[[_the_api_gateway_pattern_angular_js_and_spring_security_part_iv]]
= The API Gateway
In this section we continue <<_the_resource_server_angular_js_and_spring_security_part_iii,our discussion>> of how to use http://projects.spring.io/spring-security[Spring Security] with http://angular.io[Angular] in a "single page application". Here we show how to build an API Gateway to control the authentication and access to the backend resources using http://projects.spring.io/spring-cloud/[Spring Cloud]. This is the fourth in a series of sections, and you can catch up on the basic building blocks of the application or build it from scratch by reading the <<_spring_and_angular_js_a_secure_single_page_application,first section>>, or you can just go straight to the https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/proxy[source code in Github]. In the <<_the_resource_server_angular_js_and_spring_security_part_iii,last section>> we built a simple distributed application that used https://github.com/spring-projects/spring-session/[Spring Session] to authenticate the backend resources. In this one we make the UI server into a reverse proxy to the backend resource server, fixing the issues with the last implementation (technical complexity introduced by custom token authentication), and giving us a lot of new options for controlling access from the browser client.
____
Reminder: if you are working through this section with the sample application, be sure to clear your browser cache of cookies and HTTP Basic credentials. In Chrome the best way to do that for a single server is to open a new incognito window.
____
== Creating an API Gateway
An API Gateway is a single point of entry (and control) for front end clients, which could be browser based (like the examples in this section) or mobile. The client only has to know the URL of one server, and the backend can be refactored at will with no change, which is a significant advantage. There are other advantages in terms of centralization and control: rate limiting, authentication, auditing and logging. And implementing a simple reverse proxy is really simple with http://projects.spring.io/spring-cloud/[Spring Cloud].
If you were following along in the code, you will know that the application implementation at the end of the <<_the_resource_server_angular_js_and_spring_security_part_iii,last section>> was a bit complicated, so it's not a great place to iterate away from. There was, however, a halfway point which we could start from more easily, where the backend resource wasn't yet secured with Spring Security. The source code for this is a separate project https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/vanilla[in Github] so we are going to start from there. It has a UI server and a resource server and they are talking to each other. The resource server doesn't have Spring Security yet so we can get the system working first and then add that layer.
=== Declarative Reverse Proxy in One Line
To turn it into an API Gateway, the UI server needs one small tweak. Somewhere in the Spring configuration we need to add an `@EnableZuulProxy` annotation, e.g. in the main (only) https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/proxy/ui/src/main/java/demo/UiApplication.java[application class]:
.UiApplication.java
[source,java]
----
@SpringBootApplication
@RestController
@EnableZuulProxy
public class UiApplication {
...
}
----
and in an external configuration file we need to map a local resource in the UI server to a remote one in the https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/proxy/ui/src/main/resources/application.yml[external configuration] ("application.yml"):
.application.yml
[source,yaml]
----
security:
...
zuul:
routes:
resource:
path: /resource/**
url: http://localhost:9000
----
This says "map paths with the pattern /resource/** in this server to the same paths in the remote server at localhost:9000". Simple and yet effective (OK so it's 6 lines including the YAML, but you don't always need that)!
All we need to make this work is the right stuff on the classpath. For that purpose we have a few new lines in our Maven POM:
.pom.xml
[source,xml]
----
org.springframework.cloud
spring-cloud-dependencies
Dalston.SR4
pom
import
org.springframework.cloud
spring-cloud-starter-zuul
...
----
Note the use of the "spring-cloud-starter-zuul" - it's a starter POM just like the Spring Boot ones, but it governs the dependencies we need for this Zuul proxy. We are also using `<dependencyManagement>` because we want to be able to depend on all the versions of transitive dependencies being correct.
=== Consuming the Proxy in the Client
With those changes in place our application still works, but we haven't actually used the new proxy yet until we modify the client. Fortunately that's trivial. We just need to revert the change we made going from the "single" to the "vanilla" samples in <<_the_resource_server_angular_js_and_spring_security_part_iii,the last section>>:
.home.component.ts
[source,javascript]
----
constructor(private app: AppService, private http: HttpClient) {
http.get('resource').subscribe(data => this.greeting = data);
}
----
Now when we fire up the servers everything is working and the requests are being proxied through the UI (API Gateway) to the resource server.
=== Further Simplifications
Even better: we don't need the CORS filter any more in the resource server. We threw that one together pretty quickly anyway, and it should have been a red light that we had to do anything as technically focused by hand (especially where it concerns security). Fortunately it is now redundant, so we can just throw it away, and go back to sleeping at night!
== Securing the Resource Server
You might remember in the intermediate state that we started from there is no security in place for the resource server.
____
Aside: Lack of software security might not even be a problem if your network architecture mirrors the application architecture (you can just make the resource server physically inaccessible to anyone but the UI server). As a simple demonstration of that we can make the resource server only accessible on localhost. Just add this to `application.properties` in the resource server:
____
.application.properties
[source]
----
server.address: 127.0.0.1
----
____
Wow, that was easy! Do that with a network address that's only visible in your data center and you have a security solution that works for all resource servers and all user desktops.
____
Suppose that we decide we do need security at the software level (quite likely for a number of reasons). That's not going to be a problem, because all we need to do is add Spring Security as a dependency (in the https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/proxy/resource/pom.xml[resource server POM]):
.pom.xml
[source,xml]
----
org.springframework.boot
spring-boot-starter-security
----
That's enough to get us a secure resource server, but it won't get us a working application yet, for the same reason that it didn't in <<_the_resource_server_angular_js_and_spring_security_part_iii,Part III>>: there is no shared authentication state between the two servers.
== Sharing Authentication State
We can use the same mechanism to share authentication (and CSRF) state as we did in the last, i.e. https://github.com/spring-projects/spring-session/[Spring Session]. We add the dependency to both servers as before:
.pom.xml
[source,xml]
----
org.springframework.session
spring-session
org.springframework.boot
spring-boot-starter-redis
----
but this time the configuration is much simpler because we can just add the same `Filter` declaration to both. First the UI server, declaring explicitly that we want all headers to be forwarded (i.e. none are "sensitive"):
.application.yml
[source,properties]
----
zuul:
routes:
resource:
sensitive-headers:
----
Then we can move on to the resource server. There are two small changes to make: one is to explicitly disable HTTP Basic in the resource server (to prevent the browser from popping up authentication dialogs):
.ResourceApplication.java
[source,java]
----
@SpringBootApplication
@RestController
class ResourceApplication extends WebSecurityConfigurerAdapter {
...
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().disable();
http.authorizeRequests().anyRequest().authenticated();
}
}
----
____
Aside: an alternative, which would also prevent the authentication dialog, would be to keep HTTP Basic but change the 401 challenge to something other than "Basic". You can do that with a one-line implementation of `AuthenticationEntryPoint` in the `HttpSecurity` configuration callback.
____
and the other is to explicitly ask for a non-stateless session creation policy in `application.properties`:
.application.properties
[source,properties]
----
security.sessions: NEVER
----
As long as redis is still running in the background (use the https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/proxy/docker-compose.yml[`docker-compose.yml`] if you like to start it) then the system will work. Load the homepage for the UI at http://localhost:8080[http://localhost:8080] and login and you will see the message from the backend rendered on the homepage.
== How Does it Work?
What is going on behind the scenes now? First we can look at the HTTP requests in the UI server (and API Gateway):
|===
|Verb |Path |Status |Response
|GET |/ |200 |index.html
|GET |/*.js |200 |Assets form angular
|GET |/user |401 |Unauthorized (ignored)
|GET |/resource |401 |Unauthenticated access to resource
|GET |/user |200 |JSON authenticated user
|GET |/resource |200 |(Proxied) JSON greeting
|===
That's identical to the sequence at the end of <<_the_login_page_angular_js_and_spring_security_part_ii,Part II>> except for the fact that the cookie names are slightly different ("SESSION" instead of "JSESSIONID") because we are using Spring Session. But the architecture is different and that last request to "/resource" is special because it was proxied to the resource server.
We can see the reverse proxy in action by looking at the "/trace" endpoint in the UI server (from Spring Boot Actuator, which we added with the Spring Cloud dependencies). Go to http://localhost:8080/trace[http://localhost:8080/trace] in a new browser (if you don't have one already get a JSON plugin for your browser to make it nice and readable). You will need to authenticate with HTTP Basic (browser popup), but the same credentials are valid as for your login form. At or near the start you should see a pair of requests something like this:
NOTE: Try to use a different browser so that there is no chance of authentication crossover (e.g. use Firefox if yoused Chrome for testing the UI) - it won't stop the app from working, but it will make the traces harder to read if they contain a mixture of authentication from the same browser.
./trace
[source,javascript]
----
{
"timestamp": 1420558194546,
"info": {
"method": "GET",
"path": "/",
"query": ""
"remote": true,
"proxy": "resource",
"headers": {
"request": {
"accept": "application/json, text/plain, */*",
"x-xsrf-token": "542c7005-309c-4f50-8a1d-d6c74afe8260",
"cookie": "SESSION=c18846b5-f805-4679-9820-cd13bd83be67; XSRF-TOKEN=542c7005-309c-4f50-8a1d-d6c74afe8260",
"x-forwarded-prefix": "/resource",
"x-forwarded-host": "localhost:8080"
},
"response": {
"Content-Type": "application/json;charset=UTF-8",
"status": "200"
}
},
}
},
{
"timestamp": 1420558200232,
"info": {
"method": "GET",
"path": "/resource/",
"headers": {
"request": {
"host": "localhost:8080",
"accept": "application/json, text/plain, */*",
"x-xsrf-token": "542c7005-309c-4f50-8a1d-d6c74afe8260",
"cookie": "SESSION=c18846b5-f805-4679-9820-cd13bd83be67; XSRF-TOKEN=542c7005-309c-4f50-8a1d-d6c74afe8260"
},
"response": {
"Content-Type": "application/json;charset=UTF-8",
"status": "200"
}
}
}
},
----
The second entry there is the request from the client to the gateway on "/resource" and you can see the cookies (added by the browser) and the CSRF header (added by Angular as discussed in link:second[Part II]). The first entry has `remote: true` and that means it's tracing the call to the resource server. You can see it went out to a uri path "/" and you can see that (crucially) the cookies and CSRF headers have been sent too. Without Spring Session these headers would be meaningless to the resource server, but the way we have set it up it can now use those headers to re-constitute a session with authentication and CSRF token data. So the request is permitted and we are in business!
== Conclusion
We covered quite a lot in this section but we got to a really nice place where there is a minimal amount of boilerplate code in our two servers, they are both nicely secure and the user experience isn't compromised. That alone would be a reason to use the API Gateway pattern, but really we have only scratched the surface of what that might be used for (Netflix uses it for https://github.com/Netflix/zuul/wiki/How-We-Use-Zuul-At-Netflix[a lot of things]). Read up on http://projects.spring.io/spring-cloud/[Spring Cloud] to find out more on how to make it easy to add more features to the gateway. The <<_sso_with_oauth2_angular_js_and_spring_security_part_v,next section>> in this series will extend the application architecture a bit by extracting the authentication responsibilities to a separate server (the Single Sign On pattern).