Spring security Access-Control-Allow-Origin: * (CORS) issue on invalid JWT token

Posted

技术标签:

【中文标题】Spring security Access-Control-Allow-Origin: * (CORS) issue on invalid JWT token【英文标题】: 【发布时间】:2019-05-12 15:15:33 【问题描述】:

我在 Spring Boot 应用程序中使用 Spring Security 配置了 JWT 安全性。我有一个问题

Access-Control-Allow-Origin: *

标头,也称为 CORS。我配置了应用程序,因此每个服务器响应中都存在标头,但是一旦 JWT 令牌无效,服务器响应 403 错误代码而没有 Access-Control-Allow-Origin: * 标头。这会导致浏览器将错误消息写入控制台:

未能加载 http://... 没有“Access-Control-Allow-Origin”标头 出现在请求的资源上。因此,来源 'http://...' 是 不允许访问。响应的 HTTP 状态代码为 403。

这似乎是错误的,我想获得 Access-Control-Allow-Origin: * 标头作为响应,即使 JWT 令牌无效并且服务器响应带有 403 错误代码。

现在我尝试了什么以及我的代码。

依赖关系:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.5.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
...

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

据我了解,此问题可能是由过滤器链中的过滤器顺序引起的,我尝试将 JWT JwtAuthenticationFilter 放在 CorsFilter 或 CsrfFilter 之后,创建 CorsConfigurationSource bean。这在https://docs.spring.io/spring-security/site/docs/current/reference/html5/#cors 进行了描述并在How to configure CORS in a Spring Boot + Spring Security application? 和https://github.com/spring-projects/spring-boot/issues/5834 进行了讨论,但似乎没有任何帮助

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter 

    @Value("$com.faircloud.common.security.header")
    private String header;
    @Value("$com.faircloud.common.security.prefix")
    private String prefix;
    @Value("$com.faircloud.common.security.validateLink")
    private String validateLink;

    @Override
    protected void configure(HttpSecurity http) throws Exception 
        http.cors().and().authorizeRequests()
                .antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", "/configuration/**",
                        "/swagger-ui.html", "/webjars/**")
                .permitAll()
                .and().authorizeRequests().anyRequest().authenticated().and()
                .addFilterAfter(new JwtAuthenticationFilter(header, prefix, validateLink),
                        CsrfFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    

    @Bean
    public CorsConfigurationSource corsConfigurationSource() 
        final CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(ImmutableList.of("*"));
        configuration.setAllowedMethods(ImmutableList.of("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
        // setAllowCredentials(true) is important, otherwise:
        // The value of the 'Access-Control-Allow-Origin' header in the response must
        // not be the wildcard '*' when the request's credentials mode is 'include'.
        configuration.setAllowCredentials(true);
        // setAllowedHeaders is important! Without it, OPTIONS preflight request
        // will fail with 403 Invalid CORS request
        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    

这里是 JwtAuthenticationFilter 类。请注意,要验证令牌,它会通过 http 调用其他微服务。此外,我的应用程序没有登录端点,因为登录是在其他微服务应用程序上实现的。

public class JwtAuthenticationFilter extends BasicAuthenticationFilter 

    private String header;
    private String prefix;
    private String validateLink;

    public JwtAuthenticationFilter(String header, String prefix, String validateLink) 
        super(new AuthenticationManager() 
            public Authentication authenticate(Authentication authentication) throws AuthenticationException
                return null;
            
        );
        this.header = header;
        this.prefix = prefix;
        this.validateLink = validateLink;
     

    @Override
    protected void doFilterInternal(HttpServletRequest request, 
            HttpServletResponse response, 
            FilterChain chain)
            throws ServletException, IOException 

        // 1. get the authentication header. Tokens are supposed to be passed in the
        // authentication header
        String headerValue = request.getHeader(header);

        // 2. validate the header and check the prefix
        if (headerValue == null || !headerValue.startsWith(prefix)) 
            chain.doFilter(request, response); // If not valid, go to the next filter.
            return;
        
        // 3. Get the token     
        String token = headerValue.replace(prefix, ""); 

        try 

            GatewayResponse gatewayResponse = validate(token);

            String userId = gatewayResponse.getUserId();

            /*
            Roles could come from gateway or loaded from current
            microservice database by user id. They are
            hardcoded here to illustrate how to populate
            SecurityContextHolder
            */
            List<String> authorities = new LinkedList<String>();
            authorities.add("USER");
            authorities.add("ADMIN");

            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userId, null,
                    authorities.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
            SecurityContextHolder.getContext().setAuthentication(auth);
            addTokenToResponse(gatewayResponse.getAuthHeader(), response);
         catch (Exception e) 
            // In case of failure. Make sure it's clear; so guarantee user won't be
            // authenticated
            SecurityContextHolder.clearContext();
        

        // go to the next filter in the filter chain
        chain.doFilter(request, response);
    

    private void addTokenToResponse(String authHeaderValue, HttpServletResponse response) 
        response.addHeader(header, prefix+authHeaderValue);
    

    private GatewayResponse validate(String token) 
        /HTTP call here, returns null if invalid token
        ...
    

【问题讨论】:

【参考方案1】:

遇到类似问题,无法使其与 CorsConfigurationSource 一起使用。只有基于过滤器的 CORS 支持才有帮助:

@Bean
public FilterRegistrationBean filterRegistrationBean() 
    final CorsConfiguration config = new CorsConfiguration();

    config.setAllowCredentials(true);
    config.addAllowedOrigin("http://localhost:4200");
    config.addAllowedHeader("*");
    config.addAllowedMethod("*");

    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);

    FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
    bean.setOrder(Ordered.HIGHEST_PRECEDENCE);

    return bean;

【讨论】:

为过滤器链中的 CorsFilter 设置最高优先级有效。【参考方案2】:

尝试使用交叉过滤器。找到以下示例。

@Bean
public CorsFilter corsFilter() 
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowCredentials(true);
    configuration.addAllowedOrigin("*");
    configuration.addAllowedHeader("*");
    configuration.addAllowedMethod("OPTIONS");
    configuration.addAllowedMethod("HEAD");
    configuration.addAllowedMethod("GET");
    configuration.addAllowedMethod("PUT");
    configuration.addAllowedMethod("POST");
    configuration.addAllowedMethod("DELETE");
    configuration.addAllowedMethod("PATCH");
    source.registerCorsConfiguration("/**", configuration);
    return new CorsFilter(source);

【讨论】:

以上是关于Spring security Access-Control-Allow-Origin: * (CORS) issue on invalid JWT token的主要内容,如果未能解决你的问题,请参考以下文章

Spring mvc / security:从spring security中排除登录页面

Spring Security:2.4 Getting Spring Security

没有 JSP 的 Spring Security /j_spring_security_check

Spring-Security

Spring Security 登录错误:HTTP 状态 404 - /j_spring_security_check

未调用 Spring Security j_spring_security_check