SpringCloud確保服務只能通過gateway轉(zhuǎn)發(fā)訪問禁止直接調(diào)用接口訪問

SpringCloud確保服務只能通過gateway轉(zhuǎn)發(fā)訪問，禁止直接調(diào)用接口訪問前言在微服務體系架構中，網(wǎng)關承擔著重要的角色，在網(wǎng)關中可以添加各種過濾器，過濾請求，保證請求參數(shù)安全，限流等等。如果請求繞過了網(wǎng)關，那就等于繞過了重重關卡，直搗黃龍，所以，在分布式架構中，我們需要有一定的防范，來確保各個服務相互之間安全調(diào)用。正文思路1、在網(wǎng)關中給所有請求加上一個請求密鑰2、在服務添加過濾器，驗證密鑰首先在網(wǎng)關服務（gateway）中添加過濾器，給放行的請求頭上加上判斷package

com.hpsyche.hpsychegatewayserver.filter;

import

com.hpsyche.hpsychegatewayserver.utils.RedisUtil;

import

org.springframework.beans.factory.annotation.Autowired;

import

org.springframework.cloud.gateway.filter.GatewayFilterChain;

import

org.springframework.cloud.gateway.filter.GlobalFilter;

import

org.springframework.http.HttpStatus;

import

org.springframework.http.server.reactive.ServerHttpRequest;

import

org.springframework.util.StringUtils;

import

org.springframework.web.server.ServerWebExchange;

import

reactor.core.publisher.Mono;

/**

*

@author

Hpsyche

*/

public

class

TokenFilter

implements

GlobalFilter

{

@Autowired

private

RedisUtil

redisUtil;

@Override

public

Mono

filter(ServerWebExchange

exchange,

GatewayFilterChain

chain)

{

//token（用戶身份）判斷

................

ServerHttpRequest

req

=

exchange.getRequest().mutate()

.header("from",

"gateway").build();

return

chain.filter(exchange.mutate().request(req.mutate().build()).build());

}

}如果考慮到安全性的話，這里header的值也可以使用UUID，并保存至redis中，在其他服務中通過redis讀取判斷身份。搜索后端架構師公眾號回復“架構整潔”，送你一份驚喜禮包。在主服務，如auth授權服務上，添加全局攔截器，判斷header上是否有對應的value，是則否則，反之攔截。package

erceptor;

import

lombok.extern.slf4j.Slf4j;

import

mons.lang.StringUtils;

import

org.springframework.web.servlet.HandlerInterceptor;

import

javax.servlet.http.HttpServletRequest;

import

javax.servlet.http.HttpServletResponse;

import

java.io.PrintWriter;

/**

*

@author

Hpsyche

*/

@Slf4j

public

class

GlobalInterceptor

implements

HandlerInterceptor

{

@Override

public

boolean

preHandle(HttpServletRequest

request,

HttpServletResponse

response,

Object

obj)

throws

Exception

{

String

secretKey

=

request.getHeader("from");

if(!StringUtils.isNotBlank(secretKey)||secretKey.equals("gateway"){

response.setContentType("application/json;

charset=utf-8");

PrintWriter

writer

=

response.getWriter();

writer.write("error");

return

false;

}

return

true;

}

}此時，繞過網(wǎng)關，直接訪問auth服務的接口會返回error，即必須通過網(wǎng)關，我們的任務看似完成了。問題在項目中，發(fā)現(xiàn)了feign遠程調(diào)用會失敗，因為在fegin中調(diào)用不通過gateway，缺少from的請求頭，會被攔截器攔截，導致調(diào)用失敗。解決方案在auth-client（服務暴露方）添加請求頭，在供其他服務調(diào)用時添加header。package

com.hpsyche.hpsycheauthclient.config;

import

feign.RequestInterceptor;

import

feign.RequestTemplate;

import

org.springframework.context.annotation.Configuration;

/**

*

Feign調(diào)用的時候添加請求頭from

*/

@Configuration

public

class

FeignConfiguration

implements

RequestInterceptor

{

@Override

public

void

apply(RequestTemplate

requestTemplate)

{;

requestTemplate.header("from",

"gateway");

}

}同時，需要在service接口中添加configuration配置：package

com.hpsyche.hpsycheauthclient.api;

import

com.hpsyche.hpsychecommonscommon.vo.BaseResponse;

import

com.hpsyche.hpsycheauthclient.config.FeignConfiguration;

import

org.springframework.cloud.openfeign.FeignClient;

import

org.springframework.web.bind.annotation.PostMapping;

import

org.springframework.web.bind.annotation.RequestParam;

/**

*

@author

Hpsyche

*/

@FeignClient(value

=

"hpsyche-auth-server",configuration

=

FeignConfiguration.class)

public

interface

AuthService

{

@PostMapping("/auth/verifyUser")

BaseResponse

verifyUser(