So, we've locked down chat, images, and comments. But what about the Config Server itself? Given how critical it is, holding each microservice's configuration details, we need to insulate ourselves from a malevolent Config Server being stood up in its place.
The simplest thing to do is to add Spring Security to our Config Server. So, let's do it!
compile('org.springframework.boot:spring-boot-starter-security')
By default, Spring Security will set username to user and password to something random. Since we can't be updating the other services every time we restart, let's override that with a fixed password, as follows:
@Bean
UserDetailsService userDetailsService() {
    return new InMemoryUserDetailsManager(
        User
            .withUsername("user")
            ...
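One way to keep the password fixed across restarts without committing it to source, shown as an added example rather than the book's own code: the class name, the `CONFIG_SERVER_PASSWORD` environment variable, and the `USER` role are assumptions made for illustration.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical configuration class for the Config Server application.
@Configuration
public class ConfigServerSecurityConfig {

    // Delegating encoder: stored values carry an {id} prefix, bcrypt by default.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Defining this bean makes Spring Boot skip its generated random password.
    // CONFIG_SERVER_PASSWORD is an assumed variable name; if it is not set,
    // placeholder resolution fails and the server refuses to start.
    @Bean
    UserDetailsService userDetailsService(
            @Value("${CONFIG_SERVER_PASSWORD}") String rawPassword,
            PasswordEncoder encoder) {

        // Fail closed on a blank value instead of accepting an empty password.
        if (rawPassword.trim().isEmpty()) {
            throw new IllegalStateException(
                "CONFIG_SERVER_PASSWORD must not be blank");
        }

        return new InMemoryUserDetailsManager(
            User.withUsername("user")
                .password(encoder.encode(rawPassword)) // only the hash is kept in memory
                .roles("USER")                         // assumed role name
                .build());
    }
}
```

Each config client then has to present the same credentials, for example through the `spring.cloud.config.username` and `spring.cloud.config.password` properties, supplied from the same secret source.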