Spring Security Preauthorization Filter On Zuul To Establish and Share Session

Bal · Sep 20, 2015 · Viewed 16.3k times

I'm on a dev team working on a large scale project that uses Spring-based microservices. We've recently discovered the Spring Cloud project and are experimenting with implementing the Netflix services, Zuul, Eureka, Ribbon, etc.

In our environment, nobody will have access to the domain that our application will be running on until they have been pre-authorized through an external service. Once they reach our application, we will be able to obtain the user's identity through a header token provided by the authorization service.

I'd like to have Zuul set up with Spring Security using a preauthentication filter to establish the user's session, and use Spring Session to make the session available to all back-end microservices.

Is this a legitimate approach? The only information I can see about security on Zuul is the ability to proxy OAuth2 tokens to back-end services, but we have no need for OAuth2. Is there a better way to establish the user's session and share it across the services in our back-end architecture?

Answer

Michael Kowalski · Sep 24, 2015

Please have a look at the following Tutorial

You can jump into the code on GitHub

I was able to get the project up and running, and am now in the process of modifying the in-memory authentication to use LDAP. I am new to Java and found this tutorial pretty straightforward.

Yours,

Mike Kowalski
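The setup described in the question, sketched as an added example (not code from either poster or from the linked tutorial): a Spring Security pre-authentication filter on the Zuul gateway that reads the identity header, with Spring Session storing the resulting session in Redis. The header name `X-Auth-User`, the class name `GatewaySecurityConfig` and the role `ROLE_USER` are assumptions, as are a Redis-backed Spring Session dependency and a configured Redis connection.

```java
// Added example; header name, class name and role are assumptions, not from the post.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@Configuration
@EnableWebSecurity
@EnableRedisHttpSession // Spring Session: the HttpSession lives in Redis, not in this JVM
public class GatewaySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // The external service has already authenticated the user, so no password
        // check happens here; we only build the principal from the header value.
        provider.setPreAuthenticatedUserDetailsService(token ->
            new User(token.getName(), "N/A", AuthorityUtils.createAuthorityList("ROLE_USER")));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Built locally rather than as a @Bean so the servlet container does not
        // register the filter a second time outside the security filter chain.
        RequestHeaderAuthenticationFilter preAuth = new RequestHeaderAuthenticationFilter();
        preAuth.setPrincipalRequestHeader("X-Auth-User"); // assumed header name
        // Do not throw when the header is absent; the request stays anonymous
        // and is rejected by the authorization rule below.
        preAuth.setExceptionIfHeaderMissing(false);
        preAuth.setAuthenticationManager(authenticationManager());

        http.addFilter(preAuth)
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

Because the filter trusts whatever arrives in that header, this is only sound if the gateway can be reached solely through the external authorization service, and the back-end services solely through the gateway. Each back-end service needs the same Spring Session store configured to read the session the gateway created.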