Add Zuul support

Author: Matt Raible

spring-boot+cloud/api-gateway/pom.xml

@@ -42,7 +42,7 @@
         </dependency>
         <dependency>
             <groupId>org.springframework.cloud</groupId>
-            <artifactId>spring-cloud-starter-oauth2</artifactId>
+            <artifactId>spring-cloud-starter-netflix-zuul</artifactId>
         </dependency>
         <dependency>
             <groupId>com.okta.spring</groupId>

spring-boot+cloud/api-gateway/src/main/java/com/example/apigateway/ApiGatewayApplication.java

@@ -5,10 +5,10 @@
 import lombok.Data;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.cloud.client.circuitbreaker.EnableCircuitBreaker;
 import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
+import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
 import org.springframework.cloud.openfeign.EnableFeignClients;
 import org.springframework.cloud.openfeign.FeignClient;
 import org.springframework.context.annotation.Bean;
@@ -17,12 +17,7 @@
 import org.springframework.hateoas.Resources;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
-import org.springframework.security.oauth2.client.OAuth2ClientContext;
-import org.springframework.security.oauth2.client.OAuth2RestTemplate;
-import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
-import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -38,6 +33,7 @@
 @EnableFeignClients
 @EnableCircuitBreaker
 @EnableDiscoveryClient
+@EnableZuulProxy
 @SpringBootApplication
 public class ApiGatewayApplication {
 
@@ -81,19 +77,8 @@ public RequestInterceptor getUserFeignClientInterceptor(OAuth2AuthorizedClientSe
     }
 
     @Bean
-    @ConfigurationProperties("spring.security.oauth2.client")
-    public ClientCredentialsResourceDetails oauth2RemoteResource() {
-        return new ClientCredentialsResourceDetails();
-    }
-
-    @Bean
-    public OAuth2ClientContext oauth2ClientContext() {
-        return new DefaultOAuth2ClientContext(new DefaultAccessTokenRequest());
-    }
-
-    @Bean
-    public OAuth2RestTemplate restTemplate() {
-        return new OAuth2RestTemplate(oauth2RemoteResource(), oauth2ClientContext());
+    public AuthorizationHeaderFilter authHeaderFilter(OAuth2AuthorizedClientService clientService) {
+        return new AuthorizationHeaderFilter(clientService);
     }
 }
 

spring-boot+cloud/api-gateway/src/main/java/com/example/apigateway/AuthorizationHeaderFilter.java

@@ -0,0 +1,66 @@
+package com.example.apigateway;
+
+import com.netflix.zuul.ZuulFilter;
+import com.netflix.zuul.context.RequestContext;
+import org.springframework.core.Ordered;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+
+import java.util.Optional;
+
+import static org.springframework.cloud.netflix.zuul.filters.support.FilterConstants.PRE_TYPE;
+
+public class AuthorizationHeaderFilter extends ZuulFilter {
+
+    private final OAuth2AuthorizedClientService clientService;
+
+    public AuthorizationHeaderFilter(OAuth2AuthorizedClientService clientService) {
+        this.clientService = clientService;
+    }
+
+    @Override
+    public String filterType() {
+        return PRE_TYPE;
+    }
+
+    @Override
+    public int filterOrder() {
+        return Ordered.LOWEST_PRECEDENCE;
+    }
+
+    @Override
+    public boolean shouldFilter() {
+        return true;
+    }
+
+    @Override
+    public Object run() {
+        RequestContext ctx = RequestContext.getCurrentContext();
+        Optional<String> authorizationHeader = getAuthorizationHeader();
+        authorizationHeader.ifPresent(s -> ctx.addZuulRequestHeader("Authorization", s));
+        return null;
+    }
+
+    private Optional<String> getAuthorizationHeader() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        OAuth2AuthenticationToken oauthToken = (OAuth2AuthenticationToken) authentication;
+        OAuth2AuthorizedClient client = clientService.loadAuthorizedClient(
+                oauthToken.getAuthorizedClientRegistrationId(),
+                oauthToken.getName());
+
+        OAuth2AccessToken accessToken = client.getAccessToken();
+
+        if (accessToken == null) {
+            return Optional.empty();
+        } else {
+            String tokenType = accessToken.getTokenType().getValue();
+            String authorizationHeaderValue = String.format("%s %s", tokenType, accessToken.getTokenValue());
+            return Optional.of(authorizationHeaderValue);
+        }
+    }
+}

spring-boot+cloud/api-gateway/src/main/resources/application.properties

@@ -2,10 +2,13 @@ spring.application.name=api-gateway
 okta.oauth2.issuer=https://dev-737523.oktapreview.com/oauth2/default
 okta.oauth2.client-id=0oafx05pu2pxhjgkC0h7
 okta.oauth2.client-secret=ozxBeuk7nE-oLhkUvINe1cxR3LITquTp7Jt2NvX7
-okta.oauth2.scopes=openid,profile,offline_access
 feign.hystrix.enabled=true
 hystrix.shareSecurityContext=true
 
-spring.security.oauth2.client.provider.okta.issuer-uri=${okta.oauth2.issuer}
-spring.security.oauth2.client.registration.okta.client-id=${okta.oauth2.client-id}
-spring.security.oauth2.client.registration.okta.client-secret=${okta.oauth2.client-secret}
+zuul.routes.car-service.path=/cars
+zuul.routes.car-service.url=http://localhost:8090
+
+zuul.routes.home.path=/home
+zuul.routes.home.url=http://localhost:8090
+
+zuul.sensitive-headers=Cookie,Set-Cookie

spring-boot+cloud/car-service/src/main/java/com/example/carservice/HomeController.java

@@ -0,0 +1,23 @@
+package com.example.carservice;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.security.Principal;
+
+@RestController
+public class HomeController {
+
+    private final static Logger log = LoggerFactory.getLogger(HomeController.class);
+
+    @GetMapping("/home")
+    public String howdy(Principal principal) {
+        String username = principal.getName();
+        JwtAuthenticationToken token = (JwtAuthenticationToken) principal;
+        log.info("claims: " + token.getTokenAttributes());
+        return "Hello, " + username;
+    }
+}