2016-03-07 39 views
5

Używam systemu Spring Boot Cloud + OAuth2 Auth, ale mam problem z metodą auth. Kiedy próbuję uwierzytelnić się z moim serwerem, bramka Zuul nie wysyła parametrów nagłówka, ale jeśli spróbuję uwierzytelnić się bezpośrednio na moim serwerze oauth, nie mam problemu. Problem występuje tylko wtedy, gdy próbuję uwierzytelnić się przez bramkę Zuul.Wiosenna chmura Zuul + błąd OAuth CORS

Auth Response:

ERROR_DESCRIPTION: "Pełny wymagana jest autoryzacja dostępu do tego zasobu"

Zapytanie Header:

Accept:application/json, text/plain, */* 
Accept-Encoding:gzip, deflate 
Accept-Language:pt,en-US;q=0.8,en;q=0.6 
Authorization:Basic <MySecretToken> 
Cache-Control:no-cache 
Connection:keep-alive 
Content-Length:0 
DNT:1 
Host:localhost:8181 
Origin:http://localhost:9980 
Pragma:no-cache 
Referer:http://localhost:9980/login 
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.11 Safari/537.36 

OAuth Server rejestrowanie z Zuul kupna:

2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter' 
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]541da561 
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter' 
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout' 
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' 
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' 
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter' 
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy  : /oauth/token?password=myPassword&grant_type=password&username=system at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/oauth/token' 
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/token?password=myPassword&grant_type=password&username=system; Attributes: [fullyAuthenticated] 
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.s[email protected]: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS 
2016-03-07 16:41:37.838 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.access.vote.AffirmativeBased  : Voter: org.sp[email protected]59b8fe9, returned: -1 
2016-03-07 16:41:37.846 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.ExceptionTranslationFilter  : Access is denied (user is anonymous); redirecting to authentication entry point 

Zauważa, że ​​w filtrze 5 z 11 filtr musi zostać wykonany, ale tak nie było.

Look teraz dziennik z jakimś serwerze, ale bez bramy:

2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter' 
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]541da561 
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter' 
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout' 
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' 
2016-03-07 16:51:16.644 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'gateway' 
2016-03-07 16:51:16.645 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.authentication.ProviderManager  : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider 
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication success: org.springframew[email protected]b0a7f710: Principal: [email protected]: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER 
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframew[email protected]b0a7f710: Principal: [email protected]: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER' 
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter' 
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.w[email protected]727809f6 
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy  : /oauth/token?grant_type=password&username=system&password=myPassword at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 

Spójrzmy teraz na drugim dzienniku, widać, że w filtrze 5 z 11 filtr został zaakceptowany.

Oto informacja Brama konfiguracja modułu:

https://gist.github.com/tiarebalbi/07aaa61f84d3ea3822e0


Aktualizacja:

Poniżej CorsFilter używane w bramie: https://gist.github.com/tiarebalbi/ce5f6fc9691e1a6e3aaa

Debug Informacji:

Zauważyłem, że brama odbiera wszystkie parametry nagłówka, ale serwer uwierzytelniania nie.

Brama:

Parameters in the Gateway

OAuth Serwer:

OAuthServer


Rozwiązanie:

Przeglądając dokument Widziałem d Opis nagłówków Sensitives i jak widzimy, here i here Autoryzacja jest jedną z list i dlatego nie została wysłana do innych serwisów.

Kod po aktualizacji:

zuul: 
    ignored-services: "*" 
    prefix: /v1 
    routes: 
    auth-server: 
     path: /auth/** 
     sensitiveHeaders: Cookie,Set-Cookie 

Odpowiedz

1

Tak, dodając sensitive-headers pracował!

zuul.routes.myApi1.path=/api/** 
zuul.routes.myApi1.url=http://localhost:8090/myApi/ 
zuul.sensitive-headers=Cookie,Set-Cookie