info\neureka.instance.health-check-url=https:\/\/${eureka.hostname}:${server.port}\/actuator\/health\neureka.instance.home-page-url=https:\/\/${eureka.hostname}${server.port}\/\n<\/pre>\n
Also, change the Eureka address in eachapplication.properties<\/code> (and inbootstrap.yml<\/code>) to behttps:\/\/localhost:8761\/eureka<\/a><\/code>.<\/p>\n
\n
Theapplication.properties<\/code> in theschool-ui<\/code> project doesn\u2019t have a port specified. You\u2019ll need to addserver.port=8080<\/code>.<\/p>\n<\/blockquote>\n
At this point, you should be able to start all your apps by running the following in each project (in separate terminal windows).<\/p>\n
source ..\/https.env\n.\/mvnw spring-boot:start\n<\/pre>\n
Confirm it all works athttps:\/\/localhost:8080<\/a><\/code>. Then kill everything withkillall java<\/code>.<\/p>\n
Using HTTPS with Docker Compose<\/h2>\n
Docker doesn\u2019t read from environment variables, it doesn\u2019t know about your local CA (Certificate Authority), and you can\u2019t add files from a parent directory to an image.<\/p>\n
To fix this, you\u2019ll need to copykeystore.p12<\/code> andlocalhost.pem<\/code> into each project\u2019s directory. The first will be used for Spring Boot, and the second will be added to the Java Keystore on each image.<\/p>\n
cp localhost.pem keystore.p12 config\/.\ncp localhost.pem keystore.p12 discovery\/.\ncp localhost.pem keystore.p12 school-service\/.\ncp localhost.pem keystore.p12 school-ui\/.<\/pre>\n
Then modify each project\u2019s Dockerfile<\/code> to copy the certificate and add it to its trust store.<\/p>\n
FROM openjdk:8-jdk-alpine\nVOLUME \/tmp\nADD target\/*.jar app.jar\nADD keystore.p12 keystore.p12\nUSER root\nCOPY localhost.pem $JAVA_HOME\/jre\/lib\/security\nRUN \\\n    cd $JAVA_HOME\/jre\/lib\/security \\\n    && keytool -keystore cacerts -storepass changeit -noprompt \\\n    -trustcacerts -importcert -alias bootifulsecurity -file localhost.pem\nENV JAVA_OPTS=\"\"\nENTRYPOINT [ \"sh\", \"-c\", \"java $JAVA_OPTS -Djava.security.egd=file:\/dev\/.\/urandom -jar \/app.jar\" ]\n<\/pre>\n
Then create a .env<\/code> file with environment variables for Spring Boot and HTTPS.<\/p>\n
SERVER_SSL_ENABLED=true\nSERVER_SSL_KEY_STORE=keystore.p12\nSERVER_SSL_KEY_STORE_PASSWORD={yourPassword}\nSERVER_SSL_KEY_ALIAS=bootifulsecurity\nSERVER_SSL_KEY_STORE_TYPE=PKCS12\nEUREKA_INSTANCE_HOSTNAME={yourHostname}\n<\/pre>\n
You can get the value for{yourHostname}<\/code> by runninghostname<\/code>.<\/p>\n
Docker Compose has an “env_file” configuration option that allows you to read this file for environment variables. Updatedocker-compose.yml<\/code> to specify anenv_file<\/code> for each application.<\/p>\n
version: '3'\nservices:\n  discovery:\n    env_file:\n      - .env\n    ...\n  config:\n    env_file:\n      - .env\n    ...\n  school-service:\n    env_file:\n      - .env\n    ...\n  school-ui:\n    env_file:\n      - .env\n    ...\n<\/pre>\n
You can make sure it\u2019s working by runningdocker-compose config<\/code> from your root directory.<\/p>\n
Runmvn clean install<\/code> to rebuild all your Docker images with HTTPS enabled for Eureka registration. Then start all everything.<\/p>\n
docker-compose up -d<\/pre>\n
Now all your apps are running in Docker with HTTPS! Prove it athttps:\/\/localhost:8080<\/a><\/code>.<\/p>\n
\n
If your apps do not start up or can\u2019t talk to each other, make sure your hostname matches what you have in.env<\/code>.<\/p>\n<\/blockquote>\n
You can make one more security improvement: use OAuth 2.0 to secure your school-service API.<\/p>\n
API Security with OAuth 2.0<\/h2>\n
Add the Okta Spring Boot Starter and Spring Cloud Config toschool-service\/pom.xml<\/code>:<\/p>\n
<dependency>\n    <groupId>com.okta.spring<\/groupId>\n    <artifactId>okta-spring-boot-starter<\/artifactId>\n    <version>1.1.0<\/version>\n<\/dependency>\n<dependency>\n    <groupId>org.springframework.cloud<\/groupId>\n    <artifactId>spring-cloud-starter-config<\/artifactId>\n<\/dependency>\n<\/pre>\n
Then create aSecurityConfiguration.java<\/code> class inschool-service\/src\/main\/java\/\u2026\u200b\/service\/configuration<\/code>:<\/p>\n
package com.okta.developer.docker_microservices.service.configuration;\n\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@Configuration\npublic class SecurityConfiguration extends WebSecurityConfigurerAdapter {\n\n    @Override\n    protected void configure(HttpSecurity http) throws Exception {\n        http\n            .authorizeRequests().anyRequest().authenticated()\n            .and()\n            .oauth2ResourceServer().jwt();\n    }\n}\n<\/pre>\n
Create aschool-service\/src\/test\/resources\/test.properties<\/code> file and add properties so Okta\u2019s config passes, and it doesn\u2019t use discovery or the config server when testing.<\/p>\n
okta.oauth2.issuer=https:\/\/{yourOktaDomain}\/oauth2\/default\nokta.oauth2.clientId=TEST\nspring.cloud.discovery.enabled=false\nspring.cloud.config.discovery.enabled=false\nspring.cloud.config.enabled=false<\/pre>\n
Then modifyServiceApplicationTests.java<\/code> to load this file for test properties:<\/p>\n
import org.springframework.test.context.TestPropertySource;\n\n...\n@TestPropertySource(locations=\"classpath:test.properties\")\npublic class ServiceApplicationTests {\n    ...\n}\n<\/pre>\n
Add aschool-service\/src\/main\/resources\/bootstrap.yml<\/code> file that allows this instance to read its configuration from Spring Cloud Config.<\/p>\n
eureka:\n  client:\n    serviceUrl:\n      defaultZone: ${EUREKA_SERVER:https:\/\/localhost:8761\/eureka}\nspring:\n  application:\n    name: school-service\n  cloud:\n    config:\n      discovery:\n        enabled: true\n        serviceId: CONFIGSERVER\n      failFast: true\n<\/pre>\n
Then copyconfig\/school-ui.properties<\/code> to have aschool-service<\/code> equivalent.<\/p>\n
cp config\/school-ui.properties config\/school-service.properties<\/pre>\n
For Docker Compose, you\u2019ll also need to create aconfig-data\/school-service.properties<\/code> with the following settings:<\/p>\n
okta.oauth2.issuer=https:\/\/{yourOktaDomain}\/oauth2\/default\nokta.oauth2.clientId={prodClientId}\nokta.oauth2.clientSecret={prodClientId}\n<\/pre>\n
You\u2019ll also need to modifydocker-compose.yml<\/code> so theschool-service<\/code> restarts on failure.<\/p>\n
school-service:\n  ...\n  restart: on-failure<\/pre>\n
\n
You could create a service app on Okta that uses client credentials, but this post is already complex enough. See Secure Server-to-Server Communication with Spring Boot and OAuth 2.0<\/a> for more information on that approach.<\/p>\n<\/blockquote>\n
The last step you\u2019ll need to do is modify SchoolController<\/code> (in the school-ui<\/code> project) to add an OAuth 2.0 access token to the request it makes to school-server<\/code>.<\/p>\n
\n
Example 1. Add an AccessToken to RestTemplate<\/span><\/div>\n<\/div>\n
package com.okta.developer.docker_microservices.ui.controller;\n\nimport com.okta.developer.docker_microservices.ui.dto.TeachingClassDto;\nimport org.springframework.core.ParameterizedTypeReference;\nimport org.springframework.http.HttpMethod;\nimport org.springframework.http.HttpRequest;\nimport org.springframework.http.ResponseEntity;\nimport org.springframework.http.client.ClientHttpRequestExecution;\nimport org.springframework.http.client.ClientHttpRequestInterceptor;\nimport org.springframework.http.client.ClientHttpResponse;\nimport org.springframework.security.access.prepost.PreAuthorize;\nimport org.springframework.security.core.annotation.AuthenticationPrincipal;\nimport org.springframework.security.oauth2.client.OAuth2AuthorizedClient;\nimport org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;\nimport org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;\nimport org.springframework.security.oauth2.core.OAuth2AccessToken;\nimport org.springframework.stereotype.Controller;\nimport org.springframework.web.bind.annotation.GetMapping;\nimport org.springframework.web.bind.annotation.RequestMapping;\nimport org.springframework.web.client.RestTemplate;\nimport org.springframework.web.servlet.ModelAndView;\n\nimport java.io.IOException;\nimport java.util.List;\n\n@Controller\n@RequestMapping(\"\/\")\npublic class SchoolController {\n\n    private final OAuth2AuthorizedClientService authorizedClientService;\n    private final RestTemplate restTemplate;\n\n    public SchoolController(OAuth2AuthorizedClientService clientService,\n                            RestTemplate restTemplate) { (1)\n        this.authorizedClientService = clientService;\n        this.restTemplate = restTemplate;\n    }\n\n    @RequestMapping(\"\")\n    public ModelAndView index() {\n        return new ModelAndView(\"index\");\n    }\n\n    @GetMapping(\"\/classes\")\n    @PreAuthorize(\"hasAuthority('SCOPE_profile')\")\n    public ResponseEntity<List<TeachingClassDto>> listClasses(\n            @AuthenticationPrincipal OAuth2AuthenticationToken authentication) { (2)\n\n        OAuth2AuthorizedClient authorizedClient =\n                this.authorizedClientService.loadAuthorizedClient(\n                        authentication.getAuthorizedClientRegistrationId(),\n                        authentication.getName()); (3)\n\n        OAuth2AccessToken accessToken = authorizedClient.getAccessToken(); (4)\n        restTemplate.getInterceptors().add(getBearerTokenInterceptor(accessToken.getTokenValue())); (5)\n\n        return restTemplate\n                .exchange(\"https:\/\/school-service\/class\", HttpMethod.GET, null,\n                        new ParameterizedTypeReference<List<TeachingClassDto>>() {});\n    }\n\n    private ClientHttpRequestInterceptor getBearerTokenInterceptor(String accessToken) {\n        return (request, bytes, execution) -> {\n            request.getHeaders().add(\"Authorization\", \"Bearer \" + accessToken);\n            return execution.execute(request, bytes);\n        };\n    }\n}\n<\/pre>\n
    \n
  1. Add anOAuth2AuthorizedClientService<\/code> dependency to the constructor<\/li>\n
  2. Inject anOAuth2AuthenticationToken<\/code> into thelistClasses()<\/code> method<\/li>\n
  3. Create anOAuth2AuthorizedClient<\/code> from theauthentication<\/code><\/li>\n
  4. Get the access token from the authorized client<\/li>\n
  5. Add the access token to theAuthorization<\/code> header<\/li>\n<\/ol>\n
    That\u2019s it! Since theschool-ui<\/code> and theschool-service<\/code> use the same OIDC app settings, the server will recognize and validate the access token (which is also a JWT), and allow access.<\/p>\n
    At this point, you can choose to run all your apps individually with.\/mvnw spring-boot:run<\/code> or with Docker Compose. The latter method requires just a few commands.<\/p>\n
    mvn clean install\ndocker-compose down\ndocker-compose up -d<\/pre>\n
    Use HTTP Basic Auth for Secure Microservice Communication with Eureka and Spring Cloud Config<\/h2>\n
    To improve security between your microservices, Eureka Server, and Spring Cloud Config, even more, you can add HTTP Basic Authentication. To do this, you\u2019ll need to addspring-boot-starter-security<\/code> as a dependency in both theconfig<\/code> anddiscovery<\/code> projects. Then you\u2019ll need to specify aspring.security.user.password<\/code> for each and encrypt it. You can learn more about how to do this in Spring Cloud Config\u2019s security docs<\/a>.<\/p>\n
    Once you have Spring Security configured in both projects, you can adjust the URLs to include a username and password in them. For example, here\u2019s what the setting will look like in theschool-ui<\/code> project\u2019sbootstrap.yml<\/code>:<\/p>\n
    eureka:\n  client:\n    serviceUrl:\n      defaultZone: ${EUREKA_SERVER:https:\/\/username:password@localhost:8761\/eureka}\n<\/pre>\n
    You\u2019ll need to make a similar adjustment to the URLs in docker-compose.yml<\/code>.<\/p>\n
    Enhance Your Knowledge about Spring Microservices, Docker, and OAuth 2.0<\/h2>\n
    This tutorial showed you how to make sure your service-to-service communications are secure in a microservices architecture. You learned how to use HTTPS everywhere and lock down your API with OAuth 2.0 and JWTs.<\/p>\n
    You can find the source code for this example on GitHub at oktadeveloper\/okta-spring-microservices-https-example<\/a>.<\/p>\n
    If you\u2019d like to explore these topics a bit more, I think you\u2019ll like the following blog posts:<\/p>\n