Quick Start
Quick Start
This section demonstrates how to use Istio to publish security governance config to Spring Cloud Alibaba application and use the config to do security governance. The Spring Cloud Alibaba security governance module supports security governance of Spring MVC and Spring WebFlux applications.
Preparation
Install K8s
Please refer to tools chapter of K8s document.
Enable Istio on K8s
Please refer to install chapter of Istio document.
Demo
Connect to Istio
Before launching the example for demonstration, let’s look at how a Spring Cloud application accesses Istio and provides security governance. This section is only for you to understand how to use it. The config has been filled in this example and you may not need to modify it.
- Modify
pom.xml
to introduce Istio resource transform and Spring Cloud Alibaba security governance module:
- Configure Istio related metadata in the
src/main/resources/application
yml configuration file:
HINT:The POD in which your deployed application does not need to be automatically injected by Istio because the various governance modules of Spring Cloud Alibaba will be used to replace the functions of the Envoy Proxy.
Demostration
The following are some simple examples of security governance rule configurations:
IP Blocks
The following command is used to deliver an security governance rule to the demo application through Istio. This rule restricts the source IP addresses that can access the application:
You can validate the rules by sending request to the auth interface of this demo:
In this example, if the source IP of the request is 127.0.0.1, then the application returns:
This indicates that the request is denied. If the source IP of the request is not ‘127.0.0.1’, then the application returns:
It indicates that the request has been authenticated by application and some meta data of the request will be returned.
After that, we delete the security governance rule for the IP Blocks:
Then request the auth interface of this demo again, we can find that the application will return the following message because the security governance rule has been deleted:
Request Header security governance
We use the following command to deliver an security governance rule to the demo application through Istio. This rule restricts the request header for accessing the application:
Then send a HTTP request with a user-agent header to verify whether the rule is valid:
Since this request carries a correct HTTP Header, it will return:
Then send a HTTP request without a user-agent header to verify whether the rule is valid:
Since this request don’t carry a correct HTTP Header, it will return:
After that, we remove the rule for requests header security governance:
Then request the auth interface of this demo again, we can find that the application will return the following message because the security governance rule has been deleted:
JWT security governance
We use the following command to deliver an security governance rule to the demo application through Istio. This rule restricts the JWT token value that must be carried to access the application:
A Http request with a correct JWT token is then sent to verify that the rule is valid:
Since this request carries a correct JWT token, it will return:
A Http request with an invalid JWT token is then sent to verify that the rule is valid:
Since this request carries a invalid JWT token, it will return:
After that, we remove the rule for JWT security governance:
Then request the auth interface of this demo again, we can find that the application will return the following message because the security governance rule has been deleted: