Tim Tim - 1 year ago 121
Java Question

Authorization header not passed by ZuulProxy starting with Brixton.RC1

In switching from Spring Cloud

my ZuulProxy no longer passes
headers downstream to my proxied services.

There are various actors in play in my setup, but most all of them are fairly simple:
- AuthorizationServer: runs separately; hands out JWTs to clients
- Clients: get JWTs from OAuth server; each with access to a subset of resources.
- ResourceServers: consume JWTs for access decisions
- MyZuulProxy: proxies various resource servers; should relay JWTs.

It should be noted that MyZuulProxy has no security dependencies whatsoever; it passed the Authorization: Bearer {JWT} header it receives to the ResourceServers, pre-RC1. MyZuulProxy is explicitly not a Client itself, and does not use
or similar at the moment.

What could I do to get MyZuulProxy to relay the JWTs to the ResourceServers again when using Spring Cloud Brixton.RC1?

There's very little code to post: It's just
in three different jars. My Clients are not Spring applications.

Tim Tim
Answer Source

Update: Fixed in https://github.com/spring-cloud/spring-cloud-netflix/pull/963/files

Sensitive headers can also be set globally by setting zuul.sensitiveHeaders. If sensitiveHeaders is set on a route, this will override the global sensitiveHeaders setting.

So use:

zuul:
  # Pass Authorization header downstream
  sensitive-headers: Cookie,Set-Cookie

So pending a fix for https://github.com/spring-cloud/spring-cloud-netflix/issues/944, jebeaudet was kind enough to provide a workaround:

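import java.util.Set;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;

public class RelayTokenFilter extends ZuulFilter {

    @Override
    @SuppressWarnings("unchecked")
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();

        // Alter ignored headers as per: https://gitter.im/spring-cloud/spring-cloud?at=56fea31f11ea211749c3ed22
        Set<String> headers = (Set<String>) ctx.get("ignoredHeaders");
        // We need our JWT tokens relayed to resource servers
        // (header names in this set are stored in lowercase)
        if (headers != null) {
            headers.remove("authorization");
        }
        return null;
    }

    @Override
    public boolean shouldFilter() {
        return true; // apply to every proxied request
    }

    @Override
    public String filterType() {
        return "pre"; // run before the request is routed
    }

    @Override
    public int filterOrder() {
        return 10000; // run late among the "pre" filters
    }
}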
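
The route-level override mentioned in the answer can be used to keep the JWT away from backends that should not receive it. The following configuration is an added example, not part of the original answer; the route names, paths and URLs are hypothetical.

```yaml
zuul:
  # Global default: Authorization is left out of the sensitive list, so the
  # client's "Authorization: Bearer {JWT}" header is relayed downstream.
  sensitive-headers: Cookie,Set-Cookie
  routes:
    # Hypothetical internal resource server: no route-level list, so it
    # inherits the global one and receives the JWT.
    orders:
      path: /orders/**
      url: http://orders.internal.example:8080
    # Hypothetical third-party backend: the route-level list overrides the
    # global one, so Authorization is stripped before the request leaves.
    partner-api:
      path: /partner/**
      url: https://api.partner.example
      sensitive-headers: Cookie,Set-Cookie,Authorization
```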