Hi, I think you make a good point for creating a new repo for the security support of servicecomb. We could start a vote if there are no other objections to it.

Willem Jiang

Twitter: willemjiang
Weibo: 姜宁willem

On Tue, May 14, 2019 at 9:28 AM Liubao (A) <[email protected]> wrote:
>
> I thought about it before. When I worked on the demos, I found it's best to
> create a new repo for the following reasons:
>
> 1. The common parts are distributed across ResourceServer, Gateway and
> AuthenticationServer; it's not easy to have only one dependency.
> 2. This project is focused on JWT-based authentication for microservices and
> java-chassis; we are not planning to make it very common like spring security
> did. Because there are so many variants in security management, we have to
> focus on the most important part now. Creating a new project will make it
> easier for us to have other different implementations in the future.
> 3. This project will act as a reference implementation now; developers may
> use the source code directly and possibly make some changes to the source code to
> fulfill business usage. In the near future, we may not release any formal
> version of the project. Although, our goal is to make this project the best
> authentication choice.
> 4. This project may be used in older versions of java-chassis; I will tag the
> project based on 1.2.0, or a future version like 1.3.0.
> 5. This project depends on spring security, spring jwt and spring oauth2 now,
> but the java-chassis runtime may not depend on spring. Making this project a
> module will make java-chassis very complicated. Because this is a new
> project, I only want to support the latest spring 5.
>
> -----Original Message-----
> From: Willem Jiang [mailto:[email protected]]
> Sent: May 13, 2019 22:16
> To: dev <[email protected]>
> Subject: Re: [PROPOSAL]start a new project to add security support for java-chassis
>
> Just a quick question: why do we need to create a new git repo for the
> authentication?
> Can we just add a module in java-chassis?
>
> Willem Jiang
>
> Twitter: willemjiang
> Weibo: 姜宁willem
>
> On Mon, May 13, 2019 at 4:51 PM Liubao (A) <[email protected]> wrote:
> >
> > Hi,
> >
> > I am working on integrating spring security into java-chassis to make
> > developing authentication and authorization management easier. Now I have
> > finished the framework and basic authorization management.
> >
> > This work is shown in [1].
> >
> > 1. Users can create an AuthenticationServer to manage users and roles
> > and their confidential information.
> >
> > 2. Users can add authentication in the edge service.
> >
> > 3. Users can add authentication and authorization in ResourceServer.
> > This work provides two ways to specify authorization,
> >
> > using microservice.yaml like:
> >
> > ```
> > servicecomb:
> >   authencation:
> >     access:
> >       needAuth: true
> >       roles:
> >         HandlerAuthEndpoint:
> >           adminSayHello: ADMIN
> > ```
> >
> > or using method security
> >
> > ```
> > @PostMapping(path = "/adminSayHello")
> > @PreAuthorize("hasRole('ADMIN')")
> > public String adminSayHello(String name) {
> >   return name;
> > }
> > ```
> >
> > The test cases are shown in the project Client, in
> > AuthenticationTestCase.java.
> >
> > I suggest creating a new project, servicecomb-security (or some other
> > name), to host common components that can be reused to develop
> > authentication and authorization.
> >
> > Future plans of this project (informal):
> >
> > 1. Make OAUTH2 the default implementation. JWT is the most
> > effective authentication mechanism for microservices, I think OAUTH2 (or
> > related Open Connect ID) is the best choice. (based on spring security
> > oauth2)
> >
> > 2. Add a common framework to connect other OAUTH2 parties. (like
> > keycloak[2], or firebase[3])
> >
> > 3. Others based on users' feedback.
> >
> > [1] https://github.com/apache/servicecomb-samples/tree/master/authentication
> > [2] https://www.keycloak.org/docs/latest/securing_apps/index.html
> > [3] https://firebase.google.com/docs/auth/
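
An added illustration, not part of the thread and not code from the servicecomb project: a plain-Java sketch of the configuration-driven role check that the quoted `microservice.yaml` describes. The class name `ConfigRoleCheck`, the `<schemaId>.<operationId>` lookup key and the treatment of unlisted operations are assumptions; it also assumes the caller's roles come from a token whose signature and expiry were already verified.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical sketch, not servicecomb code: an access decision driven by the
// "needAuth" and "roles" settings quoted in the proposal above.
public class ConfigRoleCheck {
  private final boolean needAuth;
  // Assumed key format "<schemaId>.<operationId>" -> required role,
  // e.g. "HandlerAuthEndpoint.adminSayHello" -> "ADMIN".
  private final Map<String, String> requiredRoles;

  public ConfigRoleCheck(boolean needAuth, Map<String, String> requiredRoles) {
    this.needAuth = needAuth;
    this.requiredRoles = Map.copyOf(requiredRoles);
  }

  // callerRoles == null means no validated token was presented.
  public boolean isAllowed(String schemaId, String operationId, Set<String> callerRoles) {
    if (!needAuth) {
      return true;
    }
    if (callerRoles == null) {
      return false; // unauthenticated callers are rejected when needAuth is true
    }
    String required = requiredRoles.get(schemaId + "." + operationId);
    if (required == null) {
      return true; // assumption: unlisted operations need authentication only
    }
    // Spring Security's hasRole('ADMIN') matches the authority "ROLE_ADMIN" by
    // default, so accept both spellings to keep the two styles consistent.
    return callerRoles.contains(required) || callerRoles.contains("ROLE_" + required);
  }

  public static void main(String[] args) {
    ConfigRoleCheck check = new ConfigRoleCheck(true,
        Map.of("HandlerAuthEndpoint.adminSayHello", "ADMIN"));
    // Constructed sample callers: an admin, a non-admin, and no token at all.
    System.out.println(check.isAllowed("HandlerAuthEndpoint", "adminSayHello", Set.of("ROLE_ADMIN")));
    System.out.println(check.isAllowed("HandlerAuthEndpoint", "adminSayHello", Set.of("GUEST")));
    System.out.println(check.isAllowed("HandlerAuthEndpoint", "adminSayHello", null));
  }
}
```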
