0

I was trying to search, but did not find an answer suited to our situation.

Basically, we have a Zuul server as API gateway which has the following responsibilities:

+ Authenticate users, and create and maintain sessions with users
+ Sessions are stored in Redis (we are using Spring Session with Redis)

I want all of the resource servers to have access to the session information created by the Zuul server. But I could not get the session information from the resource servers; it always returns null. I have checked the Redis server and seen that the session is already created by the Zuul server.

Note that we are using Netflix service discovery to forward requests from Zuul to the respective service.

I would highly appreciate any advice.

Joey Trang

5 Answers

1

Actually, I was missing the following code:

context.addZuulRequestHeader("Cookie", "SESSION=" + httpSession.getId());

After adding the above code to pass the session_id in the cookie from the Zuul filter to the respective microservices, they are able to pick up the session_id from the Zuul filter.

Joey Trang
1

I had the same problem. But after I configured application.yml to set "sensitiveHeaders" to empty, my problem was solved! :)

zuul:
  routes:
    users:
      path: /myusers/**
      sensitiveHeaders:
      url: https://downstream

You can see more details at this link.

poomcyber
0

Even though you're storing the session in Redis, the session id is stored in a cookie and must be delivered to your resource servers. But the default configuration of Zuul filters out all cookie-related headers.

Below is the default Zuul configuration for sensitive headers, which are not passed to downstream servers:

zuul.sensitiveHeaders=Cookie,Set-Cookie,Authorization

To pass cookie-related headers from Zuul to your resource servers, you need to redefine it without the cookie-related headers, like below:

zuul.sensitiveHeaders=Authorization

The above example uses global configuration. You can also define it for each route. Please refer to the section "Cookies and Sensitive Headers" in the linked doc: http://cloud.spring.io/spring-cloud-netflix/spring-cloud-netflix.html

If you also need the Authorization header in your resource servers, you can define the above configuration with a blank list.

yongsung.yoon
Thanks for your reply, the problem was fixed. Now I am facing another issue where I am not able to redirect to a remote URL from the Zuul filter: `context.setRouteHost( new URL());` Have you got any idea for this issue? – Joey Trang May 02 '17 at 09:33
0

Make sure you are using a filter order of more than 5:

@Override
public int filterOrder() {
    // run after Zuul's built-in pre-filters (order 5)
    return 10;
}

For more detail, see the example below: https://stackoverflow.com/a/54833734/11103297

Sampada
0

When using Spring Session and Spring Security to protect APIs in a microservice application, it is easy to set it up to use a request header to resolve the session; the usage is very similar to an OAuth2 opaque token.

Declare an HttpSessionIdResolver bean:

@Bean
public HttpSessionIdResolver httpSessionIdResolver() { return HeaderHttpSessionIdResolver.xAuthToken(); }

Note: this is for Spring MVC. It will resolve the HTTP header x-auth-token.

When a request is sent from the client, pass the x-auth-token header through the gateway to the downstream services/components.

A working example: hantsy/spring-microservice-sample (but I did not use a Zuul-like gateway in this sample application; I simply used Nginx as a reverse proxy).

Hantsy
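Putting the first and fourth answers together, here is a complete Zuul pre-filter that relays the gateway's session id as a SESSION cookie, as an added example rather than code from any of the posts above. It assumes Spring Cloud Netflix Zuul 1.x with Spring Session's default cookie name "SESSION"; the class name is hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
import org.springframework.stereotype.Component;

/**
 * Pre-filter that forwards the gateway's Spring Session id to the routed
 * service as a SESSION cookie. Added example (hypothetical class name);
 * assumes the default Spring Session cookie name "SESSION".
 */
@Component
public class SessionCookieRelayFilter extends ZuulFilter {

    private static final String SESSION_COOKIE = "SESSION";

    @Override
    public String filterType() {
        return FilterConstants.PRE_TYPE;
    }

    @Override
    public int filterOrder() {
        // Must run after the built-in pre-filters (PreDecorationFilter is 5),
        // otherwise the route has not been resolved yet.
        return FilterConstants.PRE_DECORATION_FILTER_ORDER + 5;
    }

    @Override
    public boolean shouldFilter() {
        HttpServletRequest request = RequestContext.getCurrentContext().getRequest();
        // Only relay when the gateway already holds a session; never create
        // one here, so unauthenticated calls reach services without a cookie.
        return request.getSession(false) != null;
    }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpSession session = ctx.getRequest().getSession(false);
        // Headers added via addZuulRequestHeader are set on the outbound request
        // explicitly, so this works even while zuul.sensitiveHeaders keeps
        // stripping the browser's own Cookie header (the secure default).
        ctx.addZuulRequestHeader("Cookie", SESSION_COOKIE + "=" + session.getId());
        return null;
    }
}
```

Note that this replaces any outbound Cookie header entirely, and that Spring Session 2.x base64-encodes the session id in the cookie by default, so the value you relay must match what the downstream service's cookie serializer expects.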