I've set up a microservice architecture with one UAA, one Gateway and one service (a single web application) as described here: https://jhipster.github.io/using-uaa/

After a user authenticates in this webapp there are several links like this one

<a href="/zuulfitler/route?url=http://www.google.com" target="_blank">google</a>

When a user clicks, there is a Zuul "route" filter that checks whether the request has the proper rights and then routes to the destination URL.

The problem is that when the request is intercepted by Zuul, the user is shown as not authenticated, because the Authorization HTTP header with the bearer token has not been injected, since the request has not been made by the $http object.

See: https://jhipster.github.io/using-uaa/#jhipster-uaa

This bearer token is injected as authorization header into each request performed by the AngularJS $http object.

How can I inject the HTTP header when I click on the link?

Thank you in advance.

DropTheCode

1 Answer

You can just make the token value accessible to some controller and build links such as:

<a ng-href="/zuulfilter/route?url=http://google.com&access_token={{ctrl.accessToken}}" target="_blank">google</a>

This passes the token via URL rather than header, which is recognized by Spring Cloud Security, too.

David Steiman
  • Thank you, this is a possible solution. I didn't know that Spring Security will automatically recognize the token if passed via URL. The problem is that the token is exposed and can be saved inside the webserver logs. Isn't there another way? – DropTheCode Oct 17 '16 at 09:08
  • I can only think of some iframe or proxying stuff. As you want to open a new tab with custom headers, this is almost the only way I see to go on. You may consider securing your webserver logs then – David Steiman Oct 17 '16 at 11:50
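
The log-exposure concern raised in the comments, as an added example that is not part of the original thread: a JavaScript filter that redacts the `access_token` query parameter from access-log lines (request line and Referer) before they are stored. The combined log format, hosts and token values are constructed, and `redactLogLine` and its helpers are hypothetical names.

```javascript
// Added example (not from the original thread): scrub bearer tokens that were
// passed as a query parameter out of access-log lines before they are stored.
const SENSITIVE_PARAMS = new Set(['access_token']); // name used in the answer's link

// Decode a parameter name so "Access%5Ftoken" is treated like "access_token".
// Matching is case-insensitive on purpose: over-redaction is harmless here.
function decodeName(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' ')).toLowerCase();
  } catch (e) {
    return raw.toLowerCase(); // malformed percent-encoding: compare as written
  }
}

// Redact sensitive values in one query string. '?' also counts as a separator
// because the link embeds an unencoded URL (url=http://...) that may carry its
// own query string.
function redactQuery(query) {
  return query.replace(/(^|[&?;])([^=&?;]+)=([^&?;]*)/g, (match, sep, name) =>
    SENSITIVE_PARAMS.has(decodeName(name)) ? `${sep}${name}=REDACTED` : match);
}

// Redact every query string in a log line: request line and Referer field.
function redactLogLine(line) {
  return line.replace(/\?([^\s"#]*)/g, (_, query) => '?' + redactQuery(query));
}

// Constructed sample lines in combined log format (hosts and tokens are made up).
const SAMPLE_LINES = [
  '203.0.113.7 - - [17/Oct/2016:09:08:00 +0000] "GET /zuulfilter/route?url=http://google.com&access_token=EXAMPLE.TOKEN.VALUE HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [17/Oct/2016:09:08:01 +0000] "GET /app.js HTTP/1.1" 200 100 "https://gateway.example/zuulfilter/route?url=http://google.com/search?q=jhipster&Access%5Ftoken=EXAMPLE2" "Mozilla/5.0"',
  '203.0.113.7 - - [17/Oct/2016:09:08:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

for (const line of SAMPLE_LINES) console.log(redactLogLine(line));
```

Redaction at the log pipeline only covers logs you control; the token in the URL still appears in browser history and in any intermediary that records full URLs.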