Backend Development 17 min read
Implementing Unified Authorization in Spring Cloud Gateway with OAuth2 Resource Server
This tutorial explains how to centralize URL‑level authentication in a Spring Cloud Gateway by integrating Spring Security OAuth2 Resource Server, defining custom authorization managers, handling token errors, forwarding JWT claims to downstream services, and configuring the gateway with YAML and Java code examples.
Selected Java Interview Questions
Selected Java Interview Questions
Background
When microservices proliferate, implementing identical authentication logic in each service becomes redundant; therefore, authentication can be centralized at the gateway layer while allowing individual services to perform additional checks if needed.
Requirements
All OPTION requests must be allowed.
Requests without a defined permission should be denied.
The user-provider service's findAllUsers endpoint requires the user.userInfo permission.
Additionally, the JWT token must be passed as a request header to downstream services, and Spring Security OAuth2 Resource Server must be integrated.
Pre‑conditions
A functional authentication server must be set up (see referenced Juejin articles).
Familiarity with Spring Security OAuth2 Resource Server configuration is required.
Project Structure
(Image omitted – shows the Maven module layout for the gateway project.)
Gateway Layer Implementation
1. Add Maven Dependencies
<dependency>
<groupId>com.alibaba.cloud</groupId>
<artifactId>spring-cloud-starter-alibaba-nacos-discovery</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-loadbalancer</artifactId>
</dependency>2. Custom Authorization Manager
package com.huan.study.gateway.config;
import com.google.common.collect.Maps;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpMethod;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import javax.annotation.PostConstruct;
import java.util.Map;
import java.util.Objects;
/**
* Custom reactive authorization manager that decides whether a user has permission to access a resource.
*/
@Component
@Slf4j
public class CustomReactiveAuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {
/**
* In‑memory map of URL → required permission. In a real project this could be loaded from a database.
*/
private static final Map<String, String> AUTH_MAP = Maps.newConcurrentMap();
@PostConstruct
public void initAuthMap() {
AUTH_MAP.put("/user/findAllUsers", "user.userInfo");
AUTH_MAP.put("/user/addUser", "ROLE_ADMIN");
}
@Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext authorizationContext) {
ServerWebExchange exchange = authorizationContext.getExchange();
ServerHttpRequest request = exchange.getRequest();
String path = request.getURI().getPath();
PathMatcher pathMatcher = new AntPathMatcher();
String authorities = AUTH_MAP.get(path);
log.info("Access path:[{}], required permission:[{}]", path, authorities);
// Allow all OPTION requests
if (request.getMethod() == HttpMethod.OPTIONS) {
return Mono.just(new AuthorizationDecision(true));
}
// Deny if no permission is defined for the URL
if (!StringUtils.hasText(authorities)) {
return Mono.just(new AuthorizationDecision(false));
}
return authentication
.filter(Authentication::isAuthenticated)
.filter(a -> a instanceof JwtAuthenticationToken)
.cast(JwtAuthenticationToken.class)
.doOnNext(token -> {
System.out.println(token.getToken().getHeaders());
System.out.println(token.getTokenAttributes());
})
.flatMapIterable(AbstractAuthenticationToken::getAuthorities)
.map(GrantedAuthority::getAuthority)
.any(authority -> Objects.equals(authority, authorities))
.map(AuthorizationDecision::new)
.defaultIfEmpty(new AuthorizationDecision(false));
}
}3. Token Authentication Failure / Timeout Handler
package com.huan.study.gateway.config;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.nio.charset.StandardCharsets;
/**
* Handles authentication failures such as illegal or expired tokens.
*/
public class CustomServerAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
@Override
public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException ex) {
return Mono.defer(() -> Mono.just(exchange.getResponse()))
.flatMap(response -> {
response.setStatusCode(HttpStatus.UNAUTHORIZED);
String body = "{\"code\":401,\"msg\":\"token不合法或过期\"}";
DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));
return response.writeWith(Mono.just(buffer))
.doOnError(error -> DataBufferUtils.release(buffer));
});
}
}4. Access‑Denied Handler
package com.huan.study.gateway.config;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.nio.charset.StandardCharsets;
/**
* Handles cases where an authenticated user lacks the required permission.
*/
@Slf4j
public class CustomServerAccessDeniedHandler implements ServerAccessDeniedHandler {
@Override
public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied) {
ServerHttpRequest request = exchange.getRequest();
return exchange.getPrincipal()
.doOnNext(principal -> log.info("User:[{}] has no access to:[{}]", principal.getName(), request.getURI()))
.flatMap(principal -> {
ServerHttpResponse response = exchange.getResponse();
response.setStatusCode(HttpStatus.FORBIDDEN);
String body = "{\"code\":403,\"msg\":\"您无权限访问\"}";
DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));
return response.writeWith(Mono.just(buffer))
.doOnError(error -> DataBufferUtils.release(buffer));
});
}
}5. Token Transfer Filter (pass JWT to downstream services)
package com.huan.study.gateway.config;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/**
* Adds a custom header "tokenInfo" containing the JWT payload so downstream services can read it.
*/
public class TokenTransferFilter implements WebFilter {
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
static {
OBJECT_MAPPER.registerModule(new Jdk8Module());
OBJECT_MAPPER.registerModule(new JavaTimeModule());
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return ReactiveSecurityContextHolder.getContext()
.map(SecurityContext::getAuthentication)
.cast(JwtAuthenticationToken.class)
.flatMap(authentication -> {
ServerHttpRequest request = exchange.getRequest();
request = request.mutate()
.header("tokenInfo", toJson(authentication.getPrincipal()))
.build();
ServerWebExchange newExchange = exchange.mutate().request(request).build();
return chain.filter(newExchange);
});
}
public String toJson(Object obj) {
try {
return OBJECT_MAPPER.writeValueAsString(obj);
} catch (JsonProcessingException e) {
return null;
}
}
}6. Gateway Configuration (Java)
package com.huan.study.gateway.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;
import java.io.IOException;
import java.nio.file.Files;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
/**
* Resource‑server configuration for the gateway.
*/
@Configuration
@EnableWebFluxSecurity
public class ResourceServerConfig {
@Autowired
private CustomReactiveAuthorizationManager customReactiveAuthorizationManager;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) throws NoSuchAlgorithmException, IOException, InvalidKeySpecException {
http.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(jwtAuthenticationConverter())
.jwtDecoder(jwtDecoder())
.and()
.accessDeniedHandler(new CustomServerAccessDeniedHandler())
.authenticationEntryPoint(new CustomServerAuthenticationEntryPoint())
.bearerTokenConverter(new ServerBearerTokenAuthenticationConverter())
.and()
.authorizeExchange()
.pathMatchers("/auth/**", "/favicon.ico").permitAll()
.anyExchange().access(customReactiveAuthorizationManager)
.and()
.exceptionHandling()
.accessDeniedHandler(new CustomServerAccessDeniedHandler())
.authenticationEntryPoint(new CustomServerAuthenticationEntryPoint())
.and()
.csrf().disable()
.addFilterAfter(new TokenTransferFilter(), SecurityWebFiltersOrder.AUTHENTICATION);
return http.build();
}
/** Convert JWT to Spring Authentication */
public Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> jwtAuthenticationConverter() {
JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();
authoritiesConverter.setAuthorityPrefix("");
authoritiesConverter.setAuthoritiesClaimName("scope");
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setPrincipalClaimName("sub");
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(authoritiesConverter);
return new ReactiveJwtAuthenticationConverterAdapter(jwtAuthenticationConverter);
}
/** Load RSA public key and build a JWT decoder */
public ReactiveJwtDecoder jwtDecoder() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
Resource resource = new FileSystemResource("/Users/huan/code/study/idea/spring-cloud-alibaba-parent/gateway-oauth2/new-authoriza-server-public-key.pem");
String publicKeyStr = String.join("", Files.readAllLines(resource.getFile().toPath()));
byte[] publicKeyBytes = Base64.getDecoder().decode(publicKeyStr);
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
RSAPublicKey rsaPublicKey = (RSAPublicKey) keyFactory.generatePublic(keySpec);
return NimbusReactiveJwtDecoder.withPublicKey(rsaPublicKey)
.signatureAlgorithm(SignatureAlgorithm.RS256)
.build();
}
}7. Gateway YAML Configuration
spring:
application:
name: gateway-auth
cloud:
nacos:
discovery:
server-addr: localhost:8847
gateway:
routes:
- id: user-provider
uri: lb://user-provider
predicates:
- Path=/user/**
filters:
- RewritePath=/user(?<segment>/?.*),${segment}
compatibility-verifier:
enabled: false
server:
port: 9203
debug: trueDemo
The client gateway holds the user.userInfo permission, allowing it to call /user/findAllUsers on the user-provider service. The gateway forwards the JWT token, and the downstream service returns mock user data together with the decoded token information.
Code Repository
All source files are available at https://gitee.com/huan1993/spring-cloud-alibaba-parent/tree/master/gateway-oauth2 .
Original Source
Signed-in readers can open the original source through BestHub's protected redirect.
Republication Notice
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Written by
Selected Java Interview Questions
A professional Java tech channel sharing common knowledge to help developers fill gaps. Follow us!
0 followers
Reader feedback
How this landed with the community
Rate this article
Was this worth your time?
Discussion
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.