
How does shareSecurityContext work in Spring Cloud with Hystrix?

I'm learning how Spring Cloud works and using one of the most popular technical stacks for it: Eureka, Zuul, Hystrix, Ribbon, Feign. Except for the registry, config server and gateway, my services have the following dependencies with Spring Cloud version 2.2.1.RELEASE:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-config</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-sleuth</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-openfeign</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
    <version>${spring-cloud.version}</version>
</dependency>

I do authorization with JWT on the gateway and want to use the same Authorization object on the other services. The obvious way to do it is to transfer my JWT in a header, but I've read in the docs that Hystrix can propagate the whole security context with just one property, hystrix.shareSecurityContext=true. I've tried to do it with Feign Client and Zuul, but the SecurityContext on the requested service contains just anonymousUser.

I spent two days trying to understand how it works, but I didn't. In the Feign logs I don't see any headers with something like Principal.

So here is my question: is it possible to transfer the security context with Zuul and Feign if the second service runs in another docker container or on another server? If not, what is the best practice for transferring data about the authorized user?

Thanks!

It has been 8 months since you posted the question, but I will answer it anyway. As you know, services are distributed in nature, so they may not share the JVM, or they may not even be developed in Java at all. The purpose of a JWT token is to secure such distributed services, so whatever communication happens between them regarding security happens through the Authorization header only. In the Authorization header one service passes the JWT token (bearer only) to the other service, and that service validates the token, reads information from it, and so on. The hystrix.shareContext property has another purpose, however. In Spring, when the application context is created, by default it doesn't pass it to the Hystrix thread. To make it available to Hystrix, this property is set to true, which essentially changes the concurrency strategy of Hystrix. So, it is passing the security context to "Hystrix's thread", which is part of the same service, and not to another service.

Hope this solves your query.
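A worked illustration of the answer's point, added here and not code from either post: because the security context only reaches the Hystrix thread inside the same JVM, the user's identity crosses the service boundary as the JWT in the Authorization header. The Feign RequestInterceptor below forwards that header; it assumes hystrix.shareSecurityContext=true (so SecurityContextHolder is populated on the Hystrix thread that runs the Feign call) and assumes, as a convention of this example, that the service's JWT filter stores the raw token string as the Authentication's credentials.

```java
// Added example, not part of the original question or answer.
// Forwards the caller's bearer token on every outbound Feign request so the
// downstream service can validate the JWT itself instead of trusting a
// propagated SecurityContext (which never leaves this JVM).
import feign.RequestInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
public class BearerTokenForwardingConfig {

    private static final String AUTHORIZATION = "Authorization";
    private static final String BEARER_PREFIX = "Bearer ";

    @Bean
    public RequestInterceptor bearerTokenForwarder() {
        return template -> {
            String token = currentBearerToken();
            // Never overwrite a header the caller set explicitly, and send
            // nothing at all for anonymous or unauthenticated callers.
            if (token != null && !template.headers().containsKey(AUTHORIZATION)) {
                template.header(AUTHORIZATION, BEARER_PREFIX + token);
            }
        };
    }

    // Reads the raw JWT from the current SecurityContext. With Hystrix thread
    // isolation this ThreadLocal is only populated on the Hystrix thread when
    // hystrix.shareSecurityContext=true is set; otherwise this returns null and
    // the downstream call is made without credentials.
    static String currentBearerToken() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || !(auth.getCredentials() instanceof String)) {
            return null;
        }
        String raw = ((String) auth.getCredentials()).trim();
        return raw.isEmpty() ? null : raw;
    }
}
```

The receiving service still runs its own JWT validation filter on the forwarded header; the interceptor only carries the token, it does not vouch for it.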
