reverse proxy after SSO

[bhargaviaaa]

How to run ReverseProxyFilter after SSO is successfull. SSO is done using filter from external jar. Setting filter order to least precedence is not working. It is not taking to login page.

[mkopylec]

"Taking to login page" is probably done in the SSO filter by sending a redirect response (HTTP 301 with 'Location' header). The order of the ReverseProxyFilter can be set to either:

• before the SSO filter - then the SSO filter will not be invoked at all
• after the SSO filter - then the ReverseProxyFilter will not be invoked at all because the SSO filter will send the redirect response and break the filter chain invocation.

[mkopylec]

If the above is not your case, please provide some more details on how you expect Charon to work.

[codebje]

I have implemented this, using WebFlux. I used a typical SecurityWebFilterChain set to @Order(1) and set the Charon configuration to .filterOrder(2). The end result is that, depending on configuration in the security filter, an SSO login is required before proxying requests.

However, Charon's custom ClientRequest implementation introduces a wrinkle. Typically one might use the ServerOAuth2AuthorizedClientExchangeFilterFunction on a client request to introduce a Bearer token based on the OAuth2 user (or to redirect to the SSO provider if a fresh token is required), but like many filter functions this modifies the client request to add the appropriate header. It does so by calling ClientRequest.from(...) which in turn copies headers, attributes, body, http request consumer, and cookies from the existing request. The last part of that list is the problem, because attempting to read cookies from an HttpRequest throws an exception.

I have worked around it by first creating a ClientRequest by copying everything except cookies, then invoking the filter function - see below. I am not sure why HttpRequest doesn't forward the call to cookies down to its delegate, though: I think everything would just work as expected if it did.

    private static class NoCookesFilter implements ExchangeFilterFunction {
        @Override
        public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
            //noinspection ConstantConditions - disable @NotNull check for .httpRequest
            var noCookiesReq = ClientRequest.create(request.method(), request.url())
                    .headers(headers -> headers.addAll(request.headers()))
                    .attributes(attrs -> attrs.putAll(request.attributes()))
                    .body(request.body())
                    .httpRequest(request.httpRequest())
                    .build();
            return next.exchange(noCookiesReq);
        }
    }