
I have defined a JwtAuthenticationGatewayFilter in Spring Gateway. Now I define a list that stores the URLs that need to be ignored for token validation, like this:

public static Predicate<ServerHttpRequest> isApiSecured;

@PostConstruct
public void initExcludePath() {
    // A request is secured unless its path equals one of the excluded URLs
    isApiSecured = r -> {
        List<String> excludeList = loginExcludeUrl.getExclude();
        return excludeList.stream()
            .noneMatch(uri -> r.getURI().getPath().equals(uri));
    };
}

loginExcludeUrl.getExclude() returns the list of URLs to ignore (hundreds or thousands). The filter uses this function to decide whether to ignore the URL or not:

if (isApiSecured.test(request)) {
     return authImpl(request, exchange, chain);
}

I am worried that when the ignore list grows, the whole website's performance will slow down, because every request has to go through the list filter. Is there any better way to ignore the URLs? Some of the URL config looks like this:

login-check-path:
  exclude: 
    - /post/user/reg
    - /login
    - /post/user/login
    - /post/user/plugin/login
    - /post/user/sms
    - /post/auth/access_token/refresh
    - /post/auth/refresh_token/refresh
    - /post/article/newstories
    - /post/article/originalstories
    - /post/article/officialstories
    - /post/article/share
    - /post/article/read
    - /post/article/detail
    - /post/wechat/util/verifyWxToken
    - /post/wechat/login/getQRCodeUrl
    - /post/wechat/login/wxCallBack
    - /post/alipay/login/alipayCallBack
    - /post/alipay/login/getQRCodeUrl
    - /post/alipay/notification/v1/alipaySeverNotification
    - /post/websocket
    - /manage/admin/user/login
    - /dict/user/plugin/login
    - /dict/user/login
    - /dict/auth/access_token/refresh
    - /dict/auth/refresh_token/refresh
    - /fortune/user/login
    - /fortune/user/guest/login
    - /fortune/user/sms
    - /fortune/user/reg/verify
    - /fortune/auth/access-token/refresh
    - /tik/user/login
    - /tik/user/guest/login
    - /tik/user/sms
    - /tik/user/reg/verify
Dolphin

1 Answer

Since you are centralizing all the requests of your company in one gateway, the only way to add or exclude some URLs is mapping them one by one, and then the core has to check one by one whether the incoming URL should be secured or not.

Apply JWT on specific routes

As an example, in the case of Kong Gateway, if you don't explicitly add the route, nobody can consume it because it doesn't have public access enabled.

Alternatively, you can create the API and then, on each API, decide whether to add the JWT plugin or not.

Sources:

So you don't need to add the exclusion one by one.

I think you could add only the routes you need using this YAML:

spring:
  cloud:
    gateway:
      routes:
      - id: employeeModule
        uri: http://localhost:8081/
        predicates:
        - Path=/employee/**
      - id: consumerModule
        uri: http://localhost:8082/
        predicates:
        - Path=/consumer/**

Source: https://www.javainuse.com/spring/cloud-gateway

Use regex to exclude

Using regex could speed up the comparison.

You could try something like the regex or matchers used in spring security:

So the code could look like this (not tested):

isApiSecured = r -> {
    List<String> excludeRegexList = loginExcludeUrl.getExclude();
    // Secured unless the path matches one of the exclusion regexes
    return excludeRegexList.stream()
        .noneMatch(regexPattern -> r.getURI().getPath().matches(regexPattern));
};

Use a non-relational or in-memory DB

Instead of loading the list of exclusions, you could use MongoDB or Redis, so you will be able to handle a lot of exclusions and query them to decide whether the incoming URL should be protected or not.

Use another api gateway

You could use another gateway only for public or non-protected routes. You could even use a simple nginx, because these endpoints should not be protected.


I hope one of these options helps you

JRichardsz
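
An added example (not part of the question or the answer): the question's exact-match check done with a hash set built once at startup, so each request costs one lookup instead of a scan of the whole list. The class name `ExcludePathMatcher` and the sample paths in `main` are assumptions; it takes the `java.net.URI` that `r.getURI()` returns, so it runs without Spring.

```java
import java.net.URI;
import java.util.List;
import java.util.Set;

// Hypothetical helper, not Spring Cloud Gateway code.
public class ExcludePathMatcher {

    // Immutable hash-based set: contains() is O(1) on average,
    // however many entries the exclude list has.
    private final Set<String> excluded;

    public ExcludePathMatcher(List<String> excludeList) {
        // Copy once (for example in @PostConstruct), not on every request.
        this.excluded = Set.copyOf(excludeList);
    }

    // True when the request must go through JWT validation.
    // Only a literal match skips it, so path variants (trailing slash,
    // "..", ";param", different case) fall through to authentication.
    public boolean isApiSecured(URI uri) {
        String path = uri.getPath();
        return path == null || !excluded.contains(path);
    }

    public static void main(String[] args) {
        // Entries taken from the question's config.
        ExcludePathMatcher matcher = new ExcludePathMatcher(
                List.of("/login", "/post/user/login", "/post/websocket"));

        // Constructed sample request paths.
        String[] samples = {
            "/login",
            "/login/",
            "/LOGIN",
            "/login;v=1",
            "/post/user/login/../../admin",
            "/manage/admin/user/list"
        };
        for (String s : samples) {
            boolean secured = matcher.isApiSecured(URI.create(s));
            System.out.println(s + " -> " + (secured ? "JWT required" : "excluded"));
        }
    }
}
```

In the filter, the existing predicate can delegate to it with `isApiSecured = r -> matcher.isApiSecured(r.getURI());`.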