Authorization header not passed by ZuulProxy starting with Brixton.RC1


Problem description


In switching from Spring Cloud Brixton.M5 to Brixton.RC1 my ZuulProxy no longer passes Authorization headers downstream to my proxied services.


There are various actors in play in my setup, but most all of them are fairly simple:
- AuthorizationServer: runs separately; hands out JWTs to clients
- Clients: get JWTs from OAuth server; each with access to a subset of resources.
- ResourceServers: consume JWTs for access decisions
- MyZuulProxy: proxies various resource servers; should relay JWTs.


It should be noted that MyZuulProxy has no security dependencies whatsoever; it passed the Authorization: Bearer {JWT} header it receives to the ResourceServers, pre-RC1. MyZuulProxy is explicitly not a Client itself, and does not use @EnableOAuth2SSO or similar at the moment.


What could I do to get MyZuulProxy to relay the JWTs to the ResourceServers again when using Spring Cloud Brixton.RC1?


There's very little code to post: It's just @EnableZuulProxy, @EnableAuthorizationServer and @EnableResourceServer in three different jars. My Clients are not Spring applications.

Recommended answer

Update: fixed in https://github.com/spring-cloud/spring-cloud-netflix/pull/963/files



Sensitive headers can also be set globally setting zuul.sensitiveHeaders. If sensitiveHeaders is set on a route, this will override the global sensitiveHeaders setting.

So use:

# Pass Authorization header downstream
zuul:
  sensitiveHeaders: Cookie,Set-Cookie
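As an added illustration (not part of the original answer) of the precedence rule quoted above, the following configuration relays the JWT by default but keeps it away from a backend that should never see it; the route names, path, service id and URL are hypothetical.

```yaml
zuul:
  # Global default for every route: strip cookies, but let the
  # Authorization: Bearer {JWT} header through to the resource servers.
  sensitiveHeaders: Cookie,Set-Cookie
  routes:
    # Internal resource server that validates the JWT itself.
    # No sensitiveHeaders here, so it inherits the global list above.
    orders:
      path: /orders/**
      serviceId: orders-service            # hypothetical service id
    # External backend that must not receive the user's token.
    # A per-route list overrides the global one, so add Authorization back.
    partner:
      path: /partner/**
      url: https://partner.example.invalid/api   # placeholder URL
      sensitiveHeaders: Cookie,Set-Cookie,Authorization
```

Note that the per-route list replaces the global list rather than extending it, so each override has to repeat the headers it still wants stripped.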


So pending a fix for https://github.com/spring-cloud/spring-cloud-netflix/issues/944, jebeaudet was kind enough to provide a workaround:

import java.util.Set;

import org.springframework.stereotype.Component;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;

@Component
public class RelayTokenFilter extends ZuulFilter {

    @Override
    @SuppressWarnings("unchecked")
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();

        // Alter ignored headers as per: https://gitter.im/spring-cloud/spring-cloud?at=56fea31f11ea211749c3ed22
        // Zuul keeps the (lower-cased) names of headers it will not forward in the request context
        Set<String> headers = (Set<String>) ctx.get("ignoredHeaders");
        // We need our JWT tokens relayed to resource servers
        if (headers != null) {
            headers.remove("authorization");
        }

        return null;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public String filterType() {
        // Runs as a "pre" filter, i.e. before the request is routed downstream
        return "pre";
    }

    @Override
    public int filterOrder() {
        // Late among the pre filters, so the ignored-header set has already been populated
        return 10000;
    }
}
