Search code examples
spring-bootspring-cloudnetflix-zuulnetflix-eureka

Zuul -> Eureka Server, Basic Authentication issue

I am able to hit the service, if the flow doesn't contain Basic Authorization.

If i use Basic Authorization, it throws "message": "Full authentication is required to access this resource"

Below are my observations:

In ZuulFilter, run() method, i get value for request.getHeader("Authorization") --> Basic c29tOnNvbzz==

but once it reaches the Micro Service, i am getting value as 'null', request.getHeader("Authorization") --> null

Using Spring Boot version : 1.4.0.RELEASE

This is my flow:
------------------

Zuul -> Service Discovery (Eureka Server) -> Service

Kindly help, not sure where the Authorization header is vanishing. 

Eureka Server yml file:
-------------------------
server.port:4001
eureka.instance.hostname=localhost
eureka.client.fetch-registry:false
eureka.client.register-with-eureka:false
eureka.client.serviceUrl.defaultZone: http://${eureka.instance.hostname}:${server.port}/eureka/
eureka.client.healthcheck.enabled=true

Zuul yml file:
-----------------
server:
  port: 8765
info:
  component: Edge Server
eureka:
  instance:
    leaseRenewalIntervalInSeconds: 3
    metadataMap:
      instanceId: ${spring.application.name}:${random.value}
  client:
    # Default values comes from org.springframework.cloud.netflix.eurek.EurekaClientConfigBean
    registryFetchIntervalSeconds: 5
    instanceInfoReplicationIntervalSeconds: 5
    initialInstanceInfoReplicationIntervalSeconds: 5

endpoints:
  restart:
    enabled: true
  shutdown:
    enabled: true
  health:
    sensitive: false

zuul.sensitive-headers: Cookie,Set-Cookie,Authorization

logging:
  level:
    ROOT: WARN
    se.callista: INFO

    # Get info regarding connection to the cofig server and retries if required
    org.springframework.cloud.config.client.ConfigServicePropertySourceLocator: INFO
    org.springframework.retry.support.RetryTemplate: DEBUG

    # Set INFO to see the allocated port
    org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer: INFO
---
eureka:
  instance:
    preferIpAddress: true
  client:
    serviceUrl:
      defaultZone: http://localhost:4001/eureka,http://localhost:4002/eureka
Solution

  • Authorization is by default a sensitive header, this means Zuul will not forward them. If you leave it out of the sensitive headers, Zuul will forward the header.

    zuul.sensitiveHeaders: Cookie,Set-Cookie

    It should also be camelCase instead of hyphenated.

    Extra info: https://github.com/spring-cloud/spring-cloud-netflix/blob/master/docs/src/main/asciidoc/spring-cloud-netflix.adoc#cookies-and-sensitive-headers