
I am having a problem setting up my authentication and authorization correctly in my UI service.

I currently have the following setup (all utilizing Spring.* and Spring Cloud.*):

- Config Service;
- Registry Service;
- Gateway Service (Zuul);
- Authentication Service (Spring Cloud Security, JWT);
- Company backend service (db <-> rest);
- Ui service;

In terms of backend security everything is working as it should: you request a JWT token with credentials through a gateway from an authentication service and if all matches it is presented back via REST.

Company service is aware of the new token and validates it when it is presented.

The problem is with the UI service. What I'm doing currently is using Spring Boot and Thymeleaf and manually constructing HttpHeaders, HttpEntity and Cookie objects without utilizing Spring Cloud Security in the frontend part in order to get to certain parts of the webapp. This is a lot of stupid unnecessary code. I understand that I couldn't understand how I can integrate Spring Cloud Security into my UI service.

This is an example of one of the controller methods (very ugly):

import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping("/firms")
public String firm(Model model,
                   HttpServletRequest servletRequest,
                   HttpServletResponse servletResponse,
                   HttpSession httpSession) throws IOException {
    final String returnPage;
    // Pull the JWT cookie out of the browser request and turn it into an Authorization header by hand
    Cookie cookie = authService.findCookie(servletRequest, servletResponse);
    HttpHeaders httpHeaders = authService.createJwtAuthHeader(cookie);
    HttpEntity<Void> requestEntity = new HttpEntity<>(httpHeaders);
    // Call the authentication service manually to validate the token and fetch the user
    ResponseEntity<UserObject> userObjectResponse = authService.createUserResponseEntity(requestEntity, servletResponse);
    authService.setUserSessionDetails(userObjectResponse, httpSession);
    if (userObjectResponse != null && userObjectResponse.getBody() != null) {
        log.info(CommonMessages.GOT_COOKIE_FROM_AUTH_SERVICE.toString(), cookie.getName());
        returnPage = "firm";
    } else {
        // No usable token: mark the session as unauthorized and show the error page
        log.error(CommonMessages.NO_COOKIES_FOUND_NO_ACCESS_REDIRECTING.toString());
        httpSession.setAttribute("authorized", false);
        returnPage = "error";
    }
    return returnPage;
}

Maybe somebody encountered a similar problem and found a resource or an example which I could use in order to integrate Spring Cloud Security correctly into my UI service?

Thanks!

Deniss M.
  • Did you find http://docs.spring.io/spring-security/site/docs/4.2.3.RELEASE/reference/htmlsingle/#access-control-using-preauthorize-and-postauthorize ? – Jeff Jun 19 '17 at 18:28
  • @Jeff For that to work I need to integrate my current setup with Spring Cloud Security in the UI service. And I do not know how to do that. – Deniss M. Jun 19 '17 at 18:30
  • When the frontend does a request to the backend it has to pass the token; this is done in the Authorization header. I'll try to find an example – Jeff Jun 19 '17 at 18:34
  • Thymeleaf provides integration it seems: http://www.thymeleaf.org/doc/articles/springsecurity.html. But I got no experience there... – Jeff Jun 19 '17 at 18:44
  • @Jeff I'm sorry, but this is another question. I need to understand how custom Spring Cloud Security is set up when I have an OAuth Spring Cloud authorisation microservice. – Deniss M. Jun 19 '17 at 19:00

1 Answer

Here is a handy example that you may want to take a look into: https://github.com/ddewaele/spring-cloud-security-samples/blob/master/sample1/gateway/src/main/resources/application.yml

The main idea here is to mark your service with @EnableOAuth2Sso so that it behaves as an OAuth 2.0 client. This means that it will do the following things:

  • Redirect users to the Authorization Server, so they can enter their credentials there.
  • Expect the end user to be redirected back from the Authorization Server with an Authorization Code after the credentials have been entered successfully. This authorization code will be exchanged for an Access Token automatically.
  • Make it possible to call other microservices with OAuth2RestTemplate, which injects the Access Token automatically into your outgoing requests. In this case, the microservice that you are calling must be annotated with @EnableResourceServer, which means that it will require an Access Token in order to process requests.

For more information on this topic, you can take a look at another post of mine here.

Danylo Zatorsky
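As an added example (not the answerer's code and not taken from the linked repository), here is what the answer's three points look like in a Spring Boot 1.5-style UI service: @EnableOAuth2Sso on the web security configuration and an OAuth2RestTemplate bean, so the controller no longer builds cookies and JWT headers by hand. The package name, the gateway URL in FIRMS_URL and the use of Object[] for the company service's JSON are assumptions; the security.oauth2.client.* and security.oauth2.resource.jwt.key-uri properties named in the comments have to be set in the UI service's application.yml.

```java
package com.example.ui; // assumed package name

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

// @EnableOAuth2Sso makes this service an OAuth 2.0 client: unauthenticated browser requests go to
// security.oauth2.client.user-authorization-uri, the returned authorization code is exchanged at
// security.oauth2.client.access-token-uri, and the JWT is verified via security.oauth2.resource.jwt.key-uri.
@SpringBootApplication
@EnableOAuth2Sso
public class UiServiceApplication extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**").authorizeRequests()
            .antMatchers("/", "/login**", "/error**").permitAll() // public pages
            .anyRequest().authenticated();                        // everything else requires SSO
    }

    // Boot builds both arguments from security.oauth2.client.*; the resulting template puts
    // "Authorization: Bearer <access token>" on every outgoing request.
    @Bean
    public OAuth2RestTemplate companyRestTemplate(OAuth2ProtectedResourceDetails details,
                                                  OAuth2ClientContext context) {
        return new OAuth2RestTemplate(details, context);
    }

    public static void main(String[] args) { SpringApplication.run(UiServiceApplication.class, args); }
}

@Controller
class FirmController {
    // assumed URL: the Zuul gateway route in front of the company service
    private static final String FIRMS_URL = "http://localhost:8765/company/firms";
    private final OAuth2RestTemplate companyRestTemplate;
    FirmController(OAuth2RestTemplate companyRestTemplate) { this.companyRestTemplate = companyRestTemplate; }

    @GetMapping("/firms")
    public String firms(Model model) {
        // No hand-built cookie or header: the token is attached automatically, and the company
        // service (annotated @EnableResourceServer) rejects requests that lack a valid one.
        model.addAttribute("firms", companyRestTemplate.getForObject(FIRMS_URL, Object[].class));
        return "firm";
    }
}
```

If the token leaves the browser and this service over plain HTTP, the Bearer header is readable on the wire, so the gateway and company routes should be TLS-only in anything beyond local testing.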