Spring Cloud Zuul + OAuth 错误 CORS

Question

Spring Cloud Zuul + OAuth 错误 CORS

springauthenticationoauthspring-cloudnetflix-zuul

6

我正在使用Spring Boot Cloud + OAuth2认证系统，但在认证方法中遇到了问题。当我尝试通过我的服务器进行身份验证时，Zuul网关未发送头部参数，但如果我直接尝试通过我的OAuth服务器进行身份验证，则没有问题。问题仅在我尝试通过Zuul网关进行身份验证时才会发生。

认证响应：

错误描述：“需要完整身份验证才能访问此资源”

请求头：

Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:pt,en-US;q=0.8,en;q=0.6
Authorization:Basic <MySecretToken>
Cache-Control:no-cache
Connection:keep-alive
Content-Length:0
DNT:1
Host:localhost:8181
Origin:http://localhost:9980
Pragma:no-cache
Referer:http://localhost:9980/login
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.11 Safari/537.36

使用Zuul请求记录OAuth服务器日志:

2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@541da561
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/token'; against '/oauth/token'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /oauth/token?password=myPassword&grant_type=password&username=system; Attributes: [fullyAuthenticated]
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-03-07 16:41:37.838 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@59b8fe9, returned: -1
2016-03-07 16:41:37.846 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

注意，在筛选器11个过滤器中的第5个必须被执行，但未被执行。

现在查看某些服务器的日志，但不使用网关：

2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@541da561
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:51:16.644 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'gateway'
2016-03-07 16:51:16.645 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b0a7f710: Principal: org.springframework.security.core.userdetails.User@f4ba4644: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b0a7f710: Principal: org.springframework.security.core.userdetails.User@f4ba4644: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@727809f6
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'

现在看一下第二个日志，你会发现在11个筛选器中的第5个筛选器被接受了。

以下是网关模块设置信息：

https://gist.github.com/tiarebalbi/07aaa61f84d3ea3822e0

更新：

以下是网关使用的CorsFilter： https://gist.github.com/tiarebalbi/ce5f6fc9691e1a6e3aaa

调试信息：

我注意到网关接收到了所有的头部参数，但是认证服务器没有接收到。

网关：

OAuth 服务器：

解决方案：

查看文档后，我注意到敏感头部的描述，正如我们可以在这里和这里看到的，Authorization 是敏感头部列表中的一项，因此它没有被发送给其他服务。

更新后的代码：

zuul:
  ignored-services: "*"
  prefix: /v1
  routes:
    auth-server:
      path: /auth/**
      sensitiveHeaders: Cookie,Set-Cookie

- Tiarê Balbi

1个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Percy Vega · Accepted Answer

是的，添加 sensitive-headers 工作了！

zuul.routes.myApi1.path=/api/**
zuul.routes.myApi1.url=http://localhost:8090/myApi/
zuul.sensitive-headers=Cookie,Set-Cookie