Spring security Access-Control-Allow-Origin: * (CORS) issue on invalid JWT token

Posted 2023-02-27

【中文标题】Spring security Access-Control-Allow-Origin: * (CORS) issue on invalid JWT token

【英文标题】：

【发布时间】：2019-05-12 15:15:33

【问题描述】：

我在 Spring Boot 应用程序中使用 Spring Security 配置了 JWT 安全性。我有一个问题

Access-Control-Allow-Origin: *

标头，也称为 CORS。我配置了应用程序，因此每个服务器响应中都存在标头，但是一旦 JWT 令牌无效，服务器响应 403 错误代码而没有 Access-Control-Allow-Origin: * 标头。这会导致浏览器将错误消息写入控制台：

未能加载 http://... 没有“Access-Control-Allow-Origin”标头 出现在请求的资源上。因此，来源 'http://...' 是 不允许访问。响应的 HTTP 状态代码为 403。

这似乎是错误的，我想获得 Access-Control-Allow-Origin: * 标头作为响应，即使 JWT 令牌无效并且服务器响应带有 403 错误代码。

现在我尝试了什么以及我的代码。

依赖关系：

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.5.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
...

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

据我了解，此问题可能是由过滤器链中的过滤器顺序引起的，我尝试将 JWT JwtAuthenticationFilter 放在 CorsFilter 或 CsrfFilter 之后，创建 CorsConfigurationSource bean。这在https://docs.spring.io/spring-security/site/docs/current/reference/html5/#cors 进行了描述并在How to configure CORS in a Spring Boot + Spring Security application? 和https://github.com/spring-projects/spring-boot/issues/5834 进行了讨论，但似乎没有任何帮助

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter 

    @Value("$com.faircloud.common.security.header")
    private String header;
    @Value("$com.faircloud.common.security.prefix")
    private String prefix;
    @Value("$com.faircloud.common.security.validateLink")
    private String validateLink;

    @Override
    protected void configure(HttpSecurity http) throws Exception 
        http.cors().and().authorizeRequests()
                .antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", "/configuration/**",
                        "/swagger-ui.html", "/webjars/**")
                .permitAll()
                .and().authorizeRequests().anyRequest().authenticated().and()
                .addFilterAfter(new JwtAuthenticationFilter(header, prefix, validateLink),
                        CsrfFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    

    @Bean
    public CorsConfigurationSource corsConfigurationSource() 
        final CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(ImmutableList.of("*"));
        configuration.setAllowedMethods(ImmutableList.of("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
        // setAllowCredentials(true) is important, otherwise:
        // The value of the 'Access-Control-Allow-Origin' header in the response must
        // not be the wildcard '*' when the request's credentials mode is 'include'.
        configuration.setAllowCredentials(true);
        // setAllowedHeaders is important! Without it, OPTIONS preflight request
        // will fail with 403 Invalid CORS request
        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    

这里是 JwtAuthenticationFilter 类。请注意，要验证令牌，它会通过 http 调用其他微服务。此外，我的应用程序没有登录端点，因为登录是在其他微服务应用程序上实现的。

public class JwtAuthenticationFilter extends BasicAuthenticationFilter 

    private String header;
    private String prefix;
    private String validateLink;

    public JwtAuthenticationFilter(String header, String prefix, String validateLink) 
        super(new AuthenticationManager() 
            public Authentication authenticate(Authentication authentication) throws AuthenticationException
                return null;
            
        );
        this.header = header;
        this.prefix = prefix;
        this.validateLink = validateLink;
     

    @Override
    protected void doFilterInternal(HttpServletRequest request, 
            HttpServletResponse response, 
            FilterChain chain)
            throws ServletException, IOException 

        // 1. get the authentication header. Tokens are supposed to be passed in the
        // authentication header
        String headerValue = request.getHeader(header);

        // 2. validate the header and check the prefix
        if (headerValue == null || !headerValue.startsWith(prefix)) 
            chain.doFilter(request, response); // If not valid, go to the next filter.
            return;
        
        // 3. Get the token     
        String token = headerValue.replace(prefix, ""); 

        try 

            GatewayResponse gatewayResponse = validate(token);

            String userId = gatewayResponse.getUserId();

            /*
            Roles could come from gateway or loaded from current
            microservice database by user id. They are
            hardcoded here to illustrate how to populate
            SecurityContextHolder
            */
            List<String> authorities = new LinkedList<String>();
            authorities.add("USER");
            authorities.add("ADMIN");

            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userId, null,
                    authorities.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
            SecurityContextHolder.getContext().setAuthentication(auth);
            addTokenToResponse(gatewayResponse.getAuthHeader(), response);
         catch (Exception e) 
            // In case of failure. Make sure it's clear; so guarantee user won't be
            // authenticated
            SecurityContextHolder.clearContext();
        

        // go to the next filter in the filter chain
        chain.doFilter(request, response);
    

    private void addTokenToResponse(String authHeaderValue, HttpServletResponse response) 
        response.addHeader(header, prefix+authHeaderValue);
    

    private GatewayResponse validate(String token) 
        /HTTP call here, returns null if invalid token
        ...
    

【参考方案1】：

遇到类似问题，无法使其与 CorsConfigurationSource 一起使用。只有基于过滤器的 CORS 支持才有帮助：

@Bean
public FilterRegistrationBean filterRegistrationBean() 
    final CorsConfiguration config = new CorsConfiguration();

    config.setAllowCredentials(true);
    config.addAllowedOrigin("http://localhost:4200");
    config.addAllowedHeader("*");
    config.addAllowedMethod("*");

    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);

    FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
    bean.setOrder(Ordered.HIGHEST_PRECEDENCE);

    return bean;

【讨论】：

为过滤器链中的 CorsFilter 设置最高优先级有效。

【参考方案2】：

尝试使用交叉过滤器。找到以下示例。

@Bean
public CorsFilter corsFilter() 
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowCredentials(true);
    configuration.addAllowedOrigin("*");
    configuration.addAllowedHeader("*");
    configuration.addAllowedMethod("OPTIONS");
    configuration.addAllowedMethod("HEAD");
    configuration.addAllowedMethod("GET");
    configuration.addAllowedMethod("PUT");
    configuration.addAllowedMethod("POST");
    configuration.addAllowedMethod("DELETE");
    configuration.addAllowedMethod("PATCH");
    source.registerCorsConfiguration("/**", configuration);
    return new CorsFilter(source);