
How does shareSecurityContext work in Spring Cloud with Hystrix?

I'm learning how Spring Cloud works and using one of the most popular technical stacks for it: Eureka, Zuul, Hystrix, Ribbon, Feign. Apart from the registry, config server and gateway, my services have the following dependencies with Spring Cloud version 2.2.1.RELEASE:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-config</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-sleuth</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-openfeign</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>

I do authorization with JWT on the gateway and want to use the same Authorization object on other services. The obvious way of doing it is to transfer my JWT with a header, but I've read in the docs that Hystrix can propagate the whole security context with just one property, hystrix.shareSecurityContext=true. I've tried to do it with Feign Client and Zuul, but the SecurityContext on the requested service contains just anonymousUser.

I spent two days trying to understand how it works but I didn't. In the Feign logs I don't see any headers with something like Principal.

So here is my question: is it possible to transfer the security context with Zuul and Feign if the second service runs in another Docker container or on another server? If not, what is the best practice for transferring data about the authorized user?

Thanks!

It has been 8 months since you posted the question, but I will answer it anyway. As you know, services are distributed in nature, so they may not share a JVM, or they may not even be developed in Java at all. The purpose of a JWT token is to secure such distributed services, so whatever communication happens between them regarding security happens through the authorization header only. In the authorization header, one service passes the JWT token (bearer only) to the other service, and that service validates the token, reads information from it, and so on. The hystrix.shareContext has another purpose, however. In Spring, when the application context is created, by default it doesn't pass it to the Hystrix thread. To make it available to Hystrix, this property is set to true, which essentially changes the concurrency strategy of Hystrix. So, it is passing the security context to "Hystrix's thread", which is part of the same service and not another service.

Hope this solves your query.
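The header-based approach described in the question and answer above, as an added example that is not code from either post: a Feign RequestInterceptor that relays the caller's JWT in the Authorization header. It assumes Spring Security is on the classpath and that the service's own authentication filter stores the raw JWT string as the Authentication credentials; the class and bean names are hypothetical.

```java
import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Added example; BearerTokenRelayConfig and bearerTokenRelay are hypothetical names.
@Configuration
public class BearerTokenRelayConfig {

    private static final String AUTHORIZATION = "Authorization";

    @Bean
    public RequestInterceptor bearerTokenRelay() {
        return new RequestInterceptor() {
            @Override
            public void apply(RequestTemplate template) {
                // SecurityContextHolder is thread-local by default. When the Feign
                // call runs inside a Hystrix command on a pool thread, the caller's
                // context is only visible here if hystrix.shareSecurityContext=true
                // is set in THIS service. The property never crosses the network.
                Authentication auth =
                        SecurityContextHolder.getContext().getAuthentication();
                if (auth == null || !auth.isAuthenticated()) {
                    return; // no authenticated caller, send the request without a token
                }

                // Assumption: the authentication filter kept the raw JWT as credentials.
                // Anonymous authentication carries an empty string and is skipped here.
                Object credentials = auth.getCredentials();
                if (!(credentials instanceof String) || ((String) credentials).isEmpty()) {
                    return;
                }
                String jwt = (String) credentials;

                // A compact JWT never contains line breaks; refuse anything that
                // could split the header.
                if (jwt.indexOf('\r') >= 0 || jwt.indexOf('\n') >= 0) {
                    return;
                }

                template.header(AUTHORIZATION, "Bearer " + jwt);
            }
        };
    }
}
```

The receiving service still has to validate the token from the header itself, as the answer describes, because nothing from the caller's SecurityContext is transferred.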
