Develop Spring Security as a Common Module and Swicting it in Spring Boot Micro Service Architecture

Question

I have a micro service architecture with spring boot. I decided to add Spring security for each micro service which will authenticate, authorise the user.

So i develop a separate project with has Spring Security authentication.

I have use a Filter which extends AbstractAuthenticationProcessingFilter.

The paths which needs authentication and authorisation are mentioned in my filter class as below,

private AntPathRequestMatcher[] authenticationMatcher = { 
            new AntPathRequestMatcher("//api/myservice1/**"),
            new AntPathRequestMatcher("/api/myservice") 
            };

private AntPathRequestMatcher[] authorizationMatcher = { 
            new AntPathRequestMatcher("/api/myservice") 
            };

So in the filter class doFilter method i check request path and do relevant logics.

My SecurityConfig class configure method just look like below,

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(getMyAuthenticationFilter(), BasicAuthenticationFilter.class); 
    }

So my questions are,

1. What approach i should do for introduce this module (project) to each micro service?

   What i had in my mind is expose this as a jar file and use it in any micro service. In that case how can i over ride those authenticationMatcher and authorizationMatcher url's which will be specific to each micro services?

   Am i declare those url's in correct place and if so what Object Oriented principles i should apply?

2. Is there a possibility i can by pass authentication filter if required and enable it when required? Like switching it?

Answer 1

I believe this approach can work like you want and can be done using Spring Boot. In regards to your questions:

1. In your filter class you can declare something like this which can be populated by bean initialization.

   @Value("${security.checkValues}")
   private String[] checkValues;
   

   Below is an example I used with my own custom filter declared as a bean and passed in to the security configuration. You probably don't need all of it.

   @Configuration
   @Order(3)
   public static class SubscriptionWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
   
       protected void configure(HttpSecurity http) throws Exception {
           http
                   .requestMatchers().antMatchers("/subscribe**","/subscribe/**").and()
                   .addFilterBefore(applicationSecurityTokenFilter(), UsernamePasswordAuthenticationFilter.class)
                   .authorizeRequests()
                   .anyRequest().authenticated()
                   .and()
                   .httpBasic()
                   .and()
                   .csrf().disable();
       }
   
   
       @Bean
       public ApplicationSecurityTokenFilter applicationSecurityTokenFilter() {
           return new ApplicationSecurityTokenFilter();
       }
   }
   

   Then each application.properties instance in your micro services (assuming they are separate projects) will have a line like below to specify the URLs to use.

   security.checkValues=/api/myservice,/api/myservice2
   

2. If you include an empty string property like this:

   security.checkValues=
   

   Then the String array will be set to a 0 length array and you can know that it should not be active. I'm not entirely sure this is what your question was referencing so please review.

Let me know if this is what you are looking for. We can flush it out a little further if necessary.