本地编译测试Filter顺序问题，引起绕过认证问题 #9861

qhyjoe · 2023-01-17T07:22:03Z

服务端版本：2.1.2
客户端版本：1.4.2
服务端配置如下：
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=nacosKey
nacos.core.auth.server.identity.value=******
nacos.core.auth.enabled=true
本地测试发现，配置开启认证后，客户端不配置账号密码任然可以注册服务实例，发现是由于过滤器顺序问题引起。
com.alibaba.nacos.naming.web.DistroFilter和com.alibaba.nacos.core.auth.AuthFilter顺序配置的都是6，如果AuthFilter在DistroFilter之前执行是没有问题的，反过来就是有问题，DistroFilter代码中会转发请求并携带认证header，这样请求就会通过。

KomachiSion added kind/bug Category issues or prs related to bug. plugin labels Jan 28, 2023

KomachiSion added this to the 2.2.1 milestone Jan 28, 2023

KomachiSion added a commit to KomachiSion/nacos that referenced this issue Jan 28, 2023

Fix alibaba#9861, auth check before distro filter.

501d403

KomachiSion mentioned this issue Jan 28, 2023

[ISSUE #9861]Fix auth check before distro filter. #9871

Merged

5 tasks

onewe closed this as completed in #9871 Jan 28, 2023

onewe pushed a commit that referenced this issue Jan 28, 2023

Fix #9861, auth check before distro filter. (#9871)

fee349b

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

本地编译测试Filter顺序问题，引起绕过认证问题 #9861

本地编译测试Filter顺序问题，引起绕过认证问题 #9861

qhyjoe commented Jan 17, 2023

本地编译测试Filter顺序问题，引起绕过认证问题 #9861

本地编译测试Filter顺序问题，引起绕过认证问题 #9861

Comments

qhyjoe commented Jan 17, 2023