Enterprise Distributed Application Service:Implement access control on Spring Cloud applications by using service authentication

Last Updated:Nov 15, 2023

If a microservice-oriented application requires high security and you want to restrict access to it from other applications, you can authenticate the applications that call the microservice-oriented application. This ensures that only the applications that match the authentication rules can call the microservice-oriented application.

Background information

This topic uses an example with three consumers and one provider to show how Spring Cloud service authentication changes which consumers can call which paths of the provider.

  • Do not configure service authentication

    Consumers 1, 2, and 3 and a service provider are deployed in the same namespace. By default, Consumers 1, 2, and 3 can call all the paths (Paths 1, 2, and 3) of the provider.

    Figure: Do not configure service authentication
  • Configure service authentication

    • Configure an authentication rule for all the paths.

      You can configure an authentication rule for all the paths of the provider. For example, you can configure a blacklist for Consumer 1 to prevent it from calling the paths of the provider, and configure a whitelist for Consumers 2 and 3 to allow them to call the paths of the provider.

    • Configure an authentication rule for a specific path.

      You can also configure an authentication rule for a specific path of the provider. For example, you can configure a blacklist for Consumer 2 to prevent it from calling Path 2 of the provider because the path involves core business or core data. Then, Consumer 2 can call only Paths 1 and 3 of the provider.

    The following figure shows the application call process after you configure the authentication rules.

    Figure: Service authentication configured

Create a service authentication rule

  1. Log on to the EDAS console.

  2. In the left-side navigation pane, choose Traffic Management > Microservices Governance > Spring Cloud.

  3. In the left-side navigation tree of Spring Cloud, click Service Authentication.

  4. On the Service Authentication page, click Create rules.

  5. On the Create rules page, set the parameters for the service authentication rule, and click OK.

    Figure: Service Authentication > Create rules

    Parameters for the service authentication rule:

    • Microservice Namespaces: The region and the microservice namespace where the microservice is deployed.

    • Rule name: The name of the service authentication rule. The name can be a maximum of 64 characters in length, and can contain letters, digits, underscores (_), and hyphens (-).

    • The callee: The application to be called.

    • Callee framework: The framework that is used by the application. In this example, select Spring Cloud.

    • Add all interface rules: The global rule that applies to all paths.

      Important: You can create only one global rule for all paths.

      • Callee interface: The paths to which the rule applies. The value is fixed to All Path.

      • Authentication method: The service authentication method. Valid values: Whitelist (calls allowed) and Blacklist (calls denied). Select an option as needed.

      • Caller: The caller application to be authenticated. Click Add caller to select multiple applications.

    • Add specified interface rule: A rule that applies to a specific path.

      Important: Such a rule is not appended to the global rule. Instead, it overwrites the global rule for the path that it specifies. Exercise caution when you set this parameter.

      • Callee Path: The path of the application to be called.

      • Authentication method: The service authentication method. Valid values: Whitelist (calls allowed) and Blacklist (calls denied). Select an option as needed.

      • Caller: The caller application to be authenticated. Click Add caller to select multiple applications.

    • Default State: Specifies whether to enable the rule. Valid values:

      • On: The rule is enabled immediately after you create it. This is the default value.

      • Off: The rule is not enabled after it is created. To enable the rule, find the rule on the Service Authentication page and click Open in the Operation column.
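The following added example is not EDAS code; it is a small Python model of the rule semantics this topic describes (one global rule for All Path, per-path rules that overwrite rather than extend the global rule, and a Whitelist or Blacklist method per rule), applied to the scenario from the Background information section. The caller names, path names and the assumption that a rule with Default State set to Off enforces nothing are constructed for the example. It also shows why the Important note on specified interface rules matters: because a per-path rule replaces the global rule for that path, a caller that the global whitelist excludes can regain access on that path unless the per-path rule also excludes it.

```python
"""Illustrative model of Spring Cloud service authentication rule evaluation.

Added example, not EDAS's implementation. It models only what the topic
describes: at most one global rule covering All Path, per-path rules that
overwrite (not extend) the global rule for their path, and a Whitelist or
Blacklist authentication method on each rule.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Method(Enum):
    WHITELIST = "Whitelist"   # only the listed callers may call
    BLACKLIST = "Blacklist"   # the listed callers are denied; everyone else may call


@dataclass(frozen=True)
class Rule:
    method: Method
    callers: frozenset[str]

    def allows(self, caller: str) -> bool:
        listed = caller in self.callers
        return listed if self.method is Method.WHITELIST else not listed


@dataclass
class ServiceAuthRule:
    """One service authentication rule for a callee, as created in the console."""
    global_rule: Optional[Rule] = None                          # "Add all interface rules"
    path_rules: dict[str, Rule] = field(default_factory=dict)   # "Add specified interface rule"
    enabled: bool = True                                        # "Default State": On / Off

    def effective_rule(self, path: str) -> Optional[Rule]:
        # A path-specific rule replaces the global rule for that path; it is not merged with it.
        return self.path_rules.get(path, self.global_rule)

    def is_allowed(self, caller: str, path: str) -> bool:
        if not self.enabled:
            return True  # assumption: a rule with Default State = Off enforces nothing
        rule = self.effective_rule(path)
        return True if rule is None else rule.allows(caller)  # no rule: every consumer may call


def access_matrix(rule: ServiceAuthRule, callers, paths) -> dict[tuple[str, str], bool]:
    """Decision for every (caller, path) pair, as a reviewer would tabulate it."""
    return {(c, p): rule.is_allowed(c, p) for c in callers for p in paths}


def paths_where_override_widens_access(rule: ServiceAuthRule, callers) -> dict[str, set[str]]:
    """Flag callers that the global rule denies but a path-specific rule lets through.

    This is the Important caveat: the per-path rule overwrites the global rule for its
    path, so a caller excluded globally may regain access there.
    """
    if rule.global_rule is None:
        return {}
    widened: dict[str, set[str]] = {}
    for path, path_rule in rule.path_rules.items():
        regained = {c for c in callers
                    if not rule.global_rule.allows(c) and path_rule.allows(c)}
        if regained:
            widened[path] = regained
    return widened


# Constructed scenario from the Background information section: three consumers, a
# provider with three paths, a global whitelist for Consumers 2 and 3 (so Consumer 1 is
# denied everywhere) and a blacklist for Consumer 2 on Path 2 only.
CONSUMERS = ("consumer-1", "consumer-2", "consumer-3")
PATHS = ("/path1", "/path2", "/path3")

EXAMPLE_RULE = ServiceAuthRule(
    global_rule=Rule(Method.WHITELIST, frozenset({"consumer-2", "consumer-3"})),
    path_rules={"/path2": Rule(Method.BLACKLIST, frozenset({"consumer-2"}))},
)

if __name__ == "__main__":
    for (caller, path), allowed in access_matrix(EXAMPLE_RULE, CONSUMERS, PATHS).items():
        print(f"{caller:10s} -> {path}: {'allow' if allowed else 'deny'}")
    print("callers that regain access through a path override:",
          paths_where_override_widens_access(EXAMPLE_RULE, CONSUMERS))
```

Running the block prints the full decision table and then reports that consumer-1, which the global whitelist denies, is allowed on /path2 because the per-path blacklist there lists only consumer-2. To keep Consumer 1 out of Path 2 as well, the specified interface rule for that path has to exclude it explicitly; the global rule does not carry over.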

Verify the results

After the service authentication rule is created and enabled, check whether the rule takes effect. For example, have a caller that the rule denies and a caller that the rule allows each call the same path of the callee: the denied call should fail and the allowed call should succeed.

What to do next

After you create a service authentication rule, you can click Edit, Close, or Open in the Operation column to manage the rule. If the service authentication rule is no longer required, you can click Delete in the Operation column to delete the rule.