JHipster 微服务 CORS

【问题标题】:JHipster Microservice CORSJHipster 微服务 CORS
【发布时间】:2021-08-26 17:43:13
【问题描述】:

有没有办法通过网关访问微服务 API 而无需身份验证?例如,如果我有一个需要从微服务 API 读取数据的公共登录页面。我启用了 CORS 并通过 Swagger 测试了 API,它在网关应用程序中运行良好;但是,如果我使用 CURL 调用 API,则会收到未经授权的错误。

这是我要执行的 CURL 命令:

curl -X 'GET' \
  'http://localhost:8080/services/tajvoteservice/api/landing-page-by-organizations' \
  -H 'accept: */*' \
  -H 'X-XSRF-TOKEN: 5d3e3faf-3a3d-4905-bdea-f5ce305d3672'

这是我得到的错误:

{"type":"https://www.jhipster.tech/problem/problem-with-message","title":"Unauthorized","status":401,"detail":"Not Authenticated","path":"/services/tajvoteservice/api/landing-page-by-organizations","message":"error.http.401"}%

这是我的 SecurityConfiguration.java 配置方法:

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .csrf()
            .disable()
            .exceptionHandling()
                .authenticationEntryPoint(problemSupport)
                .accessDeniedHandler(problemSupport)
        .and()
            .headers()
            .contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
        .and()
            .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
        .and()
            .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none'")
        .and()
            .frameOptions()
            .deny()
        .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
            .authorizeRequests()
            .antMatchers("/api/auth-info").permitAll()
            .antMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/api/landing-page-by-organizations/**").permitAll()
            .antMatchers("/api/**").authenticated()
            .antMatchers("/management/health").permitAll()
            .antMatchers("/management/health/**").permitAll()
            .antMatchers("/management/info").permitAll()
            .antMatchers("/management/prometheus").permitAll()
            .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .and()
            .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(authenticationConverter())
                .and()
            .and()
                .oauth2Client();
        // @formatter:on
    }

请指教。

【问题讨论】:

  • 你检查过哪个应用触发了http 401:网关还是服务?
  • 感谢您的提问。它来自网关。我通过关闭服务并运行 CURL 命令对此进行了测试;我仍然遇到同样的错误。
  • 但是您添加到 SecurityConfiguration 的 permitAll() 来自微服务,对吧?您是否尝试在网关中做同样的事情?蚂蚁匹配器应该类似于“/services/tajvoteservice/api/landing-page-by-organizations”。另外,我不明白你为什么在关于授权的问题中提到 CORS。
  • 我的 CORS 问题是:对于仅来自 www.travelodgefloridacity.com 上托管的客户端的“GET”请求,我如何限制对“saathratri.com/services/tajvoteservice/api/…”的访问? Marziou 先生概述的解决方案及其在此 StackOverflow 线程中显示的实现代码向任何连接到 Internet 的客户端打开资源“saathratri.com/services/tajvoteservice/api/…”。

标签: spring-boot jhipster jhipster-gateway


【解决方案1】:

谢谢 Marziou 先生。我在网关的 SecurityConfiguration.java 中的 springSecurityFilterChain 方法中添加了路径匹配器:

          .pathMatchers("/services/tajvoteservice/api/landing-page-by-organizations/**").permitAll()

所以我的网关SecurityConfiguration的springSecurityFilterChain方法如下:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // @formatter:off
        http
            .securityMatcher(new NegatedServerWebExchangeMatcher(new OrServerWebExchangeMatcher(
                pathMatchers("/app/**", "/i18n/**", "/content/**", "/swagger-ui/**", "/swagger-resources/**", "/v2/api-docs", "/v3/api-docs", "/test/**"),
                pathMatchers(HttpMethod.OPTIONS, "/**")
            )))
            .csrf()
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
        .and()
            // See https://github.com/spring-projects/spring-security/issues/5766
            .addFilterAt(new CookieCsrfFilter(), SecurityWebFiltersOrder.REACTOR_CONTEXT)
            .addFilterAt(new SpaWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
            .exceptionHandling()
                .accessDeniedHandler(problemSupport)
                .authenticationEntryPoint(problemSupport)
        .and()
            .headers()
            .contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
            .and()
                .referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            .and()
                .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none'")
            .and()
                .frameOptions().disable()
        .and()
            .authorizeExchange()
            .pathMatchers("/").permitAll()
            .pathMatchers("/*.*").permitAll()
            .pathMatchers("/api/auth-info").permitAll()
            .pathMatchers("/services/tajvoteservice/api/landing-page-by-organizations/**").permitAll()
            .pathMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .pathMatchers("/api/**").authenticated()
            .pathMatchers("/services/**").authenticated()
            .pathMatchers("/management/health").permitAll()
            .pathMatchers("/management/health/**").permitAll()
            .pathMatchers("/management/info").permitAll()
            .pathMatchers("/management/prometheus").permitAll()
            .pathMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);

        http.oauth2Login()
            .and()
            .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(jwtAuthenticationConverter());
        http.oauth2Client();

        // WebFlux
        http.redirectToHttps(redirect -> redirect
            .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")));

        // @formatter:on
        return http.build();
    }

现在我可以运行 CURL 命令了:

curl -X 'GET' \
  'http://localhost:8080/services/tajvoteservice/api/landing-page-by-organizations/acfad1dd-2570-4900-a5c2-8f496f88527c'

瞧,我有带有组织信息的 JSON 数据!

再次感谢 Marziou 先生!

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 2018-01-02
    • 2016-11-22
    • 1970-01-01
    • 2018-03-29
    • 2018-12-10
    • 2018-08-06
    • 2017-07-12
    • 2022-08-13
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode