Authorization header not passed by ZuulProxy starting with Brixton.RC1

java spring-cloud spring-security-oauth2 spring-cloud-netflix
Tim picture Tim · Apr 1, 2016 · Viewed 12.3k times · Source

In switching from Spring Cloud Brixton.M5 to Brixton.RC1 my ZuulProxy no longer passes Authorization headers downstream to my proxied services.

There's various actors in play in my setup, but most all of them are fairly simple: - AuthorizationServer: runs separately; hands out JWTs to clients - Clients: get JWTs from OAuth server; each with access to a subset of resources. - ResourceServers: consume JWTs for access decisions - MyZuulProxy: proxies various resource servers; should relay JWTs.

It should be noted that MyZuulProxy has no security dependencies whatsoever; It passed the Authorization: Bearer {JWT} header it receives to the ResourceServers, pre-RC1. MyZuulProxy is explicitly not a Client itself, and does not use @EnableOAuth2SSO or similar at the moment.

What could I do to get MyZuulProxy to relay the JWTs to the ResourceServers again when using Spring Cloud Brixton.RC1?

There's very little code to post: It's just @EnableZuulProxy, @EnableAuthorizationServer and @EnableResourceServer in three different jars. My Clients are not Spring applications.

Answer

Tim picture Tim · Apr 1, 2016

Update: Fixed in https://github.com/spring-cloud/spring-cloud-netflix/pull/963/files

Sensitive headers can also be set globally setting zuul.sensitiveHeaders. If sensitiveHeaders is set on a route, this will override the global sensitiveHeaders setting.

So use:

# Pass Authorization header downstream
zuul:
  sensitiveHeaders: Cookie,Set-Cookie

So pending a fix for https://github.com/spring-cloud/spring-cloud-netflix/issues/944, jebeaudet was kind enough to provide a workaround:

@Component
public class RelayTokenFilter extends ZuulFilter {

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();

        // Alter ignored headers as per: https://gitter.im/spring-cloud/spring-cloud?at=56fea31f11ea211749c3ed22
        Set<String> headers = (Set<String>) ctx.get("ignoredHeaders");
        // We need our JWT tokens relayed to resource servers
        headers.remove("authorization");

        return null;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public String filterType() {
        return "pre";
    }

    @Override
    public int filterOrder() {
        return 10000;
    }
}

Related questions

Spring Security with OAuth2 and JWT: Encoded password does not look like BCrypt

I am trying to implement a spring AuthorizationServer with JWT. I was able to produce JWT tokens and login until I added BCrypt to the mix. Now, when I am trying to login, I get "Bad credentials" from the API. …

Read More
What is the difference between putting a property on application.yml or bootstrap.yml in spring boot?

What is the difference between putting a property on application.yml or bootstrap.yml in spring boot? In logging.config case, the application works different.

Read More
Spring Cloud Configuration Server not working with local properties file

I have been playing around with the Spring Cloud project on github located here: https://github.com/spring-cloud/spring-cloud-config However I have been running into some problems getting it to read a local properties file instead of pulling the properties …

Read More