These are chat archives for spring-cloud/spring-cloud

1st
Apr 2016
Tim te Beek
@timtebeek
Apr 01 2016 16:11
can anyone help out on this issue here? My Authorization headers are no longer relayed by my ZuulProxy since Brixton.RC1
Marcos Barbero
@marcosbarbero
Apr 01 2016 16:21
@timtebeek take a look at the Cookies and sensitive headers docs, maybe that’s your case.
Tim te Beek
@timtebeek
Apr 01 2016 16:23
thanks yes I'd seen that, but I don't manually define my routes (I proxy ~25 eureka services).. and it didn't work trying to get that to work globally
Dave Syer
@dsyer
Apr 01 2016 16:25
There might be a missing feature?
"ignoredHeaders" would work I think
Tim te Beek
@timtebeek
Apr 01 2016 16:27
the docs on that say "(i.e. leave them out of downstream requests and drop them from downstream responses)" link
so I took that to mean the opposite of what I want.. (all help appreciated)
Dave Syer
@dsyer
Apr 01 2016 16:29
Are you using Spring Cloud Security?
Tim te Beek
@timtebeek
Apr 01 2016 16:31
the zuul proxy jar has no security dependency whatsoever.. and pre-RC1 it just relayed the Authorization header to the proxied services
Dave Syer
@dsyer
Apr 01 2016 16:31
Yeah, that changed.
It's not a very secure default
So we thought it best to change it
Tim te Beek
@timtebeek
Apr 01 2016 16:32
since my zuul proxy is not a client itself (it proxies for ~6 external clients) I'd set it up this way
is there any way for me to revert to the old behaviour, or achieve the same relay effect in a new way?
Dave Syer
@dsyer
Apr 01 2016 16:33
Spring Cloud Security adds a ZuulFilter that handles authorization
So that might be a way
I'm looking...
Jacques-Etienne Beaudet
@jebeaudet
Apr 01 2016 16:34
it looks hardcoded in ZuulRoute at the moment, I believe the only way would be a Pre filter that removes Authorization in the ignoredHeaders key of the RequestContext
it has to run after PreDecorationFilter
he's the one injecting the list of ignored headers with ctx.put("ignoredHeaders", route.getSensitiveHeaders()); (line 78)
Tim te Beek
@timtebeek
Apr 01 2016 16:35
I can confirm that manually defining my route and setting zuul.routes.myservice.sensitive-headers: Cookie,Set-Cookie passes the Authorization header
Jacques-Etienne Beaudet
@jebeaudet
Apr 01 2016 16:36
yes that's expected, the problem is that the DiscoveryClientRouteLocator instantiates a plain ZuulRoute at line 125 (with the default sensitive headers)
Tim te Beek
@timtebeek
Apr 01 2016 16:37
so a way to set the sensitive headers globally would help here..
or did I fail to pick up on an alternative approach?
Dave Syer
@dsyer
Apr 01 2016 16:37
No, I think that's about right
I thought that the "ignoredHeaders" would be equivalent, but maybe not
Tim te Beek
@timtebeek
Apr 01 2016 16:39
from what I've read the ignoredHeaders are akin to droppedHeaders, both up and downstream..
Dave Syer
@dsyer
Apr 01 2016 16:39
Yes, so you would want to make sure "Authorization" is not on the list
But I don't think that helps
Tim te Beek
@timtebeek
Apr 01 2016 16:40
and that's on the list since it's a default sensitive header, that's only configurable per route, not globally..
Dave Syer
@dsyer
Apr 01 2016 16:40
Your best workaround for now is to configure each route individually
Tim te Beek
@timtebeek
Apr 01 2016 16:40
should I file an issue to make sensitive headers configurable globally?
Dave Syer
@dsyer
Apr 01 2016 16:41
(or add a custom filter like @jebeaudet suggested)
Yes, please create an issue
Tim te Beek
@timtebeek
Apr 01 2016 16:57
Great, spring-cloud/spring-cloud-netflix#944 created
Jacques-Etienne Beaudet
@jebeaudet
Apr 01 2016 18:00
thx for the credit :D
you should link the issue and/or explain the situation in your SO post in case someone has the same question as you @timtebeek
Tim te Beek
@timtebeek
Apr 01 2016 19:59
Thank you for the help! It was easy enough to work around this way.. I'll keep the filter until an actual fix arrives.. :)
Tim te Beek
@timtebeek
Apr 01 2016 20:05
I'm just now wondering what the "usual" approach to something like this is.. I really like spring-cloud, but I'm a bit isolated from other spring cloud users/developers, so I'm not that aware what the typical usage is..
is it more geared towards serving your frontend from a spring-boot app that also serves as a proxy for its own resource servers?
David Welch
@dwelch2344
Apr 01 2016 20:25
What's the best way to intercept a failed call from a Zuul endpoint and handle it in the Zuul project? We want to catch upstream errors (like 401's) and spit out an html page via Zuul
Dave Syer
@dsyer
Apr 01 2016 21:08
@dwelch2344 I think you can just do the normal spring boot thing in the gateway
Our Zuul filters send errors to the /error endpoint by default