When you want to improve the security of a microservice-oriented application, you can configure authentication for other applications so that only the applications that match the authentication rule can call the microservice-oriented application.

Background information

The following example shows how to use service authentication in Spring Cloud.

Consumers 1, 2, and 3 and a provider belong to the same namespace. Consumers 1, 2, and 3 can call all the paths (Paths 1, 2, and 3) of the provider by default.

You can set an authentication rule for all the paths of the provider. For example, set a blacklist for Consumer 1 to prevent it from calling the provider's all paths, and set a whitelist for Consumers 2 and 3 to allow them to call the provider's paths.

You can also configure authentication for specified paths. In all-interface authentication mode, Consumers 2 and 3 can access all paths of the provider. If Path 2 involves core business or data that cannot be called by Consumer 2, you can set a blacklist for Consumer 2 to prevent it from calling Path 2. Then, Consumer 2 can only call Paths 1 and 3.

The following figure shows the call process with authentication rules configured.

Create a service authentication rule

  1. In the left-side navigation pane of Spring Cloud, click Service Authentication.
  2. On the Service Authentication page, click Create Rules.
  3. On the Create Rules page, set service authentication parameters, and click OK.

    Service authentication rule parameters:

    Parameter Description
    Namespaces The region and Namespaces where the service is located.
    Rule Name The name of the authentication rule. It can contain uppercase or lowercase letters, digits, underscores (_), and hyphens (-). It can be up to 64 characters in length.
    Callee Framework The framework used by the called application. Select Spring Cloud.
    Called Party The called application.
    Add All Interface Rules
    Notice You can add a common rule for all interfaces only once.
    Called Party
    • Spring Cloud: The default value is All Paths, which cannot be changed.
    • Dubbo: The default value is All Services /All Interfaces, which cannot be changed.
    Authentication Mode The service authentication mode. Values: Whitelist (Allow Call) and Blacklist (Deny Call). Select an option as needed.
    Caller The application that requires authentication for calling the service. Click Add Caller to select multiple applications.
    Add Specified Interface Rule
    Notice The rules added to the specified interface are not appended. Instead, they overwrite the common rules (if any) for all interfaces.
    Callee Interface Callee Framework includes Spring Cloud and Dubbo. The setting of Callee Interface varies depending on the selected framework.
    • Spring Cloud: the path to the called application.
    • Dubbo: the service and interface of the called application.
    Authentication Mode The service authentication mode. Values: Whitelist (Allow Call) and Blacklist (Deny Call). Select an option as needed.
    Caller The application that requires authentication for calling the service. Click Add Caller to select multiple applications.
    State Specifies whether to enable the rule.
    • On (default value): the rule is enabled once created.
    • Off: the rule is not enabled once created. To enable the rule, find it on the Service Authentication page and click Enable in the Operating column.

Verify the result

After the service authentication rule is configured and enabled, verify whether it takes effect as needed.

What to do next

After creating a service authentication rule, you can edit, close (based on the rule status), or enable the rule. If service authentication is no longer required, delete the rule. The operations are simple and not described here.