Build J2EE Microservices Architecture
This post will cover the following aspects: Keycloak setup, Eureka service registration and discovery, Spring Cloud API gateway, and more!
Join the DZone community and get the full member experience.Join For Free
I posted an article in regards to a single-page application(UI), but in this post, I'm going to introduce how to build microservice architecture for the J2EE application with Spring framework and open-source SSO framework Keycloak. This post will cover the following aspects:
- Keycloak setup
- Eureka service registration and discovery
- Spring Cloud API gateway
- Spring Security (OAuth2 login) and the integration with Keycloak
The code is available in my Github and please check the docker-compose.yml at first so that you can read the rest of the post easier. One thing I need to mention here is you need to replace the IP address of the keycloak server URL with your own before running the docker containers.
Then, you can run the following cmd to start up docker containers.
1.1 Create a Realm
Login http://localhost:18080/ with admin/admin, then create a realm as below, leaving all the fields as default.
1.2 Create Clients Under the Above Realm
As shown above, we created three clients that represent API-gateway, microservice consumer, microservice producer. There are two things necessary to mention.
First, fill mandatory field(Valid Redirect URIs) as * so that we can redirect back to our URI configured in our application.
Then, choose client id and secrete as Client Authenticator, which is suitable for the integration with Spring Security OAuth2 client.
1.3 Create a User
As shown in the screenshot below, we need to fill some necessary fields like first name, last name, and email, etc.
2. Eureka Sever — Service Registration
It's quite straight forward to build a service registration server based on Spring Cloud Eureka, and we just need annotation @EnableEurekaServer to enable that.
3. API Gateway
Spring framework 5 releases Spring Cloud gateway to replace the previous gateway — Spring Cloud Zuul. Spring Cloud Gateway is a new generation nonblocking gateway built on top of Project Reactor, Spring WebFlux, and Spring Boot 2.0, while Zuul is a blocking gateway. So, in this post, I use Spring Cloud Gateway as an API gateway for the microservices.
First of all, I need to show the application.yml configuration profile.
3.1 Route Definition in Spring Cloud Gateway
We defined two routes for two microservices: consumer and producer. The lb://microservice-consumer means it points to microservice-consumer based on service registration server - Eureka. We use TokenRelay so that the access_token from the request can be passed through to the microservice resource server which is secured by Spring Security OAuth2 along with Keycloak as well.
3.2 Eureka Client Configuration
The API gateway also acts as a Eureka client so that it can work with microservice replicas. We just need an annotation @EnableEurekaClient and configure the eureka server URL in the properties.
3.3 Spring Security OAuth2 and the Integration With Keycloak Server
3.3.1 Spring Security OAuth2
One of the key features of Spring Security 5 is the native support for OAuth2 and OIDC, instead of the legacy client support in the old Spring Security OAuth subproject, integrating with IAM(Identity and Access Management) providers gets super easy. We need to add the following dependencies:
3.3.2 OAuth2 Client Registration
The properties for OAuth 2 clients are prefixed with
oauth2.client.provider. For Keycloak specifically, we have to configure the details of the OAuth2 provider and provides the details of client registration as below.
3.3.3 Spring Security OAuth2 Resource Server
Keycloak uses a public/private key pair to issue and verify the JWT(JSON Web Token). In particular, it uses a private key to sign the access token, and the OAuth2 client uses the public key to verify the token.
We need to protect the API gateway as an OAuth2 resource server so that when a request coming in with a bearer token under the Authorization header, it can also verify the token rather than redirect to the SSO server for authentication, then the request can eventually go to downstream microservices. For example, we can use an HTTP client to issue a request as below.
3.3.4 Enable OAuth2 Login and Resource Server
To enable Spring Security OAuth2 login as well as a resource server, we need to leverage DSL methods.
Spring Security’s OAuth 2.0 Login support is enabled via the Spring Security
oauth2Login() DSL method.
Spring Security’s Resource Server support is enabled via the Spring Security
oauth2ResourceServer DSL method.
Illustrated as below:
Microservices should be protected by Keycloak and enabled as the OAuth2 resource server as well. So the configuration is similar to the API gateway. One key difference is that Spring Cloud gateway is built on top of Spring WebFlux while our microservices are built on top of Spring MVC. So the security configuration has a slight difference, illustrated as below.
That's it and you are good to go. Please check the source code from my Github.
Published at DZone with permission of Kunkka Li. See the original article here.
Opinions expressed by DZone contributors are their own.