Spring Kafka Trusted Packages Feature – Spring Kafka 可信软件包功能

最后修改: 2023年 12月 12日

中文/混合/英文(键盘快捷键:t)

1. Introduction

1.导言

In this tutorial, we’ll review the Spring Kafka trusted packages feature. We’ll see the motivation behind it, along with its usage. All with practical examples, as always.

在本教程中,我们将回顾 Spring Kafka 的可信包功能。我们将了解其背后的动机及其用法。一如既往,所有内容都将结合实际示例。

2. Prerequisite

2.先决条件

In general, the Spring Kafka module allows us, as users, to specify some metadata about the POJO we’re sending. It usually takes the form of the Kafka message headers. For instance, if we’ll configure the ProducerFactory in this way:

一般来说,Spring Kafka 模块允许我们作为用户指定一些关于我们发送的 POJO 的元数据。它通常采用 Kafka 消息头的形式。例如,如果我们这样配置ProducerFactory

@Bean
public ProducerFactory<Object, SomeData> producerFactory() {
    JsonSerializer<SomeData> jsonSerializer = new JsonSerializer<>();
    jsonSerializer.setAddTypeInfo(true);
    return new DefaultKafkaProducerFactory<>(
      producerFactoryConfig(),
      new StringOrBytesSerializer(),
      jsonSerializer
    );
}

@Data
@AllArgsConstructor
static class SomeData {

    private String id;
    private String type;
    private String status;
    private Instant timestamp;
}

Then we’ll produce a new message into a topic, for example, using KafkaTemplate configured with producerFactory above:

然后,例如,我们将使用上述 producerFactory 配置的 KafkaTemplate 在主题中生成一条新消息:

public void sendDataIntoKafka() {
    SomeData someData = new SomeData("1", "active", "sent", Instant.now());
    kafkaTemplate.send(new ProducerRecord<>("sourceTopic", null, someData));
}

Then, in this case, we’ll get the following message in the console of the Kafka consumer:

在这种情况下,我们会在 Kafka 消费者的控制台中收到以下信息:

CreateTime:1701021806470 __TypeId__:com.baeldung.example.SomeData null {"id":"1","type":"active","status":"sent","timestamp":1701021806.153965150}

As we can see, the type information of the POJO that is inside the message is in the headers. This is, of course, the Spring Kafka feature recognized by Spring only. Meaning, these headers are just metadata from Kafka or other framework’s points of view. Therefore, we can assume here that both the consumer and the producer use Spring to handle Kafka messaging.

我们可以看到,消息中 POJO 的类型信息就在头信息中。当然,这是 Spring Kafka 独有的特性。也就是说,从 Kafka 或其他框架的角度来看,这些头只是元数据。因此,我们可以假设消费者和生产者都使用 Spring 来处理 Kafka 消息。

3. Trusted Packages Feature

3.可信软件包功能

Having said that, we may say that, in some cases, this is quite a useful feature. When messages in the topic have different payload schema, then hinting at the payload type for the consumer will be great.

尽管如此,我们还是可以说,在某些情况下,这是一个非常有用的功能。当主题中的消息具有不同的有效载荷模式时,为消费者提示有效载荷类型将非常有用。

message

However, in general, we know what messages in terms of their schemas can occur in the topic. So, this might be a great idea, to restrict the possible payload schemas consumer will accept. This is what the Spring Kafka trusted packages feature is about.

不过,一般来说,我们知道主题中会出现哪些模式的信息。因此,限制消费者可能接受的有效载荷模式可能是个好主意。这就是 Spring Kafka 可信包功能的意义所在。

4. Usages Samples

4.使用样本

Trusted packages Spring Kafka feature is configured on the deserializer level. If trusted packages are configured, then Spring will make a lookup into the type headers of the incoming message. Then, it will check that all of the provided types in the message are trusted – both key and value.

信任包 Spring Kafka 功能是在反序列化器级别配置的。如果配置了可信包,Spring 就会对传入消息的类型头进行查找。然后,它会检查消息中提供的所有类型(包括键和值)是否都是可信的。

It essentially means that Java classes of key and value, specified in the corresponding headers, must reside inside trusted packages. If everything is ok, then Spring passes the message into further deserialization. If the headers are not present, then Spring will just deserialize the object and won’t check the trusted packages:

这主要意味着,相应标头中指定的键和值的 Java 类必须位于受信任的包内。如果一切正常,Spring 会将消息传递给进一步的反序列化。如果头文件不存在,Spring 将直接反序列化对象,而不会检查受信任的包:

@Bean
public ConsumerFactory<String, SomeData> someDataConsumerFactory() {
    JsonDeserializer<SomeData> payloadJsonDeserializer = new JsonDeserializer<>();
    payloadJsonDeserializer.addTrustedPackages("com.baeldung.example");
    return new DefaultKafkaConsumerFactory<>(
      consumerConfigs(),
      new StringDeserializer(),
      payloadJsonDeserializer
    );
}

It also may be worth mentioning, that Spring can trust all packages if we substitute the concrete packages with star (*):

值得一提的是,如果我们用星号 (*) 代替具体的软件包,Spring 可以信任所有软件包:

JsonDeserializer<SomeData> payloadJsonDeserializer = new JsonDeserializer<>();
payloadJsonDeserializer.trustedPackages("*");

However, in such cases, the usage of trusted packages does not do anything and just incurs additional overhead. Let’s now jump into the motivation behind the feature we just saw.

然而,在这种情况下,使用可信软件包并没有任何作用,只会产生额外的开销。现在,让我们来了解一下我们刚才看到的功能背后的动机。

5.1. First Motivation: Consistency

5.1.第一个动机:一致性

This feature is great because of two major reasons. First, we can fail fast if something goes wrong in the cluster. Imagine that a particular producer will accidentally publish messages in a topic that he is not supposed to publish. It can cause a lot of problems, especially if we succeed at deserializing the incoming message. In this case, the whole system behavior can be undefined.

这项功能之所以出色,主要有两个原因。首先,如果集群中出现问题,我们可以快速故障。试想一下,如果某个生产者不小心在一个主题中发布了他不该发布的消息。这会导致很多问题,尤其是当我们成功反序列化了传入的消息时。在这种情况下,整个系统的行为都可能是未定义的。

So if the producer publishes messages with type information included and the consumer knows what types it trusts, then this all can be avoided. This, of course, assumes that the producer’s message type is different from the one that the consumer expects. But this assumption is pretty fair since this producer shouldn’t publish messages into this topic at all.

因此,如果生产者发布的信息包含类型信息,而消费者知道它信任的类型,那么这一切都可以避免。当然,前提是生产者的信息类型与消费者所期望的不同。但这一假设是非常合理的,因为生产者根本就不应该向这个主题发布信息。

5.2. Second Motivation: Security

5.2.第二个动机:安全性

But what is most important is the security concern. In our previous example, we emphasized that the producer has published messages into the topic unintentionally. But that could be an intentional attack as well. The malicious producer might intentionally publish a message into a particular topic in order to exploit the deserialization vulnerabilities. So by preventing the deserialization of unwanted messages, Spring provides additional security measures to reduce security risks.

但最重要的还是安全问题。在前面的示例中,我们强调制作者无意中向主题发布了消息。但这也可能是一种有意攻击。恶意生产者可能故意将消息发布到特定主题中,以利用反序列化漏洞。因此,通过防止不需要的消息反序列化,Spring 提供了额外的安全措施来降低安全风险。

What is really important to understand here is that the trusted packages feature is not a solution for the “headers spoofing” attack. In this case, the attacker manipulates the headers of a message to deceive the recipient into believing that the message is legitimate and originated from a trusted source. So by providing the correct type headers, the attacker may deceive Spring, and the latter will proceed with message deserialization. But this problem is quite complex and is not a topic of the discussion. In general, Spring merely provides an additional security measure to minimize the risk of the hacker’s success.

这里真正需要理解的是,可信数据包功能并不能解决 “标题欺骗 “攻击。在这种情况下,攻击者会篡改消息的标题,欺骗收件人,使其相信消息是合法的,并且来自受信任的来源。因此,通过提供正确的类型标头,攻击者可以欺骗 Spring,后者将继续进行消息反序列化。但这个问题相当复杂,不是讨论的主题。一般来说,Spring 只是提供了一种额外的安全措施,以尽量降低黑客得逞的风险。

6. Conclusion

6.结论

In this article, we explored the Spring Kafka trusted packages feature. This feature provides additional consistency and security to our distributed messaging system. Still, it is critical to keep in mind, that trusted packages are still vulnerable to header spoofing attacks. Still, Spring Kafka does a great job at providing additional security measures.

在本文中,我们探讨了 Spring Kafka 的可信包功能。该功能为我们的分布式消息系统提供了额外的一致性和安全性。不过,关键是要记住,受信任的包仍然容易受到头欺骗攻击。不过,Spring Kafka 在提供额外的安全措施方面还是做得很出色的。

As always, the source code for this article is available over on GitHub.

与往常一样,本文的源代码可在 GitHub 上获取。