@Service public class DocumentService { public Document findById(Long id) { // No security here! return documentRepository.findById(id); } } If any other service calls findById(1) – maybe from a scheduled job, a message listener, or another microservice – the authorization check is gone.
Sure, you removed HttpSession and added JWT tokens. But did you accidentally reintroduce state via your database? Every time you query a token_blacklist table or hit Redis to validate a session-like JWT, you’ve created state – and with it, scalability bottlenecks. But did you accidentally reintroduce state via your database
Most developers think they know Spring Security. You add the dependency, configure a UserDetailsService , maybe tweak some CORS settings, and call it done. But the third edition of Spring Security by Laurentiu Spilca reveals a harsh truth: that basic setup leaves your REST APIs and microservices dangerously exposed. You add the dependency, configure a UserDetailsService ,