spring session sharing between zuul and resource servers

spring cloud security oauth2 zuul example
zuul api gateway
zuul authentication filter example
zuul route filter example
spring cloud gateway, sticky session
spring cloud zuul
zuul proxy
zuul routes endpoint

I was trying to search, but did not find an answer suited to our situation.

Basically, we have zuul server as API gateway which does following responsibilites

+ Autheticate user, and create and maintain session with users
+ Sessions will be stored in redis (we are using spring session with redis)

I want to have all of resource servers having access to session information created by zuul server. But I could not get session information from resource servers. its alway return null, I have checked redis server and seen session is created by zuul server already

Note that we are using Netflix service discovery to forward request from Zuul respective service.

highly appreciate for any advice

actually I was missing the following code.

context.addZuulRequestHeader("Cookie", "SESSION=" +  httpSession.getId());

After adding above code to pass session_id in the cookie from zuul filter to respective micro-services, it is able to pickup the session_id from zuul filter.

Securing Spring Cloud Services, The article explains the challenges of securing Spring Cloud services Sharing sessions gives us the ability to log users in our gateway service article, copy the resource/static folder from the gateway project on Github to your project. zuul.routes.discovery.sensitive-headers=Set-Cookie,Authorization. Zuul for Spring Cloud comes with a number of ZuulFilter beans enabled by default in both proxy and server mode. See the Zuul filters package for the list of filters that you can enable. If you want to disable one, set zuul.<SimpleClassName>.<filterType>.disable=true.

Even though you're storing session in Redis, session id is stored in cookie and must be delivered to your resource servers. But the default configuration of zuul is filtering out all cookie related headers.

The below is default configuration of zuul for senstive-headers those are not passed to downstream servers. zuul.sensitiveHeaders=Cookie,Set-Cookie,Authorization

To pass cookie related headers from zuul to your resources servers, You need to redefine it without cookie related headers like belows. zuul.sensitiveHeaders=Authorization

The above example is using global configuration. You can define it for each route. Please refer to the section "Cookies and Sensitive Headers" in the the linked doc : http://cloud.spring.io/spring-cloud-netflix/spring-cloud-netflix.html

If you also need to authorization header in your resources servers, you can define above configuration with blank list.

Handle Security in Zuul, with OAuth2 and JWT, Learn about how you can use the Zuul edge service in conjunction with While this is great from a continuous deployment and management point of to manage CORS (Cross-Origin Resource Sharing) and a diverse set of endpoints. The Resource Server – located at /spring-security-oauth-resource/**,� Zuul is a JVM based router and server side load balancer by Netflix. It provides a single entry to our system, which allows a browser, mobile app, or other user interface to consume services from multiple hosts without managing cross-origin resource sharing (CORS) and authentication for each one.

I had the same problem. But after I have configured the application.yml to set "sensitiveHeaders" to empty. My problem is solved! :)

      path: /myusers/**
      url: https://downstream

Api Gateway Part 2: Handling Authentication with Spring Boot, Zuul , It comprises of creating connecting microservices using Zuul, service discovery using We will use Spring Security, Spring Session for this. Multi-Project development: Sharing common code in modules for Well, this Security Module will need UserDetails object from Spring Security. server.port=8092� Zuul Server. Run this app as a normal Spring Boot app. If you run from this project it will be on port 8765 (per the application.yml).Also run eureka and the stores and customers samples from the customer-stores sample.

make sure your are using filter more than 5

public int filterOrder() {
    return 10;

for more detail find the below example https://stackoverflow.com/a/54833734/11103297

Secure a Spring Microservices Architecture with Spring Security and , You can set it up to automatically propagate your access tokens from one This tutorial shows you how to use Spring Security with OAuth and Okta Authorization Servers, click the Authorization Servers tab and edit the default one . email security.oauth2.resource.user-info-uri=https://{yourOktaDomain}/� Zuul will also be configured with Spring Security in order to provide edge security across all our APIs. Netflix Eureka Eureka has a server and client component.

Advanced Microservices Security with Spring and OAuth2, We have two microservices, OAuth2 authentication server, and Eureka discovery service behind Zuul gateway. Image title. Gateway. Let's start� We'll begin by explaining the differences between an OAuth2 Client and an OAuth2 Resource Server. Afterwards, we'll talk a little about what these annotations can do for us and demonstrate their usage with an example using Zuul and a simple API.

Multiple UI Applications and a Gateway: Single Page , It is the same as the “spring-session” Resource server in Part III: just a -d style= web \ -d style=security -d style=cloud-zuul -d name=gateway \ -d style=redis | tar - xzvf - Starting from the blank Initializr application, we add the Spring (single Gateway controlling authentication, and shared session token� TL;DR the UI and resource servers do not have a common origin, so they cannot share cookies (even though we can use Spring Session to force them to share sessions). Conclusion We have duplicated the features of the application in Part II of this series : a home page with a greeting fetched from a remote backend, with login and logout links in a

Securing Services with Spring Cloud Gateway, The Resource Server is a regular Spring Boot application hidden behind the The API Gateway is built with Spring Cloud Gateway and delegates the the users “Cookie” header from the request during the routing operation� Perhaps a less common approach is to configure the Spring Session application as a peer member in the Geode cluster using the Peer-To-Peer (P2P) topology. In this configuration, the Spring Session application would be an actual server (or data node) in the Geode cluster, and not a cache client as before.

  • Thanks for your reply, the problem was fixed, now I am facing another issue whether I am not able to redirect to remoteULR from zuul filter. context.setRouteHost( new URL(<remoteURL>)); Have you got any idea for this issue?