zuul+spring security oauth2 + thymeleaf问题

Angel_1987 2018-12-17 03:51:18

最近在做项目，搭建开发架构时遇到了两个问题。
第一个，是通过zuul转发到认证中心登录时，认证中心登录界面样式加载不成功。先贴出第一个配置。
网关配置



spring.application.name=service-zuul-gatway

server.port=8801



spring.aop.proxy-target-class=true





eureka.instance.prefer-ip-address=true

eureka.client.register-with-eureka=true

eureka.client.fetch-registry=true

eureka.client.service-url.defaultZone=http://service-register-server1:8000/eureka,http://service-register-server2:8001/eureka



zuul.host.connect-timeout-millis=60000

zuul.host.socket-timeout-millis=60000

ribbon.ReadTimeout=50000

ribbon.ConnectTimeout=50000





zuul.ignored-services='*'

#zuul.prefix=/api

#fail to retry

zuul.retryable=true

#zuul.ignore-security-headers=false

#zuul.add-host-header=true

#ribbon.eureka.enabled=false

zuul.add-proxy-headers=true





zuul.routes.auth-center.path=/oauth/**

zuul.routes.auth-center.service-id=auth-center

zuul.routes.auth-center.sensitive-headers=

zuul.routes.auth-center.strip-prefix=false



zuul.routes.side.path=/side/**

zuul.routes.side.service-id=side

zuul.routes.side.sensitive-headers=

#zuul.routes.side.strip-prefix=false

#zuul.routes.side.sensitive-headers=Cookie,Set-Cookie,Authorization



zuul.routes.resource-test.path=/test/**

zuul.routes.resource-test.service-id=resource-test

#zuul.routes.resource-test.sensitive-headers=





#spring.security.user.name=user

#spring.security.user.password=123456





security.oauth2.sso.login-path=/login

security.oauth2.client.access-token-uri=http://auth-center/oauth/oauth/token

security.oauth2.client.user-authorization-uri=/oauth/oauth/authorize



#security.oauth2.sso.login-path=http://localhost:8801/oauth/login

#security.oauth2.client.access-token-uri=http://localhost:8801/oauth/oauth/token

#security.oauth2.client.user-authorization-uri=http://localhost:8801/oauth/oauth/authorize



security.oauth2.client.client-id=client

security.oauth2.client.client-secret=secret

#security.oauth2.client.grant-type=password

security.oauth2.resource.jwt.key-value=1q2w3e4rasdf

security.oauth2.resource.id=openid

security.oauth2.resource.service-id=resource



#security.oauth2.client.registered-redirect-uri=http://localhost:8801/side/dologin

#security.oauth2.client.pre-established-redirect-uri=http://localhost:8801/side/dologin

#security.oauth2.client.use-current-uri=false

网关的security控制

@Configuration

@EnableOAuth2Sso

@Order(value = 0)

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";

    private static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";



    @Bean

    @Primary

    public OAuth2ClientContextFilter sideOauth2ClientContextFilter() {

        return new SideOauth2ClientContextFilter();

    }



    @Override

    public void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().antMatchers("/oauth/**", "/login").permitAll().anyRequest().authenticated()

        	.and()

            .csrf().requireCsrfProtectionMatcher(csrfRequestMatcher()).csrfTokenRepository(csrfTokenRepository())

            .and()

            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)

            .logout().permitAll()

            .logoutSuccessUrl("/");

    }





    private RequestMatcher csrfRequestMatcher() {

        return new RequestMatcher() {

            // Always allow the HTTP GET method

            private final Pattern allowedMethods = Pattern.compile("^(GET|HEAD|OPTIONS|TRACE)$");



            // Disable CSFR protection on the following urls:

            private final AntPathRequestMatcher[] requestMatchers = { new AntPathRequestMatcher("/oauth/**") };



            @Override

            public boolean matches(HttpServletRequest request) {

                if (allowedMethods.matcher(request.getMethod()).matches()) {

                    return false;

                }



                for (AntPathRequestMatcher matcher : requestMatchers) {

                    if (matcher.matches(request)) {

                        return false;

                    }

                }

                return true;

            }

        };

    }



    private static Filter csrfHeaderFilter() {

        return new OncePerRequestFilter() {

            @Override

            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,

                                            FilterChain filterChain) throws ServletException, IOException {

                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());

                if (csrf != null) {

                    Cookie cookie = new Cookie(CSRF_COOKIE_NAME, csrf.getToken());

                    cookie.setPath("/");

                    cookie.setSecure(true);

                    response.addCookie(cookie);

                }

                filterChain.doFilter(request, response);

            }

        };

    }



    private static CsrfTokenRepository csrfTokenRepository() {

        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();

        repository.setHeaderName(CSRF_HEADER_NAME);

        return repository;

    }

认证中心配置

#=============================================================

#server info configure

#=============================================================

server.port=8810

#\u4E0A\u4E0B\u6587\u914D\u7F6E

server.servlet.context-path=/oauth

#\u8BF7\u6C42\u5B57\u7B26\u96C6\u7F16\u7801

server.tomcat.uri-encoding=UTF-8

server.use-forward-headers=false

#springMVC\u89C6\u56FE\u9ED8\u8BA4\u8BBF\u95EE\u524D\u7F00

spring.mvc.view.prefix=/WEB-INF/pages/

#springMVC\u89C6\u56FE\u6587\u4EF6\u540E\u7F00

spring.mvc.view.suffix=.html

#\u8BBF\u95EE\u9759\u6001\u8D44\u6E90

spring.mvc.static-path-pattern=/**





#=================================================================

#thymeleaf configure

#=================================================================

spring.thymeleaf.prefix=/WEB-INF/pages/

spring.thymeleaf.encoding=utf-8

spring.thymeleaf.suffix=.html

spring.thymeleaf.mode=LEGACYHTML5

spring.thymeleaf.check-template-location=false

spring.thymeleaf.cache=false



spring.resources.static-locations = classpath:/templates/,classpath:/WEB-INF/pages/,classpath:/webapp/common/,classpath:/webapp/css/,classpath:/webapp/images/,classpath:/webapp/js/





#=============================================================

#eureka service register configure

#=============================================================

eureka.instance.prefer-ip-address=true

eureka.client.register-with-eureka=true

eureka.client.service-url.defaultZone=http://service-register-server1:8000/eureka,http://service-register-server2:8001/eureka

spring.application.name=auth-center



#=============================================================

#logging configure

#=============================================================

logging.level.org.springframework.security=DEBUG





#=============================================================

#data source configure

#=============================================================

#spring.datasource.type=com.mchange.v2.c3p0.ComboPooledDataSource

#spring.datasource.url=jdbc:mysql://node1:3306/SIDEDB?useUnicode=true&characterEncoding=utf8&useSSL=false

spring.datasource.url=jdbc:mysql://localhost:3306/SIDEDB?useUnicode=true&characterEncoding=utf8&useSSL=false

spring.datasource.username=root

spring.datasource.password=admin

spring.datasource.driver-class-name=com.mysql.jdbc.Driver

spring.datasource.tomcat.max-wait=10000

spring.datasource.tomcat.max-active=50

spring.datasource.tomcat.test-on-borrow=true

认证中心安全控制

@Configuration

@EnableWebSecurity

public class AuthServerWebSecurityConfig extends WebSecurityConfigurerAdapter{



	@Autowired

	@Qualifier("userDetailsService")

	private UserDetailsServiceImpl userDetailsService;

	@Override

	protected void configure(HttpSecurity http) throws Exception {

		http.formLogin().loginPage("/login").permitAll()

		.usernameParameter("userCode")

		.passwordParameter("password")

		.and()

		.authorizeRequests()

		.anyRequest()

		.authenticated();

	}

    @Override

    public void configure(WebSecurity web) throws Exception {

       web.ignoring().antMatchers("/js/**", "/images/**", "/css/**", "/common/**");

    }

通过zuul进入认证中心登录页面时，所有静态资源加载失败。
查看页面请求信息会看到如下信息。Cross-Origin Read Blocking (CORB) blocked cross-origin response http://192.168.28.208:8810/oauth/login with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
貌似是因为跨域的问题引起。此问题如何解决？

第二个问题，界面加载成功，但查看后台日志发现thymeleaf模板渲染异常。



org.thymeleaf.exceptions.TemplateInputException: An error happened during template parsing (template: "ServletContext resource [/WEB-INF/pages/index/login.html]")

	at org.thymeleaf.templateparser.markup.AbstractMarkupTemplateParser.parse(AbstractMarkupTemplateParser.java:241) ~[thymeleaf-3.0.9.RELEASE.jar:3.0.9.RELEASE]

	at org.thymeleaf.templateparser.markup.AbstractMarkupTemplateParser.parseStandalone(AbstractMarkupTemplateParser.java:100) ~[thymeleaf-3.0.9.RELEASE.jar:3.0.9.RELEASE]

	at org.thymeleaf.engine.TemplateManager.parseAndProcess(TemplateManager.java:666) ~[thymeleaf-3.0.9.RELEASE.jar:3.0.9.RELEASE]

	at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1098) [thymeleaf-3.0.9.RELEASE.jar:3.0.9.RELEASE]

	at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1072) [thymeleaf-3.0.9.RELEASE.jar:3.0.9.RELEASE]

	at org.thymeleaf.spring5.view.ThymeleafView.renderFragment(ThymeleafView.java:354) [thymeleaf-spring5-3.0.9.RELEASE.jar:3.0.9.RELEASE]

	at org.thymeleaf.spring5.view.ThymeleafView.render(ThymeleafView.java:187) [thymeleaf-spring5-3.0.9.RELEASE.jar:3.0.9.RELEASE]

	at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1325) [spring-webmvc-5.0.9

...全文