Securing Your App with Spring Boot

It's not real until it's secured.
Greg L. Turnquist @gregturn

In the previous chapter, you learned how to turn our application into a fully asynchronous, message-based app using WebSockets.

Security is hard. Even among the experts. Rob Winch, the lead for Spring Security, has stated in multiple forums, "Do not implement security on your own." A classic example is when someone wrote a utility to crack password-protected Microsoft Word documents. It had an intentional delay so that it didn't operate in subsecond time. Get it? The author of the tool didn't want to show how easy it was to break a Word document.

Suffice it to say, there are lots of attack vectors. Especially on the web. The fact that our applications partially run in a remote location (the browser) on someone else's machine leaves little in the way of guarantees. In fact, whole books have been written on Spring Security. We can't cover everything, but we will cover Just Enough™ to secure our microservice-based social media platform.

In this chapter, we will cover the following topics:

  • Using Spring Session to share state between services
  • Creating a Gateway API
  • Securing the chat microservice
  • Securing the images microservice
  • Authorizing methods
  • Securing WebSockets
  • Securing the Config Server
  • Securing the Eureka Server