kakawait / uaa-behind-zuul-sample

Spring AuthorizationServer load balanced behind Zuul

failover + gui #1

Closed bilak closed 7 years ago

bilak commented 8 years ago

Hi, Thanks for this nice project, It gave me a lot to setup my applications. Now I'm thinking about adding next module and it should be GUI (based on angular2).

I have some questions and would like to discuss it.

  1. How to work with csrf while the angular application will also need a csrf token, and I bet that the token generated by the gateway won't work unless I somehow hack the GUI application.
  2. What about failover in this situation (with GUI)? What if the gateway goes down and I would like to redirect the user to a second node/cluster? Is there a simple way to do that? I was thinking about spring session support to store the session in redis/jdbc, but I'm not sure if this is the right direction.

Thanks in advance

kakawait commented 8 years ago

I'm happy that project is useful for something else!

About

How to work with csrf while the angular application will also need a csrf token, and I bet that the token generated by the gateway won't work unless I somehow hack the GUI application.

If I understand well, the problem is that the Gateway is holding and managing the CSRF token, so how can the Gui-service access the token in order to transfer it to the client?

In any case I can't answer you today. I will try to think about it asap.

PS: I never used Angular2, could you please describe to me how Angular2 stores/retrieves the token (inside a Header, Cookie, HTML tags)?

What about failover in this situation (with GUI)? What if the gateway goes down and I would like to redirect the user to a second node/cluster? Is there a simple way to do that? I was thinking about spring session support to store the session in redis/jdbc, but I'm not sure if this is the right direction.

Yes, the problem is the same for Gateway and UAA: if you want to provide a failover mechanism you need to share state (here the session). So yes, storing the session on shared dedicated storage like Redis is a good way to do it.

However for Gateway another direction is to improve current architecture to transform stateful Gateway to stateless Gateway. Today I'm using JWT to store identity on client side, session is only used by CSRF...

bilak commented 8 years ago

@kakawait if you look here you can find something similar to my current configuration. One thing I have to change is to add a gateway. The project is configured to store oauth tokens inside jdbc. I'll try to change it today and maybe we can find the solution on this simple project.

kakawait commented 8 years ago

About CSRF you may need to create a post ZuulFilter that adds an X-CSRF-TOKEN header on every response.

@bilak Please create a branch for drafting Gateway and we can try to work on it after
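The post filter sketched above, as an added example that is not part of the repository or of either commenter's code. It assumes Spring Cloud Netflix Zuul and that Spring Security's CsrfFilter runs in the gateway ahead of Zuul, so the token is already in the request attributes; the class name is hypothetical, the header name is the one from the comment.

```java
import javax.servlet.http.HttpServletRequest;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Component;

/**
 * Zuul "post" filter that exposes the gateway's CSRF token to the browser
 * client as a response header, so a GUI served through the gateway can send
 * it back on state-changing requests. Hypothetical class name.
 */
@Component
public class CsrfTokenResponseHeaderFilter extends ZuulFilter {

    static final String HEADER_NAME = "X-CSRF-TOKEN";

    @Override
    public String filterType() {
        return "post"; // runs after the proxied response has come back
    }

    @Override
    public int filterOrder() {
        return 0;
    }

    @Override
    public boolean shouldFilter() {
        // Only act when CsrfFilter has stored a token for this exchange; it
        // registers the token under the attribute name CsrfToken.class.getName().
        HttpServletRequest request = RequestContext.getCurrentContext().getRequest();
        return request.getAttribute(CsrfToken.class.getName()) != null;
    }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        CsrfToken token = (CsrfToken) ctx.getRequest()
                .getAttribute(CsrfToken.class.getName());
        // The token is bound to the gateway session, so the value we expose is
        // exactly what the gateway's CsrfFilter will validate on the next POST.
        ctx.addZuulResponseHeader(HEADER_NAME, token.getToken());
        return null;
    }
}
```

Angular's built-in XSRF support expects a cookie named XSRF-TOKEN and sends it back as X-XSRF-TOKEN; with a header-only approach like this one, the GUI code must read the response header itself and attach it to its requests.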

bilak commented 8 years ago

@kakawait here is the branch.

There are following issues:

  1. When you want to login using uaa, there is an error with the csrf token. I don't know how to avoid this. I just changed the CsrfHeaderFilter to add a header to the response instead of a cookie - it would be better for me to work with a header. There could be some issue with thymeleaf maybe. I've tried to change the token name in the uaa, but that didn't help me.
  2. The UI is not implemented using angular2, but I'll try to add there something later (today or tomorrow)

If you need something more, just let me know.

Thanks

kakawait commented 8 years ago

I don't think I will have time to work on it this week but I will check that asap