Spring Cloud Eureka with Spring security

Question

I have a project using a eureka server and client. The Eureka server is using spring security and users accessing any URL should authenticate themselves. This also applies on the Eureka clients.

The current configuration looks like the following:

Eureka Server:

Java:

@SpringBootApplication
@EnableEurekaServer
@EnableZuulProxy
@Controller
public class UiApplication {

    @GetMapping("/user")
    @ResponseBody
    public Principal user(Principal user) {
        return user;
    }

    @GetMapping(value = "/{path:[^\\.]*}")
    public String redirect() {
        return "forward:/";
    }

    public static void main(String[] args) {
        SpringApplication.run(UiApplication.class, args);
    }

    @Configuration
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .httpBasic().and()
                .logout().and()
                .authorizeRequests()
                .antMatchers("/index.html", "/", "/home", "/login").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .csrf()
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
            // @formatter:on
        }
    }

}

Config:

security:
  basic:
    enabled: true
  user:
    password: password
spring:
  application:
    name: main
  session:
    store-type: redis
zuul:
  routes:
    resource:
      path: /resource/**
      #url: http://localhost:9000
      sensitive-headers:

eureka:
  instance:
    hostname: localhost
  client:
    registerWithEureka: true
    fetchRegistry: true
    serviceUrl:
      defaultZone: http://user:password@localhost:8080/eureka/

Already when starting the server I get an exception, because the eureka client is enabled for the server and tries to connect, but can't because of authentication problems. The exception is the following:

com.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server

If I disable spring security in the server properties everything works fine. How do I authenticate the eureka client if spring security is activated?

Answer 1

You need to explicitly disable CSRF protection Declare the following definitions in the Sprint class:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.eureka.server.EnableEurekaServer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@SpringBootApplication
@EnableEurekaServer
public class EurekaClientApplication {

    @EnableWebSecurity
    static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * disable CSRF
         * @param http
         * @throws Exception
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable();
        }
    }

    public static void main(String[] args) {
        SpringApplication.run(EurekaClientApplication.class, args);
    }
}

Answer 2

Use this below security configuration. Also in your ZUUL server change it to @EnableEurekaClient from @EnableEurekaServer

package com.debopam.discovery;


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * @author Debopam
 *
 */
@Configuration
@EnableWebSecurity
@Order(1)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
        .withUser("discUser").password("discPassword").roles("SYSTEM")
        .and()
        .withUser("admin").password("admin").roles("ADMIN")
        .and()
        .withUser("actuator").password("actuator").roles("ACTUATOR");
        ;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
                        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).and()
                        .httpBasic().and()/*disable().*/
                        .authorizeRequests()
                            .antMatchers(HttpMethod.GET, "/") .hasRole("ADMIN")
                            .antMatchers("/manage/health**").permitAll()
                            .antMatchers("/manage/**").hasRole("ACTUATOR")
                            .antMatchers("/eureka/css/**","/eureka/images/**","/eureka/fonts/**", "/eureka/js/**").permitAll()
                            .antMatchers("/eureka/**").hasRole("SYSTEM")
                        .anyRequest().denyAll()
                .and().csrf().disable();
    }
}