General Information
The repository for this application (open on GitHub) has 120 stars and was forked 139 times. The codebase consists of 1028 lines of code and makes use of the following technologies:
Eureka, Ribbon, Spring OAuth, Zuul
Data Flow Diagram
Download the following model file here. Other formats are provided below.
{
"services": [
{
"name": "discovery_server",
"stereotypes": [
"service_discovery",
"infrastructural"
],
"tagged_values": {
"Service Discovery": "Eureka",
"Port": 8761
}
},
{
"name": "gateway_server",
"stereotypes": [
"gateway",
"in_memory_authentication",
"plaintext_credentials",
"infrastructural",
"authentication_scope_all_requests",
"load_balancer"
],
"tagged_values": {
"Gateway": "Zuul",
"Username": "root",
"Password": "password",
"Port": 8765,
"Load Balancer": "Ribbon"
}
},
{
"name": "auth_server",
"stereotypes": [
"authorization_server",
"encryption",
"infrastructural",
"resource_server",
"token_server",
"local_logging"
],
"tagged_values": {
"Authorization Server": "Spring OAuth2",
"Port": 9999
}
},
{
"name": "account_service",
"stereotypes": [
"internal",
"pre_authorized_endpoints",
"resource_server"
],
"tagged_values": {
"Pre-authorized Endpoints": [
"/{id}",
"/"
],
"Port": 8082
}
},
{
"name": "customer_service",
"stereotypes": [
"internal",
"pre_authorized_endpoints",
"resource_server"
],
"tagged_values": {
"Pre-authorized Endpoints": [
"/{id}"
],
"Port": 8083
}
}
],
"information_flows": [
{
"sender": "discovery_server",
"receiver": "gateway_server",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "database_gateway_server",
"receiver": "gateway_server",
"stereotypes": [
"jdbc",
"plaintext_credentials_link"
],
"tagged_values": {
"'Password'": "\"default\"",
" 'Username'": "\"default\""
}
},
{
"sender": "user",
"receiver": "gateway_server",
"stereotypes": [
"restful_http",
"authenticated_request"
],
"tagged_values": {}
},
{
"sender": "gateway_server",
"receiver": "user",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "auth_server",
"receiver": "discovery_server",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "database_auth_server",
"receiver": "auth_server",
"stereotypes": [
"jdbc",
"plaintext_credentials_link"
],
"tagged_values": {
"\"Username\"": "\"oauth2\"",
" \"Password\"": "\"oauth2\""
}
},
{
"sender": "gateway_server",
"receiver": "auth_server",
"stereotypes": [
"restful_http",
"auth_provider"
],
"tagged_values": {}
},
{
"sender": "account_service",
"receiver": "discovery_server",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "auth_server",
"receiver": "account_service",
"stereotypes": [
"restful_http",
"auth_provider"
],
"tagged_values": {}
},
{
"sender": "gateway_server",
"receiver": "account_service",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "customer_service",
"receiver": "discovery_server",
"stereotypes": [
"restful_http"
],
"tagged_values": {}
},
{
"sender": "customer_service",
"receiver": "account_service",
"stereotypes": [
"restful_http",
"authenticated_request",
"feign_connection",
"load_balanced_link"
],
"tagged_values": {
"'Load Balancer'": "\"Ribbon\""
}
},
{
"sender": "auth_server",
"receiver": "customer_service",
"stereotypes": [
"restful_http",
"auth_provider"
],
"tagged_values": {}
}
],
"external_entities": [
{
"name": "database_gateway_server",
"stereotypes": [
"external_database",
"entrypoint",
"exitpoint",
"plaintext_credentials"
],
"tagged_values": {
"Database": "MySQL",
"Password": "default",
"Username": "default"
}
},
{
"name": "user",
"stereotypes": [
"user_stereotype",
"entrypoint",
"exitpoint"
],
"tagged_values": {}
},
{
"name": "database_auth_server",
"stereotypes": [
"external_database",
"entrypoint",
"exitpoint",
"plaintext_credentials",
"tokenstore"
],
"tagged_values": {
"Database": "MySQL",
"Username": "oauth2",
"Password": "oauth2"
}
}
]
}
Model Items
The application consists of a total of 99 elements:
Element | Count |
---|---|
Services | 5 |
External Entities | 3 |
Information Flows | 13 |
Annotations | 78 |
Total Items | 99 |
Security Rules
The following table shows the application’s adherence to the 17 architectural security rules. The last column provides model variants that adhere to the rule for each rule that is initially violated.
Rule ID | Verdict | Evidence | Model Variant
---|---|---|---
R1 | Adhered | Evidence |
R2 | Violated | Evidence | Variant
R3 | Adhered | Evidence |
R4 | Adhered | Evidence |
R5 | Adhered | Evidence |
R6 | Violated | Evidence | Variant
R7 | Violated | Evidence | Variant
R8 | Violated | Evidence | Variant
R9 | Violated | Evidence | Variant
R10 | Violated | Evidence | Variant
R11 | Violated | Evidence | Variant
R12 | Violated | Evidence | Variant
R13 | Adhered | Evidence |
R14 | Adhered | Evidence |
R16 | Adhered | Evidence |
R17 | Violated | Evidence | Variant
R18 | Violated | Evidence | Variant
Evidence and explanations for rule decisions
R1
Rule is adhered to: User only communicates with the Zuul gateway server.
Artifacts:
- application.yml: Line: 2
R2
Rule is violated: Services communicate internally over plain HTTP. The communication is not authenticated.
Artifacts:
R3
Rule is adhered to: Authentication and authorization via OAuth2 is implemented at the AuthServer instance. The AuthServer is a separate service at platform level that provides authentication to all internal services.
Artifacts:
R4
Rule is adhered to: Users are authenticated using JWT Tokens and identified by a unique username. All endpoints can verify authorization scopes with the central AuthServer.
Artifacts:
- OAuth2Config.java: Line: 28
R5
Rule is adhered to: The authentication tokens are verified by all services.
Artifacts:
R6
Rule is violated: No rate limiting of any kind is deployed.
R7
Rule is violated: User external entities can call the gateway service using an unencrypted HTTP connection.
Artifacts:
- application.yml: Line: 2
R8
Rule is violated: All internal services communicate over insecure HTTP connections.
Artifacts:
R9
Rule is violated: No central logging system is deployed.
R10
Rule is violated: No central logging system is deployed. Two internal services perform local logging; however, none of the logs are consumed or accessed through monitoring software.
Artifacts:
R11
Rule is violated: Logs are not sanitized, but no PII or secrets are explicitly logged.
Artifacts:
- UserDetailsServiceImpl.java: Line: 33
R12
Rule is violated: No logs are collected and no message broker is deployed.
R13
Rule is adhered to: The Zuul API gateway includes the Hystrix Circuit Breaker functionality.
R14
Rule is adhered to: The gateway server uses load balancing via Ribbon to access dependent services.
Artifacts:
- application.yml: Line: 16
R15
This rule is not applicable: Not a service mesh deployment.
R16
Rule is adhered to:
- Registry Service (Eureka Server) with @EnableEurekaServer present.
- Eureka is started on Port 8765 and can be deployed on a dedicated server.
Artifacts:
R17
Rule is violated: No HTTP basic credentials are configured in any YML configuration in the format username:password@<location of the Eureka server> under “eureka.client.serviceUrl.defaultZone”.
Artifacts:
R18
Rule is violated: The OAuth client secrets and database access passwords are supplied via configuration files and hard-coded into the Java code.
Artifacts:
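As an added example (not part of the dataset's own tooling), a small Python checker that evaluates rules R1, R2 and R18 over a model in the JSON format shown above; the embedded model is a constructed subset of the page's, and the rule logic is my reading of the rule explanations, so it is an assumption rather than the dataset's official interpretation.

```python
"""Rule checks over a dataflow model in the JSON format shown above.
The interpretation of R1, R2 and R18 below is an assumption, not the dataset's own logic."""
import json

# Constructed subset of the page's model (same schema, fewer items).
MODEL = json.loads("""{
 "services": [
  {"name": "gateway_server", "stereotypes": ["gateway", "plaintext_credentials"],
   "tagged_values": {"Username": "root", "Password": "password"}},
  {"name": "account_service", "stereotypes": ["internal"], "tagged_values": {}},
  {"name": "customer_service", "stereotypes": ["internal"], "tagged_values": {}}],
 "information_flows": [
  {"sender": "user", "receiver": "gateway_server",
   "stereotypes": ["restful_http", "authenticated_request"]},
  {"sender": "gateway_server", "receiver": "account_service", "stereotypes": ["restful_http"]},
  {"sender": "customer_service", "receiver": "account_service",
   "stereotypes": ["restful_http", "authenticated_request"]}],
 "external_entities": [
  {"name": "user", "stereotypes": ["user_stereotype"], "tagged_values": {}},
  {"name": "database_auth_server", "stereotypes": ["external_database", "plaintext_credentials"],
   "tagged_values": {"Username": "oauth2", "Password": "oauth2"}}]}""")

def has(item, stereotype):
    return stereotype in item.get("stereotypes", [])

def check_r1(model):
    """R1: the user entity may only talk to gateway services.
    Returns the non-gateway receivers the user reaches directly (empty = adhered)."""
    gateways = {s["name"] for s in model["services"] if has(s, "gateway")}
    return sorted(f["receiver"] for f in model["information_flows"]
                  if f["sender"] == "user" and f["receiver"] not in gateways)

def check_r2(model):
    """R2: service-to-service flows must be authenticated.
    Returns (sender, receiver) pairs of flows lacking authenticated_request."""
    services = {s["name"] for s in model["services"]}
    return sorted((f["sender"], f["receiver"]) for f in model["information_flows"]
                  if f["sender"] in services and f["receiver"] in services
                  and not has(f, "authenticated_request"))

def check_r18(model):
    """R18: no plaintext secrets in the model.
    Returns names of items tagged plaintext_credentials or carrying a Password value."""
    items = model["services"] + model["external_entities"]
    return sorted(i["name"] for i in items
                  if has(i, "plaintext_credentials") or "Password" in i.get("tagged_values", {}))

if __name__ == "__main__":
    for rule, result in (("R1", check_r1(MODEL)), ("R2", check_r2(MODEL)), ("R18", check_r18(MODEL))):
        print(rule, "adhered" if not result else f"violated: {result}")
```

Run against the page's full model file, the checker reports the same R1, R2 and R18 verdicts as the table above.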