
0 votes
asked by (190 points)

Hello

We would like to execute a search from a Java Microservice when a JmsListener triggers.

@JmsListener(destination = "indexDataChanged")

Depending on the changed document, we need to execute a search and do something with the found objects. I thought I could use a FeignClient for this as follows:

@FeignClient(name = "search")
public interface SearchClient {
    @RequestMapping(method = POST, value = "/search")
    Map<String, Object> search(@RequestBody Map<String, Object> request);
}

But sadly this always returns a 401, probably because the JmsListener does not have an authentication header. I cannot use DMS FeignClient

@RequestMapping(method = GET, value = "/rest-ws/service/result/query")

as I need to search for a complex field (table column) and this is not supported by the DMS Endpoint. I also tried to add the search endpoint to the list of authentication.exposed.endpoints as follows:

authentication.exposed.endpoints: '/enaio/client/**,/enaio/custom/**,/search/**'

but I could not log in to the client anymore after a restart of the gateway. This would probably not be an option in production anyways.

Could you please advise me on how to execute a search on complex fields from a Microservice which is not triggered by a JMSListener?

Kind regards,
Nicole

1 Answer

0 votes
answered by (800 points)
Best answer

Hi Nicole,

you should be able to use the search service using feign if you simply add an authentication header to your request:

Map<String, Object> search(@RequestHeader("Authorization") String auth, @RequestBody Map<String, Object> request);

For the auth String you just pass in your base64 encoded Basic Auth:

String auth = "Basic " + Base64.getEncoder().encodeToString((username + ":" + password).getBytes(StandardCharsets.UTF_8));

Username and password can be injected from a config.
For a production environment it would probably be best to create or use an already existing technical user for this service that only has the rights needed for the search.

Cheers,

Kolja

commented by (190 points)
Hi Kolja

Thank you for your answer. Adding the Authorization header works only if I specify the direct URL in addition to the Service Name in the Feign Client. If I don't specify the URL, it sends the request to the port 7221 and I still get a 401 response. If possible I would like to avoid specifying the URL for the Feign Client.

@FeignClient(name = "search", url = "http://<ip>")

Am I doing something wrong that the authentication does not work when called with the port? I have the same problem when trying to make a test call from the swagger-ui.html using http://<ip>:7221/swagger-ui.html#/.

Kind regards
Nicole

commented by (800 points)
Hi Nicole,

The gateway expects a JWT if you want to access a service directly. You can create one for your request in your Java code.

But the easier way would be to use "gateway" as your feign client name instead of "search", then it will work with basic auth without the URL.


Hope that helps,

Kolja

commented by (190 points)
Hi Kolja

Thank you very much, when using gateway instead of search it works. Just out of curiosity: why is it required to provide authentication for the search service, but not for the DMS requests? Are the DMS requests authenticated somewhere in the background with the user we used to connect to the cloud services (spring cloud config)?

Thanks and kind regards
Nicole

commented by (800 points)
Hi Nicole,

I forwarded the question to our dev team and the short answer is:
Anything that goes directly to the rest-ws is considered trustworthy and automatically gains access via the DMS-Sidecar.
All other calls are directed through the gateway and need authorization.

If you require more information about that topic I can get you in touch with our developers.


Cheers,

Kolja
...
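
Added example, not code from the thread or from the vendor: one way to build the Basic header value that the answer passes to `search(auth, request)`, using only the JDK. The class name `BasicAuthHeader` and the sample credentials are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical helper: holds the value for the @RequestHeader("Authorization") parameter. */
public final class BasicAuthHeader {
    private final String value;

    private BasicAuthHeader(String value) { this.value = value; }

    /** Builds "Basic base64(user:pass)" with a fixed charset, so every host produces the same bytes. */
    public static BasicAuthHeader of(String username, String password) {
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            throw new IllegalArgumentException("technical user credentials are not configured");
        }
        // RFC 7617: the receiver splits at the first ':', so the user-id must not contain one.
        if (username.indexOf(':') >= 0) {
            throw new IllegalArgumentException("username must not contain ':'");
        }
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return new BasicAuthHeader("Basic " + Base64.getEncoder().encodeToString(raw));
    }

    /** The real header value; hand it to the Feign call and nowhere else. */
    public String value() { return value; }

    /** Safe for logs and exception messages: never contains the encoded credentials. */
    @Override
    public String toString() { return "Basic <redacted>"; }

    public static void main(String[] args) {
        // Constructed sample credentials (with one non-ASCII character), not values from the page.
        BasicAuthHeader auth = BasicAuthHeader.of("svc-search", "S3cret-p\u00e4ss");
        System.out.println("logged as: " + auth);

        // Base64 is an encoding, not encryption: whoever sees the header recovers the password.
        String encoded = auth.value().substring("Basic ".length());
        String decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        System.out.println("recoverable from the header: " + decoded);

        try {
            BasicAuthHeader.of("svc:search", "x"); // constructed invalid user name
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Since the header decodes back to the plain password, it should only travel over TLS, which is also why the answer's advice to use a technical user with search-only rights matters.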