Role of gateway in TM Forum projects

This article will provide you answers to what is a gateway, and why is it essential in telecommunications projects based on TM Forum standards.

As Devapo, we are an active TM Forum member who have signed the ODA Manifesto. This means we have all the necessary knowledge and tools to implement a solution based on this innovative framework into telecom infrastructure. Below I will provide you an example of how to start using gateway.

Roles of gateways in projects based on TM Forum standards

The concept of a “gateway” has become an integral element of complex projects and infrastructures built on TM Forum standards. A gateway plays a crucial role in ensuring smooth communication between various networks, systems, or protocols. It serves as a point of entry and exit. Enables the transfer of data from one environment to another, regardless of their diversity or complexity.

In the context of telecommunications projects based on TM Forum standards, these solutions are highly significant in modern communication systems. They bring benefits to network operators and end-users.
In telecommunications projects based on TM Forum standards, gateways play a crucial role due to several reasons:

• Interoperability: Gateways facilitate the seamless exchange of data between disparate networks, protocols, and systems. By that ensures compatibility and smooth operation across the entire ecosystem.
  
• Service Orchestration: TM Forum frameworks emphasize service orchestration, enabling the efficient delivery and management of telecommunications services. Gateways serve as integration points. Various services and applications converge, allowing for centralized control and coordination of complex service delivery workflows.
  
• Protocol Conversion: Telecommunications networks often use diverse communication protocols and technologies. Gateways act as protocol converters, translating data between different formats and standards to ensure compatibility and interoperability across heterogeneous environments. This capability is particularly essential in multi-vendor and multi-technology networks, where seamless communication between different equipment and systems is required.
  
• Security and Policy Enforcement: In telecommunications projects, security and policy enforcement are paramount. Gateways incorporate security mechanisms and policy enforcement functionalities to protect sensitive data, authenticate users, and enforce access control policies. By acting as gatekeepers, these gateways help safeguard the integrity and confidentiality of telecommunications networks and services.
  
• Scalability and Flexibility: TM Forum-based telecommunications projects often need to scale to accommodate growing demands and evolving technologies. Gateways provide scalability by efficiently handling increasing volumes of data traffic and supporting the integration of new services and technologies. Moreover, they offer flexibility by adapting to changing network requirements and business needs without requiring extensive modifications to existing infrastructure.

The Use of Spring Cloud Gateway in telecom project

In the context of telecommunications projects based on TMForum standards, it’s common to utilize programming platforms that allow for rapid and efficient implementation of gateways. One popular option is leveraging Spring Cloud gateway, a reactive framework for the Spring platform.

Spring Cloud gateway project offers libraries for constructing an API Gateway using Spring WebFlux or Spring WebMVC. Spring Cloud Gateway aims to deliver a straightforward yet powerful method for routing to APIs while addressing cross-cutting concerns like security, monitoring/metrics, and resilience.

Try it yourself

Let’s take a look at some code. To start using the gateway in the Spring Boot , you must place the following dependency in the pom.xml file:

<dependency>
   <groupId>org.springframework.cloud</groupId>
   <artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>

To use LDAP authentication, you need to additionally include these dependencies.

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-security</artifactId>
</dependency>

<dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-ldap</artifactId>
</dependency>

Now let’s create a configuration class.

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfig {
}

The @EnableWebFluxSecurity annotation is used in Spring WebFlux applications to enable security configuration for reactive web endpoints. When this annotation is added to a configuration class, it indicates that the application will use Spring Security’s features. It secures the endpoints in a reactive way. User’s can then create one or more ServerHttpSecurity Bean instances

Boost security

The @EnableReactiveMethodSecurity is used to enable the method level security. 

Let’s add securityWebFilter bean responsible for constructing a filter chain that manages security for incoming requests.

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
   return http
       .csrf().disable()
       .authenticationManager(authenticationManager())
       .authorizeExchange()
    .pathMatchers("/productOrderingManagement/**").hasAnyAuthority(devapoProductOrderingUserGroup, devapoProductOrderingAdminGroup, devapoAdmin)
       .pathMatchers("/geographicAddressManagement/**").hasAuthority(devapoAdmin)
       .pathMatchers("/partyManagement/**").hasAuthority(devapoAdmin)
       .and()
       .exceptionHandling()
       .authenticationEntryPoint(new CustomAuthenticationEntryPoint())
       .and()
       .httpBasic()
       .and()
       .build();
}

This code sets up security rules for different URL patterns, specifies required authorities for accessing certain endpoints, and configures exception handling and authentication mechanisms for a Spring WebFlux application using Spring Security.

We will add some beans to our configuration.

@Bean
public ReactiveAuthenticationManager authenticationManager() {
   AuthenticationManager authenticationManager = new ProviderManager(List.of(ldapAuthenticationProvider()));
   return new ReactiveAuthenticationManagerAdapter(authenticationManager);
}

@Bean
public DefaultSpringSecurityContextSource contextSource() {
   DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource(url);
   contextSource.setBase(searchBase);
   contextSource.setUserDn(managerDn);
   contextSource.setPassword(managerPassword);
   return contextSource;
}

@Bean
public LdapBindAuthenticator bindAuthenticator() {
   LdapBindAuthenticator ldapBindAuthenticator = new LdapBindAuthenticator(contextSource());
   ldapBindAuthenticator.setUserSearch(ldapUserSearch());
   return ldapBindAuthenticator;
}

@Bean
public LdapUserSearch ldapUserSearch() {
   return new FilterBasedLdapUserSearch("", searchFilter, contextSource());
}

@Bean
public ActiveDirectoryLdapAuthenticationProvider ldapAuthenticationProvider() {
   ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(domain, url);
   provider.setConvertSubErrorCodesToExceptions(true);
   provider.setUseAuthenticationRequestCredentials(true);
   return provider;
}

These beans are used to configure LDAP authentication in a Spring application. Let’s break down each bean:

1. The authenticationManager bean creates a reactive authentication manager that utilizes an LDAP authentication provider for authenticating users.
2. The contextSource bean initializes a default Spring Security context source with specified URL, search base, manager DN, and manager password for LDAP authentication.
3. The bindAuthenticator bean configures an LDAP bind authenticator using the previously defined context source and sets up user search functionality.
4. The ldapUserSearch bean constructs an LDAP user search with a filter-based approach using the provided search filter and context source.
5. The ldapAuthenticationProvider bean creates an Active Directory LDAP authentication provider with specified domain and URL. Enables the conversion of sub-error codes to exceptions and utilizing authentication request credentials for authentication.

Next, we can add custom authorization error handling.

@Component
public class CustomAuthenticationEntryPoint implements ServerAuthenticationEntryPoint, Serializable {

   @Override
   public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException ex) {
       ServerHttpResponse response = exchange.getResponse();

       response.setStatusCode(org.springframework.http.HttpStatus.UNAUTHORIZED);
       response.getHeaders().setContentType(MediaType.APPLICATION_JSON);

       String message = "Authentication failed: " + ex.getMessage();
       String jsonResponse = "{\"error\": \"" + message + "\"}";

       byte[] responseBytes = jsonResponse.getBytes();
       DataBufferFactory dataBufferFactory = response.bufferFactory();
       DataBuffer buffer = dataBufferFactory.wrap(responseBytes);

       return response.writeAndFlushWith(Mono.just(Mono.just(buffer)));
   }
}

This class provides a custom mechanism for handling authentication failures by returning a JSON response with an appropriate error message when authentication fails. Also, we can extend bind error handling by extending BindAuthenticator class:

public class LdapBindAuthenticator extends BindAuthenticator {

   public LdapBindAuthenticator(BaseLdapPathContextSource contextSource) {
       super(contextSource);
   }

   @Override
   protected void handleBindException(String userDn, String username, Throwable cause) {
       super.handleBindException(userDn, username, cause);
       if (cause.getMessage().contains("data 775")) {
           throw new LockedException(messages.getMessage(
               "LdapAuthenticationProvider.locked", "User account is locked"), cause);
       }
   }
}

This class enhances the functionality of the BindAuthenticator class. Provides customized error handling specifically tailored for LDAP authentication, such as detecting and handling account lockout errors.

Missing puzzle – Routing

Routing is a fundamental aspect of web application development, especially when using frameworks like Spring Cloud Gateway. In the context of Spring Cloud Gateway, routes serve as essential conduits for directing incoming requests to various endpoints within the application. Let’s delve deeper into the significance of routing in this framework.

In Spring Cloud Gateway, routes act as navigational paths that guide incoming requests to their respective destinations. These destinations can include different microservices, API endpoints, or backend servers, making routes pivotal in orchestrating how the application handles incoming traffic.

Importance of Routing with Spring Cloud Gateway:

1. Dynamic Traffic Distribution: Spring Cloud Gateway empowers developers to dynamically distribute incoming traffic among different backend services or instances. By configuring routes, load balancing strategies can be applied to ensure optimal resource utilization and responsiveness across the application.
2. Flexible Endpoint Management: With Spring Cloud Gateway, routes provide a flexible mechanism for managing endpoints and APIs. Through route definitions, developers can specify conditions based on request attributes like URL paths, headers, or query parameters. By that enabling precise control over how requests are routed and processed.
3. Centralized Configuration: Spring Cloud Gateway facilitates centralized route configuration, allowing developers to define and manage routing rules in a single location. This centralized approach streamlines maintenance and ensures consistency across the application’s routing logic.
4. Request and Response Transformation: Routes in Spring Cloud Gateway support various filters and transformations that can modify incoming requests or outgoing responses. This capability enables developers to implement cross-cutting concerns such as authentication, logging, rate limiting, or content manipulation in a reusable and configurable manner.

Routing plays a pivotal role in Spring Cloud Gateway by providing a dynamic, flexible, and centralized mechanism for directing incoming requests to their intended destinations. By leveraging routing capabilities effectively, developers can optimize resource utilization, enhance application scalability, and implement robust cross-cutting concerns with ease.

Routes configuration

We can configure routes in application.yml:

spring:
 cloud:
   gateway:
     routes:
       - id: product_ordering_management_route
         uri: http://localhost:8081
         predicates:
           - Path=/productOrderingManagement/**
         filters:
           - RewritePath=/productOrderingManagement/, /
       - id: geographic_address_management
         uri: http://localhost:8082
         predicates:
           - Path=/geographicAddressManagement/**
         filters:
           - RewritePath=/geographicAddressManagement/, /
       - id: part_management_route
         uri: http://localhost:8083
         predicates:
           - Path=/partyManagement/**
         filters:
           - RewritePath=/partyManagement/, /

These properties configure Spring Cloud Gateway to route requests based on specific paths to different backend services, while also modifying the request path as needed before forwarding it to the target service.

Additionally, Spring Cloud Gateway offers a plethora of other filters. As a result they can be seamlessly integrated into these routes. These filters allow developers to implement a wide range of functionalities such as request/response transformation, rate limiting, circuit breaking, authentication, and more, providing extensive customization and enhancing the capabilities of the gateway.

This is a fully functional gateway with multiple routes, LDAP authentication, and error handling capabilities.