Menu
In switching from Spring Cloud Brixton.M5 to Brixton.RC1 my ZuulProxy no longer passes Authorization headers downstream to my proxied services.
There's various actors in play in my setup, but most all of them are fairly simple: - AuthorizationServer: runs separately; hands out JWTs to clients - Clients: get JWTs from OAuth server; each with access to a subset of resources. - ResourceServers: consume JWTs for access decisions - MyZuulProxy: proxies various resource servers; should relay JWTs.
It should be noted that MyZuulProxy has no security dependencies whatsoever; It passed the Authorization: Bearer {JWT} header it receives to the ResourceServers, pre-RC1. MyZuulProxy is explicitly not a Client itself, and does not use @EnableOAuth2SSO or similar at the moment.
What could I do to get MyZuulProxy to relay the JWTs to the ResourceServers again when using Spring Cloud Brixton.RC1?
There's very little code to post: It's just @EnableZuulProxy, @EnableAuthorizationServer and @EnableResourceServer in three different jars. My Clients are not Spring applications.
422
Creating Zuul Server ApplicationAdd the @EnableZuulProxy annotation on your main Spring Boot application. The @EnableZuulProxy annotation is used to make your Spring Boot application act as a Zuul Proxy server. You will have to add the Spring Cloud Starter Zuul dependency in our build configuration file.
To enable it, annotate a Spring Boot main class with @EnableZuulProxy . Doing so causes local calls to be forwarded to the appropriate service.
Zuul is an edge service that proxies requests to multiple backing services. It provides a unified “front door” to your system, which allows a browser, mobile app, or other user interface to consume services from multiple hosts without managing cross-origin resource sharing (CORS) and authentication for each one.
Setting up Zuul API Gateway Server There are three steps to set up the Zuul API Gateway: Create a component for the Zuul API Gateway. Decide the things that the Zuul API Gateway should do. All the important requests are configured to pass through the Zuul API Gateway.
Update: Fixed in https://github.com/spring-cloud/spring-cloud-netflix/pull/963/files
Sensitive headers can also be set globally setting
zuul.sensitiveHeaders. IfsensitiveHeadersis set on a route, this will override the globalsensitiveHeaderssetting.
So use:
# Pass Authorization header downstream
zuul:
sensitiveHeaders: Cookie,Set-Cookie
So pending a fix for https://github.com/spring-cloud/spring-cloud-netflix/issues/944, jebeaudet was kind enough to provide a workaround:
@Component
public class RelayTokenFilter extends ZuulFilter {
@Override
public Object run() {
RequestContext ctx = RequestContext.getCurrentContext();
// Alter ignored headers as per: https://gitter.im/spring-cloud/spring-cloud?at=56fea31f11ea211749c3ed22
Set<String> headers = (Set<String>) ctx.get("ignoredHeaders");
// We need our JWT tokens relayed to resource servers
headers.remove("authorization");
return null;
}
@Override
public boolean shouldFilter() {
return true;
}
@Override
public String filterType() {
return "pre";
}
@Override
public int filterOrder() {
return 10000;
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With