Spring Cloud Microservice Security in Practice, 6-4: Access Control Rework

The previous section covered authentication: with the token, the gateway and the microservices know who the current user is, and the user context is carried in the token from the gateway to the microservices and between microservices. This section is about authorization.

First, the simplest case: ACL access control

When user permissions are written directly into the token's scope, the program only has to check, at the method it wants to protect, whether the caller has the required permission. This is fine for simple scenarios.

Mark a Controller method with the @PreAuthorize("") annotation to control which requests may call that method. Note that the annotation only takes effect when @EnableGlobalMethodSecurity(prePostEnabled = true) is added to the startup class.

The value can be one of two kinds of expression:

  1. @PreAuthorize("#oauth2.hasScope('fly')") means the token's scope must contain "fly" before the method can be accessed. Scope belongs to the client application, not to a specific individual.

  2. @PreAuthorize("hasRole('ROLE_USER')") is specific to each individual: the person behind the token must hold the role. The roles come from the loadUserByUsername method of the UserDetailsService class on the authentication server.

 

Experiment: @PreAuthorize("#oauth2.hasScope('fly')")

  The client calls OrderService through the gateway; first obtain an access token through the gateway (screenshot omitted).

  The scope of this token contains only read and write, but the create-order service requires the fly scope. Using this token to call the create-order service through the gateway is therefore denied (screenshot omitted).

  After the access-control expression on the create-order service is changed to @PreAuthorize("#oauth2.hasScope('write')"), the call succeeds.

 

Experiment: @PreAuthorize("hasRole('ROLE_USER')")

  Get a token through the gateway (screenshot omitted).

  The create-order service now requires the ROLE_USER role for access.

  In the authentication server's UserDetailsService the authorities are hard-coded: the user only has ROLE_ADMIN.

  Creating an order through the gateway with that token is denied (screenshot omitted).

  After the annotation is changed to @PreAuthorize("hasRole('ROLE_ADMIN')"), the create-order call succeeds.
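As an added example (not code from the original post or its repository) of the two kinds of expression and of the experiments above, here is an order-service resource server that uses both checks, together with the authentication-server UserDetailsService that decides which roles hasRole() sees. Class and package names, the /order paths, OrderInfo, the sample users and the demo password are assumptions; each "file:" section is a separate source file in a real project.

```java
// ---- file: OrderApplication.java (order service, a resource server) ----
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true) // without this, @PreAuthorize is silently ignored
public class OrderApplication {
    public static void main(String[] args) {
        SpringApplication.run(OrderApplication.class, args);
    }
}

// ---- file: OrderController.java ----
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/order")
public class OrderController {

    // Client-level check: the access token must carry the 'write' scope. Scope is granted
    // to the client application when the token is issued, so every user of that client
    // passes or fails this check together.
    @PostMapping
    @PreAuthorize("#oauth2.hasScope('write')")
    public OrderInfo create(@RequestBody OrderInfo info) {
        info.setId("ord-" + System.nanoTime()); // assumed stub in place of real persistence
        return info;
    }

    // User-level check: the person behind the token must hold ROLE_ADMIN.
    // hasRole() adds the "ROLE_" prefix when it is missing, so hasRole('ADMIN') is equivalent.
    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void cancel(@PathVariable String id) {
        // assumed: cancellation logic
    }

    // Both kinds combined: the client needs the 'read' scope AND the user needs ROLE_USER.
    @GetMapping("/{id}")
    @PreAuthorize("#oauth2.hasScope('read') and hasRole('ROLE_USER')")
    public OrderInfo get(@PathVariable String id) {
        OrderInfo info = new OrderInfo();
        info.setId(id);
        return info;
    }
}

// ---- file: OrderInfo.java ----
public class OrderInfo {
    private String id;
    private String productId;
    public String getId() { return id; }
    public void setId(String id) { this.id = id; }
    public String getProductId() { return productId; }
    public void setProductId(String productId) { this.productId = productId; }
}

// ---- file: MyUserDetailsService.java (authentication server) ----
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

@Component
public class MyUserDetailsService implements UserDetailsService {

    private final PasswordEncoder passwordEncoder; // assumed to exist as a bean in the auth server

    public MyUserDetailsService(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    // The roles hasRole() sees are exactly what is returned here. Constructed sample data:
    // "admin" gets ROLE_ADMIN and ROLE_USER, everyone else only ROLE_USER. In the post's
    // experiment this method hard-coded ROLE_ADMIN alone, which is why hasRole('ROLE_USER') failed.
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String[] roles = "admin".equals(username)
                ? new String[] {"ROLE_ADMIN", "ROLE_USER"}
                : new String[] {"ROLE_USER"};
        return User.withUsername(username)
                .password(passwordEncoder.encode("123456")) // demo-only; real code loads the stored hash
                .authorities(roles)
                .build();
    }
}
```

A call that fails either check is rejected before the controller body runs (HTTP 403). The #oauth2 variable resolves inside @PreAuthorize only when the method-security expression handler is OAuth2MethodSecurityExpressionHandler; Spring Boot's OAuth2 auto-configuration (spring-security-oauth2-autoconfigure) normally swaps it in for a resource server, and if #oauth2 is reported as an unknown variable, extend GlobalMethodSecurityConfiguration and return a new OAuth2MethodSecurityExpressionHandler() from createExpressionHandler().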

Handling simple roles with the @PreAuthorize annotation is very convenient, but it cannot deal with complex scenarios. If permissions keep changing it is unsuitable, because the access control is hard-coded in the Controller: every change to the permission information means redeploying and restarting the service.

Second, complex access control at the gateway

Suppose a permission system already exists. How is it hooked up to the gateway?

1. The configuration class GatewaySecurityConfig needs the following modifications:

  a) Specify the access rule

  In GatewaySecurityConfig.configure(HttpSecurity http), configure the rule http.authorizeRequests().anyRequest().access("#permissionService.hasPermission(request, authentication)"). permissionService is something we implement ourselves. It returns a boolean (true = allowed, false = no permission) and receives two parameters: the current request and the current user. Both names are built-in variables of Spring Security's web expressions: request is the HttpServletRequest and authentication is the caller's Authentication object.

  b) Create the PermissionService interface and an implementation class containing your own access-control logic.

  c) Create an expression handler, GatewayWebSecurityExpressionHandler

  Specifying the access rule alone is useless, because Spring does not know what permissionService is. So a new class, GatewayWebSecurityExpressionHandler (an expression handler), is needed: when it builds the evaluation context for authority expressions it sets a variable named permissionService whose value is our custom permission bean.

  d) Register the expression handler

  In GatewaySecurityConfig.configure(ResourceServerSecurityConfigurer resources), call resources.expressionHandler(gatewayWebSecurityExpressionHandler) to register it.
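Steps a) to d) put together, as an added example that is not the project's own code: an OAuth2 resource-server gateway whose access rule delegates every request to a PermissionService. The names the text gives (PermissionService, GatewayWebSecurityExpressionHandler, GatewaySecurityConfig) are kept; the implementation class name, the /token/** route, the in-memory rule table and its URL patterns are assumptions, and a real implementation would query the permission service instead of the table. Each "file:" section is a separate source file.

```java
// ---- file: PermissionService.java ----  b) the pluggable check
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;

public interface PermissionService {
    boolean hasPermission(HttpServletRequest request, Authentication authentication); // true = allow
}

// ---- file: RuleTablePermissionService.java ----  b) an implementation (assumed name)
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

@Component
public class RuleTablePermissionService implements PermissionService {

    // Constructed sample rule table: user -> allowed "METHOD ant-pattern" entries.
    // A real gateway would load this from the permission service and cache it.
    private static final Map<String, List<String>> RULES = new HashMap<>();
    static {
        RULES.put("admin", Arrays.asList("GET /order/**", "POST /order/**", "GET /price/**"));
        RULES.put("user", Arrays.asList("GET /order/**"));
    }
    private final AntPathMatcher matcher = new AntPathMatcher();

    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        // Fail closed: anonymous callers and users without any rule get nothing.
        if (authentication == null || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return false;
        }
        String method = request.getMethod().toUpperCase(Locale.ROOT);
        String path = request.getRequestURI(); // path only; the query string plays no part
        for (String rule : RULES.getOrDefault(authentication.getName(), Collections.emptyList())) {
            String[] parts = rule.split(" ", 2);
            if (parts[0].equals(method) && matcher.match(parts[1], path)) {
                return true;
            }
        }
        return false;
    }
}

// ---- file: GatewayWebSecurityExpressionHandler.java ----  c) expose #permissionService
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler;
import org.springframework.security.web.FilterInvocation;
import org.springframework.stereotype.Component;

@Component
public class GatewayWebSecurityExpressionHandler extends OAuth2WebSecurityExpressionHandler {

    private final PermissionService permissionService;

    public GatewayWebSecurityExpressionHandler(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    // Extending the OAuth2 handler keeps #oauth2.* usable next to #permissionService.
    @Override
    protected StandardEvaluationContext createEvaluationContextInternal(Authentication authentication,
                                                                        FilterInvocation invocation) {
        StandardEvaluationContext ctx = super.createEvaluationContextInternal(authentication, invocation);
        ctx.setVariable("permissionService", permissionService);
        return ctx;
    }
}

// ---- file: GatewaySecurityConfig.java ----  a) the access rule, d) register the handler
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class GatewaySecurityConfig extends ResourceServerConfigurerAdapter {

    private final GatewayWebSecurityExpressionHandler expressionHandler;

    public GatewaySecurityConfig(GatewayWebSecurityExpressionHandler expressionHandler) {
        this.expressionHandler = expressionHandler;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/token/**").permitAll() // assumed: token endpoint proxied through the gateway
            .anyRequest().access("#permissionService.hasPermission(request, authentication)");
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.expressionHandler(expressionHandler); // without this, #permissionService is unknown
    }
}
```

Spring Security's default StrictHttpFirewall rejects requests whose path contains traversal or encoding tricks (such as "..", ";" or percent-encoded slashes and dots) before the expression is evaluated, so matching on getRequestURI() is not trivially bypassed; if a more permissive firewall is configured, normalize the path before matching. Note also that this check runs at the gateway only: a request that reaches a service through another service never passes it.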


Obtain a token through the gateway and use it to call the create-order service through the gateway: with the demo implementation of the permission check, access fails about half the time and succeeds the other half.

So far the project structure is as follows (diagram omitted):

 

There should also be a permission service; it is a microservice of its own. Authentication service + permission service = security center.

Permissions are currently enforced only at the gateway, so unauthorized access between services is still possible:

  For example, you have access to the order service but not to the inventory service; the order service calls the inventory service, so through the order service you reach inventory data you were never authorized for.

How to solve this:

  a) Every microservice could check permissions in Redis on each call, the same way the gateway does above, but this is not recommended: all microservices would then depend on Redis, which is a lot of coupling.

  b) Do 95% of the fine-grained permission control at the gateway, and for calls between microservices use only coarse-grained black/white lists. For example, the billing service keeps a whitelist that allows only the order service to call it; nobody else can. (How Sentinel controls black/white lists conveniently is described later.) Calls between microservices do not need the gateway's fine-grained control (you may call this API, you may not call that one), but there must be a black/white list that controls which microservices may call which.

 

Code: https://github.com/lhy1234/springcloud-security/tree/chapt-6-3-permission  If this helped, a star would be appreciated.


Source: www.cnblogs.com/lihaoyang/p/12496957.html