java 重定向太多:在Sping Boot 中使用OAuth2针对Azure AD实现SSO

nsc4cvqm  于 2022-12-10  发布在  Java
关注(0)|答案(1)|浏览(273)

在我的Java 11Spring Boot 2.7.4Maven应用程序中,我使用Spring Security,特别是AadWebSecurityConfigurerAdapter,以便按照教程通过Azure AD集成对我的用户进行身份验证。第一步是在我的pom.xml文件中包含以下依赖项:

<dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
    <dependency>
        <groupId>com.azure.spring</groupId>
        <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
    </dependency>

接下来,我重写AadWebSecurityConfigurerAdapter,如下所示。注意安全异常。

import com.azure.spring.cloud.autoconfigure.aad.AadWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.Ordered;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AadOAuth2LoginSecurityConfig extends AadWebSecurityConfigurerAdapter implements Ordered {

    @Value("${sso.azure.ad.auth.provider.order:2}")
    private int order;

    /**
     * Add configuration logic as needed.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
                .antMatcher("/**")
                .authorizeRequests()
                .antMatchers("/", "/login**","/callback/", "/webjars/**", "/error**", "/oauth2/authorization/**")
                .permitAll()
                .anyRequest()
                .authenticated();
    }

    @Override
    public int getOrder() {
        return order;
    }

}

此代码在简单的概念验证部署中运行良好。在此PoC中,服务直接在我个人笔记本电脑上的IDE中运行,Azure AD是我自己和一些测试用户设置的简单测试帐户。重定向URI指向localhost:

http://localhost:11120/login/oauth2/code/

然而,在我的生产环境中,代码被封装到Docker映像中,这些映像被部署到位于负载平衡器后面的一组AWSEC2示例中,Azure AD示例是为我的组织注册的正式生产示例。重定向URI引用负载平衡器(请注意没有尾随正斜杠):

https://my-load-balancer:11120/login/oauth2/code

在我的生产部署中,浏览器用户首先被重定向到预期的Microsoft登录屏幕,他们能够成功地对自己进行身份验证。但是,当应用程序随后尝试获取令牌时,我在日志中看到重复的重定向循环,请注意,日志已经过清理,为简洁起见,令牌替换为0.ARXXXXX。我已经标记了初始请求加上第一次和第二次验证尝试,之后在循环中看到相同的模式。

Original request:
    2022-12-06 15:58:59,437 DEBUG org.springframework.security.web.FilterChainProxy [https-jsse-nio-11120-exec-10] Securing GET /content/documents/myapp?test_no=I1111115432BBBBBBB&entry_number=415895J
    
    2022-12-06 15:58:59,446 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor [https-jsse-nio-11120-exec-10] Failed to authorize filter invocation [GET /content/documents
    /myapp?test_no=I1111115432BBBBBBB&entry_number=415895J] with attributes [authenticated]
    
    2022-12-06 15:58:59,461 DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache [https-jsse-nio-11120-exec-10] Saved request https://my-load-balancer:11120/content/
    documents/myapp?test_no=I1111115432BBBBBBB&entry_number=415895J to session
    
    First attempt to authenticate:
    2022-12-06 15:58:59,470 DEBUG org.springframework.security.web.DefaultRedirectStrategy [https-jsse-nio-11120-exec-10] Redirecting to https://my-load-balancer:11120/oauth2/authorization/azure
    
    2022-12-06 15:58:59,537 DEBUG org.springframework.security.web.FilterChainProxy [https-jsse-nio-11120-exec-9] Securing GET /oauth2/authorization/azure
    
    2022-12-06 15:58:59,558 DEBUG org.springframework.security.web.DefaultRedirectStrategy [https-jsse-nio-11120-exec-9] Redirecting to https://login.microsoftonline.com/ac52f73c-fd1a-4a9a-8e7a-4a248f31
    39e1/oauth2/v2.0/authorize?response_type=code&client_id=YYYYYYY&scope=openid%20profile%20offline_access&state=0jyV5HiOjxBLTG4cIs1koydlLFEPCZx_4RWuNg3wQpw%3D&redirect_uri
    =https://my-load-balancer:11120/login/oauth2/code&nonce=N-Tc2RIad5dFccOHTx79ifPhgs4UYoEnnJIJk0rApl8
    
    2022-12-06 15:59:00,356 DEBUG org.springframework.security.web.FilterChainProxy [https-jsse-nio-11120-exec-10] Securing GET /login/oauth2/code?code=0.ARXXXXX
    
    2022-12-06 15:59:00,357 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor [https-jsse-nio-11120-exec-10] Failed to authorize filter invocation [GET /login/oauth2/code
    ?code=0.ARXXXXX] with attributes [authenticated]
    
    2022-12-06 15:59:00,358 DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache [https-jsse-nio-11120-exec-10] Saved request https://my-load-balancer:11120/login/oa
    uth2/code?code=0.ARXXXXX to session
    
    Second attempt to authenticate:
    2022-12-06 15:59:00,358 DEBUG org.springframework.security.web.DefaultRedirectStrategy [https-jsse-nio-11120-exec-10] Redirecting to https://my-load-balancer:11120/oauth2/authorization/azure
    
    2022-12-06 15:59:00,391 DEBUG org.springframework.security.web.FilterChainProxy [https-jsse-nio-11120-exec-1] Securing GET /oauth2/authorization/azure
    
    2022-12-06 15:59:00,415 DEBUG org.springframework.security.web.DefaultRedirectStrategy [https-jsse-nio-11120-exec-1] Redirecting to https://login.microsoftonline.com/ac52f73c-fd1a-4a9a-8e7a-4a248f31
    39e1/oauth2/v2.0/authorize?response_type=code&client_id=YYYYYYY&scope=openid%20profile%20offline_access&state=N6S7RwKvgVQjwB1oAzcdvBF0rcCVbMkemLVV4KjfaKU%3D&redirect_uri
    =https://my-load-balancer:11120/login/oauth2/code&nonce=_Bg814QoGQJv7fbzslGq2oh_MePQLPBHTp8j2wdkY0w
    
    2022-12-06 15:59:00,693 DEBUG org.springframework.security.web.FilterChainProxy [https-jsse-nio-11120-exec-3] Securing GET /login/oauth2/code?code=0.ARXXXXX
    
    2022-12-06 15:59:00,694 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor [https-jsse-nio-11120-exec-3] Failed to authorize filter invocation [GET /login/oauth2/code?
    code=0.ARXXXXX] with attributes [authenticated]
    
    2022-12-06 15:59:00,695 DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache [https-jsse-nio-11120-exec-3] Saved request https://my-load-balancer:11120/login/oau
    th2/code?code=0.ARXXXXX to session
    
    Further attempts to authenticate follow in a loop until 'too many redirects' error is seen in browser.

作为修复此问题的第一次尝试,我添加了上面代码示例中看到的安全异常,以使这些模式免受安全性的影响,但这没有什么区别。
然后我想,也许Docker容器无法“看到”login.microsoftonline.com以进行身份验证。但是,我可以在日志中清楚地看到它,我没有看到任何连接异常或类似的,我希望看到如果这是问题。
现在,我认为这个问题很可能是由于重定向URI指向负载平衡器而不是localhost。关于这一点,有人建议我使用以下配置设置,但它没有效果:

server.forward-headers-strategy=NATIVE
server.tomcat.redirect-context-root=false

我现在在想,我应该尝试将重定向URI设置为localhost而不是负载平衡器,并在重定向URI中包含一个尾随斜杠。我将尝试这样做,但由于我在一个受限制的生产环境中工作,这将需要几天的时间才能生效。
在此期间,我将非常感谢任何建议或想法,我感谢你阅读我的职位。

y1aodyip

y1aodyip1#

我之所以发布一个答案,是因为我们通过在我们的安全配置类中添加安全异常(原始代码显示在原始帖子中),成功地越过了这个特殊的障碍。
login/oauth2/code的两个变体添加到异常中,得到下面的完整集合。

"/", "/home", "/login**", "/callback/", "/webjars/**", "/error**", "/oauth2/authorization/**", "login/oauth2/code", "/login/oauth2/code**")

这修复了Too Many Redirects问题。然而,下一个障碍是处理一个404异常,这个异常现在在试图访问login/oauth2/code时发生。为此,我问了另一个SO问题:Spring Boot SSO Azure AD Redirection causing 404 Error after successful authorization
非常感谢!

相关问题