Spring Boot Security 4 with ZooKeeper - Security integration issue
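The Spring application has been integrated with ZooKeeper through the Spring Cloud bridge. It works fine without security.
I used the default security configuration (spring-boot-sample-web-secure) in my application (I plan to customize it if the default configuration works). At first I got the error "Expected CSRF token not found", so I removed the CSRF filter for my event bus: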
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/home").permitAll().anyRequest().authenticated()
                .and()
            .antMatcher("/inner/service/event/bus").csrf().disable().anonymous()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll();
    }
}
But then I ran into another problem with the internal service that goes through ZooKeeper:
com.netflix.hystrix.exception.HystrixRuntimeException: publishEvent timed-out and no fallback available.
at com.netflix.hystrix.AbstractCommand.call(AbstractCommand.java:801)
at com.netflix.hystrix.AbstractCommand.call(AbstractCommand.java:785)
at rx.internal.operators.OperatorOnErrorResumeNextViaFunction.onError(OperatorOnErrorResumeNextViaFunction.java:139)
at rx.internal.operators.OperatorDoOnEach.onError(OperatorDoOnEach.java:71)
at rx.internal.operators.OperatorDoOnEach.onError(OperatorDoOnEach.java:71)
at rx.internal.operators.OperatorDoOnEach.onError(OperatorDoOnEach.java:71)
at com.netflix.hystrix.AbstractCommand$DeprecatedOnFallbackHookApplication.onError(AbstractCommand.java:1514)
at com.netflix.hystrix.AbstractCommand$FallbackHookApplication.onError(AbstractCommand.java:1404)
at com.netflix.hystrix.HystrixCommand.call(HystrixCommand.java:314)
at com.netflix.hystrix.HystrixCommand.call(HystrixCommand.java:306)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:50)
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
at rx.Observable.unsafeSubscribe(Observable.java:8460)
at rx.internal.operators.OperatorOnErrorResumeNextViaFunction.onError(OperatorOnErrorResumeNextViaFunction.java:141)
at rx.internal.operators.OperatorDoOnEach.onError(OperatorDoOnEach.java:71)
at rx.internal.operators.OperatorDoOnEach.onError(OperatorDoOnEach.java:71)
at com.netflix.hystrix.AbstractCommand$HystrixObservableTimeoutOperator.run(AbstractCommand.java:951)
at com.netflix.hystrix.strategy.concurrency.HystrixContextRunnable.call(HystrixContextRunnable.java:41)
at com.netflix.hystrix.strategy.concurrency.HystrixContextRunnable.call(HystrixContextRunnable.java:37)
at com.netflix.hystrix.strategy.concurrency.HystrixContextRunnable.run(HystrixContextRunnable.java:57)
at com.netflix.hystrix.AbstractCommand$HystrixObservableTimeoutOperator.tick(AbstractCommand.java:971)
at com.netflix.hystrix.util.HystrixTimer.run(HystrixTimer.java:98)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access1(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.util.concurrent.TimeoutException: null
at com.netflix.hystrix.AbstractCommand.call(AbstractCommand.java:596)
at com.netflix.hystrix.AbstractCommand.call(AbstractCommand.java:577)
at rx.internal.operators.OperatorOnErrorResumeNextViaFunction.onError(OperatorOnErrorResumeNextViaFunction.java:139)
... 15 common frames omitted
Any ideas on how to fix it, or on what I need to investigate to get to a solution?
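While Spring Discovery uses the application's health/ping URL for heart-beating, it makes sense to start by allowing everything except your business services.
For further fine-tuning, I suggest setting RibbonClient (which Spring Discovery uses as its HTTP transport) to Logger.Level.FULL, capturing all the interactions and then allowing them.
You could also supply all discovery interactions with some request header, which Spring Security should be able to recognize and allow.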
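One way to apply the first step of the answer above, added here as an illustration and not code from the question or the answer: only the business endpoints require authentication while discovery traffic is being observed, and CSRF is skipped for the event bus path alone through `csrf().ignoringAntMatchers(...)`, whereas `http.antMatcher(...)` narrows the whole filter chain to a single path. The `/api/**` prefix and the class name are assumptions; the event bus path is the one from the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class DiscoveryAwareSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumption: hypothetical prefix under which the business endpoints live.
    private static final String BUSINESS_API = "/api/**";

    // Internal event bus path, taken from the question's configuration.
    private static final String EVENT_BUS = "/inner/service/event/bus";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Business services are the only thing locked down at first.
                .antMatchers(BUSINESS_API).authenticated()
                // Everything else (health/ping, discovery calls) passes while
                // the Ribbon log is used to learn which paths are really hit.
                .anyRequest().permitAll()
                .and()
            .csrf()
                // CSRF protection stays enabled for the chain; only the
                // service-to-service event bus endpoint is exempt.
                .ignoringAntMatchers(EVENT_BUS)
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll();
    }
}
```

Once the Ribbon log shows which paths discovery actually calls, replace `anyRequest().permitAll()` with explicit matchers for those paths followed by `anyRequest().authenticated()`.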