{"id":99108,"date":"2019-10-14T12:47:10","date_gmt":"2019-10-14T09:47:10","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/?p=99108"},"modified":"2019-10-23T12:12:58","modified_gmt":"2019-10-23T09:12:58","slug":"secure-reactive-microservices-with-spring-cloud-gateway","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2019\/10\/secure-reactive-microservices-with-spring-cloud-gateway.html","title":{"rendered":"Secure Reactive Microservices with Spring Cloud Gateway"},"content":{"rendered":"

Friends don\u2019t let friends write user auth. Tired of managing your own users?<\/strong> Try Okta\u2019s API and Java SDKs today. Authenticate, manage, and secure users in any application within minutes.<\/a><\/span><\/p>\n

So you wanna go full reactive, eh? Great! Reactive programming is an increasingly popular way to make your applications more efficient. Instead of making a call to a resource and waiting on a response, reactive applications asynchronously receive a response. This allows them to free up processing power, only perform processing when necessary, and scale more effectively than other systems.<\/p>\n

The Java ecosystem has its fair share of reactive frameworks, including Play Framework, Ratpack, Vert.x, and Spring WebFlux. Like Reactive programming, a microservices architecture can help large teams scale quickly and is possible to build using any of the awesome aforementioned frameworks.<\/p>\n

Today I\u2019d like to show you how you can build a reactive microservices architecture using Spring Cloud Gateway, Spring Boot, and Spring WebFlux. We\u2019ll leverage Spring Cloud Gateway as API gateways are often important components in a cloud-native microservices architecture, providing the aggregation layer for all your backend microservices.<\/p>\n

This tutorial shows you how to build a microservice with a REST API that returns a list of new cars. You\u2019ll use Eureka for service discovery and Spring Cloud Gateway to route requests to the microservice. Then you\u2019ll integrate Spring Security so only authenticated users can access your API gateway and microservice.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

Prerequisites<\/strong>: HTTPie<\/a> (or cURL), Java<\/a> 11+, and an internet connection.<\/p>\n

Spring Cloud Gateway vs. Zuul<\/h2>\n

Zuul is Netflix\u2019s API gateway. First released in 2013, Zuul was not originally reactive, but Zuul 2 is a ground-up rewrite to make it reactive. Unfortunately, Spring Cloud does not support Zuul 2<\/a> and it likely never will.<\/p>\n

Spring Cloud Gateway is now the preferred API gateway implementation from the Spring Cloud Team. It\u2019s built on Spring 5, Reactor, and Spring WebFlux. Not only that, it also includes circuit breaker integration, service discovery with Eureka, and is much<\/strong> easier to integrate with OAuth 2.0!<\/p>\n

Let\u2019s dig in.<\/p>\n

Create a Spring Cloud Eureka Server Project<\/h2>\n

Start by creating a directory to hold all your projects, for example, spring-cloud-gateway<\/code>. Navigate to it in a terminal window and create a discovery-service<\/code> project that includes Spring Cloud Eureka Server as a dependency.<\/p>\n

http https:\/\/start.spring.io\/starter.zip javaVersion==11 artifactId==discovery-service \\\n  name==eureka-service baseDir==discovery-service \\\n  dependencies==cloud-eureka-server | tar -xzvf -\n<\/pre>\n
\n
 The command above uses HTTPie<\/a>. I highly recommend installing it. You can also use curl<\/code>. Run curl https:\/\/start.spring.io<\/a><\/code> to see the syntax. <\/p>\n<\/blockquote>\n
Add @EnableEurekaServer<\/code> on its main class to enable it as a Eureka server.<\/p>\n
import org.springframework.cloud.netflix.eureka.server.EnableEurekaServer;\n\n@EnableEurekaServer\n@SpringBootApplication\npublic class EurekaServiceApplication {...}\n<\/pre>\n
Add the following properties to the project\u2019s src\/main\/resources\/application.properties<\/code> file to configure its port and turn off Eureka registration.<\/p>\n
server.port=8761\neureka.client.register-with-eureka=false\n<\/pre>\n
To make the discovery-service<\/code> run on Java 11+, add a dependency on JAXB.<\/p>\n
<dependency>\n    <groupId>org.glassfish.jaxb<\/groupId>\n    <artifactId>jaxb-runtime<\/artifactId>\n<\/dependency>\n<\/pre>\n
Start the project using .\/mvnw spring-boot:run<\/code> or by running it in your IDE.<\/p>\n
Create a Spring Cloud Gateway Project<\/h2>\n
Next, create an api-gateway<\/code> project that includes a handful of Spring Cloud dependencies.<\/p>\n
http https:\/\/start.spring.io\/starter.zip javaVersion==11 artifactId==api-gateway \\\n  name==api-gateway baseDir==api-gateway \\\n  dependencies==actuator,cloud-eureka,cloud-feign,cloud-gateway,cloud-hystrix,webflux,lombok | tar -xzvf -\n<\/pre>\n
We\u2019ll come back to configuring this project in a minute.<\/p>\n
Create a Reactive Microservice with Spring WebFlux<\/h2>\n
The car microservice will contain a significant portion of this example\u2019s code because it contains a fully-functional REST API that supports CRUD (Create, Read, Update, and Delete).<\/p>\n
Create the car-service<\/code> project using start.spring.io:<\/p>\n
http https:\/\/start.spring.io\/starter.zip javaVersion==11 artifactId==car-service \\\n  name==car-service baseDir==car-service \\\n  dependencies==actuator,cloud-eureka,webflux,data-mongodb-reactive,flapdoodle-mongo,lombok | tar -xzvf -\n<\/pre>\n
The dependencies<\/code> argument is interesting in this command. You can see that Spring WebFlux is included, as is MongoDB. Spring Data provides reactive drivers for Redis and Cassandra as well.<\/p>\n
You may also be interested in R2DBC<\/a> (Reactive Relational Database Connectivity) – an endeavor to bring a reactive programming API to SQL databases. I did not use it in this example because it\u2019s not yet available on start.spring.io.<\/p>\n
Build a REST API with Spring WebFlux<\/h2>\n
I\u2019m a big fan of VWs, especially classic ones like the bus and the bug. Did you know that VW has a bunch of electric vehicles coming out in the next few years? I\u2019m really excited by the ID Buzz! It has classic curves and is all-electric. It even has 350+ horsepower!<\/p>\n
In case you\u2019re not familiar with the ID Buzz, here\u2019s a photo from Volkswagen<\/a>.<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
Let\u2019s have some fun with this API example and use the electric VWs for our data set. This API will track the various car names and release dates.<\/p>\n
Add Eureka registration, sample data initialization, and a reactive REST API to src\/main\/java\/\u2026\u200b\/CarServiceApplication.java<\/code>:<\/p>\n
package com.example.carservice;\n\nimport lombok.AllArgsConstructor;\nimport lombok.Data;\nimport lombok.NoArgsConstructor;\nimport lombok.extern.slf4j.Slf4j;\nimport org.springframework.boot.ApplicationRunner;\nimport org.springframework.boot.SpringApplication;\nimport org.springframework.boot.autoconfigure.SpringBootApplication;\nimport org.springframework.cloud.netflix.eureka.EnableEurekaClient;\nimport org.springframework.context.annotation.Bean;\nimport org.springframework.data.annotation.Id;\nimport org.springframework.data.mongodb.core.mapping.Document;\nimport org.springframework.data.mongodb.repository.ReactiveMongoRepository;\nimport org.springframework.http.HttpStatus;\nimport org.springframework.http.ResponseEntity;\nimport org.springframework.web.bind.annotation.*;\nimport reactor.core.publisher.Flux;\nimport reactor.core.publisher.Mono;\n\nimport java.time.LocalDate;\nimport java.time.Month;\nimport java.util.Set;\nimport java.util.UUID;\n\n@EnableEurekaClient (1)\n@SpringBootApplication\n@Slf4j (2)\npublic class CarServiceApplication {\n\n    public static void main(String[] args) {\n        SpringApplication.run(CarServiceApplication.class, args);\n    }\n\n    @Bean (3)\n    ApplicationRunner init(CarRepository repository) {\n        \/\/ Electric VWs from https:\/\/www.vw.com\/electric-concepts\/\n        \/\/ Release dates from https:\/\/www.motor1.com\/features\/346407\/volkswagen-id-price-on-sale\/\n        Car ID = new Car(UUID.randomUUID(), \"ID.\", LocalDate.of(2019, Month.DECEMBER, 1));\n        Car ID_CROZZ = new Car(UUID.randomUUID(), \"ID. CROZZ\", LocalDate.of(2021, Month.MAY, 1));\n        Car ID_VIZZION = new Car(UUID.randomUUID(), \"ID. VIZZION\", LocalDate.of(2021, Month.DECEMBER, 1));\n        Car ID_BUZZ = new Car(UUID.randomUUID(), \"ID. BUZZ\", LocalDate.of(2021, Month.DECEMBER, 1));\n        Set<Car> vwConcepts = Set.of(ID, ID_BUZZ, ID_CROZZ, ID_VIZZION);\n\n        return args -> {\n            repository\n                    .deleteAll() (4)\n                    .thenMany(\n                            Flux\n                                    .just(vwConcepts)\n                                    .flatMap(repository::saveAll)\n                    )\n                    .thenMany(repository.findAll())\n                    .subscribe(car -> log.info(\"saving \" + car.toString())); (5)\n        };\n    }\n}\n\n@Document\n@Data\n@NoArgsConstructor\n@AllArgsConstructor\nclass Car { (6)\n    @Id\n    private UUID id;\n    private String name;\n    private LocalDate releaseDate;\n}\n\ninterface CarRepository extends ReactiveMongoRepository<Car, UUID> { \n} (7)\n\n@RestController\nclass CarController { (8)\n\n    private CarRepository carRepository;\n\n    public CarController(CarRepository carRepository) {\n        this.carRepository = carRepository;\n    }\n\n    @PostMapping(\"\/cars\")\n    @ResponseStatus(HttpStatus.CREATED)\n    public Mono<Car> addCar(@RequestBody Car car) { (9)\n        return carRepository.save(car);\n    }\n\n    @GetMapping(\"\/cars\")\n    public Flux<Car> getCars() { (10)\n        return carRepository.findAll();\n    }\n\n    @DeleteMapping(\"\/cars\/{id}\")\n    public Mono<ResponseEntity<Void>> deleteCar(@PathVariable(\"id\") UUID id) {\n        return carRepository.findById(id)\n                .flatMap(car -> carRepository.delete(car)\n                        .then(Mono.just(new ResponseEntity<Void>(HttpStatus.OK)))\n                )\n                .defaultIfEmpty(new ResponseEntity<>(HttpStatus.NOT_FOUND));\n    }\n}\n<\/pre>\n
    \n
  1.  Add the @EnableEurekaClient<\/code> annotation for service discovery <\/li>\n
  2.  @Slf4j<\/code> is a handy annotation from Lombok to enable logging in a class <\/li>\n
  3.  ApplicationRunner<\/code> bean to populate MongoDB with default data <\/li>\n
  4.  Delete all existing data in MongoDB so new data is not additive <\/li>\n
  5.  Subscribe to results so both deleteAll()<\/code> and saveAll()<\/code> are invoked <\/li>\n
  6. Car<\/code> class with Spring Data NoSQL and Lombok annotations to reduce boilerplate<\/li>\n
  7.  CarRepository<\/code> interface that extends ReactiveMongoRepository<\/code>, giving you CRUDability with hardly any code! <\/li>\n
  8.  CarController<\/code> class that uses CarRepository<\/code> to perform CRUD actions <\/li>\n
  9.  Spring WebFlux returns a Mono<\/code> publisher for single objects <\/li>\n
  10.  Return a Flex<\/code> publisher for multiple objects <\/li>\n<\/ol>\n
    \n
     If you\u2019re using an IDE to build your projects, you\u2019ll need to setup Lombok for your IDE<\/a>. <\/p>\n<\/blockquote>\n
    You\u2019ll also need to modify the car-service<\/code> project\u2019s application.properties<\/code> to set its name and port.<\/p>\n
    spring.application.name=car-service\nserver.port=8081\n<\/pre>\n
    Run MongoDB<\/h3>\n
    The easiest way to run MongoDB is to remove the test<\/code> scope from the flapdoodle dependency in car-service\/pom.xml<\/code>. This will cause your app to start an embedded MongoDB dependency.<\/p>\n
    <dependency>\n    <groupId>de.flapdoodle.embed<\/groupId>\n    <artifactId>de.flapdoodle.embed.mongo<\/artifactId>\n    <!--<scope>test<\/scope>-->\n<\/dependency>\n<\/pre>\n
    You can also install and run MongoDB using Homebrew.<\/p>\n
    brew tap mongodb\/brew\nbrew install mongodb-community@4.2\nmongod\n<\/pre>\n
    Or, use Docker:<\/p>\n
    docker run -d -it -p 27017:27017 mongo\n<\/pre>\n
    Stream Data with WebFlux<\/h3>\n
    This completes everything you need to do to build a REST API with Spring WebFlux.
     
    <\/div> <\/div><\/p>\n
    “But wait!” you might say. “I thought WebFlux was all about streaming data?”<\/p>\n
    In this particular example, you can still stream data from the \/cars<\/code> endpoint, but not in a browser.<\/p>\n
    A browser has no way to consume a stream other than using Server-Sent Events or WebSockets. Non-browser clients however can get a JSON stream by sending an Accept<\/code> header with a value of application\/stream+json<\/code> (thanks to Rajeev Singh<\/a> for the tip).<\/p>\n
    You could<\/em> test everything works at this point by firing up your browser and using HTTPie to make requests. However, it\u2019s much better to write automated tests!<\/p>\n
    Test Your WebFlux API with WebTestClient<\/h3>\n
    WebClient ships as part of Spring WebFlux and can be useful for making reactive requests, receiving responses, and populating objects with the payload. A companion class, WebTestClient, can be used to test your WebFlux API. It contains request methods that are similar to WebClient, as well as methods to check the response body, status, and headers.<\/p>\n
    Modify the src\/test\/java\/\u2026\u200b\/CarServiceApplicationTests.java<\/code> class in the car-service<\/code> project to contain the code below.<\/p>\n
    package com.example.carservice;\n\nimport org.junit.Test;\nimport org.junit.runner.RunWith;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.boot.test.context.SpringBootTest;\nimport org.springframework.http.MediaType;\nimport org.springframework.test.context.junit4.SpringRunner;\nimport org.springframework.test.web.reactive.server.WebTestClient;\nimport reactor.core.publisher.Mono;\n\nimport java.time.LocalDate;\nimport java.time.Month;\nimport java.util.Collections;\nimport java.util.UUID;\n\n@RunWith(SpringRunner.class)\n@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,\n        properties = {\"spring.cloud.discovery.enabled = false\"})\npublic class CarServiceApplicationTests {\n\n    @Autowired\n    CarRepository carRepository;\n\n    @Autowired\n    WebTestClient webTestClient;\n\n    @Test\n    public void testAddCar() {\n        Car buggy = new Car(UUID.randomUUID(), \"ID. BUGGY\", LocalDate.of(2022, Month.DECEMBER, 1));\n\n        webTestClient.post().uri(\"\/cars\")\n                .contentType(MediaType.APPLICATION_JSON_UTF8)\n                .accept(MediaType.APPLICATION_JSON_UTF8)\n                .body(Mono.just(buggy), Car.class)\n                .exchange()\n                .expectStatus().isCreated()\n                .expectHeader().contentType(MediaType.APPLICATION_JSON_UTF8)\n                .expectBody()\n                .jsonPath(\"$.id\").isNotEmpty()\n                .jsonPath(\"$.name\").isEqualTo(\"ID. BUGGY\");\n    }\n\n    @Test\n    public void testGetAllCars() {\n        webTestClient.get().uri(\"\/cars\")\n                .accept(MediaType.APPLICATION_JSON_UTF8)\n                .exchange()\n                .expectStatus().isOk()\n                .expectHeader().contentType(MediaType.APPLICATION_JSON_UTF8)\n                .expectBodyList(Car.class);\n    }\n\n    @Test\n    public void testDeleteCar() {\n        Car buzzCargo = carRepository.save(new Car(UUID.randomUUID(), \"ID. BUZZ CARGO\",\n                LocalDate.of(2022, Month.DECEMBER, 2))).block();\n\n        webTestClient.delete()\n                .uri(\"\/cars\/{id}\", Collections.singletonMap(\"id\", buzzCargo.getId()))\n                .exchange()\n                .expectStatus().isOk();\n    }\n}\n<\/pre>\n
    To prove it works, run .\/mvnw test<\/code>. Give yourself a pat on the back when your tests pass!<\/p>\n
    \n
    \"\"<\/figure>\n<\/div>\n
    \n
     If you\u2019re on Windows, use mvnw test<\/code>. <\/p>\n<\/blockquote>\n
    Use Spring Cloud Gateway with Reactive Microservices<\/h2>\n
    To edit all three projects in the same IDE window, I find it useful to create an aggregator pom.xml<\/code>. Create a pom.xml<\/code> file in the parent directory of your projects and copy the XML below into it.<\/p>\n
    <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<project xmlns=\"http:\/\/maven.apache.org\/POM\/4.0.0\" xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\n    xsi:schemaLocation=\"http:\/\/maven.apache.org\/POM\/4.0.0 http:\/\/maven.apache.org\/xsd\/maven-4.0.0.xsd\">\n    <modelVersion>4.0.0<\/modelVersion>\n    <groupId>com.okta.developer<\/groupId>\n    <artifactId>reactive-parent<\/artifactId>\n    <version>1.0.0-SNAPSHOT<\/version>\n    <packaging>pom<\/packaging>\n    <name>reactive-parent<\/name>\n    <modules>\n        <module>discovery-service<\/module>\n        <module>car-service<\/module>\n        <module>api-gateway<\/module>\n    <\/modules>\n<\/project>\n<\/pre>\n
    After creating this file, you should be able to open it in your IDE as a project and navigate between projects easily.<\/p>\n
    In the api-gateway<\/code> project, add @EnableEurekaClient<\/code> to the main class to make it Eureka-aware.<\/p>\n
    import org.springframework.cloud.netflix.eureka.EnableEurekaClient;\n\n@EnableEurekaClient\n@SpringBootApplication\npublic class ApiGatewayApplication {...}\n<\/pre>\n
    Then, modify the src\/main\/resources\/application.properties<\/code> file to configure the application name.<\/p>\n
    spring.application.name=gateway\n<\/pre>\n
    Create a RouteLocator<\/code> bean in ApiGatewayApplication<\/code> to configure routes. You can configure Spring Cloud Gateway with YAML, but I prefer Java.<\/p>\n
    package com.example.apigateway;\n\nimport org.springframework.boot.SpringApplication;\nimport org.springframework.boot.autoconfigure.SpringBootApplication;\nimport org.springframework.cloud.gateway.route.RouteLocator;\nimport org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;\nimport org.springframework.cloud.netflix.eureka.EnableEurekaClient;\nimport org.springframework.context.annotation.Bean;\n\n@EnableEurekaClient\n@SpringBootApplication\npublic class ApiGatewayApplication {\n\n    public static void main(String[] args) {\n        SpringApplication.run(ApiGatewayApplication.class, args);\n    }\n\n    @Bean\n    public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {\n        return builder.routes()\n                .route(\"car-service\", r -> r.path(\"\/cars\")\n                        .uri(\"lb:\/\/car-service\"))\n                .build();\n    }\n}\n<\/pre>\n
    After making these code changes, you should be able to start all three Spring Boot apps and hit http:\/\/localhost:8080\/cars<\/a><\/code>.<\/p>\n
    $ http :8080\/cars\nHTTP\/1.1 200 OK\nContent-Type: application\/json;charset=UTF-8\ntransfer-encoding: chunked\n\n[\n    {\n        \"id\": \"ff48f617-6cba-477c-8e8f-2fc95be96416\",\n        \"name\": \"ID. CROZZ\",\n        \"releaseDate\": \"2021-05-01\"\n    },\n    {\n        \"id\": \"dd6c3c32-724c-4511-a02c-3348b226160a\",\n        \"name\": \"ID. BUZZ\",\n        \"releaseDate\": \"2021-12-01\"\n    },\n    {\n        \"id\": \"97cfc577-d66e-4a3c-bc40-e78c3aab7261\",\n        \"name\": \"ID.\",\n        \"releaseDate\": \"2019-12-01\"\n    },\n    {\n        \"id\": \"477632c8-2206-4f72-b1a8-e982e6128ab4\",\n        \"name\": \"ID. VIZZION\",\n        \"releaseDate\": \"2021-12-01\"\n    }\n]\n<\/pre>\n
    Add a REST API to Retrieve Your Favorite Cars<\/h3>\n
    Create a \/fave-cars<\/code> endpoint that strips out cars that aren\u2019t your favorite.<\/p>\n
    First, add a load-balanced WebClient.Builder<\/code> bean.<\/p>\n
    @Bean\n@LoadBalanced\npublic WebClient.Builder loadBalancedWebClientBuilder() {\n    return WebClient.builder();\n}\n<\/pre>\n
    Then add a Car<\/code> POJO and a FaveCarsController<\/code> below the ApiGatewayApplication<\/code> class in the same file.<\/p>\n
    public class ApiGatewayApplication {...}\nclass Car {...}\nclass FaveCarsController {...}\n<\/pre>\n
    Use WebClient to retrieve the cars and filter out the ones you don\u2019t love.<\/p>\n
    @Data\nclass Car {\n    private String name;\n    private LocalDate releaseDate;\n}\n\n@RestController\nclass FaveCarsController {\n\n    private final WebClient.Builder carClient;\n\n    public FaveCarsController(WebClient.Builder carClient) {\n        this.carClient = carClient;\n    }\n\n    @GetMapping(\"\/fave-cars\")\n    public Flux<Car> faveCars() {\n        return carClient.build().get().uri(\"lb:\/\/car-service\/cars\")\n                .retrieve().bodyToFlux(Car.class)\n                .filter(this::isFavorite);\n    }\n\n    private boolean isFavorite(Car car) {\n        return car.getName().equals(\"ID. BUZZ\");\n    }\n}\n<\/pre>\n
    If you\u2019re not using an IDE that auto-imports for you, you\u2019ll want to copy\/paste the following into the top of ApiGatewayApplication.java<\/code>:<\/p>\n
    import org.springframework.web.bind.annotation.GetMapping;\nimport org.springframework.web.bind.annotation.RestController;\nimport org.springframework.web.reactive.function.client.WebClient;\nimport reactor.core.publisher.Flux;\n<\/pre>\n
    Restart your gateway app to see the http:\/\/localhost:8080\/fave-cars<\/a><\/code> endpoint only returns the ID Buzz.<\/p>\n
    \n
    \"\"<\/figure>\n<\/div>\n
    What about Failover with Hystrix?<\/h3>\n
    Spring Cloud Gateway only supports Hystrix<\/a> at the time of this writing. Spring Cloud deprecated direct support for Hystrix in favor of Spring Cloud Circuit Breaker<\/a>. Unfortunately, this library hasn\u2019t had a GA release yet, so I decided not to use it.<\/p>\n
    To use Hystrix with Spring Cloud Gateway, you can add a filter to your car-service<\/code> route, like so:<\/p>\n
    .route(\"car-service\", r -> r.path(\"\/cars\")\n        .filters(f -> f.hystrix(c -> c.setName(\"carsFallback\")\n                .setFallbackUri(\"forward:\/cars-fallback\")))\n        .uri(\"lb:\/\/car-service\/cars\"))\n.build();\n<\/pre>\n
    Then create a CarsFallback<\/code> controller to handle the \/cars-fallback<\/code> route.<\/p>\n
    @RestController\nclass CarsFallback {\n\n    @GetMapping(\"\/cars-fallback\")\n    public Flux<Car> noCars() {\n        return Flux.empty();\n    }\n}\n<\/pre>\n
    First, restart your gateway and confirm http:\/\/localhost:8080\/cars<\/a><\/code> works. Then shut down the car service, try again, and you\u2019ll see it now returns an empty array. Restart the car service and you\u2019ll see the list populated again.<\/p>\n
    You\u2019ve built a resilient and reactive microservices architecture with Spring Cloud Gateway and Spring WebFlux. Now let\u2019s see how to secure it!<\/p>\n
    What about Feign with Spring Cloud Gateway?<\/h3>\n
    If you\u2019d like to use Feign in a WebFlux app, see the feign-reactive<\/a> project. I did not have a need for Feign in this particular example.<\/p>\n
    Secure Spring Cloud Gateway with OAuth 2.0<\/h2>\n
    OAuth 2.0 is an authorization framework for delegated access to APIs. OIDC (or OpenID Connect) is a thin layer on top of OAuth 2.0 that provides authentication. Spring Security has excellent support for both frameworks and so does Okta!<\/p>\n
    You can use OAuth 2.0 and OIDC without a cloud identity provider by building your own server or by using an open-source implementation. However, wouldn\u2019t you rather just use something that\u2019s always on<\/em>, like Okta?<\/p>\n
    If you already have an Okta account, see the Create a Web Application in Okta<\/strong> sidebar below. Otherwise, we created a Maven plugin that configures a free Okta developer account + an OIDC app (in under a minute!).<\/p>\n
    To use it run: .\/mvnw com.okta:okta-maven-plugin:setup<\/code> to create an account and configure your Spring Boot app to work with Okta.<\/p>\n
    Create a Web Application in Okta<\/p>\n
    Log in to your Okta Developer account (or sign up<\/a> if you don\u2019t have an account).<\/p>\n
      \n
    1. From the Applications<\/strong> page, choose Add Application<\/strong>.<\/li>\n
    2. On the Create New Application page, select Web<\/strong>.<\/li>\n
    3. Give your app a memorable name, add http:\/\/localhost:8080\/login\/oauth2\/code\/okta<\/a><\/code> as a Login redirect URI, select Refresh Token<\/strong> (in addition to Authorization Code<\/strong>), and click Done<\/strong>.<\/li>\n<\/ol>\n
      Copy the issuer (found under API<\/strong> > Authorization Servers<\/strong>), client ID, and client secret into application.properties<\/code> for both projects.<\/p>\n
      okta.oauth2.issuer=$issuer\nokta.oauth2.client-id=$clientId\nokta.oauth2.client-secret=$clientSecret\n<\/pre>\n
      Next, add the Okta Spring Boot starter<\/a> and Spring Cloud Security to your gateway\u2019s pom.xml<\/code>:<\/p>\n
      <dependency>\n    <groupId>com.okta.spring<\/groupId>\n    <artifactId>okta-spring-boot-starter<\/artifactId>\n    <version>1.2.1<\/version>\n<\/dependency>\n<dependency>\n    <groupId>org.springframework.cloud<\/groupId>\n    <artifactId>spring-cloud-security<\/artifactId>\n<\/dependency>\n<\/pre>\n
      This is all you need to do to add OIDC login with Okta! Restart your Gateway app and navigate to http:\/\/localhost:8080\/fave-cars<\/a><\/code> in your browser to be redirected to Okta for user authorization.<\/p>\n
      \n
      \"\"<\/figure>\n<\/div>\n
      Make Your Gateway an OAuth 2.0 Resource Server<\/h3>\n
      You likely won\u2019t build the UI for your app on the gateway itself. You\u2019ll probably use a SPA or mobile app instead. To configure your gateway to operate as a resource server (that looks for an Authorization<\/code> header with a bearer token), add a new SecurityConfiguration<\/code> class in the same directory as your main class.<\/p>\n
      package com.example.apigateway;\n\nimport org.springframework.context.annotation.Bean;\nimport org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;\nimport org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;\nimport org.springframework.security.config.web.server.ServerHttpSecurity;\nimport org.springframework.security.web.server.SecurityWebFilterChain;\n\n@EnableWebFluxSecurity\n@EnableReactiveMethodSecurity\npublic class SecurityConfiguration {\n\n    @Bean\n    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {\n        \/\/ @formatter:off\n        http\n            .authorizeExchange()\n                .anyExchange().authenticated()\n                .and()\n            .oauth2Login()\n                .and()\n            .oauth2ResourceServer()\n                .jwt();\n        return http.build();\n        \/\/ @formatter:on\n    }\n}\n<\/pre>\n
      CORS with Spring Cloud Gateway<\/h3>\n
      If you\u2019re using a SPA for your UI, you\u2019ll want to configure CORS as well. You can do this by adding a CorsWebFilter<\/code> bean to this class.<\/p>\n
      @Bean\nCorsWebFilter corsWebFilter() {\n    CorsConfiguration corsConfig = new CorsConfiguration();\n    corsConfig.setAllowedOrigins(List.of(\"*\"));\n    corsConfig.setMaxAge(3600L);\n    corsConfig.addAllowedMethod(\"*\");\n    corsConfig.addAllowedHeader(\"*\");\n\n    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();\n    source.registerCorsConfiguration(\"\/**\", corsConfig);\n\n    return new CorsWebFilter(source);\n}\n<\/pre>\n
      Make sure your imports match the ones below.<\/p>\n
      import org.springframework.web.cors.CorsConfiguration;\nimport org.springframework.web.cors.reactive.CorsWebFilter;\nimport org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;\n<\/pre>\n
      Spring Cloud Gateway\u2019s documentation explains how to configure CORS with YAML<\/a> or with WebFluxConfigurer<\/code><\/a>. Unfortunately, I was unable to get either one to work.<\/p>\n
      Test Your Gateway with WebTestClient and JWT<\/h2>\n
      If you configured CORS in your gateway, you can test it works with WebTestClient. Replace the code in ApiGatewayApplicationTests<\/code> with the following.<\/p>\n
      import java.util.Map;\nimport java.util.function.Consumer;\n\nimport static org.mockito.ArgumentMatchers.anyString;\nimport static org.mockito.Mockito.when;\n\n@RunWith(SpringRunner.class)\n@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,\n        properties = {\"spring.cloud.discovery.enabled = false\"})\npublic class ApiGatewayApplicationTests {\n\n    @Autowired\n    WebTestClient webTestClient;\n\n    @MockBean (1)\n    ReactiveJwtDecoder jwtDecoder;\n\n    @Test\n    public void testCorsConfiguration() {\n        Jwt jwt = jwt(); (2)\n        when(this.jwtDecoder.decode(anyString())).thenReturn(Mono.just(jwt)); (3)\n        WebTestClient.ResponseSpec response = webTestClient.put().uri(\"\/\")\n                .headers(addJwt(jwt)) (4)\n                .header(\"Origin\", \"http:\/\/example.com\")\n                .exchange();\n\n        response.expectHeader().valueEquals(\"Access-Control-Allow-Origin\", \"*\");\n    }\n\n    private Jwt jwt() {\n        return new Jwt(\"token\", null, null,\n                Map.of(\"alg\", \"none\"), Map.of(\"sub\", \"betsy\"));\n    }\n\n    private Consumer<HttpHeaders> addJwt(Jwt jwt) {\n        return headers -> headers.setBearerAuth(jwt.getTokenValue());\n    }\n}\n<\/pre>\n
        \n
      1.  Mock ReactiveJwtDecoder<\/code> so you can set expectations and return mocks when it decodes <\/li>\n
      2.  Create a new JWT <\/li>\n
      3.  Return the same JWT when it\u2019s decoded <\/li>\n
      4. Add the JWT to the Authorization<\/code> header with a Bearer<\/code> prefix<\/li>\n<\/ol>\n
        I like how WebTestClient<\/code> allows you to set the security headers so easily!<\/p>\n
        You\u2019ve configured Spring Cloud Gateway to use OIDC login and function as an OAuth 2.0 resource server, but the car service is still available on port 8081<\/code>. Let\u2019s fix that so only the gateway can talk to it.<\/p>\n
        Secure Gateway to Microservice Communication<\/h2>\n
        Add the Okta Spring Boot starter to car-service\/pom.xml<\/code>:<\/p>\n
        <dependency>\n    <groupId>com.okta.spring<\/groupId>\n    <artifactId>okta-spring-boot-starter<\/artifactId>\n    <version>1.2.1<\/version>\n<\/dependency>\n<\/pre>\n
        Copy the okta.*<\/code> properties from the gateway\u2019s application.properties<\/code> to the car service\u2019s. Then create a SecurityConfiguration<\/code> class to make the app an OAuth 2.0 resource server.<\/p>\n
        package com.example.carservice;\n\nimport com.okta.spring.boot.oauth.Okta;\nimport org.springframework.context.annotation.Bean;\nimport org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;\nimport org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;\nimport org.springframework.security.config.web.server.ServerHttpSecurity;\nimport org.springframework.security.web.server.SecurityWebFilterChain;\n\n@EnableWebFluxSecurity\n@EnableReactiveMethodSecurity\npublic class SecurityConfiguration {\n\n    @Bean\n    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {\n        \/\/ @formatter:off\n        http\n            .authorizeExchange()\n                .anyExchange().authenticated()\n                .and()\n            .oauth2ResourceServer()\n                .jwt();\n\n        Okta.configureResourceServer401ResponseBody(http);\n\n        return http.build();\n        \/\/ @formatter:on\n    }\n}\n<\/pre>\n
        That\u2019s it! Restart your car service application and it\u2019s now protected from anonymous intruders.<\/p>\n
        $ http :8081\/cars\nHTTP\/1.1 401 Unauthorized\nCache-Control: no-cache, no-store, max-age=0, must-revalidate\nContent-Type: text\/plain\n...\n\n401 Unauthorized\n<\/pre>\n
        Test Your Microservice with WebTestClient and JWT<\/h2>\n
        The tests you added in the car-service<\/code> project will no longer work now that you\u2019ve enabled security. Modify the code in CarServiceApplicationTests.java<\/code> to add JWT access tokens to each request.<\/p>\n
        package com.example.carservice;\n\nimport org.junit.Test;\nimport org.junit.runner.RunWith;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.boot.test.context.SpringBootTest;\nimport org.springframework.boot.test.mock.mockito.MockBean;\nimport org.springframework.http.HttpHeaders;\nimport org.springframework.http.MediaType;\nimport org.springframework.security.oauth2.jwt.Jwt;\nimport org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;\nimport org.springframework.test.context.junit4.SpringRunner;\nimport org.springframework.test.web.reactive.server.WebTestClient;\nimport reactor.core.publisher.Mono;\n\nimport java.time.LocalDate;\nimport java.time.Month;\nimport java.util.Map;\nimport java.util.UUID;\nimport java.util.function.Consumer;\n\nimport static org.mockito.ArgumentMatchers.anyString;\nimport static org.mockito.Mockito.when;\n\n@RunWith(SpringRunner.class)\n@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,\n        properties = {\"spring.cloud.discovery.enabled = false\"})\npublic class CarServiceApplicationTests {\n\n    @Autowired\n    CarRepository carRepository;\n\n    @Autowired\n    WebTestClient webTestClient;\n\n    @MockBean\n    ReactiveJwtDecoder jwtDecoder;\n\n    @Test\n    public void testAddCar() {\n        Car buggy = new Car(UUID.randomUUID(), \"ID. BUGGY\", LocalDate.of(2022, Month.DECEMBER, 1));\n\n        Jwt jwt = jwt();\n        when(this.jwtDecoder.decode(anyString())).thenReturn(Mono.just(jwt));\n\n        webTestClient.post().uri(\"\/cars\")\n                .contentType(MediaType.APPLICATION_JSON_UTF8)\n                .accept(MediaType.APPLICATION_JSON_UTF8)\n                .headers(addJwt(jwt))\n                .body(Mono.just(buggy), Car.class)\n                .exchange()\n                .expectStatus().isCreated()\n                .expectHeader().contentType(MediaType.APPLICATION_JSON_UTF8)\n                .expectBody()\n                .jsonPath(\"$.id\").isNotEmpty()\n                .jsonPath(\"$.name\").isEqualTo(\"ID. BUGGY\");\n    }\n\n    @Test\n    public void testGetAllCars() {\n        Jwt jwt = jwt();\n        when(this.jwtDecoder.decode(anyString())).thenReturn(Mono.just(jwt));\n\n        webTestClient.get().uri(\"\/cars\")\n                .accept(MediaType.APPLICATION_JSON_UTF8)\n                .headers(addJwt(jwt))\n                .exchange()\n                .expectStatus().isOk()\n                .expectHeader().contentType(MediaType.APPLICATION_JSON_UTF8)\n                .expectBodyList(Car.class);\n    }\n\n    @Test\n    public void testDeleteCar() {\n        Car buzzCargo = carRepository.save(new Car(UUID.randomUUID(), \"ID. BUZZ CARGO\",\n                LocalDate.of(2022, Month.DECEMBER, 2))).block();\n\n        Jwt jwt = jwt();\n        when(this.jwtDecoder.decode(anyString())).thenReturn(Mono.just(jwt));\n\n        webTestClient.delete()\n                .uri(\"\/cars\/{id}\", Map.of(\"id\", buzzCargo.getId()))\n                .headers(addJwt(jwt))\n                .exchange()\n                .expectStatus().isOk();\n    }\n\n    private Jwt jwt() {\n        return new Jwt(\"token\", null, null,\n                Map.of(\"alg\", \"none\"), Map.of(\"sub\", \"dave\"));\n    }\n\n    private Consumer<HttpHeaders> addJwt(Jwt jwt) {\n        return headers -> headers.setBearerAuth(jwt.getTokenValue());\n    }\n}\n<\/pre>\n
        Run the test again and everything should pass!<\/p>\n
        Mock JWT Support in Spring Security 5.2<\/h2>\n
        Kudos to Josh Cummings<\/a> for his help with JWTs and WebTestClient. Josh gave me a preview of the mock JWT support coming in Spring Security 5.2.<\/p>\n
        this.webTestClient.mutateWith(jwt()).post(...)\n<\/pre>\n
        Josh also provided an example test showing how to mock a JWT\u2019s subject, scope, and claims<\/a>. This code is based on new functionality in Spring Security 5.2.0.M3.<\/p>\n
        The future is bright for OAuth 2.0 and JWT support in Spring Security land! \ud83d\ude0e<\/p>\n
        Relay the Access Token: Gateway to Microservice<\/h2>\n
        You only need to make one small change for your gateway to talk to this protected service. It\u2019s incredibly easy and I \u2764\ufe0f it!<\/p>\n
        In ApiGatewayApplication.java<\/code>, add a filter that applies the TokenRelayGatewayFilterFactory<\/code> from Spring Cloud Security.<\/p>\n
        import org.springframework.cloud.security.oauth2.gateway.TokenRelayGatewayFilterFactory;\n\n@Bean\npublic RouteLocator customRouteLocator(RouteLocatorBuilder builder,\n                                       TokenRelayGatewayFilterFactory filterFactory) {\n    return builder.routes()\n            .route(\"car-service\", r -> r.path(\"\/cars\")\n                    .filters(f -> f.filter(filterFactory.apply()))\n                    .uri(\"lb:\/\/car-service\/cars\"))\n            .build();\n}\n<\/pre>\n
        \n
         This relay factory does not automatically refresh access tokens<\/a> (yet). <\/p>\n<\/blockquote>\n
        Restart your API gateway and you should be able to view http:\/\/localhost:8080\/cars<\/a><\/code> and have everything work as expected.<\/p>\n
        Pretty sweet, don\u2019t you think?!<\/p>\n
        Learn More about Spring Cloud Gateway and Reactive Microservices with Spring<\/h2>\n
        I\u2019ve barely scratched the surface of what Spring Cloud Gateway is capable of. If you\u2019re building reactive microservices, I\u2019d suggest you take a look at it.<\/p>\n
        See the Spring Cloud Gateway<\/a> project page for more information, including documentation. I also found these tutorials useful:<\/p>\n