我有一个在 Jetty 上运行的应用程序 (1),它部署在 Kubernetes 中。在应用程序之上,我们使用另一个部署来启用使用 IDP 提供程序的 apache2/shibboleth SAML2 的 SSO 配置。
因此,具有 apache2/shibboleth 的容器已使用 ingress 公开,并且已使用 httpd.conf 将流量重定向到后端部署(jetty 应用程序)。该应用程序在第一次尝试时运行良好,直到我们使用它为止。如果我们保持应用程序空闲并打开浏览器,它会抛出 CORS 错误
this is the error access to XMLHttpRequest at 'https://eIDP_provider:8443/nidp/saml2/sso?SAMLRequest=hZJPU4MwEMW%2FCpN…NcmKW6W1uSJ9aQmtiBnaU3puhSCt5GHnokA82DtQCwXVM8UfnwwKisVcJJSXqqm2eK3Q%3D%3D'(redirected from 'https://shib_ingress.domain.com/app_jetty/?wicket:interface=:1:searchPanel:p…searchForm:queryTypeSelect::IBehaviorListener:0:&random=0.9935442197361537') from origin 'https://shib_ingress.domain.com/' has been blocked by CORS policy: Response to preflight request doesn't
pass access control check: No 'access-control-allow-origin' header is present on the requested resource
这里是使用的注释
ingress.kubernetes.io/whitelist-source-range: 10.36.160.128/25
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/cors-allow-origin: https://shib_ingress.domain.com
nginx.ingress.kubernetes.io/cors-max-age: "1728000"
nginx.ingress.kubernetes.io/keepalive: "6000"
nginx.ingress.kubernetes.io/proxy-pass-headers: '*'
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT,GET,POST,OPTIONS"
app_jetty.conf
ProxyPass /Shibboleth.sso/Status !
ProxyPassReverse /Shibboleth.sso//Status !
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
Header set employeeNumber %{employeeNumber}e
Header set email %{email}e
Header set displayName %{displayName}e
Header set roles %{roles}e
Header set MyHeader "%D %t"
RequestHeader set X-My-Host-Header "%{custom_host}e"
RequestHeader set X-Role-Host-Header "%{roles}e"
RequestHeader set email "%{email}e"
RequestHeader set displayName "%{displayName}e"
RequestHeader set roles "%{roles}e"
RequestHeader set employeeNumber "%{employeeNumber}e"
<VirtualHost _default_:8090>
UseCanonicalName On
ServerAdmin root@localhost
ServerName https://shib_ingress.domain.com
ServerAlias shib_ingress.domain.com
# Shibboleth-Attribute mapping to HTTP Headers for delivery to PF Server
Header set employeeNumber %{employeeNumber}e
Header set email %{email}e
Header set displayName %{displayName}e
Header set roles %{roles}e
RequestHeader set email "%{email}e"
RequestHeader set displayName "%{displayName}e"
RequestHeader set roles "%{roles}e"
RequestHeader set employeeNumber "%{employeeNumber}e"
RequestHeader set roles %{roles}e
#Attributes end here
ProxyPass /Shibboleth.sso/Status https://127.0.0.1/Shibboleth.sso/Status
ProxyPassReverse /Shibboleth.sso/Status https://127.0.0.1/Shibboleth.sso/Status
ProxyPass /app_jetty https://app.ns.svc.cluster.local:8080/app_jetty
ProxyPassReverse /app_jetty https://app.ns.svc.cluster.local:8080/app_jetty
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost>
shib 授权配置
Loadmodule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
ShibCompatValidUser Off
<Location /Shibboleth.sso>
AuthType None
Require all granted
</Location>
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</Location>
#Added for app_jetty EIAM Auth
<Location /app_jetty>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</Location>
我尝试了多种方法来解决该问题,方法是对应用程序代码和 httpd.conf 实施 access-control-allow-origin,在第一次尝试中它工作正常,但在空闲超时后这些标头不起作用。
60 秒后,该应用程序再次向 IDP 提供商发送请求,因为它已经过身份验证,因此不应向 IDP 提供商发送请求。同样在页面刷新时,它再次与身份验证相同的会话正常工作
我可能缺少一些东西来在应用程序中存储会话在 shibboleth 或应用程序级别或超时设置以增加某处,如果有人知道我们如何修改应用程序以在超时后使用相同的会话或我们如何增加超时时间和地点。 或任何其他缺失的点。