[Question] Spring Oauth2 Authentication AWS behind Zuul

Hi,

I have a question / problem. I’ve checked everything I could but didn’t find a solution. I hope you can help me. My problem is similar to this issue, I have the same setup:


https://url.net/service
  |-> AWS load balancer
      - adds X-Forwarded-*
      - converts https to http
      |-> http://localhost:10000/service
          - Finds correct service for given path
          |-> Service gets hit and I see the correct header in the log but the service
              does not redirect me to the "X-Forwarded-Host" but to https://localhost/login

Zuul log:

Request url: /uaa
Request header: x-forwarded-for XXX.XXX.XXX.XXX (AWS standard)
Request header: x-forwarded-port 443
Request header: x-forwarded-proto https

Service log:

Request url: /uaa
Request header: x-forwarded-host XXX.XXX.XXX.XXX (same as the zuul x-forwarded-for header. I configured server.tomcat.remote-ip-header: X-Forwarded-Host)
Request header: x-forwarded-port 443
Request header: x-forwarded-proto: https
Request header: x-forwarded-prefix: /uaa

Everything looks ok to me. But it does not work as I would expect… My problem is that the default LoginUrlAuthenticationEntryPoint does not care about the headers and redirects unauthenticated users to http://localhost/login. This issue might fix it in the future but does not help me right now 😓. The debug log says: o.s.s.web.DefaultRedirectStrategy: Redirecting to 'https://localhost/login'. Also there is another log entry that shows that the headers are not supported: o.s.s.w.s.HttpSessionRequestCache: DefaultSavedRequest added to session: DefaultSavedRequest[https://localhost/server]

I have

server.use-forward-headers: true

activated for zuul and the service - but it does not help at all.

Another strange thing is that the zuul server redirects the user correctly. Not to http://localhost/login but to the X-Forwarded-For server with /login path.

I have no ideas anymore. Could you please point me in the right direction?

Edit: If I do curl http://localhost:10100/service/login on the server I see that the location response header is the correct location path, but spring security does not redirect me to the provided host… I'm totally confused. Somewhere down the line the X-Forwarded-{For/Host} header gets lost?

Edit 2: If I config

server.tomcat.remote-ip-header: X-Forwarded-Host

I don’t see the request header logged anymore instead the header X-Forwarded-For XXX.XXX.XXX is logged… If I configure

server.tomcat.remote-ip-header: X-Forwarded-For

I don’t see the request header logged anymore instead the header X-Forwarded-Host is logged… Wtf?
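The symptom in the question (correct X-Forwarded-* headers at the service, yet a redirect to https://localhost/login, and a header that vanishes from the log as soon as it is named in server.tomcat.remote-ip-header) comes down to which forwarded values the backend trusts, which it consumes, and which it never uses. What follows is an added example, not code from the issue, from Spring or from Tomcat: a Python model of the RemoteIpValve-style processing that server.use-forward-headers turns on, followed by the absolute login URL built from scheme, server name and port the way LoginUrlAuthenticationEntryPoint does. It assumes an approximation of the valve's default internal-proxy ranges, treats the header named as remote-ip-header as consumed (rewritten to the remaining hops, removed when none remain), and never rewrites Host from X-Forwarded-Host, which is assumed to match the question's setup; addresses, CIDR ranges and sample headers are constructed.

```python
# Added example (not from the issue, Spring or Tomcat): model of the trust decision a
# backend makes for X-Forwarded-* headers and of the login redirect it then builds.
# CIDR list, addresses and sample headers are constructed for illustration.
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Approximation of the valve's default "internal proxies": private, loopback and
# link-local ranges. A public load balancer address is NOT in this list.
INTERNAL_PROXIES = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
))


def is_internal(addr: str, proxies: Iterable = INTERNAL_PROXIES) -> bool:
    """True when addr lies in one of the trusted proxy ranges; garbage is untrusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in proxies)


def apply_forwarded(headers: Dict[str, str], remote_addr: str,
                    remote_ip_header: str = "x-forwarded-for",
                    proxies: Iterable = INTERNAL_PROXIES
                    ) -> Tuple[str, str, Optional[int], Dict[str, str]]:
    """Return (client_ip, scheme, forwarded_port, remaining_headers); keys lower-cased."""
    h = {k.lower(): v for k, v in headers.items()}
    if not is_internal(remote_addr, proxies):
        # Not from a trusted proxy: every X-Forwarded-* value is client-controlled.
        # Scheme and port stay untouched so a spoofed X-Forwarded-Proto cannot turn a
        # plain-HTTP request into an "https" redirect.
        return remote_addr, "http", None, h

    # Walk the forwarded chain from the right, discarding internal hops; the first
    # address that is not internal is the real client.
    chain = [p.strip() for p in h.get(remote_ip_header, "").split(",") if p.strip()]
    client_ip = remote_addr
    while chain and is_internal(chain[-1], proxies):
        chain.pop()
    if chain:
        client_ip = chain.pop()
    # The configured header is rewritten to whatever hops remain and removed when
    # none do: the header named in remote-ip-header is consumed, which is why it no
    # longer shows up in the backend's log.
    if chain:
        h[remote_ip_header] = ", ".join(chain)
    else:
        h.pop(remote_ip_header, None)

    scheme = "https" if h.get("x-forwarded-proto", "").lower() == "https" else "http"
    port = int(h["x-forwarded-port"]) if h.get("x-forwarded-port", "").isdigit() else None
    return client_ip, scheme, port, h


def login_redirect(headers: Dict[str, str], remote_addr: str,
                   login_path: str = "/login", **valve_opts) -> str:
    """Absolute URL an entry point builds from scheme, server name (Host) and port."""
    _, scheme, port, h = apply_forwarded(headers, remote_addr, **valve_opts)
    host_header = h.get("host", "localhost")   # Host is not rewritten from X-Forwarded-Host here
    name, _, host_port = host_header.partition(":")
    if port is None:
        # No trusted forwarded port: the server port is the Host header's or the default.
        port = int(host_port) if host_port.isdigit() else (443 if scheme == "https" else 80)
    default = 443 if scheme == "https" else 80
    authority = name if port == default else f"{name}:{port}"
    return f"{scheme}://{authority}{login_path}"


# Constructed sample: the request as the service in the question receives it from
# Zuul on the same host, with the load balancer's forwarded headers passed through.
SERVICE_REQUEST = {
    "Host": "localhost:10100",
    "X-Forwarded-For": "203.0.113.7",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
    "X-Forwarded-Prefix": "/uaa",
}

if __name__ == "__main__":
    # Trusted hop, scheme and port honoured, but Host still says localhost.
    print(login_redirect(SERVICE_REQUEST, "127.0.0.1"))
    # Same headers with the original Host preserved by the gateway.
    print(login_redirect({**SERVICE_REQUEST, "Host": "url.net"}, "127.0.0.1"))
    # Direct hit from an untrusted address with a spoofed X-Forwarded-Proto: ignored.
    print(login_redirect({"Host": "localhost:10100", "X-Forwarded-Proto": "https"}, "198.51.100.9"))
```

The three cases in the main block are the question's chain (trusted hop, Host still localhost, hence https://localhost/login), the same chain with the original Host kept, and a direct request from an untrusted address whose forwarded headers are dropped. The last case is why forwarded headers should only be honoured from known proxy addresses: with an overly broad internal-proxies setting, any client could steer the redirect scheme, and, on a server configured to honour X-Forwarded-Host, its host.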

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments:11 (2 by maintainers)

Top GitHub Comments

2 reactions
Writtscher commented, Apr 14, 2016
import java.util.Set;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Order(2)
@Component
@SuppressWarnings("unchecked")
public class CorrectHeadersFilter extends ZuulFilter {

    @Override
    public String filterType() {
        return "pre"; // runs before the request is routed to the backend
    }

    @Override
    public int filterOrder() {
        return 10000;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public Object run() {
        RequestContext currentContext = RequestContext.getCurrentContext();

        // Put the original Host header back; Zuul would otherwise send the
        // backend's own host (localhost), which ends up in the login redirect.
        currentContext.addZuulRequestHeader("host", currentContext.getRequest()
                .getHeader("host"));

        // Drop the prefix Zuul adds for the stripped route, so a backend with a
        // context path does not build "/context/context/login".
        currentContext.getZuulRequestHeaders().remove("x-forwarded-prefix");

        // Empty Zuul's set of ignored (sensitive) headers so Cookie, Set-Cookie
        // and Authorization are passed through; note this applies to every route.
        ((Set<String>) currentContext.get("ignoredHeaders")).clear();
        return null;
    }

}

Three things happening here:

  • I just put the ‘host’ header back into the ‘host’ header (could also use ‘X-Forwarded-For’ since the AWS Loadbalancer provides it out of the box, but the ‘host’ header is the same and I don’t want to rely on any AWS headers). If I remove this line then zuul puts ‘localhost’ into the ‘host’ header and this results in redirects to ‘localhost/context/login’ instead of ‘mydomain/context/login’.
  • My backend services are configured to use ‘X-Forwarded-xx’ headers and zuul provides them. My backend services have a context (server.context-path). This means that if I don’t remove the “X-Forwarded-Prefix” spring oauth2 redirects me to my auth server with a wrong redirect uri. It’s always “mydomain/context/context/login”. Removing this header fixes it. Removing the context path is not an option. Removing the ‘use forwarded headers’ configuration does not work as spring oauth2 constructs a wrong redirect uri.
  • Zuul configures ignored / sensitive headers (Cookie, Set-Cookie, Authorization). These headers are removed from the request / response. Since all of our services have a frontend and rely on a session we need cookies (JSESSIONID).

This fixes our problems for now. We are not 100% sure that these “fixes” are ok but it is ok for now.
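The filter in the comment above changes three things Zuul does on the way out: the Host it sends, the X-Forwarded-Prefix it adds for a stripped route, and the set of sensitive headers it withholds. What follows is an added example, not code from the issue or from Spring Cloud Zuul: a Python model of that outbound shaping, using a per-route sensitive-header set (the equivalent of Zuul's zuul.routes.<id>.sensitiveHeaders setting, where an empty list passes everything) instead of clearing the ignored-header set for every route. Route ids, backend targets and the sample request are constructed, and the double-prefix path only mirrors the behaviour the comment reports for a backend with a context path, not a verified Spring implementation.

```python
# Added example (not from the issue or from Spring Cloud Zuul): model of the headers
# and path a backend receives from Zuul for one route, with a per-route sensitive set.
# Route ids, targets and the sample request are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# The set Spring Cloud Zuul strips by default from requests and responses.
DEFAULT_SENSITIVE: FrozenSet[str] = frozenset({"cookie", "set-cookie", "authorization"})


@dataclass(frozen=True)
class Route:
    prefix: str                        # route prefix, e.g. "/uaa"
    target: str                        # backend host:port Zuul connects to
    strip_prefix: bool = True          # drop the prefix before proxying
    keep_host: bool = False            # pass the client's Host instead of the target's
    # Per-route override; frozenset() passes everything through (an empty
    # sensitiveHeaders list), None means "use the global set".
    sensitive: Optional[FrozenSet[str]] = None


def outbound(incoming: Dict[str, str], path: str, route: Route,
             global_sensitive: FrozenSet[str] = DEFAULT_SENSITIVE
             ) -> Tuple[Dict[str, str], str]:
    """Headers (lower-case keys) and path the backend behind `route` receives."""
    h = {k.lower(): v for k, v in incoming.items()}
    sensitive = global_sensitive if route.sensitive is None else route.sensitive
    out = {k: v for k, v in h.items() if k not in sensitive}
    # Zuul sends the target as Host unless a filter puts the original back.
    out["host"] = h.get("host", route.target) if route.keep_host else route.target
    if route.strip_prefix and (path == route.prefix or path.startswith(route.prefix + "/")):
        # The stripped prefix is announced to the backend as X-Forwarded-Prefix.
        path = path[len(route.prefix):] or "/"
        out["x-forwarded-prefix"] = route.prefix
    return out, path


def backend_login_path(headers: Dict[str, str], context_path: str) -> str:
    """Login path a backend with a context path builds when it also prepends the
    forwarded prefix: the "/context/context/login" behaviour the comment reports."""
    return headers.get("x-forwarded-prefix", "") + context_path + "/login"


def drop_prefix(headers: Dict[str, str]) -> Dict[str, str]:
    """What the comment's filter does: remove X-Forwarded-Prefix before proxying."""
    return {k: v for k, v in headers.items() if k != "x-forwarded-prefix"}


# Constructed sample request as it arrives at Zuul from the load balancer.
INCOMING = {
    "Host": "url.net",
    "Cookie": "JSESSIONID=abc123",
    "Authorization": "Bearer t0ken",
    "X-Forwarded-Proto": "https",
}

# The session-backed UAA route passes everything; a partner API route keeps the defaults.
UAA = Route(prefix="/uaa", target="localhost:10100", keep_host=True, sensitive=frozenset())
PARTNER = Route(prefix="/partner", target="api.partner.example")


def leaked_to_partner(global_sensitive: FrozenSet[str] = DEFAULT_SENSITIVE) -> FrozenSet[str]:
    """Credential headers that reach the partner backend under a given global set."""
    headers, _ = outbound(INCOMING, "/partner/orders", PARTNER, global_sensitive)
    return frozenset(k for k in ("cookie", "authorization") if k in headers)


if __name__ == "__main__":
    headers, path = outbound(INCOMING, "/uaa/login", UAA)
    print(headers["host"], path, "cookie" in headers)
    print(backend_login_path(headers, "/uaa"))
    print(backend_login_path(drop_prefix(headers), "/uaa"))
    # Default global set versus an emptied one (what ignoredHeaders.clear() amounts to).
    print(sorted(leaked_to_partner()))
    print(sorted(leaked_to_partner(frozenset())))
```

The last two lines of the main block are the point: with the default set the partner route never sees Cookie or Authorization; with an emptied global set, which is what clearing ignoredHeaders amounts to, the user's JSESSIONID and bearer token are forwarded to every backend, including ones that only needed the path. Relaxing the set for the one route that needs the session keeps the stripping in place everywhere else.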

0 reactions
spencergibb commented, Oct 5, 2016

Closing this due to inactivity. Please re-open if there’s more to discuss.

