Spring Cloud Zuul + Undertow + OAuth2: Cannot log in to Zuul

We are using Spring Boot v2.0.4 + Spring Cloud (Finchley release).

We have deployed Zuul, Auth Server, Eureka, and Config Server, each in their own separate applications / processes. We have half a dozen of our own services deployed. We are using OAuth2 authentication for all services. We are using the embedded Undertow container for all apps.

When Zuul uses the embedded Undertow container, we cannot log in: the login page is redisplayed even though the credentials are correct. When Zuul is switched to use the embedded Tomcat container, everything works correctly: logging in brings the user to the correct page. (All other apps use Undertow in both cases.)

When we debug the requests coming through Zuul for Tomcat vs Undertow, we see that the SPRING_SECURITY_CONTEXT session attribute is being set for Tomcat but is not being set for Undertow. I assume this means that the user will be redirected back to the login page, which is why we are seeing that behavior.

We know that it is an issue with Zuul + Tomcat vs. Undertow, since the configuration of all other apps remains exactly the same.

Any ideas? We are really scratching our heads over this one.

It turned out this was caused by a JSESSIONID cookie name conflict between Zuul and Auth Server. Because the Tomcat container has different handling than Wildfly for multiple Set-Cookies of the same name (which is in violation of RFC 6265), we are only seeing it now.

I should have mentioned that we configured the auth server to be behind the Zuul proxy, hence the multiple JSESSIONID cookies.

We fixed this for now by renaming the JSESSIONID cookie name on all back-end servers. We will investigate the best way to do this for production deployment going forward, perhaps by using Spring Session. Any suggestions welcome.
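
The cookie collision described in the answer, as an added example that is not part of the original post: it checks one response's Set-Cookie headers for duplicate names and models which session a client ends up keeping. The header values, Path=/ and the AUTHSESSION name are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (not captured traffic) for one login response
# relayed by the gateway; cookie values and Path=/ are assumptions.
CONFLICT = [
    "JSESSIONID=zuul-111; Path=/; HttpOnly",   # gateway's own session
    "JSESSIONID=auth-222; Path=/; HttpOnly",   # proxied auth server session
]
# Same response after renaming the back-end cookie (AUTHSESSION is hypothetical).
RENAMED = [
    "JSESSIONID=zuul-111; Path=/; HttpOnly",
    "AUTHSESSION=auth-222; Path=/; HttpOnly",
]

def parse_set_cookie(header):
    """Return (name, value, path) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    # Simplification: a missing Path is treated as "/" instead of computing
    # the RFC 6265 default-path from the request URI.
    return name, morsel.value, morsel["path"] or "/"

def duplicate_names(headers):
    """Cookie names set more than once in one response (RFC 6265 sec. 4.1.1
    says servers SHOULD NOT do this)."""
    seen, dups = set(), set()
    for header in headers:
        name = parse_set_cookie(header)[0]
        (dups if name in seen else seen).add(name)
    return sorted(dups)

def client_store(headers):
    """Client-side view for a single host: RFC 6265 sec. 5.3 keys a cookie by
    name, domain and path, so a later match replaces the earlier one."""
    store = {}
    for header in headers:
        name, value, path = parse_set_cookie(header)
        store[(name, path)] = value
    return store

if __name__ == "__main__":
    for label, headers in (("conflict", CONFLICT), ("renamed", RENAMED)):
        print(label, duplicate_names(headers), client_store(headers))
```

In Spring Boot 2.x the servlet session cookie name is set per application with the `server.servlet.session.cookie.name` property.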
