In this article we continue our discussion of how to use Spring Security with Angular JS in a “single page application”. Here we show how to build an API Gateway to control the authentication and access to the backend resources using Spring Cloud. This is the fourth in a series of articles, and you can catch up on the basic building blocks of the application or build it from scratch by reading the first article, or you can just go straight to the source code in Github. In the last article we built a simple distributed application that used Spring Session to authenticate the backend resources. In this one we make the UI server into a reverse proxy to the backend resource server, fixing the issues with the last implementation (technical complexity introduced by custom token authentication), and giving us a lot of new options for controlling access from the browser client.
In this article we continue our discussion of how to use Spring Security with Angular JS in a “single page application”. Here we start by breaking out the “greeting” resource that we are using as the dynamic content in our application into a separate server, first as an unprotected resource, and then protected by an opaque token. This is the third in a series of articles, and you can catch up on the basic building blocks of the application or build it from scratch by reading the first article, or you can just go straight to the source code in Github, which is in two parts: one where the resource is unprotected, and one where it is protected by a token.
In this article we show some nice features of Spring Security, Spring Boot and Angular JS working together to provide a pleasant and secure user experience. It should be accessible to beginners with Spring and Angular JS, but there is also plenty of detail that will be of use to experts in either. This is actually the first in a series of articles on Spring Security and Angular JS, with new features exposed in each one successively. We’ll improve on the application in the second and subsequent installments, but the main changes after this are architectural rather than functional.
In this article we continue our discussion of how to use Spring Security with Angular JS in a “single page application”. Here we show how to use Angular JS to authenticate a user via a form and fetch a secure resource to render in the UI. This is the second in a series of articles, and you can catch up on the basic building blocks of the application or build it from scratch by reading the first article, or you can just go straight to the source code in Github. In the first article we built a simple application that used HTTP Basic authentication to protect the backend resources. In this one we add a login form, give the user some control over whether to authenticate or not, and fix the issues with the first iteration (principally lack of CSRF protection).
Support for Hystrix metrics aggregation via an annotation @EnableTurbineAmqp (for an AMQP-based collector)
An overhaul of the Ribbon configuration making it more friendly for Spring users. You can now configure each Ribbon client in its own @RibbonClient and override various bits, like the LoadBalancer, or the ServerListFilter, by providing
DiscoveryHealthIndicator is now a composite that users can add information to by declaring
Discovery is now abstracted away from Eureka into a new spring-cloud-commons library, and enabled via new annotations like @EnableDiscoveryClient (instead of the old @EnableEurekaClient). The same pattern also applies to circuit breakers.
Several improvements to the Zuul proxy, including automatic updates when the Eureka catalog changes, support for form-encoded POSTs, external configuration of the routes and authentication scheme for each client.
Declarative configuration of which routes require OAuth2 authentication in Spring Cloud Security.
Support for labels (like git branches) in the “native” profile of the Config Server (looks in subdirectory of the search locations).
Fail fast option in Config Server and Client if the required URI to locate config data is invalid.
Out of the box support for JSON messages in the Spring Cloud Bus.
A nice framework for Feign configuration based on a new @FeignClient annotation (a bit like Spring Data repositories).
Spring Security OAuth 2.0.5.RELEASE is available now in all the usual Maven repositories. This is a bugfix release but nothing critical. We recommend upgrading if you are having trouble with customizing the Java config, since most of the issues resolved relate to that (for instance it is much easier to customize the password encoder for client secrets). There is a small breaking change for anyone using the AuthorizationServerEndpointsConfigurer directly to configure a ClientDetailsService (it doesn’t work that way, so you would be failing to configure it anyway).
Spring Cloud 1.0.0.M3 is available now in the repo.spring.io repository. The following projects all had a 1.0.0.M3 release:
Spring Cloud Config: centralized key-value (or YAML) configuration management. Now supports the config server being fully embedded in another application.
Spring Cloud Netflix. Also has better support for embeddability of the server components. Now also properly records load balancer statistics in Ribbon-enabled Spring
Spring Cloud for Amazon Web Services. Has new Spring Boot integration points, externalizing configuration for AWS metadata.
Spring Cloud Security: super simple OAuth2 in a declarative style.
Spring Cloud Bus: broadcasts framework-level events to Spring Cloud components. Big news here is that we now have a RabbitMQ-based aggregator for Hystrix metrics (based on Turbine 2), so you don't have to rely on having direct HTTP access to all service instances.
Spring Cloud CLI: Groovy CLI for writing microservices in self-contained scripts.
Spring Cloud for Cloud Foundry: now bridges between Spring Cloud Security and Cloud Foundry service bindings, making it super easy to do Single Sign On and OAuth2 protected resources in Cloud Foundry.
Spring Security OAuth 2.0.4.RELEASE is available now in the usual repositories. It's a bug fix release, so upgrading is recommended, but there is also a small set of new features:
OAuth2Authentication) can now be queried explicitly to find the grant type for the associated token. If the token is being refreshed the grant type in the OAuth2Request presented to a TokenEnhancer is the original grant type, not "refresh_token".
The client authorities are exposed in the "/check_token" endpoint
Password grants are more flexible and open to extension because both client and server can add additional parameters to the request. A custom AuthenticationManager on the server side should still expect a UsernamePasswordAuthenticationToken, but the additional parameters will be available in the AuthenticationDetails. Multi-factor authentication for mobile devices could be implemented in this way, for instance.
Keystore support for JWT token signing and verification. The user provides a Resource and a password and can then lift the keys out of the store by name. As long as they are RSA keys they can be injected into a JwtAccessTokenConverter (using a new setter).
If you are building microservices with Spring you will be interested to see that Spring Cloud 1.0.0.M2 hit the streets yesterday and today, and can now be found in the Spring repository. Visit the individual project page links on the main umbrella page or look at their github repositories for detailed instructions about how to get started using the individual components. There is also a Reference Guide covering the core modules.
Since Spring Cloud is an umbrella project we have a "release train" of related updates to all the sub-projects (like with Spring Data). The 1.0.0.M2 release has updates to Spring Cloud Config, Spring Cloud Netflix, Spring Cloud Bus, Spring Cloud Security and Spring Cloud CLI.
Spring Cloud (the new umbrella project announced in September) has reached a milestone, its first, and fresh jars are available in the repo.spring.io repository. Spring Cloud is going to follow a “release train” model for releases, a bit like Spring Data, but we haven’t got a cool name for this one yet, so it’s just 1.0.0.M1. The modules that are part of this release are
Spring Cloud Config: Centralized external configuration management backed by a git repository. The configuration resources map directly to Spring Environment but could be used by non-Spring applications if desired.
Spring Cloud Netflix: Integration with various Netflix OSS components (Eureka, Hystrix, Zuul, Archaius, etc.).
Spring Cloud Bus: An event bus for linking services and service instances together with distributed messaging. Useful for propagating state changes across a cluster (e.g. config change events).
Spring Cloud Security: A set of primitives for building secure applications and services with minimum fuss.
Spring Cloud CLI: Spring Boot CLI plugin for creating Spring Cloud component applications quickly in Groovy.
Spring Cloud Starters: Spring Boot-style starter projects to ease dependency management for consumers of Spring Cloud.