Posted to commits@servicecomb.apache.org by li...@apache.org on 2019/06/22 03:22:58 UTC

[servicecomb-fence] 10/12: [SCB-1322]refactor code to allow authentication filters customization and adapt spring security Authentication architecture

This is an automated email from the ASF dual-hosted git repository.

liubao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-fence.git

commit 8b8c29c50301dff98a6e195760b6722e4a9f3f47
Author: liubao <bi...@qq.com>
AuthorDate: Sat Jun 22 10:57:17 2019 +0800

    [SCB-1322]refactor code to allow authentication filters customization and adapt spring security Authentication architecture
---
 .../server/PasswordTokenGranter.java               | 16 +++---
 .../server/RefreshTokenTokenGranter.java           | 13 ++---
 .../authentication/server/TokenEndpoint.java       |  2 +-
 ...nst.java => AuthenticationServerConstants.java} |  6 ++-
 .../authentication/token/TokenConfiguration.java   | 16 +++---
 .../servicecomb/authentication/jwt/JWTHeader.java  |  1 +
 .../token/AbstractOpenIDTokenStore.java            | 10 ++--
 .../token/InMemoryOpenIDTokenStore.java            |  3 ++
 .../util/{Constants.java => CommonConstants.java}  |  4 +-
 .../authentication/edge/AuthHandler.java           | 20 +++----
 .../authentication/edge/AuthenticationFilter.java  | 12 ++---
 .../authentication/edge/EdgeConfiguration.java     |  6 +--
 .../authentication/edge/TokenEndpoint.java         |  4 +-
 .../resource/AccessConfiguration.java              |  0
 .../resource/AccessConfigurationManager.java       |  0
 ...eptionExceptionToProducerResponseConverter.java |  0
 .../authentication/resource/AuthFilter.java}       | 27 ++--------
 .../authentication/resource/AuthFiltersBean.java}  | 34 ++++++------
 .../resource/AuthenticationAuthFilter.java}        | 55 +++++++------------
 .../ConfigBasedAuthoriaztionAuthFilter.java        | 61 ++++++++++++++++++++++
 .../resource/ResourceAuthHandler.java}             | 28 ++++------
 .../resource/SimpleAuthentication.java             |  4 --
 ....exception.ExceptionToProducerResponseConverter |  0
 .../src/main/resources/config/cse.handler.xml      |  0
 .../AuthenticationConfiguration.java               | 12 ++---
 .../authentication/AuthenticationTestCase.java     |  6 +--
 .../gateway/AuthenticationConfiguration.java       | 10 ++--
 .../resource/AuthenticationConfiguration.java      | 10 ++--
 28 files changed, 192 insertions(+), 168 deletions(-)

diff --git a/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/PasswordTokenGranter.java b/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/PasswordTokenGranter.java
index 6f893cd..45c8ca2 100644
--- a/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/PasswordTokenGranter.java
+++ b/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/PasswordTokenGranter.java
@@ -21,7 +21,7 @@ import java.util.Map;
 
 import org.apache.servicecomb.authentication.token.AbstractOpenIDTokenStore;
 import org.apache.servicecomb.authentication.token.OpenIDToken;
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -34,21 +34,21 @@ import com.netflix.config.DynamicPropertyFactory;
 @Component
 public class PasswordTokenGranter implements TokenGranter {
   @Autowired
-  @Qualifier(Constants.BEAN_AUTH_USER_DETAILS_SERVICE)
+  @Qualifier(CommonConstants.BEAN_AUTH_USER_DETAILS_SERVICE)
   private UserDetailsService userDetailsService;
 
   @Autowired
-  @Qualifier(Constants.BEAN_AUTH_PASSWORD_ENCODER)
+  @Qualifier(CommonConstants.BEAN_AUTH_PASSWORD_ENCODER)
   private PasswordEncoder passwordEncoder;
 
   @Autowired
-  @Qualifier(Constants.BEAN_AUTH_OPEN_ID_TOKEN_STORE)
+  @Qualifier(CommonConstants.BEAN_AUTH_OPEN_ID_TOKEN_STORE)
   private AbstractOpenIDTokenStore openIDTokenStore;
 
   @Override
   public TokenResponse grant(Map<String, String> parameters) {
-    String username = parameters.get(TokenConst.PARAM_USERNAME);
-    String password = parameters.get(TokenConst.PARAM_PASSWORD);
+    String username = parameters.get(AuthenticationServerConstants.PARAM_USERNAME);
+    String password = parameters.get(AuthenticationServerConstants.PARAM_PASSWORD);
 
     UserDetails userDetails = userDetailsService.loadUserByUsername(username);
     if (passwordEncoder.matches(password, userDetails.getPassword())) {
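Review bot: `username` and `password` are read from the request map in `grant` and passed to `loadUserByUsername` and `passwordEncoder.matches` without a null or empty check, so a request that omits either parameter fails however the user service or encoder treats null instead of as a clean authentication failure. A guard such as `if (username == null || password == null) { return null; }` before the lookup would keep that path uniform, assuming `null` is this method's failure result as it is in the refresh granter. `loadUserByUsername` also reports an unknown user by throwing `UsernameNotFoundException`; if that reaches the client as a different response than a wrong password, the endpoint discloses which usernames exist, so it is worth catching here and returning the same result. The rest of `grant` lies outside this hunk, so its failure branch could not be checked.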
@@ -62,13 +62,13 @@ public class PasswordTokenGranter implements TokenGranter {
 
   @Override
   public String grantType() {
-    return TokenConst.GRANT_TYPE_PASSWORD;
+    return AuthenticationServerConstants.GRANT_TYPE_PASSWORD;
   }
 
   @Override
   public boolean enabled() {
     return DynamicPropertyFactory.getInstance()
-        .getBooleanProperty(Constants.CONFIG_GRANTER_PASSWORD_ENABLED, true)
+        .getBooleanProperty(AuthenticationServerConstants.CONFIG_GRANTER_PASSWORD_ENABLED, true)
         .get();
   }
 
diff --git a/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/RefreshTokenTokenGranter.java b/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/RefreshTokenTokenGranter.java
index 4b0f93f..77a9f98 100644
--- a/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/RefreshTokenTokenGranter.java
+++ b/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/RefreshTokenTokenGranter.java
@@ -22,7 +22,7 @@ import java.util.Map;
 import org.apache.servicecomb.authentication.token.AbstractOpenIDTokenStore;
 import org.apache.servicecomb.authentication.token.OpenIDToken;
 import org.apache.servicecomb.authentication.token.Token;
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -34,34 +34,35 @@ import com.netflix.config.DynamicPropertyFactory;
 @Component
 public class RefreshTokenTokenGranter implements TokenGranter {
   @Autowired
-  @Qualifier(Constants.BEAN_AUTH_USER_DETAILS_SERVICE)
+  @Qualifier(CommonConstants.BEAN_AUTH_USER_DETAILS_SERVICE)
   private UserDetailsService userDetailsService;
 
   @Autowired
-  @Qualifier(Constants.BEAN_AUTH_OPEN_ID_TOKEN_STORE)
+  @Qualifier(CommonConstants.BEAN_AUTH_OPEN_ID_TOKEN_STORE)
   private AbstractOpenIDTokenStore openIDTokenStore;
 
   @Override
   public boolean enabled() {
     return DynamicPropertyFactory.getInstance()
-        .getBooleanProperty("servicecomb.authentication.granter.refreshToken.enabled", true)
+        .getBooleanProperty(AuthenticationServerConstants.CONFIG_GRANTER_REFRESH_TOKEN_ENABLED, true)
         .get();
   }
 
   @Override
   public String grantType() {
-    return TokenConst.GRANT_TYPE_REFRESH_TOKEN;
+    return AuthenticationServerConstants.GRANT_TYPE_REFRESH_TOKEN;
   }
 
   @Override
   public TokenResponse grant(Map<String, String> parameters) {
-    String refreshTokenValue = parameters.get(TokenConst.PARAM_REFRESH_TOKEN);
+    String refreshTokenValue = parameters.get(AuthenticationServerConstants.PARAM_REFRESH_TOKEN);
 
     Token refreshToken = openIDTokenStore.readTokenByRefreshTokenValue(refreshTokenValue);
 
     if (refreshToken != null && !refreshToken.isExpired()) {
       UserDetails userDetails = userDetailsService.loadUserByUsername(refreshToken.username());
       OpenIDToken openIDToken = openIDTokenStore.createToken(userDetails);
+      openIDTokenStore.saveToken(openIDToken);
       return TokenResponse.fromOpenIDToken(openIDToken);
     }
     return null;
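Review bot: The refresh token presented to `grant` stays valid after it has been exchanged. The added `saveToken` call stores the newly created token, but nothing in this hunk removes or invalidates the old entry, so a leaked refresh token remains usable until it expires. Consider invalidating the old token once the new one is saved (rotation), if the store interface offers a way to do that. The reloaded `userDetails` is also used without checking `isEnabled()` or `isAccountNonLocked()`, so a disabled or locked account can apparently keep obtaining tokens; `if (!userDetails.isEnabled() || !userDetails.isAccountNonLocked()) { return null; }` before `createToken` would close that. The method's closing brace is outside the hunk.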
diff --git a/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/TokenEndpoint.java b/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/TokenEndpoint.java
index fa2ca32..fb849c1 100644
--- a/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/TokenEndpoint.java
+++ b/api/authentication-server/endpoint/src/main/java/org/apache/servicecomb/authentication/server/TokenEndpoint.java
@@ -37,7 +37,7 @@ public class TokenEndpoint implements TokenService {
   @Override
   @PostMapping(path = "/", consumes = MediaType.APPLICATION_FORM_URLENCODED)
   public TokenResponse getToken(@RequestBody Map<String, String> parameters) {
-    String grantType = parameters.get(TokenConst.PARAM_GRANT_TYPE);
+    String grantType = parameters.get(AuthenticationServerConstants.PARAM_GRANT_TYPE);
 
     for (TokenGranter granter : granters) {
       if (granter.enabled()) {
diff --git a/api/authentication-server/service/src/main/java/org/apache/servicecomb/authentication/server/TokenConst.java b/api/authentication-server/service/src/main/java/org/apache/servicecomb/authentication/server/AuthenticationServerConstants.java
similarity index 81%
rename from api/authentication-server/service/src/main/java/org/apache/servicecomb/authentication/server/TokenConst.java
rename to api/authentication-server/service/src/main/java/org/apache/servicecomb/authentication/server/AuthenticationServerConstants.java
index 915a515..193e6d8 100644
--- a/api/authentication-server/service/src/main/java/org/apache/servicecomb/authentication/server/TokenConst.java
+++ b/api/authentication-server/service/src/main/java/org/apache/servicecomb/authentication/server/AuthenticationServerConstants.java
@@ -17,7 +17,7 @@
 
 package org.apache.servicecomb.authentication.server;
 
-public class TokenConst {
+public class AuthenticationServerConstants {
   public static final String PARAM_GRANT_TYPE = "grant_type";
 
   public static final String PARAM_USERNAME = "username";
@@ -31,4 +31,8 @@ public class TokenConst {
   public static final String GRANT_TYPE_PASSWORD = "password";
   
   public static final String GRANT_TYPE_REFRESH_TOKEN = "refresh_token";
+  
+  public static final String CONFIG_GRANTER_PASSWORD_ENABLED = "servicecomb.authentication.granter.password.enabled";
+  
+  public static final String CONFIG_GRANTER_REFRESH_TOKEN_ENABLED = "servicecomb.authentication.granter.refreshToken.enabled";
 }
diff --git a/api/common/endpoint/src/main/java/org/apache/servicecomb/authentication/token/TokenConfiguration.java b/api/common/endpoint/src/main/java/org/apache/servicecomb/authentication/token/TokenConfiguration.java
index 94b1e21..8fd7375 100644
--- a/api/common/endpoint/src/main/java/org/apache/servicecomb/authentication/token/TokenConfiguration.java
+++ b/api/common/endpoint/src/main/java/org/apache/servicecomb/authentication/token/TokenConfiguration.java
@@ -17,7 +17,7 @@
 
 package org.apache.servicecomb.authentication.token;
 
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
@@ -28,17 +28,17 @@ import org.springframework.security.jwt.crypto.sign.SignerVerifier;
 
 @Configuration
 public class TokenConfiguration {
-  @Bean(name = {Constants.BEAN_AUTH_ACCESS_TOKEN_STORE,
-      Constants.BEAN_AUTH_REFRESH_TOKEN_STORE})
-  @Order(Constants.BEAN_DEFAULT_ORDER)
+  @Bean(name = {CommonConstants.BEAN_AUTH_ACCESS_TOKEN_STORE,
+      CommonConstants.BEAN_AUTH_REFRESH_TOKEN_STORE})
+  @Order(CommonConstants.BEAN_DEFAULT_ORDER)
   public SessionTokenStore sessionTokenStore() {
     return new SessionTokenStore();
   }
 
-  @Bean(name = {Constants.BEAN_AUTH_ID_TOKEN_STORE})
-  @Order(Constants.BEAN_DEFAULT_ORDER)
-  public JWTTokenStore jwtTokenStore(@Autowired @Qualifier(Constants.BEAN_AUTH_SIGNER) Signer signer,
-      @Autowired @Qualifier(Constants.BEAN_AUTH_SIGNATURE_VERIFIER) SignerVerifier signerVerifier) {
+  @Bean(name = {CommonConstants.BEAN_AUTH_ID_TOKEN_STORE})
+  @Order(CommonConstants.BEAN_DEFAULT_ORDER)
+  public JWTTokenStore jwtTokenStore(@Autowired @Qualifier(CommonConstants.BEAN_AUTH_SIGNER) Signer signer,
+      @Autowired @Qualifier(CommonConstants.BEAN_AUTH_SIGNATURE_VERIFIER) SignerVerifier signerVerifier) {
     return new JWTTokenStoreImpl(signer, signerVerifier);
   }
 }
diff --git a/api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java b/api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java
index 2cc797c..615d968 100644
--- a/api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java
+++ b/api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java
@@ -18,6 +18,7 @@
 package org.apache.servicecomb.authentication.jwt;
 
 public class JWTHeader {
+  //see: https://tools.ietf.org/html/rfc7519
   private String typ;
 
   private String alg;
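Review bot: The new reference comment sits on the `typ` field although it reads as documentation for the whole class, and `alg` is defined by the JWS specification (RFC 7515, section 4.1.1) rather than by RFC 7519. A class-level Javadoc such as `/** JOSE header of a JWT: typ (RFC 7519, section 5.1) and alg (RFC 7515, section 4.1.1). */` would place it correctly. It would also help to state there that `alg` on a received token is untrusted input and must be checked against the expected algorithm before verification, unless the verifier already enforces that. The class body continues outside the hunk.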
diff --git a/api/common/service/src/main/java/org/apache/servicecomb/authentication/token/AbstractOpenIDTokenStore.java b/api/common/service/src/main/java/org/apache/servicecomb/authentication/token/AbstractOpenIDTokenStore.java
index 9bc43cf..52eaa74 100644
--- a/api/common/service/src/main/java/org/apache/servicecomb/authentication/token/AbstractOpenIDTokenStore.java
+++ b/api/common/service/src/main/java/org/apache/servicecomb/authentication/token/AbstractOpenIDTokenStore.java
@@ -17,22 +17,22 @@
 
 package org.apache.servicecomb.authentication.token;
 
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.core.userdetails.UserDetails;
 
 public abstract class AbstractOpenIDTokenStore implements OpenIDTokenStore {
   @Autowired
-  @Qualifier(Constants.BEAN_AUTH_ACCESS_TOKEN_STORE)
+  @Qualifier(CommonConstants.BEAN_AUTH_ACCESS_TOKEN_STORE)
   private TokenStore<SessionToken> accessTokenStore;
 
   @Autowired
-  @Qualifier(Constants.BEAN_AUTH_REFRESH_TOKEN_STORE)
+  @Qualifier(CommonConstants.BEAN_AUTH_REFRESH_TOKEN_STORE)
   private TokenStore<SessionToken> refreshTokenStore;
 
   @Autowired
-  @Qualifier(Constants.BEAN_AUTH_ID_TOKEN_STORE)
+  @Qualifier(CommonConstants.BEAN_AUTH_ID_TOKEN_STORE)
   private JWTTokenStore idTokenStore;
 
   @Override
@@ -43,7 +43,7 @@ public abstract class AbstractOpenIDTokenStore implements OpenIDTokenStore {
   @Override
   public OpenIDToken createToken(UserDetails userDetails) {
     OpenIDToken token = new OpenIDToken();
-    token.setTokenType(Constants.TOKEN_TYPE_BEARER);
+    token.setTokenType(CommonConstants.TOKEN_TYPE_BEARER);
     token.setAccessToken(accessTokenStore.createToken(userDetails));
     token.setRefreshToken(refreshTokenStore.createToken(userDetails));
     token.setIdToken(idTokenStore.createToken(userDetails));
diff --git a/api/common/service/src/main/java/org/apache/servicecomb/authentication/token/InMemoryOpenIDTokenStore.java b/api/common/service/src/main/java/org/apache/servicecomb/authentication/token/InMemoryOpenIDTokenStore.java
index 522e475..1a09f58 100644
--- a/api/common/service/src/main/java/org/apache/servicecomb/authentication/token/InMemoryOpenIDTokenStore.java
+++ b/api/common/service/src/main/java/org/apache/servicecomb/authentication/token/InMemoryOpenIDTokenStore.java
@@ -20,6 +20,9 @@ package org.apache.servicecomb.authentication.token;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
+/**
+ * In memory store, only used for testing or samples only. DO NOT use it in product.
+ */
 public class InMemoryOpenIDTokenStore extends AbstractOpenIDTokenStore {
   private static final Map<String, OpenIDToken> TOKENS = new ConcurrentHashMap<>();
 
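Review bot: The added Javadoc says not to use this store in production but not why, and its wording is doubled ("only used ... only", "in product"). Suggested first line: `/** In-memory token store for tests and samples only; do not use in production. */`, followed by a sentence giving the reasons that hold for this class: tokens live in a static map inside one JVM, so they are lost on restart and not shared between instances. Whether expired entries are ever evicted from `TOKENS` cannot be seen in this hunk; if they are not, that belongs in the comment too.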
diff --git a/api/common/service/src/main/java/org/apache/servicecomb/authentication/util/Constants.java b/api/common/service/src/main/java/org/apache/servicecomb/authentication/util/CommonConstants.java
similarity index 93%
rename from api/common/service/src/main/java/org/apache/servicecomb/authentication/util/Constants.java
rename to api/common/service/src/main/java/org/apache/servicecomb/authentication/util/CommonConstants.java
index 43c85b5..74e8fe6 100644
--- a/api/common/service/src/main/java/org/apache/servicecomb/authentication/util/Constants.java
+++ b/api/common/service/src/main/java/org/apache/servicecomb/authentication/util/CommonConstants.java
@@ -17,7 +17,7 @@
 
 package org.apache.servicecomb.authentication.util;
 
-public final class Constants {
+public final class CommonConstants {
   public static final String HTTP_HEADER_AUTHORIZATION = "Authorization";
 
   public static final String CONTEXT_HEADER_AUTHORIZATION = "Authorization";
@@ -52,5 +52,5 @@ public final class Constants {
   
   public static final String BEAN_AUTH_USER_DETAILS_SERVICE = "authUserDetailsService";
   
-  public static final String CONFIG_GRANTER_PASSWORD_ENABLED = "servicecomb.authentication.granter.password.enabled";
+  public static final String BEAN_AUTH_AUTH_FILTER = "authAuthFilter";
 }
diff --git a/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/AuthHandler.java b/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/AuthHandler.java
index 850b733..1d1c165 100644
--- a/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/AuthHandler.java
+++ b/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/AuthHandler.java
@@ -21,7 +21,7 @@ import org.apache.servicecomb.authentication.token.JWTToken;
 import org.apache.servicecomb.authentication.token.JWTTokenStore;
 import org.apache.servicecomb.authentication.token.OpenIDToken;
 import org.apache.servicecomb.authentication.token.OpenIDTokenStore;
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.apache.servicecomb.core.Handler;
 import org.apache.servicecomb.core.Invocation;
 import org.apache.servicecomb.foundation.common.utils.BeanUtils;
@@ -31,15 +31,15 @@ import org.apache.servicecomb.swagger.invocation.exception.InvocationException;
 public class AuthHandler implements Handler {
   @Override
   public void handle(Invocation invocation, AsyncResponse asyncResponse) throws Exception {
-    String token = invocation.getContext(Constants.CONTEXT_HEADER_AUTHORIZATION);
-    String tokenType = invocation.getContext(Constants.CONTEXT_HEADER_AUTHORIZATION_TYPE);
+    String token = invocation.getContext(CommonConstants.CONTEXT_HEADER_AUTHORIZATION);
+    String tokenType = invocation.getContext(CommonConstants.CONTEXT_HEADER_AUTHORIZATION_TYPE);
     if (token == null) {
       asyncResponse.consumerFail(new InvocationException(403, "forbidden", "not authenticated"));
       return;
     }
 
-    if (Constants.CONTEXT_HEADER_AUTHORIZATION_TYPE_ID_TOKEN.equals(tokenType)) {
-      JWTTokenStore jwtTokenStore = BeanUtils.getBean(Constants.BEAN_AUTH_ID_TOKEN_STORE);
+    if (CommonConstants.CONTEXT_HEADER_AUTHORIZATION_TYPE_ID_TOKEN.equals(tokenType)) {
+      JWTTokenStore jwtTokenStore = BeanUtils.getBean(CommonConstants.BEAN_AUTH_ID_TOKEN_STORE);
       JWTToken jwtToken = jwtTokenStore.createTokenByValue(token);
       if (jwtToken == null || jwtToken.isExpired()) {
         asyncResponse.consumerFail(new InvocationException(403, "forbidden", "not authenticated"));
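Review bot: Every rejection in `handle` uses status 403 with the message "not authenticated", including the missing-token case at the top of this hunk. A missing, expired or invalid credential is conventionally 401, with 403 reserved for an authenticated caller who lacks permission. Returning `new InvocationException(401, "unauthorized", "not authenticated")` for these cases lets clients and monitoring tell "log in again" apart from "access denied". The same applies to the rejections in the two later hunks of this file; `handle` continues outside this hunk.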
@@ -47,11 +47,11 @@ public class AuthHandler implements Handler {
       }
 
       // send id_token to services to apply state less validation
-      invocation.addContext(Constants.CONTEXT_HEADER_AUTHORIZATION, jwtToken.getValue());
+      invocation.addContext(CommonConstants.CONTEXT_HEADER_AUTHORIZATION, jwtToken.getValue());
       invocation.next(asyncResponse);
-    } else if (Constants.CONTEXT_HEADER_AUTHORIZATION_TYPE_SESSION_TOKEN.equals(tokenType)) {
-      OpenIDTokenStore openIDTokenStore = BeanUtils.getBean(Constants.BEAN_AUTH_OPEN_ID_TOKEN_STORE);
-
+    } else if (CommonConstants.CONTEXT_HEADER_AUTHORIZATION_TYPE_SESSION_TOKEN.equals(tokenType)) {
+      // TODO: session based are not fully tested now, just code snippet
+      OpenIDTokenStore openIDTokenStore = BeanUtils.getBean(CommonConstants.BEAN_AUTH_OPEN_ID_TOKEN_STORE);
 
       OpenIDToken tokenResonse = openIDTokenStore.readTokenByValue(token);
       if (tokenResonse == null || tokenResonse.isExpired()) {
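Review bot: The session-token branch is marked `// TODO: session based are not fully tested now, just code snippet` yet stays reachable in the handler that decides whether a request is authenticated. Until it is tested, it would be safer to reject this token type (fall through to the final rejection) or to put it behind an explicit configuration switch that defaults to off. In the next hunk the same branch calls `tokenResonse.getIdToken().getValue()` without checking `getIdToken()` for null, so a stored token without an id token would surface as an unhandled exception instead of a rejection. The branch ends outside this hunk.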
@@ -60,7 +60,7 @@ public class AuthHandler implements Handler {
       }
 
       // send id_token to services to apply state less validation
-      invocation.addContext(Constants.CONTEXT_HEADER_AUTHORIZATION, tokenResonse.getIdToken().getValue());
+      invocation.addContext(CommonConstants.CONTEXT_HEADER_AUTHORIZATION, tokenResonse.getIdToken().getValue());
       invocation.next(asyncResponse);
     } else {
       asyncResponse.consumerFail(new InvocationException(403, "forbidden", "not authenticated"));
diff --git a/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/AuthenticationFilter.java b/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/AuthenticationFilter.java
index 6b5b8d7..8a31649 100644
--- a/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/AuthenticationFilter.java
+++ b/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/AuthenticationFilter.java
@@ -17,7 +17,7 @@
 
 package org.apache.servicecomb.authentication.edge;
 
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.apache.servicecomb.common.rest.filter.HttpServerFilter;
 import org.apache.servicecomb.core.Invocation;
 import org.apache.servicecomb.foundation.vertx.http.HttpServletRequestEx;
@@ -34,14 +34,14 @@ public class AuthenticationFilter implements HttpServerFilter {
   public Response afterReceiveRequest(Invocation invocation, HttpServletRequestEx requestEx) {
     // Now support bearer id tokens authentication
     // TODO : add support for Cookies session tokens. 
-    String authentication = requestEx.getHeader(Constants.HTTP_HEADER_AUTHORIZATION);
+    String authentication = requestEx.getHeader(CommonConstants.HTTP_HEADER_AUTHORIZATION);
     if (authentication != null) {
       String[] tokens = authentication.split(" ");
       if (tokens.length == 2) {
-        if (tokens[0].equals(Constants.TOKEN_TYPE_BEARER)) {
-          invocation.addContext(Constants.CONTEXT_HEADER_AUTHORIZATION, tokens[1]);
-          invocation.addContext(Constants.CONTEXT_HEADER_AUTHORIZATION_TYPE,
-              Constants.CONTEXT_HEADER_AUTHORIZATION_TYPE_ID_TOKEN);
+        if (tokens[0].equals(CommonConstants.TOKEN_TYPE_BEARER)) {
+          invocation.addContext(CommonConstants.CONTEXT_HEADER_AUTHORIZATION, tokens[1]);
+          invocation.addContext(CommonConstants.CONTEXT_HEADER_AUTHORIZATION_TYPE,
+              CommonConstants.CONTEXT_HEADER_AUTHORIZATION_TYPE_ID_TOKEN);
         }
       }
     }
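Review bot: When the `Authorization` header is absent or is not a two-part Bearer value, `afterReceiveRequest` leaves the invocation context untouched instead of clearing `CONTEXT_HEADER_AUTHORIZATION` and `CONTEXT_HEADER_AUTHORIZATION_TYPE`. If the context can already hold values at this point (for example from a propagated context, which is not visible here), `AuthHandler` would read them as though this filter had set them, so the filter should overwrite or remove both keys on every request. Separately, `tokens[0].equals(CommonConstants.TOKEN_TYPE_BEARER)` compares the scheme case-sensitively, while RFC 7235 defines auth schemes as case-insensitive; `equalsIgnoreCase` would handle that. The method continues outside the hunk.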
diff --git a/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/EdgeConfiguration.java b/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/EdgeConfiguration.java
index 502dc7e..4142c4f 100644
--- a/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/EdgeConfiguration.java
+++ b/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/EdgeConfiguration.java
@@ -17,15 +17,15 @@
 
 package org.apache.servicecomb.authentication.edge;
 
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 
 @Configuration
 public class EdgeConfiguration {
-  @Bean(name = {Constants.BEAN_AUTH_EDGE_TOKEN_RESPONSE_PROCESSOR})
-  @Order(Constants.BEAN_DEFAULT_ORDER)
+  @Bean(name = {CommonConstants.BEAN_AUTH_EDGE_TOKEN_RESPONSE_PROCESSOR})
+  @Order(CommonConstants.BEAN_DEFAULT_ORDER)
   public EdgeTokenResponseProcessor edgeTokenResponseProcessor() {
     return new DumyEdgeTokenResponseProcessor();
   }
diff --git a/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/TokenEndpoint.java b/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/TokenEndpoint.java
index 87f7696..8718a0c 100644
--- a/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/TokenEndpoint.java
+++ b/api/edge-service/endpoint/src/main/java/org/apache/servicecomb/authentication/edge/TokenEndpoint.java
@@ -21,7 +21,7 @@ import java.util.Map;
 import java.util.concurrent.CompletableFuture;
 
 import org.apache.servicecomb.authentication.server.TokenResponse;
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.apache.servicecomb.provider.pojo.RpcReference;
 import org.apache.servicecomb.provider.rest.common.RestSchema;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -39,7 +39,7 @@ public class TokenEndpoint implements TokenService {
   private AuthenticationServerTokenEndpoint authenticationSererTokenEndpoint;
 
   @Autowired
-  @Qualifier(Constants.BEAN_AUTH_EDGE_TOKEN_RESPONSE_PROCESSOR)
+  @Qualifier(CommonConstants.BEAN_AUTH_EDGE_TOKEN_RESPONSE_PROCESSOR)
   private EdgeTokenResponseProcessor edgeTokenResponseProcessor;
 
   @Override
diff --git a/api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfiguration.java b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfiguration.java
similarity index 100%
copy from api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfiguration.java
copy to api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfiguration.java
diff --git a/api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfigurationManager.java b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfigurationManager.java
similarity index 100%
rename from api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfigurationManager.java
rename to api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfigurationManager.java
diff --git a/api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/AccessDeniedExceptionExceptionToProducerResponseConverter.java b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AccessDeniedExceptionExceptionToProducerResponseConverter.java
similarity index 100%
rename from api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/AccessDeniedExceptionExceptionToProducerResponseConverter.java
rename to api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AccessDeniedExceptionExceptionToProducerResponseConverter.java
diff --git a/api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AuthFilter.java
similarity index 70%
copy from api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java
copy to api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AuthFilter.java
index 2cc797c..22b2436 100644
--- a/api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java
+++ b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AuthFilter.java
@@ -15,28 +15,11 @@
  * limitations under the License.
  */
 
-package org.apache.servicecomb.authentication.jwt;
-
-public class JWTHeader {
-  private String typ;
-
-  private String alg;
-
-  public String getTyp() {
-    return typ;
-  }
-
-  public void setTyp(String typ) {
-    this.typ = typ;
-  }
-
-  public String getAlg() {
-    return alg;
-  }
-
-  public void setAlg(String alg) {
-    this.alg = alg;
-  }
+package org.apache.servicecomb.authentication.resource;
 
+import org.apache.servicecomb.core.Invocation;
+import org.apache.servicecomb.swagger.invocation.exception.InvocationException;
 
+public interface AuthFilter {
+  void doFilter(Invocation invocation) throws InvocationException;
 }
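Review bot: The new `AuthFilter` interface has no Javadoc, so implementers cannot tell how a filter should reject a request or what a normal return means. From the signature and the one implementation visible in this commit, it appears that throwing `InvocationException` denies the invocation and returning normally passes it on. The interface should say so, e.g. `/** One authentication or authorization step; throw InvocationException to reject the invocation, return normally to continue with the next filter. */`. It should also document the ordering contract, since `AuthenticationAuthFilter` is annotated `@Order(0)`, presumably so that it runs before authorization filters.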
diff --git a/api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfiguration.java b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AuthFiltersBean.java
similarity index 61%
rename from api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfiguration.java
rename to api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AuthFiltersBean.java
index 8167612..6e01029 100644
--- a/api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/AccessConfiguration.java
+++ b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AuthFiltersBean.java
@@ -17,21 +17,25 @@
 
 package org.apache.servicecomb.authentication.resource;
 
-import org.apache.servicecomb.config.inject.InjectProperties;
-import org.apache.servicecomb.config.inject.InjectProperty;
+import java.util.List;
 
-@InjectProperties(prefix = "servicecomb.authencation.access")
-public class AccessConfiguration {
-  @InjectProperty(keys = {
-      "needAuth.${schemaId}.${operationId}",
-      "needAuth.${schemaId}",
-      "needAuth"},
-      defaultValue = "true")
-  public boolean needAuth;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
 
-  @InjectProperty(keys = {
-      "roles.${schemaId}.${operationId}",
-      "roles.${schemaId}",
-      "roles"})
-  public String roles;
+@Component
+public class AuthFiltersBean implements InitializingBean {
+  @Autowired
+  private List<AuthFilter> authFilters;
+
+  private static List<AuthFilter> FILTERS;
+
+  public static List<AuthFilter> getAuthFilters() {
+    return FILTERS;
+  }
+
+  @Override
+  public void afterPropertiesSet() throws Exception {
+    FILTERS = authFilters;
+  }
 }
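Review bot: `getAuthFilters()` returns `null` until Spring has called `afterPropertiesSet`, and afterwards hands out the injected list itself through a non-volatile static field. A caller that runs before initialisation either throws a NullPointerException or, if it treats a missing list as "no filters", lets the invocation through without any authentication step; any caller can also modify the shared list. Failing closed would be safer: `if (FILTERS == null) { throw new IllegalStateException("auth filters not initialised"); }` in the getter and `FILTERS = Collections.unmodifiableList(new ArrayList<>(authFilters));` in `afterPropertiesSet`, with the field declared `volatile`. The code that calls `getAuthFilters()` is not in this hunk.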
diff --git a/api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/ResourceAuthHandler.java b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AuthenticationAuthFilter.java
similarity index 62%
rename from api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/ResourceAuthHandler.java
rename to api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AuthenticationAuthFilter.java
index 73f0b1a..468f881 100644
--- a/api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/ResourceAuthHandler.java
+++ b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/AuthenticationAuthFilter.java
@@ -20,76 +20,57 @@ package org.apache.servicecomb.authentication.resource;
 import java.util.HashSet;
 import java.util.Set;
 
-import org.apache.commons.lang3.StringUtils;
 import org.apache.servicecomb.authentication.token.JWTToken;
 import org.apache.servicecomb.authentication.token.JWTTokenStore;
-import org.apache.servicecomb.authentication.util.Constants;
-import org.apache.servicecomb.core.Handler;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.apache.servicecomb.core.Invocation;
 import org.apache.servicecomb.foundation.common.utils.BeanUtils;
-import org.apache.servicecomb.swagger.invocation.AsyncResponse;
 import org.apache.servicecomb.swagger.invocation.exception.InvocationException;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.stereotype.Component;
 
-public class ResourceAuthHandler implements Handler {
+@Component
+@Order(0)
+public class AuthenticationAuthFilter implements AuthFilter {
 
   @Override
-  public void handle(Invocation invocation, AsyncResponse asyncResponse) throws Exception {
+  public void doFilter(Invocation invocation) throws InvocationException {
     AccessConfiguration config = AccessConfigurationManager.getAccessConfiguration(invocation);
 
     // by pass authentication
     if (!config.needAuth) {
-      invocation.next(asyncResponse);
+      // TODO : shall we do authorization without authenticated? 
+      createSecurityContext(new HashSet<>());
       return;
     }
 
-    String idTokenValue = invocation.getContext(Constants.CONTEXT_HEADER_AUTHORIZATION);
+    String idTokenValue = invocation.getContext(CommonConstants.CONTEXT_HEADER_AUTHORIZATION);
     if (idTokenValue == null) {
-      asyncResponse.consumerFail(new InvocationException(403, "forbidden", "not authenticated"));
-      return;
+      throw new InvocationException(403, "forbidden", "not authenticated");
     }
+
     // verify tokens
-    JWTTokenStore store = BeanUtils.getBean(Constants.BEAN_AUTH_ID_TOKEN_STORE);
+    JWTTokenStore store = BeanUtils.getBean(CommonConstants.BEAN_AUTH_ID_TOKEN_STORE);
     JWTToken idToken = store.createTokenByValue(idTokenValue);
     if (idToken == null) {
-      asyncResponse.consumerFail(new InvocationException(403, "forbidden", "not authenticated"));
-      return;
-    }
-
-    // check roles
-    if (!StringUtils.isEmpty(config.roles)) {
-      String[] roles = config.roles.split(",");
-      if (roles.length > 0) {
-        boolean valid = false;
-        Set<String> authorities = idToken.getClaims().getAuthorities();
-        for (String role : roles) {
-          if (authorities.contains(role)) {
-            valid = true;
-            break;
-          }
-        }
-        if (!valid) {
-          asyncResponse.consumerFail(new InvocationException(403, "forbidden", "not authenticated"));
-          return;
-        }
-      }
+      throw new InvocationException(403, "forbidden", "not authenticated");
     }
 
-    // pre method authentiation
     Set<GrantedAuthority> grantedAuthorities = new HashSet<>(idToken.getClaims().getAuthorities().size());
     idToken.getClaims().getAuthorities().forEach(v -> grantedAuthorities.add(new SimpleGrantedAuthority(v)));
+    createSecurityContext(grantedAuthorities);
+  }
+
+  private void createSecurityContext(Set<GrantedAuthority> grantedAuthorities) {
     SecurityContext sc = new SecurityContextImpl();
     Authentication authentication = new SimpleAuthentication(true, grantedAuthorities);
     sc.setAuthentication(authentication);
     SecurityContextHolder.setContext(sc);
-
-    // next
-    invocation.next(asyncResponse);
   }
-
 }
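Review bot: In the `!config.needAuth` branch of `doFilter`, `createSecurityContext(new HashSet<>())` installs a `SimpleAuthentication(true, ...)`, so a caller who presented no token is recorded as authenticated with an empty authority set. Any later filter or business code that checks `isAuthenticated()` would then treat an anonymous caller as logged in, which is presumably what the TODO is asking about. I would pass the flag through: `createSecurityContext(false, new HashSet<>())` on the bypass path, `createSecurityContext(true, grantedAuthorities)` after token verification, and `new SimpleAuthentication(authenticated, grantedAuthorities)` in the helper. Separately, the missing-token and invalid-token cases both answer 403 with `not authenticated`, where 401 would let clients tell a missing credential from a denied one; that behaviour predates this commit.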
diff --git a/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/ConfigBasedAuthoriaztionAuthFilter.java b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/ConfigBasedAuthoriaztionAuthFilter.java
new file mode 100644
index 0000000..e9a6086
--- /dev/null
+++ b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/ConfigBasedAuthoriaztionAuthFilter.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.servicecomb.authentication.resource;
+
+import java.util.Collection;
+import java.util.HashSet;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.servicecomb.core.Invocation;
+import org.apache.servicecomb.swagger.invocation.exception.InvocationException;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
+@Component
+@Order(100)
+public class ConfigBasedAuthoriaztionAuthFilter implements AuthFilter {
+
+  @Override
+  public void doFilter(Invocation invocation) throws InvocationException {
+    AccessConfiguration config = AccessConfigurationManager.getAccessConfiguration(invocation);
+    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+    // check roles
+    if (!StringUtils.isEmpty(config.roles)) {
+      String[] roles = config.roles.split(",");
+      if (roles.length > 0) {
+        boolean valid = false;
+        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
+        Collection<String> authoritiesNames = new HashSet<String>();
+        authorities.forEach(a -> authoritiesNames.add(a.getAuthority()));
+        for (String role : roles) {
+          if (authoritiesNames.contains(role)) {
+            valid = true;
+            break;
+          }
+        }
+        if (!valid) {
+          throw new InvocationException(403, "forbidden", "not authenticated");
+        }
+      }
+    }
+  }
+
+}
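Review bot: `doFilter` dereferences `authentication` at `authentication.getAuthorities()` without a null check, although `SecurityContextHolder.getContext().getAuthentication()` returns null whenever no earlier filter has populated the context, which the new customizable filter list makes possible. That surfaces as a NullPointerException instead of a clean denial; add `if (authentication == null) { throw new InvocationException(403, "forbidden", "not authenticated"); }` before the role check. The role list is also split on `,` without trimming, so a value such as `admin, user` never matches ` user`, and a value of just `,` yields an empty array and skips the check entirely; comparing `role.trim()` and rejecting an empty result would close both. The denial at the end is an authorization failure, so the message `not authenticated` will mislead whoever reads the logs.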
diff --git a/api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/ResourceAuthHandler.java
similarity index 62%
copy from api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java
copy to api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/ResourceAuthHandler.java
index 2cc797c..c47ae33 100644
--- a/api/common/service/src/main/java/org/apache/servicecomb/authentication/jwt/JWTHeader.java
+++ b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/ResourceAuthHandler.java
@@ -15,28 +15,18 @@
  * limitations under the License.
  */
 
-package org.apache.servicecomb.authentication.jwt;
+package org.apache.servicecomb.authentication.resource;
 
-public class JWTHeader {
-  private String typ;
+import org.apache.servicecomb.core.Handler;
+import org.apache.servicecomb.core.Invocation;
+import org.apache.servicecomb.swagger.invocation.AsyncResponse;
 
-  private String alg;
+public class ResourceAuthHandler implements Handler {
 
-  public String getTyp() {
-    return typ;
+  @Override
+  public void handle(Invocation invocation, AsyncResponse asyncResponse) throws Exception {
+    AuthFiltersBean.getAuthFilters().forEach(authFilter -> authFilter.doFilter(invocation));
+    invocation.next(asyncResponse);
   }
 
-  public void setTyp(String typ) {
-    this.typ = typ;
-  }
-
-  public String getAlg() {
-    return alg;
-  }
-
-  public void setAlg(String alg) {
-    this.alg = alg;
-  }
-
-
 }
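Review bot: `handle` never clears the `SecurityContext` that the filters install through `SecurityContextHolder`, so with the default thread-local strategy it can outlive the request on a pooled thread. `AuthenticationAuthFilter` overwrites it on each call, but any path that does not reach that filter (a customized filter list, or an exception thrown by an earlier filter) would run with the previous caller's authorities. At minimum clear it on failure, `try { ... } catch (InvocationException e) { SecurityContextHolder.clearContext(); throw e; }`, and consider clearing it once the response has completed as well. Failures are now thrown out of `handle` rather than reported with `asyncResponse.consumerFail(...)`; whether the framework turns that into the same 403 response is not visible in this hunk and is worth a test.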
diff --git a/api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/SimpleAuthentication.java b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/SimpleAuthentication.java
similarity index 99%
rename from api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/SimpleAuthentication.java
rename to api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/SimpleAuthentication.java
index a23404c..d1d192a 100644
--- a/api/resource-server/service/src/main/java/org/apache/servicecomb/authentication/resource/SimpleAuthentication.java
+++ b/api/resource-server/endpoint/src/main/java/org/apache/servicecomb/authentication/resource/SimpleAuthentication.java
@@ -23,10 +23,6 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 
 public class SimpleAuthentication implements Authentication {
-
-  /**
-   * 
-   */
   private static final long serialVersionUID = 6077733273349249822L;
 
   private boolean authenticated;
diff --git a/api/resource-server/service/src/main/resources/META-INF/services/org.apache.servicecomb.swagger.invocation.exception.ExceptionToProducerResponseConverter b/api/resource-server/endpoint/src/main/resources/META-INF/services/org.apache.servicecomb.swagger.invocation.exception.ExceptionToProducerResponseConverter
similarity index 100%
rename from api/resource-server/service/src/main/resources/META-INF/services/org.apache.servicecomb.swagger.invocation.exception.ExceptionToProducerResponseConverter
rename to api/resource-server/endpoint/src/main/resources/META-INF/services/org.apache.servicecomb.swagger.invocation.exception.ExceptionToProducerResponseConverter
diff --git a/api/resource-server/service/src/main/resources/config/cse.handler.xml b/api/resource-server/endpoint/src/main/resources/config/cse.handler.xml
similarity index 100%
rename from api/resource-server/service/src/main/resources/config/cse.handler.xml
rename to api/resource-server/endpoint/src/main/resources/config/cse.handler.xml
diff --git a/samples/AuthenticationServer/src/main/java/org/apache/servicecomb/authentication/AuthenticationConfiguration.java b/samples/AuthenticationServer/src/main/java/org/apache/servicecomb/authentication/AuthenticationConfiguration.java
index 49639ff..169f28b 100644
--- a/samples/AuthenticationServer/src/main/java/org/apache/servicecomb/authentication/AuthenticationConfiguration.java
+++ b/samples/AuthenticationServer/src/main/java/org/apache/servicecomb/authentication/AuthenticationConfiguration.java
@@ -21,7 +21,7 @@ import java.util.Arrays;
 
 import org.apache.servicecomb.authentication.token.AbstractOpenIDTokenStore;
 import org.apache.servicecomb.authentication.token.InMemoryOpenIDTokenStore;
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
@@ -38,27 +38,27 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 @Configuration
 public class AuthenticationConfiguration {
-  @Bean(name = Constants.BEAN_AUTH_PASSWORD_ENCODER)
+  @Bean(name = CommonConstants.BEAN_AUTH_PASSWORD_ENCODER)
   public PasswordEncoder authPasswordEncoder() {
     return new Pbkdf2PasswordEncoder();
   }
 
-  @Bean(name = {Constants.BEAN_AUTH_SIGNER, Constants.BEAN_AUTH_SIGNATURE_VERIFIER})
+  @Bean(name = {CommonConstants.BEAN_AUTH_SIGNER, CommonConstants.BEAN_AUTH_SIGNATURE_VERIFIER})
   public SignerVerifier authSignerVerifier() {
     // If using RSA, need to configure authSigner and authSignatureVerifier separately. 
     // If using MacSigner, need to protect the shared key by properly encryption.
     return new MacSigner("Please change this key.");
   }
 
-  @Bean(name = Constants.BEAN_AUTH_OPEN_ID_TOKEN_STORE)
+  @Bean(name = CommonConstants.BEAN_AUTH_OPEN_ID_TOKEN_STORE)
   public AbstractOpenIDTokenStore openIDTokenStore() {
     // TODO: Use in memory store for testing. Need to implement JDBC or Redis SessionIDTokenStore in product. 
     return new InMemoryOpenIDTokenStore();
   }
 
-  @Bean(name = Constants.BEAN_AUTH_USER_DETAILS_SERVICE)
+  @Bean(name = CommonConstants.BEAN_AUTH_USER_DETAILS_SERVICE)
   public UserDetailsService authUserDetailsService(
-      @Autowired @Qualifier(Constants.BEAN_AUTH_PASSWORD_ENCODER) PasswordEncoder passwordEncoder) {
+      @Autowired @Qualifier(CommonConstants.BEAN_AUTH_PASSWORD_ENCODER) PasswordEncoder passwordEncoder) {
     // TODO: Use in memory UserDetails, need to implement JDBC or others in product
     InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
     UserDetails uAdmin = new User("admin", passwordEncoder.encode("changeMyPassword"),
diff --git a/samples/Client/src/main/java/org/apache/servicecomb/authentication/AuthenticationTestCase.java b/samples/Client/src/main/java/org/apache/servicecomb/authentication/AuthenticationTestCase.java
index eb13bf1..0b7601f 100644
--- a/samples/Client/src/main/java/org/apache/servicecomb/authentication/AuthenticationTestCase.java
+++ b/samples/Client/src/main/java/org/apache/servicecomb/authentication/AuthenticationTestCase.java
@@ -18,7 +18,7 @@
 package org.apache.servicecomb.authentication;
 
 import org.apache.servicecomb.authentication.server.TokenResponse;
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
@@ -53,7 +53,7 @@ public class AuthenticationTestCase implements TestCase {
         BootEventListener.edgeServiceTokenEndpoint.postForObject("/",
             new HttpEntity<>(map, headers),
             TokenResponse.class);
-    TestMgr.check(Constants.TOKEN_TYPE_BEARER, token.getToken_type());
+    TestMgr.check(CommonConstants.TOKEN_TYPE_BEARER, token.getToken_type());
     TestMgr.check(true, token.getId_token().length() > 10);
     return token.getId_token();
   }
@@ -71,7 +71,7 @@ public class AuthenticationTestCase implements TestCase {
         BootEventListener.edgeServiceTokenEndpoint.postForObject("/",
             new HttpEntity<>(map, headers),
             TokenResponse.class);
-    TestMgr.check(Constants.TOKEN_TYPE_BEARER, token.getToken_type());
+    TestMgr.check(CommonConstants.TOKEN_TYPE_BEARER, token.getToken_type());
     TestMgr.check(true, token.getAccess_token().length() > 10);
 
     // refresh token
diff --git a/samples/EdgeService/src/main/java/org/apache/servicecomb/authentication/gateway/AuthenticationConfiguration.java b/samples/EdgeService/src/main/java/org/apache/servicecomb/authentication/gateway/AuthenticationConfiguration.java
index 62ab060..bd0b588 100644
--- a/samples/EdgeService/src/main/java/org/apache/servicecomb/authentication/gateway/AuthenticationConfiguration.java
+++ b/samples/EdgeService/src/main/java/org/apache/servicecomb/authentication/gateway/AuthenticationConfiguration.java
@@ -19,7 +19,7 @@ package org.apache.servicecomb.authentication.gateway;
 
 import org.apache.servicecomb.authentication.token.JWTTokenStore;
 import org.apache.servicecomb.authentication.token.JWTTokenStoreImpl;
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
@@ -30,16 +30,16 @@ import org.springframework.security.jwt.crypto.sign.SignerVerifier;
 
 @Configuration
 public class AuthenticationConfiguration {
-  @Bean(name = {Constants.BEAN_AUTH_SIGNER, Constants.BEAN_AUTH_SIGNATURE_VERIFIER})
+  @Bean(name = {CommonConstants.BEAN_AUTH_SIGNER, CommonConstants.BEAN_AUTH_SIGNATURE_VERIFIER})
   public SignerVerifier authSignerVerifier() {
     // If using RSA, need to configure authSigner and authSignatureVerifier separately. 
     // If using MacSigner, need to protect the shared key by properly encryption.
     return new MacSigner("Please change this key.");
   }
 
-  @Bean(name = Constants.BEAN_AUTH_ID_TOKEN_STORE)
-  public JWTTokenStore authIDTokenStore(@Autowired @Qualifier(Constants.BEAN_AUTH_SIGNER) Signer signer, 
-      @Autowired @Qualifier(Constants.BEAN_AUTH_SIGNATURE_VERIFIER) SignerVerifier signerVerifier) {
+  @Bean(name = CommonConstants.BEAN_AUTH_ID_TOKEN_STORE)
+  public JWTTokenStore authIDTokenStore(@Autowired @Qualifier(CommonConstants.BEAN_AUTH_SIGNER) Signer signer, 
+      @Autowired @Qualifier(CommonConstants.BEAN_AUTH_SIGNATURE_VERIFIER) SignerVerifier signerVerifier) {
     return new JWTTokenStoreImpl(signer, signerVerifier);
   }
 
diff --git a/samples/ResourceServer/src/main/java/org/apache/servicecomb/authentication/resource/AuthenticationConfiguration.java b/samples/ResourceServer/src/main/java/org/apache/servicecomb/authentication/resource/AuthenticationConfiguration.java
index b1dcb00..77d857e 100644
--- a/samples/ResourceServer/src/main/java/org/apache/servicecomb/authentication/resource/AuthenticationConfiguration.java
+++ b/samples/ResourceServer/src/main/java/org/apache/servicecomb/authentication/resource/AuthenticationConfiguration.java
@@ -19,7 +19,7 @@ package org.apache.servicecomb.authentication.resource;
 
 import org.apache.servicecomb.authentication.token.JWTTokenStore;
 import org.apache.servicecomb.authentication.token.JWTTokenStoreImpl;
-import org.apache.servicecomb.authentication.util.Constants;
+import org.apache.servicecomb.authentication.util.CommonConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
@@ -30,16 +30,16 @@ import org.springframework.security.jwt.crypto.sign.SignerVerifier;
 
 @Configuration
 public class AuthenticationConfiguration {
-  @Bean(name = {Constants.BEAN_AUTH_SIGNER, Constants.BEAN_AUTH_SIGNATURE_VERIFIER})
+  @Bean(name = {CommonConstants.BEAN_AUTH_SIGNER, CommonConstants.BEAN_AUTH_SIGNATURE_VERIFIER})
   public SignerVerifier authSignerVerifier() {
     // If using RSA, need to configure authSigner and authSignatureVerifier separately. 
     // If using MacSigner, need to protect the shared key by properly encryption.
     return new MacSigner("Please change this key.");
   }
 
-  @Bean(name = Constants.BEAN_AUTH_ID_TOKEN_STORE)
-  public JWTTokenStore authIDTokenStore(@Autowired @Qualifier(Constants.BEAN_AUTH_SIGNER) Signer signer, 
-      @Autowired @Qualifier(Constants.BEAN_AUTH_SIGNATURE_VERIFIER) SignerVerifier signerVerifier) {
+  @Bean(name = CommonConstants.BEAN_AUTH_ID_TOKEN_STORE)
+  public JWTTokenStore authIDTokenStore(@Autowired @Qualifier(CommonConstants.BEAN_AUTH_SIGNER) Signer signer, 
+      @Autowired @Qualifier(CommonConstants.BEAN_AUTH_SIGNATURE_VERIFIER) SignerVerifier signerVerifier) {
     return new JWTTokenStoreImpl(signer, signerVerifier);
   }