Reputation: 547
I have created a Zuul proxy that routes requests to a secured endpoint in a microservice (basic auth).
My Zuul proxy runs on port 8888.
My secured microservice has an endpoint /api/foo with username:password authentication via Spring Security, with a service id equal to secure-service.
Now whenever I access http://localhost:8888/secure-service/api/foo, the browser prompts me to enter my username and password (proof that it really routes to secure-service). But then after entering them, it just keeps on asking for my credentials.
I also tried accessing it via curl:
curl http://username:password@localhost:8888/secure-service/api/foo
and I get a 401 response.
Why is that happening?
Then I tried removing the Spring Security dependencies and configuration on my secured-service and everything works fine. But I really want to have basic authentication.
Thank you for reading.
Upvotes: 0
Views: 1192
Reputation: 547
I finally found the answer :)
There's a configuration property in Zuul called
zuul.sensitive-headers
This property is a collection of strings naming the headers that will not be passed on to the microservices. Currently, Spring Cloud Zuul (ver 2.2.1.RELEASE) sets these 3 values by default:
Cookie,Set-Cookie,Authorization
For the love of God, they put Authorization as one of the sensitive headers, which is why you will keep getting a 401 Unauthorized response whenever Zuul tries to route to a secured microservice.
The solution is just to remove Authorization from that config property in your Zuul application.
zuul.sensitive-headers=Cookie,Set-Cookie
Hope it helps.
Upvotes: 1
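A narrower variant of the setting in the answer above, as an added example that is not part of the original posts: it keeps the global default, so Authorization is still stripped for every other route, and overrides the list only for the route whose backend performs basic auth. The route id and path are assumed from the question's secure-service URL; a route-level sensitive-headers list replaces the global list for that route.

```properties
# Added example (not from the original answer).
# Global list left at the Zuul default: credentials sent to the proxy
# are not forwarded to backends unless a route says otherwise.
zuul.sensitive-headers=Cookie,Set-Cookie,Authorization

# Route taken from the question: /secure-service/** -> service id secure-service.
zuul.routes.secure-service.path=/secure-service/**
zuul.routes.secure-service.service-id=secure-service

# Route-level override: Authorization is dropped from the sensitive list
# for this route only, so the basic-auth header reaches secure-service.
zuul.routes.secure-service.sensitive-headers=Cookie,Set-Cookie
```

With the global form from the answer, every service behind the proxy receives the client's Authorization header; the per-route form limits that to the one backend that validates it.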