| <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Apache Dubbo – Improve service security</title><link>https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/</link><description>Recent content in Improve service security on Apache Dubbo</description><generator>Hugo -- gohugo.io</generator><language>en</language><atom:link href="https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/index.xml" rel="self" type="application/rss+xml"/><item><title>Docs3-V2: Dubbo Class Inspection Mechanism</title><link>https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/class-check/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/class-check/</guid><description> |
| <h2 id="supported-versions">Supported versions</h2> |
| <p>Dubbo &gt;= 3.1.6</p> |
| <h2 id="scope-of-application">Scope of application</h2> |
| <p>Currently, the serialization check supports Hessian2, Fastjson2 serialization and generalized calls. Other serialization methods are not currently supported.</p> |
| <h2 id="configuration-method">configuration method</h2> |
| <h3 id="1-check-mode">1. Check mode</h3> |
| <p>The inspection mode is divided into three levels: <code>STRICT</code> strict inspection, <code>WARN</code> warning, <code>DISABLED</code> disabled. |
| <code>STRICT</code> Strict checks: disallow deserialization of all classes that are not in the allowed serialization list (whitelist). |
| <code>WARN</code> warning: only prohibits serialization of all classes in the disallowed serialization list (blacklist), and alerts through logs when deserializing classes that are not in the allowed serialization list (whitelist). |
| <code>DISABLED</code> Disabled: Do not do any checks.</p> |
| <p>Version 3.1 defaults to <code>WARN</code> warning level, and version 3.2 defaults to <code>STRICT</code> strict checking level.</p> |
| <p>Configuration via ApplicationConfig:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>ApplicationConfig applicationConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> ApplicationConfig(); |
| </span></span><span style="display:flex;"><span>applicationConfig.setSerializeCheckStatus(<span style="color:#2aa198">&#34;STRICT&#34;</span>); |
| </span></span></code></pre></div><p>Configuration via Spring XML:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:application</span> name=<span style="color:#2aa198">&#34;demo-provider&#34;</span> serialize-check-status=<span style="color:#2aa198">&#34;STRICT&#34;</span><span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>Configure via Spring Properties / dubbo.properties:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>dubbo.application.serialize-check-status<span style="color:#719e07">=</span><span style="color:#2aa198">STRICT</span> |
| </span></span></code></pre></div><p>Configure via System Property:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>-Ddubbo.application.serialize-check-status<span style="color:#719e07">=</span><span style="color:#2aa198">STRICT</span> |
| </span></span></code></pre></div><p>After the configuration is successful, you can see the following prompts in the log:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>INFO utils.SerializeSecurityManager: [DUBBO] Serialize check level: STRICT |
| </span></span></code></pre></div><p>Note: If multiple applications under the same process (Dubbo Framework Model) are configured with different inspection modes at the same time, the &ldquo;loosenest&rdquo; level will eventually take effect. If two Spring Contexts are started at the same time, one is configured as <code>STRICT</code> and the other is configured as <code>WARN</code>, the <code>WARN</code> level configuration will finally take effect.</p> |
| <h3 id="2-serializable-interface-check">2. Serializable interface check</h3> |
| <p>The Serializable interface check mode is divided into two levels: <code>true</code> is enabled, and <code>false</code> is disabled. When the check is turned on, it will refuse to deserialize all classes that do not implement <code>Serializable</code>.</p> |
| <p>The default configuration in Dubbo is <code>true</code> to enable the check.</p> |
| <p>Configuration via ApplicationConfig:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>ApplicationConfig applicationConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> ApplicationConfig(); |
| </span></span><span style="display:flex;"><span>applicationConfig.setCheckSerializable(<span style="color:#cb4b16">true</span>); |
| </span></span></code></pre></div><p>Configuration via Spring XML:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:application</span> name=<span style="color:#2aa198">&#34;demo-provider&#34;</span> check-serializable=<span style="color:#2aa198">&#34;true&#34;</span><span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>Configure via Spring Properties / dubbo.properties:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>dubbo.application.check-serializable<span style="color:#719e07">=</span><span style="color:#2aa198">true</span> |
| </span></span></code></pre></div><p>Configure via System Property:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>-Ddubbo.application.check-serializable<span style="color:#719e07">=</span><span style="color:#2aa198">true</span> |
| </span></span></code></pre></div><p>After the configuration is successful, you can see the following prompts in the log:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>INFO utils.SerializeSecurityManager: [DUBBO] Serialize check serializable: true |
| </span></span></code></pre></div><p>Note 1: If multiple applications under the same process (Dubbo Framework Model) are configured with different Serializable interface inspection modes at the same time, the &ldquo;loosenest&rdquo; level will eventually take effect. If two Spring Contexts are started at the same time, one configured as <code>true</code> and the other configured as <code>false</code>, the <code>false</code> level configuration will finally take effect. |
| Note 2: At present, the built-in <code>Serializable</code> check configuration of Hessian2 and Fastjson2 has not been opened. For generalized calls, you only need to configure <code>dubbo.application.check-serializable</code> to modify the check configuration; for Hessian2 serialization, you need to modify <code>dubbo.application.check-serializable</code> and <code>dubbo.hessian.allowNonSerializable</code> at the same time</p> |
| <h3 id="3-automatically-scan-related-configurations">3. Automatically scan related configurations</h3> |
| <p>There are two configuration items in the Dubbo class automatic scanning mechanism: `AutoTrustSerializeClass</p> |
| <p>To put it simply, after automatic class scanning is enabled, Dubbo will automatically scan all related classes that may be used by the interface through <code>ReferenceConfig</code> and <code>ServiceConfig</code>, and recursively trust its package. `TrustSerializeClassLevel</p> |
| <p>The default configuration in Dubbo is `AutoTrustSerializeClass</p> |
| <p>Configuration via ApplicationConfig:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>ApplicationConfig applicationConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> ApplicationConfig(); |
| </span></span><span style="display:flex;"><span>applicationConfig.setAutoTrustSerializeClass(<span style="color:#cb4b16">true</span>); |
| </span></span><span style="display:flex;"><span>applicationConfig.setTrustSerializeClassLevel(3); |
| </span></span></code></pre></div><p>Configuration via Spring XML:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:application</span> name=<span style="color:#2aa198">&#34;demo-provider&#34;</span> auto-trust-serialize-class=<span style="color:#2aa198">&#34;true&#34;</span> trust-serialize-class-level=<span style="color:#2aa198">&#34;3&#34;</span><span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>Configure via Spring Properties / dubbo.properties:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>dubbo.application.auto-trust-serialize-class<span style="color:#719e07">=</span><span style="color:#2aa198">true</span> |
| </span></span><span style="display:flex;"><span>dubbo.application.trust-serialize-class-level<span style="color:#719e07">=</span><span style="color:#2aa198">3</span> |
| </span></span></code></pre></div><p>Configure via System Property:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>-Ddubbo.application.auto-trust-serialize-class<span style="color:#719e07">=</span><span style="color:#2aa198">true</span> |
| </span></span><span style="display:flex;"><span>-Ddubbo.application.trust-serialize-class-level<span style="color:#719e07">=</span><span style="color:#2aa198">3</span> |
| </span></span></code></pre></div><p>After the configuration is successful, you can use the QoS command to check whether the results of the currently loaded trusted classes meet expectations.</p> |
| <p>Note: After the check is enabled, there will be a certain performance loss during the startup process.</p> |
| <h3 id="4-custom-configuration-of-trusteduntrusted-classes">4. Custom configuration of trusted/untrusted classes</h3> |
| <p>In addition to Dubbo&rsquo;s automatic scanning classes, it also supports configuration of trusted/untrusted class lists through resource files.</p> |
| <p>Configuration method: define the following files under the resource directory (resource).</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span><span style="color:#586e75"># security/serialize.allowlist</span> |
| </span></span><span style="display:flex;"><span>io.dubbo.test |
| </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span><span style="color:#586e75"># security/serialize.blockedlist</span> |
| </span></span><span style="display:flex;"><span>io.dubbo.block |
| </span></span></code></pre></div><p>After the configuration is successful, you can see the following prompts in the log:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>INFO <span style="color:#2aa198">utils.SerializeSecurityConfigurator: [DUBBO] Read serialize allow list from file:/Users/albumen/code/dubbo-samples/99-integration/dubbo-samples-serialize-check/target/classes/security/serialize.allowlist</span> |
| </span></span><span style="display:flex;"><span>INFO <span style="color:#2aa198">utils.SerializeSecurityConfigurator: [DUBBO] Read serialize blocked list from file:/Users/albumen/code/dubbo-samples/99-integration/dubbo-samples-serialize-check/target/classes/security/serialize.blockedlist</span> |
| </span></span></code></pre></div><p>The configuration priority is: user-defined trusted class = built-in trusted class of the framework &gt; user-defined untrusted class = built-in untrusted class of the framework &gt; automatic class scanning trusted class.</p> |
| <h2 id="audit-method">Audit method</h2> |
| <p>Dubbo supports real-time viewing of current configuration information and trusted/untrusted class lists through QoS commands. Currently supports two commands: <code>serializeCheckStatus</code> to view the current configuration information, <code>serializeWarnedClasses</code> to view the real-time alarm list.</p> |
| <ol> |
| <li><code>serializeCheckStatus</code> View the current configuration information</li> |
| </ol> |
| <p>Access directly through the console:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>&gt; telnet 127.0.0.1 <span style="color:#2aa198">22222</span> |
| </span></span><span style="display:flex;"><span>Trying 127.0.0.1... |
| </span></span><span style="display:flex;"><span>Connected to localhost. |
| </span></span><span style="display:flex;"><span>Escape character is <span style="color:#2aa198">&#39;^]&#39;</span>. |
| </span></span><span style="display:flex;"><span> ___ __ __ ___ ___ ____ |
| </span></span><span style="display:flex;"><span> / _ <span style="color:#cb4b16">\ </span>/ / / // _ <span style="color:#719e07">)</span> / _ <span style="color:#719e07">)</span> / __ <span style="color:#cb4b16">\ |
| </span></span></span><span style="display:flex;"><span><span style="color:#cb4b16"></span> / // // /_/ // _ |/ _ |/ /_/ / |
| </span></span><span style="display:flex;"><span>/____/ <span style="color:#cb4b16">\_</span>___//____//____/ <span style="color:#cb4b16">\_</span>___/ |
| </span></span><span style="display:flex;"><span>dubbo&gt;serializeCheckStatus |
| </span></span><span style="display:flex;"><span>CheckStatus: WARN |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>CheckSerializable: <span style="color:#b58900">true</span> |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>AllowedPrefix: |
| </span></span><span style="display:flex;"><span>... |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>DisAllowedPrefix: |
| </span></span><span style="display:flex;"><span>... |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>dubbo&gt; |
| </span></span></code></pre></div><p>Request the result in json format via http:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>&gt; curl http://127.0.0.1:22222/serializeCheckStatus |
| </span></span><span style="display:flex;"><span><span style="color:#719e07">{</span><span style="color:#2aa198">&#34;checkStatus&#34;</span>: <span style="color:#2aa198">&#34;WARN&#34;</span>,<span style="color:#2aa198">&#34;allowedPrefix&#34;</span>:<span style="color:#719e07">[</span>...<span style="color:#719e07">]</span>,<span style="color:#2aa198">&#34;checkSerializable&#34;</span>:true,<span style="color:#2aa198">&#34;disAllowedPrefix&#34;</span>:<span style="color:#719e07">[</span>...<span style="color:#719e07">]}</span> |
| </span></span></code></pre></div><ol start="2"> |
| <li><code>serializeWarnedClasses</code> view real-time warning list</li> |
| </ol> |
| <p>Access directly through the console:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>&gt; telnet 127.0.0.1 <span style="color:#2aa198">22222</span> |
| </span></span><span style="display:flex;"><span>Trying 127.0.0.1... |
| </span></span><span style="display:flex;"><span>Connected to localhost. |
| </span></span><span style="display:flex;"><span>Escape character is <span style="color:#2aa198">&#39;^]&#39;</span>. |
| </span></span><span style="display:flex;"><span> ___ __ __ ___ ___ ____ |
| </span></span><span style="display:flex;"><span> / _ <span style="color:#cb4b16">\ </span>/ / / // _ <span style="color:#719e07">)</span> / _ <span style="color:#719e07">)</span> / __ <span style="color:#cb4b16">\ |
| </span></span></span><span style="display:flex;"><span><span style="color:#cb4b16"></span> / // // /_/ // _ |/ _ |/ /_/ / |
| </span></span><span style="display:flex;"><span>/____/ <span style="color:#cb4b16">\_</span>___//____//____/ <span style="color:#cb4b16">\_</span>___/ |
| </span></span><span style="display:flex;"><span>dubbo&gt;serializeWarnedClasses |
| </span></span><span style="display:flex;"><span>Warned Classes: |
| </span></span><span style="display:flex;"><span>io.dubbo.test.NotSerializable |
| </span></span><span style="display:flex;"><span>io.dubbo.test2.NotSerializable |
| </span></span><span style="display:flex;"><span>io.dubbo.test2.OthersSerializable |
| </span></span><span style="display:flex;"><span>org.apache.dubbo.samples.NotSerializable |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>dubbo&gt; |
| </span></span></code></pre></div><p>Request the result in json format via http:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>&gt; curl http://127.0.0.1:22222/serializeWarnedClasses |
| </span></span><span style="display:flex;"><span><span style="color:#719e07">{</span><span style="color:#2aa198">&#34;warnedClasses&#34;</span>:<span style="color:#719e07">[</span><span style="color:#2aa198">&#34;io.dubbo.test2.NotSerializable&#34;</span>,<span style="color:#2aa198">&#34;org.apache.dubbo.samples.NotSerializable&#34;</span>,<span style="color:#2aa198">&#34;io.dubbo.test.NotSerializable&#34;</span>,<span style="color:#2aa198">&#34;io.dubbo.test2.OthersSerializable&#34;</span><span style="color:#719e07">]}</span> |
| </span></span></code></pre></div><p>Note: It is recommended to pay attention to the result of <code>serializeWarnedClasses</code> in time, and judge whether it is attacked by whether the returned result is not empty.</p></description></item><item><title>Docs3-V2: TLS Support</title><link>https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/tls/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/tls/</guid><description> |
| <h2 id="feature-description">Feature description</h2> |
| <p>Both the built-in Dubbo Netty Server and the newly introduced gRPC protocol provide a TLS-based secure link transmission mechanism.</p> |
| <p>There is a unified entry for TLS configuration.</p> |
| <h2 id="scenes-to-be-used">scenes to be used</h2> |
| <p>Users who require encryption for the entire link can use TLS.</p> |
| <h2 id="reference-use-case">Reference use case</h2> |
| <p><a href="https://github.com/apache/dubbo-samples/tree/master/4-governance/dubbo-samples-ssl">https://github.com/apache/dubbo-samples/tree/master/dubbo-samples-ssl</a></p> |
| <h2 id="how-to-use">How to use</h2> |
| <h3 id="provider-side">Provider side</h3> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>SslConfig sslConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> SslConfig(); |
| </span></span><span style="display:flex;"><span>sslConfig.setServerKeyCertChainPath(<span style="color:#2aa198">&#34;path to cert&#34;</span>); |
| </span></span><span style="display:flex;"><span>sslConfig.setServerPrivateKeyPath(args<span style="color:#719e07">[</span>1<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span><span style="color:#586e75">// If two-way cert authentication is enabled</span> |
| </span></span><span style="display:flex;"><span><span style="color:#719e07">if</span> (mutualTls) { |
| </span></span><span style="display:flex;"><span> sslConfig.setServerTrustCertCollectionPath(args<span style="color:#719e07">[</span>2<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span>} |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>ProtocolConfig protocolConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> ProtocolConfig(<span style="color:#2aa198">&#34;dubbo/grpc&#34;</span>); |
| </span></span><span style="display:flex;"><span>protocolConfig.setSslEnabled(<span style="color:#cb4b16">true</span>); |
| </span></span></code></pre></div><p>If you want to use the gRPC protocol, the protocol negotiation mechanism will be used when TLS is turned on, so you must use a Provider that supports the ALPN mechanism. The recommended one is netty-tcnative. For details, please refer to [Summary](https:/ /github.com/grpc/grpc-java/blob/master/SECURITY.md)</p> |
| <h3 id="consumer-side">Consumer side</h3> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#719e07">if</span> (<span style="color:#719e07">!</span>mutualTls) {} |
| </span></span><span style="display:flex;"><span> sslConfig.setClientTrustCertCollectionPath(args<span style="color:#719e07">[</span>0<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span>} <span style="color:#719e07">else</span> { |
| </span></span><span style="display:flex;"><span> sslConfig.setClientTrustCertCollectionPath(args<span style="color:#719e07">[</span>0<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span> sslConfig.setClientKeyCertChainPath(args<span style="color:#719e07">[</span>1<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span> sslConfig.setClientPrivateKeyPath(args<span style="color:#719e07">[</span>2<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span>} |
| </span></span></code></pre></div><p>In order to ensure the flexibility of application startup as much as possible, the specification of TLS Cert can also be dynamically specified during the startup phase according to the deployment environment through -D parameters or environment variables. Refer to Dubbo [Configuration Read Rules](/zh-cn/docs/advanced /config-rule)</p> |
| <blockquote> |
| <p>On the security of service calls, Dubbo will continue to invest in subsequent versions, and the authentication mechanism for service discovery/calling is expected to meet you in the next version.</p> |
| </blockquote></description></item><item><title>Docs3-V2: Access Control</title><link>https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/token-authorization/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/token-authorization/</guid><description> |
| <h2 id="feature-description">Feature description</h2> |
| <p>Control authority in the registration center through token verification to decide whether to issue tokens to consumers, |
| can prevent consumers from bypassing the registry to access the provider, |
| In addition, the authorization method can be flexibly changed through the registration center without modifying or upgrading the provider.</p> |
| <p><img src="https://dubbo.apache.org/imgs/user/dubbo-token.jpg" alt="/user-guide/images/dubbo-token.jpg"></p> |
| <h2 id="scenes-to-be-used">scenes to be used</h2> |
| <p>To a certain extent, the trusted authentication of the client and the server is realized, preventing any client from being able to access, and reducing the risk of security problems.</p> |
| <h2 id="how-to-use">How to use</h2> |
| <h3 id="global-settings">Global Settings</h3> |
| <p>Enable token verification</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#586e75">&lt;!--Random token token, generated using UUID --&gt;</span> |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:provider</span> token=<span style="color:#2aa198">&#34;true&#34;</span> <span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>or</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#586e75">&lt;!--Fixed token token, equivalent to password--&gt;</span> |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:provider</span> token=<span style="color:#2aa198">&#34;123456&#34;</span> <span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><h3 id="service-level-settings">Service Level Settings</h3> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#586e75">&lt;!--Random token token, generated using UUID --&gt;</span> |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:service</span> interface=<span style="color:#2aa198">&#34;com.foo.BarService&#34;</span> token=<span style="color:#2aa198">&#34;true&#34;</span> <span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>or</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#586e75">&lt;!--Fixed token token, equivalent to password--&gt;</span> |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:service</span> interface=<span style="color:#2aa198">&#34;com.foo.BarService&#34;</span> token=<span style="color:#2aa198">&#34;123456&#34;</span> <span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div></description></item><item><title>Docs3-V2: Service Authentication</title><link>https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/auth/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/auth/</guid><description> |
| <h2 id="feature-description">Feature description</h2> |
| <p>Security-sensitive businesses like payments may have a need to limit anonymous calls. In terms of security enhancement, 2.7.5 introduces the authentication and authentication mechanism based on the AK/SK mechanism, and introduces the authentication service center. The main principle is that when the consumer requests a service that requires authentication, it will pass SK, request Data, timestamps, parameters and other information to generate the corresponding request signature, which is carried to the peer end through Dubbo&rsquo;s Attahcment mechanism for signature verification, and business logic processing is performed only after the signature verification is passed. As shown below:</p> |
| <p><img src="https://dubbo.apache.org/imgs/docsv2.7/user/examples/auth/auth.png" alt="img"></p> |
| <h2 id="scenes-to-be-used">scenes to be used</h2> |
| <h2 id="how-to-use">How to use</h2> |
| <h3 id="access-method">access method</h3> |
| <ol> |
| <li> |
| <p>Users need to fill in their application information on the microservice site and generate a unique certificate for the application.</p> |
| </li> |
| <li> |
| <p>Submit a work order on the management site to apply for the permission to use a certain sensitive business service, which will be approved by the corresponding business manager. After the approval is passed, the corresponding AK/SK will be generated and sent to the authentication service center.</p> |
| </li> |
| <li> |
| <p>Import the certificate to the corresponding application and configure it. The configuration method is also very simple. Take the annotation method as an example:</p> |
| <h3 id="service-provider">Service Provider</h3> |
| <p>You only need to set <code>service.auth</code> to true, which means that the call of the service needs to pass the authentication. <code>param.sign</code> is <code>true</code>, which means that the parameter needs to be verified.</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#268bd2">@Service</span>(parameters <span style="color:#719e07">=</span> {<span style="color:#2aa198">&#34;service.auth&#34;</span>,<span style="color:#2aa198">&#34;true&#34;</span>,<span style="color:#2aa198">&#34;param.sign&#34;</span>,<span style="color:#2aa198">&#34;true&#34;</span>}) |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">public</span> <span style="color:#268bd2">class</span> <span style="color:#268bd2">AuthDemoServiceImpl</span> <span style="color:#268bd2">implements</span> AuthService { |
| </span></span><span style="display:flex;"><span>} |
| </span></span></code></pre></div><h3 id="service-consumer">Service consumer</h3> |
| <p>You only need to configure the corresponding certificate and other information, and then the signature operation will be automatically performed before invoking these interfaces that require authentication. Through the interaction with the authentication service, the user does not need to configure sensitive information such as AK/SK in the code , and refresh the AK/SK without restarting the application to achieve the purpose of dynamically issuing permissions.</p> |
| </li> |
| </ol> |
| <p>The solution has been submitted to the Dubbo open source community, and the basic framework has been merged. In addition to the AK/SK authentication method, the SPI mechanism supports user-customizable authentication and encryption that adapts to the company&rsquo;s internal infrastructure. key storage.</p></description></item></channel></rss> |
