java Authorization header not passed by ZuulProxy starting with Brixton.RC1

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must do so under the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original URL: http://stackoverflow.com/questions/36359915/

Time: 2020-11-03 01:19:52  Source: igfitidea

Authorization header not passed by ZuulProxy starting with Brixton.RC1

Tags: java, spring-cloud, spring-security-oauth2, spring-cloud-netflix

Asked by Tim

In switching from Spring Cloud Brixton.M5 to Brixton.RC1 my ZuulProxy no longer passes Authorization headers downstream to my proxied services.


There's various actors in play in my setup, but most all of them are fairly simple:
 - AuthorizationServer: runs separately; hands out JWTs to clients
 - Clients: get JWTs from OAuth server; each with access to a subset of resources.
 - ResourceServers: consume JWTs for access decisions
 - MyZuulProxy: proxies various resource servers; should relay JWTs.


It should be noted that MyZuulProxy has no security dependencies whatsoever; it passed the Authorization: Bearer {JWT} header it receives to the ResourceServers, pre-RC1. MyZuulProxy is explicitly not a Client itself, and does not use @EnableOAuth2SSO or similar at the moment.


What could I do to get MyZuulProxy to relay the JWTs to the ResourceServers again when using Spring Cloud Brixton.RC1?


There's very little code to post: It's just @EnableZuulProxy, @EnableAuthorizationServer and @EnableResourceServer in three different jars. My Clients are not Spring applications.


Answered by Tim

Update: Fixed in https://github.com/spring-cloud/spring-cloud-netflix/pull/963/files


Sensitive headers can also be set globally by setting zuul.sensitiveHeaders. If sensitiveHeaders is set on a route, this will override the global sensitiveHeaders setting.


So use:


# Pass Authorization header downstream
zuul:
  sensitiveHeaders: Cookie,Set-Cookie


So pending a fix for https://github.com/spring-cloud/spring-cloud-netflix/issues/944, jebeaudet was kind enough to provide a workaround:


import java.util.Set;

import org.springframework.stereotype.Component;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;

@Component
public class RelayTokenFilter extends ZuulFilter {

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();

        // Alter ignored headers as per: https://gitter.im/spring-cloud/spring-cloud?at=56fea31f11ea211749c3ed22
        // PreDecorationFilter stores the lower-cased names of the headers Zuul will
        // strip under the "ignoredHeaders" key; dropping "authorization" from that
        // set makes the proxy relay the bearer token again.
        @SuppressWarnings("unchecked")
        Set<String> headers = (Set<String>) ctx.get("ignoredHeaders");
        if (headers != null) {
            // We need our JWT tokens relayed to resource servers
            headers.remove("authorization");
        }

        return null;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public String filterType() {
        return "pre";
    }

    @Override
    public int filterOrder() {
        // Must run after PreDecorationFilter (order 5), which populates ignoredHeaders
        return 10000;
    }
}

Answered by Abhilash

Setting sensitiveHeaders globally helped me solve the issue


zuul:
  sensitiveHeaders: Cookie,Set-Cookie

Please note that the property name is sensitiveHeaders, not sensitive-headers [I use spring-cloud-starter-zuul version: 1.3.1.RELEASE]

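Both answers above set zuul.sensitiveHeaders globally. The following is an added example, not code from either answer or from the Spring Cloud project, showing the same property at global and route level in one Spring Cloud Netflix Zuul 1.x application.yml, so the override behaviour Tim quotes is visible. Route names, paths, the order-service and legacy-service IDs and the partner.example.com URL are assumptions for illustration.

```yaml
# Added example: global vs. per-route sensitiveHeaders in a Zuul 1.x proxy.
# Route names, service IDs and the partner URL are made up for illustration.
zuul:
  # If nothing is configured, Zuul defaults to stripping
  # Cookie, Set-Cookie and Authorization on every route, which is
  # what stopped the JWT relay in Brixton.RC1.
  #
  # Global setting: keep cookies out of downstream calls, but let the
  # Authorization header through on every route that does not override it.
  sensitiveHeaders: Cookie,Set-Cookie
  routes:
    # Internal resource server that validates the JWT itself:
    # inherits the global setting, so Authorization is relayed.
    orders:
      path: /orders/**
      serviceId: order-service
    # Route to an external backend: the route-level value replaces the
    # global one (it does not merge with it), so the bearer token meant
    # for our own resource servers is not leaked to the third party.
    partner:
      path: /partner/**
      url: https://partner.example.com/
      sensitiveHeaders: Cookie,Set-Cookie,Authorization
    # Route that must relay everything, cookies included: an empty value
    # declares that no header is sensitive on this route.
    legacy:
      path: /legacy/**
      serviceId: legacy-service
      sensitiveHeaders:
```

Two things to check after applying this: first, that every route which receives the Authorization header actually validates the JWT (a proxied service that trusts the header without checking the signature is the real exposure), and second, that no route pointing at a host outside your control inherits the global setting by accident, since an Authorization header relayed to a third party is a credential leak.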