scdf2 uaa request failed redirect to dashboard from login


Problem description

Using the kubernetes deployer, I cannot log in to scdf2 when applying uaa service security... using the scdf 2.1.2 image version.

I get a loop between /login and /login?code=xxx from the uaa service because, I think, scdf2 cannot get the "token"..

The process:

1) Initial launch of the uaa server.

A uaa service running in a k8s pod, using the following config [applying https://github.com/making/uaa-on-kubernetes/blob/master/k8s/uaa.yml]

It needs a secret deployed with the cert and key. When I created the csr, the CN value for the certificate was "uaa-service", as a valid hostname. Then, uaa-service using https and certs:

apiVersion: v1
kind: Service
metadata:
  name: uaa-service
  labels:
    app: uaa
spec:
  type: LoadBalancer
  ports:
  - port: 8443
    nodePort: 8443
    name: uaa
  selector:
    app: uaa
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: uaa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: uaa
  template:
    metadata:
      labels:
        app: uaa
    spec:
      initContainers:
      - image: openjdk:8-jdk-slim
        name: pem-to-keystore
        volumeMounts:
        - name: keystore-volume
          mountPath: /keystores
        - name: uaa-tls
          mountPath: /uaa-tls
        command:
        - sh
        - -c
        - |
          openssl pkcs12 -export \
                  -name uaa-tls \
                  -in /uaa-tls/tls.crt \
                  -inkey /uaa-tls/tls.key \
                  -out /keystores/uaa.p12 \
                  -password pass:foobar
          keytool -importkeystore \
                  -destkeystore /keystores/uaa.jks \
                  -srckeystore /keystores/uaa.p12 \
                  -deststoretype pkcs12 \
                  -srcstoretype pkcs12 \
                  -alias uaa-tls \
                  -deststorepass changeme \
                  -destkeypass changeme \
                  -srcstorepass foobar \
                  -srckeypass foobar \
                  -noprompt
      containers:
      - name: uaa
        image: making/uaa:4.13.0
        command:
        - sh
        - -c
        - |
          mv /usr/local/tomcat/webapps/uaa.war /usr/local/tomcat/webapps/ROOT.war
          catalina.sh run
        ports:
        - containerPort: 8443
        volumeMounts:
        - name: uaa-config
          mountPath: /uaa
          readOnly: true
        - name: server-config
          mountPath: /usr/local/tomcat/conf/server.xml
          subPath: server.xml
          readOnly: true
        - name: keystore-volume
          mountPath: /keystores
          readOnly: true
        env:
        - name: _JAVA_OPTIONS
          value: "-Djava.security.policy=unlimited -Djava.security.egd=file:/dev/./urandom"
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8443
            scheme: HTTPS
          initialDelaySeconds: 90
          timeoutSeconds: 30
          failureThreshold: 50
          periodSeconds: 60
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8443
            scheme: HTTPS
          initialDelaySeconds: 90
          timeoutSeconds: 30
          periodSeconds: 60
          failureThreshold: 50
      volumes:
      - name: uaa-config
        configMap:
          name: uaa-config
          items:
          - key: uaa.yml
            path: uaa.yml
          - key: log4j.properties
            path: log4j.properties
      - name: server-config
        configMap:
          name: uaa-config
          items:
          - key: server.xml
            path: server.xml
      - name: keystore-volume
        emptyDir: {}
      - name: uaa-tls
        secret:
          secretName: uaa-tls
          # kubectl create secret tls uaa-tls --cert=uaa-service.crt --key=uaa-service.key
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: uaa-config
data:
  server.xml: |-
    <?xml version='1.0' encoding='utf-8'?>
    <Server port="-1">
      <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
      <Service name="Catalina">
        <Connector class="org.apache.coyote.http11.Http11NioProtocol" protocol="HTTP/1.1" connectionTimeout="20000"
                   scheme="https"
                   port="8443"
                   SSLEnabled="true"
                   sslEnabledProtocols="TLSv1.2"
                   ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                   secure="true"
                   clientAuth="false"
                   sslProtocol="TLS"
                   keystoreFile="/keystores/uaa.jks"
                   keystoreType="PKCS12"
                   keyAlias="uaa-tls"
                   keystorePass="changeme"
                   bindOnInit="false"/>
        <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                   connectionTimeout="20000"
                   port="8989"
                   address="127.0.0.1"
                   bindOnInit="true"/>
        <Engine name="Catalina" defaultHost="localhost">
          <Host name="localhost"
                appBase="webapps"
                unpackWARs="true"
                autoDeploy="false"
                failCtxIfServletStartFails="true">
            <Valve className="org.apache.catalina.valves.RemoteIpValve"
                   remoteIpHeader="x-forwarded-for"
                   protocolHeader="x-forwarded-proto"
                   internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"/>
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                   prefix="localhost_access" suffix=".log" rotatable="false" pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
          </Host>
        </Engine>
      </Service>
    </Server>
  log4j.properties: |-
    PID=????
    log4j.rootCategory=INFO, CONSOLE
    log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
    log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
    log4j.appender.CONSOLE.layout.ConversionPattern=[%d{yyyy-MM-dd HH:mm:ss.SSS}] uaa%X{context} - ${PID} [%t] .... %5p --- %c{1}: %m%n
    log4j.category.org.springframework.security=INFO
    log4j.category.org.cloudfoundry.identity=INFO
    log4j.category.org.springframework.jdbc=INFO
    log4j.category.org.apache.http.wire=INFO
  uaa.yml: |-
    logging:
      config: "/uaa/log4j.properties"
    require_https: true
    scim:
      groups:
        zones.read: Read identity zones
        zones.write: Create and update identity zones
        idps.read: Retrieve identity providers
        idps.write: Create and update identity providers
        clients.admin: Create, modify and delete OAuth clients
        clients.write: Create and modify OAuth clients
        clients.read: Read information about OAuth clients
        clients.secret: Change the password of an OAuth client
        scim.write: Create, modify and delete SCIM entities, i.e. users and groups
        scim.read: Read all SCIM entities, i.e. users and groups
        scim.create: Create users
        scim.userids: Read user IDs and retrieve users by ID
        scim.zones: Control a user's ability to manage a zone
        scim.invite: Send invitations to users
        password.write: Change your password
        oauth.approval: Manage approved scopes
        oauth.login: Authenticate users outside of the UAA
        openid: Access profile information, i.e. email, first and last name, and phone number
        groups.update: Update group information and memberships
        uaa.user: Act as a user in the UAA
        uaa.resource: Serve resources protected by the UAA
        uaa.admin: Act as an administrator throughout the UAA
        uaa.none: Forbid acting as a user
        uaa.offline_token: Allow offline access
    oauth:
      clients:
        uaa_admin:
          authorities: clients.read,clients.write,clients.secret,uaa.admin,scim.read,scim.write,password.write
          authorized-grant-types: client_credentials
          override: true
          scope: 'cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,dataflow.view,dataflow.create,dataflow.manage'
          secret: uaa_secret
          id: uaa_admin
      user:
        authorities:
          - openid
          - scim.me
          - cloud_controller.read
          - cloud_controller.write
          - cloud_controller_service_permissions.read
          - password.write
          - scim.userids
          - uaa.user
          - approvals.me
          - oauth.approvals
          - profile
          - roles
          - user_attributes
          - uaa.offline_token
    issuer:
      uri: https://uaa-service:8443
    login:
      url: https://uaa-service:8443
      entityBaseURL: https://uaa-service:8443
      entityID: cloudfoundry-saml-login
      saml:
        nameID: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
        assertionConsumerIndex: 0
        signMetaData: true
        signRequest: true
        socket:
          connectionManagerTimeout: 10000
          soTimeout: 10000
      authorize:
        url: https://uaa-service:8443/oauth/authorize
    uaa:
      # The hostname of the UAA that this login server will connect to
      url: https://uaa-service:8443
      token:
        url: https://uaa-service:8443/oauth/token
      approvals:
        url: https://uaa-service:8443/approvals
      login:
        url: https://uaa-service:8443/authenticate
      limitedFunctionality:
        enabled: false
        whitelist:
          endpoints:
            - /oauth/authorize/**
            - /oauth/token/**
            - /check_token/**
            - /login/**
            - /login.do
            - /logout/**
            - /logout.do
            - /saml/**
            - /autologin/**
            - /authenticate/**
            - /idp_discovery/**
          methods:
            - GET
            - HEAD
            - OPTIONS

I think that the important values to remember are (in doubt about saml):

    issuer:
      uri: https://uaa-service:8443
    login:
      url: https://uaa-service:8443
      entityBaseURL: https://uaa-service:8443
      authorize:
        url: https://uaa-service:8443/oauth/authorize
    uaa:
      # The hostname of the UAA that this login server will connect to
      url: https://uaa-service:8443
      token:
        url: https://uaa-service:8443/oauth/token
      approvals:
        url: https://uaa-service:8443/approvals
      login:
        url: https://uaa-service:8443/authenticate

Ok, the pod is deployed and running. Remember 8443 for uaa_services actions.

2) Upgrade the uaa config for the users admin and user, and the role mappings.

Because I cannot get the uaac gem installed ... I run a docker image with the uaac client: docker run --rm -it cf-uaac bash, then

>>>>  I need to add the uaa-server pod ip to the docker image
#echo "10.42.0.1   uaa-service" >> /etc/hosts
#uaac --skip-ssl-validation   target https://uaa-service:8443
Unknown key: Max-Age = 86400
Target: http://uaa-service:8443
#uaac token client get uaa_admin  -s uaa_secret
Unknown key: Max-Age = 86400
Successfully fetched token via client credentials grant.
Target: http://uaa-service:8443
Context: uaa_admin, from client uaa_admin
>>>  Ok, I got a uaa_admin token to create the admin user, groups etc ..
>>>  check again that the token is valid
# uaac token decode
Note: no key given to validate token signature
  jti: 8067e0122b20433ab817f684e7335d30
  sub: uaa_admin
  authorities: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
  scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
  client_id: uaa_admin
  cid: uaa_admin
  azp: uaa_admin
  grant_type: client_credentials
  rev_sig: 7216b9b8
  iat: 1565017183
  exp: 1565060383
  iss: http://uaa-service:8443/oauth/token
  zid: uaa
  aud: scim uaa_admin password clients uaa**
#uaac user add admin -p password --emails admin@mk.com
root@bf98436ccc82:/# uaac user add admin -p password --emails admin@mk.com
user account successfully added
root@bf98436ccc82:/# uaac user add user  -p password --emails user@mk.com
user account successfully added

=========================================================================================================================================
root@bf98436ccc82:/# uaac group add "dataflow.view"
  id: 9796f596-e540-4f3b-a32c-90b1bac5d0cc
  meta
    version: 0
    created: 2019-08-05T15:00:01.014Z
    lastmodified: 2019-08-05T15:00:01.014Z
  members:
  schemas: urn:scim:schemas:core:1.0
  displayname: dataflow.view
  zoneid: uaa
root@bf98436ccc82:/# uaac group add "dataflow.create"
  id: c798e762-bcae-4d1f-8eef-2f7083df2d45
  meta
    version: 0
    created: 2019-08-05T15:00:01.495Z
    lastmodified: 2019-08-05T15:00:01.495Z
  members:
  schemas: urn:scim:schemas:core:1.0
  displayname: dataflow.create
  zoneid: uaa
root@bf98436ccc82:/# uaac group add "dataflow.manage"
  id: 47aeba32-db27-456c-aa12-d5492127fe1f
  meta
    version: 0
    created: 2019-08-05T15:00:01.986Z
    lastmodified: 2019-08-05T15:00:01.986Z
  members:
  schemas: urn:scim:schemas:core:1.0
  displayname: dataflow.manage
  zoneid: uaa

=========================================================================================================================================
root@bf98436ccc82:/# uaac member add dataflow.view admin
success
root@bf98436ccc82:/# uaac member add dataflow.create admin
success
root@bf98436ccc82:/# uaac member add  dataflow.manage admin
success

=========================================================================================================================================
root@bf98436ccc82:/# uaac member add dataflow.view user
success
root@bf98436ccc82:/# uaac member add dataflow.create user
success
root@bf98436ccc82:/# uaac member add dataflow.manage user
success
>>>  Now, map admin to the dataflow uaa client
>>>  IMPORTANT
>>>  the redirect url must be the same as the original http request
>>>  scdf2-data-flow-skipper:8844
>>>  this is the uri where I log in to the scdf2 dashboard
>>>  I cannot connect directly to the pod ... ssh tunnel instead ..
# uaac client add dataflow \
  --name dataflow \
  --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,dataflow.view,dataflow.create,dataflow.manage \
  --authorized_grant_types password,authorization_code,client_credentials,refresh_token \
  --authorities uaa.resource \
  --redirect_uri http://scdf2-data-flow-server:8844/login \
  --autoapprove openid \
  --secret dataflow
#uaac client add skipper \
  --name skipper \
  --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,dataflow.view,dataflow.create,dataflow.manage \
  --authorized_grant_types password,authorization_code,client_credentials,refresh_token \
  --authorities uaa.resource \
  --redirect_uri http://scdf2-data-flow-skipper:8844/login \
  --autoapprove openid \
  --secret skipper
>>>>  get a valid token with curl and check that the uri is ok
curl -k -v -d "username=admin&password=password&client_id=dataflow&grant_type=client_credentials" -u "dataflow:dataflow" https://uaa-service:8443/oauth/token
* Expire in 0 ms for 6 (transfer 0x5632e4386dd0)
*   Trying 10.42.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5632e4386dd0)
* Connected to uaa-service (10.42.0.1) port 8443 (#0)
* Server auth using Basic with user 'dataflow'
> POST /oauth/token HTTP/1.1
> Host: uaa-service:8443
> Authorization: Basic ZGF0YWZsb3c6ZGF0YWZsb3c=
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Length: 81
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 81 out of 81 bytes
< HTTP/1.1 200
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Cache-Control: no-store
< Pragma: no-cache
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Mon, 05 Aug 2019 15:02:21 GMT
<
* Connection #0 to host uaa-service left intact
{"access_token":"eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJlNmU3YzNiOWVkMmM0ZmI5ODQ5OWE3MmQ2N2EzMjMyYSIsInN1YiI6ImRhdGFmbG93IiwiYXV0aG9yaXRpZXMiOlsidWFhLnJlc291cmNlIl0sInNjb3BlIjpbInVhYS5yZXNvdXJjZSJdLCJjbGllbnRfaWQiOiJkYXRhZmxvdyIsImNpZCI6ImRhdGFmbG93IiwiYXpwIjoiZGF0YWZsb3ciLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwicmV2X3NpZyI6IjFkMmUwMjVjIiwiaWF0IjoxNTY1MDE3MzQxLCJleHAiOjE1NjUwNjA1NDEsImlzcyI6Imh0dHA6Ly91YWEtc2VydmljZTo4MDgwL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImRhdGFmbG93IiwidWFhIl19.G2f8bIMbUWJOz8kcZYtU37yYhTtMOEJlsrvJFINnUjo","token_type":"bearer","expires_in":43199,"scope":"uaa.resource","jti":"e6e7c3b9ed2c4fb98499a72d67a3232a"}
root@bf98436ccc82:/#

At this point, it seems the uaa server runs fine and I can get tokens from the "docker" process ... let's go on with the pods...

3) Deploy skipper and scdf2 with uaa security.

Skipper and scdf2 are deployed with the same values (changing the client_id value, of course):

LOGGING_LEVEL_ROOT: DEBUG
KUBERNETES_NAMESPACE: (v1:metadata.namespace)
SERVER_PORT: 8080
SPRING_CLOUD_CONFIG_ENABLED: false
SPRING_CLOUD_DATAFLOW_FEATURES_ANALYTICS_ENABLED: false
SPRING_CLOUD_KUBERNETES_SECRETS_ENABLE_API: true
SPRING_CLOUD_DATAFLOW_FEATURES_SCHEDULES_ENABLED: true
SPRING_CLOUD_KUBERNETES_SECRETS_PATHS: /etc/secrets
SPRING_CLOUD_KUBERNETES_CONFIG_NAME: scdf2-data-flow-server
SPRING_CLOUD_SKIPPER_CLIENT_SERVER_URI: http://${SCDF2_DATA_FLOW_SKIPPER_SERVICE_HOST}/api
SPRING_CLOUD_DATAFLOW_SERVER_URI: http://${SCDF2_DATA_FLOW_SERVER_SERVICE_HOST}:${SCDF2_DATA_FLOW_SERVER_SERVICE_PORT}
SPRING_CLOUD_DATAFLOW_SECURITY_CF_USE_UAA: true
SECURITY_OAUTH2_CLIENT_CLIENT_ID: dataflow
SECURITY_OAUTH2_CLIENT_CLIENT_SECRET: dataflow
SECURITY_OAUTH2_CLIENT_SCOPE: openid
SPRING_CLOUD_DATAFLOW_SECURITY_AUTHORIZATION_MAP_OAUTH_SCOPES: true
SECURITY_OAUTH2_CLIENT_ACCESS_TOKEN_URI: https://uaa-service:8443/oauth/token
SECURITY_OAUTH2_CLIENT_USER_AUTHORIZATION_URI: https://uaa-service:8443/oauth/authorize
SECURITY_OAUTH2_RESOURCE_USER_INFO_URI: https://uaa-service:8443/userinfo
SECURITY_OAUTH2_RESOURCE_TOKEN_INFO_URI: https://uaa-service:8443/check_token
SPRING_APPLICATION_JSON: { "com.sun.net.ssl.checkRevocation": "false", "maven": { "local-repository": "myLocalrepoMK", "remote-repositories": { "mk-repository": {"url": "http://${NEXUS_SERVICE_HOST}:${NEXUS_SERVICE_PORT}/repository/maven-releases/","auth": {"username": "admin","password": "admin123"}},"spring-repo": {"url": "https://repo.spring.io/libs-release","auth": {"username": "","password": ""}},"spring-repo-snapshot": {"url": "https://repo.spring.io/libs-snapshot/","auth": {"username": "","password": ""}}}} }

Using 8443 for the communication between pods...

And the skipper and scdf2 configmap:

management:
  endpoints:
    web:
      base-path: /management
  security:
    roles: MANAGE
spring:
  cloud:
    dataflow:
      security:
        authorization:
          map-oauth-scopes: true
          role-mappings:
            ROLE_CREATE: dataflow.create
            ROLE_DEPLOY: dataflow.deploy
            ROLE_DESTROY: dataflow.destoy
            ROLE_MANAGE: dataflow.manage
            ROLE_MODIFY: dataflow.modify
            ROLE_SCHEDULE: dataflow.schedule
            ROLE_VIEW: dataflow.view
          enabled: true
          rules:
            # About
            - GET    /about                          => hasRole('ROLE_VIEW')
            # Audit
            - GET    /audit-records                  => hasRole('ROLE_VIEW')
            - GET    /audit-records/**               => hasRole('ROLE_VIEW')
            # Boot Endpoints
            - GET    /management/**                  => hasRole('ROLE_MANAGE')

At this point, I wonder why I cannot see the login mapping defined? I deployed skipper and scdf2, and the first issue is that all the health processes return 401 .. ok ... let's continue...

The request makes no progress: http://scdf2-data-flow-server:8844/login?code=EFX6qfQMw&state=Fudfts

It does not get past the /login page from scdf2 and go to the dashboard

The request hangs at: http://scdf2-data-flow-server:8844/login&response_type=code&scope=openid&state=5HST0f

I think all the UAA processes have finished and return a redirect to log in to the scdf security model.

Login and loop

But, what happened?

The login request reaches scdf2, scdf2 checks everything with uaa correctly, and then it comes back again to be processed as a new request to scdf2, which sends a request to the uaa server again...

Then, restarting scdf with debug logging ... the request is now
GET /login?code=W7luipeEGG&state=7yiI9S HTTP/1.1 and the logging:

2019-08-12 15:37:58.413 DEBUG 1 --- [nio-8080-exec-5] o.a.tomcat.util.net.SocketWrapperBase    : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@39c5463b:org.apache.tomcat.util.net.NioChannel@6160a9db:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:58562]], Read from buffer: [0]
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.net.NioEndpoint   : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@39c5463b:org.apache.tomcat.util.net.NioChannel@6160a9db:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:58562]], Read direct from socket: [593]
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.coyote.http11.Http11InputBuffer      : Received [GET /login?code=W7luipeEGG&state=7yiI9S HTTP/1.1
Host: scdf2-data-flow-server:8844
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=077168452F9CCF4378715DC3FE20D4B2

]
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.t.util.http.Rfc6265CookieProcessor   : Cookies: Parsing b[]: JSESSIONID=077168452F9CCF4378715DC3FE20D4B2
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.catalina.connector.CoyoteAdapter     :  Requested cookie session id is 077168452F9CCF4378715DC3FE20D4B2
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.c.authenticator.AuthenticatorBase    : Security checking request GET /login
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] org.apache.catalina.realm.RealmBase      :   No applicable constraints defined
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.c.authenticator.AuthenticatorBase    :  Not subject to any constraint
2019-08-12 15:37:58.415 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.http.Parameters   : Set encoding to UTF-8
2019-08-12 15:37:58.415 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.http.Parameters   : Decoding query null UTF-8
2019-08-12 15:37:58.416 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.http.Parameters   : Start processing with input [code=W7luipeEGG&state=7yiI9S]
2019-08-12 15:37:58.425 ERROR 1 --- [nio-8080-exec-5] o.s.c.c.s.OAuthSecurityConfiguration     : An error occurred while accessing an authentication REST resource.

But with the debug error, now I can see:

2019-08-12 15:37:58.416 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.http.Parameters   : Start processing with input [code=W7luipeEGG&state=7yiI9S]
2019-08-12 15:37:58.425 ERROR 1 --- [nio-8080-exec-5] o.s.c.c.s.OAuthSecurityConfiguration     : An error occurred while accessing an authentication REST resource.

org.springframework.security.authentication.BadCredentialsException: Could not obtain access token
	at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:107)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
	at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:105)
	... 66 common frames omitted
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://uaa-service:8443/oauth/token": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744)
	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:691)
	at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:137)
	... 72 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
	... 88 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
	... 94 common frames omitted
2019-08-12 15:37:58.426 DEBUG 1 --- [nio-8080-exec-5] o.a.c.c.C.[Tomcat].[localhost]           : Processing ErrorPage[errorCode=0, location=/error]
2019-08-12 15:37:58.427 DEBUG 1 --- [nio-8080-exec-5] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Disabling the response for further output

Ok, now we get

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

It seems the jvm needs more info to handle something like cacerts ...

So, how do I add the new cacert from uaa-server to the jvm of scdf2?

Is this a new step for starting to use scdf2 with uaa?

What am I doing wrong?

Is it required to add the uaa-service cert to the jvm of the pod where scdf2 runs?

Please help!!!
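The curl call in the question answers HTTP 200, which the post takes as proof that the token side of UAA is fine. Decoding the claims of that very token (the way `uaac token decode` does, without verifying the signature) shows what a resource server would actually receive. The following is an added example, not code from the question or from UAA/SCDF: it embeds the access_token string copied from the curl output above, and takes the expected issuer `https://uaa-service:8443/oauth/token` and the `dataflow.*` scopes from the posted configuration; the `check_claims` checks are this example's own choice of what to look at.

```python
import base64
import json
import time

# access_token from the curl call against /oauth/token in the question (copied verbatim).
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ."
    "eyJqdGkiOiJlNmU3YzNiOWVkMmM0ZmI5ODQ5OWE3MmQ2N2EzMjMyYSIsInN1YiI6ImRhdGFmbG93IiwiYXV0aG9yaXRpZXMiOlsidWFhLnJlc291cmNlIl0sInNjb3BlIjpbInVhYS5yZXNvdXJjZSJdLCJjbGllbnRfaWQiOiJkYXRhZmxvdyIsImNpZCI6ImRhdGFmbG93IiwiYXpwIjoiZGF0YWZsb3ciLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwicmV2X3NpZyI6IjFkMmUwMjVjIiwiaWF0IjoxNTY1MDE3MzQxLCJleHAiOjE1NjUwNjA1NDEsImlzcyI6Imh0dHA6Ly91YWEtc2VydmljZTo4MDgwL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImRhdGFmbG93IiwidWFhIl19."
    "G2f8bIMbUWJOz8kcZYtU37yYhTtMOEJlsrvJFINnUjo"
)

# What the posted uaa.yml / SCDF configuration says a usable token should carry.
EXPECTED_ISSUER = "https://uaa-service:8443/oauth/token"
DASHBOARD_SCOPES = {"openid", "dataflow.view", "dataflow.create", "dataflow.manage"}


def _b64url_decode(segment):
    """base64url segment without padding -> bytes (JWT segments strip the '=' padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Split a compact JWS into (header, claims).

    The signature is deliberately NOT verified, exactly like `uaac token decode`
    without a key: this is for inspecting what UAA issued, never for authorization.
    """
    header_b64, claims_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def check_claims(claims, client_id, expected_issuer, needed_scopes, now=None):
    """Return the reasons this token would not open the SCDF dashboard."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("iss") != expected_issuer:
        findings.append(f"issuer mismatch: token says {claims.get('iss')!r}, "
                        f"configuration says {expected_issuer!r}")
    if claims.get("grant_type") == "client_credentials":
        findings.append("client_credentials grant: the token identifies the client itself, "
                        "so the username/password form fields were ignored")
    if client_id not in claims.get("aud", []):
        findings.append(f"client {client_id!r} is not in aud {claims.get('aud')!r}")
    missing = sorted(set(needed_scopes) - set(claims.get("scope", [])))
    if missing:
        findings.append("scopes missing from the token: " + ", ".join(missing))
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings


if __name__ == "__main__":
    header, claims = decode_jwt(TOKEN)
    print("header:", header)
    print("claims:", json.dumps(claims, indent=2))
    for finding in check_claims(claims, "dataflow", EXPECTED_ISSUER, DASHBOARD_SCOPES):
        print("-", finding)
```

Run against the token from the post, the claims show `grant_type: client_credentials` with `scope: ["uaa.resource"]` (the client's own authority, none of the `dataflow.*` groups the user was added to) and `iss: http://uaa-service:8080/oauth/token` rather than the configured `https://uaa-service:8443`; only the authorization_code exchange that the dashboard redirect starts would produce a token with the user's scopes, which is the exchange failing with the PKIX error in the debug log.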

Solution

And, the issue was,

Going into the server deployment, I removed the following config:

#- name: SECURITY_OAUTH2_CLIENT_SCOPE
#  value: 'openid'

Do not apply any config parameter about scope anywhere.

Because, if the scope is omitted or null, all scopes are assigned to the client, with no need for a third-party authorization confirmation...

Warning: you can get a lot of samples into .. testing with this config?

No config about uaa was applied to skipper.... only the uaa cacert into the jks
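Why removing SECURITY_OAUTH2_CLIENT_SCOPE fixes the loop follows from how SCDF turns token scopes into roles (`map-oauth-scopes: true` with the `role-mappings` from the configmap in the question). The example below is added here and is not SCDF's or UAA's code; it models that path with one simplifying assumption of its own: the scopes UAA grants to a user token are taken to be the client's registered scopes intersected with the user's group memberships, narrowed further when the client requests a specific scope. The role mapping and rules are the ones from the posted configmap (including its `dataflow.destoy` typo), the client scopes come from the `uaac client add dataflow --scope ...` command, and the admin user's groups are the default `user.authorities` from uaa.yml plus the three `uaac member add` groups.

```python
import re

# Role mapping copied from the skipper/scdf2 configmap in the question.
# "dataflow.destoy" is the typo as posted: no real scope will ever grant ROLE_DESTROY.
ROLE_MAPPINGS = {
    "ROLE_CREATE": "dataflow.create",
    "ROLE_DEPLOY": "dataflow.deploy",
    "ROLE_DESTROY": "dataflow.destoy",
    "ROLE_MANAGE": "dataflow.manage",
    "ROLE_MODIFY": "dataflow.modify",
    "ROLE_SCHEDULE": "dataflow.schedule",
    "ROLE_VIEW": "dataflow.view",
}

# Authorization rules copied from the same configmap.
RULES = [
    "GET    /about                          => hasRole('ROLE_VIEW')",
    "GET    /audit-records                  => hasRole('ROLE_VIEW')",
    "GET    /audit-records/**               => hasRole('ROLE_VIEW')",
    "GET    /management/**                  => hasRole('ROLE_MANAGE')",
]

# Scopes registered for the "dataflow" client (uaac client add dataflow --scope ...).
DATAFLOW_CLIENT_SCOPES = {
    "cloud_controller.read", "cloud_controller.write", "openid", "password.write",
    "scim.userids", "dataflow.view", "dataflow.create", "dataflow.manage",
}

# Group memberships of the "admin" user: default user authorities from uaa.yml
# plus the three dataflow groups added with `uaac member add`.
ADMIN_GROUPS = {
    "openid", "scim.me", "cloud_controller.read", "cloud_controller.write",
    "cloud_controller_service_permissions.read", "password.write", "scim.userids",
    "uaa.user", "approvals.me", "oauth.approvals", "profile", "roles",
    "user_attributes", "uaa.offline_token",
    "dataflow.view", "dataflow.create", "dataflow.manage",
}


def granted_scopes(requested, client_scopes, user_groups):
    """Scopes that end up in the user's token (simplified model, an assumption of
    this example): client scopes the user is a member of, narrowed to `requested`
    when the client asks for specific scopes. requested=None models leaving
    SECURITY_OAUTH2_CLIENT_SCOPE unset, as the answer recommends."""
    allowed = set(client_scopes) & set(user_groups)
    if requested is None:
        return allowed
    return allowed & set(requested)


def roles_for_scopes(scopes, role_mappings=ROLE_MAPPINGS):
    """map-oauth-scopes: true -> grant every role whose mapped scope is in the token."""
    return {role for role, scope in role_mappings.items() if scope in scopes}


def parse_rule(rule):
    """'GET /path/** => hasRole('ROLE_X')' -> (method, ant_pattern, role)."""
    match = re.fullmatch(r"(\w+)\s+(\S+)\s*=>\s*hasRole\('(\w+)'\)", rule.strip())
    if match is None:
        raise ValueError(f"unparseable rule: {rule!r}")
    return match.group(1), match.group(2), match.group(3)


def path_matches(ant_pattern, path):
    """Ant-style matching: '**' spans path separators, '*' matches one segment."""
    regex = re.escape(ant_pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


def is_allowed(method, path, roles, rules=RULES):
    """The first rule whose method and path match decides. A request no rule covers
    is denied here (a conservative default for this example, not SCDF's own fall-through)."""
    for rule in rules:
        rule_method, pattern, role = parse_rule(rule)
        if rule_method == method and path_matches(pattern, path):
            return role in roles
    return False


if __name__ == "__main__":
    for label, requested in (("scope=openid", {"openid"}), ("scope unset", None)):
        scopes = granted_scopes(requested, DATAFLOW_CLIENT_SCOPES, ADMIN_GROUPS)
        roles = roles_for_scopes(scopes)
        print(f"{label}: scopes={sorted(scopes)} roles={sorted(roles)} "
              f"GET /about allowed={is_allowed('GET', '/about', roles)}")
```

With `SECURITY_OAUTH2_CLIENT_SCOPE: openid` the token carries only `openid`, no `dataflow.*` scope maps to a role, and every rule denies, which is the 401 on the health endpoints and the bounce back to /login; with the scope left unset the admin user's `dataflow.view`, `dataflow.create` and `dataflow.manage` memberships become ROLE_VIEW, ROLE_CREATE and ROLE_MANAGE.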

Using the kubernetes deployer, I cannot log in to scdf2 when applying uaa service security... using the scdf 2.1.2 image version.

I get a loop between /login and /login?code=xxx from the uaa service because, I think, scdf2 cannot get the "token"..

The process:

1) Initial launch of the uaa server.

A uaa service running in a k8s pod, using the following config [applying https://github.com/making/uaa-on-kubernetes/blob/master/k8s/uaa.yml]

It needs a secret deployed with the cert and key. When I created the csr, the CN value for the certificate was "uaa-service", as a valid hostname. Then, uaa-service using https and certs:

apiVersion: v1
kind: Service
metadata:
  name: uaa-service
  labels:
    app: uaa
spec:
  type: LoadBalancer
  ports:
  - port: 8443
    nodePort: 8443  
    name: uaa
  selector:
    app: uaa    
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: uaa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: uaa
  template:
    metadata:
      labels:
        app: uaa
    spec:
      initContainers:
      - image: openjdk:8-jdk-slim
        name: pem-to-keystore
        volumeMounts:
        - name: keystore-volume
          mountPath: /keystores
        - name: uaa-tls
          mountPath: /uaa-tls
        command:          
        - sh
        - -c
        - |
          openssl pkcs12 -export \
                  -name uaa-tls \
                  -in /uaa-tls/tls.crt \
                  -inkey /uaa-tls/tls.key \
                  -out /keystores/uaa.p12 \
                  -password pass:foobar
          keytool -importkeystore \
                  -destkeystore /keystores/uaa.jks \
                  -srckeystore /keystores/uaa.p12 \
                  -deststoretype pkcs12 \
                  -srcstoretype pkcs12 \
                  -alias uaa-tls \
                  -deststorepass changeme \
                  -destkeypass changeme \
                  -srcstorepass foobar \
                  -srckeypass foobar \
                  -noprompt
      containers:
      - name: uaa
        image: making/uaa:4.13.0
        command:
        - sh
        - -c
        - |
          mv /usr/local/tomcat/webapps/uaa.war /usr/local/tomcat/webapps/ROOT.war 
          catalina.sh run
        ports:
        - containerPort: 8443
        volumeMounts:
        - name: uaa-config
          mountPath: /uaa
          readOnly: true
        - name: server-config
          mountPath: /usr/local/tomcat/conf/server.xml
          subPath: server.xml
          readOnly: true
        - name: keystore-volume
          mountPath: /keystores
          readOnly: true
        env:
        - name: _JAVA_OPTIONS
          value: "-Djava.security.policy=unlimited -Djava.security.egd=file:/dev/./urandom"
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8443
            scheme: HTTPS
          initialDelaySeconds: 90
          timeoutSeconds: 30
          failureThreshold: 50
          periodSeconds: 60
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8443
            scheme: HTTPS
          initialDelaySeconds: 90
          timeoutSeconds: 30
          periodSeconds: 60
          failureThreshold: 50
      volumes:
      - name: uaa-config
        configMap:
          name: uaa-config
          items:
          - key: uaa.yml
            path: uaa.yml
          - key: log4j.properties
            path: log4j.properties
      - name: server-config
        configMap:
          name: uaa-config
          items:
          - key: server.xml
            path: server.xml
      - name: keystore-volume
        emptyDir: {}
      - name: uaa-tls
        secret:
          secretName: uaa-tls
          # kubectl create secret tls uaa-tls --cert=uaa-service.crt --key=uaa-service.key
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: uaa-config
data:
  server.xml: |-
    <?xml version='1.0' encoding='utf-8'?>
    <Server port="-1">
      <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
      <Service name="Catalina">
        <Connector class="org.apache.coyote.http11.Http11NioProtocol" protocol="HTTP/1.1" connectionTimeout="20000"
                   scheme="https"
                   port="8443"
                   SSLEnabled="true"
                   sslEnabledProtocols="TLSv1.2"
                   ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                   secure="true"
                   clientAuth="false"
                   sslProtocol="TLS"
                   keystoreFile="/keystores/uaa.jks"
                   keystoreType="PKCS12"
                   keyAlias="uaa-tls"
                   keystorePass="changeme"
                   bindOnInit="false"/>
        <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                   connectionTimeout="20000"
                   port="8989"
                   address="127.0.0.1"
                   bindOnInit="true"/>
        <Engine name="Catalina" defaultHost="localhost">
          <Host name="localhost"
                appBase="webapps"
                unpackWARs="true"
                autoDeploy="false"
                failCtxIfServletStartFails="true">
            <Valve className="org.apache.catalina.valves.RemoteIpValve"
                   remoteIpHeader="x-forwarded-for"
                   protocolHeader="x-forwarded-proto"
                   internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"/>
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                   prefix="localhost_access" suffix=".log" rotatable="false" pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
          </Host>
        </Engine>
      </Service>
    </Server>
  log4j.properties: |-
    PID=????
    log4j.rootCategory=INFO, CONSOLE
    log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
    log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
    log4j.appender.CONSOLE.layout.ConversionPattern=[%d{yyyy-MM-dd HH:mm:ss.SSS}] uaa%X{context} - ${PID} [%t] .... %5p --- %c{1}: %m%n
    log4j.category.org.springframework.security=INFO
    log4j.category.org.cloudfoundry.identity=INFO
    log4j.category.org.springframework.jdbc=INFO
    log4j.category.org.apache.http.wire=INFO
  uaa.yml: |-
    logging:
      config: "/uaa/log4j.properties"
    require_https: true
    scim:
      groups:
        zones.read: Read identity zones
        zones.write: Create and update identity zones
        idps.read: Retrieve identity providers
        idps.write: Create and update identity providers
        clients.admin: Create, modify and delete OAuth clients
        clients.write: Create and modify OAuth clients
        clients.read: Read information about OAuth clients
        clients.secret: Change the password of an OAuth client
        scim.write: Create, modify and delete SCIM entities, i.e. users and groups
        scim.read: Read all SCIM entities, i.e. users and groups
        scim.create: Create users
        scim.userids: Read user IDs and retrieve users by ID
        scim.zones: Control a user's ability to manage a zone
        scim.invite: Send invitations to users
        password.write: Change your password
        oauth.approval: Manage approved scopes
        oauth.login: Authenticate users outside of the UAA
        openid: Access profile information, i.e. email, first and last name, and phone number
        groups.update: Update group information and memberships
        uaa.user: Act as a user in the UAA
        uaa.resource: Serve resources protected by the UAA
        uaa.admin: Act as an administrator throughout the UAA
        uaa.none: Forbid acting as a user
        uaa.offline_token: Allow offline access
    oauth:
      clients:
        uaa_admin:
          authorities: clients.read,clients.write,clients.secret,uaa.admin,scim.read,scim.write,password.write
          authorized-grant-types: client_credentials
          override: true
          scope: 'cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,dataflow.view,dataflow.create,dataflow.manage'
          secret: uaa_secret
          id: uaa_admin
      user:
        authorities:
          - openid
          - scim.me
          - cloud_controller.read
          - cloud_controller.write
          - cloud_controller_service_permissions.read
          - password.write
          - scim.userids
          - uaa.user
          - approvals.me
          - oauth.approvals
          - profile
          - roles
          - user_attributes
          - uaa.offline_token
    issuer:
      uri: https://uaa-service:8443
    login:
      url: https://uaa-service:8443
      entityBaseURL: https://uaa-service:8443
      entityID: cloudfoundry-saml-login
      saml:
        nameID: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
        assertionConsumerIndex: 0
        signMetaData: true
        signRequest: true
        socket:
          connectionManagerTimeout: 10000
          soTimeout: 10000
      authorize:
        url: https://uaa-service:8443/oauth/authorize
    uaa:
      # The hostname of the UAA that this login server will connect to
      url: https://uaa-service:8443
      token:
        url: https://uaa-service:8443/oauth/token
      approvals:
        url: https://uaa-service:8443/approvals
      login:
        url: https://uaa-service:8443/authenticate
      limitedFunctionality:
        enabled: false
        whitelist:
          endpoints:
            - /oauth/authorize/**
            - /oauth/token/**
            - /check_token/**
            - /login/**
            - /login.do
            - /logout/**
            - /logout.do
            - /saml/**
            - /autologin/**
            - /authenticate/**
            - /idp_discovery/**
          methods:
            - GET
            - HEAD
            - OPTIONS


I think that the important values to remember are (in doubt about saml):

    issuer:
      uri: https://uaa-service:8443
    login:
      url: https://uaa-service:8443
      entityBaseURL: https://uaa-service:8443
      authorize:
        url: https://uaa-service:8443/oauth/authorize
    uaa:
      # The hostname of the UAA that this login server will connect to
      url: https://uaa-service:8443
      token:
        url: https://uaa-service:8443/oauth/token
      approvals:
        url: https://uaa-service:8443/approvals
      login:
        url: https://uaa-service:8443/authenticate

Ok, the pod is deployed and running. Remember 8443 for uaa_services actions.

2) Upgrade the uaa config for the users admin and user, and the role mappings.

Because I cannot get the uaac gem installed ... I run a docker image with the uaac client: docker run --rm -it cf-uaac bash, then

>>>>  I need to add the uaa-server pod ip to the docker image
#echo "10.42.0.1   uaa-service" >> /etc/hosts  
#uaac --skip-ssl-validation   target https://uaa-service:8443
Unknown key: Max-Age = 86400
Target: http://uaa-service:8443
#uaac token client get uaa_admin  -s uaa_secret
Unknown key: Max-Age = 86400
Successfully fetched token via client credentials grant.
Target: http://uaa-service:8443
Context: uaa_admin, from client uaa_admin
>>>  Ok, I got a uaa_admin token to create the admin user, groups etc ..
>>>  check again that the token is valid
# uaac token decode
Note: no key given to validate token signature
  jti: 8067e0122b20433ab817f684e7335d30
  sub: uaa_admin
  authorities: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
  scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
  client_id: uaa_admin
  cid: uaa_admin
  azp: uaa_admin
  grant_type: client_credentials
  rev_sig: 7216b9b8
  iat: 1565017183
  exp: 1565060383
  iss: http://uaa-service:8443/oauth/token
  zid: uaa
  aud: scim uaa_admin password clients uaa
#uaac user add admin -p password --emails admin@mk.com
root@bf98436ccc82:/# uaac user add admin -p password --emails admin@mk.com
user account successfully added
root@bf98436ccc82:/# uaac user add user  -p password --emails user@mk.com
user account successfully added

=========================================================================================================================================
root@bf98436ccc82:/# uaac group add "dataflow.view"
  id: 9796f596-e540-4f3b-a32c-90b1bac5d0cc
  meta
    version: 0
    created: 2019-08-05T15:00:01.014Z
    lastmodified: 2019-08-05T15:00:01.014Z
  members:
  schemas: urn:scim:schemas:core:1.0
  displayname: dataflow.view
  zoneid: uaa
root@bf98436ccc82:/# uaac group add "dataflow.create"

  id: c798e762-bcae-4d1f-8eef-2f7083df2d45
  meta
    version: 0
    created: 2019-08-05T15:00:01.495Z
    lastmodified: 2019-08-05T15:00:01.495Z
  members:
  schemas: urn:scim:schemas:core:1.0
  displayname: dataflow.create
  zoneid: uaa
root@bf98436ccc82:/# uaac group add "dataflow.manage"
  id: 47aeba32-db27-456c-aa12-d5492127fe1f
  meta
    version: 0
    created: 2019-08-05T15:00:01.986Z
    lastmodified: 2019-08-05T15:00:01.986Z
  members:
  schemas: urn:scim:schemas:core:1.0
  displayname: dataflow.manage
  zoneid: uaa

=========================================================================================================================================
root@bf98436ccc82:/# uaac member add dataflow.view admin
success
root@bf98436ccc82:/# uaac member add dataflow.create admin
success
root@bf98436ccc82:/# uaac member add  dataflow.manage admin
success
=========================================================================================================================================
root@bf98436ccc82:/# uaac member add dataflow.view user
success
root@bf98436ccc82:/# uaac member add dataflow.create user
success
root@bf98436ccc82:/# uaac member add  dataflow.manage user
success

>>>  Now, mapping admin to the dataflow uaa client
>>>  Important
>>>  The redirect url MUST BE THE SAME as the original http request
>>>  scdf2-data-flow-skipper:8844
>>>   this is my login uri to the scdf2 dashboard
>>>  I can't connect directly to the pod ... ssh tunnels instead ..

# uaac client add dataflow \
   --name dataflow \
   --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,dataflow.view,dataflow.create,dataflow.manage \
   --authorized_grant_types password,authorization_code,client_credentials,refresh_token \
   --authorities uaa.resource \
   --redirect_uri  http://scdf2-data-flow-server:8844/login\
   --autoapprove openid \
   --secret dataflow


#uaac client add skipper \
   --name skipper \
   --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,dataflow.view,dataflow.create,dataflow.manage \
   --authorized_grant_types password,authorization_code,client_credentials,refresh_token \
   --authorities uaa.resource \
   --redirect_uri http://scdf2-data-flow-skipper:8844/login \
   --autoapprove openid \
   --secret skipper

>>>> Using curl to get a valid token and check that the uris are ok

curl -k -v -d"username=admin&password=password&client_id=dataflow&grant_type=client_credentials" -u "dataflow:dataflow" https://uaa-service:8443/oauth/token
* Expire in 0 ms for 6 (transfer 0x5632e4386dd0)

*   Trying 10.42.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5632e4386dd0)
* Connected to uaa-service (10.42.0.1) port 8443 (#0)
* Server auth using Basic with user 'dataflow'
> POST /oauth/token HTTP/1.1
> Host: uaa-service:8443
> Authorization: Basic ZGF0YWZsb3c6ZGF0YWZsb3c=
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Length: 81
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 81 out of 81 bytes
< HTTP/1.1 200
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Cache-Control: no-store
< Pragma: no-cache
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Mon, 05 Aug 2019 15:02:21 GMT
<
* Connection #0 to host uaa-service left intact
{"access_token":"eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJlNmU3YzNiOWVkMmM0ZmI5ODQ5OWE3MmQ2N2EzMjMyYSIsInN1YiI6ImRhdGFmbG93IiwiYXV0aG9yaXRpZXMiOlsidWFhLnJlc291cmNlIl0sInNjb3BlIjpbInVhYS5yZXNvdXJjZSJdLCJjbGllbnRfaWQiOiJkYXRhZmxvdyIsImNpZCI6ImRhdGFmbG93IiwiYXpwIjoiZGF0YWZsb3ciLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwicmV2X3NpZyI6IjFkMmUwMjVjIiwiaWF0IjoxNTY1MDE3MzQxLCJleHAiOjE1NjUwNjA1NDEsImlzcyI6Imh0dHA6Ly91YWEtc2VydmljZTo4MDgwL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImRhdGFmbG93IiwidWFhIl19.G2f8bIMbUWJOz8kcZYtU37yYhTtMOEJlsrvJFINnUjo","token_type":"bearer","expires_in":43199,"scope":"uaa.resource","jti":"e6e7c3b9ed2c4fb98499a72d67a3232a"}root@bf98436ccc82:/#

At this point, it seems that the uaa server is running ok and I can get a token from a "docker" process... let's continue using pods ...

3) Deploy skipper and scdf2 using security uaa.

Skipper and scdf2 are deployed using the same values (changing the client_id values, of course):

LOGGING_LEVEL_ROOT: DEBUG
KUBERNETES_NAMESPACE: (v1:metadata.namespace)
SERVER_PORT: 8080
SPRING_CLOUD_CONFIG_ENABLED: false
SPRING_CLOUD_DATAFLOW_FEATURES_ANALYTICS_ENABLED: false
SPRING_CLOUD_KUBERNETES_SECRETS_ENABLE_API: true
SPRING_CLOUD_DATAFLOW_FEATURES_SCHEDULES_ENABLED: true
SPRING_CLOUD_KUBERNETES_SECRETS_PATHS: /etc/secrets
SPRING_CLOUD_KUBERNETES_CONFIG_NAME: scdf2-data-flow-server
SPRING_CLOUD_SKIPPER_CLIENT_SERVER_URI: http://${SCDF2_DATA_FLOW_SKIPPER_SERVICE_HOST}/api
SPRING_CLOUD_DATAFLOW_SERVER_URI: http://${SCDF2_DATA_FLOW_SERVER_SERVICE_HOST}:${SCDF2_DATA_FLOW_SERVER_SERVICE_PORT}
SPRING_CLOUD_DATAFLOW_SECURITY_CF_USE_UAA: true
SECURITY_OAUTH2_CLIENT_CLIENT_ID: dataflow
SECURITY_OAUTH2_CLIENT_CLIENT_SECRET: dataflow
SECURITY_OAUTH2_CLIENT_SCOPE: openid
SPRING_CLOUD_DATAFLOW_SECURITY_AUTHORIZATION_MAP_OAUTH_SCOPES: true
SECURITY_OAUTH2_CLIENT_ACCESS_TOKEN_URI: https://uaa-service:8443/oauth/token
SECURITY_OAUTH2_CLIENT_USER_AUTHORIZATION_URI: https://uaa-service:8443/oauth/authorize
SECURITY_OAUTH2_RESOURCE_USER_INFO_URI: https://uaa-service:8443/userinfo
SECURITY_OAUTH2_RESOURCE_TOKEN_INFO_URI: https://uaa-service:8443/check_token
SPRING_APPLICATION_JSON: { "com.sun.net.ssl.checkRevocation": "false", "maven": { "local-repository": "myLocalrepoMK", "remote-repositories": { "mk-repository": {"url": "http://${NEXUS_SERVICE_HOST}:${NEXUS_SERVICE_PORT}/repository/maven-releases/","auth": {"username": "admin","password": "admin123"}},"spring-repo": {"url": "https://repo.spring.io/libs-release","auth": {"username": "","password": ""}},"spring-repo-snapshot": {"url": "https://repo.spring.io/libs-snapshot/","auth": {"username": "","password": ""}}}} }

Using 8443 for communication between pods ...

And skipper and scdf2 config maps:

management:
  endpoints:
    web:
      base-path: /management
  security:
    roles: MANAGE
spring:
  cloud:
    dataflow:
      security:
        authorization:
          map-oauth-scopes: true
          role-mappings:
            ROLE_CREATE: dataflow.create
            ROLE_DEPLOY: dataflow.deploy
            ROLE_DESTROY: dataflow.destroy
            ROLE_MANAGE: dataflow.manage
            ROLE_MODIFY: dataflow.modify
            ROLE_SCHEDULE: dataflow.schedule
            ROLE_VIEW: dataflow.view
          enabled: true
          rules:
            # About
            - GET    /about                          => hasRole('ROLE_VIEW')
            # Audit
            - GET /audit-records                     => hasRole('ROLE_VIEW')
            - GET /audit-records/**                  => hasRole('ROLE_VIEW')
            # Boot Endpoints
            - GET /management/**                  => hasRole('ROLE_MANAGE')

At this point, I wonder why I cannot see a login mapping defined? I deploy skipper and scdf2 and the first problem is that all the health checks return 401 .. ok ... let's continue ...

The request does not progress after: http://scdf2-data-flow-server:8844/login?code=ETFX6qfQMw&state=Fudfts

It does not get past the /login page of scdf2 and go to the dashboard.

The request hangs in: http://scdf2-data-flow-server:8844/login&response_type=code&scope=openid&state=5HST0f

I think that all the UAA processing is terminated and it redirects back to login in the scdf security model.

Login and loop.

But, what happens?

The login request arrives at scdf2, scdf2 checks with uaa that all is correct and comes back again to be processed as a new request in scdf2, which sends a request to the uaa server again ...

Then, restart scdf using debug logging ... the request is now:
GET /login?code=W7luipeEGG&state=7yiI9S HTTP/1.1
and the logging:

2019-08-12 15:37:58.413 DEBUG 1 --- [nio-8080-exec-5] o.a.tomcat.util.net.SocketWrapperBase    : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@39c5463b:org.apache.tomcat.util.net.NioChannel@6160a9db:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:58562]], Read from buffer: [0]
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.net.NioEndpoint   : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@39c5463b:org.apache.tomcat.util.net.NioChannel@6160a9db:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:58562]], Read direct from socket: [593]
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.coyote.http11.Http11InputBuffer      : Received [GET /login?code=W7luipeEGG&state=7yiI9S HTTP/1.1
Host: scdf2-data-flow-server:8844
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=077168452F9CCF4378715DC3FE20D4B2

]
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.t.util.http.Rfc6265CookieProcessor   : Cookies: Parsing b[]: JSESSIONID=077168452F9CCF4378715DC3FE20D4B2
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.catalina.connector.CoyoteAdapter     :  Requested cookie session id is 077168452F9CCF4378715DC3FE20D4B2
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.c.authenticator.AuthenticatorBase    : Security checking request GET /login
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] org.apache.catalina.realm.RealmBase      :   No applicable constraints defined
2019-08-12 15:37:58.414 DEBUG 1 --- [nio-8080-exec-5] o.a.c.authenticator.AuthenticatorBase    :  Not subject to any constraint
2019-08-12 15:37:58.415 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.http.Parameters   : Set encoding to UTF-8
2019-08-12 15:37:58.415 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.http.Parameters   : Decoding query null UTF-8
2019-08-12 15:37:58.416 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.http.Parameters   : Start processing with input [code=W7luipeEGG&state=7yiI9S]
2019-08-12 15:37:58.425 ERROR 1 --- [nio-8080-exec-5] o.s.c.c.s.OAuthSecurityConfiguration     : An error occurred while accessing an authentication REST resource.

but in the debug error output, now I can see:

019-08-12 15:37:58.416 DEBUG 1 --- [nio-8080-exec-5] org.apache.tomcat.util.http.Parameters   : Start processing with input [code=W7luipeEGG&state=7yiI9S]
2019-08-12 15:37:58.425 ERROR 1 --- [nio-8080-exec-5] o.s.c.c.s.OAuthSecurityConfiguration     : An error occurred while accessing an authentication REST resource.
org.springframework.security.authentication.BadCredentialsException: Could not obtain access token
      at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:107)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
        at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:105)
        ... 66 common frames omitted
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://uaa-service:8443/oauth/token": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744)
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:691)
        at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:137)
        ... 72 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        ... 88 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 94 common frames omitted
2019-08-12 15:37:58.426 DEBUG 1 --- [nio-8080-exec-5] o.a.c.c.C.[Tomcat].[localhost]           : Processing ErrorPage[errorCode=0, location=/error]
2019-08-12 15:37:58.427 DEBUG 1 --- [nio-8080-exec-5] o.a.c.c.C.[.[.[/].[dispatcherServlet]    :  Disabling the response for further output

Ok, now we get:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

It seems that the jvm needs more info in cacerts or similar ...

Then, how can I add the new cacert from the uaa-server to the jvm of scdf2?

Is this the next step to get scdf2 with uaa working?

What am I doing wrong?

Do I need to add the uaa-service cert to the jvm of the running scdf2 pod?

Please help!!!
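As an added diagnostic (not code from the original post, nor from UAA or SCDF): the script below decodes the header and payload of the access token returned by the curl call above, without checking the signature, so that the iss, aud, scope and alg claims can be compared with what the SCDF client is configured to call (SECURITY_OAUTH2_CLIENT_ACCESS_TOKEN_URI = https://uaa-service:8443/oauth/token). It assumes GNU coreutils (base64, cut, tr) and sed; the token is the one pasted in the question, and the helper names are my own.

```shell
# Added example, not part of the original question: inspect a UAA JWT's claims.
# Signature is NOT verified here (that needs the key from UAA's /token_key), so
# this is a debugging aid only, never an authorization check.

# Access token copied verbatim from the question's curl output.
UAA_TOKEN='eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJlNmU3YzNiOWVkMmM0ZmI5ODQ5OWE3MmQ2N2EzMjMyYSIsInN1YiI6ImRhdGFmbG93IiwiYXV0aG9yaXRpZXMiOlsidWFhLnJlc291cmNlIl0sInNjb3BlIjpbInVhYS5yZXNvdXJjZSJdLCJjbGllbnRfaWQiOiJkYXRhZmxvdyIsImNpZCI6ImRhdGFmbG93IiwiYXpwIjoiZGF0YWZsb3ciLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwicmV2X3NpZyI6IjFkMmUwMjVjIiwiaWF0IjoxNTY1MDE3MzQxLCJleHAiOjE1NjUwNjA1NDEsImlzcyI6Imh0dHA6Ly91YWEtc2VydmljZTo4MDgwL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImRhdGFmbG93IiwidWFhIl19.G2f8bIMbUWJOz8kcZYtU37yYhTtMOEJlsrvJFINnUjo'

# Decode one base64url segment: JWTs use '-' and '_' and drop the '=' padding,
# which GNU base64 -d insists on, so translate and re-pad before decoding.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# First segment is the JOSE header, second the claim set.
jwt_header()  { b64url_decode "$(printf '%s' "$1" | cut -d. -f1)"; }
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Extract a string claim, e.g. jwt_claim "$tok" iss  ->  "iss":"..." value.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Extract a string-array claim ("aud":["a","b"]) as space-separated values.
jwt_array_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\[\([^]]*\)].*/\1/p" | tr -d '"' | tr ',' ' '
}

# Does the issuer UAA wrote into the token equal the token URI the SCDF client
# is configured with? Scheme, host and port must all agree.
issuer_matches_token_uri() {
  [ "$(jwt_claim "$1" iss)" = "$2" ]
}

# Stand-alone run: print the claims a practitioner compares first.
jwt_header  "$UAA_TOKEN"; echo
printf 'iss=%s\n'   "$(jwt_claim "$UAA_TOKEN" iss)"
printf 'aud=%s\n'   "$(jwt_array_claim "$UAA_TOKEN" aud)"
printf 'scope=%s\n' "$(jwt_array_claim "$UAA_TOKEN" scope)"
printf 'grant_type=%s exp=%s\n' "$(jwt_claim "$UAA_TOKEN" grant_type)" \
  "$(jwt_payload "$UAA_TOKEN" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')"
```

Run on the question's token, the issuer claim comes out as http://uaa-service:8080/oauth/token, plain http on port 8080 rather than the https://uaa-service:8443 the SCDF client is configured to call, and the header carries alg HS256 with kid legacy-token-key, i.e. a symmetric signing key. Two other things worth noticing from the decode: the curl call used grant_type=client_credentials, so the username and password parameters were ignored and the token only has the client's own uaa.resource scope, not the dataflow.* scopes granted to the admin user; the dashboard login goes through the authorization_code grant (the /login?code=... redirect in the logs), which is the flow that produces a user token with those scopes.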

Solution

And, the problem was,

In the server-deployment, I've removed the following config:

#- name: SECURITY_OAUTH2_CLIENT_SCOPE
#  value: 'openid'

Do not apply any config parametrization about scope anywhere.

Because, if scope is omitted or null, all scopes will be assigned to the client, and no confirmation is needed for third party permission ...

Warning, you can get a lot of samples using this config in .. tested?

Do not apply any config about uaa in skipper.... only the cacert of uaa in the jks
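The answer's last point, getting the UAA certificate into a trust store the SCDF JVM uses, is the fix for the PKIX path building failed error in the question. The script below is an added example (not from the answer, the question, or the SCDF/UAA projects) of that step: export the certificate the uaa-service presents, import it into a PKCS12 trust store with keytool, and, offline, demonstrate with openssl why the JVM rejected the handshake. It assumes openssl 1.1.1 or later; keytool is only present where a JDK is, so the import helper reports 2 when it is missing. The host name uaa-service and port 8443 come from the question; file names, the alias uaa-tls and the store password are illustrative.

```shell
# Added example, not part of the original answer: trust the UAA TLS certificate
# in the SCDF JVM instead of disabling certificate validation.

# Export the leaf certificate the UAA pod serves (needs network access to it).
fetch_uaa_cert() {
  host=${1:-uaa-service}; port=${2:-8443}; out=${3:-uaa-service.crt}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Does $2 chain to a certificate in trust store $1? This is the same PKIX
# path-building step the JVM failed on in the question (exit 0 = OK).
verify_against_store() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Import a PEM certificate into a PKCS12 trust store for the SCDF JVM.
# Returns 0 when imported, 2 when keytool is not installed on this host.
import_into_truststore() {
  cert=$1; store=$2; pass=${3:-changeit}
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -importcert -noprompt -trustcacerts -alias uaa-tls -file "$cert" \
    -keystore "$store" -storetype pkcs12 -storepass "$pass" >/dev/null 2>&1
}

# Offline demonstration with constructed certificates: mint a self-signed cert
# for uaa-service and an unrelated one, then show verification fails while the
# trust store holds only the unrelated cert and succeeds once uaa.crt is in it.
demo_trust_store() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=uaa-service' \
    -keyout "$dir/uaa.key" -out "$dir/uaa.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=not-the-uaa' \
    -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
  before=fail; after=fail
  verify_against_store "$dir/other.crt" "$dir/uaa.crt" && before=ok
  cat "$dir/other.crt" "$dir/uaa.crt" > "$dir/trusted.pem"   # add uaa cert
  verify_against_store "$dir/trusted.pem" "$dir/uaa.crt" && after=ok
  rm -rf "$dir"
  printf '%s %s\n' "$before" "$after"   # prints "fail ok"
}

# Wiring for the scdf2 pod (hypothetical paths): mount the store from a Secret
# and point the JVM at it through standard javax.net.ssl system properties, e.g.
#   JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=/etc/ssl/uaa-truststore.p12 \
#     -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=pkcs12"

demo_trust_store
```

The trust store only fixes the "unable to find valid certification path" half of the problem: after the certificate is trusted, the JVM still checks that the host name it dialed (uaa-service) matches the certificate's subject alternative name, so the CSR choice the question mentions (CN uaa-service) needs a matching DNS SAN on modern JDKs. Importing the certificate itself rather than a private CA also means the store must be refreshed whenever the UAA certificate is rotated.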
