TokenRelayGatewayFilterFactory 保护了所有 URL
TokenRelayGatewayFilterFactory protecting all URLs
我有一个项目 https://github.com/ndrone/sample-gateway-oauth2login/tree/feature/allowAllToHealth,我正在尝试让某个特定的 URL 对任何请求者开放。在这种情况下,它是 Actuator 的健康端点;同时要保护所有其他 Actuator 端点。我发现 TokenRelayGatewayFilterFactory
被应用于所有路由,尽管它只被设置为应用于一条路由。不确定我哪里做错了。
资源服务中的安全配置
@EnableWebFluxSecurity
public class SecurityConfig {

    /**
     * Builds the resource server's security filter chain.
     *
     * <p>Authorization rules are consulted in declaration order, so the open
     * health endpoint is declared before the broader {@code /manage/**} rule that
     * demands the {@code SCOPE_resource.read} authority; otherwise the health
     * probe would be caught by the protected rule. Everything not listed
     * explicitly requires an authenticated caller, and bearer tokens are
     * validated as JWTs.
     *
     * @param http the reactive security builder supplied by Spring
     * @return the assembled filter chain
     * @throws Exception kept on the signature for compatibility with the
     *                   original declaration
     */
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
        http.authorizeExchange()
                // Health is reachable without credentials; must precede /manage/**.
                .pathMatchers("/manage/health").permitAll()
                // The resource and the remaining actuator endpoints need the read scope.
                .pathMatchers("/resource", "/manage/**").hasAuthority("SCOPE_resource.read")
                // Anything else still requires an authenticated principal.
                .anyExchange().authenticated()
                .and()
                // Incoming access tokens are validated as JWTs.
                .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}
网关路由
@Controller
@SpringBootApplication
public class GatewayApplication {

    /** Downstream resource server every route below forwards to. */
    private static final String RESOURCE_URI = "http://localhost:9000";

    /** Factory for the filter that relays the caller's access token downstream. */
    @Autowired
    private TokenRelayGatewayFilterFactory filterFactory;

    /**
     * Declares the gateway routes.
     *
     * <p>Only the two protected routes attach the token relay filter; the health
     * route forwards without it. {@code stripPrefix(1)} drops the leading
     * {@code /resource} segment before forwarding, so {@code /resource/manage/health}
     * reaches the backend as {@code /manage/health}.
     *
     * <p>NOTE: whether a route can actually be reached without logging in is
     * decided by the gateway's own {@code SecurityWebFilterChain}, not by the
     * route definition here.
     *
     * @param builder route builder supplied by Spring Cloud Gateway
     * @return the route table
     */
    @Bean
    public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {
        //@formatter:off
        return builder.routes()
                // Health probe: no token relay.
                .route("resource-health", spec -> spec.path("/resource/manage/health")
                        .filters(chain -> chain.stripPrefix(1))
                        .uri(RESOURCE_URI))
                // Remaining actuator endpoints: strip prefix, then relay the token.
                .route("resource-actuator-protected", spec -> spec.path("/resource/manage/**")
                        .filters(chain -> chain.stripPrefix(1).filter(filterFactory.apply()))
                        .uri(RESOURCE_URI))
                // The resource itself: relay the token, path unchanged.
                .route("resource", spec -> spec.path("/resource")
                        .filters(chain -> chain.filter(filterFactory.apply()))
                        .uri(RESOURCE_URI))
                .build();
        //@formatter:on
    }

    /**
     * Renders the landing page with details of the logged-in user and the
     * OAuth2 client registration that authorized them.
     *
     * @param model            view model to populate
     * @param authorizedClient the client authorized for the current user
     * @param oauth2User       the authenticated principal
     * @return the {@code index} view name
     */
    @GetMapping("/")
    public String index(Model model,
                        @RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient,
                        @AuthenticationPrincipal OAuth2User oauth2User) {
        model.addAttribute("userName", oauth2User.getName())
             .addAttribute("clientName", authorizedClient.getClientRegistration().getClientName())
             .addAttribute("userAttributes", oauth2User.getAttributes());
        return "index";
    }

    /** Boots the gateway application. */
    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}
因为我没有在网关中显式编写 Spring Security 配置,Spring Security 默认保护了所有 URL。在深入研究 jgrandja 的示例及其分支源码之后,我需要添加以下内容。
/**
 * Explicit security chain for the gateway.
 *
 * <p>Mirrors
 * {@link org.springframework.boot.actuate.autoconfigure.security.reactive.ReactiveManagementWebSecurityAutoConfiguration}
 * and adds the {@code oauth2Login()} specific configuration, following the
 * changes made by jgrandja. Without an explicit chain Spring Security protects
 * every URL of the gateway, which is why the health route appeared to be
 * subject to the token relay.
 *
 * @see <a href="https://github.com/jgrandja/oauth2login-gateway/commit/51a28f91b7a71d71522d14d0cb5f1fa717033f42">OAuth</a>
 * @author nd26434 on 2019-06-21.
 */
@Configuration
@ConditionalOnClass({ EnableWebFluxSecurity.class, WebFilterChainProxy.class })
@ConditionalOnMissingBean({ SecurityWebFilterChain.class, WebFilterChainProxy.class })
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
@AutoConfigureBefore(ReactiveSecurityAutoConfiguration.class)
@AutoConfigureAfter({ HealthEndpointAutoConfiguration.class,
        InfoEndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class,
        ReactiveOAuth2ClientAutoConfiguration.class,
        ReactiveOAuth2ResourceServerAutoConfiguration.class })
class SecurityConfig {

    /** Authorization endpoint of the {@code login-client} registration used for the login redirect. */
    private static final String LOGIN_REDIRECT = "/oauth2/authorization/login-client";

    /**
     * Builds the gateway's security filter chain.
     *
     * <p>The gateway's own health and info actuator endpoints plus the literal
     * {@code /manage/health} path are open to anyone; every other exchange must
     * be authenticated via OAuth2 login, and unauthenticated requests are
     * redirected to the authorization endpoint instead of receiving a 401.
     *
     * @param http the reactive security builder supplied by Spring
     * @return the assembled filter chain
     */
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // @formatter:off
        return http.authorizeExchange()
                // Gateway actuator: health and info are unauthenticated.
                // NOTE(review): info can expose build/git details to anonymous callers — confirm intended.
                .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // Resource actuator health.
                // NOTE(review): matched against the gateway's request path, while the
                // proxied health route is exposed as /resource/manage/health — confirm
                // which path this rule is meant to open.
                .pathMatchers("/manage/health").permitAll()
                // Everything else needs an authenticated principal.
                .anyExchange().authenticated()
                .and()
                .oauth2Login()
                .and()
                .exceptionHandling()
                // Needed to auto-redirect unauthenticated callers to UAA for authentication.
                .authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint(LOGIN_REDIRECT))
                .and()
                .build();
        // @formatter:on
    }
}
工作分支:https://github.com/ndrone/sample-gateway-oauth2login/tree/feature/allowAllToHealth
我有一个项目 https://github.com/ndrone/sample-gateway-oauth2login/tree/feature/allowAllToHealth,我正在尝试让某个特定的 URL 对任何请求者开放。在这种情况下,它是 Actuator 的健康端点;同时要保护所有其他 Actuator 端点。我发现 TokenRelayGatewayFilterFactory
被应用于所有路由,尽管它只被设置为应用于一条路由。不确定我哪里做错了。
资源服务中的安全配置
@EnableWebFluxSecurity
public class SecurityConfig {

    /**
     * Builds the resource server's security filter chain.
     *
     * <p>Authorization rules are consulted in declaration order, so the open
     * health endpoint is declared before the broader {@code /manage/**} rule that
     * demands the {@code SCOPE_resource.read} authority; otherwise the health
     * probe would be caught by the protected rule. Everything not listed
     * explicitly requires an authenticated caller, and bearer tokens are
     * validated as JWTs.
     *
     * @param http the reactive security builder supplied by Spring
     * @return the assembled filter chain
     * @throws Exception kept on the signature for compatibility with the
     *                   original declaration
     */
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
        http.authorizeExchange()
                // Health is reachable without credentials; must precede /manage/**.
                .pathMatchers("/manage/health").permitAll()
                // The resource and the remaining actuator endpoints need the read scope.
                .pathMatchers("/resource", "/manage/**").hasAuthority("SCOPE_resource.read")
                // Anything else still requires an authenticated principal.
                .anyExchange().authenticated()
                .and()
                // Incoming access tokens are validated as JWTs.
                .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}
网关路由
@Controller
@SpringBootApplication
public class GatewayApplication {

    /** Downstream resource server every route below forwards to. */
    private static final String RESOURCE_URI = "http://localhost:9000";

    /** Factory for the filter that relays the caller's access token downstream. */
    @Autowired
    private TokenRelayGatewayFilterFactory filterFactory;

    /**
     * Declares the gateway routes.
     *
     * <p>Only the two protected routes attach the token relay filter; the health
     * route forwards without it. {@code stripPrefix(1)} drops the leading
     * {@code /resource} segment before forwarding, so {@code /resource/manage/health}
     * reaches the backend as {@code /manage/health}.
     *
     * <p>NOTE: whether a route can actually be reached without logging in is
     * decided by the gateway's own {@code SecurityWebFilterChain}, not by the
     * route definition here.
     *
     * @param builder route builder supplied by Spring Cloud Gateway
     * @return the route table
     */
    @Bean
    public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {
        //@formatter:off
        return builder.routes()
                // Health probe: no token relay.
                .route("resource-health", spec -> spec.path("/resource/manage/health")
                        .filters(chain -> chain.stripPrefix(1))
                        .uri(RESOURCE_URI))
                // Remaining actuator endpoints: strip prefix, then relay the token.
                .route("resource-actuator-protected", spec -> spec.path("/resource/manage/**")
                        .filters(chain -> chain.stripPrefix(1).filter(filterFactory.apply()))
                        .uri(RESOURCE_URI))
                // The resource itself: relay the token, path unchanged.
                .route("resource", spec -> spec.path("/resource")
                        .filters(chain -> chain.filter(filterFactory.apply()))
                        .uri(RESOURCE_URI))
                .build();
        //@formatter:on
    }

    /**
     * Renders the landing page with details of the logged-in user and the
     * OAuth2 client registration that authorized them.
     *
     * @param model            view model to populate
     * @param authorizedClient the client authorized for the current user
     * @param oauth2User       the authenticated principal
     * @return the {@code index} view name
     */
    @GetMapping("/")
    public String index(Model model,
                        @RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient,
                        @AuthenticationPrincipal OAuth2User oauth2User) {
        model.addAttribute("userName", oauth2User.getName())
             .addAttribute("clientName", authorizedClient.getClientRegistration().getClientName())
             .addAttribute("userAttributes", oauth2User.getAttributes());
        return "index";
    }

    /** Boots the gateway application. */
    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}
因为我没有在网关中显式编写 Spring Security 配置,Spring Security 默认保护了所有 URL。在深入研究 jgrandja 的示例及其分支源码之后,我需要添加以下内容。
/**
 * Explicit security chain for the gateway.
 *
 * <p>Mirrors
 * {@link org.springframework.boot.actuate.autoconfigure.security.reactive.ReactiveManagementWebSecurityAutoConfiguration}
 * and adds the {@code oauth2Login()} specific configuration, following the
 * changes made by jgrandja. Without an explicit chain Spring Security protects
 * every URL of the gateway, which is why the health route appeared to be
 * subject to the token relay.
 *
 * @see <a href="https://github.com/jgrandja/oauth2login-gateway/commit/51a28f91b7a71d71522d14d0cb5f1fa717033f42">OAuth</a>
 * @author nd26434 on 2019-06-21.
 */
@Configuration
@ConditionalOnClass({ EnableWebFluxSecurity.class, WebFilterChainProxy.class })
@ConditionalOnMissingBean({ SecurityWebFilterChain.class, WebFilterChainProxy.class })
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
@AutoConfigureBefore(ReactiveSecurityAutoConfiguration.class)
@AutoConfigureAfter({ HealthEndpointAutoConfiguration.class,
        InfoEndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class,
        ReactiveOAuth2ClientAutoConfiguration.class,
        ReactiveOAuth2ResourceServerAutoConfiguration.class })
class SecurityConfig {

    /** Authorization endpoint of the {@code login-client} registration used for the login redirect. */
    private static final String LOGIN_REDIRECT = "/oauth2/authorization/login-client";

    /**
     * Builds the gateway's security filter chain.
     *
     * <p>The gateway's own health and info actuator endpoints plus the literal
     * {@code /manage/health} path are open to anyone; every other exchange must
     * be authenticated via OAuth2 login, and unauthenticated requests are
     * redirected to the authorization endpoint instead of receiving a 401.
     *
     * @param http the reactive security builder supplied by Spring
     * @return the assembled filter chain
     */
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // @formatter:off
        return http.authorizeExchange()
                // Gateway actuator: health and info are unauthenticated.
                // NOTE(review): info can expose build/git details to anonymous callers — confirm intended.
                .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // Resource actuator health.
                // NOTE(review): matched against the gateway's request path, while the
                // proxied health route is exposed as /resource/manage/health — confirm
                // which path this rule is meant to open.
                .pathMatchers("/manage/health").permitAll()
                // Everything else needs an authenticated principal.
                .anyExchange().authenticated()
                .and()
                .oauth2Login()
                .and()
                .exceptionHandling()
                // Needed to auto-redirect unauthenticated callers to UAA for authentication.
                .authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint(LOGIN_REDIRECT))
                .and()
                .build();
        // @formatter:on
    }
}
工作分支:https://github.com/ndrone/sample-gateway-oauth2login/tree/feature/allowAllToHealth