
Zuul Auth Example

Use Zuul and Spring Security for global authentication based on JWT tokens.

Modules

1. auth-center

   The service that issues the JWT token.

     • The client POSTs {username,password} to /login.
     • This service authenticates the username and password via Spring Security, generates the token, and issues it to the client.

2. backend-service

   Provides three simple services:

     • /admin
     • /user
     • /guest

3. api-gateway

   The Zuul gateway:

     • Defines Zuul routes to auth-center and backend-service.
     • Verifies the JWT token.
     • Defines role-based auth via Spring Security:
       • /login is public to all.
       • /backend/admin can only be accessed by role ADMIN.
       • /backend/user can only be accessed by role USER.
       • /backend/guest is public to all.
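The token exchange the modules above describe, auth-center signing a token after Spring Security accepts the credentials and api-gateway verifying that signature before any role rule is applied, as an added stand-alone Python model. This is not the project's Java code; it uses the standard library only. The HS256 shared secret, the claim names (sub, roles, iat, exp) and the one-hour lifetime are assumptions made for the example; the project's real claim layout and secret live in its own configuration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: auth-center and api-gateway share one HMAC key (constructed value for this example).
SECRET = b"constructed-example-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """JWT segments are unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, roles, secret=SECRET, now=None, ttl=3600):
    """auth-center side: build header.payload and sign it with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "roles": list(roles), "iat": now, "exp": now + ttl}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token, secret=SECRET, now=None):
    """api-gateway side: return the claims, or None when the token must be rejected."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    # Pin the algorithm: the verifier decides how to check, never the token's own header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    # Reject expired tokens and tokens without an integer lifetime.
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def roles_from_authorization(header_value, secret=SECRET, now=None):
    """Gateway view of the Authorization header: None means answer 401, else the role list."""
    if not header_value or not header_value.startswith("Bearer "):
        return None
    claims = verify_token(header_value[len("Bearer "):], secret, now)
    if claims is None:
        return None
    roles = claims.get("roles", [])
    return roles if isinstance(roles, list) else None


if __name__ == "__main__":
    demo = issue_token("admin", ["USER", "ADMIN"])
    print(demo)
    print(roles_from_authorization("Bearer " + demo))
```

The order of checks in verify_token is the point: structure, then algorithm pinned to what the gateway expects, then signature with a constant-time compare, and only then the claims. A token whose payload was edited after signing, a token signed with a different key, and a token whose header claims a different algorithm are all rejected before any role is read.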

Run and Verify

1. Compile and package

    mvn clean package

2. Start services

    java -jar auth-center/target/auth-center-1.0.0.jar
    java -jar backend-service/target/backend-service-1.0.0.jar
    java -jar api-gateway/target/api-gateway-1.0.0.jar

3. Get tokens

    curl -i -H "Content-Type: application/json" -X POST -d '{"username":"shuaicj","password":"shuaicj"}' http://localhost:8080/login

You will see the token in the response header for user shuaicj. Note that status code 401 is returned if you provide an incorrect username or password. Similarly, get a token for user admin:

curl -i -H "Content-Type: application/json" -X POST -d '{"username":"admin","password":"admin"}' http://localhost:8080/login

The user admin is defined with two roles: USER and ADMIN, while shuaicj is only a USER.

4. Verify

The general command to verify if the auth works is as follows:

curl -i -H "Authorization: Bearer token-you-got-in-step-3" http://localhost:8080/backend/user

or without token:

curl -i http://localhost:8080/backend/user

You can change the token and the URL as needed. To sum up, the following table lists the response status codes you get when sending requests to the different URLs with the different tokens:

                                   /backend/admin   /backend/user   /backend/guest
  admin token (roles USER, ADMIN)        200              200              200
  shuaicj token (role USER)              403              200              200
  no token                               401              401              200

Contributors

shuaicj

Issues

facing problem in running api-gateway application

When trying to run the api-gateway application I get the error below:
2018-06-25 16:29:39.378 WARN 13824 --- [ main] ationConfigEmbeddedWebApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: Failed to process import candidates for configuration class [org.springframework.cloud.netflix.zuul.ZuulProxyConfiguration]; nested exception is java.lang.IllegalStateException: Failed to introspect annotated methods on class org.springframework.cloud.netflix.zuul.RibbonCommandFactoryConfiguration$HttpClientRibbonConfiguration
2018-06-25 16:29:39.381 ERROR 13824 --- [ main] o.s.b.f.s.DefaultListableBeanFactory : Destroy method on bean with name 'org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory' threw an exception

java.lang.IllegalStateException: ApplicationEventMulticaster not initialized - call 'refresh' before multicasting events via the context: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@1c93084c: startup date [Mon Jun 25 16:29:39 IST 2018]; root of context hierarchy
at org.springframework.context.support.AbstractApplicationContext.getApplicationEventMulticaster(AbstractApplicationContext.java:404) [spring-context-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.context.support.ApplicationListenerDetector.postProcessBeforeDestruction(ApplicationListenerDetector.java:97) ~[spring-context-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.beans.factory.support.DisposableBeanAdapter.destroy(DisposableBeanAdapter.java:253) ~[spring-beans-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroyBean(DefaultSingletonBeanRegistry.java:578) [spring-beans-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingleton(DefaultSingletonBeanRegistry.java:554) [spring-beans-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingleton(DefaultListableBeanFactory.java:961) [spring-beans-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingletons(DefaultSingletonBeanRegistry.java:523) [spring-beans-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingletons(DefaultListableBeanFactory.java:968) [spring-beans-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.destroyBeans(AbstractApplicationContext.java:1033) [spring-context-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:555) [spring-context-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:737) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:370) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:314) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1162) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1151) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at shuaicj.example.security.gateway.Application.main(Application.java:20) [classes/:na]

2018-06-25 16:29:39.393 ERROR 13824 --- [ main] o.s.boot.SpringApplication : Application startup failed

Can you please help me out?

common help

"C:\Program Files\Java\jdk1.8.0_201\bin\java.exe" -Dmaven.multiModuleProjectDirectory=C:\Users\Joel\Documents\GitHub\zuul-auth-example\api-gateway "-Dmaven.home=C:\Program Files\JetBrains\IntelliJ IDEA 2018.3.5\plugins\maven\lib\maven3" "-Dclassworlds.conf=C:\Program Files\JetBrains\IntelliJ IDEA 2018.3.5\plugins\maven\lib\maven3\bin\m2.conf" "-javaagent:C:\Program Files\JetBrains\IntelliJ IDEA 2018.3.5\lib\idea_rt.jar=52738:C:\Program Files\JetBrains\IntelliJ IDEA 2018.3.5\bin" -Dfile.encoding=UTF-8 -classpath "C:\Program Files\JetBrains\IntelliJ IDEA 2018.3.5\plugins\maven\lib\maven3\boot\plexus-classworlds-2.5.2.jar" org.codehaus.classworlds.Launcher -Didea.version=2018.3.5 package
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building api-gateway 1.0.0
[INFO] ------------------------------------------------------------------------
[WARNING] The POM for shuaicj.example.security:common:jar:1.0.0 is missing, no dependency information available
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.671 s
[INFO] Finished at: 2019-03-13T17:27:12-05:00
[INFO] Final Memory: 19M/307M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project api-gateway: Could not resolve dependencies for project shuaicj.example.security:api-gateway:jar:1.0.0: Failure to find shuaicj.example.security:common:jar:1.0.0 in https://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException

Process finished with exit code 1

The project is all there.

loopholes in backend-service security

localhost:8080/backend/admin or /user works fine; it requires authorization.
But by adding "/" at the end of the URL, like "localhost:8080/backend/admin/", it bypasses the security.

Issue with Authentication

Making a POST request to localhost:8080/login with username and password results in a 401 code.

token user/password?

Hi!

Thanks for this good plain example, it feels good to be able to look over some examples here... because of examples like this I thank God.

Comparing with another one that also follows the JWT standard:
https://medium.com/@nydiarra/secure-a-spring-boot-rest-api-with-json-web-token-reference-to-angular-integration-e57a25806c50
I get the question of why that one has a token client/password, like:
curl client:secret@localhost:8080/oauth/token -d grant_type=password -d username=user -d password=pwd
and this example does not use one at all. In the auth-center's application.yaml there is a secret, but I couldn't find the client, and it seems like this example simplifies this step. But isn't this client/secret thing a JWT standard?

Thanks for clarifying!

Can classes from different modules be cross-compiled?

Dear author:
Hello.
Reading your code, I found cases where module A uses classes from module B. Can cross-compilation pass in this situation? When the different sub-modules are deployed in microservice containers, will it affect their scope?
Thank you.

Database integration

Hello shuaicj,

Thank you very much for your example; it is concise and practical. I have basically understood everything in your code, but as a Spring Boot newbie I don't quite understand how to connect a database to your code. Currently, when I run your code I cannot get a token; it always returns a 401 error. I guess this is caused by a missing database configuration? After all, the submitted username and password need to be verified, but I haven't seen where the code that verifies the username and password is.

I'm not sure whether it's appropriate to ask here as an issue, so please explain the logic here a little more. Is something missing, or is there something I still haven't understood? Please advise.

Many thanks!

Hi shuaicj,

Thanks for your example. I've read all the code, but I still haven't figured out how I can connect your code to a database instance. Currently, when posting username and password to "/login", I always get a 401 error. I guess that's probably because the project hasn't really been connected to a database, and there's no way it can verify the username and password I sent.

So can you please kindly elaborate more on the database integration, or show me how I can resolve the 401 issue? I'm a noob to Spring Boot, and I will appreciate it if you can point out anything I missed.

Thank you!
