Spring Cloud Zuul + OAuth Error CORS

I'm using Spring Boot Cloud + OAuth2 Auth system, but I'm having a problem in the auth method. When I try to authenticate with my server, the Zuul gateway is not sending the header params, but if I try to authenticate directly against my OAuth server I don't have a problem. The problem only happens when I try to authenticate through the Zuul gateway.

Auth Response:

error_description :"Full authentication is required to access this resource"

Request Header:

Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:pt,en-US;q=0.8,en;q=0.6
Authorization:Basic <MySecretToken>
Cache-Control:no-cache
Connection:keep-alive
Content-Length:0
DNT:1
Host:localhost:8181
Origin:http://localhost:9980
Pragma:no-cache
Referer:http://localhost:9980/login
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.11 Safari/537.36

OAuth Server Logging with Zuul Request:

2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@541da561
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy        : /oauth/token?password=myPassword&grant_type=password&username=system at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/token'; against '/oauth/token'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /oauth/token?password=myPassword&grant_type=password&username=system; Attributes: [fullyAuthenticated]
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-03-07 16:41:37.838 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@59b8fe9, returned: -1
2016-03-07 16:41:37.846 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

Note that at filter 5 of 11 the filter must be executed, but it was not.

Now look at the log of the same server, but without the gateway:

2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@541da561
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:51:16.644 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'gateway'
2016-03-07 16:51:16.645 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b0a7f710: Principal: org.springframework.security.core.userdetails.User@f4ba4644: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b0a7f710: Principal: org.springframework.security.core.userdetails.User@f4ba4644: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@727809f6
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy        : /oauth/token?grant_type=password&username=system&password=myPassword at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'

Now look at the second log; you will see that at filter 5 of 11 the filter was accepted.

Here is the Gateway module setup information:

https://gist.github.com/tiarebalbi/07aaa61f84d3ea3822e0


Update:

Below the CorsFilter used in the gateway: https://gist.github.com/tiarebalbi/ce5f6fc9691e1a6e3aaa

Debug Information:

What I noticed is that the gateway receives all header parameters, but the authentication server doesn't.

Gateway:

[Screenshot: Parameters in the Gateway]

OAuth Server:

[Screenshot: OAuthServer]


Solution:

Reviewing the documentation, I saw the description of the Sensitive Headers, and as we can see here and here, Authorization is one of the headers on the list, and because of this it wasn't sent to the other services.

Code after the update:

zuul:
  ignored-services: "*"
  prefix: /v1
  routes:
    auth-server:
      path: /auth/**
      sensitiveHeaders: Cookie,Set-Cookie
Tiarê Balbi asked Mar 07 '16 19:03


1 Answer

Yes, adding the sensitive-headers worked!

zuul.routes.myApi1.path=/api/**
zuul.routes.myApi1.url=http://localhost:8090/myApi/
zuul.sensitive-headers=Cookie,Set-Cookie
Percy Vega answered Oct 14 '22 03:10
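The header-stripping rule behind both the question's Solution (per-route `sensitiveHeaders`) and the answer (global `zuul.sensitive-headers`), as an added example that is not Zuul's own code: a small Python model of how Zuul decides which request headers reach a backend. The model assumes Zuul's documented defaults (Cookie, Set-Cookie, Authorization stripped when nothing is configured, a route's list overriding the global one, case-insensitive names); the request headers and credential value are constructed placeholders.

```python
# Added example: a simplified model of Spring Cloud Zuul's sensitive-header
# handling, not the project's code. Rules modelled, per the Zuul docs:
#   - a route's own `sensitiveHeaders` overrides the global `zuul.sensitive-headers`
#   - when neither is set, the default list Cookie,Set-Cookie,Authorization applies
#   - an explicitly empty list means "strip nothing"; matching is case-insensitive
DEFAULT_SENSITIVE = ("Cookie", "Set-Cookie", "Authorization")


def parse_header_list(value):
    """Parse the comma-separated form used in YAML/properties, e.g. 'Cookie,Set-Cookie'."""
    return [h.strip() for h in value.split(",") if h.strip()]


def forwarded_headers(request_headers, route_sensitive=None, global_sensitive=None):
    """Return the headers the gateway would pass on to the route's backend.

    route_sensitive / global_sensitive are the config strings, or None when the
    property is absent. The route setting wins over the global one.
    """
    if route_sensitive is not None:
        sensitive = parse_header_list(route_sensitive)
    elif global_sensitive is not None:
        sensitive = parse_header_list(global_sensitive)
    else:
        sensitive = list(DEFAULT_SENSITIVE)
    blocked = {h.lower() for h in sensitive}
    return {k: v for k, v in request_headers.items() if k.lower() not in blocked}


# Constructed sample resembling the request header on the page (placeholder token).
SAMPLE_REQUEST = {
    "Accept": "application/json, text/plain, */*",
    "Authorization": "Basic <MySecretToken>",
    "Cookie": "JSESSIONID=constructed",
    "Host": "localhost:8181",
}


def demo():
    # Before the fix: defaults drop Authorization, so the auth server sees an anonymous request.
    before = forwarded_headers(SAMPLE_REQUEST)
    # After the question's fix: the auth-server route keeps Authorization but still drops cookies.
    after = forwarded_headers(SAMPLE_REQUEST, route_sensitive="Cookie,Set-Cookie")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("default  ->", sorted(before))   # Accept, Host
    print("override ->", sorted(after))    # Accept, Authorization, Host
```

Scoping the override to the `auth-server` route, as the question does, forwards the Basic credential only to the backend that needs it, whereas the global property in the answer forwards it to every route.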