SpringCloud Alibaba Microservices Practice: Gateway Authorization VS Microservices Authorization

This article is reprinted from the WeChat public account "JAVA Daily Record" (author: single tone). Please contact the JAVA Daily Record public account for permission to reprint it.

In the SpringCloud architecture, there are two ways to implement authorization:

  • Authorization at the gateway level
  • Authorization by the backend microservice itself

Both approaches have been implemented earlier in this series, which raises the question: which one is better, and which is the more reasonable choice?

You may not get the answer you are hoping for, because the conclusion is that there is no single optimal solution. Each approach has its own advantages and disadvantages, and the right one depends on your business. This article compares the two so that you have a reference for making that decision.

Solution Comparison

First, the principle behind each solution. For the concrete implementation, refer to this earlier article:

SpringCloud Alibaba Microservices Practice 19 - Integrated RBAC Authorization

Gateway Authorization

Gateway authorization is also called path-matcher-based authorization: when a request passes through the gateway, the gateway checks whether the request path falls within the set of resource paths granted to the current user.

Because the matcher must cope with RESTful-style paths such as /account-service/blog/user/{id} or /account-service/blog/**, authorization at the gateway is essentially wildcard (Ant-style pattern) matching.
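As an added illustration of the gateway approach (example code, not from the original article or the series), the filter below implements path-matcher authorization as a Spring Cloud Gateway GlobalFilter. It assumes that an upstream authentication filter has already validated the access token and stored the user name in a hypothetical exchange attribute, and it uses a constructed in-memory grant table in place of the RBAC lookup; the patterns are the Ant-style ones mentioned above.

```java
import java.util.List;
import java.util.Map;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Path-matcher based authorization in Spring Cloud Gateway.
 * Assumption: an earlier authentication filter has validated the access token
 * and stored the user name in the exchange attribute AUTHENTICATED_USER
 * (hypothetical name). Identity must never be read from a client-supplied
 * header, because the client can set such a header to anything.
 */
@Component
public class PathAuthorizationFilter implements GlobalFilter, Ordered {

    static final String AUTHENTICATED_USER = "authenticatedUser";

    private final AntPathMatcher matcher = new AntPathMatcher();

    // Constructed grant table standing in for the RBAC lookup:
    // user -> Ant-style path patterns (the resources) granted to that user.
    private final Map<String, List<String>> grants = Map.of(
        "alice", List.of("/account-service/blog/**"),
        "bob",   List.of("/account-service/blog/user/{id}")
    );

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        String path = exchange.getRequest().getURI().getPath();
        String user = exchange.getAttribute(AUTHENTICATED_USER);

        if (!isAllowed(user, path)) {
            // Deny by default: no authenticated user, or no granted pattern covers the path.
            exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
            return exchange.getResponse().setComplete();
        }
        return chain.filter(exchange);
    }

    /** Decision logic kept free of reactive types so it can be unit tested directly. */
    boolean isAllowed(String user, String path) {
        if (user == null) {
            return false;
        }
        for (String pattern : grants.getOrDefault(user, List.of())) {
            if (matcher.match(pattern, path)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public int getOrder() {
        // Must run after the authentication filter that sets the attribute and
        // before the routing filters, so a denied request never reaches a backend.
        return -100;
    }
}
```

With this table, bob may call /account-service/blog/user/42 but not /account-service/blog/post/1, while alice may call both. Because the decision is made on the path alone, GET, POST and PUT to the same path are indistinguishable, which is the limitation discussed under the disadvantages below.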

Microservice Authorization

Microservice authorization is also called method-based interception: each resource is marked with a method identifier (a permission keyword), that identifier is granted to users, and an annotation on the handler method decides whether the current user holds it. Examples are @PreAuthorize("hasAuthority('...')") in Spring Security and @RequiresPermissions("...") in Shiro. In both frameworks the check is an exact keyword match, not a pattern match.
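For comparison, an added example of the method-based variant inside a microservice (example code, not the series' own). It enables the pre/post annotations with Spring Security 5.x and protects each verb on the same path with its own authority; the permission names user:read, user:create and user:update are assumed, as is the way authorities reach the principal (through the resource-server configuration, which the series covers separately).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Turns on @PreAuthorize evaluation inside the microservice
 * (Spring Security 5.x; Spring Security 6 uses @EnableMethodSecurity instead).
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

/**
 * Each handler declares the permission keyword it requires. The expression is
 * evaluated against the authorities of the authenticated principal (populated
 * from the access token by the resource-server configuration) and succeeds only
 * on an exact string match: holding "user:read" does not imply "user:create".
 * The permission names are hypothetical.
 */
@RestController
@RequestMapping("/v1/pb/user")
class UserController {

    // GET, POST and PUT share one path but are three separate permissions,
    // because the check is attached to the method, not to the URL.
    @GetMapping
    @PreAuthorize("hasAuthority('user:read')")
    public String list() {
        return "[alice, bob]";
    }

    @PostMapping
    @PreAuthorize("hasAuthority('user:create')")
    public String create(@RequestBody String body) {
        return "created " + body;
    }

    @PutMapping
    @PreAuthorize("hasAuthority('user:update')")
    public String update(@RequestBody String body) {
        return "updated " + body;
    }
}
```

A caller whose token carries only user:read receives 403 on POST and PUT without any gateway involvement; the Shiro equivalent would be @RequiresPermissions("user:read") on the same handler, checked the same way.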

Advantages and Disadvantages Compared

Gateway Authorization

Advantages

The advantage is obvious: every backend microservice stays an ordinary service with no dependency on the permission system, because authorization is handled once, at the edge.

Disadvantages

Wildcard matching at the gateway is comparatively expensive. The pattern has to be split into segments, the literal prefix is compared first, and only once the prefix matches does the matcher go on to resolve the wildcard segments; see org.springframework.util.AntPathMatcher#doMatch() for the implementation.

For RESTful URL paths, permissions cannot be controlled at fine granularity.

For example, suppose a microservice exposes the following API:

  • GET /v1/pb/user
  • POST /v1/pb/user
  • PUT /v1/pb/user

All three resolve to the same path when the gateway reads it through request.getURI().getPath(). Granting a user the /v1/pb/user resource therefore grants GET, POST and PUT at once, so a read-only grant is impossible with path matching alone. Clearly this does not meet the requirement for fine-grained permission control.

I have written a separate article on how to solve this problem; interested readers can refer to: SpringCloud Alibaba Microservices Practice 25 - Restful Interface Interception
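An added example (not the article's or the series' code) of the remedy the conclusion recommends: fold the HTTP method into the resource, so the gateway matches "METHOD pattern" rather than the path alone. The grant strings and user names are constructed; the path patterns are those of the /v1/pb/user API above.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.http.HttpMethod;
import org.springframework.util.AntPathMatcher;

/**
 * Gateway authorization with the HTTP method folded into the resource.
 * A grant is written as "METHOD ant-pattern"; the method is compared exactly
 * and the path part with AntPathMatcher, so GET, POST and PUT on /v1/pb/user
 * become three independent grants instead of one.
 */
public class MethodAwareAuthorizer {

    /** One granted resource: HTTP method plus Ant-style path pattern. */
    record Resource(HttpMethod method, String pathPattern) {
        static Resource parse(String spec) {
            String[] parts = spec.trim().split("\\s+", 2);
            if (parts.length != 2 || !parts[1].startsWith("/")) {
                throw new IllegalArgumentException("expected 'METHOD /path', got: " + spec);
            }
            return new Resource(HttpMethod.valueOf(parts[0].toUpperCase()), parts[1]);
        }
    }

    private final AntPathMatcher matcher = new AntPathMatcher();
    private final Map<String, List<Resource>> grants = new HashMap<>();

    /** Constructed grant table: user -> "METHOD pattern" strings as the RBAC side would store them. */
    MethodAwareAuthorizer(Map<String, List<String>> grantSpecs) {
        grantSpecs.forEach((user, specs) -> {
            List<Resource> parsed = new ArrayList<>();
            for (String spec : specs) {
                parsed.add(Resource.parse(spec));
            }
            grants.put(user, parsed);
        });
    }

    /** Deny by default; allow only if some grant matches both the verb and the path. */
    boolean isAllowed(String user, HttpMethod method, String path) {
        for (Resource r : grants.getOrDefault(user, List.of())) {
            // Cheap exact comparison on the verb first, pattern matching only if it passes.
            if (r.method().equals(method) && matcher.match(r.pathPattern(), path)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        MethodAwareAuthorizer auth = new MethodAwareAuthorizer(Map.of(
            "reader", List.of("GET /v1/pb/user", "GET /v1/pb/user/{id}"),
            "editor", List.of("GET /v1/pb/**", "POST /v1/pb/user", "PUT /v1/pb/user")
        ));
        // Same path, three verbs: only grants that name the verb succeed.
        for (HttpMethod m : List.of(HttpMethod.GET, HttpMethod.POST, HttpMethod.PUT)) {
            System.out.printf("reader %-4s /v1/pb/user -> %s%n", m, auth.isAllowed("reader", m, "/v1/pb/user"));
            System.out.printf("editor %-4s /v1/pb/user -> %s%n", m, auth.isAllowed("editor", m, "/v1/pb/user"));
        }
        System.out.println("reader GET  /v1/pb/user/42 -> "
            + auth.isAllowed("reader", HttpMethod.GET, "/v1/pb/user/42"));
    }
}
```

In a GlobalFilter the verb and path come from exchange.getRequest().getMethod() and exchange.getRequest().getURI().getPath(). A request whose method the gateway cannot resolve is denied, because no grant equals a null method. The AntPathMatcher cost remains, but the exact method comparison runs first and rejects most non-matching grants before any pattern work.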

Microservice Authorization

Advantages

The disadvantages of gateway authorization listed above are exactly the advantages of microservice authorization: the check is an exact match on the intercepted method, costs very little CPU, and the RESTful problem does not arise, because each handler method (and therefore each HTTP verb) carries its own permission keyword.

Disadvantages

The implementation is more involved. Every microservice has to carry the resource-server configuration of the Spring Security OAuth2 stack, so a separate, shared resource-server module is usually created. Building that module is the problem the next article in this series addresses.

Conclusion

To summarize the two solutions: if the system has few functions and business modules, gateway authorization is the simplest and most convenient choice. Although path matching alone cannot control RESTful permissions finely, the problem can be solved by adding an HTTP method field to each resource.

If the system is large and many resources need authorization, the microservice authorization model is recommended. To avoid re-implementing permission checks in every microservice, a common permission module should be extracted for the backend services to depend on.
