Spring Cloud Gateway擷取認證使用者資訊
文章目錄
- Spring Cloud Gateway擷取認證使用者資訊
-
- 前言
- 與Spring Security內建
-
- 添加依賴
- 配置類
- 擷取認證使用者資訊
-
- 擷取登入使用者
- 頁面無限重定向登入頁面解決方法
- 總結
前言
該文章,用于記錄Spring Cloud Gateway與Spring Security內建過程,以及內建過程中遇到的部分問題。
與Spring Security內建
添加依賴
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-gateway</artifactId>
<version>2.2.9.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
配置類
/**
* 認證成功後處理,此處偷懶,将使用者資訊,使用JSON格式字元串添加請求頭。
* 後續會基于JWS生成Token。
*/
@Bean
public ServerAuthenticationSuccessHandler successHandler() {
return (exchange, authentication) -> {
UserDetails user = (UserDetails) authentication.getPrincipal();
Map<String, Object> tokenInfo = new HashMap<>();
tokenInfo.put("USER_NAME", user.getUsername());
tokenInfo.put("AUTHORITIES", user.getAuthorities());
ServerHttpResponse response = exchange.getExchange().getResponse();
exchange.getExchange().getRequest().mutate().header("X-AUTHENTICATION-TOKEN", JSONObject.toJSONString(tokenInfo));
ResponseEntity<Map<String, Object>> responseEntity = new ResponseEntity<>(tokenInfo, HttpStatus.OK);
return response.writeWith(Mono.just(response.bufferFactory().wrap(JSON.toJSONBytes(responseEntity))));
};
}
/**
* 認證失敗處理
*/
@Bean
public ServerAuthenticationFailureHandler failureHandler() {
return (exchange, exception) -> {
ServerHttpResponse response = exchange.getExchange().getResponse();
Map<String, Object> responseBody = new HashMap<>(2);
responseBody.put("ERROR_CODE", "000000");
responseBody.put("ERROR_TYPE", exception.getClass().getName());
responseBody.put("ERROR_MESSAGE", exception.getMessage());
ResponseEntity<Map<String, Object>> responseEntity = new ResponseEntity<>(responseBody, HttpStatus.INTERNAL_SERVER_ERROR);
response.setStatusCode(HttpStatus.FORBIDDEN);
return response.writeWith(Mono.just(response.bufferFactory().wrap(JSON.toJSONBytes(responseEntity))));
};
}
/**
* 無權限處理配置
*/
@Bean
public ServerAccessDeniedHandler accessDeniedHandler() {
return (exchange, accessDeniedException) -> {
ServerHttpResponse response = exchange.getResponse();
Map<String, Object> responseBody = new HashMap<>(2);
responseBody.put("ERROR_CODE", "000000");
responseBody.put("ERROR_MESSAGE", "請求未授權");
ResponseEntity<Map<String, Object>> responseEntity = new ResponseEntity<>(responseBody, HttpStatus.FORBIDDEN);
response.setStatusCode(HttpStatus.FORBIDDEN);
return response.writeWith(Mono.just(response.bufferFactory().wrap(JSON.toJSONBytes(responseEntity))));
};
}
/**
* 類似于Spring MVC模式下,AuthenticationManager
*/
@Bean
public ReactiveAuthenticationManager authenticationManager(UserDetailsManager userDetailsManager,
PasswordEncoder passwordEncoder) {
return authentication -> {
final String username = authentication.getName();
final String password = (String) authentication.getCredentials();
return Mono.just(userDetailsManager.loadUserByUsername(username))
.filter(user -> passwordEncoder.matches(password, user.getPassword()))
.switchIfEmpty(Mono.defer(() -> Mono.error(new BadCredentialsException("Invalid Credentials"))))
.map(user -> new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities()));
};
}
/**
* 簡易版UserDetailsManager實作類,此處僅用于模拟使用者資訊,真實情況,請使用資料庫存儲。
*/
@Bean
public UserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) {
UserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(new User("que",
passwordEncoder.encode("123456"), Arrays.asList(new SimpleGrantedAuthority("ADMIN"))));
return manager;
}
@Bean
public PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
@Bean
public ServerSecurityContextRepository contextRepository() {
return new MemoryCacheSecurityContextRepository(5, TimeUnit.MINUTES);
// return new WebSessionServerSecurityContextRepository();
}
/**
* Security核心配置資訊
* 将上述配置的ServerAuthenticationSuccessHandler、ServerAuthenticationFailureHandler、ServerAccessDeniedHandler、
* ReactiveAuthenticationManager、ServerSecurityContextRepository配置進ServerHttpSecurity。
* 配置方式,與Spring MVC模式下的Security配置類似。
*/
@Bean
public SecurityWebFilterChain securityFilterChain(ServerHttpSecurity httpSecurity,
ServerAuthenticationSuccessHandler accessHandler,
ServerAuthenticationFailureHandler failureHandler,
ServerAccessDeniedHandler accessDeniedHandler,
ReactiveAuthenticationManager authenticationManager,
ServerSecurityContextRepository securityContextRepository) {
return httpSecurity.formLogin()
.authenticationManager(authenticationManager)
.authenticationSuccessHandler(accessHandler)
// .securityContextRepository(securityContextRepository)
.authenticationFailureHandler(failureHandler)
.and().csrf().disable()
.exceptionHandling().accessDeniedHandler(accessDeniedHandler)
.and()
// 此處用于存儲認證後的Authentication。
// 預設使用WebSessionServerSecurityContextRepository。
// 該Repository為ReactiveSecurityContextHolder擷取認證資訊的資料來源。細節,後續部分介紹。
.securityContextRepository(securityContextRepository)
// 配置自定義攔截器
.addFilterAt(authFilter, SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING)
.authorizeExchange(exchange -> {
exchange.pathMatchers("/login").permitAll()
.anyExchange().authenticated();
})
.build();
}
擷取認證使用者資訊
Web模式下(Spring Cloud Gateway 使用WebFlux),可通過SecurityContextHolder.getContext擷取Authentication資訊。此處無法使用該方式擷取Authentication。原因在于Web模式下,若使用http.formLogin進行認證的話,請求通過UsernamePasswordAuthenticationFilter過濾器後,于successfulAuthentication(AbstractAuthenticationProcessingFilter類)存儲認證資訊。
protected void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response, FilterChain chain, Authentication authResult)
throws IOException, ServletException {
if (logger.isDebugEnabled()) {
logger.debug("Authentication success. Updating SecurityContextHolder to contain: "
+ authResult);
}
// 存儲認證成功後的Authentication
SecurityContextHolder.getContext().setAuthentication(authResult);
rememberMeServices.loginSuccess(request, response, authResult);
// Fire event
if (this.eventPublisher != null) {
eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
authResult, this.getClass()));
}
successHandler.onAuthenticationSuccess(request, response, authResult);
}
而WebFlux,使用WebFilter完成請求過濾,不會走Web模式下的Filter,認證資訊,也就不會存儲進SecurityContextHolder。
同樣的,針對于WebFilter,Spring Security也提供ReactiveSecurityContextHolder存儲Authentication,即也是通過過濾器,設定、擷取Authentication。其底層,則是使用ServerSecurityContextRepository完成。
public class ReactorContextWebFilter implements WebFilter {
private final ServerSecurityContextRepository repository;
public ReactorContextWebFilter(ServerSecurityContextRepository repository) {
Assert.notNull(repository, "repository cannot be null");
this.repository = repository;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return chain.filter(exchange)
.subscriberContext(c -> c.hasKey(SecurityContext.class) ? c :
withSecurityContext(c, exchange)
);
}
private Context withSecurityContext(Context mainContext, ServerWebExchange exchange) {
return mainContext.putAll(this.repository.load(exchange)
.as(ReactiveSecurityContextHolder::withSecurityContext));
}
}
擷取登入使用者
完成上述操作後,即完成Security的配置。接下來,實作一個請求,用于測試Security配置。此處,通過ReactiveSecurityContextHolder.getContext()擷取登入使用者資訊,其底層,使用ServerSecurityContextRepository.load方法,擷取Authentication。
@Slf4j
@RestController
@RequestMapping("quelongjiang/gatewayController")
public class GatewayController {
@GetMapping("info/{id}")
public Mono<String> info(@PathVariable Integer id) throws InterruptedException {
return ReactiveSecurityContextHolder.getContext()
.filter(securityContext -> securityContext != null)
.map(securityContext -> securityContext.getAuthentication())
.map(auth -> this.getAuthUserName(auth) + ", Request Argument is " + id);
}
// 擷取登入使用者名稱
protected String getAuthUserName(Authentication auth) {
if (!auth.isAuthenticated()) {
return "Not Authentication";
}
else {
Object principal = auth.getPrincipal();
if (principal instanceof UserDetails) {
return ((UserDetails) principal).getUsername();
}
else {
return String.valueOf(principal);
}
}
}
}
頁面無限重定向登入頁面解決方法
在securityFilterChain配置方法處,細心的讀者會發現,有兩行代碼用于設定ServerSecurityContextRepository,其中第一行被注釋掉。若把改行注釋取消,同時将下面那行securityContextRepository(securityContextRepository)注釋的話,會出現,需要認證的請求,永遠會重定向到登入頁面,即使已經完成認證。
該問題的原因,需通過ServerHttpSecurity看起。在ServerHttpSecurity類中,存在securityContextRepository三個方法。而目前需通過第一個方法設定,用于設定ServerHttpSecurity.securityContextRepository屬性。該屬性,為後續3個屬性配置的預設值。
當該屬性不為null時,則FormLoginSpec.securityContextRepository使用該屬性,否則使用WebSessionServerSecurityContextRepository實作類,配置ReactorContextWebFilter。
當存在自定義ServerSecurityContextRepository實作類時,按照最初配置方式,其實配置進的是FormLoginSpec.securityContextRepository,這樣會導緻基于httpSecurity.formLogin,完成使用者登入時,Authentication儲存的是自定義的Repository,而ReactorContextWebFilter,則使用WebSessionServerSecurityContextRepository擷取Authentication,導緻擷取不到Authentication,進而導緻請求直接重定向到登入頁面。
private WebFilter securityContextRepositoryWebFilter() {
ServerSecurityContextRepository repository = this.securityContextRepository == null ?
new WebSessionServerSecurityContextRepository() : this.securityContextRepository;
WebFilter result = new ReactorContextWebFilter(repository);
return new OrderedWebFilter(result, SecurityWebFiltersOrder.REACTOR_CONTEXT.getOrder());
}
總結
- Spring Cloud Gateway(WebFlux),通過SecurityWebFilterChain配置過濾器、認證等資訊。
- 自定義ServerSecurityContextRepository時,需要配置進SecurityWebFilterChain,使其生效。
- ServerSecurityContextRepository,需要配置進SecurityWebFilterChain.securityContextRepository屬性,才能使認證、ReactorContextWebFilter過濾器,使用同一個Repository擷取Authentication資訊,用于避免請求重定向到登入頁面的問題。