Zuul - Api Gateway Authentication

Adrian Ivan picture Adrian Ivan · Nov 25, 2015 · Viewed 32.8k times · Source

I want to introduce Zuul through Spring Cloud as an API Gateway in front of a few services.

I have some design doubts around Authentication. The Authentication would be handled by Spring Security, which comes before Zuul in the servlet filter chain.

My concern:

  • the Gateway would sit in front of many services

  • some services may expose endpoints which do not require authentication

  • some services may expose endpoints which need a Session Id and some with a token", an arbitrary opaque value (for example downloading a file if you know a "hard to guess" url) In the API Gateway/Spring Security you can configure all the endpoints with their specific authentication requirements.

In terms of managing the API Gateway:

  • how do you enforce the actual Service Teams to provide the required settings per downstream service?
  • how do you allow frequent Authentication settings changes in the Gateway (as per service needs) without having to stop the entire Gateway?

Thanks, Adrian

Answer

Andrew Serff picture Andrew Serff · Nov 25, 2015

We are using Spring Session to replicate the session across all of our services that sit behind a Zuul Edge Server. Zuul will authenticate the user which populates the users credentials and inserts the authenticated user into the session. This is then replicated across all the services and each service is responsible for their own security rules and settings. So really, all Zuul is doing is looking the user up in spring security and the services on the backend are enforcing the security rules as they apply to their needs. This way, you can change each service independently making the Gateway just a dumb proxy.

A good example of this is in Dave Syers tutorial about Spring Security and an Angular JS app. I also posted another question related to this which contained a sample of how we are doing this as well which might help.