The request was rejected because the HTTP method "OPTIONS" was not included within the whitelist [POST, GET]

【Published】: 2021-05-12 22:17:49
【Question】:

I ran into this exception on Spring Boot 2.2.5, and I don't know how to fix it. How do I add "OPTIONS" to the whitelist?

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the HTTP method "OPTIONS" was not included within the whitelist [POST, GET]
   at org.springframework.security.web.firewall.StrictHttpFirewall.rejectForbiddenHttpMethod(StrictHttpFirewall.java:360) ~[spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
   at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:335) ~[spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
   at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194) ~[spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
   at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.2.2.RELEASE.jar:5.2.2.RELEASE]
   at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.2.4.RELEASE.jar:5.2.4.RELEASE]
   at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.2.4.RELEASE.jar:5.2.4.RELEASE]
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:712) ~[tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:461) ~[tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:384) ~[tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312) ~[tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:394) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:253) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:348) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:173) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_111]
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_111]
   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.31.jar:9.0.31]
   at java.lang.Thread.run(Thread.java:745) [na:1.8.0_111]

Here is the CORS configuration in my WebConfig.java:

@Override
public void addCorsMappings(CorsRegistry registry) {
    // CORS policy applied to every path, for the local Angular dev origin
    registry.addMapping("/**")
            .allowedOrigins("http://localhost:4200")
            .allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH", "OPTIONS")
            .exposedHeaders("Authorization")
            .allowCredentials(true);
}

【Answer 1】:

I solved it: in SecurityConfig.java the following was defined:

@Bean
public HttpFirewall strictHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    // Only these methods pass the firewall; anything else raises RequestRejectedException
    firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST"));
    return firewall;
}

I added "OPTIONS" to the setAllowedHttpMethods list.
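An added example, not part of the original question or answer: the CORS mapping in the question advertises seven methods while the firewall admits two, so a preflight can succeed and the real PUT or DELETE is still rejected. The sketch below feeds both the StrictHttpFirewall and the CORS policy from one list. The class layout, the `ALLOWED_METHODS` constant, the allowed request headers and the `authorizeRequests` rule are assumptions.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed name: the methods the API really serves, plus OPTIONS for CORS preflight.
    // Keeping the list minimal preserves the firewall's deny-by-default posture.
    private static final List<String> ALLOWED_METHODS = Arrays.asList("GET", "POST", "OPTIONS");

    @Bean
    public HttpFirewall strictHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowedHttpMethods(ALLOWED_METHODS);
        return firewall;
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowedOrigins(Arrays.asList("http://localhost:4200"));
        cors.setAllowedMethods(ALLOWED_METHODS); // same list as the firewall, so the two cannot drift
        cors.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type")); // assumed header set
        cors.setExposedHeaders(Arrays.asList("Authorization"));
        cors.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors);
        return source;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // cors() uses the corsConfigurationSource bean, so preflight requests are
        // answered by the CORS filter before the authentication rules apply.
        http.cors();
        http.authorizeRequests().anyRequest().authenticated(); // assumed rule for illustration
    }
}
```

If the API later needs PUT, DELETE or PATCH, extend `ALLOWED_METHODS` rather than widening only one of the two policies.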
