Spring Cloud Gateway Security with JWT (JSON Web Token)

Introduction

In this tutorial I am going to show you an example of securing Spring Cloud Gateway with JWT. JSON Web Token (JWT) is an open industry standard, RFC 7519, for representing claims that are passed between two parties; the token is signed, so the receiving party can verify that the claims were issued by the expected signer and have not been altered. The jwt.io site lets you decode, verify and generate JWTs while you experiment.

Spring Cloud Gateway sits in front of your microservices, receives requests from clients and routes them to the appropriate microservice. Because every client request passes through it, it is the natural place to add a security layer that rejects unauthorized requests before they reach any service.

Anything that handles sensitive user data, such as emails, phone numbers, addresses or credit card numbers, and is exposed to the Internet must be secured.

Another scenario: when you run many microservices it becomes hard to maintain a fixed port for each one, so you start them on random ports and register them with a discovery server. Spring Cloud Gateway then gives clients a single entry point through which those microservices are reached.

In this example on securing the API gateway I show how to authenticate a user with JWT. If you also need authorization based on the user's role, see my other tutorial on applying authentication and role-based authorization to secure an API using JWT.

Authentication/Authorization Flow

If a client requests a secured resource without a valid token, the API gateway rejects the request (HTTP 401) instead of routing it. The client therefore has to obtain a token from the authentication service first and then repeat the request with that token to receive the secured resource.

  1. The user signs up at the end-point /register with a username, password and role(s).
  2. The user information is stored in the database.
  3. The user logs in at the end-point /login with the username and password from step 1.
  4. On successful login the user receives a JWT (JSON Web Token).
  5. The user can then call the end-points for which the user has the required role(s) for as long as the token is valid. The JWT is sent in an HTTP header as Authorization: <JWT received at login>. In this example the raw token is the header value; if your clients use the common Bearer <token> scheme, the gateway filter must strip the "Bearer " prefix before validating.
(Figure: authentication and authorization flow between client, gateway and authentication service)

Prerequisites

Java 1.8 or later (the gateway filter uses List.of, which needs Java 9+), Maven 3.6.3, Spring Boot 2.5.0, jjwt 0.9.1 (io.jsonwebtoken), Postman

Project Setup

Create a Maven-based project for each microservice in your favorite IDE or tool.

Authentication Service

This authentication service issues a JWT when the user's data exists on the server. The token is then presented on every call to a secured API endpoint.

The important part of this service is the generation of the JWT from the user's identity. For this example I put only the user id into the token, as its subject. Note that the strength of the token does not come from packing more claims into it; it comes from the signing secret. For HS512 the HMAC key should be at least 64 random bytes (512 bits, the minimum RFC 7518 expects for that algorithm), and it must be kept out of source control.

package com.roytuts.spring.boot.auth.service.util;

import java.util.Date;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.UnsupportedJwtException;

// JwtTokenMalformedException and JwtTokenMissingException are the project's own
// checked exceptions (their source is not shown on this page).

@Component
public class JwtUtil {

	// Base64-encoded HMAC secret. jjwt 0.9.x base64-decodes this string, so the
	// decoded value should be at least 64 random bytes for HS512.
	@Value("${jwt.secret}")
	private String jwtSecret;

	// Lifetime of an issued token, in milliseconds
	@Value("${jwt.token.validity}")
	private long tokenValidity;

	// Returns the verified claims, or null if the token does not verify.
	// Callers should run validateToken() first to get a precise failure reason.
	public Claims getClaims(final String token) {
		try {
			return Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(token).getBody();
		} catch (Exception e) {
			System.out.println(e.getMessage() + " => " + e);
		}
		return null;
	}

	// Issues an HS512-signed token whose subject is the user id, with iat and exp claims
	public String generateToken(String id) {
		Claims claims = Jwts.claims().setSubject(id);
		long nowMillis = System.currentTimeMillis();
		long expMillis = nowMillis + tokenValidity;
		Date exp = new Date(expMillis);
		return Jwts.builder().setClaims(claims).setIssuedAt(new Date(nowMillis)).setExpiration(exp)
				.signWith(SignatureAlgorithm.HS512, jwtSecret).compact();
	}

	// parseClaimsJws() verifies the signature and the exp claim; each failure is mapped
	// to one of the project's checked exceptions so the gateway can reject the request.
	public void validateToken(final String token) throws JwtTokenMalformedException, JwtTokenMissingException {
		try {
			Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(token);
		} catch (SignatureException ex) {
			throw new JwtTokenMalformedException("Invalid JWT signature");
		} catch (MalformedJwtException ex) {
			throw new JwtTokenMalformedException("Invalid JWT token");
		} catch (ExpiredJwtException ex) {
			throw new JwtTokenMalformedException("Expired JWT token");
		} catch (UnsupportedJwtException ex) {
			throw new JwtTokenMalformedException("Unsupported JWT token");
		} catch (IllegalArgumentException ex) {
			throw new JwtTokenMissingException("JWT claims string is empty.");
		}
	}

}

The following REST controller exposes two endpoints, register and login. For this example I am not storing the user information anywhere, and the login endpoint issues a token without checking a password. In a real project you must persist the user at registration and verify the credentials at login before a token is issued; otherwise anyone who knows a user id can obtain a token for it.

package com.roytuts.spring.boot.auth.service.rest.controller;

import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

import com.roytuts.spring.boot.auth.service.util.JwtUtil;

@RestController
public class AuthRestController {

	@Autowired
	private JwtUtil jwtUtil;

	// The body is the JSON object {"id": "..."} used in the Testing section. Binding it
	// to a plain String would have put the whole JSON document into the token subject.
	@PostMapping("/auth/login")
	public ResponseEntity<String> login(@RequestBody Map<String, String> body) {
		String id = body.get("id");
		if (id == null || id.trim().isEmpty()) {
			return new ResponseEntity<>("Missing id", HttpStatus.BAD_REQUEST);
		}

		// No credential check in this example: a real service must verify the password
		// against the stored user before issuing a token.
		String token = jwtUtil.generateToken(id);

		return new ResponseEntity<>(token, HttpStatus.OK);
	}

	@PostMapping("/auth/register")
	public ResponseEntity<String> register(@RequestBody Map<String, String> body) {
		// Persist user to some persistent storage
		System.out.println("Info saved...");

		return new ResponseEntity<>("Registered", HttpStatus.OK);
	}

}

Spring Cloud Gateway

Spring Cloud Gateway acts as a gatekeeper that accepts or rejects client requests according to the criteria configured in the gateway.

The important part of the gateway is the filter that validates each incoming request before the request is routed to the appropriate microservice.

In the source code below the endpoints /auth/register and /auth/login are exempted from the token check, so they can be called without any credentials. The exemption must match the exact request path, not a substring: a check such as path.contains("/login") would also let a request for /alert/login-history through without a token.

package com.roytuts.spring.boot.cloud.gateway.filter;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.gateway.filter.GatewayFilter;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;

import io.jsonwebtoken.Claims;
import reactor.core.publisher.Mono;

// JwtUtil, JwtTokenMalformedException and JwtTokenMissingException are the gateway's own
// copies of the auth service classes (their package in the gateway is not shown on this page).

@Component
public class JwtAuthenticationFilter implements GatewayFilter {

	// Exact paths that may be called without a token. Compared with equals(), not contains(),
	// so a path such as /alert/login-history stays protected.
	private static final List<String> OPEN_ENDPOINTS = List.of("/auth/register", "/auth/login");

	@Autowired
	private JwtUtil jwtUtil;

	@Override
	public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
		ServerHttpRequest request = exchange.getRequest();
		String path = request.getURI().getPath();

		if (OPEN_ENDPOINTS.contains(path)) {
			return chain.filter(exchange);
		}

		if (!request.getHeaders().containsKey(HttpHeaders.AUTHORIZATION)) {
			ServerHttpResponse response = exchange.getResponse();
			response.setStatusCode(HttpStatus.UNAUTHORIZED);

			return response.setComplete();
		}

		// The tutorial sends the raw token as the header value (no "Bearer " prefix)
		final String token = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);

		try {
			jwtUtil.validateToken(token);
		} catch (JwtTokenMalformedException | JwtTokenMissingException e) {
			// Rejected with 400 as in the tutorial; 401 is the conventional answer to a bad token
			ServerHttpResponse response = exchange.getResponse();
			response.setStatusCode(HttpStatus.BAD_REQUEST);

			return response.setComplete();
		}

		Claims claims = jwtUtil.getClaims(token);

		// mutate() returns a new request; the mutated request has to be placed into a new
		// exchange that is handed to the chain, otherwise the added header is lost. The user
		// id was stored as the token subject, so read getSubject() rather than a missing "id"
		// claim. set() replaces any "id" header the client may have supplied itself.
		ServerHttpRequest mutated = request.mutate()
				.headers(h -> h.set("id", claims.getSubject()))
				.build();

		return chain.filter(exchange.mutate().request(mutated).build());
	}

}
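The following is an added example, not code from the original tutorial or its download: a stdlib-only Python model of the HS512 token that JwtUtil mints and of the decision the gateway filter takes for a request, covering the flow described in the Authentication/Authorization Flow section, the JwtUtil class and the filter above. Spring and jjwt are not used. DEMO_SECRET, TOKEN_VALIDITY_MS, OPEN_ENDPOINTS, the function names and the 401/400 status mapping are assumptions made for the demonstration; the header and claim names (alg, sub, iat, exp) are the standard JWT ones.

```python
"""Added example (not the tutorial's code): HS512 JWT issue/verify and a model of
the gateway filter's decision, using only the Python standard library."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret, Base64 like ${jwt.secret}: jjwt 0.9.x decodes the configured
# string, so the effective HMAC key is the decoded 64 bytes (512 bits, the minimum RFC 7518
# expects for HS512). A fixed value like this is for the demo only, never for production.
DEMO_SECRET = base64.b64encode(bytes(range(64))).decode()
TOKEN_VALIDITY_MS = 5 * 60 * 1000  # stands in for ${jwt.token.validity}
OPEN_ENDPOINTS = {"/auth/register", "/auth/login"}  # exact paths, compared with ==


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret_b64: str) -> bytes:
    key = base64.b64decode(secret_b64)
    return hmac.new(key, signing_input.encode(), hashlib.sha512).digest()


def generate_token(subject: str, secret_b64: str, now_ms: int) -> str:
    """Mirror of JwtUtil.generateToken: claims sub/iat/exp, signed with HS512."""
    header = {"alg": "HS512", "typ": "JWT"}
    claims = {"sub": subject, "iat": now_ms // 1000,
              "exp": (now_ms + TOKEN_VALIDITY_MS) // 1000}
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{b64url_encode(_sign(signing_input, secret_b64))}"


def validate_token(token: str, secret_b64: str, now_ms: int) -> dict:
    """Mirror of JwtUtil.validateToken + getClaims. Returns the claims, or raises
    ValueError with the same message the Java code maps each failure to."""
    if not token:
        raise ValueError("JWT claims string is empty.")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Invalid JWT token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad Base64 and bad JSON are both ValueError subclasses
        raise ValueError("Invalid JWT token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("Invalid JWT token")
    # Pin the algorithm: the verifier decides, never the token's own header ("alg": "none")
    if header.get("alg") != "HS512":
        raise ValueError("Unsupported JWT token")
    expected = _sign(f"{parts[0]}.{parts[1]}", secret_b64)
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise ValueError("Invalid JWT signature")
    # RFC 7519: now must be before exp; a token without exp is rejected here as well
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now_ms // 1000:
        raise ValueError("Expired JWT token")
    return claims


def gateway_filter(path: str, headers: dict, secret_b64: str, now_ms: int):
    """Model of JwtAuthenticationFilter. Returns (status, forwarded_headers);
    status None means the request is passed on to the routed service."""
    # The downstream service trusts "id", so a value supplied by the client is dropped
    forwarded = {k: v for k, v in headers.items() if k.lower() != "id"}
    if path in OPEN_ENDPOINTS:
        return None, forwarded
    token = headers.get("Authorization")  # raw token, as the tutorial sends it
    if token is None:
        return 401, None
    try:
        claims = validate_token(token, secret_b64, now_ms)
    except ValueError:
        return 400, None  # the tutorial's filter answers 400; 401 is the conventional choice
    forwarded["id"] = claims["sub"]
    return None, forwarded


def contains_check_is_open(path: str) -> bool:
    """The original filter's substring test, kept only to show why it is unsafe."""
    return any(fragment in path for fragment in ("/register", "/login"))


if __name__ == "__main__":
    now = int(time.time() * 1000)
    token = generate_token("Soumitra", DEMO_SECRET, now)
    print(token)
    print(gateway_filter("/alert/list", {"Authorization": token}, DEMO_SECRET, now))
```

Two details are worth carrying over to the Java code: the algorithm is fixed by the verifier rather than read from the token header, and the id header the gateway forwards is always derived from the verified subject, never taken from the client.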

Next I will show you how to route requests to the appropriate microservices. Here I am using load balancing (an lb://service-name URI resolved through service discovery) instead of a fixed host and port to reach the microservices through the gateway. The authentication filter is attached to every route so that the check is applied uniformly. Keep in mind that the downstream services trust the id header set by the gateway, so they must not be reachable by clients directly; restrict them at the network level so that only the gateway can call them.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import com.roytuts.spring.boot.cloud.gateway.filter.JwtAuthenticationFilter;

@Configuration
public class GatewayConfig {

	@Autowired
	private JwtAuthenticationFilter filter;

	// One route per service; lb:// URIs are resolved against the Eureka registry.
	// The JWT filter is added to every route, including auth, which exempts its own
	// /auth/login and /auth/register paths internally.
	@Bean
	public RouteLocator routes(RouteLocatorBuilder builder) {
		return builder.routes().route("auth", r -> r.path("/auth/**").filters(f -> f.filter(filter)).uri("lb://auth"))
				.route("alert", r -> r.path("/alert/**").filters(f -> f.filter(filter)).uri("lb://alert"))
				.route("echo", r -> r.path("/echo/**").filters(f -> f.filter(filter)).uri("lb://echo"))
				.route("hello", r -> r.path("/hello/**").filters(f -> f.filter(filter)).uri("lb://hello")).build();
	}

}

Note that I have created the JwtUtil class in both places, the auth service and the Spring Cloud Gateway, and both resolve the same ${jwt.secret} placeholder through Spring's @Value annotation. The two values must be identical, so the secret should come from a central place (Spring Cloud Config, with Spring Cloud Bus to push a changed value to all services) rather than being duplicated in each service's properties file, and it must never be committed to source control. Also remember that HS512 is symmetric: the gateway holds a key that can mint tokens as well as verify them. If that is a concern, sign with an asymmetric algorithm such as RS256 so that only the auth service holds the private key and the gateway needs only the public key.

I have also created several other microservices: alert, echo and hello. I use a Eureka server for service discovery. You can download the whole source code from the Source Code section at the end.

When all services are up and running you will find them on the Eureka service discovery page:

(Screenshot: Eureka dashboard listing the registered services)

Testing the Application

Make sure you start all of your services including Eureka and Gateway.

To obtain a JWT, send the following request from Postman:

  • HTTP Method: POST
  • URL: http://localhost:8080/auth/login
  • Body: raw -> JSON
{
   "id": "Soumitra"
}

Click the Send button in Postman and the response body is the JWT:

(Screenshot: Postman response containing the JWT)

When you call a secured microservice with a valid JWT in the Authorization header you get the service's normal response. For example, the alert service:

(Screenshot: alert service response received through the gateway)

If you try to access a microservice without the Authorization header, the gateway answers 401 Unauthorized:

(Screenshot: 401 Unauthorized response for a request without a token)

If your JWT has expired and you try to access a service, the filter rejects the request and you see the following error:

(Screenshot: error response for an expired token)

That's all about the example on Spring Cloud Gateway security with JWT (JSON Web Token).

Source Code

Download

8 thoughts on “Spring Cloud Gateway Security with JWT (JSON Web Token)”

  1. Hi.
    Good tutorial. I have a question. What happens if I try to access the microservices directly? In other words, I don't use the gateway to access the microservices. Can I access them?

  2. Hi! One question!
    In which part should we say “Only the user with X role can access this URL”?
    I don't understand if that should go in the Gateway classes or in Spring Security.
    Thanks in advance!

  3. The filter at the gateway server redirects requests to the authentication service first before accessing the microservices.
    I have the following question. Hopefully you are kind enough to answer:
    How does a microservice get information about a logged-in user, like username and authorities?
