Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using Zuul as an authentication gateway

Tags:

spring-boot

spring-cloud

microservices

netflix-zuul

gateway

Background

I want to implement the design presented in this article.

It can be summarised by the diagram below: Security Architecture

  1. The client first authenticate with the IDP (OpenID Connect/OAuth2)
  2. The IDP returns an access token (opaque token with no user info)
  3. The client makes a call through the API gateway use the access token in the Authorization header
  4. The API gateway makes a request to the IDP with the Access Token
  5. The IDP verifies that the Access Token is valid and returns user information in JSON format
  6. The API Gateway store the user information in a JWT and sign it with a private key. The JWT is then passed to the downstream service which verifies the JWT using the public key
  7. If a service must call another service to fulfil the request it passes the JWT along which serves as authentication and authorisation for the request

What I have so far

I have most of that done using:

  • Spring cloud as a global framework
  • Spring boot to launch individual services
  • Netflix Zuul as the API gateway

I have also written a Zuul PRE filter that checks for an Access Token, contacts the IDP and create a JWT. The JWT is then added to the header for the request forwarded to the downstream service.

Problem

Now my question is quite specific to Zuul and its filters. If authentication fails in the API gateway for any reason, how can I can stop the routing and respond directly with a 401 without continuing the filter chain and forwarding the call?

At the moment if authentication fails the filter won't add the JWT to the header and the 401 will come from the downstream service. I was hoping my gateway could prevent this unnecessary call.

I tried to see how I could use com.netflix.zuul.context.RequestContextto do this but the documentation is quite poor and I couldn't find a way.

like image 912
phoenix7360 Avatar asked May 12 '16 07:05

phoenix7360

People also ask

Is Zuul a gateway?

Zuul is a gateway service that provides dynamic routing, monitoring, resiliency, security, and more.

Is Zuul API gateway deprecated?

Zuul 1 and Archaius 1 have both been superseded by later versions that are not backward compatible. The following Spring Cloud Netflix modules and corresponding starters will be placed into maintenance mode: spring-cloud-netflix-archaius. spring-cloud-netflix-hystrix-contract.

Why do we need Zuul API gateway?

Zuul is built to enable dynamic routing, monitoring, resiliency, and security. It can also route the requests to multiple Amazon Auto Scaling Groups. For Example, /api/products are mapped to the product service and /api/user is mapped to the user service.

Does Netflix use Zuul?

For example, / may be mapped to your web application, /api/users is mapped to the user service and /api/shop is mapped to the shop service. Zuul is a JVM-based router and server-side load balancer from Netflix. Netflix uses Zuul for the following: Authentication.

2 Answers

You could try setting setSendZuulResponse(false) in the current context. This should not route the request. You could also call removeRouteHost() from the context, which would achieve the same. You could usesetResponseStatusCode to set the 401 status code.

like image 193
mbragg02 Avatar answered Oct 12 '22 12:10

mbragg02

Add the following within your run method, it will solve this problem

ctx.setSendZuulResponse(false); ctx.setResponseStatusCode(401);
like image 41
Yongxin Zhang Avatar answered Oct 12 '22 12:10

Yongxin Zhang
Sign in to Comment

Related questions

Get a reference to currently active dataSource in Spring Boot
Spring boot 404 error custom error response ReST
How to set enableLoggingRequestDetails='true' in Spring Boot
Thymeleaf + CSS+SpringBoot
Remote monitoring with visualvm and JMX
Why does change from Spring boot version 2.1.4 to 2.1.5 gives unknown configuration Maven error?
Spring Boot: Configuration Class is simply ignored and not loaded
Swagger with Spring Boot 2.0 leads to 404 error page
JSON parse error: Can not construct instance of io.starter.topic.Topic
Avoiding default basic-error-controller from swagger api [duplicate]
Autowiring BuildProperties bean from Gradle - NoSuchBeanDefinitionException
Spring boot - configure EntityManager
Process finished with exit code 1 Spring Boot Intellij
SpringBoot error: Registered driver with driverClassName=oracle.jdbc.driver.OracleDriver was not found, trying direct instantiation
Maven Plugin not found in IntelliJ IDE
Spring Boot with redirecting with single page angular2
For Spring Boot 1.2.3, how to set ignore null value in JSON serialization?
Spring boot doesn't load data to initialize database using data.sql
Unable to get EnableOauth2Sso Working -- BadCredentialsException: Could not obtain access token
How to deploy AngularJS app and Spring Restful API service on the same domain/server?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!