2025-01-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to prevent requests from bypassing the gateway and accessing the back-end services directly.
Solutions
I think there are three main solutions for preventing requests from bypassing the gateway and reaching the back-end services directly:
Deploy using Kubernetes
When deploying the Spring Cloud architecture on Kubernetes, we configure the gateway's Service as NodePort and the Services of the other back-end services as ClusterIP, so that only the gateway can be reached from outside the cluster.
Network isolation
The ordinary back-end services are deployed in a private network, and firewall policies allow only the gateway application to access them.
Application layer interception
When a request reaches a back-end service, an interceptor verifies whether it came from the gateway and, if it did not, responds that access is not allowed.
Here we focus on the application-layer interception solution.
Implementation idea
The idea is very simple: the gateway adds an additional header to every request that passes through it, and an interceptor in the back-end service checks whether that header matches the value set at the gateway. If it does not, access is refused and a message is returned.
To avoid writing this interceptor in every back-end service, we can put it in a common starter that the back-end services reference. For flexibility, a configuration property decides whether the back-end service may only be accessed through the gateway.
Next, let's look at the core code. (The code follows the usual Spring Boot pattern for writing a common starter. Those of you who have read my blog will be familiar with it, since it was covered in detail in a previous article.)
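Implementation process
Write the gateway filter in the gateway module cloud-gateway:
    import org.springframework.cloud.gateway.filter.GatewayFilterChain;
    import org.springframework.cloud.gateway.filter.GlobalFilter;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.server.reactive.ServerHttpRequest;
    import org.springframework.stereotype.Component;
    import org.springframework.util.Base64Utils;
    import org.springframework.web.server.ServerWebExchange;
    import reactor.core.publisher.Mono;

    @Component
    @Order(0)
    public class GatewayRequestFilter implements GlobalFilter {
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
            // Base64-encode the fixed gateway token value
            byte[] token = Base64Utils.encode(CloudConstant.GATEWAY_TOKEN_VALUE.getBytes());
            String[] headerValues = {new String(token)};
            // header(...) sets or overrides the value, so a copy sent by the client is replaced
            ServerHttpRequest build = exchange.getRequest()
                    .mutate()
                    .header(CloudConstant.GATEWAY_TOKEN_HEADER, headerValues)
                    .build();
            ServerWebExchange newExchange = exchange.mutate().request(build).build();
            return chain.filter(newExchange);
        }
    }
The filter adds an additional header as the request passes through the gateway; here it is simply set to a fixed value.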
Create a common starter module, cloud-component-security-starter
Write a configuration class to control flexibly whether the service may be accessed without going through the gateway:
    import lombok.Data;
    import org.springframework.boot.context.properties.ConfigurationProperties;

    @Data
    @ConfigurationProperties(prefix = "javadaily.cloud")
    public class CloudSecurityProperties {
        /**
         * Whether resources can only be obtained through the gateway.
         * Default is true.
         */
        private Boolean onlyFetchByGateway = Boolean.TRUE;
    }
Write an interceptor to verify whether the request has passed through the gateway:
    // Imports are assumed (the article does not show them): Servlet API as in Spring Boot 2.x, commons-lang3
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.lang3.StringUtils;
    import org.springframework.lang.NonNull;
    import org.springframework.util.Base64Utils;
    import org.springframework.web.servlet.HandlerInterceptor;

    public class ServerProtectInterceptor implements HandlerInterceptor {
        private CloudSecurityProperties properties;

        @Override
        public boolean preHandle(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response, @NonNull Object handler) {
            // The check can be switched off through configuration
            if (!properties.getOnlyFetchByGateway()) {
                return true;
            }
            String token = request.getHeader(CloudConstant.GATEWAY_TOKEN_HEADER);
            String gatewayToken = new String(Base64Utils.encode(CloudConstant.GATEWAY_TOKEN_VALUE.getBytes()));
            // Allow the request only if the header matches the value set by the gateway
            if (StringUtils.equals(gatewayToken, token)) {
                return true;
            } else {
                ResultData resultData = new ResultData();
                resultData.setSuccess(false);
                resultData.setStatus(HttpServletResponse.SC_FORBIDDEN);
                resultData.setMessage("Please access resources through the gateway");
                WebUtils.writeJson(response, resultData);
                return false;
            }
        }

        public void setProperties(CloudSecurityProperties properties) {
            this.properties = properties;
        }
    }
Configure the interceptor:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.web.servlet.HandlerInterceptor;
    import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    public class CloudSecurityInterceptorConfigure implements WebMvcConfigurer {
        private CloudSecurityProperties properties;

        @Autowired
        public void setProperties(CloudSecurityProperties properties) {
            this.properties = properties;
        }

        @Bean
        public HandlerInterceptor serverProtectInterceptor() {
            ServerProtectInterceptor interceptor = new ServerProtectInterceptor();
            interceptor.setProperties(properties);
            return interceptor;
        }

        @Override
        public void addInterceptors(InterceptorRegistry registry) {
            // Register the gateway check for the service's requests
            registry.addInterceptor(serverProtectInterceptor());
        }
    }
Write the starter's auto-configuration class:
    import org.springframework.boot.context.properties.EnableConfigurationProperties;
    import org.springframework.context.annotation.Bean;

    @EnableConfigurationProperties(CloudSecurityProperties.class)
    public class CloudSecurityAutoConfigure {
        @Bean
        public CloudSecurityInterceptorConfigure cloudSecurityInterceptorConfigure() {
            return new CloudSecurityInterceptorConfigure();
        }
    }
Create the resource file spring.factories and configure automatic loading of the bean:
    org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
      com.javadaily.component.security.configure.CloudSecurityAutoConfigure
Add a property to the back-end service's configuration file. By default, access is only possible through the gateway:
    javadaily:
      cloud:
        onlyFetchByGateway: true
After the above steps, a common Starter module is built.
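The fixed header value used above is a static shared secret, and Base64 only encodes it, so any internal caller that has seen the value once can present it. As an added example that goes beyond the article's fixed-value check (it is not the article's or the project's code), the class below has the gateway send an HMAC over a timestamp, the method and the path, and the back end verify it with a freshness window and a constant-time comparison. GatewayStamp, sign, verify, the demo key and the 30-second window are assumptions for illustration; the key would normally be loaded from configuration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example, not the article's code. GatewayStamp, sign() and verify() are
// hypothetical names; the key and the 30-second window are constructed values.
public class GatewayStamp {
    private static final long MAX_SKEW_MS = 30_000;

    private static byte[] hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Gateway side: header value is "<timestamp>.<base64 HMAC over timestamp|method|path>".
    static String sign(byte[] key, String method, String path, long nowMs) throws Exception {
        byte[] tag = hmac(key, nowMs + "|" + method + "|" + path);
        return nowMs + "." + Base64.getEncoder().encodeToString(tag);
    }

    // Backend side: reject a missing, malformed, stale or forged header value.
    static boolean verify(byte[] key, String header, String method, String path, long nowMs) {
        int dot = header == null ? -1 : header.indexOf('.');
        if (dot <= 0) return false;
        try {
            long ts = Long.parseLong(header.substring(0, dot));
            if (Math.abs(Math.subtractExact(nowMs, ts)) > MAX_SKEW_MS) return false;
            byte[] given = Base64.getDecoder().decode(header.substring(dot + 1));
            byte[] expected = hmac(key, ts + "|" + method + "|" + path);
            return MessageDigest.isEqual(expected, given); // constant-time comparison
        } catch (Exception e) {
            return false; // unparsable timestamp, invalid Base64 or crypto failure
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        String path = "/account/getByCode/jianzh6";
        long now = System.currentTimeMillis();
        String stamp = sign(key, "GET", path, now);
        System.out.println("fresh:      " + verify(key, stamp, "GET", path, now + 1_000));
        System.out.println("other path: " + verify(key, stamp, "GET", "/account/other", now + 1_000));
        System.out.println("stale:      " + verify(key, stamp, "GET", path, now + 60_000));
        System.out.println("no header:  " + verify(key, null, "GET", path, now));
    }
}
```

In the article's structure, sign would be called from GatewayRequestFilter and verify from ServerProtectInterceptor.preHandle in place of the StringUtils.equals check.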
The back-end service can then reference this common starter module. Take account-service as an example:
    <dependency>
        <groupId>com.jianzh6.cloud</groupId>
        <artifactId>cloud-component-security-starter</artifactId>
    </dependency>
Result
Access the back-end service interface directly:
http://localhost:8010/account/getByCode/jianzh6
Returned result:
{
"message": "Please access resources through the gateway"
"status":
"success": false
"timestamp": 1611660015830
}