And*_*rff 5 spring spring-security spring-session spring-cloud
我正在尝试使用Spring Cloud的Zuul,Eureka和我自己的服务来实现微服务架构.我有多个具有UI和服务的服务,每个服务都可以使用x509安全性对用户进行身份验证.现在我正试图将Zuul放在这些服务面前.由于Zuul无法将客户端证书转发到后端,我认为下一个最好的方法是在Zuul的前门验证用户身份,然后使用Spring Session在后端服务中复制其身份验证状态.我已经按照Dave Syer 的教程进行了操作,它几乎可以工作,但不是第一次请求.这是我的基本设置:
如果清除所有会话并重新开始并尝试命中代理,则它会使用zuul服务器的证书将请求发送到后端.然后,后端服务根据该用户证书查找用户,并认为用户是服务器,而不是在Zuul代理中经过身份验证的用户.如果您只是刷新页面,那么您突然成为后端的正确用户(在Zuul代理中进行身份验证的用户).我正在检查的方法是在后端控制器中打印出Principal用户.所以在第一次请求时,我看到了服务器用户,在第二次请求时,我看到了真实用户.如果我在后端禁用x509,在第一次请求时,我得到403,然后刷新,它让我进去.
看起来会话没有足够快地复制到后端,所以当用户在前端进行身份验证时,它在Zuul转发请求时没有进入后端.
有没有办法保证会话在第一个请求(即会话创建)上被复制?或者我错过了一步以确保其正常工作?
以下是一些重要的代码段:
Zuul代理:
@SpringBootApplication
@Controller
@EnableAutoConfiguration
@EnableZuulProxy
@EnableRedisHttpSession
public class ZuulEdgeServer {
public static void main(String[] args) {
new SpringApplicationBuilder(ZuulEdgeServer.class).web(true).run(args);
}
}
Zuul配置:
info:
component: Zuul Server
endpoints:
restart:
enabled: true
shutdown:
enabled: true
health:
sensitive: false
zuul:
routes:
service1: /**
logging:
level:
ROOT: INFO
# org.springframework.web: DEBUG
net.acesinc: DEBUG
security.sessions: ALWAYS
server:
port: 8443
ssl:
key-store: classpath:dev/localhost.jks
key-store-password: thepassword
keyStoreType: JKS
keyAlias: localhost
clientAuth: want
trust-store: classpath:dev/localhost.jks
ribbon:
IsSecure: true
后端服务:
@SpringBootApplication
@EnableAutoConfiguration(exclude = { DataSourceAutoConfiguration.class, ThymeleafAutoConfiguration.class, org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class })
@EnableEurekaClient
@EnableRedisHttpSession
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
后端服务配置:
spring.jmx.default-domain: ${spring.application.name}
server:
port: 8444
ssl:
key-store: classpath:dev/localhost.jks
key-store-password: thepassword
keyStoreType: JKS
keyAlias: localhost
clientAuth: want
trust-store: classpath:dev/localhost.jks
#Change the base url of all REST endpoints to be under /rest
spring.data.rest.base-uri: /rest
security.sessions: NEVER
logging:
level:
ROOT: INFO
# org.springframework.web: INFO
# org.springframework.security: DEBUG
net.acesinc: DEBUG
eureka:
instance:
nonSecurePortEnabled: false
securePortEnabled: true
securePort: ${server.port}
homePageUrl: https://${eureka.instance.hostname}:${server.port}/
secureVirtualHostName: ${spring.application.name}
其中一个后端控制器:
@Controller
public class SecureContent1Controller {
private static final Logger log = LoggerFactory.getLogger(SecureContent1Controller.class);
@RequestMapping(value = {"/secure1"}, method = RequestMethod.GET)
@PreAuthorize("isAuthenticated()")
public @ResponseBody String getHomepage(ModelMap model, Principal p) {
log.debug("Secure Content for user [ " + p.getName() + " ]");
model.addAttribute("pageName", "secure1");
return "You are: [ " + p.getName() + " ] and here is your secure content: secure1";
}
}
感谢 Shobull 向我指出Justin Taylor对这个问题的答案。为了完整起见,我也想把完整的答案放在这里。这是一个由两部分组成的解决方案:
@EnableRedisHttpSession(redisFlushMode = RedisFlushMode.IMMEDIATE)立即将会话数据保存到 Redis 中。文档在这里。用于将会话添加到当前请求标头的简单 Zuul 过滤器:
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.session.Session;
import org.springframework.session.SessionRepository;
import org.springframework.stereotype.Component;
@Component
public class SessionSavingZuulPreFilter extends ZuulFilter {
@Autowired
private SessionRepository repository;
private static final Logger log = LoggerFactory.getLogger(SessionSavingZuulPreFilter.class);
@Override
public String filterType() {
return "pre";
}
@Override
public int filterOrder() {
return 1;
}
@Override
public boolean shouldFilter() {
return true;
}
@Override
public Object run() {
RequestContext context = RequestContext.getCurrentContext();
HttpSession httpSession = context.getRequest().getSession();
Session session = repository.getSession(httpSession.getId());
context.addZuulRequestHeader("Cookie", "SESSION=" + httpSession.getId());
log.trace("ZuulPreFilter session proxy: {}", session.getId());
return null;
}
}
这两个都应该在你的 Zuul 代理中。
| 归档时间: |
|
| 查看次数: |
4665 次 |
| 最近记录: |