Cookie written by the service never arrives: the Zuul sensitive-header problem

Testing the auth service directly with a POST shows no problem:
http://localhost:8087/accredit

[screenshot 1]

But when the same call goes through the gateway, the browser's cookie jar is empty. What is going on?

[screenshot 2]

1.1 Troubleshooting: the CORS configuration

For cookies to work on a cross-origin (CORS) request, three things are required on the server side:
1. addAllowedOrigin with the concrete origin(s); a wildcard is refused by the browser once credentials are involved
2. setAllowCredentials(true), so the browser may send and store cookies
3. addAllowedMethod for every method the front end will use
None of that is wrong here:

package com.leyou.gateway.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class GlobalCorsConfig {
    @Bean
    public CorsFilter corsFilter() {
        // 1. Build the CORS configuration
        CorsConfiguration config = new CorsConfiguration();

        // 1) Allowed origins: list them explicitly. Do not use "*": combined with
        //    allowCredentials the browser rejects the response and cookies stop working.
        config.addAllowedOrigin("http://manage.leyou.com");
        config.addAllowedOrigin("http://www.leyou.com");

        // 2) Let the browser send and store cookies on cross-origin requests
        config.setAllowCredentials(true);

        // 3) Allowed request methods
        config.addAllowedMethod("OPTIONS");
        config.addAllowedMethod("HEAD");
        config.addAllowedMethod("GET");
        config.addAllowedMethod("PUT");
        config.addAllowedMethod("POST");
        config.addAllowedMethod("DELETE");
        config.addAllowedMethod("PATCH");
        // 4) Allowed request headers
        config.addAllowedHeader("*");

        // 2. Apply the configuration to every path the gateway serves
        UrlBasedCorsConfigurationSource configSource = new UrlBasedCorsConfigurationSource();
        configSource.registerCorsConfiguration("/**", config);

        // 3. Return the filter
        return new CorsFilter(configSource);
    }
}
1.2 Troubleshooting: the front end

The front-end settings are fine as well (withCredentials is on), so the problem must be in the headers that actually travel between browser, gateway and service:

axios.defaults.baseURL = "http://api.leyou.com/api";
axios.defaults.timeout = 5000;
axios.defaults.withCredentials = true;
1.3 Troubleshooting: the Host header

The direct test above works, and the cookie comes back with Domain=localhost, i.e. the host that was called. The same call has to be tried with the IP address as well:

Set-Cookie: LY_TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJpZCI6MjksInVzZXJuYW1lIjoiaGVpbWE1MSIsImV4cCI6MTU0NTkyMjA4MX0.UmPL7a_CN1hJUPnUAVub47TnQ9c4P90ptApzghCqWjR0ObiBPD2YEe7_7Qq5-qkcfZiJJlHPfrLiIAiHmI1UE89mxJluqZxq3kEuZW4seyC5Cm6eAGSmDbQ-tU6heGWTzVgjEYF6sI4TBKwc2skFj_CxAbTWDegHWa6BJCQW6po; Max-Age=1800; Expires=Thu, 27-Dec-2018 14:48:02 GMT; Domain=localhost; Path=/; HttpOnly

http://127.0.0.1:8087/accredit
[screenshot 3]
Stepping in with the debugger:
[screenshot 4]
The host the service sees has changed to 127.0.0.1, and the cookie Domain follows it. Behind nginx and Zuul the service receives the upstream address instead of the host the browser asked for (api.leyou.com), so the browser on manage.leyou.com refuses the cookie. The proxies must pass the original Host through rather than the forwarded address:

nginx: proxy_set_header Host $host;
Gateway: add-host-header: true, because Zuul does one more forward for /auth/**:

zuul:
  ignored-services:
    - upload-service # do not route upload-service

  prefix: /api # route prefix
  retryable: true
  routes:
    item-service: /item/** # map the item microservice to /item/**
    search-service: /search/**
    user-service: /user/**
    auth-service: /auth/**
  add-host-header: true # forward the original Host header to the backend
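The two checks the browser applies to this login response, modelled in plain Python as an added example (this is not code from the post or from Spring): the credentialed-CORS conditions from 1.1, and the RFC 6265 domain-match that explains why a cookie whose Domain was derived from a rewritten Host (1.3) is thrown away. The origin, API host and the Domain variants are constructed from the post's setup; the Set-Cookie line is the one captured above.

```python
import ipaddress

# Constructed sample values taken from the post's setup: the admin page lives on
# manage.leyou.com, it calls the gateway at api.leyou.com, and auth-service sets
# the LY_TOKEN cookie.
ORIGIN = "http://manage.leyou.com"
API_HOST = "api.leyou.com"

# The Set-Cookie line captured in the post when auth-service is hit directly on
# localhost:8087 (token joined back onto one line).
PAGE_SET_COOKIE = (
    "LY_TOKEN=eyJhbGciOiJSUzI1NiJ9.eyJpZCI6MjksInVzZXJuYW1lIjoiaGVpbWE1MSIsImV4cCI6MTU0NTkyMjA4MX0."
    "UmPL7a_CN1hJUPnUAVub47TnQ9c4P90ptApzghCqWjR0ObiBPD2YEe7_7Qq5-qkcfZiJJlHPfrLiIAiHmI1UE89mxJluqZ"
    "xq3kEuZW4seyC5Cm6eAGSmDbQ-tU6heGWTzVgjEYF6sI4TBKwc2skFj_CxAbTWDegHWa6BJCQW6po; "
    "Max-Age=1800; Expires=Thu, 27-Dec-2018 14:48:02 GMT; Domain=localhost; Path=/; HttpOnly"
)


def set_cookie_with_domain(domain):
    """Same cookie as the service emits when it derived Domain from a different
    Host header (constructed variant of the captured line)."""
    return PAGE_SET_COOKIE.replace("Domain=localhost", "Domain=" + domain)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value});
    flag attributes such as HttpOnly get an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match, applied to the host the browser
    actually requested, not the Host header the backend saw (public-suffix
    check left out)."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def credentialed_call_problems(origin, request_host, with_credentials, response_headers):
    """List what stops the login cookie from working on a cross-origin call;
    an empty list means the response passes CORS and the cookie is stored."""
    problems = []
    if not with_credentials:
        problems.append("axios withCredentials is false, so cookies are neither sent nor stored")
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao != origin:
        problems.append("Access-Control-Allow-Origin %r is not the exact origin %r (a wildcard is refused with credentials)" % (acao, origin))
    if response_headers.get("Access-Control-Allow-Credentials") != "true":
        problems.append("Access-Control-Allow-Credentials must be the literal string 'true'")
    set_cookie = response_headers.get("Set-Cookie")
    if set_cookie is None:
        problems.append("no Set-Cookie header reached the browser (stripped on the way, e.g. by the gateway)")
        return problems
    _, _, attrs = parse_set_cookie(set_cookie)
    domain = attrs.get("domain")
    if domain and not domain_matches(request_host, domain):
        problems.append("cookie Domain=%s does not domain-match the request host %s" % (domain, request_host))
    return problems


def demo():
    """Walk through the states the post goes through; returns {case: problems}."""
    cors_ok = {"Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Credentials": "true"}
    cases = {
        # Host rewritten by the proxies: the service saw 127.0.0.1 and put it in Domain
        "host_rewritten": dict(cors_ok, **{"Set-Cookie": set_cookie_with_domain("127.0.0.1")}),
        # Host preserved (proxy_set_header / add-host-header): Domain covers api.leyou.com
        "host_preserved": dict(cors_ok, **{"Set-Cookie": set_cookie_with_domain("leyou.com")}),
        # CORS answered with a wildcard origin
        "wildcard_origin": {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true",
                            "Set-Cookie": set_cookie_with_domain("leyou.com")},
        # Zuul default sensitive headers: Set-Cookie never leaves the gateway
        "set_cookie_stripped": dict(cors_ok),
    }
    return {name: credentialed_call_problems(ORIGIN, API_HOST, True, hdrs) for name, hdrs in cases.items()}


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "cookie accepted")
```

Running it prints one line per case; only host_preserved comes back clean, which is exactly the combination of settings the post ends up with.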

Another possible cause is a Zuul version conflict, or a bug in the Zuul version in use:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-netflix-zuul</artifactId>
    <version>2.0.0.RELEASE</version>
</dependency>

Test again:
Still nothing, and the DEBUG trace still shows no cookie. The cookie only appears once the sensitive headers are configured. Add to the Zuul gateway yml:

zuul:
  sensitive-headers: # empty: Cookie, Set-Cookie and Authorization are passed through

Note that an empty global list passes those headers to every routed service. If only the auth route needs them, Zuul also accepts the same key per route, under zuul.routes.<route>.sensitive-headers, which leaves the default stripping in place for the other routes.

[screenshot 5]

Looking at the source: ZuulProxyAutoConfiguration extends ZuulServerAutoConfiguration and registers the routing filter that performs the forward (and therefore the header filtering):

@Configuration
@Import({RestClientRibbonConfiguration.class, OkHttpRibbonConfiguration.class, HttpClientRibbonConfiguration.class, HttpClientConfiguration.class})
@ConditionalOnBean({Marker.class})
public class ZuulProxyAutoConfiguration extends ZuulServerAutoConfiguration {
    // ... other beans omitted ...
    @Bean
    @ConditionalOnMissingBean({RibbonRoutingFilter.class})
    public RibbonRoutingFilter ribbonRoutingFilter(ProxyRequestHelper helper, RibbonCommandFactory<?> ribbonCommandFactory) {
        RibbonRoutingFilter filter = new RibbonRoutingFilter(helper, ribbonCommandFactory, this.requestCustomizers);
        return filter;
    }
    // ... other beans omitted ...
}

And the configuration class ZuulProperties, where the default sensitive headers are Cookie, Set-Cookie and Authorization; whatever is in this set is dropped from the proxied request and from the proxied response, which is why Set-Cookie never reached the browser:

@ConfigurationProperties("zuul")
public class ZuulProperties {
    // ... other fields omitted ...
    private Set<String> ignoredServices = new LinkedHashSet();
    private Set<String> ignoredPatterns = new LinkedHashSet();
    private Set<String> ignoredHeaders = new LinkedHashSet();
    private Set<String> sensitiveHeaders = new LinkedHashSet(Arrays.asList("Cookie", "Set-Cookie", "Authorization"));
    // ... other fields omitted ...
    public Set<String> getIgnoredHeaders() {
        Set<String> ignoredHeaders = new LinkedHashSet(this.ignoredHeaders);
        if (ClassUtils.isPresent("org.springframework.security.config.annotation.web.WebSecurityConfigurer", (ClassLoader)null) && Collections.disjoint(ignoredHeaders, SECURITY_HEADERS) && this.ignoreSecurityHeaders) {
            ignoredHeaders.addAll(SECURITY_HEADERS);
        }

        return ignoredHeaders;
    }
    // ... other methods omitted ...
}
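A small model of that stripping rule, added here as an example (it is not Spring Cloud code): the default set from ZuulProperties, case-insensitive name comparison, dropping from both directions, and the difference between clearing zuul.sensitive-headers globally and clearing it on one route. The request and response headers are constructed for the /api/auth/accredit hop.

```python
# Default from ZuulProperties above.
DEFAULT_SENSITIVE = frozenset({"Cookie", "Set-Cookie", "Authorization"})

# Constructed sample traffic for the /api/auth/accredit hop.
REQUEST_HEADERS = {
    "Host": "api.leyou.com",
    "Origin": "http://manage.leyou.com",
    "Cookie": "LY_TOKEN=old",
    "Content-Type": "application/x-www-form-urlencoded",
}
RESPONSE_HEADERS = {
    "Set-Cookie": "LY_TOKEN=new; Max-Age=1800; Domain=leyou.com; Path=/; HttpOnly",
    "Content-Type": "application/json",
}


def effective_sensitive_headers(global_set, route_set=None):
    """route_set=None means the route declares nothing and inherits the global
    set; an explicit empty set on a route means 'pass everything' for that
    route only. Names are lower-cased, as Zuul compares them that way."""
    chosen = global_set if route_set is None else route_set
    return {h.lower() for h in chosen}


def filter_headers(headers, sensitive):
    """Drop every header whose name is in the sensitive set (case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower() not in sensitive}


def proxy(request_headers, response_headers, global_set, route_set=None):
    """Return (headers the backend sees, headers the browser sees)."""
    sensitive = effective_sensitive_headers(global_set, route_set)
    return filter_headers(request_headers, sensitive), filter_headers(response_headers, sensitive)


def demo():
    """Whether Set-Cookie reaches the browser under each configuration."""
    results = {}
    # 1. defaults: Cookie never reaches auth-service, Set-Cookie never reaches the browser
    _, out = proxy(REQUEST_HEADERS, RESPONSE_HEADERS, DEFAULT_SENSITIVE)
    results["default"] = "Set-Cookie" in out
    # 2. the post's fix, zuul.sensitive-headers: (empty) -> passes on every route
    _, out = proxy(REQUEST_HEADERS, RESPONSE_HEADERS, set())
    results["global_empty"] = "Set-Cookie" in out
    # 3. narrower: zuul.routes.auth-service.sensitive-headers: (empty) for that route,
    #    while item-service keeps the defaults
    _, out_auth = proxy(REQUEST_HEADERS, RESPONSE_HEADERS, DEFAULT_SENSITIVE, route_set=set())
    _, out_item = proxy(REQUEST_HEADERS, RESPONSE_HEADERS, DEFAULT_SENSITIVE)
    results["route_auth"] = "Set-Cookie" in out_auth
    results["route_item"] = "Set-Cookie" in out_item
    return results


if __name__ == "__main__":
    for case, reached in demo().items():
        print("%-13s Set-Cookie reaches browser: %s" % (case, reached))
```

Case 3 is the shape to prefer in practice: the auth route gets its cookies while item-service, search-service and the rest still never see a client's Cookie or Authorization header.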
