
I have a project https://github.com/ndrone/sample-gateway-oauth2login/tree/feature/allowAllToHealth in which I am trying to allow specific URLs to be open to anyone that requests them. In this case it is the health endpoint of Actuator, while protecting all other Actuator endpoints. What I am finding is that the TokenRelayGatewayFilterFactory is being applied to all routes even though it is only set to be applied to one route. Not sure what I got wrong.

SecurityConfig in the Resource Service

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Authorization rules are evaluated in declaration order and the first
        // matcher that matches wins, so the open health endpoint has to be
        // registered before the broader /manage/** rule below.
        http.authorizeExchange().pathMatchers("/manage/health").permitAll();
        http
            .authorizeExchange()
                .pathMatchers("/resource", "/manage/**").hasAuthority("SCOPE_resource.read")
                .anyExchange().authenticated()
                .and()
            // Bearer tokens are validated as JWTs; the decoder is built from the
            // spring.security.oauth2.resourceserver.jwt.* properties.
            .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}

Gateway Routes

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
// spring-cloud-security package; later Spring Cloud Gateway releases ship the
// factory under org.springframework.cloud.gateway.filter.factory instead
import org.springframework.cloud.security.oauth2.gateway.TokenRelayGatewayFilterFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
@SpringBootApplication
public class GatewayApplication {

    @Autowired
    private TokenRelayGatewayFilterFactory filterFactory;

    @Bean
    public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {
        //@formatter:off
        return builder.routes()
                // Open health endpoint: no TokenRelay filter on this route.
                // stripPrefix(1) removes "/resource" before forwarding to :9000.
                .route("resource-health", r -> r.path("/resource/manage/health")
                        .filters(f -> f.stripPrefix(1))
                        .uri("http://localhost:9000"))
                // All other actuator endpoints: relay the logged-in user's access token.
                .route("resource-actuator-protected", r -> r.path("/resource/manage/**")
                        .filters(f -> f.stripPrefix(1).filter(filterFactory.apply()))
                        .uri("http://localhost:9000"))
                .route("resource", r -> r.path("/resource")
                        .filters(f -> f.filter(filterFactory.apply()))
                        .uri("http://localhost:9000"))
                .build();
        //@formatter:on
    }

    @GetMapping("/")
    public String index(Model model,
                        @RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient,
                        @AuthenticationPrincipal OAuth2User oauth2User) {
        model.addAttribute("userName", oauth2User.getName());
        model.addAttribute("clientName", authorizedClient.getClientRegistration().getClientName());
        model.addAttribute("userAttributes", oauth2User.getAttributes());
        return "index";
    }

    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }

}
ndrone
  • What do you see that makes you think it applies to everything? – spencergibb Jun 18 '19 at 16:43
  • @spencergibb When I open the URL http://localhost:8080//resource/manage/health it redirects me to the login page. If I go directly to the resource http://localhost:9000/mange/health it does give me health endpoint results with a 200 – ndrone Jun 20 '19 at 14:46
  • Doesn't your spring security configuration do that? – spencergibb Jun 20 '19 at 18:35
  • @spencergibb I don't comprehend your question... The security config on the resource server is working as expected: http://localhost:9000/manage/health is open, all other actuator endpoints are protected and returning 401. If I take that same request through the gateway http://localhost:8080/manage/health it redirects me to the uaa login page. Which should not happen because it is open, and the `TokenRelayGatewayFilterFactory` is not applied to that route's filter chain. – ndrone Jun 20 '19 at 19:54
  • @spencergibb after a bit of digging I realized that the gateway has actuator endpoints active, so I tried reaching http://localhost:8080/actuator/health for the gateway and it also redirected me to the uaa login page. So is it safe to say the gateway's **default** security config is to protect all endpoints/routes? Is there an example that I should be looking at that shows how to configure it in the gateway? – ndrone Jun 20 '19 at 20:53
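The Resource Service config in the question can be checked end to end without a running UAA. The following is an added example, not code from the question or from the sample-gateway-oauth2login repository: a `@SpringBootTest` that drives the Resource Service's `SecurityWebFilterChain` with `WebTestClient` and `mockJwt()`. It assumes Spring Boot 2.1+ (which wires Spring Security's `WebTestClient` support automatically), spring-security-test 5.2+ (where `mockJwt()` appears), that the project's test properties set `management.endpoints.web.base-path=/manage` and a `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` so the context starts offline, and that `/manage/info` is exposed (the Boot default). The package name is an assumption.

```java
package com.example.resource; // assumed package name; use the Resource Service's own

import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockJwt;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.web.reactive.server.WebTestClient;

/**
 * Added example, not part of the original post or repository. Requests pass
 * through the real WebFlux filter chain, so the ordering of the permitAll and
 * hasAuthority rules in SecurityConfig is what decides each outcome.
 *
 * mockJwt() places an already-authenticated JWT principal into the exchange, so
 * no token is signed or decoded and the jwk-set-uri is never contacted.
 */
@SpringBootTest
@AutoConfigureWebTestClient
class ResourceSecurityConfigTest {

    @Autowired
    private WebTestClient client;

    @Test
    void healthIsOpenToAnonymousCallers() {
        // First rule registered: pathMatchers("/manage/health").permitAll()
        client.get().uri("/manage/health")
              .exchange()
              .expectStatus().isOk();
    }

    @Test
    void otherActuatorEndpointsRejectAnonymousCallersWith401() {
        // No bearer token: the resource server entry point answers 401 with a
        // WWW-Authenticate challenge, not a login redirect.
        client.get().uri("/manage/info")
              .exchange()
              .expectStatus().isUnauthorized()
              .expectHeader().exists("WWW-Authenticate");
    }

    @Test
    void otherActuatorEndpointsRejectTokensWithoutTheScope() {
        // Authenticated but lacking SCOPE_resource.read: authorization denies with 403.
        client.mutateWith(mockJwt().authorities(new SimpleGrantedAuthority("SCOPE_other")))
              .get().uri("/manage/info")
              .exchange()
              .expectStatus().isForbidden();
    }

    @Test
    void otherActuatorEndpointsAcceptTokensWithTheScope() {
        // hasAuthority("SCOPE_resource.read") on /manage/** is satisfied.
        client.mutateWith(mockJwt().authorities(new SimpleGrantedAuthority("SCOPE_resource.read")))
              .get().uri("/manage/info")
              .exchange()
              .expectStatus().isOk();
    }
}
```

If the `/manage/health` rule were declared after `/manage/**`, the first test would start failing with 401 while the others stayed green, which is exactly the regression this kind of test is meant to catch.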

1 Answer


Since I didn't have a Spring Security configuration detailed out in the gateway, Spring Security protected all URLs. Digging into the sample more and the source of its fork from jgrandja, I needed to add the following.

import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration;
import org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoConfiguration;
import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration;
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerAutoConfiguration;
import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;

/**
 * This code duplicates {@link org.springframework.boot.actuate.autoconfigure.security.reactive.ReactiveManagementWebSecurityAutoConfiguration}
 * and enhances with oauth2Login() specific configuration
 *
 * and with changes defined by jgrandja @see <a href="https://github.com/jgrandja/oauth2login-gateway/commit/51a28f91b7a71d71522d14d0cb5f1fa717033f42">OAuth</a>
 *
 * @author nd26434 on 2019-06-21.
 */
// The @AutoConfigureBefore/@AutoConfigureAfter ordering annotations are only
// honoured for auto-configuration classes registered in spring.factories, and
// Spring Boot recommends @ConditionalOnMissingBean only on auto-configuration
// classes; on a plain @Configuration they are carried over from the copied
// source but do not affect how this chain is registered.
@Configuration
@ConditionalOnClass({ EnableWebFluxSecurity.class, WebFilterChainProxy.class })
@ConditionalOnMissingBean({ SecurityWebFilterChain.class, WebFilterChainProxy.class })
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
@AutoConfigureBefore(ReactiveSecurityAutoConfiguration.class)
@AutoConfigureAfter({ HealthEndpointAutoConfiguration.class,
        InfoEndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class,
        ReactiveOAuth2ClientAutoConfiguration.class,
        ReactiveOAuth2ResourceServerAutoConfiguration.class })
class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // @formatter:off
        // gateway actuator: matches the gateway's own health/info endpoints under
        // management.endpoints.web.base-path, whatever that is configured to be
        http.authorizeExchange()
                        .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
        // gateway resource actuator. Note: Spring Security's WebFilter runs before
        // any gateway route filter, so this matcher sees the request path as the
        // client sent it, before stripPrefix(1) is applied.
        http.authorizeExchange().pathMatchers("/manage/health").permitAll();
        return http.authorizeExchange()
                        .anyExchange().authenticated()
                        .and()
                    .oauth2Login()
                        .and()
                    .exceptionHandling()
                        // NOTE:
                        // This configuration is needed to perform the auto-redirect to UAA for authentication.
                        .authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/oauth2/authorization/login-client"))
                        .and()
                    .build();
        // @formatter:on
    }
}

The working branch: https://github.com/ndrone/sample-gateway-oauth2login/tree/feature/allowAllToHealth

ndrone
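The gateway-side chain in this answer can be pinned down the same way. The following is an added example, not code from the answer or from the sample-gateway-oauth2login repository: anonymous requests sent through the gateway's `SecurityWebFilterChain` with `WebTestClient`. It assumes Spring Boot 2.1+, that the `login-client` registration and its UAA provider URIs are present in the test properties as explicit `authorization-uri`/`token-uri`/`user-info-uri` values (not `issuer-uri`, which would be fetched at startup), and that nothing is listening on localhost:9000, so a proxied request ends in a gateway error rather than a backend response. The package name is an assumption.

```java
package com.example.gateway; // assumed package name; use the gateway's own

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.reactive.server.WebTestClient;

/**
 * Added example, not part of the original post or repository.
 *
 * Spring Security's WebFilter runs before the gateway resolves a route, so the
 * authorizeExchange() matchers see the path exactly as the client sent it
 * (/resource/manage/health), not the path left after stripPrefix(1). The third
 * test fails with a 302 if the permitAll matcher only covers the stripped form.
 */
@SpringBootTest
@AutoConfigureWebTestClient
class GatewaySecurityConfigTest {

    @Autowired
    private WebTestClient client;

    @Test
    void gatewayHealthIsOpenToAnonymousCallers() {
        // Matched by EndpointRequest.to(HealthEndpoint.class, ...) -> permitAll
        client.get().uri("/actuator/health")
              .exchange()
              .expectStatus().isOk();
    }

    @Test
    void protectedActuatorRouteRedirectsAnonymousCallersToLogin() {
        // anyExchange().authenticated() plus the RedirectServerAuthenticationEntryPoint:
        // the response is a 302 to the login-client authorization endpoint.
        client.get().uri("/resource/manage/env")
              .exchange()
              .expectStatus().isFound()
              .expectHeader().valueMatches("Location", ".*/oauth2/authorization/login-client");
    }

    @Test
    void resourceHealthRouteIsNeverRedirectedToLogin() {
        // Whatever the (absent) backend answers, an open route must not turn into
        // a login redirect; a Location header here means the matcher did not match.
        client.get().uri("/resource/manage/health")
              .exchange()
              .expectHeader().doesNotExist("Location");
    }
}
```

The second test also documents the trust boundary the TokenRelay filter relies on: a request that reaches the `resource-actuator-protected` route already carries an authenticated session, otherwise the entry point would have redirected it before any route filter ran.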