General Information
The repository for this application (open on GitHub) has 663 stars and was forked 425 times. The codebase consists of 4245 lines of code and makes use of the following technologies:
Docker, Docker Compose, Eureka, Gradle, Hystrix, Ribbon, Spring Config, Spring OAuth, Turbine, Zipkin, Zuul
Data Flow Diagram
Download the following model file here. Other formats are provided below.
{
"services": [
{
"name": "configserver",
"stereotypes": [
"infrastructural",
"configuration_server"
],
"tagged_values": {
"Port": 8888,
"Configuration Server": "Spring Cloud Config"
}
},
{
"name": "webservice_registry",
"stereotypes": [
"infrastructural",
"service_discovery"
],
"tagged_values": {
"Port": 8761,
"Service Discovery": "Eureka"
}
},
{
"name": "zipkin_tracing",
"stereotypes": [
"infrastructural",
"tracing_server"
],
"tagged_values": {
"Port": 9411,
"Tracing Server": "Zipkin"
}
},
{
"name": "mysqldb",
"stereotypes": [
"database",
"plaintext_credentials"
],
"tagged_values": {
"Port": 3306,
"Database": "MySQL",
"Password": "password"
}
},
{
"name": "auth_server",
"stereotypes": [
"infrastructural",
"authorization_server",
"resource_server",
"authentication_scope_all_requests",
"plaintext_credentials"
],
"tagged_values": {
"Port": 8899,
"Authorization Server": "Spring OAuth2",
"Endpoints": [
"/me"
],
"Username": "user",
"Password": "password"
}
},
{
"name": "web_portal",
"stereotypes": [
"infrastructural",
"monitoring_dashboard",
"monitoring_server",
"authentication_scope_all_requests"
],
"tagged_values": {
"Port": 8090,
"Monitoring Server": "Turbine",
"Monitoring Dashboard": "Hystrix"
}
},
{
"name": "user_webservice",
"stereotypes": [
"internal",
"local_logging",
"resource_server",
"authentication_scope_all_requests"
],
"tagged_values": {
"Port": 8091,
"Endpoints": [
"/",
"/{userName}"
]
}
},
{
"name": "comments_webservice",
"stereotypes": [
"internal",
"local_logging",
"resource_server"
],
"tagged_values": {
"Port": 8083,
"Endpoints": [
"/comments",
"/comments/{taskId}"
]
}
},
{
"name": "task_webservice",
"stereotypes": [
"internal",
"local_logging",
"authentication_scope_all_requests",
"resource_server",
"circuit_breaker",
"load_balancer"
],
"tagged_values": {
"Port": 8082,
"Circuit Breaker": "Hystrix",
"Endpoints": [
"/",
"/{taskId}",
"/usertask/{userName}"
],
"Load Balancer": "Spring Cloud"
}
},
{
"name": "api_gateway",
"stereotypes": [
"infrastructural",
"gateway",
"load_balancer",
"circuit_breaker",
"csrf_disabled"
],
"tagged_values": {
"Port": 8765,
"Gateway": "Zuul",
"Load Balancer": "Ribbon",
"Circuit Breaker": "Hystrix"
}
}
],
"external_entities": [
{
"name": "github_repository",
"stereotypes": [
"github_repository",
"entrypoint"
],
"tagged_values": {
"URL": "https://github.com/anilallewar/microservices-basics-cloud-config"
}
},
{
"name": "user",
"stereotypes": [
"user_stereotype",
"entrypoint",
"exitpoint"
],
"tagged_values": {}
}
],
"information_flows": [
{
"sender": "github_repository",
"receiver": "configserver",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "configserver",
"receiver": "webservice_registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "configserver",
"receiver": "zipkin_tracing",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "configserver",
"receiver": "auth_server",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "mysqldb",
"receiver": "auth_server",
"stereotypes": [
"restful_http",
"plaintext_credentials_link"
],
"tagged_values": {
"'Username'": "\"root\"",
" 'Password'": "\"password\""
}
},
{
"sender": "auth_server",
"receiver": "webservice_registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "web_portal",
"receiver": "webservice_registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "configserver",
"receiver": "web_portal",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "user_webservice",
"receiver": "zipkin_tracing",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "configserver",
"receiver": "user_webservice",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "user_webservice",
"receiver": "webservice_registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "auth_server",
"receiver": "user_webservice",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "comments_webservice",
"receiver": "zipkin_tracing",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "configserver",
"receiver": "comments_webservice",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "comments_webservice",
"receiver": "webservice_registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "task_webservice",
"receiver": "zipkin_tracing",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "configserver",
"receiver": "task_webservice",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "auth_server",
"receiver": "task_webservice",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "task_webservice",
"receiver": "webservice_registry",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "task_webservice",
"receiver": "web_portal",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "task_webservice",
"receiver": "comments_webservice",
"stereotypes": [
"restful_http",
"circuit_breaker_link",
"load_balanced_link"
],
"tagged_values": {}
},
{
"sender": "api_gateway",
"receiver": "user",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "user",
"receiver": "api_gateway",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "configserver",
"receiver": "api_gateway",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "webservice_registry",
"receiver": "api_gateway",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "api_gateway",
"receiver": "zipkin_tracing",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "auth_server",
"receiver": "api_gateway",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "api_gateway",
"receiver": "user_webservice",
"stereotypes": [
"restful_http",
"load_balanced_link",
"circuit_breaker_link"
],
"tagged_values": {}
},
{
"sender": "api_gateway",
"receiver": "task_webservice",
"stereotypes": [
"restful_http",
"load_balanced_link",
"circuit_breaker_link"
],
"tagged_values": {}
}
]
}
Model Items
The Application consists of 149 items:
Item Group | Count |
---|---|
Services | 10 |
External Entities | 2 |
Information Flows | 29 |
Annotations | 108 |
Total Items | 149 |
Security Rules
The following table shows the application’s adherence to the 17 architectural security rules. The last column provides model variants that adhere to the rule for each rule that is initially violated.
Rule ID | Verdict | Evidence | Model Variant |
---|---|---|---|
R1 | partially adhered to | Evidence | |
R2 | adhered to | Evidence | |
R3 | adhered to | Evidence | |
R4 | violated | Evidence | Variant |
R5 | adhered to | Evidence | |
R6 | violated | Evidence | Variant |
R7 | violated | Evidence | Variant |
R8 | violated | Evidence | Variant |
R9 | violated | Evidence | Variant |
R10 | violated | Evidence | Variant |
R11 | violated | Evidence | Variant |
R12 | violated | Evidence | Variant |
R13 | adhered to | Evidence | |
R14 | adhered to | Evidence | |
R16 | adhered to | Evidence | |
R17 | violated | Evidence | Variant |
R18 | violated | Evidence | Variant |
Evidence and explanations for rule decisions
R1
Rule is partially adhered to:
- The @EnableZuulProxy annotation is present.
- The @EnableOAuth2Sso annotation is present.
- There is no routing to the authorization server, as the author notes, so there is no single entry point.
- The README.md of the authorization server mentions request at port 8899, while API Gateway port is 8765.
Artifacts:
- Dockerfile: Line: 24
- bootstrap.yml: Line: 2
- GatewayApplication.java: Line: 48
- WebSecurityConfiguration.java: Line: 21
- README.md: Line: 93
- api-gateway.yml: Lines: 59, 66
R2
Rule is adhered to: All downstream services are resource servers per the @EnableResourceServer annotation, so even requests between services must be authenticated and authorized.
Artifacts:
- WebSecurityConfiguration.java: Line: 21
- ResourceServerConfiguration.java: Line: 27
- ResourceServerConfiguration.java: Line: 27
- CommentsApplication.java: Line: 30
- AuthServerApplication.java: Line: 22
R3
Rule is adhered to:
- The @EnableAuthorizationServer annotation is present.
- A JwtAccessTokenConverter bean is present, so JWTs are used.
- Downstream services such as the API Gateway have the public key hardcoded in YML.
Artifacts:
R4
Rule is violated: As Rule 2 already confirms, every downstream service needs tokens for authorization/authentication. However, there is no evidence that tokens are translated into internal identity representations.
R5
Rule is adhered to:
- All resource servers have the @EnableResourceServer annotation.
- The public key is hardcoded into each Resource Servers YML-Configuration.
Artifacts:
- TaskApplication.java: Line: 42
- UserApplication.java: Line: 34
- api-gateway.yml: Line: 52
- user-webservice.yml: Line: 23
- comments-webservice.yml: Line: 22
- task-webservice.yml: Line: 23
R6
Rule is violated: No consequences for failed login attempts are implemented.
R7
Rule is violated: There is no mention of SSL, TLS, keystores or trust-stores in the application.
R8
Rule is violated: See rule 7.
R9
Rule is violated: No central logging system is deployed.
R10
Rule is violated: No central logging system is deployed.
R11
Rule is violated: Logs are not explicitly sanitized.
R12
Rule is violated: No message broker is deployed and no logs are collected.
R13
Rule is adhered to: The Hystrix circuit breaker is enabled through the @EnableZuulProxy annotation.
Artifacts:
- GatewayApplication.java: Line: 48
R14
Rule is adhered to: The gateway server uses load balancing via Ribbon to access dependent services through the @EnableZuulProxy annotation.
Artifacts:
- GatewayApplication.java: Line: 48
R16
Rule is adhered to:
- A registry service (Eureka Server) with @EnableEurekaServer is present.
- It is started in a Docker container through Compose, so it is deployable on a dedicated server.
Artifacts:
R17
Rule is violated:
No HTTP basic credentials (in the format username:password@here-location-of-eureka-server) are listed under “eureka.client.serviceUrl.defaultZone” in any YML configuration.
Artifacts:
- api-gateway.yml: Line: 138
R18
Rule is violated: No secret manager is deployed. The deployed git configuration server is not a secrets manager.
Artifacts:
- application.yml: Line: 3
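Two of the rule decisions above (R1's single entry point, and the plaintext_credentials stereotypes on mysqldb and auth_server) can be checked mechanically against the model format shown in the Data Flow Diagram section. The following Python checker is an added example, not part of the dataset or of the analysed project; it runs over a constructed subset of the model that adds a direct user-to-auth_server flow to mirror the R1 finding that the authorization server is reached at port 8899 outside the gateway.

```python
import json

# Constructed subset of the page's DFD model, same schema as the full model above.
# The user -> auth_server flow is added here to reproduce the R1 finding.
MODEL_JSON = r'''
{"services": [
  {"name": "auth_server", "stereotypes": ["authorization_server", "plaintext_credentials"],
   "tagged_values": {"Port": 8899, "Username": "user", "Password": "password"}},
  {"name": "mysqldb", "stereotypes": ["database", "plaintext_credentials"],
   "tagged_values": {"Port": 3306, "Password": "password"}},
  {"name": "api_gateway", "stereotypes": ["infrastructural", "gateway", "csrf_disabled"],
   "tagged_values": {"Port": 8765}},
  {"name": "task_webservice", "stereotypes": ["internal", "resource_server"],
   "tagged_values": {"Port": 8082}}],
 "external_entities": [
  {"name": "user", "stereotypes": ["user_stereotype", "entrypoint", "exitpoint"],
   "tagged_values": {}}],
 "information_flows": [
  {"sender": "user", "receiver": "api_gateway", "stereotypes": ["restful_http"], "tagged_values": {}},
  {"sender": "user", "receiver": "auth_server", "stereotypes": ["restful_http"], "tagged_values": {}},
  {"sender": "mysqldb", "receiver": "auth_server",
   "stereotypes": ["restful_http", "plaintext_credentials_link"], "tagged_values": {}}]}
'''


def load_model(text):
    """Parse a model document in the JSON schema used on this page."""
    return json.loads(text)


def non_gateway_user_entries(model):
    """R1-style check: every flow from a user entity must enter through a gateway service.
    Returns the receivers that the user reaches directly, bypassing the gateway."""
    gateways = {s["name"] for s in model["services"] if "gateway" in s["stereotypes"]}
    users = {e["name"] for e in model["external_entities"] if "user_stereotype" in e["stereotypes"]}
    return sorted(f["receiver"] for f in model["information_flows"]
                  if f["sender"] in users and f["receiver"] not in gateways)


def plaintext_credential_findings(model):
    """Collect services and flows stereotyped with plaintext credentials, with the
    tagged-value keys that carry the credential so a reviewer knows what to rotate."""
    findings = []
    for s in model["services"]:
        if "plaintext_credentials" in s["stereotypes"]:
            keys = [k for k in s["tagged_values"] if k in ("Username", "Password")]
            findings.append(("service", s["name"], keys))
    for f in model["information_flows"]:
        if "plaintext_credentials_link" in f["stereotypes"]:
            findings.append(("flow", f"{f['sender']}->{f['receiver']}", list(f["tagged_values"])))
    return findings
```

Running both checks over the full model on this page would report no gateway bypass (the only user flow targets api_gateway), while the credential findings match the two plaintext_credentials services and the mysqldb-to-auth_server link.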