There are many schemes for microservice authentication and authorization.
Here we compare the pros and cons of the mainstream schemes
to provide a guide for choosing an MAA (microservice authentication and authorization) scheme for your business system.
Scheme | Pros | Cons
Distributed session management | Simple, mature, centrally managed by the server | Relatively poor scalability
Client token | |
Single sign-on (SSO) | |
API gateway token management | |
Third-party application authorization | |
SSL/TLS mutual authentication | |

Scheme: Distributed session management
Session information is stored by the server.
Implementation approaches:
- Sticky session
- Session replication
- Centralized session storage

Scheme: Client token
The token is held by the client.
JWT: header, payload and signature
Header
    { "typ": "JWT", "alg": "HS256" }
Payload
https://www.freecodecamp.org/news/rest-is-the-new-soap-97ff6c09896d/
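The three JWT parts named above (header, payload, signature), built and verified end to end. This is an added example, not code from the page's author; it uses only the Python standard library, and the secret key, claims and timestamps are constructed sample values. The verifier pins the algorithm to HS256 instead of trusting the `alg` the token announces, compares the HMAC in constant time, and enforces `exp`; run_checks() exercises a valid token, an expired one, a payload altered without re-signing, a wrong key, and a token whose header claims `"alg": "none"`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-use"  # constructed sample key, not a real secret


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Compact serialisation: base64url(header).base64url(payload).base64url(signature)
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the payload if the token is valid, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the verifier decides what to accept, never the token itself
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        raise ValueError("unexpected header")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the signature
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if "exp" not in payload or payload["exp"] <= now:
        raise ValueError("expired")
    return payload


def check(token: str, key: bytes, now: int) -> str:
    """Classify a token as 'ok' or return the reason it was rejected."""
    try:
        verify_hs256(token, key, now)
        return "ok"
    except ValueError as e:
        return str(e)


def run_checks() -> dict:
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"sub": "alice", "role": "user", "exp": 1_700_000_000}  # constructed claims
    token = sign_hs256(header, payload, SECRET)
    h, p, s = token.split(".")
    # Payload changed after signing: the original signature no longer matches
    altered = {"sub": "alice", "role": "admin", "exp": 1_700_000_000}
    altered_p = b64url_encode(json.dumps(altered, separators=(",", ":")).encode())
    tampered = f"{h}.{altered_p}.{s}"
    # Header announcing no algorithm and carrying an empty signature
    none_h = b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}, separators=(",", ":")).encode())
    unsigned = f"{none_h}.{p}."
    now = 1_699_999_000
    return {
        "valid": check(token, SECRET, now),
        "expired": check(token, SECRET, 1_700_000_001),
        "tampered": check(tampered, SECRET, now),
        "wrong_key": check(token, b"other-key", now),
        "alg_none": check(unsigned, SECRET, now),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The point of the pinned algorithm check is that a JWT library which honours whatever `alg` the header declares can be talked into skipping signature verification; a service that holds client tokens (as in the "client token" scheme above) should decide the accepted algorithm and key on its own side.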
Setup

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>

Enable web client: all endpoints are exposed to JMX and web clients.
By default, all endpoints except for shutdown are enabled.
Enable all endpoints, and allow all of them to be accessed over the web:

    management:
      endpoints:
        enabled-by-default: true
        web:
          exposure:
            include: "*"

Note that "*" also exposes sensitive endpoints such as env and heapdump over HTTP, so the include list should be narrowed in production.
https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html
WebApplicationType

    spring:
      main:
        web-application-type: reactive

NONE: the application should not run as a web application and should not start an embedded web server.
SNAPSHOT

    // Snapshot is an internally consistent snapshot of xDS resources.
    // Consistency is important for the convergence as different resource types
    // from the snapshot may be delivered to the proxy in arbitrary order.
    type Snapshot struct {
        // Endpoints are items in the EDS response payload.
        Endpoints Resources
        // Clusters are items in the CDS response payload.
        Clusters Resources
        // Routes are items in the RDS response payload.
        Routes Resources
    }
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-zuul</artifactId>
    </dependency>

Gateway with routing
@EnableZuulServer is used when you want to build your own routing service and not use any Zuul prebuilt capabilities. An example of this would be if you wanted to use Zuul to integrate with a service discovery engine other than Eureka (for example, Consul). We'll only use the @EnableZuulServer annotation in this book.
The Zuul proxy server is designed by default to work with Spring products.
Microservices at Netflix Scale https://gotocon.com/dl/goto-amsterdam-2016/slides/RuslanMeshenberg_MicroservicesAtNetflixScaleFirstPrinciplesTradeoffsLessonsLearned.pdf
Securing microservices with UAA
User accounting and authorizing service (UAA). Using JWT authentication without manually forwarding JWTs from the incoming request to internal requests forces microservices to call other microservices over the gateway, which involves additional internal requests per master request. But even with forwarding, it is not possible to cleanly separate user and machine authentication.
JWT (JSON Web Token) is an industry standard, easy-to-use method for securing applications in a microservices architecture.