Notes on a personal project

Date: 2021-01-16

RESTful

Eureka registry: microservice management

Deployment of Eureka in the project

  • A Eureka client is deployed with each microservice to handle service registration and discovery
    • Add the Eureka client dependency
    • Configure Eureka in application.yml
    • Add the @EnableDiscoveryClient annotation to the startup class
  • Create the Eureka server, which manages the information and status of the microservice nodes
  • A microservice obtains the address of another microservice from the Eureka server and calls it remotely

Feign remote call

  • Feign integrates Ribbon to implement client-side load-balanced calls
  • Add the @EnableFeignClients annotation to the startup class
  • When a microservice needs another microservice, it declares an interface annotated with @FeignClient(value = "...") that names the target service. Feign looks the service up in the registry and calls it remotely, choosing an instance with the load-balancing algorithm.
  • Annotate the interface methods with @GetMapping("...") to specify the URL to call
  • The remote microservice method is then called from the service layer

Load balancing

Client-side load balancing (Ribbon)

Technical scheme for course preview

This mainly covers the preview of the course details page.

  • Page access needs to be as fast as possible
    • Using nginx as the web server to serve the static HTML pages generated by the CMS service directly gives very good performance (about 3000 requests/s). The CMS static pages have to be stored on nginx; the small amount of dynamic data is fetched from the application server.
    • A large number of static pages also increases the maintenance burden.
    • If Tomcat is used as the server, a redis cache can speed up access, but Tomcat's throughput under high concurrency is low (about 300 requests/s).

Some details

  • In the production environment, multiple Eureka servers should be deployed (registering with each other as peers) to ensure high availability of the registry

Elasticsearch

  • Elasticsearch is a highly scalable distributed search server based on Lucene that works out of the box.
  • Elasticsearch hides the complexity of Lucene and provides a RESTful interface for indexing and searching.
  • Good scalability: clusters of hundreds of servers can be deployed
  • Fast (near real-time) search even when the index is large

Index structure

The logical structure is an inverted index, which contains:

  • A list of all distinct terms (after word segmentation) in the documents
  • The documents being searched (the document form)
  • The relationship between terms and documents

It is called an inverted index because the lookup starts from a keyword and finds the documents that contain it, producing a document list ordered by match degree; a forward index works the other way round, starting from a document and listing the keywords it contains.
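As an added example (not part of the original post), the following Java class builds a minimal inverted index over three constructed documents and answers a query from it. The whitespace tokenizer and the three sample documents are assumptions; the project itself uses Elasticsearch with the IK analyzer, but the term-to-document structure is the same idea.

```java
import java.util.*;

// Added example, not the project's code: a minimal inverted index over three
// constructed English documents. Elasticsearch does the same thing at scale.
public class InvertedIndexDemo {
    // term -> ids of the documents containing it (the "relationship between terms and documents")
    private final Map<String, TreeSet<Integer>> postings = new HashMap<>();
    // id -> original document (the "document form")
    private final Map<Integer, String> docs = new HashMap<>();

    // Toy analyzer: lower-case and split on non-alphanumerics. IK would segment Chinese here.
    static List<String> analyze(String text) {
        List<String> terms = new ArrayList<>();
        for (String t : text.toLowerCase().split("[^a-z0-9]+")) {
            if (!t.isEmpty()) terms.add(t);
        }
        return terms;
    }

    void index(int id, String text) {
        docs.put(id, text);
        for (String term : analyze(text)) {
            postings.computeIfAbsent(term, k -> new TreeSet<>()).add(id);
        }
    }

    // Inverted lookup: keyword -> documents, ranked by how many query terms each document matches.
    List<Integer> search(String query) {
        Map<Integer, Integer> score = new HashMap<>();
        for (String term : analyze(query)) {
            for (int id : postings.getOrDefault(term, new TreeSet<>())) {
                score.merge(id, 1, Integer::sum);
            }
        }
        List<Integer> hits = new ArrayList<>(score.keySet());
        hits.sort((a, b) -> score.get(b) - score.get(a));
        return hits;
    }

    public static void main(String[] args) {
        InvertedIndexDemo idx = new InvertedIndexDemo();
        // Constructed sample documents
        idx.index(1, "Spring Cloud microservice course");
        idx.index(2, "Elasticsearch search engine course");
        idx.index(3, "Spring Security and OAuth2");
        System.out.println("distinct terms: " + idx.postings.keySet());
        for (int id : idx.search("spring course")) {
            System.out.println(id + " -> " + idx.docs.get(id));
        }
    }
}
```

The query "spring course" never scans the document texts: each term is looked up in `postings`, and the documents are ranked by how many of the query terms they contain, which is the behaviour the notes describe for the inverted index.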

Search flow

  • The user enters search keywords on the front end
  • The front end sends the request to the project server over HTTP
  • The server sends the search to the ES cluster through its RESTful HTTP API
  • ES retrieves the matching data from the index

ES usage process

  • Create the index
  • Create the mapping
  • Create documents
  • Search documents

In the actual project these steps are implemented with the Java API provided by ES.

Some details

  • Use the IK analyzer for Chinese word segmentation: use ik_max_word when indexing for fine-grained segmentation, and ik_smart when searching to improve search precision
  • In the mapping: text fields are segmented; keyword fields are not segmented and are used for exact queries; for numeric fields choose the type with the smallest range that fits
  • ES updates a document as follows: retrieve the existing document, mark the old version as deleted, index the new version, and rebuild the index entries for it

User authentication

Single sign-on

  • The authentication system is extracted as an independent service; when users access the other systems, they authenticate through it.
  • Redis is used to manage user identities.

OAuth2

Authorization flow

OAuth2 is a protocol for authorizing access to a user's resources.

  • The client (e.g. the browser application) requests authorization
  • The resource owner (the user) grants authorization
  • After obtaining the authorization code, the client asks the authorization server (e.g. WeChat's) to issue a token
  • With the token, the client can access the resource server (the resource owner's resources)

Grant types

  • Authorization code: the client applies for a token with an authorization code (third-party login)
  • Password: the client applies for a token directly with the user name and password (login with the user's own account). This grant hands the user's credentials to the client, so it is only suitable for the project's own trusted clients, not for third parties.

User authentication architecture in the project

Spring Security + OAuth2

Principle:

Authentication: is the caller allowed into the system at all?

  • The user requests the authentication service from the front end and completes authentication.
  • The authentication service issues an identity token, which shows that the identity is legitimate.
  • The user carries the token when requesting a resource service; the request must pass through the gateway first.
  • The gateway checks that the identity token is valid. If it is not, the user is treated as not logged in; if it is, the request is forwarded.

Inside the microservice, authorization: does the caller have permission to access this particular resource?

  • The resource service obtains the token and verifies it to complete authorization.
  • Once authorization succeeds, the resource service responds with the resource.

Implementation in the project:

The project uses Spring Security + OAuth2 for user authentication and authorization. The flow is as follows:

1. The user requests the authentication service to complete identity authentication.

  • The authentication service can query user information by calling the user-center service remotely

2. The authentication service issues a user identity token and a JWT through Spring Security. Holding the identity token means the identity is legitimate; the JWT is used to complete authorization.

  • Spring Security exposes the token endpoint /oauth/token; the authentication service calls it with RestTemplate's exchange method to apply for a token
  • The identity token is saved in a cookie and the JWT is saved in redis

3. The user carries the JWT when requesting a resource service.

4. The gateway checks that the identity token is valid. If it is not, the user is treated as not logged in; if it is, the request is forwarded.

5. The resource service obtains the JWT and completes authorization according to it.

6. On logout, the user requests the authentication service, which clears the token from redis and deletes the cookie.

Storing the identity token in redis serves two purposes:

1. After the server clears the token, a request that still carries it is rejected, even though the token itself has not expired.

2. Because the JWT is considered too long to store in a cookie, the JWT is kept in redis; the client fetches it from the server and stores it on the client side.

Token issuance is implemented by Spring Security

The process is as follows:

  • The front end requests authentication
  • The authentication service applies for a token through Spring Security (password grant)
  • Spring Security loads the user's account and password (UserDetails)
  • If the user exists, the submitted password is compared with the stored one; if they match, a token is issued

Tokens

  • Access token: on the user's first login, a new token is generated from the user name and password
  • Refresh token: when the access token is about to expire, the refresh token is used automatically to obtain a new one, so the user does not have to log in again

JWT token

Every time a resource service receives a traditional (opaque) token it has to ask the authentication service to validate it, which performs poorly. A JWT carries the user's information (such as the user's permissions) itself, so the resource service can verify it on its own without calling the authentication service. (See the structure below for how this works.)

Advantages of JWT:

1. JWT is based on JSON, which is easy to parse.

2. Custom content can be placed in the token, so it is easy to extend.

3. Through a digital signature (with an asymmetric algorithm such as RSA, or an HMAC), a JWT can be checked for tampering. Note that the signature does not encrypt anything: the payload is only base64url-encoded and can be read by anyone holding the token, so no secrets belong in it.

4. Resource services can authorize requests without depending on the authentication service.

The drawback is that the token is long and takes up more storage space.

Structure

  • Header: contains the type of token (JWT) and the signing algorithm used (e.g. HMAC-SHA256 or RSA)
  • Payload: also a JSON object, holding the claims. It can use the registered claims defined by JWT, such as iss (issuer), exp (expiration timestamp) and sub (subject), and it can also carry custom fields.
  • Signature: used to prevent the JWT content from being tampered with.

    The first two parts are base64url-encoded and joined with a dot (.) into a string, which is then signed with the algorithm declared in the header.
  • If the payload is tampered with, recomputing the signature with the agreed algorithm and key gives a different value from the one in the token, so verification fails. The signature itself cannot be forged because producing it requires the key (the HMAC secret, or the RSA private key), which the attacker does not have. The verifier must pin the algorithm it expects rather than trusting the alg field in the header, otherwise an attacker can rewrite the header to a weaker algorithm or to "none".
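The following Java class is an added example, not code from the original post or from Spring Security: it builds an RS256 JWT with only the JDK, verifies it with the public key alone (which is all a resource service needs), and then shows a payload tampered to add an authority, an expired token, and an "alg":"none" header all being rejected. The claim names (sub, authorities, exp) and the 600-second lifetime are assumptions for the demo; a real service would parse the JSON with a proper library instead of the regex used here.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the project's code: RS256 JWT issue/verify with the JDK only.
public class JwtDemo {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final String HEADER = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";

    static String b64(String s) {
        return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // Authentication service side: header.payload.signature, signed with the private key.
    static String sign(String payloadJson, KeyPair kp) throws Exception {
        String signingInput = b64(HEADER) + "." + b64(payloadJson);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(kp.getPrivate());
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + ENC.encodeToString(sig.sign());
    }

    // Resource service side: only the public key is needed. Returns the payload JSON, or null if rejected.
    static String verify(String jwt, PublicKey pub, long nowEpochSeconds) throws Exception {
        String[] parts = jwt.split("\\.", -1);   // keep a trailing empty signature so it is checked, not dropped
        if (parts.length != 3) return null;
        // Pin the algorithm: the alg field in the header is attacker-controlled input.
        String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"RS256\"")) return null;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(DEC.decode(parts[2]))) return null;
        String payload = new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);
        // Minimal exp check; reject tokens whose expiry is not in the future.
        Matcher m = Pattern.compile("\"exp\":(\\d+)").matcher(payload);
        if (!m.find() || Long.parseLong(m.group(1)) <= nowEpochSeconds) return null;
        return payload;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        long now = System.currentTimeMillis() / 1000;

        String token = sign("{\"sub\":\"u1\",\"authorities\":[\"course_find_list\"],\"exp\":" + (now + 600) + "}", kp);
        System.out.println("genuine token accepted: " + (verify(token, kp.getPublic(), now) != null));

        // Tampering: keep header and signature, swap in a payload that grants an extra authority.
        String[] p = token.split("\\.");
        String forgedPayload = b64("{\"sub\":\"u1\",\"authorities\":[\"course_find_list\",\"course_delete\"],\"exp\":" + (now + 600) + "}");
        System.out.println("tampered payload accepted: " + (verify(p[0] + "." + forgedPayload + "." + p[2], kp.getPublic(), now) != null));

        // Expired: correctly signed, but exp is in the past.
        String expired = sign("{\"sub\":\"u1\",\"exp\":" + (now - 1) + "}", kp);
        System.out.println("expired token accepted: " + (verify(expired, kp.getPublic(), now) != null));

        // Algorithm confusion: header says "none" and the signature is empty; alg pinning rejects it.
        String none = b64("{\"alg\":\"none\",\"typ\":\"JWT\"}") + "." + forgedPayload + ".";
        System.out.println("alg=none token accepted: " + (verify(none, kp.getPublic(), now) != null));
    }
}
```

Only the public key is distributed to the resource services, which is what lets them authorize requests without calling the authentication service; the private key stays on the authentication service that issues tokens.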

Zuul gateway

It works like an interceptor: only requests whose check succeeds are forwarded to the microservice.

In the actual project Zuul and nginx are used together. Nginx's role is reverse proxying and load balancing; Zuul's role is to secure access to the microservices, intercepting requests, checking their legitimacy and load balancing.

  • Add @EnableZuulProxy to the startup class
  • Configure the route for each microservice in application.yml
  • Identity verification is implemented with a ZuulFilter, which connects to redis to look up the token information

Note: the gateway checks the identity token, while the microservice uses the JWT for user authorization
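One way to write the gateway check described above, as an added example rather than the project's own filter. It assumes the identity token travels in a cookie named uid, that the authentication service stored the matching JWT in redis under the key user_token:<identity token> at login and deletes that key at logout, and that the client sends the JWT as Authorization: Bearer <jwt>; all three are assumptions for the example. Comparing the header JWT with the one stored for the cookie binds the two tokens together and makes logout (deleting the redis key) take effect immediately.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.stereotype.Component;

// Added example, not the project's code. Assumed conventions: identity token in cookie "uid",
// JWT stored in redis under "user_token:<identity token>", JWT sent as a bearer token.
@Component
public class LoginFilter extends ZuulFilter {
    private static final String COOKIE_NAME = "uid";
    private static final String REDIS_PREFIX = "user_token:";
    private final StringRedisTemplate redis;

    public LoginFilter(StringRedisTemplate redis) { this.redis = redis; }

    @Override public String filterType() { return "pre"; }   // run before the request is routed
    @Override public int filterOrder() { return 0; }
    @Override public boolean shouldFilter() { return true; } // every route is protected

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();

        String identityToken = cookieValue(request, COOKIE_NAME);
        String jwtFromHeader = bearerToken(request.getHeader("Authorization"));
        // The JWT the authentication service stored for this identity token; null once logged out.
        String jwtFromRedis = identityToken == null ? null : redis.opsForValue().get(REDIS_PREFIX + identityToken);

        // Reject unless both tokens are present and the header JWT is the one issued for this cookie.
        if (jwtFromHeader == null || jwtFromRedis == null || !jwtFromRedis.equals(jwtFromHeader)) {
            ctx.setSendZuulResponse(false);   // do not forward to the microservice
            ctx.setResponseStatusCode(401);
            ctx.getResponse().setContentType("application/json;charset=UTF-8");
            ctx.setResponseBody("{\"code\":401,\"message\":\"not logged in\"}");
        }
        return null;   // Zuul 1.x ignores the return value
    }

    private static String cookieValue(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    private static String bearerToken(String header) {
        if (header == null || !header.startsWith("Bearer ")) return null;
        String token = header.substring("Bearer ".length()).trim();
        return token.isEmpty() ? null : token;
    }
}
```

Spring Cloud Netflix registers every ZuulFilter bean automatically, so the @Component is enough. The filter only decides whether the user is still logged in; it does not check the JWT signature, which each resource service does itself when it authorizes the request.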

User and microservice authorization

By parsing the user information in the JWT, a microservice can implement method-based authorization or fine-grained authorization.

Method authorization

  • When generating the JWT, write the user's permissions into the token
  • Add the @PreAuthorize annotation to the resource service method and specify the permission the method requires
    • @PreAuthorize("hasAuthority('course_find_list')")
  • A request to a method whose permission the user holds is served normally
  • A request to a method whose permission the user lacks is denied

Fine-grained authorization

  • Different users have the same operation permission, but the range of data they may operate on differs.
    • Example: users A and B are both teaching institutions. Both have the "my courses" permission, but the data returned to each is different.
  • Which fine-grained authorizations does this project have?
    • In "my courses", a teaching institution may only query the courses of its own institution.
    • In "my course selection", a student may only query their own course selections.
  • How is fine-grained authorization implemented?
  • Fine-grained authorization involves business logic that differs per case, so it is usually implemented in the service layer: it checks according to the current user and queries or operates on different data depending on the parameters.
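The following controller and service, added here as an example and not taken from the project, show the two levels together: @PreAuthorize enforces the course_find_list authority at the method, and the service layer enforces that a teaching institution only queries its own courses by comparing the companyId in the request with the companyId claim of the caller's JWT. It assumes the resource service is configured as an OAuth2 resource server (so the JWT signature has already been verified before the controller runs) with @EnableGlobalMethodSecurity(prePostEnabled = true), that the token carries a custom companyId claim, and that CourseBase and CourseRepository are hypothetical types; the JWT is decoded with spring-security-jwt's JwtHelper and Jackson.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Added example, not the project's code. Assumes an OAuth2 resource server has already
// verified the JWT, that the JWT carries a "companyId" claim, and hypothetical data types.
@RestController
@RequestMapping("/course")
public class CourseController {
    private final CourseService courseService;
    public CourseController(CourseService courseService) { this.courseService = courseService; }

    // Method authorization: the caller's JWT must contain the course_find_list authority.
    @PreAuthorize("hasAuthority('course_find_list')")
    @GetMapping("/coursebase/list/{page}/{size}")
    public List<CourseBase> findCourseList(@PathVariable int page, @PathVariable int size,
                                           @RequestParam String companyId) {
        return courseService.findCourseList(companyId, page, size);
    }
}

@Service
class CourseService {
    private final CourseRepository repository;
    CourseService(CourseRepository repository) { this.repository = repository; }

    // Fine-grained authorization: same permission for every institution, but each may only
    // read its own rows, so the requested companyId is checked against the token's claim.
    List<CourseBase> findCourseList(String requestedCompanyId, int page, int size) {
        Object claim = currentClaims().get("companyId");
        if (claim == null || !claim.toString().equals(requestedCompanyId)) {
            throw new AccessDeniedException("cannot query another institution's courses");
        }
        return repository.findByCompanyId(claim.toString(), page, size);
    }

    // Reads the claims of the bearer JWT. Decoding without verifying is acceptable only because
    // the resource server filter chain has already rejected unsigned or tampered tokens.
    @SuppressWarnings("unchecked")
    private static Map<String, Object> currentClaims() {
        HttpServletRequest request =
            ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            throw new AccessDeniedException("missing bearer token");
        }
        String token = header.substring("Bearer ".length());
        try {
            return new ObjectMapper().readValue(JwtHelper.decode(token).getClaims(), Map.class);
        } catch (IOException e) {
            throw new AccessDeniedException("unreadable token", e);
        }
    }
}

// Hypothetical persistence types, stubbed so the example is self-contained.
interface CourseRepository {
    List<CourseBase> findByCompanyId(String companyId, int page, int size);
}

class CourseBase {
    public String id;
    public String name;
    public String companyId;
}
```

A simpler and safer variant drops the companyId request parameter entirely and always queries with the value from the token; the comparison is shown here because it makes the fine-grained check visible and returns a clear 403 when a client tries another institution's id.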

Authentication between microservices

When one microservice calls another, the call also needs to carry the JWT for authorization.

For example, course management and the CMS both require authorization to access.

Solution: use a Feign interceptor so that remote calls carry the JWT.

  • Define the interceptor in the common project
  • Register the Feign interceptor bean in the microservice startup class
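As an added example covering both the Feign remote call section and the token propagation described here (not the project's own code), the following file declares a Feign client for a CMS service, an interceptor that copies the caller's bearer JWT onto every outgoing Feign request, and the startup class that registers it. The service name cms-service, the path /cms/page/get/{id} and the CmsPage DTO are assumptions; Spring Cloud OpenFeign's package names are used.

```java
import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.cloud.openfeign.EnableFeignClients;
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Added example, not the project's code. Assumes a CMS microservice registered in Eureka as
// "cms-service" that exposes GET /cms/page/get/{id}; CmsPage is a hypothetical DTO.
@FeignClient(value = "cms-service")
interface CmsPageClient {
    // The name in @PathVariable is mandatory for Feign; unlike Spring MVC it cannot infer it.
    @GetMapping("/cms/page/get/{id}")
    CmsPage findById(@PathVariable("id") String id);
}

class CmsPage {
    public String pageId;
    public String pageName;
}

// Copies the incoming request's bearer JWT onto the outgoing Feign request, so the
// called microservice can authorize the call with the same token.
class FeignAuthInterceptor implements RequestInterceptor {
    @Override
    public void apply(RequestTemplate template) {
        ServletRequestAttributes attrs =
            (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) return;   // not inside an HTTP request (e.g. a scheduled job)
        String auth = attrs.getRequest().getHeader("Authorization");
        // Forward only the bearer token, never the whole header set (cookies included).
        if (auth != null && auth.startsWith("Bearer ")) {
            template.header("Authorization", auth);
        }
    }
}

@SpringBootApplication
@EnableDiscoveryClient
@EnableFeignClients
public class ManageCourseApplication {
    // Registering the interceptor as a bean applies it to every Feign client in this service.
    @Bean
    public RequestInterceptor feignAuthInterceptor() {
        return new FeignAuthInterceptor();
    }

    public static void main(String[] args) {
        SpringApplication.run(ManageCourseApplication.class, args);
    }
}
```

RequestContextHolder is thread-local, so if Feign calls run inside Hystrix with thread-pool isolation the request attributes are not visible in the Hystrix thread and the header is silently not forwarded; either use semaphore isolation (hystrix.command.default.execution.isolation.strategy: SEMAPHORE) or propagate the request context into the Hystrix thread.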

This work is licensed under a CC license; reprints must credit the author and link to this article.
