Joey Trang

Reputation: 1173

redirect to remote URL from spring zuul filter

I am trying to implement an API gateway using the Zuul proxy server. Basically, what I want to achieve is that when a client sends a request to a resource server through the gateway, the gateway simply checks whether a client session exists; if not, it redirects to the SSO server for authentication. However, the Zuul filter always gets into the resource servers without redirecting to the SSO server.

Below is a code snippet to redirect to the remote SSO:

import java.net.URL;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Class wrapper, filter type and order are assumed (a "pre" filter); the question only shows run().
// populateFedUrlWithRelay() and AppConstants.PHOENIX_COOKIE are defined elsewhere in the poster's code.
public class SsoRedirectFilter extends ZuulFilter {

    private static final Logger log = LoggerFactory.getLogger(SsoRedirectFilter.class);

    @Override
    public String filterType() {
        return "pre";
    }

    @Override
    public int filterOrder() {
        return 1;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public Object run() {
        try {
            RequestContext context = RequestContext.getCurrentContext();
            HttpServletRequest request = context.getRequest();
            HttpServletResponse response = context.getResponse();

            // step 1: check whether a session exists; if not, redirect to federation for authentication.
            // If a session already exists, add the session id as a cookie when forwarding to the target service.
            // TODO: commented out for now.
            HttpSession currentSession = request.getSession(false);
            String samlAuthenWithRelayUrl = populateFedUrlWithRelay(request);

            if (currentSession == null) {
                // redirect to federation with relay URL
                // Note: setRouteHost() changes where Zuul proxies the request; it does not send a 302 to the client.
                context.setRouteHost(new URL(samlAuthenWithRelayUrl));
                // response.sendRedirect(samlAuthenWithRelayUrl);
            } else {
                HttpSession httpSession = request.getSession();
                context.addZuulRequestHeader(AppConstants.PHOENIX_COOKIE, "SESSION=" + httpSession.getId());
            }
        } catch (Exception ex) {
            log.error(ex.getMessage(), ex);
            // redirect to error page
        }

        return null;
    }
}

Please advise if any part is missing to achieve my goal. Thanks.

Upvotes: 0

Views: 2365

Answers (1)

Aritz

Reputation: 31649

The API gateway should never redirect to the Single Sign-On service, IMO. The gateway is not intended to be accessed from a browser, but from a REST client library or from tools like Postman. If authentication fails, it should return a 401 response, not a 302.

UNRELATED: Read this if you have some kind of server-side web UI framework that consumes the REST API (such as JSF).

For requests made to the view (UI service), I had a similar problem with Zuul and Keycloak SSO. I just couldn't get the UI service behind Zuul to have the OpenID Connect standard flow properly executed. I ended up using Zuul just for the REST API and letting the end user's browser make requests to the UI service directly (I have a single instance).

Here you have my problem described on the Keycloak mailing list, and what I tried in order to fix it in this GitHub repo.

Upvotes: 2
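Putting the question and the answer together, here is an added example (not code from either post): a Zuul pre-filter that gates every proxied request on an existing server-side session, returns 401 to API clients as the answer recommends, and, for requests that advertise a browser (Accept: text/html), issues a real HTTP 302 to the SSO login page instead of rerouting the proxied request with setRouteHost(). In both unauthenticated cases it calls setSendZuulResponse(false) so the request never reaches the resource server. The class name SessionGateFilter, the fields ssoLoginUrl and gatewayBaseUrl, the helpers acceptsHtml and relayState, and the RelayState parameter name are assumptions; the RequestContext and FilterConstants calls are the Spring Cloud Netflix Zuul 1 API, and URLEncoder.encode(String, Charset) needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;

// Pre-filter that answers unauthenticated requests from the gateway itself:
// 401 for API clients, 302 to SSO for browser navigations, never proxied onward.
public class SessionGateFilter extends ZuulFilter {

    // Hypothetical values; in a deployment both come from configuration.
    private final String ssoLoginUrl;     // the IdP's login endpoint
    private final String gatewayBaseUrl;  // the gateway's own public base URL

    public SessionGateFilter(String ssoLoginUrl, String gatewayBaseUrl) {
        this.ssoLoginUrl = ssoLoginUrl;
        this.gatewayBaseUrl = gatewayBaseUrl;
    }

    @Override
    public String filterType() {
        return FilterConstants.PRE_TYPE;
    }

    @Override
    public int filterOrder() {
        // Run before PreDecorationFilter so an unauthenticated request is stopped
        // before any routing decision is made.
        return FilterConstants.PRE_DECORATION_FILTER_ORDER - 1;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();

        // getSession(false) never creates a session as a side effect of an anonymous request.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Authenticated: pass the session cookie to the backend and let Zuul route normally.
            ctx.addZuulRequestHeader("Cookie", "SESSION=" + session.getId());
            return null;
        }

        // Unauthenticated: the gateway writes the response itself and Zuul skips the backend.
        ctx.setSendZuulResponse(false);

        if (acceptsHtml(request)) {
            // A genuine redirect is a 302 status plus a Location header on the client response.
            // setRouteHost() would instead make Zuul fetch the SSO page on the client's behalf.
            ctx.setResponseStatusCode(302);
            ctx.addZuulResponseHeader("Location", ssoLoginUrl + "?RelayState=" + relayState(request));
        } else {
            // Machine clients (REST libraries, Postman) get the status the answer recommends.
            ctx.setResponseStatusCode(401);
            ctx.addZuulResponseHeader("WWW-Authenticate", "Bearer realm=\"api-gateway\"");
            ctx.setResponseBody("{\"error\":\"unauthenticated\"}");
        }
        return null;
    }

    // Browser navigations advertise text/html; API clients normally ask for JSON.
    private static boolean acceptsHtml(HttpServletRequest request) {
        String accept = request.getHeader("Accept");
        return accept != null && accept.contains("text/html");
    }

    // The return target is rebuilt from the gateway's configured base URL plus the requested
    // path, so neither the Host header nor a client-supplied URL decides where the IdP sends
    // the user back after login.
    private String relayState(HttpServletRequest request) {
        String path = request.getRequestURI();
        String query = request.getQueryString();
        String target = gatewayBaseUrl + path + (query != null ? "?" + query : "");
        return URLEncoder.encode(target, StandardCharsets.UTF_8);
    }
}
```

Register the filter as a Spring bean and it is picked up by the Zuul filter chain. The Accept-header split keeps the answer's point intact: programmatic callers never see a redirect, while a user who pastes a gateway URL into a browser is still sent to the login page with a relay target the gateway itself constructed.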
