目前我有一个 Spring Cloud Gateway 服务和许多其他服务。网关拦截每个请求,检查是否存在授权,并根据允许/拒绝访问特定资源。
我不断收到 401 Unauthorized,因此在启用调试消息后,我发现了以下内容
17-09-2023 13:41:43.189 [parallel-2] DEBUG o.s.w.s.s.DefaultWebSessionManager .org.springframework.web.server.session.DefaultWebSessionManager lambda$createWebSession$3 - Created new WebSession.
17-09-2023 13:41:43.190 [parallel-2] DEBUG o.s.s.w.s.c.WebSessionServerSecurityContextRepository .org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository lambda$load$1 - No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@1c19c273'
17-09-2023 13:41:43.196 [parallel-2] DEBUG o.s.s.w.s.u.m.OrServerWebExchangeMatcher .org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher lambda$matches$0 - Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=POST}
17-09-2023 13:41:43.197 [parallel-2] DEBUG o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher .org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher lambda$matches$1 - Request 'POST /auth/authenticate-contractor' doesn't match 'POST /logout'
17-09-2023 13:41:43.198 [parallel-2] DEBUG o.s.s.w.s.u.m.OrServerWebExchangeMatcher .org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher lambda$matches$2 - No matches found
17-09-2023 13:41:43.202 [parallel-2] DEBUG o.s.s.w.s.a.DelegatingReactiveAuthorizationManager .org.springframework.security.web.server.authorization.DelegatingReactiveAuthorizationManager lambda$check$1 - Checking authorization on '/auth' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@2b6b1534
17-09-2023 13:41:43.205 [parallel-2] DEBUG o.s.s.w.s.c.WebSessionServerSecurityContextRepository .org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository lambda$load$1 - No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@1c19c273'
17-09-2023 13:41:43.207 [parallel-2] DEBUG o.s.s.w.s.a.AuthorizationWebFilter .org.springframework.security.web.server.authorization.AuthorizationWebFilter lambda$filter$3 - Authorization failed: Access Denied
17-09-2023 13:41:43.213 [parallel-2] DEBUG o.s.s.w.s.c.WebSessionServerSecurityContextRepository .org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository lambda$load$1 - No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@1c19c273'
17-09-2023 13:41:43.230 [parallel-2] DEBUG o.s.c.s.i.web.TraceWebFilter .org.springframework.cloud.sleuth.instrument.web.TraceWebFilter$MonoWebFilterTrace$WebFilterTraceSubscriber terminateSpan - Handled send of RealSpan(3c5c588d8857df88/3c5c588d8857df88)
17-09-2023 13:41:43.235 [parallel-2] DEBUG o.s.w.s.a.HttpWebHandlerAdapter .org.springframework.core.log.LogFormatUtils traceDebug - [787638e7-1] Completed 401 UNAUTHORIZED
我尝试使用
SecurityContextHolderReactiveSecurityContextHolder设置如下: 春季启动:
v2.7.14<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
这是我已经实现的自定义
WebFilter@Component
class AuthFilter(
private val firebaseAuth: FirebaseAuth
): WebFilter {
override fun filter(exchange: ServerWebExchange, chain: WebFilterChain): Mono<Void> {
val authentication = UsernamePasswordAuthenticationToken(
"ROLE_USER",
null,
listOf(SimpleGrantedAuthority("ROLE_USER"))
)
return ReactiveSecurityContextHolder.getContext()
.map { it.authentication = authentication }
.then(chain.filter(exchange))
}
}
这是安全配置
@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class SecurityConfig(
private val firebaseAuth: FirebaseAuth
) {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http
.csrf().disable()
.formLogin().disable()
.httpBasic().disable()
.authorizeExchange()
.anyExchange().authenticated()
.and()
.addFilterAt(AuthFilter(firebaseAuth), SecurityWebFiltersOrder.AUTHENTICATION)
.build()
}
}
还可能缺少什么来修复未经授权的错误?