I am trying to implement a microservices-architecture backend using Spring Boot 1.5.6.RELEASE and Spring Cloud Dalston.SR3 that will be consumed through mobile/web endpoints. The Spring Cloud Zuul API gateway does not forward the JWT token when the session is stateless.
API gateway application
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;

@SpringBootApplication
@EnableEurekaClient
@EnableZuulProxy
public class GatewayApplication {
    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}
API security
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
@EnableOAuth2Sso
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/sign-up", "/login")
                    .permitAll()
                .anyRequest()
                    .authenticated()
            .and()
            .csrf()
                .ignoringAntMatchers("/sign-up", "/login")
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        // @formatter:on
    }
}
Gradle security-related dependencies
// Spring OAuth2 security
compile("org.springframework.boot:spring-boot-starter-security")
compile("org.springframework.security.oauth:spring-security-oauth2")
compile("org.springframework.cloud:spring-cloud-starter-oauth2")
compile("org.springframework.security:spring-security-jwt")
Zuul routes
zuul:
  ignoredServices: '*'
  routes:
    user-service:
      path: /user-service/**
      stripPrefix: false
      serviceId: user-webservice
      sensitiveHeaders:
    task-service:
      path: /task-service/**
      stripPrefix: false
      serviceId: task-webservice
      sensitiveHeaders:
    user:
      path: /userauth/**
      stripPrefix: false
      serviceId: auth-server
      sensitiveHeaders:
I am able to get an access token from the authorization server (stateless session, no JSESSIONID cookie):
curl -D - --request POST -u acme:acmesecret "http://localhost:8899/userauth/oauth/token?grant_type=password&username=<...>&password=<...>"
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MDQ3ODg4NzgsInVzZXJfbmFtZSI6IjcyMTk2MTk2NDEiLCJhdXRob3JpdGllcyI6WyJST0xFX1BBVElFTlQiXSwianRpIjoiZThhMzBjNmQtZjA2MS00MWEzLWEyZGItYTZiN2ZjYTI5ODk1IiwiY2xpZW50X2lkIjoiYWNtZSIsInNjb3BlIjpbIm9wZW5pZCJdfQ.AhF_kqfsRYM1t1HVT........
I can use the access token to request data from the authorization server or from other resources:
curl -D - --request GET -H "Authorization: Bearer eyJhbGciOiJSUzI1......" http://localhost:8899/userauth/me
{"authorities":[{"authority":"ROLE_P.........}
curl -D - --request GET -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5......." http://localhost:8081/user-service/
[{"name":"Anil".....}]
However, when the same request is routed through the API gateway, it fails at the gateway itself and is filtered as an AnonymousAuthenticationToken:
curl -D - --request GET -H "Authorization: Bearer eyJhbGciOiJSUzI1...." http://localhost:8765/user-service/
HTTP/1.1 302
Set-Cookie: XSRF-TOKEN=b5a1c34e-e83c-47EA-86a6-13a237c027d4; Path=/
Location: http://localhost:8765/login
I was assuming that with @EnableZuulProxy and @EnableOAuth2Sso, Zuul would take care of forwarding the bearer token to the downstream services, but that is not the case. I already have a working example that uses an HTTP session and browser redirects to get the API gateway to pass the token along: https://github.com/anilallewar/microservices-basics-spring-boot
But I am struggling to make it work with a stateless session. Any pointers on what might be missing on the Zuul API gateway side?
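An added illustration, not code from the question or the linked repository: @EnableOAuth2Sso installs a login-redirect entry point for browser clients, which matches the 302 to /login seen above, whereas a gateway that should accept an Authorization: Bearer header on a stateless session is normally configured as an OAuth2 resource server (@EnableResourceServer) that verifies the JWT signature locally. The class below would replace the @EnableOAuth2Sso WebSecurityConfiguration; the paths are taken from the question, and VERIFIER_KEY is a placeholder for the auth server's RSA public key.

```java
// Added example (not the asker's code): the Zuul gateway as a stateless OAuth2 resource
// server that validates the bearer JWT itself. Assumes RSA-signed tokens; VERIFIER_KEY is a placeholder.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class GatewayResourceServerConfig extends ResourceServerConfigurerAdapter {
    // Placeholder: the auth server's public key in PEM form (what its /oauth/token_key endpoint exposes).
    private static final String VERIFIER_KEY =
            "-----BEGIN PUBLIC KEY-----\n<PUBLIC-KEY-PLACEHOLDER>\n-----END PUBLIC KEY-----";

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey(VERIFIER_KEY); // signature is checked locally; no per-request call to the auth server
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenStore(tokenStore()).stateless(true); // never fall back to a session-bound principal
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // The browser never attaches an Authorization header on its own, so the
            // cookie-based CSRF repository from the SSO setup is not needed here.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/userauth/oauth/token").permitAll()
                .antMatchers("/sign-up").permitAll()
                .anyRequest().authenticated();
    }
}
```

Zuul strips any header listed in a route's sensitiveHeaders (the default list is Cookie, Set-Cookie and Authorization), so the empty sensitiveHeaders on each route above is what lets the validated bearer token continue on to user-webservice and task-webservice.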
Did you get this working? I am stuck on the same problem. Could you shed some light? – rohit