Spring security Access-Control-Allow-Origin: * (CORS) issue on invalid JWT token
Posted
技术标签:
【中文标题】Spring security Access-Control-Allow-Origin: * (CORS) issue on invalid JWT token【英文标题】: 【发布时间】:2019-05-12 15:15:33 【问题描述】:我在 Spring Boot 应用程序中使用 Spring Security 配置了 JWT 安全性。我有一个问题
Access-Control-Allow-Origin: *
标头,也称为 CORS。我配置了应用程序,因此每个服务器响应中都存在标头,但是一旦 JWT 令牌无效,服务器响应 403 错误代码而没有 Access-Control-Allow-Origin: * 标头。这会导致浏览器将错误消息写入控制台:
未能加载 http://... 没有“Access-Control-Allow-Origin”标头 出现在请求的资源上。因此,来源 'http://...' 是 不允许访问。响应的 HTTP 状态代码为 403。
这似乎是错误的,我想获得 Access-Control-Allow-Origin: * 标头作为响应,即使 JWT 令牌无效并且服务器响应带有 403 错误代码。
现在我尝试了什么以及我的代码。
依赖关系:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.5.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
...
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
据我了解,此问题可能是由过滤器链中的过滤器顺序引起的,我尝试将 JWT JwtAuthenticationFilter 放在 CorsFilter 或 CsrfFilter 之后,创建 CorsConfigurationSource bean。这在https://docs.spring.io/spring-security/site/docs/current/reference/html5/#cors 进行了描述并在How to configure CORS in a Spring Boot + Spring Security application? 和https://github.com/spring-projects/spring-boot/issues/5834 进行了讨论,但似乎没有任何帮助
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
@Value("$com.faircloud.common.security.header")
private String header;
@Value("$com.faircloud.common.security.prefix")
private String prefix;
@Value("$com.faircloud.common.security.validateLink")
private String validateLink;
@Override
protected void configure(HttpSecurity http) throws Exception
http.cors().and().authorizeRequests()
.antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", "/configuration/**",
"/swagger-ui.html", "/webjars/**")
.permitAll()
.and().authorizeRequests().anyRequest().authenticated().and()
.addFilterAfter(new JwtAuthenticationFilter(header, prefix, validateLink),
CsrfFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
@Bean
public CorsConfigurationSource corsConfigurationSource()
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("*"));
configuration.setAllowedMethods(ImmutableList.of("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
// setAllowCredentials(true) is important, otherwise:
// The value of the 'Access-Control-Allow-Origin' header in the response must
// not be the wildcard '*' when the request's credentials mode is 'include'.
configuration.setAllowCredentials(true);
// setAllowedHeaders is important! Without it, OPTIONS preflight request
// will fail with 403 Invalid CORS request
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
这里是 JwtAuthenticationFilter 类。请注意,要验证令牌,它会通过 http 调用其他微服务。此外,我的应用程序没有登录端点,因为登录是在其他微服务应用程序上实现的。
public class JwtAuthenticationFilter extends BasicAuthenticationFilter
private String header;
private String prefix;
private String validateLink;
public JwtAuthenticationFilter(String header, String prefix, String validateLink)
super(new AuthenticationManager()
public Authentication authenticate(Authentication authentication) throws AuthenticationException
return null;
);
this.header = header;
this.prefix = prefix;
this.validateLink = validateLink;
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain)
throws ServletException, IOException
// 1. get the authentication header. Tokens are supposed to be passed in the
// authentication header
String headerValue = request.getHeader(header);
// 2. validate the header and check the prefix
if (headerValue == null || !headerValue.startsWith(prefix))
chain.doFilter(request, response); // If not valid, go to the next filter.
return;
// 3. Get the token
String token = headerValue.replace(prefix, "");
try
GatewayResponse gatewayResponse = validate(token);
String userId = gatewayResponse.getUserId();
/*
Roles could come from gateway or loaded from current
microservice database by user id. They are
hardcoded here to illustrate how to populate
SecurityContextHolder
*/
List<String> authorities = new LinkedList<String>();
authorities.add("USER");
authorities.add("ADMIN");
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userId, null,
authorities.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
SecurityContextHolder.getContext().setAuthentication(auth);
addTokenToResponse(gatewayResponse.getAuthHeader(), response);
catch (Exception e)
// In case of failure. Make sure it's clear; so guarantee user won't be
// authenticated
SecurityContextHolder.clearContext();
// go to the next filter in the filter chain
chain.doFilter(request, response);
private void addTokenToResponse(String authHeaderValue, HttpServletResponse response)
response.addHeader(header, prefix+authHeaderValue);
private GatewayResponse validate(String token)
/HTTP call here, returns null if invalid token
...
【问题讨论】:
【参考方案1】:遇到类似问题,无法使其与 CorsConfigurationSource 一起使用。只有基于过滤器的 CORS 支持才有帮助:
@Bean
public FilterRegistrationBean filterRegistrationBean()
final CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost:4200");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return bean;
【讨论】:
为过滤器链中的 CorsFilter 设置最高优先级有效。【参考方案2】:尝试使用交叉过滤器。找到以下示例。
@Bean
public CorsFilter corsFilter()
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowCredentials(true);
configuration.addAllowedOrigin("*");
configuration.addAllowedHeader("*");
configuration.addAllowedMethod("OPTIONS");
configuration.addAllowedMethod("HEAD");
configuration.addAllowedMethod("GET");
configuration.addAllowedMethod("PUT");
configuration.addAllowedMethod("POST");
configuration.addAllowedMethod("DELETE");
configuration.addAllowedMethod("PATCH");
source.registerCorsConfiguration("/**", configuration);
return new CorsFilter(source);
【讨论】:
以上是关于Spring security Access-Control-Allow-Origin: * (CORS) issue on invalid JWT token的主要内容,如果未能解决你的问题,请参考以下文章
Spring mvc / security:从spring security中排除登录页面
Spring Security:2.4 Getting Spring Security
没有 JSP 的 Spring Security /j_spring_security_check