This repository has been archived by the owner on Apr 5, 2022. It is now read-only.

Feign request interceptor and security context #87

Open
vajda opened this issue Dec 23, 2015 · 6 comments

Comments

@vajda

vajda commented Dec 23, 2015

I have read the following discussion #56
I tried the solution which joaoevangelista posted on gist. However, it seems that the configuration is never registered. I'm using 1.1.0.M3 spring-cloud-starters.

I tried with this solution:

    @Bean
    public RequestInterceptor requestTokenBearerInterceptor() {
        return new RequestInterceptor() {
            @Override
            public void apply(RequestTemplate requestTemplate) {
                OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) SecurityContextHolder.getContext().getAuthentication().getDetails();

                requestTemplate.header("Authorization", "bearer " + details.getTokenValue());
            }
        };
    }

This one executes, but it seems that this is triggered in a different thread and the context does not have any authentication.
On the line before invoking my feign client, the context is present.

Any thoughts?

@miguelfgar

@vajda I found something similar using OAuth2FeignRequestInterceptor. The thing is if you are using Hystrix it will execute the code in a separate thread if you are using isolation mode "thread". Have you tried with isolation mode "semaphore"? Then you will have the context available, however the code is executed in the local thread and so is blocking it.
You can have a look here, I have an issue / question opened about it:
#89

Regards!

@dsyer changed the title from "Request Interceptor" to "Feign request interceptor and security context" on Mar 8, 2016
@daniellavoie

I came across an excellent blog post from Juan Naverrete (post here) explaining how we can pass the SecurityContext from a servlet request to the hystrix thread running our command. I've tested it with a feign client using hystrix and came to the expected result.

I'm considering preparing a PR for a feature that will set up this mechanism automatically for a feign client. What do you think about it?
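An added example, not part of the thread and not Spring Cloud or Hystrix code: a plain-JDK illustration of why the interceptor above finds no authentication once the call runs on a pool thread, and how capturing the caller's context before hand-off fixes it. `CONTEXT` stands in for the `ThreadLocal` that `SecurityContextHolder` uses by default; `withCallerContext` and the token value are hypothetical.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextPropagationDemo {
    // Assumption: stand-in for SecurityContextHolder's default ThreadLocal storage.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    // Hypothetical helper: captures the caller's context when the task is created
    // and installs it on the worker thread only for the duration of the call.
    static <T> Callable<T> withCallerContext(Callable<T> task) {
        final String captured = CONTEXT.get();
        return () -> {
            final String previous = CONTEXT.get();
            CONTEXT.set(captured);
            try {
                return task.call();
            } finally {
                // Pool threads are reused: restore the old state so one caller's
                // token cannot leak into a later, unrelated request.
                if (previous == null) {
                    CONTEXT.remove();
                } else {
                    CONTEXT.set(previous);
                }
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // A single worker thread plays the role of Hystrix "thread" isolation.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            CONTEXT.set("token-for-alice"); // constructed sample value
            Callable<String> readToken = () -> String.valueOf(CONTEXT.get());

            System.out.println("caller thread: " + readToken.call());
            System.out.println("pool, plain:   " + pool.submit(readToken).get());
            System.out.println("pool, wrapped: " + pool.submit(withCallerContext(readToken)).get());
            System.out.println("pool, after:   " + pool.submit(readToken).get());
        } finally {
            CONTEXT.remove();
            pool.shutdown();
        }
    }
}
```

The last submission checks that the worker thread no longer holds the caller's token after the wrapped task has finished.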

@spencergibb
Contributor

@daniellavoie I'd be interested to see what you come up with.

@daniellavoie

daniellavoie commented May 23, 2016

@spencergibb The implementation is quite simple. My only headache is to figure out which project should hold the optional AutoConfiguration. I mean, it's a setup dedicated to configuring Feign to access security information in a hystrix context. Looking at the source code of spring-cloud-security, I'm having the feeling that this is not the right place. spring-cloud-security aims at handling OAuth2.

I supposed I should try to stick it somewhere inside the spring-cloud-starter-feign infrastructure. The targeted module of this feature is Feign. Spring Boot conditional dependencies detection should do the trick to handle the special Feign + Spring Security + Hystrix case.

@spencergibb
Contributor

Feign sounds like a good place to start.

@daniellavoie

Hi @spencergibb

I am currently having a dilemma and you and @dsyer might need to state here. The implementation I made leverages on Hystrix command execution hook. Hystrix only allows a single command hook to be registered at a time. I'm currently setting up the Feign / Hystrix security bridge with an AutoConfiguration class that registers a CommandHook that links the security context between feign and hystrix threads.

The problem with this implementation is that Spring Cloud Netflix users who want to activate this feature won't be able to register a custom hook. Would a documented extendable Hook class be acceptable?
