This repository has been archived by the owner on Apr 5, 2022. It is now read-only.

Manage cookies for backends in zuul proxy #41

Open
dsyer opened this issue Feb 10, 2015 · 5 comments

@dsyer
Contributor

dsyer commented Feb 10, 2015

The only way cookies work right now is if the backends don't send "set-cookie" headers. It would be cleaner to allow that as well but if the "set-cookie" header appears on backend responses, store them in a sane way on the proxy and replay them to the same backend on the next request.

@jhoelter

@dsyer Any Updates regarding a spring-cloud-security Cookie Store for Zuul please?

As I read here, and tested myself using spring-boot 1.3.3.RELEASE and spring-cloud-dependencies Brixton.RC1, it looks like the Cookies are still completely ignored at the moment, i.e. the proxied HTTP Response Headers Set-Cookie will be lost on any subsequent request to the proxied Service. As clearly advised here.

Would you have any idea how to implement this?
The only solution I can think of at the moment, is to implement two custom ZuulFilters. One of type post which stores the Cookies somehow using RedisOperationsSessionRepository, and another one of type pre, which adds them back in subsequent requests to the same proxied service, like you did in OAuth2TokenRelayFilter.

Thanks in advance for your thoughts

@jhoelter

@dsyer actually, I am wondering what you mean by

> The only way cookies work right now is if the backends don't send "set-cookie" headers.

May I ask you how exactly did you get cookies sent from backend services working?

@dsyer
Contributor Author

dsyer commented Mar 31, 2016

> May I ask you how exactly did you get cookies sent from backend services working?

I didn't. What I meant was, they only work if they are not coming from the backend. It's a bit better in Brixton, since cookies are ignored by default in the backend requests, and you can control the headers a bit. Backend authentication is best handled with tokens or Spring Session right now.

@jhoelter

@dsyer Thanks for your reply Dave.

> Backend authentication is best handled with tokens or Spring Session right now.

This means, it is currently not possible to terminate the Cookie-authentication based Backends using spring-cloud-security out of the box, if I understand you correctly.

May I ask you how you would add such support? Using pre and post ZuulFilters as suggested in my first comment?

@dsyer
Contributor Author

dsyer commented Mar 31, 2016

Yes, ZuulFilters would be my tool of choice. Probably a shared repository (with a redis implementation) would be useful as well, but it might be sufficient to keep it in memory for a lot of use cases.
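
A sketch of the in-memory store the thread arrives at, added here as an example; it is not code from spring-cloud-security or from either participant. The class and method names are hypothetical, it uses only the JDK, and it assumes the `post` and `pre` ZuulFilters supply the client session id and the target service id. Jars are keyed by both so one user's backend cookies are never replayed for another user or to a different backend.

```java
import java.net.HttpCookie;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

/** Hypothetical in-memory store: one cookie jar per (client session, backend) pair. */
public class BackendCookieJar {
    private final Map<List<String>, Map<String, HttpCookie>> jars = new ConcurrentHashMap<>();

    /** "post" filter side: record the Set-Cookie values of one backend response. */
    public void store(String sessionId, String serviceId, List<String> setCookieValues) {
        Map<String, HttpCookie> jar = jars.computeIfAbsent(
                List.of(sessionId, serviceId), k -> new ConcurrentHashMap<>());
        for (String value : setCookieValues) {
            try {
                for (HttpCookie c : HttpCookie.parse(value)) {
                    if (c.hasExpired()) jar.remove(c.getName()); // Max-Age=0 deletes the cookie
                    else jar.put(c.getName(), c);
                }
            } catch (IllegalArgumentException malformed) {
                // Drop unparseable headers rather than storing them.
            }
        }
    }

    /**
     * "pre" filter side: Cookie header value for this session and backend, or null.
     * Simplification: Path, Domain and Secure attributes are not evaluated.
     */
    public String cookieHeader(String sessionId, String serviceId) {
        Map<String, HttpCookie> jar = jars.get(List.of(sessionId, serviceId));
        if (jar == null) return null;
        jar.values().removeIf(HttpCookie::hasExpired); // honour Max-Age between requests
        String header = jar.values().stream()
                .map(c -> c.getName() + "=" + c.getValue())
                .collect(Collectors.joining("; "));
        return header.isEmpty() ? null : header;
    }

    /** Call on logout or session expiry so backend cookies do not outlive the client session. */
    public void clearSession(String sessionId) {
        jars.keySet().removeIf(k -> k.get(0).equals(sessionId));
    }

    public static void main(String[] args) {
        BackendCookieJar store = new BackendCookieJar();
        // Session ids, service ids and the cookie value below are constructed samples.
        store.store("sess-A", "orders", List.of("JSESSIONID=abc123; Path=/; HttpOnly"));
        System.out.println(store.cookieHeader("sess-A", "orders"));  // replayed to the same backend
        System.out.println(store.cookieHeader("sess-A", "billing")); // different backend: no cookies
        System.out.println(store.cookieHeader("sess-B", "orders"));  // different user: no cookies
    }
}
```

The backend's `Set-Cookie` header should also be stripped from the response before it reaches the browser, otherwise the cookie is held in two places.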
