| <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Apache Dubbo – 提升服务安全性</title><link>https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/</link><description>Recent content in 提升服务安全性 on Apache Dubbo</description><generator>Hugo -- gohugo.io</generator><language>zh-cn</language><atom:link href="https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/index.xml" rel="self" type="application/rss+xml"/><item><title>Overview: TLS支持</title><link>https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/tls/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/tls/</guid><description> |
| <h2 id="特性说明">特性说明</h2> |
| <p>内置的 Dubbo Netty Server 和新引入的 gRPC 协议都提供了基于 TLS 的安全链路传输机制。</p> |
| <p>TLS 的配置都有统一的入口。</p> |
| <h2 id="使用场景">使用场景</h2> |
| <p>对全链路有加密需求的用户可以使用 TLS。</p> |
| <blockquote> |
| <p>参考用例 |
| <a href="https://github.com/apache/dubbo-samples/tree/master/4-governance/dubbo-samples-ssl">https://github.com/apache/dubbo-samples/tree/master/dubbo-samples-ssl</a></p> |
| </blockquote> |
| <h2 id="使用方式">使用方式</h2> |
| <h3 id="provider-端">Provider 端</h3> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>SslConfig sslConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> SslConfig(); |
| </span></span><span style="display:flex;"><span>sslConfig.setServerKeyCertChainPath(<span style="color:#2aa198">&#34;path to cert&#34;</span>); |
| </span></span><span style="display:flex;"><span>sslConfig.setServerPrivateKeyPath(args<span style="color:#719e07">[</span>1<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span><span style="color:#586e75">// 如果开启双向 cert 认证</span> |
| </span></span><span style="display:flex;"><span><span style="color:#719e07">if</span> (mutualTls) { |
| </span></span><span style="display:flex;"><span> sslConfig.setServerTrustCertCollectionPath(args<span style="color:#719e07">[</span>2<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span>} |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>ProtocolConfig protocolConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> ProtocolConfig(<span style="color:#2aa198">&#34;dubbo/grpc&#34;</span>); |
| </span></span><span style="display:flex;"><span>protocolConfig.setSslEnabled(<span style="color:#cb4b16">true</span>); |
| </span></span></code></pre></div><p>如果要使用的是 gRPC 协议,在开启 TLS 时会使用到协议协商机制,因此必须使用支持 ALPN 机制的 Provider,推荐使用的是 netty-tcnative,具体可参见 gRPC Java 社区的 <a href="https://github.com/grpc/grpc-java/blob/master/SECURITY.md">总结</a></p> |
| <h3 id="consumer-端">Consumer 端</h3> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#719e07">if</span> (<span style="color:#719e07">!</span>mutualTls) {} |
| </span></span><span style="display:flex;"><span> sslConfig.setClientTrustCertCollectionPath(args<span style="color:#719e07">[</span>0<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span>} <span style="color:#719e07">else</span> { |
| </span></span><span style="display:flex;"><span> sslConfig.setClientTrustCertCollectionPath(args<span style="color:#719e07">[</span>0<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span> sslConfig.setClientKeyCertChainPath(args<span style="color:#719e07">[</span>1<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span> sslConfig.setClientPrivateKeyPath(args<span style="color:#719e07">[</span>2<span style="color:#719e07">]</span>); |
| </span></span><span style="display:flex;"><span>} |
| </span></span></code></pre></div><p>为尽可能保证应用启动的灵活性,TLS Cert 的指定还能通过 -D 参数或环境变量等方式来在启动阶段根据部署环境动态指定,参考 Dubbo <a href="https://dubbo.apache.org/zh-cn/docs/advanced/config-rule">配置读取规则</a></p> |
| <blockquote> |
| <p>在服务调用的安全性上,Dubbo 在后续的版本中会持续投入,其中服务发现/调用的鉴权机制预计在接下来的版本中就会和大家见面。</p> |
| </blockquote></description></item><item><title>Overview: 类检查机制</title><link>https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/class-check/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/class-check/</guid><description> |
| <h2 id="特性说明">特性说明</h2> |
| <p>该机制保证服务提供方和服务消费方类之间的兼容性和安全。</p> |
| <h2 id="使用场景">使用场景</h2> |
| <p>防止由于类版本不匹配、方法签名不兼容或缺少类而可能发生的潜在问题。</p> |
| <h2 id="使用方式">使用方式</h2> |
| <p>支持版本 |
| Dubbo &gt;= 3.1.6</p> |
| <p>适用范围 |
| 目前序列化检查支持 Hessian2、Fastjson2 序列化以及泛化调用。其他的序列化方式暂不支持。</p> |
| <h3 id="检查模式">检查模式</h3> |
| <p>检查模式分为三个级别:<code>STRICT</code> 严格检查,<code>WARN</code> 告警,<code>DISABLE</code> 禁用。 |
| <code>STRICT</code> 严格检查:禁止反序列化所有不在允许序列化列表(白名单)中的类。 |
| <code>WARN</code> 告警:仅禁止序列化所有在不允许序列化列表中(黑名单)的类,同时在反序列化不在允许序列化列表(白名单)中类的时候通过日志进行告警。 |
| <code>DISABLE</code> 禁用:不进行任何检查。</p> |
| <p>3.1 版本中默认为 <code>WARN</code> 告警级别,3.2 版本中默认为 <code>STRICT</code> 严格检查级别。</p> |
| <p>通过 ApplicationConfig 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>ApplicationConfig applicationConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> ApplicationConfig(); |
| </span></span><span style="display:flex;"><span>applicationConfig.setSerializeCheckStatus(<span style="color:#2aa198">&#34;STRICT&#34;</span>); |
| </span></span></code></pre></div><p>通过 Spring XML 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:application</span> name=<span style="color:#2aa198">&#34;demo-provider&#34;</span> serialize-check-status=<span style="color:#2aa198">&#34;STRICT&#34;</span><span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>通过 Spring Properties / dubbo.properties 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>dubbo.application.serialize-check-status<span style="color:#719e07">=</span><span style="color:#2aa198">STRICT</span> |
| </span></span></code></pre></div><p>通过 System Property 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>-Ddubbo.application.serialize-check-status<span style="color:#719e07">=</span><span style="color:#2aa198">STRICT</span> |
| </span></span></code></pre></div><p>配置成功后可以在日志中看到如下的提示:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>INFO utils.SerializeSecurityManager: [DUBBO] Serialize check level: STRICT |
| </span></span></code></pre></div><p>注:在同一个进程(Dubbo Framework Model)下的多个应用如果同时配置不同的检查模式,最终会生效“最宽松”的级别。如两个 Spring Context 同时启动,一个配置为 <code>STRICT</code>,另外一个配置为 <code>WARN</code>,则最终生效 <code>WARN</code> 级别的配置。</p> |
| <h3 id="serializable-接口检查">Serializable 接口检查</h3> |
| <p>Serializable 接口检查模式分为两个级别:<code>true</code> 开启,<code>false</code> 关闭。开启检查后会拒绝反序列化所有未实现 <code>Serializable</code> 的类。</p> |
| <p>Dubbo 中默认配置为 <code>true</code> 开启检查。</p> |
| <p>通过 ApplicationConfig 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>ApplicationConfig applicationConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> ApplicationConfig(); |
| </span></span><span style="display:flex;"><span>applicationConfig.setCheckSerializable(<span style="color:#cb4b16">true</span>); |
| </span></span></code></pre></div><p>通过 Spring XML 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:application</span> name=<span style="color:#2aa198">&#34;demo-provider&#34;</span> check-serializable=<span style="color:#2aa198">&#34;true&#34;</span><span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>通过 Spring Properties / dubbo.properties 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>dubbo.application.check-serializable<span style="color:#719e07">=</span><span style="color:#2aa198">true</span> |
| </span></span></code></pre></div><p>通过 System Property 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>-Ddubbo.application.check-serializable<span style="color:#719e07">=</span><span style="color:#2aa198">true</span> |
| </span></span></code></pre></div><p>配置成功后可以在日志中看到如下的提示:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>INFO utils.SerializeSecurityManager: [DUBBO] Serialize check serializable: true |
| </span></span></code></pre></div><p>注 1:在同一个进程(Dubbo Framework Model)下的多个应用如果同时配置不同的 Serializable 接口检查模式,最终会生效“最宽松”的级别。如两个 Spring Context 同时启动,一个配置为 <code>true</code>,另外一个配置为 <code>false</code>,则最终生效 <code>false</code> 级别的配置。 |
| 注 2:目前暂未打通 Hessian2、Fastjson2 内置的 <code>Serializable</code> 检查配置。对于泛化调用,仅需要配置 <code>dubbo.application.check-serializable</code> 即可修改检查配置;对于 Hessian2 序列化,需要同时修改 <code>dubbo.application.check-serializable</code> 和 <code>dubbo.hessian.allowNonSerializable</code> 两个配置;对于 Fastjson2 序列化,目前暂不支持修改。</p> |
| <h3 id="自动扫描相关配置">自动扫描相关配置</h3> |
| <p>Dubbo 类自动扫描机制共有两个配置项:<code>AutoTrustSerializeClass</code> 是否启用自动扫描和 <code>TrustSerializeClassLevel</code> 类信任层级。</p> |
| <p>简单来说,在开启类自动扫描之后,Dubbo 会通过 <code>ReferenceConfig</code> 和 <code>ServiceConfig</code> 自动扫描接口所有可能会用到的相关类,并且递归信任其所在的 package。 <code>TrustSerializeClassLevel</code> 类信任层级可以用来限制最终信任的 package 层级。如 <code>io.dubbo.test.pojo.User</code> 在 <code>TrustSerializeClassLevel</code> 配置为 <code>3</code> 的时候,最终会信任 <code>io.dubbo.test</code> 这个 package 下所有的类。</p> |
| <p>Dubbo 中默认配置 <code>AutoTrustSerializeClass</code> 为 <code>true</code> 启用扫描, <code>TrustSerializeClassLevel</code> 为 <code>3</code>。</p> |
| <p>通过 ApplicationConfig 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>ApplicationConfig applicationConfig <span style="color:#719e07">=</span> <span style="color:#719e07">new</span> ApplicationConfig(); |
| </span></span><span style="display:flex;"><span>applicationConfig.setAutoTrustSerializeClass(<span style="color:#cb4b16">true</span>); |
| </span></span><span style="display:flex;"><span>applicationConfig.setTrustSerializeClassLevel(3); |
| </span></span></code></pre></div><p>通过 Spring XML 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:application</span> name=<span style="color:#2aa198">&#34;demo-provider&#34;</span> auto-trust-serialize-class=<span style="color:#2aa198">&#34;true&#34;</span> trust-serialize-class-level=<span style="color:#2aa198">&#34;3&#34;</span><span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>通过 Spring Properties / dubbo.properties 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>dubbo.application.auto-trust-serialize-class<span style="color:#719e07">=</span><span style="color:#2aa198">true</span> |
| </span></span><span style="display:flex;"><span>dubbo.application.trust-serialize-class-level<span style="color:#719e07">=</span><span style="color:#2aa198">3</span> |
| </span></span></code></pre></div><p>通过 System Property 配置:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>-Ddubbo.application.auto-trust-serialize-class<span style="color:#719e07">=</span><span style="color:#2aa198">true</span> |
| </span></span><span style="display:flex;"><span>-Ddubbo.application.trust-serialize-class-level<span style="color:#719e07">=</span><span style="color:#2aa198">3</span> |
| </span></span></code></pre></div><p>配置成功后可以通过 QoS 命令检查当前已经加载的可信类结果是否符合预期。</p> |
| <p>注:开启检查之后在启动的过程中会有一定的性能损耗。</p> |
| <h3 id="可信不可信类自定义配置">可信/不可信类自定义配置</h3> |
| <p>除了 Dubbo 自动扫描类之外,也支持通过资源文件的方式配置可信/不可信类列表。</p> |
| <p>配置方式:在资源目录(resource)下定义以下文件。</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span><span style="color:#586e75"># security/serialize.allowlist</span> |
| </span></span><span style="display:flex;"><span>io.dubbo.test |
| </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span><span style="color:#586e75"># security/serialize.blockedlist</span> |
| </span></span><span style="display:flex;"><span>io.dubbo.block |
| </span></span></code></pre></div><p>配置成功以后可以在日志看到以下提示:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-properties" data-lang="properties"><span style="display:flex;"><span>INFO <span style="color:#2aa198">utils.SerializeSecurityConfigurator: [DUBBO] Read serialize allow list from file:/Users/albumen/code/dubbo-samples/99-integration/dubbo-samples-serialize-check/target/classes/security/serialize.allowlist</span> |
| </span></span><span style="display:flex;"><span>INFO <span style="color:#2aa198">utils.SerializeSecurityConfigurator: [DUBBO] Read serialize blocked list from file:/Users/albumen/code/dubbo-samples/99-integration/dubbo-samples-serialize-check/target/classes/security/serialize.blockedlist</span> |
| </span></span></code></pre></div><p>配置优先级为:用户自定义可信类 = 框架内置可信类 &gt; 用户自定义不可信类 = 框架内置不可信类 &gt; 自动类扫描可信类。</p> |
| <h3 id="审计方式">审计方式</h3> |
| <p>Dubbo 支持通过 QoS 命令实时查看当前的配置信息以及可信/不可信类列表。目前共支持两个命令:<code>serializeCheckStatus</code> 查看当前配置信息,<code>serializeWarnedClasses</code> 查看实时的告警列表。</p> |
| <ol> |
| <li><code>serializeCheckStatus</code> 查看当前配置信息</li> |
| </ol> |
| <p>通过控制台直接访问:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>&gt; telnet 127.0.0.1 <span style="color:#2aa198">22222</span> |
| </span></span><span style="display:flex;"><span>Trying 127.0.0.1... |
| </span></span><span style="display:flex;"><span>Connected to localhost. |
| </span></span><span style="display:flex;"><span>Escape character is <span style="color:#2aa198">&#39;^]&#39;</span>. |
| </span></span><span style="display:flex;"><span> ___ __ __ ___ ___ ____ |
| </span></span><span style="display:flex;"><span> / _ <span style="color:#cb4b16">\ </span>/ / / // _ <span style="color:#719e07">)</span> / _ <span style="color:#719e07">)</span> / __ <span style="color:#cb4b16">\ </span> |
| </span></span><span style="display:flex;"><span> / // // /_/ // _ |/ _ |/ /_/ / |
| </span></span><span style="display:flex;"><span>/____/ <span style="color:#cb4b16">\_</span>___//____//____/ <span style="color:#cb4b16">\_</span>___/ |
| </span></span><span style="display:flex;"><span>dubbo&gt;serializeCheckStatus |
| </span></span><span style="display:flex;"><span>CheckStatus: WARN |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>CheckSerializable: <span style="color:#b58900">true</span> |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>AllowedPrefix: |
| </span></span><span style="display:flex;"><span>... |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>DisAllowedPrefix: |
| </span></span><span style="display:flex;"><span>... |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>dubbo&gt; |
| </span></span></code></pre></div><p>通过 http 请求 json 格式结果:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>&gt; curl http://127.0.0.1:22222/serializeCheckStatus |
| </span></span><span style="display:flex;"><span><span style="color:#719e07">{</span><span style="color:#2aa198">&#34;checkStatus&#34;</span>:<span style="color:#2aa198">&#34;WARN&#34;</span>,<span style="color:#2aa198">&#34;allowedPrefix&#34;</span>:<span style="color:#719e07">[</span>...<span style="color:#719e07">]</span>,<span style="color:#2aa198">&#34;checkSerializable&#34;</span>:true,<span style="color:#2aa198">&#34;disAllowedPrefix&#34;</span>:<span style="color:#719e07">[</span>...<span style="color:#719e07">]}</span> |
| </span></span></code></pre></div><ol start="2"> |
| <li><code>serializeWarnedClasses</code> 查看实时的告警列表</li> |
| </ol> |
| <p>通过控制台直接访问:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>&gt; telnet 127.0.0.1 <span style="color:#2aa198">22222</span> |
| </span></span><span style="display:flex;"><span>Trying 127.0.0.1... |
| </span></span><span style="display:flex;"><span>Connected to localhost. |
| </span></span><span style="display:flex;"><span>Escape character is <span style="color:#2aa198">&#39;^]&#39;</span>. |
| </span></span><span style="display:flex;"><span> ___ __ __ ___ ___ ____ |
| </span></span><span style="display:flex;"><span> / _ <span style="color:#cb4b16">\ </span>/ / / // _ <span style="color:#719e07">)</span> / _ <span style="color:#719e07">)</span> / __ <span style="color:#cb4b16">\ </span> |
| </span></span><span style="display:flex;"><span> / // // /_/ // _ |/ _ |/ /_/ / |
| </span></span><span style="display:flex;"><span>/____/ <span style="color:#cb4b16">\_</span>___//____//____/ <span style="color:#cb4b16">\_</span>___/ |
| </span></span><span style="display:flex;"><span>dubbo&gt;serializeWarnedClasses |
| </span></span><span style="display:flex;"><span>WarnedClasses: |
| </span></span><span style="display:flex;"><span>io.dubbo.test.NotSerializable |
| </span></span><span style="display:flex;"><span>io.dubbo.test2.NotSerializable |
| </span></span><span style="display:flex;"><span>io.dubbo.test2.OthersSerializable |
| </span></span><span style="display:flex;"><span>org.apache.dubbo.samples.NotSerializable |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span> |
| </span></span><span style="display:flex;"><span>dubbo&gt; |
| </span></span></code></pre></div><p>通过 http 请求 json 格式结果:</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>&gt; curl http://127.0.0.1:22222/serializeWarnedClasses |
| </span></span><span style="display:flex;"><span><span style="color:#719e07">{</span><span style="color:#2aa198">&#34;warnedClasses&#34;</span>:<span style="color:#719e07">[</span><span style="color:#2aa198">&#34;io.dubbo.test2.NotSerializable&#34;</span>,<span style="color:#2aa198">&#34;org.apache.dubbo.samples.NotSerializable&#34;</span>,<span style="color:#2aa198">&#34;io.dubbo.test.NotSerializable&#34;</span>,<span style="color:#2aa198">&#34;io.dubbo.test2.OthersSerializable&#34;</span><span style="color:#719e07">]}</span> |
| </span></span></code></pre></div><blockquote> |
| <p>建议及时关注 <code>serializeWarnedClasses</code> 的结果,通过返回结果是否非空来判断是否受到攻击。</p> |
| </blockquote></description></item><item><title>Overview: 权限控制</title><link>https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/token-authorization/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/token-authorization/</guid><description> |
| <h2 id="特性说明">特性说明</h2> |
| <p>通过令牌验证在注册中心控制权限,以决定要不要下发令牌给消费者, |
| 可以防止消费者绕过注册中心访问提供者, |
| 另外通过注册中心可灵活改变授权方式,而不需修改或升级提供者。</p> |
| <p><img src="https://dubbo.apache.org/imgs/user/dubbo-token.jpg" alt="/user-guide/images/dubbo-token.jpg"></p> |
| <h2 id="使用场景">使用场景</h2> |
| <p>在一定程度上实现客户端和服务端的可信鉴权,避免任意客户端都可以访问,降低出现安全问题的风险。</p> |
| <h2 id="使用方式">使用方式</h2> |
| <h3 id="全局设置">全局设置</h3> |
| <p>开启令牌验证</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#586e75">&lt;!--随机token令牌,使用UUID生成--&gt;</span> |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:provider</span> token=<span style="color:#2aa198">&#34;true&#34;</span> <span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>或</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#586e75">&lt;!--固定token令牌,相当于密码--&gt;</span> |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:provider</span> token=<span style="color:#2aa198">&#34;123456&#34;</span> <span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><h3 id="服务级别设置">服务级别设置</h3> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#586e75">&lt;!--随机token令牌,使用UUID生成--&gt;</span> |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:service</span> interface=<span style="color:#2aa198">&#34;com.foo.BarService&#34;</span> token=<span style="color:#2aa198">&#34;true&#34;</span> <span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div><p>或</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#586e75">&lt;!--固定token令牌,相当于密码--&gt;</span> |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">&lt;dubbo:service</span> interface=<span style="color:#2aa198">&#34;com.foo.BarService&#34;</span> token=<span style="color:#2aa198">&#34;123456&#34;</span> <span style="color:#268bd2">/&gt;</span> |
| </span></span></code></pre></div></description></item><item><title>Overview: 服务鉴权</title><link>https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/auth/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://dubbo.apache.org/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/auth/</guid><description> |
| <h2 id="特性说明">特性说明</h2> |
| <p>类似支付之类的对安全性敏感的业务可能会有限制匿名调用的需求。在加固安全性方面,2.7.5 引入了基于 AK/SK 机制的认证鉴权机制,并且引入了鉴权服务中心,主要原理是消费端在请求需要鉴权的服务时,会通过 SK、请求元数据、时间戳、参数等信息来生成对应的请求签名,通过 Dubbo 的 Attahcment 机制携带到对端进行验签,验签通过才进行业务逻辑处理。如下图所示:</p> |
| <p><img src="https://dubbo.apache.org/imgs/docsv2.7/user/examples/auth/auth.png" alt="img"></p> |
| <h2 id="使用场景">使用场景</h2> |
| <p>部署新服务时,使用身份验证来确保只部署正确的服务,如果部署了未经授权的服务,则使用身份验证来拒绝访问并防止使用未经授权服务。</p> |
| <h2 id="使用方式">使用方式</h2> |
| <h3 id="接入方式">接入方式</h3> |
| <ol> |
| <li> |
| <p>使用者需要在微服务站点上填写自己的应用信息,并为该应用生成唯一的证书凭证。</p> |
| </li> |
| <li> |
| <p>之后在管理站点上提交工单,申请某个敏感业务服务的使用权限,并由对应业务管理者进行审批,审批通过之后,会生成对应的 AK/SK 到鉴权服务中心。</p> |
| </li> |
| <li> |
| <p>导入该证书到对应的应用下,并且进行配置。配置方式也十分简单,以注解方式为例:</p> |
| <h3 id="服务提供端">服务提供端</h3> |
| <p>只需要设置 <code>service.auth</code> 为 true,表示该服务的调用需要鉴权认证通过。<code>param.sign</code> 为 <code>true</code> 表示需要对参数也进行校验。</p> |
| <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#268bd2">@Service</span>(parameters <span style="color:#719e07">=</span> {<span style="color:#2aa198">&#34;service.auth&#34;</span>,<span style="color:#2aa198">&#34;true&#34;</span>,<span style="color:#2aa198">&#34;param.sign&#34;</span>,<span style="color:#2aa198">&#34;true&#34;</span>}) |
| </span></span><span style="display:flex;"><span><span style="color:#268bd2">public</span> <span style="color:#268bd2">class</span> <span style="color:#268bd2">AuthDemoServiceImpl</span> <span style="color:#268bd2">implements</span> AuthService { |
| </span></span><span style="display:flex;"><span>} |
| </span></span></code></pre></div><h3 id="服务消费端">服务消费端</h3> |
| <p>只需要配置好对应的证书等信息即可,之后会自动地在对这些需要认证的接口发起调用前进行签名操作,通过与鉴权服务的交互,用户无需在代码中配置 AK/SK 这些敏感信息,并且在不重启应用的情况下刷新 AK/SK,达到权限动态下发的目的。</p> |
| </li> |
| </ol> |
| <blockquote> |
| <p>该方案目前已经提交给 Dubbo 开源社区,并且完成了基本框架的合并,除了 AK/SK 的鉴权方式之外,通过 SPI 机制支持用户可定制化的鉴权认证以及适配公司内部基础设施的密钥存储。</p> |
| </blockquote></description></item></channel></rss> |