Reputation: 1173
I was trying to search, but did not find an answer suited to our situation.
Basically, we have a Zuul server as API gateway which has the following responsibilities:
+ Authenticate the user, and create and maintain sessions with users
+ Sessions will be stored in redis (we are using spring session with redis)
I want all of the resource servers to have access to the session information created by the Zuul server. But I could not get the session information from the resource servers. It always returns null. I have checked the Redis server and seen that the session has already been created by the Zuul server.
Note that we are using Netflix service discovery to forward requests from Zuul to the respective service.
I would highly appreciate any advice.
Upvotes: 0
Views: 3767
Reputation: 9281
When using Spring Session and Spring Security to protect APIs in a Microservice application, it is easy to set up to use the request header to resolve the session, the usage is very similar to the OAuth2 opaque token.
Declare a bean HttpSessionIdResolver:
HeaderHttpSessionIdResolver.xAuthToken()
Note: this is for Spring MVC. It will resolve the HTTP header x-auth-token.
When a request is sent from the client, in the gateway, pass the header x-auth-token to the downstream services/components.
A working example: hantsy/spring-microservice-sample (But I did not use a Zuul-like gateway in this sample application; I simply used Nginx as a reverse proxy)
Upvotes: 0
Reputation: 1
Make sure you are using a filter order of more than 5:
@Override
public int filterOrder() {
    return 10;
}
For more detail, see the example below: https://stackoverflow.com/a/54833734/11103297
Upvotes: 0
Reputation: 151
I had the same problem. But after I configured the application.yml to set "sensitiveHeaders" to empty, my problem was solved! :)
zuul:
  routes:
    users:
      path: /myusers/**
      sensitiveHeaders:
      url: https://downstream
You can see more details at this link
Upvotes: 1
Reputation: 1173
Actually, I was missing the following code.
context.addZuulRequestHeader("Cookie", "SESSION=" + httpSession.getId());
After adding the above code to pass the session_id in the cookie from the Zuul filter to the respective microservices, they are able to pick up the session_id from the Zuul filter.
Upvotes: 1
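The filter-order advice and the addZuulRequestHeader call from the answers above, put together in one Zuul pre filter. This is an added example, not code from any of the posters; the class name SessionCookieRelayFilter is hypothetical, and it assumes downstream services read the raw session id from a cookie named SESSION, as in the post.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Component;

// Hypothetical class name; the page itself shows only filterOrder()
// and the addZuulRequestHeader() call.
@Component
public class SessionCookieRelayFilter extends ZuulFilter {

    @Override
    public String filterType() {
        return "pre"; // run before the request is routed downstream
    }

    @Override
    public int filterOrder() {
        return 10; // greater than 5, as the answer above recommends
    }

    @Override
    public boolean shouldFilter() {
        // Act only when the gateway already holds a session for this caller;
        // getSession(false) never creates a session as a side effect.
        return RequestContext.getCurrentContext().getRequest().getSession(false) != null;
    }

    @Override
    public Object run() {
        RequestContext context = RequestContext.getCurrentContext();
        HttpSession httpSession = context.getRequest().getSession(false);
        if (httpSession == null) {
            return null; // session ended between shouldFilter() and run()
        }
        // Assumption: the downstream service expects the raw session id in a
        // cookie named SESSION, exactly as in the post above.
        context.addZuulRequestHeader("Cookie", "SESSION=" + httpSession.getId());
        return null; // Zuul ignores the return value of run()
    }
}
```

The session id is a bearer credential for the whole user session, so a filter like this belongs only on routes to services you operate, not on routes that proxy to third-party URLs.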
Reputation: 5589
Even though you're storing the session in Redis, the session id is stored in a cookie and must be delivered to your resource servers. But the default configuration of Zuul filters out all cookie-related headers.
Below is the default Zuul configuration for sensitive headers, which are not passed to downstream servers.
zuul.sensitiveHeaders=Cookie,Set-Cookie,Authorization
To pass cookie-related headers from Zuul to your resource servers, you need to redefine it without the cookie-related headers, as below.
zuul.sensitiveHeaders=Authorization
The above example uses global configuration. You can also define it for each route. Please refer to the section "Cookies and Sensitive Headers" in the linked doc: http://cloud.spring.io/spring-cloud-netflix/spring-cloud-netflix.html
If you also need the Authorization header in your resource servers, you can define the above configuration with a blank list.
Upvotes: 0