当Auth Server重定向到SSO代理服务器时,它不知道登录成功

问题描述 投票:0回答:1

成功登录到身份验证服务器后,它将重定向回启用SSO的代理服务器,但代理服务器无法识别该用户已通过身份验证,因此它会弹出“第三方权限”页面,而不是将用户转发到最初请求的受保护用户资源。在第三方权限页面上单击“接受”后,您将被重定向到最初请求的受保护资源。

  1. 获取http://localhost:8085/angular-example/ 302响应标题:位置:http://localhost:8085/angular-example/响应标题:Set-Cookie:JSESSIONID = 15F0789B7182469477E5F713D64A9BF3;路径= /;仅Http
  2. 获取http://localhost:8085/login 302要求Cookie:JSESSIONID = 15F0789B7182469477E5F713D64A9BF3响应头:位置:http://localhost:8084/oauth/authorize?client_id=zuul-proxy-example&redirect_uri=http://localhost:8085/login&response_type=code&state=SdY74y
  3. 获取http://localhost:8084/oauth/authorize?client_id=zuul-proxy-example&redirect_uri=http://localhost:8085/login&response_type=code&state=SdY74y 302请求标头:Cookie:JSESSIONID = 15F0789B7182469477E5F713D64A9BF3响应标题:位置:http://localhost:8084/login响应标题:Set-Cookie:SESSION = Zjk5Y2Y5YTEtMjE2OC00MTRkLThmNGUtNGZlODFkOTI4MWNj;路径= /;仅Http; SameSite = Lax
  4. 获取http://localhost:8084/login 200请求标头:Cookie:JSESSIONID = 15F0789B7182469477E5F713D64A9BF3; SESSION = Zjk5Y2Y5YTEtMjE2OC00MTRkLThmNGUtNGZlODFkOTI4MWNj
  5. 获取http://localhost:8084/oauth/authorize?client_id=zuul-proxy-example&redirect_uri=http://localhost:8085/login&response_type=code&state=SdY74y 200请求标头:Cookie:JSESSIONID = 15F0789B7182469477E5F713D64A9BF3; SESSION = MmVhODcyMmMtZDc0MS00Njk3LTk4MTktYTg4MmJhYjI4YmQ2
  6. POSThttp://localhost:8084/oauth/authorize请求标头:Cookie:JSESSIONID = 15F0789B7182469477E5F713D64A9BF3; SESSION = MmVhODcyMmMtZDc0MS00Njk3LTk4MTktYTg4MmJhYjI4YmQ2响应标题:位置:http://localhost:8085/login?code=KjDZ7n&state=SdY74y响应标题:Set-Cookie:SESSION =;最大年龄= 0;过期时间=星期四,格林尼治标准时间1970年1月1日00:00:00;路径= /;仅Http; SameSite =拉克斯
  7. 获取http://localhost:8085/login?code=KjDZ7n&state=SdY74y 302请求标头:Cookie:JSESSIONID = 15F0789B7182469477E5F713D64A9BF3响应标题:位置:http://localhost:8085/angular-example/响应标题:Set-Cookie:JSESSIONID = C201DF4673C6644D0B62F166481386C3;路径= /;仅Http
  8. 获取http://localhost:8085/angular-example/ 200

这是配置为与工作中的Spring Boot 1.5.x身份验证服务器尽可能接近的Spring Boot 2.1.8.RELEASE Zuul代理服务器和Spring Boot 2身份验证服务器。

配置

  1. 克隆https://github.com/smitchell/spring-security-5-upgrade_sso-auth-server
  2. mvn spring-boot:run
  3. 克隆https://github.com/smitchell/cloud-foundry-angular-example
  4. mvn spring-boot:run
  5. 克隆https://github.com/smitchell/cloud-foundry-angular-example
  6. ng serve --baseHref = / angular-example /

复制步骤:

  1. 导航到http://localhost:8085/angular-example/
  2. 以“用户” /“密码”登录
  3. 出现第三方身份验证页面。单击同意。
  4. 显示Angular主页。

代理服务器

proxy:
  permitAll:
    matches: /login,/*.js,/favicon.ico,*.map,/*.css,/robots.txt
zuul:
  add-proxy-headers: true
  sensitiveHeaders: Cookie,Set-Cookie
  ignoredPatterns: /**/health/**,/**/mappings/**
  ignored-services: "*"
  routes:
    angular-example:
      path: /angular-example/**
      url: http://localhost:4200/angular-example/
    auth-service:
      path: /auth-example/**
      url: http://localhost:4202/auth-example
      sensitiveHeaders: Authorization
      stripPrefix: false
security:
  oauth2:
    client:
      accessTokenUri: http://localhost:8084/oauth/token
      userAuthorizationUri: http://localhost:8084/oauth/authorize
      clientId: zuul-proxy-example
      clientSecret: ####
server:
  port: 8085

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .authorizeRequests()
            .antMatchers("/*.css","/*.js","/favicon.ico","/*.map","/robots.txt")
            .permitAll()
        .anyRequest().authenticated()
            .and()
        .logout()
            .invalidateHttpSession(true).permitAll()
            .logoutSuccessUrl("http://localhost:8085/angular-example/")
            .and()
        .csrf()
            .disable();
    // @formatter:on
  }

授权服务器配置

server:
  port: 8084
spring:
  datasource:
    url: jdbc:h2:mem:testdb;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1
  jpa:
    generate-ddl: true
    hibernate:
      ddl-auto: create
    open-in-view: false

  protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .requestMatchers()
            .antMatchers("/",  "/oauth", "/login",  "/api/authenticate", "/oauth/authorize")
            .and()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage( "/login")
            .permitAll()
            .and()
        .logout()
            .permitAll()
        .and()
            .addFilter(new JwtAuthenticationFilter(privateKey, authenticationManager()))
            .addFilter(new JwtAuthorizationFilter(privateKey, authenticationManager()));
    // @formatter:on
  }

最重要的是,我想了解为什么身份验证没有返回相同的状态参数,这阻止了代理服务器知道先前重定向到身份验证服务器的操作成功。

这里是我们的Spring Security 4身份验证服务器的单一登录,该服务器正在运行:

  1. 获取https://test.[hostname].com/[context路径] / 302响应标题:位置:http://test.[hostname].com/login响应头:服务器:cloudflare响应标头:set-cookie:__cfduid = dd164391fe59500752e3500ab3de6a23c1569423515; expires =星期四,格林尼治标准时间20年9月24日14:58:35;路径= /; 。域= [主机名] .COM;仅Http;安全
  2. 获取http://test.[hostname].com/login 301请求标头:Cookie:JSESSIONID = C0C62552AAE5F7E8A420EEDD1869AA2A; VCAP_ID = b87f667f-ec72-4a1d-6265-5979响应标题:位置:https://test.[hostname].com/login响应头:服务器:cloudflare
  3. 获取https://test.[hostname].com/login 302请求标头:Cookie:cfduid = dd164391fe59500752e3500ab3de6a23c1569423515; JSESSIONID = C0C62552AAE5F7E8A420EEDD1869AA2A; __VCAP_ID = b87f667f-ec72-4a1d-6265-5979响应头:位置:https://auth-service-test-[hostname].cfapps.io/oauth/authorize?client_id=proxy-service&redirect_uri=http://test.[hostname].com/login&response_type=code&state=N2mPnD
  4. 获取https://auth-service-test-[hostname].cfapps.io/oauth/authorize?client_id=proxy-service&redirect_uri=http://test.[hostname].com/login&response_type=code&state=N2mPnD 302响应标题:位置:https://auth-service-test-[hostname].cfapps.io/login响应标题:Set-Cookie:SESSION = 4d4be900-b461-4a57-b18b-c5e073e04b25;路径= /;安全;仅Http
  5. 获取https://auth-service-test-[hostname].cfapps.io/login请求标头:Cookie:SESSION = 4d4be900-b461-4a57-b18b-c5e073e04b25
  6. POSThttps://auth-service-test-[hostname].cfapps.io/login200请求标头:Cookie:SESSION = 4d4be900-b461-4a57-b18b-c5e073e04b25响应标题:位置:https://auth-service-test-[hostname].cfapps.io/oauth/authorize?client_id=proxy-service&redirect_uri=http://test.[hostname].com/login&response_type=code&state=N2mPnD响应标题:Set-Cookie:SESSION = 661f73be-a34a-4d3a-83d7-c8a8c682d392;路径= /;安全;仅Http
  7. 获取https://auth-service-test-[hostname].cfapps.io/oauth/authorize?client_id=proxy-service&redirect_uri=http://test.[hostname].com/login&response_type=code&state=N2mPnD 302请求标头:Cookie:SESSION = 661f73be-a34a-4d3a-83d7-c8a8c682d392响应标题:位置:http://test.[hostname].com/login?code=o8S3fA&state=N2mPnD响应标题:Set-Cookie:SESSION =;最大年龄= 0; Expires = Thu,1970年1月1日格林尼治标准时间;路径= /;安全;仅Http
  8. 获取http://test.[hostname].com/login?code=o8S3fA&state=N2mPnD 301请求标头:Cookie:JSESSIONID = C0C62552AAE5F7E8A420EEDD1869AA2A; VCAP_ID = b87f667f-ec72-4a1d-6265-5979响应头:位置:https://test.[hostname].com/login?code=o8S3fA&state=N2mPnD
  9. 获取https://test.[hostname].com/login?code=o8S3fA&state=N2mPnD 302请求标头:cookie:cfduid = dd164391fe59500752e3500ab3de6a23c1569423515; JSESSIONID = C0C62552AAE5F7E8A420EEDD1869AA2A; __VCAP_ID = b87f667f-ec72-4a1d-6265-5979响应标头:set-cookie:JSESSIONID = 8B0E676E8BFE337A598BE060EEA76126;路径= /;仅Http响应标头:set-cookie:VCAP_ID = b87f667f-ec72-4a1d-6265-5979;路径= /;仅Http
  10. 获取https://test.[hostname].com/[context路径] / 200
spring-security single-sign-on spring-security-oauth2
1个回答
0
投票
可以在代理中进行修复:

auto-approve-scopes: '.*' # <-- Not for production. 

-或-更改身份验证服务中的代理服务客户端:
clientDetails.setAutoApproveCsv("true");
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.