How do I restrict or hide a microservice endpoint away from intruders?

Time:03-12

I am designing microservice applications (all in Spring Boot) and Netflix's Eureka service. So far, I have a database application that will manage a database, another managing email sending and another for external API authorization. All three are microservices, and are operating as Eureka clients. These microservices will interact via remote method invocation using the RestTemplate class.

Initially, I had thought that the Eureka discovery server would be run locally and this would interact with a separate Spring Boot application that would function as a web server and the bridge between the users and the microservices. Essentially, I would just have to worry about securing the web server and that the rest of the endpoints will be abstracted away from an intruder and can only be accessed locally.

However, I have just found out that any user may put the IP address and port number of one of the microservices and access these microservices (so they may manipulate the database at will) and so there is a major security flaw in my application.

I was wondering if there was a way to abstract/hide the other eureka clients away from the internet, or would I have to implement some sort of authorisation for each microservice?

CodePudding user response:

You have to put more details here. How do you serve your microservices? In containers or an embedded server?

CodePudding user response:

If your service is accessible from a public network, you absolutely should put some authentication and authorization in place to manage access. Arguably, even a non-public service should have security enabled.

You don't have to make it super complicated - e.g. deploy some distributed key management, certificates, etc. At the end of the day you have to pick either a shared secret or a public/private one.

Since you are already using Spring, Spring-Security is the stuff you are looking for - just google "spring security for api" to get specific details.
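
The shared-secret option mentioned in the answer above, sketched as an added example that is not part of the thread or of any poster's code. It assumes Spring Boot 3 (`jakarta.servlet`), a hypothetical header name `X-Internal-Secret`, and a hypothetical property `internal.api.secret` set to the same value on every service.

```java
// Added example. Header name and property key are hypothetical; Spring Boot 3 is assumed.
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class InternalCallSecurity {

    static final String HEADER = "X-Internal-Secret"; // hypothetical header name

    // Receiving side: Spring Boot registers Filter beans for all URLs, so every
    // request without the shared secret is rejected before it reaches a controller.
    @Bean
    OncePerRequestFilter sharedSecretFilter(@Value("${internal.api.secret}") String secret) {
        byte[] expected = secret.getBytes(StandardCharsets.UTF_8);
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                            FilterChain chain) throws ServletException, IOException {
                String sent = req.getHeader(HEADER);
                byte[] actual = sent == null ? new byte[0] : sent.getBytes(StandardCharsets.UTF_8);
                // MessageDigest.isEqual does not stop at the first mismatching byte,
                // so response timing does not reveal how much of the secret matched.
                if (!MessageDigest.isEqual(expected, actual)) {
                    res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
                chain.doFilter(req, res);
            }
        };
    }

    // Calling side: every RestTemplate built here sends the secret to the other services.
    @Bean
    RestTemplate restTemplate(RestTemplateBuilder builder,
                              @Value("${internal.api.secret}") String secret) {
        return builder.defaultHeader(HEADER, secret).build();
    }
}
```

The header travels in cleartext unless the services talk over TLS, and the filter complements rather than replaces keeping the microservice ports off the public network (firewall rules or binding to a private interface).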
