Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

spring boot - Using Zuul as an authentication gateway

Background

I want to implement the design presented in this article.

It can be summarised by the diagram below: Security Architecture

  1. The client first authenticate with the IDP (OpenID Connect/OAuth2)
  2. The IDP returns an access token (opaque token with no user info)
  3. The client makes a call through the API gateway use the access token in the Authorization header
  4. The API gateway makes a request to the IDP with the Access Token
  5. The IDP verifies that the Access Token is valid and returns user information in JSON format
  6. The API Gateway store the user information in a JWT and sign it with a private key. The JWT is then passed to the downstream service which verifies the JWT using the public key
  7. If a service must call another service to fulfil the request it passes the JWT along which serves as authentication and authorisation for the request

What I have so far

I have most of that done using:

  • Spring cloud as a global framework
  • Spring boot to launch individual services
  • Netflix Zuul as the API gateway

I have also written a Zuul PRE filter that checks for an Access Token, contacts the IDP and create a JWT. The JWT is then added to the header for the request forwarded to the downstream service.

Problem

Now my question is quite specific to Zuul and its filters. If authentication fails in the API gateway for any reason, how can I can stop the routing and respond directly with a 401 without continuing the filter chain and forwarding the call?

At the moment if authentication fails the filter won't add the JWT to the header and the 401 will come from the downstream service. I was hoping my gateway could prevent this unnecessary call.

I tried to see how I could use com.netflix.zuul.context.RequestContextto do this but the documentation is quite poor and I couldn't find a way.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

You could try setting setSendZuulResponse(false) in the current context. This should not route the request. You could also call removeRouteHost() from the context, which would achieve the same. You could usesetResponseStatusCode to set the 401 status code.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...