sczyh30 / vertx-blueprint-microservice

Vert.x Blueprint Project - Micro-Shop microservice application
Apache License 2.0

Internal api security #32

Open sheldon-sminq opened 6 years ago

sheldon-sminq commented 6 years ago

How would you go about preventing the internal APIs from getting accessed directly without routing requests through the API gateway?

We would like to enforce all requests to go through the api gateway only.

pmlopes commented 6 years ago

With Vert.x 3.5 there is an experimental service proxy interceptors feature and the only implemented one is a JWT interceptor:

https://github.com/vert-x3/vertx-service-proxy/blob/master/src/main/java/io/vertx/serviceproxy/ServiceBinder.java

https://github.com/vert-x3/vertx-service-proxy/blob/master/src/main/java/io/vertx/serviceproxy/ServiceJWTInterceptor.java

So you can then protect your service if the given JWT is valid. This was a very late addition to 3.5 and we haven't documented it properly; that is why it is considered experimental at the moment.
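
An added sketch of how the interceptor mentioned in the comment above can be wired up for an event bus service proxy (not code from this thread or from the blueprint project). `InventoryService`, `InventoryServiceImpl`, its `getStock` method, the address and the keystore settings are hypothetical placeholders; the service interface is assumed to be a `@ProxyGen` interface whose proxy classes have already been generated.

```java
import io.vertx.core.AbstractVerticle;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.auth.jwt.JWTOptions;
import io.vertx.serviceproxy.ServiceBinder;
import io.vertx.serviceproxy.ServiceJWTInterceptor;
import io.vertx.serviceproxy.ServiceProxyBuilder;

public class SecuredServiceVerticle extends AbstractVerticle {

  // Hypothetical event bus address for the internal service.
  private static final String ADDRESS = "inventory.service";

  @Override
  public void start() {
    // Placeholder keystore settings. The gateway needs the signing key,
    // the service needs the matching key to verify tokens.
    JsonObject jwtConfig = new JsonObject().put("keyStore", new JsonObject()
        .put("type", "jceks")
        .put("path", "keystore.jceks")
        .put("password", "<keystore-password>"));
    JWTAuth jwt = JWTAuth.create(vertx, jwtConfig);

    // Service side: every message sent to ADDRESS passes through the
    // interceptor first, so calls without a valid JWT never reach the impl.
    new ServiceBinder(vertx)
        .setAddress(ADDRESS)
        .addInterceptor(new ServiceJWTInterceptor().setJwtAuth(jwt))
        .register(InventoryService.class, new InventoryServiceImpl());

    // Gateway side: mint a token and attach it to the proxy, which sends it
    // with each call. Use a short expiry via JWTOptions in real deployments.
    String token = jwt.generateToken(
        new JsonObject().put("sub", "api-gateway"), new JWTOptions());

    InventoryService viaGateway = new ServiceProxyBuilder(vertx)
        .setAddress(ADDRESS)
        .setToken(token)
        .build(InventoryService.class);

    // Hypothetical service method; succeeds because the token verifies.
    viaGateway.getStock("sku-1", ar ->
        System.out.println("with token ok = " + ar.succeeded()));

    // A caller that bypasses the gateway has no token and is rejected.
    InventoryService direct = new ServiceProxyBuilder(vertx)
        .setAddress(ADDRESS)
        .build(InventoryService.class);
    direct.getStock("sku-1", ar ->
        System.out.println("without token ok = " + ar.succeeded()));
  }
}
```

In a real deployment the two halves live in different processes, and only the gateway should hold the key that signs tokens.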