File upload not working with the API Gateway pattern

Time: 2016-04-29 06:06:00

Tags: angularjs spring-boot

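I implemented Spring Security with the API Gateway pattern (Angular JS and Spring Security), having successfully followed Angular JS and Spring Security for my application.

In my application (divided into Gateway + UI + Resource), I created a .pdf file upload module in the 'UI' application. It fails when the Gateway application tries to redirect the request to the Resource application (even though this file upload functionality worked fine before implementing this API Gateway pattern and security).

The file upload JavaScript code from the 'UI' application is as follows: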

        if(idProofFile.files.length == 0)
        {
            $scope.alerts = [
                             { type: 'danger', msg: 'No File(s) selected, please Browse and Select ID Proof File(s) first.' },
                             ];
            return;
        }
        else{

            // Upload user's files::
            //create form data to send via POST
            var formData = new FormData();

            for(var i=0; i< idProofFile.files.length; i++){
                if(idProofFile.files[i].size > 31457280) // check for each file size should not be more than 30 MB = 30*1024*1024 bytes
                {
                    $scope.alerts = [
                                     { type: 'danger', msg: 'The size of file: '+ idProofFile.files[i].name +' is more than 30 MB. Max limit of a file size is 30 MB.'}
                                     ];
                    return;
                }
                else{
                    var extension = idProofFile.files[i].name.substr(idProofFile.files[i].name.lastIndexOf('.') + 1).toLowerCase();
                    //alert(extension);

                    if (idProofFile.files[i].name.length > 0)
                    {
                        if (allowedExtensions.indexOf(extension) === -1) 
                        {
                            $scope.alerts = [
                                             { type: 'danger', msg: 'Only PDF files are allowed. Selected file:- '+ idProofFile.files[i].name +' is a .'+extension+' file.'}
                                             ];
                            return;
                        }
                    }
                }

                formData.append("idProof",idProofFile.files[i]);
            }

            var request = new XMLHttpRequest();

            request.open('POST', 'resource/upload_id_proof/' +$rootScope.loggedInUserPrimaryKeyId+'/'+$rootScope.loggedInUserId, false);
            request.send(formData);

The Spring 'Gateway' application is as follows:

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
                .antMatchers("/update_new_user/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and().authorizeRequests()
                //.antMatchers("/index.html", "/", "/login", "/message", "/home")
                //.antMatchers("/index.html", "/", "/login", "/message", "/home", "/css", "/font-awesome/**", "/fonts", "/img/**", "/js/**", "/less", "/mail").permitAll()
                .antMatchers("/index.html", "/", "/css/**", "/font-awesome/**", "/fonts", "/img/**", "/js/**", "/less", "/mail").permitAll()
                //.antMatchers("/ui/", "/ui/public/js/**", "/ui/js/**").permitAll()
                .antMatchers("/ui/public/**").hasAnyAuthority("Admin", "SuperAdmin", "Owner", "Tenant")
                .antMatchers("/ui/private/projectadmin/**").hasAuthority("Admin")
                .antMatchers("/ui/private/superadmin/**").hasAuthority("SuperAdmin")
                .antMatchers("/ui/private/owner/**").hasAuthority("Owner")
                .antMatchers("/ui/private/tenant/**").hasAuthority("Tenant")
                .anyRequest().authenticated()
                .and()
                .csrf()
                .csrfTokenRepository(csrfTokenRepository()).and()
                .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);

    }

    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                    HttpServletResponse response, FilterChain filterChain)
                            throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
                        .getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || token != null
                            && !token.equals(cookie.getValue())) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }
}

The controller code from the 'Resource' application:

    @RequestMapping(value="/upload_id_proof/{userPrimaryKeyId}/{userId}", method = RequestMethod.POST)
    public @ResponseBody String uploadIdProof(
            //@RequestParam(value = "infoClient") String infoClientString,
            @RequestParam(value = "idProof") MultipartFile[] idProofFiles,
            @PathVariable Long userPrimaryKeyId,
            @PathVariable String userId) {

The request fails at the 'Gateway' application instead of being forwarded to the 'Resource' application. The exception at the 'Gateway' is as follows:

**Invalid CSRF token found for localhost:8080/resource/upload_id_proof/40/11**

Detailed logs:

2016-04-29 10:00:05.797 DEBUG 6020 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/configprops.*']
2016-04-29 10:00:05.797 DEBUG 6020 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/configprops.*'
2016-04-29 10:00:05.797 DEBUG 6020 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/configprops/']
2016-04-29 10:00:05.797 DEBUG 6020 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/configprops/'
2016-04-29 10:00:05.797 DEBUG 6020 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-04-29 10:00:05.797 DEBUG 6020 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-04-29 10:00:05.797 DEBUG 6020 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-04-29 10:00:05.800 DEBUG 6020 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@493c907: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@493c907: Principal: org.springframework.security.core.userdetails.User@620: Username: 11; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: Owner; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: b6cd10df-a20e-49ae-9212-d32e7520db8f; Granted Authorities: Owner'
2016-04-29 10:00:05.800 DEBUG 6020 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-04-29 10:00:05.800 DEBUG 6020 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3439c41
2016-04-29 10:00:05.800 DEBUG 6020 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2016-04-29 10:00:05.800 DEBUG 6020 --- [nio-8080-exec-1] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:8080/resource/upload_id_proof/40/11
2016-04-29 10:00:05.802 DEBUG 6020 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

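I tried to ignore CSRF with the following code in the Gateway application:

    http.httpBasic().and()
        .csrf().ignoringAntMatchers("/resource/upload_id_proof/**");

This time there is no error in the logs, but the request is not forwarded to the controller in the 'Resource' application. The logs are now as follows: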

2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/resource/upload_id_proof/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.web.util.matcher.OrRequestMatcher  : matched
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.NegatedRequestMatcher  : matches = false
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.util.matcher.AndRequestMatcher   : Did not match
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 5 of 13 in additional filter chain; firing Filter: ''
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/logout'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 7 of 13 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter  : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fb6efb77: Principal: org.springframework.security.core.userdetails.User@620: Username: 11; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: Owner; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 8902a97c-cd54-4c78-92e4-383270fd97c7; Granted Authorities: Owner'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/index.html'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/css/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/font-awesome/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/fonts'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/img/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/js/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/less'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/mail'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/ui/public/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/ui/private/projectadmin/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/ui/private/superadmin/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/ui/private/owner/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/resource/upload_id_proof/40/11'; against '/ui/private/tenant/**'
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /resource/upload_id_proof/40/11; Attributes: [authenticated]
2016-04-29 10:56:32.165 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fb6efb77: Principal: org.springframework.security.core.userdetails.User@620: Username: 11; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: Owner; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 8902a97c-cd54-4c78-92e4-383270fd97c7; Granted Authorities: Owner
2016-04-29 10:56:32.166 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@442f6da3, returned: 1
2016-04-29 10:56:32.166 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorization successful
2016-04-29 10:56:32.166 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : RunAsManager did not change Authentication object
2016-04-29 10:56:32.166 DEBUG 5912 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : /resource/upload_id_proof/40/11 reached end of additional filter chain; proceeding with original chain
2016-04-29 10:56:32.283 DEBUG 5912 --- [nio-8080-exec-4] tRepository$SaveToSessionResponseWrapper : Skip invoking on
2016-04-29 10:56:32.283 DEBUG 5912 --- [nio-8080-exec-4] tRepository$SaveToSessionResponseWrapper : Skip invoking on
2016-04-29 10:56:32.285 DEBUG 5912 --- [nio-8080-exec-4] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
2016-04-29 10:56:32.285 DEBUG 5912 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

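Apart from this file upload functionality, all other modules work fine with the API Gateway pattern. I could not find any help for this issue on the internet; please help me get the request through to the 'Resource' application.

0 answers:

No answers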
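
Added example (not part of the original question and not the asker's code): the Gateway configuration above expects the CSRF token in the `X-XSRF-TOKEN` header, and the upload code sends no such header because a raw `XMLHttpRequest`, unlike AngularJS's `$http`, does not copy it from the `XSRF-TOKEN` cookie. The helper below, whose function names are hypothetical, attaches the header for same-origin requests only, so CSRF protection can stay enabled on the upload path.

```javascript
// Added example. Cookie and header names are the ones configured in the
// Gateway code on this page; the function names are hypothetical.
const XSRF_COOKIE = 'XSRF-TOKEN';
const XSRF_HEADER = 'X-XSRF-TOKEN';

// Return the decoded value of one cookie from a document.cookie-style string,
// or null when it is absent or not valid percent-encoding.
function readCookie(cookieString, name) {
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1 || part.slice(0, eq).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      return null;
    }
  }
  return null;
}

// True only when url (relative or absolute) resolves to the page's own origin.
function isSameOrigin(url, pageUrl) {
  return new URL(url, pageUrl).origin === new URL(pageUrl).origin;
}

// Open the request, attach the CSRF header for same-origin targets only
// (so the token never leaves the Gateway's origin), then send the body.
// Returns true when the header was attached.
function sendWithCsrf(xhr, method, url, body, cookieString, pageUrl) {
  const token = readCookie(cookieString, XSRF_COOKIE);
  const attach = Boolean(token) && isSameOrigin(url, pageUrl);
  xhr.open(method, url, true); // asynchronous, unlike the synchronous call above
  if (attach) xhr.setRequestHeader(XSRF_HEADER, token);
  xhr.send(body);
  return attach;
}

// Browser usage for the upload on this page:
//   sendWithCsrf(new XMLHttpRequest(), 'POST', uploadUrl, formData,
//                document.cookie, window.location.href);
```

The token is skipped for cross-origin URLs so it is never sent to a host other than the Gateway.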