Permission control is an important function in a system. Zhang San can access only the specific features assigned to Zhang San, and John Doe cannot access the menus that belong to Zhao Liu. This requires the whole system to have a complete permission control scheme, with the necessary functions to distinguish users, permissions, roles and so on.
This article is part of a series, and it is strongly recommended that you read the previous articles before this one. In the previous section we covered the API gateway Zuul. In Spring Cloud, Zuul not only exposes API interfaces in a unified way, it can also perform permission control.
Single-instance application privilege control
Without the full Spring Cloud stack, a monolithic Spring Boot application can use Spring MVC's built-in interceptor to intercept request paths and inspect specific parameters in the request. If the request is legitimate it is allowed through; if not, 403 is returned.
Introduction to Spring Cloud Zuul filters
The Zuul component itself supports authorization and authentication through the ZuulFilter. ZuulFilter is the core component of Zuul: by extending this abstract class and overriding a few key methods, you can customize how requests are dispatched.
Start takeoff
Before taking off, as said before, we recommend reading the previous blog posts first. This article is also an extension of the API gateway feature, so to avoid conflicts with the subproject from the previous article, we create a new subproject and copy the code of the api-gateway-zuul project into it.
Configuring the AccessTokenFilter File
Under the new subproject, we create a package named config, and then create the AccessTokenFilter file in it with the following listing:
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import javax.servlet.http.HttpServletRequest;

/**
 * Created by Administrator on 2017/12/21.
 */
public class AccessTokenFilter extends ZuulFilter {

    @Override
    public String filterType() {
        return "pre"; // "pre" filter
    }

    @Override
    public int filterOrder() {
        return 0; // priority is 0; the higher the number, the lower the priority
    }

    @Override
    public boolean shouldFilter() {
        return true; // whether to execute the filter; true means it is executed
    }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();
        String username = request.getParameter("token");
        if (null != username && username.equals("www.hanyahong.com")) { // temporary simplification for testing
            ctx.setSendZuulResponse(true); // route the request
            ctx.setResponseStatusCode(200);
            ctx.set("isSuccess", true); // set a value that later filters can read
            return null;
        } else {
            ctx.setSendZuulResponse(false); // filter the request, do not route it
            ctx.setResponseStatusCode(403); // return error code
            ctx.setResponseBody("{\"result\":\"Request illegal!the token is null\"}"); // return error content
            ctx.set("isSuccess", false);
            return null;
        }
    }
}
Description
filterOrder: the filter's execution order, specified by a number
shouldFilter: whether the filter needs to run; true to execute, false to not execute
run: the filter's specific logic
filterType: the filter type, divided into pre, error, post, route
    pre: filter executed before the request is executed
    route: processes the request and performs the routing
    post: filter executed after the request has been processed
    error: filter executed when an error occurs
The official website gives these four types.
Inject AccessTokenFilter
A filter you create yourself has to be loaded into the container manually so that it is managed with everything else. In the class that holds the main method, Application.java, add the following code:
/**
 * Load the filter
 * @return
 */
@Bean
public AccessTokenFilter accessFilter() {
    return new AccessTokenFilter();
}
Start and test
Start the subprojects cloud-hyh-discovery-eureka and cloud-hyh-service-1, and the new API gateway subproject you just created. First, access http://localhost:8081/ to see whether the services have started.
Second, go through the gateway to the /ribbon/name interface of the service-1 service to see whether access is allowed: http://localhost:8080/cloud-service/ribbon/name. The browser shows:
{"result":"Request illegal!the token is null"}
Finally, access the URL with the permission token, http://localhost:8080/cloud-service/ribbon/name?token=www.hanyahong.com. The browser passes validation, reaches the API in the subsystem, and returns the result:
千万之路刚开始-www.hanyahong.com-beijing该服务器端口8071
Description
In general, a token goes through a series of encryption steps and is usually placed in the request header. If the front end and back end are separated, cross-domain issues are involved; we will explain cross-domain access in detail in a later article. In addition, a real application has many more things to configure and is not as simple as this setup. I hope you can experience this in an actual project.
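The hard-coded query-string check above, reworked as an added example (not code from the original article or its repository): the token is read from a request header and checked as a signed, expiring value. HMAC-SHA256 signing stands in here for the "series of encryption" mentioned above; the class name, the X-Access-Token header, the GATEWAY_TOKEN_KEY environment variable and the token layout are assumptions made for illustration.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Objects;

public class SignedTokenFilter extends ZuulFilter {
    // Assumed env variable name; fail at startup if the shared key is missing.
    private final byte[] key = Objects.requireNonNull(System.getenv("GATEWAY_TOKEN_KEY"),
            "GATEWAY_TOKEN_KEY is not set").getBytes(StandardCharsets.UTF_8);

    @Override public String filterType() { return "pre"; }
    @Override public int filterOrder() { return 0; }
    @Override public boolean shouldFilter() { return true; }
    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        // Hypothetical header; a header keeps the token out of URLs that get logged.
        String token = ctx.getRequest().getHeader("X-Access-Token");
        if (!isValid(token, key, System.currentTimeMillis() / 1000)) {
            ctx.setSendZuulResponse(false); // do not route the request
            ctx.setResponseStatusCode(403);
            ctx.setResponseBody("{\"result\":\"Request illegal!\"}");
        }
        return null;
    }

    // Assumed layout: <username>.<expiryEpochSeconds>.<base64url(HMAC-SHA256 of the first two parts)>
    static boolean isValid(String token, byte[] key, long nowSeconds) {
        if (token == null) return false;
        int sigAt = token.lastIndexOf('.');
        int expAt = token.lastIndexOf('.', sigAt - 1); // the username itself may contain dots
        if (expAt < 1) return false;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] expected = mac.doFinal(token.substring(0, sigAt).getBytes(StandardCharsets.UTF_8));
            byte[] supplied = Base64.getUrlDecoder().decode(token.substring(sigAt + 1));
            // Constant-time compare first; the expiry is only trusted once the MAC matches.
            return MessageDigest.isEqual(expected, supplied)
                    && Long.parseLong(token.substring(expAt + 1, sigAt)) > nowSeconds;
        } catch (Exception e) { // bad base64, non-numeric expiry, empty key
            return false;
        }
    }
}
```

Register it with a @Bean method in Application.java in the same way as AccessTokenFilter.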
Source
Source of this article: http://www.hanyahong.com/
GitHub source: https://github.com/hanyahong/spring-cloud-microservice
Please indicate the source when forwarding!
"MicroServices" Seven: Easy to fix springcloud micro-service-API permissions control