spring-security – 使用Spring引导,Eureka,Zuul,Spring Oauth创建OAuth安全微服务的问题

我正在尝试使用Spring Boot,Eureka,Zuul和Spring OAuth进行Zuul反向代理设置.具体来说,我正在尝试从Zuul背后的OAuth服务器获取OAuth承载令牌.为此,我需要向重定向到我们的OAuth服务器的代理端点发出POST请求.此请求使用client_credentials授权类型,因此使用BasicAuth获取承载令牌.我已经证实我可以通过绕过Zuul获得令牌.

我一直无法获得我的预期结果,这是一个OAuth感知的反向代理,但本身没有必需的安全性.我在配置上尝试了一些不同的变化,但找不到金票.

这是我的Maven:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.mycompany.cloud</groupId>
    <artifactId>mycompany-cloud</artifactId>
    <version>0.0.2-SNAPSHOT</version>
  </parent>
  <artifactId>mycompany-cloud-zuul-proxy</artifactId>

  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-zuul</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-eureka</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.security.oauth</groupId>
      <artifactId>spring-security-oauth2</artifactId>
    </dependency>

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-dependencies</artifactId>
        <version>Brixton.SR2</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>1.3.5.RELEASE</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
        <executions>
          <execution>
            <goals>
              <goal>repackage</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>

我最初创建的配置只是

@SpringBootApplication
@EnableZuulProxy
@EnableEurekaClient
@EnableOAuth2Sso
public class ZuulProxyApplication {
  public static void main(final String[] args) {
    SpringApplication.run(ZuulProxyApplication.class, args);
  }
}

但这默认启用了基本身份验证安全性.我知道这是因为我会在任何POST请求中获得CSRF错误.设置security.enable-csrf = false并没有禁用它(我发现这很奇怪).设置security.basic.enabled = false也没有禁用任何安全也奇怪.我终于注意到@ EnableOAuth2Sso上的JavaDoc说如果没有提供WebSecurityConfigurerAdapter那么它将使用默认值.我尝试将@EnableWebSecurity添加到我的配置中,该配置应该添加了WebSecurityConfigurerAdapter,但我仍然在POST请求中收到CSRF错误.也许默认它使用isnlt意识到SecurityProperties.所以我最终得到了这个配置:

@SpringBootApplication
@EnableZuulProxy
@EnableEurekaClient
public class ZuulProxyApplication {

  public static void main(final String[] args) {
    SpringApplication.run(ZuulProxyApplication.class, args);
  }

  @Configuration
  @EnableOAuth2Sso
  @EnableWebSecurity
  @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
  protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    public void globalUserDetails(final AuthenticationManagerBuilder auth) throws Exception {
      // add no users
      auth.inMemoryAuthentication();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
      http.csrf().disable();
    }

  }
}

以及以下属性:

spring:
  application:
    name: mycompany-cloud-zuul-proxy
    index: 0
security:
  oauth2:
    client:
      access-token-uri: http://mycompany-cloud-authorization-server/oauth/token
      user-authorization-uri: http://mycompany-cloud-authorization-server/oauth/authorize
  basic:
    enabled: false
  enable-csrf: false
  sessions: stateless
server:
  port: 9200
eureka:
  client:
    service-url:
      defaultZone: http://localhost:9100/eureka/

这很成功,它禁用了CSRF配置,我能够在没有收到CSRF错误的情况下向我的服务发出POST请求.但是,现在我的OAuth服务器拒绝了请求,因为请求中不再出现BasicAuth标头.似乎Zuul正在剥离标题.我误解了添加@ EnableOAuth2Sso注释会使应用程序OAuth知道并且它允许访问配置的OAuth服务器的方法,还是仅仅应用于承载令牌?将OAuth服务器置于代理服务器后面是否正常或者这不是预期的事情?我猜我错过了一些我尚未从文档中理解的重要知识和/或配置.

任何帮助在这里将不胜感激.

最佳答案

However, now my OAuth server is rejecting the requests because the BasicAuth header is no longer on the request

默认情况下,Spring cloud Zuul实现会出于安全目的剥离一些标头(请参阅Cookies and sensitive headers documentation)

因此,自从Spring cloud netflix 1.1以下标题Cookie,Set-Cookie,Authorization被认为是合理的标题

Is it normal to place your OAuth server behind the proxy or is that not an expected thing to do?

默认情况下,Spring云基本上没有设计为在代理(Zuul)后面有授权服务器(或OAuth服务器).在大多数示例和文档中,授权服务器是外部代理.

我亲自在代理https://github.com/kakawait/uaa-behind-zuul-sample后面创建了一个POC for Authorization,它可能(或不)帮助你.

转载注明原文:spring-security – 使用Spring引导,Eureka,Zuul,Spring Oauth创建OAuth安全微服务的问题 - 代码日志