我对使用Google OAuth2的spring安全相当陌生。
我试图整合Google认证,通过这样做,我从google接收token并将其重定向到我的Auth微服务,在我的db中注册用户,创建一个jwt token并将其设置为cookie。
但我的cookie没有被设置。
我的Zuul WebSecurityConfiguration为
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
// dont authenticate this particular request
.authorizeRequests()
.antMatchers("/", "/index.html", "/user-service/api/v1/sign-in/*").permitAll()
// all other requests need to be authenticated
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.anyRequest().authenticated();
}
}
我的Auth控制器是
@RestController
@RequestMapping("api/v1/sign-in")
public class UserController {
@Autowired
AuthServiceImpl authService;
@Autowired
JwtTokenUtil jwtTokenUtil;
@Autowired
MapperUtil mapperUtil;
@RequestMapping("google")
public UserDetails signIn(@RequestParam(name="code", required = true) String code, @RequestParam(name="state", required = true) String state,
@RequestParam(name="scope", required = true) String scope,
HttpServletResponse response) throws IOException {
// Receive jwt token from google
String authProviderToken = authService.verifyAuthProviderCode(code);
// Extracting user details from the token received above
UserDetails userDetails = mapperUtil.extractUserDetailsFromJwt(authProviderToken.split("\\.")[1]);
// Creating a jwtToken with userDetails inside it. No sensitive google data is set in userDetails
String jwtToken = jwtTokenUtil.generateToken(userDetails);
// Creating a cookie and storing the jwt token inside it
Cookie cookie = new Cookie("oauth_cookie", jwtToken);
cookie.setPath("/");
cookie.setComment("This cookie stores the spryly user authentication session");
cookie.setHttpOnly(true);
response.addCookie(cookie);
// I can see SET-COOKIE in the list of header names, but I cannot see it anywhere in the browser, as well as there is no cookie being set
response.getHeaderNames().forEach(System.out::println);
return userDetails;
}
}
我可以看到SET-COOKIE头在响应中,但浏览器中没有存储任何Cookie,响应中也没有任何SET-HEADER头。
我的Header响应是:
Cache-Control no-cache, no-store, max-age=0, must-revalidate
Connection keep-alive
Content-Type application/json
Date Mon, 11 May 2020 06:33:16 GMT
Expires 0
Keep-Alive timeout=60
Pragma no-cache
Transfer-Encoding chunked
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-XSS-Protection 1; mode=block
请注意,我仍然在localhost中尝试,因此我的连接只有http。
Cookie是Zuul的敏感头,覆盖它。
应用程序.yml
zuul:
sensitive-headers:Cookie,Set-Cookie,Authorization