Spring Security Cloud: UI service through a ZUUL gateway security setup

I am having a problem setting up authentication and authorization correctly in my UI service.

I currently have the following setup (all utilizing Spring.* and Spring Cloud.*):

- Config Service;
- Registry Service;
- Gateway Service (Zuul);
- Authentication Service (Spring Cloud Security, JWT);
- Company backend service (db <-> rest);
- Ui service;

In terms of backend security everything is working as it should: you request a JWT token with credentials through the gateway from the authentication service and, if everything matches, it is presented back via REST.

The company service is aware of the new token and validates it when it is presented.

The problem is with the UI service. What I'm doing currently is using Spring Boot and Thymeleaf and manually constructing HttpHeaders, HttpEntity and Cookie objects, without utilizing Spring Cloud Security in the frontend part, in order to get to certain parts of the webapp. This is a lot of stupid, unnecessary code. I realize that I could not understand how I can integrate Spring Cloud Security into my UI service.

This is an example of one of the controller methods (very ugly):

@RequestMapping("/firms")
public String firm(Model model,
                   HttpServletRequest servletRequest,
                   HttpServletResponse servletResponse,
                   HttpSession httpSession) throws IOException {
    final String returnPage;
    // Pull the JWT cookie out of the incoming request by hand...
    Cookie cookie = authService.findCookie(servletRequest, servletResponse);
    // ...turn it into an Authorization header...
    HttpHeaders httpHeaders = authService.createJwtAuthHeader(cookie);
    HttpEntity<Void> requestEntity = new HttpEntity<>(httpHeaders);
    // ...and call the authentication service to resolve the current user.
    ResponseEntity<UserObject> userObjectResponse = authService.createUserResponseEntity(requestEntity, servletResponse);
    authService.setUserSessionDetails(userObjectResponse, httpSession);
    if (userObjectResponse != null && userObjectResponse.getBody() != null) {
        log.info(CommonMessages.GOT_COOKIE_FROM_AUTH_SERVICE.toString(), cookie.getName());
        returnPage = "firm";
    } else {
        log.error(CommonMessages.NO_COOKIES_FOUND_NO_ACCESS_REDIRECTING.toString());
        httpSession.setAttribute("authorized", false);
        returnPage = "error";
    }
    return returnPage;
}

Maybe somebody encountered a similar problem and found a resource or an example which I could use in order to integrate Spring Cloud Security correctly into my UI service?

Thanks!

Here is a handy example that you may want to take a look into: https://github.com/ddewaele/spring-cloud-security-samples/blob/master/sample1/gateway/src/main/resources/application.yml

The main idea here is to mark your service with @EnableOAuth2Sso so it can behave as an OAuth 2.0 Client. This means that it will do the following things:

  • Redirect users to the Authorization Server, so they can enter their credentials there.
  • Expect the end user to be redirected back from the Authorization Server with an Authorization Code after the credentials have been entered successfully. This authorization code will be exchanged for an Access Token automatically.
  • Make it possible to call other microservices with OAuth2RestTemplate, which injects the Access Token automatically into your outgoing requests. In this case, the microservice that you are calling must be annotated with @EnableResourceServer, which means that it will require an Access Token in order to process requests.

For more information on this topic, you can take a look at another post of mine here.
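The three pieces the answer describes, wired together as an added example (this is not code from the question, the answer, or the linked sample project). It targets Spring Boot 1.5.x with spring-cloud-starter-oauth2; the package, class names, the `gateway:8080` host, the `/auth` and `/company` Zuul routes and all property values are assumptions for illustration. The UI service becomes an OAuth 2.0 client via `@EnableOAuth2Sso`, an explicit `OAuth2RestTemplate` bean carries the session's access token to the company service, and the company service is a JWT resource server via `@EnableResourceServer`, so the UI never touches cookies, headers or credentials itself:

```java
// File 1 (UI service): UiServiceApplication.java  -- assumed layout, two Spring Boot apps shown in one listing
import java.util.List;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Bean;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpMethod;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

/*
 * UI service application.yml (assumed values). The client never sees the user's
 * password: it only redirects to user-authorization-uri and exchanges the code
 * at access-token-uri. key-uri lets the UI verify the JWT it receives.
 *
 * security:
 *   oauth2:
 *     client:
 *       client-id: ui-service
 *       client-secret: <placeholder, keep out of source control>
 *       access-token-uri: http://gateway:8080/auth/oauth/token
 *       user-authorization-uri: http://gateway:8080/auth/oauth/authorize
 *     resource:
 *       jwt:
 *         key-uri: http://gateway:8080/auth/oauth/token_key
 */
@SpringBootApplication
@EnableOAuth2Sso   // unauthenticated browser requests are redirected to the authorization server
public class UiServiceApplication {

    public static void main(String[] args) {
        SpringApplication.run(UiServiceApplication.class, args);
    }

    // OAuth2ClientContext (session-scoped) and OAuth2ProtectedResourceDetails are
    // auto-configured from security.oauth2.client.* by @EnableOAuth2Sso.
    @Bean
    public OAuth2RestTemplate companyRestTemplate(OAuth2ProtectedResourceDetails details,
                                                  OAuth2ClientContext clientContext) {
        return new OAuth2RestTemplate(details, clientContext);
    }
}

@Controller
class FirmController {

    private final OAuth2RestTemplate companyRestTemplate;

    FirmController(OAuth2RestTemplate companyRestTemplate) {
        this.companyRestTemplate = companyRestTemplate;
    }

    // Replaces the manual cookie -> header -> HttpEntity dance: the access token obtained
    // during SSO login is added as "Authorization: Bearer ..." to this call automatically.
    @GetMapping("/firms")
    public String firms(Model model) {
        List<Firm> firms = companyRestTemplate.exchange(
                "http://gateway:8080/company/firms",          // assumed Zuul route to the company service
                HttpMethod.GET, null,
                new ParameterizedTypeReference<List<Firm>>() {}).getBody();
        model.addAttribute("firms", firms);
        return "firm";   // Thymeleaf template name, as in the question
    }
}

// Shared DTO (assumed shape); in a real setup this lives in a common module.
class Firm {
    public Long id;
    public String name;
}

// File 2 (company service): CompanyServiceApplication.java
// application.yml needs only:  security.oauth2.resource.jwt.key-uri: http://gateway:8080/auth/oauth/token_key
// With @EnableResourceServer every request must carry a valid JWT; requests without one get 401.
/*
import java.security.Principal;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@EnableResourceServer
public class CompanyServiceApplication {
    public static void main(String[] args) { SpringApplication.run(CompanyServiceApplication.class, args); }
}

@RestController
class FirmResource {
    @GetMapping("/firms")
    public List<Firm> firms(Principal principal) {   // principal is the user from the validated JWT
        return firmRepository.findAllVisibleTo(principal.getName());   // assumed repository method
    }
}
*/
```

The security-relevant change is where the token lives: with `@EnableOAuth2Sso` it is held server-side in the UI service's HTTP session (`OAuth2ClientContext`) and the browser only carries the session cookie, so no JWT is exposed to page scripts and the UI needs no custom cookie parsing. A quick check that the wiring is right: an unauthenticated `GET /firms` on the UI must answer with a 302 to the auth service's `/oauth/authorize`, and a direct `GET /company/firms` through Zuul without a bearer token must answer 401 from the resource server.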
