When Enterprise Distributed Application Service (EDAS) microservices enforce service authentication, requests from a Microservices Engine (MSE) cloud-native gateway must carry valid identity credentials. Without them, EDAS rejects the request with HTTP 403. The edas-service-auth plug-in automatically injects the required identity and signature headers into every request the gateway sends to EDAS applications. You do not need to handle authentication logic manually.
How it works
EDAS supports two levels of service authentication:
Whitelist-based access control -- EDAS checks whether the requesting gateway is on the service authentication whitelist. If the gateway is not on the whitelist, EDAS returns HTTP 403.
Anti-replay protection -- In addition to the whitelist check, EDAS verifies a timestamp and hash-based message authentication code (HMAC) signature on each request. If the timestamp has expired or the signature is invalid, EDAS returns HTTP 403.
The edas-service-auth plug-in handles both levels automatically by appending the required identity and signature headers to every outbound request.
For background on EDAS service authentication, see Implement access control on Spring Cloud applications by using service authentication.
Configure the plug-in
Plug-in type: Authentication
Configuration fields
| Field | Type | Required | Default | Valid values | Description |
|---|---|---|---|---|---|
| instanceId | string | Yes | -- | Must start with gw- | The gateway ID. Included in request headers to identify the gateway to EDAS. |
| enableAntiReplay | bool | Yes | false | true, false | Enables anti-replay protection. When true, the plug-in adds a timestamp and HMAC signature to request headers for anti-replay verification. |
YAML example
Add the following YAML to the plug-in configuration:
# Gateway ID -- replace with your actual gateway ID
instanceId: gw-xxxxxxxxxx
# Enable anti-replay protection
enableAntiReplay: true
Replace gw-xxxxxxxxxx with your gateway ID.
Request headers injected by the plug-in
After the plug-in is enabled, the gateway appends the following headers to each request sent to EDAS:
| Header | Example value | Description |
|---|---|---|
| __micro.service.mse.gateway.id__ | gw-xxxxxxxxxx | Gateway ID. Must match the instanceId value in the plug-in configuration. |
| __micro.service.timestamp__ | 1676362179999 | Timestamp in milliseconds when the request was initiated. |
| __micro.service.signature__ | 7bTXDwgHsIcz0c3ddAzzo1Pmzf+O07iOeGTque6OYbo= | The signature key. |
| __micro.service.secretkey__ | fKiokSbOSbISFgjDxwRCUuOerBDguCXq | The generated signature. |
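
The two checks described under "How it works", shown from the receiving side as an added example (not EDAS or plug-in code). The page does not document the signing algorithm, the signed string, the validity window, or how the service obtains the key, so HMAC-SHA256 over `<gateway id>\n<timestamp>`, the 5-minute window, and the `whitelist` and `keys` lookups are assumptions.

```python
import base64, hashlib, hmac, time

# Header names as listed in the table above.
H_ID = "__micro.service.mse.gateway.id__"
H_TS = "__micro.service.timestamp__"
H_SIG = "__micro.service.signature__"

MAX_AGE_MS = 5 * 60 * 1000  # assumed validity window; not stated on the page


def sign(key: bytes, gateway_id: str, ts_ms: str) -> str:
    """Assumed scheme: base64(HMAC-SHA256(key, "<gateway id>\\n<timestamp>"))."""
    msg = f"{gateway_id}\n{ts_ms}".encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def check(headers, whitelist, keys, anti_replay=True, now_ms=None):
    """Return (status, reason): 200 if the request passes, otherwise 403."""
    gw = headers.get(H_ID, "")
    # Level 1: whitelist-based access control.
    if not gw.startswith("gw-") or gw not in whitelist:
        return 403, "gateway not on whitelist"
    if not anti_replay:
        return 200, "ok"
    # Level 2: timestamp freshness first, then the signature.
    ts, sig = headers.get(H_TS, ""), headers.get(H_SIG, "")
    if not ts.isdecimal():
        return 403, "missing or malformed timestamp"
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now_ms - int(ts)) > MAX_AGE_MS:
        return 403, "timestamp expired"
    key = keys.get(gw)  # hypothetical per-gateway key store
    if key is None:
        return 403, "no key for gateway"
    # compare_digest avoids leaking the first mismatching byte through timing.
    if not hmac.compare_digest(sign(key, gw, ts).encode(), sig.encode()):
        return 403, "invalid signature"
    return 200, "ok"


# Constructed sample values, not real credentials.
KEY = b"constructed-demo-key"
NOW = 1676362179999
GOOD = {H_ID: "gw-demo0001", H_TS: str(NOW), H_SIG: sign(KEY, "gw-demo0001", str(NOW))}
```

A timestamp window only bounds how long a captured request stays valid; a copy resent inside the window still passes this check.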