I have been using JWT as the authentication token for my projects for the last few years, and one question keeps coming up: where exactly should a server-issued JWT be stored in the client? Only the browser scenario is discussed here, and there are three options. Cookies The server can send the JWT to the browser in a cookie; the browser then automatically attaches that cookie to every request it makes to the server's interfaces, and the server validates the JWT taken from the Cookie header to authenticate the caller.
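The attributes that make the cookie option safe are not visible in the excerpt above, so here is an added example (not code from the original post): a Spring MVC helper that issues the JWT as an HttpOnly, Secure, SameSite cookie and a filter that authenticates requests from it. The cookie name, the `JwtVerifier` interface and the `auth.subject` request attribute are assumptions of this example; it targets the javax.servlet API used by Spring Boot 2.x.

```java
import java.io.IOException;
import java.time.Duration;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

/** Example only: carries a server-issued JWT in a hardened cookie instead of an Authorization header. */
public class CookieJwtSupport {

    static final String COOKIE_NAME = "ACCESS_TOKEN";  // assumed cookie name

    /** Hypothetical verifier: returns the subject of a valid token, null for an invalid or expired one. */
    public interface JwtVerifier {
        String verify(String jwt);
    }

    /** Called after a successful login: put the freshly issued JWT into the cookie. */
    public static void issueCookie(HttpServletResponse response, String jwt, Duration ttl) {
        ResponseCookie cookie = ResponseCookie.from(COOKIE_NAME, jwt)
                .httpOnly(true)      // not readable via document.cookie, so injected script cannot exfiltrate it
                .secure(true)        // only sent over HTTPS
                .sameSite("Strict")  // not attached to cross-site requests; use "Lax" if a redirect from an IdP must carry it
                .path("/")
                .maxAge(ttl)         // cookie lifetime bounded by the token lifetime
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }

    /** Called on logout: overwrite the cookie with an already expired one. */
    public static void clearCookie(HttpServletResponse response) {
        ResponseCookie cookie = ResponseCookie.from(COOKIE_NAME, "")
                .httpOnly(true).secure(true).sameSite("Strict").path("/").maxAge(0).build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }

    /** Filter that authenticates each request from the cookie, rejecting bad tokens instead of ignoring them. */
    public static class CookieJwtFilter extends OncePerRequestFilter {
        private final JwtVerifier verifier;

        public CookieJwtFilter(JwtVerifier verifier) {
            this.verifier = verifier;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                throws ServletException, IOException {
            Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
            if (cookie != null) {
                String subject = verifier.verify(cookie.getValue());
                if (subject == null) {
                    // a present but invalid token is an error, not an anonymous request
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
                request.setAttribute("auth.subject", subject);  // assumed attribute name consumed by controllers
            }
            chain.doFilter(request, response);
        }
    }
}
```

Because the browser attaches the cookie on its own, a cookie-carried JWT is exposed to CSRF in a way that an Authorization header set by page script is not: SameSite=Strict removes most of that exposure in current browsers, but state-changing endpoints should still keep Spring Security's CSRF protection enabled. HttpOnly is the attribute that keeps the token out of reach of injected script, which is the main argument for cookies over localStorage.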
Certain business requirements call for tracking access to our interfaces, i.e. logging requests and responses. The basic logging dimensions are the request parameters (path and query parameters, request body), the request path (URI), the request method, the request headers, the response status and response headers, and sometimes even the response body, which may contain sensitive data. Today I summarize several methods; choose the one that fits your needs. How request tracing is implemented Gateways Many gateway facilities have httptrace capabilities that help
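Whichever mechanism collects the trace, the dimensions listed above include the headers that carry credentials and bodies that may contain secrets. Here is an added example (not the post's code) of a Spring `OncePerRequestFilter` that records those dimensions with credential headers redacted, bodies truncated, and bodies skipped entirely for login-style paths. The header list, the size limit and the `/login` path prefix are assumptions of this example; it uses the javax.servlet API of Spring Boot 2.x.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.ContentCachingRequestWrapper;
import org.springframework.web.util.ContentCachingResponseWrapper;

/** Example only: request/response trace logging that does not leak credentials into the log. */
public class RedactingTraceFilter extends OncePerRequestFilter {

    private static final Logger log = LoggerFactory.getLogger(RedactingTraceFilter.class);

    /** Headers that carry credentials (assumed list; compared case-insensitively). */
    private static final Set<String> SENSITIVE_HEADERS = new HashSet<>(Arrays.asList(
            "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"));

    private static final int MAX_BODY_BYTES = 2048;  // assumed cap so large uploads do not flood the log

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        ContentCachingRequestWrapper req = new ContentCachingRequestWrapper(request);
        ContentCachingResponseWrapper res = new ContentCachingResponseWrapper(response);
        long start = System.nanoTime();
        try {
            chain.doFilter(req, res);
        } finally {
            long millis = (System.nanoTime() - start) / 1_000_000;
            String uri = req.getRequestURI();
            // the query string is logged as-is here; if your API ever puts tokens in it, redact it too
            String query = req.getQueryString() == null ? "" : "?" + req.getQueryString();
            log.info("{} {}{} -> {} ({} ms) reqHeaders={} reqBody={} resHeaders={} resBody={}",
                    req.getMethod(), uri, query, res.getStatus(), millis,
                    requestHeaders(req), bodyLoggable(uri) ? body(req.getContentAsByteArray()) : "<skipped>",
                    responseHeaders(res), bodyLoggable(uri) ? body(res.getContentAsByteArray()) : "<skipped>");
            res.copyBodyToResponse();  // required: the cached body must be written back to the real response
        }
    }

    /** Login-style endpoints carry passwords in the body; never log those (assumed prefix). */
    static boolean bodyLoggable(String uri) {
        return !uri.startsWith("/login");
    }

    static Map<String, String> requestHeaders(HttpServletRequest req) {
        Map<String, String> out = new TreeMap<>();
        for (String name : Collections.list(req.getHeaderNames())) {
            out.put(name, redact(name, req.getHeader(name)));
        }
        return out;
    }

    static Map<String, String> responseHeaders(HttpServletResponse res) {
        Map<String, String> out = new TreeMap<>();
        for (String name : res.getHeaderNames()) {
            out.put(name, redact(name, res.getHeader(name)));
        }
        return out;
    }

    static String redact(String name, String value) {
        return SENSITIVE_HEADERS.contains(name.toLowerCase()) ? "<redacted>" : value;
    }

    /** UTF-8 decode of at most MAX_BODY_BYTES, with a note about how much was cut. */
    static String body(byte[] bytes) {
        if (bytes.length == 0) {
            return "";
        }
        int n = Math.min(bytes.length, MAX_BODY_BYTES);
        String text = new String(bytes, 0, n, StandardCharsets.UTF_8);
        return n < bytes.length ? text + "...(" + (bytes.length - n) + " more bytes)" : text;
    }
}
```

`ContentCachingRequestWrapper` only caches what the downstream handler actually reads, so a request whose body is never consumed logs an empty body; that is expected, not a bug. The wrapper pair also buffers the whole response in memory, which is the price of logging response bodies and another reason to keep the cap and the path exclusions.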
Spring Authorization Server 0.2.2 has been released. This version is mainly optimizations and bug fixes; the most important new feature is client authentication with JWT assertions. Release Notes New features JdbcOAuth2AuthorizationService now supports large database fields. OAuth2TokenIntrospectionClaimAccessor is deprecated in favour of the Spring Security 5.6 implementation. The JwtEncoder-related classes are deprecated in favour of the Spring Security jose implementation. The token fields in JdbcOAuth2AuthorizationService now support the clob and text data types. The token revocation logic is now customizable.
Maven

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-mongodb</artifactId>
    </dependency>

Multiple Data Source Configuration Configuration file.

    spring:
      data:
        mongodb:
          uri: mongodb://192.168.150.154:17017
          database: ewell-label
        mongodb-target:
          uri: mongodb://192.168.150.154:17017
          database: ewell-label-target

Java configuration Master data source
In the HTTP protocol, when a client initiates a request it can carry an Accept request header to tell the server which response media types (MIME types) it can accept, either one or several. With front-end/back-end separation it is now common to send:

    Accept: application/json

For the Spring MVC framework, the received Accept header is matched, according to a certain policy, against the registered HttpMessageConverters to find the one that will format the response data.
Initial understanding of the resource server in OAuth 2.0 Few tutorials explain specifically what a Resource Server is and how to use it, so today we will first talk about the concept, to lay a foundation for later use. The shortcomings of the traditional security approach The traditional way to protect an application is to obtain the credentials issued by the server (a JWT is one kind) through
Theme: click to switch the site's theme. I believe we have all used a similar function. It is actually very similar to internationalization, and the code is very similar too, so today we will walk through it. Considering that some of you may not have used Theme yet, let's first cover its usage and then do the source code analysis. 1. One click to switch
When we talk about RPC (Remote Procedure Call), what probably comes to mind is RESTful APIs, Dubbo, WebService, Java RMI, CORBA and so on. In fact, RabbitMQ also provides an RPC capability, and it is very easy to use. Today I'll share a simple case of implementing an RPC call with Spring Boot + RabbitMQ. Some readers may have misunderstandings about RabbitMQ's implementation of
As we all know, AOP is implemented with dynamic proxies underneath, and there are two ways to implement dynamic proxies in Java: JDK-based dynamic proxies and CGLIB-based dynamic proxies. The biggest difference between the two is that a JDK dynamic proxy requires the proxied object to implement an interface (the proxy implements that interface), while a CGLIB dynamic proxy does not require an interface because it generates a subclass of the target class, which in turn means it cannot intercept final classes or final methods. So, how is AOP implemented in Spring?
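Spring's `ProxyFactory` makes the choice between the two proxy kinds visible in a few lines, so here is an added example (not code from the post) that guards a service with an allow-list interceptor, the shape a method-level authorization check takes, and shows when Spring picks a JDK proxy and when it falls back to CGLIB. The service classes and the allow-list are constructed for this example; it needs only spring-aop and spring-core on the classpath.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.framework.ProxyFactory;
import org.springframework.aop.support.AopUtils;

/** Example only: the same advice applied through a JDK proxy and through a CGLIB subclass proxy. */
public class ProxyKinds {

    /** Target with an interface: a JDK dynamic proxy can implement it. */
    public interface AccountService {
        String balance(String id);
        String close(String id);
    }

    public static class AccountServiceImpl implements AccountService {
        public String balance(String id) { return "balance of " + id; }
        public String close(String id) { return "closed " + id; }
    }

    /** Target without an interface: only a CGLIB subclass proxy can intercept it. */
    public static class ReportService {
        public String export(String id) { return "report for " + id; }
    }

    /** Around advice: reject any method that is not on the allow-list before it runs. */
    static class AllowListInterceptor implements MethodInterceptor {
        private final Set<String> allowed;

        AllowListInterceptor(String... allowed) {
            this.allowed = new HashSet<>(Arrays.asList(allowed));
        }

        @Override
        public Object invoke(MethodInvocation invocation) throws Throwable {
            Method method = invocation.getMethod();
            if (!allowed.contains(method.getName())) {
                throw new SecurityException("call to " + method.getName() + " denied");
            }
            return invocation.proceed();  // the real method runs only when allowed
        }
    }

    /** Wrap a target; Spring picks JDK or CGLIB on its own unless proxyTargetClass forces CGLIB. */
    static Object guard(Object target, boolean proxyTargetClass, String... allowedMethods) {
        ProxyFactory factory = new ProxyFactory(target);
        factory.addAdvice(new AllowListInterceptor(allowedMethods));
        factory.setProxyTargetClass(proxyTargetClass);
        return factory.getProxy();
    }

    public static void main(String[] args) {
        // Target implements an interface and CGLIB is not forced: Spring creates a JDK dynamic proxy.
        AccountService viaJdk = (AccountService) guard(new AccountServiceImpl(), false, "balance");
        System.out.println("JDK proxy: " + AopUtils.isJdkDynamicProxy(viaJdk));
        System.out.println(viaJdk.balance("42"));
        try {
            viaJdk.close("42");
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }

        // Same target with proxyTargetClass=true: a CGLIB subclass, so the cast to the class itself works.
        AccountServiceImpl viaCglib = (AccountServiceImpl) guard(new AccountServiceImpl(), true, "balance");
        System.out.println("CGLIB proxy: " + AopUtils.isCglibProxy(viaCglib));

        // No interface to implement, so Spring uses CGLIB even though proxyTargetClass is false.
        ReportService report = (ReportService) guard(new ReportService(), false, "export");
        System.out.println("CGLIB proxy: " + AopUtils.isCglibProxy(report));
        System.out.println(report.export("42"));
    }
}
```

Two consequences matter when the advice is a security check: a call the target makes to one of its own methods never passes through the proxy, so an internal `this.close(id)` bypasses the interceptor, and a CGLIB proxy cannot override a final method, so such a method runs unguarded. Both are the usual reasons method-security annotations silently fail to apply.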
This article looks at the configuration of the filters related to the OAuth 2.0 Authorization Server, which in turn gives a better understanding of the overall architecture of Spring Authorization Server. Modular configuration of Spring Security The OAuth2.0 Client, Resource Server and Authorization Server are already modularized within the Spring Security system. So how do they achieve this flexible modularity? After analyzing the configuration I found a few similarities, listed below. These are the core
On November 8 last year Spring officially and strongly recommended Spring Authorization Server as the replacement for the outdated Spring Security OAuth2.0. With not much time left before Spring Security OAuth2.0 reaches end of life, it is time to make the change, and now that Spring Authorization Server is production ready, it is time to learn it. The current Spring Security architecture Spring Security 5.x modularizes the OAuth2.0 Client and the OAuth2.0 Resource Server. Spring Security is a mandatory dependency.
A different world In a normal Spring Web project it is very easy to get the Request object, and many libraries provide static methods to get it. The code looks like this:

    ServletRequestAttributes requestAttributes =
            (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
    // get the request
    HttpServletRequest request = requestAttributes.getRequest();

The class RequestContextHolder provides static methods, which means you can call it from anywhere. It uses a ThreadLocal to hold the Request object, which means that each thread gets its own Request object, and a thread that did not receive the request gets nothing.
In Spring Cloud microservice invocation you need to deal with token relay, which is the only way to ensure that user authentication information is passed along the invocation chain. Today we will share how to implement token relay in Feign. Token Relay To be clear, this means passing the token on from service to service so that each resource server can properly authenticate the caller.
I spent a few days transforming the project from a Spring Boot monolith into Spring Cloud microservices. To be honest, the current volume of business is far from needing microservices; a standalone deployment could handle it completely. But I could not withstand the daily urging from management, so let's just do it. The hardest part is not the technology The most time-consuming part of switching from a monolith to microservices is not the technology upgrade.
Today we share the timeout and retry configuration of Feign. Timeout

    feign:
      client:
        config:
          default:
            connectTimeout: 1000
            readTimeout: 1000

The following points need to be noted. The connection timeout (connectTimeout) and the read timeout (readTimeout) only take effect when both are configured. The timeout unit is milliseconds. The timeout can be defined individually per service name. For example, if the provider-get service provides a query interface, its timeout can be set shorter as follows.
What is the Hystrix isolation strategy? Official documentation: https://github.com/Netflix/Hystrix/wiki/Configuration#executionisolationstrategy execution.isolation.strategy This property tells HystrixCommand.run() which isolation strategy to execute with, one of the following two options. THREAD: it is executed on a separate thread, and concurrent requests are limited by the number of threads in the thread pool. SEMAPHORE: it is executed on the calling thread, and concurrent requests are limited by the semaphore count. Problem When the isolation strategy is THREAD, a value stored in a ThreadLocal on the calling thread cannot be read inside the command.
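The three excerpts above describe one problem from three sides: RequestContextHolder keeps the request in a ThreadLocal, a Feign token relay reads the inbound Authorization header from that request, and under THREAD isolation the Feign interceptor runs on a Hystrix worker thread where that ThreadLocal is empty. Here is an added example (not code from these posts) that puts the pieces together: a Feign `RequestInterceptor` that relays only bearer tokens, and a `HystrixConcurrencyStrategy` that copies the caller's `RequestAttributes` onto the worker thread so the interceptor still finds them. It assumes Spring Cloud OpenFeign with Hystrix enabled and the javax.servlet API; the class names are this example's own.

```java
import java.util.concurrent.Callable;
import javax.servlet.http.HttpServletRequest;
import com.netflix.hystrix.strategy.HystrixPlugins;
import com.netflix.hystrix.strategy.concurrency.HystrixConcurrencyStrategy;
import com.netflix.hystrix.strategy.eventnotifier.HystrixEventNotifier;
import com.netflix.hystrix.strategy.executionhook.HystrixCommandExecutionHook;
import com.netflix.hystrix.strategy.metrics.HystrixMetricsPublisher;
import com.netflix.hystrix.strategy.properties.HystrixPropertiesStrategy;
import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/** Example only: bearer-token relay for Feign that survives Hystrix THREAD isolation. */
public class TokenRelay {

    static final String AUTHORIZATION = "Authorization";

    /** Read the caller's bearer token from the request bound to the current thread, if any. */
    static String currentBearerToken() {
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
        if (!(attrs instanceof ServletRequestAttributes)) {
            return null;  // no request bound to this thread: nothing to relay
        }
        HttpServletRequest request = ((ServletRequestAttributes) attrs).getRequest();
        String header = request.getHeader(AUTHORIZATION);
        // Relay bearer tokens only: Basic credentials or cookies must not leak to downstream services.
        boolean bearer = header != null && header.regionMatches(true, 0, "Bearer ", 0, 7);
        return bearer ? header : null;
    }

    /** Feign interceptor: copy the inbound Authorization header onto every outbound call. */
    public static class BearerRelayInterceptor implements RequestInterceptor {
        @Override
        public void apply(RequestTemplate template) {
            String token = currentBearerToken();
            if (token != null && !template.headers().containsKey(AUTHORIZATION)) {
                template.header(AUTHORIZATION, token);
            }
        }
    }

    /**
     * Hystrix concurrency strategy: capture the RequestAttributes on the calling thread and bind them
     * on the worker thread, so RequestContextHolder works inside the command under THREAD isolation.
     */
    public static class RequestAttributesStrategy extends HystrixConcurrencyStrategy {
        private final HystrixConcurrencyStrategy delegate;  // whatever was registered before, may be null

        public RequestAttributesStrategy(HystrixConcurrencyStrategy delegate) {
            this.delegate = delegate;
        }

        @Override
        public <T> Callable<T> wrapCallable(Callable<T> callable) {
            Callable<T> inner = delegate == null ? callable : delegate.wrapCallable(callable);
            RequestAttributes attrs = RequestContextHolder.getRequestAttributes();  // captured on the caller thread
            return () -> {
                RequestAttributes previous = RequestContextHolder.getRequestAttributes();
                try {
                    RequestContextHolder.setRequestAttributes(attrs);  // bound on the worker thread
                    return inner.call();
                } finally {
                    RequestContextHolder.setRequestAttributes(previous);  // never leave a pooled thread dirty
                }
            };
        }
    }

    /** Register once at startup. Hystrix rejects a second registration, so the other plugins are re-registered after a reset. */
    public static void registerStrategy() {
        HystrixPlugins plugins = HystrixPlugins.getInstance();
        HystrixConcurrencyStrategy existing = plugins.getConcurrencyStrategy();
        if (existing instanceof RequestAttributesStrategy) {
            return;
        }
        HystrixEventNotifier notifier = plugins.getEventNotifier();
        HystrixMetricsPublisher publisher = plugins.getMetricsPublisher();
        HystrixPropertiesStrategy properties = plugins.getPropertiesStrategy();
        HystrixCommandExecutionHook hook = plugins.getCommandExecutionHook();
        HystrixPlugins.reset();
        plugins = HystrixPlugins.getInstance();
        plugins.registerConcurrencyStrategy(new RequestAttributesStrategy(existing));
        plugins.registerEventNotifier(notifier);
        plugins.registerMetricsPublisher(publisher);
        plugins.registerPropertiesStrategy(properties);
        plugins.registerCommandExecutionHook(hook);
    }
}
```

Expose `BearerRelayInterceptor` as a bean and call `registerStrategy()` once at startup (a `@PostConstruct` is the usual place). Two caveats: the captured `ServletRequestAttributes` point at the live inbound request and are valid only while that request is in flight, which is fine for synchronous Feign calls but not for fire-and-forget work, where the token string should be captured instead; and relaying the caller's token hands every downstream service the caller's full privileges, so wire the interceptor only into the Feign clients that genuinely act on the user's behalf.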
When we configure OAuth2 we configure a resource server and an authorization server. When the resource server and the authorization server are not the same service, we can use RemoteTokenServices. If they are the same service, there is no need to configure tokenServices, because when ResourceServerConfigurerAdapter is configured without a tokenServices, a DefaultTokenServices is configured automatically. Both tokenService classes implement the ResourceServerTokenServices
Let's take a look at the overall microservice architecture we have built as part of this Spring Cloud series. If you have not followed the series from the beginning, check the index page and bookmark it if needed: Spring Cloud Tutorials. Why Spring Cloud Config? When we build a service there are many values we don't want to hardcode and would rather read from property files, for instance endpoints, encrypted values, etc.
1. Overview 1. What is SkyWalking? An application performance monitoring tool for distributed systems, designed for microservices, cloud-native and container-based (Docker, K8s, Mesos) architectures. It provides distributed tracing, service mesh telemetry analysis, metric aggregation and visualization in one solution. Official website: http://skywalking.apache.org/ 2. SkyWalking features Multiple monitoring means: language agents and Service Mesh. Multi-language automatic agents: Java, .NET Core and Node.JS. Lightweight and efficient, with no big-data stack required. Modularity, with