在验证

时间:2016-04-13 18:26:32

标签: spring spring-security spring-boot spring-cloud spring-security-oauth2

我正在尝试设计一个OAuth2身份验证系统来保护各种后端API。我开始下载并安装the three interconnected Spring Boot / Cloud / OAuth2 apps in this github project

但我的项目需要两个主要的架构变化:

1.) The main portal UI must be running in Node.js, so that users can  
    view a public site and also login using a Node.js-hosted app that  
    makes REST calls to a backend authentication server, without feeling  
    like they are being redirected anywhere for authentication.   

2.) My app requires multi-factor authentication, so I need to create (or  
    at least customize) my own endpoints on the `authserver` app instead  
    of relying to the standard password authentication endpoint.

需要进行哪些具体更改,以便我的Node.js托管的UI应用可以与authserver应用和resource应用成功互动?

目前,将AngularJS登录代码添加到我自己的Node.js门户网站应用程序或github示例中的ui应用程序会导致FireFox控制台在AngularJS代码尝试调用时显示以下错误消息在authserver上运行的port 9000应用:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading  
the remote resource at http://localhost:9000/login-form. (Reason: CORS  
header 'Access-Control-Allow-Origin' missing). <unknown>

Cross-Origin Request Blocked: The Same Origin Policy disallows reading  
the remote resource at http://localhost:9000/login-form. (Reason: CORS  
request failed).

调用我添加到/login-form端点的新authserver端点的AngularJS代码是:

$scope.credentials = {};

$scope.loginError = false;
$scope.showLogin = false;

$scope.loginShow = function() {
    $scope.showLogin = true;
    console.log('filler to add break point for debugger.');
};

$scope.loginLocal = function() {
    console.log('Just filler to add a break point in debugger.');
        var funcJSON = { 'type': 'Message',
                 'content1': $scope.credentials.username,
                 'content2': $scope.credentials.password
    };
        console.log('filler to add break point.');
    $http.post('http://localhost:9999/uaa/login-form', funcJSON).then(function(response) {
        if(response.data.content1==='success'){
            $scope.Oauthenticated = true;
            console.log('filler to add a break point');
        }else {
            $scope.Oauthenticated = false;
            $scope.loginError = true;
            console.log('filler to add break point');
        }
    });
};

FireFox调试器显示在顶部显示的FireFox控制台中抛出错误的上述AngularJS代码行是:

$http.post('http://localhost:9999/uaa/login-form', funcJSON).then(function(response) {

我为/login-form应用中的AuthserverApplication.java文件和you can read my entire new AuthserverApplication.java file at a file sharing site by clicking on this link添加了新的authserver结束点。

我愿意在Spring Boot中运行主门户UI应用程序。我已经读过这需要使用@EnableSidecar注释。但是,我在上面得到了相同的错误消息,无论新登录表单是从上面的github链接中的Spring Cloud ui应用程序中运行,还是从我的Node.js托管的门户UI中运行。 那么我需要更改什么来设置从我的Node.js托管门户网站应用程序管理此身份验证的安全方式?

正在进行的研究:

Per @ Ulises&#39;建议,我添加了代码来覆盖AuthserverApplication.java的方法。我还仔细检查了网址并略微修改了$http.post(...调用的网址(我在OP上面进行了上线更改以避免混淆。结果是 FireFox控制台中的相同错误,以及authserver应用程序的Spring Boot日志中的请求的显式日志。

你可以read my new AuthserverApplication.java class including @Ulises's suggestion at a file sharing site by clicking this link进行调用的Node.js托管应用正在port 7000上运行。

你可以read the entire Spring Boot log for the request at a file sharing site by clicking on this link

同样,当我将建议的方法更改为:

@Override
public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/login-form").allowedOrigins("http://localhost*");
}

我得到the Spring Boot error log that you can read at a file sharing site by clicking on this link。 FireFox调试器的Network选项卡出现401错误,包含以下原始标题:

请求标题:

Host: localhost:9999
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://localhost:7000
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type,x-requested-with
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

回复标题:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate, no-store
Content-Type: application/xhtml+xml;charset=UTF-8
Date: Wed, 13 Apr 2016 09:32:40 GMT
Expires: 0
Pragma: no-cache, no-cache
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
WWW-Authenticate: Bearer realm="null", error="unauthorized", error_description="Full authentication is required to access this resource"
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
x-content-type-options: nosniff

即使我将以下方法添加到LoginConfig内的AuthserverApplication.java内部类以尝试让Spring Security忽略/login-form端点,同样的新错误仍然存​​在:

@Override
public void configure(WebSecurity webSecurity) throws Exception {
    webSecurity.ignoring().antMatchers("/login-form", "/error");
}

我目前正在阅读the Spring OAuth2 Developer's Guide at this link,其中提及sample apps on github at this link。但是,示例应用程序使用的JSP已过时,并未解决此OP中描述的用例。

1 个答案:

答案 0 :(得分:0)

来自AuthServerApplication的{​​{1}}覆盖方法addCorsMapping(CorsRegistry),如下所示:

WebMvcConfigurerAdapter

或者你来自哪里的原点。您还可以将 @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/login-form").allowedOrigins("http://localhost:9000"); } 用于所有内容和/或添加任何细粒度配置

相关问题
最新问题