mocode-software/meldestelle
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

optimierungen gateway-Modul

Browse Source
This commit is contained in:
stefan
2025-09-04 13:54:30 +02:00
parent 3b40cb9c45
commit 6675e2de94
17 changed files with 552 additions and 538 deletions
Download Patch File Download Diff File Expand all files Collapse all files
GATEWAY-STARTUP-GUIDE.md
+200
View File
@@ -0,0 +1,200 @@
# Gateway Startup Guide - Korrigierte Befehle
Dieses Dokument erklärt die korrekten Befehle zum Starten des API Gateways sowohl mit Gradle als auch mit Docker.
## Wichtiger Hinweis: Arbeitsverzeichnis
**ALLE BEFEHLE MÜSSEN AUS DEM PROJEKT-ROOT-VERZEICHNIS AUSGEFÜHRT WERDEN:**
```bash
# Sicherstellen, dass Sie im richtigen Verzeichnis sind
cd /home/stefan/WsMeldestelle/Meldestelle
# Überprüfen des aktuellen Verzeichnisses
pwd
# Sollte ausgeben: /home/stefan/WsMeldestelle/Meldestelle
# Überprüfen, dass gradlew vorhanden ist
ls -la gradlew
```
## 1. Gateway mit Gradle starten
### Entwicklungsumgebung (Development)
```bash
# Aus dem Projekt-Root-Verzeichnis:
./gradlew :infrastructure:gateway:bootRun
# Mit spezifischem Profil:
./gradlew :infrastructure:gateway:bootRun --args='--spring.profiles.active=dev'
```
### Produktionsumgebung
```bash
# Gateway JAR bauen:
./gradlew :infrastructure:gateway:bootJar
# Gateway ausführen:
java -jar infrastructure/gateway/build/libs/gateway-*.jar
```
## 2. Gateway mit Docker starten
### Docker Image bauen
```bash
# Aus dem Projekt-Root-Verzeichnis:
docker build -t meldestelle/gateway:latest -f infrastructure/gateway/Dockerfile .
# Mit Build-Argumenten (optional):
docker build \
--build-arg SPRING_PROFILES_ACTIVE=prod \
-t meldestelle/gateway:latest \
-f infrastructure/gateway/Dockerfile .
```
### Docker Container starten
```bash
# Einfacher Start:
docker run -p 8080:8080 meldestelle/gateway:latest
# Mit Umgebungsvariablen:
docker run \
-p 8080:8080 \
-e SPRING_PROFILES_ACTIVE=prod \
-e CONSUL_HOST=localhost \
-e CONSUL_PORT=8500 \
--name gateway \
meldestelle/gateway:latest
# Im Hintergrund starten:
docker run -d \
-p 8080:8080 \
-e SPRING_PROFILES_ACTIVE=prod \
--name gateway \
meldestelle/gateway:latest
```
### Docker Container verwalten
```bash
# Container Status prüfen:
docker ps
# Logs anzeigen:
docker logs gateway
# Container stoppen:
docker stop gateway
# Container entfernen:
docker rm gateway
# Image entfernen:
docker rmi meldestelle/gateway:latest
```
## 3. Gateway mit Docker Compose
### docker-compose.yml verwenden
```bash
# Services starten (inkl. Gateway):
docker-compose up -d gateway
# Oder alle Services:
docker-compose up -d
# Logs verfolgen:
docker-compose logs -f gateway
# Services stoppen:
docker-compose down
```
## 4. Fehlerbehebung
### Häufige Fehler und Lösungen
#### "./gradlew: Datei oder Verzeichnis nicht gefunden"
**Problem:** Sie befinden sich nicht im Projekt-Root-Verzeichnis.
**Lösung:**
```bash
cd /home/stefan/WsMeldestelle/Meldestelle
ls -la gradlew # Sollte die gradlew-Datei anzeigen
```
#### "lstat infrastructure: no such file or directory"
**Problem:** Docker build wird mit falschem Kontext ausgeführt.
**Lösung:**
```bash
# Sicherstellen, dass Sie im Projekt-Root sind:
cd /home/stefan/WsMeldestelle/Meldestelle
# Dockerfile-Pfad korrekt angeben:
docker build -t meldestelle/gateway:latest -f infrastructure/gateway/Dockerfile .
```
#### "Image nicht gefunden" beim docker run
**Problem:** Das Image wurde noch nicht gebaut.
**Lösung:**
```bash
# Zuerst das Image bauen:
docker build -t meldestelle/gateway:latest -f infrastructure/gateway/Dockerfile .
# Dann den Container starten:
docker run -p 8080:8080 meldestelle/gateway:latest
```
## 5. Gateway Health Check
Nach dem Start können Sie die Gateway-Gesundheit überprüfen:
```bash
# Health Endpoint:
curl http://localhost:8080/actuator/health
# Metriken:
curl http://localhost:8080/actuator/metrics
# Gateway-Routen:
curl http://localhost:8080/actuator/gateway/routes
```
## 6. Umgebungsvariablen
Wichtige Umgebungsvariablen für die Gateway-Konfiguration:
```bash
# Spring Profil
export SPRING_PROFILES_ACTIVE=dev|test|prod
# Consul Konfiguration
export CONSUL_HOST=localhost
export CONSUL_PORT=8500
# Gateway Admin Credentials
export GATEWAY_ADMIN_USER=admin
export GATEWAY_ADMIN_PASSWORD=secure-password
# Logging Level
export LOGGING_LEVEL_ROOT=INFO
export LOGGING_LEVEL_GATEWAY=DEBUG
```
## 7. Zusammenfassung der korrekten Befehle
```bash
# IMMER aus dem Projekt-Root-Verzeichnis:
cd /home/stefan/WsMeldestelle/Meldestelle
# Gateway mit Gradle starten:
./gradlew :infrastructure:gateway:bootRun
# Gateway Docker Image bauen:
docker build -t meldestelle/gateway:latest -f infrastructure/gateway/Dockerfile .
# Gateway Container starten:
docker run -p 8080:8080 meldestelle/gateway:latest
```
---
**Wichtiger Hinweis:** Alle Pfade sind relativ zum Projekt-Root-Verzeichnis (`/home/stefan/WsMeldestelle/Meldestelle`). Stellen Sie sicher, dass Sie sich immer in diesem Verzeichnis befinden, bevor Sie die Befehle ausführen.
infrastructure/gateway/Dockerfile
+80
View File
@@ -0,0 +1,80 @@
# Dockerfile für das Meldestelle API Gateway
# Multi-Stage Build für optimierte Containerisierung
FROM eclipse-temurin:21-jdk-alpine AS build
# Arbeitsverzeichnis setzen
WORKDIR /workspace
# Gradle Wrapper und Build-Dateien kopieren
COPY gradle gradle/
COPY gradlew gradlew.bat gradle.properties settings.gradle.kts ./
COPY build.gradle.kts ./
# Platform und Core Module kopieren (Dependencies)
COPY platform platform/
COPY core core/
# Infrastructure Module kopieren (für Dependencies)
COPY infrastructure infrastructure/
# Gateway Module bauen
RUN ./gradlew :infrastructure:gateway:bootJar -x test --no-daemon
# JAR-Datei für Layer-Extraktion extrahieren
RUN mkdir -p build/dependency && \
(cd build/dependency; java -Djarmode=layertools -jar /workspace/infrastructure/gateway/build/libs/*.jar extract)
# Runtime Stage - optimiert für Produktion
FROM eclipse-temurin:21-jre-alpine
# Metadaten für Container
LABEL maintainer="Meldestelle Development Team" \
org.opencontainers.image.title="Meldestelle API Gateway" \
org.opencontainers.image.description="Spring Cloud Gateway für die Meldestelle Microservices" \
org.opencontainers.image.version="1.0.0" \
org.opencontainers.image.vendor="Österreichischer Pferdesportverband"
# Non-root User für Security
RUN addgroup -g 1001 gateway && \
adduser -D -u 1001 -G gateway gateway
# Arbeitsverzeichnis und Berechtigungen
WORKDIR /app
RUN chown gateway:gateway /app
# System-Updates für Security
RUN apk update && \
apk add --no-cache tzdata curl && \
rm -rf /var/cache/apk/*
# Zeitzone setzen
ENV TZ=Europe/Vienna
USER gateway
# Spring Boot Layer für besseres Caching
COPY --from=build --chown=gateway:gateway /workspace/build/dependency/dependencies/ ./
COPY --from=build --chown=gateway:gateway /workspace/build/dependency/spring-boot-loader/ ./
COPY --from=build --chown=gateway:gateway /workspace/build/dependency/snapshot-dependencies/ ./
COPY --from=build --chown=gateway:gateway /workspace/build/dependency/application/ ./
# Logs-Verzeichnis erstellen
RUN mkdir -p logs && chown gateway:gateway logs
# JVM-Parameter für Container-Umgebung
ENV JAVA_OPTS="-server -Xmx512m -Xms256m -XX:+UseG1GC -XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0 -Djava.security.egd=file:/dev/./urandom"
# Spring Profile und Port
ENV SPRING_PROFILES_ACTIVE=prod
ENV SERVER_PORT=8080
# Health Check
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
CMD curl -f http://localhost:8080/actuator/health || exit 1
# Gateway Port exposieren
EXPOSE 8080
# Anwendung starten
ENTRYPOINT ["sh", "-c", "java $JAVA_OPTS org.springframework.boot.loader.launch.JarLauncher"]
infrastructure/gateway/OPTIMIZATION_SUMMARY.md
-102
View File
@@ -1,102 +0,0 @@
# Gateway Infrastructure Optimization Summary
## Überblick der Verbesserungen
Das infrastructure/gateway Modul wurde umfassend analysiert, aktualisiert und optimiert. Die ursprünglich minimale Implementierung wurde zu einem vollwertigen API Gateway mit modernen Best Practices erweitert.
## Implementierte Verbesserungen
### 1. Erweiterte Gateway-Konfiguration (application.yml)
-**Routing für alle Business Services**: Vollständige Routen für members, horses, events, masterdata, auth und ping services
-**Circuit Breaker Pattern**: Resilience4j Integration mit service-spezifischen Konfigurationen
-**Verbesserte CORS-Konfiguration**: Produktionstaugliche CORS-Einstellungen mit spezifischen Origin-Patterns
-**Connection Pooling**: Optimierte HTTP-Client-Konfiguration mit Pool-Management
-**Retry-Logic**: Automatische Wiederholungen bei transienten Fehlern
-**Monitoring Integration**: Prometheus Metriken und Health Check Konfiguration
### 2. Custom Gateway Filters (GatewayConfig.kt)
-**CorrelationIdFilter**: Automatische Generierung und Weiterleitung von Korrelations-IDs für Request-Tracking
-**EnhancedLoggingFilter**: Strukturiertes Logging mit Request/Response Details und Performance-Metriken
-**RateLimitingFilter**: Intelligentes Rate Limiting basierend auf User-Typ (Anonymous: 50, User: 200, Admin: 500 req/min)
### 3. JWT Security Implementation (JwtAuthenticationFilter.kt)
-**JWT-basierte Authentifizierung**: Validierung von Bearer Tokens für geschützte Endpunkte
-**Public Path Exemptions**: Konfigurierbare öffentliche Pfade ohne Authentifizierung
-**User Context Injection**: Automatische Weiterleitung von User-ID und Rolle an Backend Services
-**Standardisierte Fehlerbehandlung**: Strukturierte 401 Unauthorized Responses
### 4. Fallback Controller (FallbackController.kt)
-**Circuit Breaker Fallbacks**: Service-spezifische Fallback-Endpunkte für Ausfallszenarien
-**Benutzerfreundliche Fehlermeldungen**: Strukturierte Fehlerantworten mit Handlungsempfehlungen
-**Einheitliche Error Response**: Standardisiertes ErrorResponse-Format
### 5. Performance und Reliability Optimierungen
-**Netty Server Tuning**: Optimierte Connection-Timeouts und Idle-Settings
-**Circuit Breaker Konfiguration**: Service-spezifische Schwellenwerte und Timeouts
-**Connection Pool Management**: Elastic Pool mit konfigurierbaren Limits
-**Health Check Verbesserungen**: Detaillierte Health Check Informationen
### 6. Monitoring und Observability
-**Prometheus Integration**: Metriken für Request-Performance und Circuit Breaker Status
-**Distributed Tracing**: Korrelations-ID basiertes Request-Tracking
-**Gateway-spezifische Metriken**: Percentile-basierte Performance-Messungen
-**Strukturierte Logs**: Maschinenlesbare Log-Ausgabe mit Kontext-Informationen
## Technische Verbesserungen
### Konfiguration
- Environment-Variable basierte Konfiguration für Flexibilität
- Profile-spezifische Aktivierung von Features
- Consul Service Discovery Integration
- Graceful Degradation bei Service-Ausfällen
### Security
- JWT-Token Validierung auf Gateway-Ebene
- Rollenbasierte Rate Limits
- CORS-Policy für Produktionsumgebung
- Security Header Management
### Performance
- Reaktive Programming mit WebFlux
- Optimierte JVM-Parameter für Container-Umgebung
- Connection Pooling und Keep-Alive Konfiguration
- Circuit Breaker für Service-Resilienz
## Architektur-Compliance
Das Gateway erfüllt jetzt vollständig die in der Dokumentation (README-INFRA-GATEWAY.md) beschriebenen Anforderungen:
1.**Zentraler Einstiegspunkt**: Alle externen Requests laufen über das Gateway
2.**Dynamisches Routing**: Consul Service Discovery Integration
3.**Security Enforcement**: JWT-Validierung für alle geschützten Endpunkte
4.**Rate Limiting**: Schutz vor Überlastung mit konfigurierbaren Limits
5.**Monitoring und Tracing**: Korrelations-IDs und Metriken-Integration
6.**CORS Management**: Zentrale CORS-Policy-Verwaltung
## OpenAPI Compliance
Die Implementierung entspricht den Anforderungen der OpenAPI-Spezifikation:
1.**Rate Limiting Headers**: X-RateLimit-* Header werden korrekt gesetzt
2.**Enhanced Logging**: Strukturierte Logs mit Korrelations-IDs
3.**Error Handling**: Standardisierte Fehlerantworten
4.**Service Routes**: Vollständige API-Routen für alle Bounded Contexts
## Fazit
Das Gateway wurde von einer minimalen Spring Boot Anwendung zu einem vollwertigen, produktionstauglichen API Gateway transformiert. Die Implementierung folgt modernen Microservices-Patterns und bietet eine solide Grundlage für die Skalierung des Systems.
**Wichtiger Hinweis zu Tests**: Die vorhandenen Tests schlagen derzeit fehl, da sie für die ursprünglich minimale Implementation konzipiert wurden. Die ApplicationContext-Ladung schlägt aufgrund der neuen erweiterten Konfiguration und Filter fehl. Für eine produktive Bereitstellung sollten die Tests entsprechend der neuen Funktionalität vollständig überarbeitet werden.
**Test-Probleme und Lösungsansätze**:
- ApplicationContext kann nicht geladen werden aufgrund von Konflikten zwischen Test-Konfiguration und Produktions-Features
- Neue Filter (JWT, Rate Limiting, Circuit Breaker) benötigen spezielle Test-Mocks oder -Stubs
- Consul Service Discovery Integration erfordert Test-spezifische Konfiguration
- Resilience4j Circuit Breaker Konfiguration interferiert mit Test-Setup
## Nächste Schritte (Empfehlungen)
1. **Test-Suite aktualisieren**: Integration Tests für die neuen Filter und Routen
2. **Externe Auth-Client Integration**: Vollständige JWT-Validierung mit dem auth-client Modul
3. **Metriken-Dashboard**: Grafana-Dashboard für Gateway-Metriken
4. **Load Testing**: Performance-Tests für die neuen Features
infrastructure/gateway/README-INFRA-GATEWAY.md
+8
View File
@@ -240,7 +240,13 @@ Cache-Control: no-cache, no-store, must-revalidate
## Development und Testing
### Local Development
**WICHTIG:** Alle Befehle müssen aus dem Projekt-Root-Verzeichnis (`/home/stefan/WsMeldestelle/Meldestelle`) ausgeführt werden.
```bash
# Sicherstellen, dass Sie im richtigen Verzeichnis sind
cd /home/stefan/WsMeldestelle/Meldestelle
# Gateway starten
./gradlew :infrastructure:gateway:bootRun
@@ -249,6 +255,8 @@ docker build -t meldestelle/gateway:latest -f infrastructure/gateway/Dockerfile
docker run -p 8080:8080 meldestelle/gateway:latest
```
📖 **Detaillierte Startup-Anleitung:** Siehe `GATEWAY-STARTUP-GUIDE.md` im Projekt-Root für vollständige Befehle und Fehlerbehebung.
### Testing
```bash
# Unit Tests
infrastructure/gateway/UPDATED_GATEWAY_ANALYSIS_REPORT.md
-140
View File
@@ -1,140 +0,0 @@
# Updated Gateway Analysis and Optimization Report
## Date: 2025-08-25
## Executive Summary
Following the comprehensive analysis and optimization of the `infrastructure/gateway` module, this updated report documents additional improvements made and current status. The gateway module continues to serve as the API Gateway and single public entry point for the Meldestelle system with enhanced stability and security.
## Previous Accomplishments (Confirmed)
All previously documented fixes and optimizations from the original analysis remain in place and functioning:
### ✅ MAINTAINED - Critical Build Configuration Fix
- Dependencies correctly positioned outside Kotlin compiler configuration
- Proper dependency management using platform BOM
### ✅ MAINTAINED - Memory Leak Prevention in RateLimitingFilter
- Periodic cleanup mechanism (every 5 minutes)
- Automatic removal of entries older than 10 minutes
- Thread-safe cleanup with @Volatile annotations
- Comprehensive logging for monitoring
### ✅ MAINTAINED - Security Enhancements
- Multi-header validation preventing header spoofing (X-User-Role + X-User-ID)
- Enhanced JWT validation with proper format checking (Header.Payload.Signature)
- Structured claims extraction with comprehensive error handling
- Secure user ID generation using hex representation
## New Issues Identified and Addressed
### 🔧 PARTIALLY FIXED - Dependency Version Conflicts
**Issue**: Explicit Logback dependency versions (1.4.12) conflicted with Spring Boot BOM managed versions (1.5.13), causing ClassNotFoundException during test execution.
**Root Cause**:
- Gateway build.gradle.kts specified explicit Logback versions: 1.4.12
- Platform BOM manages Logback at version: 1.5.13
- Spring Boot 3.3.2 expected consistent logging framework versions
- Version mismatch prevented proper LogbackLoggingSystem initialization
**Fix Applied**:
```kotlin
// Before (Explicit versions causing conflicts)
implementation("ch.qos.logback:logback-classic:1.4.12")
implementation("ch.qos.logback:logback-core:1.4.12")
implementation("org.slf4j:slf4j-api:2.0.9")
// After (BOM-managed versions for consistency)
implementation("ch.qos.logback:logback-classic")
implementation("ch.qos.logback:logback-core")
implementation("org.slf4j:slf4j-api")
```
**Result**: Partial improvement in test initialization, but Spring test context issues persist.
## Current Status of Test Execution
### ⚠️ ONGOING ISSUE - Spring Test Context Initialization
**Current State**: Tests still failing but with different error pattern:
- Previous: `NoClassDefFoundError at LogbackLoggingSystem.java:110`
- Current: `NoClassDefFoundError` and `ExceptionInInitializerError` at `SpringExtension.java:366`
**Analysis**:
- The Logback version fix improved the situation (different error location)
- Issue now occurs during Spring test framework initialization rather than logging system
- Suggests deeper Spring Boot test context configuration or dependency issues
- May be related to Spring Cloud Gateway + Spring Boot 3.3.2 test compatibility
**Impact**:
- Production code remains unaffected
- All 52 comprehensive tests cannot execute
- CI/CD pipeline testing is impacted
## Architecture Status
The gateway maintains its sophisticated layered architecture:
1. **CorrelationIdFilter** (Order: HIGHEST_PRECEDENCE) - Request tracing ✅
2. **EnhancedLoggingFilter** (Order: HIGHEST_PRECEDENCE + 1) - Request/response logging ✅
3. **RateLimitingFilter** (Order: HIGHEST_PRECEDENCE + 2) - Rate limiting with memory leak protection ✅
4. **JwtAuthenticationFilter** (Order: HIGHEST_PRECEDENCE + 3) - JWT authentication ✅
## Recommendations for Complete Resolution
### High Priority
1. **Spring Boot Test Framework Investigation**
- Analyze Spring Boot 3.3.2 + Spring Cloud 2023.0.3 test compatibility
- Review platform-testing module configuration
- Consider Spring Boot test slice annotations (@WebMvcTest, @WebFluxTest)
- Investigate test classpath configuration
2. **Dependency Analysis**
- Audit all transitive dependencies for conflicts
- Verify Spring Cloud Gateway test dependencies
- Check for missing test-specific Spring Boot starters
### Medium Priority
3. **Test Configuration Enhancement**
- Simplify test configuration to minimal required properties
- Consider test-specific application.yml profiles
- Investigate MockWebServer for integration testing
4. **Alternative Testing Strategies**
- Implement integration tests using TestContainers
- Consider contract testing for gateway functionality
- Unit test individual filter components in isolation
## Performance and Security Status
### Performance ✅
- Memory leak protection active and monitored
- Efficient request correlation and tracing
- Optimized filter ordering for minimal overhead
### Security ✅
- Multi-layer security validation
- Header spoofing protection implemented
- JWT validation with proper format checking
- CORS configuration properly managed
- Rate limiting with role-based differentiation
## Configuration Management ✅
- Environment-specific settings via `gateway.security.*` properties
- Flexible CORS configuration for development/production
- JWT authentication toggle: `gateway.security.jwt.enabled`
- Rate limiting constants easily adjustable
## Conclusion
The gateway module has been further stabilized with the Logback version conflict resolution. While the core production functionality remains robust and secure, the test execution issue requires additional investigation into Spring Boot test framework compatibility.
**Current State**:
- ✅ Production-ready with enhanced security and performance
- ✅ Memory leak prevention active
- ✅ Comprehensive filter architecture functioning
- ⚠️ Test framework initialization requires deeper investigation
**Next Steps**:
The remaining test framework issue is complex and may require:
- Platform-wide Spring Boot version strategy review
- Test framework architecture reconsideration
- Potential Spring Boot version upgrade evaluation
- Collaboration with platform team for test dependency resolution
This represents significant progress from the initial state, with critical production issues resolved and a clear path forward for complete test framework restoration.
infrastructure/gateway/build.gradle.kts
+35
View File
@@ -38,6 +38,8 @@ dependencies {
implementation(libs.resilience4j.spring.boot3)
implementation(libs.resilience4j.reactor)
implementation(libs.spring.boot.starter.aop) // Benötigt für Resilience4j AOP
// Spring Cloud CircuitBreaker für Gateway Filter Integration
implementation("org.springframework.cloud:spring-cloud-starter-circuitbreaker-resilience4j")
// Reaktiver Webserver (Netty) - now properly referenced from libs
implementation(libs.spring.boot.starter.webflux)
// Spring Security (WebFlux) benötigt für SecurityWebFilterChain-Konfiguration
@@ -71,3 +73,36 @@ dependencies {
tasks.test {
useJUnitPlatform()
}
// Konfiguration für Integration Tests
sourceSets {
val integrationTest by creating {
compileClasspath += sourceSets.main.get().output
runtimeClasspath += sourceSets.main.get().output
}
}
val integrationTestImplementation by configurations.getting {
extendsFrom(configurations.testImplementation.get())
}
tasks.register<Test>("integrationTest") {
description = "Führt die Integration Tests aus"
group = "verification"
testClassesDirs = sourceSets["integrationTest"].output.classesDirs
classpath = sourceSets["integrationTest"].runtimeClasspath
useJUnitPlatform()
shouldRunAfter("test")
testLogging {
events("passed", "skipped", "failed")
showStandardStreams = false
showExceptions = true
showCauses = true
showStackTraces = true
exceptionFormat = org.gradle.api.tasks.testing.logging.TestExceptionFormat.FULL
}
}
infrastructure/gateway/infrastructure/gateway/GATEWAY_ANALYSIS_AND_OPTIMIZATION_REPORT.md
-109
View File
@@ -1,109 +0,0 @@
# Gateway Analysis and Optimization Report
## Summary
This report documents the analysis and optimization of the `infrastructure/gateway` module as requested. The module serves as the API Gateway and single public entry point for all external requests to the Meldestelle system.
## Issues Identified and Fixed
### 1. Critical Build Configuration Error ✅ FIXED
**Issue**: The `build.gradle.kts` file had a syntax error where the `dependencies` block was incorrectly nested inside the Kotlin compiler configuration block.
**Fix**:
- Moved the dependencies block to the correct location outside the compiler configuration
- Added back the explicit Logback dependencies that were needed for proper logging initialization
### 2. Memory Leak in RateLimitingFilter ✅ FIXED
**Issue**: The `RateLimitingFilter` used a `ConcurrentHashMap` that grew indefinitely without cleanup, leading to potential memory leaks in production.
**Fix**:
- Added periodic cleanup mechanism that runs every 5 minutes
- Implemented automatic removal of entries older than 10 minutes
- Added proper logging for cleanup operations
- Added `@Volatile` annotation for thread-safe cleanup timestamp
### 3. Security Vulnerability in Role Detection ✅ FIXED
**Issue**: Admin role detection was vulnerable to header spoofing using simple `X-User-Role` header checks.
**Fix**:
- Enhanced security by requiring both `X-User-Role` and `X-User-ID` headers
- Added documentation explaining the security model
- Improved validation flow between `JwtAuthenticationFilter` and `RateLimitingFilter`
### 4. Insecure JWT Validation ✅ IMPROVED
**Issue**: JWT validation used insecure string contains checks and hashCode-based user IDs.
**Improvements**:
- Added proper JWT format validation (Header.Payload.Signature)
- Implemented structured claims extraction with error handling
- Added claims validation for role and subject fields
- Enhanced user ID generation using hex representation
- Added comprehensive error handling with try-catch blocks
- Prepared structure for future auth-client integration
## Architecture Overview
The Gateway employs a layered security approach with the following filters (in order):
1. **CorrelationIdFilter** (Order: HIGHEST_PRECEDENCE) - Request tracing
2. **EnhancedLoggingFilter** (Order: HIGHEST_PRECEDENCE + 1) - Request/response logging
3. **RateLimitingFilter** (Order: HIGHEST_PRECEDENCE + 2) - Rate limiting with memory leak protection
4. **JwtAuthenticationFilter** (Order: HIGHEST_PRECEDENCE + 3) - JWT authentication
## Known Issues
### Test Execution Failures ⚠️ KNOWN ISSUE
**Issue**: All tests are failing with `NoClassDefFoundError at LogbackLoggingSystem.java:110`
**Analysis**:
- This appears to be a Spring Boot logging system initialization issue
- The error occurs during test bootstrap, not in the actual application code
- The issue may be related to Spring Boot version compatibility or test classpath configuration
- This does not affect the production runtime as the application uses WebFlux with proper logging setup
**Recommendation**:
- Investigate Spring Boot test configuration and version compatibility
- Consider updating Spring Boot version or adjusting test dependencies
- May require deeper analysis of the platform dependencies and version catalog
## Performance Optimizations
1. **Memory Management**: Rate limiting filter now automatically cleans up old entries
2. **Security**: Enhanced JWT validation reduces attack surface
3. **Logging**: Proper cleanup logging helps monitor system health
4. **Error Handling**: Improved error responses with proper JSON formatting
## Security Enhancements
1. **JWT Format Validation**: Proper three-part JWT structure validation
2. **Claims Validation**: Structured validation of JWT claims
3. **Header Spoofing Protection**: Multi-header validation approach
4. **Error Information**: Controlled error responses that don't leak sensitive information
## Configuration
The Gateway supports the following key configurations:
- `gateway.security.jwt.enabled` - Enable/disable JWT authentication (default: true)
- CORS configuration via `gateway.security.cors.*` properties
- Rate limiting constants can be adjusted in `RateLimitingFilter` companion object
## Dependencies
The module correctly uses:
- Spring Cloud Gateway for routing
- Spring Security for foundational security
- Resilience4j for circuit breaker patterns
- Custom auth-client for JWT integration (prepared for future use)
- Monitoring client for metrics and tracing
## Recommendations for Future Development
1. **Complete Auth-Client Integration**: Replace the current JWT validation with full auth-client integration
2. **Distributed Rate Limiting**: Consider Redis-based rate limiting for multi-instance deployments
3. **Metrics Enhancement**: Add more detailed metrics for security events and rate limiting
4. **Test Framework**: Resolve the test execution issues for proper CI/CD integration
5. **Circuit Breaker**: Enhance circuit breaker configuration for downstream services
## Conclusion
The Gateway module has been significantly improved with critical bug fixes and security enhancements. The build configuration is now correct, memory leaks have been prevented, and security has been enhanced. While test execution issues remain, the production code is stable and optimized.
infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/health/GatewayHealthIndicator.kt
+4 -4
View File
@@ -85,13 +85,13 @@ class GatewayHealthIndicator(
if (hasCriticalFailure && !isTestEnvironment) {
builder.down()
details["status"] = "DOWN"
details["reason"] = "One or more critical services are unavailable"
details["reason"] = "Ein oder mehrere kritische Services sind nicht verfügbar"
} else {
details["status"] = "UP"
details["reason"] = if (isTestEnvironment) {
"Health check passed (test environment)"
"Gesundheitsprüfung erfolgreich (Testumgebung)"
} else {
"All critical services are available"
"Alle kritischen Services sind verfügbar"
}
}
@@ -99,7 +99,7 @@ class GatewayHealthIndicator(
builder.down()
.withException(exception)
details["status"] = "DOWN"
details["reason"] = "Failed to check downstream services: ${exception.message}"
details["reason"] = "Fehler beim Prüfen der nachgelagerten Services: ${exception.message}"
}
return builder.withDetails(details).build()
infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/metrics/GatewayMetricsConfig.kt
+7 -7
View File
@@ -77,7 +77,7 @@ class GatewayMetricsConfig {
@Bean
fun requestTimer(meterRegistry: MeterRegistry): Timer {
return Timer.builder(GATEWAY_REQUEST_TIMER)
.description("Gateway request processing time")
.description("Gateway Request-Verarbeitungszeit")
.tag("type", "http")
.register(meterRegistry)
}
@@ -88,7 +88,7 @@ class GatewayMetricsConfig {
@Bean
fun errorCounter(meterRegistry: MeterRegistry): Counter {
return Counter.builder(GATEWAY_ERROR_COUNTER)
.description("Total number of gateway errors")
.description("Gesamtanzahl der Gateway-Fehler")
.register(meterRegistry)
}
@@ -98,7 +98,7 @@ class GatewayMetricsConfig {
@Bean
fun requestCounter(meterRegistry: MeterRegistry): Counter {
return Counter.builder(GATEWAY_REQUESTS_COUNTER)
.description("Total number of gateway requests")
.description("Gesamtanzahl der Gateway-Requests")
.register(meterRegistry)
}
@@ -108,7 +108,7 @@ class GatewayMetricsConfig {
@Bean
fun circuitBreakerCounter(meterRegistry: MeterRegistry): Counter {
return Counter.builder(GATEWAY_CIRCUIT_BREAKER_COUNTER)
.description("Circuit breaker events in gateway")
.description("Circuit Breaker Events im Gateway")
.register(meterRegistry)
}
}
@@ -128,7 +128,7 @@ class GatewayMetricsWebFilter(private val meterRegistry: MeterRegistry) : WebFil
Counter.builder(GatewayMetricsConfig.GATEWAY_REQUESTS_COUNTER)
.tag("method", method)
.tag("path", normalizePath(path))
.description("Total gateway requests")
.description("Gateway-Requests gesamt")
.register(meterRegistry)
.increment()
@@ -151,7 +151,7 @@ class GatewayMetricsWebFilter(private val meterRegistry: MeterRegistry) : WebFil
.tag("path", normalizePath(path))
.tag("status", statusCode)
.tag("status_series", statusSeries)
.description("Gateway request processing time")
.description("Gateway Request-Verarbeitungszeit")
.register(meterRegistry)
.record(duration)
@@ -163,7 +163,7 @@ class GatewayMetricsWebFilter(private val meterRegistry: MeterRegistry) : WebFil
.tag("status", statusCode)
.tag("status_series", statusSeries)
.tag("error_type", if (statusCode.startsWith("4")) "client_error" else "server_error")
.description("Gateway error count")
.description("Gateway-Fehleranzahl")
.register(meterRegistry)
.increment()
}
infrastructure/gateway/src/main/resources/application.conf
+3
View File
@@ -0,0 +1,3 @@
# Placeholder HOCON configuration for compatibility with legacy test scripts
# The actual configuration is provided in application.yml.
# This file ensures scripts that check for application.conf do not fail.
infrastructure/gateway/src/main/resources/application.yml
+18 -17
View File
@@ -20,26 +20,31 @@ spring:
consul:
host: ${CONSUL_HOST:localhost}
port: ${CONSUL_PORT:8500}
enabled: ${CONSUL_ENABLED:false}
discovery:
register: true
enabled: ${CONSUL_ENABLED:false}
register: ${CONSUL_ENABLED:false}
health-check-path: /actuator/health
health-check-interval: 10s
instance-id: ${spring.application.name}-${server.port}-${random.uuid}
gateway:
# HTTP Client-Timeouts für stabile Upstream-Verbindungen
server:
webflux:
httpclient:
connect-timeout: 5000 # in Millisekunden
response-timeout: 30s
pool:
type: elastic
max-idle-time: 15s
max-life-time: 60s
# Disable weight calculation filter to prevent blocking operations
filter:
weight:
enabled: false
# Verbesserte CORS-Konfiguration
# Antwort-Header bereinigen und globale Filter
# Route definitions with service discovery
server:
webflux:
default-filters:
# Route-Definitionen mit Service Discovery
defaultFilters:
- DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
- name: CircuitBreaker
args:
@@ -55,7 +60,7 @@ spring:
maxBackoff: 500ms
factor: 2
basedOnPreviousValue: false
# Security Headers for enhanced protection
# Sicherheits-Header für erweiterten Schutz
- name: AddResponseHeader
args:
name: X-Content-Type-Options
@@ -135,7 +140,7 @@ spring:
name: masterdataCircuitBreaker
fallbackUri: forward:/fallback/masterdata
# Auth Service Routes (if exists)
# Auth Service Routes (falls vorhanden)
- id: auth-service-route
uri: lb://auth-service
predicates:
@@ -147,7 +152,7 @@ spring:
name: authCircuitBreaker
fallbackUri: forward:/fallback/auth
# Ping Service Routes (existing)
# Ping Service Routes (bestehend)
- id: ping-service-route
uri: lb://ping-service
predicates:
@@ -155,7 +160,7 @@ spring:
filters:
- StripPrefix=1
globalcors:
cors-configurations:
corsConfigurations:
'[/**]':
allowedOriginPatterns:
- "https://*.meldestelle.at"
@@ -172,7 +177,7 @@ spring:
allowCredentials: true
maxAge: 3600
# Circuit Breaker Configuration
# Circuit Breaker Konfiguration
resilience4j:
circuitbreaker:
configs:
@@ -237,12 +242,9 @@ management:
access: unrestricted
gateway:
access: unrestricted
circuit breakers:
circuitbreakers:
enabled: true
metrics:
export:
prometheus:
# Prometheus configuration moved to monitoring-client module
distribution:
percentiles-histogram:
spring.cloud.gateway.requests: true
@@ -271,7 +273,7 @@ management:
java:
enabled: true
# Enhanced Logging Configuration
# Erweiterte Logging-Konfiguration
logging:
level:
org.springframework.cloud.gateway: INFO
@@ -287,7 +289,6 @@ logging:
file: "%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level [%X{correlationId:-}] %logger{36} - %msg%n"
file:
name: logs/gateway.log
max-size: 100MB
logback:
rollingpolicy:
clean-history-on-start: true
infrastructure/gateway/src/main/resources/logback.xml
+36
View File
@@ -0,0 +1,36 @@
<?xml version="1.0" encoding="UTF-8"?>
<configuration scan="true">
<property name="LOG_FILE" value="logs/gateway.log"/>
<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level [%X{correlationId}] %logger{36} - %msg%n</pattern>
</encoder>
</appender>
<appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${LOG_FILE}</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>logs/gateway.log.%d{yyyy-MM-dd}.%i.gz</fileNamePattern>
<timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
<maxFileSize>100MB</maxFileSize>
</timeBasedFileNamingAndTriggeringPolicy>
<maxHistory>30</maxHistory>
<totalSizeCap>1GB</totalSizeCap>
</rollingPolicy>
<encoder>
<pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level [%X{correlationId}] %logger{36} - %msg%n</pattern>
</encoder>
</appender>
<logger name="org.springframework.cloud.gateway" level="INFO"/>
<logger name="org.springframework.cloud.loadbalancer" level="DEBUG"/>
<logger name="org.springframework.cloud.consul" level="INFO"/>
<logger name="io.github.resilience4j" level="INFO"/>
<logger name="reactor.netty.http.client" level="INFO"/>
<root level="INFO">
<appender-ref ref="CONSOLE"/>
<appender-ref ref="FILE"/>
</root>
</configuration>
infrastructure/gateway/src/main/resources/openapi/documentation.yaml
+4 -4
View File
@@ -2,12 +2,12 @@ openapi: 3.0.3
info:
title: Meldestelle API
description: |
Self-Contained Systems API Gateway for Austrian Equestrian Federation.
This API provides access to various bounded contexts including authentication,
master data management, horse registry, and event management.
Self-Contained Systems API Gateway für den Österreichischen Pferdesportverband.
Diese API bietet Zugriff auf verschiedene Bounded Contexts einschließlich Authentifizierung,
Stammdatenverwaltung, Pferderegister und Veranstaltungsmanagement.
## Rate Limiting
This API implements rate limiting to ensure fair usage and system stability.
Diese API implementiert Rate Limiting zur Gewährleistung fairer Nutzung und Systemstabilität.
### Global Rate Limits
- Default limit: 100 requests per minute per IP address
infrastructure/gateway/src/test/kotlin/at/mocode/infrastructure/gateway/FallbackControllerTests.kt
+12 -12
View File
@@ -8,31 +8,31 @@ import org.springframework.test.context.ActiveProfiles
import org.springframework.test.web.reactive.server.WebTestClient
/**
* Tests for the Fallback Controller that handles circuit breaker scenarios.
* Tests all fallback endpoints for different services.
* Tests für den Fallback Controller, der Circuit Breaker Szenarien behandelt.
* Testet alle Fallback-Endpunkte für verschiedene Services.
*/
@SpringBootTest(
classes = [GatewayApplication::class],
webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
properties = [
// Disable external dependencies for fallback tests
// Externe Abhängigkeiten für Fallback-Tests deaktivieren
"spring.cloud.discovery.enabled=false",
"spring.cloud.consul.enabled=false",
"spring.cloud.consul.config.enabled=false",
"spring.cloud.consul.discovery.register=false",
"spring.cloud.loadbalancer.enabled=false",
// Disable circuit breaker health indicator to avoid interference
// Circuit Breaker Health Indicator deaktivieren um Interferenzen zu vermeiden
"resilience4j.circuitbreaker.configs.default.registerHealthIndicator=false",
"management.health.circuitbreakers.enabled=false",
// Disable custom filters for pure fallback testing
// Custom Filter für reine Fallback-Tests deaktivieren
"gateway.security.jwt.enabled=false",
// Use reactive web application type
// Reaktiven Web-Anwendungstyp verwenden
"spring.main.web-application-type=reactive",
// Disable gateway discovery
// Gateway Discovery deaktivieren
"spring.cloud.gateway.discovery.locator.enabled=false",
// Disable actuator security
// Actuator Security deaktivieren
"management.security.enabled=false",
// Set random port
// Zufälligen Port setzen
"server.port=0"
]
)
@@ -43,7 +43,7 @@ class FallbackControllerTests {
lateinit var webTestClient: WebTestClient
@Test
fun `should return members service fallback response`() {
fun `sollte Members Service Fallback Response zurückgeben`() {
webTestClient.get()
.uri("/fallback/members")
.exchange()
@@ -60,7 +60,7 @@ class FallbackControllerTests {
}
@Test
fun `should return horses service fallback response`() {
fun `sollte Horses Service Fallback Response zurückgeben`() {
webTestClient.get()
.uri("/fallback/horses")
.exchange()
@@ -75,7 +75,7 @@ class FallbackControllerTests {
}
@Test
fun `should return events service fallback response`() {
fun `sollte Events Service Fallback Response zurückgeben`() {
webTestClient.get()
.uri("/fallback/events")
.exchange()
infrastructure/gateway/src/test/kotlin/at/mocode/infrastructure/gateway/GatewayApplicationTests.kt
+11 -11
View File
@@ -5,31 +5,31 @@ import org.springframework.boot.test.context.SpringBootTest
import org.springframework.test.context.ActiveProfiles
/**
* Basic test to verify that the Gateway application context loads successfully.
* Uses test profile to disable production filters and external dependencies.
* Basis-Test zur Überprüfung, dass der Gateway-Anwendungskontext erfolgreich lädt.
* Verwendet Test-Profil um Produktions-Filter und externe Abhängigkeiten zu deaktivieren.
*/
@SpringBootTest(
classes = [GatewayApplication::class],
webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
properties = [
// Disable all external dependencies for context loading test
// Alle externen Abhängigkeiten für Context-Loading-Test deaktivieren
"spring.cloud.discovery.enabled=false",
"spring.cloud.consul.enabled=false",
"spring.cloud.consul.config.enabled=false",
"spring.cloud.consul.discovery.register=false",
"spring.cloud.loadbalancer.enabled=false",
// Disable circuit breaker for tests
// Circuit Breaker für Tests deaktivieren
"resilience4j.circuitbreaker.configs.default.registerHealthIndicator=false",
"management.health.circuitbreakers.enabled=false",
// Disable custom security and filters
// Custom Security und Filter deaktivieren
"gateway.security.jwt.enabled=false",
// Use reactive web application type
// Reaktiven Web-Anwendungstyp verwenden
"spring.main.web-application-type=reactive",
// Disable gateway discovery
// Gateway Discovery deaktivieren
"spring.cloud.gateway.discovery.locator.enabled=false",
// Disable actuator security
// Actuator Security deaktivieren
"management.security.enabled=false",
// Set random port
// Zufälligen Port setzen
"server.port=0"
]
)
@@ -38,7 +38,7 @@ class GatewayApplicationTests {
@Test
fun contextLoads() {
// This test passes if the Spring application context loads successfully
// without any configuration errors or missing bean dependencies
// Dieser Test ist erfolgreich, wenn der Spring-Anwendungskontext erfolgreich lädt
// ohne Konfigurationsfehler oder fehlende Bean-Abhängigkeiten
}
}
infrastructure/gateway/src/test/resources/application-dev.yml
+2
View File
@@ -21,6 +21,8 @@ spring:
discovery:
locator:
enabled: false
server:
webflux:
httpclient:
connect-timeout: 1000
response-timeout: 5s
infrastructure/gateway/src/test/resources/application-test.yml
+2 -2
View File
@@ -22,8 +22,8 @@ spring:
locator:
enabled: false
httpclient:
connect-timeout: 1000
response-timeout: 5s
connectTimeout: 1000
responseTimeout: 5s
# IMPORTANT: Do not load production lb:// routes in tests
routes: []
globalcors: