
Dubbo Security is based on spring security built rpc communication authentication module , following spring security configuration to complete the client and server authorization access through the Spring security context authorization information .

service call

  • Scene one: A,B,C dependency Dubbo Spring Security. B and C enable authorization config. During the invocation process, B will perform authorization check first, and if the verification is successful, it will call C for verification.

  • Scene two: A,C dependency Dubbo Spring Security. A calls B and during the process of B calling C, the authorization information will be transparently passed through. C will receive the authorization information and perform authorization verification.

configuration pom





provider enable security

@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class ProviderApplication {

  • dubbo-samples

custom serialization

  • Add a configuration class.
public class SecuritySerializationConfig {

    public DefaultObjectMapperCodecCustomer objectMapperCodecCustomer() {
        return new DefaultObjectMapperCodecCustomer();
public class DefaultObjectMapperCodecCustomer implements ObjectMapperCodecCustomer {
    public void customize(ObjectMapperCodec objectMapperCodec) {
         //Add custom codec


  • Most implementations of Authentication objects for Spring Security use a parameterized constructor. If you customize the Authentication object and use a parameterized constructor, you must register the deserializer for the ObjectMapper when deserializing.In a Dubbo application, you can use the ObjectMapperCodecCustomer extension to customize the serialization and deserialization of objects。

  • If you do not have a custom implementation of deserializer errors, Dubbo ignores the current error

  • In spring security, custom deserialization implementation references UsernamePasswordAuthenticationTokenDeserializer