Zuul 代理和 Spring OAuth 重定向问题

Posted

技术标签:

【中文标题】Zuul 代理和 Spring OAuth 重定向问题【英文标题】:Zuul proxy and Spring OAuth redirection issue 【发布时间】:2017-04-24 20:10:04 【问题描述】:

我正在尝试从第三方 SSO 服务器获取 JWT 令牌。在第一次授权请求中需要一个额外的参数,例如

https://[third-party-sso-server]/oauth2/authorize?client_id=[my-client-id]&redirect_uri=http://localhost:8080/login&response_type=code&additional_param=[value]

但是 Spring Security 有标准的重定向 URI: https://[third-party-sso-server]/oauth2/authorize?client_id=[my-client-id]&redirect_uri=http://localhost:8080/login&response_type=code&state=[state-value] 所以我不能使用任何过滤器或 HeaderWriter 添加这个附加参数。而且我无法使用 DefaultRedirectStrategy 类更改重定向策略。 我的代码基于本教程https://spring.io/guides/tutorials/spring-boot-oauth2/#_social_login_manual

`

package hello;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.context.annotation.Bean;
import hello.filters.pre.SimpleFilter;
import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;

@SpringBootApplication
@EnableZuulProxy
@EnableOAuth2Client
public class GatewayApplication extends WebSecurityConfigurerAdapter 

    @Autowired
    OAuth2ClientContext oauth2ClientContext;

    public static void main(String[] args) 
        SpringApplication.run(GatewayApplication.class, args);
    

    @Bean
    public SimpleFilter simpleFilter() 
        return new SimpleFilter();
    

    private Filter ssoFilter() 
        OAuth2ClientAuthenticationProcessingFilter customFilter = new OAuth2ClientAuthenticationProcessingFilter("/login");
        OAuth2RestTemplate customTemplate = new OAuth2RestTemplate(thirdPartySso(), oauth2ClientContext);
        customFilter.setRestTemplate(customTemplate);
        customFilter.setTokenServices(new UserInfoTokenServices(myResource().getUserInfoUri(), thirdPartySso().getClientId()));
        return customFilter;
    

    @Bean
    @ConfigurationProperties("security.oauth2.client")
    public AuthorizationCodeResourceDetails thirdPartySso() 
        return new AuthorizationCodeResourceDetails();
    

    @Bean
    @ConfigurationProperties("security.oauth2.resource")
    public ResourceServerProperties myResource() 
        return new ResourceServerProperties();
    

    @Override
    public void configure(HttpSecurity http) throws Exception 
        // It doesn't work
        //http.headers().addHeaderWriter(new StaticHeadersWriter("Location","new location"));

        http.antMatcher("/**").addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class)
                .authorizeRequests().antMatchers("/").authenticated();

Spring Boot configuration file: 

server:
  port: 8090

zuul:
    routes :
        admin :
            path: /api/admin/**
            url : http://localhost:2222/admin            

security:
  oauth2:
    client:
      clientId: [clientid]
      clientSecret: [secret]
      accessTokenUri: https://[third-party-uri]/oauth2/token
      userAuthorizationUri: https://[third-party-uri]/adfs/oauth2/authorize
      useCurrentUri : false
      tokenName: accessToken
      authenticationScheme: query
      clientAuthenticationScheme: form
    resource:
      userInfoUri: http://localhost:5555/oauth2/token

spring:
  application:
    name: zuul-server

ribbon:
  eureka:
    enabled: false

`

【问题讨论】:

【参考方案1】:

我刚刚通过添加额外的过滤器解决了这个问题并更改了默认重定向策略

`

       ...
        @Override
            public void configure(HttpSecurity http) throws Exception 
                http.antMatcher("/**").addFilterBefore(ssoFilter(),       BasicAuthenticationFilter.class).addFilterAfter(oAuth2ClientContextFilterFilter(), SecurityContextPersistenceFilter.class)
                        .authorizeRequests().antMatchers("/").authenticated();
            

            public Filter oAuth2ClientContextFilterFilter() 
            
                OAuth2ClientContextFilter  filter = new OAuth2ClientContextFilter();
                filter.setRedirectStrategy(new CustomRedirectStrategy());
                return filter;
            
        ...

    public class CustomRedirectStrategy extends DefaultRedirectStrategy 

    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException 
        super.sendRedirect(request, response, url+"&additional_param=value");

`

【讨论】:

以上是关于Zuul 代理和 Spring OAuth 重定向问题的主要内容,如果未能解决你的问题,请参考以下文章

Zuul代理oAuth2在Spring Boot中未经授权

启用使用 spring cloud oauth2 访问 2 zuul 代理后面的资源

在 REST 微服务上使用 Zuul Proxy、Oauth2 实现身份验证和授权

Spring Security Oauth2:无效的重定向 url

使用 Spring boot、Eureka、Zuul、Spring Oauth 创建 OAuth 安全微服务的问题

Spring boot zuul错误重定向请求