Securing service endpoints using session authentication
In session-based authentication, the user state is stored on the server side. When a user logs in, the server starts a session and issues a session ID to the client in a cookie. The server uses that ID to look the session up in its store of active sessions. Every subsequent request must present the session ID as a cookie to resume the session:
As shown in the preceding figure, in a session-based authentication strategy the server does the heavy lifting of keeping track of the session; the client only has to present a valid session ID to resume it. Because that ID is all the server needs to treat a request as authenticated, it must be unguessable, it must expire, and the cookie carrying it should be marked HttpOnly and Secure so that scripts and plaintext connections cannot leak it.
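The following is an added example, written for this page rather than taken from the book or from Micronaut, that shows the mechanism described above in framework-independent Python: a server-side session store keyed by a random ID, a login handler that issues the ID in a cookie, and a protected handler that resumes the session from the cookie or rejects the request. The cookie name SESSION, the /login and /owners endpoints, the user "alice" and her password are all assumptions made for the illustration.

```python
"""Session-based authentication: the server keeps the state, the client keeps only an opaque ID.
Added illustration; the endpoint names, cookie name and sample user are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SESSION_COOKIE = "SESSION"  # assumed cookie name for this example


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user table: salted PBKDF2 hashes, one random salt per user.
_ALICE_SALT = secrets.token_bytes(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse battery staple", _ALICE_SALT))}


def verify_credentials(username, password):
    """Constant-time comparison; unknown users still cost one hash so timing does not reveal them."""
    salt, stored = USERS.get(username, (_ALICE_SALT, None))
    candidate = _hash_password(password, salt)
    return stored is not None and hmac.compare_digest(stored, candidate)


@dataclass
class Session:
    user: str
    last_seen: float
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """Server-side state: maps an opaque, random session ID to the user's session."""

    def __init__(self, idle_timeout=1800, clock=time.monotonic):
        self._sessions = {}
        self.idle_timeout = idle_timeout  # seconds of inactivity before the session dies
        self.clock = clock                # injectable so expiry can be tested deterministically

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy: the ID is the whole credential
        self._sessions[sid] = Session(user, self.clock())
        return sid

    def resume(self, sid):
        session = self._sessions.get(sid) if sid else None
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[sid]       # expired: forget it rather than let it linger
            return None
        session.last_seen = now           # sliding idle timeout
        return session

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def __len__(self):
        return len(self._sessions)


def parse_cookies(header):
    cookies = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def session_cookie(sid, max_age=None):
    """Set-Cookie value: HttpOnly keeps scripts away from the ID, Secure keeps it off plaintext HTTP."""
    attrs = [f"{SESSION_COOKIE}={sid}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if max_age is not None:
        attrs.append(f"Max-Age={max_age}")
    return "; ".join(attrs)


def _session_id(request_headers):
    return parse_cookies(request_headers.get("Cookie")).get(SESSION_COOKIE)


def login(store, request_headers, username, password):
    """POST /login: check credentials, start a fresh session, hand the ID back in a cookie."""
    if not verify_credentials(username, password):
        return 401, {}, "invalid credentials"
    store.destroy(_session_id(request_headers))  # session fixation: never keep a client-chosen ID
    sid = store.create(username)
    return 200, {"Set-Cookie": session_cookie(sid)}, "logged in"


def owners(store, request_headers):
    """GET /owners: resume the session named by the cookie, or reject the request."""
    session = store.resume(_session_id(request_headers))
    if session is None:
        return 401, {}, "login required"
    return 200, {}, f"hello {session.user}"


def logout(store, request_headers):
    """POST /logout: drop the server-side state and tell the browser to discard the cookie."""
    store.destroy(_session_id(request_headers))
    return 200, {"Set-Cookie": session_cookie("", max_age=0)}, "logged out"


if __name__ == "__main__":
    store = SessionStore()
    status, hdrs, _ = login(store, {}, "alice", "correct horse battery staple")
    cookie = hdrs["Set-Cookie"].split(";")[0]
    print(status, owners(store, {"Cookie": cookie}))
```

The client never sees anything but the random ID, so all authorization decisions happen against the store; that is also why logout and expiry must remove the server-side entry, since a cookie the browser forgets to delete would otherwise still resume the session.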
To learn how to secure a microservice using session-based authentication, we will experiment on the pet-owner microservice. To begin, we need to enable security by adding the following dependencies to the project's pom.xml:
<!-- Micronaut security --> ...