Spring Cloud Zuul Proxy 背后的 Spring OAuth 授权服务器 [英] Spring OAuth Authorization Server behind Spring Cloud Zuul Proxy

问题描述

我目前正在开发基于微服务架构的应用程序.我们使用使用 Spring Cloud Netfix 的 Zuul 服务器实现的 API 网关将请求路由到我们的微服务.

I am currently developing a application based on a micro service architecture. We use a API-Gateway implemented using Spring Cloud Netfix's Zuul Server to route the requests to our micro services.

为了实现我们所有服务的单点登录，我目前正在使用 Spring Cloud Security 设置 OAuth2 服务器.服务器基本上只是 Dave Syer 的 Repo 中实现的复制和过去:https://github.com/dsyer/spring-security-angular/tree/master/oauth2/authserver

To realize single sign on for all our services I am currently working on an OAuth2 server set up using Spring Cloud Security. The server is basically just copy and past of the implementation in Dave Syer's Repo: https://github.com/dsyer/spring-security-angular/tree/master/oauth2/authserver

主要区别在于我想通过 Zuul 代理将请求路由到我的 OAuth 服务器.这样我就不必直接公开我的 OAuth 服务器，并且可以动态添加和删除登录服务器.

The main difference is that I want to route the requests to my OAuth server through the Zuul Proxy. This way I will not have to directly expose my OAuth Server and can add and remove Login Server dynamically.

问题是我不明白如何正确配置此设置.当我尝试访问 OAuth 服务器上的受保护资源时，我被转发到登录页面.这当然符合预期.但是我不知道如何设置转发时使用的主机名和端口.我想要发生的是服务器转发到 Zuul 服务器上的端点，该端点将被代理回 OAuth 服务器.(Zuul API-Gateway 应该是客户端与之对话的唯一服务器.其他一切都将隐藏.)

The problem is I do not seam to understand how to correctly configure this setup. When I try to access a protected resource on the OAuth server I am forwarded to the login page. This of course is as expected. But I can not figure out how to set the hostname and port used when forwarding. What I want to happen is the server to forward to an endpoint on the Zuul server that will get proxied back to the OAuth server. (The Zuul API-Gateway should be the only server the client ever talks to. Everything else will be hidden.)

因为它是从 LoginUrlAuthenticationEntryPoint 中的 HttpServletRequest 读取主机和端口.但是服务器看到的请求是Zuul代理发送的请求.所以我被转发到一个内部 IP，而不是代理上的端点.

As it is the host and port are read from the HttpServletRequest in LoginUrlAuthenticationEntryPoint. But the request the server sees is the request send by the Zuul proxy. So I am forwarded to an internal IP not an endpoint on the proxy.

我尝试将 WebSecurityConfigurerAdapter.configure(HttpSecurity) 中登录页面的 URL 设置为我的 Zuul 代理的绝对 URL.但这只是导致我的应用程序抱怨重定向过多.(可能在那里造成了循环.)

I tried to set the URL of the login page in WebSecurityConfigurerAdapter.configure(HttpSecurity) to the absolut URL of my Zuul Proxy. But this just caused my application to complain about too many redirects. (Might have caused a loop there.)

设置它的最佳方法是什么?

What would be the best way to set this up?

• 我是否必须通过覆盖 bean 来实现某种自己的转发策略?
• 是否有我遗漏的配置选项?
• 我的想法本身有错吗?(在他对 How避免使用 Zuul 重定向到另一个主机? Dave Syer 说你通常不会代理它，但没有解释原因.)

• Do I have to implement some kind of own forwarding strategy by overriding a bean?
• Is there a configuration option I am missing?
• Is my idea itself wrong? (In his answer to How to avoid redirect to another host with Zuul? Dave Syer says you would not normally proxy this but does not explain why.)

推荐答案

更新:可以在此处找到 POC https://github.com/kakawait/uaa-behind-zuul-sample

Update: POC can be found here https://github.com/kakawait/uaa-behind-zuul-sample

您是否尝试过以下设置(在 zuul 服务器上):

Did you try following setup (on zuul server):

zuul:
  routes:
    uaa-service:
      path: /uaa/**
      stripPrefix: false

security:
  # Disable Spring Boot basic authentication
  basic:
    enabled: false
  oauth2:
    sso:
      loginPath: /login
    client:
      accessTokenUri: https://<zuul hostname>/uaa/oauth/token
      userAuthorizationUri: https://<zuul hostname>/uaa/oauth/authorize
      ...

基本上它适用于我的项目，我唯一要做的就是禁用 /uaa/oauth/token 路由上的 CSRF 保护.

Basically it works on my project only thing I have to do is to disable CSRF protection on /uaa/oauth/token route.

身份验证服务器应该打开

Auth server should be on

server:
  # Use different context-path to avoid session cookie overlapping
  context-path: /uaa

使用 Spring-Cloud.Brixton.M3

感谢 @thomas-letsch，您应该像以下(示例)一样调整安全性

Thank to @thomas-letsch, you should tweak you security like following (sample)

public void configure(HttpSecurity http) throws Exception { 
    http.logout().and()
        .antMatcher("/**").authorizeRequests() 
        .antMatchers("/index.html", "/home.html", "/", "/uaa/oauth/**").permitAll() 
        .anyRequest().authenticated().and() 
        .csrf().csrfTokenRepository(getCSRFTokenRepository()).ignoringAntMatchers("/uaa/‌​oauth/token").and() 
        .addFilterAfter(createCSRFHeaderFilter(), CsrfFilter.class); 
} 

这篇关于Spring Cloud Zuul Proxy 背后的 Spring OAuth 授权服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！