2025-01-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to prohibit direct access to back-end services in a SpringCloud Alibaba micro-service setup.
Preface
After adopting the SpringCloud architecture, we want all requests to go through the gateway. Without any extra measures, however, a client can bypass the gateway and call a back-end service directly, and it still gets data back.
So today's topic is: how do we prevent requests from bypassing the gateway and accessing back-end services directly?
Solution
I think there are three main ways to prevent requests from bypassing the gateway and reaching back-end services directly:
Deploy using Kubernetes
When deploying the SpringCloud architecture on Kubernetes, we configure NodePort for the gateway's Service, while the Services of the other back-end services use ClusterIP, so that only the gateway can be reached from outside the cluster.
Network isolation
The ordinary back-end services are deployed in a private network, and firewall policies allow only the gateway application to access them.
Application layer interception
When a request reaches a back-end service, an interceptor verifies whether it came from the gateway and refuses access if it did not.
Here we focus on the application-layer interception approach.
Implementation idea
The idea is very simple: when a request passes through the gateway, the gateway adds an extra header to it, and an interceptor in the back-end service checks whether that header matches the value set at the gateway. If it does not, access is refused and an error message is returned.
To avoid writing this interceptor in every back-end service, we put it in a common starter that the back-end services reference. For flexibility, a configuration property decides whether a back-end service may only be accessed through the gateway.
Next, let's look at the core code. (The code follows SpringBoot's routine for writing a common Starter. I'm sure those of you who have read my blog will be familiar with it, because it was discussed in detail in a previous article.)
Implementation steps
Write a gateway filter in the gateway cloud-gateway module
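    import org.springframework.cloud.gateway.filter.GatewayFilterChain;
    import org.springframework.cloud.gateway.filter.GlobalFilter;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.server.reactive.ServerHttpRequest;
    import org.springframework.stereotype.Component;
    import org.springframework.util.Base64Utils;
    import org.springframework.web.server.ServerWebExchange;
    import reactor.core.publisher.Mono;

    // CloudConstant is the project's own constants class.
    @Component
    @Order(0)
    public class GatewayRequestFilter implements GlobalFilter {
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
            // Base64-encode the fixed token value
            byte[] token = Base64Utils.encode(CloudConstant.GATEWAY_TOKEN_VALUE.getBytes());
            String[] headerValues = {new String(token)};
            // Set the header on the request that is forwarded to the back end
            ServerHttpRequest build = exchange.getRequest().mutate()
                    .header(CloudConstant.GATEWAY_TOKEN_HEADER, headerValues)
                    .build();
            ServerWebExchange newExchange = exchange.mutate().request(build).build();
            return chain.filter(newExchange);
        }
    }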
The filter adds an extra header to every request that passes through the gateway; here it is simply set to a fixed value.
Establish a common Starter module cloud-component-security-starter
Write a configuration class to flexibly control whether the service is allowed to bypass the gateway
    import lombok.Data;
    import org.springframework.boot.context.properties.ConfigurationProperties;

    @Data
    @ConfigurationProperties(prefix = "javadaily.cloud")
    public class CloudSecurityProperties {
        /**
         * Whether resources can only be obtained through the gateway.
         * Default is true.
         */
        private Boolean onlyFetchByGateway = Boolean.TRUE;
    }
Write an interceptor to verify whether the request has passed through the gateway
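    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.lang3.StringUtils; // assumed: Apache Commons Lang
    import org.springframework.lang.NonNull;
    import org.springframework.util.Base64Utils;
    import org.springframework.web.servlet.HandlerInterceptor;

    // CloudConstant, ResultData and WebUtils are the project's own classes.
    public class ServerProtectInterceptor implements HandlerInterceptor {
        private CloudSecurityProperties properties;

        @Override
        public boolean preHandle(@NonNull HttpServletRequest request,
                                 @NonNull HttpServletResponse response,
                                 @NonNull Object handler) {
            // Check disabled by configuration: let every request through
            if (!properties.getOnlyFetchByGateway()) {
                return true;
            }
            String token = request.getHeader(CloudConstant.GATEWAY_TOKEN_HEADER);
            String gatewayToken = new String(Base64Utils.encode(CloudConstant.GATEWAY_TOKEN_VALUE.getBytes()));
            if (StringUtils.equals(gatewayToken, token)) {
                return true;
            } else {
                // Header missing or different: answer with a 403 JSON body
                ResultData resultData = new ResultData();
                resultData.setSuccess(false);
                resultData.setStatus(HttpServletResponse.SC_FORBIDDEN);
                resultData.setMessage("Please access resources through the gateway");
                WebUtils.writeJson(response, resultData);
                return false;
            }
        }

        public void setProperties(CloudSecurityProperties properties) {
            this.properties = properties;
        }
    }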
Configure interceptor
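    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.web.servlet.HandlerInterceptor;
    import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    public class CloudSecurityInterceptorConfigure implements WebMvcConfigurer {
        private CloudSecurityProperties properties;

        @Autowired
        public void setProperties(CloudSecurityProperties properties) {
            this.properties = properties;
        }

        @Bean
        public HandlerInterceptor serverProtectInterceptor() {
            ServerProtectInterceptor interceptor = new ServerProtectInterceptor();
            interceptor.setProperties(properties);
            return interceptor;
        }

        // Register the interceptor for all request paths
        @Override
        public void addInterceptors(InterceptorRegistry registry) {
            registry.addInterceptor(serverProtectInterceptor());
        }
    }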
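Write the starter's auto-configuration class
    import org.springframework.boot.context.properties.EnableConfigurationProperties;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    @EnableConfigurationProperties(CloudSecurityProperties.class)
    public class CloudSecurityAutoConfigure {
        @Bean
        public CloudSecurityInterceptorConfigure cloudSecurityInterceptorConfigure() {
            return new CloudSecurityInterceptorConfigure();
        }
    }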
Establish the resource file spring.factories and configure the automatic loading of Bean
    org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
      com.javadaily.component.security.configure.CloudSecurityAutoConfigure
Add the property to the back-end service's configuration file. By default, the service can only be accessed through the gateway.
    javadaily:
      cloud:
        onlyFetchByGateway: true
After the above steps, a common Starter module is built.
A back-end service can then reference this common Starter module. Take account-service as an example.
    <dependency>
        <groupId>com.jianzh6.cloud</groupId>
        <artifactId>cloud-component-security-starter</artifactId>
    </dependency>
Result
Access the back-end service interface directly:
http://localhost:8010/account/getByCode/jianzh6
The returned result:
    {
      "message": "Please access resources through the gateway",
      "status": 403,
      "success": false,
      "timestamp": 1611660015830
    }
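The fixed header value set by GatewayRequestFilter is identical for every request and lives in the shared constants class, so the interceptor only shows that the caller knows that value. As an added example (not the article's code, and going beyond its fixed-value scheme), the same gateway-to-backend check can use an HMAC over a timestamp with a secret from configuration and a constant-time comparison. The class name, method names, header format and sample secret are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example with hypothetical names; not the article's starter code.
public class GatewayTokenDemo {

    // HMAC-SHA256 over the timestamp, keyed with a secret taken from configuration.
    static byte[] sign(byte[] secret, String timestamp) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(timestamp.getBytes(StandardCharsets.UTF_8));
    }

    // Gateway side: header value is "<epochSeconds>.<base64url(hmac)>" (assumed format).
    static String issue(byte[] secret, long nowSeconds) throws Exception {
        String ts = Long.toString(nowSeconds);
        return ts + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(sign(secret, ts));
    }

    // Backend side: reject missing, malformed, stale or wrongly signed values.
    static boolean verify(byte[] secret, String header, long nowSeconds, long maxAgeSeconds) {
        if (header == null) return false;
        int dot = header.indexOf('.');
        if (dot <= 0) return false;
        try {
            String ts = header.substring(0, dot);
            long age = nowSeconds - Long.parseLong(ts);
            if (age < -maxAgeSeconds || age > maxAgeSeconds) return false;
            byte[] presented = Base64.getUrlDecoder().decode(header.substring(dot + 1));
            // Constant-time comparison instead of String equality.
            return MessageDigest.isEqual(sign(secret, ts), presented);
        } catch (Exception e) { // bad number, bad Base64 or HMAC setup failure
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000L; // constructed clock value
        String header = issue(secret, now);
        System.out.println("fresh:    " + verify(secret, header, now + 5, 30));
        System.out.println("stale:    " + verify(secret, header, now + 120, 30));
        System.out.println("tampered: " + verify(secret, header + "A", now, 30));
        System.out.println("absent:   " + verify(secret, null, now, 30));
    }
}
```

In the article's design, issue() would take the place of the fixed value in GatewayRequestFilter and verify() the StringUtils.equals check in ServerProtectInterceptor.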