Zuul - API Gateway Authentication


Question

I want to introduce Zuul through Spring Cloud as an API Gateway in front of a few services.

I have some design doubts around Authentication. The Authentication would be handled by Spring Security, which comes before Zuul in the servlet filter chain.

My concerns:

  • the Gateway would sit in front of many services
  • some services may expose endpoints which do not require authentication
  • some services may expose endpoints which need a Session Id, and some a "token", an arbitrary opaque value (for example downloading a file if you know a "hard to guess" URL)

In the API Gateway/Spring Security you can configure all the endpoints with their specific authentication requirements.

In terms of managing the API Gateway:

  • How do you force the actual service teams to provide the required settings for each downstream service?
  • How do you allow the authentication settings in the gateway to change frequently (according to service needs) without stopping the whole gateway?

Thanks, Adrian

Answer

We are using Spring Session to replicate the session across all of our services that sit behind a Zuul Edge Server. Zuul will authenticate the user, which populates the user's credentials and inserts the authenticated user into the session. This is then replicated across all the services, and each service is responsible for its own security rules and settings. So really, all Zuul is doing is looking the user up in Spring Security, and the services on the backend are enforcing the security rules as they apply to their needs. This way, you can change each service independently, making the Gateway just a dumb proxy.

A good example of this is in Dave Syer's tutorial about Spring Security and an Angular JS app. I also posted another question related to this which contained a sample of how we are doing this as well, which might help.
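The layout the answer describes, as an added example (not code from the question, the answer, or Dave Syer's tutorial): the gateway authenticates and stores the `SecurityContext` in a Redis-backed Spring Session; each downstream service attaches to the same session store and enforces its own rules, so the gateway stays a "dumb proxy". Package names, route names, ports and the `/download/by-token/**` path are assumptions; the two sections are two separate Spring Boot applications shown in one listing. The `zuul.sensitiveHeaders` setting is shown because Spring Cloud Netflix strips `Cookie`, `Set-Cookie` and `Authorization` by default, and without the `SESSION` cookie the backend cannot find the shared session.

```java
// ==== gateway/src/main/java/example/gateway/GatewayApplication.java ====
// Hypothetical gateway application: authenticates, writes the session to Redis,
// then proxies everything else to the routed services.
package example.gateway;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@SpringBootApplication
@EnableZuulProxy          // forward /** according to zuul.routes in application.yml
@EnableRedisHttpSession   // HttpSession (and the SecurityContext inside it) lives in Redis
public class GatewayApplication {
    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}

@Configuration
class GatewaySecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic().and()                            // authentication happens here only
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()    // anonymous endpoints pass straight through
                .anyRequest().authenticated()             // everything else needs an authenticated session
            .and()
            .csrf().disable();                            // assumption: non-browser clients; keep CSRF for browsers
    }
}

/* gateway application.yml (assumed values):
 *
 * zuul:
 *   routes:
 *     files:
 *       path: /files/**
 *       url: http://localhost:8081
 *   sensitiveHeaders:      # empty list: let the SESSION cookie reach the backend
 * spring:
 *   redis:
 *     host: localhost
 */

// ==== files/src/main/java/example/files/FileServiceApplication.java ====
// Hypothetical downstream service: no login page of its own. It reads the
// SecurityContext from the shared session and applies its own rules, so its
// rules can change without touching the gateway.
package example.files;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@SpringBootApplication
@EnableRedisHttpSession   // same Redis as the gateway => same session, same authenticated user
public class FileServiceApplication {
    public static void main(String[] args) {
        SpringApplication.run(FileServiceApplication.class, args);
    }
}

@Configuration
class FileServiceSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // "hard to guess" download URLs: the opaque token in the path is the only
                // credential, so the filter chain lets the request through and the
                // controller is responsible for validating the token.
                .antMatchers("/download/by-token/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()   // satisfied by the user the gateway put in the session
            .and()
            .csrf().disable();
    }
}
```

Each service can tighten or loosen its own `antMatchers` and redeploy on its own schedule, which answers the "frequent changes without stopping the gateway" concern; the only shared contract is the Redis session store and the forwarded `SESSION` cookie. One check worth making in such a setup: the backend services should not be reachable except through the gateway (network policy or mutual TLS), because with `permitAll()` routes and a trusted session store the services assume the gateway has already done the authentication.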
