I am on the development team working on a large-scale project that uses Spring-based microservices. We recently discovered the Spring Cloud project and are experimenting with the implementation of the services Netflix, Zuul, Eureka, Ribbon, etc.
In our environment, no one will have access to the domain in which our application will work until it is previously authorized through an external service. As soon as they get into our application, we can get the user ID through the header marker provided by the authorization service.
I would like to configure Zuul using Spring Security using a pre-authentication filter to establish a user session and use the Spring session to make the session available to all external microservices.
Is this a legitimate approach? The only information I can see about security on Zuul is the OAuth2 proxy token feature for internal services, but we don't need OAuth2. Is there a better way to establish a user session and share it through services in our internal architecture?
source
share