If you do not want specific applications to call your microservice application, you can configure rules to authenticate applications. Only the applications that match the authentication rules are allowed to call your application.

Background information

The following example shows how to use service authentication in Spring Cloud.

  • Service authentication unconfigured

    Consumers 1, 2, and 3 and the provider belong to the same namespace. By default, Consumers 1, 2, and 3 can call all the paths (Paths 1, 2, and 3) of the provider.

  • Service authentication configured
    • Configure an authentication rule for all the paths.

      You can configure an authentication rule for all the paths of the provider. For example, you can configure a blacklist for Consumer 1 to prevent it from calling the paths of the provider, and configure a whitelist for Consumers 2 and 3 to allow them to call the paths of the provider.

    • Configure an authentication rule for a specific path.

      You can also configure an authentication rule for a specific path of the provider. For example, you can configure a blacklist for Consumer 2 to prevent it from calling Path 2 of the provider because the path involves core business or data. Then, Consumer 2 can call only Paths 1 and 3 of the provider.

Create a service authentication rule

  1. Log on to the EDAS console.
  2. In the left-side navigation pane, choose Microservice Governance > Spring Cloud.
  3. In the navigation tree of Spring Cloud, click Service Authentication.
  4. On the Service Authentication page, click Create Rules.
  5. In the Create Rules panel, configure the service authentication parameters and click OK.

    The following table describes the parameters.

    Parameter: Description

    • Namespaces: The region and namespace to which the service belongs.
    • Rule Name: The name of the service authentication rule. The name can be a maximum of 64 characters in length, and can contain letters, digits, underscores (_), and hyphens (-).
    • The Callee: The called application.
    • Callee Framework: The framework that is used by the called application. For this example, select Spring Cloud.
    • Add All Interface Rules
      Notice: You can add a common rule for each interface only once.
      • Callee Interface: Default value: All Path. You cannot change the value of this parameter.
      • Authentication Method: The type of the service authentication rule. Valid values: Whitelist (Allow Calls) and Blacklist (Call Denied).
      • Caller: The application that must be authenticated before it can call the service. You can click Add Caller to add multiple applications.
    • Add Specified Interface Rule
      Notice: The rule added for a specific interface is not appended. Instead, the rule overwrites the common rule added for the interface. Exercise caution when you configure this parameter.
      • Callee Path: The path of the called application.
      • Authentication Method: The type of the service authentication rule. Valid values: Whitelist (Allow Calls) and Blacklist (Call Denied).
      • Caller: The application that must be authenticated before it can call the service. You can click Add Caller to add multiple applications.
    • Default State: Specifies whether to enable the rule.
      • On: The rule is enabled after it is created. This is the default value.
      • Off: The rule is not enabled after it is created. If you want to enable the rule, find it on the Service Authentication page and click Open in the Operation column.

Verify the result

After the service authentication rule is created and enabled, check whether the rule takes effect.
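
To know what "takes effect" should look like, write down the expected allow/deny result for every caller and path before you test. The following added example (a model written for this page, not EDAS code) computes that matrix and applies the overwrite behavior from the Notice on specific interface rules. It assumes that a whitelist admits only the listed callers, a blacklist rejects only the listed callers, and a path with no rule is open; the `Rule` class, function names, caller names, and paths are hypothetical.

```python
# Added example: a model of the rule semantics described on this page, not EDAS code.
# Assumptions: a whitelist admits only the listed callers, a blacklist rejects only
# the listed callers, and a path with no applicable rule is open to every caller.
from dataclasses import dataclass

ALL_PATHS = "*"  # stands in for the "All Path" value of Callee Interface


@dataclass(frozen=True)
class Rule:
    path: str            # ALL_PATHS or one callee path
    method: str          # "whitelist" or "blacklist"
    callers: frozenset   # caller application names


def effective_rule(rules, path):
    """Return the rule that governs `path`: a path-specific rule overwrites
    the common rule instead of being combined with it."""
    specific = [r for r in rules if r.path == path]
    common = [r for r in rules if r.path == ALL_PATHS]
    if specific:
        return specific[-1]
    return common[-1] if common else None


def is_allowed(rules, caller, path):
    rule = effective_rule(rules, path)
    if rule is None:
        return True  # service authentication unconfigured
    if rule.method == "whitelist":
        return caller in rule.callers
    if rule.method == "blacklist":
        return caller not in rule.callers
    raise ValueError(f"unknown authentication method: {rule.method}")


def decision_matrix(rules, callers, paths):
    return {(c, p): is_allowed(rules, c, p) for c in callers for p in paths}


# Constructed sample: names mirror the Background information scenario.
CALLERS = ["consumer-1", "consumer-2", "consumer-3"]
PATHS = ["/path1", "/path2", "/path3"]
RULES = [
    Rule(ALL_PATHS, "whitelist", frozenset({"consumer-2", "consumer-3"})),
    Rule("/path2", "blacklist", frozenset({"consumer-2"})),
]

if __name__ == "__main__":
    for (caller, path), ok in decision_matrix(RULES, CALLERS, PATHS).items():
        print(f"{caller:11} {path:7} {'ALLOW' if ok else 'DENY'}")
```

Under these assumptions, the blacklist on `/path2` replaces the all-path whitelist for that path, so `consumer-1` is no longer rejected there. If only `consumer-3` should reach `/path2`, a path-specific whitelist that lists `consumer-3` expresses that intent.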

What to do next

After you create a service authentication rule, you can click Edit, Close, or Open in the Operation column to manage the rule. If the service authentication rule is no longer required, you can click Delete to delete the rule.