Spring Cloud Gateway 低吞吐量,安全

Posted

技术标签:

【中文标题】Spring Cloud Gateway 低吞吐量,安全【英文标题】:Spring cloud gateway low throughput with security 【发布时间】:2021-08-28 07:37:18 【问题描述】:

我想使用基本身份验证来保护我的spring cloud gateway。但是我发现当我添加spring-boot-starter-security依赖和基本配置时,网关在性能测试中吞吐量很差。

具有安全性 - 53.2/秒 没有安全性 - 694.1/秒

怎么了?

pom.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <parent>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>2.3.11.RELEASE</version>
            <relativePath/> <!-- lookup parent from repository -->
        </parent>
        <groupId>com.example</groupId>
        <artifactId>demo-gateway</artifactId>
        <version>0.0.1</version>
        <name>demo-gateway</name>
        <description>Demo project for Spring Boot</description>
        <properties>
            <java.version>1.8</java.version>
            <spring-cloud.version>Hoxton.SR11</spring-cloud.version>
        </properties>
        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-webflux</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-starter-gateway</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-starter-loadbalancer</artifactId>
            </dependency>
            <dependency>
                <groupId>com.github.ben-manes.caffeine</groupId>
                <artifactId>caffeine</artifactId>
                <version>2.8.8</version>
            </dependency>
    
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
            </dependency>
    
            <dependency>
                <groupId>org.junit.platform</groupId>
                <artifactId>junit-platform-launcher</artifactId>
                <scope>test</scope>
            </dependency>
            <dependency>
                <groupId>org.junit.vintage</groupId>
                <artifactId>junit-vintage-engine</artifactId>
                <scope>test</scope>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-test</artifactId>
                <scope>test</scope>
                <exclusions>
                    <exclusion>
                        <groupId>org.junit.vintage</groupId>
                        <artifactId>junit-vintage-engine</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <dependency>
                <groupId>io.projectreactor</groupId>
                <artifactId>reactor-test</artifactId>
                <scope>test</scope>
            </dependency>
        </dependencies>
        <dependencyManagement>
            <dependencies>
                <dependency>
                    <groupId>org.springframework.cloud</groupId>
                    <artifactId>spring-cloud-dependencies</artifactId>
                    <version>$spring-cloud.version</version>
                    <type>pom</type>
                    <scope>import</scope>
                </dependency>
                <dependency>
                    <groupId>org.junit</groupId>
                    <artifactId>junit-bom</artifactId>
                    <version>5.7.1</version>
                    <type>pom</type>
                    <scope>import</scope>
                </dependency>
            </dependencies>
        </dependencyManagement>
    
        <build>
            <finalName>$project.artifactId</finalName>
            <plugins>
                <plugin>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-maven-plugin</artifactId>
                </plugin>
            </plugins>
    
            <pluginManagement>
                <plugins>
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-surefire-plugin</artifactId>
                        <version>2.22.2</version>
                        <configuration>
                            <includes>
                                <include>**/*Tests.java</include>
                                <include>**/*Test.java</include>
                            </includes>
                            <excludes>
                                <exclude>**/Abstract*.java</exclude>
                            </excludes>
                            <argLine>-Dfile.encoding=$project.build.sourceEncoding</argLine>
                        </configuration>
                    </plugin>
                </plugins>
            </pluginManagement>
        </build>
    
    </project>

安全配置

@EnableWebFluxSecurity
public class SecurityWebFluxConfig 

    @Bean
    public MapReactiveUserDetailsService authentication() 
        UserDetails user = User
                .withUsername("user")
                .password("password")
                .roles("USER")
                .build();
        return new MapReactiveUserDetailsService(user);
    

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) 
        return http.authorizeExchange()
                .anyExchange().authenticated()
                .and().httpBasic()
                .and().build();

【问题讨论】:

【参考方案1】:

您正在观察这一点,因为 Spring Security 利用自适应单向函数来存储密码。这些是故意占用资源的,这意味着为每个请求验证用户名和密码会显着降低应用程序的性能。 Spring Security(或任何其他库)无法加快密码验证速度,因为安全性是通过密集验证资源来获得的。

我鼓励您将长期凭据(即用户名和密码)交换为短期凭据(即会话、OAuth 令牌等),而不是使用 HTTP 基本身份验证。 可以快速验证短期凭证,而不会损失任何安全性。

在 Spring Security 参考文档的Password Storage section 中有对此的深入解释。

【讨论】:

链接已断开 感谢@ChardenDaxicen,已修复。

以上是关于Spring Cloud Gateway 低吞吐量,安全的主要内容,如果未能解决你的问题,请参考以下文章

聊聊spring cloud gateway的NettyConfiguration

Spring Cloud实战Spring Cloud GateWay服务网关

spring cloud gateway 如何工作

Spring Cloud Gateway集成

spring cloud gateway 的执行流程

spring cloud gateway 某些路由中跳过全局过滤器