Hi, I am working on integrating Spring Security into java-chassis to make developing authentication and authorization management easier. Now I have finished the framework and basic authorization management.
This work is shown in [1].

1. Users can create an AuthenticationServer to manage users and roles and their confidential information.
2. Users can add authentication in the edge service.
3. Users can add authentication and authorization in the ResourceServer.

This work provides two ways to specify authorization, using microservice.yaml like:

```
servicecomb:
  authencation:
    access:
      needAuth: true
      roles:
        HandlerAuthEndpoint:
          adminSayHello: ADMIN
```

or using method security:

```
@PostMapping(path = "/adminSayHello")
@PreAuthorize("hasRole('ADMIN')")
public String adminSayHello(String name) {
  return name;
}
```

The test cases are shown in the project Client, in AuthenticationTestCase.java.

I suggest creating a new project, servicecomb-security (or some other name), to host common components that can be reused to develop authentication and authorization.

Future plans for this project (informal):

1. Make OAUTH2 the default implementation. JWT is the most effective authentication mechanism for microservices, and I think OAUTH2 (or the related Open Connect ID) is the best choice (based on spring security oauth2).
2. Add a common framework to connect to other OAUTH2 parties (like keycloak[2] or firebase[3]).
3. Others based on users' feedback.

[1] https://github.com/apache/servicecomb-samples/tree/master/authentication
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html
[3] https://firebase.google.com/docs/auth/