[General][Java SDK (Component)] Security Road Map

[mitpjones]

Pre-check

• I am sure that all the content I provide is in English.

Apache Dubbo Component

Java SDK (apache/dubbo)

Details

Hi,

could someone please comment on the future plans regarding the security of service calls and authentication mechanisms. There is a comment in https://dubbo.apache.org/en/overview/mannual/java-sdk/tasks/security/tls/

"Regarding the security of service calls, Dubbo will continue to invest in this area in future versions, with authentication mechanisms for service discovery/calls expected to be available in upcoming releases."

I understand that historically Apache Dubbo was developed for use within an secure Intranet. However companies often employ third party tools/consultants to run security audits using scanners etc which highlight the lack of TLS(1) and authentication etc.

After trying some samples I am struggling to understand what Token Authorization https://github.com/apache/dubbo-docs/blob/master/dubbo-user-book-en/demos/token-authorization.md actually does. Is it's purpose to restrict a client from accessing a provider?

Assuming a non Spring based solution, can someone please guide me to documentation/examples of how to add some sort of authentication mechanism to Apache Dubbo. At the moment I am considering adding a custom filter but feel that this is likely a problem already solved.

1. It looks as though TLS is broken [Bug] The sample code dubbo samples SSL on the official website cannot pass one-way authentication, but can be executed normally with two-way authentication configuration #14638.

Thanks,

Tim

Code of Conduct

• I agree to follow this project's Code of Conduct