[#1099] adjusting new logic and configuration for security #1104
Conversation
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## 2021.0.x #1104 +/- ##
=============================================
- Coverage 1.90% 1.80% -0.10%
+ Complexity 29 28 -1
=============================================
Files 209 209
Lines 4094 4091 -3
Branches 360 358 -2
=============================================
- Hits 78 74 -4
- Misses 4006 4007 +1
Partials 10 10 ☔ View full report in Codecov by Sentry. |
| AuthenticationAdapter authenticationAdapter) throws Exception { | ||
| String token = request.getHeader(Const.AUTH_TOKEN); | ||
| AuthenticationAdapter authenticationAdapter, String headerTokenKey) throws Exception { | ||
| String token = request.getHeader(headerTokenKey); | ||
| if (StringUtils.isEmpty(token)) { | ||
| token = InvocationContextHolder.getOrCreateInvocationContext().getContext(Const.AUTH_TOKEN); |
There was a problem hiding this comment.
Don't fallback to X-Auth-Token, throws error here directly.
There was a problem hiding this comment.
microservice call microservice is X-Auth-Token, no affected with header token.
| @@ -54,15 +54,12 @@ public boolean isAllowed(AuthRequestExtractor extractor) throws Exception { | |||
|
|
|||
| private boolean checkDeny(String serviceName, AuthRequestExtractor extractor) { | |||
| if (securityPolicyProperties.matchDeny(serviceName, extractor.uri(), extractor.method())) { | |||
| // both permissive and enforcing model need print logs(send alarm info). | |||
| LOGGER.info("[autoauthz unauthorized request] consumer={}, provider={}, path={}, method={}, timestamp={}", | |||
There was a problem hiding this comment.
logging level should be WARN if denied in permissive
| @@ -54,15 +54,12 @@ public boolean isAllowed(AuthRequestExtractor extractor) throws Exception { | |||
|
|
|||
| private boolean checkDeny(String serviceName, AuthRequestExtractor extractor) { | |||
| if (securityPolicyProperties.matchDeny(serviceName, extractor.uri(), extractor.method())) { | |||
| // both permissive and enforcing model need print logs(send alarm info). | |||
| LOGGER.info("[autoauthz unauthorized request] consumer={}, provider={}, path={}, method={}, timestamp={}", | |||
There was a problem hiding this comment.
Please change "unauthorized request" to "[autoauthz] request denied. consumer={} ....."
There was a problem hiding this comment.
use security team context
| @@ -72,15 +69,12 @@ private boolean checkAllowAndDeny(String serviceName, AuthRequestExtractor extra | |||
| if (securityPolicyProperties.matchAllow(serviceName, extractor.uri(), extractor.method())) { | |||
| return !checkDeny(serviceName, extractor); | |||
| } else { | |||
| // both permissive and enforcing model need print logs(send alarm info). | |||
| LOGGER.info("[autoauthz unauthorized request] consumer={}, provider={}, path={}, method={}, timestamp={}", | |||
There was a problem hiding this comment.
same as above. Logging level shoud be WARN and message should be "request denied ...."
1、策略uri配置/*时,客户端对应方法类型的请求都通过;
2、开启安全策略校验,但是没有设置策略或者安全策略白名单为空时,打印告警日志(发送告警信息),宽容模式请求通过,强制模式,请求拦截;
3、header中获取token的key调整为支持配置,默认为X-SM-Token。