1. 首页
  2. 问答
  3. 春云Zuul API网关不会转发JWT令牌无状态会话

春云Zuul API网关不会转发JWT令牌无状态会话

2017-09-07 91 views
2

我试图实现使用春季启动1.5.6.RELEASE春云Dalston.SR3微服务架构的后端,将通过移动消耗/网络端点。春云Zuul API网关不会转发JWT令牌无状态会话

API网关应用

@SpringBootApplicatio 
@EnableEurekaClient 
@EnableZuulProxy 
public class GatewayApplication { 

    public static void main(String[] args) { 
     SpringApplication.run(GatewayApplication.class, args); 
    } 
}

API安全

@Configuration 
@EnableWebSecurity 
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER) 
@EnableOAuth2Sso 
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { 

    @Override 
    public void configure(HttpSecurity http) throws Exception { 

     // @formatter:off 
     http 
      .sessionManagement() 
       .sessionCreationPolicy(SessionCreationPolicy.STATELESS) 
      .and() 
       .authorizeRequests() 
        .antMatchers("/sign-up", "/login") 
         .permitAll() 
       .anyRequest() 
        .authenticated() 
      .and() 
       .csrf() 
        .ignoringAntMatchers("/sign-up", "/login") 
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); 
     // @formatter:on 
    } 
}

摇篮安全相关的依赖

// Spring OAuth2 security 
    compile("org.springframework.boot:spring-boot-starter-security") 
    compile("org.springframework.security.oauth:spring-security-oauth2") 
    compile("org.springframework.cloud:spring-cloud-starter-oauth2") 
    compile("org.springframework.security:spring-security-jwt")

Zuul路线

zuul: 
    ignoredServices: '*' 
    routes: 
    user-service: 
     path: /user-service/** 
     stripPrefix: false 
     serviceId: user-webservice 
     sensitiveHeaders: 
    task-service: 
     path: /task-service/** 
     stripPrefix: false 
     serviceId: task-webservice 
     sensitiveHeaders: 
    user: 
     path: /userauth/** 
     stripPrefix: false 
     serviceId: auth-server 
     sensitiveHeaders:

我能够得到授权服务器的访问令牌(无状态会话 - 没有JSESSIONID的cookie)

卷曲-D - --request POST -u极致:acmesecret “http://localhost:8899/userauth/oauth/token?grant_type=password&username= < ...> &密码= < ...> “

{ ”的access_token“:” eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MDQ3ODg4NzgsInVzZXJfbmFtZSI6IjcyMTk2MTk2NDEiLCJhdXRob3JpdGllcyI6WyJST0xFX1BBVElFTlQiXSwianRpIjoiZThhMzBjNmQtZjA2MS00MWEzLWEyZGItYTZiN2ZjYTI5ODk1IiwiY2xpZW50X2lkIjoiYWNtZSIsInNjb3BlIjpbIm9wZW5pZCJdfQ.AhF_kqfsRYM1t1HVT ........

我可以使用访问令牌从授权服务器或其他资源请求数据

卷曲-D - --request GET -H “授权:承载 eyJhbGciOiJSUzI1 ......” http://localhost:8899/userauth/me

{ “权威”:[{ “权威”: “ROLE_P .........}

卷曲-D - --request GET -H” 授权:承载 eyJhbGciOiJSUzI1NiIsInR5 ... ....“http://localhost:8081/user-service/

[{“名字”:“阿尼尔” .....}]

然而,对于通过API网关路由相同的请求时,它未能在网关本身和被过滤为AnonymousAuthenticationToken。

卷曲-D - --request GET -H “授权:承载 eyJhbGciOiJSUzI1 ....” http://localhost:8765/user-service/

HTTP/1.1 302设置Cookie: XSRF-TOKEN = b5a1c34e-e83c-47EA -86a6-13a237c027d4;路径= /地点: http://localhost:8765/login

我是假设与@EnableZuulProxy@EnableOAuth2Sso,Zuul会照顾转发承载令牌到下游服务,但情况并非如此。我已经有一个工作示例,使用HTTP会话和浏览器重定向来获取API网关传递令牌 - https://github.com/anilallewar/microservices-basics-spring-boot

但我很努力让它与无状态会话一起工作,任何指针可能缺少Zuul API网关方面?

来源

2017-09-07 Anil Allewar

+0

你有这个工作?我陷入了同样的问题。 你能否摆脱一些光线? – rohit

回答

1

Zuul默认将授权标头视为敏感标头,并且不会将其传递给下游请求。要覆盖这一点,你可以在Zuul配置包括全局的(适用于所有航线)修改sensitiveHeaders

zuul: 
    # exclude Authorization from sensitive headers 
    sensitiveHeaders: Cookie,Set-Cookie 
    ignoredServices: '*'

或特定路线:

zuul: 
    ignoredServices: '*' 
    routes: 
    user-service: 
     path: /user-service/** 
     stripPrefix: false 
     serviceId: user-webservice 
     # exclude Authorization from sensitive headers 
     sensitiveHeaders: Cookie,Set-Cookie

要了解更多有关问题,检查这个问题:

Authorization header not passed by ZuulProxy starting with Brixton.RC1

来源

2017-09-22 14:22:34

+0

如果您查看原始问题,则敏感标头已设置为空(sensitiveHeaders:)。这绝对不是问题。 –

0

我是假设与@EnableZuulProxy和@Ena bleuuth2Sso,Zuul会小心地将不记名令牌转发给下游服务,但这不会发生。

我认为同样的事情,但在我的(痛苦)的经验,@ EnableOAuth2Sso确保与SSO和块甚至从获取到下游业务的承载令牌的请求的所有端点。我不得不改变我的网关以禁用导致我的资源的路由的身份验证,以便带有令牌令牌的请求可以通过。

尝试增加/user-service/**/task-service/**permitAll()匹配:

@Override 
public void configure(HttpSecurity http) throws Exception { 

    // @formatter:off 
    http 
     .sessionManagement() 
      .sessionCreationPolicy(SessionCreationPolicy.STATELESS) 
     .and() 
      .authorizeRequests() 
       .antMatchers("/sign-up", "/login", "/task-service/**", "/user-service/**") 
        .permitAll() 
      .anyRequest() 
       .authenticated() 
     .and() 
      .csrf() 
       .ignoringAntMatchers("/sign-up", "/login") 
       .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); 
    // @formatter:on 
}

来源

2017-12-18 01:26:54

相关问题

 相关问题