堆栈内存溢出
  简体   繁体   English

Springboot如何在Zuul微服务上验证token

[英]Springboot how to validate token on Zuul microservice

 原文  2020-04-30 16:28:29       java/ spring-boot/ jwt/ netflix-zuul

问题描述

I am new to Springboot and im trying to filter requests through a Zuul API gateway however i get the error below:我是 Springboot 的新手,我试图通过 Zuul API 网关过滤请求,但是我收到以下错误:

AnonymousAuthenticationToken cannot be cast to org.aacctt.ms.auth.security.JWTAuthentication AnonymousAuthenticationToken 无法转换为 org.aacctt.ms.auth.security.JWTAuthentication

When i put a breakpoint i get a null header/token string value when the request reaches the authentication service from zuul gateway, this happens for protected requests that require an authorization token.当我放置断点时,当请求从 zuul 网关到达身份验证服务时,我得到一个 null 标头/令牌字符串值,这发生在需要授权令牌的受保护请求上。

My aim is to be able to verify the token sent by clients so that i can allow the client's request to protected endpoints or reject it.我的目标是能够验证客户端发送的令牌,以便我可以允许客户端对受保护端点的请求或拒绝它。

Im not sure what im doing wrong here is my code:我不确定我在这里做错了什么是我的代码:

Auth Service认证服务


@Component
public class JWTAuthorizationFilter extends GenericFilterBean {

    private static final Logger LOG = LoggerFactory.getLogger(JWTAuthorizationFilter.class);

    private static final String HEADER_STRING = "Authorization";
    public static final String TOKEN_PREFIX = "Bearer ";

    @Value("${jwt.encryption.secret}")
    private String SECRET;

    @Value("${jwt.access.token.expiration.seconds}")
    private long EXPIRATION_TIME_IN_SECONDS;


    public String generateAccessToken(long userId) {
        return JWT.create()
                .withSubject(String.valueOf(userId))
                .withIssuedAt(new Date())
                .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME_IN_SECONDS * 1000))
                .sign(Algorithm.HMAC256(SECRET.getBytes()));
    }



    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String header = httpRequest.getHeader(HEADER_STRING);  // this is null

        if (header == null || !header.startsWith(TOKEN_PREFIX)) {
            chain.doFilter(httpRequest, httpResponse);
            return;
        }

        SecurityContextHolder.getContext().setAuthentication(getAuthentication(header));
        chain.doFilter(httpRequest, httpResponse);
    }

    private Authentication getAuthentication(String token) {

        final String username;
        try {
            DecodedJWT jwt = JWT.require(Algorithm.HMAC256(SECRET.getBytes()))
                    .build()
                    .verify(token.replace(TOKEN_PREFIX, ""));
            username = jwt.getSubject();
        } catch (JWTVerificationException e) {
            LOG.debug("Invalid JWT", e);
            return null;
        }

        final Long userId;
        try {
            userId = Long.valueOf(username);
        } catch (NumberFormatException e) {
            LOG.debug("Invalid JWT. Username is not an user ID");
            return null;
        }

        LOG.debug("Valid JWT. User ID: " + userId);

        return new JWTAuthentication(userId);
    }

}

在此处输入图像描述

WebSecurityConfig网络安全配置


@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final JWTAuthorizationFilter jwtAuthorizationFilter;

    public WebSecurityConfig(JWTAuthorizationFilter jwtAuthorizationFilter) {
        this.jwtAuthorizationFilter = jwtAuthorizationFilter;
    }

    @Bean
    public AuthenticationEntryPoint authenticationEntryPoint() {
        return (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().disable();
        http.csrf().disable();
        http.addFilterAfter(jwtAuthorizationFilter, BasicAuthenticationFilter.class);
        http.authorizeRequests()
                .antMatchers("/**").permitAll()
                .antMatchers(AccountController.PATH_POST_SIGN_UP).permitAll()
                .antMatchers(AccountController.PATH_POST_REFRESH).permitAll()
                .antMatchers(AccountController.PATH_POST_LOGIN).permitAll()
                .antMatchers("/v2/api-docs",
                        "/swagger-resources/configuration/ui",
                        "/swagger-resources",
                        "/swagger-resources/configuration/security",
                        "/swagger-ui.html",
                        "/webjars/**").permitAll()
                .anyRequest().authenticated()
        ;
         http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}

JWTAuthentication JWT身份验证

public class JWTAuthentication implements Authentication {

    private final long userId;

    public JWTAuthentication(long userId) {
        this.userId = userId;
    }

    @Override public Collection<? extends GrantedAuthority> getAuthorities() {
        return Collections.emptySet();
    }

    @Override public Object getCredentials() {
        return null;
    }

    @Override public Object getDetails() {
        return null;
    }

    public long getUserId() {
        return userId;
    }

    @Override public Long getPrincipal() {
        return userId;
    }

    @Override public boolean isAuthenticated() {
        return true;
    }

    @Override public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        throw new UnsupportedOperationException("JWT authentication is always authenticated");
    }

    @Override public String getName() {
        return String.valueOf(userId);
    }
}

SecurityService安保服务

@Service
public class SecurityService {

    public long getLoggedUserId() {
        JWTAuthentication authentication = (JWTAuthentication) SecurityContextHolder.getContext().getAuthentication();
        return authentication.getUserId();
    }

}

Zuul Gateway祖尔网关


public class AuthorizationFilter extends BasicAuthenticationFilter {

    private static final Logger LOG = LoggerFactory.getLogger(AuthorizationFilter.class);
    private static final String HEADER_STRING = "Authorization";
    public static final String TOKEN_PREFIX = "Bearer ";

    Environment environment;

    public AuthorizationFilter(AuthenticationManager authManager, Environment environment) {
        super(authManager);
        this.environment = environment;
    }


    @Override
    protected void doFilterInternal(HttpServletRequest req,
            HttpServletResponse res,
            FilterChain chain) throws IOException, ServletException {

        String authorizationHeader = req.getHeader(environment.getProperty("authorization.token.header.name"));

        if (authorizationHeader == null || !authorizationHeader.startsWith(environment.getProperty("authorization.token.header.prefix"))) {
            chain.doFilter(req, res);
            return;
        }

        UsernamePasswordAuthenticationToken authentication = getAuthentication(req);

        SecurityContextHolder.getContext().setAuthentication(authentication);
        chain.doFilter(req, res);
    }  

    private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest req) {

        String token = req.getHeader(HEADER_STRING);

        final String username;
        try {
            DecodedJWT jwt = JWT.require(Algorithm.HMAC256(environment.getProperty("token.secret").getBytes()))
                    .build()
                    .verify(token.replace(TOKEN_PREFIX, ""));
            username = jwt.getSubject();
        } catch (JWTVerificationException e) {
            LOG.debug("Invalid JWT", e);
            return null;
        }

        final Long userId;
        try {
            userId = Long.valueOf(username);
        } catch (NumberFormatException e) {
            LOG.debug("Invalid JWT. Username is not an user ID");
            return null;
        }

        LOG.debug("Valid JWT. User ID: " + userId);

         return new UsernamePasswordAuthenticationToken(userId, null, new ArrayList<>());

     }
}

1 个解决方案

解决方案1
 2 已采纳  2020-04-30 18:14:40

The issue is the sensitive header, Authorization is sensitive header by default in Zuul, you just need to override the sensitive headers.问题是敏感的 header, Authorization在 Zuul 中默认是敏感的 header,您只需要覆盖敏感的标头即可。

zuul:
  sensitive-headers:
  -

By setting this property in Zuul gateway application.yml it route request to auth service with the Authorization header通过在 Zuul 网关 application.yml 中设置此属性,它将请求路由到Authorization服务 header

Reference only:仅供参考:

Auth Service reference身份验证服务参考

JWT based authentication https://github.com/nikhilmalavia/SpringBootJWT.git基于 JWT 的身份验证https://github.com/nikhilmalavia/SpringBootJWT.git

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何验证微服务的请求源 - How to validate request source for a microservice 如何从微服务获取http响应状态码-zuul [java] - How to get http response status code from microservice - zuul [java] 如何通过zuul或任意api网关调用安全的微服务端点 - How to call a secure microservice endpoint through zuul or any api gateway 无法从Spring Boot微服务模块中的Zuul标头获取JWT令牌 - Cannot get JWT Token from Zuul Header in Spring Boot Microservice Module Spring Boot微服务Zuul未运行 - Spring boot microservice Zuul is not running 调试到底层微服务的 Zuul 路由 - Debug Zuul route to underlying microservice 为springboot微服务创建一个pojo - Creating a pojo for springboot microservice 如何在java springboot微服务中非常有效地处理碎片化的请求? - How to handle the fragmented requests very efficiently in java springboot microservice? 如何使用微服务多个实例刷新请求令牌 - How to refresh request token with microservice multiple instances SpringBoot微服务如何使用java配置在应用上下文中设置属性 - SpringBoot microservice How to set properties in application context using java configuration
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM