Spring Boot OAuth 始终重定向到 HTTP(IBM Cloud CF + Spring Boot 2)
Spring Boot OAuth Always redirecting to HTTP (IBM Cloud CF + Spring Boot 2)
在 IBM Cloud CF Java Buildpack 上使用 Spring Boot OAuth 2...
https://github.com/ericis/oauth-cf-https-issue
*我已经尝试了以下所有组合。
使用这个配置,应用程序陷入无限的重定向循环,OAuth重定向策略将它发送到http,然后这个配置将它发送到https.
http.requiresChannel().anyRequest().requiresSecure()
没有这个配置,用户可以通过http登录(不需要)。
完整配置:
http.
requiresChannel().anyRequest().requiresSecure().
authorizeRequests().
// allow access to...
antMatchers("favicon.ico", "/login", "/loginFailure", "/oauth2/authorization/ghe")
.permitAll().anyRequest().authenticated().and().oauth2Login().
// Codify "spring.security.oauth2.client.registration/.provider"
clientRegistrationRepository(this.clientRegistrationRepository()).
// setup OAuth2 client service to use clientRegistrationRepository
authorizedClientService(this.authorizedClientService()).
successHandler(this.successHandler()).
// customize login pages
loginPage("/login").failureUrl("/loginFailure").
userInfoEndpoint().
// customize the principal
userService(this.userService());
我也试过:
要使用的服务器配置https
server:
useForwardHeaders: true
tomcat:
protocolHeader: x-forwarded-proto
Servlet 过滤器
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
@Component
public class HttpToHttpsFilter implements Filter {
private static final Logger log = LoggerFactory.getLogger(HttpToHttpsFilter.class);
private static final String HTTP = "http";
private static final String SCHEME_HTTP = "http://";
private static final String SCHEME_HTTPS = "https://";
private static final String LOCAL_ID = "0:0:0:0:0:0:0:1";
private static final String LOCALHOST = "localhost";
@Value("${local.ip}")
private String localIp;
public HttpToHttpsFilter() {
// Sonar
}
@Override
public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
throws IOException, ServletException {
final HttpServletRequest request = (HttpServletRequest) req;
final HttpServletResponse response = (HttpServletResponse) res;
// http, not localhost, not localhost ipv6, not local IP
if (HTTP.equals(request.getScheme()) &&
!LOCALHOST.equals(request.getRemoteHost()) &&
!LOCAL_ID.equals(request.getRemoteHost()) &&
(this.localIp != null && !this.localIp.equals(request.getRemoteHost()))) {
final String query = request.getQueryString();
String oldLocation = request.getRequestURL().toString();
if (query != null) {
oldLocation += "?" + query;
}
final String newLocation = oldLocation.replaceFirst(SCHEME_HTTP, SCHEME_HTTPS);
try {
log.info("HTTP redirect from {} to {} ", oldLocation, newLocation);
response.sendRedirect(newLocation);
} catch (IOException e) {
log.error("Cannot redirect to {} {} ", newLocation, e);
}
} else {
chain.doFilter(req, res);
}
}
@Override
public void destroy() {
// Sonar
}
@Override
public void init(FilterConfig arg0) throws ServletException {
// Sonar
}
}
依赖关系
dependencies {
//
// BASICS
// health and monitoring
// compile('org.springframework.boot:spring-boot-starter-actuator')
// security
compile('org.springframework.boot:spring-boot-starter-security')
// configuration
compile('org.springframework.boot:spring-boot-configuration-processor')
//
// WEB
// web
compile('org.springframework.boot:spring-boot-starter-web')
// thymeleaf view render
compile('org.springframework.boot:spring-boot-starter-thymeleaf')
// thymeleaf security extras
compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity4')
//
// OAUTH
// OAuth client
compile('org.springframework.security:spring-security-oauth2-client')
// OAuth lib
compile('org.springframework.security:spring-security-oauth2-jose')
// OAuth config
compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.0.RELEASE')
//
// CLOUD
// cloud connectors (e.g. vcaps)
compile('org.springframework.boot:spring-boot-starter-cloud-connectors')
//
// TOOLS
runtime('org.springframework.boot:spring-boot-devtools')
//
// TEST
// test
testCompile('org.springframework.boot:spring-boot-starter-test')
// security test
testCompile('org.springframework.security:spring-security-test')
}
已解决。有关与此相关的问题的详细信息,请访问:
https://github.com/spring-projects/spring-security/issues/5535#issuecomment-407413944
正在运行的示例项目:https://github.com/ericis/oauth-cf-https-issue
简答:
应用程序需要明确配置才能识别代理 headers。我尝试过配置,但最终不得不使用最近添加到 Spring.
的 ForwardedHeaderFilter class 实例
@Bean
FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
final FilterRegistrationBean<ForwardedHeaderFilter> filterRegistrationBean = new FilterRegistrationBean<ForwardedHeaderFilter>();
filterRegistrationBean.setFilter(new ForwardedHeaderFilter());
filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return filterRegistrationBean;
}
即使不涉及 OAuth 行为,应用程序也可能始终在当前设置的环境中陷入无限循环。
虽然您可以告诉服务器使用转发 headers,
server:
useForwardHeaders: true
Tomcat 不会信任来自所有来源的 x-forwarded-* headers。默认情况下,某些 IP 地址被视为内部 IP 地址 (RemoteIpValve#internalProxies)。
但是,在您使用的环境中,报告的代理 IP 地址可能不在此范围内。您可以使用以下配置允许所有 IP 地址:
server:
tomcat:
internal-proxies: .*
这允许所有代理,但如果无法直接访问该应用程序,则可以满足您的需要。
因为使用 Spring 5,决定采用下一个解决方案(安全配置):
http
.addFilterBefore(new ForwardedHeaderFilter(), OAuth2AuthorizationRequestRedirectFilter.class)
x-forwarded-* header 参数现在处理正确。
在 IBM Cloud CF Java Buildpack 上使用 Spring Boot OAuth 2...
https://github.com/ericis/oauth-cf-https-issue
*我已经尝试了以下所有组合。
使用这个配置,应用程序陷入无限的重定向循环,OAuth重定向策略将它发送到http,然后这个配置将它发送到https.
http.requiresChannel().anyRequest().requiresSecure()
没有这个配置,用户可以通过http登录(不需要)。
完整配置:
http.
requiresChannel().anyRequest().requiresSecure().
authorizeRequests().
// allow access to...
antMatchers("favicon.ico", "/login", "/loginFailure", "/oauth2/authorization/ghe")
.permitAll().anyRequest().authenticated().and().oauth2Login().
// Codify "spring.security.oauth2.client.registration/.provider"
clientRegistrationRepository(this.clientRegistrationRepository()).
// setup OAuth2 client service to use clientRegistrationRepository
authorizedClientService(this.authorizedClientService()).
successHandler(this.successHandler()).
// customize login pages
loginPage("/login").failureUrl("/loginFailure").
userInfoEndpoint().
// customize the principal
userService(this.userService());
我也试过:
要使用的服务器配置
httpsserver: useForwardHeaders: true tomcat: protocolHeader: x-forwarded-protoServlet 过滤器
import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; @Component public class HttpToHttpsFilter implements Filter { private static final Logger log = LoggerFactory.getLogger(HttpToHttpsFilter.class); private static final String HTTP = "http"; private static final String SCHEME_HTTP = "http://"; private static final String SCHEME_HTTPS = "https://"; private static final String LOCAL_ID = "0:0:0:0:0:0:0:1"; private static final String LOCALHOST = "localhost"; @Value("${local.ip}") private String localIp; public HttpToHttpsFilter() { // Sonar } @Override public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException { final HttpServletRequest request = (HttpServletRequest) req; final HttpServletResponse response = (HttpServletResponse) res; // http, not localhost, not localhost ipv6, not local IP if (HTTP.equals(request.getScheme()) && !LOCALHOST.equals(request.getRemoteHost()) && !LOCAL_ID.equals(request.getRemoteHost()) && (this.localIp != null && !this.localIp.equals(request.getRemoteHost()))) { final String query = request.getQueryString(); String oldLocation = request.getRequestURL().toString(); if (query != null) { oldLocation += "?" + query; } final String newLocation = oldLocation.replaceFirst(SCHEME_HTTP, SCHEME_HTTPS); try { log.info("HTTP redirect from {} to {} ", oldLocation, newLocation); response.sendRedirect(newLocation); } catch (IOException e) { log.error("Cannot redirect to {} {} ", newLocation, e); } } else { chain.doFilter(req, res); } } @Override public void destroy() { // Sonar } @Override public void init(FilterConfig arg0) throws ServletException { // Sonar } }
依赖关系
dependencies {
//
// BASICS
// health and monitoring
// compile('org.springframework.boot:spring-boot-starter-actuator')
// security
compile('org.springframework.boot:spring-boot-starter-security')
// configuration
compile('org.springframework.boot:spring-boot-configuration-processor')
//
// WEB
// web
compile('org.springframework.boot:spring-boot-starter-web')
// thymeleaf view render
compile('org.springframework.boot:spring-boot-starter-thymeleaf')
// thymeleaf security extras
compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity4')
//
// OAUTH
// OAuth client
compile('org.springframework.security:spring-security-oauth2-client')
// OAuth lib
compile('org.springframework.security:spring-security-oauth2-jose')
// OAuth config
compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.0.RELEASE')
//
// CLOUD
// cloud connectors (e.g. vcaps)
compile('org.springframework.boot:spring-boot-starter-cloud-connectors')
//
// TOOLS
runtime('org.springframework.boot:spring-boot-devtools')
//
// TEST
// test
testCompile('org.springframework.boot:spring-boot-starter-test')
// security test
testCompile('org.springframework.security:spring-security-test')
}
已解决。有关与此相关的问题的详细信息,请访问: https://github.com/spring-projects/spring-security/issues/5535#issuecomment-407413944
正在运行的示例项目:https://github.com/ericis/oauth-cf-https-issue
简答:
应用程序需要明确配置才能识别代理 headers。我尝试过配置,但最终不得不使用最近添加到 Spring.
的ForwardedHeaderFilter class 实例
@Bean
FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
final FilterRegistrationBean<ForwardedHeaderFilter> filterRegistrationBean = new FilterRegistrationBean<ForwardedHeaderFilter>();
filterRegistrationBean.setFilter(new ForwardedHeaderFilter());
filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return filterRegistrationBean;
}
即使不涉及 OAuth 行为,应用程序也可能始终在当前设置的环境中陷入无限循环。
虽然您可以告诉服务器使用转发 headers,
server:
useForwardHeaders: true
Tomcat 不会信任来自所有来源的 x-forwarded-* headers。默认情况下,某些 IP 地址被视为内部 IP 地址 (RemoteIpValve#internalProxies)。
但是,在您使用的环境中,报告的代理 IP 地址可能不在此范围内。您可以使用以下配置允许所有 IP 地址:
server:
tomcat:
internal-proxies: .*
这允许所有代理,但如果无法直接访问该应用程序,则可以满足您的需要。
因为使用 Spring 5,决定采用下一个解决方案(安全配置):
http
.addFilterBefore(new ForwardedHeaderFilter(), OAuth2AuthorizationRequestRedirectFilter.class)
x-forwarded-* header 参数现在处理正确。