Spring Cloud Zuul Proxy背后的Spring OAuth授权服务器 [英] Spring OAuth Authorization Server behind Spring Cloud Zuul Proxy

问题描述

我目前正在开发基于微服务架构的应用程序。我们使用一个使用Spring Cloud Netfix的Zuul Server实现的API网关将请求路由到我们的微服务。

I am currently developing a application based on a micro service architecture. We use a API-Gateway implemented using Spring Cloud Netfix's Zuul Server to route the requests to our micro services.

为了实现我目前工作的所有服务的单点登录在使用Spring Cloud Security设置的OAuth2服务器上。服务器基本上只是在Dave Syer的Repo中实现的复制和过去： https://github.com/dsyer/spring-security-angular/tree/master/oauth2/authserver

To realize single sign on for all our services I am currently working on an OAuth2 server set up using Spring Cloud Security. The server is basically just copy and past of the implementation in Dave Syer's Repo: https://github.com/dsyer/spring-security-angular/tree/master/oauth2/authserver

主要区别在于我想要的通过Zuul代理将请求路由到我的OAuth服务器。这样我就不必直接暴露我的OAuth服务器，并可以动态添加和删除Login Server。

The main difference is that I want to route the requests to my OAuth server through the Zuul Proxy. This way I will not have to directly expose my OAuth Server and can add and remove Login Server dynamically.

问题是我不了解如何正确配置此设置。当我尝试访问OAuth服务器上的受保护资源时，我将转发到登录页面。这当然是预期的。但我无法弄清楚如何设置转发时使用的主机名和端口。我想要发生的是服务器转发到Zuul服务器上的端点，该端点将被代理回到OAuth服务器。 （Zuul API-Gateway应该是客户端与之交谈的唯一服务器。其他所有内容都将被隐藏。）

The problem is I do not seam to understand how to correctly configure this setup. When I try to access a protected resource on the OAuth server I am forwarded to the login page. This of course is as expected. But I can not figure out how to set the hostname and port used when forwarding. What I want to happen is the server to forward to an endpoint on the Zuul server that will get proxied back to the OAuth server. (The Zuul API-Gateway should be the only server the client ever talks to. Everything else will be hidden.)

因为它是从主机和端口读取的 中的HttpServletRequest > LoginUrlAuthenticationEntryPoint 。但是服务器看到的请求是Zuul代理发送的请求。所以我被转发到内部IP而不是代理端点。

As it is the host and port are read from the HttpServletRequest in LoginUrlAuthenticationEntryPoint. But the request the server sees is the request send by the Zuul proxy. So I am forwarded to an internal IP not an endpoint on the proxy.

我试图在 WebSecurityConfigurerAdapter.configure中设置登录页面的URL （HttpSecurity）到我的Zuul代理的绝对URL。但这只是导致我的应用程序抱怨太多的重定向。 （可能会在那里引起循环。）

I tried to set the URL of the login page in WebSecurityConfigurerAdapter.configure(HttpSecurity) to the absolut URL of my Zuul Proxy. But this just caused my application to complain about too many redirects. (Might have caused a loop there.)

最好的设置方法是什么？

What would be the best way to set this up?

• 我是否必须通过覆盖bean来实现某种自己的转发策略？


• 是有一个我缺少的配置选项？


• 我的想法本身是错的吗？ （在回答如何为了避免与Zuul重定向到另一个主机？ Dave Syer说你通常不代理这个但不解释原因。）

• Do I have to implement some kind of own forwarding strategy by overriding a bean?
• Is there a configuration option I am missing?
• Is my idea itself wrong? (In his answer to How to avoid redirect to another host with Zuul? Dave Syer says you would not normally proxy this but does not explain why.)

推荐答案

更新：POC可以在这里找到 https://github.com/kakawait/uaa-behind-zuul-sample

Update: POC can be found here https://github.com/kakawait/uaa-behind-zuul-sample

您是否尝试过以下设置（在 zuul 服务器上）：

Did you try following setup (on zuul server):

zuul:
  routes:
    uaa-service:
      path: /uaa/**
      stripPrefix: false

security:
  # Disable Spring Boot basic authentication
  basic:
    enabled: false
  oauth2:
    sso:
      loginPath: /login
    client:
      accessTokenUri: https://<zuul hostname>/uaa/oauth/token
      userAuthorizationUri: https://<zuul hostname>/uaa/oauth/authorize
      ...

基本上它适用于我的项目我唯一需要做的就是在 / uaa / oauth / token CSRF 保护$ c> route。

Basically it works on my project only thing I have to do is to disable CSRF protection on /uaa/oauth/token route.

Auth服务器应该打开

Auth server should be on

server:
  # Use different context-path to avoid session cookie overlapping
  context-path: /uaa

使用测试Spring-Cloud.Brixton.M3

感谢 @ thomas-letsch ，你应该像下面的那样调整你的安全性（样本）

Thank to @thomas-letsch, you should tweak you security like following (sample)

public void configure(HttpSecurity http) throws Exception { 
    http.logout().and()
        .antMatcher("/**").authorizeRequests() 
        .antMatchers("/index.html", "/home.html", "/", "/uaa/oauth/**").permitAll() 
        .anyRequest().authenticated().and() 
        .csrf().csrfTokenRepository(getCSRFTokenRepository()).ignoringAntMatchers("/uaa/‌​oauth/token").and() 
        .addFilterAfter(createCSRFHeaderFilter(), CsrfFilter.class); 
} 

这篇关于Spring Cloud Zuul Proxy背后的Spring OAuth授权服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！