I have set up routes on an API gateway + OAuth2 resource server. Some of them are accessible to everyone and some of them are secured. While the rest of my paths work as expected, the register-user path, although defined to be public, is not accessible to all. Here is how the routes are defined:
    import org.springframework.cloud.gateway.route.RouteLocator;
    import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
    import org.springframework.context.annotation.Bean;
    import org.springframework.http.HttpMethod;

    @Bean
    public RouteLocator routeLocator(RouteLocatorBuilder builder) {
        return builder.routes()
                // User registration service
                .route("register-user", routeSpec -> routeSpec
                        .path("/register")
                        .and()
                        .method(HttpMethod.POST)
                        .uri("http://localhost:8086/"))
                // User profile service
                .route("get-user-profile", routeSpec -> routeSpec
                        .path("/users/**")
                        .filters(fs -> fs.rewritePath("/users/(?<username>.*)", "/${username}"))
                        .uri("http://localhost:8085/"))
                // Decks service
                .route("get-deck", routeSpec -> routeSpec
                        .path("/decks/**")
                        .filters(fs -> fs.rewritePath("/decks/(?<deckId>.*)", "/${deckId}"))
                        .uri("http://localhost:8082/"))
                .route("create-deck", routeSpec -> routeSpec
                        .path("/decks")
                        .and()
                        .method(HttpMethod.POST)
                        .uri("http://localhost:8082/"))
                .route("update-deck", routeSpec -> routeSpec
                        .path("/decks")
                        .and()
                        .method(HttpMethod.PUT)
                        .filters(fs -> fs.rewritePath("/decks/(?<deckId>.*)", "/${deckId}"))
                        .uri("http://localhost:8082/"))
                .route("delete-deck", routeSpec -> routeSpec
                        .path("/decks")
                        .and()
                        .method(HttpMethod.DELETE)
                        .filters(fs -> fs.rewritePath("/decks/(?<deckId>.*)", "/${deckId}"))
                        .uri("http://localhost:8082/"))
                .route("save-deck", routeSpec -> routeSpec
                        .path("/decks/saved")
                        .and()
                        .method(HttpMethod.PUT)
                        .filters(fs -> fs.rewritePath("/decks/saved/(?<deckId>.*)", "/saved/${deckId}"))
                        .uri("http://localhost:8082/"))
                .route("remove-deck", routeSpec -> routeSpec
                        .path("/decks/saved")
                        .and()
                        .method(HttpMethod.DELETE)
                        .filters(fs -> fs.rewritePath("/decks/saved/(?<deckId>.*)", "/saved/${deckId}"))
                        .uri("http://localhost:8082/"))
                .route("get-saved-decks", routeSpec -> routeSpec
                        .path("/decks/saved")
                        .and()
                        .method(HttpMethod.GET)
                        .uri("http://localhost:8082/"))
                // Cards service
                .route("get-card", routeSpec -> routeSpec
                        .path("/cards/**")
                        .filters(fs -> fs.rewritePath("/cards/(?<cardId>.*)", "/${cardId}"))
                        .uri("http://localhost:8081/"))
                .route("create-card", routeSpec -> routeSpec
                        .path("/cards")
                        .and()
                        .method(HttpMethod.POST)
                        .uri("http://localhost:8081/"))
                .route("update-card", routeSpec -> routeSpec
                        .path("/cards")
                        .and()
                        .method(HttpMethod.PUT)
                        .filters(fs -> fs.rewritePath("/cards/(?<cardId>.*)", "/${cardId}"))
                        .uri("http://localhost:8081/"))
                .route("delete-card", routeSpec -> routeSpec
                        .path("/cards")
                        .and()
                        .method(HttpMethod.DELETE)
                        .filters(fs -> fs.rewritePath("/cards/(?<cardId>.*)", "/${cardId}"))
                        .uri("http://localhost:8081/"))
                .route("get-saved-cards", routeSpec -> routeSpec
                        .path("/cards/saved")
                        .and()
                        .method(HttpMethod.GET)
                        .uri("http://localhost:8081/"))
                .route("save-card", routeSpec -> routeSpec
                        .path("/cards/saved")
                        .and()
                        .method(HttpMethod.PUT)
                        .filters(fs -> fs.rewritePath("/cards/saved/(?<cardId>.*)", "/saved/${cardId}"))
                        .uri("http://localhost:8081/"))
                .route("remove-card", routeSpec -> routeSpec
                        .path("/cards/saved")
                        .and()
                        .method(HttpMethod.DELETE)
                        .filters(fs -> fs.rewritePath("/cards/saved/(?<cardId>.*)", "/saved/${cardId}"))
                        .uri("http://localhost:8081/"))
                .build();
    }
Here the get-user-profile route is accessible to all but register-user is not.
Here is the security config:
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange()
                // Rules are evaluated in order; the first matching rule wins.
                .pathMatchers("/decks", "/decks/saved", "/cards", "/cards/saved")
                .authenticated()
                .pathMatchers("/register", "/users/**", "/decks/**", "/cards/**").permitAll()
                .and()
                .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
Note: I have used Spring WebFlux.
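As an added example, not code from the question or from Spring, here is a stricter way to express the same intent in a WebFlux gateway: each public operation is matched by HTTP method as well as path, the per-user /saved lists stay protected even for GET, and everything not listed falls through to an explicit authenticated() default instead of relying on the framework's behaviour for unmatched requests. The class name is mine, and the CSRF decision assumes every client authenticates with a bearer JWT and never with a session cookie; Spring Security WebFlux enables CSRF protection by default and applies it to state-changing methods such as POST, so that filter is one of the first things to check when a public POST route is rejected while public GET routes work.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig { // hypothetical class name

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // Assumption: clients send bearer JWTs only and the gateway keeps no session,
        // so the cookie-oriented CSRF filter (on by default in Spring Security WebFlux,
        // enforced for POST/PUT/DELETE) protects nothing here. Keep it enabled if any
        // browser client authenticates with a session cookie.
        http.csrf().disable();

        http.authorizeExchange()
                // Public operations, scoped by method: a PUT or DELETE to /register,
                // or a write to /users/**, still needs a token.
                .pathMatchers(HttpMethod.POST, "/register").permitAll()
                .pathMatchers(HttpMethod.GET, "/users/**").permitAll()
                // Per-user saved lists require a token for every method. This rule is
                // listed before the broader /decks/** and /cards/** rules because rules
                // are evaluated in order and the first match wins.
                .pathMatchers("/decks/saved", "/cards/saved").authenticated()
                // Reading individual decks and cards is public, as in the question.
                .pathMatchers(HttpMethod.GET, "/decks/**", "/cards/**").permitAll()
                // Explicit default: anything not listed above (including POST/PUT/DELETE
                // on /decks and /cards) requires a valid JWT.
                .anyExchange().authenticated()
                .and()
                .oauth2ResourceServer()
                .jwt();

        return http.build();
    }
}
```

With this ordering, an unauthenticated POST to /register passes the authorization filter, while an unauthenticated GET to /decks/saved or POST to /decks is rejected before it reaches the downstream service.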