Tags: java, authentication, jwt, microservices

Why is Authorization Header missing?


I have Eureka and connected services Zuul:8090, AuthService:[any_port].

I send a ../login request to Zuul, which forwards it to AuthService. Then AuthService puts the JWT authentication into the header.

@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
    String token = Jwts.builder()
            .setSubject( ((User) authResult.getPrincipal()).getUsername())
            .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
            .signWith(SignatureAlgorithm.HS512, SECRET)
            .compact();

    response.addHeader("Authorization", "Bearer "+ token); // this is missing
    response.addHeader("Authorization2", "Bearer " + token); // ok
}

I make the request in Postman. Request result:

First I tried to use JWT in a monolith. There wasn't any problem, and the Authorization token could be added.

Why is Authorization Header missing?


Solution

  • It is because of a built-in mechanism in Zuul -- it automatically filters out sensitive headers, such as Authorization and Cookies, to protect sensitive information from being forwarded to downstream services. That is why you cannot get the header with the name Authorization.

    If you want your downstream services to receive them anyway, just define the filter yourself in your Zuul config file, instead of using the default.

     zuul:
      routes:
        users:
          path: your url pattern
          sensitiveHeaders:   # put nothing here!! leave it blank, the filter will be off
          url: downstream url
    

    Here is the Spring official explanation of sensitive headers: document
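As an added example (not part of the answer above), the same setting shown at both levels so the trade-off is visible: the global default strips Cookie, Set-Cookie and Authorization on every route, a route-level list narrows what is stripped, and an empty route-level value switches the filter off for that route only. The route names, paths and serviceIds are assumed for illustration.

```yaml
zuul:
  # Global blacklist. This is what Zuul applies when nothing is configured:
  # Cookie, Set-Cookie and Authorization never reach downstream services.
  sensitiveHeaders: Cookie,Set-Cookie,Authorization
  routes:
    # Assumed route for the login endpoint handled by AuthService (via Eureka).
    auth-service:
      path: /login/**
      serviceId: auth-service
      # Route-level override: still drop cookies, but let Authorization pass
      # so the issued Bearer token is forwarded. Narrower than disabling the filter.
      sensitiveHeaders: Cookie,Set-Cookie
    # Assumed second route where every header is forwarded unchanged.
    users:
      path: /users/**
      serviceId: user-service
      # Empty value = empty list: the sensitive-header filter is off for this route.
      sensitiveHeaders:
```

Because sensitiveHeaders is a blacklist with a non-empty default, forwarding Authorization always requires an explicit route-level or global override; an unset value keeps the default, it does not disable the filter.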