Spring OAuth Authorization Server behind a Java Spring Cloud Zuul Proxy

Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same CC BY-SA terms, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow, original question: http://stackoverflow.com/questions/30327269/

Date: 2020-08-11 09:27:30  Source: igfitidea

Spring OAuth Authorization Server behind Spring Cloud Zuul Proxy

Tags: java, spring-security, spring-cloud, netflix-zuul

Asked by Tobias Kremer

I am currently developing an application based on a microservice architecture. We use an API gateway implemented with Spring Cloud Netflix's Zuul server to route the requests to our microservices.


To realize single sign-on for all our services I am currently working on an OAuth2 server set up using Spring Cloud Security. The server is basically just a copy and paste of the implementation in Dave Syer's repo: https://github.com/dsyer/spring-security-angular/tree/master/oauth2/authserver


The main difference is that I want to route the requests to my OAuth server through the Zuul proxy. This way I will not have to expose my OAuth server directly and can add and remove login servers dynamically.


The problem is I do not seem to understand how to correctly configure this setup. When I try to access a protected resource on the OAuth server I am forwarded to the login page. This of course is as expected. But I cannot figure out how to set the hostname and port used when forwarding. What I want to happen is for the server to forward to an endpoint on the Zuul server that will get proxied back to the OAuth server. (The Zuul API gateway should be the only server the client ever talks to. Everything else will be hidden.)


As it is, the host and port are read from the HttpServletRequest in LoginUrlAuthenticationEntryPoint. But the request the server sees is the request sent by the Zuul proxy. So I am forwarded to an internal IP, not an endpoint on the proxy.


I tried to set the URL of the login page in WebSecurityConfigurerAdapter.configure(HttpSecurity) to the absolute URL of my Zuul proxy. But this just caused my application to complain about too many redirects. (Might have caused a loop there.)


What would be the best way to set this up?


  • Do I have to implement some kind of own forwarding strategy by overriding a bean?
  • Is there a configuration option I am missing?
  • Is my idea itself wrong? (In his answer to "How to avoid redirect to another host with Zuul?" Dave Syer says you would not normally proxy this but does not explain why.)

Accepted answer by Kakawait

Update: POC can be found here https://github.com/kakawait/uaa-behind-zuul-sample




Did you try the following setup (on the Zuul server):


zuul:
  routes:
    uaa-service:
      path: /uaa/**
      stripPrefix: false

security:
  # Disable Spring Boot basic authentication
  basic:
    enabled: false
  oauth2:
    sso:
      loginPath: /login
    client:
      accessTokenUri: https://<zuul hostname>/uaa/oauth/token
      userAuthorizationUri: https://<zuul hostname>/uaa/oauth/authorize
      ...

Basically it works on my project; the only thing I have to do is disable CSRF protection on the /uaa/oauth/token route.


The auth server should be configured with


server:
  # Use different context-path to avoid session cookie overlapping
  context-path: /uaa

Tested using Spring Cloud Brixton.M3




Thanks to @thomas-letsch, you should tweak your security like the following (sample)


import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.csrf.CsrfFilter;

// Gateway security configuration (method of a WebSecurityConfigurerAdapter).
// getCSRFTokenRepository() and createCSRFHeaderFilter() are the helpers from Dave Syer's gateway sample.
@Override
public void configure(HttpSecurity http) throws Exception {
    http.logout().and()
        .antMatcher("/**").authorizeRequests()
        // the proxied authorization endpoints must be reachable without a gateway session
        .antMatchers("/index.html", "/home.html", "/", "/uaa/oauth/**").permitAll()
        .anyRequest().authenticated().and()
        // CSRF stays enabled on the gateway, except for the proxied token endpoint
        .csrf().csrfTokenRepository(getCSRFTokenRepository()).ignoringAntMatchers("/uaa/oauth/token").and()
        .addFilterAfter(createCSRFHeaderFilter(), CsrfFilter.class);
}
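The following is an added example and not code from the answer above or from the uaa-behind-zuul-sample POC. It puts the two halves of the setup side by side: on the authorization server, the mechanism that makes LoginUrlAuthenticationEntryPoint build its redirect from the gateway's host instead of the internal address the question complains about; on the gateway, a complete security configuration with the CSRF exemption scoped to the proxied endpoints. It assumes Spring Boot 1.4+ (Spring Framework 4.3+ for ForwardedHeaderFilter, Spring Security 4.1+ for CookieCsrfTokenRepository), a hypothetical gateway host gateway.example.com, the auth server started with server.context-path=/uaa, and the Zuul route path=/uaa/** with stripPrefix=false from the accepted answer. The POC may solve the host rewriting differently; the filter shown is the standard Spring mechanism for honouring X-Forwarded-* headers.

```java
// Added example, not the answer's or the POC's code. Two @Configuration classes that belong
// to two different applications (auth server and gateway), shown in one file for compactness.
// Assumed: Spring Boot 1.4+, Spring Security 4.1+, gateway host gateway.example.com (hypothetical),
// auth server context-path /uaa, Zuul route /uaa/** with stripPrefix=false.
package com.example.sso;

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.filter.ForwardedHeaderFilter;

// --- 1. Authorization server (the "uaa" application, reachable only on the internal network).
@Configuration
class UaaBehindProxyConfig {

    // Zuul adds X-Forwarded-Host / -Port / -Proto / -Prefix to every proxied request.
    // LoginUrlAuthenticationEntryPoint builds the redirect to the login page from the
    // HttpServletRequest it sees; without this filter that is the internal host:port Zuul
    // connected to, which is the "forwarded to an internal IP" symptom in the question.
    // ForwardedHeaderFilter rewrites scheme/host/port/context path from those headers before
    // Spring Security runs. Boot registers any Filter bean automatically.
    // Security caveat: X-Forwarded-* is attacker-controlled on any request that does not come
    // from Zuul, so bind the auth server to the private interface and let only Zuul reach it;
    // otherwise a client can steer the login redirect to a host of its choosing.
    @Bean
    ForwardedHeaderFilter forwardedHeaderFilter() {
        return new ForwardedHeaderFilter();
    }
}

// --- 2. Gateway (the Zuul application), which owns the browser-facing session.
@Configuration
@EnableOAuth2Sso
class GatewaySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The proxied authorize endpoint and the UAA's login form must be reachable by a
                // browser that has no gateway session yet. If they are not, the SSO entry point
                // sends the browser to /login -> /uaa/oauth/authorize -> /uaa/login -> /login ...
                // which is the "too many redirects" loop described in the question.
                .antMatchers("/uaa/oauth/**", "/uaa/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .csrf()
                // Gateway CSRF protection stays on for everything else; these two are exempt because
                //  - /uaa/oauth/token is called with client credentials, not a browser session, so the
                //    gateway has no CSRF token to compare and would answer 403;
                //  - /uaa/login is the UAA's own form and carries the UAA's _csrf value, which the
                //    gateway's CsrfFilter cannot verify. The UAA still enforces its own CSRF check.
                .ignoringAntMatchers("/uaa/oauth/token", "/uaa/login")
                // Replaces the sample's getCSRFTokenRepository()/createCSRFHeaderFilter() pair:
                // an XSRF-TOKEN cookie readable by the front end (Spring Security 4.1+).
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

Two checks worth doing when this still loops. First, the two session cookies: the gateway's JSESSIONID is set with Path=/ and the auth server's with Path=/uaa, which is the reason for the different context-path in the answer; if both had Path=/ the browser would overwrite one with the other on every hop. Second, Zuul's sensitiveHeaders (Brixton GA and later) default to Cookie, Set-Cookie and Authorization, so the uaa-service route must clear that list or the UAA's session cookie never reaches the browser and a correct password still lands back on the login page. Instead of the filter bean, server.use-forward-headers=true (Boot 1.3 to 2.1) or server.forward-headers-strategy=framework (Boot 2.2+) achieves the same host rewriting, with the same caveat that the headers must only ever originate from the proxy.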

Answered by Jérémie

As far as I understand your question, spring-cloud-security (for the @EnableOAuth2Sso part) and spring-cloud (for Zuul), it is not possible to proxy the calls to the authorization server using Zuul. The main reason is that spring-cloud-security secures the gateway independently of (and before accounting for) Zuul's routing logic.


Which means that the spring.oauth2.client.* configuration (sample configuration from Dave Syer's OAuth2 example)


spring:
  oauth2:
    client:
      accessTokenUri: http://localhost:9999/uaa/oauth/token
      userAuthorizationUri: http://localhost:9999/uaa/oauth/authorize
      clientId: acme
      clientSecret: acmesecret

is considered before allowing any access to Zuul's routes zuul.routes.*


Moreover, this setup makes the client agent store two cookies: one for the gateway and one for the authorization server.


I hope this helps.
