Hi,
This is indeed a question/query rather than an issue so please treat accordingly:)
We are trying to use spring cloud config server as main config server of our application infrastructure. We have numerous applications that pull configuration from the server.
As far as we understand, the security concern of spring cloud config is handled by spring security foundation. (We are able to use basic auth credentials etc.)
However, we could not figure out if "per client application authorization" can be achieved or not.
To be more precise, as long as a client has valid credentials to access the config server, assuming that it knows application, profile and label info for any other app, it can obtain the resources (config info) of the other app by querying the config server as follows:
http://{host}:{port}/{application}/{profile}/{label}/resource
I know that this issue can be avoided by using separate config servers for each application but we do not want that.
Is there any mechanism we can use to achieve the above mentioned "per client application authorization" ?
Or should we consider application, profile and label params as credentials that should be secured in the same way as spring security credentials in the client side?
Regards
Comment From: ryanjbaxter
If each app had their own user name and password you could use Spring Security to configure which app can access which paths.
Comment From: simpleusr
Hi @ryanjbaxter
Thanks for your response. If I understand correctly, you are mentioning the role based security config of spring security (hasRole, hasAuthority)? This should work in theory, but it would introduce a moving part in config server for every new application added, i.e. we will need to alter security config of config server for every new application and most probably we will not want that.
Does this mean that such a concern is not handled by spring cloud config and delegated to spring security?
Regards
Comment From: ryanjbaxter
Does this mean that such a concern is not handled by spring cloud config and delegated to spring security?
Yeah the config server does not handle any kind of security itself.
This should work in theory, but it would introduce a moving part in config server for every new application added, i.e. we will need to alter security config of config server for every new application and most probably we will not want that.
There is probably a pattern you could come up with where the application name matches the path and only then allow access so the configuration is not crazy. Although you still have to deal with adding the credentials for each application, but I suppose that could be externalized as well.
I am by no means a Spring Security expert, so there is probably a better solution than what I am coming up with here.
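One way to implement the pattern ryanjbaxter sketches above, as an added example that is not from this issue or from the Spring Cloud Config project: a Spring Security 6 filter chain (assuming a Spring Boot 3 based config server) that grants a request only when the HTTP Basic user name equals the `{application}` path segment, so adding an application means adding a user rather than editing the security rules. The in-memory user store, the user names and the package name are assumptions for illustration.

```java
package example.configserver; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
public class PerApplicationAuthorization {

    /** Permit only when the authenticated user name equals the {application} path variable. */
    static AuthorizationManager<RequestAuthorizationContext> applicationMatchesPrincipal() {
        return (authentication, context) -> {
            String application = context.getVariables().get("application");
            String principal = authentication.get().getName();
            // Null application (no variable captured) is always denied.
            return new AuthorizationDecision(application != null && application.equals(principal));
        };
    }

    @Bean
    SecurityFilterChain configServerChain(HttpSecurity http) throws Exception {
        http
            // Clients are non-browser services authenticating with HTTP Basic.
            .csrf(csrf -> csrf.disable())
            .httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth
                // Covers /{application}/{profile}, /{application}/{profile}/{label}
                // and the plain-text resource endpoint /{application}/{profile}/{label}/{path}.
                .requestMatchers("/{application}/**").access(applicationMatchesPrincipal())
                // Anything else (e.g. /{application}-{profile}.yml, /encrypt, /actuator)
                // is denied unless a rule is added for it explicitly.
                .anyRequest().denyAll());
        return http.build();
    }

    /** Constructed sample users: one per client application; externalize in practice. */
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withUsername("orders").password("{noop}orders-secret").roles("APP").build(),
            User.withUsername("billing").password("{noop}billing-secret").roles("APP").build());
    }
}
```

With this chain, the `orders` credentials can read `/orders/prod/main` but receive 403 for `/billing/prod/main`, which is the "per client application authorization" asked for in the opening post.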
Comment From: simpleusr
Hi @ryanjbaxter
Thanks for the info.
Closing the issue
Best regards