feat:support auth. (#1479)

CHANGELOG.md

@@ -39,3 +39,4 @@
 - [feat:add admin http handler.](https://github.com/Tencent/spring-cloud-tencent/pull/1450)
 - [feat:upgrade spring cloud 2023 version.](https://github.com/Tencent/spring-cloud-tencent/pull/1451)
 - [feat:support concurrency rate limit.](https://github.com/Tencent/spring-cloud-tencent/pull/1455)
+- [feat:support auth.](https://github.com/Tencent/spring-cloud-tencent/pull/1479)

pom.xml

@@ -48,6 +48,7 @@
 		<module>spring-cloud-starter-tencent-polaris-circuitbreaker</module>
 		<module>spring-cloud-starter-tencent-polaris-router</module>
 		<module>spring-cloud-starter-tencent-polaris-contract</module>
+		<module>spring-cloud-starter-tencent-polaris-auth</module>
 		<module>spring-cloud-tencent-plugin-starters</module>
 		<module>spring-cloud-tencent-dependencies</module>
 		<module>spring-cloud-starter-tencent-all</module>

spring-cloud-starter-tencent-all/pom.xml

@@ -54,6 +54,11 @@
 			<groupId>com.tencent.cloud</groupId>
 			<artifactId>spring-cloud-starter-tencent-trace-plugin</artifactId>
 		</dependency>
+
+		<dependency>
+			<groupId>com.tencent.cloud</groupId>
+			<artifactId>spring-cloud-starter-tencent-polaris-auth</artifactId>
+		</dependency>
 	</dependencies>
 
 	<build>

spring-cloud-starter-tencent-metadata-transfer/src/main/java/com/tencent/cloud/metadata/core/DecodeTransferMetadataReactiveFilter.java

@@ -97,8 +97,6 @@ public class DecodeTransferMetadataReactiveFilter implements WebFilter, Ordered
 
 		TransHeadersTransfer.transfer(serverHttpRequest);
 		return webFilterChain.filter(serverWebExchange)
-				.doOnError(throwable -> LOG.error("handle metadata[{}] error.",
-						MetadataContextHolder.get(), throwable))
 				.doFinally((type) -> MetadataContextHolder.remove());
 	}
 

spring-cloud-starter-tencent-polaris-auth/pom.xml

@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xmlns="http://maven.apache.org/POM/4.0.0"
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<parent>
+		<artifactId>spring-cloud-tencent</artifactId>
+		<groupId>com.tencent.cloud</groupId>
+		<version>${revision}</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>spring-cloud-starter-tencent-polaris-auth</artifactId>
+	<name>Spring Cloud Starter Tencent Polaris Auth</name>
+
+	<dependencies>
+		<!-- Spring Cloud Tencent dependencies start -->
+		<dependency>
+			<groupId>com.tencent.cloud</groupId>
+			<artifactId>spring-cloud-tencent-rpc-enhancement</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>com.tencent.cloud</groupId>
+			<artifactId>spring-cloud-starter-tencent-metadata-transfer</artifactId>
+		</dependency>
+		<!-- Spring Cloud Tencent dependencies end -->
+
+		<!-- Polaris dependencies start -->
+		<dependency>
+			<groupId>com.tencent.polaris</groupId>
+			<artifactId>polaris-auth-factory</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>com.tencent.polaris</groupId>
+			<artifactId>auth-block-allow-list</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>com.tencent.polaris</groupId>
+			<artifactId>polaris-test-common</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>com.tencent.polaris</groupId>
+			<artifactId>polaris-test-mock-discovery</artifactId>
+			<scope>test</scope>
+			<exclusions>
+				<exclusion>
+					<groupId>junit</groupId>
+					<artifactId>junit</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<!-- Polaris dependencies end -->
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+			<optional>true</optional>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-webflux</artifactId>
+			<optional>true</optional>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-actuator</artifactId>
+			<optional>true</optional>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-actuator-autoconfigure</artifactId>
+			<optional>true</optional>
+		</dependency>
+
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-inline</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-core</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>net.bytebuddy</groupId>
+			<artifactId>byte-buddy</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+</project>

spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/AuthConfigModifier.java

@@ -0,0 +1,46 @@
+/*
+ * Tencent is pleased to support the open source community by making spring-cloud-tencent available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * Licensed under the BSD 3-Clause License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed
+ * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ * CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.tencent.cloud.polaris.auth.config;
+
+import com.tencent.cloud.common.constant.OrderConstant;
+import com.tencent.cloud.polaris.context.PolarisConfigModifier;
+import com.tencent.polaris.factory.config.ConfigurationImpl;
+
+/**
+ * Config modifier for auth.
+ *
+ * @author Haotian Zhang
+ */
+public class AuthConfigModifier implements PolarisConfigModifier {
+
+	private final PolarisAuthProperties polarisAuthProperties;
+
+	public AuthConfigModifier(PolarisAuthProperties polarisAuthProperties) {
+		this.polarisAuthProperties = polarisAuthProperties;
+	}
+
+	@Override
+	public void modify(ConfigurationImpl configuration) {
+		configuration.getProvider().getAuth().setEnable(polarisAuthProperties.isEnabled());
+	}
+
+	@Override
+	public int getOrder() {
+		return OrderConstant.Modifier.AUTH_ORDER;
+	}
+}

spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthAutoConfiguration.java

@@ -0,0 +1,86 @@
+/*
+ * Tencent is pleased to support the open source community by making spring-cloud-tencent available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * Licensed under the BSD 3-Clause License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed
+ * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ * CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.tencent.cloud.polaris.auth.config;
+
+import com.tencent.cloud.common.constant.OrderConstant;
+import com.tencent.cloud.polaris.auth.filter.AuthReactiveFilter;
+import com.tencent.cloud.polaris.auth.filter.AuthServletFilter;
+import com.tencent.cloud.polaris.context.PolarisSDKContextManager;
+import com.tencent.cloud.polaris.context.config.PolarisContextAutoConfiguration;
+
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import static com.tencent.cloud.polaris.auth.filter.AuthServletFilter.AUTH_FILTER_BEAN_NAME;
+import static jakarta.servlet.DispatcherType.ASYNC;
+import static jakarta.servlet.DispatcherType.ERROR;
+import static jakarta.servlet.DispatcherType.FORWARD;
+import static jakarta.servlet.DispatcherType.INCLUDE;
+import static jakarta.servlet.DispatcherType.REQUEST;
+
+/**
+ * Auto configuration for auth.
+ *
+ * @author Haotian Zhang
+ */
+@Configuration(proxyBeanMethods = false)
+@AutoConfigureAfter(PolarisContextAutoConfiguration.class)
+public class PolarisAuthAutoConfiguration {
+
+	/**
+	 * Create when web application type is SERVLET.
+	 */
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
+	protected static class AuthServletFilterConfig {
+
+		@Bean
+		@ConditionalOnMissingBean
+		public AuthServletFilter authServletFilter(PolarisSDKContextManager polarisSDKContextManager) {
+			return new AuthServletFilter(polarisSDKContextManager.getAuthAPI());
+		}
+
+		@Bean
+		public FilterRegistrationBean<AuthServletFilter> authFilterRegistrationBean(
+				AuthServletFilter authServletFilter) {
+			FilterRegistrationBean<AuthServletFilter> registrationBean = new FilterRegistrationBean<>(
+					authServletFilter);
+			registrationBean.setDispatcherTypes(ASYNC, ERROR, FORWARD, INCLUDE, REQUEST);
+			registrationBean.setName(AUTH_FILTER_BEAN_NAME);
+			registrationBean.setOrder(OrderConstant.Server.Servlet.AUTH_FILTER_ORDER);
+			return registrationBean;
+		}
+	}
+
+	/**
+	 * Create when web application type is REACTIVE.
+	 */
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
+	protected static class AuthReactiveFilterConfig {
+
+		@Bean
+		public AuthReactiveFilter authReactiveFilter(PolarisSDKContextManager polarisSDKContextManager) {
+			return new AuthReactiveFilter(polarisSDKContextManager.getAuthAPI());
+		}
+	}
+}

spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthProperties.java

@@ -0,0 +1,39 @@
+/*
+ * Tencent is pleased to support the open source community by making spring-cloud-tencent available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * Licensed under the BSD 3-Clause License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed
+ * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ * CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.tencent.cloud.polaris.auth.config;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+/**
+ * The properties for auth.
+ *
+ * @author Haotian Zhang
+ */
+@ConfigurationProperties("spring.cloud.polaris.auth")
+public class PolarisAuthProperties {
+
+	private boolean enabled = true;
+
+	public boolean isEnabled() {
+		return enabled;
+	}
+
+	public void setEnabled(boolean enabled) {
+		this.enabled = enabled;
+	}
+}

spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesAutoConfiguration.java

@@ -0,0 +1,39 @@
+/*
+ * Tencent is pleased to support the open source community by making spring-cloud-tencent available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * Licensed under the BSD 3-Clause License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed
+ * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ * CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.tencent.cloud.polaris.auth.config;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * Properties auto configuration of auth.
+ *
+ * @author Haotian Zhang
+ */
+@Configuration(proxyBeanMethods = false)
+@EnableConfigurationProperties(PolarisAuthProperties.class)
+public class PolarisAuthPropertiesAutoConfiguration {
+
+	@Bean
+	@ConditionalOnMissingBean
+	public AuthConfigModifier authConfigModifier(PolarisAuthProperties polarisAuthProperties) {
+		return new AuthConfigModifier(polarisAuthProperties);
+	}
+}

spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/config/PolarisAuthPropertiesBootstrapConfiguration.java

@@ -0,0 +1,34 @@
+/*
+ * Tencent is pleased to support the open source community by making spring-cloud-tencent available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * Licensed under the BSD 3-Clause License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed
+ * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ * CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.tencent.cloud.polaris.auth.config;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+
+/**
+ * Autoconfiguration of auth at bootstrap phase.
+ *
+ * @author Haotian Zhang
+ */
+@Configuration(proxyBeanMethods = false)
+@ConditionalOnProperty("spring.cloud.polaris.enabled")
+@Import(PolarisAuthPropertiesAutoConfiguration.class)
+public class PolarisAuthPropertiesBootstrapConfiguration {
+
+}

spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthReactiveFilter.java

@@ -0,0 +1,70 @@
+/*
+ * Tencent is pleased to support the open source community by making spring-cloud-tencent available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * Licensed under the BSD 3-Clause License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed
+ * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ * CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.tencent.cloud.polaris.auth.filter;
+
+import com.tencent.cloud.common.constant.OrderConstant;
+import com.tencent.cloud.common.metadata.MetadataContext;
+import com.tencent.cloud.polaris.auth.utils.AuthenticateUtils;
+import com.tencent.polaris.api.plugin.auth.AuthResult;
+import com.tencent.polaris.auth.api.core.AuthAPI;
+import com.tencent.polaris.auth.api.rpc.AuthResponse;
+import reactor.core.publisher.Mono;
+
+import org.springframework.core.Ordered;
+import org.springframework.core.io.buffer.DataBuffer;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.server.reactive.ServerHttpResponse;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+
+import static org.springframework.core.io.buffer.DefaultDataBufferFactory.DEFAULT_INITIAL_CAPACITY;
+
+/**
+ * Reactive filter to authenticate.
+ *
+ * @author Haotian Zhang
+ */
+public class AuthReactiveFilter implements WebFilter, Ordered {
+
+	private final AuthAPI authAPI;
+
+	public AuthReactiveFilter(AuthAPI authAPI) {
+		this.authAPI = authAPI;
+	}
+
+	@Override
+	public int getOrder() {
+		return OrderConstant.Server.Reactive.AUTH_FILTER_ORDER;
+	}
+
+	@Override
+	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+		AuthResponse authResponse = AuthenticateUtils.authenticate(authAPI, MetadataContext.LOCAL_NAMESPACE,
+				MetadataContext.LOCAL_SERVICE, exchange.getRequest().getURI().getPath(), "HTTP",
+				exchange.getRequest().getMethod().name());
+		if (authResponse != null && authResponse.getAuthResult().getCode()
+				.equals(AuthResult.Code.AuthResultForbidden)) {
+			ServerHttpResponse response = exchange.getResponse();
+			response.setRawStatusCode(HttpStatus.FORBIDDEN.value());
+			DataBuffer dataBuffer = response.bufferFactory().allocateBuffer(DEFAULT_INITIAL_CAPACITY);
+			return response.writeWith(Mono.just(dataBuffer));
+		}
+		return chain.filter(exchange);
+	}
+}

spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/filter/AuthServletFilter.java

@@ -0,0 +1,67 @@
+/*
+ * Tencent is pleased to support the open source community by making spring-cloud-tencent available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * Licensed under the BSD 3-Clause License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed
+ * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ * CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.tencent.cloud.polaris.auth.filter;
+
+import java.io.IOException;
+
+import com.tencent.cloud.common.constant.OrderConstant;
+import com.tencent.cloud.common.metadata.MetadataContext;
+import com.tencent.cloud.polaris.auth.utils.AuthenticateUtils;
+import com.tencent.polaris.api.plugin.auth.AuthResult;
+import com.tencent.polaris.auth.api.core.AuthAPI;
+import com.tencent.polaris.auth.api.rpc.AuthResponse;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+/**
+ * Servlet filter to authenticate.
+ *
+ * @author Haotian Zhang
+ */
+@Order(OrderConstant.Server.Servlet.AUTH_FILTER_ORDER)
+public class AuthServletFilter extends OncePerRequestFilter {
+
+	/**
+	 * Default Filter Registration Bean Name Defined .
+	 */
+	public static final String AUTH_FILTER_BEAN_NAME = "authFilterRegistrationBean";
+
+	private final AuthAPI authAPI;
+
+	public AuthServletFilter(AuthAPI authAPI) {
+		this.authAPI = authAPI;
+	}
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+		AuthResponse authResponse = AuthenticateUtils.authenticate(authAPI, MetadataContext.LOCAL_NAMESPACE,
+				MetadataContext.LOCAL_SERVICE, request.getRequestURI(), "HTTP", request.getMethod());
+		if (authResponse != null && authResponse.getAuthResult().getCode()
+				.equals(AuthResult.Code.AuthResultForbidden)) {
+			response.setStatus(HttpStatus.FORBIDDEN.value());
+			return;
+		}
+		filterChain.doFilter(request, response);
+	}
+}

spring-cloud-starter-tencent-polaris-auth/src/main/java/com/tencent/cloud/polaris/auth/utils/AuthenticateUtils.java

@@ -0,0 +1,53 @@
+/*
+ * Tencent is pleased to support the open source community by making spring-cloud-tencent available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * Licensed under the BSD 3-Clause License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed
+ * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ * CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.tencent.cloud.polaris.auth.utils;
+
+import com.tencent.cloud.common.metadata.MetadataContextHolder;
+import com.tencent.polaris.api.plugin.auth.AuthResult;
+import com.tencent.polaris.auth.api.core.AuthAPI;
+import com.tencent.polaris.auth.api.rpc.AuthRequest;
+import com.tencent.polaris.auth.api.rpc.AuthResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Utils for authenticate.
+ *
+ * @author Haotian Zhang
+ */
+public final class AuthenticateUtils {
+
+	private static final Logger LOG = LoggerFactory.getLogger(AuthenticateUtils.class);
+
+	private AuthenticateUtils() {
+
+	}
+
+	public static AuthResponse authenticate(AuthAPI authAPI, String namespace, String service, String path, String protocol, String method) {
+		// build auth request
+		AuthRequest authRequest = new AuthRequest(namespace, service, path, protocol, method, MetadataContextHolder.get());
+
+		try {
+			return authAPI.authenticate(authRequest);
+		}
+		catch (Throwable throwable) {
+			LOG.error("fail to invoke authenticate of AuthAPI with AuthRequest[{}].", authRequest, throwable);
+			return new AuthResponse(new AuthResult(AuthResult.Code.AuthResultOk));
+		}
+	}
+}

spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -0,0 +1,10 @@
+{
+  "properties": [
+    {
+      "name": "spring.cloud.polaris.auth.enabled",
+      "type": "java.lang.Boolean",
+      "defaultValue": true,
+      "description": "Enable polaris auth or not."
+    }
+  ]
+}

spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring.factories

@@ -0,0 +1,2 @@
+org.springframework.cloud.bootstrap.BootstrapConfiguration=\
+  com.tencent.cloud.polaris.auth.config.PolarisAuthPropertiesBootstrapConfiguration

spring-cloud-starter-tencent-polaris-auth/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports

@@ -0,0 +1,2 @@
+com.tencent.cloud.polaris.auth.config.PolarisAuthPropertiesAutoConfiguration
+com.tencent.cloud.polaris.auth.config.PolarisAuthAutoConfiguration

spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/constant/OrderConstant.java

@@ -90,10 +90,15 @@ public class OrderConstant {
 			 */
 			public static final int ENHANCED_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 10;
 
+			/**
+			 * Order of auth filter.
+			 */
+			public static final int AUTH_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 11;
+
 			/**
 			 * Order of rate-limit filter.
 			 */
-			public static final int RATE_LIMIT_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 10;
+			public static final int RATE_LIMIT_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 12;
 		}
 
 		/**
@@ -110,10 +115,15 @@ public class OrderConstant {
 			 */
 			public static final int ENHANCED_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 10;
 
+			/**
+			 * Order of auth filter.
+			 */
+			public static final int AUTH_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 11;
+
 			/**
 			 * Order of rate-limit filter.
 			 */
-			public static final int RATE_LIMIT_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 10;
+			public static final int RATE_LIMIT_FILTER_ORDER = Ordered.HIGHEST_PRECEDENCE + 12;
 		}
 	}
 
@@ -157,6 +167,11 @@ public class OrderConstant {
 		 */
 		public static Integer RATE_LIMIT_ORDER = 2;
 
+		/**
+		 * Order of auth configuration modifier.
+		 */
+		public static Integer AUTH_ORDER = 2;
+
 		/**
 		 * Order of config configuration modifier.
 		 */

spring-cloud-tencent-commons/src/main/java/com/tencent/cloud/common/metadata/MetadataContextHolder.java

@@ -165,10 +165,10 @@ public final class MetadataContextHolder {
 				}
 			}
 			// caller disposable metadata to caller custom disposable metadata
-			MetadataContainer metadataContainerDownstream = metadataManager.getMetadataContainer(MetadataType.CUSTOM, true);
+			MetadataContainer metadataContainerDownstream = metadataManager.getMetadataContainer(MetadataType.CUSTOM, false);
 			if (!CollectionUtils.isEmpty(dynamicDisposableMetadata)) {
 				for (Map.Entry<String, String> entry : dynamicDisposableMetadata.entrySet()) {
-					metadataContainerDownstream.putMetadataStringValue(entry.getKey(), entry.getValue(), TransitiveType.DISPOSABLE);
+					metadataContainerDownstream.putMetadataStringValue(entry.getKey(), entry.getValue(), TransitiveType.NONE);
 				}
 			}
 			// caller application metadata to caller application disposable metadata

spring-cloud-tencent-coverage/pom.xml

@@ -69,6 +69,11 @@
 			<artifactId>spring-cloud-starter-tencent-polaris-contract</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>com.tencent.cloud</groupId>
+			<artifactId>spring-cloud-starter-tencent-polaris-auth</artifactId>
+		</dependency>
+
 		<dependency>
 			<groupId>com.tencent.cloud</groupId>
 			<artifactId>spring-cloud-starter-tencent-discovery-adapter-plugin</artifactId>

spring-cloud-tencent-dependencies/pom.xml

@@ -162,6 +162,12 @@
 				<version>${revision}</version>
 			</dependency>
 
+			<dependency>
+				<groupId>com.tencent.cloud</groupId>
+				<artifactId>spring-cloud-starter-tencent-polaris-auth</artifactId>
+				<version>${revision}</version>
+			</dependency>
+
 			<dependency>
 				<groupId>com.tencent.cloud</groupId>
 				<artifactId>spring-cloud-starter-tencent-all</artifactId>

spring-cloud-tencent-examples/tsf-example/provider-demo/pom.xml

@@ -32,6 +32,11 @@
 			<artifactId>spring-cloud-starter-tencent-polaris-ratelimit</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>com.tencent.cloud</groupId>
+			<artifactId>spring-cloud-starter-tencent-polaris-auth</artifactId>
+		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>

spring-cloud-tencent-polaris-context/pom.xml

@@ -135,6 +135,11 @@
 			</exclusions>
 		</dependency>
 
+		<dependency>
+			<groupId>com.tencent.polaris</groupId>
+			<artifactId>polaris-auth-factory</artifactId>
+		</dependency>
+
 		<dependency>
 			<groupId>com.tencent.polaris</groupId>
 			<artifactId>polaris-client</artifactId>

spring-cloud-tencent-polaris-context/src/main/java/com/tencent/cloud/polaris/context/PolarisSDKContextManager.java

@@ -30,6 +30,8 @@ import com.tencent.polaris.api.core.ProviderAPI;
 import com.tencent.polaris.api.utils.CollectionUtils;
 import com.tencent.polaris.assembly.api.AssemblyAPI;
 import com.tencent.polaris.assembly.factory.AssemblyAPIFactory;
+import com.tencent.polaris.auth.api.core.AuthAPI;
+import com.tencent.polaris.auth.factory.AuthAPIFactory;
 import com.tencent.polaris.circuitbreak.api.CircuitBreakAPI;
 import com.tencent.polaris.circuitbreak.factory.CircuitBreakAPIFactory;
 import com.tencent.polaris.client.api.SDKContext;
@@ -64,6 +66,7 @@ public class PolarisSDKContextManager {
 	private volatile static RouterAPI routerAPI;
 	private volatile static CircuitBreakAPI circuitBreakAPI;
 	private volatile static LimitAPI limitAPI;
+	private volatile static AuthAPI authAPI;
 	private volatile static AssemblyAPI assemblyAPI;
 	private final PolarisContextProperties properties;
 	private final Environment environment;
@@ -117,6 +120,12 @@ public class PolarisSDKContextManager {
 					limitAPI = null;
 				}
 
+				// destroy AuthAPI
+				if (Objects.nonNull(authAPI)) {
+					((AutoCloseable) authAPI).close();
+					authAPI = null;
+				}
+
 				// destroy AssemblyAPI
 				if (Objects.nonNull(assemblyAPI)) {
 					((Destroyable) assemblyAPI).destroy();
@@ -198,6 +207,11 @@ public class PolarisSDKContextManager {
 		return limitAPI;
 	}
 
+	public AuthAPI getAuthAPI() {
+		initService();
+		return authAPI;
+	}
+
 	public AssemblyAPI getAssemblyAPI() {
 		return assemblyAPI;
 	}
@@ -254,6 +268,9 @@ public class PolarisSDKContextManager {
 				// init LimitAPI
 				limitAPI = LimitAPIFactory.createLimitAPIByContext(serviceSdkContext);
 
+				// init AuthAPI
+				authAPI = AuthAPIFactory.createAuthAPIByContext(serviceSdkContext);
+
 				// init AssemblyAPI
 				assemblyAPI = AssemblyAPIFactory.createAssemblyAPIByContext(serviceSdkContext);