我们希望将HTTPS用于基于Feign和Ribbon的微服务通信.这些服务基于spring boot并且正确设置了tomcat.实例已在Eureka上的HTTPS URL和securePort上注册.但是,当我们通过Feign调用另一个微服务时,底层功能区无法识别协议并回退到HTTP.我可以通过将协议添加到FeignClient注释来解决这个问题,如下所示:
@FeignClient("https://users")
但似乎Zuul代理和Hystrix/Turbine也在内部使用Ribbon具有相同的HTTP回退问题.有没有办法集中配置Ribbon以使用HTTPS作为默认值或使用注册的eureka实例的securePort设置?
Eureka实例配置:
eureka.instance.hostname=localhost
eureka.instance.securePort = ${server.port}
eureka.instance.securePortEnabled = true
eureka.instance.nonSecurePortEnabled = false
eureka.instance.metadataMap.hostname = ${eureka.instance.hostname}
eureka.instance.metadataMap.securePort = ${server.port}
eureka.instance.homePageUrl = https://${eureka.instance.hostname}:${server.port}/
eureka.instance.statusPageUrl = https://${eureka.instance.hostname}:${server.port}/admin/info
通过这些设置,它在Eureka中看起来就像服务在HTTPS上运行一样.Zuul代理运行正常,但使用HTTP URL来调用服务.您必须通过在密钥库中提供服务器证书来在Spring Boots嵌入式Tomcat中启用SSL:
server.ssl.key-store=server.jks
server.ssl.key-store-password=<pw>
server.ssl.keyStoreType=jks
server.ssl.keyAlias=tomcat
server.ssl.key-password=<pw>
Tomcat只运行在HTTPS上,HTTP端口被阻止,但比我得到的:localhost:8081 failed to respond因为HTTP URL用于调用服务.通过设置ribbon.IsSecure=true用户服务URL正确生成,但Ribbon负载均衡器无法在Eureka中查找用户服务:Load balancer does not have available server for client: users.我users.ribbon.IsSecure=trueaslo 试图只在zuul代理中设置,但仍然得到相同的错误.
Caused by: com.netflix.client.ClientException: Load balancer does not have available server for client: user
at com.netflix.loadbalancer.LoadBalancerContext.getServerFromLoadBalancer(LoadBalancerContext.java:468)
at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:184) …我们想要设置一个提供REST API的微服务,以便将其配置为OAuth2资源服务器.此服务还应充当具有客户端凭据授权的OAuth2客户端.这是配置:
spring.oauth2.client.id=clientCredentialsResource
spring.oauth2.client.accessTokenUri=http://localhost:9003/oauth/token
spring.oauth2.client.userAuthorizationUri=http://localhost:9003/oauth/authorize
spring.oauth2.client.grantType=client_credentials
spring.oauth2.client.clientId=<service-id>
spring.oauth2.client.clientSecret=<service-pw>
资源服务器部分工作正常.对于客户端部分,我们要使用Feign,Ribbon和Eureka:
@FeignClient("user")
public interface UserClient
{
@RequestMapping( method = RequestMethod.GET, value = "/user/{uid}")
Map<String, String> getUser(@PathVariable("uid") String uid);
}
基于问题的主旨https://github.com/spring-cloud/spring-cloud-security/issues/56我创建了一个假装请求拦截器,它在假装请求头中设置自动装配的OAuth2RestOperations模板中的访问令牌
@Autowired
private OAuth2RestOperations restTemplate;
template.header(headerName, String.format("%s %s", tokenTypeName, restTemplate.getAccessToken().toString()));
但这给了我调用用户服务的错误:
error="access_denied", error_description="Unable to obtain a new access token for resource 'clientCredentialsResource'. The provider manager is not configured to support it.
正如我所看到的,OAuth2ClientAutoConfiguration始终为Web应用程序创建AuthorizationCodeResourceDetails实例,但不创建仅用于非Web应用程序的必需ClientCredentialsResourceDetails.最后,no access token privider负责资源详细信息并且调用失败
AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:146)
我试图覆盖自动配置但失败了.有人可以给我一个提示怎么做?
spring spring-security spring-boot spring-security-oauth2 spring-cloud