Reputation: 313
Is it possible to use Zuul as a "fake" resource server, checking the OAuth2 scope before returning proxied content?
Something like:
incoming request (with token) -> Zuul proxy + resource server -> internal API (insecure)
The internal API service could then be freed from any security concerns, with the Zuul proxy service acting as a gateway. All of the above would be Spring applications, if that makes a difference.
Upvotes: 0
Views: 1260
Reputation: 694
Absolutely.
You have to configure the resource server as well: create a bean ResourceServerConfig that extends ResourceServerConfigurerAdapter and override the configure(HttpSecurity security) method. Annotate it with the @EnableResourceServer annotation.
Something like this:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .and()
                .authorizeRequests()
                // Uncomment to require the "read" scope on the matched paths:
                // .antMatchers("/swagger*", "/v2/**")
                // .access("#oauth2.hasScope('read')")
                .anyRequest()
                .permitAll();
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }

    @Bean
    public TokenStore tokenStore() {
        // JWTs are verified locally from their signature; nothing is looked up in a store
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Symmetric (HMAC) signing key shared with the authorization server;
        // "123" is only a placeholder value for this snippet
        converter.setSigningKey("123");
        // Alternative: verify with the authorization server's RSA public key
        // (needs org.springframework.core.io.ClassPathResource and Resource,
        // org.apache.commons.io.IOUtils, java.io.IOException, java.nio.charset.Charset):
        // Resource resource = new ClassPathResource("publicKey.txt");
        // String publicKey = null;
        // try {
        //     publicKey = IOUtils.toString(resource.getInputStream(), Charset.defaultCharset());
        // } catch (final IOException e) {
        //     throw new RuntimeException(e);
        // }
        // converter.setVerifierKey(publicKey);
        return converter;
    }
}
```
Upvotes: 1
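As an added example that is not part of the question or the answer above, here is a minimal Spring Boot gateway that does what the question describes: Zuul proxies `/api/**` to an internal service, and the same application acts as the OAuth2 resource server, so a request is only forwarded when its token carries the required scope. The route name, the internal hostname, the scope names, the resource id, the `JWT_SIGNING_KEY` environment variable and the package name are all assumptions made for this example; Spring Cloud Netflix Zuul and Spring Security OAuth2 on the classpath are assumed as well.

```java
package example.gateway; // assumed package name

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

// application.properties for this gateway (assumed values):
//   zuul.routes.internal.path=/api/**
//   zuul.routes.internal.url=http://internal-api:8080/
// Zuul's default zuul.sensitiveHeaders (Cookie, Set-Cookie, Authorization) means the
// bearer token is stripped before the request reaches the internal service.
@SpringBootApplication
@EnableZuulProxy
public class GatewayApplication {

    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }

    // The gateway itself is the resource server: every proxied path is
    // guarded by a scope check before Zuul forwards it.
    @Configuration
    @EnableResourceServer
    public static class GatewayResourceServerConfig extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            // Assumed resource id: tokens that declare an "aud" must include it,
            // so a token minted for some other API is rejected here.
            resources.resourceId("internal-api").stateless(true);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .authorizeRequests()
                    // read-only calls need the "read" scope (assumed scope name)
                    .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
                    // anything that mutates needs the "write" scope (assumed scope name)
                    .antMatchers("/api/**").access("#oauth2.hasScope('write')")
                    // nothing outside the proxied route is served at all
                    .anyRequest().denyAll();
        }

        @Bean
        public TokenStore tokenStore() {
            // JWTs are verified from their signature; no remote token lookup
            return new JwtTokenStore(accessTokenConverter());
        }

        @Bean
        public JwtAccessTokenConverter accessTokenConverter() {
            JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
            // HMAC key shared with the authorization server, read from an assumed
            // environment variable; the fallback string is a placeholder only.
            String signingKey = System.getenv().getOrDefault("JWT_SIGNING_KEY", "placeholder-key-for-example");
            converter.setSigningKey(signingKey);
            return converter;
        }
    }
}
```

With this layout a request without a token, or with a token lacking the scope for that method, is answered by the gateway with 401 or 403 and never reaches the internal service. Because the internal API has no authentication of its own, it must only be reachable from the gateway (private network segment or firewall rule); the scope check protects nothing if the service can be called directly.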