I'm on a dev team working on a large scale project that uses Spring-based microservices. We've recently discovered the Spring Cloud project and are experimenting with implementing the Netflix services, Zuul, Eureka, Ribbon, etc.
In our environment, nobody will have access to the domain that our application will be running on until they have been pre-authorized through an external service. Once they reach our application, we will be able to obtain the user's identity through a header token provided by the authorization service.
I'd like to have Zuul set up with Spring Security using a preauthentication filter to establish the user's session, and use Spring Session to make the session available to all back-end microservices.
Is this a legitimate approach? The only information I can see about security on Zuul is the ability to proxy OAuth2 tokens to back-end services, but we have no need for OAuth2. Is there a better way to establish the user's session and share it across the services in our back-end architecture?

Tags: spring, spring-security, spring-cloud, spring-session, netflix-zuul
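For reference, this is what the approach described in the question looks like wired up on the Zuul gateway: Spring Security's stock RequestHeaderAuthenticationFilter reads the identity header, a PreAuthenticatedAuthenticationProvider turns it into an authenticated principal, and Spring Session (Redis-backed here) stores the resulting session outside the gateway JVM so other services using the same session store can read it. This is an added example, not code from the question or from Spring Cloud; the header name X-Auth-User, the use of Redis, the Spring Boot 1.x / WebSecurityConfigurerAdapter style, and the fixed ROLE_USER mapping are assumptions. The filter is deliberately not exposed as a @Bean, because Spring Boot would otherwise register any Filter bean a second time in the servlet container.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

/**
 * Pre-authentication on the Zuul gateway (illustrative, not the question's code).
 * The identity header is trusted only because, per the question, the external
 * authorization service is the only thing that can reach this host; nothing
 * here verifies the header value itself.
 */
@Configuration
@EnableWebSecurity
@EnableRedisHttpSession // Spring Session: session state lives in Redis, not in the gateway JVM (assumed store)
public class GatewayPreAuthConfig extends WebSecurityConfigurerAdapter {

    /** Assumed name of the header the authorization service sets. */
    static final String IDENTITY_HEADER = "X-Auth-User";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // addFilter() places it at the standard pre-authentication slot of the chain
            .addFilter(identityHeaderFilter())
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(preAuthenticatedProvider());
    }

    // Plain method, not a @Bean: a Filter bean would also be auto-registered by Boot and run twice.
    private RequestHeaderAuthenticationFilter identityHeaderFilter() throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader(IDENTITY_HEADER);
        // Fail closed: a request that arrived without the header is rejected, not treated as anonymous
        filter.setExceptionIfHeaderMissing(true);
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    private PreAuthenticatedAuthenticationProvider preAuthenticatedProvider() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // Maps the header value (the principal) to a UserDetails. A real deployment would
        // look the user up or decode the token here; granting a fixed ROLE_USER is an assumption.
        provider.setPreAuthenticatedUserDetailsService(
            new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
                username -> new User(username, "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"))));
        return provider;
    }
}
```

Two practical checks before relying on this: the back-end services only see the session if Zuul forwards the session cookie, and newer Spring Cloud Netflix releases strip Cookie by default as a sensitive header (zuul.sensitiveHeaders), so that list has to be cleared for the routes; and because the filter trusts the header outright, the gateway must be unreachable except through the authorization service, otherwise anyone can forge X-Auth-User.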
Like you, I didn't have a need for OAuth and found out-of-the-box Zuul lacking auth support without OAuth. I wanted to invoke the auth service without losing the Spring Cloud discovery and client-side load balancing abilities. I achieved that by decorating the RibbonRoutingFilter as follows. Note that this approach requires the original RibbonRoutingFilter to be disabled, which can be done with one line in the

Basically, I back up the original service id and overwrite it with the auth service id before delegating the request to the original RibbonRoutingFilter. If the auth is successful, I restore the original service id and delegate the request again to the original RibbonRoutingFilter. If the auth is unsuccessful, I return an error. Full code on my GitHub: AuthAwareRoutingFilter.java
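The sequence the answer describes (back up the service id, route to the auth service, restore and route again on success, stop on failure) as an added illustrative decorator; this is not the answer's AuthAwareRoutingFilter and not Spring Cloud code. Assumptions: the auth service is registered in Eureka as auth-service, the RequestContext key "serviceId" is the one Spring Cloud's PreDecorationFilter populates, the auth service answers any 2xx status for an authorized request, and the same path and headers are safe to replay against it. The original RibbonRoutingFilter bean is kept (the decorator needs it) and only disabled as a filter, which the Spring Cloud Netflix reference documents as zuul.RibbonRoutingFilter.route.disable=true.

```java
import java.io.IOException;
import java.io.InputStream;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Route filter that sends each request to the auth service first and forwards it
 * to the real target only if the auth service answered 2xx. Illustrative only.
 */
public class AuthDelegatingRoutingFilter extends ZuulFilter {

    /** Key under which Spring Cloud's PreDecorationFilter stores the target Eureka id. */
    static final String SERVICE_ID_KEY = "serviceId";
    /** Assumed Eureka id of the pre-authorization service. */
    static final String AUTH_SERVICE_ID = "auth-service";

    private final RibbonRoutingFilter delegate;

    public AuthDelegatingRoutingFilter(RibbonRoutingFilter delegate) {
        this.delegate = delegate;
    }

    // Same type, order and applicability as the filter being replaced, so routing is otherwise unchanged.
    @Override public String filterType() { return delegate.filterType(); }
    @Override public int filterOrder() { return delegate.filterOrder(); }
    @Override public boolean shouldFilter() { return delegate.shouldFilter(); }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        String originalServiceId = (String) ctx.get(SERVICE_ID_KEY);

        // 1. Swap the target for the auth service and let Ribbon route the request there.
        //    delegate.run() is called directly, so the "disabled" flag on the original filter is bypassed.
        ctx.set(SERVICE_ID_KEY, AUTH_SERVICE_ID);
        delegate.run();
        int authStatus = ctx.getResponseStatusCode();

        if (authStatus < 200 || authStatus >= 300) {
            // 2a. Rejected: stop routing. The auth service's own response (status, headers, body)
            //     is already in the context and is what the client gets back.
            ctx.setSendZuulResponse(false);
            return null;
        }

        // 2b. Accepted: drop the auth response so nothing from it leaks into the real one,
        //     restore the target and route the same request a second time.
        discardProxiedResponse(ctx);
        ctx.set(SERVICE_ID_KEY, originalServiceId);
        return delegate.run();
    }

    private static void discardProxiedResponse(RequestContext ctx) {
        InputStream body = ctx.getResponseDataStream();
        if (body != null) {
            try {
                body.close();
            } catch (IOException ignored) {
                // the auth response is discarded either way
            }
        }
        ctx.setResponseDataStream(null);        // RequestContext.set(key, null) removes the entry
        ctx.getZuulResponseHeaders().clear();   // headers the auth service sent back
        ctx.remove("responseStatusCode");       // cleared so the real target's status is the one reported
    }

    @Configuration
    static class Registration {
        // Requires zuul.RibbonRoutingFilter.route.disable=true so the original does not also run.
        @Bean
        public AuthDelegatingRoutingFilter authDelegatingRoutingFilter(RibbonRoutingFilter ribbonRoutingFilter) {
            return new AuthDelegatingRoutingFilter(ribbonRoutingFilter);
        }
    }
}
```

The failure branch intentionally leaves the auth service's response in place rather than synthesising a 401, so whatever the authorization service says (401 vs 403, WWW-Authenticate headers) reaches the client unchanged. One caveat a practitioner should weigh: every request, including ones with a body, is replayed to the auth service, so the check costs one extra hop per request and the auth service must tolerate seeing arbitrary downstream paths and bodies.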