spring-security - Zuul Gateway 通过 Eureka Server 启动时出现未经授权的异常
问题描述
我正在将 Spring Boot 从 1.5.12 迁移到 2.1.14。我们还必须迁移 Spring Cloud 依赖项。因此,为此我将 Spring cloud 版本从“Dalston.SR4”更改为“Greenwich.SR4”(Spring Boot 2.1.x 支持的版本)。
//implementation('org.springframework.boot:spring-boot-starter-security')
implementation('org.springframework.cloud:spring-cloud-starter-security')
implementation('org.springframework.cloud:spring-cloud-starter-oauth2')
//compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure')
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
compile('org.springframework.boot:spring-boot-starter-web')
compile("org.springframework.cloud:spring-cloud-starter-netflix-eureka-server")
compile("org.springframework.cloud:spring-cloud-starter-netflix-eureka-client")
compile("org.springframework.cloud:spring-cloud-starter-netflix-zuul")
我有 Eureka Server 和 Zuul GateWay Application,它是微服务之一,将充当代理和 eureka 客户端,如下所示
Eureka Server:
----------------
@SpringBootApplication(exclude = {
HibernateJpaAutoConfiguration.class,
JndiConnectionFactoryAutoConfiguration.class,
DataSourceAutoConfiguration.class,
DataSourceTransactionManagerAutoConfiguration.class,
SecurityAutoConfiguration.class
})
@EnableEurekaServer
@ComponentScan("com.swp.service.eureka")
public class EurekaRegistryApplication {
public static void main(String[] args) {
SpringApplication springApplication = new SpringApplication(EurekaApplication.class);
springApplication.run(args);
}
application-eureka.properties:
-----------------------------
spring.application.name=eureka
server.port=8761
eureka.instance.hostname=localhost
eureka.client.registerWithEureka=false
eureka.client.fetchRegistry=false
eureka.client.serviceUrl.defaultZone=http://${eureka.instance.hostname}:${server.port}/eureka/
security.enabled=false
Zuul Gateway:
---------------
@SpringBootApplication(exclude = {
HibernateJpaAutoConfiguration.class,
JndiConnectionFactoryAutoConfiguration.class,
DataSourceAutoConfiguration.class,
DataSourceTransactionManagerAutoConfiguration.class,
SecurityAutoConfiguration.class
})
@EnableZuulProxy
@EnableDiscoveryClient
@ComponentScan("com.swp.swp.service.zuul")
public class SWPGatewayApplication {
public static void main(String[] args) {
SpringApplication springApplication = new SpringApplication(SWPGatewayApplication.class);
springApplication.run(args);
}
}
application-gateway.properties
-------------------------------
spring.application.name=zuul
server.port=8092
server.servlet.context-path=/swp-gateway
allowedOriginHeaders=http://localhost:9090
zuul.add-host-header=true
zuul.sensitiveHeaders=Cookie,Set-Cookie
zuul.host.connect-timeout-millis=300000
zuul.host.socket-timeout-millis=300000
zuul.routes.swp.path=/swpapp/**
zuul.routes.oauth.path=/authservice/**
zuul.routes.swp.serviceId=swpapp
zuul.routes.oauth.serviceId=oauthservice
ribbon.ReadTimeout=300000
ribbon.ConnectTimeout=300000
ribbon.eureka.enabled=true
hystrix.command.default.execution.isolation.thread.timeoutInMilliseconds=300000
eureka.client.registerWithEureka=false
eureka.client.serviceUrl.defaultZone=http://localhost:8761/eureka/
security.enabled=false
我们将 Spring Security 与 Oauth2 集成在一起,并拥有如下所示的授权服务器和资源服务器。
Authorization server:
---------------------
@Configuration
@EnableAuthorizationServer
@ConditionalOnProperty(name="EnableJwtToken", matchIfMissing=true, havingValue="false")
public class AuthServerConfig extends WebSecurityConfigurerAdapter implements AuthorizationServerConfigurer {
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Autowired
private AuthenticationManager authenticationManager;
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
logger.info("AuthorizationServerSecurityConfigurer", "Enter into AuthorizationServerSecurityConfigurer");
oauthServer.checkTokenAccess("isAuthenticated()").checkTokenAccess("permitAll()");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").permitAll();
}
@Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers("/**");
etc.. config for in memory auth and token generation.
}
Resource Server:
------------------
@Configuration
@EnableResourceServer
@EnableWebSecurity
@ConditionalOnProperty(name="EnableJWTSecurity", havingValue="false",matchIfMissing=true)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
logger.info("ResourceServerConfig","Inside HttpSecurity http configure");
/*http
.authorizeRequests().
antMatchers("/swp/**").
authenticated()
.anyRequest().permitAll();*/
http.authorizeRequests()
.antMatchers("/**")
.permitAll()
.antMatchers("/**")
.authenticated();
}
}
除了这些 MS,我还有其他一些微服务。当我启动作为 Eureka 服务器的 EurekaRegistry 应用程序时,我们没有错误并且能够成功启动它们。但是我们在运行 Zull Gateway 微服务时遇到问题,这会出现以下错误,要求授权。
25408 SWP DEBUG zuul org.apache.http.headers << Cache-Control: no-cache, no-store, max-age=0, must-revalidate
25408 SWP DEBUG zuul org.apache.http.headers << Pragma: no-cache
25408 SWP DEBUG zuul org.apache.http.headers 2020-07-10 02:37:22.909 << Expires: 0
25408 SWP DEBUG zuul org.apache.http.headers 2020-07-10 02:37:22.909 << X-Frame-Options: DENY
25408 SWP DEBUG zuul org.apache.http.headers 2020-07-10 02:37:22.909 << Content-Type: application/json;charset=UTF-8
25408 SWP DEBUG zuul org.apache.http.headers 2020-07-10 02:37:22.909 << Transfer-Encoding: chunked
25408 SWP DEBUG zuul org.apache.http.headers 2020-07-10 02:37:22.909 << Date: Fri, 10 Jul 2020 06:37:22 GMT
25408 SWP DEBUG zuul org.apache.http.headers 2020-07-10 02:37:22.909 << Keep-Alive: timeout=60
25408 SWP DEBUG zuul org.apache.http.headers 2020-07-10 02:37:22.909 << Connection: keep-alive
25408 SWP DEBUG zuul o.a.h.impl.client.DefaultHttpClient 2020-07-10 02:37:22.909 Connection can be kept alive for 60000 MILLISECONDS
25408 SWP DEBUG zuul o.a.h.impl.client.DefaultHttpClient 2020-07-10 02:37:22.909 Authentication required
25408 SWP DEBUG zuul o.a.h.impl.client.DefaultHttpClient 2020-07-10 02:37:22.909 localhost:8761 requested authentication
25408 SWP DEBUG zuul o.a.h.i.c.TargetAuthenticationStrategy 2020-07-10 02:37:22.909 Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, CredSSP, Digest, Basic]
25408 SWP DEBUG zuul o.a.h.i.c.TargetAuthenticationStrategy 2020-07-10 02:37:22.912 Challenge for Negotiate authentication scheme not available
25408 SWP DEBUG zuul o.a.h.i.c.TargetAuthenticationStrategy 2020-07-10 02:37:22.912 Challenge for Kerberos authentication scheme not available
25408 SWP DEBUG zuul o.a.h.i.c.TargetAuthenticationStrategy 2020-07-10 02:37:22.912 Challenge for NTLM authentication scheme not available
25408 SWP DEBUG zuul o.a.h.i.c.TargetAuthenticationStrategy 2020-07-10 02:37:22.912 Challenge for CredSSP authentication scheme not available
25408 SWP DEBUG zuul o.a.h.i.c.TargetAuthenticationStrategy 2020-07-10 02:37:22.912 Challenge for Digest authentication scheme not available
25408 SWP DEBUG zuul org.apache.http.wire 2020-07-10 02:37:22.912 << "80[\r][\n]"
25408 SWP DEBUG zuul org.apache.http.wire 2020-07-10 02:37:22.912 << **"{"timestamp":"2020-07-10T06:37:22.908+0000","status":401,
"error":"Unauthorized","message":"Unauthorized","path":"/eureka/apps/"}"**
25408 SWP DEBUG zuul c.n.d.s.t.j.AbstractJerseyEurekaHttpClient 2020-07-10 02:37:22.912 Jersey HTTP GET http://localhost:8761/eureka//apps/?; statusCode=401
25408 SWP DEBUG zuul org.apache.http.wire 2020-07-10 02:37:22.912 << "[\r][\n]"
25408 SWP DEBUG zuul org.apache.http.wire 2020-07-10 02:37:22.912 << "0[\r][\n]"
25408 SWP DEBUG zuul org.apache.http.wire 2020-07-10 02:37:22.912 << "[\r][\n]"
25408 SWP DEBUG zuul c.n.d.s.MonitoredConnectionManager 2020-07-10 02:37:22.912 Released connection is reusable.
25408 SWP DEBUG zuul c.n.d.shared.NamedConnectionPool 2020-07-10 02:37:22.912 Releasing connection [{}->http://localhost:8761][null]
25408 SWP DEBUG zuul c.n.d.shared.NamedConnectionPool 2020-07-10 02:37:22.912 Pooling connection [{}->http://localhost:8761][null]; keep alive for 60000 MILLISECONDS
25408 SWP DEBUG zuul c.n.d.shared.NamedConnectionPool 2020-07-10 02:37:22.912 Notifying no-one, there are no waiting threads
25408 SWP DEBUG zuul c.n.d.s.t.d.RedirectingEurekaHttpClient 2020-07-10 02:37:22.912 Pinning to endpoint null
25408 SWP WARN zuul c.n.d.s.t.d.RetryableEurekaHttpClient 2020-07-10 02:37:22.912 Request execution failure with status code 401; retrying on another server if available
25408 SWP ERROR zuul c.netflix.discovery.DiscoveryClient 2020-07-10 02:37:22.912 DiscoveryClient_ZUUL/WGA10015LDITEGG.uswin.ad.swp.com:zuul:8092 - was unable to refresh its cache! status = Cannot execute request on any known server
com.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server
注意:这里我们没有尝试向我们的 Eureka 服务器注册 Eureka Clients。尝试通过 Zuul 网关访问其他微服务并使用属性禁用安全性:security.enabled=false。迁移之前 security.basic.enabled=false。我们尝试使用不同的组合尽可能禁用安全性,但仍然出现上述错误。
有人可以告诉我可能是什么问题。
提前致谢。
解决方案
推荐阅读
- node.js - fcm admin.messaging().sendToDevice(tokens, messagePayload, options) 正在触发两次 nodejs
- java - 从多对多删除。如何记住 URL 中的参数?
- math - 找出数字与 0.5 的接近程度
- kubernetes - 与库一起使用时,将公共库文件添加到配置映射中
- sql - 用于解释下拉列表的日期范围的 SQL 查询
- python - 使用太多“while True:”循环?
- android - Android ArrayList 问题
- python - 如何从 SQL 表查询中的两列创建 Python 字典?
- javascript - 如何在javascript中处理动态日期
- python - BeautifulSoup 不返回空评论,我该如何解决