Spring Cloud Security - Allow requests without authentication
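I have an application that allows users to register for an account. Our authentication and user service is UAA, so I need to be able to communicate with its secured endpoints without a user actually being present.
How do I set up Spring Cloud Security to allow calls from one microservice to another, which then communicates with UAA to create the user?
So, there are 2 main microservices in play. The first hosts the web application and forwards calls with Zuul to the second microservice. This microservice communicates with UAA and handles any other application-specific user requests.
I have this WebSecurityConfigurerAdapter on the first microservice (LandingPage):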

    @SpringBootApplication
    @EnableZuulProxy
    @EnableOAuth2Sso
    @EnableEurekaClient
    @EnableAutoConfiguration
    public class LandingPageUiApplication extends WebSecurityConfigurerAdapter {

        public static void main(String[] args) {
            SpringApplication.run(LandingPageUiApplication.class, args);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.csrf().disable().authorizeRequests().anyRequest().permitAll();
        }
    }

And this in the second microservice (UserInformation):

    @SpringBootApplication
    @EnableCircuitBreaker
    @EnableFeignClients
    public class UserInformationServiceApplication {

        public static void main(String[] args) {
            SpringApplication.run(UserInformationServiceApplication.class, args);
        }

        @Bean
        public ModelMapper modelMapper() {
            return new ModelMapper();
        }
    }

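Unfortunately, I am having a hard time accessing the REST endpoints on the first microservice, and I cannot forward anything to the second one either. I generally receive a 401 response code. Their respective application.yaml files are set up to talk to UAA as clients and resource servers.
LandingPage Application.yaml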

    spring:
      application:
        name: Landing Page
      aop:
        proxy-target-class: true

    security:
      oauth2:
        client:
          accessTokenUri: http://localhost:8080/uaa/oauth/token
          userAuthorizationUri: http://localhost:8080/uaa/oauth/authorize
          clientId: landing-page
          clientSecret: landing-page-secret
          scope: openid,uaa.admin,uaa.user
        resource:
          userInfoUri: http://localhost:8080/uaa/userinfo

    zuul:
      routes:
        users:
          serviceId: USER-INFO-SERVICE
          path: /users/**

    server:
      port: 8081

    eureka:
      instance:
        hostname: 127.0.0.1
        nonSecurePort: ${server.port}
        leaseRenewalIntervalInSeconds: 10
        metadataMap:
          instanceId: ${spring.application.name}:${server.port}
      client:
        serviceUrl:
          defaultZone: http://localhost:8761/eureka/
        region: default
        registryFetchIntervalSeconds: 5

and UserInfoService Application.yaml

    server:
      port: 0

    security:
      oauth2:
        client:
          clientId: user-info-service
          clientSecret: app-secret
        resource:
          jwt:
            keyUri: http://localhost:8080/uaa/token_key

    spring:
      application:
        name: user-info-service
      profiles: development,default
      datasource:
        url: jdbc:h2:mem:AZ;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
        driverClassName: org.h2.Driver
        username: sa
        password:
        database-platform: org.hibernate.dialect.H2Dialect

    eureka:
      instance:
        hostname: 127.0.0.1
        nonSecurePort: ${server.port}
        leaseRenewalIntervalInSeconds: 10
        metadataMap:
          instanceId: ${spring.application.name}:${server.port}
      client:
        serviceUrl:
          defaultZone: http://localhost:8761/eureka/
        region: default
        registryFetchIntervalSeconds: 5

Any help is greatly appreciated.

The answer was to put this WebConfigAdapter setup in the parent MS:

    @Configuration
    @EnableOAuth2Sso
    @EnableAutoConfiguration
    protected static class TestConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.csrf().disable().antMatcher("/**")
                .authorizeRequests()
                .anyRequest().permitAll();
        }
    }

and the following in the child MS:

    @Configuration
    @Order(-10)
    @EnableOAuth2Client
    @EnableAutoConfiguration
    protected static class TestConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.csrf().disable().anonymous().authenticationFilter(new AnonymousAuthenticationFilter("HALLO")) //allow anonymous access
                .and()
                .authorizeRequests()
                .antMatchers("/**")
                .permitAll();
        }
    }

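
The configuration above opens every path on both services. A narrower variant for the child service, added here as an example and not part of the original question or answer, lets only the sign-up call through without a user and has the service obtain its own token from UAA with the client_credentials grant. The class name, the /register path and the client_credentials registration of user-info-service in UAA are assumptions; the token URI and property names are the ones shown in the YAML files above.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Hypothetical class for the child (UserInformation) service.
@Configuration
@EnableResourceServer
public class RegistrationSecurityConfig extends ResourceServerConfigurerAdapter {

    // Assumed sign-up path as the child sees it; Zuul strips the
    // "/users" route prefix by default before forwarding.
    private static final String REGISTER_PATH = "/register";

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Only account creation is reachable without a user token.
            .antMatchers(HttpMethod.POST, REGISTER_PATH).permitAll()
            // Every other endpoint still requires a valid bearer token,
            // verified with the key from security.oauth2.resource.jwt.keyUri.
            .anyRequest().authenticated();
    }

    // RestTemplate that authenticates to UAA as the service itself
    // (client_credentials), so no end user has to be present.
    @Bean
    public OAuth2RestTemplate uaaRestTemplate(
            @Value("${security.oauth2.client.clientId}") String clientId,
            @Value("${security.oauth2.client.clientSecret}") String clientSecret) {
        ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails();
        // Token endpoint taken from the LandingPage YAML on this page.
        details.setAccessTokenUri("http://localhost:8080/uaa/oauth/token");
        details.setClientId(clientId);
        details.setClientSecret(clientSecret);
        return new OAuth2RestTemplate(details);
    }
}
```

With this in place the registration handler injects uaaRestTemplate for its calls to UAA, and the broad scopes (uaa.admin) stay on the service client instead of being implied by an open /** matcher.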