Design and Implementation of a SpringBoot‑Based API Gateway with High Performance, High Availability, and Security

Background & Goals

In the era of micro‑service architecture, an API gateway is a fundamental component. While open‑source gateways such as Zuul and Spring Cloud Gateway are widely used, this article explores how to implement a lightweight gateway based solely on SpringBoot, focusing on core capabilities, performance, high availability and security.

Core Capabilities

Authentication and authorization

Routing and forwarding

Standardized responses

Custom exception handling

High Performance & High Availability

To achieve low latency, the gateway uses NIO2 (AIO) for I/O and integrates Alibaba Sentinel for rate‑limiting, circuit‑breaking and degradation. Tomcat is customized to use the Http11Nio2Protocol which improves throughput by more than 20 % under heavy concurrency.

Implementation Details

Pre‑routing Filters

Example of an IP blacklist filter:

/**
 * 黑名单IP过滤器
 */
@Component
@WebFilter(urlPatterns = "/*", filterName = "backListFilter")
@Slf4j
public class BackListFilter implements Filter, Ordered {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        Filter.super.init(filterConfig);
    }
    @Override
    public void destroy() {
        Filter.super.destroy();
    }
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String remoteAddress = "";
        String blackList = "";
        if (blackList.contains(remoteAddress)) {
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            response.setStatus(HttpStatus.FORBIDDEN.value());
            PrintWriter out = response.getWriter();
            out.write("request refused");
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }
    @Override
    public int getOrder() {
        // 设置Filter执行顺序（越小优先级越高）
        return 0;
    }
}

Routing Filters

Routing uses Apache HttpClient with a connection pool, custom time‑outs and a retry handler. The RestTemplate bean is configured as follows:

@Configuration
public class RestTemplateConfig {
    @Value("${httpclient.connection-request-timeout}")
    private Integer connectionRequestTimeout;
    @Value("${httpclient.connect-timeout}")
    private Integer connectTimeout;
    @Value("${httpclient.socket-timeout}")
    private Integer socketTimeout;

    @Bean
    public RestTemplate restTemplate() {
        return new RestTemplate(httpRequestFactory());
    }

    @Bean
    public ClientHttpRequestFactory httpRequestFactory() {
        HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient());
        // 缓冲请求数据，默认值是true。通过POST或者PUT大量发送数据时，建议将此属性更改为false，以免耗尽内存。
        factory.setBufferRequestBody(false);
        return factory;
    }

    @Bean
    public HttpClient httpClient() {
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .register("https", SSLConnectionSocketFactory.getSocketFactory())
                .build();
        PoolingHttpClientConnectionManager manager = new PoolingHttpClientConnectionManager(registry);
        // 1、连接管理
        manager.setMaxTotal(200); // 设置整个连接池最大连接数 根据自己的场景决定
        manager.setDefaultMaxPerRoute(100); // 路由是对maxTotal的细分
        // 2、请求相关配置
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectionRequestTimeout(connectionRequestTimeout) // 从连接池中获取连接的超时时间
                .setConnectTimeout(connectTimeout) // 连接上服务器(握手成功)的时间
                .setSocketTimeout(socketTimeout) // 服务器返回数据(response)的时间
                .build();
        // 3、重试机制
        HttpRequestRetryHandler retryHandler = (e, retryTimes, context) -> {
            // 重试次数最多2次
            if (retryTimes > CommonConstant.HTTPCLIENT_RETRY_TIMES) {
                return false;
            }
            // 请求发生一些IO类型的异常时，进行重试
            if (e instanceof UnknownHostException || e instanceof ConnectTimeoutException
                    || !(e instanceof SSLException) || e instanceof NoHttpResponseException) {
                return true;
            }
            return false;
        };
        // 4、设置默认的Header
        List<Header> headers = new ArrayList<>();
        headers.add(new BasicHeader("Accept-Encoding", "gzip,deflate"));
        headers.add(new BasicHeader("Connection", "Keep-Alive"));
        // 创建httpclient对象
        return HttpClientBuilder.create()
                .setDefaultRequestConfig(requestConfig)
                .setConnectionManager(manager)
                .setRetryHandler(retryHandler)
                .setDefaultHeaders(headers)
                .build();
    }
}

Response & Error Filters

Responses are normalized based on the Content‑Type header, and a global exception handler converts custom authentication exceptions into HTTP 401 responses.

public class AuthResultException extends RuntimeException {
    private static final long serialVersionUID = 1L;
    /**
     * 设置异常对应的Http状态码，业务错误码，业务提示信息，可指定是否生成详细的错误信息
     */
    public AuthResultException(ResultCode resultCode) {
        super(resultCode.getMessage());
    }
}

@ControllerAdvice
public class GlobalExceptionHandler {
    @ExceptionHandler(Exception.class)
    @ResponseBody
    public void handleException(HttpServletRequest request, HttpServletResponse response, Exception e) {
        // 鉴权自定义异常，返回401
        if (e instanceof AuthResultException) {
            result.setErrcode(110002);
            result.setMessage("未登录或用户不存在");
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
        }
    }
}

Summary

The gateway is built on DDD‑style micro‑domains (pre‑routing, routing, response, error), leverages NIO2 for I/O, uses Sentinel for resilience, and provides configurable IP black‑listing and logging controls to balance security and observability.