My application has a microservice architecture with services and a gateway (Zuul). From the frontend, every request goes to the gateway and is then proxied to the services.
I have an endpoint /iam/users/confirm that is open (it does not require authorization).
If I send the request while the user is not authorized (no JSESSIONID cookie) or while the user is authorized, the request works, but if I send it when the session has expired, I get a 401 error in the gateway.
In the gateway console:
o.a.coyote.http11.Http11InputBuffer : Received [POST /gateway/iam/users/confirm HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.28.2
Accept: */*
Host: localhost:9292
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 55
Cookie: JSESSIONID=4696E27D6EE8B9BF05AF820AA0693B8D
{
"token": "3a330d68-8716-49af-8f93-fce739c95883"
}]
2021-07-14 17:22:50.687 DEBUG 13395 --- [nio-9292-exec-9] o.s.s.w.session.SessionManagementFilter : Requested session ID 4696E27D6EE8B9BF05AF820AA0693B8D is invalid.
2021-07-14 17:22:50.711 DEBUG 13395 --- [nio-9292-exec-9] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json]
2021-07-14 17:22:50.711 DEBUG 13395 --- [nio-9292-exec-9] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Writing [{timestamp=Wed Jul 14 17:22:50 MSK 2021, status=401, error=Unauthorized, message=No message availabl (truncated)...]
2021-07-14 17:22:50.714 DEBUG 13395 --- [nio-9292-exec-9] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2021-07-14 17:22:50.715 DEBUG 13395 --- [nio-9292-exec-9] o.s.web.servlet.DispatcherServlet : Exiting from "ERROR" dispatch, status 401
I need help making the endpoint /iam/users/confirm always available, regardless of session state and authorization.
The WebSecurityConfigurerAdapter in the gateway:
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .authorizeRequests()
                // only /audit/** requires an authenticated user; everything else is permitAll
                .antMatchers("/audit/**").authenticated()
                .anyRequest().permitAll()
            .and()
            .sessionManagement()
                .sessionAuthenticationFailureHandler(failureHandler())
                // invoked by SessionManagementFilter whenever the request carries a
                // JSESSIONID that the container no longer recognises
                .invalidSessionStrategy(invalidSessionStrategy());
        http.addFilterAfter(oAuth2ClientAuthenticationProcessingFilter(), DefaultLoginPageGeneratingFilter.class);
        http.logout()
            .logoutUrl("/logout").invalidateHttpSession(true)
            .clearAuthentication(true)
            .deleteCookies("JSESSION")
            .permitAll();
    }

    @Bean
    public InvalidSessionStrategy invalidSessionStrategy() {
        return (request, response) -> {
            // expire the stale JSESSIONID cookie and send the client back to the frontend
            Cookie cookieRoot = new Cookie("JSESSIONID", null);
            cookieRoot.setPath("/");
            cookieRoot.setMaxAge(0);
            response.addCookie(cookieRoot);
            response.sendRedirect("http://localhost:9000");
        };
    }
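The log line "Requested session ID ... is invalid" comes from SessionManagementFilter, which runs before authorization is evaluated: when a request carries a JSESSIONID that the container no longer knows, the filter hands the request to the configured InvalidSessionStrategy and does not continue the filter chain, so the permitAll rule is never reached. One way to keep the confirm endpoint reachable is a second, higher-precedence security filter chain that handles only that path statelessly, so no session is consulted and no invalid-session strategy is registered for it. The following is an added example written for this question, not code from the post; it assumes Spring Security 5.x with WebSecurityConfigurerAdapter (as in the question), that the existing adapter keeps its default @Order(100), that a CorsConfigurationSource bean already exists because the existing chain calls http.cors(), and that the class name ConfirmEndpointSecurityConfig and the two candidate path patterns are placeholders (which one applies depends on whether "/gateway" in the logged request is the servlet context path or a Zuul route prefix).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Added example (not from the question): a dedicated filter chain for the
 * public confirm endpoint. @Order(1) makes it run before the existing
 * adapter, whose default order is 100, so requests that match here never
 * reach the SessionManagementFilter configured with the redirecting
 * InvalidSessionStrategy.
 */
@Configuration
@Order(1)
public class ConfirmEndpointSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this whole chain to the confirm endpoint. Both patterns are
            // assumptions: keep the one that matches the deployment's path layout.
            .requestMatchers()
                .antMatchers("/iam/users/confirm", "/gateway/iam/users/confirm")
                .and()
            // Same CSRF/CORS posture as the existing chain (the endpoint is called
            // cross-origin from the frontend and authenticated by the token in the body).
            .csrf().disable()
            .cors()
                .and()
            // STATELESS: no HttpSession is created or looked up for this chain and
            // no invalidSessionStrategy is set, so a stale JSESSIONID cookie on the
            // request is simply ignored instead of ending the request with 401/redirect.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // Within this chain everything is public; the existing adapter keeps
            // /audit/** authenticated for all other paths.
            .authorizeRequests()
                .anyRequest().permitAll();
    }
}
```

After adding this class, a POST to the confirm endpoint with an expired JSESSIONID should no longer produce the "Requested session ID ... is invalid" line followed by the 401 in the gateway log; the existing adapter and its InvalidSessionStrategy stay unchanged for every other path. One check worth making: the confirm endpoint should not depend on anything stored in the HttpSession, because with STATELESS no session is available to it.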