
Kern des Problems: https://www.example.com vs. https://example.com – neue Sitzung aufgrund des optionalen „www“ in der URL erstellt

Hintergrund: Ich habe eine Spring-Boot-Anwendung hinter einem Webserver (nginx mit https). Im DNS-Setup sind benutzerdefinierte Resource Records angelegt, bei denen @ und www auf denselben Server zeigen. OAuth2 ist über Google eingerichtet, mit nur einem Eintrag unter „Authorized redirect URIs“, nämlich https://example.com/login/google – dem Callback, nachdem der Endbenutzer die OAuth2-Anmeldung genehmigt hat.

Problem: Wenn der Benutzer https://example.com verwendet, funktioniert die Anmeldung einwandfrei. Verwendet der Benutzer jedoch https://www.example.com und versucht, sich einzuloggen, leitet Google zurück auf https://example.com/login/google – Spring Boot sieht dies als neue Anfrage (mit einer neuen Session-ID) an, und die Anmeldung schlägt fehl.

Frage: Hat jemand das schon einmal gesehen? Wo wäre das Problem am besten zu beheben: in nginx, bei Google oder in Spring Boot?

Symptom: „Possible CSRF detected“ (vollständiges Ausnahmeprotokoll unten)

2017-12-13 22:42:59,917 [http-nio-8080-exec-4] DEBUG o.s.s.o.c.f.OAuth2ClientAuthenticationProcessingFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token 
org.springframework.security.authentication.BadCredentialsException: Could not obtain access token 
    at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:107) 
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) 
    at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:112) 
    at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:73) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) 
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) 
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) 
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) 
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 
    at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:60) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 
    at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 
    at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) 
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) 
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) 
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) 
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) 
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) 
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) 
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) 
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) 
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) 
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) 
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) 
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) 
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) 
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) 
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) 
    at java.lang.Thread.run(Thread.java:748) 
Caused by: org.springframework.security.oauth2.common.exceptions.InvalidRequestException: Possible CSRF detected - state parameter was required but no state could be found 
    at com.rathna.app.servi.core.security.AuthorizationCodeAccessTokenProvider.getParametersForTokenRequest(AuthorizationCodeAccessTokenProvider.java:103) 
    at com.rathna.app.servi.core.security.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:50) 
    at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:148) 
    at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(AccessTokenProviderChain.java:121) 
    at com.rathna.app.servi.core.security.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:73) 
    at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:173) 
    at org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication(OAuth2ClientAuthenticationProcessingFilter.java:105) 
    ... 62 common frames omitted 

Antwort


Hat sich erledigt – am besten ließ es sich in nginx beheben: Alle Anfragen an www.example.com werden dauerhaft auf example.com umgeleitet, sodass Login und OAuth2-Callback immer denselben Host (und damit dieselbe Session) verwenden.

Folgendes wurde zu /etc/nginx/sites-available/default hinzugefügt:

server { 
     # Canonical-host redirect for the www alias: every request that arrives
     # with Host www.example.com is sent (301, permanent) to the same path on
     # example.com – the only host registered as OAuth2 redirect URI above.
     server_name www.example.com; 
     return 301 https://example.com$request_uri; 
} 

Außerdem wurde diese bestehende Zeile innerhalb des ersten server {}-Blocks geändert:

server_name example.com www.example.com; 

zu dieser:

server_name example.com; 

Hier ist die vollständige Datei:

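# /etc/nginx/sites-available/default
#
# Two server blocks: the first catches the www alias and redirects it to the
# canonical host; the second serves example.com itself and proxies the
# Spring Boot application.

server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Canonical-host redirect: the OAuth2 callback is registered for
    # https://example.com only, so every www request is moved there before
    # the application creates a session for the wrong host.
    return 301 https://example.com$request_uri;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # NOTE(review): there is no "listen [::]:443 ssl" here, so HTTPS is
    # reachable over IPv4 only — confirm this is intended.

    root /var/www/html;

    server_name example.com;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # FIX: was "location/{" — nginx tokenizes that as an unknown directive
    # named "location/" and refuses the configuration.
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    location ^~ /ng/ {
        # angular4 routing drama - always index.html
        try_files $uri$args $uri$args/ /index.html;
    }

    # The three proxied prefixes below are deliberately identical; keep them
    # in sync (or move the shared directives into an include file).
    # NOTE(review): no X-Forwarded-Proto is passed to the backend; if it ever
    # builds absolute URLs from the request, confirm it still sees https.
    location ^~ /usapi/ {
        proxy_pass https://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
    location ^~ /api/ {
        proxy_pass https://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
    location ^~ /login/ {
        proxy_pass https://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # FIX: redirect to the canonical host instead of echoing $host. This block
    # is the default_server for port 80, so it also answers requests whose
    # Host header names some unrelated domain; reflecting that value into the
    # Location header would make the server an open redirect. Legitimate
    # clients end up at the same place as before.
    if ($scheme != "https") {
        return 301 https://example.com$request_uri;
    } # managed by Certbot
}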