SaFi Bank Space : Security within Transactions domain

The security topic within the TX domain can be split into two distinct parts.

  • Concept - the overall business aspect of security

  • Technical - how specifically security is applied

Concepts

The current structure of access is represented by:

  • Service access - any microservice calling a service has full access to all resources. Therefore we only need to validate that the request itself is valid (i.e. that the caller is an authenticated service).

  • User access - each user has access only to their own accounts. Therefore we need to ensure that the authenticated user id is equal to the id of the owner of the account being accessed.

Technical aspect

Technically, the realisation relies on the library developed by the IAM team and will not use Micronaut Security. Both authentication and authorisation will therefore be implemented programmatically. The implementation follows the description here.

Authentication consists of calling the authenticate method of the IamAuthentication class. If this method does not throw an exception, we consider the caller authenticated.

Authorisation has to follow the business rules of the domain. As mentioned above, we need to determine whether the caller is a service or a user. In the case of a user, we look up the owner of the account and compare the id of the authenticated user with the owner's id. In case of a mismatch, an authentication exception is thrown.
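The two steps above (authenticate via the IAM library, then apply the service/user ownership rule) as an added, self-contained example. This is not the project's code and not the IAM library's real API: only the name IamAuthentication.authenticate comes from this page; the Principal record, the isService flag, the AuthenticationException class, the token table and the account-owner map are all assumptions constructed for the demonstration.

```java
import java.util.Map;

/** Assumed shape of the IAM team's entry point (hypothetical; only the
 *  name IamAuthentication.authenticate is taken from the page). */
interface IamAuthentication {
    Principal authenticate(String authorizationHeader);
}

/** Hypothetical authenticated caller: an id plus whether it is a service. */
record Principal(String id, boolean isService) {}

/** Hypothetical exception type; the page only says "authentication exception". */
class AuthenticationException extends RuntimeException {
    AuthenticationException(String message) { super(message); }
}

/** Guard applying the TX-domain rules: services have full access,
 *  users may only touch accounts they own. */
class TransactionAccessGuard {
    private final IamAuthentication iam;
    private final Map<String, String> accountOwners; // accountId -> owner user id

    TransactionAccessGuard(IamAuthentication iam, Map<String, String> accountOwners) {
        this.iam = iam;
        this.accountOwners = accountOwners;
    }

    /** Step 1: delegate to the IAM library; any exception means "not authenticated". */
    Principal authenticate(String authorizationHeader) {
        return iam.authenticate(authorizationHeader);
    }

    /** Step 2: the service/user decision is taken from the authenticated
     *  principal, never from a client-supplied flag in the request. */
    void authorizeAccountAccess(Principal caller, String accountId) {
        if (caller.isService()) {
            return; // service access: full access once authenticated
        }
        String owner = accountOwners.get(accountId);
        // Unknown account and foreign account are rejected the same way,
        // so the response does not reveal whether the account exists.
        if (owner == null || !owner.equals(caller.id())) {
            throw new AuthenticationException(
                "caller " + caller.id() + " is not the owner of account " + accountId);
        }
    }

    /** Convenience: both steps for one request. Returns the principal on success. */
    Principal checkRequest(String authorizationHeader, String accountId) {
        Principal caller = authenticate(authorizationHeader);
        authorizeAccountAccess(caller, accountId);
        return caller;
    }
}

public class AccessCheckDemo {
    public static void main(String[] args) {
        // Constructed token table standing in for the real IAM library.
        Map<String, Principal> tokens = Map.of(
            "svc-token", new Principal("ledger-service", true),
            "user-42-token", new Principal("user-42", false));
        IamAuthentication iam = header -> {
            Principal p = tokens.get(header);
            if (p == null) throw new AuthenticationException("invalid or missing credentials");
            return p;
        };
        // Constructed account ownership data.
        Map<String, String> owners = Map.of("acc-1", "user-42", "acc-2", "user-7");
        TransactionAccessGuard guard = new TransactionAccessGuard(iam, owners);

        run(guard, "svc-token", "acc-2");     // service: allowed
        run(guard, "user-42-token", "acc-1"); // owner: allowed
        run(guard, "user-42-token", "acc-2"); // not the owner: rejected
        run(guard, "bogus-token", "acc-1");   // unauthenticated: rejected
    }

    private static void run(TransactionAccessGuard guard, String header, String accountId) {
        try {
            Principal p = guard.checkRequest(header, accountId);
            System.out.println("ALLOW  " + p.id() + " -> " + accountId);
        } catch (AuthenticationException e) {
            System.out.println("REJECT " + header + " -> " + accountId + ": " + e.getMessage());
        }
    }
}
```

The point worth keeping from this sketch is the order of the checks: authentication fails closed (any exception from the IAM call rejects the request), and the "is this a service?" decision is read from the principal returned by that call, so a user cannot escalate to service-level access by tampering with request fields.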

The other technical details are out of scope of this text, as they might change. Therefore it is necessary to follow the link to the IAM library usage description mentioned above.