spring-security - Zuul Gateway 通过 Eureka Server 启动时出现未经授权的异常

Question

我正在将 Spring Boot 从 1.5.12 迁移到 2.1.14。我们还必须迁移 Spring Cloud 依赖项。因此，为此我将 Spring cloud 版本从“Dalston.SR4”更改为“Greenwich.SR4”（Spring Boot 2.1.x 支持的版本）。

//implementation('org.springframework.boot:spring-boot-starter-security')
implementation('org.springframework.cloud:spring-cloud-starter-security')
implementation('org.springframework.cloud:spring-cloud-starter-oauth2')
//compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure')
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
compile('org.springframework.boot:spring-boot-starter-web')
compile("org.springframework.cloud:spring-cloud-starter-netflix-eureka-server")
compile("org.springframework.cloud:spring-cloud-starter-netflix-eureka-client")
compile("org.springframework.cloud:spring-cloud-starter-netflix-zuul")

我有 Eureka Server 和 Zuul GateWay Application，它是微服务之一，将充当代理和 eureka 客户端，如下所示

Eureka Server:
----------------

 @SpringBootApplication(exclude = {
        HibernateJpaAutoConfiguration.class,
        JndiConnectionFactoryAutoConfiguration.class,
        DataSourceAutoConfiguration.class,
        DataSourceTransactionManagerAutoConfiguration.class,
        SecurityAutoConfiguration.class
})
@EnableEurekaServer
@ComponentScan("com.swp.service.eureka")
public class EurekaRegistryApplication {
    public static void main(String[] args) {
        SpringApplication springApplication = new SpringApplication(EurekaApplication.class);
        springApplication.run(args);
    }
 
 application-eureka.properties:
 -----------------------------
 spring.application.name=eureka
server.port=8761
eureka.instance.hostname=localhost
eureka.client.registerWithEureka=false
eureka.client.fetchRegistry=false
eureka.client.serviceUrl.defaultZone=http://${eureka.instance.hostname}:${server.port}/eureka/
security.enabled=false
 
Zuul Gateway:
--------------- 
 @SpringBootApplication(exclude = {
        HibernateJpaAutoConfiguration.class,
        JndiConnectionFactoryAutoConfiguration.class,
        DataSourceAutoConfiguration.class,
        DataSourceTransactionManagerAutoConfiguration.class,
        SecurityAutoConfiguration.class
})
@EnableZuulProxy
@EnableDiscoveryClient
@ComponentScan("com.swp.swp.service.zuul")
public class SWPGatewayApplication {

    public static void main(String[] args) {  
        SpringApplication springApplication = new SpringApplication(SWPGatewayApplication.class);
        springApplication.run(args);
    }
}

application-gateway.properties
-------------------------------

spring.application.name=zuul
server.port=8092
server.servlet.context-path=/swp-gateway
allowedOriginHeaders=http://localhost:9090
zuul.add-host-header=true
zuul.sensitiveHeaders=Cookie,Set-Cookie
zuul.host.connect-timeout-millis=300000
zuul.host.socket-timeout-millis=300000
zuul.routes.swp.path=/swpapp/**
zuul.routes.oauth.path=/authservice/**
zuul.routes.swp.serviceId=swpapp
zuul.routes.oauth.serviceId=oauthservice
ribbon.ReadTimeout=300000
ribbon.ConnectTimeout=300000
ribbon.eureka.enabled=true
hystrix.command.default.execution.isolation.thread.timeoutInMilliseconds=300000
eureka.client.registerWithEureka=false
eureka.client.serviceUrl.defaultZone=http://localhost:8761/eureka/
security.enabled=false

我们将 Spring Security 与 Oauth2 集成在一起，并拥有如下所示的授权服务器和资源服务器。

Authorization server:
---------------------

@Configuration
@EnableAuthorizationServer
@ConditionalOnProperty(name="EnableJwtToken", matchIfMissing=true, havingValue="false")
public class AuthServerConfig extends WebSecurityConfigurerAdapter implements AuthorizationServerConfigurer {
   
   
    @Bean
    public  AuthenticationManager authenticationManagerBean() throws Exception {
        return  super.authenticationManagerBean();
    }

    @Autowired
    private AuthenticationManager authenticationManager;
    
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        logger.info("AuthorizationServerSecurityConfigurer", "Enter into AuthorizationServerSecurityConfigurer");
        oauthServer.checkTokenAccess("isAuthenticated()").checkTokenAccess("permitAll()");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").permitAll();
    }

    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/**");
    
    etc.. config for in memory auth and token generation.
}


Resource Server:
------------------

@Configuration
@EnableResourceServer
@EnableWebSecurity
@ConditionalOnProperty(name="EnableJWTSecurity", havingValue="false",matchIfMissing=true)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    
    @Override
    public void configure(HttpSecurity http) throws Exception {
        logger.info("ResourceServerConfig","Inside HttpSecurity http configure");
        /*http
                .authorizeRequests().
                antMatchers("/swp/**").
                authenticated()
                .anyRequest().permitAll();*/
        http.authorizeRequests()
                .antMatchers("/**")
                .permitAll()
                .antMatchers("/**")
                .authenticated();
    }
}

除了这些 MS，我还有其他一些微服务。当我启动作为 Eureka 服务器的 EurekaRegistry 应用程序时，我们没有错误并且能够成功启动它们。但是我们在运行 Zull Gateway 微服务时遇到问题，这会出现以下错误，要求授权。

25408     SWP  DEBUG  zuul   org.apache.http.headers    << Cache-Control: no-cache, no-store, max-age=0, must-revalidate
25408     SWP  DEBUG  zuul   org.apache.http.headers    << Pragma: no-cache
25408     SWP  DEBUG  zuul   org.apache.http.headers  2020-07-10 02:37:22.909  << Expires: 0
25408     SWP  DEBUG  zuul   org.apache.http.headers  2020-07-10 02:37:22.909  << X-Frame-Options: DENY
25408     SWP  DEBUG  zuul   org.apache.http.headers  2020-07-10 02:37:22.909  << Content-Type: application/json;charset=UTF-8
25408     SWP  DEBUG  zuul   org.apache.http.headers  2020-07-10 02:37:22.909  << Transfer-Encoding: chunked
25408     SWP  DEBUG  zuul   org.apache.http.headers  2020-07-10 02:37:22.909  << Date: Fri, 10 Jul 2020 06:37:22 GMT
25408     SWP  DEBUG  zuul   org.apache.http.headers  2020-07-10 02:37:22.909  << Keep-Alive: timeout=60
25408     SWP  DEBUG  zuul   org.apache.http.headers  2020-07-10 02:37:22.909  << Connection: keep-alive
25408     SWP  DEBUG  zuul   o.a.h.impl.client.DefaultHttpClient  2020-07-10 02:37:22.909  Connection can be kept alive for 60000 MILLISECONDS
25408     SWP  DEBUG  zuul   o.a.h.impl.client.DefaultHttpClient  2020-07-10 02:37:22.909  Authentication required
25408     SWP  DEBUG  zuul   o.a.h.impl.client.DefaultHttpClient  2020-07-10 02:37:22.909  localhost:8761 requested authentication
25408     SWP  DEBUG  zuul   o.a.h.i.c.TargetAuthenticationStrategy  2020-07-10 02:37:22.909  Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, CredSSP, Digest, Basic]
25408     SWP  DEBUG  zuul   o.a.h.i.c.TargetAuthenticationStrategy  2020-07-10 02:37:22.912  Challenge for Negotiate authentication scheme not available
25408     SWP  DEBUG  zuul   o.a.h.i.c.TargetAuthenticationStrategy  2020-07-10 02:37:22.912  Challenge for Kerberos authentication scheme not available
25408     SWP  DEBUG  zuul   o.a.h.i.c.TargetAuthenticationStrategy  2020-07-10 02:37:22.912  Challenge for NTLM authentication scheme not available
25408     SWP  DEBUG  zuul   o.a.h.i.c.TargetAuthenticationStrategy  2020-07-10 02:37:22.912  Challenge for CredSSP authentication scheme not available
25408     SWP  DEBUG  zuul   o.a.h.i.c.TargetAuthenticationStrategy  2020-07-10 02:37:22.912  Challenge for Digest authentication scheme not available
25408     SWP  DEBUG  zuul   org.apache.http.wire  2020-07-10 02:37:22.912   << "80[\r][\n]"
25408     SWP  DEBUG  zuul   org.apache.http.wire  2020-07-10 02:37:22.912   << **"{"timestamp":"2020-07-10T06:37:22.908+0000","status":401,
"error":"Unauthorized","message":"Unauthorized","path":"/eureka/apps/"}"**
25408     SWP  DEBUG  zuul   c.n.d.s.t.j.AbstractJerseyEurekaHttpClient  2020-07-10 02:37:22.912  Jersey HTTP GET http://localhost:8761/eureka//apps/?; statusCode=401
25408     SWP  DEBUG  zuul   org.apache.http.wire  2020-07-10 02:37:22.912   << "[\r][\n]"
25408     SWP  DEBUG  zuul   org.apache.http.wire  2020-07-10 02:37:22.912   << "0[\r][\n]"
25408     SWP  DEBUG  zuul   org.apache.http.wire  2020-07-10 02:37:22.912   << "[\r][\n]"
25408     SWP  DEBUG  zuul   c.n.d.s.MonitoredConnectionManager  2020-07-10 02:37:22.912  Released connection is reusable.
25408     SWP  DEBUG  zuul   c.n.d.shared.NamedConnectionPool  2020-07-10 02:37:22.912  Releasing connection [{}->http://localhost:8761][null]
25408     SWP  DEBUG  zuul   c.n.d.shared.NamedConnectionPool  2020-07-10 02:37:22.912  Pooling connection [{}->http://localhost:8761][null]; keep alive for 60000 MILLISECONDS
25408     SWP  DEBUG  zuul   c.n.d.shared.NamedConnectionPool  2020-07-10 02:37:22.912  Notifying no-one, there are no waiting threads
25408     SWP  DEBUG  zuul   c.n.d.s.t.d.RedirectingEurekaHttpClient  2020-07-10 02:37:22.912  Pinning to endpoint null
25408     SWP   WARN  zuul   c.n.d.s.t.d.RetryableEurekaHttpClient  2020-07-10 02:37:22.912  Request execution failure with status code 401; retrying on another server if available
25408     SWP  ERROR  zuul   c.netflix.discovery.DiscoveryClient  2020-07-10 02:37:22.912  DiscoveryClient_ZUUL/WGA10015LDITEGG.uswin.ad.swp.com:zuul:8092 - was unable to refresh its cache! status = Cannot execute request on any known server
com.netflix.discovery.shared.transport.TransportException: Cannot execute request on any known server

注意：这里我们没有尝试向我们的 Eureka 服务器注册 Eureka Clients。尝试通过 Zuul 网关访问其他微服务并使用属性禁用安全性：security.enabled=false。迁移之前 security.basic.enabled=false。我们尝试使用不同的组合尽可能禁用安全性，但仍然出现上述错误。

有人可以告诉我可能是什么问题。

提前致谢。