- Microservices based on Netflix-Tools
- Service Discovery - Eureka
- Circuit Breaker - Hystrix
- Client Side Load Balancer - Ribbon
- REST Client - Feign
- Router and Filter - Zuul
- How to create microservices in devonfw?
- devonfw archetypes
- Create New Microservices infrastructure application
- Create New Microservices Application
- How to use microservices in devonfw
- How to modify the UserDetails information
- How to start with a microservice
- Calls between microservices
Devonfw microservices approach is based on Spring Cloud Netflix, that provides all the main components for microservices integrated within Spring Boot context.
In the following schema we can see an overview of the structure of components in a Devon application based on the Spring Cloud Netflix solution for microservices.
Let’s explain each component
Eureka is a server to register and locate the microservices. The main function for Eureka is to register the different instances of the microservices, its location, its state and other metadata.
It works in a simple way, during the start of each microservice, this communicates with the Eureka server to notify its availability and to send the metadata. The microservice will continue to notify its status to the Eureka server every 30 seconds (default time on Eureka server properties). This value can be changed in the configuration of the component.
If after 3 periods, Eureka does not receive notification of any of the microservices, it will be considered as unavailable and will eliminate its registration.
In addition, it serves as a catalog to locate a specific microservice when routing a request to it.
Hystrix is a library that implements the Circuit Breaker pattern. Its main functionality is to improve the reliability of the system, isolating the entry points of the microservices, preventing the cascading failure from the lower levels of the application all the way up to the user.
In addition to that, it allows developers to provide a fallback in case of error. Hystrix manages the requests to a service, and in case that the microservice doesn’t response, allows to implement an alternative to the request.
Ribbon is a library designed as client side load balancer. Its main feature is to integrate with Eureka to discover the instances of the microservices and their metadata. In that way the Ribbon is able to calculate which of the available instances of a microservice is the most appropriate for the client, when facing a request.
Feign is a REST client to make calls to other microservices. The strength of Feign is that it integrates seamlessly with Ribbon and Hystrix, and its implementation is through annotations, which greatly facilitates this task to the developer.
Using annotations, Spring-cloud generates, automatically, a fully configured REST client.
Zuul is the entry point of the apps based on Spring-cloud microservices. It allows dynamic routing, load balancing, monitoring and securing of requests. By default Zuul uses Ribbon to locate, through Eureka, the instances of the microservice that it wants to invoke and sends the requests within a Hystrix Command, taking advantage of its functionality.
Follow the instructions in the link below to set up devonfw distribution
Next, install devonfw modules and dependencies
Open the devonfw console by executing the batch file console.bat from the devonfw distribution. It is a pre-configured console which automatically uses the software and configuration provided by the devonfw distribution.
Run the following command in the console to change directory to devonfw module
cd workspaces\examples\devonfw
To install modules and dependencies, you need to execute the following command:
mvn --projects bom,modules/microservices/microservices,modules/microservices/microservice-archetype,modules/microservices/microservice-infra-archetype --also-make install
Now, you can use the Microservices archetype given below to create Microservices.
Now, you can use the Microservices archetype given below to create Microservices.
In order to generate microservices in a devonfw project we can choose between two approaches:
generate a new devon4j application and implement one by one all the needed components (based on Spring Cloud).
generate a new devon4j application through the custom microservice archetype included in the devonfw distributions.
That second approach, using the devonfw microservices archetype, will generate automatically all the basic structure and components to start developing the microservices based application.
To simplify starting with projects based on microservices, devonfw includes two archetypes to generate pre-configured projects that include all the basic components of the Spring Cloud implementation.
archetypes-microservices-infra: generates a project with the needed infrastructure services to manage microservices. Includes the Eureka service, Zuul service and the authentication service.
archetypes-microservices: generates a simple project pre-configured to work as a microservice.
To generate a new microservices infrastructure application through the devonfw archetype you only need to open a devonfw console (console.bat script) and follow the same steps described in getting started creating new devonfw devon4j application. But, instead of using the standard archetype, we must provide the special infrastructure archetype archetype-microservice-infra
. Remember to provide your own values for DgroupId, DartifactId, Dversion and Dpackage parameters, Also provide the -DarchetypeVersion with latest value:
mvn -DarchetypeVersion=2.4.0 -DarchetypeGroupId=com.devonfw.microservices -DarchetypeArtifactId=microservices-infra-archetype archetype:generate -DgroupId=com.capgemini -DartifactId=sampleinfra -Dversion=0.1-SNAPSHOT -Dpackage=com.capgemini.sampleinfra
Once the Maven command has finished an application with the following modules should be created:
This module contains the needed classes and configuration to start a Eureka server.
This service runs by default on port 8761 although ti can be changed in the application.properties
file of the project.
This module contains all the needed classes and configuration to start a Zuul server, that will be in charge of the routing and filter of the requests.
This service by default runs on port 8081 but, as we already mentioned, it can be changed through the file application.properties
of the project.
This module runs an authentication and authorization mock microservice that allows to generate a security token to make calls to the rest of microservices. This module is only providing a basic structure, the security measures must be implemented fitting the requirements of each project (authentication through DB, SSO, LDAP, OAuth,…)
This service runs by default on port 9999, although, as in previous services, it can be edited in the application.properties
To generate a new microservice project through the devonfw archetype, as in previous archetype example, you can follow the instructions explained in getting started creating new devonfw devon4j application. But, instead of using the standard archetype, we must provide the special microservices archetype archetype-microservices
. Open a devonfw console (console.bat script) and launch a Maven command like the following (provide your own values for DgroupId, DartifactId, Dversion and Dpackage parameters, also provide the -DarchetypeVersion with latest value):
mvn -DarchetypeVersion=2.4.0 -DarchetypeGroupId=com.devonfw.microservices -DarchetypeArtifactId=microservices-archetype archetype:generate -DgroupId=com.capgemini -DartifactId=sampleapp1 -Dversion=0.1-SNAPSHOT -Dpackage=com.capgemini.sampleapp1
That command generates a simple application containing the source code for the microservice. By default, the pom.xml
includes the devon-microservices
module, that contains the security configuration, jwt interceptors, Hystrix, Ribbon and FeignClient configuration and some properties common to all microservices.
The created microservice runs by default on port 9001 and has the context-path
with the same name than the project. This parameters can be changed through the 'application.properties' file of the project.
In the following sections we are going to provide some patterns to manage microservices in devonfw using the archetype, alongside the options that each of the available modules offer.
We are going to review the general options for the Eureka service. If you are interested in getting more details you can visit the official site for Spring Cloud Eureka clients.
To create an Eureka server you only need to create a new Spring Boot application and add the @EnableEurekaServer
to the main class.
The provided archetype
public class EurekaBootApp {
public static void main(String[] args) {
new SpringApplicationBuilder(EurekaBootApp.class).web(true).run(args);
The basic properties that must be configured for Eureka server are:
port: in which port the service will run. The default port is the 8761 and you have to keep in mind that the connection to this port is specially critical as all the microservices must be able to connect to this
. Remember that Eureka generates and manages the microservices catalog, so it`s crucial to allow the microservices to register in this component. -
url: which URL manages as area.
eureka.instance.hostname=localhost eureka.instance.port=8761 server.port=${eureka.instance.port} eureka.client.serviceUrl.defaultZone=http://${eureka.instance.hostname}:${eureka.instance.port}/eureka/
The way to connect a microservice to Eureka server is really simple. You only will need to specify the host:port
where the server is located and annotate the Spring Boot class with @EnableMicroservices
Instead of using that
public class MicroserviceBootApp {
public static void main(String[] args) {
SpringApplication.run(MicroserviceBootApp.class, args);
eureka.instance.hostname=localhost eureka.instance.port=8761 eureka.client.serviceUrl.defaultZone=http://${eureka.instance.hostname}:${eureka.instance.port}/eureka/
With this the application will register automatically in Eureka and will be validated each 30 seconds. This value can be changed editing the property eureka.instance.leaseRenewalIntervalInSeconds
in application.properties
file. It must be taken into account that each Eureka client will maintain a cache of Eureka records to avoid calling the service every time it is necessary to access another microservice. This cache is reloaded every 30 seconds, this value can also be edited through property eureka.client.registryFetchIntervalSeconds
in application.properties
We are going to show an overview to the options of the Zuul service, if you want to know more details about this particular service visit the official site of Spring Cloud.
Zuul is the component in charge for router and filtering the requests to the microservices system. It works as a gateway that, through a rule engine, redirects the requests to the suitable microservice. In addition, it can be used as a security filter as it can implement PRE-Filters and POST-Filters.
To create a basic Zuul server you only need to create a new Spring Boot application and add the @EnableZuulProxy
public class ZuulBootApp {
public static void main(String[] args) {
SpringApplication.run(ZuulBootApp.class, args);
To allow Zuul to redirect the requests we need to connect Zuul with the previously created Eureka service, to allow him to register and access to the catalog of microservices created by Eureka.
Also, if we are going to use the Zuul service from a web browser, we must configure the CORS filter to allow connections from any source. This is really easy to implement by adding the following Java Bean to our ZuulBootApp class:
public CorsFilter corsFilter() {
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
final CorsConfiguration config = new CorsConfiguration();
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
To configure the Zuul service we need to define a series of properties that we will describe below:
server.port=8081 spring.application.name=zuulserver eureka.instance.hostname=localhost eureka.instance.port=8761 eureka.client.serviceUrl.defaultZone=http://${eureka.instance.hostname}:${eureka.instance.port}/eureka/ microservices.context-path=/demo zuul.routes.security.path=${microservices.context-path}/services/rest/security/** zuul.routes.security.serviceId=AUTH zuul.routes.security.stripPrefix=false zuul.routes.login.path=${microservices.context-path}/services/rest/login zuul.routes.login.serviceId=AUTH zuul.routes.login.stripPrefix=false zuul.ignoredServices='*' zuul.sensitive-headers= ribbon.eureka.enabled=true hystrix.command.default.execution.timeout.enabled=false
: Is the port where the Zuul service is listening. -
: The name of the service the will be sent to Eureka. -
: The properties for the register of the Eureka client. -
: The configuration of a concrete route. -
: The path used for a redirection. -
: ID of the service where the request will be redirected. It must match the propertyspring.application.name
in the microservice. -
: by default set tofalse
. With this property we configure if the part of the route that has matched the request must be cutted out. i.e., if the path is /sample/services/rest/foomanagement/∗∗ and the property is set totrue
it will redirect to the microservice but it will only send the path **, the root/sample/services/rest/foomanagement/
will be removed. -
: Configures which services without result in the routes, must be ignored. -
: Configures which headers must be ignored. This property must be set to empty, otherwise Zuul will ignore security authorization headers and the json web token will not work. -
: Configures if the Ribbon should be used to route the requests. -
: Enables or disables the timeout parameter to consider a microservices as unavailable. By default the value for this property is 1 second. Any request that takes more than this will be consider failed. By default in the archetype this property is disabled.
Having an Eureka client activated, the Zuul service will refresh its content every 30 seconds, so a just registered service may still have not been cached in Zuul. On the contrary, if a service is unavailable, 3 cycles of 30 seconds must pass before Eureka sets its register as dead, and other 30 seconds for Zuul to refresh its cache.
The most commonly used authentication in micro-service environments is authentication based on json web tokens, since the server does not need to store any type of user information (stateless) and therefore favors the scalability of the microservices.
The Otherwise, the autentication and authorization can happen in the main application, that will perform the authentication and will generate the JWT.
In this case, the main microservice or application will perform the authentication and generate the JWT, without using service-auth
It works as follows:
The user is authenticated in our application, either through a user / password access, or through a third provider.
This authentication request is launched against the Zuul server which will redirect it to an instance of the microservice.
The microservice will check the user, retrieve their roles and metadata and generate two tokens: one with user access information and another needed to refresh the access token. This information will be returned to the client.
The client is now able to call the microservice, adding the authorization token to the header of the request.
It works as follows:
The user is authenticated in our application, either through a user / password access, or through a third provider.
This authentication request is launched against the Zuul server which will redirect it to an instance of the Auth microservice.
The Auth microservice will check the user, retrieve their roles and metadata and generate two tokens: one with user access information and another needed to refresh the access token. This information will be returned to the client.
The service-auth
service is already prepared to listen to the /login
path and generate the two mentioned tokens. To do so we can use the JsonWebTokenUtility
class that is implemented in devonfw
UserDetailsJsonWebTokenAbstract clientTo = new UserDetailsJsonWebTokenTo();
clientTo.setRoles(new ArrayList<>(Arrays.asList("DEMO")));
clientTo.setExpirationDate(buildExpirationDate(this.expirationTime * 60 * 1000L));
return new ResponseEntity<>(new JwtHeaderTo(this.jsonWebTokenUtility.createJsonWebTokenAccess(clientTo),
this.expirationTime * 60 * 1000L), HttpStatus.OK);
In our example you can make a POST request to: http://localhost:8081/service-auth/services/rest/login
This will generate a response like the following
"accessToken": "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJkZW1vIiwiZmlyc3ROYW1lIjoiZGVtbyIsImxhc3ROYW1lIjoiZGVtbyIsImV4cCI6MTQ4Nzg3NTAyMSwicm9sZXMiOlsiREVNTyJdfQ.aEdJWEpyvRlO8nF_rpSMSM7NXjRIyeJF425HRt8imCTsq4iGiWbmi1FFZ6pydMwKjd-Uw1-ZGf2WF58qjWc4xg",
"refreshToken": "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJkZW1vIiwiZmlyc3ROYW1lIjoiZGVtbyIsImxhc3ROYW1lIjoiZGVtbyIsImV4cCI6MTQ4Nzg3NTAyMSwicm9sZXMiOlsiUkVGUkVTSF9KV1QiXX0.YtK8Bh07O-h1GTsyTK36YHxkGniyiTlxnazZXi8tT-RtUxxW8We8cdiYJn6tw0RoFkOyr1F5EzvkGyU0HNoLyw",
"expirationTime": 900000,
"accessHeaderName": "Authorization",
"refreshHeaderName": "Authorization-Refresh"
The client now should store, in the header defined in accessHeaderName
, the token included as accessToken
When using There is very sensitive information being sent (username and password) between the different services that anyone could read if the channel is not properly secured.
When configuring the service-auth
module is very important to have into account the following aspects:
The expiration date of the token can be configured in the properties file with the property
(will appear in minutes). -
The key for the token generation can be configured also in the properties file using the property
which will have a Base64 encoded value. -
The roles inserted in the token should be the list of the access roles of the user. Doing this we avoid that each microservice has to look for the roles that belong to a profile.
If you want to use a specific UserDetails for the project, with new fields, you must extend the behavior as explained in here.
From now on, the client will be able to make calls to the microservices, sending the access token in the header of the request.
Once the request reaches the microservice, the app must validate the token and register the user in the security context. These operations will be automatic as long as the microservice has enabled the security inherited from the JsonWebTokenSecurityConfig
class. This is done using the following code:
public class WebSecurityConfig extends JsonWebTokenSecurityConfig {
public JsonWebTokenUtility getJsonWebTokenUtility() {
return new JsonWebTokenUtility();
protected void setupAuthorization(HttpSecurity http) throws Exception {
// authenticate all other requests
In addition, devonfw has already implemented the needed interceptors and filters to resend the security header each time that a microservice calls other microservice of the ecosystem.
When validating the token, it is also checked its expiration date, so it is highly recommended that the client refresh from time to time the token, in order to update its expiration date. This is done by launching a request to /refresh_jwt
within the service-auth
module and sending both the access token and the refresh token in the header.
If for any reason an attempt is made to access a business operation without having a valid token, or without sufficient role level permission to execute that operation, the microservice response will be Forbidden.
In order to modify the UserDetails information we will need to accomplish two steps: modify the authentication service to generate the authentication token with the custom attributes embedded, and modify the pre-authentication filter of the microservices to convert the token into an Object with the custom attributes available.
We must modify the service-auth
that is in charge of logging the user and generate the security token.
The first thing to do is to create a UserDetails class that contains the required attributes and custom attributes. In the code sample we will call this class UserDetailsJsonWebTokenCustomTo, and must either implement the generic UserDetailsJsonWebTokenAbstract interface or extend it from the current UserDetailsJsonWebTokenTo class, since the services are prepared to work with it. In the example, we will add two new attributes firstName
and lastName
public class UserDetailsJsonWebTokenCustomTo extends UserDetailsJsonWebTokenTo {
private String firstName;
private String lastName;
public String getFirstName() {
return this.firstName;
public String getLastName() {
return this.lastName;
public void setFirstName(String firstName) {
this.firstName = firstName;
public void setLastName(String lastName) {
this.lastName = lastName;
In case that the UserDetailsJsonWebTokenAbstract
interface is implemented, in addition to the new attributes the rest of the interface must be implemented.
The next step would be to override the component that performs the conversions Token→UserDetails and UserDetails→Token. This component is the JsonWebTokenUtility
, so you should create a new class that extends from this, in the example we will call it JsonWebTokenUtilityCustom
. In this new class, you must overwrite the only two methods that are allowed to perform the conversions, to add writing and reading operations for the new custom attributes.
public class JsonWebTokenUtilityCustom extends JsonWebTokenUtility {
protected UserDetailsJsonWebTokenAbstract addCustomPropertiesClaimsToUserDetails(Claims claims) {
UserDetailsJsonWebTokenCustomTo userDetails = new UserDetailsJsonWebTokenCustomTo();
userDetails.setFirstName(claims.get("firstName", String.class));
userDetails.setLastName(claims.get("lastName", String.class));
return userDetails;
protected void addCustomPropertiesUserDetailsToJwt(UserDetailsJsonWebTokenAbstract authTokenDetailsDTO, JwtBuilder jBuilder) {
UserDetailsJsonWebTokenCustomTo userDetails = (UserDetailsJsonWebTokenCustomTo) authTokenDetailsDTO;
jBuilder.claim("firtName", userDetails.getFirstName());
jBuilder.claim("lastName", userDetails.getLastName());
Now you should enable that new converter to replace the default one. In the WebSecurityConfig
class you must change the related @Bean
to start using this new class
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
public JsonWebTokenUtility getJsonWebTokenUtility() {
return new JsonWebTokenUtilityCustom();
Finally, in the login process the new attributes should be filled in when creating the user. In our example in the class SecuritymanagementRestServiceImpl
UserDetailsJsonWebTokenCustomTo clientTo = new UserDetailsJsonWebTokenCustomTo();
clientTo.setRoles(new ArrayList<>(Arrays.asList("DEMO")));
clientTo.setExpirationDate(buildExpirationDate(this.expirationTime * 60 * 1000L));
return new ResponseEntity<>(new JwtHeaderTo(this.jsonWebTokenUtility.createJsonWebTokenAccess(clientTo),
this.jsonWebTokenUtility.createJsonWebTokenRefresh(clientTo), //
this.expirationTime * 60 * 1000L), HttpStatus.OK);
Once a token with custom attributes has been obtained, the steps to read it and put it in the security context are very simple. The changes shown in this point should be reproduced in those microservices where you want to use the new custom attributes. The steps to follow are those:
Create a
class that contains the new attributes, as was done in the previous section. The ideal would be to reuse the same class. -
Create a
class that extends the implementation of the token generator, just as it was done in the previous section. Again, the ideal would be to reuse the same class. -
Configure the creation of this new
in theWebSecurityConfig
class just like in the previous section.
With these three steps you can use the new security object with the custom attributes. One way to use it could be as follows:
UserDetailsJsonWebToken principal = (UserDetailsJsonWebToken) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
UserDetailsJsonWebTokenCustomTo userDetails = (UserDetailsJsonWebTokenCustomTo) principal.getUserDetailsJsonWebTokenAbstract();
Once the microservice has been created through its archetype, you need to have a series of points in mind to configure it correctly:
The microservice must have the
starter in itspom.xml
configuration to be able to use the interceptors and the generic configuration.
It should be annotated in its initial class with
, this will activate the annotations for Eureka client, CircuitBreaker and the client Feign. All of this is configured in the properties file. -
This is a bootified application so in the
file you will have to define which one is the boot class. -
You must consider the boot configuration: port and context-path. In development, each microservice must have a different port, to avoid colliding with other microservices, while the context-path is recommended to be the same, to simplify the Zuul configurations and calls between microservices.
You can use
annotations in the services methods to secure them, as long as the Web security inherited fromJsonWebTokenSecurityConfig
has been enabled, since it is the responsible for putting the UserDetails generated from the token into the security context. -
All microservices must share the security key to encrypt and decrypt the token. And, specially, it should be the same as the
, which will be responsible for generating the initial token. -
In the Zuul module, the routes must be well configured to be able to route certain URLs to the new created microservices. So, if we have added a sampleapp1 with
we will need to map that service in the Zuul’sapplication.properties
file adding
The rest will be treated as if it were a normal Web application, which exposes some services through a REST API.
In order to invoke a microservice manually, you would need to implement the following steps:
Obtain the instances of the microservice you want to invoke.
Choose which of all instances is the most optimal for the client.
Retrieve the security token from the source request.
Create a REST client that invokes the instance by passing the generated security token.
Intercept the response in case it causes an error, to avoid a cascade propagation.
Thanks to the combination of Feign, Hystrix, Ribbon, Eureka and devonfw it is possible to make a call to another microservice in a declarative, very simple and almost automatic way.
You only need to create an interface with the methods that need to be invoked. This interface must be annotated with @FeignClient
and each of the methods created must have a path and a method in the @RequestMapping
annotation. An example interface might be as follows:
@FeignClient(value = "foo")
public interface FooClient {
@RequestMapping(method = RequestMethod.GET, value = "/${server.context-path}/services/rest/foomanagement/v1/foo")
FooMessageTo foo();
It is important to highlight the following aspects:
annotation comes along with the name of the microservice to be invoked. The correct and optimal would be to use the name of the microservice, but it is also possible to launch the request to the Zuul server. In the latter case it would be the server itself that would perform the load balancing and self-discovery of the most appropriate microservice, but have in mind that, doing this, the proxy server is also unnecessarily overloaded with unnecessary requests. -
annotation must have the same method and path as expected on target, otherwise the request will be thrown and no response will be found. -
The input and output parameters will be mapped to json, so they may not be exactly the same classes in both destination and source. It will depend on how you want to send and retrieve the information.
Once the interface is created and annotated, in order to use the calls, it would be enough to inject the component into the object from which we want to use it and invoke any of its methods. Spring Cloud will automatically generate the required bean.
FooClient fooClient;
public FooMessageTo ivokeFooClient() {
return this.fooClient.foo();
With these two annotations, almost all the functionality is covered automatically: search in Eureka, choice of the best instance through Ribbon, registration of the token and creation of the REST client. Only would be necessary to control the response in case of failure. The idea is to allow, in case of failure or fall of the invoked microservice, from the origin of the invocation is executed an alternative plan. This is as simple as activating the fallback
in the @FeignClient
annotation and assigning a class that will be invoked in case the REST client response fails.
@FeignClient(value = "foo", fallback = FooClientHystrixFallback.class)
public interface FooClient {
@RequestMapping(method = RequestMethod.GET, value = "/${server.context-path}/services/rest/foomanagement/v1/foo")
FooMessageTo foo();
Finally, you will need to create a class annotated with @Component
that implements the interface of the Feign client. Within this implementation you can add the desired functionality in case the invocation to the REST client fails.
public class FooClientHystrixFallback implements FooClient {
public FooMessageTo foo() {
return new FooMessageTo("Fail Message");