Spring Security Preauthorization Filter On Zuul To Establish and Share Session

Bal

I'm on a dev team working on a large scale project that uses Spring-based microservices. We've recently discovered the Spring Cloud project and are experimenting with implementing the Netflix services, Zuul, Eureka, Ribbon, etc.

In our environment, nobody will have access to the domain that our application will be running on until they have been pre-authorized through an external service. Once they reach our application, we will be able to obtain the user's identity through a header token provided by the authorization service.

I'd like to have Zuul set up with Spring Security using a preauthentication filter to establish the user's session, and use Spring Session to make the session available to all back-end microservices.

Is this a legitimate approach? The only information I can see about security on Zuul is the ability to proxy OAuth2 tokens to back-end services, but we have no need for OAuth2. Is there a better way to establish the user's session and share it across the services in our back-end architecture?

Tags: spring, spring-security, spring-cloud, spring-session, netflix-zuul
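As an added illustration of the setup the question describes (not the asker's code or any project's), this is how a Spring Security pre-authentication filter on the Zuul gateway could turn the authorizer's identity header into an authenticated session that Spring Session then shares with the back-end services. It assumes the header is named X-Auth-User, that a UserDetailsService bean exists to load the user's roles, and that Redis is the Spring Session store; all three are assumptions, not values from the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@Configuration
@EnableWebSecurity
@EnableRedisHttpSession // Spring Session: HttpSession lives in Redis (assumed store), so every service sees the same session
public class PreAuthGatewaySecurityConfig extends WebSecurityConfigurerAdapter {

    // Header written by the external authorization service (assumed name)
    private static final String IDENTITY_HEADER = "X-Auth-User";

    // Assumed bean: loads authorities for the principal named in the header; no password is involved
    private final UserDetailsService userDetailsService;

    public PreAuthGatewaySecurityConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Pre-auth provider: trusts the principal the filter extracted and only resolves its UserDetails
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Built here rather than as a @Bean so Spring Boot does not also register it as a plain servlet filter
        RequestHeaderAuthenticationFilter headerFilter = new RequestHeaderAuthenticationFilter();
        headerFilter.setPrincipalRequestHeader(IDENTITY_HEADER);
        headerFilter.setExceptionIfHeaderMissing(false); // no header -> stays anonymous -> 403 from the entry point
        headerFilter.setCheckForPrincipalChanges(true);  // header naming a different user invalidates the old session identity
        headerFilter.setAuthenticationManager(authenticationManager());

        http.addFilter(headerFilter)
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

This only holds if the gateway is reachable solely through the external authorization service, because the filter trusts the header as-is; if clients could reach Zuul directly, the header would have to be stripped or verified at the network edge before it is honoured.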

Answers

answered 3 years ago Michael Kowalski #1

Please have a look at the following Tutorial

You can jump into the code on GitHub

I was able to get the project up and running, and am now in the process of modifying the in-memory authentication to use Ldap. I am new to Java and found this tutorial pretty straight forward.

Yours,

Mike Kowalski

answered 2 years ago Abhijit Sarkar #2

Like you, I didn't have a need for OAuth and found out-of-the-box Zuul lacking auth support without OAuth. I wanted to invoke the auth service without losing the Spring Cloud discovery and client-side load balancing abilities. I achieved that by decorating the RibbonRoutingFilter as follows. Note that this approach requires the original RibbonRoutingFilter to be disabled, which can be done with one line in the application.yml: zuul.RibbonRoutingFilter.route.disable: true

Basically, I back up the original service id and overwrite it with the auth service id before delegating the request to the original RibbonRoutingFilter. If the auth is successful, I restore the original service id and delegate the request again to the original RibbonRoutingFilter. If the auth is unsuccessful, I return an error. Full code on my GitHub: AuthAwareRoutingFilter.java
