Reputation: 27
I'm using Spring Cloud Gateway as the entry point for my infrastructure. The gateway is configured with Keycloak to validate the Authentication header with the following configuration:
```yaml
spring:
  security:
    oauth2:
      resource-server:
        jwt:
          jwk-set-uri: https://httpd.keycloak.local:443/keycloak/realms/myRealm/protocol/openid-connect/certs
```
An example route is the following:
```yaml
spring:
  cloud:
    gateway:
      routes:
        - id: my-route
          uri: http://service.local:8020
          predicates:
            - Path=/myPath/api/myRoute/test
          filters:
            - name: StripPrefix
              args:
                parts: 2
```
How can I define, in the yml file, this route as public and another one as authenticated through the jwk-uri pointing to Keycloak?
Upvotes: 0
Views: 1134
Reputation: 12774
I see nothing about security rules in the spring-cloud-gateway configuration doc.
I believe you'll have to either:

- permitAll()
- routes from properties (other routes requiring the user to be authenticated)

Only the last solution would work with yaml file configuration only:
In the pom, replace spring-boot-starter-oauth2-resource-server with:

```xml
<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <artifactId>spring-addons-webflux-jwt-resource-server</artifactId>
    <version>${com.c4-soft.springaddons.version}</version>
</dependency>
```
In the yaml, replace spring.security.oauth2.resource-server with:

```yaml
com.c4-soft.springaddons.security:
  jwt-issuers:
    - location: https://httpd.keycloak.local:443/keycloak/realms/myRealm
  permit-all:
    - /myPath/api/myRoute/test
    - /public/**
```
Note that trying to access "non-public" routes without valid authorization would result in 401 (unauthorized) and not in 302 (redirect to login). In my opinion, the client should ensure requests to protected routes are issued with an Authorization header, or handle unauthorized with a redirection to the authorization-server and a retry.
Also note that spring-security-oauth2-webflux-addons will auto-configure more than just permit-all routes (CORS, CSRF and authorities mapping for instance).
Last, I haven't tried it yet with spring-cloud-gateway. Please let me know how it goes ;-)
Upvotes: 2
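The first option the answer lists, a `permitAll()` rule in Java, as an added example that is not part of the question or the answer above. It keeps the question's jwk-set-uri, makes `/myPath/api/myRoute/test` public and requires a valid Keycloak JWT everywhere else, using only Spring Security WebFlux APIs. The package and bean names are hypothetical, and the issuer URL is assumed to be the realm URL that the answer uses as `location` (Keycloak issues tokens with the realm URL as `iss`). One caveat a gateway user needs: Spring Security's WebFilter runs before Spring Cloud Gateway applies route filters, so the matchers must use the path the client sends, not the path left after `StripPrefix`.

```java
package com.example.gateway;  // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

/**
 * Security rules for the gateway: the route the question wants public is reachable
 * without a token; every other exchange must present a JWT signed by the Keycloak
 * realm. Matchers are evaluated on the external request path, i.e. before the
 * gateway's StripPrefix filter rewrites it for the downstream service.
 */
@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    // JWK set URL from the question; issuer assumed to be the realm URL (as in the answer's "location")
    private static final String JWK_SET_URI =
            "https://httpd.keycloak.local:443/keycloak/realms/myRealm/protocol/openid-connect/certs";
    private static final String ISSUER =
            "https://httpd.keycloak.local:443/keycloak/realms/myRealm";

    @Bean
    SecurityWebFilterChain gatewayFilterChain(ServerHttpSecurity http) {
        return http
                // Only bearer tokens are accepted here, no session cookie, so a CSRF token
                // would protect nothing. Keep CSRF on if the gateway also does cookie login.
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .authorizeExchange(exchanges -> exchanges
                        // the public route from the question (external path, before StripPrefix)
                        .pathMatchers("/myPath/api/myRoute/test").permitAll()
                        // everything else needs an authenticated bearer token
                        .anyExchange().authenticated())
                // resource-server entry point answers 401 + WWW-Authenticate: Bearer, never 302
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                .build();
    }

    /**
     * Explicit decoder so the "iss" claim is checked as well. With jwk-set-uri alone,
     * Spring Boot's auto-configured decoder validates the signature and the
     * exp/nbf timestamps but does not pin the issuer.
     */
    @Bean
    ReactiveJwtDecoder jwtDecoder() {
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

Adding more public routes is one `pathMatchers(...).permitAll()` line each; declaring the `ReactiveJwtDecoder` bean makes Spring Boot's jwk-set-uri auto-configuration back off, so the YAML property and this bean should not drift apart. A quick check is `curl -i http://gateway/myPath/api/myRoute/test` (expect 200 from the downstream service) against `curl -i http://gateway/anything/else` (expect 401 with a `WWW-Authenticate: Bearer` header, as the answer describes).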