Java 如何让spring安全性在跨多个域的负载平衡器后面工作？_Java_Spring_Amazon Web Services_Tomcat_Proxy

Java 如何让spring安全性在跨多个域的负载平衡器后面工作？

java spring amazon-web-services tomcat proxy

Java 如何让spring安全性在跨多个域的负载平衡器后面工作？,java,spring,amazon-web-services,tomcat,proxy,Java,Spring,Amazon Web Services,Tomcat,Proxy,我们正在将一个旧的java/spring应用程序迁移到AWS中，因此它位于AWS应用程序负载平衡器的后面。Tomcat直接在8080端口上的负载平衡器后面运行，我们在负载平衡器和Tomcat之间使用HTTP <bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor"> <property name="channelProcessorOverrides"

我们正在将一个旧的java/spring应用程序迁移到AWS中，因此它位于AWS应用程序负载平衡器的后面。Tomcat直接在8080端口上的负载平衡器后面运行，我们在负载平衡器和Tomcat之间使用HTTP

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

问题是在这种情况下，spring安全模块无法识别连接是否安全

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

我可以通过配置连接来解决此问题：

<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           proxyName="single-host.example.com"
           secure="true"
           scheme="https"
           redirectPort="443"
           proxyPort="443" />

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

但这似乎没有什么区别

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

有没有办法在这种情况下支持多个主机名？

您应该在LB上设置HTTPS连接，然后在LB和tomcat之间建立正确的TLS连接，这样spring就不会哭了。您只需向LB提供一个自签名证书，并使用生成该自签名证书的私钥设置spring安全模块

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

（更复杂的选项：正确设置tomcat代理，强制它将LB的HTTP流封装在HTTPS流中。在代理中设置所有TLS要求：证书、私钥…

AWS LoadBalancer在代理请求时发送标头

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

在Tomcat上，配置为从这些头中解释请求变量和其他请求变量

<Valve className="org.apache.catalina.valves.RemoteIpValve"/>

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

您还应该省略

连接器

配置上的设置

proxyName

，因为它应该自动来自阀门。

您是否尝试将LB地址作为proxyName？这可能对你的案子有用。

我有一些解决办法。因此，我提供了两个建议。第一个是一步一步的解决你的问题。如果没有，则转到第二个

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

第二个是使用

X-Forwarded-Proto

和相关配置来解决问题。希望它能帮助你

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

建议#1： Amazon云环境的负载平衡支持过程非常简单。此处提供了一个分步教程：

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

建议2：他给出了一个解决方案

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

在Tomcat中配置以下阀门将发出请求。ISSecurity（）函数与X-Forwarded-Proto头一起正常运行：

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

这可以添加到Tomcat的

server.xml

元素下的

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

当然，在所有这些之后，有一个非常非常简单的解决方案从一开始就解决了这个问题。真正需要做的就是从以下方面修改原型通道过滤器：

if ("https".equals(invocation.getHttpRequest().getHeader("X-Forwarded-Proto"))) {
    getEntryPoint().commence(invocation.getRequest(), invocation.getResponse());
}

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

致： 此处的最终配置应为：

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
      <list>
        <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" />
        <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" />
      </list>
    </property>
</bean>

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

此后,

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

有些人喜欢在负载平衡器上终止SSL，而不使用ApacheWeb服务器。在这种情况下，您通常在80/443上的LB处接受流量，然后将流量路由到8080上的Tomcat

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

如果您正在使用Spring的端口映射：

<sec:port-mappings>
    <sec:port-mapping http="8080" https="443"/>
</sec:port-mappings>

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

这将不起作用，因为它不会覆盖新通道处理器中的端口映射。以下是一个可以正常工作的配置：

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>

资源链接：

您愿意分享您的spring安全性吗config@EssexBoy当前位置如果不泄露机密信息，我不确定我能做到这一点。哪些部分最有用？您不需要共享密码或用户名，否则配置不敏感。实际上没有代理，这只是连接元素上的代理配置。该站点使用Tomcat 6-你不知道它是否仍然受支持吗？我现在无法在tomcat6上测试它，但至少可以从java文档中找到它，但它不会工作。proxyName是重定向到的名称。

<bean class="org.broadleafcommerce.common.security.channel.ProtoChannelBeanPostProcessor">
    <property name="channelProcessorOverrides">
        <list>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoInsecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
            <bean class="org.broadleafcommerce.common.security.channel.ProtoSecureChannelProcessor" >
                <property name="entryPoint">
                    <bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                        <property name="portMapper" ref="portMapper"/>
                    </bean>
                </property>
            </bean>
        </list>
    </property>
</bean>