SpringCloudGateway针对白名单接口携带Token,网关直接认证失败问题解决

SpringCloudGateway针对白名单接口携带Token,网关直接认证失败问题解决

1、问题描述

  之前使用SpringCloudGateway整合SpringSecurity进行Oauth2的认证授权操作时,由于需要在网关设置白名单,从而针对白名单的URL不需要进行认证授权,直接放行,在项目开发过程中,发现存在一个问题,就是白名单的路径接口不携带token访问时,可以正常访问,网关放行,但是当白名单路径的接口在请求头中携带不正确的token进行访问时,网关会直接报认证失败。

说明:下图只是为了描述问题所用,不必纠结。

图一:白名单不携带token访问,网关正常放行

图二:白名单请求携带不正确的token访问,网关认证失败

 2、问题解决

  由于白名单请求不携带token访问,网关可以正常放行,那么可不可以在白名单访问时,直接移除请求头中的Authorization信息,重写请求访问呢,后来查阅相关资料,发现此方案可行,具体操作如下,仅供参考!

2.1、在SpringCloudGateway网关项目添加自定义过滤器

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

import java.util.List;

/**
 * 白名单路径访问时需要移除请求头认证信息
 *
 * @author 星空流年
 */
@Component
public class WhiteListAuthorizationFilter implements WebFilter {

    @Resource
    private WhiteListProperties properties;

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        String path = request.getURI().getPath();
        PathMatcher pathMatcher = new AntPathMatcher();
        //白名单路径移除请求头认证信息
        List<String> urls = properties.getUrls();
        for (String url : urls) {
            if (pathMatcher.match(url, path)) {
                request = exchange.getRequest().mutate().header(HttpHeaders.AUTHORIZATION, "").build();
                exchange = exchange.mutate().request(request).build();
                return chain.filter(exchange);
            }
        }
        return chain.filter(exchange);
    }
}

备注:获取白名单配置信息类如下

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.stereotype.Component;

import java.util.List;

/**
 * 白名单放行路径
 *
 * @author 星空流年
 */
@ConfigurationProperties(prefix = "whitelist")
@Component
@RefreshScope
public class WhiteListProperties {
    private List<String> urls;

    public List<String> getUrls() {
        return urls;
    }

    public void setUrls(List<String> urls) {
        this.urls = urls;
    }

    @Override
    public String toString() {
        return "WhiteListProperties{" +
                "urls=" + urls +
                '}';
    }
}

2.2、在默认的认证过滤器之前添加自定义的过滤器

  把自定义的过滤器配置到默认的认证过滤器之前,在ResourceServerConfig中进行配置。

  ResourceServerConfig这里做的工作是将鉴权管理器AuthorizationManager配置到资源服务器,进行请求白名单放行、无权访问和无效token的自定义异常响应等操作。

  注意:自定义过滤器添加位置

import cn.hutool.core.util.ArrayUtil;
import cn.hutool.json.JSONUtil;
import lombok.AllArgsConstructor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import reactor.core.publisher.Mono;

import javax.annotation.Resource;
import java.nio.charset.StandardCharsets;

/**
 * 资源服务器配置
 *
 * @author 星空流年
 */
@AllArgsConstructor
@Configuration
@EnableWebFluxSecurity
public class ResourceServerConfig {

    @Resource
    private AuthorizationManager authorizationManager;

    @Resource
    private WhiteListProperties properties;

    @Resource
    private WhiteListAuthorizationFilter authenticationFilter;

    private static final Logger log = LoggerFactory.getLogger(ResourceServerConfig.class);

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
        http.oauth2ResourceServer().authenticationEntryPoint(authenticationEntryPoint());
        http.addFilterBefore(authenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION);

        http.authorizeExchange().pathMatchers(ArrayUtil.toArray(properties.getUrls(), String.class)).permitAll().anyExchange().access(authorizationManager)
            .and().exceptionHandling().accessDeniedHandler(accessDeniedHandler()).authenticationEntryPoint(authenticationEntryPoint())
            .and().csrf().disable();

        return http.build();
    }

    /**
     * 未授权
     *
     * @return
     */
    @Bean
    ServerAccessDeniedHandler accessDeniedHandler() {
        return (exchange, denied) -> Mono.defer(() -> Mono.just(exchange.getResponse()))
                                         .flatMap(response -> {
                                             response = responseInfo(response);
                                             String body = JSONUtil.toJsonStr(Result.fail(RestStatus.INVALID_TOKEN.getCode(), "访问未授权, 请确认令牌有效性!"));
                                             log.error("访问未授权, 响应信息为: {}", body);
                                             DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));
                                             return response.writeWith(Mono.just(buffer)).doOnError(error -> DataBufferUtils.release(buffer));
                                         });
    }

    /**
     * token无效或者已过期自定义响应
     *
     * @return
     */
    @Bean
    ServerAuthenticationEntryPoint authenticationEntryPoint() {
        return (exchange, e) -> Mono.defer(() -> Mono.just(exchange.getResponse()))
                                    .flatMap(response -> {
                                        response = responseInfo(response);
                                        String body = JSONUtil.toJsonStr(Result.fail(RestStatus.INVALID_TOKEN.getCode(), "令牌缺失或者无效或者已过期,请确认!"));
                                        log.error("令牌缺失或者无效或者已过期, header:{},响应信息为: {}", exchange.getRequest().getHeaders(), body);
                                        DataBuffer buffer = response.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8));
                                        return response.writeWith(Mono.just(buffer)).doOnError(error -> DataBufferUtils.release(buffer));
                                    });
    }

    /**
     * 重新定义R 权限管理器
     * <p>
     * 说明:
     * ServerHttpSecurity没有将jwt中authorities的负载部分当做Authentication
     * 需要把jwt的Claim中的authorities加入
     * 方案:重新定义R 权限管理器,默认转换器JwtGrantedAuthoritiesConverter
     *
     * @return
     */
    @Bean
    public Converter<Jwt, Mono<AbstractAuthenticationToken>> jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        jwtGrantedAuthoritiesConverter.setAuthorityPrefix(AuthConstants.AUTHORITY_PREFIX);
        jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName(AuthConstants.AUTHORITY_CLAIM_NAME);

        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
        return new ReactiveJwtAuthenticationConverterAdapter(jwtAuthenticationConverter);
    }

    /**
     * 设置响应信息
     *
     * @param response
     * @return
     */
    private ServerHttpResponse responseInfo(ServerHttpResponse response) {
        response.setStatusCode(HttpStatus.OK);
        response.getHeaders().set(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
        response.getHeaders().set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
        response.getHeaders().set(HttpHeaders.CACHE_CONTROL, "no-cache");
        return response;
    }
}

 3、携带错误token测试

参考资料:

1、https://www.cnblogs.com/summerday152/p/13635948.html

2、https://juejin.cn/post/7036297405326688287

posted @ 2022-01-19 15:05  星空流年  阅读(1457)  评论(0编辑  收藏  举报