Spring Boot OAuth 总是重定向到 HTTP (IBM Cloud CF + Spring Boot 2)

Question

Spring Boot OAuth 总是重定向到 HTTP (IBM Cloud CF + Spring Boot 2)

javaspring-bootspring-securityibm-cloudspring-security-oauth2

5

在IBM Cloud CF Java Buildpack上使用Spring Boot OAuth 2...

请查看https://github.com/ericis/oauth-cf-https-issue。

下面是各种尝试组合的结果：

使用以下配置时，应用程序会陷入无限重定向循环，OAuth重定向策略将其发送到 http，然后这个配置将其发送到https。 http.requiresChannel().anyRequest().requiresSecure() 如果不使用此配置，用户可以通过 http 登录（不希望出现这种情况）。

完整配置如下：

http.
  requiresChannel().anyRequest().requiresSecure().
  authorizeRequests().
    // allow access to...
    antMatchers("favicon.ico", "/login", "/loginFailure", "/oauth2/authorization/ghe")
    .permitAll().anyRequest().authenticated().and().oauth2Login().
    // Codify "spring.security.oauth2.client.registration/.provider"
    clientRegistrationRepository(this.clientRegistrationRepository()).
    // setup OAuth2 client service to use clientRegistrationRepository
    authorizedClientService(this.authorizedClientService()).
    successHandler(this.successHandler()).
    // customize login pages
    loginPage("/login").failureUrl("/loginFailure").
    userInfoEndpoint().
      // customize the principal
      userService(this.userService());

我还尝试了以下方法：

Server configuration to use https

server:
  useForwardHeaders: true
  tomcat:
    protocolHeader: x-forwarded-proto

Servlet filter

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class HttpToHttpsFilter implements Filter {

  private static final Logger log = LoggerFactory.getLogger(HttpToHttpsFilter.class);

  private static final String HTTP = "http";
  private static final String SCHEME_HTTP = "http://";
  private static final String SCHEME_HTTPS = "https://";
  private static final String LOCAL_ID = "0:0:0:0:0:0:0:1";
  private static final String LOCALHOST = "localhost";

  @Value("${local.ip}")
  private String localIp;

  public HttpToHttpsFilter() {
    // Sonar
  }

  @Override
  public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
      throws IOException, ServletException {

    final HttpServletRequest request = (HttpServletRequest) req;

    final HttpServletResponse response = (HttpServletResponse) res;

    // http, not localhost, not localhost ipv6, not local IP
    if (HTTP.equals(request.getScheme()) && 
        !LOCALHOST.equals(request.getRemoteHost()) && 
        !LOCAL_ID.equals(request.getRemoteHost()) && 
        (this.localIp != null && !this.localIp.equals(request.getRemoteHost()))) {

      final String query = request.getQueryString();

      String oldLocation = request.getRequestURL().toString();

      if (query != null) {
        oldLocation += "?" + query;
      }

      final String newLocation = oldLocation.replaceFirst(SCHEME_HTTP, SCHEME_HTTPS);

      try {

        log.info("HTTP redirect from {} to {} ", oldLocation, newLocation);

        response.sendRedirect(newLocation);

      } catch (IOException e) {
        log.error("Cannot redirect to {} {} ", newLocation, e);
      }
    } else {
      chain.doFilter(req, res);
    }
  }

  @Override
  public void destroy() {
    // Sonar
  }

  @Override
  public void init(FilterConfig arg0) throws ServletException {
    // Sonar
  }
}

依赖关系

dependencies {

    //
    // BASICS

    // health and monitoring
    // compile('org.springframework.boot:spring-boot-starter-actuator')

    // security
    compile('org.springframework.boot:spring-boot-starter-security')

    // configuration
    compile('org.springframework.boot:spring-boot-configuration-processor')

  //
  // WEB

  // web
  compile('org.springframework.boot:spring-boot-starter-web')

  // thymeleaf view render
  compile('org.springframework.boot:spring-boot-starter-thymeleaf')

  // thymeleaf security extras
  compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity4')

  //
  // OAUTH

  // OAuth client
  compile('org.springframework.security:spring-security-oauth2-client')

  // OAuth lib
  compile('org.springframework.security:spring-security-oauth2-jose')

  // OAuth config
  compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.0.RELEASE')

  //
  // CLOUD

  // cloud connectors (e.g. vcaps)
  compile('org.springframework.boot:spring-boot-starter-cloud-connectors')

    //
    // TOOLS

    runtime('org.springframework.boot:spring-boot-devtools')

    //
    // TEST

    // test
    testCompile('org.springframework.boot:spring-boot-starter-test')

    // security test
    testCompile('org.springframework.security:spring-security-test')
}

- Eric Swanson

3个回答

2

在当前的环境下，即使没有OAuth行为参与，该应用程序很可能会一直卡在无限循环中。

虽然您可以告诉服务器使用转发头，

server:
  useForwardHeaders: true

Tomcat不会信任所有来源的x-forwarded-*头信息。默认情况下，某些IP地址被视为内部地址（RemoteIpValve#internalProxies）。

然而，在您使用的环境中，报告的代理IP地址可能不在此范围内。您可以使用以下配置允许所有IP地址：

server:
  tomcat:
    internal-proxies: .*

如果没有直接访问应用程序的方式，这将允许所有代理，但如果符合您的需求，则可能是可接受的。

- James Justinic

我没有尝试server.tomcat.internal-proxies设置，因为默认值是基于正则表达式的动态范围，将该值设置为.*会带来安全风险，不应在生产中使用。 - Eric Swanson

1

Spring Boot会自动配置Tomcat的RemoteIpValve，并且可以通过server.tomcat.remote-ip-header和server.tomcat.protocol-header进行配置（https://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html#howto-enable-https）。Spring 5使用ForwardedHeaderFilter简化了这个过程（https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x#forwarded-headers）。您的回答对于旧版本非常有用和有效。由于Spring Boot 2需要Spring Framework 5，我将把ForwardedHeaderFilter作为官方答案。 - Eric Swanson

1

由于使用了Spring 5，决定采用以下解决方案（安全配置）：

        http
            .addFilterBefore(new ForwardedHeaderFilter(), OAuth2AuthorizationRequestRedirectFilter.class)

x-forwarded-* header参数现在已正确处理。

- Taraskin

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Eric Swanson · Accepted Answer

这个问题已经解决。有关此问题的详细信息，请参阅：https://github.com/spring-projects/spring-security/issues/5535#issuecomment-407413944 现在正在运行的示例项目：https://github.com/ericis/oauth-cf-https-issue 简短回答：

应用程序需要显式配置以了解代理头。尽管我尝试过配置，但最终必须使用最近添加到Spring的ForwardedHeaderFilter类的实例。

@Bean
FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {

    final FilterRegistrationBean<ForwardedHeaderFilter> filterRegistrationBean = new FilterRegistrationBean<ForwardedHeaderFilter>();

    filterRegistrationBean.setFilter(new ForwardedHeaderFilter());
    filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);

    return filterRegistrationBean;
}