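Spring Cloud Zuul + OAuth Error CORS
I am using a Spring Boot Cloud + OAuth2 auth system, and I have a problem with the authentication method. When I try to authenticate on my server, the Zuul gateway does not send the header params, but when I try to authenticate directly against the OAuth server there is no problem. The problem only occurs when I try to authenticate through the Zuul gateway.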
Authentication response:
error_description: "Full authentication is required to access this resource"
Request headers (logged for the Zuul request):
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:pt,en-US;q=0.8,en;q=0.6
Authorization:Basic <MySecretToken>
Cache-Control:no-cache
Connection:keep-alive
Content-Length:0
DNT:1
Host:localhost:8181
Origin:http://localhost:9980
Pragma:no-cache
Referer:http://localhost:9980/login
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.11 Safari/537.36
OAuth server log:
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]541da561
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/oauth/token'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/token?password=myPassword&grant_type=password&username=system; Attributes: [fullyAuthenticated]
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.sprin[email protected]90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-03-07 16:41:37.838 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.access.vote.AffirmativeBased : Voter: org.sp[email protected]59b8fe9, returned: -1
2016-03-07 16:41:37.846 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
Note that at filter 5 of 11 the filter should be executed, but it is not.
Now look at the log of the same server, but without the gateway:
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]541da561
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:51:16.644 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'gateway'
2016-03-07 16:51:16.645 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication success: org.springframew[email protected]b0a7f710: Principal: [email protected]: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframew[email protected]b0a7f710: Principal: [email protected]: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.w[email protected]727809f6
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
Looking at the second log, you can see that at filter 5 of 11 the filter was accepted.
Here is the configuration of the gateway module:
https://gist.github.com/tiarebalbi/07aaa61f84d3ea3822e0
Update: the CorsFilter used in the gateway is below:
https://gist.github.com/tiarebalbi/ce5f6fc9691e1a6e3aaa
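Debug information:
What I noticed is that the gateway receives all the header parameters, but the auth server does not.
Gateway:
OAuth server:
Solution:
Checking the documentation, I saw the section about sensitive headers, and as shown here and here, Authorization is one of the headers on that list, and because of this it was not being sent to the other services.
Code after the update: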
zuul:
  ignored-services: "*"
  prefix: /v1
  routes:
    auth-server:
      path: /auth/**
      sensitiveHeaders: Cookie,Set-Cookie
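A way to confirm this diagnosis from the OAuth server's Spring Security debug log, as an added example that is not part of the original post: it groups lines per request thread, checks whether BasicAuthenticationFilter reported an Authorization header, and masks the password that the traces expose in the query string. The function names, verdict strings and the shortened sample lines are constructed for illustration.

```python
import re

# Spring Boot default layout: "<date> <time> LEVEL pid --- [thread] logger : message"
LINE = re.compile(r"^\S+ \S+\s+\w+\s+\d+ --- \[\s*([^\]]+)\]\s+\S+\s+: (.*)$")
FIRING = re.compile(r"^(\S+) at position (\d+) of \d+ in additional filter chain; firing Filter: '(\w+)'")
SECRET = re.compile(r"(?i)\b(password|client_secret)=[^&\s;]+")

def redact(text):
    """Mask credentials that were logged as part of the query string."""
    return SECRET.sub(r"\1=***", text)

def diagnose(lines):
    """Return one dict per request seen in the log, in order of first appearance."""
    open_by_thread, results = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.groups()
        fired = FIRING.match(msg)
        if fired and fired.group(2) == "1":      # position 1 starts a new request
            req = {"thread": thread, "url": redact(fired.group(1)),
                   "basic_filter_ran": False, "header_seen": False, "denied": False}
            open_by_thread[thread] = req
            results.append(req)
        req = open_by_thread.get(thread)
        if req is None:                          # line belongs to no tracked request
            continue
        if fired and fired.group(3) == "BasicAuthenticationFilter":
            req["basic_filter_ran"] = True
        elif "Basic Authentication Authorization header found" in msg:
            req["header_seen"] = True
        elif "Access is denied (user is anonymous)" in msg:
            req["denied"] = True
    for req in results:
        req["verdict"] = ("authorization header received" if req["header_seen"] else
                          "authorization header absent" if req["basic_filter_ran"] and req["denied"] else
                          "inconclusive")
    return results

# Constructed sample, shortened from the two traces in the post.
SAMPLE = """\
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:41:37.846 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:51:16.644 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'gateway'
""".splitlines()
```

An "authorization header absent" verdict on requests that arrive through the gateway, next to "authorization header received" on direct requests, points at the proxy dropping the header rather than at the OAuth server's own configuration.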