# Zero-Trust API Gateway

A production-grade API Gateway built with Spring Boot 3.x that implements a Zero-Trust security architecture. Every incoming request is verified at multiple levels before it reaches a backend service.
## Architecture

```text
+----------------------------------------------------------------------+
|                           INCOMING REQUEST                           |
+----------------------------------+-----------------------------------+
                                   |
                                   v
+----------------------------------------------------------------------+
|                        ZERO-TRUST FILTER CHAIN                       |
|                                                                      |
|  +-----------+   +---------------+   +---------------+   +---------+ |
|  | IP Filter |-->|JWT Auth Filter|-->|RateLimit Flt. |-->|Role Auth| |
|  | (Order 1) |   |   (Order 2)   |   |   (Order 3)   |   |(Order 4)| |
|  +-----------+   +---------------+   +---------------+   +---------+ |
|  Redis:Block      JWT Validate        Redis:Counter      Role Check  |
|  PostgreSQL:      + Blacklist         + INCR/EXPIRE      ADMIN/PRO/  |
|  Whitelist        Check               Per-User           FREE        |
+----------------------------------+-----------------------------------+
                                   |
                                   v
+----------------------------------------------------------------------+
|                         PROXY / ROUTING LAYER                        |
|                                                                      |
|   /api/users/*     -->  User Service    (port 8081)                  |
|   /api/orders/*    -->  Order Service   (port 8082)                  |
|   /api/payments/*  -->  Payment Service (port 8083)                  |
|                                                                      |
|   Headers Added: X-User-ID, X-User-Role, X-Request-ID, X-Forwarded   |
+----------------------------------------------------------------------+
```
## Tech Stack

| Layer | Technology |
|---|---|
| Backend | Spring Boot 3.4, Spring Security, WebFlux |
| Cache | Redis 7 (rate limiting, token blacklist) |
| Database | PostgreSQL 16 (audit logs, IP rules) |
| Frontend | React 18, Tailwind CSS, Recharts |
| Auth | JWT (jjwt): access 15m + refresh 7d |
| DevOps | Docker, Docker Compose |
## Project Structure

```text
zero-trust-gateway/
├── gateway-service/          # Spring Boot API Gateway
│   └── src/main/java/com/gateway/
│       ├── config/           # SecurityConfig, RedisConfig, RoutingConfig
│       ├── filter/           # IpFilter, JwtAuthFilter, RateLimitFilter, RoleAuthFilter
│       ├── service/          # TokenService, RateLimitService, IpService, AuditLogService
│       ├── controller/       # AuthController, AdminController, ProxyController
│       ├── model/            # User, AuditLog, IpRule
│       └── repository/       # JPA Repositories
├── dummy-backend/            # Simulated microservices
├── admin-dashboard/          # React Admin Dashboard
│   └── src/
│       ├── pages/            # Dashboard, IpManager, TokenMonitor, RateLimitConfig
│       └── components/       # Sidebar, RequestChart, LiveRequestFeed
├── docker-compose.yml
└── init-db.sql
```
## Getting Started

Prerequisites:

- Docker & Docker Compose
- Java 17+ (for local development)
- Node.js 18+ (for frontend development)
### Run with Docker (recommended)

```bash
# Clone & start all services
docker-compose up --build

# Services will be available at:
# Gateway:    http://localhost:8080
# Dashboard:  http://localhost:3000
# PostgreSQL: localhost:5432
# Redis:      localhost:6379
```
### Run Locally (development)

```bash
# 1. Start Redis & PostgreSQL
docker-compose up redis postgres -d

# Steps 2-4 each start a long-running process: run each one in its own
# terminal opened at the repository root.

# 2. Start the dummy backend
cd dummy-backend
./mvnw spring-boot:run

# 3. Start the gateway
cd gateway-service
./mvnw spring-boot:run

# 4. Start the React dashboard
cd admin-dashboard
npm install && npm run dev
```
## Default Credentials

| Username | Password | Role |
|---|---|---|
| Akhil | Akhil9664 | ADMIN |
| testuser | user12345 | FREE |
## Example Requests

```bash
# Login: returns the access and refresh tokens
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"Akhil","password":"Akhil9664"}'

# Rotate tokens using the refresh token
curl -X POST http://localhost:8080/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refreshToken":"<your-refresh-token>"}'

# Logout: blacklists the presented access token
curl -X POST http://localhost:8080/auth/logout \
  -H "Authorization: Bearer <your-access-token>"
```
## Auth Endpoints

| Method | Endpoint | Description |
|---|---|---|
| POST | /auth/register | Register new user |
| POST | /auth/login | Login, returns tokens |
| POST | /auth/refresh | Rotate tokens |
| POST | /auth/logout | Blacklist current token |
## Admin Endpoints

| Method | Endpoint | Description |
|---|---|---|
| GET | /admin/stats | Dashboard metrics |
| GET | /admin/live-feed | Last 50 requests |
| GET | /admin/logs | Paginated audit logs |
| GET | /admin/ip-rules | List IP rules |
| POST | /admin/ip-rules/block | Block an IP |
| POST | /admin/ip-rules/unblock | Unblock an IP |
| POST | /admin/ip-rules/whitelist | Whitelist an IP |
| POST | /admin/tokens/revoke | Revoke a token |
| GET | /admin/rate-limits | View rate limits |
| PUT | /admin/rate-limits | Update rate limits |
## Proxy Routes

| Pattern | Target |
|---|---|
| /api/users/** | User Service :8081 |
| /api/orders/** | Order Service :8082 |
| /api/payments/** | Payment Service :8083 |
## Redis Key Patterns

| Key Pattern | Type | TTL | Purpose |
|---|---|---|---|
| rate_limit:{userId}:{yyyyMMddHHmm} | Integer | 60s | Request counter per minute |
| blacklist:token:{tokenHash} | String | Token's remaining TTL | Revoked token flag |
| ip:blocked:{ipAddress} | String | 60min | Blocked IP with reason |
| ip:failed_attempts:{ipAddress} | Integer | 60min | Failed auth attempt counter |
| refresh_token:{userId} | String | 7 days | Latest refresh token hash |
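How the per-minute counter in the table above can be driven from the order-3 filter with INCR and EXPIRE, as an added example that is not the project's own `RateLimitFilter`. It assumes `JwtAuthFilter` stores the verified `userId` and `role` as exchange attributes, and that an unknown tier falls back to the FREE limit.

```java
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Map;
import org.springframework.core.annotation.Order;
import org.springframework.data.redis.core.ReactiveStringRedisTemplate;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

// Added example, not the project's own RateLimitFilter. Assumes JwtAuthFilter
// (order 2) stored the verified "userId" and "role" as exchange attributes.
@Component
@Order(3)
public class RateLimitFilter implements WebFilter {
    private static final DateTimeFormatter WINDOW = DateTimeFormatter.ofPattern("yyyyMMddHHmm");
    private static final Map<String, Long> LIMITS = Map.of("FREE", 100L, "PRO", 1000L); // ADMIN: unlimited
    private final ReactiveStringRedisTemplate redis;

    public RateLimitFilter(ReactiveStringRedisTemplate redis) { this.redis = redis; }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        String userId = exchange.getAttribute("userId");
        String role = exchange.getAttribute("role");
        if (userId == null || "ADMIN".equals(role)) {
            return chain.filter(exchange); // unauthenticated requests were already rejected at order 2
        }
        long limit = LIMITS.getOrDefault(role, 100L); // unknown tier is treated as FREE (assumption)
        LocalDateTime now = LocalDateTime.now(ZoneOffset.UTC);
        String key = "rate_limit:" + userId + ":" + now.format(WINDOW); // fixed one-minute window
        return redis.opsForValue().increment(key)
            .flatMap(count -> {
                // EXPIRE only on the first hit: a burst must not keep pushing the TTL out.
                Mono<Boolean> ttl = count == 1 ? redis.expire(key, Duration.ofSeconds(60)) : Mono.just(true);
                return ttl.thenReturn(count);
            })
            .flatMap(count -> {
                if (count <= limit) return chain.filter(exchange);
                // Over the limit: 429 with Retry-After = seconds left in the current window.
                exchange.getResponse().setStatusCode(HttpStatus.TOO_MANY_REQUESTS);
                exchange.getResponse().getHeaders().set("Retry-After", String.valueOf(60 - now.getSecond()));
                return exchange.getResponse().setComplete();
            });
    }
}
```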
## Security Features

- IP Filtering: Redis blocklist + PostgreSQL whitelist, auto-block after 10 failed auth attempts
- JWT Validation: signature + expiry + blacklist check on every request
- Rate Limiting: tiered limits (FREE=100, PRO=1000, ADMIN=unlimited), 429 with Retry-After
- Role Authorization: admin endpoints locked to the ADMIN role
- Token Rotation: one-time-use refresh tokens with reuse detection (theft protection)
- Audit Logging: async logging of every request to PostgreSQL
- CORS: configured for the dashboard origin only
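The token-rotation and reuse-detection feature above, backed by the `refresh_token:{userId}` hash key, as an added example that is not the project's own `TokenService`. The `RefreshTokenRotation` class name and the `issuer` hook that mints a new signed refresh JWT are assumptions, and the caller is assumed to have already verified the presented refresh JWT's signature and expiry and extracted its subject.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.util.HexFormat;
import java.util.Optional;
import java.util.function.Function;
import org.springframework.data.redis.core.StringRedisTemplate;

// Added example, not the project's own TokenService. The caller has already
// verified the refresh JWT's signature and expiry and extracted its subject
// (userId); `issuer` is an assumed hook that mints a new signed refresh JWT.
public class RefreshTokenRotation {
    private static final Duration REFRESH_TTL = Duration.ofDays(7); // matches refresh_token:{userId}
    private final StringRedisTemplate redis;
    private final Function<String, String> issuer;

    public RefreshTokenRotation(StringRedisTemplate redis, Function<String, String> issuer) {
        this.redis = redis;
        this.issuer = issuer;
    }

    // Only a hash is kept in Redis, so reading the key does not hand out a live token.
    static String sha256Hex(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return HexFormat.of().formatHex(md.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Returns the new refresh token, or empty when the presented one is stale or reused.
    public Optional<String> rotate(String userId, String presented) {
        String key = "refresh_token:" + userId;
        String latest = redis.opsForValue().get(key);
        byte[] presentedHash = sha256Hex(presented).getBytes(StandardCharsets.UTF_8);
        if (latest == null || !MessageDigest.isEqual(latest.getBytes(StandardCharsets.UTF_8), presentedHash)) {
            // A well-signed token that is no longer the latest was already rotated away:
            // either the user or a thief spent it first. Drop the session so both must
            // log in again; the caller answers 401 and writes the audit log entry.
            redis.delete(key);
            return Optional.empty();
        }
        String next = issuer.apply(userId);
        redis.opsForValue().set(key, sha256Hex(next), REFRESH_TTL); // one-time use: old hash is replaced
        return Optional.of(next);
    }
}
```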
## Admin Dashboard Pages

- Live Dashboard: requests/min chart, error rate, top endpoints, active users, live feed
- IP Manager: block/unblock/whitelist IPs, auto-blocked IPs section, search
- Token Monitor: active sessions, revoke tokens, audit log viewer
- Rate Limit Config: view and edit tier limits in real time
This project is for educational and demonstration purposes.