You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@servicecomb.apache.org by "Liubao (A)" <ba...@huawei.com> on 2019/05/14 01:21:55 UTC
答复: [PROPOSAL]start a new project to add security support for java-chassis
I thought about it before. When I work on the demos, I found it's best to create a new repo for following reasons
1. The common parts distributed in ResourceServer, Gateway and AuthenticationServer, it's not easy to have only one dependency.
2. This project is focus on JWT based authentications for microservices and java-chassis, we are not planning to make it very common like spring security did. Because there are so many variants in security management, we have to focus on the most important part now. Create a new project will make us easier to have other different implementations in future.
3. This project will acting a reference implementation now, developers may use source code directly and possibly make some changes to the source code to fulfill business usage. In the near future, we may not release any formal version of the project. Although, our goal is to make this project the best authentication choice.
4. This project may be used in older versions of java-chassis, I will tag the project based on 1.2.0, or future version like 1.3.0.
5. This project depends on spring security, spring jwt and spring oauth2 now, but java-chassis runtime may not depends on spring. Make this project a module will take java-chassis very complicated. Because this is a new project, I only want to support the latest spring 5.
-----邮件原件-----
发件人: Willem Jiang [mailto:willem.jiang@gmail.com]
发送时间: 2019年5月13日 22:16
收件人: dev <de...@servicecomb.apache.org>
主题: Re: [PROPOSAL]start a new project to add security support for java-chassis
Just a quick question why do we need to create a new git repo for the authentication?
Can we just add a module in java-chassis?
Willem Jiang
Twitter: willemjiang
Weibo: 姜宁willem
On Mon, May 13, 2019 at 4:51 PM Liubao (A) <ba...@huawei.com> wrote:
>
> Hi,
>
> I am working on integrating spring security to java-chassis to make developing authentication and authorization management easier. Now I have finished the framework and basic authorization management.
>
> This work is shown in [1].
>
>
> 1. User's can create AuthenticationServer to manage users and roles and their confidential information.
>
> 2. User's can add authentication in edge service.
>
> 3. User's can add authentication and authorization in ResouceServer. This work project two ways to specify authorization,
>
> using microservice.yaml like :
>
>
>
> ```
>
> servicecomb:
>
> authencation:
>
> access:
>
> needAuth: true
>
> roles:
>
> HandlerAuthEndpoint:
>
> adminSayHello: ADMIN
>
> ```
>
>
>
> or using method security
>
> ```
>
> @PostMapping(path = "/adminSayHello")
>
> @PreAuthorize("hasRole('ADMIN')")
>
> public String adminSayHello(String name) {
>
> return name;
>
> } ```
>
>
> This test cases are show in project Client, in AuthenticationTestCase.java .
>
> I suggest to create a new project, servicecomb-security(or some other name), to hosting common components that can be reused to develop authentication and authorization.
>
> Future plans of this project(informal):
>
>
> 1. Make OAUTH2 as the default implementation. JWT is the most effective authentication mechanism for miscroservices, I think OAUTH2(or related Open Connect ID) is the best choice. (based on spring security oauth2)
>
> 2. Add common framework to connect other OAUTH2 parties. (like keycloak[2], or firebase[3])
>
> 3. Others based on user's feedback.
>
>
> [1]
> https://github.com/apache/servicecomb-samples/tree/master/authenticati
> on [2] https://www.keycloak.org/docs/latest/securing_apps/index.html
> [3] https://firebase.google.com/docs/auth/
>
>
>
>
>
Re: [PROPOSAL]start a new project to add security support for java-chassis
Posted by Willem Jiang <wi...@gmail.com>.
Hi,
I think you make a good point for creating a new repo for the security
support of servicecomb.
We could start a vote if there is no any other objection for it.
Willem Jiang
Twitter: willemjiang
Weibo: 姜宁willem
On Tue, May 14, 2019 at 9:28 AM Liubao (A) <ba...@huawei.com> wrote:
>
> I thought about it before. When I work on the demos, I found it's best to create a new repo for following reasons
>
> 1. The common parts distributed in ResourceServer, Gateway and AuthenticationServer, it's not easy to have only one dependency.
> 2. This project is focus on JWT based authentications for microservices and java-chassis, we are not planning to make it very common like spring security did. Because there are so many variants in security management, we have to focus on the most important part now. Create a new project will make us easier to have other different implementations in future.
> 3. This project will acting a reference implementation now, developers may use source code directly and possibly make some changes to the source code to fulfill business usage. In the near future, we may not release any formal version of the project. Although, our goal is to make this project the best authentication choice.
> 4. This project may be used in older versions of java-chassis, I will tag the project based on 1.2.0, or future version like 1.3.0.
> 5. This project depends on spring security, spring jwt and spring oauth2 now, but java-chassis runtime may not depends on spring. Make this project a module will take java-chassis very complicated. Because this is a new project, I only want to support the latest spring 5.
>
> -----邮件原件-----
> 发件人: Willem Jiang [mailto:willem.jiang@gmail.com]
> 发送时间: 2019年5月13日 22:16
> 收件人: dev <de...@servicecomb.apache.org>
> 主题: Re: [PROPOSAL]start a new project to add security support for java-chassis
>
> Just a quick question why do we need to create a new git repo for the authentication?
> Can we just add a module in java-chassis?
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
>
> On Mon, May 13, 2019 at 4:51 PM Liubao (A) <ba...@huawei.com> wrote:
> >
> > Hi,
> >
> > I am working on integrating spring security to java-chassis to make developing authentication and authorization management easier. Now I have finished the framework and basic authorization management.
> >
> > This work is shown in [1].
> >
> >
> > 1. User's can create AuthenticationServer to manage users and roles and their confidential information.
> >
> > 2. User's can add authentication in edge service.
> >
> > 3. User's can add authentication and authorization in ResouceServer. This work project two ways to specify authorization,
> >
> > using microservice.yaml like :
> >
> >
> >
> > ```
> >
> > servicecomb:
> >
> > authencation:
> >
> > access:
> >
> > needAuth: true
> >
> > roles:
> >
> > HandlerAuthEndpoint:
> >
> > adminSayHello: ADMIN
> >
> > ```
> >
> >
> >
> > or using method security
> >
> > ```
> >
> > @PostMapping(path = "/adminSayHello")
> >
> > @PreAuthorize("hasRole('ADMIN')")
> >
> > public String adminSayHello(String name) {
> >
> > return name;
> >
> > } ```
> >
> >
> > This test cases are show in project Client, in AuthenticationTestCase.java .
> >
> > I suggest to create a new project, servicecomb-security(or some other name), to hosting common components that can be reused to develop authentication and authorization.
> >
> > Future plans of this project(informal):
> >
> >
> > 1. Make OAUTH2 as the default implementation. JWT is the most effective authentication mechanism for miscroservices, I think OAUTH2(or related Open Connect ID) is the best choice. (based on spring security oauth2)
> >
> > 2. Add common framework to connect other OAUTH2 parties. (like keycloak[2], or firebase[3])
> >
> > 3. Others based on user's feedback.
> >
> >
> > [1]
> > https://github.com/apache/servicecomb-samples/tree/master/authenticati
> > on [2] https://www.keycloak.org/docs/latest/securing_apps/index.html
> > [3] https://firebase.google.com/docs/auth/
> >
> >
> >
> >
> >