
Spring Cloud Security - Allow requests without authentication


I have an application that allows users to sign up for an account. Our Authentication and User service is UAA, so I need to be able to communicate with its secure endpoints without a user actually being present.

How do I set up Spring Cloud Security to allow calls to be made from 1 Microservice to Another, which then communicates with UAA to create the user?

So, there are 2 primary microservices that are in play. The first one hosts the web application and forwards calls with Zuul to the second microservice. This microservice communicates with UAA and handles any other application specific user requests.

I have this WebSecurityConfigurerAdapter on the first microservice (LandingPage):

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@SpringBootApplication
@EnableZuulProxy
@EnableOAuth2Sso
@EnableEurekaClient
@EnableAutoConfiguration
public class LandingPageUiApplication extends WebSecurityConfigurerAdapter {

    public static void main(String[] args) {
        SpringApplication.run(LandingPageUiApplication.class, args);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // CSRF off, and every request is permitted; the SSO filter chain is still installed
        http.csrf().disable().authorizeRequests().anyRequest().permitAll();
    }
}

and this in the second microservice (UserInformation):

import org.modelmapper.ModelMapper;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.circuitbreaker.EnableCircuitBreaker;
import org.springframework.cloud.netflix.feign.EnableFeignClients;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
@EnableCircuitBreaker
@EnableFeignClients
public class UserInformationServiceApplication {

    public static void main(String[] args) {
        SpringApplication.run(UserInformationServiceApplication.class, args);
    }

    // Shared ModelMapper instance for DTO/entity conversion
    @Bean
    public ModelMapper modelMapper() {
        return new ModelMapper();
    }
}

Unfortunately, I am having a hard time accessing a REST endpoint on the first microservice, as well as not being able to forward anything to the second one. I generally receive a 401 response code. Their respective application.yaml files are set up to communicate with UAA as a Client and a Resource server.

LandingPage application.yaml:

spring:
  application:
    name: Landing Page
  aop:
    proxy-target-class: true

security:
  oauth2:
    client:
      accessTokenUri: http://localhost:8080/uaa/oauth/token
      userAuthorizationUri: http://localhost:8080/uaa/oauth/authorize
      clientId: landing-page
      clientSecret: landing-page-secret
      scope: openid,uaa.admin,uaa.user
    resource:
      userInfoUri: http://localhost:8080/uaa/userinfo

zuul:
  routes:
    users:
      serviceId: USER-INFO-SERVICE
      path: /users/**

server:
  port: 8081

eureka:
  instance:
    hostname: 127.0.0.1
    nonSecurePort: ${server.port}
    leaseRenewalIntervalInSeconds: 10
    metadataMap:
      instanceId: ${spring.application.name}:${server.port}
  client:
    serviceUrl:
      defaultZone: http://localhost:8761/eureka/
    region: default
    registryFetchIntervalSeconds: 5

and the UserInfoService application.yaml:

server:
  port: 0

security:
  oauth2:
    client:
      clientId: user-info-service
      clientSecret: app-secret
    resource:
      jwt:
        keyUri: http://localhost:8080/uaa/token_key


spring:
  application:
    name: user-info-service
  profiles: development,default
  datasource:
    url: jdbc:h2:mem:AZ;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
    driverClassName: org.h2.Driver
    username: sa
    password:
    database-platform: org.hibernate.dialect.H2Dialect


eureka:
  instance:
    hostname: 127.0.0.1
    nonSecurePort: ${server.port}
    leaseRenewalIntervalInSeconds: 10
    metadataMap:
      instanceId: ${spring.application.name}:${server.port}
  client:
    serviceUrl:
      defaultZone: http://localhost:8761/eureka/
    region: default
    registryFetchIntervalSeconds: 5

Any help is greatly appreciated.


Solution

  • The answer was to put this WebConfigAdapter setting in the parent MS:

        import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
        import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
        import org.springframework.context.annotation.Configuration;
        import org.springframework.security.config.annotation.web.builders.HttpSecurity;
        import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

        // Nested static class: declared inside the parent application class
        @Configuration
        @EnableOAuth2Sso
        @EnableAutoConfiguration
        protected static class TestConfiguration extends WebSecurityConfigurerAdapter {

            @Override
            public void configure(HttpSecurity http) throws Exception {
                // Match every path and permit it; SSO login is still available but not required
                http.csrf().disable().antMatcher("/**")
                    .authorizeRequests()
                    .anyRequest().permitAll();
            }

        }


    and the following in the child MS:

        import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
        import org.springframework.context.annotation.Configuration;
        import org.springframework.core.annotation.Order;
        import org.springframework.security.config.annotation.web.builders.HttpSecurity;
        import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
        import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
        import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;

        // Nested static class: declared inside the child application class
        @Configuration
        @Order(-10) // runs before the resource-server filter chain
        @EnableOAuth2Client
        @EnableAutoConfiguration
        protected static class TestConfiguration extends WebSecurityConfigurerAdapter {

            @Override
            public void configure(HttpSecurity http) throws Exception {
                // "HALLO" is the key the anonymous filter uses to tag its tokens
                http.csrf().disable().anonymous().authenticationFilter(new AnonymousAuthenticationFilter("HALLO")) //allow anonymous access
                        .and()
                        .authorizeRequests()
                        .antMatchers("/**")
                        .permitAll();
            }
        }
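The accepted answer opens both services up, but it does not show the other half of the original question: how the child service then talks to UAA's protected endpoints with no user logged in. The following is an added example (not code from the question or the answer) using the Spring Security OAuth2 `OAuth2RestTemplate` with the client_credentials grant, so the child service authenticates to UAA as itself. The token URI, client id and client secret are the ones from the question's application.yaml files; the `/Users` path, the `scim.write` scope and the SCIM body fields are assumptions about the UAA deployment and should be checked against it.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.stereotype.Component;

/**
 * Service-to-service access to UAA without a signed-in user.
 * OAuth2RestTemplate obtains an access token with the client_credentials grant,
 * using the child service's own client id and secret, and reuses it until it expires.
 */
@Configuration
public class UaaClientConfig {

    @Bean
    public OAuth2RestTemplate uaaRestTemplate() {
        ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails();
        // Values taken from the question's application.yaml files
        details.setAccessTokenUri("http://localhost:8080/uaa/oauth/token");
        details.setClientId("user-info-service");
        details.setClientSecret("app-secret");
        // Assumption: creating users in UAA needs the scim.write scope, and the
        // user-info-service client must be registered in UAA with that authority
        details.setScope(Arrays.asList("scim.write"));
        return new OAuth2RestTemplate(details);
    }
}

/** Creates a UAA user on behalf of the application, not of any logged-in user. */
@Component
class UaaUserRegistrar {

    // Assumption: UAA's SCIM user endpoint is /Users under the /uaa context
    private static final String USERS_URI = "http://localhost:8080/uaa/Users";

    private final OAuth2RestTemplate uaa;

    UaaUserRegistrar(OAuth2RestTemplate uaa) {
        this.uaa = uaa;
    }

    public ResponseEntity<String> createUser(String userName, String email, String password) {
        // Assumption: minimal SCIM user representation accepted by UAA
        Map<String, Object> user = new LinkedHashMap<>();
        user.put("userName", userName);
        user.put("password", password);
        user.put("emails", Collections.singletonList(
                Collections.singletonMap("value", email)));

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);

        // The bearer token is attached by OAuth2RestTemplate. A 401 from this call means
        // UAA rejected the client credentials or scope, not that a user session is missing.
        return uaa.postForEntity(USERS_URI, new HttpEntity<>(user, headers), String.class);
    }
}
```

With the answer's `permitAll()` configuration in place, the child service no longer checks who is calling it, so the client secret held by the child service is the only credential UAA sees for these requests. Keep that service reachable only through the gateway or on an internal network, and keep the secret out of the repository, because anyone who can reach the child service's sign-up endpoint can have it create UAA users.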