zuul背后的springboot微服务运行没有设置cookie
Springboot Microservice running behind zuul not setting cookies
我对使用 Google OAuth2 的 spring 安全性还很陌生。
我正在尝试集成 Google 身份验证,通过这样做,我从 google 接收令牌并将其重定向到我的身份验证 micro-service,注册我数据库中的用户,创建一个 jwt 令牌并将其设置为 cookie。
但是我的 cookie 没有设置。
我的 Zuul WebSecurityConfiguration 是
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
// dont authenticate this particular request
.authorizeRequests()
.antMatchers("/", "/index.html", "/user-service/api/v1/sign-in/*").permitAll()
// all other requests need to be authenticated
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.anyRequest().authenticated();
}
}
我的授权控制器是
@RestController
@RequestMapping("api/v1/sign-in")
public class UserController {
@Autowired
AuthServiceImpl authService;
@Autowired
JwtTokenUtil jwtTokenUtil;
@Autowired
MapperUtil mapperUtil;
@RequestMapping("google")
public UserDetails signIn(@RequestParam(name="code", required = true) String code, @RequestParam(name="state", required = true) String state,
@RequestParam(name="scope", required = true) String scope,
HttpServletResponse response) throws IOException {
// Receive jwt token from google
String authProviderToken = authService.verifyAuthProviderCode(code);
// Extracting user details from the token received above
UserDetails userDetails = mapperUtil.extractUserDetailsFromJwt(authProviderToken.split("\.")[1]);
// Creating a jwtToken with userDetails inside it. No sensitive google data is set in userDetails
String jwtToken = jwtTokenUtil.generateToken(userDetails);
// Creating a cookie and storing the jwt token inside it
Cookie cookie = new Cookie("oauth_cookie", jwtToken);
cookie.setPath("/");
cookie.setComment("This cookie stores the spryly user authentication session");
cookie.setHttpOnly(true);
response.addCookie(cookie);
// I can see SET-COOKIE in the list of header names, but I cannot see it anywhere in the browser, as well as there is no cookie being set
response.getHeaderNames().forEach(System.out::println);
return userDetails;
}
}
我可以在响应中看到 SET-COOKIE header,但是浏览器中没有存储 cookie,也没有任何 header SET-HEADER回应
我的 Header 回复是:
Cache-Control no-cache, no-store, max-age=0, must-revalidate
Connection keep-alive
Content-Type application/json
Date Mon, 11 May 2020 06:33:16 GMT
Expires 0
Keep-Alive timeout=60
Pragma no-cache
Transfer-Encoding chunked
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-XSS-Protection 1; mode=block
请注意,我仍在本地主机上尝试,因此我的连接仅为 http。
Cookie是Zuul中的敏感头,覆盖掉它。
application.yml
zuul:
sensitive-headers:Cookie,Set-Cookie,Authorization
引用
我对使用 Google OAuth2 的 spring 安全性还很陌生。
我正在尝试集成 Google 身份验证,通过这样做,我从 google 接收令牌并将其重定向到我的身份验证 micro-service,注册我数据库中的用户,创建一个 jwt 令牌并将其设置为 cookie。
但是我的 cookie 没有设置。
我的 Zuul WebSecurityConfiguration 是
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
// dont authenticate this particular request
.authorizeRequests()
.antMatchers("/", "/index.html", "/user-service/api/v1/sign-in/*").permitAll()
// all other requests need to be authenticated
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.anyRequest().authenticated();
}
}
我的授权控制器是
@RestController
@RequestMapping("api/v1/sign-in")
public class UserController {
@Autowired
AuthServiceImpl authService;
@Autowired
JwtTokenUtil jwtTokenUtil;
@Autowired
MapperUtil mapperUtil;
@RequestMapping("google")
public UserDetails signIn(@RequestParam(name="code", required = true) String code, @RequestParam(name="state", required = true) String state,
@RequestParam(name="scope", required = true) String scope,
HttpServletResponse response) throws IOException {
// Receive jwt token from google
String authProviderToken = authService.verifyAuthProviderCode(code);
// Extracting user details from the token received above
UserDetails userDetails = mapperUtil.extractUserDetailsFromJwt(authProviderToken.split("\.")[1]);
// Creating a jwtToken with userDetails inside it. No sensitive google data is set in userDetails
String jwtToken = jwtTokenUtil.generateToken(userDetails);
// Creating a cookie and storing the jwt token inside it
Cookie cookie = new Cookie("oauth_cookie", jwtToken);
cookie.setPath("/");
cookie.setComment("This cookie stores the spryly user authentication session");
cookie.setHttpOnly(true);
response.addCookie(cookie);
// I can see SET-COOKIE in the list of header names, but I cannot see it anywhere in the browser, as well as there is no cookie being set
response.getHeaderNames().forEach(System.out::println);
return userDetails;
}
}
我可以在响应中看到 SET-COOKIE header,但是浏览器中没有存储 cookie,也没有任何 header SET-HEADER回应
我的 Header 回复是:
Cache-Control no-cache, no-store, max-age=0, must-revalidate
Connection keep-alive
Content-Type application/json
Date Mon, 11 May 2020 06:33:16 GMT
Expires 0
Keep-Alive timeout=60
Pragma no-cache
Transfer-Encoding chunked
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-XSS-Protection 1; mode=block
请注意,我仍在本地主机上尝试,因此我的连接仅为 http。
Cookie是Zuul中的敏感头,覆盖掉它。
application.yml
zuul:
sensitive-headers:Cookie,Set-Cookie,Authorization
引用