Reputation: 2087
Spring Security Preauthorization Filter On Zuul To Establish and Share Session
I'm on a dev team working on a large scale project that uses Spring-based microservices. We've recently discovered the Spring Cloud project and are experimenting with implementing the Netflix services, Zuul, Eureka, Ribbon, etc.
In our environment, nobody will have access to the domain that our application will be running on until they have be pre-authorized through an external service. Once they reach our application, we will be able to obtain the user's identity through a header token provided by the authorization service.
I'd like to have Zuul set up with Spring Security using a preauthentication filter to establish the user's session, and use Spring Session to make the session available to all back-end microservices.
Is this a legitimate approach? The only information I can see about security on Zuul is the ability to proxy OAuth2 tokens to back-end services, but we have no need for OAuth2. Is there a better way to establish the user's session and share it across the services in our back-end architecture?
Upvotes: 4
Views: 17017
Answers (2)
Reputation: 24568
Like you, I didn't have a need for OAuth and found out of the box Zuul lacking auth support without OAuth. I wanted to invoke the auth service without losing the Spring Cloud discovery and client side load balancing abilities. I achieved that by decorating the RibbonRoutingFilter as follows later. Note that this approach requires the original RibbonRoutingFilter to be disabled which can be done with one line in the application.yml: zuul.RibbonRoutingFilter.route.disable: true
Basically, I back up the original service id and overwrite it with the auth service id before delegating the request to the original RibbonRoutingFilter. If the auth is successful, I restore the original service id and delegate the request again to the original RibbonRoutingFilter. If the auth is unsuccessful, I return an error. Full code on my GitHub: AuthAwareRoutingFilter.java
Upvotes: -1
Reputation: 467
Please have a look at the following Tutorial
You can jump into the code on GitHub
I was able to get the project up and running, and am now in the process of modifying the in-memory authentication to use Ldap. I am new to Java and found this tutorial pretty straight forward.
Yours,
Mike Kowalski
Upvotes: 4
Related Questions
- spring session sharing between zuul and resource servers
- Basic Authentication service called By Zuul
- Spring OAuth Authorization Server behind Spring Cloud Zuul Proxy
- Zuul filter requests
- Spring Zuul Oauth2 Gateway/Resource Server
- ZUUL send basic authentication to downstream application
- Spring cloud Zuul pass JWT downstream
- Spring Cloud Zuul gateway 401 basic authentication
- Zuul - Api Gateway Authentication
- Sticky Sessions and Zuul in Spring Cloud