Skip to content
This repository has been archived by the owner on Dec 24, 2019. It is now read-only.

API Gateway Component

Jump to bottom
Amin Boudeffa edited this page Sep 25, 2018 · 7 revisions

The CROSSMIER API Gateway :

  • Provide a centralized access point to all web services implemented by the differents tools involved in the platform (DevOps Dashboard,Workflow Execution Engine,Knowledge Base,Metric Provider,Administration Application).
  • Provide a centralized mechanisms to secuerize CROSSMINER web services and manage authentication required to access to this services.

API Gateway Architecture

The API Gateway is a pattern which come form microserivces echosystem. An API Gateway is a single point of entry (and control) for front end clients, which could be browser based or mobile. The client only has to know the URL of one server, and the backend can be refactored at will with no change.

The API Gateway act as a revers web proxy in which can be integrated others functions like load balancing and authentication. In case of the CROSSMINER platform, the API Gateway will manage the authentication for all services of the platform.

Authentication Mechanism

JSON Web Tokens

The CROSSMIER API Gateway is secruized using JSON Web Tokens (JWT) mechanism, an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned and must be saved locally, instead of the traditional approach of creating a session in the server and returning a cookie.When the client request an access to a protected service ,the server's protected routes will check for a valid JWT in the Authorization header of the request, and if it's present, the user will be allowed to access protected resources. (More about JWT : https://jwt.io)

Authentication Architecture

In CROSSMINER, the authentification service is a sub component of the Administration Application which centralise Right Management for the whole platform. As for the others services, the authentication service is accessed behind the API Gateway.

Authentication Flow

  1. To obtain an access to a specific service, the client must authenticate with the authentication service.If the authentication success,he recived a web token that should be include in the header of all of his future requests.
  2. When the client request a specific service, the api gateway valivate the token from the authentication service. If the token is valide, the api gateway transmite the request to the related service.

Implementation

The implementation of the gateway is based on Zuul proxy, a component of the spring-cloud project, an extention ofthe spring framework dedicated to microservices architectures.

https://projects.spring.io/spring-cloud/spring-cloud.html#_router_and_filter_zuul

API Gateway Configuration

The CROSSMINER Gateway can be configured by the intermediary of an external property file (application.properties) to place in the execution directory of the CROSSMINER Gateway component. This file allow to configure the routing of requests send to the gateway an some security parameters.

Server Configuration

id : server.port default : 8086
Port of the CORSSMINER API server. Each REST request sent to the gateway must be addressed to this port.

JWT Security Configuration

id : apigateway.security.jwt.secret default : NA
Private key pair which allow to sign jwt tokens using RSA.
id : apigateway.security.jwt.url default : /login
URL Path of the authentication service.
id : apigateway.security.jwt.expiration default : 86400 (24H)
Port of the CORSSMINER API server. Each request sent to the gateway must be addressed to this port.

Routing : Authentication Service Configuration

id : zuul.routes.auth-center.path default : /api/authentication/**
Relative path of the authentication service.
id : zuul.routes.auth-center.url default : NA
URL of the authentification server. Example :http://127.0.0.1:8081/
id : zuul.routes.auth-center.sensitiveHeaders default : Cookie,Set-Cookie
Specify a list of ignored headers as part of the route configuration which will be not leaking downstream into external servers.
id : zuul.routes.auth-center.stripPrefix default : false
Switch off the stripping of the service-specific prefix from individual routes

Routing : Service Configuration

id : zuul.routes.**servicename**.path default : NA
Relative path of the incoming service which will be redirected. Example : /test1/**
id : zuul.routes.**servicename**.url default : NA
Redirection URL of the route. Example : http://127.0.0.1:8082/test1

Configuration file example

#API Gateway Port
server.port=8086

# JWT Configuration
apigateway.security.jwt.secret=otherpeopledontknowit
apigateway.security.jwt.url=/api/authentication
apigateway.security.jwt.expiration=86400

# Rooting Configuration : Authentication Service
zuul.routes.auth-center.path=/api/authentication/**
zuul.routes.auth-center.url=http://127.0.0.1:8081/
zuul.routes.auth-center.sensitiveHeaders=Cookie,Set-Cookie
zuul.routes.auth-center.stripPrefix=false


# Rooting Configuration : Test1 Service
zuul.routes.test1.path=/test1/**
zuul.routes.test1.url=http://127.0.0.1:8082/test1

# Rooting Configuration : Test2 Service
zuul.routes.test2.path=/test2/**
zuul.routes.test2.url=http://127.0.0.1:8083/test2

Control access API

The CROSSMINER platform comes with public and private APIs to control the access to the REST API using different permission levels. By default, there are three authorization levels which are predefined to get access to all the CROSSMINER's APIS, including:

  • “ROLE_ADMIN”
  • “ROLE_PROJECT_MANAGER”
  • “ROLE_USER”

By the way, The frontend SCAVA administration comes with a default “admin” who is mainly the admin user with all authorities access including “ROLE_ADMIN”, “ROLE_PROJECT_MANAGER” and “ROLE_USER” authorizations. His default password is “admin”.

# Filtering private restApi

scava.routes.config.adminAccessApi[0]=/api/users
scava.routes.config.adminAccessApi[1]=/api/user/**

scava.routes.config.projectManagerAccessApi[0]=/administration/projects/create
scava.routes.config.projectManagerAccessApi[1]=/administration/projects/import
scava.routes.config.projectManagerAccessApi[2]=/administration/analysis/**

scava.routes.config.userAccessApi[0]=/administration/projects
scava.routes.config.userAccessApi[1]=/administration/projects/p/**
scava.routes.config.userAccessApi[2]=/api/users/**
scava.routes.config.userAccessApi[3]=/api/account

Packaging Form Sources

Maven Packaging

mvn -Pprod install

API Gateway Execution

  1. complete an put the "application.properties" configuration file in the execute directory.
  2. Execute the crossmeter-api-gateway-1.0.0.jar Jar.
java -jar scava-api-gateway-1.0.0.jar

Client Implementation

How to consume a CROSSMINER REST services ?
This guideline is dedicated to clients which would like to used CORSSMINER REST Services.It adress authentication issues
Clone this wiki locally