
Is there any manual, reference or approach for applying security on an API gateway in Spring Cloud? I have built a gateway using Spring Cloud and added the routes; now I need to add security where requests are validated with the Auth Server (WSO2 Identity Server) before they reach the endpoints. I would like to know if there is a way for my API gateway to contact the Authentication Server (WSO2 Identity Server) to validate requests. How must the configuration be done?

What I'm trying to do is build an API gateway that handles both routing and security using the WSO2 Identity Server, so any shared knowledge, references, or best practices for handling security in an API gateway would help.

Please find below the code I have written for the API gateway:

1- Spring Boot dependencies

```
'org.springframework.cloud:spring-cloud-starter-circuitbreaker-resilience4j'
'org.springframework.cloud:spring-cloud-starter-gateway'
'org.springframework.boot:spring-boot-starter-test'
'org.springframework.cloud:spring-cloud-starter-contract-stub-runner'
'org.springframework.boot:spring-boot-starter-security'
'org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.1.RELEASE'
'org.springframework.boot:spring-boot-starter-web'
```

2- Routing Configuration (application.yml)

```yaml
spring:
  main:
    web-application-type: reactive
    allow-bean-definition-overriding: true
  config:
    import: ''
  cloud:
    gateway:
      routes:
        - id: demo-ms1
          uri: http://localhost:8081/
          predicates:
            - Path=/api/demo1
        - id: demo-ms2
          uri: http://localhost:8082/
          predicates:
            - Path=/api/demo2/**
```

3- Security Configuration for WSO2 (application.yml)

```yaml
security:
  oauth2:
    resource:
      user-info-uri: https://localhost:9443/oauth2/userinfo
      token-info-uri: https://localhost:9443/oauth2/introspect
      filter-order: '3'
      prefer-token-info: 'true'
    client:
      client-secret: admin
      client-id: admin
      user-authorization-uri: https://localhost:9443/oauth2/token/authorize
      access-token-uri: https://localhost:9443/oauth2/token
      scope: openid
```

4- Resource Server Configuration Class

```java
package com.gateway.demoGateway.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Security rules only apply to requests that carry an Authorization header
        http.requestMatcher(new RequestHeaderRequestMatcher("Authorization"))
                .authorizeRequests().anyRequest().fullyAuthenticated();
    }

}
```

5- Spring Boot main application class

```java
package com.gateway.demoGateway;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@SpringBootApplication
@EnableOAuth2Sso
@EnableWebSecurity
public class DemoGatewayApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoGatewayApplication.class, args);
    }

}
```
    Please note that the legacy [`spring-security-oauth` project](https://spring.io/projects/spring-security-oauth) is [deprecated](https://spring.io/blog/2020/05/07/end-of-life-for-spring-security-oauth). Please migrate to a supported version of Spring Security for OAuth 2.0 support. Spring Cloud Gateway is only available for reactive applications. To add Spring Security to a reactive application, you can follow [this section](https://docs.spring.io/spring-security/reference/reactive/index.html) of the official reference documentation. – Eleftheria Stein-Kousathana Jan 03 '22 at 15:28

0 Answers
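One way to do the token validation the question asks for on the reactive stack the comment points to, as an added example that is not code from the question, from Spring, or from WSO2: a Spring Security `SecurityWebFilterChain` that introspects every bearer token against the WSO2 Identity Server endpoint from the question's YAML. It assumes the `spring-boot-starter-oauth2-resource-server` dependency in place of the deprecated `spring-security-oauth2-autoconfigure`, and operator-defined `wso2.*` properties (hypothetical names) holding the endpoint and the gateway's own client credentials.

```java
package com.gateway.demoGateway.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Added example (not from the question): reactive resource-server setup for a
// Spring Cloud Gateway that validates bearer tokens by calling the WSO2 IS
// introspection endpoint. Needs spring-boot-starter-oauth2-resource-server.
@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    // Hypothetical operator-defined properties; values mirror the question's YAML.
    @Value("${wso2.introspection-uri:https://localhost:9443/oauth2/introspect}")
    private String introspectionUri;
    @Value("${wso2.client-id}")
    private String clientId;
    @Value("${wso2.client-secret}")
    private String clientSecret;

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            // Stateless gateway: the bearer token is the credential, so
            // session-cookie CSRF protection does not apply.
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .authorizeExchange(exchanges -> exchanges
                // Only the health check is reachable without a token.
                .pathMatchers("/actuator/health").permitAll()
                // Everything else needs a valid token. Unlike matching on the
                // presence of an Authorization header, this also rejects
                // requests that omit the header entirely.
                .anyExchange().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .opaqueToken(opaque -> opaque
                    // Each token is sent to WSO2 IS; the gateway authenticates
                    // to the introspection endpoint with its own client credentials.
                    .introspectionUri(introspectionUri)
                    .introspectionClientCredentials(clientId, clientSecret)))
            .build();
    }
}
```

Because the gateway is reactive, the servlet-stack annotations in the question (`@EnableWebSecurity`, `@EnableOAuth2Sso`, `ResourceServerConfigurerAdapter`) would be dropped in favour of this configuration.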