英文:
How to generate and pass CSRF token for a route in spring cloud gateway with Spring Security
问题
我正在尝试使用Okta、Spring Cloud Gateway和Spring Security实现基于OAuth2的身份验证。我想要实现的目标是,我希望Spring Cloud Gateway的某个路由对所有人都可用,无需身份验证。我知道Spring Cloud Gateway使用WebFlux,所以我正在配置Spring Security。我在Spring Cloud Gateway中有三个路由。
- /auth
- /doctors
- /patients
我希望这些/auth/**路由中的任何一个都对所有人可用,因为用户在这里注册,所以我不能在那里放置身份验证。对于另外两个/doctors/**和/patients/**,我希望进行身份验证和授权。在Cloud Gateway的SecurityConfig中,我试图实现相同的目标。目前,我已经创建了以下配置:
package com.sb.projects.medica.gateway.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {
httpSecurity.authorizeExchange(exchanges -> {
exchanges.pathMatchers("/doctor/**", "/patient/**").authenticated();
exchanges.pathMatchers("/auth/**").permitAll();
}).oauth2Client().and().oauth2ResourceServer().jwt();
return httpSecurity.build();
}
}
但似乎不起作用。当我尝试访问/auth/**的任何路由时,我收到以下错误消息:
未找到预期的CSRF令牌
如何解决此错误?如何创建CSRF令牌并将其发送到前端?
英文:
I'm trying to implement Oauth2 based authentication using Okta, Spring Cloud Gateway & Spring Security. The objective that I want to achieve is I want a route of spring cloud gateway to be available for all without any authentication. I know spring cloud gateway uses WebFlux. So according to that only I'm configuring Spring Security. I have three routes in spring cloud gateway.
- /auth
- /doctors
- /patients
I want any of these /auth/** routes should be available to all because here my users signup so I can not put authentication there. For the other two /doctors/** and /patients/** I want authentication and Authorisation. In the SecurityConfig in cloud gateway I'm trying to achieve the same. Currently I have made this config:
package com.sb.projects.medica.gateway.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {
httpSecurity.authorizeExchange(exchanges -> {
exchanges.pathMatchers("/doctor/**", "/patient/**").authenticated();
exchanges.pathMatchers("/auth/**").permitAll();
}).oauth2Client().and().oauth2ResourceServer().jwt();
return httpSecurity.build();
}
}
But it does not seem to work. When I try to hit any route of /auth/** I get
> An expected CSRF token cannot be found
How can I solve this error. How can I create a csrf token and send it to frontend
答案1
得分: 1
您显然刚刚开始配置CSRF。我建议您从Spring文档开始。真的,甚至在阅读本答案的其余部分之前仔细阅读它。
网关后面的REST API可能可以配置为"stateless"(在Servlet中是http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS),在响应式应用中是http.securityContextRepository(NoOpServerSecurityContextRepository.getInstance())),因此可以禁用CSRF保护(http.csrf().disable())。然后,您可以使用OAuth2授权配置Postman并直接查询API(而不是通过网关)。
根据您的React前端配置为OAuth2公共客户端还是网关作为Backend For Frontend(OAuth2机密客户端,带有TokenRelay过滤器),对CSRF保护的需求有很大的不同:
- 在第一种情况下,网关可以对安全性保持透明,因为它既不处理登录也不处理登出(这两者都由React应用中的OAuth2客户端库完成),也不处理与用户会话相关的任何内容,因此不需要关注CSRF。
- 在第二种情况下,网关必须维护授权码流程的会话,以便
TokenRelay过滤器能够正常工作(将OAuth2令牌与每个浏览器会话关联)。因此,必须启用CSRF,而您的应用是基于JavaScript的,需要使用Cookie存储库(在响应式应用程序中是http.csrf().csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))。然后,您需要配置前端将CSRF令牌(作为Cookie接收)作为X-XSRF-TOKEN标头发送(如果您希望通过网关发送请求而不是直接查询API,则对Postman也有相同的要求)。
英文:
You are obviously just beginning your journey to CSRF configuration. I recommand you start with the Spring documentation. Like really. Read it carefully even before the rest of this answer.
The REST API(s) behind the gateway can probably be configured as "stateless" (http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) in a servlet or http.securityContextRepository(NoOpServerSecurityContextRepository.getInstance()) in a reactive app) and, as a consequence, CSRF protection can be disabled on it (http.csrf().disable()). You then configure Postman with OAuth2 authorization and query the API directly (not through the gateway).
Depending on your React frontend being configured as an OAuth2 public client or the gateway as a Backend For Frontend (OAuth2 confidential client with TokenRelay filter), the needs for CSRF protection are quite different:
-
in the first case, the gateway can be transparent to security and, as it handles neither login nor logout (both are done by the OAuth2 client lib in React app), nor anything related to user session, CSRF is not a concern
-
in the second case, the gateway has to maintain sessions for authorization-code flow to succeed and for the
TokenRelayfilter to work (keep OAuth2 tokens associated with each browser session). As a consequence, CSRF must be enabled and, as your app is Javascript based, with Cookie repo (http.csrf().csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse());on a reactive application likespring-cloud-gateway). You'll then have to configure your frontend to send the CSRF token (received as cookie) asX-XSRF-TOKENheader (same requirement for Postman if you want to send requests through the gateway instead of querying the API(s) directly).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论