I found a Niu X idea on the Internet. When doing restful, if the business changes, you need to modify the controller every time. Later, it is convenient. The direct transmission method is actually more troublesome. You have to write the controller every time. The demand has changed and the interface has also changed. The result of this is that the maintenance cost is getting higher and higher. Direct service through spring to make him a controller will not write a lot of code. Source code: https://github.com/limingios/netFuture/tree/master/api gateway/idig8-api-gateway
background
In the era of mobile internet, a universal solution is being pursued. In fact, this solution may not exist. In fact, the back-end development challenges are increasing. There are many controllers in it. If the system becomes larger and larger, it will be difficult to maintain the results.
What is an API gateway
API Gateway is a lightweight java http interface component that can seamlessly convert common Serive methods into http interfaces. And from the following points to achieve the purpose of improving development efficiency and interface quality.
- Remove the mvc controller, and seamlessly connect the http request directly to the JAVA service interface
- Unified input and output format
- Unified exception specification
- Automatic detection of service interface regulations
- Responsible for the conversion of routing protocols
- Ordinary http interface
- Implementation of API Gateway Interface
At the beginning, one interface was developed for one controller, and 1,000 interfaces were developed for 1,000 controllers. Package parameters one by one, the quality has also been improved in a unified standard, and problems can be returned in a unified way. Irregular code will also be intercepted by the api gateway.
Code explanation
Only 5 categories, less than 500 lines of code. Developers like small and superb code most, not easy to be soft. Easy to understand, easy to use, thick and large code, very inconvenient to migrate, not easy to control and easy to soft.
- ApiGatewayHandler.java
converter and call loader- ApiGatewayServlet.java is
similar to an entry class of springboot- APIMapping.java
annotation exposure class- ApiRequest.java
request package class
5. ApiStore.java
API IOC large warehouse
Code flow chart
- Request parameter description:
| name | Types of | description |
|---|---|---|
| method | string | Method name |
| paramter | json | Business parameters |
| timestamp | long | Request timestamp |
- Implementation technology:
- java servlet
- spring Ioc
- Use of Json conversion tool
Business requirements for interface security
-
Interface security level grouping
- Blacklist group
My account information
- Whitelist group
Product display, product list
3. Display in the product
details of the black and white list group , the difference between logged in and unlogged
- Blacklist group
-
Authentication requirements based on Token security mechanism
- Login authentication
- Prevent business parameter string change
fiddler packet capture tool. can be realised.
- Protect sensitive user information
User Id is not transmitted on the network, it is replaced by token
- Anti-signature forgery
Both the client and the server have a set of tokens and secrets. When transmitting, they are not transmitted with secrets, but signed
- Token authentication mechanism overall structure
The overall architecture is divided into two parts: Token generation and authentication:
- Token generation refers to generating a Token and a secret key after a successful login, and storing them in the Token table together with user privacy information and client information, and returning the Token and Secret to the client.
- Token authentication means that when a client requests a service interface, the authentication center generates a signature based on the Token.
- Token table structure description:
In fact, if the token is added to the index, the query is faster, but compared to redis, it is definitely not as fast as redis.
| name | Types of | description | constraint |
|---|---|---|---|
| id | number | id primary key | Primary key, self-growth |
| memberId | number | Member ID | |
| accessToken | varchar(50) | Token | index |
| secret | varchar(50) | Key | |
| createdTime | datetime | Creation time | |
| expiresTime | datetime | Valid until | |
| clientIp | varchar(50) | Client IP | |
| clientType | varchar(50) | Client category | |
| eCode | varchar(50) | Equipment Identity | |
| uCode | varchar(50) | Device user ID |
- Specific parameters of the business request:
| name | Types of | description |
|---|---|---|
| method | string | Method name |
| param | json | Business parameters |
| token | string | token 值 |
| sign | string | Signature rule: md5(secret+method+param+token+secret+timestamp) |
| timestamp | long | Request time rub, allow 10 minutes error with server |
Signature rules:
- The specified sequence of splicing strings secret+method+param+token+timestamp+secret
- Use MD5 for encryption and convert to uppercase
Purpose of signing:
- Anti-tamper
- Anti-counterfeiting
The specific process of anti-reuse signature server signature verification:
The overall authentication process of signature authentication and API gateway
PS: The code directly looks at the source code, mainly to understand the idea. For performance, I suggest not to think about it. Performance issues can only be discussed after implementation. Performance issues are not absolute but relative. The most important thing is the idea of obtaining and generating signatures.