How to secure spring cloud eureka service with basic auth?

Solved!

TL;DR The problem was the CSRF and for some reason spring couldn't authenticate user configured in application.yml

So I had to override configure methods from WebSecurityConfigurerAdapter to disable csrf and create inMemory user. Also removed spring.security.user attributes from application.yml.

Eureka server application.yml now looks like:

---
spring:
  profiles: primary
  application:
    name: eureka-server-clustered   
server:
  port: 8011  
eureka:
  instance:
    hostname: eureka-primary       
  client:
    registerWithEureka: true
    fetchRegistry: true        
    serviceUrl:
      defaultZone: http://admin:admin@eureka-secondary:8012/eureka,http://admin:admin@eureka-tertiary:8013/eureka
---
spring:
  profiles: secondary
  application:
    name: eureka-server-clustered      
server:
  port: 8012
eureka:
  instance:
    hostname: eureka-secondary       
  client:
    registerWithEureka: true
    fetchRegistry: true        
    serviceUrl:
      defaultZone: http://admin:admin@eureka-primary:8013/eureka,http://admin:admin@eureka-tertiary:8011/eureka

---
spring:
  profiles: tertiary
  application:
    name: eureka-server-clustered     
server:
  port: 8013
eureka:
  instance:
    hostname: eureka-tertiary       
  client:
    registerWithEureka: true
    fetchRegistry: true    
    serviceUrl:
      defaultZone: http://admin:admin@eureka-primary:8011/eureka,http://admin:admin@eureka-secondary:8012/eureka

Newly created WebSecurityConfig class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
        .passwordEncoder(NoOpPasswordEncoder.getInstance())
        .withUser("admin").password("admin")
        .authorities("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .disable()
            .authorizeRequests()
              .anyRequest().authenticated()
              .and()
              .httpBasic();
    }
}

Tags:

Spring

Spring Security

Spring Boot

Spring Cloud

Netflix Eureka

Recent Posts