Tôi đang sử dụng hệ thống Xác thực đám mây khởi động đám mây + OAuth2, nhưng tôi đang gặp sự cố trong phương thức xác thực. Khi tôi cố gắng xác thực với máy chủ của tôi, cổng Zuul không gửi thông số tiêu đề, nhưng nếu tôi cố gắng xác thực trực tiếp với máy chủ oauth của tôi, tôi không gặp vấn đề gì. Vấn đề chỉ xảy ra khi tôi cố gắng xác thực thông qua cổng Zuul.Spring Cloud Zuul + Lỗi OAuth CORS
Auth đáp ứng:
ERROR_DESCRIPTION: "xác thực đầy đủ là cần thiết để truy cập vào tài nguyên này"
Tiêu đề yêu cầu:
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:pt,en-US;q=0.8,en;q=0.6
Authorization:Basic <MySecretToken>
Cache-Control:no-cache
Connection:keep-alive
Content-Length:0
DNT:1
Host:localhost:8181
Origin:http://localhost:9980
Pragma:no-cache
Referer:http://localhost:9980/login
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.11 Safari/537.36
OAuth server Logging với yêu cầu Zuul:
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]541da561
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/oauth/token'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/token?password=myPassword&grant_type=password&username=system; Attributes: [fullyAuthenticated]
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.sprin[email protected]90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-03-07 16:41:37.838 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.access.vote.AffirmativeBased : Voter: org.sp[email protected]59b8fe9, returned: -1
2016-03-07 16:41:37.846 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
Lưu ý rằng trong bộ lọc 5 của 11 bộ lọc phải được thực hiện, nhưng nó không được.
Look nay là nhật ký của một số máy chủ nhưng không có cổng:
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]541da561
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:51:16.644 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'gateway'
2016-03-07 16:51:16.645 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication success: org.springframew[email protected]b0a7f710: Principal: [email protected]: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframew[email protected]b0a7f710: Principal: [email protected]: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.w[email protected]727809f6
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
Bây giờ nhìn vào các bản ghi thứ hai, bạn sẽ thấy rằng trong các bộ lọc 5 trong tổng số 11 bộ lọc đã được chấp nhận.
Dưới đây là thông tin Cổng mô-đun thiết lập:
https://gist.github.com/tiarebalbi/07aaa61f84d3ea3822e0
Cập nhật:
Bên dưới CorsFilter được sử dụng trong các cửa ngõ: https://gist.github.com/tiarebalbi/ce5f6fc9691e1a6e3aaa
gỡ lỗi thông tin:
Điều tôi nhận thấy là cổng nhận được tất cả thông số tiêu đề, nhưng máy chủ xác thực thì không.
Gateway:
OAuth Server:
Giải pháp:
Rà soát các tài liệu tôi thấy các d escription về các tiêu đề nhạy cảm và như chúng ta có thể thấy here và here ủy quyền là một trong những danh sách và vì điều này nó không được gửi đến các dịch vụ khác.
Mã sau khi cập nhật:
zuul:
ignored-services: "*"
prefix: /v1
routes:
auth-server:
path: /auth/**
sensitiveHeaders: Cookie,Set-Cookie