Use Zuul and Spring Security for a global authentication via the popular JWT token.

The service to issue the JWT token.

• The client POST {username,password} to /login.
• This service will authenticate the username and password via Spring Security, generate the token, and issue it to client.

Provide three simple services:

• /admin
• /user
• /guest

The Zuul gateway:

• Define Zuul routes to auth-center and backend-service.
• Verify JWT token.
• Define role-based auth via Spring Security:
  • /login is public to all.
  • /backend/admin can only be accessed by role ADMIN.
  • /backend/user can only be accessed by role USER.
  • /backend/guest is public to all.

mvn clean package

java -jar auth-center/target/auth-center-1.0.0.jar
java -jar backend-service/target/backend-service-1.0.0.jar
java -jar api-gateway/target/api-gateway-1.0.0.jar

curl -i -H "Content-Type: application/json" -X POST -d '{"username":"shuaicj","password":"shuaicj"}' http://localhost:8080/login

You will see the token in response header for user shuaicj. Note that the status code 401 will be returned if you provide incorrect username or password. And similarly, get token for user admin:

curl -i -H "Content-Type: application/json" -X POST -d '{"username":"admin","password":"admin"}' http://localhost:8080/login

The user admin is defined with two roles: USER and ADMIN, while shuaicj is only a USER.

The general command to verify if the auth works is as follows:

curl -i -H "Authorization: Bearer token-you-got-in-step-3" http://localhost:8080/backend/user

or without token:

curl -i http://localhost:8080/backend/user

You can change the token and the URL as need. To sum up, the following table represents all possible response status codes while sending requests to different URLs with different tokens: