content/references/java-chassis/zh_CN/featured-topics/application-porter/authentication.html (396 lines of code) (raw):

<!DOCTYPE html> <html class="writer-html5" lang="en" > <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="shortcut icon" href="../../img/favicon.ico" /> <title>Authentication - ServiceComb Java Chassis Developer Guide</title> <link rel="stylesheet" href="../../css/theme.css" /> <link rel="stylesheet" href="../../css/theme_extra.css" /> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/styles/github.min.css" /> <script> // Current page data var mkdocs_page_name = "Authentication"; var mkdocs_page_input_path = "featured-topics/application-porter/authentication.md"; var mkdocs_page_url = null; </script> <script src="../../js/jquery-3.6.0.min.js" defer></script> <!--[if lt IE 9]> <script src="../../js/html5shiv.min.js"></script> <![endif]--> <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/highlight.min.js"></script> <script>hljs.initHighlightingOnLoad();</script> </head> <body class="wy-body-for-nav" role="document"> <div class="wy-grid-for-nav"> <section data-toggle="wy-nav-shift"
class="wy-nav-content-wrap"> <div class="wy-nav-content"> <div class="rst-content"> <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> <div class="section" itemprop="articleBody">
<p>Traditional web containers all provide session management. Under a microservice architecture these mechanisms come with many restrictions, and supporting elastic scaling requires a lot of customisation. In porter we use user-service for session management: the two interfaces login and session create and retrieve session information. Session information is persisted to the database, so the microservice itself stays stateless and can scale elastically. Under higher concurrency or stricter performance requirements, consider keeping the session information in a high-speed cache instead.</p>
<pre><code>@PostMapping(path = "/login", produces = MediaType.APPLICATION_JSON_VALUE)
public SessionInfo login(@RequestParam(name = "userName") String userName,
    @RequestParam(name = "password") String password)

@GetMapping(path = "/session", produces = MediaType.APPLICATION_JSON_VALUE)
public SessionInfo getSession(@RequestParam(name = "sessionId") String sessionId)
</code></pre>
<p>A table for session management is added as well:</p>
<pre><code>CREATE TABLE `T_SESSION` (
  `ID` INTEGER(8) NOT NULL AUTO_INCREMENT COMMENT 'unique identifier',
  `SESSION_ID` VARCHAR(64) NOT NULL COMMENT 'temporary session ID',
  `USER_NAME` VARCHAR(64) NOT NULL COMMENT 'user name',
  `ROLE_NAME` VARCHAR(64) NOT NULL COMMENT 'role name',
  `CREATION_TIME` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'creation time',
  `ACTIVE_TIME` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT 'last active time',
  PRIMARY KEY (`ID`)
);
</code></pre>
<p>Session management and authentication both take place in gateway-service, while authorization needs the user information. So that a microservice does not have to query user-service again to obtain it, we use the Context mechanism: the session information is stored in the Context, and every microservice can read it straight from there, which is convenient and flexible. Completing this feature involves the following key steps:</p>
<ul>
<li>gateway-service converts the HTTP protocol into an Invocation</li> </ul>
<p>This is done by overriding createInvocation of EdgeInvocation, which passes the session ID to the handlers through the Context. If developers need to add response headers, set cookies and so on, they can do that by overriding sendResponse.</p>
<pre><code>EdgeInvocation invoker = new EdgeInvocation() {
  // Authentication and authorization: set the session information while constructing the Invocation.
  // For an authentication request, a cookie is added.
  @Override
  protected void createInvocation(Object[] args) {
    super.createInvocation(args);
    // Read the session ID from the header as well as from the cookie,
    // so that all kinds of stand-alone test tools can be used for integration testing
    String sessionId = context.request().getHeader("session-id");
    if (sessionId != null) {
      this.invocation.addContext("session-id", sessionId);
    } else {
      Cookie sessionCookie = context.getCookie("session-id");
      if (sessionCookie != null) {
        this.invocation.addContext("session-id", sessionCookie.getValue());
      }
    }
  }
};
</code></pre>
<ul> <li>Authentication and session management through a handler</li> </ul>
<p>The UI pages are served without authentication and can be accessed directly. The REST interfaces do require authentication, so we implement authentication and session management in a Handler. The code below forwards requests for user-service's login interface directly; every other request first passes the session check and is only then forwarded.</p>
<p><strong><em>Note</em></strong>: the Handler logic that runs in the gateway is reactive; it must not make blocking calls, otherwise the thread is blocked.</p>
<pre><code>public class AuthHandler implements Handler {
  private UserServiceClient userServiceClient = BeanUtils.getBean("UserServiceClient");

  // Sessions expire after 10 minutes; cache them for 30 seconds to absorb bursts of concurrent requests.
  private Cache&lt;String, String&gt; sessionCache = CacheBuilder.newBuilder()
      .expireAfterAccess(30, TimeUnit.SECONDS)
      .build();

  @Override
  public void handle(Invocation invocation, AsyncResponse asyncResponse) throws Exception {
    if (invocation.getMicroserviceName().equals("user-service")
        &amp;&amp; (invocation.getOperationName().equals("login")
            || invocation.getOperationName().equals("getSession"))) {
      // login: returns the session id; the cookie is set by javascript
      invocation.next(asyncResponse);
    } else {
      // check the session
      String sessionId = invocation.getContext("session-id");
      if (sessionId == null) {
        throw new InvocationException(403, "", "session is not valid.");
      }
      String sessionInfo = sessionCache.getIfPresent(sessionId);
      if (sessionInfo != null) {
        try {
          // session info is stored in the InvocationContext, where microservices can read it.
          invocation.addContext("session-id", sessionId);
          invocation.addContext("session-info", sessionInfo);
          invocation.next(asyncResponse);
        } catch (Exception e) {
          asyncResponse.complete(Response.failResp(new InvocationException(500, "", e.getMessage())));
        }
        return;
      }
      // In the edge service the handler runs reactively, so there must be no blocking logic here.
      CompletableFuture&lt;SessionInfo&gt; result = userServiceClient.getGetSessionOperation().getSession(sessionId);
      result.whenComplete((info, e) -&gt; {
        if (result.isCompletedExceptionally()) {
          asyncResponse.complete(Response.failResp(new InvocationException(403, "", "session is not valid.")));
        } else {
          if (info == null) {
            asyncResponse.complete(Response.failResp(new InvocationException(403, "", "session is not valid.")));
            return;
          }
          try {
            // session info is stored in the InvocationContext, where microservices can read it.
            invocation.addContext("session-id", sessionId);
            String sessionInfoStr = JsonUtils.writeValueAsString(info);
            invocation.addContext("session-info", sessionInfoStr);
            invocation.next(asyncResponse);
            sessionCache.put(sessionId, sessionInfoStr);
          } catch (Exception ee) {
            asyncResponse.complete(Response.failResp(new InvocationException(500, "", ee.getMessage())));
          }
        }
      });
    }
  }
}
</code></pre>
<p>To enable this Handler, add a cse.handler.xml file:</p>
<pre><code>&lt;config&gt;
  &lt;handler id="auth" class="org.apache.servicecomb.samples.porter.gateway.AuthHandler" /&gt;
&lt;/config&gt;
</code></pre>
<p>Then enable auth in microservice.yaml, placing the newly added auth handler after flow control in the chain.</p>
<pre><code>servicecomb:
  handler:
    chain:
      Consumer:
        default: internalAccess,auth,qps-flowcontrol-consumer,loadbalance
</code></pre>
<ul> <li>Add authorization to file deletion</li> </ul>
<p>The steps above have already placed the session information into the Context, so file-service can use it for its authorization checks without any extra lookup.</p>
<pre><code>@DeleteMapping(path = "/delete", produces = MediaType.APPLICATION_JSON_VALUE)
public boolean deleteFile(@RequestParam(name = "id") String id) {
  String session = ContextUtils.getInvocationContext().getContext("session-info");
  if (session == null) {
    throw new InvocationException(403, "", "not allowed");
  } else {
    SessionInfo sessionInfo = null;
    try {
      sessionInfo = JsonUtils.readValue(session.getBytes("UTF-8"), SessionInfo.class);
    } catch (Exception e) {
      throw new InvocationException(403, "", "session not allowed");
    }
    if (sessionInfo == null || !sessionInfo.getRoleName().equals("admin")) {
      throw new InvocationException(403, "", "not allowed");
    }
  }
  return fileService.deleteFile(id);
}
</code></pre>
<p>At this point the authentication, session management and authorization logic is essentially complete, and the flow can be tested with tools such as Postman.</p>
<pre><code>#### Example call to a session-managed interface: deleting a file with a guest user's session.
#Request
DELETE http://localhost:9090/api/file-service/delete?id=ba6bd8a2-d31a-42cd-a1be-9fb3d6ab4c82
session-id: 1be646c0-50cb-4c0a-968d-2a512775f5e8
#Response
{
  "message": "not allowed"
}
</code></pre>
<h1 id="js">Writing a JS script to manage the session</h1>
<p>First, provide a login form in which the user enters a user name and password:</p>
<pre><code>&lt;div class="form"&gt;
  &lt;h2&gt;登录&lt;/h2&gt;
  &lt;input id="username" type="text" name="Username" placeholder="Username"&gt;
  &lt;input id="password" type="password" name="Password" placeholder="Password"&gt;
  &lt;input type="button" value="Login" onclick="loginAction()"&gt;
&lt;/div&gt;
</code></pre>
<p>Then implement the login logic: it first calls the backend login interface and, once login succeeds, sets the session cookie:</p>
<pre><code>function loginAction() {
  var username = document.getElementById("username").value;
  var password = document.getElementById("password").value;
  var formData = {};
  formData.userName = username;
  formData.password = password;
  $.ajax({
    type: 'POST',
    url: "/api/user-service/login",
    data: formData,
    success: function (data) {
      setCookie("session-id", data.sessiondId, false);
      window.alert('登陆成功!');
    },
    error: function (data) {
      console.log(data);
      window.alert('登陆失败!' + data);
    },
    async: true
  });
}
</code></pre>
</div> </div> </div> </div> </section> </div> </body> </html>
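The gateway handler described above (AuthHandler: forward login/getSession, reject requests without a session-id, serve repeat checks from a 30-second expire-after-access cache, otherwise ask user-service), modelled in plain Python as an added example that is not part of the porter sample or of Java Chassis. The `SessionCache` class, the injectable clock, the `user_service_lookup` callback, the `invalidate()` method and the session-info JSON sample are all assumptions of this example; the check order and the 30-second TTL are taken from the page.

```python
# Added example, not part of the porter sample or Java Chassis: a plain-Python
# model of the gateway's AuthHandler decision logic and the expire-after-access
# cache it sits behind, so the order of checks and the cache's effect on a
# revoked session can be exercised offline.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Operations the gateway forwards without a session (login / getSession on user-service).
OPEN_OPERATIONS = {("user-service", "login"), ("user-service", "getSession")}
CACHE_TTL_SECONDS = 30  # mirrors expireAfterAccess(30, TimeUnit.SECONDS) in AuthHandler


class SessionCache:
    """Expire-after-access cache: an entry lives TTL seconds past its last read or write."""

    def __init__(self, ttl: float, clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl
        self.clock = clock  # injectable so the demo can move time forward deterministically
        self._entries: Dict[str, Tuple[str, float]] = {}

    def get_if_present(self, key: str) -> Optional[str]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        value, last_access = entry
        if self.clock() - last_access >= self.ttl:
            del self._entries[key]
            return None
        self._entries[key] = (value, self.clock())  # a read refreshes the timer
        return value

    def put(self, key: str, value: str) -> None:
        self._entries[key] = (value, self.clock())

    def invalidate(self, key: str) -> None:
        # Not in the page's handler (assumption): the hook a logout path would need
        # to close the cache window immediately.
        self._entries.pop(key, None)


@dataclass
class Decision:
    status: int                                            # 200 = forwarded, 403 = rejected
    context: Dict[str, str] = field(default_factory=dict)  # what downstream services would see


def check_session(microservice: str, operation: str, session_id: Optional[str],
                  cache: SessionCache,
                  user_service_lookup: Callable[[str], Optional[str]]) -> Decision:
    """Same decision order as AuthHandler.handle. user_service_lookup stands in for the
    non-blocking getSession call and returns the session-info JSON string or None."""
    if (microservice, operation) in OPEN_OPERATIONS:
        return Decision(200)
    if not session_id:
        return Decision(403)                       # no session-id header or cookie
    info = cache.get_if_present(session_id)
    if info is None:
        info = user_service_lookup(session_id)
        if info is None:
            return Decision(403)                   # unknown or expired session: fail closed
        cache.put(session_id, info)
    return Decision(200, {"session-id": session_id, "session-info": info})


def revocation_window_demo() -> Dict[str, object]:
    """Shows that a session deleted at user-service is still accepted from the cache
    until TTL seconds pass without access, and that invalidate() closes that window."""
    now = [0.0]
    guest = '{"userName":"guest","roleName":"guest"}'   # constructed sample session-info
    sessions = {"sid-1": guest}                          # stands in for the T_SESSION table
    lookups = []

    def lookup(sid: str) -> Optional[str]:
        lookups.append(sid)
        return sessions.get(sid)

    cache = SessionCache(CACHE_TTL_SECONDS, clock=lambda: now[0])
    args = ("file-service", "deleteFile", "sid-1", cache, lookup)

    first = check_session(*args).status            # cache miss -> looked up -> 200
    sessions.clear()                               # session row deleted at user-service
    now[0] += 10
    stale = check_session(*args).status            # still 200: served from the cache
    now[0] += CACHE_TTL_SECONDS + 1                # no access for longer than the TTL
    expired = check_session(*args).status          # 403: cache empty, lookup finds nothing

    sessions["sid-1"] = guest
    check_session(*args)                           # re-cache the entry
    sessions.clear()
    cache.invalidate("sid-1")
    after_invalidate = check_session(*args).status  # 403 immediately
    return {"first": first, "stale": stale, "expired": expired,
            "after_invalidate": after_invalidate, "lookups": len(lookups)}


if __name__ == "__main__":
    print(revocation_window_demo())
```

The demo makes the cache's trade-off concrete: because `expireAfterAccess` restarts the timer on every hit, a session that is still being used keeps passing the gateway for up to 30 seconds after it was deleted at user-service, and an active client can keep the entry alive indefinitely. The page's handler has no path that clears the cache, so a logout or forced session removal should also invalidate the gateway entry, or the TTL should be sized to the revocation delay the deployment can tolerate.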